
ISF Høstkonferansen 1. September, 2010


Presentation Transcript


    1. ISF Høstkonferansen 1. September, 2010
       Tor Inge Skaar, tor.skaar@honeynet.org

    2. Who am I?
        - M.Sc. (Siv.Ing.) in Telematics from NTNU
        - Been interested in InfoSec for over 10 years
        - Last 7 years been working for NorCERT
        - Full member of The Honeynet Project

    3. 45 min Agenda
        - Briefly about the project
        - Walk-through of a series of helpful tools
        - Q&A

    4. The Honeynet Project

    5. Organization

    6. Chapters around the world

    7. A bunch of geeks...

    8. More about the project

    9. What's the threat?
        - “IKT trussel- og sårbarhetsbilde” by NorSIS & NorCERT ...yesterday
        - “The Stuxnet Case” by Norman ...up next!
        - “Trusler & Trender” by TSOC at 12:15

    10. Tools
        - Nepenthes
        - Dionaea
        - Glastopf
        - Roo
        - Honeytrap
        - Honeymole
        - Honeysnap

    11. Non-THP tools
        - Kippo
        - Daemonlogger
        - Suricata
        - SURFids

    12. User vs. Developer

    13. Honeywall - Roo
        - Bootable CD-ROM
        - All-in-one: data capture, data control and data management
        - GenII and GenIII honeynets
        - Walleye web interface (but also CLI)
        - Distributed as “Honeystick” as well
        - A bit old... :(
        - https://projects.honeynet.org/honeywall/

    14. Sebek
        - Captures attackers' activities on a honeypot
        - Keystrokes, passwords and file uploads
        - Client-server model
        - Covert data transfer over UDP
        - Bogus or non-existent destination IP
        - https://projects.honeynet.org/sebek/
        - KYE paper: http://old.honeynet.org/papers/sebek.pdf

    15. Nepenthes
        - Low interaction honeypot
        - Shellcode detection based on pattern recognition
        - Modularized (Vulns, Shellcode, Fetch, Submission, Log)
        - Large deployment base (companies, academia, gov, even CERTs)
        - No support for new or unknown vulnerabilities
        - Emulation of vulnerabilities instead of protocols
        - Lots of issues with SMB and 445/tcp in general
        - Difficult to keep up with new vulns and exploits
        - No detection of new and unknown shellcode
        - C++ is both its strength and weakness
        - http://nepenthes.carnivore.it/

    16. Honeytrap
        - Low interaction honeypot
        - Dynamic handling of incoming connection requests (no point in listening on all 65k+ ports)
        - No vulnerability modules
        - Mirror-mode
        - Proxy-mode
        - Focus on the attack vector, not the malware itself
        - Poor-man's honeypot
        - http://honeytrap.carnivore.it/

    17. libemu
        - Small library written in C
        - Generic shellcode detection
        - Emulation of x86 CPU instructions
        - The library can also execute the shellcode and profile its behavior
        - Designed to be a central part of the core of new IDS/IPS and honeypots
        - http://libemu.carnivore.it/

    18. Dionaea
        - Still a low interaction honeypot
        - No more C++, and in with C and glib
        - Integrated with Python (via Cython) and a series of other std libraries: libev, liblcfg, libemu, libcurl, libpcap, +++
        - Emulates e.g. the SMB protocol and cmd.exe
        - Shellcode detection > Profiling > Actions
        - Handles multistage shellcodes
        - Mirror-mode :)
        - Log to sqlite
        - Complete VM images are available for download
        - http://dionaea.carnivore.it/

    19. Dionaea - Top attackers

    20. Nebula
        - Automatic IDS signature generator
        - Snort syntax
        - Receives attacks from Honeytrap and Argos

    21. alert tcp any any -> $HOME_NET 8800 (msg: "nebula rule 2000001 rev. 1"; content: "GET / HTTP/1.0|0d 0a|User-Agent\: DFXPDFXPAAA|eb 03|Y|eb 05 e8 f8 ff ff ff|II"; offset: 0; depth: 51; content: "A0A"; distance: 23; within: 91; content: "XP8"; distance: 1; within: 21; content: "Oy"; distance: 18; within: 525; content: "|0d 0a|Authorization\: Basic UVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQm5TOEFFSkNRa0pBejBtYUJ5djhQUWxKcUFsak5MandGV25UdnVFUkdXRkNMK3E5MTZxOTE1Ly9uUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrST0=|0d 0a 0d 0a|"; distance: 58; within: 1845; sid: 2000001; rev: 1;)
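To make the content chain of a generated rule like the one above concrete, here is an added Python example (not from the slides, and not Nebula's or Snort's code). It parses a shortened, constructed rule written in the same syntax and applies the offset/depth/distance/within modifiers to a constructed payload. The model is deliberately simple: offset and depth bound the first search window from the start of the payload, and distance and within bound each following window relative to the end of the previous match. It is a teaching re-implementation of the modifier semantics, not Snort's matching engine, and the rule and payloads are assumptions made up for the demo.

```python
import re
from typing import Dict, List, Tuple

# Option tokenizer: name: "quoted value"; or name: bare value;
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')

# Constructed rule: same syntax as the Nebula/Snort rule on the slide, shortened.
DEMO_RULE = (
    'alert tcp any any -> $HOME_NET 8800 (msg: "demo rule"; '
    'content: "GET / HTTP/1.0|0d 0a|User-Agent\\: DFXP"; offset: 0; depth: 40; '
    'content: "|0d 0a|Authorization\\: Basic"; distance: 0; within: 64; '
    'content: "|0d 0a 0d 0a|"; distance: 0; within: 32; '
    'sid: 2000001; rev: 1;)'
)

# Constructed payloads: one that satisfies the content chain, one that does not.
SAMPLE_HIT = (b"GET / HTTP/1.0\r\nUser-Agent: DFXPDFXPAAA\xeb\x03Y"
              b"\r\nAuthorization: Basic QUFB\r\n\r\n")
SAMPLE_MISS = b"GET / HTTP/1.0\r\nUser-Agent: Mozilla/5.0\r\n\r\n"


def decode_content(text: str) -> bytes:
    """Turn a Snort content string into bytes: |xx yy| hex runs and \\x escapes."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "|":                       # hex run, e.g. |0d 0a|
            end = text.index("|", i + 1)
            out += bytes.fromhex(text[i + 1:end].replace(" ", ""))
            i = end + 1
        elif ch == "\\":                    # escaped : ; " or backslash
            out.append(ord(text[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def parse_rule(rule: str) -> Tuple[Dict[str, str], List[dict]]:
    """Split the rule body into metadata and an ordered list of content matches,
    each carrying the modifiers that followed it in the rule."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    meta: Dict[str, str] = {}
    contents: List[dict] = []
    for name, value in OPTION_RE.findall(body):
        value = value.strip()
        if name == "content":
            contents.append({"pattern": decode_content(value[1:-1])})
        elif name in ("offset", "depth", "distance", "within"):
            contents[-1][name] = int(value)   # modifier belongs to the last content
        else:
            meta[name] = value.strip('"')
    return meta, contents


def match_contents(contents: List[dict], payload: bytes) -> bool:
    """Evaluate the content chain: every pattern must be found, in order,
    inside the window its modifiers define."""
    prev_end = None
    for c in contents:
        if prev_end is None:                 # first content: absolute window
            start = c.get("offset", 0)
            end = start + c["depth"] if "depth" in c else len(payload)
        else:                                # later contents: relative window
            start = prev_end + c.get("distance", 0)
            end = start + c["within"] if "within" in c else len(payload)
        idx = payload.find(c["pattern"], start, end)   # must fit inside [start, end)
        if idx < 0:
            return False
        prev_end = idx + len(c["pattern"])
    return True


def rule_matches(rule: str, payload: bytes) -> bool:
    _, contents = parse_rule(rule)
    return match_contents(contents, payload)


if __name__ == "__main__":
    meta, _ = parse_rule(DEMO_RULE)
    print("sid", meta["sid"], "hit:", rule_matches(DEMO_RULE, SAMPLE_HIT),
          "miss:", rule_matches(DEMO_RULE, SAMPLE_MISS))
```

Reading the generated rule with this model in mind also shows why automatically generated signatures need review before deployment: the Nebula rule above anchors on a specific User-Agent string and a long Base64 blob, so it is precise for the captured attack but will not match a variant that changes either.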

    22. Honeysnap
        - Analysis tool (CLI)
        - Packet and connection overview
        - Flow extraction of ASCII-based communications
        - Protocol decode: DNS, FTP, HTTP, IRC, Socks, Sebek
        - Binary file transfer extraction
        - Flow summary of inbound and outbound connections
        - Keystroke extraction of v2 and v3 Sebek data
        - https://projects.honeynet.org/honeysnap/

    23. Capture-HPC
        - High interaction client honeypot
        - Its mission is to discover servers serving out malware
        - Runs in a virtual environment
        - Looks for changes in state: file system, registry, processes etc.
        - Uses VMware VIX libraries
        - https://projects.honeynet.org/capture-hpc

    24. Glastopf
        - Web application honeypot
        - Low interaction
        - Attack handler (not template-based)
        - Focus on RFI, LFI and SQL injection
        - Handles multi-stage attacks
        - Data is stored in a MySQL database
        - Functional web interface
        - KYT paper coming soon this autumn
        - http://glastopf.org/

    25. HoneyMole
        - Secure Ethernet over TCP/IP
        - Easy deployment and management of honeypot farms
        - Written in C, using libpcap and libnet
        - Uses OpenSSL for authentication and encryption
        - http://www.honeynet.org.pt/index.php/HoneyMole

    26. CC2ASN
        - IPv4, IPv6 and AS numbers for every country
        - Data fetched from the 5 RIRs: ARIN, RIPE NCC, APNIC, LACNIC and AfriNIC
        - Updated every day
        - ISO 3166-1 alpha-2 country codes as input
        - Service available on both 80/tcp (http) and 43/tcp (whois)
        - http://www.honeynor.no/tools/cc2asn/

    27. CC2ASN
        $ whois -h atari.honeynor.no om
        AS15679
        AS28885
        AS50010
        $ whois -h atari.honeynor.no ipv4 om
        46.40.192.0/18
        62.61.160.0/19
        62.231.192.0/18
        82.178.0.0/16
        85.154.0.0/16
        188.65.24.0/21
        188.135.0.0/17
        188.140.128.0/17
        212.72.0.0/19
        $ whois -h atari.honeynor.no ipv6 om
        2A00:11A8::/32
        2001:1670::/32

    28. CC2ASN
        - Whois limitation? Netcat :)
        - Enhanced database (port 44/tcp), more info at: http://www.honeynor.no/tools/cc2asn
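The netcat suggestion works because whois (RFC 3912) is about as simple as a protocol gets: the client sends the query followed by CRLF, and the server writes its answer and closes the connection, which is what marks the end of the response. The Python below is an added example, not the CC2ASN service's own code; it implements both sides of that exchange, answers the three queries shown on the previous slide from an embedded copy of those sample results, and runs client and server over a socketpair so the demo needs no network. `whois_query()` is the same client logic pointed at a real host and port, and the response format (one entry per line) is an assumption taken from the slide's output.

```python
import socket
import threading
from typing import Dict, List

# Constructed lookup table: the answers the CC2ASN slide shows for "om" (Oman).
CC2ASN_DATA: Dict[str, List[str]] = {
    "om": ["AS15679", "AS28885", "AS50010"],
    "ipv4 om": ["46.40.192.0/18", "62.61.160.0/19", "62.231.192.0/18",
                "82.178.0.0/16", "85.154.0.0/16", "188.65.24.0/21",
                "188.135.0.0/17", "188.140.128.0/17", "212.72.0.0/19"],
    "ipv6 om": ["2A00:11A8::/32", "2001:1670::/32"],
}


def serve_whois(conn: socket.socket, data: Dict[str, List[str]] = CC2ASN_DATA) -> None:
    """Server side of one RFC 3912 exchange: read a CRLF-terminated query,
    write the answer one entry per line, then close (close = end of response)."""
    with conn:
        buf = b""
        while b"\n" not in buf and len(buf) < 256:   # bound the query length
            chunk = conn.recv(64)
            if not chunk:
                return
            buf += chunk
        # Normalise whitespace and case so "IPv6  OM" and "ipv6 om" are the same key.
        query = " ".join(buf.decode("ascii", "replace").split()).lower()
        lines = data.get(query)
        if lines is None:
            conn.sendall(b"% no entry for " + query.encode("ascii", "replace") + b"\r\n")
        else:
            conn.sendall("".join(f"{line}\r\n" for line in lines).encode("ascii"))


def whois_exchange(sock: socket.socket, query: str) -> List[str]:
    """Client side: send query + CRLF, read until the server closes, split lines."""
    sock.sendall(query.encode("ascii") + b"\r\n")
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:                      # EOF from the server ends the answer
            break
        chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace").splitlines()


def whois_query(host: str, query: str, port: int = 43, timeout: float = 10.0) -> List[str]:
    """Raw TCP whois, the same thing 'whois -h host query' or 'nc host 43' does."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return whois_exchange(s, query)


def loopback_query(query: str) -> List[str]:
    """Run client and server over a socketpair so the exchange works offline."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=serve_whois, args=(server,))
    worker.start()
    try:
        return whois_exchange(client, query)
    finally:
        client.close()
        worker.join()


if __name__ == "__main__":
    for q in ("om", "ipv4 om", "ipv6 om", "xx"):
        print(q, "->", loopback_query(q))
```

Because the protocol has no framing beyond "read until close", a client must always read to EOF rather than stop after the first `recv()`; a long answer such as a country's full IPv4 list arrives in several segments.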

    29. SSHpot
        - Modified version of OpenSSH v. 4.1.p1
        - Stores every login attempt
        - Honeypots deployed at 6 different ISPs in Norway for over a year
        - Ca. 5.5 million bruteforce attacks
        - http://www.honeynor.no/tools/openssh.honeynor.patch

    30. SSH usernames

    31. SSH passwords

    32. Bruteforce
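As an added example (not the SSHpot patch or any tooling from the slides), the Python below parses a constructed log of login attempts in a simple `date time source user password` layout, produces the kind of username and password rankings the previous three slides chart, and flags sources whose attempt rate inside a sliding window looks like brute force. The log lines, their layout, and the 5-attempts-in-60-seconds threshold are assumptions made up for the demo; adapt `parse_attempts()` to whatever your honeypot actually writes.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Attempt(NamedTuple):
    ts: datetime
    src: str
    user: str
    password: str


# Constructed sample log (not real SSHpot output): date time source user password
SAMPLE_LOG = """\
2010-08-01 12:00:01 198.51.100.7 root 123456
2010-08-01 12:00:02 198.51.100.7 root password
2010-08-01 12:00:02 198.51.100.7 root root
2010-08-01 12:00:03 198.51.100.7 admin admin
2010-08-01 12:00:04 198.51.100.7 test test
2010-08-01 12:00:05 198.51.100.7 oracle oracle
2010-08-01 12:10:00 203.0.113.42 root 123456
2010-08-01 13:00:00 203.0.113.42 root toor
2010-08-01 14:00:00 192.0.2.9 admin 123456
"""


def parse_attempts(text: str) -> List[Attempt]:
    """One Attempt per non-empty line; the password field keeps embedded spaces
    and may be empty (some tools log empty password attempts)."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 4)
        if len(parts) == 4:                      # empty password
            parts.append("")
        date, time, src, user, password = parts
        attempts.append(Attempt(datetime.fromisoformat(f"{date} {time}"), src, user, password))
    return attempts


def top_n(attempts: List[Attempt], field: str, n: int) -> List[Tuple[str, int]]:
    """Most frequent values of a field ('user' or 'password'), as (value, count)."""
    return Counter(getattr(a, field) for a in attempts).most_common(n)


def bruteforce_sources(attempts: List[Attempt], threshold: int = 5,
                       window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Sources that made at least `threshold` attempts inside any span of length
    `window`. Returns {source: max attempts seen in one such window}."""
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    for a in attempts:
        by_src[a.src].append(a.ts)
    flagged: Dict[str, int] = {}
    for src, stamps in by_src.items():
        stamps.sort()
        left, best = 0, 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:    # slide the window's left edge
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    attempts = parse_attempts(SAMPLE_LOG)
    print("top users:    ", top_n(attempts, "user", 3))
    print("top passwords:", top_n(attempts, "password", 3))
    print("bruteforcers: ", bruteforce_sources(attempts))
```

The rate check is per source; a slow, distributed campaign (one attempt per host per hour, as 203.0.113.42 does here) only shows up when the window is widened or when the ranking of usernames and passwords across all sources is examined, which is exactly what the charts on the slides do.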

    33. Kippo
        - Low interaction SSH honeypot
        - Written in Python and uses the Twisted framework for emulation of sshd
        - Designed to capture bruteforce attacks
        - But also the user interaction! :)
        - http://code.google.com/p/kippo/

    34. Kippo
        - Fake file system with files and directories (basic FHS)
        - Fake commands (static and dynamic)
        - Session logs stored in UML format for easy replay
        - Stores files downloaded with wget
        - Outgoing SSH connections are intercepted and simulated
        - Fake termination of the SSH connection :)
        - Kippomutate: simple randomization of a Kippo installation
        - http://www.honeynor.no/tools/kippomutate.sh

    35. Suricata
        - Open source IDS
        - Open Information Security Foundation (OISF)
        - Multi-threaded, native IPv6, Snort syntax, Unified2 output, statistical anomaly detection, file extraction, high-speed regex, IP reputation, hardware and GPU acceleration
        - http://www.openinfosecfoundation.org/

    36. Daemonlogger
        - Packet logger
        - Software tap
        - Written by Marty Roesch (Mr. Snort)
        - libpcap and libdnet
        - High speed ring-buffer (-r)
        - Several rollover functions: -s <bytes>, -M <pct>, -t <time>
        - http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html

    37. SURFids
        - Distributed IDS
        - Developed and maintained by SURFnet (Dutch NREN)
        - Sensors are booted off a USB stick
        - OpenVPN between sensors and server
        - Tunnels all traffic to a central point
        - Minimal maintenance
        - Nepenthes, Glastopf, Argos, Dionaea, Amun, GeoIP, ++
        - L2 detection: ARP poisoning, rogue DHCP
        - Updated frequently
        - http://ids.surfnet.nl
        - Argos: an emulator for capturing zero-day attacks
        - Amun: honeypot

    38. Forensics Challenges
        - Do your own analysis, and share your findings
        - Yes, there are prizes!
        - PCAP attack trace, Browsers under attack, Banking troubles, VoIP analysis ...
        - Next challenge (log analysis) today!!
        - Old SotM challenges
        - http://honeynet.org/challenges

    39. Summary
        - There are many threats on the Internet
        - There are many tools available to assist you in your defence
        - ...hope this presentation has given you some pointers in the right direction :)