Honeypots

       Bernardo Maia Rodrigues
       bmr@csirt.pop-mg.rnp.br

             CSIRT PoP-MG
Computer Security Incident Response Team
RNP Point of Presence in Minas Gerais
Introduction

 A honeypot is a security computing resource dedicated to being probed, attacked, or compromised.
Applications
 ●   Detect internal attacks;
 ●   Identify scans and automated attacks;
 ●   Identify trends;
 ●   Keep attackers away from important systems;
 ●   Collect attack signatures and malicious code (malware);
 ●   Detect compromised machines.
Low vs. High Interaction
Environments for Honeypots
 ●   OpenBSD
 ●   FreeBSD
 ●   Linux
 ●   Windows ???
Survival Time: Windows
     “The survival time is calculated as the average time between reports for an average target IP address. If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe.
     The average time between probes will vary widely from network to network. Some of our submitters subscribe to ISPs which block ports commonly used by worms. As a result, these submitters report a much longer 'survival time'. On the other hand, University Networks and users of high speed internet services are frequently targeted with additional scans from malware like bots. If you are connected to such a network, your 'survival time' will be much smaller.”
                            http://isc.sans.org/survivaltime.html
Survival Time: Windows
Choosing the Environment
Virtual Machine
Detecting Virtual Machines
 /* VMM detector, based on the SIDT trick written by joanna at invisiblethings.org
  * should compile and run on any Intel-based OS (32-bit build: pointers are 4 bytes)
  * http://invisiblethings.org
  *
  * Why a honeypot operator cares: malware that runs a check like this can refuse
  * to behave inside a virtualised honeypot, so the VM must be hard to spot.
  */
 #include <stdio.h>
 int main () {
   /* rpill = SIDT [addr]; RET: stores the 6-byte IDTR (limit + base) into m */
   unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
   *((unsigned*)&rpill[3]) = (unsigned)m;   /* patch the SIDT operand with m's address */
   ((void(*)())&rpill)();                   /* execute the byte string as code */
   printf ("idt base: %#x\n", *((unsigned*)&m[2]));
   /* a VMM relocates the guest IDT to a high address; 0xd0 is Joanna's threshold */
   if (m[5]>0xd0) printf ("Inside Matrix!\n");
   else printf ("Not in Matrix.\n");
   return 0;
 }
Honeyd
    http://www.honeyd.org

●   Low interaction
●   Daemon: virtual networks
●   Configurable through scripts to simulate applications of any operating system
●   Niels Provos: Google engineer, OpenSSH and OpenBSD contributor
Honeyd – Configuration
 $> cat /var/honeyd/conf/honeyd.conf


 annotate "Linux kernel 2.2.13 (SuSE; X86)" fragment old
 create brutessh
 set brutessh personality "Linux kernel 2.2.13 (SuSE; X86)"
 set brutessh default tcp action reset
 set brutessh default udp action reset
 set brutessh default icmp action reset
 add brutessh tcp port 22 proxy 10.0.0.1:9999
 bind *.*.*.* brutessh


 create windows
 set windows personality "Microsoft Windows XP Professional SP1"
 set windows uptime 437849843
 add windows tcp port 80 "scripts/iis5.net/main.pl"
 bind *.*.*.* windows
Honeyd – Scripts
 $> cat /var/honeyd/scripts/hello.sh

 #!/usr/local/bin/bash
 echo "Hello world!"
 while read data
 do
   echo "$data"
 done

 $> cat /var/honeyd/conf/honeyd.conf

 create test
 add test tcp port 23 "/var/honeyd/scripts/hello.sh"
 bind 10.0.0.1 test

 $> telnet 10.0.0.1 23
 Trying 10.0.0.1...
 Connected to 10.0.0.1.
 Escape character is '^]'.
 Hello world!

 $> tail /var/honeyd/log/honeyd.log
 2008-08-28-09:48:16.3539 tcp(6) S *.*.*.* 59255 10.0.0.1 23 [Linux 2.6 ]
Honeyd – Log Analysis
 $> cat /var/honeyd/log/honeyd.log


 2008-08-28-00:39:00.0156 tcp(6) - 189.34.72.204 39367 *.*.*.* 22: 60 S [Linux 2.6 ]
 2008-08-28-02:03:34.8542 tcp(6) - 124.64.123.69 64161 *.*.*.* 8080: 48 S [Windows XP SP1]
 2008-08-28-02:17:44.3695 tcp(6) - 118.161.232.185 53063 *.*.*.* 3124: 48 S [Windows XP SP1]
 2008-08-28-02:39:21.3643 tcp(6) - 201.160.39.176 4628 *.*.*.* 4899: 48 S [Windows XP SP1]
 2008-08-28-03:15:22.0131 tcp(6) - 58.215.93.7 6000 *.*.*.* 2967: 40 S
 2008-08-28-04:13:58.0860 icmp(1) - 222.124.175.222 *.*.*.*: 8(0): 61
 2008-08-28-04:41:32.8131 tcp(6) - 148.204.175.200 35480 *.*.*.* 22: 60 S [Linux 2.6 ]
 2008-08-28-04:55:34.4515 icmp(1) - 12.210.84.232 *.*.*.*: 8(0): 61
 2008-08-28-05:09:05.3692 tcp(6) - 200.249.132.68 3353 *.*.*.* 135: 48 S [Windows XP SP1]
 2008-08-28-06:39:50.9295 tcp(6) - 200.249.132.68 1300 *.*.*.* 135: 48 S [Windows XP SP1]
 2008-08-28-07:16:31.3405 tcp(6) - 81.88.245.118 3559 *.*.*.* 445: 48 S [Windows XP SP1]
 2008-08-28-07:36:45.1329 tcp(6) - 125.230.79.108 4512 *.*.*.* 25: 52 S [Windows 2000 RFC1323]
 2008-08-28-07:45:31.4038 tcp(6) - 201.3.202.102 34215 *.*.*.* 22: 60 S [Linux 2.6 ]
 2008-08-28-08:36:44.6540 tcp(6) - 84.60.254.245 4126 *.*.*.* 8080: 48 S [Windows 98 ]
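Added example, not part of the deck: a Python parser for the honeyd.log packet-log format shown above, handling both the tcp/udp records (with their optional size, flags and passive OS fingerprint) and the icmp records, and summarising which ports are probed, what the probing hosts look like and which sources touch several ports. The sample lines are constructed in the same format with documentation addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the honeyd.log packet-log format shown above (documentation
# addresses, not the deck's real data); the last line is a connection-start ("S") record.
SAMPLE_LOG = """\
2008-08-28-00:39:00.0156 tcp(6) - 192.0.2.10 39367 *.*.*.* 22: 60 S [Linux 2.6 ]
2008-08-28-02:03:34.8542 tcp(6) - 198.51.100.7 64161 *.*.*.* 8080: 48 S [Windows XP SP1]
2008-08-28-03:15:22.0131 tcp(6) - 203.0.113.5 6000 *.*.*.* 2967: 40 S
2008-08-28-04:13:58.0860 icmp(1) - 203.0.113.9 *.*.*.*: 8(0): 61
2008-08-28-05:09:05.3692 tcp(6) - 198.51.100.7 3353 *.*.*.* 135: 48 S [Windows XP SP1]
2008-08-28-07:16:31.3405 tcp(6) - 192.0.2.44 3559 *.*.*.* 445: 48 S [Windows XP SP1]
2008-08-28-09:48:16.3539 tcp(6) S 192.0.2.44 59255 10.0.0.1 23 [Linux 2.6 ]
"""

# tcp/udp record: ts proto(n) kind src sport dst dport[: size flags] [os fingerprint]
# kind is "S" (connection start), "E" (end) or "-" (packet outside a connection).
TCP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp)\(\d+\) (?P<kind>\S) "
    r"(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)"
    r"(?:: (?P<size>\d+) (?P<flags>\S+))?(?: \[(?P<os>[^\]]*)\])?\s*$"
)
# icmp record: ts icmp(1) kind src dst: type(code): size
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) icmp\(\d+\) (?P<kind>\S) (?P<src>\S+) (?P<dst>\S+): "
    r"(?P<type>\d+)\((?P<code>\d+)\): (?P<size>\d+)\s*$"
)


def parse_line(line):
    """Return a dict for one honeyd.log line, or None if the line is not recognised."""
    m = TCP_RE.match(line)
    if m:
        d = m.groupdict()
        return {
            "ts": d["ts"], "proto": d["proto"], "kind": d["kind"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "size": int(d["size"]) if d["size"] else None,
            "flags": d["flags"],
            "os": d["os"].strip() if d["os"] else None,   # passive OS fingerprint
        }
    m = ICMP_RE.match(line)
    if m:
        d = m.groupdict()
        return {
            "ts": d["ts"], "proto": "icmp", "kind": d["kind"],
            "src": d["src"], "sport": None, "dst": d["dst"], "dport": None,
            "size": int(d["size"]), "flags": None, "os": None,
            "icmp_type": int(d["type"]), "icmp_code": int(d["code"]),
        }
    return None


def parse_log(text):
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = parse_line(line)
        if rec is None:
            raise ValueError("unrecognised honeyd.log line: " + line)
        records.append(rec)
    return records


def summarize(records):
    """Targeted (proto, port) pairs, OS fingerprints of the probing hosts, packets per source."""
    ports = Counter((r["proto"], r["dport"]) for r in records if r["dport"] is not None)
    fingerprints = Counter(r["os"] for r in records if r["os"])
    sources = Counter(r["src"] for r in records)
    return ports, fingerprints, sources


def port_scanners(records, min_ports=2):
    """Sources that touched at least min_ports distinct tcp/udp ports on the honeypot."""
    seen = defaultdict(set)
    for r in records:
        if r["dport"] is not None:
            seen[r["src"]].add(r["dport"])
    return {src: ports for src, ports in seen.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    ports, fingerprints, sources = summarize(recs)
    print("most probed ports:", ports.most_common(5))
    print("fingerprints of probing hosts:", fingerprints.most_common())
    print("busiest sources:", sources.most_common(3))
    print("multi-port sources:", port_scanners(recs))
```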
Honeyd – Log Analysis
 $> cat /var/honeyd/log/brutessh.log


 Fri Jun 13 16:12:41 2008: Authentication attempt (SSHv2) ! User: sandro Password: maconha
 Fri Jun 13 16:12:41 2008: Connection from 200.168.71.203 port 18282
 Fri Jun 13 16:12:42 2008: Authentication attempt (SSHv2) ! User: sandro Password: cannabis
 Fri Jun 13 16:12:42 2008: Connection from 200.168.71.203 port 18313
 Fri Jun 13 16:12:32 2008: Authentication attempt (SSHv2) ! User: sandro Password: vasco
 Fri Jun 13 16:12:32 2008: Connection from 200.168.71.203 port 17956
 Fri Jun 13 16:12:32 2008: Authentication attempt (SSHv2) ! User: sandro Password: flamengo
 Fri Jun 13 16:12:36 2008: Connection from 200.168.71.203 port 18086
 Fri Jun 13 16:12:36 2008: Authentication attempt (SSHv2) ! User: sandro Password: sandro
 Fri Jun 13 16:12:37 2008: Connection from 200.168.71.203 port 18114
 Fri Jun 13 16:12:37 2008: Authentication attempt (SSHv2) ! User: sandro Password: sandro1
 Fri Jun 13 16:12:38 2008: Connection from 200.168.71.203 port 18141
 Fri Jun 13 16:12:38 2008: Authentication attempt (SSHv2) ! User: sandro Password: sandro12
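Added example, not part of the deck: a Python parser for the brutessh.log format above that summarises the user names and credential pairs being guessed and flags sources whose connection rate peaks above a threshold inside a time window (a simple brute-force detector). As on the slide, the lines are not in time order, so the parser sorts them; the address and credentials in the sample are constructed.

```python
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime

# Constructed sample in the brutessh.log format shown above (address and credentials
# are made up). As on the slide, the lines are not in chronological order.
SAMPLE_LOG = """\
Fri Jun 13 16:12:41 2008: Authentication attempt (SSHv2) ! User: admin Password: admin
Fri Jun 13 16:12:41 2008: Connection from 203.0.113.17 port 18282
Fri Jun 13 16:12:42 2008: Authentication attempt (SSHv2) ! User: admin Password: admin1
Fri Jun 13 16:12:42 2008: Connection from 203.0.113.17 port 18313
Fri Jun 13 16:12:32 2008: Authentication attempt (SSHv2) ! User: root Password: toor
Fri Jun 13 16:12:32 2008: Connection from 203.0.113.17 port 17956
Fri Jun 13 16:12:36 2008: Connection from 203.0.113.17 port 18086
Fri Jun 13 16:12:36 2008: Authentication attempt (SSHv2) ! User: root Password: root
Fri Jun 13 16:40:00 2008: Connection from 198.51.100.9 port 40001
Fri Jun 13 16:40:01 2008: Authentication attempt (SSHv2) ! User: root Password: 123456
"""

Event = namedtuple("Event", "ts kind src port user password")

TS_FMT = "%a %b %d %H:%M:%S %Y"          # e.g. "Fri Jun 13 16:12:41 2008"
CONN_RE = re.compile(r"^(?P<ts>.+?): Connection from (?P<src>\S+) port (?P<port>\d+)$")
AUTH_RE = re.compile(
    r"^(?P<ts>.+?): Authentication attempt \(SSHv\d\) ! "
    r"User: (?P<user>\S*) Password: (?P<pw>.*)$"
)


def parse_events(text):
    """Parse both record types and return them sorted by time (file order kept on ties)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CONN_RE.match(line)
        if m:
            events.append(Event(datetime.strptime(m["ts"], TS_FMT), "connection",
                                m["src"], int(m["port"]), None, None))
            continue
        m = AUTH_RE.match(line)
        if m:
            events.append(Event(datetime.strptime(m["ts"], TS_FMT), "auth",
                                None, None, m["user"], m["pw"]))
            continue
        raise ValueError("unrecognised brutessh.log line: " + line)
    return sorted(events, key=lambda e: e.ts)


def summarize_credentials(events):
    """Which user names are targeted and which (user, password) pairs were tried."""
    auths = [e for e in events if e.kind == "auth"]
    users = Counter(e.user for e in auths)
    pairs = Counter((e.user, e.password) for e in auths)
    return users, pairs


def peak_in_window(times, window_seconds):
    """Largest number of events that fall inside any window of window_seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bruteforce(events, threshold=10, window_seconds=60):
    """Sources whose peak connection count reaches threshold within window_seconds."""
    per_source = defaultdict(list)
    for e in events:
        if e.kind == "connection":
            per_source[e.src].append(e.ts)
    peaks = {src: peak_in_window(ts, window_seconds) for src, ts in per_source.items()}
    return {src: peak for src, peak in peaks.items() if peak >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    users, pairs = summarize_credentials(evs)
    print("targeted users:", users.most_common())
    print("credential pairs tried:", len(pairs))
    print("brute-force sources:", detect_bruteforce(evs, threshold=4, window_seconds=60))
```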
Nepenthes
    http://nepenthes.mwcollect.org/

●   Low interaction
●   Emulates known vulnerabilities to collect attack information
●   Captures binaries and the commands executed by worms
●   Mwcollect.org: collection of malware and malicious artifacts
Nepenthes – Modules
Nepenthes – Log Analysis
 $> cat /var/nepenthes/log/logged_downloads


 [2008-08-27T04:24:58] 213.23.2.114 -> *.*.*.* tftp://192.168.168.199/mslaugh.exe
 [2008-08-27T12:16:57] 88.156.57.191 -> *.*.*.* creceive://88.156.57.191:9988/0
 [2008-08-27T13:02:57] 65.207.42.75 -> *.*.*.* tftp://129.12.19.71/msblast.exe
 [2008-08-27T13:37:58] 83.92.20.178 -> *.*.*.* creceive://83.92.20.178:9988/0
 [2008-08-27T14:10:51] 200.249.132.68 -> *.*.*.* link://200.249.132.68:42087/qFsh+A==
 [2008-08-27T17:43:10] 200.249.132.68 -> *.*.*.* link://200.249.132.68:42087/qFsh+A==
 [2008-08-27T18:03:06] 70.126.5.31 -> *.*.*.* creceive://70.126.5.31:9988/0
 [2008-08-27T18:27:01] 170.51.137.180 -> *.*.*.* ftp://1:1@170.51.137.180:20864/directxx.exe
 [2008-08-27T20:31:50] 200.13.254.183 -> *.*.*.* link://200.13.254.183:58382/eOkm/A==
 [2008-08-27T21:37:29] 200.249.132.68 -> *.*.*.* link://200.249.132.68:42087/qFsh+A==
 [2008-08-27T21:43:27] 208.28.150.10 -> *.*.*.* tftp://200.1.1.221/msblast.exe
 [2008-08-27T23:18:42] 74.160.106.20 -> *.*.*.* creceive://74.160.106.20:9988/0
 [2008-08-27T23:34:10] 24.98.111.69 -> *.*.*.* http://67.191.230.57/
Nepenthes – Log Analysis
 $> cat /var/nepenthes/log/logged_submissions


 [2008-08-27T12:17:15] 88.156.57.191 -> *.*.*.* creceive://88.156.57.191:18758
    b1d52c56c5be86f927374870f1d62fb7
 [2008-08-27T13:38:13] 83.92.20.178 -> *.*.*.* creceive://83.92.20.178:3947
    32fc8b13d82583304d037859b7753c82
 [2008-08-27T18:03:16] 70.126.5.31 -> *.*.*.* creceive://70.126.5.31:4450
    3875b6257d4d21d51ec13247ee4c1cdb
 [2008-08-27T18:27:23] 170.51.137.180 -> *.*.*.* ftp://1:1@170.51.137.180:20864/directxx.exe
    382279b44f26c6d87ccaf5d8d4689738
 [2008-08-27T20:31:53] 200.13.254.183 -> *.*.*.* link://200.13.254.183:58382/eOkm/A==
    474312616dce04c03f13a20a6244b2bf
 [2008-08-27T23:18:52] 74.160.106.20 -> *.*.*.* creceive://74.160.106.20:19673
    3875b6257d4d21d51ec13247ee4c1cdb
Nepenthes – Collected Binaries
 $> ls -lha
 total 74844
 drwxr-xr-x 3 _nepenthes _nepenthes 15.0K Aug 28 08:42 .
 drwxr-xr-x 7 _nepenthes _nepenthes 512B May 13 20:23 ..
 -rw-r--r-- 1 _nepenthes _nepenthes 448K May 21 08:13 015638c416a489dac754f03871fd1968
 -rw-r--r-- 1 _nepenthes _nepenthes 66.0K May 19 14:08 0159534b9de510b072a895d1ab29fd33
 -rw-r--r-- 1 _nepenthes _nepenthes 544K Jul 5 17:40 01fd2bc35c6add923b86056bb605c20f
 -rw-r--r-- 1 _nepenthes _nepenthes 56.0K Aug 20 00:27 023efa55a6f3083b592f436a2425f4a3
 -rw-r--r-- 1 _nepenthes _nepenthes 78.5K Aug 10 18:57 038a00d06270c801f6edb4ad4202b9a3
 -rw-r--r-- 1 _nepenthes _nepenthes 77.0K Jun 16 11:35 038c88bd8b2d8f7b2f5def3950ccabd5
 -rw-r--r-- 1 _nepenthes _nepenthes 64.0K May 28 15:25 03dd2becb6d79c91b1a89c827fcfc9d7
 -rw-r--r-- 1 _nepenthes _nepenthes 59.5K Aug 12 08:36 0521a4cc3dab5551463c7cb7bfdf1bfc
 -rw-r--r-- 1 _nepenthes _nepenthes 76.5K Jul 1 11:17 0579339fbed0838000bf47121f4f57fe
 -rw-r--r-- 1 _nepenthes _nepenthes 101K Jul 20 19:46 059227d3efd52f9c2b0d7d1b6b392ecb
Amun
    http://amunhoney.sourceforge.net

●   Low interaction
●   Autonomous malware capture
●   Written in Python
●   Ease of use
●   Modules and exploits
Amun – Vulnerability Modules
 $> cat /var/amun/vuln_modules/vuln-ftpd/ftpd_modul.py

 import psyco ; psyco.full()
 from psyco.classes import *
 import struct
 import random
 import ftpd_shellcodes
 import amun_logging

 # each vulnerability module declares its name, its first protocol stage and the
 # banner sent to the client; the emulated service is built up from these stages
 class vuln:
     def __init__(self):
         try:
             self.vuln_name = "FTPD Vulnerability"
             self.stage = "FTPD_STAGE1"
             self.welcome_message = "220 Welcome to my FTP Server"
             self.shellcode = []
         except KeyboardInterrupt:
             raise
     ...
Amun – Log Analysis
 $> cat /var/amun/logs/exploits.log*


 2008-08-23 04:45:06,861 INFO exploit 209.60.60.19:2354 -> *.*.*.*:445 (PNP Vulnerability:
    bind://200.19.159.131:8594/)
 2008-08-24 18:13:41,306 INFO exploit 122.160.202.148:33772 -> *.*.*.*:2967 (SYMANTEC
    Vulnerability: cbacks://61.246.185.69:1235/)
 2008-08-24 18:26:01,128 INFO exploit 200.149.108.192:3064 -> *.*.*.*:445 (ASN1 Vulnerability:
    ftp://1:1@200.149.108.192:20579/['win.exe'])
 2008-08-25 01:06:35,619 INFO exploit 200.249.132.68:3945 -> *.*.*.*:135 (DCOM Vulnerability:
    cbackf://200.249.132.68:47683/6Fch+A==)
 2008-08-25 02:32:57,851 INFO exploit 200.249.132.68:1580 -> *.*.*.*:135 (DCOM Vulnerability:
    cbackf://200.249.132.68:47683/6Fch+A==)
 2008-08-25 03:24:20,532 INFO exploit 24.87.32.159:3888 -> *.*.*.*:135 (DCOM Vulnerability:
    cbackf://24.87.32.159:24536/YmNpLg==)
 2008-08-25 08:34:58,236 INFO exploit 125.211.218.29:3887 -> *.*.*.*:443 (IIS Vulnerability:
    http://thecric.free.fr:80/AZenv/azenv.php)
Amun – Log Analysis
 $> cat /var/amun/logs/submissions.log*


 2008-08-24 18:17:15,366 INFO [submit_md5] download (http://www.wuya1001.com:80/83.exe):
    f16ba3d216853f6f5d40bae499f17c51 (size: 62046) - SYMANTEC
 2008-08-24 18:31:55,985 INFO [submit_md5] download (ftp://1:1@200.149.108.192:20579/
    ['win.exe']): 8fcdb53b814d3155d232a149efaa40a8 (size: 132096) - ASN1
 2008-08-24 18:44:21,365 INFO [submit_md5] download
    (cbackf://200.13.254.183:46886/eOkW/A==): 474312616dce04c03f13a20a6244b2bf (size:
    68608) - DCOM
 2008-08-22 15:22:43,798 INFO [submit_md5] download (ftp://liubinbin:liubinbin@60.169.2.167:21/
    ['file/Ser1.exe']): aaaeaf9ab82f5cfe6738ca6cbed05085 (size: 61998) - SYMANTEC
 2008-08-23 02:46:20,546 INFO [submit_md5] download
    (cbackf://200.210.158.130:32636/eOmR/w==): 989a2dbd1df28b9165f510bec67ebb3c (size:
    100864) - DCOM
 2008-08-23 07:08:58,329 INFO [submit_md5] download (http://www.wuya1001.com:80/83.exe):
    a6938c98d846767ac7bc616c64a9a106 (size: 62037) - SYMANTEC
 2008-08-23 19:22:04,694 INFO [submit_md5] download (ftp://1:1@84.59.211.166:16083/
    ['directxx.exe']): 382279b44f26c6d87ccaf5d8d4689738 (size: 179200) - ASN1
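Added example, not the deck's code, serving both the Nepenthes logged_submissions slide and the Amun submissions.log slide above: a Python parser for the two submission-log formats that re-joins records wrapped onto indented continuation lines (as they appear on the slides), indexes every captured sample by its MD5 and reports which hashes were delivered to both honeypots and by which transfer scheme. Addresses and hashes in the samples are constructed.

```python
import re
from collections import defaultdict

# Constructed samples in the two submission-log formats shown above (Nepenthes
# logged_submissions and Amun submissions.log); addresses and hashes are made up.
# Long records are wrapped onto indented continuation lines, as on the slides.
NEPENTHES_SUBMISSIONS = """\
[2008-08-27T12:17:15] 198.51.100.20 -> *.*.*.* creceive://198.51.100.20:18758
   0123456789abcdef0123456789abcdef
[2008-08-27T18:27:23] 203.0.113.40 -> *.*.*.* ftp://1:1@203.0.113.40:20864/directxx.exe fedcba9876543210fedcba9876543210
[2008-08-27T23:18:52] 192.0.2.77 -> *.*.*.* creceive://192.0.2.77:19673
   0123456789abcdef0123456789abcdef
"""
AMUN_SUBMISSIONS = """\
2008-08-24 18:31:55,985 INFO [submit_md5] download (ftp://1:1@203.0.113.40:20579/
   ['win.exe']): 11112222333344445555666677778888 (size: 132096) - ASN1
2008-08-24 18:44:21,365 INFO [submit_md5] download
   (cbackf://192.0.2.99:46886/eOkW/A==): fedcba9876543210fedcba9876543210 (size:
   68608) - DCOM
"""

NEPENTHES_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<src>\S+) -> (?P<dst>\S+) (?P<url>\S+) (?P<md5>[0-9a-f]{32})$"
)
AMUN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ INFO \[submit_md5\] download "
    r"\((?P<url>.*?)\): (?P<md5>[0-9a-f]{32}) \(size: (?P<size>\d+)\) - (?P<vuln>\S+)$"
)


def unwrap(text):
    """Re-join records that were wrapped onto indented continuation lines."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[:1].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_nepenthes(text):
    records = []
    for line in unwrap(text):
        m = NEPENTHES_RE.match(line)
        if not m:
            raise ValueError("unrecognised logged_submissions line: " + line)
        records.append({"sensor": "nepenthes", "ts": m["ts"], "src": m["src"],
                        "url": m["url"], "md5": m["md5"], "size": None, "vuln": None})
    return records


def parse_amun(text):
    records = []
    for line in unwrap(text):
        m = AMUN_RE.match(line)
        if not m:
            raise ValueError("unrecognised submissions.log line: " + line)
        # a wrap inside the URL leaves a stray space; these URLs never contain spaces
        url = m["url"].replace(" ", "")
        records.append({"sensor": "amun", "ts": m["ts"], "src": None, "url": url,
                        "md5": m["md5"], "size": int(m["size"]), "vuln": m["vuln"]})
    return records


def correlate(records):
    """Index sightings by MD5: which sensors, transfer schemes and URLs delivered each sample."""
    index = defaultdict(lambda: {"sightings": 0, "sensors": set(), "schemes": set(), "urls": set()})
    for r in records:
        entry = index[r["md5"]]
        entry["sightings"] += 1
        entry["sensors"].add(r["sensor"])
        entry["schemes"].add(r["url"].split("://", 1)[0])
        entry["urls"].add(r["url"])
    return dict(index)


def shared_samples(index):
    """Hashes captured by more than one sensor: the same worm reaching both honeypots."""
    return sorted(md5 for md5, e in index.items() if len(e["sensors"]) > 1)


if __name__ == "__main__":
    recs = parse_nepenthes(NEPENTHES_SUBMISSIONS) + parse_amun(AMUN_SUBMISSIONS)
    idx = correlate(recs)
    for md5, e in sorted(idx.items(), key=lambda kv: -kv[1]["sightings"]):
        print(md5, e["sightings"], sorted(e["sensors"]), sorted(e["schemes"]))
    print("seen by both sensors:", shared_samples(idx))
```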
Malware Analysis: Identification
Virustotal
  http://www.virustotal.com
Jotti
   http://cwsandbox.org
Malware Analysis: Sandbox
 #!/usr/local/bin/bash
 # submit every binary collected by Nepenthes to CWSandbox and keep the responses
 for i in /var/nepenthes/binaries/*
 do
   echo "$i"
   curl -F "email=email@email.com" -F "upfile=@$i" \
     "http://cwsandbox.org/submit.php?action=verify" >> sandbox.txt
   printf "\n" >> sandbox.txt
 done
CWSandbox
 http://cwsandbox.org
Anubis
  http://analysis.seclab.tuwien.ac.at
Botnet Monitoring