The Honeypot Project
By Itzik Jislin and Yiftach Benjamini
Supervisor: Ben Bershtein
Introduction
What is a Honeypot?
"A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." - Lance Spitzner
Honeypot Overview
– A Honeypot has no functional value
– A Honeypot does not do anything active. Its value lies in the knowledge that any access to the Honeypot is probably malicious
– In a perfectly safe network a Honeypot should see no traffic at all
Honeypot Overview - Advantages
– Small data sets of high value
– Very flexible – does not rely on a fixed signature database (like anti-virus software). Allows the detection of new and unknown methods and tools
– Minimal resources – since Honeypots are not intended to actually serve a large number of clients they need very little resources
– Simple – Honeypots are simple to install and maintain
Honeypot Overview - Disadvantages
– Limited view – A Honeypot can observe only interaction with itself. It is not a sniffer and cannot log actions against other functional systems in the network
– Risk – Depending on the type of Honeypot the risk can be greater or lesser, but a Honeypot is one more reachable server in the network, and a high-interaction Honeypot that gets compromised can be used as a base for attacking the rest of it
Honeypots Overview - Types
Low-Interaction
– Simulates some network services (HTTP, Telnet, FTP, etc.)
– Very low risk (interaction is only with a simulation)
– Less flexible (can only simulate what was programmed)
– Easier to identify
– Examples are: Specter, honeyd, our project
Honeypots Overview - Types
High-Interaction (Sacrificial Lamb)
– Real servers running some kind of logging software
– High risk (attacker is working with the real thing)
– Much harder to identify, since the attacker interacts with a real service rather than a simulation of it
Honeypots Overview - Honeynets
Overview – But what good is it?
Collect data
– Allows researching attackers' methods and tools and developing counter-tools
Prevention
– "Sticky" Honeypots (tarpits) slow down attackers' scanning by responding slowly to each connection
– If the usage of Honeypots is publicly known it might deter attackers from attacking the network for fear of being caught
Overview – But what good is it?
Detection and Response
– If a Honeypot detects suspicious activity it can send an e-mail or SMS to a network administrator
– A Honeypot is a non-essential system, so taking it offline in order to analyze the damage done by an attack is less harmful and disruptive to the functionality of the network
Overview – But what good is it?
Counter Attack
– A Honeypot could be configured to actively respond when it detects attacks coming from systems within its own network. For instance, if it detects worm activity from some system in the network it can quarantine that system, shut it down, or even run a routine to purge the worm
Overview - Threats
Viruses
– Pieces of software that attach to innocent files. Consume the computer's resources and may be even more malicious (deleting files, ruining hardware, etc.). Rely on social engineering (a user opening the infected file) for spreading
Worms
– Self-propagating code. Searches for vulnerabilities in network services and uses them to infect more computers at an exponential rate
Overview - Threats
Humans
– White Hats – "Good" hackers searching for vulnerabilities in order to report them and increase security awareness
– Black Hats – Hackers with personal gain or mayhem in mind. Break into systems in order to steal or corrupt data
– Script Kiddies – Tool users. No real understanding of what they are doing. Techniques usually include scanning for a system and then hammering it with various tools in order to find a vulnerability
Our Solution
The path to implementation
Phase I – How to simulate an IIS?
– Fingerprinting using HMAP (a tool that identifies a web server by the details of its HTTP responses rather than by its Server banner alone)
– HMAP vs. www.technion.ac.il (the real server, as a reference)
– HMAP vs. our Honeypot (the emulation should be classified the same way)
Phase II – How do you hack a web server?
– Directory traversal (double decode)
– Buffer overflow (Code Red)
– Malformed SQL statements
Phase II – How do you hack a web server?
– Look for directories set up by default with execute permissions
– These directories may also hold default scripts that contain vulnerabilities
– Find them by sending requests like these:
• GET /frick.html HTTP/1.0
• GET /scripts/ HTTP/1.0
• GET /_vti_pvt/ HTTP/1.0
• GET /cgi-bin/GetFile.cfm HTTP/1.0
• Etc.
Phase II – How do you hack a web server?
– If we find such a directory we can send malicious strings that use known vulnerabilities, such as the "double decode" directory traversal attack
– Our mission is to get the server to execute cmd.exe, which gives us command execution on the computer
Phase II – How do you hack a web server?
Example:
– Send the string:
• /..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:
– IIS decodes the string once, changing %35 to '5' and %63 to 'c'. Now we have:
• /..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c:
– Since the ../../../ attack is well known, IIS checks the decoded path for it. It can't find it in this string: "..%5c.." is just an odd directory name, not a traversal
– IIS then decodes the path a second time (the superfluous decode fixed by MS01-026). %5c is a backslash, which Windows accepts as a path separator:
• /..\..\..\..\winnt/system32/cmd.exe?/c+dir+c:
– The check already passed, so cmd.exe is executed with "/c dir c:" under the IIS worker account. We now have command execution on the server
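The decode, check, decode-again sequence above, as an added Python example (the project itself was written in Visual C++; this is not its code): vulnerable_iis_filter models the flawed ordering, hardened_resolve decodes exactly once and resolves the result under a document root, and honeypot_classify is the honeypot's view, decoding until the string stops changing so that an encoded traversal is recognised however many layers the attacker used. PAYLOAD is the slide's string; the document-root path, the function names and the three-round bound are assumptions.

```python
"""Double-decode directory traversal: the flawed check order, a hardened
resolver, and the honeypot-side detector.  Added example, not project code."""
import posixpath
from typing import Optional
from urllib.parse import unquote

# The exact string from the slide (constructed sample input).
PAYLOAD = "/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:"


def _path_part(url: str) -> str:
    """Strip the query string; '?/c+dir+c:' is an argument, not part of the path."""
    return url.split("?", 1)[0]


def _has_dotdot(path: str) -> bool:
    """Segment-wise traversal check, treating '\\' and '/' both as separators."""
    return any(seg == ".." for seg in path.replace("\\", "/").split("/"))


def vulnerable_iis_filter(url: str) -> Optional[str]:
    """Model of the ordering MS01-026 fixed: decode once, run the traversal
    check, then decode a second time.  Returns the path that would be opened,
    or None if the check rejected it."""
    once = unquote(_path_part(url))          # "%%35%63" -> "%5c", "%255c" -> "%5c"
    if _has_dotdot(once):                    # the check sees no ".." segment
        return None
    return unquote(once)                     # superfluous decode: "%5c" -> "\"


def hardened_resolve(url: str, docroot: str = "/inetpub/wwwroot") -> Optional[str]:
    """Decode exactly once, canonicalise, then confirm the result still lies
    under the document root.  A '%' left over after one decode is literal,
    so the double-encoded payload becomes a harmless nonexistent file name."""
    decoded = unquote(_path_part(url)).replace("\\", "/")
    if _has_dotdot(decoded):
        return None
    target = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    if target != docroot and not target.startswith(docroot + "/"):
        return None
    return target


def honeypot_classify(url: str, max_rounds: int = 3) -> str:
    """Honeypot side: decode until nothing changes (bounded), then look for
    traversal and for the cmd.exe target.  Assumed labels and round limit."""
    path = _path_part(url)
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(path)
        if nxt == path:
            break
        path, rounds = nxt, rounds + 1
    path = path.replace("\\", "/").lower()
    if _has_dotdot(path) and "cmd.exe" in path:
        return f"traversal-to-cmd (decode rounds={rounds})"
    if _has_dotdot(path):
        return f"traversal (decode rounds={rounds})"
    return "benign"


if __name__ == "__main__":
    print("vulnerable :", vulnerable_iis_filter(PAYLOAD))
    print("hardened   :", hardened_resolve(PAYLOAD))
    print("honeypot   :", honeypot_classify(PAYLOAD))
```

The same three functions also handle the %255c form of the attack (`/scripts/..%255c../winnt/system32/cmd.exe`): the first decode yields `..%5c..`, which again contains no `..` segment, and only the second decode produces the backslashes. Note that the hardened resolver does not reject the payload outright; it maps it to a literal file name under the document root that does not exist, which is the correct outcome for a single, canonical decode.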
Testing the emulation
– Simulating port scanning: Knocker FrontEnd (port scanner)
– Vulnerability check: N-Stealth Security Scanner
Phase III – Implement
Based on:
– Visual C++ .NET
– Visual Basic .NET (GUI)
– Winsock2
– ODBC
Honeypot Architecture – Deployment (diagram): an Attacker on the Internet, a Firewall, and behind it the internal network with the Honeypot, a Server, two Workstations and a Laptop; the Attacker's Network Scan reaches the Honeypot.
Honeypot Architecture
The program is divided into two main applications:
– GUI – Allows an easy way of starting and stopping the servers, searching through collected data and displaying statistics
– Honeypot_Core – Creates and maintains the servers. Collects the data from the users and updates the databases
Honeypot Architecture – Block Diagram: the Honeypot Core runs the HTTP Server and the Telnet Server, communicates with the GUI through a WinSock medium, and writes to the DB (HTTP Transactions, Malicious String DB, Telnet Login DB).
Honeypot Architecture
Communication between GUI and core is done over Winsock
Why Winsock? Answer:
– There were many available options: RPC, signaling, shared memory, and much more
– We wanted to allow for the expansion of the deployment scheme. Suppose you want to run multiple instances of the core on different computers
– Using Winsock allows running the GUI on one machine while controlling others over the network
Honeypot Architecture - Classes
myDb – A class used as an interface with our ODBC database
– Functions:
• Connect to the db
• Disconnect from the db
• Insert data into a table in the db
Honeypot Architecture - Classes
mySock – A class used as an interface with the winsock2 objects
– Functions:
• Create a new socket
• Set socket options (timeout)
• Connect to a server
• Accept (listen for) new connections
• Send data
• Receive data
• Close socket
Honeypot Architecture - Classes
myServer – A class used to create and maintain server objects. New servers are created by inheritance and need to implement the serveClient virtual function
– The implementation allows an easy way to add new services in the future
– Functions:
• Create and init a server
• Start the server
• Stop the server
Honeypot Architecture – myServer (flow)
– Start command received from GUI
– myServer->initServer(): server initiated
– myServer->startServer(X): start server on port X
– Init socket, create main server thread
– Accept connections, create client-serving threads
Honeypot Architecture – HTTPServer
– The purpose is to "catch" malicious HTTP strings sent as innocent requests
– The HTTP server emulates a Microsoft IIS 5.0 web server
– The emulation displays only one page, taken from index.htm
– The Honeypot never tries to execute any command sent to it; its default response to anything it does not serve is "Not Implemented". This makes it immune to the attacks it emulates. The only attack surface that remains is the request-parsing code itself, which therefore has to be written defensively
Honeypot Architecture – HTTPServer (flow of each serveClient() thread)
– Receive request from client
– Timeout? → Update DB, End thread
– Port scanned? → Update DB, End thread
– Parse request
– Build response header
– Send response and web page if needed
– Update DB
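The serveClient() flow above, as an added Python example (the project itself was written in Visual C++ with Winsock2; this is not its code). Socket handling is left out: serve_client() takes the bytes that recv() returned, with None standing for a timeout and an empty read for a scanner that connected and closed without sending anything, which is how this example interprets the "Port scanned?" branch. The IIS-style header set, the index page, the peer address and the record layout are assumptions.

```python
"""Emulated IIS 5.0 front end for an HTTP honeypot: parse one request,
classify it, answer with IIS-looking headers, and return the row that
would go into the HTTP Transactions DB.  Added example, not project code."""
from datetime import datetime, timezone
from email.utils import format_datetime
from typing import Dict, Optional, Tuple

INDEX_HTM = b"<html><body><h1>Under Construction</h1></body></html>\r\n"  # constructed page
SERVER_BANNER = "Microsoft-IIS/5.0"   # the banner a fingerprinting tool sees first


def build_response(status: str, body: bytes = b"", content_type: str = "text/html") -> bytes:
    """Assumed approximation of the IIS 5.0 header set and order."""
    header = (
        f"HTTP/1.1 {status}\r\n"
        f"Server: {SERVER_BANNER}\r\n"
        f"Date: {format_datetime(datetime.now(timezone.utc), usegmt=True)}\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"Connection: close\r\n\r\n"
    )
    return header.encode("ascii") + body


def parse_request(raw: Optional[bytes]) -> Dict[str, str]:
    """raw=None: recv() timed out.  raw=b'': the peer closed without sending,
    which is what a connect()-and-close port scanner looks like."""
    if raw is None:
        return {"kind": "timeout"}
    if raw == b"":
        return {"kind": "portscan"}
    line = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return {"kind": "malformed", "raw": line}
    return {"kind": "request", "method": parts[0], "target": parts[1], "version": parts[2]}


def serve_client(raw: Optional[bytes], peer: str = "198.51.100.7") -> Tuple[Optional[bytes], Dict[str, str]]:
    """One serveClient() pass: returns (bytes to send or None, DB record)."""
    req = parse_request(raw)
    record: Dict[str, str] = {"peer": peer, **req}
    if req["kind"] in ("timeout", "portscan"):
        return None, record                       # nothing to send; log the probe, end the thread
    if req["kind"] == "malformed":
        record["status"] = "400 Bad Request"
        return build_response("400 Bad Request"), record
    if req["method"] == "GET" and req["target"] in ("/", "/index.htm"):
        record["status"] = "200 OK"                # the single page the emulation serves
        return build_response("200 OK", INDEX_HTM), record
    # Everything else, including every exploit string, is logged and answered
    # but never interpreted: the honeypot has no files or commands behind it.
    record["status"] = "501 Not Implemented"
    return build_response("501 Not Implemented", b"Not Implemented\r\n", "text/plain"), record


if __name__ == "__main__":
    for sample in (b"GET / HTTP/1.0\r\nHost: honeypot\r\n\r\n",
                   b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",
                   b"", None):
        response, row = serve_client(sample)
        print(row, (response or b"")[:40])
```

One caveat the "easier to identify" bullet earlier already hints at: answering 501 to `GET /scripts/` is a tell, since a real IIS 5.0 typically returns 403 or 404 there, and a scanner such as N-Stealth compares exactly those codes. Copying the per-path status codes from a real installation would narrow that gap without adding any real functionality behind them.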
Honeypot Architecture – TELNETServer
– The purpose is to observe the usernames and passwords attackers will try when hacking a Telnet server
– This allows the creation of a database of commonly tried passwords, so that users can be advised (or required) as to which passwords not to use
– It can also help detect stolen passwords: a real credential showing up in the Honeypot's log means it has leaked
– The server emulates nothing more than the login handshake. All logins fail
Honeypot Architecture – TELNETServer (flow of each serveClient() thread)
– Receive request from client
– Timeout? → End thread
– Port scanned? → Update DB, End thread
– Send login failure, Update DB
– Login limit reached? → End thread; otherwise receive the next login attempt
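The login handshake above as an added Python example (not the project's Visual C++ code). Telnet clients interleave option negotiation (IAC sequences, RFC 854) with the typed text, so the emulator strips those first, then runs the login/password exchange, records every pair for the Telnet Login DB, fails every attempt, and hangs up once the login limit is reached. The banner, prompts, limit of three and record layout are assumptions; the page gives no specific values.

```python
"""Telnet login emulation for a honeypot: strip option negotiation, run the
login/password handshake, record every attempt, always fail, and hang up
after a fixed number of failures.  Added example, not the project's code."""
from typing import Dict, List, Optional

IAC, SB, SE = 0xFF, 0xFA, 0xF0          # telnet command bytes (RFC 854)


def strip_iac(data: bytes) -> bytes:
    """Remove IAC <cmd> <opt> negotiations and IAC SB ... IAC SE blocks that
    telnet clients send before and between typed lines, keeping only text."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:   # escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif i + 1 < len(data) and data[i + 1] == SB:    # subnegotiation block
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                            # IAC WILL/WONT/DO/DONT <opt>
            i += 3
    return bytes(out)


class TelnetLoginEmulator:
    """One instance per client connection (one serveClient() thread)."""
    LOGIN_LIMIT = 3                                           # assumed limit
    BANNER = b"\r\nWelcome to the Telnet Service\r\n\r\nlogin: "  # constructed banner

    def __init__(self, peer: str) -> None:
        self.peer = peer
        self.pending_user: Optional[str] = None
        self.attempts: List[Dict[str, str]] = []              # rows for the Telnet Login DB
        self.done = False

    def greeting(self) -> bytes:
        return self.BANNER

    def feed(self, data: bytes) -> bytes:
        """Consume one line from the client and return what to send back."""
        if self.done:
            return b""
        line = strip_iac(data).rstrip(b"\r\n").decode("latin-1", "replace")
        if self.pending_user is None:                         # first line of a pair: username
            self.pending_user = line
            return b"password: "
        self.attempts.append({"peer": self.peer, "user": self.pending_user, "password": line})
        self.pending_user = None
        if len(self.attempts) >= self.LOGIN_LIMIT:            # login limit reached: hang up
            self.done = True
            return b"\r\nLogin Failed\r\n"
        return b"\r\nLogin Failed\r\n\r\nlogin: "             # every login fails; prompt again


def run_session(peer: str, client_lines: List[bytes]) -> TelnetLoginEmulator:
    """Drive the emulator with a constructed client transcript (no sockets)
    and return it so the recorded attempts can be inspected."""
    session = TelnetLoginEmulator(peer)
    session.greeting()
    for chunk in client_lines:
        session.feed(chunk)
        if session.done:
            break
    return session


if __name__ == "__main__":
    # Constructed transcript: a negotiation prefix, then three guesses.
    s = run_session("203.0.113.5", [b"\xff\xfb\x18administrator\r\n", b"admin\r\n",
                                    b"root\r\n", b"toor\r\n", b"guest\r\n", b"\r\n"])
    for row in s.attempts:
        print(row)
```

Because nothing behind the prompt ever succeeds, the only state the emulator keeps is the pending username and the attempt count, which is what makes this a low-interaction service: there is no shell to protect, only a log to fill.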
Honeypot Architecture – Communication Flow
GUI side:
– GUI initiated
– Connect to server (the core's GUI communications socket)
– Send Start commands
– Connect to database
– Load and display data
– Send Stop commands
– Send Quit command
– Cleanup and exit
Honeypot Core side:
– Honeypot Core initiated
– Create GUI communications server socket
– Create and start HTTP & Telnet servers (on Start)
– Serve clients
– Stop and delete servers (on Stop)
– Cleanup and exit (on Quit)
Demonstration
Summary
– Honeypots are a cheap and simple way to add protection to a network
– Honeypots allow the study of attackers' methods of operation and help develop new ways of countering them
Possible Future Additions
– More services such as FTP, messenger, P2P applications
– Allow administration of multiple servers via the network
– Add the ability to answer as different IP addresses
– Emulate different kinds of web servers other than IIS
– Emulate a more complex Telnet session
Thanks!
We wish to thank:
– Ben for his help and endless patience
– Ilana and the Tochna lab team
– Our families