Project Artillery Active Honeypotting. Dave Kennedy Founder, Principal Security Consultant

Transcription

1 Project Artillery Active Honeypotting Dave Kennedy Founder, Principal Security Consultant

2 About the Speaker Founder, Principal Security Consultant at TrustedSec. Business guy, Penetration Tester, Exploit Writer. Creator of The Social-Engineer Toolkit (SET) and Artillery. Author of Metasploit: The Penetration Testers Guide. Back Track Development Team Exploit-DB Team Social- Engineer.org and ISDPodcast.

3 The Basics of the Talk Preventing attacks is half the battle, the first is detection. Artillery was designed to be that early warning system and hopefully prevent attacks before they happen. Purely blue team tool.

4 Why was Ar8llery made? Artillery was made to fill a gap in the defensive capabilities of systems. There are a number of others but none that do everything Artillery does, for example OSSEC HIDS. Designed to be SIMPLE!

5 History of Ar8llery Idea came up when configuring multiple *nix servers. On an airplane ride back, Artillery 0.1 was born. Easy way for open source community to be able to strengthen systems quickly.

6 Project Ar8llery Open-Source native Python written tool. Originally named off of the Artillery song by Infected Mushroom. Threat intelligence, Honeypot, file integrity monitoring, attack detection, and much more. Ability to detect and prevent attacks. Works on Windows and Linux.

7 Introduc8on to Ar8llery Simple installation, python setup.py install. Opens a number of ports on the system and listens for attacks. Monitors the file system for changes. Detect things such as port scans and others.

8 Performance Minimal CPU performance hit, roughly about 1 percent usage. RAM wise extremely thin. Usually about 4 to 5 megs. Even the file system monitoring requires minimal CPU usage. Is throttled.

9 Threat Intelligence Feed Servers deployed all across the world (UK, Australia, China (don t ask), Russia, and others). Look for attacks and report them back to the central Artillery server. Artillery instances that use the intelligence feed can automatically pull it down. All free, open source project.

10 Visualizing the AEacks

11 Most AEackers United States by far is the largest attacker with Russia second with 892. China third with 789. Brazil fourth with 770. Romania fifth with 700.

12 Some Interes8ng Ones There was only 1 attack in Ethiopia. Nigeria only had 10 attacks. Australia only 33 attacks. Hungary had 386 attacks.

13 Current Totals Current banlist provides 67,482 IP addresses. Does not clear out the IP addresses yet, working on a configurable option.

14 The Basics of Ar8llery First and foremost the config file is the most important aspect of Artillery. Allows you to customize the the insides of Artillery and give you the functionality you need.

15 Walkthrough of the configuration file

16 Installing Ar8llery Uses all native python libraries (no third party). Download by: svn co svn.trustedsec.com/ artillery artillery/ python setup.py will install and ensure it runs at each instance.

17 Demonstration on the Installation

18 Checking the Ports We can see the honeypot actively listening on a bunch of different ports. Listens on commonly attacked ports and are all configurable. Most common ports, 135, 445 (RPC/NetBios), 5900 VNC, 3389 RDP, 1433 MSSQL, etc.

19 Ac8ve Blocking Artillery will detect when a connection is established (TCP only at this point). Send random os.urandom data to the attacker and then use IPTables to block.

20 Checking out the Active Blocking

21 IPTables are automa8cally updated IPTables are automatically updated based on the attacker and permanently blocked. You can specify whitelists based on IP and CIDR notation in the config.

22 Ar8llery File Monitoring Based on the configuration file, Artillery will monitor certain directory for changes. Stored in a flat database with SHA512 hashes for each file.

23 File Monitoring Alerts Two ways currently that the alerts can be delivered, one through s, others through a log file. Can configure the flagging and alerts inside the config file for interval alerting.

24 Aler8ng on Insecure Configura8ons Artillery will alert on different misconfigurations or insecurities. Some examples root permissions not set on Apache, sshd allows root logins etc.

25 SSH Brute Force Detec8on Detects SSH brute force detection. Can change attempts through the config and can also whitelist invalid attempts.

26 Configuring: Threat Intelligence Feed First edit the config and turn the threat intelligence feed to on. By default the feed is turn to ON and will automatically download the latest feed.

27 Configuring your own feed Editing the config, you can specify multiple other servers that you may have deployed and they will all work with each other to automatically ban different attackers.

28 An8 Dos Protec8on Can throttle and limit connections to certain TCP based ports. Can configure whatever port you want in the config file, by default is 80 and 443.

29 Apache Monitoring Basic right now, working on an inline interceptor to get raw HTTP data. Ability to create web application firewall techniques for Apache.

30 Sending No8fica8ons Can send alerts through GMAIL and standard SMTP servers. Can throttle the amount of time between alerts, for example not every time there's an alert, can bulk them together every 10 minutes.

31 Using Ar8llery Once installed, modifying the configuration file is about it. Any configuration change requires a restart of Artillery for now. python restart_server.py

32 Best way to Implement Ar8llery There are a few different ways to deploy Artillery from a detective and response scenario. Lets discuss a few deployment scenarios.

33 Passive Honeypot Deploy Artillery to multiple servers internally and externally. Do not have the automatic blocking turned on and monitor the attempts for connections.

34 Ac8ve Protec8on Place on sensitive servers exposed on the net. Block them actively as they attack to prevent further attacks. Identify the best strategy to deploy it larger scale.

35 Catches on Windows Doesn t actively block at this point, working on it. Does not start at boot, need to run per instance. Service is being written to start on each startup and run as a service.

36 Things to Come Server / Agent model where Artillery can have a centralized feed and control multiple Artillery instances. Ability to actively shun attacker IP addresses on Cisco devices when a deny is present in the Cisco device. Better Windows support.

37 Things to Come Part 2 Ability to send Artillery logs to remote syslog servers. Develop better ways for monitoring more system files. Add more attack signatures.

38

39 Fun stuff, more fun stuff then, Project Artillery Active Honeypotting Dave Kennedy Founder, Principal Security Consultant