USE HONEYPOTS TO KNOW YOUR ENEMIES

Transcription

1 USE HONEYPOTS TO KNOW YOUR ENEMIES SHERIF MOUSA (EG-CERT) 9 MAY 2012

2 WHAT ARE WE GOING TO TALK ABOUT? What exactly happens on the end of your Internet connection. Open Source tools to set up your own Honeypot and IDS setup and how to tie them together. LAB

3 YOUR INTERNET CONNECTION (IMAGINED)

4 YOUR INTERNET CONNECTION (REALITY)

5 YOUR INTERNET CONNECTION (WITH HONEYPOTS)

6 BASIC HONEYNET

7 HONEYPOT Generally a computer that appears to be legitimate, but in reality is a trap for malware and hackers to monitor their actions and tactics. There should be no legit traffic to the honeypot, so any traffic it sees is immediately suspicious. A darknet is similar, but on a much bigger scale, say an entire /24 subnet

8 TYPES High Interaction Honeypots Make use of the actual vulnerable service or software. Usually complex solutions as they involve real operating systems and applications. Help in identifying unknown vulnerabilities. Big headache. Low/Medium Interaction Honeypots Allow only limited interaction for an attacker or malware. All services offered are emulated. Save many headaches.

9 NEPENTHES Nepenthes is a low interaction honeypot. It emulate _known_ vulnerabilities to collect information about potential attacks. Nepenthes is designed to emulate vulnerabilities worms use to spread, and to capture these worms. As there are many possible ways for worms to spread, Nepenthes is modular.

10 HOW NEPENTHES WORKS Vulnerability Modules emulates various services which look ripe for compromise to an attacker (lsass, dcom, veritas, dameware, etc). Shellcode Handlers and Emulators allows Nepenthes to interact with the malware. Download Modules will download the binary (http, ftp, curl, etc). Submission Modules will submit the binary for analysis (Norman, CWSandbox, postgres, etc)

11 NEPENTHES KEY LOG FILES/DIRECTORIES /var/lib/nepenthes/binaries Captured binaries are named after their md5sums, and they are stored in the above directory /var/log/nepenthes/logged_submissions This log file indicates how and where each binary is obtained. var/log/nepenthes/nepenthes.log

12 NEPENTHES PHARM PHARM is an Open Source client/server and web portal package, which provides central reporting and analysis of your distributed Nepenthes based honeypots. PHARM Clients are installed on along with your Nepenthes installs, PHARM clients listen for any changes in nepenthes log files (logged_submissions and nepenthes.log) and sends over the logged data and malware collected over to the server running the PHARM server. PHARM server gets all the data collected from PHARM Clients and provides analysis/report of your honeypots through the PHARM Web portal.

13 PHARM MALWARE DATA

14 PHARM nepenthes.log DATA

15 KIPPO Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker. Features Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included. Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included. Session logs stored in an UML compatible format for easy replay with original timings. Kippo saves files downloaded with wget for later inspection.

16 SESSION TTY LOG REAL SAMPLE

17 KIPPO-GRAPH Kippo-Graph is a full featured script to visualize statistics from a Kippo SSH honeypot. Kippo-Graph currently shows 24 charts, including: Top 10 passwords, top 10 username/password combos. Connections per IP, connections per country. ssh clients. Others. There are also geolocation data extracted and displayed with Google visualization technology using a Google Map.

18 TOP 10 PASSWORDS

19 TOP 10 IP ADDRESSES

20 GEO-LOCATION

21 SNORT An open source network intrusion prevention and detection system. It uses a rule-based language combining signature, protocol and anomaly inspection methods. The most widely deployed intrusion detection and prevention technology. Gold standard in opensource IDS systems. Many frontends (BASE, SGUIL, SNORBY,...). Free + free rules updates.

22 SNORT USES Packet sniffer: capture and display packets from the network with different levels of detail on the console. Packet logger: log data in text file. Honeypot monitor: deceiving hostile parties. NIDS: network intrusion detection system.

23 SNORBY Snorby is a ruby on rails web application for network security monitoring that interfaces with current popular IDS s (Snort, Suricata and Sagen). Free and opensource.

24 DASHBOARD

25 SAMPLE EVENT

26 SECURITY ONION Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Xubuntu and contains Snort, Suricata, Sguil, Squert, Snorby, Bro, NetworkMiner, Xplico, and many other security tools. We ll use it just for Snort and Snorby.

27 TEST ENVIRONMENT NETWORK TOPOLOGY HINT: where x.x.x.0/24 is a public class C network. This topology is not secure for production.

28 SUMMARY Internet connection reality. Nepenthes. Pharm project. Kippo. Kippo-graph. Snort. Snorby. Security Onion.

29 LAB Check the lab manual (Lab_Manual.pdf)

30 REFERENCES Nepenthes >> PHARM Project >> Kippo >> BruteForce Lab's Blog >> Snort >> Snorby >> Security Onion >> & THC-Hydra >> Zenmap >>

31 QUESTIONS?

32 CONTACT INFORMATION