The Honeypot Project - PowerPoint PPT Presentation

1 / 43
About This Presentation
Title:

The Honeypot Project

Description:

Title: The Honeypot Project Author: Softlab, EE Last modified by: Softlab, EE Created Date: 10/28/2004 5:01:39 PM Document presentation format: On-screen Show – PowerPoint PPT presentation

Number of Views:402
Avg rating:3.0/5.0
Slides: 44
Provided by: Softl2
Category:

less

Transcript and Presenter's Notes

Title: The Honeypot Project


1
The Honeypot Project
  • By
  • Itzik Jislin
  • Yiftach Benjamini
  • Supervisor Ben Bershtein

2
Introduction
3
What is a Honeypot?
  • "A honeypot is an information system resource
    whose value lies in unauthorized or illicit use
    of that resource." - Lance Spitzner

4
Honeypot Overview
  • A Honeypot has no functional value
  • A Honeypot does not do anything active. Its value
    lies in the knowledge that any access to the
    Honeypot is probably malicious
  • In a perfectly safe network a Honeypot should see
    no traffic at all

5
Honeypot Overview - Advantages
  • Small data sets of high value
  • Very flexible
  • does not rely on a fixed database (Like
    Anti-Virus software). Allows the detection of new
    and unknown methods and tools
  • Minimal resources
  • Since Honeypots are not intended to actually
    server a magnitude of clients they need very
    little resources
  • Simple
  • Honeypots are simple to install and maintain

6
Honeypot Overview - Disadvantages
  • Limited view
  • A Honeypot can observe only interaction with
    itself. It is not a sniffer and cannot log
    actions against other functional systems in the
    network
  • Risk
  • Depending on the type of the Honeypot the risk
    can be greater or lesser. But there is always a
    risk to the network when a multitude of servers
    are active in it.

7
Honeypots Overview - Types
  • Low-Interaction
  • Simulates some network services (HTTP, Telnet,
    FTP, etc)
  • Very low risk (Interaction is only with a
    simulation)
  • Less flexible (Can only simulate what was
    programmed)
  • Easier to identify
  • Examples are Specter, honeyd, our project

8
Honeypots Overview - Types
  • High-Interaction (Sacrificial Lamb)
  • Real servers running some kind of logging
    software
  • High risk (Attacker is working with the real
    thing)
  • Almost impossible to identify

9
Honeypots Overview - Honeynets
10
Overview But what good is it?
  • Collect data
  • Allows researching attackers methods and tools
    and developing counter-tools.
  • Prevention
  • Sticky Honeypots slow down scanning
    capabilities of attackers by slow response times
  • If the usage of Honeypots is publicly known it
    might deter hackers from attacking the network
    for fear of being caught

11
Overview But what good is it?
  • Detection and Response
  • If a Honeypot detects suspicious activity it can
    send an e-mail or sms to a network administrator
  • A Honeypot is a non essential system, so taking
    it offline in order to analyze damage done by an
    attack will be less harmful and disruptive to the
    functionality of the network

12
Overview But what good is it?
  • Counter Attack
  • A Honeypot could be configured to actively
    respond when it detects attacks coming from
    systems within its network. For instance if it
    detects worm activity from some system in the
    network it can quarantine the system or shut it
    down or even use some routine to purge the worm

13
Overview - Threats
  • Viruses
  • Pieces of software that attach to innocent files.
    Consume computers recourses and may be even more
    malicious (deleting files, ruining hardware,
    etc). Rely on social engineering for spreading
  • Worms
  • Self propagating code. Searches for communication
    vulnerabilities and uses them to infect more
    computers at an exponential rate.

14
Overview - Threats
  • Humans
  • White Hats Good Hackers searching for
    vulnerabilities in order to report them and
    increase security awareness
  • Black Hats Hackers with personal gain or mayhem
    in mind. Break into systems in order to steal or
    corrupt data.
  • Script Kiddies Tool users. No real
    understanding of what the are doing. Techniques
    usually include scanning for a system and then
    hammering it with various tools in order to find
    a vulnerability.

15
Our Solution
  • The path to implementation

16
Phase I How to simulate an IIS?
  • Fingerprinting using HMAP

HMAP vs. www.technion.ac.il
HMAP vs. Our Honeypot
17
Phase II How do you hack a web server?
  • Directory traversal (double decode)
  • Buffer Overflow (Code Red)
  • Malformed SQL statements

18
Phase II How do you hack a web server?
  • Look for directories set up by default with
    execute permissions
  • These directories may also hold default scripts
    that contain vulnerabilities
  • Find them by sending requests like these
  • GET /frick.html HTTP/1.0
  • GET /scripts/ HTTP/1.0
  • GET /_vti_pvt/ HTTP/1.0
  • GET /cgi-bin/GetFile.cfm HTTP/1.0
  • Etc

19
Phase II How do you hack a web server?
  • If we find such a directory we can send malicious
    strings that use known vulnerabilities such as
    the double decode directory traversal attack
  • Our mission is to execute the cmd.exe program
    that will get us root access to the computer

20
Phase II How do you hack a web server?
  • Example
  • Send the string
  • /..3563..3563..3563..3563winnt/system3
    2/cmd.exe?/cdirc
  • Since the ../../../ attack is well known it
    checks for it. (Cant find it in this string)
  • Then it decodes the string changing 35 to 5
    and 63 to c. Now we have
  • /..5c..5c..5c..5cwinnt/system32/cmd.exe?/cdir
    c
  • Now it realizes it forgot to decode 5c which
    surprisingly decodes to a /
  • /../../../../winnt/system32/cmd.exe?/cdirc
  • Now we have root permissions

21
Simulating Port Scanning
  • Knocker FrontEnd port scanner

22
Vulnerabilities check
  • N-Stealth Security Scanner

23
Phase III
  • Implement

24
Based On
  • Visual C .net
  • Visual Basic .net (GUI)
  • Winsock2
  • ODBC

25
Honeypot Architecture
  • Deployment

Network Scan
26
Honeypot Architecture
  • The program is divided into two main
    applications.
  • GUI Allows an easy way of starting and stopping
    the servers, searching through collected data and
    displaying statistics
  • Honeypot_Core Creates and maintains the
    servers. Collects the data from the users and
    updates the databases

27
Honeypot Architecture
  • Block Diagram

28
Honeypot Architecture
  • Communication between GUI and core is done over
    Winsock
  • Why Winsock?
  • Answer
  • There were many available options
  • RPC, Signaling, Shared memory, And much more
  • We wanted to allow for the expansion of the
    deployment scheme. Suppose you want to run
    multiple instances of the core on different
    computers.
  • Using Winsock allows running the GUI on one
    machine while controlling others over the network

29
Honeypot Architecture - Classes
30
Honeypot Architecture - Classes
  • myDb
  • A class used as an interface with our ODBC
    database.
  • Functions
  • Connect to the db
  • Disconnect from the db
  • Insert data into a table in the db

31
Honeypot Architecture - Classes
  • mySock
  • A class used as an interface with the winsock2
    objects
  • Functions
  • Create a new socket
  • Set socket options (Timeout)
  • Connect to a server
  • Accept (Listen) new connections
  • Send data
  • Receive data
  • Close socket

32
Honeypot Architecture - Classes
  • myServer
  • A class used to create and maintain server
    objects. New servers are created by inheritance
    and need to implement the serveClient virtual
    function.
  • Implementation allows easy way to add new
    services in the future
  • Functions
  • Create and init a server
  • Start the server
  • Stop the server

33
Honeypot Architecture myServer
34
Honeypot Architecture HTTPServer
  • The purpose is to catch malicious http strings
    sent as innocent requests
  • The http server emulates a Microsoft IIS 5.0 web
    server
  • The emulation displays only one page taken from
    index.htm
  • The Honeypot is completely safe from all attacks
    since it does actually try to execute any
    commands sent at it. Its default response is
    Not implemented

35
Honeypot Architecture HTTPServer
36
Honeypot Architecture TELNETServer
  • The purpose is to observe the usernames and
    passwords attackers will try when hacking a
    telnet server
  • This will allow the creation of a common used
    passwords database so that users can be advised
    (or required) as to what passwords not to use
  • It can also help detecting stolen passwords
  • The server emulates nothing more than the login
    handshake.
  • All logins fail

37
Honeypot Architecture TELNETServer
38
Honeypot Architecture Communication Flow
39
Demonstration
40
Summery
41
Summery
  • Honeypots are a cheap and simple way to add
    protection to a network
  • Honeypots allow the study of attackers methods of
    operation. And help developing new ways for
    countering them.

42
Possible Future Additions
  • More services such as ftp, messenger, p2p
    applications
  • Allow administration of multiple servers via
    network
  • Add the ability to answer as different ip
    addresses
  • Emulate different kinds of web servers other than
    IIS
  • Emulate a more complex telnet session

43
Thanks!
  • We wish to thank
  • Ben for his help and endless patience
  • Ilana and the Tochna lab team
  • Our families
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "The Honeypot Project" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!