sunilkfshd

Upload: doc-kodam

Post on 03-Jun-2018


  • 8/12/2019 SunilKFSHD

    60-475 Security and Privacy on the Internet

    Dr. A.K. Aggarwal

    KFSensor Vs Honeyd Honeypot System

    Sunil Gurung

    Thursday, November 25, 2004


    Table of Contents

    1. Introduction

    2. Honeypot Technology
    2.1 Attackers
    2.2 Honeypot

    3. KFSensor

    4. Honeyd
    4.1 Product detail
    4.2 Installation
    4.3 Some major differences between KFSensor
    4.4 How does honeyd work
    4.5 Running honeyd
    4.6 Testing honeyd

    5. Conclusion

    6. References

    APPENDIX A

    1. Introduction

    It is said that a good defense is a good offense. Over the past few years, computer security scholars and the community have taken this idea into consideration and developed the concept of the honeypot. Traditionally, the focus was on the defensive side, and powerful technologies and tools such as firewalls and Intrusion Detection Systems (IDS) were developed to defend the network from intruders. Today, researchers are more concerned with studying the types of attacks, the various tools used for attacking, new kinds of viruses and other security threats, so that they can defend their systems more securely. The idea behind the honeypot is to create a virtual or, in some scenarios, a real system and make it visible to attackers so that it can be probed and compromised. The system keeps track of the activity, and the logged information is later analyzed to make sure the production services and network are secured against new threats.

    Lance Spitzner defines honeypot technology as:

    A honeypot is security resource whose value lies in being probed, attacked, or compromised. [1]

    Today there are many commercial honeypot systems available, e.g. Specter, KFSensor and Honeynet, and there has also been a lot of development in the open source area. This paper looks in more detail at honeypot technology and the types of honeypot; the second half looks at the commercial product KFSensor and the open source software honeyd. I will discuss the similarities and differences between the two and detail the features of honeyd.

    [1] Spitzner, Lance, "Honeypots: Tracking Hackers"

    2. Honeypot Technology

    2.1 Attackers

    The main objective of the honeypot is to lure the bad guys, the attackers. This section therefore discusses the types of attackers and their motives. There are mainly two types of attackers:

    Script Kiddies

    They are more like amateurs; they don't care what type of host or network they are compromising. They want to get into a system for fun, to prove that they can successfully hack into some system, or to point out the inadequacy of the security policy in place in an organization. For some, the main goal is to hack computers with little effort, using already existing scripts or scripts with minor changes. They are more interested in hacking a large number of computers.

    Blackhat

    These are more knowledgeable and more experienced with the internal workings of various communication systems and the Internet, and they focus on systems of high value. They are mostly financially driven, and their impact is felt at the corporate and national level. They are more dangerous because of their skill level and because they operate silently.

    As personal home computer users, we have the misapprehension that we are not vulnerable to attacks, but we are wrong. "In the beginning of 2002, a home network was scanned on average by 31 systems a day." Today everyone is a target for attackers, who exploit various means to get into personal computers to obtain information such as personal data and credit card information and, at a higher level, the data and system resources of businesses.

    2.2 Honeypot

    The main value of a honeypot lies in being attacked, so that the administrator can study the attackers and the kinds of attacks. We could therefore say that a honeypot is a tool for studying the current world of security, its various threats and means. A honeypot alone can't solve or improve the security of the network. It has to work along with the existing defensive mechanisms to make the fort stronger.

    From the introduction, we know that the main objective of the honeypot is to collect information. An administrator might use a honeypot for one of two purposes: production or research. A production honeypot measures the vulnerability of the existing network to outside threats. A research honeypot is used to study the attackers so that the organization can be better equipped for future attacks. So why is there so much talk about honeypots? The answer is that we have to know who our enemy is. It follows the saying again: the best defense for our security is to have the best offense. The more one is aware of the current issues, the more experienced one gets. The other aspect of the honeypot is that we don't have to go around hackers' computers to look for the information; it is very passive. It is like a beehive: we set up a pot full of honey or sugar, and then the bees come looking for it. Similarly, we set up a system somewhere on a network and wait for hackers to come and compromise it.

    2.3 Types of Honeypot

    Depending upon the needs of the organization and the amount of information it wants to gather from the system, a company can implement a honeypot in two forms: Low Interaction and High Interaction Honeypot.

    1) Low Interaction Honeypot System

    As the name indicates, we give outsiders as little activity as possible to perform on the system. They have a limited amount of access to, and interaction with, the virtual services and operating system. It is very simple to implement, by installing an off-the-shelf product like Specter or KFSensor or by implementing the open source product honeyd. It is less risky, as hackers won't have access to the main OS and can only play around with the emulated services.

    For example:

    We set up an emulated FTP service to run on port 21 and keep the system open on the network. The hackers will try to log into it. The system will record all the activity between the two parties. We could set up our honeypot to accept some commands to make the attack seem real.

    The disadvantage of low interaction is that we are limited in the amount of information we can capture, mostly the login information and a little of what follows, and we can only keep track of the kinds of activity that already exist. The presence of a low interaction honeypot is detected by experienced hackers.

    2) High Interaction Honeypot System

    The main objective of this system is to do a full study of the attackers, so instead of providing an emulated service, a real system is provided to probe. We give the hackers real interaction with the service and the operating system. We can collect more information, and we can find new information on various tools and viruses. "An excellent example of this is how a Honeynet captured encoded back door commands on a non-standard IP protocol (specifically IP protocol 11, Network Voice Protocol)."

    3. KFSensor

    KFSensor serves both as a honeypot and as an intrusion detection system. It is Windows-based software with a graphical user interface for monitoring. KFSensor is a low interaction honeypot which emulates preconfigured services and also programmable services. The software keeps track of all the communication between the server and the outside party. The detailed features and installation procedure for this software are explained in my first paper, "KFSensor Honeypot and Intrusion Detection System

    banners. The software can also be configured to take care of DOS attacks, all the logged data can be imported in different formats, and the logged files can be saved directly into the database.

    Some of the other features are:

    1) The GUI and easy wizard make it simple, and it is really flexible. Can handle simple echo to other servers.

    2) We can customize multiple scenarios based on our test.

    3) Can listen to both TCP and UDP ports.

    4) Use of banner or programmable server.

    5) HTTP and SMTP.

    6) The events, alerts and database compatibility.

    4. Honeyd

    Honeyd is a low interaction, freely available, open source, prepackaged virtual honeypot solution. The software was developed by Niels Provos of the University of Michigan. Since it is open source, the program is constantly developing and evolving with new features and functionality from contributors all around. The source code is available to download and customize to one's requirements, such as designing one's own emulated services. The low interaction classification of honeyd means it only allows emulating the services and doesn't allow the attacker to interact with the operating system of the honeypot. As with KFSensor, the services can be run on any TCP port. The main objective of both programs is to lure the attacker, deceive them, and capture their activity.

    Honeyd is a daemon application which enables the setup of multiple virtual honeypots on a single machine. The most important difference from KFSensor is the personality feature. This feature allows each production honeypot to be configured with the personality of an OS IP stack, and it binds a script to the emulated port to visualize the service. Honeyd also allows emulating complex network architectures and their characteristics.

    4.1 Product Detail

    Software: honeyd
    Version: honeyd 0.8
    License: open source
    Download site: http://honeyd.org
    OS: Windows, Linux, Unix - Solaris

    4.2 Installation

    There are other libraries and packages that need to be downloaded:

    1) ARPD

    Download arpd-0.1.tar.gz:
    http://www.citi.umich.edu/u/provos/honeyd/arpd-0.1.tar.gz

    2) Library dependencies

    - libevent-0.8a.tar.gz (http://www.monkey.org/~provos/libevent-0.8a.tar.gz)
    - libpcap-0.8.3.tar.gz (http://www.tcpdump.org/release/libpcap-0.8.3.tar.gz)

    Basic Installation:

    One has to log in as the root user. Create a folder called honeyd-packages.

    Extract and install libevent and libpcap.

    Extract the libevent package:

    # tar -zvxf libevent-0.8a.tar.gz

    Compile libevent:

    # cd libevent-0.8a (Note: pwd is /honeyd_packages/ libevent-0.8a)
    # ./configure
    # make
    # make install

    Similarly we can extract the other files, and the system is ready for testing. Before that I will explain how honeyd works.

    4.3 Some major differences between KFSensor

    Honeyd was originally designed for Unix systems, but today honeyd is capable of running on most versions of Linux distributions, and recently it was ported to the Windows environment too. KFSensor is designed only for Windows. Honeyd is primarily designed as a production, lower-level honeypot, so to give the attacker the illusion of a real system it has more powerful features than KFSensor. The software is very flexible and robust.

    - One of the main differences between honeyd and KFSensor is that KFSensor uses the computer's IP as the main KFSensor server. So when the host is probed, the IP the attacker gets is that of the real system running the server. Honeyd, on the other hand, uses one of the unused IPs in the network and basically creates a virtual host with the honeypot running. In the past few years, honeyd has been tested using almost 60,000 IPs at one time. Basically, honeyd monitors a large number of hosts and networks that don't even exist. [3]

    - Honeyd can only listen to TCP ports, compared to KFSensor, which listens to both TCP and UDP ports.

    - One of the main features of honeyd is that it emulates various operating systems. Currently honeyd is capable of emulating almost 437 different OSes, routers and switches. The detail of this design is described in the sections below. Honeyd makes use of Nmap fingerprinting for this process. In other words, it also emulates the IP stack, so that when utilities like nmap are used to scan the host, honeyd responds as the configured OS. KFSensor is not capable of this emulation and is limited to creating various services.

    - Since the software is open source, many of the scholars in the community contribute to its development, making the software better with emulated services. As the software evolves in years to come, honeyd's ability to detect and capture attacks will grow exponentially.

    - It is free of charge, while KFSensor costs some money.

    [3] Spitzner, Lance, "Honeypots: Tracking Hackers"

    4.4 How does Honeyd work

    As with most low interaction honeypots, when a connection is made to one of the TCP ports, the interaction with the service is captured. Honeyd makes use of the unused IP addresses on the network. The main components of honeyd are:

    I. Configuration file

    The configuration file is where we define the personality of the OS or the router and define the various TCP ports on which the virtual services run. As said before, in one config file we can configure any number of OSes and routers with different services.

    Below is an example of the configuration file.

    # Example of a simple host template and its binding
    annotate "AIX 4.0 - 4.2" fragment old
    create template
    set template personality "AIX 4.0 - 4.2"
    add template tcp port 80 open
    add template tcp port 22 open
    add template tcp port 23 open
    set template default tcp action reset
    bind 192.168.1.80 template

    At the top level we have to create a system, either any OS or a router. So we start with the create command followed by the name of the system. In the example above, the system is named template. It is followed by a series of "set" and "add" commands to add the various services. After the system is named, we have to set what kind of personality the system has; here it is set to AIX 4.0 - 4.0. It is important that the system fingerprint should map to the details in nmap.print. This is the main configuration that fools nmap when the honeypot is scanned using the nmap utility. A series of tcp ports is added after the personality is created. Above we have opened ports 80, 22 and 23. As with a regular tcp connection, we could set a port to open, closed or reset.

    At the bind line, the name of the system (template) is tied to an IP address that is not used by any real system on the network.

    II. The nmap fingerprinting files nmap.print and xprobe2

    Honeyd uses nmap fingerprinting files to create the network stack behavior of a virtual honeypot. The fingerprints are similar to the one below:

    Fingerprint IRIX 6.5.15m on SGI O2
    TSeq(Class=TD%gcd=<104%SI=<1AE%IPID=I%TS=2HZ)

    '25*44??6*lags46ps4@
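The configuration file and the fingerprint file described above depend on each other: a personality only takes effect if the fingerprint file has a Fingerprint entry with exactly that name, and a bind only makes sense for an address no real machine uses. The following is an added example, not part of honeyd or of the original paper, that checks a configuration for those two conditions plus binds to undefined templates and duplicate addresses; the function names, the sample inputs and the live_hosts list are assumptions for illustration, and only the directives shown in the paper are understood.

```python
import ipaddress
import shlex

# Constructed inputs. Only the "Fingerprint <name>" lines of an nmap-style
# fingerprint file matter for this check, so the test lines are left out.
SAMPLE_PRINTS = """\
Fingerprint AIX 4.0 - 4.2
Fingerprint IRIX 6.5.15m on SGI O2
"""
SAMPLE_CONFIG = """\
# constructed config built from the directives shown in the paper
create template
set template personality "AIX 4.0 - 4.2"
add template tcp port 80 open
set template default tcp action reset
bind 192.168.1.80 template
create routerone
set routerone personality "Cisco 7206 running IOS 11.1(24)"
add routerone tcp port 23 open
bind 192.168.1.80 routerone
bind 192.168.1.122 ghost
"""


def load_personalities(prints_text):
    """Names declared by 'Fingerprint <name>' lines."""
    prefix = "Fingerprint "
    return {line[len(prefix):].strip() for line in prints_text.splitlines()
            if line.startswith(prefix)}


def lint_config(config_text, personalities, live_hosts=()):
    """Return [(line_no, problem)]; live_hosts are addresses of real machines."""
    live = {ipaddress.ip_address(h) for h in live_hosts}
    templates, bound, problems = set(), {}, []
    for n, raw in enumerate(config_text.splitlines(), 1):
        try:
            tok = shlex.split(raw, comments=True)  # handles quotes and '#'
            addr = ipaddress.ip_address(tok[1]) if tok[:1] == ["bind"] else None
        except (ValueError, IndexError):
            problems.append((n, "unterminated quote or bad bind address"))
            continue
        if tok[:1] == ["create"] and len(tok) == 2:
            templates.add(tok[1])
        elif tok[:1] in (["set"], ["add"]) and len(tok) >= 3:
            if tok[1] not in templates:
                problems.append((n, f"'{tok[1]}' used before 'create {tok[1]}'"))
            elif tok[2] == "personality" and tok[3:4] and tok[3] not in personalities:
                problems.append((n, f"no Fingerprint entry for '{tok[3]}'"))
        elif addr is not None and len(tok) == 3:
            if tok[2] not in templates:
                problems.append((n, f"bind to undefined template '{tok[2]}'"))
            if addr in live:
                problems.append((n, f"{addr} is a real host, not a free address"))
            if addr in bound:
                problems.append((n, f"{addr} already bound on line {bound[addr]}"))
            bound.setdefault(addr, n)
    return problems


if __name__ == "__main__":
    names = load_personalities(SAMPLE_PRINTS)
    for line_no, problem in lint_config(SAMPLE_CONFIG, names, ["192.168.1.122"]):
        print(f"line {line_no}: {problem}")
```

Run against the constructed sample, it flags the router personality that has no fingerprint entry, the second bind of 192.168.1.80, and the bind of a real host's address to a template that was never created.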

    Honeyd is assigned an IP address that is not used by any system on the network. Attackers are therefore probing a system that doesn't exist, and it is assumed that such traffic is usually hostile, most likely a scan or an attack. The main concern now is how we redirect the traffic to a system that doesn't even exist. We can't configure honeyd to do that; we have to get the traffic to honeyd. There are various ways one can implement that.

    For the test purposes I used ARP spoofing, but one can also configure the router to have a static route where the IP of the host running honeyd should point to the IP of a virtual honeypot.

    Arpd is software developed by Dug Song. What it does is find the non-existing systems on the network and forward any connection to them to the honeypot; this principle is called ARP spoofing. Another way to forward the traffic is using ARP proxy.

    4.6 Testing with honeyd

    Tests of the FTP and HTTP servers were conducted and compared with KFSensor.

    The honeypot was set up with a configuration that opened port 21 and ran an FTP script downloaded from the Internet.

    Honeyd was run on a Linux Fedora box, since we didn't have to use any router configuration for traffic forwarding; the arpd utility fulfilled that purpose. The router used was a DLINK, 4 ports for DSL/Cable. The IP subnet was 192.168.0.0/24.

    The IP address of the host is 192.168.1.122 and the IP address of the virtual honeypot is 192.168.0.121.

    First the arpd utility was run to forward all traffic for the non-existing IP, that is 192.168.0.121, to the honeypot, using the following command:

    Then the honeypot was run as a daemon.

    The options for the honeyd command can be found in Appendix A.

    1) Result of running FTP in honeyd.

    We can see that we initiated a connection to the honeypot system 192.168.0.121 and the server responded with some responses.

    The same test performed in KFSensor:

    FTP emulation

    Aim: To interact with the FTP simulator and to see whether the KFSensor server responds with correct information.

    Description: Using telnet, we will try to establish a connection through port 21 and perform some functions on the decoy ftp server, IP 137.207.238.113.

    Test Condition:

    The screenshot explains the test condition.

    Results:

    Conclusion: The event was generated as the connection was closed. The FTP listener keeps track of the visitor information, port number, and domain. It also keeps track of the username and password used to gain access and the various transactions made during the connection period.

    3) HTTP connection:

    The server responded with the index page, which had the text: This Site is under construction.

    From this testing I found out that both had good results in providing the services with the right result. KFSensor was better because it had a user friendly GUI. The results were easy to read and translate. On the other hand, honeyd was very hard to configure, and there are very limited services available at present.

    One of the most significant features of honeyd, which I was not able to test due to the lack of resources, was creating a virtual network. I have presented here the configuration file and the test conducted by the author of honeyd. The sample examples here are taken from his abstract.

    route entry 10.0.0.1
    route 10.0.0.1 link 10.0.0.0/24
    route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
    route 10.0.0.1 add net 10.2.0.0/16 10.2.0.1 latency 20ms loss 0.1
    route 10.1.0.1 link 10.1.0.0/24
    route 10.2.0.1 link 10.2.0.0/24

    create routerone
    set routerone personality "Cisco 7206 running IOS 11.1(24)"
    set routerone default tcp action reset
    add routerone tcp port 23 "scripts/router-telnet.pl"

    create netbsd
    set netbsd personality "

    5. Conclusion

    From all the observations and testing, honeyd is indeed a good honeypot solution, as it provides OS mimicry, which KFSensor doesn't, and also the virtual network topology. On the other hand, it is very hard to configure, while the KFSensor GUI makes it easier to understand and faster to implement.

    6. References

    1. Lance Spitzner, "Honeypots: Tracking Hackers"

    APPENDIX A

    NAME

    honeyd - Honeypot Daemon

    SYNOPSIS

    honeyd [-dPW] [-l logfile] [-p fingerprints] [-x xprobe] [-a assoc]
           [-f file] [-i interface] [net ...]

    DESCRIPTION

    honeyd creates virtual hosts for IP addresses matching the specified net. It can simulate any TCP and UDP service. It replies to ICMP echo requests. Currently, all UDP ports are closed by default and honeyd will reply with an ICMP unreachable port message if the configured personality permits that.

    This enables a single host to claim addresses on a LAN for network simulation. The net argument may contain multiple addresses and network ranges.

    In order for honeyd to receive network traffic for IP addresses that it should simulate, it is necessary to either explicitly route traffic to it, use proxy arp or run arpd(8) for unassigned IP addresses on a shared network.

    honeyd exits on an interrupt or termination signal.

    The options are as follows:

    -d      Do not daemonize, and enable verbose debugging messages.

    -P      On some operating systems, it is not possible to get event notifications for pcap via select(3). In that case, honeyd needs to run in polling mode. This flag enables polling.

    -W      Print a list of interfaces. ** WIN32 ONLY **

    -l logfile
            Log packets and connections to the logfile specified by logfile.

    -p fingerprints
            Read nmap style fingerprints. The names defined after the token are stored as personalities. The personalities can be used in the configuration file to modify the behaviour of the simulated TCP stack.

    -x xprobe
            Read xprobe style fingerprints. This file determines how honeyd reacts to ICMP fingerprinting tools.

    -a assoc
            Read the file that associates nmap style fingerprints with xprobe style fingerprints.

    -f file
            Read the configuration in file. It is possible to create host templates with the configuration file that specify which servers should run and which scripts should be started to simulate them.

    -i interface
            Listen on interface.

    net     The IP address or network (specified in CIDR notation) or IP address ranges to claim (e.g. ``10.0.0.3'', ``10.0.0.0/16'' or ``10.0.0.5-10.0.0.15''). If unspecified, honeyd will attempt to claim any IP address it sees traffic for.