SlideShare a Scribd company logo

Honeypotdeploy Ieee2005

seguridadutpl
seguridadutpl

As part of an effort to improve honeynet’s maintenance process, several procedures and tools automating highinteraction honeypot management tasks have been developed. Among the advantages of the adoption and use of these procedures and tools are the documentation of the maintenance procedures, the standardization of the collected data structure, the elimination of errors during the maintenance of honeypots, the automatization of the tasks that are executed and the reduction of the time between the deactivation and activation of a compromised honeypot.

Education
1 of 6
Download to read offline
Proceedings of the 2005 IEEE Workshop on Information Assurance and Security T1B2 1555 United States Military Academy, West Point, NY, 15–17 June 2005 Honeynet Maintenance Procedures and Tools Carlos Henrique P. C. Chaves, Lucio Henrique Franco, Antonio Montes Renato Archer Research Center - CenPRA/MCT 13069-901 - Campinas, SP - Brazil {carlos.chaves, lucio.franco, antonio.montes}@cenpra.gov.br eypot or reinstalling a compromised one. The image has Abstract— As part of an effort to improve honeynet’s maintenance scripts to perform a variety of tasks that will be described process, several procedures and tools automating high- in the subsequent sections. interaction honeypot management tasks have been devel- The remainder of this paper is organized as follows. Sec- oped. Among the advantages of the adoption and use of these procedures and tools are the documentation of the tion II presents a brief description of honeypots and their maintenance procedures, the standardization of the col- classification. The procedures employed are discussed in lected data structure, the elimination of errors during the Section III and Section IV presents the scripts created for maintenance of honeypots, the automatization of the tasks that are executed and the reduction of the time between the their implementation. Section V concludes this paper. deactivation and activation of a compromised honeypot. II. Honeypots Classification I. Introduction A honeypot is very different from most traditional se- A Honeynet is not a product, it is a highly controlled curity mechanisms. They are security resources that have network used to contain and analyze attackers in the wild. no production value; no person or resource should be com- The primary purpose of a Honeynet is to gather informa- municating with them. As such, any observed activity is tion about threats that exist. New tools can be discovered, suspected by default. Any traffic sent to the honeypot is attack patterns can be determined, and attackers motives most likely a probe, scan, or attack. Any traffic initiated by studied [1]. Honeynets are composed of an administration the honeypot means the system has most likely been com- subnet and many hosts called honeypots, which are security promised and the attacker is making outbound connections resources designed to be probed, attacked or compromised, [4]. and to register these activities [2]. Honeypots can be classified by their level of interaction. In the daily operation of a honeynet, it is not uncommon High-interaction honeypots are hosts with real operating that one has to deactivate a honeypot, clean it up and put systems and services. They can be compromised and fully it back in operation. In addition, it is very convenient to controlled by the attackers. As a result, they can be con- have procedures and tools in place to rapidly install a new figured to collect a large amount of information, such as honeypot when required. This is particularly true if the which vulnerability is being exploited, which tool is being honeynet has many honeypots or when many members of used, and what is the attacker’s motivation. This makes the project share the management task [3]. them very useful as a research tool. On the other hand, The procedures discussed in this paper applies to high- they can pose a serious threat to the environment, since interaction honeypots in a research honeynet. It includes the attacker can try to use the honeypot as a launching zeroing the disk, choosing the operating system, installing point of scan and attacks against other hosts in the net- services, and finally configuring the data collection mech- work. This is the main reason for avoiding using high- anisms and the preservation of the artifacts stored in the interaction honeypots in production network. Instead one honeypot. These procedures help to avoid human errors, may use low-interaction honeypots, which can be as sim- which could cause contamination of the capture data or ple as a listening port or a full blown emulated network. reveal the presence of the honeytrap to attackers. This type of honeypots can be easier to install and should Together with these procedures, a bootable iso-image of be less risky, since the attacks would be directed to fake a system based on the Slax Linux distribution1 has been services or operating systems. As a consequence, the col- developed to automate the process of deploying a new hon- lected data will consist mainly of scans and connections to emulated services. Despite this, it is becoming common to C. H. P. C. Chaves and L.H. Franco are also with National Institute use low-interaction honeypots as a complement to intru- for Space Research - S˜o Jos´ dos Campos, SP - Brazil. a e 1 http://slax.linux-live.org/ sion detection systems in production network, where they ISBN 0-7803-9814-9/$10.00 c 2002 IEEE 30
can be particularly useful in the detection of internal worm 4. The honeypot’s configuration script is executed to create attacks. new users, configure the network settings, etc. 5. In order to monitor the attacker’s steps, keystroke The management of high-interaction honeypots is a com- recording system are configured in the honeypot. These plex task, since there must be no traces of previous instal- systems can send the commands typed by an attacker to lations and of the monitoring tools, and in order to facili- a loghost, using the syslog system [10], and broadcast this tate analysis the activities logging should be configured to information directly into the network [11]. follow the same standards independently of the operating 6. A script to generate the MD5 and SHA1 hashes of the system. These requirements lead to the need of developing honeypot’s files is executed. The hashes can be used later procedures for the first time deployment, monitoring and to discover which files have been changed by an attacker. redeployment of honeypots. 7. A script to generate the system’s status is executed. The present paper describes the procedures and tools This is composed of the output of some Unix commands used to maintain the honeynets of the Brazilian Honeynet like ps, netstat, lsof, socklist and df. Project, made up of high-interaction honeypots [5], [6]. 8. The MD5 and SHA1 hashes and the system’s status files The architecture of these honeynets are based on the GenII are stored in a loghost in the administration subnet which architecture [7] and follows strictly the Honeynet Project stores also the system’s images. requirements [8]. These procedures will be detailed in the 9. Traces of the steps (5-8) above are erased. next section. 10. The system’s image is generated and exported to the loghost. III. Developed Procedures 11. The new honeypot is connected in the honeynet and Honeynets usually contain several honeypots with differ- monitored until the moment when it will be turned off. ent configurations, running a variety of operating system B. Post-deployment Procedure and local or network services. For their maintenance, it is convenient to develop methodologies and elaborate proce- After the honeypot installation, a standardized deploy- dures. As mentioned above, this is particularly relevant if ment log of every honeypot must be created and sent to the honeynet has many honeypots or when many members the project members by e-mail. The log is based on the of the project share the management task [3]. These proce- Honeynet Project model [12]. dures can be automated using scripts which reduce the time The log file name follows a standard, which is HN-[org]- between the honeypot’s deactivation and activation. The DEPLOY-[date]. The [org] tag must be changed by the procedures and scripts contain key steps in a honeypot con- name of the organization where the Honeynet has been figuration, like zeroing the entire disk before installing the deployed, and the [date] tag must be changed by the actual operating system from installation media [9] or removing date. Figure 1 shows an example of a log file created for a traces of the honeypot configuration to avoid information deployed honeypot. leaks. Another important procedure describes a database for the storage of information about the honeypots of a HONEYNET-BR SUMMARY: honeynet, including type and version of the operating sys- ------------------------ GenII Honeynet with a class C IP address block exposed directly to tem, type and version of network services, compromises, the Internet. Typical small organization /24 network. etc. This will ease the process of gathering information IP RANGE: xxx.xxx.xxx.1-254 for status reports and the maintenance of the honeypot’s timeline. ACTIVE HONEYPOTS: ----------------- A. Honeypot Deployment Procedure System Name: Hp1 System IP: 10.0.0.36 System OS: RH 7.2, default, no patches The first step in the honeypot deployment is the defini- Date Deployed: 2004, Nov 24 tion of the operating system and services (including ver- Time Deployed: 10:50am sions) that will be installed. Next, some basic procedures Responsible: Lucio Henrique Franco System Summary: must be followed during the installation process: - minimal installation, with portmap(4.0-38), with xinetd(2.3.3-1) - kernel version: 2.4.7-10 1. The hard disk must be written with a constant data Modifications to System: pattern (usually zeros). This procedure also has the benefit - installed ntpd(4.1.0-4), httpd(1.3.20-16 with ssl & with mod_perl 1.2 4_01-3), php(4.0.6-7), wu-ftpd(2.6.1-18) that disk image copies compress better, and that deleted - installed static bash patch files are easier to find [9]. - installed smartl - add default accounts 2. The chosen operating system is installed, usually using Status Change: the default installation options. 3. The chosen services are installed, configured and initial- Fig. 1. Honeypot deployment log file. ized. ISBN 0-7803-9814-9/$10.00 c 2002 IEEE 31
Also when a honeypot is compromised, a new log file Honeypot disconnected from the Honeynet is created, containig the information about the attack, in- cluding what was the time of the first successful access, the explored service, the atacker’s IP address and its whois in- formation. Figure 2 shows an example of a log file created Try to login from the console for a compromised honeypot. Finally, if the honeypot is deactivated, time and date of end of operation is appended Restart the system. in the Status Change field of the log file (see also Figure YES NO 2). Successful login? HONEYNET-BR SUMMARY: YES NO Execute some commands to Login failed obtain the system’s status twice? ------------------------ GenII Honeynet with a class C IP address block exposed directly to the Internet. Typical small organization /24 network. IP RANGE: xxx.xxx.xxx.1-254 NO NO Have already restarted Is the system working ACTIVE HONEYPOTS: the system? correctly? ----------------- YES YES System Name: Hp1 System IP: 10.0.0.36 System OS: RH 7.2, default, no patches Procedure documented, Date Deployed: 2004, Nov 24 Honeypot status sent to the group and deactivated! Time Deployed: 10:50am honeypot connected in the Honeynet. Responsible: Lucio Henrique Franco System Summary: - minimal installation, with portmap(4.0-38), with xinetd(2.3.3-1) - kernel version: 2.4.7-10 Fig. 3. Honeypots monitoring procedure. Modifications to System: - installed ntpd(4.1.0-4), httpd(1.3.20-16 with ssl & with mod_perl 1.2 4_01-3), php(4.0.6-7), wu-ftpd(2.6.1-18) - installed static bash patch 5. Analyze the honeypots’s status, and if it is working cor- - installed smartl - add default accounts rectly, the results are documented, the status sent to the Status Change: group and the honeypot is connected back to the Honeynet. - First succesfull attack: Sat Dec 04 15:43:50 GMT 2004 (Resp. Cae) - Attack description: OpenSSL Buffer overflow exploit If the honeypot is not working correctly and have not been - Attack origin: 10.10.0.104 restarted, restart the system and try to login again. If it - Whois: 10.10.0.0 - 10.10.255.255 -> Foobar Technologies -> Brazil has already been restarted, deactivate the honeypot. - Offline on 12-10-2004 at 08:30am (Lucio) D. Honeypot Deactivation Procedure Fig. 2. Compromised honeypot log file. From the moment the honeypot is deployed in the hon- eynet, it is constantly monitored by the administration sub- net. Once it has been compromised, alerts are generated C. Honeypot Monitoring Procedure and sent to the project members by e-mail. The commands, actions and other information generated by the attacker are The operating system and applications running on the collected and sent to a loghost. honeypots can have failures, caused by hardware failures, or problems in the filesystem, or simply the interruption of At that moment, one has to decide if it will be deac- a service or all system as a result of an attack. These issues tivated or not. Usually it has to be deactivated if some raise the necessity of a monitoring procedure. Once a week critical part of the operating system has been damaged, (period defined by the project), all honeypots are tested or if the attacker has made so many modifications to the according to the procedure described below and showed in system that it becomes nonfunctional. Figure 3. The deactivation procedure includes the following steps: The operation monitoring procedure is performed as fol- 1. Disconnect the honeypot from the Honeynet. lows: 2. Collect and analyze the system status. 3. Generate the system’s image and export it to the host 1. The honeypot is disconnected from the Honeynet. containing the initial image (described in step 8 of the in- 2. The system is first tested by trying to login from the stallation procedure). console. 4. The honeypot is ready to be reinstalled (procedure de- 3. If the login is successful, a script is executed to obtain scribed at section III-A). the honeypot’s status (see Subsection IV-F). Otherwise, try to login again. As mentioned before, some honeypots may be so dam- 4. If the login fails twice, deactivate the honeypot. aged that one is unable to login from the console. In this ISBN 0-7803-9814-9/$10.00 c 2002 IEEE 32
case, the honeypot must be rebooted using a live CD-ROM were designed to be used with other distributions and op- or floppy disk of a operating system (like Slax Linux dis- erating systems). tribution) to be able to generate the hard disk’s image and B. Honeypot Configuration Script export it to another host. The image generated is then analyzed and compared with the initial image. This pro- The honeypot configuration script is used after the in- cess can reveal what has been modified in the honeypot by stallation of the operating system, described above, and the attacker. Also the status files and file hashes can be the reboot of the system. The script has two options: (1) compared with the initial ones. configure a new honeypot; or (2) generate the system’s sta- In the next section the scripts generated to automate the tus, the MD54 and SHA15 hashes, clean up all traces and procedures discussed above will be described. export the image of the installed system to another host. The first option must be used when installing a new hon- IV. Developed Tools eypot. In this case, the image copied to the honeypot disk must be from a system installation iso-image. The first step The procedures described in the previous section are in this option is to configure the root password and the hon- complex, and mistakes can be made easily. Moreover, it eypot’s network (IP address, netmask, broadcast address, is interesting to automate the processes in order to make gateway, dns server, NTP server, honeypot’s name and do- them faster and avoid human errors. These assertions main name). The script then automatically detects which raised the necessity of creating scripts to automate the pro- is the operating system being installed to configure it prop- cedures of deploying a honeypot. In order to be portable, erly. The next step is to create the user’s accounts. After they were developed using shell scripts. that, the script asks if any post-installation is required. In A. Honeypot Deployment Script affirmative case, the script will return a root shell to let the user install and configure any other applications. The user This is the central script for the deployment of a hon- will have to run the honeypot cleanup script manually af- eypot. It has three options: (1) erase the hard disk and ter he finishes configuring the applications. Otherwise, the create a new partition; (2) erase one specified partition honeypot cleanup script will be executed automatically. and use it for the installation of the operating system; and The second option will apply when restoring the honey- (3) generate and export the new system image. pot from a compromise and re-installing the same system. In the case of installing a new honeypot, the first option In this case, the only thing that the honeypot configuration must be used because the hard disk must be erased (written script will do is to execute the honeypot cleanup script. with zeros) and a new system partition must be created. In the case of restoring the honeypot and installing the C. SHA1 and MD5 Hash Generation Script same system that was used (from an image), the second The function of this script is to generate the MD5 and option must be chosen because the same partitioning must SHA1 hashes of all files in a given directory. The script can be used. The first two options differ only at the beginning have many directories as input, and all hashes generated of the process. After that, the deployment process follows will be stored in a file for each directory. Finally, these the same sequence, starting with the script asking for the generated files are compressed. location of the image to be copied to the honeypot disk. Then it uses SSH2 to transfer the system’s partition image The name of generated files is composed of the honey- pot name, plus the directory path and the suffix “md5” or from a remote host to the honeypot. Afterward, the swap “sha1”. partition is enabled and the LILO boot loader is installed using the configuration file (/etc/lilo.conf) from the image This script was developed for Linux, FreeBSD, and Win- dows (using cygwin46 ). It uses the command “uname -s” copied to the honeypot. The script finally prepares the new system to call the honeypot configuration script when the to detect which operating system is being used in order to new system is booted and root logs in. set up the right parameters. The third option is used to generate the image of the D. Honeypot Cleanup Script system’s partition and export it to another host using the network. The script has the option of using Netcat3 or SSH The main goal of the honeypot cleanup script is to gen- to transfer the image. Netcat is faster than SSH, but the erate the MD5 and SHA1 hashes of the files in the selected second is more adequate to preserve the image’s confiden- directories, generate the system’s status, clean up all traces tiality and integrity. and export the generated information to the host that will It is important to mention that the scripts were originally store the image of the system. developed to deal with Red Hat Linux honeypots (but they 4 http://www.ietf.org/rfc/rfc1321.txt 2 http://www.openssh.com/ 5 http://www.ietf.org/rfc/rfc3174.txt 3 http://netcat.sourceforge.net/ 6 http://www.cygwin.com/ ISBN 0-7803-9814-9/$10.00 c 2002 IEEE 33
The first operation performed is to execute the MD5 and 5. Finally, the system must be rebooted again. Only now SHA1 hashes generation script to generate the SHA1 and the CD-ROM must be ejected in order to allow the honey- MD5 hashes of the files in the following directories: /bin, pot to boot from its own operating system. /sbin, /dev, /etc, /usr/bin, /usr/sbin, /usr/local/bin and F. Operation Monitoring Script /usr/local/sbin. There might be others, depending on the operating system and applications. The operation monitoring script was created to automate Next the script generate the system’s status using Unix and standardize the process of generating the honeypot’s commands such as ifconfig, netstat, ps, lsof, lsmod, rpcinfo, status. This shell script uses a CD-ROM containing stati- df, socklist, rpm and last. The applications output are cally compiled binaries of the applications used to perform stored in text files, using the name of the application plus the task. The script must be copied and run from a floppy the suffix “.txt”. disk, where the output of the script will also be stored. The Once the SHA1 and MD5 hashes have been generated honeypot operation monitoring script performs the follow- and the system status has been collected, the honeypot ing steps: information is ready to be exported to another host (it is 1. The floppy disk containing the script is mounted. suggested that this information be stored together with the 2. The script is executed from the floppy disk using the new honeypot image). Again, SSH is used to transfer the CD-ROM mounting point and the output directory as pa- files. rameters. Finally, the last step is to remove all traces left from the 3. The output directory is created in the floppy disk using configuration of the honeypot. To ensure that the deleted the current date as its name. files won’t be able to be restored, the application “shred”7 4. The commands that generate the status of the honeypot is used to overwrite the files repeatedly in order to make it are executed and their output is appended to the status file, harder for even very expensive hardware probing to recover located in the output directory. the data. 5. The CD-ROM and the floppy disk are umounted. Figure 4 shows the status file generated for the honeypot E. High-Interaction Honeypot Deployment CD-ROM hp1 that was stored in /mnt/floppy/15 03 2004/hp1. Some lines of the file were trimmed to make the figure fit in the At the beginning of this section, the need to create scripts available space. to automate the procedures for honeypot deployment is discussed. The development of the scripts described above V. Conclusion has partially automated the process, but up to this point it is still necessary to copy and run some scripts in the The creation of procedures and tools for the deployment honeypot manually. of a high-interaction honeypot has great relevance to hon- eynet researchers. They automate the processes and im- This situation lead to the creation of a tool that au- prove the information gathering methods. Standards are tomates the manual processes that remained. A high- created to be followed by all Honeynet administrators and interaction honeypot deployment CD-ROM has been cre- this avoid human error like deactivating a honeypot with- ated using the Slax Linux distribution. It includes all the out generating its final status. This kind of error would scripts described in the previous subsections and automates harm the comparison of the honeypot information imedi- all the required tasks. The CD-ROM executes the following atelly after installation and after the compromise. Also steps: the time that a honeypot stay out of operation is reduced 1. The machine that will host the honeypot has to be considerably. booted from the CD-ROM and when root logs in, the hon- The tools were being developed and used since the begin- eypot deployment script is executed and the deployment nig of the Brazilian Honeynet Project, in december of 2001, process starts. when the definition of the honeypots configuration proce- 2. As described in Subsection IV-A, after the copy of the dures have begun. The difficulties in the management of honeypot’s operating system image to the hard disk, the the honeynets showed the importance of developing tools other scripts are copied to the /root directory of the hon- to automate and document the processes of honeypot con- eypot, and a call to the honeypot configuration script is figuration, monitoring and deployment. added in the file /etc/profile of the honeypot. 3. A reboot is performed to boot the honeypot’s own sys- VI. Acknowledgments tem. When root logs in, the configuration script is exe- cuted. The authors would like to thank Cristine Hoepers, Klaus 4. After all configuration and cleaning up, the system is Steding-Jessen and Marcelo Chaves for useful discussions. rebooted using the Slax’s CD-ROM to generate and export References the honeypot’s image. [1] H. Project, “Know your enemy: Honeynets,” November 2003. 7 http://www.gnu.org/software/fileutils/ http://www.honeynet.org/papers/honeynet/index.html. ISBN 0-7803-9814-9/$10.00 c 2002 IEEE 34
[2] L. Spitzner, “Hosus (honeypot surveillance system),” ;lo- gin: Magazine of Usenix and Sage, vol. 27, Decem- $cat /mnt/floppy/15_03_2004/hp1 ber 2002. http://www.usenix.org/publications/login/2002- 12/pdfs/spitzner.pdf. ### hostname ### [3] L. H. Franco and A. Montes, “Procedimentos e Ferramentas para hp1.localdomain Manuten¸˜o de Honeypots de Alta Interatividade,” in Anais ca ### df -h ### do I WorkComp Sul - Unisul - Universidade do Sul de Santa Filesystem Size Used Avail Capacity Mounted on Catarina (WorkComp Sul’2004), (Florian´polis, SC), May 2004. o /dev/sda1 1.7G 628M 1.0G 38% / ISBN 85-86870-25-0. none 46M 0 46M 0% /dev/shm [4] L. Spitzner, Honeypots: Tracking Hackers. Addison Wesley, /dev/fd0 1.4M 3.5k 1.3M 1% /mnt/floppy 2002. /dev/cdrom 358M 358M 0 100% /mnt/cdrom [5] A. B. Filho, A. S. M. S. Amaral, A. Montes, C. Hoepers, K. Steding-Jessen, L. H. Franco, and M. H. P. C. Chaves, “Hon- ### w ### eynet.BR: Desenvolvimento e Implanta¸˜o de um Sistema para ca 12:46pm up 32 days, 0 min, 1 user, load average: 0.28, 0.42, 0.25 Avalia¸˜o de Atividades Hostis na Internet Brasileira,” in Anais ca USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT do IV Simp´sio sobre Seguran¸a em Inform´tica (SSI’2002), o c a root tty1 - 12:32pm 3.00s 4.00s 0.27s /bin/sh ./statu (Sao Jose dos Campos, SP), pp. 19–25, November 2002. ### last ### [6] H. Project, “Status report: January – august 2004,” September root tty1 Tue Jul 27 12:32 still logged in 2004. http://www.honeynet.org.br/status-report/. root tty1 Fri Jun 25 12:53 - 12:54 (00:01) [7] H. Project, “Know your enemy: Genii honeynets,” November reboot system boot 2.4.7-10 Fri Jun 25 12:52 (31+23:54) 2003. http://www.honeynet.org/papers/gen2/index.html. root tty1 Wed Jun 16 10:24 - 10:25 (00:00) [8] H. Project, “Honeynet definitions, require- reboot system boot 2.4.7-10 Wed Jun 16 10:22 (9+02:26) ments, and standards,” October 2004. http://project.honeynet.org/alliance/requirements.html. ### netstat -na ### [9] W. Venema and D. Farmer, “Being prepared Active Internet connections (servers and established) for intrusion,” Dr. Dobb’s Journal, April 2001. Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN http://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/tct/being- tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN prepared.html. tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN [10] H. Project, Know Your Enemy: Revealing the Security Tools, tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN Tactics, and Motives of the Blackhat Community. Addison Wes- tcp 0 0 0.0.0.0:11223 0.0.0.0:* ley, 2001. udp 0 0 0.0.0.0:3049 0.0.0.0:* [11] L. G. C. Barbato and A. Montes, “SMaRT - Session Monitor- udp 0 0 0.0.0.0:111 0.0.0.0:* ing and Replay Tool,” in Apresentado no Grupo de Trabalho udp 0 0 10.0.0.36:123 0.0.0.0:* em Seguran¸a de Redes (GTS’02.2003), (Rio de Janeiro, RJ), c udp 0 0 127.0.0.1:123 0.0.0.0:* December 2003. udp 0 0 0.0.0.0:123 0.0.0.0:* [12] H. Project, “Honeypot deployment log,” December 2001. (...) http://www.honeynet.org/alliance/AppendixA.txt. ### ps -auwwwwx ### USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.3 1384 340 ? S Jun25 0:31 init [3] root 2 0.0 0.0 0 0 ? SW Jun25 0:00 [keventd] root 3 0.0 0.0 0 0 ? SW Jun25 0:00 [kapm-idled] root 8 0.0 0.0 0 0 ? SW Jun25 0:39 [kupdated] root 468 0.0 0.6 1452 584 ? S Jun25 0:05 syslogd -m 0 root 473 0.0 1.0 2036 980 ? S Jun25 0:00 klogd -2 root 32404 0.0 0.0 0 0 ? Z Jul11 0:00 [sh <defunct>] root 32403 0.0 0.0 948 32 ? T Jul11 0:00 /bin/sh -c sa1 root 950 0.0 0.7 1580 684 ? S Jul12 0:00 CROND (...) ### vmstat ### procs -------memory------- -swap- --io-- -system- --cpu--- r b w swpd free buff cache si so bi bo in cs us sy id 0 0 0 1956 3096 1540 37336 0 0 0 0 8 11 016 ### rpcinfo -p 0 ### program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100024 1 udp 1024 status 100024 1 tcp 1024 status ### uptime ### 12:46pm up 32 days, 0 min, 1 user, load average: 0.28, 0.42, 0.25 ### printenv ### HOSTNAME=hp1.localdomain SHELL=/bin/bash TERM=linux HISTSIZE=1000 USER=root (...) Fig. 4. Summary of a status file. ISBN 0-7803-9814-9/$10.00 c 2002 IEEE 35

Recommended

Automated defense from rootkit attacks
Automated defense from rootkit attacksAutomated defense from rootkit attacks
Automated defense from rootkit attacks
UltraUploader
 
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
Mrunalini Koritala
 
Factors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxFactors Affecting the System Safety || Linux
Factors Affecting the System Safety || Linux
Zain Abid
 
A fault tolerance approach to computer viruses
A fault tolerance approach to computer virusesA fault tolerance approach to computer viruses
A fault tolerance approach to computer viruses
UltraUploader
 
Spectre & Meltdown
Spectre & MeltdownSpectre & Meltdown
Spectre & Meltdown
Murray Security Services
 
Review on Honeypot Security
Review on Honeypot SecurityReview on Honeypot Security
Review on Honeypot Security
IRJET Journal
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012
Rian Yulian
 
Testbed For Ids
Testbed For IdsTestbed For Ids
Testbed For Ids
amiable_indian
 

Recommended

Automated defense from rootkit attacks
Automated defense from rootkit attacksAutomated defense from rootkit attacks
Automated defense from rootkit attacks
UltraUploader
 
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
Mrunalini Koritala
 
Factors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxFactors Affecting the System Safety || Linux
Factors Affecting the System Safety || Linux
Zain Abid
 
A fault tolerance approach to computer viruses
A fault tolerance approach to computer virusesA fault tolerance approach to computer viruses
A fault tolerance approach to computer viruses
UltraUploader
 
Spectre & Meltdown
Spectre & MeltdownSpectre & Meltdown
Spectre & Meltdown
Murray Security Services
 
Review on Honeypot Security
Review on Honeypot SecurityReview on Honeypot Security
Review on Honeypot Security
IRJET Journal
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012
Rian Yulian
 
Testbed For Ids
Testbed For IdsTestbed For Ids
Testbed For Ids
amiable_indian
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012
Rian Yulian
 
Stuxnet - Case Study
Stuxnet - Case StudyStuxnet - Case Study
Stuxnet - Case Study
Amr Thabet
 
Processing tech malicioussoftware_ecommerce
Processing tech malicioussoftware_ecommerceProcessing tech malicioussoftware_ecommerce
Processing tech malicioussoftware_ecommerce
Chittagong University
 
Security Operations -- An Overview
Security Operations -- An OverviewSecurity Operations -- An Overview
Security Operations -- An Overview
Nicholas Davis
 
Backtracking king05
Backtracking king05Backtracking king05
Backtracking king05
Dalton Dalton
 
PPT_Compiled
PPT_CompiledPPT_Compiled
PPT_Compiled
Avineshwar Singh
 
My Keynote from BSidesTampa 2015 (video in description)
My Keynote from BSidesTampa 2015 (video in description)My Keynote from BSidesTampa 2015 (video in description)
My Keynote from BSidesTampa 2015 (video in description)
Andrew Case
 
Enchaning system effiency through process scanning
Enchaning system effiency through process scanningEnchaning system effiency through process scanning
Enchaning system effiency through process scanning
sai kiran
 
IRJET- Sandbox Technology
IRJET- Sandbox TechnologyIRJET- Sandbox Technology
IRJET- Sandbox Technology
IRJET Journal
 
Honeypot- An Overview
Honeypot- An OverviewHoneypot- An Overview
Honeypot- An Overview
IRJET Journal
 
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.comHOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
Prof Ansari
 
Seminar
SeminarSeminar
Seminar
Kevin ITian
 
DevOps_SelfHealing
DevOps_SelfHealingDevOps_SelfHealing
DevOps_SelfHealing
Atul Dhingra
 
M0704071074
M0704071074M0704071074
M0704071074
IJERD Editor
 
Network Security: Experiment of Network Health Analysis At An ISP
Network Security: Experiment of Network Health Analysis At An ISPNetwork Security: Experiment of Network Health Analysis At An ISP
Network Security: Experiment of Network Health Analysis At An ISP
CSCJournals
 
Ceh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersCeh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffers
Asep Sopyan
 
Final Year presentation
Final Year presentationFinal Year presentation
Final Year presentation
Akash Rajguru
 
Modern Attack Detection using Intelligent Honeypot
Modern Attack Detection using Intelligent HoneypotModern Attack Detection using Intelligent Honeypot
Modern Attack Detection using Intelligent Honeypot
IRJET Journal
 
A honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network securityA honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network security
IAEME Publication
 
Project in malware analysis:C2C
Project in malware analysis:C2CProject in malware analysis:C2C
Project in malware analysis:C2C
Fabrizio Farinacci
 
Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Engineering Internship Report - Network Intrusion Detection And Prevention Us...Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Disha Bedi
 
Present and desired network management to cope with the expected expansion, n...
Present and desired network management to cope with the expected expansion, n...Present and desired network management to cope with the expected expansion, n...
Present and desired network management to cope with the expected expansion, n...
Alexander Decker
 

More Related Content

What's hot

What's hot (7)

SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012
 
Stuxnet - Case Study
Stuxnet - Case StudyStuxnet - Case Study
Stuxnet - Case Study
 
Processing tech malicioussoftware_ecommerce
Processing tech malicioussoftware_ecommerceProcessing tech malicioussoftware_ecommerce
Processing tech malicioussoftware_ecommerce
 
Security Operations -- An Overview
Security Operations -- An OverviewSecurity Operations -- An Overview
Security Operations -- An Overview
 
Backtracking king05
Backtracking king05Backtracking king05
Backtracking king05
 
PPT_Compiled
PPT_CompiledPPT_Compiled
PPT_Compiled
 
My Keynote from BSidesTampa 2015 (video in description)
My Keynote from BSidesTampa 2015 (video in description)My Keynote from BSidesTampa 2015 (video in description)
My Keynote from BSidesTampa 2015 (video in description)
 

Similar to Honeypotdeploy Ieee2005

DevOps_SelfHealing
DevOps_SelfHealingDevOps_SelfHealing
DevOps_SelfHealing
Atul Dhingra
 
Final Year presentation
Final Year presentationFinal Year presentation
Final Year presentation
Akash Rajguru
 
A honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network securityA honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network security
IAEME Publication
 
Current Topics paper A4 submission 4.30.2015 Master Copy
Current Topics paper A4 submission 4.30.2015 Master CopyCurrent Topics paper A4 submission 4.30.2015 Master Copy
Current Topics paper A4 submission 4.30.2015 Master Copy
Tommie Walls
 
[White paper] detecting problems in industrial networks though continuous mon...
[White paper] detecting problems in industrial networks though continuous mon...[White paper] detecting problems in industrial networks though continuous mon...
[White paper] detecting problems in industrial networks though continuous mon...
TI Safe
 

Similar to Honeypotdeploy Ieee2005 (20)

Enchaning system effiency through process scanning
Enchaning system effiency through process scanningEnchaning system effiency through process scanning
Enchaning system effiency through process scanning
 
IRJET- Sandbox Technology
IRJET- Sandbox TechnologyIRJET- Sandbox Technology
IRJET- Sandbox Technology
 
Honeypot- An Overview
Honeypot- An OverviewHoneypot- An Overview
Honeypot- An Overview
 
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.comHOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
 
Seminar
SeminarSeminar
Seminar
 
DevOps_SelfHealing
DevOps_SelfHealingDevOps_SelfHealing
DevOps_SelfHealing
 
M0704071074
M0704071074M0704071074
M0704071074
 
Network Security: Experiment of Network Health Analysis At An ISP
Network Security: Experiment of Network Health Analysis At An ISPNetwork Security: Experiment of Network Health Analysis At An ISP
Network Security: Experiment of Network Health Analysis At An ISP
 
Ceh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersCeh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffers
 
Final Year presentation
Final Year presentationFinal Year presentation
Final Year presentation
 
Modern Attack Detection using Intelligent Honeypot
Modern Attack Detection using Intelligent HoneypotModern Attack Detection using Intelligent Honeypot
Modern Attack Detection using Intelligent Honeypot
 
A honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network securityA honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network security
 
Project in malware analysis:C2C
Project in malware analysis:C2CProject in malware analysis:C2C
Project in malware analysis:C2C
 
Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Engineering Internship Report - Network Intrusion Detection And Prevention Us...Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Engineering Internship Report - Network Intrusion Detection And Prevention Us...
 
Present and desired network management to cope with the expected expansion, n...
Present and desired network management to cope with the expected expansion, n...Present and desired network management to cope with the expected expansion, n...
Present and desired network management to cope with the expected expansion, n...
 
Current Topics paper A4 submission 4.30.2015 Master Copy
Current Topics paper A4 submission 4.30.2015 Master CopyCurrent Topics paper A4 submission 4.30.2015 Master Copy
Current Topics paper A4 submission 4.30.2015 Master Copy
 
Y04405144148
Y04405144148Y04405144148
Y04405144148
 
Dynamic Analysis And Profiling Of Multi Threaded Systems
Dynamic Analysis And Profiling Of Multi Threaded SystemsDynamic Analysis And Profiling Of Multi Threaded Systems
Dynamic Analysis And Profiling Of Multi Threaded Systems
 
[White paper] detecting problems in industrial networks though continuous mon...
[White paper] detecting problems in industrial networks though continuous mon...[White paper] detecting problems in industrial networks though continuous mon...
[White paper] detecting problems in industrial networks though continuous mon...
 
publishable paper
publishable paperpublishable paper
publishable paper
 

Recently uploaded

1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
KarakKing
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 

Recently uploaded (20)

Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 

Honeypotdeploy Ieee2005

  • 1. Proceedings of the 2005 IEEE Workshop on Information Assurance and Security T1B2 1555 United States Military Academy, West Point, NY, 15–17 June 2005 Honeynet Maintenance Procedures and Tools Carlos Henrique P. C. Chaves, Lucio Henrique Franco, Antonio Montes Renato Archer Research Center - CenPRA/MCT 13069-901 - Campinas, SP - Brazil {carlos.chaves, lucio.franco, antonio.montes}@cenpra.gov.br eypot or reinstalling a compromised one. The image has Abstract— As part of an effort to improve honeynet’s maintenance scripts to perform a variety of tasks that will be described process, several procedures and tools automating high- in the subsequent sections. interaction honeypot management tasks have been devel- The remainder of this paper is organized as follows. Sec- oped. Among the advantages of the adoption and use of these procedures and tools are the documentation of the tion II presents a brief description of honeypots and their maintenance procedures, the standardization of the col- classification. The procedures employed are discussed in lected data structure, the elimination of errors during the Section III and Section IV presents the scripts created for maintenance of honeypots, the automatization of the tasks that are executed and the reduction of the time between the their implementation. Section V concludes this paper. deactivation and activation of a compromised honeypot. II. Honeypots Classification I. Introduction A honeypot is very different from most traditional se- A Honeynet is not a product, it is a highly controlled curity mechanisms. They are security resources that have network used to contain and analyze attackers in the wild. no production value; no person or resource should be com- The primary purpose of a Honeynet is to gather informa- municating with them. As such, any observed activity is tion about threats that exist. New tools can be discovered, suspected by default. Any traffic sent to the honeypot is attack patterns can be determined, and attackers motives most likely a probe, scan, or attack. Any traffic initiated by studied [1]. Honeynets are composed of an administration the honeypot means the system has most likely been com- subnet and many hosts called honeypots, which are security promised and the attacker is making outbound connections resources designed to be probed, attacked or compromised, [4]. and to register these activities [2]. Honeypots can be classified by their level of interaction. In the daily operation of a honeynet, it is not uncommon High-interaction honeypots are hosts with real operating that one has to deactivate a honeypot, clean it up and put systems and services. They can be compromised and fully it back in operation. In addition, it is very convenient to controlled by the attackers. As a result, they can be con- have procedures and tools in place to rapidly install a new figured to collect a large amount of information, such as honeypot when required. This is particularly true if the which vulnerability is being exploited, which tool is being honeynet has many honeypots or when many members of used, and what is the attacker’s motivation. This makes the project share the management task [3]. them very useful as a research tool. On the other hand, The procedures discussed in this paper applies to high- they can pose a serious threat to the environment, since interaction honeypots in a research honeynet. It includes the attacker can try to use the honeypot as a launching zeroing the disk, choosing the operating system, installing point of scan and attacks against other hosts in the net- services, and finally configuring the data collection mech- work. This is the main reason for avoiding using high- anisms and the preservation of the artifacts stored in the interaction honeypots in production network. Instead one honeypot. These procedures help to avoid human errors, may use low-interaction honeypots, which can be as sim- which could cause contamination of the capture data or ple as a listening port or a full blown emulated network. reveal the presence of the honeytrap to attackers. This type of honeypots can be easier to install and should Together with these procedures, a bootable iso-image of be less risky, since the attacks would be directed to fake a system based on the Slax Linux distribution1 has been services or operating systems. As a consequence, the col- developed to automate the process of deploying a new hon- lected data will consist mainly of scans and connections to emulated services. Despite this, it is becoming common to C. H. P. C. Chaves and L.H. Franco are also with National Institute use low-interaction honeypots as a complement to intru- for Space Research - S˜o Jos´ dos Campos, SP - Brazil. a e 1 http://slax.linux-live.org/ sion detection systems in production network, where they ISBN 0-7803-9814-9/$10.00 c 2002 IEEE 30
  • 2. can be particularly useful in the detection of internal worm 4. The honeypot’s configuration script is executed to create attacks. new users, configure the network settings, etc. 5. In order to monitor the attacker’s steps, keystroke The management of high-interaction honeypots is a com- recording system are configured in the honeypot. These plex task, since there must be no traces of previous instal- systems can send the commands typed by an attacker to lations and of the monitoring tools, and in order to facili- a loghost, using the syslog system [10], and broadcast this tate analysis the activities logging should be configured to information directly into the network [11]. follow the same standards independently of the operating 6. A script to generate the MD5 and SHA1 hashes of the system. These requirements lead to the need of developing honeypot’s files is executed. The hashes can be used later procedures for the first time deployment, monitoring and to discover which files have been changed by an attacker. redeployment of honeypots. 7. A script to generate the system’s status is executed. The present paper describes the procedures and tools This is composed of the output of some Unix commands used to maintain the honeynets of the Brazilian Honeynet like ps, netstat, lsof, socklist and df. Project, made up of high-interaction honeypots [5], [6]. 8. The MD5 and SHA1 hashes and the system’s status files The architecture of these honeynets are based on the GenII are stored in a loghost in the administration subnet which architecture [7] and follows strictly the Honeynet Project stores also the system’s images. requirements [8]. These procedures will be detailed in the 9. Traces of the steps (5-8) above are erased. next section. 10. The system’s image is generated and exported to the loghost. III. Developed Procedures 11. The new honeypot is connected in the honeynet and Honeynets usually contain several honeypots with differ- monitored until the moment when it will be turned off. ent configurations, running a variety of operating system B. Post-deployment Procedure and local or network services. For their maintenance, it is convenient to develop methodologies and elaborate proce- After the honeypot installation, a standardized deploy- dures. As mentioned above, this is particularly relevant if ment log of every honeypot must be created and sent to the honeynet has many honeypots or when many members the project members by e-mail. The log is based on the of the project share the management task [3]. These proce- Honeynet Project model [12]. dures can be automated using scripts which reduce the time The log file name follows a standard, which is HN-[org]- between the honeypot’s deactivation and activation. The DEPLOY-[date]. The [org] tag must be changed by the procedures and scripts contain key steps in a honeypot con- name of the organization where the Honeynet has been figuration, like zeroing the entire disk before installing the deployed, and the [date] tag must be changed by the actual operating system from installation media [9] or removing date. Figure 1 shows an example of a log file created for a traces of the honeypot configuration to avoid information deployed honeypot. leaks. Another important procedure describes a database for the storage of information about the honeypots of a HONEYNET-BR SUMMARY: honeynet, including type and version of the operating sys- ------------------------ GenII Honeynet with a class C IP address block exposed directly to tem, type and version of network services, compromises, the Internet. Typical small organization /24 network. etc. This will ease the process of gathering information IP RANGE: xxx.xxx.xxx.1-254 for status reports and the maintenance of the honeypot’s timeline. ACTIVE HONEYPOTS: ----------------- A. Honeypot Deployment Procedure System Name: Hp1 System IP: 10.0.0.36 System OS: RH 7.2, default, no patches The first step in the honeypot deployment is the defini- Date Deployed: 2004, Nov 24 tion of the operating system and services (including ver- Time Deployed: 10:50am sions) that will be installed. Next, some basic procedures Responsible: Lucio Henrique Franco System Summary: must be followed during the installation process: - minimal installation, with portmap(4.0-38), with xinetd(2.3.3-1) - kernel version: 2.4.7-10 1. The hard disk must be written with a constant data Modifications to System: pattern (usually zeros). This procedure also has the benefit - installed ntpd(4.1.0-4), httpd(1.3.20-16 with ssl & with mod_perl 1.2 4_01-3), php(4.0.6-7), wu-ftpd(2.6.1-18) that disk image copies compress better, and that deleted - installed static bash patch files are easier to find [9]. - installed smartl - add default accounts 2. The chosen operating system is installed, usually using Status Change: the default installation options. 3. The chosen services are installed, configured and initial- Fig. 1. Honeypot deployment log file. ized. ISBN 0-7803-9814-9/$10.00 c 2002 IEEE 31
  • 3. Also when a honeypot is compromised, a new log file Honeypot disconnected from the Honeynet is created, containig the information about the attack, in- cluding what was the time of the first successful access, the explored service, the atacker’s IP address and its whois in- formation. Figure 2 shows an example of a log file created Try to login from the console for a compromised honeypot. Finally, if the honeypot is deactivated, time and date of end of operation is appended Restart the system. in the Status Change field of the log file (see also Figure YES NO 2). Successful login? HONEYNET-BR SUMMARY: YES NO Execute some commands to Login failed obtain the system’s status twice? ------------------------ GenII Honeynet with a class C IP address block exposed directly to the Internet. Typical small organization /24 network. IP RANGE: xxx.xxx.xxx.1-254 NO NO Have already restarted Is the system working ACTIVE HONEYPOTS: the system? correctly? ----------------- YES YES System Name: Hp1 System IP: 10.0.0.36 System OS: RH 7.2, default, no patches Procedure documented, Date Deployed: 2004, Nov 24 Honeypot status sent to the group and deactivated! Time Deployed: 10:50am honeypot connected in the Honeynet. Responsible: Lucio Henrique Franco System Summary: - minimal installation, with portmap(4.0-38), with xinetd(2.3.3-1) - kernel version: 2.4.7-10 Fig. 3. Honeypots monitoring procedure. Modifications to System: - installed ntpd(4.1.0-4), httpd(1.3.20-16 with ssl & with mod_perl 1.2 4_01-3), php(4.0.6-7), wu-ftpd(2.6.1-18) - installed static bash patch 5. Analyze the honeypots’s status, and if it is working cor- - installed smartl - add default accounts rectly, the results are documented, the status sent to the Status Change: group and the honeypot is connected back to the Honeynet. - First succesfull attack: Sat Dec 04 15:43:50 GMT 2004 (Resp. Cae) - Attack description: OpenSSL Buffer overflow exploit If the honeypot is not working correctly and have not been - Attack origin: 10.10.0.104 restarted, restart the system and try to login again. If it - Whois: 10.10.0.0 - 10.10.255.255 -> Foobar Technologies -> Brazil has already been restarted, deactivate the honeypot. - Offline on 12-10-2004 at 08:30am (Lucio) D. Honeypot Deactivation Procedure Fig. 2. Compromised honeypot log file. From the moment the honeypot is deployed in the hon- eynet, it is constantly monitored by the administration sub- net. Once it has been compromised, alerts are generated C. Honeypot Monitoring Procedure and sent to the project members by e-mail. The commands, actions and other information generated by the attacker are The operating system and applications running on the collected and sent to a loghost. honeypots can have failures, caused by hardware failures, or problems in the filesystem, or simply the interruption of At that moment, one has to decide if it will be deac- a service or all system as a result of an attack. These issues tivated or not. Usually it has to be deactivated if some raise the necessity of a monitoring procedure. Once a week critical part of the operating system has been damaged, (period defined by the project), all honeypots are tested or if the attacker has made so many modifications to the according to the procedure described below and showed in system that it becomes nonfunctional. Figure 3. The deactivation procedure includes the following steps: The operation monitoring procedure is performed as fol- 1. Disconnect the honeypot from the Honeynet. lows: 2. Collect and analyze the system status. 3. Generate the system’s image and export it to the host 1. The honeypot is disconnected from the Honeynet. containing the initial image (described in step 8 of the in- 2. The system is first tested by trying to login from the stallation procedure). console. 4. The honeypot is ready to be reinstalled (procedure de- 3. If the login is successful, a script is executed to obtain scribed at section III-A). the honeypot’s status (see Subsection IV-F). Otherwise, try to login again. As mentioned before, some honeypots may be so dam- 4. If the login fails twice, deactivate the honeypot. aged that one is unable to login from the console. In this ISBN 0-7803-9814-9/$10.00 c 2002 IEEE 32
  • 4. case, the honeypot must be rebooted using a live CD-ROM were designed to be used with other distributions and op- or floppy disk of a operating system (like Slax Linux dis- erating systems). tribution) to be able to generate the hard disk’s image and B. Honeypot Configuration Script export it to another host. The image generated is then analyzed and compared with the initial image. This pro- The honeypot configuration script is used after the in- cess can reveal what has been modified in the honeypot by stallation of the operating system, described above, and the attacker. Also the status files and file hashes can be the reboot of the system. The script has two options: (1) compared with the initial ones. configure a new honeypot; or (2) generate the system’s sta- In the next section the scripts generated to automate the tus, the MD54 and SHA15 hashes, clean up all traces and procedures discussed above will be described. export the image of the installed system to another host. The first option must be used when installing a new hon- IV. Developed Tools eypot. In this case, the image copied to the honeypot disk must be from a system installation iso-image. The first step The procedures described in the previous section are in this option is to configure the root password and the hon- complex, and mistakes can be made easily. Moreover, it eypot’s network (IP address, netmask, broadcast address, is interesting to automate the processes in order to make gateway, dns server, NTP server, honeypot’s name and do- them faster and avoid human errors. These assertions main name). The script then automatically detects which raised the necessity of creating scripts to automate the pro- is the operating system being installed to configure it prop- cedures of deploying a honeypot. In order to be portable, erly. The next step is to create the user’s accounts. After they were developed using shell scripts. that, the script asks if any post-installation is required. In A. Honeypot Deployment Script affirmative case, the script will return a root shell to let the user install and configure any other applications. The user This is the central script for the deployment of a hon- will have to run the honeypot cleanup script manually af- eypot. It has three options: (1) erase the hard disk and ter he finishes configuring the applications. Otherwise, the create a new partition; (2) erase one specified partition honeypot cleanup script will be executed automatically. and use it for the installation of the operating system; and The second option will apply when restoring the honey- (3) generate and export the new system image. pot from a compromise and re-installing the same system. In the case of installing a new honeypot, the first option In this case, the only thing that the honeypot configuration must be used because the hard disk must be erased (written script will do is to execute the honeypot cleanup script. with zeros) and a new system partition must be created. In the case of restoring the honeypot and installing the C. SHA1 and MD5 Hash Generation Script same system that was used (from an image), the second The function of this script is to generate the MD5 and option must be chosen because the same partitioning must SHA1 hashes of all files in a given directory. The script can be used. The first two options differ only at the beginning have many directories as input, and all hashes generated of the process. After that, the deployment process follows will be stored in a file for each directory. Finally, these the same sequence, starting with the script asking for the generated files are compressed. location of the image to be copied to the honeypot disk. Then it uses SSH2 to transfer the system’s partition image The name of generated files is composed of the honey- pot name, plus the directory path and the suffix “md5” or from a remote host to the honeypot. Afterward, the swap “sha1”. partition is enabled and the LILO boot loader is installed using the configuration file (/etc/lilo.conf) from the image This script was developed for Linux, FreeBSD, and Win- dows (using cygwin46 ). It uses the command “uname -s” copied to the honeypot. The script finally prepares the new system to call the honeypot configuration script when the to detect which operating system is being used in order to new system is booted and root logs in. set up the right parameters. The third option is used to generate the image of the D. Honeypot Cleanup Script system’s partition and export it to another host using the network. The script has the option of using Netcat3 or SSH The main goal of the honeypot cleanup script is to gen- to transfer the image. Netcat is faster than SSH, but the erate the MD5 and SHA1 hashes of the files in the selected second is more adequate to preserve the image’s confiden- directories, generate the system’s status, clean up all traces tiality and integrity. and export the generated information to the host that will It is important to mention that the scripts were originally store the image of the system. developed to deal with Red Hat Linux honeypots (but they 4 http://www.ietf.org/rfc/rfc1321.txt 2 http://www.openssh.com/ 5 http://www.ietf.org/rfc/rfc3174.txt 3 http://netcat.sourceforge.net/ 6 http://www.cygwin.com/ ISBN 0-7803-9814-9/$10.00 c 2002 IEEE 33
  • 5. The first operation performed is to execute the MD5 and 5. Finally, the system must be rebooted again. Only now SHA1 hashes generation script to generate the SHA1 and the CD-ROM must be ejected in order to allow the honey- MD5 hashes of the files in the following directories: /bin, pot to boot from its own operating system. /sbin, /dev, /etc, /usr/bin, /usr/sbin, /usr/local/bin and F. Operation Monitoring Script /usr/local/sbin. There might be others, depending on the operating system and applications. The operation monitoring script was created to automate Next the script generate the system’s status using Unix and standardize the process of generating the honeypot’s commands such as ifconfig, netstat, ps, lsof, lsmod, rpcinfo, status. This shell script uses a CD-ROM containing stati- df, socklist, rpm and last. The applications output are cally compiled binaries of the applications used to perform stored in text files, using the name of the application plus the task. The script must be copied and run from a floppy the suffix “.txt”. disk, where the output of the script will also be stored. The Once the SHA1 and MD5 hashes have been generated honeypot operation monitoring script performs the follow- and the system status has been collected, the honeypot ing steps: information is ready to be exported to another host (it is 1. The floppy disk containing the script is mounted. suggested that this information be stored together with the 2. The script is executed from the floppy disk using the new honeypot image). Again, SSH is used to transfer the CD-ROM mounting point and the output directory as pa- files. rameters. Finally, the last step is to remove all traces left from the 3. The output directory is created in the floppy disk using configuration of the honeypot. To ensure that the deleted the current date as its name. files won’t be able to be restored, the application “shred”7 4. The commands that generate the status of the honeypot is used to overwrite the files repeatedly in order to make it are executed and their output is appended to the status file, harder for even very expensive hardware probing to recover located in the output directory. the data. 5. The CD-ROM and the floppy disk are umounted. Figure 4 shows the status file generated for the honeypot E. High-Interaction Honeypot Deployment CD-ROM hp1 that was stored in /mnt/floppy/15 03 2004/hp1. Some lines of the file were trimmed to make the figure fit in the At the beginning of this section, the need to create scripts available space. to automate the procedures for honeypot deployment is discussed. The development of the scripts described above V. Conclusion has partially automated the process, but up to this point it is still necessary to copy and run some scripts in the The creation of procedures and tools for the deployment honeypot manually. of a high-interaction honeypot has great relevance to hon- eynet researchers. They automate the processes and im- This situation lead to the creation of a tool that au- prove the information gathering methods. Standards are tomates the manual processes that remained. A high- created to be followed by all Honeynet administrators and interaction honeypot deployment CD-ROM has been cre- this avoid human error like deactivating a honeypot with- ated using the Slax Linux distribution. It includes all the out generating its final status. This kind of error would scripts described in the previous subsections and automates harm the comparison of the honeypot information imedi- all the required tasks. The CD-ROM executes the following atelly after installation and after the compromise. Also steps: the time that a honeypot stay out of operation is reduced 1. The machine that will host the honeypot has to be considerably. booted from the CD-ROM and when root logs in, the hon- The tools were being developed and used since the begin- eypot deployment script is executed and the deployment nig of the Brazilian Honeynet Project, in december of 2001, process starts. when the definition of the honeypots configuration proce- 2. As described in Subsection IV-A, after the copy of the dures have begun. The difficulties in the management of honeypot’s operating system image to the hard disk, the the honeynets showed the importance of developing tools other scripts are copied to the /root directory of the hon- to automate and document the processes of honeypot con- eypot, and a call to the honeypot configuration script is figuration, monitoring and deployment. added in the file /etc/profile of the honeypot. 3. A reboot is performed to boot the honeypot’s own sys- VI. Acknowledgments tem. When root logs in, the configuration script is exe- cuted. The authors would like to thank Cristine Hoepers, Klaus 4. After all configuration and cleaning up, the system is Steding-Jessen and Marcelo Chaves for useful discussions. rebooted using the Slax’s CD-ROM to generate and export References the honeypot’s image. [1] H. Project, “Know your enemy: Honeynets,” November 2003. 7 http://www.gnu.org/software/fileutils/ http://www.honeynet.org/papers/honeynet/index.html. ISBN 0-7803-9814-9/$10.00 c 2002 IEEE 34
  • 6. [2] L. Spitzner, “Hosus (honeypot surveillance system),” ;lo- gin: Magazine of Usenix and Sage, vol. 27, Decem- $cat /mnt/floppy/15_03_2004/hp1 ber 2002. http://www.usenix.org/publications/login/2002- 12/pdfs/spitzner.pdf. ### hostname ### [3] L. H. Franco and A. Montes, “Procedimentos e Ferramentas para hp1.localdomain Manuten¸˜o de Honeypots de Alta Interatividade,” in Anais ca ### df -h ### do I WorkComp Sul - Unisul - Universidade do Sul de Santa Filesystem Size Used Avail Capacity Mounted on Catarina (WorkComp Sul’2004), (Florian´polis, SC), May 2004. o /dev/sda1 1.7G 628M 1.0G 38% / ISBN 85-86870-25-0. none 46M 0 46M 0% /dev/shm [4] L. Spitzner, Honeypots: Tracking Hackers. Addison Wesley, /dev/fd0 1.4M 3.5k 1.3M 1% /mnt/floppy 2002. /dev/cdrom 358M 358M 0 100% /mnt/cdrom [5] A. B. Filho, A. S. M. S. Amaral, A. Montes, C. Hoepers, K. Steding-Jessen, L. H. Franco, and M. H. P. C. Chaves, “Hon- ### w ### eynet.BR: Desenvolvimento e Implanta¸˜o de um Sistema para ca 12:46pm up 32 days, 0 min, 1 user, load average: 0.28, 0.42, 0.25 Avalia¸˜o de Atividades Hostis na Internet Brasileira,” in Anais ca USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT do IV Simp´sio sobre Seguran¸a em Inform´tica (SSI’2002), o c a root tty1 - 12:32pm 3.00s 4.00s 0.27s /bin/sh ./statu (Sao Jose dos Campos, SP), pp. 19–25, November 2002. ### last ### [6] H. Project, “Status report: January – august 2004,” September root tty1 Tue Jul 27 12:32 still logged in 2004. http://www.honeynet.org.br/status-report/. root tty1 Fri Jun 25 12:53 - 12:54 (00:01) [7] H. Project, “Know your enemy: Genii honeynets,” November reboot system boot 2.4.7-10 Fri Jun 25 12:52 (31+23:54) 2003. http://www.honeynet.org/papers/gen2/index.html. root tty1 Wed Jun 16 10:24 - 10:25 (00:00) [8] H. Project, “Honeynet definitions, require- reboot system boot 2.4.7-10 Wed Jun 16 10:22 (9+02:26) ments, and standards,” October 2004. http://project.honeynet.org/alliance/requirements.html. ### netstat -na ### [9] W. Venema and D. Farmer, “Being prepared Active Internet connections (servers and established) for intrusion,” Dr. Dobb’s Journal, April 2001. Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN http://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/tct/being- tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN prepared.html. tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN [10] H. Project, Know Your Enemy: Revealing the Security Tools, tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN Tactics, and Motives of the Blackhat Community. Addison Wes- tcp 0 0 0.0.0.0:11223 0.0.0.0:* ley, 2001. udp 0 0 0.0.0.0:3049 0.0.0.0:* [11] L. G. C. Barbato and A. Montes, “SMaRT - Session Monitor- udp 0 0 0.0.0.0:111 0.0.0.0:* ing and Replay Tool,” in Apresentado no Grupo de Trabalho udp 0 0 10.0.0.36:123 0.0.0.0:* em Seguran¸a de Redes (GTS’02.2003), (Rio de Janeiro, RJ), c udp 0 0 127.0.0.1:123 0.0.0.0:* December 2003. udp 0 0 0.0.0.0:123 0.0.0.0:* [12] H. Project, “Honeypot deployment log,” December 2001. (...) http://www.honeynet.org/alliance/AppendixA.txt. ### ps -auwwwwx ### USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.3 1384 340 ? S Jun25 0:31 init [3] root 2 0.0 0.0 0 0 ? SW Jun25 0:00 [keventd] root 3 0.0 0.0 0 0 ? SW Jun25 0:00 [kapm-idled] root 8 0.0 0.0 0 0 ? SW Jun25 0:39 [kupdated] root 468 0.0 0.6 1452 584 ? S Jun25 0:05 syslogd -m 0 root 473 0.0 1.0 2036 980 ? S Jun25 0:00 klogd -2 root 32404 0.0 0.0 0 0 ? Z Jul11 0:00 [sh <defunct>] root 32403 0.0 0.0 948 32 ? T Jul11 0:00 /bin/sh -c sa1 root 950 0.0 0.7 1580 684 ? S Jul12 0:00 CROND (...) ### vmstat ### procs -------memory------- -swap- --io-- -system- --cpu--- r b w swpd free buff cache si so bi bo in cs us sy id 0 0 0 1956 3096 1540 37336 0 0 0 0 8 11 016 ### rpcinfo -p 0 ### program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100024 1 udp 1024 status 100024 1 tcp 1024 status ### uptime ### 12:46pm up 32 days, 0 min, 1 user, load average: 0.28, 0.42, 0.25 ### printenv ### HOSTNAME=hp1.localdomain SHELL=/bin/bash TERM=linux HISTSIZE=1000 USER=root (...) Fig. 4. Summary of a status file. ISBN 0-7803-9814-9/$10.00 c 2002 IEEE 35