Intrusion Deception
Kirby Kuehl, Honeynet Project Member
05/08/2002
Intrusion Deception—Deceiving the Blackhat
• Reconnaissance: an inspection or exploration of an area, especially one made to gather military information.
• A Honeypot MUST appear to be an attractive target.
• Accurate responses to active (nmap) and passive (p0f) operating system fingerprinting methods, daemon banner queries, port scans, and vulnerability scanners (nessus).
• Convincing content if the system is running httpd or ftpd.
• Inconspicuous in relation to the rest of the network.
• The Honeypot can reside next to production systems so that it is scanned during sweeps, or ports can be redirected from production systems to the Honeypot.
Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl
Intrusion Deception—Passing Recon
• Honeynet Project
  • Uses actual default installations of actively exploited operating systems and services.
  • Nothing is emulated, so the host's response to reconnaissance methods will be accurate.
  • Data Capture (logging), Data Control (firewalling), and Intrusion Detection (alerting) are performed using other HARDENED hosts on the network.
  • No production hosts on the network, to eliminate data pollution. All traffic is suspect and is logged in full tcpdump format.
Honeynet Design – Generation I (diagram)
Honeynet Design – Generation II
• The Honeynet Sensor
  • Data Control: limits outbound connections (hogwash or iptables), allowing Blackhats to obtain their tools but not attack other systems.
  • Data Capture: IDS (snort) logging all traffic as well as providing an alert mechanism.
  • Deception: no IP stack; no TTL decrementing.
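An added example, not from the talk or the Honeynet Project's own scripts, of a GenII-style sensor: a layer-2 bridge with no IP address, iptables rate-limiting of new outbound connections from the honeypot (bridged frames still pass the FORWARD chain under bridge-netfilter), and snort binary logging on the bridge. Interface names, the honeypot address 192.168.1.10 and the 15/hour limit are assumptions.

```shell
# Assumptions (constructed): eth0 faces the upstream router, eth1 faces the
# honeypot segment, the honeypot lives at 192.168.1.10.
LAN_IF=eth0
HONEY_IF=eth1
HONEYPOT=192.168.1.10
OUTBOUND_LIMIT="15/hour"   # new connections the blackhat may open outward

# Print the commands instead of running them when DRY_RUN=1,
# so the rule set can be reviewed without root.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# Deception: a bridge with no IP address. The sensor never answers ARP and
# never decrements TTL, so traceroute and fingerprinting do not see it.
build_bridge() {
  run brctl addbr br0
  run brctl addif br0 "$LAN_IF"
  run brctl addif br0 "$HONEY_IF"
  run ifconfig "$LAN_IF" 0.0.0.0 up
  run ifconfig "$HONEY_IF" 0.0.0.0 up
  run ifconfig br0 0.0.0.0 up
}

# Data control: rate-limit new outbound TCP sessions from the honeypot.
# The attacker can still fetch tools; a scan or flood launched from the
# honeypot is logged and dropped once the token bucket is empty.
data_control() {
  run iptables -F FORWARD
  run iptables -P FORWARD DROP
  # anything inbound to the honeypot is allowed: we want the attacks
  run iptables -A FORWARD -d "$HONEYPOT" -j ACCEPT
  # replies on existing sessions, then a limited number of new ones
  run iptables -A FORWARD -s "$HONEYPOT" -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -s "$HONEYPOT" -p tcp --syn \
      -m limit --limit "$OUTBOUND_LIMIT" --limit-burst 15 -j ACCEPT
  run iptables -A FORWARD -s "$HONEYPOT" -p tcp --syn -j LOG --log-prefix "HONEYNET-OUT-LIMIT "
  run iptables -A FORWARD -s "$HONEYPOT" -p tcp --syn -j DROP
}

# Data capture: snort on the bridge, binary (tcpdump format) log of every packet.
data_capture() {
  run snort -i br0 -b -l /var/log/snort -c /etc/snort/snort.conf -D
}

if [ "${1:-}" = "apply" ]; then build_bridge; data_control; data_capture; fi
```

Run with `DRY_RUN=1 sh sensor.sh apply` to review the generated commands before applying them on the sensor.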
Intrusion Deception—Passing Recon
• Virtual Honeynets
  • VMWare: GuestOS (Honeypot) virtual machine inside HostOS.
  • GuestOS is caged by denying access to the HostOS filesystem.
  • Host-only networking forces the GuestOS to access the network through the HostOS, allowing firewalling and intrusion detection.
  • The Honeynet Project utilizes a Red Hat default installation running inside a hardened Red Hat installation.
  • NMAP's TCP fingerprinting returned unknown OS.
  • Running a mock ecommerce site.
Intrusion Deception—Passing Recon
• Open source Honeypots
  • Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run simulated TCP services or proxy the service to another machine. The TCP/IP personality (OS fingerprint) can be adapted so that they appear to be running certain versions of operating systems.
  • Arpd enables a single host to claim all unassigned addresses on a LAN by answering any ARP request for an IP address with the MAC address of the machine running arpd.
Honeyd / Arpd Configuration (screenshot)
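An added example, not the slide's own configuration: a honeyd template file plus the arpd/honeyd start-up commands that make a single host answer for an unused address block. The network 10.1.1.0/24, interface, file paths, proxy target and script names are assumptions; personality strings must match entries in the nmap.prints file shipped with honeyd verbatim.

```shell
# Assumptions (constructed): 10.1.1.0/24 is unused, eth0 is the listening
# interface, honeyd's nmap fingerprint file is at /usr/share/honeyd/nmap.prints.
NET=10.1.1.0/24
IFACE=eth0
CONF=${CONF:-/etc/honeyd.conf}

# Write the templates. honeyd shapes its TCP/IP replies for each bound
# address to the named personality, so nmap -O and p0f report that OS.
write_honeyd_conf() {
  cat > "$1" <<'EOF'
### A "Windows" web server: IIS emulation script, closed ports answer RST
create iis
set iis personality "Microsoft Windows NT 4.0 SP3"
set iis default tcp action reset
set iis default udp action reset
add iis tcp port 80 "sh /usr/share/honeyd/scripts/iis-0.95/iisemul8.pl"
add iis tcp port 139 open
bind 10.1.1.20 iis

### A "Linux" box: ssh proxied to a caged real host, other ports silently dropped
create linux
set linux personality "Linux 2.4.7 (X86)"
set linux default tcp action block
set linux uptime 3284460
add linux tcp port 22 proxy 10.1.1.200:22
add linux tcp port 21 "sh /usr/share/honeyd/scripts/ftp.sh"
bind 10.1.1.30 linux

### Every other address in the block: a dark host that drops all traffic
create default
set default default tcp action block
set default default udp action block
set default default icmp action block
EOF
}

# arpd claims every unassigned address in NET with this host's MAC;
# honeyd then answers for those addresses using the templates above.
start_honeynet() {
  arpd -i "$IFACE" "$NET"
  honeyd -i "$IFACE" -f "$CONF" -p /usr/share/honeyd/nmap.prints -l /var/log/honeyd.log "$NET"
}

if [ "${1:-}" = "start" ]; then write_honeyd_conf "$CONF"; start_honeynet; fi
```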
Intrusion Deception—Passing Recon
• Commercial Honeypots
  • Mantrap from Recourse Technologies (requires Solaris)
    • Ability to create up to 4 sub-systems (cages), each running Solaris, by utilizing separate interfaces (each host will have a unique MAC address).
    • You can run virtually any application that doesn't interact with the kernel within the 4 chrooted cages.
    • Content Generation Module can be used to create realistic data.
Mantrap Configuration (screenshot)
Intrusion Deception—Passing Recon
• Commercial Honeypots
  • Specter (requires Windows NT)
    • Specter can emulate one of 13 different operating systems. As of Version 6.02 the IP stack is not emulated, so IP fingerprinting tools are not fooled. (A Stealth Plugin is currently under development using raw socket support on XP.)
    • Specter honeypots offer 14 fully (100%) emulated services such as SMTP, FTP, Telnet, Finger, POP3, IMAP4, HTTP, and SSH.
    • Custom fake password files and custom HTTP content.
Specter Configuration (screenshot)
Intrusion Deception—Passing Recon
• Commercial Honeypots
  • Netfacade from Verizon (requires Solaris)
    • Can simulate up to an entire class C, although all hosts will have the same MAC address.
    • Simulates 8 different operating systems, properly fooling TCP fingerprinting methods.
    • Simulates 13 different vulnerable services such as FTP (wu-2.4.2-academ[BETA-12](1), System V Release 4.0, and SunOS 4.1 versions), SSH (SSH Communications Security Ltd's 1.2.26 and 2.0.9 versions), etc.
    • Automatically generates hostnames, user accounts, operating systems, and running services for simulated hosts through a web interface.
Intrusion Deception—Changing with the times
• Blackhat techniques have become more sophisticated:
  • Using kernel module rootkits (adore, kis)
  • Process hiding
  • Keystroke logging
  • Covert communication channels
  • Polymorphic shellcode (ADMutate)
  • Fragroute (IDS evasion)
• Honeynet Project
  • Patching the kernel directly
  • Keystroke logging, allowing us to capture encrypted outbound traffic (ssh)
  • Logging via covert communication channels rather than remote syslog
  • Snort-stable, enabling appropriate preprocessors and logging all traffic (not just TCP/UDP/ICMP)
Intrusion Deception—Honeynet Alliance
• Research Alliance Honeynets
  • Freedom for organizations to create their own honeynets and participate in a virtual community.
  • Standardized capture and logging formats
  • Events can be forwarded to a common database
  • Shared research and analysis
  • Research Alliance Honeynets exist within advertised environments alongside production systems.
  • Hopefully attracting targeted and more sophisticated attacks.
Intrusion Deception—More Information
• http://project.honeynet.org
  • Whitepapers
  • Forensic Challenge
  • Scan of the month
  • Research Alliance
• Know your Enemy book
• kkuehl@cisco.com