1. All about Honeypots & Honeynets
   Sayyed Mehdi Poustchi Amin, MCTS-MCITP-MCSE-MCSA-MCP
   IRAN Honeynet-Project Manager, [email_address]
   14 Oct 2008
2. Agenda
   - Introduction to honeypots and honeynets
     - What is a honeypot?
     - Benefits/Downsides of deploying a honeypot
     - How to classify a honeypot?
     - Advantages/Disadvantages of low-interaction honeypots
     - Advantages/Disadvantages of high-interaction honeypots
     - What is a honeynet?
   - Free and commercial honeypot solutions
     - Digest of honeypot products
   - Installing your own honeypot
     - How to prepare the installation of a honeypot
   - Detection of honeypots
     - Techniques of detection
   - Future of honeypot technologies
     - Honeytokens
     - Wireless honeypots
     - SPAM honeypots
     - Honeypot farms
   - Summary
3. Introduction to honeypots & honeynets
   - What is a honeypot?
     - Abstract definition: "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." (Lance Spitzner)
     - Concrete definition: "A honeypot is a fictitious vulnerable IT system used for the purpose of being attacked, probed, exploited and compromised."
4. Introduction to honeypots & honeynets
   - The threat is real
     - Black hats have the initiative; they attack whatever they want, whenever they want
     - The public knows very little about the black hats (Who are they? How do they attack? Why?)
     - It is an arms race, and the bad guys are always ahead
     - See next figure
5. Introduction to honeypots & honeynets
   (figure referenced on the previous slide; the image is not included in the transcript)
6. Introduction to honeypots & honeynets
   - Benefits of deploying a honeypot
     - Risk mitigation: a honeypot deployed in a production environment may lure an attacker away from the real production systems ("easy target").
     - IDS-like functionality: since no legitimate traffic should go to or from the honeypot, any traffic that does appear is malicious by definition and can trigger further actions.
     - Attack strategies: find out why and how you are attacked.
     - Identification and classification: find out who is attacking you and classify him (her).
7. Introduction to honeypots & honeynets
   - Benefits of deploying a honeypot (cont.)
     - Evidence: once the attacker is identified, all data captured may be used in legal proceedings.
     - Increased knowledge: by knowing how you are attacked, you are better able to respond appropriately and to prevent future attacks.
     - Research: operating and monitoring a honeypot can reveal the most up-to-date techniques, exploits and tools in use, as well as the spreading techniques of worms or viruses.
8. Introduction to honeypots & honeynets
   - Downside of deploying a honeypot
     - Limited view: honeypots can only track and capture activity that directly interacts with them, so they will not capture attacks against other systems.
     - Additional risk: deploying a honeypot could create an additional risk and eventually put a whole organization's IT security at risk.
       - Like all security-related technologies, honeypots carry risk. Depending on the type of honeypot deployed, there is the risk that the system is taken over by a bad guy and used to harm other systems. This could lead to serious legal consequences.
9. Introduction to honeypots & honeynets
   - How to classify a honeypot?
   - Honeypots are classified by the level of interaction they provide to the attacker:
     - Low-interaction honeypot: only parts of (vulnerable) applications or operating systems are emulated by software (e.g. honeyd); no real interaction
     - High-interaction honeypot: an attacker is provided with a full, working operating system, enabling him/her to interact to the highest degree possible.
   - Several honeypots can be combined into an entire honeynet.
10. Introduction to honeypots & honeynets
   - Advantages of low-interaction honeypot
     - Good starting point
     - Easy to install, configure, deploy and maintain
     - Introduces a low or at least limited risk
     - Logging and analysis are simple
       - Only transactional information is available (e.g. time and date of an attack, protocol, source and destination IP and port); no information about the attacks themselves
11. Introduction to honeypots & honeynets
   - Disadvantages of low-interaction honeypot
     - Pretty boring :-)
     - No real interaction possible for an attacker
     - Very limited logging abilities
     - Can only capture known attacks
     - Easily detectable by a skilled attacker
12. Introduction to honeypots & honeynets
   - Advantages of high-interaction honeypot
     - This is where the fun part starts :-)
     - You will face real-life data and attacks, so the activities captured are most valuable.
     - Learn as much as possible about the attacker, the attack itself and especially the methodology and tools used.
     - High-interaction honeypots can help you prevent future attacks and gain a certain understanding of possible threats.
13. Introduction to honeypots & honeynets
   - Disadvantages of high-interaction honeypot
     - Building, configuring, deploying and maintaining a high-interaction honeypot is very time consuming, as it involves a variety of different technologies (e.g. IDS, firewall etc.) that have to be customized.
     - Analyzing a compromised honeypot is extremely time consuming (40 hours for every 30 minutes an attacker spent on a system!) and difficult (e.g. identifying exploits, rootkits, system or configuration modifications etc.).
     - A high-interaction honeypot introduces a high level of risk and, if there are no additional precautions in place, might put an organization's overall IT security at stake.
14. Introduction to honeypots & honeynets
   - What is a honeynet?
     - A honeynet is a network that contains one or more honeypots.
       - Since honeypots are not production systems, the honeynet itself has no production activity and no authorized services. As a result, any interaction with a honeynet implies malicious or unauthorized activity.
     - A honeynet is an architecture.
       - This architecture creates a highly controlled network, one in which you can control and monitor all activity that happens within it. You then place your target systems, your honeypots, within that architecture.
15. Introduction to honeypots & honeynets
   - Honeynet Project Goals (http://www.honeynet.org)
   - The Honeynet Project is a nonprofit organization founded in October 1999, dedicated to information security and honeypot research
     - Awareness: learn the tools, tactics, and motives of the hacker community
     - Information: teach and inform about the application of honeypots and forensic challenges
     - Research: spur thought-provoking discussion and help drive innovation and research in this emerging space
16. Introduction to honeypots & honeynets
   - Honeynet Architecture (image-only slide; the diagram is not included in the transcript)
17. Introduction to honeypots & honeynets
   - Key requirements
     - Data Control: defines how activity is contained within the honeynet without the attacker knowing it. Its purpose is to minimize risk (e.g. Snort-Inline, bandwidth throttling).
     - Data Capture: capturing all of the attacker's activity without the attacker knowing it (e.g. Sebek).
     - Data Analysis: the ability to analyze this data.
     - Data Collection: the ability to collect data from multiple honeynets to a single source.
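The two ideas above that a gateway actually has to implement, IDS-like alerting on any inbound traffic (slide 6) and Data Control by limiting what the honeypot may send out (slide 17), as an added example that is not code from the presentation or the Honeynet Project. The honeypot address, the flow-log format and the outbound limit of five new connections per hour are all constructed assumptions.

```python
"""Honeynet gateway flow-log checker: IDS-like alerting plus Data Control.

Added example. Assumptions (constructed, not from the slides): the honeypot
sits at 10.0.0.5, the gateway logs flows as
"<epoch> <proto> <src>:<sport> -> <dst>:<dport>", and Data Control permits at
most OUTBOUND_LIMIT_PER_HOUR new outbound connections per clock hour.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

HONEYPOT = "10.0.0.5"          # constructed honeypot address
OUTBOUND_LIMIT_PER_HOUR = 5    # constructed Data Control threshold

# Constructed flow records as a honeywall-style gateway might log them:
# two inbound probes, then the compromised honeypot trying to reach out.
SAMPLE_FLOWS = """\
1000 tcp 203.0.113.9:40001 -> 10.0.0.5:22
1005 tcp 203.0.113.9:40002 -> 10.0.0.5:80
1010 tcp 10.0.0.5:51000 -> 198.51.100.7:6667
1012 tcp 10.0.0.5:51001 -> 198.51.100.8:22
1014 tcp 10.0.0.5:51002 -> 198.51.100.9:22
1016 tcp 10.0.0.5:51003 -> 198.51.100.10:22
1018 tcp 10.0.0.5:51004 -> 198.51.100.11:22
1020 tcp 10.0.0.5:51005 -> 198.51.100.12:22
1022 tcp 10.0.0.5:51006 -> 198.51.100.13:22
"""


def parse_flow(line: str) -> Tuple[int, str, str, int, str, int]:
    """Split one constructed flow line into (ts, proto, sip, sport, dip, dport)."""
    ts, proto, src, _arrow, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return int(ts), proto, sip, int(sport), dip, int(dport)


def analyze(flow_text: str, honeypot: str = HONEYPOT,
            limit: int = OUTBOUND_LIMIT_PER_HOUR) -> Dict[str, List[str]]:
    """Classify every flow touching the honeypot.

    Inbound flows are always alerts: the honeypot has no legitimate users, so
    any connection to it is hostile by definition (the IDS-like property).
    Outbound flows are counted per clock hour; the first `limit` are allowed
    so the attacker does not notice the containment, the rest are dropped.
    """
    result: Dict[str, List[str]] = {
        "inbound_alerts": [], "outbound_allowed": [], "outbound_dropped": []}
    per_hour: Dict[int, int] = defaultdict(int)
    for raw in flow_text.splitlines():
        if not raw.strip():
            continue
        ts, proto, sip, sport, dip, dport = parse_flow(raw)
        if dip == honeypot:
            result["inbound_alerts"].append(f"{sip}:{sport} -> {dport}/{proto} at {ts}")
        elif sip == honeypot:
            window = ts // 3600
            per_hour[window] += 1
            entry = f"{dip}:{dport}/{proto} at {ts}"
            key = "outbound_allowed" if per_hour[window] <= limit else "outbound_dropped"
            result[key].append(entry)
    return result


if __name__ == "__main__":
    for kind, entries in analyze(SAMPLE_FLOWS).items():
        print(f"{kind} ({len(entries)}):")
        for e in entries:
            print("   ", e)
```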
19. Free & commercial honeypot solutions
   - Digest of honeypot products
     - BackOfficer Friendly: a free Win32-based honeypot solution. It is able to emulate single services such as telnet, ftp, smtp.
     - Deception Toolkit (DTK): a free and programmable solution intended to make it appear to attackers as if the system running DTK has a large number of widely known vulnerabilities.
     - Mantrap / Decoy Server (commercial): Symantec Decoy Server sensors deliver holistic detection and response and provide detailed information through their system of data collection modules.
     - Specter: SPECTER offers common Internet services such as SMTP, FTP, POP3, HTTP and TELNET. They appear normal to attackers but are in fact traps for them.
20. Free & commercial honeypot solutions
   - Which is best?
     - None; they all have their advantages and disadvantages. It depends on what you are attempting to achieve.
22. Installing your own honeypot
   - How to prepare the installation of a honeypot
     - Read as much as you can about honeypots.
     - Confirm that honeypots are allowed in your environment.
     - Define the goals of your honeypot. Why do you want to run a honeypot?
     - Figure out what type of honeypot you will deploy.
     - Collect your own set of monitoring, logging, and forensic analysis tools.
     - Develop a recovery plan. How are you going to restore the honeypot system to an unaltered state?
     - Deploy the honeypot and its supporting components.
     - Test the deployment.
     - Analyze the results.
     - Fine-tune the honeypot system based on lessons learned.
     - Repeat steps as necessary.
23. Installing your own honeypot
   - How to prepare the installation of a honeypot (cont.)
     - Low-interaction honeypot: make sure an attacker can't access the underlying operating system. Just KEEP IT SIMPLE!
     - High-interaction honeypot: use advanced network techniques to control the honeypot (e.g. firewalls, intrusion detection systems) and make sure it can't be used to harm third parties.
     - Don't expect too much! In the beginning, don't push yourself too hard. You will probably want to catch 0-day exploits, but that is a *long* way to go! Start with something simple.
     - Wipe the hard drive before using it in a honeypot.
24. Installing your own honeypot
   - How to prepare the installation of a honeypot (cont.)
     - Copy the evidence before analyzing it (e.g. with dd).
     - Give the honeypot enough time to work.
       - An attacker needs time to compromise a system and work with it. Just give him or her enough time to play (e.g. two weeks).
     - Don't put any production data on the honeypot.
       - It's a good idea to place pseudo-interesting data on a honeypot, but just don't put any real production data on it!
26. Detection of honeypots
   - Techniques of detection
     - Technical properties of the honeypot: response times, banners, registry entries, inconsistent responses or parameters ...
     - "Social" properties of the system, user interaction: no typical usage (e.g. no new files created or accessed on a server for more than a week ...)
     - Network sniffing: packets going to/from the system (sniffing may be done from a different system on the network if possible)
     - Search for traces of VMware: VMware is a popular platform for honeypots, but it can be detected locally
27. Detection of honeypots
   - Techniques of detection (cont.)
     - Search for traces of honeypot tools: temp folders, kernel dumps, backdoors (Sebek etc.)
     - Search for history files/logs and other configuration errors: not only bad guys make mistakes :-)
     - Vulnerabilities/exploits for the honeypot product itself (low-interaction honeypots only)
     - Just be creative :-)
28. Detection of honeypots
   - Examples of honeypot detection
     - Inconsistencies in the TCP/IP stack:
       - Tools like hping can be used to detect incorrect TCP/IP stack emulations
       - Normal RH9: TTL=64, window=0, id=0, DF
       - RH9 on VMware: TTL=64, window=0, id=0, DF
       - RH9 on honeyd: TTL=64, window=1460, id=0, DF
29. Detection of honeypots
   - Overview of different TCP/IP stacks
     - A list of properties of different TCP/IP stacks could easily be built (e.g. with hping):
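The stack comparison on slides 28 and 29 turned into a pre-deployment check for the honeypot operator, as an added example that is not code from the presentation: the probe-response profile of the honeypot is compared field by field with the profile of the real OS it claims to be, so that a mismatch like honeyd's window=1460 is found and corrected before deployment. The RH9 values and the "TTL=64, window=0, id=0, DF" notation are the slide's own; the parsing rules (bare tokens are flags, absent flags count as unset) are an assumption of this example.

```python
"""Consistency check of an emulated TCP/IP stack against its reference OS.

Added example. Profiles are written in the slide's hping-style notation,
e.g. "TTL=64, window=0, id=0, DF". A token without '=' is treated as a set
flag (DF); a flag missing from a profile is recorded as unset. These parsing
rules are this example's assumption, not the slide's.
"""
from typing import Dict, List

KNOWN_FLAGS = ("DF",)  # flags tracked explicitly so their absence is visible


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'TTL=64, window=0, id=0, DF' into a lower-cased field dict."""
    fields = {flag: "False" for flag in KNOWN_FLAGS}
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
        else:
            fields[part.upper()] = "True"
    return fields


def compare_profiles(reference: str, observed: str) -> List[str]:
    """Return one human-readable line per field where the honeypot's
    observed response differs from the reference OS. Empty list means the
    emulation is consistent for every property in the profile."""
    ref, obs = parse_profile(reference), parse_profile(observed)
    mismatches = []
    for key in sorted(set(ref) | set(obs)):
        if ref.get(key) != obs.get(key):
            mismatches.append(
                f"{key}: expected {ref.get(key)!r}, observed {obs.get(key)!r}")
    return mismatches


def check_candidates(reference: str, candidates: Dict[str, str]) -> Dict[str, List[str]]:
    """Run compare_profiles for several deployment variants at once."""
    return {name: compare_profiles(reference, prof) for name, prof in candidates.items()}


# Values taken from slide 28.
NORMAL_RH9 = "TTL=64, window=0, id=0, DF"
RH9_ON_VMWARE = "TTL=64, window=0, id=0, DF"
RH9_ON_HONEYD = "TTL=64, window=1460, id=0, DF"

if __name__ == "__main__":
    report = check_candidates(NORMAL_RH9, {"vmware": RH9_ON_VMWARE,
                                           "honeyd": RH9_ON_HONEYD})
    for name, issues in report.items():
        status = "consistent" if not issues else "; ".join(issues)
        print(f"{name}: {status}")
```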
31. Future of honeypot technologies
   - Future on the good side ...
     - Honeytokens
     - Wireless honeypots
     - SPAM honeypots
     - Honeypot farms
     - Search-engine honeypots
32. Future of honeypot technologies
   - Honeytokens
     - The concept of honeytokens is not new.
     - Generally, a honeytoken could be a bogus record in a database which is not needed by any application. If someone tries to access it, an alarm can be raised (a honeypot inside an application).
       - Example: a patient record for John F. Kennedy in a hospital's patient database. There is no such patient in the hospital.
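The slide's hospital honeytoken carried through in code, as an added example that is not from the presentation: a bogus patient row is planted, and because SQLite has no SELECT triggers, the application's data-access layer inspects every result set and writes an alert when the token row comes back. The schema, the other patient rows and the token id are constructed; the patient name is the slide's own example.

```python
"""Honeytoken record in a patient database with access alerting.

Added example. The database, the legitimate rows and HONEYTOKEN_ID are
constructed; "John F. Kennedy" is the slide's example of a patient who does
not exist. No application needs this row, so any query that returns it is
either an error or someone browsing data they should not.
"""
import sqlite3
from typing import List, Tuple

HONEYTOKEN_ID = 99999  # constructed primary key of the bogus record


def build_db() -> sqlite3.Connection:
    """Create an in-memory patient database with one planted honeytoken."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, ward TEXT);
        CREATE TABLE honeytoken_alerts (
            ts    TEXT DEFAULT CURRENT_TIMESTAMP,
            actor TEXT,
            query TEXT);
    """)
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", [
        (1, "Alice Example", "A1"),                 # constructed
        (2, "Bob Example", "B2"),                   # constructed
        (HONEYTOKEN_ID, "John F. Kennedy", "C3"),   # honeytoken from the slide
    ])
    conn.commit()
    return conn


def query_patients(conn: sqlite3.Connection, actor: str, sql: str,
                   params: Tuple = ()) -> List[Tuple]:
    """Run a read query on behalf of `actor` through the data-access layer.

    If the honeytoken's id appears anywhere in the returned rows, an alert
    row recording who ran which query is written before results are returned.
    Known bulk jobs (backups, exports) would need an allow-list here; this
    example deliberately alerts on them too.
    """
    rows = conn.execute(sql, params).fetchall()
    if any(HONEYTOKEN_ID in row for row in rows):
        conn.execute(
            "INSERT INTO honeytoken_alerts (actor, query) VALUES (?, ?)",
            (actor, sql))
        conn.commit()
    return rows


def alerts(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """Return (actor, query) pairs for every honeytoken access so far."""
    return conn.execute(
        "SELECT actor, query FROM honeytoken_alerts ORDER BY rowid").fetchall()


if __name__ == "__main__":
    db = build_db()
    # Normal ward lookup: never touches the bogus record, no alert.
    query_patients(db, "nurse1", "SELECT id, name FROM patients WHERE ward = ?", ("A1",))
    # Someone dumping the whole table pulls the token out and trips the alarm.
    query_patients(db, "export_job", "SELECT id, name FROM patients")
    for actor, sql in alerts(db):
        print(f"ALERT honeytoken accessed by {actor}: {sql}")
```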
33. Future of honeypot technologies
   - Wireless honeypots
     - Usage of honeypot technology to detect intruders of wireless networks.
     - Other wireless technologies, like Bluetooth, could also be considered.
34. Future of honeypot technologies
   - Honeypot farms
     - Farming is a solution to simplify large honeynet deployments.
     - Instead of deploying large numbers of honeypots, or honeypots on every network, you simply deploy your honeypots in a single, consolidated location.
     - Attackers are then redirected to the farm, regardless of what network they are on or probing.
35. Future of honeypot technologies
   - Search-engine honeypot
     - A web server built to catch attackers who use a search engine (mostly Google) as an attacking tool.
36. Future of honeypot technologies
   - Future on the evil side ...
     - New honeypot detection technologies
     - Automated honeypot scanners and anti-honeypot technologies
     - Honeypot exploits
38. Summary
   - Coming closer to the end ...
     - Honeypots are a quite new field of research; lots of work still has to be done (so start your own now!)
     - Try your first own forensic investigation by analyzing the files provided by honeynet.org :-)
     - Analyzing compromised honeypots helps you gain a certain understanding of the tools, methodologies and avenues used by attackers in the wild (and may improve your own hacking skills as well as your defense strategies!)
39. Further information
   - Online resources
     - Honeynet Project, http://www.honeynet.org
     - Lance Spitzner, "Tracking Hackers", http://www.tracking-hackers.com
     - Lance Spitzner, "Honeypot Farms", http://www.securityfocus.com/infocus/1720
     - Distributed Honeypot Project, http://www.lucidic.net
     - Niels Provos, honeyd, http://www.honeyd.org
     - Phrack magazine, http://www.phrack.org
     - Lance Spitzner, "Fighting Relay Spam the Honeypot Way", http://www.tracking-hackers.com/solutions/sendmail.html
     - Honeynet Germany, "IT-Sicherheit in Deutschland", http://www.honeynet.de
     - Google.com :-)
40. All about Honeypots & Honeynets
   - The end.
   - Thanks for your patience and attention!
   This presentation is available online at http://www.FanavaranComputer.com/honeypot and http://www.Honeynet.ir