Title of Presentation
Download
Report
Transcript Title of Presentation
Intrusion Deception
Kirby Kuehl
Honeynet Project Member
05/08/2002
Intrusion Deception—Deceiving the Blackhat
Reconnaissance
An inspection or exploration of an area, especially
one made to gather military information.
• A Honeypot MUST appear to be an attractive target.
– Accurate Responses to active (nmap) and
passive(p0f) operating system fingerprinting methods,
daemon banner queries, port scans, and vulnerability
scanners (nessus).
– Convincing content if system is running httpd or ftpd.
– Inconspicuous in relation to rest of network.
– The Honeypot can reside next to production systems
so that it is scanned during sweeps or ports can be
redirected from production systems to the Honeypot.
Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl
2
Intrusion Deception— Passing Recon
Honeynet Project
• Uses actual default installations of actively exploited
operating systems and services.
– Nothing is emulated so host’s response to
reconnaissance methods will be accurate.
– Data Capture (logging), Data Control (firewalling), and
Intrusion Detection (alerting) are performed utilizing
other HARDENED hosts on the network.
– No production hosts on network to eliminate data
pollution. All traffic is suspect and is logged in full
tcpdump format.
Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl
3
Honeynet Design – Generation I
Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl
4
Honeynet Design – Generation II
The Honeynet Sensor
Data Control:
•Limits outbound connections
(hogwash or iptables)
allowing Blackhats to obtain
their tools, but not attack
other systems.
Data Capture:
•IDS (snort) logging all traffic
as well as providing alert
mechanism.
Deception:
•No IP Stack.
•No TTL decrementing.
Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl
5
Intrusion Deception— Passing Recon
Virtual Honeynets
• VMWare: GuestOS (Honeypot) virtual
machine inside HostOS
– GuestOS is caged by denying access
to HostOS filesystem.
– Host only networking forces the
GuestOS to access the network
through the HostOS allowing
firewalling and intrusion detection.
– The Honeynet Project utilizes a Red
Hat default installation running inside a
Hardened Red Hat installation.
– NMAP’s TCP fingerprinting returned
unknown OS
– Running a mock ecommerce site.
Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl
6
Intrusion Deception— Passing Recon
Open source Honeypots
Honeyd is a small daemon that creates virtual
hosts on a network. The hosts can be configured to
run simulated TCP services or proxy the service to
another machine. The TCP/IP personality (OS
Fingerprints) can be adapted so that they appear to
be running certain versions of operating systems.
Arpd enables a single host to claim all unassigned
addresses on a LAN by answering any ARP
request for an IP address with the MAC address of
the machine running arpd.
Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl
7
Honeyd / Arpd Configuration
Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl
8
Intrusion Deception— Passing Recon
Commercial Honeypots
• Mantrap from Recourse Technologies (requires Solaris)
– Ability to create up to 4 sub-systems (cages) each
running Solaris by utilizing separate interfaces (each
host will have unique MAC Address).
– You can run virtually any application that doesn’t
interact with the kernel within the 4 chrooted cages.
– Content Generation Module can be used to create
realistic data.
Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl
9
Mantrap Configuration
Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl
10
Mantrap Configuration
Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl
11
Intrusion Deception— Passing Recon
Commercial Honeypots
• Specter (requires Windows NT)
– Specter can emulate one of 13 different operating
systems. As of Version 6.02 the IP stack is not
emulated so IP fingerprinting tools are not fooled.
(A Stealth Plugin is currently under development using
raw socket support on XP.)
– Specter honeypots offer 14 100% emulated services
such as: STMP, FTP, Telnet, Finger, POP3, IMAP4,
HTTP, and SSH
– Custom fake password files and custom HTTP
content.
Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl
12
Specter Configuration
Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl
13
Intrusion Deception— Passing Recon
Commercial Honeypots
• Netfacade from Verizon (requires Solaris)
– Can simulate up to an entire class C although all hosts
will have the same MAC Address.
– Simulates 8 different operating systems properly
fooling TCP fingerprinting methods.
– Simulates 13 different vulnerable services such as
FTP (wu-2.4.2-academ[BETA-12](1), System V
Release 4.0, and SunOS4.1 versions), SSH (SSH
Communications Security Ltd's. 1.2.26 and 2.0.9
versions), etc.
– Automatically generates hostnames, user accounts,
operating systems and running services for simulated
hosts through web interface.
Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl
14
Intrusion Deception— Changing with the times
Blackhat techniques have become more sophisticated.
• Using kernel module rootkits (adore, kis)
– Process hiding
– Keystroke logging
– Covert communication channels
• Polymorphic shellcode (ADMutate)
• Fragroute (IDS Evasion)
Honeynet Project
• Patching the kernel directly
– Keystroke logging allowing us to capture encrypted outbound
traffic (ssh)
– Logging via covert communication channels rather than remote
syslog
– Snort-stable enabling appropriate preprocessors and logging all
traffic (Not just TCP/UDP/ICMP)
Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl
15
Intrusion Deception— Honeynet Alliance
Research Alliance Honeynets
• Freedom for organizations to create their own
honeynets and participate in a virtual community.
– Standardized Capture and Logging formats
– Events can be forwarded to a common database
– Shared Research and Analysis
• Research Alliance Honeynets exist within advertised
environments alongside production systems.
– Hopefully attracting targeted and more sophisticated
attacks.
Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl
16
Intrusion Deception— More Information
http://project.honeynet.org
–
–
–
–
–
Whitepapers
Forensic Challenge
Scan of the month
Research Alliance
Know your Enemy book
[email protected]
Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl
17