
The Honeynet Project



Presentation Transcript


  1. The Honeynet Project
  Setting Up A Honeynet
  Examples Of Blackhat Activity
  Test Results
  by Kirk Hausman

  2. Review – What Is A Honeynet?
  A networked system behind a firewall. Black Hats use it rather than your production system.
  • Can look like an actual production system
  • Records network and system data to logs
  • Designed to learn who would like to use your system without your permission for their own ends
  • Gives organizations information when attacked
  • Learn vulnerabilities
  • Develop response plans

  3. What About Honeypots?
  • Typically, these are single systems connected to a production system to lure attackers.
  • “The Cuckoo’s Nest” by Cliff Stoll
  • What products make a honeypot?
    • Fred Cohen’s Deception Toolkit – http://www.all.net/dtk/index.html
    • Cybercop Sting – http://www.pgp.com/products/cybercop-sting/default.asp
    • Recourse Mantrap – http://www.recourse.com/products/mantrap/trap.html

  4. What’s The Difference?
  • Honeypots use known vulnerabilities to lure attack.
    • Configure a single system with special software or system emulations
    • Want to find out actively who is attacking the system
  • Honeynets are networks open to attack
    • Often use default installations of system software
    • Behind a firewall
    • Better they mess up the Honeynet than your production system

  5. Diagram Of A Honeynet
  IDS – Intrusion Detection System
  p. 21, The Honeynet Project. Addison-Wesley 2002.

  6. Entry to Honeynet
  IDS – Intrusion Detection System
  p. 21, The Honeynet Project. Addison-Wesley 2002.

  7. Exit from Honeynet
  IDS – Intrusion Detection System
  p. 21, The Honeynet Project. Addison-Wesley 2002.

  8. Costs
  • For hardware, can be minimal
    • Honeynet Project used Pentiums and SPARC5 with Win ’98, RH Linux and Solaris 2.6. Also old Cisco routers.
  • High effort associated with configuring security
    • Restrict how Black Hats use the Honeynet
    • Don’t let them know they’re being monitored
  • High effort with analysis of data
    • No tools are available to perform this kind of analysis

  9. Configuration Of Honeynet
  • Firewall rulebase
  • DNS and NTP
  • Anti-spoofing
  • Router
  • Bandwidth

  10. Firewalls Suggested
  • CheckPoint Firewall-1
    • Honeynet Project used it to enforce rules
    • Their book provides custom scripts to send alerts and limit outbound connections
  • IPFilter
    • Open source on Linux
    • “Swatch” utility to monitor and count outbound connections

  11. Rules Enforced At Firewall
  • Anyone can connect from Internet to Honeynet
  • Unlimited inbound, restricted outbound
  • No packets allowed between Honeynet and Administrative network

  12. DNS And NTP
  If you want an unlimited number of connections from the Honeynet to the Internet, it is recommended to set up one machine as the primary DNS and NTP server.
  • Points to one trusted, recursive DNS server on the Internet
    • That system resolves names
    • Black Hats expect & require DNS (downloading, etc.)
    • Easier to collect log data about network traffic from one machine than from many within the Honeynet.
  • Role as NTP (Network Time Protocol) server
    • Communicates with a specific, trusted system for NTP updates
    • Maintains time to sync system clocks

  13. Anti-spoofing
  • Critical to enact
    • This is the most common type of attack out of a Honeynet
  • How to enact
    • Set a maximum of 5 to 10 outgoing connections
    • Limit the number of packets to between 5,000 and 10,000 per 24 hours.
    • Set these limits using a script in the rulebase of the firewall
    • Apply the limit to both UDP and TCP
    • Deny all outbound ICMP traffic
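  An added example (not the Honeynet Project's own scripts) of the counting that Swatch did over the firewall's outbound log in slides 10, 11 and 13: it tallies outbound connections and packets per honeynet host and day, flags outbound ICMP and honeynet-to-administrative traffic, and marks when the connection or packet limit is reached. The log format, the address ranges and the exact thresholds chosen from the slide's ranges are assumptions.

```python
import re
from collections import defaultdict

MAX_OUTBOUND_CONNECTIONS = 5  # slide 13: 5 to 10 outbound connections per day
MAX_OUTBOUND_PACKETS = 5000   # slide 13: 5,000 to 10,000 packets per 24 hours
HONEYNET_PREFIX = "10.1.1."   # assumed honeynet address range
ADMIN_PREFIX = "10.2.2."      # assumed administrative network range

# Constructed sample log in an assumed "<ts> accept <proto> <src> -> <dst> pkts=<n>" format
SAMPLE_LOG = """\
2000-06-06T09:00:00 accept tcp 198.51.100.7:4444 -> 10.1.1.5:22 pkts=50
2000-06-06T10:00:01 accept tcp 10.1.1.5:1025 -> 198.51.100.7:6667 pkts=120
2000-06-06T10:00:09 accept tcp 10.1.1.5:1026 -> 198.51.100.7:21 pkts=30
2000-06-06T10:01:00 accept udp 10.1.1.5:1027 -> 203.0.113.9:53 pkts=2
2000-06-06T10:02:00 accept icmp 10.1.1.5 -> 203.0.113.9 pkts=4
2000-06-06T10:05:00 accept tcp 10.1.1.5:1028 -> 198.51.100.8:80 pkts=4000
2000-06-06T10:06:00 accept tcp 10.1.1.5:1029 -> 198.51.100.9:80 pkts=900
2000-06-06T10:07:00 accept tcp 10.1.1.6:1030 -> 10.2.2.4:22 pkts=5
2000-06-07T11:00:00 accept tcp 10.1.1.5:1031 -> 198.51.100.9:80 pkts=10
"""
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ accept (?P<proto>tcp|udp|icmp) "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)? pkts=(?P<pkts>\d+)$")

def parse_log(text):
    """Parse the assumed log format into records; non-matching lines are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [{**m.groupdict(), "pkts": int(m["pkts"])} for m in matches if m]

def check_outbound(records):
    """Apply the slide 11 and 13 rules per honeynet host and calendar day.
    Returns {(host, day): {"connections": n, "packets": n, "alerts": [...]}}."""
    tally = defaultdict(lambda: {"connections": 0, "packets": 0, "alerts": []})
    for r in records:
        if not r["src"].startswith(HONEYNET_PREFIX):
            continue                              # inbound is unlimited (slide 11)
        entry = tally[(r["src"], r["day"])]
        alerts = entry["alerts"]
        if r["dst"].startswith(ADMIN_PREFIX):
            alerts.append("honeynet-to-admin")    # never allowed (slide 11)
        if r["proto"] == "icmp":
            alerts.append("icmp-out")             # all outbound ICMP is denied (slide 13)
            continue
        entry["connections"] += 1
        entry["packets"] += r["pkts"]
        if entry["connections"] == MAX_OUTBOUND_CONNECTIONS:
            alerts.append("connection-limit")     # block further outbound connects today
        if entry["packets"] >= MAX_OUTBOUND_PACKETS and "packet-limit" not in alerts:
            alerts.append("packet-limit")         # block remaining outbound traffic today
    return dict(tally)
```

Calling check_outbound(parse_log(SAMPLE_LOG)) gives the per-host, per-day counters that a firewall script would act on; the "limit" alerts mark the point at which further outbound traffic from that host should be dropped for the rest of the day.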

  14. Router
  Honeynet Project used a router to filter packets
  • Anti-spoofing
    • Only packets with a correct source IP allowed out
  • Router is secondary to the firewall in controlling how the Honeynet is used
    • Attackers are not surprised to find a router
    • Firewall stays more transparent if attackers suspect the limits on activity are due to the router

  15. Bandwidth
  Keep bandwidth small
  • Honeynet Project used 128 Kbps
  • Smaller throughput reduces number of packets sent out during DoS attack
  • Potentially cheaper to maintain the honeynet

  16. Data Capture
  • This is the reason for setting up a honeynet.
  • Layers of data capture
    • Use more than one layer
    • Compromise of one layer leaves others available to see what happened
  • Kinds
    • Access control devices
    • Network layer
    • System layer
    • Off-line layer

  17. Access Control Devices
  • Kinds
    • Firewall
    • Router
  • Scripting
    • Inbound alerting scripts capture logs
    • Use in firewall

  18. Network Layer
  • Logging of packets in the Honeynet network
  • Capture two kinds of data
    • Signature alerts
    • Packet payload
  • IDS (Intrusion Detection System)
    • They used a utility called “Snort” (www.snort.org)
    • On suspicious activity, Snort captured data and sent an alert message via syslogd to the Log/Alert Server
    • “Swatch” on the Log/Alert Server looked for specific alerts and sent e-mail or page notification to the administrator

  19. System Layer
  • By remote logging, send system logs to the Administrative Alert/Log server
  • Recommended capturing keystrokes via modules within the kernel or by a modified bash shell
  • Expect logging within the Honeynet to be attacked
  • Expect syslogd to also be killed or Trojan-horsed

  20. Off-line Layer
  • Use a utility like “Tripwire” to take images of the system before opening up the Honeynet
  • Take the compromised system off-line and take another image
  • Inspect the images to recover tools installed by Black Hats

  21. Data Analysis
  • 30 minutes of blackhat activity is about 30 to 40 work hours of data analysis
  • All activity within the Honeynet is suspicious
  • Less than 10 MB of logging per 24 hours is typical.

  22. More Advanced Analysis
  • Passive fingerprinting
  • Forensics

  23. Fingerprinting
  • Learn about the attacker without detection
  • Active fingerprinting
    • Fyodor’s Nmap Security Scanner (http://www.insecure.org/nmap)
    • Ofir Arkin’s paper “ICMP Usage in Scanning” (http://www.sys-security.com)
  • Passive fingerprinting
    • Sniffer traces

  24. Forensics
  • UNIX systems
    • The Coroner’s Toolkit, by Dan Farmer and Wietse Venema
    • Automated data gathering
    • Recovery of deleted files
    • Reconstruction of events based on modify/access/change times
  • Windows and NT
    • EnCase (http://www.encase.com)
    • J.D. Glaser (Foundstone) (http://www.blackhat.com/html/bh-usa-99/bh3-speakers/html)

  25. Example Of A Blackhat Session
  Following An IRC Chat Session
  The Honeynet Project. Know Your Enemy. Addison-Wesley, 2002.

  26. Scenario
  • What was attacked
    • Solaris 2.6 honeypot with a rpc.ttdbserv Solaris exploit
    • Buffer overflow in the ToolTalk object database server
    • Exploit listed in SANS Institute’s Top Ten List (http://www.sans.org/topten.htm)
  • What blackhats put there
    • IRC bot installed
    • It captured all conversations on the IRC channel
    • Honeynet Project listened in
  • After setting the system up for their use, they hardened security on the system to prevent other blackhats from using it
  • Authors believe kiddie scripts were used

  27. The Adventures Of D1ck And J4n3
  • D1ck probably an older teenager living in Pakistan, possibly near Kashmir, maybe in Lahore
  • J4n3 possibly from Pakistan but wants to appear as an “elite” hacker.
  • IRC chat captured
    • Underground language and slang.
    • Parts using Urdu, native language of Pakistan

  28. Where In Pakistan?
  http://www.cia.gov/cia/publications/factbook/geos/pk.html

  29. What Was Happening
  • Appeared that several Black Hats in the group were sympathetic to Pakistani causes but others to Indian.
  • Justification for hacking was for these causes
  • Frequently attacked other Black Hats
    • Compromise systems to hinder their exploits
  • Shared common skills and techniques

  30. Example of Blackhat Warfare
  June 6, 2000
  D1ck! :I just tookover 3 of diz’s box today ;(
  D1ck! :one day I did 36
  Sp07! : *** it
  D1ck! :heh
  D1ck! :*ALL* his boxes
  J4n3! :woo
  D1ck! :Sp07
  D1ck! :hmmmmmm
  D1ck! :um
  Sp07! :?
  D1ck! :J4n3:who’se domain example.com is?
  D1ck! :and who host’s it
  D1ck! :satnet called up zahid eh
  p. 196, The Honeynet Project.

  31. D1ck
  June 9, 2000
  • Rooted more than 40 systems
  • Here, he gives J4n3 access to one of them
  J4n3 : D1ck
  D1ck :sup
  J4n3 : I can’t access www.example.com with the user k1dd13 and pass u gave …
  D1ck :sha..d4v3
  J4n3 :yup that is …
  D1ck :site work?
  J4n3 :wait
  J4n3 :yup
  p. 244, The Honeynet Project

  32. Honeynet Project’s Favorite Quotes
  June 9, 2000
  • D1ck brags how many Linux boxes he compromised in 3 hours
  D1ck :hehe come with yure ip I’ll add u to the new 40 bots
  D1ck :I owned and trojaned 40 servers of linux in 3 hours
  D1ck ::))))
  J4n3 :heh
  D1ck :***
  J4n3 :107 bots
  D1ck :yup
  J4n3 :wait brb
  D1ck :105 :P
  J4n3 :back
  D1ck :kewl
  p. 250, The Honeynet Project

  33. Psychological Review Of D1ck And J4n3’s Group
  • Social structure was robust with a complex meritocracy
  • Status hierarchy in his local social group and in groups outside this local group
  • Use of derogatory statements to challenge status of others and to control social processes
  • High level of tension reduces their cohesiveness
  • Constant fear of detection and arrest

  34. Questions?
  Next, Kirk Hausman
