Honeypot Presentation - Using Honeyd

  1. HoneyPots for Network Security Using Honeyd
  2. Botnets
     • One of the biggest threats in network security is botnets.
     • Botnets are a collection of infected computers, or bots, that have been taken over by hackers (sometimes known as bot herders) and are used to perform malicious tasks or functions.
  3. Botnets
     • This example illustrates how a botnet is created and used to send email spam.
     • A botnet operator sends out viruses or worms, infecting ordinary users' computers, whose payload is a malicious application: the bot.
     • The bot on the infected PC logs into a particular C&C server (often an IRC server, but in some cases a web server).
     • A spammer purchases the services of the botnet from the operator.
     • The spammer provides the spam messages to the operator, who instructs the compromised machines via the IRC server, causing them to send out spam messages.
  4. Types of Botnet Attacks
     • Spyware
        - software which sends information about a user's activities to its creators, typically passwords, credit card numbers and other information that can be sold on the black market
     • Adware
        - advertises some commercial entity actively and without the user's permission or awareness
     • Denial of Service
        - multiple systems autonomously access a single Internet system or service in a way that appears legitimate, but far more frequently than normal use, causing the system to become overloaded
  5. Types of Botnet Attacks
     • Fast Flux
        - DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies
     • Click Fraud
        - the user's computer visits websites without the user's awareness to create false web traffic for the purpose of personal or commercial gain
     • E-mail spam
        - e-mail messages disguised as messages from people, but which are either advertising, annoying, or malicious in nature
  6. Honeypots
     • A server that is configured to detect an intruder by mirroring a real production system.
     • It appears to be an ordinary server doing work, but all the data and transactions are phony.
     • Located either inside or outside the firewall, the honeypot is used to learn about an intruder's techniques as well as to determine vulnerabilities in the real system.
     • Set up to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.
  7. Types of Honeypots
     • Generally speaking there are two different types of honeypots: production honeypots and research honeypots.
     • Production honeypots are used primarily by companies or corporations to improve their overall state of security.
     • Research honeypots are used primarily by non-profit research organizations or educational institutions to research the threats organizations face and learn how to better protect against those threats.
  8. Honeyd
     • Honeyd is a low-interaction honeypot daemon released under the GPL that can simulate a large network while running on only a single host. To outsiders, Honeyd looks like a network of computers occupying the unused address space of the real network.
  9. Primary Applications of Honeyd
     • Distraction
        - Using the software's ability to mimic many different network hosts at once, Honeyd can act as a distraction to potential hackers.
        - If a network has only 3 real servers, but one of them is running Honeyd, the network will appear to a hacker to be running hundreds of servers.
        - The hacker then has to do more research to determine which servers are real, or may get caught in a honeypot. Either way, the hacker is slowed down or possibly caught.
     • Honeypot
        - On a network, all normal traffic should be to and from valid servers only.
        - Thus a network administrator running Honeyd can monitor the logs to see whether any traffic is going to the virtual hosts set up by Honeyd.
        - Any traffic going to these virtual servers can be considered highly suspicious.
        - The network administrator can then take preventative action, perhaps by blocking the suspicious IP address or by further monitoring the network for suspicious traffic.
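The "Honeypot" use on slide 9 comes down to reading honeyd's own connection log and treating every source that talks to a virtual host as suspect. The following shell script is an added example, not part of the slides: it aggregates a honeyd connection log per source address (connection attempts, distinct virtual hosts and distinct ports touched) and turns the noisiest sources into iptables DROP rules. The log lines are constructed here in the layout honeyd writes with -l (timestamp, protocol, S/E flag, source, source port, destination, destination port, passive OS guess); only the source, destination and port fields are relied on. The 192.168.1.x honeypot addresses, the 10.0.0.x sources and the log path are placeholders.

```shell
#!/bin/sh
# Added example (not from the slides): find scanners in a honeyd connection log.

# Constructed sample log. A real one is whatever honeyd -l <file> writes.
# 192.168.1.201/.202 are the bound honeypot addresses; .203 is an unassigned
# address farpd claimed anyway, so honeyd's default template answered for it.
sample_log() {
  cat <<'EOF'
2008-04-10-09:12:01.0421 tcp(6) S 10.0.0.23 51022 192.168.1.201 445 [Windows XP SP1]
2008-04-10-09:12:01.0533 tcp(6) S 10.0.0.23 51023 192.168.1.202 445 [Windows XP SP1]
2008-04-10-09:12:02.0010 tcp(6) S 10.0.0.23 51024 192.168.1.201 80 [Windows XP SP1]
2008-04-10-09:12:05.2200 tcp(6) E 10.0.0.23 51022 192.168.1.201 445: 96 0
2008-04-10-09:13:11.7712 tcp(6) S 10.0.0.50 40012 192.168.1.203 22 [Linux 2.4.x]
2008-04-10-09:14:44.3001 tcp(6) S 10.0.0.77 33190 192.168.1.202 139 [Windows 2000 SP4]
EOF
}

# Reads a honeyd log on stdin and prints one line per source address:
#   <source> <connection attempts> <distinct virtual hosts> <distinct ports>
# Only "S" (connection start) records are counted, so the "E" (end) record of
# the same connection is not counted twice. The destination and port fields
# may carry a trailing colon on "E" lines, hence the sub() calls.
suspicious_sources() {
  awk '$3 == "S" {
         src = $4; dst = $6; sub(/:$/, "", dst); port = $7; sub(/:$/, "", port)
         attempts[src]++
         if (!((src, dst) in hosts))  { hosts[src, dst] = 1;  nhosts[src]++ }
         if (!((src, port) in ports)) { ports[src, port] = 1; nports[src]++ }
       }
       END { for (s in attempts) printf "%s %d %d %d\n", s, attempts[s], nhosts[s], nports[s] }' \
  | sort
}

# Emits an iptables DROP rule for every source with at least $1 attempts.
# Nothing is applied here; pipe the output into sh as root once reviewed.
block_rules() {
  suspicious_sources | awk -v min="$1" '$2 >= min { printf "iptables -I INPUT -s %s -j DROP\n", $1 }'
}

# Usage: sh honeyd-watch.sh /var/log/honeypot/honeyd.log   (assumed log path)
if [ -n "${1:-}" ]; then
  suspicious_sources < "$1"
  block_rules 2 < "$1"
fi
```

A real machine on the LAN should never appear in this log at all, so the threshold in block_rules is only there to separate a single stray packet from a deliberate sweep; the per-source host and port counts are what distinguish a scanner (many hosts or many ports) from a misconfigured client hitting one address once.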
  10. Honeyd Configuration
     • /etc/honeypot/
     • Contains honeyd.conf, nmap.assoc, nmap.prints (the nmap OS fingerprints that personalities are chosen from), pf.os (passive fingerprints used to guess the OS of whoever connects) and xprobe2.conf (xprobe2 ICMP fingerprints).
  11. Honeyd Configuration
     • honeyd.conf is the main configuration file, used to set the "personalities" of the virtual hosts.
  12. Honeyd Configuration
     • honeyd.conf
     • Creates the default actions for the machines
     • Creates a personality template called honeypot-template
        - Sets the MAC address, OS, uptime, available protocols and open ports
     • Binds the template to 2 unused IP addresses on the network
  13. Honeyd Configuration
     $ iptables -A INPUT -d -j ACCEPT
     $ iptables -A INPUT -d -j ACCEPT
     $ iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
     • Modifies the rules of your firewall to accept packets for the IP addresses defined in honeyd's configuration file, one -d rule per bound address, so the host does not drop traffic addressed to the virtual hosts.
  14. Honeyd Configuration
     • /etc/default/honeyd
     • Sets the default run behavior of honeyd
  15. Honeyd Configuration
     • Another daemon that runs alongside honeyd is farpd. It answers ARP requests for the virtual hosts' addresses so that traffic for them is delivered to the host running honeyd.
     • farpd replies to any ARP request for an IP address matching the specified destination net with the hardware MAC address of the specified interface, but only after determining that no other host already claims it.
     • Any IP address claimed by farpd is eventually forgotten after a period of inactivity or after a hard timeout, and is relinquished if the real owner shows up.
     • This enables a single host to claim all unassigned addresses on a LAN for network monitoring or simulation.
  16. Testing Honeyd
     • Run a network scanner such as nmap against the virtual hosts to test whether they respond with the right information (the open ports and OS personality set in honeyd.conf).
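Slides 12 to 16 are one procedure: write honeyd.conf, open the firewall for the bound addresses, start farpd and honeyd, then scan. The script below is an added example, not code from the slides or from the Honeyd project, that carries the whole procedure through as shell functions so that the generated config and firewall rules can be checked before anything is applied as root. It follows the Debian package layout the slides show (/etc/honeypot, /etc/default/honeyd). The two 192.168.1.x addresses, the MAC address, the interface eth0, the log path and the service script path under /usr/share/honeyd/scripts are assumptions; the personality string must match a "Fingerprint ..." line in nmap.prints exactly, which is what check_personalities verifies, because honeyd refuses to start otherwise.

```shell
#!/bin/sh
# Added example (not from the slides): minimal Honeyd deployment, step by step.

# Step 1 (slide 12): honeyd.conf with a default template that blocks everything
# and one personality template bound to two unused addresses on the LAN.
# $1 = output path, $2 and $3 = the unused IP addresses (placeholders).
write_honeyd_conf() {
  cat > "$1" <<EOF
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create honeypot-template
set honeypot-template personality "Microsoft Windows XP Professional SP1"
set honeypot-template ethernet "00:00:24:ab:8c:12"
set honeypot-template uptime 1728650
set honeypot-template default tcp action reset
set honeypot-template default udp action reset
add honeypot-template tcp port 80 "sh /usr/share/honeyd/scripts/win32/web.sh"
add honeypot-template tcp port 139 open
add honeypot-template tcp port 445 open

bind $2 honeypot-template
bind $3 honeypot-template
EOF
}

# The addresses honeyd answers for. Slide 13's firewall rules and farpd must use
# exactly these, so read them from the file instead of retyping them.
bound_ips() {  # $1 = honeyd.conf
  awk '$1 == "bind" { print $2 }' "$1"
}

# Every personality in the config must be a "Fingerprint <name>" line in
# nmap.prints; returns 1 and names the offender if one is missing.
check_personalities() {  # $1 = honeyd.conf, $2 = nmap.prints
  status=0
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    grep -qxF "Fingerprint $p" "$2" || { echo "unknown personality: $p" >&2; status=1; }
  done <<EOF
$(sed -n 's/.*personality "\(.*\)"/\1/p' "$1")
EOF
  return $status
}

# Step 2 (slide 13): one ACCEPT rule per bound address plus the stateful rule,
# printed rather than executed so they can be reviewed (and pasted) first.
firewall_rules() {  # $1 = honeyd.conf
  bound_ips "$1" | while IFS= read -r ip; do
    echo "iptables -A INPUT -d $ip -j ACCEPT"
  done
  echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# Steps 3 to 5 (slides 14, 15): apply the rules, have farpd claim the bound
# addresses on the interface, then run honeyd with the fingerprint files from
# /etc/honeypot. Needs root and a real LAN; log path is assumed.
deploy() {  # $1 = interface, $2 = honeyd.conf
  ips=$(bound_ips "$2" | tr '\n' ' ')
  firewall_rules "$2" | sh
  farpd -i "$1" $ips
  honeyd -d -i "$1" -f "$2" -p /etc/honeypot/nmap.prints -x /etc/honeypot/xprobe2.conf \
         -a /etc/honeypot/nmap.assoc -l /var/log/honeypot/honeyd.log $ips
}

# Step 6 (slide 16): from another host, check the virtual hosts answer and that
# nmap's OS guess and open ports match the personality template.
scan_virtual_hosts() {  # $@ = bound IPs
  nmap -O -sS -Pn "$@"
}

# Only touches the system when explicitly asked: HONEYD_APPLY=1 sh honeyd-up.sh
if [ "${HONEYD_APPLY:-0}" = 1 ]; then
  write_honeyd_conf /etc/honeypot/honeyd.conf 192.168.1.201 192.168.1.202
  check_personalities /etc/honeypot/honeyd.conf /etc/honeypot/nmap.prints || exit 1
  deploy eth0 /etc/honeypot/honeyd.conf
fi
```

The default template is what answers for any address farpd claims that is not explicitly bound, so leaving it at "block" keeps unplanned addresses silent instead of accidentally advertising an open host. If the nmap scan reports a different OS than the personality, the usual causes are a personality name that does not match nmap.prints, or the real host's own stack answering because the firewall or farpd is not handling the bound address.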