The_Honeypot - Networked Software Systems Laboratory

advertisement
The Honeypot Project
By
Itzik Jislin
Yiftach Benjamini
Supervisor: Ben Bershtein
Introduction
What is a Honeypot?
"A honeypot is an information system
resource whose value lies in unauthorized
or illicit use of that resource." - Lance
Spitzner
Honeypot Overview
A Honeypot has no functional value
A Honeypot does not do anything
active. Its value lies in the knowledge
that any access to the Honeypot is
probably malicious
In a perfectly safe network a Honeypot
should see no traffic at all
Honeypot Overview - Advantages
Small data sets of high value
Very flexible
– does not rely on a fixed database (Like
Anti-Virus software). Allows the detection
of new and unknown methods and tools
Minimal resources
– Since Honeypots are not intended to
actually server a magnitude of clients they
need very little resources
Simple
– Honeypots are simple to install and
maintain
Honeypot Overview - Disadvantages
Limited view
– A Honeypot can observe only interaction
with itself. It is not a sniffer and cannot
log actions against other functional
systems in the network
Risk
– Depending on the type of the Honeypot
the risk can be greater or lesser. But there
is always a risk to the network when a
multitude of servers are active in it.
Honeypots Overview - Types
Low-Interaction
– Simulates some network services (HTTP,
Telnet, FTP, etc…)
– Very low risk (Interaction is only with a
simulation)
– Less flexible (Can only simulate what was
programmed)
– Easier to identify
– Examples are: Specter, honeyd, our project
Honeypots Overview - Types
High-Interaction (Sacrificial Lamb)
– Real servers running some kind of logging
software
– High risk (Attacker is working with the
real thing)
– Almost impossible to identify
Honeypots Overview - Honeynets
Overview – But what good is it?
Collect data
– Allows researching attackers methods and
tools and developing counter-tools.
Prevention
– “Sticky” Honeypots slow down scanning
capabilities of attackers by slow response
times
– If the usage of Honeypots is publicly
known it might deter hackers from
attacking the network for fear of being
caught
Overview – But what good is it?
Detection and Response
– If a Honeypot detects suspicious activity it
can send an e-mail or sms to a network
administrator
– A Honeypot is a non essential system, so
taking it offline in order to analyze damage
done by an attack will be less harmful and
disruptive to the functionality of the
network
Overview – But what good is it?
Counter Attack
– A Honeypot could be configured to actively
respond when it detects attacks coming
from systems within its network. For
instance if it detects worm activity from
some system in the network it can
quarantine the system or shut it down or
even use some routine to purge the worm
Overview - Threats
Viruses
– Pieces of software that attach to innocent
files. Consume computers recourses and
may be even more malicious (deleting
files, ruining hardware, etc…). Rely on
social engineering for spreading
Worms
– Self propagating code. Searches for
communication vulnerabilities and uses
them to infect more computers at an
exponential rate.
Overview - Threats
Humans
– White Hats – “Good” Hackers searching for
vulnerabilities in order to report them and
increase security awareness
– Black Hats – Hackers with personal gain or
mayhem in mind. Break into systems in
order to steal or corrupt data.
– Script Kiddies – Tool users. No real
understanding of what the are doing.
Techniques usually include scanning for a
system and then hammering it with
various tools in order to find a
vulnerability.
Our Solution
The path to implementation
Phase I – How to simulate an IIS?
Fingerprinting using HMAP
HMAP vs. www.technion.ac.il
HMAP vs. Our Honeypot
Phase II – How do you hack a web server?
Directory traversal (double decode)
Buffer Overflow (Code Red)
Malformed SQL statements
Phase II – How do you hack a web server?
Look for directories set up by default
with execute permissions
These directories may also hold default
scripts that contain vulnerabilities
Find them by sending requests like
these:
–
–
–
–
–
GET /frick.html HTTP/1.0
GET /scripts/ HTTP/1.0
GET /_vti_pvt/ HTTP/1.0
GET /cgi-bin/GetFile.cfm HTTP/1.0
Etc…
Phase II – How do you hack a web server?
If we find such a directory we can send
malicious strings that use known
vulnerabilities such as the “double
decode” directory traversal attack
Our mission is to execute the cmd.exe
program that will get us root access to
the computer
Phase II – How do you hack a web server?
Example:
– Send the string:
• /..%%35%63..%%35%63..%%35%63..%%35%63winnt/system3
2/cmd.exe?/c+dir+c:
– Since the ../../../ attack is well known it
checks for it. (Can’t find it in this string)
– Then it decodes the string changing %35
to ‘5’ and %63 to ‘c’. Now we have:
• /..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir
+c:
– Now it realizes it forgot to decode %5c
which surprisingly decodes to a ‘/’
• /../../../../winnt/system32/cmd.exe?/c+dir+c:
– Now we have root permissions
Simulating Port Scanning
Knocker FrontEnd – port scanner
Vulnerabilities check
N-Stealth Security Scanner
Phase III
Implement
Based On
Visual C++ .net
Visual Basic .net (GUI)
Winsock2
ODBC
Honeypot Architecture
Deployment:
Attacker
The Internet
Honeypot
Network Scan
Firewall
Server
Workstation
Workstation
Laptop
Honeypot Architecture
The program is divided into two main
applications.
– GUI – Allows an easy way of starting and
stopping the servers, searching through
collected data and displaying statistics
– Honeypot_Core – Creates and maintains
the servers. Collects the data from the
users and updates the databases
Honeypot Architecture
Block Diagram
Honeypot
Core
HTTP Server
Medium
(WinSock)
GUI
Telnet Server
Malicious
String DB
HTTP
Transactions
DB
Telnet Login
DB
Honeypot Architecture
Communication between GUI and core
is done over Winsock
Why Winsock?
Answer:
– There were many available options:
• RPC, Signaling, Shared memory, And much more
– We wanted to allow for the expansion of
the deployment scheme. Suppose you
want to run multiple instances of the core
on different computers.
– Using Winsock allows running the GUI on
one machine while controlling others over
the network
Honeypot Architecture - Classes
Honeypot Architecture - Classes
myDb
– A class used as an interface with our ODBC
database.
– Functions:
• Connect to the db
• Disconnect from the db
• Insert data into a table in the db
Honeypot Architecture - Classes
mySock
– A class used as an interface with the
winsock2 objects
– Functions:
•
•
•
•
•
•
•
Create a new socket
Set socket options (Timeout)
Connect to a server
Accept (Listen) new connections
Send data
Receive data
Close socket
Honeypot Architecture - Classes
myServer
– A class used to create and maintain server
objects. New servers are created by
inheritance and need to implement the
serveClient virtual function.
– Implementation allows easy way to add
new services in the future
– Functions:
• Create and init a server
• Start the server
• Stop the server
Honeypot Architecture – myServer
myServer
Server Initiated
myServer->initServer()
Start Command received from GUI
Start Server on Port X
myServer->startServer(X)
Init Socket,
Create main server thread
Accept connections
Create client serving threads
Honeypot Architecture – HTTPServer
The purpose is to “catch” malicious
http strings sent as innocent requests
The http server emulates a Microsoft
IIS 5.0 web server
The emulation displays only one page
taken from index.htm
The Honeypot is completely safe from
all attacks since it does actually try to
execute any commands sent at it. It’s
default response is “Not implemented”
Honeypot Architecture – HTTPServer
HTTPServer
serveClient()
serveClient()
serveClient()
serveClient()
Receive request
from client
Timeout?
Update DB
Port
Scanned?
Update DB
Parse request
Build Response
Header
Send response
and Web page if
needed
Update DB
End Thread
Honeypot Architecture – TELNETServer
The purpose is to observe the
usernames and passwords attackers
will try when hacking a telnet server
This will allow the creation of a
common used passwords database so
that users can be advised (or required)
as to what passwords not to use
It can also help detecting stolen
passwords
The server emulates nothing more
than the login handshake.
All logins fail
Honeypot Architecture – TELNETServer
TELNETServer
serveClient()
serveClient()
serveClient()
serveClient()
Receive request
from client
Update DB
Timeout?
Port
Scanned?
Update DB
Login limit
reached?
Send login Failure
End Thread
Honeypot Architecture – Communication Flow
GUI Initiated
Honeypot Core initiated
Connect to Database
Create GUI Communications
Server Socket
Connect to Server
Load and display data
Send Start Commands
Create and start HTTP &
Telnet servers
Serve Clients
Send Stop Commands
Stop and delete servers
Send Quit command
Cleanup and exit
Cleanup and exit
Demonstration
Summery
Summery
Honeypots are a cheap and simple way
to add protection to a network
Honeypots allow the study of attackers
methods of operation. And help
developing new ways for countering
them.
Possible Future Additions
More services such as ftp, messenger,
p2p applications
Allow administration of multiple
servers via network
Add the ability to answer as different
ip addresses
Emulate different kinds of web servers
other than IIS
Emulate a more complex telnet session
Thanks!
We wish to thank:
– Ben for his help and endless
patience
– Ilana and the Tochna lab team
– Our families
Download