8/12/2019 SunilKFSHD
60-475 Security and Privacy on the Internet
Dr. A.K. Aggarwal
KFSensor vs Honeyd Honeypot System
Sunil Gurung
Thursday, November 25, 2004
Table of Contents
1. Introduction
2. Honeypot Technology
2.1 Attackers
2.2 Honeypot
2.3 Types of Honeypot
3. KFSensor
4. Honeyd
4.1 Product Detail
4.2 Installation
4.3 Some major differences between KFSensor and Honeyd
4.4 How does Honeyd work
4.5 Running Honeyd
4.6 Testing Honeyd
5. Conclusion
6. References
APPENDIX A
1. Introduction
It is said that a good defense is a good offense. In the past few years the computer security scholars and community took this idea into consideration and developed the concept of the honeypot. Traditionally the idea was more focused on the defensive side, and they developed powerful technologies and tools like the firewall and the Intrusion Detection System (IDS) to defend the network from intruders. Today they are more concerned with studying the types of attacks, the various tools used for attacking, the new kinds of viruses and other security threats, so that they can defend their systems more securely. The idea behind the honeypot is to create a virtual, or in some scenarios a real, system and make that system visible to the attackers so that they can probe and compromise it. The system keeps track of the activities, and later the logged information is analyzed to make sure the production services and network are secured against the new threats.
Lance Spitzner defines honeypot technology as:
A honeypot is a security resource whose value lies in being probed, attacked, or compromised.1
Today there are many commercial honeypot systems available, e.g. Specter, KFSensor and Honeynet, and there has also been a lot of development in the open source area. This paper will look in more detail at honeypot technology and the types of honeypot, and the second half of the paper will look at the commercial product KFSensor and the open source software honeyd. I will discuss the similarities and differences between these software packages and will detail the features of honeyd.
1 Spitzner, Lance, "Honeypots: Tracking Hackers"
2. Honeypot Technology
2.1 Attackers
The main objective of the honeypot is to lure the bad guys, or attackers, so this section discusses the types of attackers and their motives. There are mainly two types of attackers:
Script Kiddies
They are more like amateurs; they don't care about the type of host or network they are compromising. They want to get into a system for fun, to prove that they have succeeded in hacking into some system, or to expose the inadequacy of the security policy in place in an organization. For some, the main goal is to hack
co"uter with le!! eort u!ing already e@i!ting !crit! or with "inor change! to !crit!.
$hey are "ore intere!ted into hac*ing "ore nu"'er o co"uter!.
Blachat
$he!e are "ore *nowledgea'le and "ore e@erienced with the internal wor*ing o
variou! co""unication !y!te"!% the internet and they ocu! on !y!te" o high value.
$hey are "o!tly inancially driven and aect the cororate and national level. $hey are
"ore dangerou! 'ecau!e o their !*ill! level and they oerate !ilently.
A! a er!onal ho"e co"uter u!er% we have a "i!arehen!ion that we are not vulnera'le
to attac*! 'ut we are wrong. :In the 'eginning o (00(% a ho"e networ* wa! !canned on
average 'y +) !y!te"! a day.< $oday everyone i! target o attac*er!% a! they are
e@loiting variou! "ean! to get into er!onal co"uter! to get inor"ation li*e er!onal
data% credit card inor"ation and in higher level or any 'u!ine!! their data and !y!te"
re!ource!.
(.( Honeyot
$he "ain value o honeyot lie! on 'eing attac*ed !o that the ad"ini!trator can !tudy
their attac*er! and *ind! o attac*!. $hereore we could !ay that honeyot i! a tool to
!tudy the current world o !ecurity% the variou! threat! and "ean!. $he honeyot alone
can>t !olve or i"rove the !ecurity o the networ*. It ha! to wor* along with the e@i!ting
deen!ive "echani!" to "a*ing the ort !tronger.
,ro" the introduction% we *now that the "ain o'ective o the honeyot i! to collect
inor"ation. $he ad"ini!trator "ight u!e honeyot or two rea!on! a! a roduction or
re!earch uro!e!. $he roduction honeyot will "ea!ure their e@i!ting networ*
vulnerability to outside threats. For research, they want to study the attackers so that they can be better equipped for future attacks. So why is there so much talk about the honeypot? The answer to this is: we have to know who our enemy is. It follows the saying again that the best defense for our security is to have the best offense. The more one is aware of the current issues that are going around, the more experienced one gets. The other aspect of the honeypot is that we don't have to go around hackers' computers to look for the information; it's very passive. It's like a bee hive: we set up a pot full of honey or sugar and the bees will come looking for it. Similarly, we set up a system somewhere on a network and wait for hackers to come and compromise our system.
2.3 Types of Honeypot
Depending upon the needs of the organization and the amount of information they want to gather from the system, a company can implement a honeypot in two forms: Low Interaction and High Interaction Honeypot.
1) Low Interaction Honeypot System
As the name indicates, we give the outsider as small a number of activities as possible to perform on the system. They have a limited amount of access to and interaction with the virtual services and operating system. It is very simple to implement by installing an off the shelf product like Specter or KFSensor, or by implementing the open source product honeyd. It is less risky, as hackers won't have access to the main OS and only play around with the emulated services.
For example:
We set up an emulated FTP service to run on port 21 and keep the system open on the network. The hackers will try to log into it. The system will record all the activities between the two parties. We could set up our honeypot to accept some commands to make the attack look real.
The disadvantage of low interaction is that we are limited in the amount of information we can capture, mostly the logging information and a few other things, and we can only keep track of activities that already exist. The existence of a low interaction honeypot is detected by experienced hackers.
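As an added illustration of the emulated-FTP case just described (my own code, not part of this paper, of KFSensor or of honeyd), here is a small Python service that answers a handful of FTP commands the way a low interaction decoy does and records everything the peer sends, including the USER/PASS pairs it is offered. It is shaped so that honeyd could launch it as a port 21 script, since honeyd connects the TCP stream to the script's stdin and stdout; my assumption is that honeyd also exports the peer address as HONEYD_IP_SRC, which the script reads only if present. The banner and the session transcripts are constructed; the FtpDecoy class and the replay() helper run on their own without honeyd.

```python
"""Low-interaction FTP decoy in the style of a honeyd service script (added example)."""
import io
import json
import os
import sys
import time

# Constructed decoy banner; a real deployment copies the banner of the service being mimicked.
BANNER = "220 ProFTPD 1.2.9 Server (ftp) [192.168.0.121]"


class FtpDecoy:
    """Answers a few FTP commands plausibly and records every line the peer sends."""

    def __init__(self, banner=BANNER):
        self.banner = banner
        self.user = None
        self.authenticated = False
        self.closed = False
        self.commands = []      # raw command lines, in the order received
        self.credentials = []   # (user, password) pairs offered by the peer

    def greet(self):
        return self.banner

    def handle(self, line):
        """Return the reply for one command line; the line is logged before it is interpreted."""
        line = line.rstrip("\r\n")
        self.commands.append(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "QUIT":
            self.closed = True
            return "221 Goodbye."
        if verb == "USER":
            self.user = arg
            return "331 Password required for %s." % arg
        if verb == "PASS":
            if self.user is None:
                return "503 Login with USER first."
            self.credentials.append((self.user, arg))
            self.authenticated = True          # every login "succeeds" so the peer keeps talking
            return "230 User %s logged in." % self.user
        if not self.authenticated:
            return "530 Please login with USER and PASS."
        if verb == "SYST":
            return "215 UNIX Type: L8"
        if verb == "PWD":
            return '257 "/" is current directory.'
        if verb in ("LIST", "NLST", "RETR", "STOR"):
            return "425 Can't build data connection."   # no data channel is emulated
        return "500 '%s': command not understood." % line


def serve(stdin, stdout, logpath=None):
    """Run one session over the given streams; return (and optionally append to a log) the session record."""
    decoy = FtpDecoy()
    # Assumption: honeyd exports the connecting address as HONEYD_IP_SRC; fall back to "unknown".
    peer = os.environ.get("HONEYD_IP_SRC", "unknown")
    started = time.time()
    stdout.write(decoy.greet() + "\r\n")
    stdout.flush()
    for line in stdin:
        stdout.write(decoy.handle(line) + "\r\n")
        stdout.flush()
        if decoy.closed:
            break
    record = {"peer": peer, "started": started,
              "commands": decoy.commands, "credentials": decoy.credentials}
    if logpath:
        with open(logpath, "a") as fh:
            fh.write(json.dumps(record) + "\n")
    return record


def replay(transcript):
    """Feed a captured client transcript (one command per line) to the decoy; returns the session record."""
    return serve(io.StringIO(transcript), io.StringIO())


if __name__ == "__main__":
    # Under honeyd: add <template> tcp port 21 "python3 ftp_decoy.py" (hypothetical file name).
    serve(sys.stdin, sys.stdout, os.environ.get("FTP_DECOY_LOG"))
```

The decoy accepts any password so that the log captures what the visitor tries next, which is exactly the information the paper says a low interaction honeypot is limited to: the command sequence and the credentials, not the effect of any command.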
2) High Interaction Honeypot System
The main objective of this system is to do a full study of the attackers, so instead of providing an emulated service, a real system is provided to probe. We give the hackers a real interaction with the service and the operating system. We can collect more information, and we can find new information on various tools and viruses.
"An excellent example of this is how a Honeynet captured encoded back door commands on a non-standard IP protocol (specifically IP protocol 11, Network Voice Protocol)."
3. KFSensor
KFSensor serves both as a honeypot and as an intrusion detection system. It is Windows based software with a graphical user interface monitoring system. KFSensor is a low interaction honeypot which emulates preconfigured services and also programmable services. The software keeps track of all the communication between the server and the outside party. The detailed features and installation procedure for this software are explained in my first paper, "KFSensor Honeypot and Intrusion Detection System".
banners. The software can also be configured to take care of DoS attacks, all the logged data can be imported in different formats and the logged files can be saved directly into the database.
Some of the other features are:
1) The GUI and easy wizard make it simple, and it is really flexible. It can handle a simple echo to other servers.
2) We can customize multiple scenarios based on our test.
3) It can listen on both TCP and UDP ports.
4) Use of banners or programmable servers.
5) HTTP and SMTP.
6) Event alerts and database compatibility.
4. Honeyd
Honeyd is a low interaction, freely available, open source, prepackaged virtual honeypot solution. The software was developed by Niels Provos of the University of Michigan. Since it is open source, the program is constantly developing and evolving with new features and functionality from contributors from all around. The source code is available for download and can be customized to one's requirements, such as designing one's own emulated services. The low interaction classification of honeyd means it will only emulate the services and doesn't allow the attacker to interact with the operating system of the honeypot. Similar to KFSensor, the services can be run on any TCP port. The main objective of both software packages is to lure the attacker, deceive him and also capture his activity.
Honeyd is a daemon application which enables the setup of multiple virtual honeypots on a single machine. The most important difference from KFSensor is the personality feature. This feature, or configuration, allows configuring each production honeypot with the personality of an OS IP stack, and it binds a script to the emulated port to visualize the service. Honeyd also allows emulating complex network architectures and their characteristics.
4.1 Product Detail
Software: honeyd
Version: honeyd 0.8
License: open source
Download site: http://honeyd.org
OS: Windows, Linux, Unix, Solaris
4.2 Installation
There are other libraries and packages that need to be downloaded:
1) ARPD
Download arpd-0.1.tar.gz
http://www.citi.umich.edu/u/provos/honeyd/arpd-0.1.tar.gz
2) Library dependencies
- libevent-0.8a.tar.gz
http://www.monkey.org/~provos/libevent-0.8a.tar.gz
- libpcap-0.8.3.tar.gz
http://www.tcpdump.org/release/libpcap-0.8.3.tar.gz
Basic Installation:
One has to log in as the root user. Create a folder called honeyd_packages. Extract and install libevent and libpcap.
Extract the package libevent:
# tar -zvxf libevent-0.8a.tar.gz
Compile libevent:
# cd libevent-0.8a (Note: pwd is /honeyd_packages/libevent-0.8a)
# ./configure
# make
# make install
Similarly we can extract the other files, and the system is ready for testing. Before that I will explain how honeyd works.
4.3 Some major differences between KFSensor and Honeyd
Honeyd was originally designed for Unix systems, but today honeyd is capable of running on most versions of the Linux distributions, and recently it was ported to the Windows environment too. KFSensor is only designed for Windows. Honeyd is primarily designed as a production, lower level honeypot, so to give the attacker the illusion of a real system it has added more powerful features than KFSensor. The software is very flexible and robust.
- One of the main differences between honeyd and KFSensor is this: KFSensor uses the computer's IP as the main KFSensor server, so when the host is probed the IP the
attac*er get! i! that o the real !y!te" running the !erver. In other hand% honeyd u!e! one
o the unu!ed IP in the networ* and 'a!ically create a virtual ho!t with honeyot running.
Pa!t ew year!% honeyd ha! 'een te!ted o u!ing al"o!t 60%000 IP at one ti"e. Fa!ically%
honeyd "onitor! a large nu"'er o ho!t and networ* that doe!n>t even e@i!t.+
- $he honeyd only can li!ten to $P ort a! co"are to K,Sen!or li!ten to 'oth
$P and EDP ort.
- 9ne o the "ain eature o the honeyd i! it e"ulate! the variou! oeration !y!te".
urrently honeyd i! caa'le o e"ulating al"o!t 4+7 dierent 9S% router% !witche!. $he
detail o thi! de!ign i! de!cri'ed in !ection! 'elow. $he honeyd "a*e u!e o the &"a
ingerrinting or thi! roce!!. I& other word! it al!o e"ulate! the IP !tac* !o that when
utilitie! li*e n"a i! u!ed to !can the ho!t% the honeyd will re!ond will conigure 9S.
K,Sen!or i! not caa'le o e"ulating and li"ited to only creating variou! !ervice!.
- Since the !otware i! oen !ource% "o!t o the !cholar! in the co""unity
contri'ute to the develo"ent and "a*ing the !otware and 'etter with e"ulated !ervice!.
A! the !otware evolve in year! to co"e honeyd>! a'ility to detect and cature attac*!
will e@onentially grow.
- It! ree o charge while K,Sen!or co!t !o"e "oney.
4.4 How doe! Honeyd wor*!
+Sitner% ance :Honeyot!; $rac*ing Hac*er!
As with most low interaction honeypots, when a connection is made on one of the TCP ports the interaction with the service is captured. Honeyd makes use of the unused IP addresses on the network. The main components of honeyd are:
I. Configuration file
The configuration file is where we define the personality of the OS or the router and define the various TCP ports on which we define the virtual services. As said before, in one config file we can configure any number of OSes and routers with different services. Below is an example of the configuration file.
# Example of a simple host template and its binding
annotate "AIX 4.0 - 4.2" fragment old
create template
set template personality "AIX 4.0 - 4.2"
add template tcp port 80 open
add template tcp port 22 open
add template tcp port 23 open
set template default tcp action reset
bind 192.168.1.80 template
At the top level we have to create a system, any OS or a router. So we start with the create command followed by the name of the system; in the example above we have the system named template. It is followed by a set of "set" and "add" commands to add the various services. After the system is named we have to set what kind of personality the system has; here it is set to AIX 4.0 - 4.2. It is important that the system fingerprint should map to one of the entries in nmap.prints. This is the main configuration that fools nmap when the honeypot is scanned using the nmap utility. A series of tcp port entries is added after the personality is created. Above we have opened ports 80, 22 and 23. As with a regular tcp connection we could set the port to open, closed or reset.
With bind we bind the name of the system, that is template, to an IP address that is not used by a real system in the network.
II. The nmap fingerprinting files nmap.prints and xprobe2
Honeyd uses the nmap fingerprinting files to create the network stack behavior of a virtual honeypot. The fingerprints are similar to the one below:
Fingerprint IRIX 6.5.15m on SGI O2
TSeq(Class=TD%gcd=<104%SI=<1E%IPID=I%TS=2HZ)
T1(DF=N%W=C000|EF2C%ACK=S++%Flags=AS%Ops=MNWNNT)
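To make the link between the configuration file section and the nmap fingerprint file concrete, here is an added example (my own code, not honeyd's): a small Python checker that parses the directives used in the template example above (create, set personality, set default tcp action, add tcp port, bind) and reports the mistakes the text warns about, namely a template whose personality string has no matching Fingerprint entry in nmap.prints, a bind to a template that was never created, and a bind to an address a real host on the network already uses. The sample configuration and the nmap.prints excerpt are constructed: the second template (webhost), its Linux personality, the ghost binding and the AIX fingerprint body lines are mine, and only the names after "Fingerprint" are read. Annotate and route lines are accepted but not validated, which goes a little beyond the page's single-template example.

```python
"""Check a honeyd configuration against the personalities declared in nmap.prints (added example)."""
import ipaddress
import shlex

# Constructed sample configuration: the paper's template example plus a second
# template (webhost) and, deliberately, a binding to a template that was never created.
SAMPLE_CONFIG = """\
# Example of a simple host template and its binding
annotate "AIX 4.0 - 4.2" fragment old
create template
set template personality "AIX 4.0 - 4.2"
add template tcp port 80 open
add template tcp port 22 open
add template tcp port 23 open
set template default tcp action reset
bind 192.168.1.80 template
create webhost
set webhost personality "Linux 2.4.7 (X86)"
add webhost tcp port 80 "sh scripts/web.sh"
bind 192.168.1.81 webhost
bind 192.168.1.82 ghost
"""

# Constructed excerpt in nmap.prints layout; the AIX body lines are invented and
# only the names after "Fingerprint" are used by the checker.
SAMPLE_PRINTS = """\
Fingerprint AIX 4.0 - 4.2
TSeq(Class=64K)
T1(DF=N%W=4000%ACK=S++%Flags=AS%Ops=M)
Fingerprint IRIX 6.5.15m on SGI O2
TSeq(Class=TD%gcd=<104%SI=<1E%IPID=I%TS=2HZ)
T1(DF=N%W=C000|EF2C%ACK=S++%Flags=AS%Ops=MNWNNT)
"""


def parse_prints(text):
    """Return the set of personality names declared by 'Fingerprint <name>' lines."""
    return {line[len("Fingerprint "):].strip()
            for line in text.splitlines() if line.startswith("Fingerprint ")}


def parse_config(text):
    """Parse create / set personality / set default tcp action / add tcp port / bind.

    Returns (templates, bindings, problems). Other directives such as annotate and
    route are accepted but not interpreted by this example.
    """
    templates, bindings, problems = {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment (a quoted '#' is not handled)
        if not line:
            continue
        tok = shlex.split(line)                    # keeps "AIX 4.0 - 4.2" as one token
        cmd = tok[0]
        try:
            if cmd == "create":
                templates[tok[1]] = {"personality": None, "tcp": {}, "default_tcp": None}
            elif cmd == "set" and tok[2] == "personality":
                templates[tok[1]]["personality"] = tok[3]
            elif cmd == "set" and tok[2:5] == ["default", "tcp", "action"]:
                templates[tok[1]]["default_tcp"] = tok[5]
            elif cmd == "add" and tok[2:4] == ["tcp", "port"]:
                templates[tok[1]]["tcp"][int(tok[4])] = tok[5]   # open/closed/reset or a script
            elif cmd == "bind":
                ipaddress.ip_address(tok[1])       # raises ValueError on a malformed address
                bindings[tok[1]] = tok[2]
            elif cmd in ("annotate", "route"):
                pass
            else:
                problems.append("line %d: unrecognised directive %r" % (lineno, line))
        except (IndexError, KeyError, ValueError) as exc:
            problems.append("line %d: cannot parse %r (%s)" % (lineno, line, exc))
    return templates, bindings, problems


def validate(config_text, prints_text, used_ips=()):
    """List problems: unknown personality, bind to an undeclared template, or an address a real host uses."""
    templates, bindings, problems = parse_config(config_text)
    personalities = parse_prints(prints_text)
    for name, tpl in templates.items():
        if tpl["personality"] is None:
            problems.append("template %s: no personality set" % name)
        elif tpl["personality"] not in personalities:
            problems.append("template %s: personality %r not found in nmap.prints"
                            % (name, tpl["personality"]))
    for ip, name in bindings.items():
        if name not in templates:
            problems.append("bind %s: unknown template %s" % (ip, name))
        if ip in used_ips:
            problems.append("bind %s: address is already used by a real host" % ip)
    return problems


if __name__ == "__main__":
    # 192.168.1.81 stands in for an address a real host on the LAN already owns (constructed).
    for problem in validate(SAMPLE_CONFIG, SAMPLE_PRINTS, used_ips={"192.168.1.81"}):
        print(problem)
```

The used_ips set would in practice come from the real hosts' address list, since the text stresses that honeyd must be bound only to addresses no real system uses; a personality name that is not in nmap.prints means honeyd has nothing to mimic, and the scan will not see the intended OS.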
Honeyd is assigned an IP address that is not used by any system on the network. Therefore attackers are probing a system that doesn't exist, and it is assumed that such traffic is usually hostile, most likely a scan or an attack. The main concern now is how we redirect the traffic to a system that doesn't even exist. We can't configure honeyd to do that; we have to get the traffic to honeyd. There are various ways one can implement that.
For the test purpose I used ARP spoofing, but one can also configure the router with a static route, where the IP of the host running honeyd should point to the IP of the virtual honeypot.
Arpd is software developed by Dug Song. What it does is find the non-existing systems on the network and forward any connection to them to the honeypot; this principle is called ARP spoofing. Another way to forward the traffic is using ARP proxy.
4.6 Testing with honeyd
Testing of FTP and HTTP servers was conducted and compared with KFSensor.
The honeypot was set up with a configuration that opened port 21 and ran the FTP script downloaded from the internet.
Honeyd was run on a Linux Fedora box; since we didn't have to use any router configuration for traffic forwarding, the arpd utility fulfilled that purpose. The router used was a D-LINK 4 port for DSL/Cable. The IP subnet was 192.168.0.0/24.
The IP address of the host is 192.168.1.122 and the IP address of the virtual honeypot is 192.168.0.121.
First the arpd utility was run to forward all traffic for the non-existing IP, that is 192.168.0.121, to the honeypot, using the following command:
Then the honeypot was run as a daemon.
The options for the honeyd command can be found in Appendix A.
1) Running FTP in honeyd, result:
We can see that we initiated a connection to the honeypot system 192.168.0.121 and the server replied with some responses.
The same test performed in KFSensor:
FTP emulation
Aim: to interact with the FTP simulator and to see whether the KFSensor server responds with the correct information.
Description: using telnet, we will try to establish the connection through port 21 and perform some functions on the decoy ftp server, IP 137.207.238.113.
Test Condition:
The screenshot explains the test condition.
Results:
Conclusion: The event was generated as the connection was closed. The FTP listener keeps track of the visitor information, port number and domain. It also keeps track of the username and password used to gain access and the various transactions made during the connection period.
3) HTTP connection:
The server responded with the index page, which had the text "This Site is under construction".
From this testing I found out that both had good results in providing the services with the right result. KFSensor was better because it had a user friendly GUI; the results were easy to read and interpret. On the other hand, honeyd was very hard to configure, and there are very limited services available at present.
One of the most significant features of honeyd, which I was not able to test due to the lack of resources, is creating a virtual network. I have presented here the configuration file and the test conducted by the author of honeyd. The sample examples here are taken from his abstract.
route entry 10.0.0.1
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.0.0.1 add net 10.2.0.0/16 10.2.0.1 latency 20ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
route 10.2.0.1 link 10.2.0.0/24
create routerone
set routerone personality "Cisco 7206 running IOS 11.1(24)"
set routerone default tcp action reset
add routerone tcp port 23 "scripts/router-telnet.pl"
create netbsd
set netbsd personality "
5. Conclusion
From all the observations and testing, honeyd is indeed a good honeypot solution, as it provides OS mimicking, which KFSensor doesn't, and also the virtual network topology. On the other hand it's very hard to configure, while the KFSensor GUI makes it easier to understand and faster to implement.
6. References
1. Lance Spitzner, "Honeypots: Tracking Hackers"
APPENDIX A
NAME
honeyd - Honeypot Daemon
SYNOPSIS
honeyd [-dPW] [-l logfile] [-p fingerprints] [-x xprobe] [-a assoc] [-f file] [-i interface] [net ...]
DESCRIPTION
honeyd creates virtual hosts for IP addresses matching the specified net. It can simulate any TCP and UDP service. It replies to ICMP echo requests. Currently, all UDP ports are closed by default and honeyd will reply with an ICMP unreachable port message if the configured personality permits that.
This enables a single host to claim addresses on a LAN for network simulation. The net argument may contain multiple addresses and network ranges.
In order for honeyd to receive network traffic for IP addresses that it should simulate, it is necessary to either explicitly route traffic to it, use proxy arp or run arpd(8) for unassigned IP addresses on a shared network.
honeyd exits on an interrupt or termination signal.
The options are as follows:
-d  Do not daemonize, and enable verbose debugging messages.
-P  On some operating systems, it is not possible to get event notifications for pcap via select(3). In that case, honeyd needs to run in polling mode. This flag enables polling.
-W  Print a list of interfaces. ** WIN32 ONLY **
-l logfile
    Log packets and connections to the logfile specified by logfile.
-p fingerprints
    Read nmap style fingerprints. The names defined after the token are stored as personalities. The personalities can be used in the configuration file to modify the behaviour of the simulated TCP stack.
-x xprobe
    Read xprobe style fingerprints. This file determines how honeyd reacts to ICMP fingerprinting tools.
-a assoc
    Read the file that associates nmap style fingerprints with xprobe style fingerprints.
-f file
    Read the configuration in file. It is possible to create host templates with the configuration file that specify which servers should run and which scripts should be started to simulate them.
-i interface
    Listen on interface.
net  The IP address or network (specified in CIDR notation) or IP address ranges to claim (e.g. "10.0.0.3", "10.0.0.0/16" or "10.0.0.5-10.0.0.15"). If unspecified, honeyd will attempt to claim any IP address it sees traffic for.