Workshop – Intro to Honeypot, Palembang, 20 June 2014 • Charles Lim charles.lim@honeynet.or.id • Mario Marcello mario@gsk.co.id
Agenda • Introduction to Honeypot • Why Honeypot • Honeypot – Dionaea • Installation • Configuration • Detecting OS • Submitting Samples • Visualizing the Attack
Honeypot • A honeypot is a system designed to be exploited, whether through emulated vulnerabilities, real vulnerabilities, or weaknesses. “Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.” Source: Malware Analyst's Cookbook
Honeypot • Two types of honeypot: • Low interaction • Simulates the services most frequently requested by attackers • E.g. Dionaea, Kippo, Honeytrap • High interaction • Imitates the activities of real systems hosting a variety of services • E.g. HiHAT • Virtual machines are commonly used for ease of maintenance
Other Honeypots • ENISA has published a very thorough review of honeypots, available at: • http://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-of-security-incidents-II-honeypots “Great insights into malicious activity in a CERT’s constituency, providing early warning of malware infections, new exploits, vulnerabilities and malware behavior as well as an excellent opportunity to learn about changes in attacker tactics.”
Honeypot – Why? • We have used IDS in the past • What we have learned: • Only known attacks are detected • Unknown attacks are not detected • Many false positives (if not properly tuned) • We use honeypots to: • Understand what the attacker is doing, i.e. the behavior of the attack • Both low interaction and high interaction honeypots have their own advantages and disadvantages
Call to participate • “CERTs need to cooperate and develop large-scale inter-connected sensor networks in order to collect threat intelligence from multiple distributed geographic areas.” ENISA Research on Honeypots
Call to participate • Participate in Honeynet research sponsored by KOMINFO • Help our government in early warning of cyber attack • You will get Honeypot sensor hardware to capture the cyber attack in your infrastructure • You need one Public IP Address
Road Map • Amien H Rosyandino (ID-SIRTII) • Randy Anthony (SGU) • Michael (SGU) • Stewart (SGU) • Glenn (SGU)
Honeypot in SGU • Nepenthes (2010) • Migrate to Dionaea (2011)
Web Interface (2012) Thanks to Stewart (SGU IT Batch 2010)
Web Interface (2013) Thanks to Andrew & Tommy (SGU IT Batch 2011)
Call to participate • Register your PIC (Person In Charge) of your university • You need to send us: • IP address of your university • PIC of the server admin • Your sensor (sponsored by KOMINFO) will be sending data to the Repo server
Further Information • The Honeynet Project (http://www.honeynet.org) • Indonesia Honeynet Project (http://www.honeynet.or.id) • Indonesia Honeynet Project Mailing List (http://groups.google.com/group/id-honeynet) • Swiss German University (http://www.sgu.ac.id) • My Blog (http://people.sgu.ac.id/charleslim)
Dionaea • Website: http://dionaea.carnivore.it • Captures malware that attacks the system • Opens ports 21, 69, 80, 445, 1433, 3306, 5060 • Installation methods: • from the available repository • manual install
Dionaea Attack Data • logsql.sqlite • /binaries -- malware • /log
Honeypot - Dionaea • A low interaction honeypot • A successor to Nepenthes • Originally developed by Markus Kötter • one of the original developers of nepenthes • initially developed dionaea as part of the Honeynet Project’s Summer of Code 2009
Honeypot - Dionaea • Code written in C • exposes a Python interface, so new modules can be added without recompiling • Supports IPv6 and TLS • Uses libemu for shellcode detection • Implements a Python-based version of the Windows Server Message Block (SMB) protocol • allowing it to properly establish sessions before being exploited by attacking machines • Other low-interaction honeypots only simulate certain vulnerable functions • Logs information on attacks to an SQLite3 database • a simple way to generate and graph statistics
Honeypot - Installation • Dionaea step-by-step installation instructions have been provided to you for reference • Recommended distro: Debian or Ubuntu, though any distro should work • Installation directory: • /opt/dionaea ($DIONAEA_HOME) • Main configuration file: • $DIONAEA_HOME/etc/dionaea/dionaea.conf
Honeypot - Installation • The default log configuration logs: • Debug, • Info, • Message, • Warning, • Critical, and • Error messages
Honeypot - Installation • Consider adjusting the following parameters • Under the default parameters: • Old levels = "all" • New levels = "all, -debug" • Under the errors parameters: • Old levels = "warning, error" • New levels = "error"
Honeypot - Installation • IP Interface Binding • mode = "manual"
# bind to all IPv4 addresses on eth0 interface
addrs = { eth0 = ["0.0.0.0"] }
# bind to .50 and .51 on eth0 interface
addrs = { eth0 = ["10.14.49.50", "10.14.49.51"] }
# bind to .50 on eth0 and all IPv4 on eth1
addrs = { eth0 = ["10.14.49.50"], eth1 = ["0.0.0.0"] }
Honeypot - Installation
ihandlers = {
    handlers = ["ftpdownload",
                "tftpdownload",
                "emuprofile",
                "cmdshell",
                "store",
                "uniquedownload",
                "logsql",
                // "logxmpp",
                // "p0f",
                // "surfids"]
}
Dionaea uses the SQLite database handler (logsql)
Honeypot - Installation
services = {
    serve = ["http",
             "https",
             "tftp",
             "ftp",
             "mirror",
             "smb",
             "epmap"]
}
You might want to disable http, https, tftp and ftp. smb and epmap are used for collecting malware
Honeypot - Running
$ sudo ./dionaea -u nobody -g nogroup \
    -p /opt/dionaea/var/dionaea.pid -D
• Use the user and group appropriate for your system
Honeypot – Passive Identification
$ sudo apt-get install p0f
• p0f is used to identify the host OS of the attacker (not guaranteed to be accurate) • Dionaea also logs the p0f result to the sqlite database • Enable it by modifying the parameter in the ihandlers section
Honeypot – Passive Identification (command line) $ sudo p0f -i any -u root -Q /tmp/p0f.sock -q -l -d -o /dev/null \ -c 1024
Honeypot – Passive Identification (daemon)
$ sudo chown nobody:nogroup /tmp/p0f.sock
$ sqlite3 /opt/dionaea/var/dionaea/logsql.sqlite
sqlite> select p0f,p0f_genre,p0f_link,p0f_detail from p0fs limit 10;
• The socket permissions need to be modified so that Dionaea, running as nobody, can read the p0f socket • After restarting Dionaea, you can verify the results using the sqlite command prompt (as shown above)
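A small health check for the two things that most often go wrong at this step: Dionaea not actually running under the pidfile, and the p0f socket not being owned by the account Dionaea drops to. This is an added example, not part of the workshop deck or the Dionaea project. The paths and accounts (nobody:nogroup, /opt/dionaea/var/dionaea.pid, /tmp/p0f.sock) are taken from the slides; the choice of checks and the function names are this example's own.

```python
"""Health checks for a Dionaea sensor running with p0f (added example; not from
the workshop deck or the Dionaea project).

Paths and accounts come from the slides: Dionaea runs as nobody:nogroup, writes
/opt/dionaea/var/dionaea.pid, and p0f listens on /tmp/p0f.sock. Which checks are
run and how they are implemented is this example's own choice."""
import grp
import os
import pwd
import stat


def pid_alive(pidfile):
    """True if the pidfile names a process that currently exists."""
    try:
        with open(pidfile) as fh:
            pid = int(fh.read().strip())
    except (OSError, ValueError):
        return False            # missing, unreadable or garbage pidfile
    try:
        os.kill(pid, 0)         # signal 0: existence check only, nothing is delivered
    except ProcessLookupError:
        return False
    except PermissionError:
        return True             # process exists but belongs to another user
    return True


def socket_owner_ok(path, user="nobody", group="nogroup"):
    """Check that the p0f socket exists, is a unix socket, and is owned by the
    account Dionaea runs as. Returns (ok, reason)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False, f"{path} missing: is p0f running with -Q {path}?"
    if not stat.S_ISSOCK(st.st_mode):
        return False, f"{path} is not a unix socket"
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
        grpname = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        return False, f"{path} has an unmapped uid/gid {st.st_uid}:{st.st_gid}"
    if (owner, grpname) != (user, group):
        return False, f"{path} is {owner}:{grpname}; fix with: chown {user}:{group} {path}"
    return True, "ok"


def report(pidfile="/opt/dionaea/var/dionaea.pid", sock="/tmp/p0f.sock"):
    """Collect both checks into one dict for scripting or monitoring."""
    ok, why = socket_owner_ok(sock)
    return {"dionaea_running": pid_alive(pidfile),
            "p0f_socket": ok, "p0f_socket_reason": why}


if __name__ == "__main__":
    import json
    import sys
    result = report()
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["dionaea_running"] and result["p0f_socket"] else 1)
```

Run it after starting p0f and Dionaea; a non-zero exit with the `chown` hint in `p0f_socket_reason` is the symptom of the permission problem the slide describes, which otherwise shows up only as an empty `p0fs` table.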
Honeypot – Submit samples to virustotal
ihandlers = {
    handlers = ["ftpdownload", "tftpdownload",
                "emuprofile", "cmdshell", "store", "uniquedownload",
                "logsql",
                "virustotal",
                ...
}
virustotal = {
    apikey = "78b522c17a419aacad191e355550b3a54c1a9efc40d34$
    file = "var/dionaea/vtcache.sqlite"
}
Distributed Sensor • Deploy honeypot sensors at several locations • Store the data on one storage server (centralized database) • Two methods for transferring the data: • Pull • Push
Pull • The server logs in to each sensor • Copies the attack data to the server every few minutes • semi real-time [Diagram: Sensor 1, Sensor 2, Sensor 3, Sensor 4 pulled by the server]
Dionaea → Sqlite Database → Migration (SSHFS, Java) → Mysql → Reporting System
Sqlite → Mysql Dionaea Reporting System, step by step: • Shut down Dionaea • Read the database • Rerun Dionaea
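The pull method above, the statistics the logsql database makes possible, and the p0f verification query from the passive identification slide, worked through in one script. This is an added example for the workshop, not the deck's own SSHFS/Java/MySQL tooling. It assumes a minimal subset of Dionaea's logsql schema (only the `connections` and `p0fs` columns used here; real files have more tables and columns), uses SQLite rather than MySQL as the central store so it runs stand-alone, takes its snapshot with SQLite's online backup API instead of stopping Dionaea as the deck does, and all sensor rows are constructed sample data.

```python
"""Pull-style collection of Dionaea logsql.sqlite files into one central database
(added example for this workshop, not the deck's SSHFS/Java/MySQL tooling).

Assumptions: the two tables below carry only the Dionaea logsql columns this script
uses; real files have more columns and tables. Sample rows are constructed.
The central store is SQLite here for a stand-alone run; the deck uses MySQL."""
import os
import sqlite3
import tempfile

# Subset of Dionaea's logsql schema (assumed minimal shape for the demo).
SENSOR_SCHEMA = """
create table if not exists connections (
    connection integer primary key, connection_type text, connection_transport text,
    connection_protocol text, connection_timestamp integer,
    local_host text, local_port integer, remote_host text, remote_port integer);
create table if not exists p0fs (
    p0f integer primary key, connection integer,
    p0f_genre text, p0f_link text, p0f_detail text);
"""
# Same tables on the central server, prefixed with a sensor column so rows from
# different sensors never collide and a repeated pull of the same data is a no-op.
CENTRAL_SCHEMA = """
create table if not exists connections (
    sensor text, connection integer, connection_type text, connection_transport text,
    connection_protocol text, connection_timestamp integer,
    local_host text, local_port integer, remote_host text, remote_port integer,
    primary key (sensor, connection));
create table if not exists p0fs (
    sensor text, p0f integer, connection integer,
    p0f_genre text, p0f_link text, p0f_detail text, primary key (sensor, p0f));
"""


def make_sensor_db(path, conn_rows, p0f_rows):
    """Build a stand-in for a sensor's logsql.sqlite from constructed rows."""
    con = sqlite3.connect(path)
    con.executescript(SENSOR_SCHEMA)
    con.executemany("insert into connections values (?,?,?,?,?,?,?,?,?)", conn_rows)
    con.executemany("insert into p0fs values (?,?,?,?,?)", p0f_rows)
    con.commit()
    con.close()


def snapshot(sensor_db, dest):
    """Consistent copy of a live sqlite file via the backup API, so the sensor
    keeps running (the deck's procedure stops Dionaea during the pull instead)."""
    src, dst = sqlite3.connect(sensor_db), sqlite3.connect(dest)
    src.backup(dst)
    src.close()
    dst.close()


def merge_into_central(central_db, sensor_id, snapshot_db):
    """Append a snapshot to the central DB tagged with sensor_id (idempotent)."""
    con = sqlite3.connect(central_db)
    con.executescript(CENTRAL_SCHEMA)
    con.execute("attach database ? as snap", (snapshot_db,))
    con.execute("insert or ignore into connections select ?, * from snap.connections", (sensor_id,))
    con.execute("insert or ignore into p0fs select ?, * from snap.p0fs", (sensor_id,))
    con.commit()
    con.execute("detach database snap")
    con.close()


def p0f_overview(central_db, limit=10):
    """The deck's verification query, run across all sensors."""
    con = sqlite3.connect(central_db)
    try:
        return con.execute("select sensor,p0f,p0f_genre,p0f_link,p0f_detail from p0fs "
                           "order by sensor,p0f limit ?", (limit,)).fetchall()
    finally:
        con.close()


def top_remote_hosts(central_db, n=5):
    """Most active attacking hosts; 'accept' marks inbound connections in logsql."""
    con = sqlite3.connect(central_db)
    try:
        return con.execute("select remote_host, count(*) as hits from connections "
                           "where connection_type = 'accept' group by remote_host "
                           "order by hits desc, remote_host limit ?", (n,)).fetchall()
    finally:
        con.close()


def run_demo():
    """Two constructed sensors, each pulled twice; returns (top hosts, p0f rows)."""
    work = tempfile.mkdtemp(prefix="dionaea-pull-")
    central = os.path.join(work, "central.sqlite")
    xp = "XP/2000 (RFC1323+, w+, tstamp-)"
    sensors = {  # constructed sample data; remote hosts use documentation ranges
        "sensor1": ([(1, "listen", "tcp", "smbd", 1402000000, "10.14.49.50", 445, "10.14.49.50", 445),
                     (2, "accept", "tcp", "smbd", 1402000010, "10.14.49.50", 445, "203.0.113.7", 49152),
                     (3, "accept", "tcp", "mssqld", 1402000020, "10.14.49.50", 1433, "198.51.100.9", 50001)],
                    [(1, 2, "Windows", "ethernet/modem", xp), (2, 3, "Linux", "ethernet/modem", "2.6")]),
        "sensor2": ([(1, "accept", "tcp", "smbd", 1402000030, "10.14.49.51", 445, "203.0.113.7", 49200)],
                    [(1, 1, "Windows", "ethernet/modem", xp)]),
    }
    for sid, (conn_rows, p0f_rows) in sensors.items():
        sensor_db = os.path.join(work, sid + "-logsql.sqlite")
        make_sensor_db(sensor_db, conn_rows, p0f_rows)
        snap = os.path.join(work, sid + "-snapshot.sqlite")
        snapshot(sensor_db, snap)
        merge_into_central(central, sid, snap)
        merge_into_central(central, sid, snap)  # second pull of the same data: no duplicates
    return top_remote_hosts(central), p0f_overview(central)


if __name__ == "__main__":
    hosts, p0f = run_demo()
    print("top remote hosts:", hosts)
    print("p0f rows:", p0f)
```

The composite primary key (sensor, connection) is what makes the repeated pull harmless: Dionaea's row ids restart at 1 on every sensor, so without the sensor tag the second sensor's rows would collide with the first's, and without the key every pull would duplicate everything already collected.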
Push • Uses XMPP • Stores the attack data directly on the server • Real-time [Diagram: Sensor 1, Sensor 2, Sensor 3, Sensor 4 pushing to the server]