Honeypots

Published on StudyMode: May 2, 2013
A short introduction to honeypots
Εμμανουήλ Βασιλομανωλάκης (Emmanouil Vasilomanolakis)
PhD Candidate, Telecooperation Group, Technische Universität Darmstadt, Center for Advanced Security Research Darmstadt (CASED)
Collaborator, Networks Lab ISLAB, IIT, Demokritos
manolis@cased.de

Outline

 Introduction
 Classifications
 Deployment Architectures
 Open source vs. nothing
 2 Honeypots
 SURFcert IDS & experiences from Demokritos
 Future work - ideas

4/21/2013 Telecooperation Group | CASED

Introduction

 Definition: “A security resource whose value lies in being probed, attacked or compromised”
 Doesn’t have to be a system: Honeytokens
 We want to get compromised!
 Certainly not a standalone security mechanism.
 Why?
  • FUN!
  • No false positives!
  • Research: malware analysis/reverse engineering
  • Reducing available attack surface/early warning system

Honeypot Classifications

 Low interaction: simulate network operations (usually at the TCP/IP stack)
 [Medium interaction: simulate network operations (with more “sophisticated” ways)]
 High interaction: real systems (e.g., VMs)
 Other classifications:
  • Purpose: generic, malware collectors, SSH, etc.
  • Production – Research (not really useful)
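The low-interaction category above is easiest to understand from a minimal instance of it. The following is an added example, not code from the slides or from any of the honeypots they list: a listener that pretends to be an SSH service at the TCP level only (it sends a banner, keeps the first bytes the client sends, and hangs up). Because nothing legitimate ever talks to it, every recorded contact is a real event, which is the "no false positives" property the introduction slide claims. The banner string, the `Event` record and the `probe` helper used to exercise it from the same process are all constructed for this example.

```python
import socket
import threading
import time
from dataclasses import dataclass

# Constructed banner: the listener only pretends to be a service; nothing
# behind it is real, so every connection it sees is worth recording.
FAKE_BANNER = b"SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n"


@dataclass
class Event:
    """One recorded contact with the fake service (constructed record type)."""
    ts: float           # unix timestamp of the accept()
    src: str            # remote address
    sport: int          # remote port
    dport: int          # local port the honeypot listened on
    first_bytes: bytes  # what the client sent first (bounded, raw)

    def to_log_line(self) -> str:
        # Hex-encode client data so control bytes cannot corrupt the log.
        return "%.3f %s:%d -> :%d first_bytes=%s" % (
            self.ts, self.src, self.sport, self.dport, self.first_bytes.hex())


class LowInteractionHoneypot:
    """Accept TCP connections, send a banner, keep at most 256 bytes of the
    client's first message, then hang up. No real service is exposed."""

    def __init__(self, host="127.0.0.1", port=0, banner=FAKE_BANNER):
        self.host, self.port, self.banner = host, port, banner
        self.events = []
        self._lock = threading.Lock()
        self._sock = None

    def start(self) -> int:
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self.port = self._sock.getsockname()[1]  # port 0 -> kernel-chosen port
        self._sock.listen(16)
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self.port

    def stop(self):
        if self._sock:
            self._sock.close()

    def _accept_loop(self):
        while True:
            try:
                conn, addr = self._sock.accept()
            except OSError:  # listening socket closed by stop()
                return
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        ts = time.time()
        buf = b""
        with conn:
            conn.settimeout(2.0)  # do not let a silent client tie up a thread
            try:
                conn.sendall(self.banner)
                while len(buf) < 256:  # bounded read: one line or 256 bytes
                    chunk = conn.recv(256 - len(buf))
                    if not chunk:
                        break
                    buf += chunk
                    if b"\n" in buf:
                        break
            except (socket.timeout, OSError):
                pass
        with self._lock:
            self.events.append(Event(ts, addr[0], addr[1], self.port, buf))

    def wait_for_events(self, n: int, timeout: float = 5.0) -> list:
        """Block until n events are recorded (or timeout); return a copy."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= n:
                    return list(self.events)
            time.sleep(0.01)
        with self._lock:
            return list(self.events)


def probe(host: str, port: int, payload: bytes) -> bytes:
    """Connect to the honeypot, read its banner, send one line, disconnect.
    Constructed helper used only to exercise the listener in-process."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = LowInteractionHoneypot()
    port = hp.start()
    print("honeypot listening on 127.0.0.1:%d" % port)
    probe("127.0.0.1", port, b"SSH-2.0-constructed-client\r\n")
    for ev in hp.wait_for_events(1):
        print(ev.to_log_line())
    hp.stop()
```

The read is bounded and timed out on purpose: a low-interaction honeypot should never let an unknown peer decide how much memory or how many threads it consumes, and it should never parse the client's data as a real protocol would.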

Honeypot Deployment Architectures


Open Source vs. nothing (really!)

Honeypot       | Type    | OS      | Language       | GUI | License
---------------|---------|---------|----------------|-----|--------
Honeyd         | Generic | Linux   | C              | N   | GNU
Nepenthes      | Malware | Linux   | C              | N   | GNU
Dionaea        | Malware | Linux   | Python         | N   | GNU
Honeytrap      | Generic | Linux   | C              | N   | GNU
LaBrea         | Generic | Linux   | C              | N   | GNU
Tiny HP        | Generic | Linux   | Perl           | N   | GNU
HoneyBot       | Malware | Windows |                | Y   | Closed
Google Hack HP | Web     |         | PHP            | Y   | GNU
Multipot       | Malware | Windows | VB 6           | Y   | GNU
Glastopf       | Web     | Linux   | Python         | Y   | GNU
Kojoney        | SSH     | Linux   | Python         | N   | GNU
Kippo          | SSH     | Linux   | Python         | N   | BSD
Amun           | Malware |         | Python         | N   | GNU
Omnivora       | Malware | Windows | Borland Delphi | Y   | GNU
BillyGoat      | Malware |         | ?              | ?   | Closed
Artemisa       | VoIP    |         | Python         | N   | GNU
GHOST          | USB     | Windows | C              | Y   | GNU

Dionaea

 Low interaction honeypot for collecting malware
 Nepenthes successor
 Basic protocol simulated: SMB (port 445)
 Others: HTTP, HTTPS, FTP, TFTP, MSSQL and SIP (VoIP)
 Also supports IPv6 and TLS
 Malware files: stored locally and/or sent to 3rd-party entities (CWSandbox, Norman Sandbox, Anubis, VirusTotal)

Kippo (1/2)

 Low interaction SSH honeypot
 Features:
  • Presenting a fake (but “functional”) system to the attacker (resembling a Debian 5.0 installation)
  • The attacker can download his tools through wget, and we save them for later inspection (cool!)
  • Session logs are stored in a UML-compatible format for easy replay with original timings (even cooler!)
 Easy to install, but hard to get hackers!
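The "replay with original timings" feature on the Kippo slide rests on one design decision: every byte that crosses the fake terminal is stored together with a timestamp and a direction, so a reviewer can later watch the session unfold at the attacker's own pace. The block below is an added example of that idea, not Kippo's code and not its actual on-disk format (the record layout, the direction codes and the `demo_session` contents are all constructed here): a writer, a parser that tolerates a truncated file, and a replayer whose delays can be scaled or, for testing, skipped.

```python
import io
import struct
import time

# Constructed record layout (not Kippo's real format): one fixed header per
# event, followed by the raw bytes of that event.
#   direction: 1 = bytes typed by the attacker, 2 = bytes shown by the shell
#   sec/usec:  absolute timestamp, so inter-event delays can be recovered
HEADER = struct.Struct("<BIII")  # direction, length, sec, usec
DIR_INPUT, DIR_OUTPUT = 1, 2


class SessionLog:
    """Append-only writer: call write() each time bytes cross the pty."""

    def __init__(self, clock=time.time):
        self.buf = io.BytesIO()
        self.clock = clock  # injectable so tests can use a fake clock

    def write(self, direction: int, data: bytes) -> None:
        now = self.clock()
        sec = int(now)
        usec = int((now - sec) * 1_000_000)
        self.buf.write(HEADER.pack(direction, len(data), sec, usec))
        self.buf.write(data)

    def getvalue(self) -> bytes:
        return self.buf.getvalue()


def parse_session(blob: bytes) -> list:
    """Decode a log into (timestamp, direction, data) tuples.
    A truncated trailing record (e.g. the honeypot died mid-write) is
    dropped rather than mis-parsed."""
    events = []
    pos = 0
    while pos + HEADER.size <= len(blob):
        direction, length, sec, usec = HEADER.unpack_from(blob, pos)
        pos += HEADER.size
        if pos + length > len(blob):
            break
        events.append((sec + usec / 1_000_000, direction, blob[pos:pos + length]))
        pos += length
    return events


def replay(events: list, speed: float = 1.0, sink=None, sleep=time.sleep) -> list:
    """Write the shell's output to `sink`, pausing between events for the
    original delay divided by `speed`. Returns the delays actually waited,
    which makes the timing logic checkable without real sleeping."""
    sink = sink if sink is not None else io.BytesIO()
    delays = []
    prev = None
    for ts, direction, data in events:
        if prev is not None:
            delay = max(0.0, (ts - prev) / speed)  # clamp clock skew to 0
            delays.append(delay)
            sleep(delay)
        prev = ts
        if direction == DIR_OUTPUT:
            sink.write(data)
    return delays


def demo_session() -> bytes:
    """Record a constructed two-event session against a fake clock:
    a prompt, a 1.5 s pause, a typed command, a 0.2 s pause, its output."""
    t = [1_366_531_200.0]  # constructed start time

    def fake_clock():
        return t[0]

    log = SessionLog(clock=fake_clock)
    log.write(DIR_OUTPUT, b"$ ")
    t[0] += 1.5
    log.write(DIR_INPUT, b"uname -a\r")
    t[0] += 0.2
    log.write(DIR_OUTPUT, b"Linux honeypot-host 2.6.26-2-686\r\n$ ")
    return log.getvalue()


if __name__ == "__main__":
    events = parse_session(demo_session())
    out = io.BytesIO()
    waited = replay(events, speed=1.0, sink=out)
    print(out.getvalue().decode(), "delays:", waited)
```

Storing absolute timestamps rather than deltas is what lets a partially written log remain useful: every surviving record still places itself correctly in time, and a reviewer can speed a long idle period up with `speed` without losing the order of events.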

SURFcert IDS

 An open source (GPLv2) distributed intrusion detection system based on honeypots
 Sensors act as proxies, forwarding network traffic from the monitored network to the system’s center using OpenVPN
 Supported honeypots: Nepenthes, Dionaea, Argos, Kippo
 Three parts:
  • Tunnel – honeypot server
  • Web – logging server
  • Sensors

SURFcert IDS

 Also:
  • Supports p0f for attackers’ OS detection
  • Statistics, nice web GUI, sensor status, geographical visualizations, and more…

SURFcert IDS @ Demokritos

 Some stats:
  • 21,000 attacks on 3 different sensors (1 month)
  • 1500 malware files downloaded
  • Main target: port 445
 Successfully detected infected systems inside our network (mostly with a Conficker worm variant)
 Automatic malware analysis can give us valuable information on botnets (and their C&C IRC servers)
 Possible to find zero-day exploits / new malware (or different variants)
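The figures on this slide (attacks per sensor, the dominant target port, and the discovery of infected machines inside the monitored network) are the kind of summary a defender derives from the sensors' connection records. The block below is an added example of that analysis, not SURFcert IDS or Dionaea code: it parses a constructed key=value log (the line format, the sensor names, the addresses and the 10.1.0.0/16 "internal" prefix are all assumptions for this example), tolerates malformed lines, and singles out internal sources that contacted a honeypot on port 445, since an internal host probing SMB on a machine that offers no real service is far more likely to be a worm than a user.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample records in a simple key=value format (not the exact
# output of SURFcert IDS or Dionaea); each line is one connection a sensor saw.
SAMPLE_LOG = """\
2013-04-02T10:15:03 sensor=sensor-1 src=10.1.7.23 dport=445 proto=tcp download=1
2013-04-02T10:15:09 sensor=sensor-1 src=10.1.7.23 dport=445 proto=tcp download=0
2013-04-02T10:16:41 sensor=sensor-2 src=203.0.113.9 dport=445 proto=tcp download=1
2013-04-02T10:17:02 sensor=sensor-2 src=203.0.113.9 dport=22 proto=tcp download=0
2013-04-02T10:18:30 sensor=sensor-3 src=198.51.100.77 dport=445 proto=tcp download=0
2013-04-02T10:19:11 sensor=sensor-1 src=10.1.9.140 dport=445 proto=tcp download=1
2013-04-02T10:20:55 sensor=sensor-3 src=198.51.100.77 dport=5060 proto=udp download=0
malformed line that should be skipped
"""

# Assumed address plan of the monitored network (constructed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.1.0.0/16")]


def parse_line(line: str):
    """Return a dict for one record, or None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        rec[key] = value
    if "sensor" not in rec:
        return None
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dport"] = int(rec["dport"])
    except (KeyError, ValueError):
        return None
    rec["download"] = rec.get("download") == "1"
    return rec


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def summarize(log_text: str) -> dict:
    """Per-sensor attack counts, most-hit port, download count, and which
    internal hosts contacted the honeypots on which ports."""
    per_sensor = Counter()
    per_port = Counter()
    downloads = 0
    internal_hits = defaultdict(Counter)  # src -> Counter of destination ports
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        per_sensor[rec["sensor"]] += 1
        per_port[rec["dport"]] += 1
        if rec["download"]:
            downloads += 1
        if is_internal(rec["src"]):
            internal_hits[str(rec["src"])][rec["dport"]] += 1
    top_port = per_port.most_common(1)[0][0] if per_port else None
    return {
        "attacks": sum(per_sensor.values()),
        "per_sensor": dict(per_sensor),
        "top_port": top_port,
        "downloads": downloads,
        "internal_sources": {src: dict(ports) for src, ports in internal_hits.items()},
        "skipped": skipped,
    }


def suspected_infected_hosts(summary: dict, port: int = 445) -> list:
    """Internal addresses that hit a honeypot on `port`; with no real service
    behind the honeypot there is no benign explanation for the contact."""
    return sorted(src for src, ports in summary["internal_sources"].items()
                  if port in ports)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("attacks=%d per_sensor=%s top_port=%s downloads=%d skipped=%d" % (
        s["attacks"], s["per_sensor"], s["top_port"], s["downloads"], s["skipped"]))
    print("suspected infected internal hosts:", suspected_infected_hosts(s))
```

The split between `summarize` and `suspected_infected_hosts` mirrors the two uses on the slide: the first feeds the dashboard-style statistics, the second produces the short list that is handed to whoever cleans up the infected machines.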

Future Work - Ideas
Features:
Attacker scans our system

 Better...