Introduction
What is a Honeypot?
"A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." - Lance Spitzner
Honeypot Overview
A Honeypot has no functional value. A Honeypot does not do anything active.
Its value lies in the knowledge that any access to the Honeypot is probably malicious.
In a perfectly safe network a Honeypot should see no traffic at all.
Minimal resources
Since Honeypots are not intended to actually serve a multitude of clients, they need very few resources.
Simple
Honeypots are simple to install and maintain
Risk
Depending on the type of Honeypot, the risk can be greater or lesser, but there is always a risk to the network when a multitude of servers are active in it.
Prevention
Sticky Honeypots slow down the scanning capabilities of attackers through slow response times.
If the usage of Honeypots is publicly known, it might deter hackers from attacking the network for fear of being caught.
Overview - Threats
Viruses
Pieces of software that attach to innocent files. They consume computer resources and may be even more malicious (deleting files, ruining hardware, etc.). They rely on social engineering for spreading.
Worms
Self-propagating code. Searches for communication vulnerabilities and uses them to infect more computers at an exponential rate.
Humans
White Hats: good hackers searching for vulnerabilities in order to report them and increase security awareness.
Black Hats: hackers with personal gain or mayhem in mind. They break into systems in order to steal or corrupt data.
Script Kiddies: tool users with no real understanding of what they are doing. Techniques usually include scanning for a system and then hammering it with various tools in order to find a vulnerability.
Our Solution
The path to implementation
Directory traversal (double decode)
Buffer Overflow (Code Red)
Malformed SQL statements
Look for directories set up by default with execute permissions. These directories may also hold default scripts that contain vulnerabilities. Find them by sending requests like these:
GET /frick.html HTTP/1.0
GET /scripts/ HTTP/1.0
GET /_vti_pvt/ HTTP/1.0
GET /cgi-bin/GetFile.cfm HTTP/1.0
etc.
If we find such a directory, we can send malicious strings that use known vulnerabilities, such as the double decode directory traversal attack. Our mission is to execute the cmd.exe program, which will get us root access to the computer.
Example:
Send the string:
/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:
Since the ../../../ attack is well known, the server checks for it (and cannot find it in this string). Then it decodes the string, changing %35 to 5 and %63 to c. Now we have:
/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c:
Vulnerabilities check
N-Stealth Security Scanner
Phase III
Implement
Based On
Visual C++ .net
Visual Basic .net (GUI)
Winsock2
ODBC
Honeypot Architecture
Deployment:
Deployment diagram (figure): Attacker on The Internet, Network Scan, Firewall, Honeypot, Server, Workstation, Workstation, Laptop.
The program is divided into two main applications.
GUI: allows an easy way of starting and stopping the servers, searching through collected data and displaying statistics.
Honeypot_Core: creates and maintains the servers. Collects the data from the users and updates the databases.
Block Diagram (figure): GUI, Medium (WinSock), Honeypot Core, HTTP Server, Telnet Server, Malicious String DB, HTTP Transactions DB, Telnet Login DB.
Communication between the GUI and the core is done over Winsock. Why Winsock?
There were many available options: RPC, signaling, shared memory, and many more.
We wanted to allow for the expansion of the deployment scheme. Suppose you want to run multiple instances of the core on different computers: using Winsock allows running the GUI on one machine while controlling the others over the network.
Honeypot Architecture
HTTP Server
The purpose is to catch malicious HTTP strings sent as innocent requests. The HTTP server emulates a Microsoft IIS 5.0 web server. The emulation displays only one page, taken from index.htm. The Honeypot is completely safe from all attacks, since it does not actually try to execute any commands sent to it. Its default response is Not Implemented.
HTTP server flowchart (figure): Timeout? -> Update DB; Port Scanned? -> Update DB; Parse request -> Update DB; End Thread.
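An added example (not the project's own code) of what the "Parse request" step above can do with the double-decode string walked through earlier: it decodes the request target once and then again, as the emulated server would, and records at which stage a traversal becomes visible. The traversal signature and the default-directory list are assumptions built from the slides.

```python
import re
from urllib.parse import unquote

# A ".." path segment bounded by "/" or "\" (constructed signature)
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Default directories the slides show being probed
DEFAULT_DIRS = ("/scripts/", "/_vti_pvt/", "/cgi-bin/")

def decode_stages(target):
    """Return the request target as a double-decoding server sees it:
    raw, after one percent-decode, and after a second decode.
    For /..%%35%63.. the first pass yields /..%5c.. and the second /..\\.."""
    first = unquote(target)
    return [target, first, unquote(first)]

def classify_request(raw_line):
    """Classify one HTTP request line the way the honeypot's 'Parse request'
    step would. Returns (verdict, detail) for the Malicious String DB."""
    line = raw_line.strip()
    if not line:                       # connection opened, nothing sent
        return "scan", ""
    parts = line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "malformed", line
    _method, target, _version = parts
    stages = decode_stages(target)
    # Check every stage: a traversal that only appears at depth 2 is the
    # double-decode attack that the single check described in the slides misses.
    for depth, form in enumerate(stages):
        if TRAVERSAL.search(form):
            label = ("plain", "single-decode", "double-decode")[depth]
            return "traversal", f"{label}: {form}"
    if "cmd.exe" in stages[-1].lower():
        return "command", stages[-1]
    if any(target.lower().startswith(d) for d in DEFAULT_DIRS):
        return "probe", target
    return "benign", target
```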
Honeypot Architecture
Telnet Server
The purpose is to observe the usernames and passwords attackers will try when hacking a telnet server. This will allow the creation of a commonly used passwords database, so that users can be advised (or required) as to what passwords not to use. It can also help in detecting stolen passwords. The server emulates nothing more than the login handshake. All logins fail.
Telnet server flowchart (figure): Timeout? -> Update DB; Port Scanned? -> Update DB; Connect to Server -> Serve Clients.
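An added example (not the project's code) of the login handshake the Telnet server emulates: a small state machine that strips telnet option negotiation from the client bytes, prompts for a username and a password, fails every attempt, and records the pairs for the Telnet Login DB. The prompts, the three-attempt limit and the sample credentials in the test are assumptions.

```python
IAC, SB, SE = 255, 250, 240          # telnet command bytes (RFC 854)

def strip_iac(data: bytes) -> bytes:
    """Remove telnet option negotiation so only typed text remains:
    IAC IAC -> literal 0xFF, IAC SB ... IAC SE is dropped whole, and
    IAC WILL/WONT/DO/DONT <opt> (3 bytes) or IAC <cmd> (2 bytes) are dropped."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:
            out.append(IAC); i += 2
        elif i + 1 < len(data) and data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif i + 1 < len(data) and 251 <= data[i + 1] <= 254:
            i += 3
        else:
            i += 2
    return bytes(out)

class FakeTelnetLogin:
    """Emulates only the login handshake; every attempt fails and the
    (username, password) pair is recorded for the Telnet Login DB."""
    MAX_ATTEMPTS = 3                  # assumed limit before the connection closes

    def __init__(self):
        self.buf, self.username = b"", None
        self.attempts, self.closed = [], False

    def feed(self, data: bytes) -> bytes:
        """Consume client bytes (possibly partial lines); return the reply."""
        self.buf += strip_iac(data)
        reply = b""
        while b"\n" in self.buf and not self.closed:
            line, self.buf = self.buf.split(b"\n", 1)
            text = line.rstrip(b"\r").decode("latin-1")
            if self.username is None:
                self.username = text
                reply += b"Password: "
            else:
                self.attempts.append((self.username, text))
                self.username = None
                reply += b"\r\nLogin incorrect\r\n"
                if len(self.attempts) >= self.MAX_ATTEMPTS:
                    self.closed = True
                else:
                    reply += b"\r\nlogin: "
        return reply
```

The server that owns the socket sends b"login: " on connect and closes the connection once closed is set; nothing typed is ever checked against a real account.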
Demonstration
Summary
Honeypots are a cheap and simple way to add protection to a network. Honeypots allow the study of attackers' methods of operation and help in developing new ways of countering them.
Thanks!
We wish to thank:
Ben, for his help and endless patience
Ilana and the Tochna lab team
Our families