Tracing the Ghosts of Cyber World !

Post on 26-Feb-2016


Transcript of Tracing the Ghosts of Cyber World !

TRACING THE GHOSTS OF CYBER WORLD !

DEFCON BANGALORE, 17 Aug 2013

Daniel Singh, Daniel@techngeeks.com

About the Presenter

• CISO @ TechNGeeks

• Security Researcher

• Cyber Security Evangelist

• C|EH, E|CSA

About the Presenter: DAY JOB: I'M A PROGRAMMER. (I GET 21 ERRORS IN 20 LINES OF CODE)

My 1st successful program @S**t Inc.

do {!flush(commode);} //please

while (paperTowels.in(/*BOOL*/)==true);

throw(paperTowels); //in garbage collector

About the Presenter: BY NIGHTFALL: Transform into 1337 h4x0r

Agenda (My TO DO LIST !!!)

• Introduction to Honeypots & Honeynets
• Honeypot Background & History
• Benefits & Downside of Honeypots
• Classification & Implementation
• Introduction to Honey Analysis
• Legal aspects of Honeypots
• Detection of Honeypots
• Future of Honeypots
• Anti-Honeypot Techniques
• Summary
• Further information

What is a Honeypot?

• A pot, used to store honey

But as a metaphor, a honeypot refers to:

• Espionage recruitment involving sexual seduction (reality/fiction)
• A honeypot site, a popular visitor attraction for tourists
• A sting operation (like 'Bait Car')
• Honeypot (noun), esoteric slang for physically attractive women under 30 years of age who exude a measure of restrained yet potent sexuality

What is a Honeypot?

• The term originated in the military

• It is a fake target for an ambush

• Here it is used in the network security context

Background

Abstract definition: "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." (Lance Spitzner)

Concrete definition: "A honeypot is a fictitious vulnerable IT system used for the purpose of being attacked, probed, exploited & compromised."

Some more definitions

What a honeypot actually is:

'A honeypot is a resource which is expected to be attacked or compromised.'

• Distraction of an attacker
• To gain information about the attacker
• Attack methods and tools

Benefits of Honeypots

• Risk Mitigation: a honeypot deployed in a production environment may lure an attacker away from the real production systems

• IDS-like functionality: since no legitimate traffic should go to or from the honeypot, any connection it sees is suspect by construction (once your own vulnerability scanners and monitoring hosts are excluded), without the false-positive problem of inspecting busy production traffic

Benefits of Honeypots

• Attack Strategies: find out the reasons and strategies behind why and how attacks happen
• Attack Tools: detailed information about attack tools
• Increased knowledge: knowing how to respond to & prevent future attacks
• Identification and Classification: find out who is attacking you and profile them

Benefits of Honeypots

• Evidence: after identification of the attacker, all data captured can be used in legal proceedings
• Research: reveal internal communications of hackers, infections, and spreading techniques of worms & viruses

Benefits of Honeypots

• Honeypot VS Antivirus

• Honeypot VS Sandboxes

• Honeypot VS IDS/IPS

• Honeypot VS Darknets

• Honeypot VS Secure Web Proxies

Downside of Honeypots

• Limited View: honeypots cannot track & capture activity directed towards other systems
• Additional Risk: deploying a honeypot can create additional risk for the whole organization
• Legal risk: if the honeypot is compromised and joins a bot army, this could lead to serious legal consequences

Classification of Honeypots

• By level of interaction: Low Interaction, Medium Interaction, High Interaction, Hybrid Pots
• By deployment: Physical, Virtual
• By side emulated: Server-side, Client-side
• By scope: Multifunction (General Purpose) or Specialized (Jails, Tarpits, Web Applications, SSH Pot, SCADA Pot, VOIP Pot, Bluetooth Pot, USB Pot, Sinkholes)
• By purpose: Production Level, Research Level
• By topology: Distributed, Stand-alone

Examples of Honeypots

Low Interaction Server Side:

• General purpose: Amun, Dionaea, HoneyD, Tiny Honeypot
• Web application: Glastopf, Google Hack Honeypot
• SSH: Kippo
• SCADA: SCADA Honeynet (Digital Bond), Conpot
• VoIP: Artemisa
• Bluetooth: Bluepot
• Sinkhole: Honeysink
• USB: GhostUSB

(Source: European Network and Information Security Agency report)

Examples of Honeypots

High Interaction Server Side: Argos, HiHAT, Sebek

Low Interaction Client Side: PHoneyC, Thug

High Interaction Client Side: Capture-HPC NG, Sheila

(Source: European Network and Information Security Agency report)

Examples of Honeypots*

• HoneyMonkey
• Canary Trap
• Tarpits
• Pseudoserver
• Network Telescope/Darknets

HoneyPot Sensors

Two types of honeypot sensors:

Fat sensor: a complete system; it processes the data from the node itself and sends the result to the central server for further analysis and correlation.

Thin sensor: just a reflector; it forwards all connections directly to the central server for processing and data analysis.
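As an added example (not code from the talk or from any tool it names), the following minimal low-interaction TCP sensor shows the fat/thin split above in working code: it sends a fake banner for the port it emulates, reads the attacker's first bytes, and records one event per connection. The banner strings, the event layout, and the helper names (`build_event`, `HoneySensor`, `serve`) are assumptions made for this illustration. With `fat=True` the node parses what it can (SSH client banner, HTTP request line, FTP user) before shipping the event; with `fat=False` it only wraps the raw bytes and leaves analysis to the central server.

```python
"""Minimal low-interaction TCP honeypot sensor (added example, not the
talk's or any named tool's code).  Banners and event fields are assumed."""
import json
import socketserver
import threading
from datetime import datetime, timezone

# Assumed fake banners per emulated port; real tools ship a full emulation layer.
BANNERS = {
    21: b"220 ftp.example.internal FTP server ready\r\n",
    22: b"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n",
    23: b"\r\nlogin: ",
    80: b"",  # HTTP: the client speaks first, so send nothing
}


def build_event(src_ip, src_port, dst_port, payload, fat=True):
    """Turn one captured connection into a JSON-serialisable event.

    fat=False models a thin sensor: wrap the raw bytes, parse nothing.
    fat=True models a fat sensor: extract client banner / request line /
    FTP user on the node before forwarding to the collector."""
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_port": dst_port,
        "raw": payload.hex(),  # hex keeps binary payloads safe inside JSON
    }
    if not fat:
        return event
    first = (payload.decode("latin-1").splitlines() or [""])[0].strip()
    if dst_port == 22 and first.startswith("SSH-"):
        event["client_banner"] = first  # e.g. SSH-2.0-libssh2_1.4.2
    elif dst_port == 80:
        parts = first.split(" ")
        if len(parts) == 3 and parts[2].startswith("HTTP/"):
            event["method"], event["path"] = parts[0], parts[1]
    elif dst_port == 21 and first.upper().startswith("USER "):
        event["ftp_user"] = first[5:]
    return event


class HoneyHandler(socketserver.BaseRequestHandler):
    """One thread per connection: fake banner, one read, one event."""

    def handle(self):
        dst_port = self.server.emulate
        banner = BANNERS.get(dst_port, b"")
        if banner:
            self.request.sendall(banner)
        self.request.settimeout(5.0)
        try:
            data = self.request.recv(4096)
        except OSError:  # timeout or reset: the connect itself is still worth logging
            data = b""
        src_ip, src_port = self.client_address[:2]
        event = build_event(src_ip, src_port, dst_port, data, self.server.fat)
        self.server.events.append(event)
        print(json.dumps(event))  # stand-in for shipping to the central server


class HoneySensor(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, port, emulate=None, fat=True, host="0.0.0.0"):
        super().__init__((host, port), HoneyHandler)
        self.emulate = emulate or port  # service the pot pretends to be
        self.fat = fat
        self.events = []


def serve(port, emulate=None, fat=True):
    """Start a sensor in a background thread; captured events land in .events."""
    sensor = HoneySensor(port, emulate, fat)
    threading.Thread(target=sensor.serve_forever, daemon=True).start()
    return sensor


if __name__ == "__main__":
    # Listen unprivileged on 2222 and pretend to be SSH on 22; redirect
    # 22 -> 2222 with a NAT rule on the gateway (assumed deployment).
    sensor = serve(2222, emulate=22)
    print("honeypot listening on 2222 (emulating 22); Ctrl-C to stop")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        sensor.shutdown()
```

Everything the sensor does is in `build_event`, so the capture format can be checked offline without opening a socket; the listener only wires it to real connections.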

Honeynet

'A honeynet is a network of honeypots supplemented by firewalls & IDS'

• These are more realistic environments
• Improved data capture & analysis
• Better fingerprinting

Implementation of HoneyPot

[Diagram: INTERNET -> Gateway (10.1.1.1) -> Honeywall (eth0 / eth1 / eth2) sitting between the Production Network and the Honeypot. Addresses shown: 192.168.1.15, 192.168.1.20, 192.168.1.25, 192.168.1.101, 192.168.1.254]

Implementation of HoneyNet

[Diagram: INTERNET -> Gateway (10.1.1.1) -> eth0 / eth1 / eth2 -> ROUTER, with the Production Network (192.168.1.15, 192.168.1.20, 192.168.1.25, 192.168.1.101, 192.168.1.102, 192.168.1.103) on one side and the HoneyNet (192.168.1.254) on the other]
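The honeywall in the diagrams above has two jobs: data capture (log everything that reaches the pot) and data control (never let a compromised pot attack anyone else, which is the "joins a bot army" legal risk from the downside slide). The following added example, not the Honeynet Project's Honeywall code, expresses that policy as a decision function so it can be reasoned about and tested: the honeypot address follows the diagram, the production range and the per-hour outbound budget are assumptions.

```python
"""Honeywall data-control policy (added example; not the Honeynet Project's
rc.firewall).  Honeypot address from the diagram; budget and production
range are assumptions for illustration."""
import ipaddress
from collections import defaultdict

HONEYPOTS = {ipaddress.ip_address("192.168.1.254")}   # from the diagram
PRODUCTION = ipaddress.ip_network("192.168.1.0/24")    # .15/.20/.25/.101 live here
OUTBOUND_BUDGET = 20  # assumed: new outbound connections per honeypot per hour


class Honeywall:
    """ACCEPT/DROP per new connection, plus the capture log.

    Data capture: every inbound connection to a pot is accepted and logged.
    Data control: a pot may never talk to production hosts, and may open
    only a bounded number of outbound connections per hour, so an attacker
    who owns it cannot use it as a useful scanner, spam relay or DDoS bot."""

    def __init__(self, budget=OUTBOUND_BUDGET):
        self.budget = budget
        self.outbound = defaultdict(int)  # (pot, hour) -> connections started
        self.log = []

    def decide(self, src, dst, dst_port, hour):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst in HONEYPOTS:
            self.log.append(("inbound", str(src), str(dst), dst_port, "ACCEPT"))
            return "ACCEPT"
        if src in HONEYPOTS:
            if dst in PRODUCTION and dst not in HONEYPOTS:
                self.log.append(("pivot-attempt", str(src), str(dst), dst_port, "DROP"))
                return "DROP"  # a compromised pot must not reach production
            key = (str(src), hour)
            self.outbound[key] += 1
            verdict = "ACCEPT" if self.outbound[key] <= self.budget else "DROP"
            self.log.append(("outbound", str(src), str(dst), dst_port, verdict))
            return verdict
        return "ACCEPT"  # production <-> Internet traffic is not the wall's job

    def dropped(self):
        """Count of dropped connections by reason, for the analysis dashboard."""
        counts = defaultdict(int)
        for reason, *_rest, verdict in self.log:
            if verdict == "DROP":
                counts[reason] += 1
        return dict(counts)


if __name__ == "__main__":
    wall = Honeywall(budget=3)
    print(wall.decide("203.0.113.9", "192.168.1.254", 22, "2013-08-17T10"))    # ACCEPT
    print(wall.decide("192.168.1.254", "192.168.1.15", 445, "2013-08-17T10"))  # DROP
    for _ in range(4):  # budget of 3: the fourth outbound connection is DROP
        print(wall.decide("192.168.1.254", "198.51.100.5", 6667, "2013-08-17T10"))
    print(wall.dropped())
```

On the real Honeywall this policy is enforced with iptables connection limits and an inline IDS rather than in Python; the point of the example is the three rules (inbound always captured, pot-to-production never, outbound rate-limited), which are what keep a compromised honeypot from becoming your legal problem.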

Honey Analysis

[Charts from the slides: "Attacks over Time", "Distribution over Time Metric", "Attack Origin over Time"]

Honey Analysis

Important security metrics:

• $Destination IP
• $Destination Port
• $Source IP
• $Source Port

Important services and ports:

Service          Port  Description
FTP-Data           20  File Transfer [Default Data]
FTP                21  File Transfer [Control]
SSH                22  Secure Shell
Telnet             23  Telnet
SMTP               25  Simple Mail Transfer
DNS                53  Domain Name Server
BOOTPS             67  Bootstrap Protocol Server
BOOTPC             68  Bootstrap Protocol Client
HTTP               80  Hypertext Transfer Protocol
POP3              110  Post Office Protocol
NNTP              119  Network News Transfer
NTP               123  Network Time Protocol
NETBIOS-NS        137  NETBIOS Name Service
NETBIOS-DGM       138  NETBIOS Datagram
NETBIOS-SSN       139  NETBIOS Session Service
IMAP              143  Internet Message Access Protocol v4
SNMP              161  Simple Network Management
IRC               194  Internet Relay Chat
HTTPS             443  HTTP over TLS/SSL
MS-DS             445  Microsoft-DS
SMTPS             465  Secure SMTP
SMTP SUBMISSION   587  Simple Mail Transfer Protocol Submission
IMAPS             993  IMAP over TLS/SSL
IRCS              994  IRC over TLS/SSL
POP3S             995  POP3 over TLS/SSL
Astaro           1026  Astaro User Portal
Kazaa            1214  Kazaa Media
MS-SQL-S         1433  Microsoft SQL Server
MS-SQL-M         1434  Microsoft SQL Monitor
HP-SIM           2381  HP System Management
BES              3101  Blackberry Enterprise Server
MS-WBT-Server    3389  RDP Terminal Server
Kerio            4040  Kerio Connect Web Admin
Astaro           4444  Astaro Web Admin
ICQ              5190  ICQ.com
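The following added example (not a tool from the talk) turns the four metrics above, source/destination IP and port, into the three charts the slides show and into the alert list implied by the "IDS-like functionality" benefit: every source that touched the pot is an alert unless it is on an allowlist of your own scanners and monitoring hosts. The log format and the sample lines are constructed for this page; the port-to-service names are taken from the table above. The parser skips lines it does not understand rather than aborting, which matters when the sensor's log gets garbage from the attacker.

```python
"""Honey analysis over sensor connection records (added example).  The log
format and SAMPLE_LOG are constructed for this page; SERVICES follows the
port table above."""
import re
from collections import Counter, defaultdict

SERVICES = {20: "FTP-Data", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP",
            53: "DNS", 80: "HTTP", 110: "POP3", 139: "NETBIOS-SSN", 143: "IMAP",
            443: "HTTPS", 445: "MS-DS", 1433: "MS-SQL-S", 3389: "MS-WBT-Server"}

# Constructed sample log: one line per connection seen by the honeypot sensor.
SAMPLE_LOG = """\
2013-08-17T09:58:10Z src=203.0.113.9 spt=41022 dst=192.168.1.254 dpt=22
2013-08-17T09:58:11Z src=203.0.113.9 spt=41023 dst=192.168.1.254 dpt=22
2013-08-17T10:02:44Z src=198.51.100.77 spt=55412 dst=192.168.1.254 dpt=445
2013-08-17T10:03:01Z src=198.51.100.77 spt=55413 dst=192.168.1.254 dpt=3389
2013-08-17T10:41:19Z src=192.168.1.20 spt=38800 dst=192.168.1.254 dpt=22
2013-08-17T11:15:05Z src=203.0.113.9 spt=41100 dst=192.168.1.254 dpt=1433
garbage line that the parser must skip, not crash on
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) "
    r"src=(?P<src>[\d.]+) spt=(?P<spt>\d+) dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)$"
)


def parse(text):
    """Parse sensor lines into event dicts; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append({"ts": m["ts"], "src": m["src"], "spt": int(m["spt"]),
                           "dst": m["dst"], "dpt": int(m["dpt"])})
    return events


def service_name(port):
    return SERVICES.get(port, f"tcp/{port}")


def analyse(events, allowlist=()):
    """Build the slide metrics plus an IDS-style alert list.

    allowlist: hosts that legitimately touch the pot (your vulnerability
    scanner, monitoring).  Every other source is suspect by construction."""
    per_hour = Counter(e["ts"][:13] for e in events)           # attacks over time
    per_origin = Counter(e["src"] for e in events)             # attack origin
    per_service = Counter(service_name(e["dpt"]) for e in events)  # distribution
    origin_over_time = defaultdict(Counter)                    # origin over time
    for e in events:
        origin_over_time[e["ts"][:13]][e["src"]] += 1
    alerts = []
    for src, hits in per_origin.most_common():
        if src in allowlist:
            continue
        services = sorted({service_name(e["dpt"]) for e in events if e["src"] == src})
        alerts.append({"src": src, "hits": hits, "services": services})
    return {"per_hour": per_hour, "per_origin": per_origin,
            "per_service": per_service, "origin_over_time": origin_over_time,
            "alerts": alerts}


if __name__ == "__main__":
    report = analyse(parse(SAMPLE_LOG), allowlist=("192.168.1.20",))
    for key in ("per_hour", "per_service", "per_origin"):
        print(key, dict(report[key]))
    for alert in report["alerts"]:
        print("ALERT", alert)
```

The allowlist is the one caveat worth remembering from the benefits slide: "all traffic is malicious" only holds after you remove your own hosts, otherwise the internal scanner at 192.168.1.20 in the sample shows up as an attacker.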

Legal Aspects of Honeypots

New technology: the legal framework and its adjudicators will take up cases as and when they arise.

Varied applications: honeypots range from a simple port listener to a full virtual machine and are created on demand, so a single law covering them is hard to internationalise and hard to achieve.

No legal cases: as of now, there has not been any legal case pertaining to honeypots and their usage.

Concepts still debatable: some issues relating to honeypots have received differing rulings in different scenarios.

The basic legal themes related to honeypots are:

1. Entrapment (including enticement)

2. Privacy

3. Downstream liability

Detection of Honeypots

Technical attributes of a honeypot:

• Response time & banners
• Registry entries
• Inconsistent parameters
• "Social" properties of the system
• Usage interaction & access logs
• Network sniffing
• Packets going to/from the system
• Search for traces of VMware

Detection of Honeypots

• Sending an invalid TCP packet (S+R, i.e. SYN+RST)
• Spotting system anomalies
• Spotting TTL, window size
• Spotting IPID, DF bit
• Detect BIOS version
• Detect VMware Tools extension
• Detect VMware magic value (0x564D5868)
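Several of the checks above can be expressed as a scoring function over an observation record, which is what the added example below does (it is not the speaker's tool; the observation dictionary and its field names are assumptions for this page). It separates what a remote attacker can see passively (the service banner and the hop-decremented TTL, whose implied operating systems should agree) from what only a post-compromise look inside the box gives (VMware MAC OUI, BIOS vendor string, VMware Tools process). The OUI and default-TTL tables are the commonly known values. One indicator on its own proves little, since by 2013 plenty of real servers were VMs, so the function returns every indicator it finds and leaves the weighing to the reader.

```python
"""Honeypot / VM fingerprint checks (added example, not the talk's tool).
Observation fields are assumed; OUI and TTL defaults are well-known values."""

VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}
VM_VENDOR_WORDS = ("vmware", "virtualbox", "innotek", "qemu", "xen", "bochs")
VM_TOOLS = {"vmtoolsd", "vmware-guestd", "vboxservice", "VBoxService"}


def os_from_ttl(observed_ttl):
    """Guess the sender's OS family from a hop-decremented TTL.

    Initial TTLs cluster at 64 (Linux/BSD), 128 (Windows) and 255 (network
    gear, Solaris); the observed value is the next default above it."""
    if observed_ttl <= 64:
        return "linux"
    if observed_ttl <= 128:
        return "windows"
    return "network"


def os_from_banner(banner):
    """OS family the service banner claims, or None if it says nothing."""
    b = banner.lower()
    if "windows" in b or "microsoft" in b:
        return "windows"
    if any(word in b for word in ("debian", "ubuntu", "linux", "freebsd")):
        return "linux"
    return None


def honeypot_indicators(obs):
    """Return the list of indicators found in one observation.

    Remote/passive fields: 'ttl', 'banner'.
    Local/post-compromise fields: 'mac', 'bios_vendor', 'processes'."""
    found = []
    mac = obs.get("mac", "").lower().replace("-", ":")
    if mac[:8] in VMWARE_OUIS:
        found.append("vmware-oui")  # "search for traces of VMware"
    bios = obs.get("bios_vendor", "").lower()
    if any(word in bios for word in VM_VENDOR_WORDS):
        found.append("vm-bios-vendor")  # "detect BIOS version"
    if VM_TOOLS & set(obs.get("processes", ())):
        found.append("vm-tools-running")  # "detect VMware Tools extension"
    ttl_os = os_from_ttl(obs["ttl"]) if "ttl" in obs else None
    claimed_os = os_from_banner(obs.get("banner", ""))
    if ttl_os and claimed_os and ttl_os != claimed_os:
        # "inconsistent parameters": a low-interaction pot often emulates a
        # banner for one OS while the real TCP/IP stack belongs to another.
        found.append(f"ttl-banner-mismatch:{ttl_os}!={claimed_os}")
    return found


if __name__ == "__main__":
    # Constructed observations, not real hosts.
    remote = {"ttl": 115, "banner": "SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1"}
    local = {"mac": "00:0C:29:4A:1B:2C", "bios_vendor": "VMware, Inc.",
             "processes": ["sshd", "vmtoolsd"], "ttl": 63,
             "banner": "SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1"}
    print("remote:", honeypot_indicators(remote))
    print("local: ", honeypot_indicators(local))
```

The mismatch check is the one that matters most for low-interaction pots: a Debian SSH banner served from a stack whose TTL implies Windows (or a pot framework answering everything with the same TTL regardless of the OS it claims) is the kind of inconsistency an attacker spots in one packet capture.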

Future of Honeypots

• HoneyTokens
• SCADA Honeypots
• Mobile Device based
• Wireless Honeypots
• SPAM Honeypots
• Search-Engine Honeypots
• Honeypot Farms

Future of Honeypots: HoneyTokens

HoneyTokens are resources used for detecting & tracking insider interaction with resources that look legitimate but have no real use.

Tokens are fake, crafted items, counterparts of resources that should not normally be accessed (important documents & research, source code, MS Word & Excel docs, SSNs & CC numbers, confidential emails, login & password files)
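An added example of the honeytoken idea above (not code from the talk): a registry plants two kinds of token, a fake service account dropped into a credentials file and a unique marker string embedded in a decoy document, and then scans ordinary logs (sshd auth log, proxy log) for any appearance of them. The token formats, the registry class and the sample log lines are constructed for this page. Because the accounts and markers exist nowhere else, any hit is a high-confidence signal with a built-in pointer to which placement was touched.

```python
"""Honeytokens: plant fake credentials and marked documents, then watch logs
for any use of them (added example; formats and log lines are constructed)."""
import re
import secrets


class HoneyTokenRegistry:
    def __init__(self):
        self.tokens = {}  # token string -> (kind, placement)

    def plant_credential(self, placement):
        """Return (username, passwd-file line) for an account that exists
        nowhere; any login attempt with it is an insider/compromise signal.
        'placement' names where the decoy file is dropped, e.g. a share."""
        user = f"svc_{placement}_{secrets.token_hex(4)}"
        password = secrets.token_urlsafe(12)
        self.tokens[user] = ("credential", placement)
        return user, f"{user}:{password}"

    def plant_document(self, placement, title):
        """Return (marker, decoy document text).  The marker is unique per
        copy, so a DLP, proxy or mail log that echoes it identifies which
        copy of the decoy left the building."""
        marker = f"PRJ-{secrets.token_hex(5).upper()}"
        self.tokens[marker] = ("document", placement)
        body = f"{title}\nReference: {marker}\n(Confidential, internal draft)\n"
        return marker, body

    def scan(self, log_lines):
        """Return one alert per token occurrence in the given log lines."""
        if not self.tokens:
            return []
        pattern = re.compile("|".join(re.escape(t) for t in self.tokens))
        alerts = []
        for line in log_lines:
            for m in pattern.finditer(line):
                kind, placement = self.tokens[m.group(0)]
                alerts.append({"kind": kind, "placement": placement,
                               "token": m.group(0), "line": line})
        return alerts


if __name__ == "__main__":
    reg = HoneyTokenRegistry()
    user, passwd_line = reg.plant_credential("fileshare")
    marker, doc = reg.plant_document("hr-share", "Q3 salary review")
    # Constructed log lines in sshd and squid style; not from a real system.
    logs = [
        f"Aug 17 22:14:01 gw sshd[911]: Failed password for invalid user {user} "
        "from 192.168.1.101 port 4321 ssh2",
        "Aug 17 22:14:05 gw sshd[912]: Accepted password for alice from 192.168.1.15 port 4322 ssh2",
        f"Aug 17 22:20:40 proxy squid: 192.168.1.101 POST http://paste.example/ body contains {marker}",
    ]
    for alert in reg.scan(logs):
        print(alert["kind"], alert["placement"], "->", alert["line"])
```

Two design points carry over to real deployments: the username embeds the placement so the alert says where the decoy was read from, and the scan is a single compiled alternation over all tokens, so adding a thousand tokens does not mean a thousand passes over the log.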


Anti-Honeypot Techniques

• Automated honeypot scanners
• Honeypot confusers
• Honeypot exploits
• Honeypot disablers
• Checking HTTPS & SOCKS proxies

SUMMARY

Honeypots are a new field and much is to be done:

• Recommend honeypot setups
• Recommend honeynet farms
• Increase honeypot accuracy
• Invent anti-honeypot techniques

Further Information

TH4NK5