5. • Lance Spitzner’s definition of honeypots is
as follows...
• A honeypot is an information system resource
whose value lies in unauthorized or illicit use of
that resource. (May 2003)
6.
7. Open source
• Argos
• HIHAT (High Interaction Honeypot Analysis
Toolkit)
• Capture-HPC
• Honeywall
• Sebek (kernel module)
• Qebek
Commercial
• Windows XP SP0
• Windows Vista SP0
18. • A low-interaction honeypot
• Emulates a wide range of different
vulnerabilities.
• Payload transmitted by the attacker is
analyzed
• Any download URL found is extracted.
• Next, the honeypot tries to download the
malicious software and store it on the
local hard disc, for further analyses.
19. • A web application honeypot
• Web server written in Python
• Popular attack type emulation
already in place
• Remote file inclusion
• Local file inclusion
• HTML injection via POST
requests
• SQL injection emulation
20. • Medium interaction SSH honeypot
• Designed to log brute force attacks
and, most importantly, the entire
shell interaction performed by the
attacker.
• Has a fake file system you can
read/write to.
• You can add additional commands
21.
22. • “To catch bugs”
• meant to be a nepenthes
successor
• Python embedded
• can detect shellcodes
• supports ipv6 and tls.
• A VoIP module has been
developed as part of GSoc
2011
23. # Nmap 6.01 scan initiated Wed Jul 25 21:46:59 2012 as: nmap -A -oN
/root/Desktop/dionaea_off.txt 192.168.1.197
Nmap scan report for lp (192.168.1.197)
Host is up (0.00075s latency).
All 1000 scanned ports on lp (192.168.1.197) are closed
MAC Address: 08:00:27:7C:3B:55 (Cadmus Computer Systems)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.75 ms lp (192.168.1.197)
OS and Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
# Nmap done at Wed Jul 25 21:47:01 2012 -- 1 IP address (1 host up)
scanned in 2.28 seconds
24. # Nmap 6.01 scan initiated Wed Jul 25 21:47:16 2012 as: nmap -A -oN /root/Desktop/dionaea_on.txt 192.168.1.197
Nmap scan report for lp (192.168.1.197)Host is up (0.00087s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Dionaea honeypot ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
42/tcp open tcpwrapped
80/tcp open http?
|_http-title: Directory listing for /
135/tcp open msrpc?
443/tcp open ssl/https?|_http-title: Directory listing for /
| ssl-cert: Subject: commonName=Nepenthes Development
Team/organizationName=dionaea.carnivore.it/countryName=DE
| Not valid before: 2012-07-26 01:47:37
|_Not valid after: 2013-07-26 01:47:37445/tcp open microsoft-ds Dionaea honeypot smbd
1433/tcp open ms-sql-s Dionaea honeypot MS-SQL server
3306/tcp open mysql MySQL 5.0.54| mysql-info: Protocol: 10
| Version: 5.0.54
| Thread ID: 1729232896
| Some Capabilities: Connect with DB, Compress, Transactions, Secure Connection
| Status: Autocommit|_Salt: aaaaaaaa
5060/tcp open sip (SIP end point; Status: 200 OK)5061/tcp open ssl/sip (SIP end point; Status: 200 OK)
| ssl-cert: Subject: commonName=Nepenthes Development
Team/organizationName=dionaea.carnivore.it/countryName=DE| Not valid before: 2012-07-26 01:47:37|_Not valid after:
2013-07-26 01:47:374 services unrecognized despite returning data.
MAC Address: 08:00:27:7C:3B:55 (Cadmus Computer Systems)Device type: general purposeRunning: Linux 2.6.X|3.XOS
CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3OS details: Linux 2.6.38 - 3.2Network Distance: 1 hopHost script
results:|_nbstat: NetBIOS name: LP, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>|_smbv2-enabled: Server
doesn't support SMBv2 protocol| smb-security-mode: | Account that was used for smb scripts: guest| User-level
authentication| SMB Security: Challenge/response passwords supported|_ Message signing disabled (dangerous, but
default)| smb-os-discovery: | OS: Windows XP (Windows 2000 LAN Manager)| NetBIOS computer name: HOMEUSER-
25. • 14 pcap files, total of 102 Meg
• 129 “replay” files – 4 Meg
• 2 log files
• Error log
• Activity log
• 2 SQLite database files
• Logsqlite – Activity log but in SQLite format
• Sipaccounts
• 1 malicious executable
26. Day 1
• 44 Unique IP addresses
• Time it took to get connections – 14 minutes
Day 2
• xx Unique IP addresses
• Time it took to get connections -
• Malicious file uploaded
• Never live with the results of one tool,
always use multiple tools!!
31. Occurrence
OS s Link Occurrences
Linux 14 ethernet/modem 54
Windows 30 IPv6/IPIP 3
Solaris 1 pppoe (DSL) 15
sometimes DSL (3) 4
OS version - Windows OS version - Linux
XP/2000 (RFC1323+, w+, tstamp-) 2 2.6 (newer, 1) 1
XP SP1+, 2000 SP3 3 2.6 (newer, 2) 2
2000 SP4, XP SP1+ 22 2.6 (newer, 3) 4
2.6, seldom 2.4 (older,
2000 SP2+, XP SP1+ (seldom 98) 3 2) 5
2.6, seldom 2.4 (older,
4) 2
32. Day 1
Goals
• Get the honeypot installed and up and running
• Get some traffic
• Run some packet captures
Timeline
1. 2:55 pm
1. Started dionaea
2. I immediately run an nmap scan and it just lit up like a
Christmas tree.
3. That accounts for 1053 connection attempts.
4. 6:44pm - Started wireshark packet capture
2. 3:07 - the first “attacker” appears (me)
1. 6:58 - the first connection appears
33. Day 2
Goals
• Start saving packet captures (with “no arp” on the capture
filter)
• Get some traffic
• Catch some malware?
Timeline
1. 11:12:04am
1. Get a connection from 69.57.27.138
2. Attempts connection to TCP port 135 (epmap). It gets a SYN,
ACK.
2. 11:12:06 am
1. Tftp session is initiated and malware is being dropped on
system
3. 11:12:42 am
1. Tftp session completes
4. 14:39:47 am
1. He’s back! (Process from 1.1 starts all over again)
34. MD5 - aff643a5014a9d8e98b24fa4dac11623
• Virus Total – 40/42 detection ratio
• Rbot
• ThreatExpert
•A malicious backdoor trojan that runs in the
background and allows remote access to the
compromised system
• A network-aware worm that attempts to
replicate across the existing network(s)
35. IP Address and Domain Information – Chrome extension (from TCPIPUtils.
OrgName Algona Municipal
Utilities
OrgId AMU-6
Address 104 West Call Street
Address PO Box 10
City Algona
StateProv IA
PostalCode 50511
Country US
RegDate 1/20/2011
Updated 7/6/2011
http://www.netamu.com/
39. Round 2
Amazon EC2 Ubuntu 12.04 Microinstance
• Virginia
• Oregon
• San Paolo, South America
• Ireland
• Toyko (Thanks Sukotto_san!)
Unable to do
• Singapore
40. • Virginia
• 3 files
• Oregon
• 0 files
• South America
• 1 file
• Toyko
• 1 file
• Ireland
• 40 files!!
56. TCP
Port Occurances Protocol
3306 909 MySQL database system
176 81 ??
1433 49 MSSQL Server
34354 38 ??
3389 34 Microsoft Terminal Server (RDP)
80 31 Hypertext Transfer Protocol (HTTP)
110 18 Post Office Protocol v3 (POP3)
445 18 Microsoft-DS Active Directory, Windows shares
25 13 Simple Mail Transfer Protocol (SMTP)
139 11 NetBIOS NetBIOS Session Service
23 9 Telnet protocol
Microsoft EPMAP (End Point Mapper), also known
135 6 as DCE/RPC Locator service,[14] used to remotely
manage services including DHCP
server, DNSserver and WINS. Also used by DCOM
64. Detection
File name (MD5) ratio: Analysis date: Kaspersky Microsoft Sophos
c7277972654775258bf3d4d6936eb 2012-11-05 05:48:00 Worm:Win32/Conficker Mal/Conficker-
1b0 41 / 44 UTC Net-Worm.Win32.Kido.ih .B A
cae4b7963f5e43033664299a4d5bd 2012-11-05 05:48:11 Worm:Win32/Conficker Mal/Conficker-
176 43 / 44 UTC Net-Worm.Win32.Kido.ih .B A
d45895e3980c96b077cb4ed8dc163 2012-11-05 05:48:48 Worm:Win32/Conficker Mal/Conficker-
db8 43 / 44 UTC Trojan.Win32.Genome.taql .C A
d90b4a84515f3a4d7d4ca716d9263 2012-11-05 05:49:11 Worm:Win32/Conficker Mal/Conficker-
a5e 42 / 44 UTC Net-Worm.Win32.Kido.ih .B A
e1855fbe6cf64738bffb9dc195e38ed 2012-11-05 05:49:46 Worm:Win32/Conficker Mal/Conficker-
1 41 / 44 UTC Net-Worm.Win32.Kido.ih .B A
e53ed987e82ad7bf076c23d91401c 2012-11-05 05:50:05 Worm:Win32/Conficker Mal/Conficker-
ac7 42 / 44 UTC Net-Worm.Win32.Kido.ih .B A
ef87b673c8e3b77bdf2342e42e1b5f 2012-11-05 05:50:49 Net- Worm:Win32/Conficker Mal/Conficker-
0c 43 / 44 UTC Worm.Win32.Kido.dam.ba .C A
fb34cb2d017899592aa1c8d578bfa4 2012-11-05 05:51:36 Worm:Win32/Conficker Mal/Conficker-
55 41 / 44 UTC Net-Worm.Win32.Kido.ih .B A
d41d8cd98f00b204e9800998ecf842 2012-11-05 16:11:31
7e 0 / 42 UTC - - -
65.
66. TCP Port Occurrences Protocol
3306 205 MySQL database system
1433 173 MSSQL Server
445 154 Microsoft-DS Active Directory, Windows shares
5060 45 Session Initiation Protocol (SIP)
139 38 NetBIOS NetBIOS Session Service
80 32 Hypertext Transfer Protocol (HTTP)
3389 13 Microsoft Terminal Server (RDP)
1080 11 SOCKS proxy
135 6 DCE endpoint resolution
9097 5 ??
23 3 Telnet protocol
110 3 Post Office Protocol v3 (POP3)
67. IP address Occurrences GeoIP location Interesting notes
TCPIPUtils.com – 1 of 4 spam databases
48 different websites near this IP
61.147.103.137 147 Beijing, Beijing, China (CN)
Gaza, Palestinian Territory
188.161.92.153 44 (PS) TCPIPUtils.com – 1 of 4 spam databases
42.121.19.84 27 Hangzhou, Zhejiang, China (CN) TCPIPUtils.com – 1 of 4 spam databases
203.162.35.88 23 Vietnam (VN)
125.65.108.65 16 Chengdu, Sichuan, China (CN) 68 different websites near this IP
Buenos Aires, Distrito
181.0.218.144 16 Federal, Argentina (AR)
26 different websites near this IP
65.18.174.167 16 Near Wichita, KS including datemarriedwomen.org
Same website where malware from
111.249.26.205 14 Taipei, T'ai-pei, Taiwan (TW) Virginia came from.
211.154.213.122 12 Beijing, Beijing, China (CN)
TCPIPUtils.com – 1 of 4 spam databases
42.120.0.238 12 Hangzhou, Zhejiang, China (CN)
São Paulo, Sao Paulo, Brazil TCPIPUtils.com – 1 of 4 spam databases
187.35.61.105 10 (BR)
17 different websites near this IP
210.211.117.81 10 Vietnam (VN)
82. • A host at $IP ($location)tried to log into my
honeypot's fake Terminal Services server
• GET-based RFI attack from $IP ($location)
• A host at $IP ($location)tried to log into my
honeypot's fake MSSQL Server
http://inguardians.com/
90. http://securityonion.blogspot.com/
• Installing a honeypot? Why not have all the monitoring tools
already in place?
• And there are some bad ass tools on this distro.
• Counting Security Onion is Xubuntu based and all of the honeypot
installs are based on Lubuntu, I suspect there won’t be any issues.
• I haven’t tested this to confirm. If you find out otherwise,
email me. I’d love to know your what you experience.
91. Mercury – Live Honeypot DVD
ftp://ftp.carnivore.it/projects/dionaea/mercury-dvd
http://blog.infosanity.co.uk/2010/09/22/mercury-live-honeypot-dvd/
Mercury Live DVD was initially (I believe) announced in a post to the
Nepenthes Mailing list. It is a remastered Ubuntu distribution with pre-installed
honeypot applications and malware analysis tools created by John Moore.
From the ReadMe:
This live DVD is a remastered version of Ubuntu 10.0 Beta LTS x86_32. It was
designed due to my being disappointed with another reverse engineering
malware live CD that was released recently. I have decided to call my creation
MERCURY, which is an acronym for Malware Enumeration, Capture, and
Reverse Engineering.
The Mercury live DVD contains tools used for digital forensics, data recovery,
network monitoring, and spoofing. It should primarily be used as a honeypot or
network monitoring platform as well as a laboratory and teaching aid. There are
three honeypots installed – honeyd, nepenthes, and dionaea. Four, if you
92. Scripts, tools and other lessons learned
• Amun
• amun_install.sh
• Location to grab the file
• How to set it up
• Dionaea
• install_dionaea.sh (Quick and easy setup)
• install_dionaea_full_monty.sh (previously ran successfully on a Mint
12 install)
• run_dionaea.sh
• run_p0f_dionaea.sh (In case you want to capture OS information)
• Glastopf
• setup_glastopf.sh (Script untested, but ran through steps manually
successfully)
• Kippo
• kippo_install.sh (This is one option on installing and running {last line
runs it})
93. Scripts, tools and other lessons learned
Lessons learned
• Run only one honeypot at a time
• When running a honeypot from the cloud, test test and retest your
packet capture script
• When in doubt, use dumpcap (it’s been the most successful for me)
• Adjust the level of logging on dionaea if you’re running in the cloud,
especially if you’re in an extremely active area.
• Downloading a 4 Gig log file from Ireland was not a quick process
• First time running dionaea, log everything.
• Adjust your logging level according to the information you see.
• If a lot is not useful, dial it back a notch or two.
• Install on an Ubuntu based system.
• I tried installing on a Debian based load and ran into dependency
issues.
• The keyboard is small and I want to minimize the time at the
keyboard. ;)
• I haven’t tried Fedora or OpenSuSE or BSD based systems.
• If you do, let me know your results. (See slide # 88 for my
contact info)
• Take the time to get a good dionaea config file.
• Getting the malware is good. Automatically submitting to
Hinweis der Redaktion
Insert video from Duck Dynasty here?
Insert video from Duck Dynasty here?
Put the ports opened up by dionaea and the results of an nmap scan
