The Honeynet Project
Setting Up A Honeynet
Examples Of Blackhat Activity
Test Results, by Kirk Hausman
Review – What Is A Honeynet?
 A networked system behind a firewall. Black Hats use it rather than your production system.
 Can look like an actual production system
 Records network and system data to logs
 Designed to learn who would like to use your system without your permission for their own ends
 Gives organizations information when attacked
   - Learn vulnerabilities
   - Develop response plans
What About Honeypots?
 Typically, these are single systems connected to a production system to lure attackers.
   - “The Cuckoo’s Nest” by Cliff Stoll
 What products make a honeypot?
   - Fred Cohen’s Deception Toolkit (http://www.all.net/dtk/index.html)
   - Cybercop Sting (http://www.pgp.com/products/cybercop-sting/default.asp)
   - Recourse Mantrap (http://www.recourse.com/products/mantrap/trap.html)
What’s The Difference?
 Honeypots use known vulnerabilities to lure attack.
   - Configure a single system with special software or system emulations
   - Want to find out actively who is attacking the system
 Honeynets are networks open to attack
   - Often use default installations of system software
   - Behind a firewall
   - Better that they mess up the Honeynet than your production system
Diagram Of A Honeynet
   (figure: p. 21, The Honeynet Project. Addison-Wesley 2002. IDS – Intrusion Detection System)
Entry to Honeynet
   (figure: same source, p. 21)
Exit from Honeynet
   (figure: same source, p. 21)
Costs
 For hardware, can be minimal
   - Honeynet Project used Pentiums and SPARC5 with Win ’98, RH Linux and Solaris 2.6. Also old Cisco routers.
 High effort associated with configuring security
   - Restrict how Black Hats use the Honeynet
   - Don’t let them know they’re being monitored
 High effort with analysis of data
   - No tools are available to perform this kind of analysis
Configuration Of Honeynet
 Firewall rulebase
 DNS and NTP
 Anti-spoofing
 Router
 Bandwidth
Firewalls Suggested
 CheckPoint Firewall-1
   - Honeynet Project used it to enforce rules
   - Their book provides custom scripts to send alerts and limit outbound connections
 IPFilter
   - Open source on Linux
   - “Swatch” utility to monitor and count outbound connections
Rules Enforced At Firewall
 Anyone can connect from Internet to Honeynet
 Unlimited inbound, restricted outbound
 No packets allowed between Honeynet and Administrative network
DNS And NTP
 If you want to allow an unlimited number of connections from the Honeynet to the Internet, recommend setting one machine as primary DNS and NTP.
   - Points to one trusted, recursive DNS on the Internet
      - That system resolves names
      - Black Hats expect & require DNS (downloading, etc.)
      - Easier to collect log data about network traffic from one machine than from many within the Honeynet.
   - Role as NTP (Network Time Protocol) server
      - Communicates with specific, trusted system for NTP updates
      - Maintains time to sync system clocks
Anti-spoofing
 Critical to enact
   - This is the most common type of attack out of a Honeynet
 How to enact
   - Set 5 to 10 connections maximum outgoing
   - Limit number of packets to between 5,000 and 10,000 per 24 hours.
   - Set these limits using script in rulebase of firewall
   - Apply limit to both UDP and TCP
   - Deny all outbound ICMP traffic
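A Swatch-style check of the outbound limits above, written here as an added example rather than taken from the Honeynet Project's book or its firewall scripts; the firewall log format, the honeypot addresses and the check_outbound function are all assumptions:

```python
import re
from collections import defaultdict

# Constructed firewall log for one 24-hour window. The record format is assumed for this
# example and is not any real firewall's; "OUT" lines are connections leaving the Honeynet.
FIREWALL_LOG = """\
2000-06-06 01:12:03 OUT proto=TCP src=10.1.1.5 dst=192.0.2.10:6667 pkts=412
2000-06-06 01:15:44 OUT proto=TCP src=10.1.1.5 dst=192.0.2.11:21 pkts=330
2000-06-06 01:20:09 OUT proto=UDP src=10.1.1.5 dst=192.0.2.53:53 pkts=12
2000-06-06 01:21:30 OUT proto=TCP src=10.1.1.5 dst=192.0.2.12:80 pkts=95
2000-06-06 01:25:02 OUT proto=TCP src=10.1.1.5 dst=192.0.2.13:22 pkts=140
2000-06-06 01:27:45 OUT proto=TCP src=10.1.1.5 dst=192.0.2.14:6667 pkts=388
2000-06-06 02:03:00 OUT proto=ICMP src=10.1.1.5 dst=192.0.2.99 pkts=1
2000-06-06 03:40:18 OUT proto=TCP src=10.1.1.7 dst=192.0.2.20:21 pkts=7800
2000-06-06 03:41:00 IN proto=TCP src=198.51.100.7 dst=10.1.1.7:111 pkts=9
""".splitlines()

OUT_RE = re.compile(
    r"\bOUT proto=(?P<proto>TCP|UDP|ICMP) src=(?P<src>[\d.]+) dst=\S+ pkts=(?P<pkts>\d+)"
)

def check_outbound(lines, max_conns=5, max_pkts=5000):
    """Apply the limits from the slide: at most max_conns outbound TCP+UDP connections and
    max_pkts outbound packets per honeypot per 24 hours, and no outbound ICMP at all.
    Returns (honeypot_ip, reason) tuples that a Swatch rule would e-mail or page on."""
    conns = defaultdict(int)
    pkts = defaultdict(int)
    alerts = []
    for line in lines:
        m = OUT_RE.search(line)
        if not m:
            continue  # inbound or unrelated record; inbound is unlimited anyway
        src, proto, n = m["src"], m["proto"], int(m["pkts"])
        if proto == "ICMP":
            # The rulebase should have dropped this; seeing it means the deny rule is missing.
            alerts.append((src, "outbound ICMP should have been denied"))
            continue
        conns[src] += 1
        pkts[src] += n
    for src in sorted(conns):
        if conns[src] > max_conns:
            alerts.append((src, f"{conns[src]} outbound connections > limit {max_conns}"))
        if pkts[src] > max_pkts:
            alerts.append((src, f"{pkts[src]} outbound packets > limit {max_pkts}"))
    return alerts
```

Raising the defaults to the upper end of the slide's range (10 connections, 10,000 packets) clears both count alerts but still reports the ICMP record, which no limit should ever permit.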
Router
 Honeynet Project used router to filter packets
   - Anti-spoofing: only those with correct source IP allowed out
   - Router is secondary to firewall to control how Honeynet is used
 Attackers not surprised to find a router
   - Firewall more transparent if limits on activity are suspected to be due to the router
Bandwidth
 Keep bandwidth small
   - Honeynet Project used 128 Kbps
   - Smaller throughput reduces number of packets sent out during DoS attack
   - Potentially cheaper to maintain the honeynet
Data Capture
 This is the reason for setting up a honeynet.
 Layers of data capture
   - Use more than one layer
   - Compromise of one layer leaves others available to see what happened
 Kinds
   - Access control devices
   - Network layer
   - System layer
   - Off-line layer
Access Control Devices
 Kinds
   - Firewall
   - Router
 Scripting
   - Inbound alerting scripts capture logs
   - Use in firewall
Network Layer
 Logging of packets in Honeynet network
 Capture two kinds of data
   - Signature alerts
   - Packet payload
 IDS (Intrusion Detection System)
   - They used utility called “Snort” (www.snort.org)
   - On suspicious activity, Snort captured data and sent alert message via syslogd to Log/Alert Server
   - “Swatch” on Log/Alert Server looked for specific alerts and sent e-mail or page notification to administrator
System Layer
 By remote logging, send system logs to Administrative Alert/Log server
 Recommended capturing keystrokes via modules within kernel or by modified bash shell
 Expect logging within Honeynet to be attacked
 Expect syslogd to also be killed or Trojan-horsed
Off-line Layer
 Use utility like “Tripwire” to take images of system before opening up Honeynet
 Take compromised system off-line and take another image
 Inspect images to recover tools installed by Black Hats
Data Analysis
 30 minutes of blackhat activity is about 30 to 40 work hours of data analysis
 All activity within Honeynet is suspicious
 Less than 10 MB of logging per 24 hours is typical.
More Advanced Analysis
 Passive fingerprinting
 Forensics
Fingerprinting
 Learn about attacker without detection
 Active fingerprinting
   - Fyodor’s Nmap Security Scanner (http://www.insecure.org/nmap)
   - Ofir Arkin’s paper “ICMP Usage in Scanning” (http://www.sys-security.com)
 Passive fingerprinting
   - Sniffer traces
Forensics
 UNIX systems
   - The Coroner’s Toolkit, by Dan Farmer and Wietse Venema
      - Automated data gathering
      - Recovery of deleted files
      - Reconstruction of events based on modify/access/change times
 Windows and NT
   - EnCase (http://www.encase.com)
   - J.D. Glaser (Foundstone) (http://www.blackhat.com/html/bh-usa-99/bh3speakers/html)
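The off-line layer (image before going live, image again after compromise, compare) and the modify-time reconstruction listed under Forensics, as one added example that is neither Tripwire nor The Coroner's Toolkit: snapshot, compare, timeline and demo are assumed names, and the directory contents and timestamps are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root):
    """Tripwire-style image of a tree: relative path -> (sha256, mtime).
    Take one before the Honeynet goes live and one from the compromised system off-line."""
    image = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            image[path.relative_to(root).as_posix()] = (digest, path.stat().st_mtime)
    return image

def compare(before, after):
    """Files the intruder added, replaced or removed, from the two images."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(set(after) - set(before)),
        "changed": sorted(p for p in common if before[p][0] != after[p][0]),
        "removed": sorted(set(before) - set(after)),
    }

def timeline(after, paths):
    """Order suspect files by modify time to reconstruct the sequence of events."""
    return sorted(paths, key=lambda p: after[p][1])

def demo():
    """Constructed scenario: a tiny 'system' is imaged, tampered with, then re-imaged."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        for rel, data in (("bin/ls", b"original ls"), ("etc/inetd.conf", b"ftp stream tcp\n")):
            (r / rel).parent.mkdir(parents=True, exist_ok=True)
            (r / rel).write_bytes(data)
        before = snapshot(root)
        # Simulated intruder activity, with explicit mtimes so the timeline is deterministic.
        (r / "dev").mkdir()
        (r / "dev/.rk").write_bytes(b"dropped toolkit")       # tools hidden under /dev first
        os.utime(r / "dev/.rk", (960_400_000, 960_400_000))
        (r / "bin/ls").write_bytes(b"trojaned ls")            # then ls replaced to hide them
        os.utime(r / "bin/ls", (960_400_300, 960_400_300))    # five minutes later
        (r / "etc/inetd.conf").unlink()                       # original config removed
        after = snapshot(root)
        report = compare(before, after)
        report["order"] = timeline(after, report["added"] + report["changed"])
        return report
```

Only mtime is kept here; a real off-line image would also record atime and ctime, since the slide's reconstruction relies on all three.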
Example Of A Blackhat Session
Following An IRC Chat Session
The Honeynet Project. Know Your Enemy. Addison-Wesley, 2002.
Scenario
 What was attacked
   - Solaris 2.6 honeypot with a rpc.ttdbserv Solaris exploit
      - Buffer overflow in ToolTalk object database server
      - Exploit listed in SANS Institute’s Top Ten List (http://www.sans.org/topten.htm)
 What blackhats put there
   - IRC bot installed
      - It captured all conversations on the IRC channel
      - Honeynet Project listened in
      - After setting the system up for their use, they hardened security on the system to prevent other blackhats from using it
      - Authors believe kiddie scripts were used
The Adventures Of D1ck And J4n3
 D1ck probably an older teenager living in Pakistan, possibly near Kashmir, maybe in Lahore
 J4n3 possibly from Pakistan but wants to appear as an “elite” hacker.
 IRC chat captured
   - Underground language and slang.
   - Parts using Urdu, native language of Pakistan
Where In Pakistan?
http://www.cia.gov/cia/publications/factbook/geos/pk.html
What Was Happening
 Appeared that several Black Hats in group were sympathetic to Pakistani causes but others to Indian.
   - Justification for hacking was for these causes
 Frequently attacked other Black Hats
   - Compromise systems to hinder their exploits
 Shared common skills and techniques
Example of Blackhat Warfare
June 6, 2000
D1ck! :I just tookover 3 of diz’s box today ;(
D1ck! :one day I did 36
Sp07! : *** it
D1ck! :heh
D1ck! :*ALL* his boxes
J4n3! :woo
D1ck! :Sp07
D1ck! :hmmmmmm
D1ck! :um
Sp07! :?
D1ck! :J4n3:who’se domain example.com is?
D1ck! :and who host’s it
D1ck! :satnet called up zahid eh
p. 196, The Honeynet Project.
D1ck
June 9, 2000
 Rooted more than 40 systems
 Here, he gives J4n3 access to one of them
J4n3 : D1ck
D1ck :sup
J4n3 : I can’t access www.example.com with the user k1dd13 and pass u gave
…
D1ck :sha..d4v3
J4n3 :yup that is
…
D1ck :site work?
J4n3 :wait
J4n3 :yup
p. 244, The Honeynet Project
Honeynet Project’s Favorite Quotes
June 9, 2000
 D1ck brags how many Linux boxes he compromised in 3 hours
D1ck :hehe come with yure ip I’ll add u to the new 40 bots
D1ck :I owned and trojaned 40 servers of linux in 3 hours
D1ck ::))))
J4n3 :heh
D1ck :***
J4n3 :107 bots
D1ck :yup
J4n3 :wait brb
D1ck :105 :P
J4n3 :back
D1ck :kewl
p. 250, The Honeynet Project
Psychological Review Of D1ck And J4n3’s Group
 Social structure was robust with a complex meritocracy
 Status hierarchy in his local social group and in groups outside this local group
 Use of derogatory statements to challenge status of others and to control social processes
 High level of tension reduces their cohesiveness
 Constant fear of detection and arrest
Questions?
Next, Kirk Hausman