
The Honeypot Project

The Honeypot Project. By Itzik Jislin Yiftach Benjamini Supervisor: Ben Bershtein. Introduction. What is a Honeypot?. "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." - Lance Spitzner. Honeypot Overview.


Presentation Transcript


  1. The Honeypot Project. By Itzik Jislin and Yiftach Benjamini. Supervisor: Ben Bershtein

  2. Introduction

  3. What is a Honeypot? "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." - Lance Spitzner

  4. Honeypot Overview
  • A Honeypot has no functional value
  • A Honeypot does not do anything active. Its value lies in the knowledge that any access to the Honeypot is probably malicious
  • In a perfectly safe network a Honeypot should see no traffic at all

  5. Honeypot Overview - Advantages
  • Small data sets of high value
  • Very flexible
    • Does not rely on a fixed database (like anti-virus software). Allows the detection of new and unknown methods and tools
  • Minimal resources
    • Since Honeypots are not intended to actually serve a large number of clients they need very few resources
  • Simple
    • Honeypots are simple to install and maintain

  6. Honeypot Overview - Disadvantages
  • Limited view
    • A Honeypot can observe only interaction with itself. It is not a sniffer and cannot log actions against other functional systems in the network
  • Risk
    • Depending on the type of Honeypot the risk can be greater or lesser, but there is always a risk to the network when a multitude of servers are active in it

  7. Honeypots Overview - Types
  • Low-Interaction
    • Simulates some network services (HTTP, Telnet, FTP, etc…)
    • Very low risk (interaction is only with a simulation)
    • Less flexible (can only simulate what was programmed)
    • Easier to identify
    • Examples: Specter, honeyd, our project

  8. Honeypots Overview - Types
  • High-Interaction (Sacrificial Lamb)
    • Real servers running some kind of logging software
    • High risk (attacker is working with the real thing)
    • Almost impossible to identify

  9. Honeypots Overview - Honeynets

  10. Overview – But what good is it?
  • Collect data
    • Allows researching attackers' methods and tools and developing counter-tools
  • Prevention
    • “Sticky” Honeypots slow down attackers' scanning by responding slowly
    • If the usage of Honeypots is publicly known it might deter hackers from attacking the network for fear of being caught

  11. Overview – But what good is it?
  • Detection and Response
    • If a Honeypot detects suspicious activity it can send an e-mail or SMS to a network administrator
    • A Honeypot is a non-essential system, so taking it offline in order to analyze damage done by an attack is less harmful and disruptive to the functionality of the network

  12. Overview – But what good is it?
  • Counter Attack
    • A Honeypot could be configured to actively respond when it detects attacks coming from systems within its own network. For instance, if it detects worm activity from some system in the network it can quarantine the system, shut it down, or even run a routine to purge the worm

  13. Overview - Threats
  • Viruses
    • Pieces of software that attach to innocent files. Consume computer resources and may be even more malicious (deleting files, ruining hardware, etc…). Rely on social engineering for spreading
  • Worms
    • Self-propagating code. Searches for communication vulnerabilities and uses them to infect more computers at an exponential rate

  14. Overview - Threats
  • Humans
    • White Hats – “Good” hackers searching for vulnerabilities in order to report them and increase security awareness
    • Black Hats – Hackers with personal gain or mayhem in mind. Break into systems in order to steal or corrupt data
    • Script Kiddies – Tool users with no real understanding of what they are doing. Techniques usually include scanning for a system and then hammering it with various tools in order to find a vulnerability

  15. Our Solution – The path to implementation

  16. Phase I – How to simulate an IIS?
  • Fingerprinting using HMAP
    • HMAP vs. www.technion.ac.il
    • HMAP vs. Our Honeypot

  17. Phase II – How do you hack a web server?
  • Directory traversal (double decode)
  • Buffer Overflow (Code Red)
  • Malformed SQL statements

  18. Phase II – How do you hack a web server?
  • Look for directories set up by default with execute permissions
  • These directories may also hold default scripts that contain vulnerabilities
  • Find them by sending requests like these:
    • GET /frick.html HTTP/1.0
    • GET /scripts/ HTTP/1.0
    • GET /_vti_pvt/ HTTP/1.0
    • GET /cgi-bin/GetFile.cfm HTTP/1.0
    • Etc…

  19. Phase II – How do you hack a web server?
  • If we find such a directory we can send malicious strings that use known vulnerabilities such as the “double decode” directory traversal attack
  • Our mission is to execute the cmd.exe program that will get us root access to the computer

  20. Phase II – How do you hack a web server?
  • Example:
    • Send the string:
      /..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:
    • Since the ../../../ attack is well known the server checks for it (and can’t find it in this string)
    • Then it decodes the string, changing %35 to ‘5’ and %63 to ‘c’. Now we have:
      /..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c:
    • Now it realizes it forgot to decode %5c, which surprisingly decodes to a ‘/’
      /../../../../winnt/system32/cmd.exe?/c+dir+c:
    • Now we have root permissions
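As an added example (not code from the slides or the project), here are the two decoding orders side by side in Python: a check that looks for `../` before decoding, which is the order the slide describes and which the encoded string slips past, and the rule a low-interaction honeypot can use to log the same request as a traversal attempt. Function names are hypothetical; note that `%5c` decodes to a backslash, which IIS accepts as a path separator.

```python
"""Added example, not code from the project: the ordering bug from the slide
next to a detector that decodes before checking. naive_iis_check() reproduces
the flawed order (look for '../' in the raw string, then decode twice);
is_traversal() is the honeypot's logging rule. Names are hypothetical."""
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # stop early once another round changes nothing

def naive_iis_check(raw_path):
    """Return (blocked_by_raw_check, path_actually_resolved)."""
    blocked = "../" in raw_path or "..\\" in raw_path
    once = unquote(raw_path)   # %35 -> '5', %63 -> 'c', leaving %5c behind
    twice = unquote(once)      # %5c -> '\', which IIS treats as a separator
    return blocked, twice

def fully_decode(raw_path):
    """Percent-decode until the string stops changing (bounded)."""
    path = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(raw_path):
    """Decode first, normalise '\\' to '/', then look for '..' path segments."""
    path = fully_decode(raw_path).split("?", 1)[0].replace("\\", "/")
    return any(segment == ".." for segment in path.split("/"))

def classify(request_line):
    """Label one HTTP request line for the honeypot log."""
    parts = request_line.split()
    if len(parts) < 2:
        return "malformed"
    path = parts[1]
    if is_traversal(path):
        return "directory-traversal"
    if path.lower().startswith(("/scripts/", "/_vti_pvt/", "/cgi-bin/")):
        return "default-directory-probe"
    return "benign"

# Constructed sample: the slide's double-encoded string plus two other requests
SAMPLE = [
    "GET /..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0",
    "GET /scripts/ HTTP/1.0",
    "GET /index.htm HTTP/1.0",
]
```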

  21. Simulating Port Scanning • Knocker FrontEnd – port scanner

  22. Vulnerabilities check • N-Stealth Security Scanner

  23. Phase III Implement

  24. Based On
  • Visual C++ .net
  • Visual Basic .net (GUI)
  • Winsock2
  • ODBC

  25. Honeypot Architecture – Deployment: Network Scan (diagram of the attacker and the Honeypot)

  26. Honeypot Architecture
  • The program is divided into two main applications:
    • GUI – Allows an easy way of starting and stopping the servers, searching through collected data and displaying statistics
    • Honeypot_Core – Creates and maintains the servers. Collects the data from the users and updates the databases

  27. Honeypot Architecture • Block Diagram

  28. Honeypot Architecture
  • Communication between GUI and core is done over Winsock
  • Why Winsock?
    • There were many available options: RPC, signaling, shared memory, and more
    • We wanted to allow for the expansion of the deployment scheme. Suppose you want to run multiple instances of the core on different computers
    • Using Winsock allows running the GUI on one machine while controlling the others over the network

  29. Honeypot Architecture - Classes

  30. Honeypot Architecture - Classes
  • myDb
    • A class used as an interface with our ODBC database
    • Functions:
      • Connect to the db
      • Disconnect from the db
      • Insert data into a table in the db

  31. Honeypot Architecture - Classes
  • mySock
    • A class used as an interface with the winsock2 objects
    • Functions:
      • Create a new socket
      • Set socket options (timeout)
      • Connect to a server
      • Accept (listen for) new connections
      • Send data
      • Receive data
      • Close socket

  32. Honeypot Architecture - Classes
  • myServer
    • A class used to create and maintain server objects. New servers are created by inheritance and need to implement the serveClient virtual function
    • This implementation allows an easy way to add new services in the future
    • Functions:
      • Create and init a server
      • Start the server
      • Stop the server

  33. Honeypot Architecture – myServer

  34. Honeypot Architecture – HTTPServer
  • The purpose is to “catch” malicious HTTP strings sent as innocent requests
  • The HTTP server emulates a Microsoft IIS 5.0 web server
  • The emulation displays only one page, taken from index.htm
  • The Honeypot is completely safe from all attacks since it does not actually try to execute any commands sent to it. Its default response is “Not Implemented”
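An added example (not the project's own code) of the response logic slide 34 describes: only the front page is ever served, every other request is answered with "501 Not Implemented", and the raw request line is logged without being interpreted. The IIS 5.0 header set below and the index page are assumptions; a real deployment would tune the headers against a fingerprinting tool such as HMAP.

```python
"""Added example, not code from the project: a low-interaction HTTP honeypot
responder that emulates IIS 5.0 as slide 34 describes. Nothing in the request
is executed; the honeypot only logs it and answers from fixed content.
Header set and page body are assumptions."""

# Constructed stand-in for the project's index.htm
INDEX_HTM = b"<html><body><h1>Under Construction</h1></body></html>\r\n"
SERVED_PATHS = ("/", "/index.htm")

def build_response(status, body, content_type="text/html"):
    """Assemble an IIS-5.0-looking response (header order is part of the disguise)."""
    headers = [
        "HTTP/1.1 " + status,
        "Server: Microsoft-IIS/5.0",
        "Content-Type: " + content_type,
        "Content-Length: " + str(len(body)),
        "Connection: close",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode("ascii") + body

def handle_request(raw, client, log):
    """Log the raw request line and answer without acting on the path."""
    request_line = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        status = "400 Bad Request"
        body = b"<html><body>Bad Request</body></html>\r\n"
    elif parts[0] == "GET" and parts[1] in SERVED_PATHS:
        status = "200 OK"
        body = INDEX_HTM
    else:
        # Default for everything else, including cmd.exe probes and script
        # directories: the honeypot never looks anything up on disk
        status = "501 Not Implemented"
        body = b"<html><body>Not Implemented</body></html>\r\n"
    log.append({"client": client, "request": request_line, "status": status})
    return build_response(status, body)

# Constructed sample traffic: one normal request and one cmd.exe probe
SAMPLE_REQUESTS = [
    (b"GET / HTTP/1.0\r\nHost: honeypot\r\n\r\n", "10.0.0.5"),
    (b"GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n", "10.0.0.9"),
]
```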

  35. Honeypot Architecture – HTTPServer

  36. Honeypot Architecture – TELNETServer
  • The purpose is to observe the usernames and passwords attackers will try when hacking a telnet server
  • This will allow the creation of a database of commonly used passwords so that users can be advised (or required) as to what passwords not to use
  • It can also help detect stolen passwords
  • The server emulates nothing more than the login handshake
  • All logins fail
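An added example (not the project's code) of the login-handshake emulation slide 36 describes, written as a small state machine so it can be exercised without sockets: it prompts for a username and a password, records every pair for the common-passwords database, and rejects every login. Prompt texts and the attempt limit are assumptions.

```python
"""Added example, not code from the project: the telnet honeypot's login
handshake from slide 36 as a per-connection state machine. Every attempted
(user, password) pair is recorded and every login fails. Prompt texts and
MAX_ATTEMPTS are assumptions."""
MAX_ATTEMPTS = 3  # assumed: disconnect after this many failed logins

class TelnetLoginEmulator:
    def __init__(self, client, attempts):
        self.client = client
        self.attempts = attempts   # shared list standing in for the database
        self.state = "user"
        self.user = None
        self.failures = 0
        self.closed = False

    def banner(self):
        """First bytes sent after the connection is accepted."""
        return b"\r\nlogin: "

    def feed(self, line):
        """Consume one line from the client and return what to send back."""
        if self.closed:
            return b""
        text = line.rstrip(b"\r\n").decode("latin-1", "replace")
        if self.state == "user":
            self.user = text
            self.state = "pass"
            return b"password: "
        # state == "pass": record the pair, then always reject
        self.attempts.append({"client": self.client, "user": self.user, "password": text})
        self.failures += 1
        self.state = "user"
        if self.failures >= MAX_ATTEMPTS:
            self.closed = True
            return b"\r\nLogin incorrect\r\nConnection closed.\r\n"
        return b"\r\nLogin incorrect\r\n\r\nlogin: "

def top_passwords(attempts, n=3):
    """Most-tried passwords across all sessions: the data slide 36 wants collected."""
    counts = {}
    for attempt in attempts:
        counts[attempt["password"]] = counts.get(attempt["password"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
```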

  37. Honeypot Architecture – TELNETServer

  38. Honeypot Architecture – Communication Flow

  39. Demonstration

  40. Summary

  41. Summary
  • Honeypots are a cheap and simple way to add protection to a network
  • Honeypots allow the study of attackers' methods of operation and help develop new ways of countering them

  42. Possible Future Additions
  • More services such as FTP, messenger, P2P applications
  • Allow administration of multiple servers via the network
  • Add the ability to answer as different IP addresses
  • Emulate different kinds of web servers other than IIS
  • Emulate a more complex telnet session

  43. Thanks!
  • We wish to thank:
    • Ben for his help and endless patience
    • Ilana and the Tochna lab team
    • Our families
