The Honeynet Project Advancements in Honeypot Tools

1
The Honeynet ProjectAdvancements in
HoneypotTools
2
Presented by Kirby Kuehl

• Background
• Feel free to ask questions during presentation.
• Email kkuehl_at_cisco.com
• Websites http//www.honeynet.org
• http//winfingerprint.sourceforge.net

3
About the Honeynet Project

• Informally began as the Wargames mailing list in
  1999.
• Project officially formed in 2000.
• Became a Non-profit organization in 2001.
• Consists of 30 members who volunteer their time
  and resources to research the hacker community.

4
Honeynet Project Goals

• Learn the Tools, Tactics, and Motives of the
  Hacker Community
• Raise Awareness through release of Know Your
  Enemy series of whitepapers.
• Teach and Inform
• Scan of the Month Challenges
• Reverse Challenge
• Forensic Challenge
• Research
• Honeynet Alliance
• Tool Development

5
Layer 3 Data Control A shell script counted the
number of outbound connections initiated by the
attacker and blocked all connections after a
count of 10 was reached. This suspicious behavior
could lead to the discovery of the firewall via
TTL decrementing (traceroute) and possible attack
since the firewall obviously has Layer 3 Address
(IP Address). Data Capture The IDS (snort)
listens on the span port of the switch, capturing
all inbound/outbound traffic.
6
(No Transcript)
7
Generation II Honeynet Sensor Components

• The Bridging Firewall
• Counting and Blocking Connections Improvements
• Data Control with Snort-Inline
• Sebek kernel module
• Honeyd and arpd
• Sneak Peak of The Honeywall CD

8
Honeynet Data Control The Linux Bridging
Firewall

• Bridges are Layer 2 devices that connect two or
  more distinct Ethernet segments. All packets
  received by one interface are transparently
  copied to the other interface based upon MAC
  address.
• A Bridging Firewall is capable of transparently
  filtering received frames before they are copied
  to the second interface.
• Requires a Linux kernel compiled with bridge and
  bridge firewall support.
• See http//bridge.sourceforge.net/ for kernel
  patches and more information.

9
Honeynet Data ControlMethod 1 Counting and
Blocking Connections

• IPTables Firewall Script uses the LOG and ACCEPT
  targets for all inbound connections allowing
  attackers to enter the honeynet.
• The IPTables Firewall Script LOGs and ACCEPTs
  outbound connections until a predefined limit is
  reached within a specified timeframe. Connection
  attempts beyond the limit are DROPped.
• Example Data Control Firewall Script
  http//www.honeynet.org/papers/honeynet/tools/rc.f
  irewall

10
Honeynet Data ControlMethod 2 Snort-Inline

• The Honeynet Project utilizes Snort-Inline in
  combination with netfilter/iptables operating as
  a bridging firewall to send packets to userspace
  for processing.
• This is accomplished with the QUEUE target.
• The standard queue handler for IPv4 iptables is
  the ip_queue module, which is distributed with
  the kernel and marked as experimental.
• Snort-inline (the userspace application) uses
  the libipq API, (which is distributed with
  iptables) to receive and possibly manipulate the
  packets traversing the bridge as demonstrated in
  the next slides.
• Snort-Inline http//www.snort.org/dl/contrib/patc
  hes/inline/
• Netfilter/iptables http//www.netfilter.org

11
Snort-Inline Rule Options

• Drop The drop rule tells iptables to drop the
  packet and log it via usual snort means
• Sdrop The sdrop rule tells iptables to drop the
  packet. Nothing is logged.
• Reject The reject rule type tells iptables to
  drop the packet log it via usual snort means
  and send a TCP reset if the protocol is TCP or an
  ICMP port unreachable if the protocol is UDP.

12
Snort-Inline Drop Rule

• To drop an DNS attack, the signature would look
  as follows
• drop tcp HOME_NET any EXTERNAL_NET 53
• (msg"DNS EXPLOIT named"flags A
• content"CD80 E8D7 FFFFFF/bin/sh"

13
Snort-Inline Drop Rule
User Space
Snort-Inline
Snort Rules Drop
snort Q c /snort.conf
Iptables-1.2.7a
DROP
modprobe ip_queue
Ip_queue
iptables -A OUTPUT -p icmp -j QUEUE
Kernel Space
14
Snort-Inline Replace Rule

• Another option replaces portions of the payload
  (disabling the effectiveness of the attack) but
  allowing the connection to continue
• alert tcp HOME_NET any -gt EXTERNAL_NET 53
• (msg"DNS EXPLOIT named"flags A
• content"CD80 E8D7 FFFFFF/bin/sh"
• replace"0000 E8D7 FFFFFF/ben/sh")

15
Snort-Inline Replace Mode
User Space
Snort Rules Replace
Snort-Inline
/bin/sh
/ben/sh
Iptables-1.2.7a
modprobe ip_queue
Ip_queue
iptables -A OUTPUT -p icmp -j QUEUE
Kernel Space
16
Honeyd

• Honeyd, when used in conjunction with arpd can
  simulate an entire LAN containing virtual hosts.
• These virtual hosts can fool various TCP and ICMP
  fingerprinting methods.
• These virtual hosts can run various virtual,
  proxied, or fake services.
• http//www.citi.umich.edu/u/provos/honeyd/

17
Honeyd Operation
Sending ICMP Echo Reply 192.168.1.15
-gt 192.168.1.9
ping 192.168.1.15
Reply from 192.168.1.15 bytes32 timelt10ms TTL64
arpd_send who-has 192.168.1.15 to 192.168.1.9
arpd_reply 192.168.1.15 is-at 00096be0399b
18
Honeyd The role of arpd

• Like the bridging firewall used by snort-inline,
  arpd also operates at Layer 2.
• Arpd replies to any ARP request for an IP address
  (Layer 3) within the simulated network with the
  MAC address of the specified interface of the
  machine running arpd.
• This allows one host to simulate an entire
  network of machines.

19
Arpd Screenshot
20
Honeyd Screenshot
21
ARP Cache
22
Sample Honeyd Configuration
Example of a simple host template and its
binding create default set default personality
FreeBSD 2.2.1-STABLE add default tcp port 80
sh scripts/web.sh add default tcp port 22 "sh
scripts/test.sh ipsrc dport" add default tcp
port 113 reset add default tcp port 1 reset set
default uid 32767 gid 32767 bind 192.168.1.15
default set 192.168.1.15 uptime 1327650 add
default tcp port 23 proxy 192.168.1.1323 set
default subsystem /usr/sbin/httpd
23
NMAP Portscan and OS Fingerprint
24
SebekKernel Space data collection

• The Sebek kernel module collects data passing
  through the read() system call. This captures the
  intruders ssh keystrokes and recovers scp file
  transfers.
• Sebek utilizes the adore rootkit to hide the
  sebek files and processes from the attacker.
• Sebek http//www.honeynet.org/papers/honeynet/t
  ools/
• Adore http//www.team-teso.net/releases.php

25
Sdm The Sebek Device Monitor

• Sdm encrypts the payload.
• Based on the intruders input, the IP addresses,
  MAC addresses, and UDP port numbers are
  falsified.
• Data is transferred using a variable amount of
  delay.
• Sdm transmits decoy packets when there is no
  legitimate traffic.

26
Sebeksniff and Sbdump

• Collects the data from sdm, unencrypts it, and
  stores it in a log file.
• Use the sbdump.pl script to examine these log
  files.
• Sbdump displays the timestamp, user id, process
  name, tty, file descriptor and the data (ssh
  keystrokes or file transferred by scp)

27
Sebek Diagram
28
Honeywall CDComing Soon

• Bootable CDROM Honeynet Gateway extracts
  operating system onto a ram drive.
• Hardware requirements 256MB of RAM, a CD-ROM, a
  10GB IDE hard drive (for logging and storage of
  various boot variables such as which networks to
  bridge), and two NICs.
• Capable of Generation 1 (Layer 3) or Generation 2
  (Layer 2) Honeynet Data Control.
• Kernel contains bridge firewalling support for
  the inline enabled snort. Also includes Sebek,
  dsniff, tcpdump, and p0f.

29
Honeywall CD Main Screen
30
Initialize drive mounts a local IDE drive for
Honeynet Logging and storage of settings.
31
Start Layer 2 Bridge
32
Bringing up the bridge and starting various
utilities
33
Wininterrogate Analysis of Win32 File systems
and Processes
34
Wininterrogate File system

• Recursively walks directory structure obtaining
  the following
• File Name
• Complete Path
• Directory
• File Size
• Creation Time
• Last Access Time
• Last Write Time
• Attributes

35
Wininterrogate Processes

• Display Process Name and Path
• Process ID (pid)
• Linked DLLs
• DLL Entry Point
• DLL Base
• DLL Image Size
• Port Bindings (Windows XP Only)

36
Wininterrogate Common Options

• MD5 Checksum providing similar functionality to
  tripwire
• CSV (comma separated value). Import into
  Microsoft Excel or any database for processing.
• Extra information Gathered on .DLL, .VBX,
  .DRV, .EXE, .OCX, .BIN, .SCR
• CompanyName
• FileDescription
• FileVersion
• InternalName
• LegalCopyright
• OriginalFilename
• ProductName
• ProductVersion