![Page 1: Honeypots - The Latest - Black · PDF fileInitiative Honeypots allow you to take the initiative, they turn the tables on the bad guys](https://reader037.vdocuments.mx/reader037/viewer/2022110222/5a9eb9797f8b9a71178bc059/html5/thumbnails/1.jpg)
Honeypots - The Latest
Purpose
Latest developments with honeypots.
Agenda
- Honeypots
- Low Interaction
- High Interaction
Honeypots
Initiative
Honeypots allow you to take the initiative; they turn the tables on the bad guys.
Honeypots
A security resource whose value lies in being probed, attacked, or compromised.
The Concept
- System has no production value, no authorized activity.
- Any interaction with the honeypot is most likely malicious in intent.
Flexible Tool
Honeypots do not solve a specific problem. Instead, they are a highly flexible tool with different applications to security.
Types of Honeypots
- Production (Low Interaction)
- Research (High Interaction)
Emulated FTP Server
case $incmd_nocase in
    QUIT* )
        echo -e "221 Goodbye.\r"
        exit 0
        ;;
    SYST* )
        echo -e "215 UNIX Type: L8\r"
        ;;
    HELP* )
        echo -e "214-The following commands are recognized (* =>'s unimplemented).\r"
        echo -e " USER PORT STOR MSAM* RNTO NLST MKD CDUP\r"
        echo -e " PASS PASV APPE MRSQ* ABOR SITE XMKD XCUP\r"
        echo -e " ACCT* TYPE MLFL* MRCP* DELE SYST RMD STOU\r"
        echo -e " SMNT* STRU MAIL* ALLO CWD STAT XRMD SIZE\r"
        echo -e " REIN* MODE MSND* REST XCWD HELP PWD MDTM\r"
        echo -e " QUIT RETR MSOM* RNFR LIST NOOP XPWD\r"
        echo -e "214 Direct comments to ftp@$domain.\r"
        ;;
    USER* )
        # The slide is cut off here; the body of the USER arm is not shown.
        ;;
esac   # closing keyword added so the fragment parses; not shown on the slide
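The shell script above answers a handful of FTP commands with canned replies and nothing else, which is all a low-interaction production honeypot needs: there is no real server behind it, so every line a client sends is worth logging. The following Python program is an added example of the same idea and is not the presentation's script. It keeps the slide's SYST, QUIT and HELP replies, adds USER, PASS and NOOP replies with standard FTP codes that I chose (the slide does not show them), never accepts a login, and records every command line together with the reply code. `DOMAIN`, the listening port 2121 and the `FtpSession`/`respond` names are mine.

```python
import socketserver
from dataclasses import dataclass, field
from typing import List, Tuple

DOMAIN = "honeypot.example"  # placeholder standing in for the $domain variable of the slide's script

# The fixed HELP banner from the slide's script, repeated here so the emulation
# looks like a real Unix FTP daemon to anyone who probes it.
HELP_LINES = [
    "214-The following commands are recognized (* =>'s unimplemented).",
    " USER PORT STOR MSAM* RNTO NLST MKD CDUP",
    " PASS PASV APPE MRSQ* ABOR SITE XMKD XCUP",
    " ACCT* TYPE MLFL* MRCP* DELE SYST RMD STOU",
    " SMNT* STRU MAIL* ALLO CWD STAT XRMD SIZE",
    " REIN* MODE MSND* REST XCWD HELP PWD MDTM",
    " QUIT RETR MSOM* RNFR LIST NOOP XPWD",
]


@dataclass
class FtpSession:
    peer: str                 # client address; on a honeypot the contact itself is the finding
    closed: bool = False
    log: List[Tuple[str, str]] = field(default_factory=list)  # (client line, 3-digit reply code)


def respond(session: FtpSession, line: str) -> str:
    """Answer one client command line, recording it and the reply code."""
    cmd = line.strip()
    verb, _, arg = cmd.partition(" ")
    verb, arg = verb.upper(), arg.strip()
    if session.closed:
        reply = "421 Service not available.\r\n"
    elif verb == "QUIT":
        reply = "221 Goodbye.\r\n"
        session.closed = True
    elif verb == "SYST":
        reply = "215 UNIX Type: L8\r\n"
    elif verb == "HELP":
        reply = "\r\n".join(HELP_LINES) + "\r\n214 Direct comments to ftp@%s.\r\n" % DOMAIN
    elif verb == "USER":
        reply = "331 Password required for %s.\r\n" % arg   # assumed reply, not on the slide
    elif verb == "PASS":
        reply = "530 Login incorrect.\r\n"   # never grants access; the tried credential pair lands in the log
    elif verb == "NOOP":
        reply = "200 NOOP command successful.\r\n"
    else:
        reply = "500 '%s': command not understood.\r\n" % verb
    session.log.append((cmd, reply[:3]))
    return reply


class FtpHandler(socketserver.StreamRequestHandler):
    """One emulated session per TCP connection; the log is printed at disconnect."""

    def handle(self):
        session = FtpSession(self.client_address[0])
        self.wfile.write(b"220 FTP server ready.\r\n")
        while not session.closed:
            raw = self.rfile.readline()
            if not raw:
                break
            self.wfile.write(respond(session, raw.decode("latin-1", "replace")).encode("latin-1"))
        for cmd, code in session.log:
            print("%s %r -> %s" % (session.peer, cmd, code))


if __name__ == "__main__":
    # Unprivileged port for the demo; a deployment would listen on 21 behind the honeynet gateway.
    with socketserver.TCPServer(("127.0.0.1", 2121), FtpHandler) as srv:
        srv.serve_forever()
```

Run it and connect with any FTP client to 127.0.0.1:2121; when the client disconnects, the full command log for that session is printed. Because the emulation stops at the command parser, a compromise of the honeypot host through this service is not possible, which is exactly the trade-off the deck draws between low and high interaction.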
Research honeypots
- Used to gain information. That information has different value to different organizations.
- Does not emulate, but runs actual operating systems. Install FTP server.
ManTrap
Diagram: a single Host Operating System with four isolated cages (Cage 1, Cage 2, Cage 3, Cage 4) running on top of it.
Low-Interaction Technology
Example - Honeyd honeypot
- Open source honeypot developed by Niels Provos.
- Production honeypot.
- Emulates services and operating systems.
How Honeyd works
- Monitors unused IP space.
- When it sees a connection attempt, assumes the IP and interacts with the attack.
- Can monitor literally millions of IP addresses at the same time.
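The detection value of Honeyd comes from a simple invariant: nothing legitimate ever connects to an address that is not in use, so any such attempt is suspect, and a source that touches many unused addresses is scanning. The Python below is an added example of that logic over a constructed connection log; it is not Honeyd's code or configuration. The monitored network, the set of real hosts, the service template handed to a claimed address, the attempt log and the scanner threshold are all constructed values of mine.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed inventory: the only addresses that legitimately exist in this /24.
MONITORED_NET = ipaddress.ip_network("192.168.1.0/24")
REAL_HOSTS = {ipaddress.ip_address(a) for a in ("192.168.1.1", "192.168.1.10", "192.168.1.20")}

# Constructed connection-attempt log: (source, destination, destination port).
ATTEMPTS = [
    ("10.0.0.5", "192.168.1.10", 80),      # legitimate: the real web server
    ("203.0.113.9", "192.168.1.11", 22),   # unused address: nobody should ever talk to it
    ("203.0.113.9", "192.168.1.12", 22),
    ("203.0.113.9", "192.168.1.13", 22),
    ("203.0.113.9", "192.168.1.14", 22),
    ("198.51.100.3", "192.168.1.20", 25),  # legitimate: the real mail server
    ("198.51.100.3", "192.168.1.21", 25),  # one stray probe of an unused address
]

# Constructed template for any unused address the honeypot claims: which TCP
# ports answer and what service they pretend to be.
TEMPLATE = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http"}


def is_unused(dst: ipaddress.IPv4Address) -> bool:
    """True if dst lies in the monitored range but is not a real host."""
    return dst in MONITORED_NET and dst not in REAL_HOSTS


def claim(port: int) -> str:
    """What the honeypot does once it assumes an unused IP: emulate the port or refuse it."""
    return TEMPLATE.get(port, "closed")


def triage(attempts) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Return (unused addresses touched per source, one event line per honeypot interaction)."""
    touched: Dict[str, Set[str]] = defaultdict(set)
    events: List[str] = []
    for src, dst, port in attempts:
        d = ipaddress.ip_address(dst)
        if not is_unused(d):
            continue  # real host: not the honeypot's business
        touched[src].add(dst)
        events.append("%s -> %s:%d emulated as %s" % (src, dst, port, claim(port)))
    return dict(touched), events


def scanners(touched: Dict[str, Set[str]], threshold: int = 3) -> List[str]:
    """Sources that hit at least `threshold` distinct unused addresses (threshold is a constructed choice)."""
    return sorted(src for src, addrs in touched.items() if len(addrs) >= threshold)


if __name__ == "__main__":
    touched, events = triage(ATTEMPTS)
    for line in events:
        print(line)
    print("scanners:", scanners(touched))
```

The two legitimate attempts produce nothing; everything else is a honeypot event, and the source that walked four consecutive unused addresses is reported as a scanner. Tuning `threshold` is the operational decision: a single stray probe of unused space is still worth recording, but it is not yet a pattern.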
Network with unused IPs
Honeyd monitoring unused IPs
NetBait
- Not a product, a service.
- Attackers directed to a honeypot pool, which can be located in a different, isolated network.
Real Network
Attacker Sees
Bait-n-Switch
High Interaction Technology
Honeynets
- Honeynets are a research honeypot.
- Not a product, but an architecture.
- An entire network of systems designed to be compromised.
Latest Developments
- Snort_Inline
- Sebek2
- Bootable CDROM
- User Interface
GenII Honeynet
Snort-inline
drop tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named"; flags:A+; content:"|CD80 E8D7 FFFFFF|/bin/sh";)

alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named"; flags:A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; replace:"|0000 E8D7 FFFFFF|/ben/sh";)
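The two rules differ only in what happens after the content matches: `drop` discards the packet, while `replace` forwards it with the matched bytes overwritten by a same-length string, so the attacker sees a connection that appears to work and a payload that no longer does. The Python below is an added example that shows those semantics on a constructed TCP payload; it is not Snort or snort-inline code. It parses the slide's pipe-delimited content notation, then applies each action. The `flags:A+` test and the port and address checks are assumed to have already passed, and the function, payload and verdict names are mine.

```python
from typing import Optional, Tuple


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string such as '|CD80 E8D7 FFFFFF|/bin/sh' into bytes.

    Text between pipe characters is hex (spaces ignored); everything else is literal."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


# Signature and replacement exactly as written in the slide's two rules.
MATCH = parse_content("|CD80 E8D7 FFFFFF|/bin/sh")
REPLACE = parse_content("|0000 E8D7 FFFFFF|/ben/sh")


def inspect(payload: bytes, action: str) -> Tuple[str, Optional[bytes]]:
    """Emulate what the inline sensor does with one TCP payload under one rule action.

    Returns (verdict, payload to forward); a payload of None means the packet is dropped."""
    idx = payload.find(MATCH)
    if idx < 0:
        return "pass", payload              # no signature: the rule does not fire
    if action == "drop":
        return "drop", None                 # slide's first rule: the segment never reaches the honeypot
    if action == "replace":
        # The replacement has to keep the segment's length, otherwise TCP sequence
        # numbers on both sides would disagree and the stream would break.
        if len(REPLACE) != len(MATCH):
            raise ValueError("replacement must be the same length as the match")
        modified = payload[:idx] + REPLACE + payload[idx + len(MATCH):]
        return "replace", modified          # slide's second rule: forwarded, but defanged
    return "alert", payload                 # plain alert: logged and forwarded untouched


if __name__ == "__main__":
    # Constructed payload: filler around the signature bytes from the rule.
    sample = b"AAAA" + MATCH + b"BBBB"
    for action in ("alert", "drop", "replace"):
        print(action, inspect(sample, action))
```

The interesting behaviour is the `replace` case: the forwarded payload is byte-for-byte the same length as the original, which is what lets the honeynet gateway alter traffic in flight without the TCP session noticing.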
Sebek2
- Capture bad guys' activities without them knowing.
- Insert kernel mods on honeypots.
- Mods are hidden.
- Dump all activity to wire.
- Bad guy can sniff any packet with pre-set MAC.
Sebek2 Configuration
#----- sets destination IP for sebek packets
DESTINATION_IP="192.168.1.254"
#----- sets destination MAC addr for sebek packets
DESTINATION_MAC="00:01:C9:F6:D3:59"
#----- defines the destination udp port sebek sends to
DESTINATION_PORT=34557
#----- controls what SRC MAC OUIs to hide from users
FILTER_OUI="0A:0B:0C"
Sebek2 Output
06:06:25-2003/03/23 [0:mingetty:6785:vc/1:0]
06:06:26-2003/03/23 [0:mingetty:6785:vc/1:0]root
06:06:50-2003/03/23 [0:bash:13674:vc/1:0]ifconfig -a
06:06:58-2003/03/23 [0:bash:13674:vc/1:0]exec csh
06:07:08-2003/03/23 [0:csh:13674:vc/1:16]ftp ftp.openbsd.org
06:07:12-2003/03/23 [0:ftp:13738:vc/1:0]1bye
06:07:19-2003/03/23 [0:csh:13674:vc/1:16]vi /etc/resolv.conf
06:07:22-2003/03/23 [0:vim:13739:vc/1:0]1:q
06:07:28-2003/03/23 [0:csh:13674:vc/1:16]dig www.intel.com
06:09:39-2003/03/23 [0:csh:13674:vc/1:16]
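Raw Sebek output is one line per keystroke buffer, and reading an intrusion out of it means regrouping those lines by process. The Python below is an added example, not a Sebek tool, that parses lines in the layout shown on the slide and rebuilds what was typed in each process. It uses the slide's own output as sample input. The field names `uid`, `proc`, `pid`, `tty` and `tail` are my reading of the bracketed fields (the slide does not label them; the last number is left as an opaque `tail`), and the function names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input in the layout shown on the slide.
SAMPLE = """\
06:06:25-2003/03/23 [0:mingetty:6785:vc/1:0]
06:06:26-2003/03/23 [0:mingetty:6785:vc/1:0]root
06:06:50-2003/03/23 [0:bash:13674:vc/1:0]ifconfig -a
06:06:58-2003/03/23 [0:bash:13674:vc/1:0]exec csh
06:07:08-2003/03/23 [0:csh:13674:vc/1:16]ftp ftp.openbsd.org
06:07:12-2003/03/23 [0:ftp:13738:vc/1:0]1bye
06:07:19-2003/03/23 [0:csh:13674:vc/1:16]vi /etc/resolv.conf
06:07:22-2003/03/23 [0:vim:13739:vc/1:0]1:q
06:07:28-2003/03/23 [0:csh:13674:vc/1:16]dig www.intel.com
06:09:39-2003/03/23 [0:csh:13674:vc/1:16]
"""

# time-date [uid:process:pid:tty:tail]data  (field names are assumptions, see lead-in)
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)-(?P<date>\d{4}/\d\d/\d\d) "
    r"\[(?P<uid>\d+):(?P<proc>[^:\]]+):(?P<pid>\d+):(?P<tty>[^:\]]+):(?P<tail>\d+)\]"
    r"(?P<data>.*)$"
)


@dataclass
class Keystrokes:
    time: str
    date: str
    uid: int
    proc: str
    pid: int
    tty: str
    tail: int
    data: str


def parse(text: str) -> List[Keystrokes]:
    """Parse Sebek log lines; a line that does not fit the layout is reported, not silently dropped."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("line %d does not look like Sebek output: %r" % (n, line))
        g = m.groupdict()
        records.append(Keystrokes(g["time"], g["date"], int(g["uid"]), g["proc"],
                                  int(g["pid"]), g["tty"], int(g["tail"]), g["data"]))
    return records


def commands_by_pid(records: List[Keystrokes]) -> Dict[int, List[str]]:
    """Group non-empty input by process id: the sequence an intruder typed into each process."""
    out: Dict[int, List[str]] = {}
    for r in records:
        if r.data:
            out.setdefault(r.pid, []).append(r.data)
    return out


def process_sequence(records: List[Keystrokes]) -> List[str]:
    """Process names in order of first appearance; shows the login, the shell, and the shell swap."""
    seen: List[str] = []
    for r in records:
        if r.proc not in seen:
            seen.append(r.proc)
    return seen


if __name__ == "__main__":
    recs = parse(SAMPLE)
    print("processes:", " -> ".join(process_sequence(recs)))
    for pid, cmds in commands_by_pid(recs).items():
        print(pid, cmds)
```

Two things fall out immediately that the raw listing hides: pid 13674 is one session whose shell changed from bash to csh at the `exec csh` line, and the username typed at the mingetty login prompt is captured the same way as any other keystroke, which is why the slide's point about capturing activity without the intruder knowing matters even for encrypted logins.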
Bootable CDROM
- Insert CDROM
- Boot
- Instant Honeynet Gateway (Honeywall)
User Interface
- Runs on Honeywall
- Analyze attacks in real time
Demo
Summary
- We are just beginning to see the potential for honeypots.
- Honeypots are where firewalls were ten years ago (Marcus Ranum).
Resources
- Honeypot website
  - www.tracking-hackers.com
- Honeypots maillist
  - www.securityfocus.com/popups/forums/honeypots/faq.html
Resources - Books
- Know Your Enemy
  - www.honeynet.org/book/
- Honeypots: Tracking Hackers
  - www.tracking-hackers.com/book/
?