Luke's Report on HIDS implementation on windows Honeypot

MASSEY UNIVERSITY
SCHOOL OF ENGINEERING AND
ADVANCED TECHNOLOGY
Engineering Project
Submitted as part requirement for B.Eng (Hons).
Intrusion Detection Using Honeynets
Luke Birkin
2010
SUPERVISORS
a. Richard Harris
b. Fahim Abbasi
Table of Contents
1. Summary
2. Introduction
2.1. Networking
2.2. Security Threats
2.3. The Problem
2.4. Outline
3. Background
3.1. The Honeynet project
3.2. What is a Honeynet
3.3. Current Honeynet setup at Massey
3.3.1. Virtualisation
3.3.2. Host
3.3.3. Honeywall
3.3.4. Honeypots
4. Implementation
4.1. The need for a Windows Honeypot
4.2. Open Source
4.3. Honeypot
4.3.1. Setup
4.3.2. Windows settings
4.3.3. Snapshot
4.4. Honeywall
4.4.1. Setup
4.4.2. Data Acquisition
4.4.3. Obtaining Information
4.5. Tools
4.5.4. Sebek as a data capture tool
4.5.4.1. What it does
4.5.4.2. Installation
4.5.4.3. Retrieving data
4.5.5. OSSEC as an intrusion detection system
4.5.5.1. What it does
4.5.5.2. Installation
4.5.5.3. Retrieving data
4.5.6. How to see more in your Windows box
4.5.6.1. Windows tools
4.5.6.2. Security Logs
4.5.6.3. Windows Firewall logs
4.6. Data Integration
5. Results
5.1. OSSEC
5.2. Windows security logs
5.3. Firewall logs
5.4. Sebek and network traffic
5.5. Example
6. Conclusions
7. References
8. Bibliography
9. Appendices
Appendix 1 - Project Proposal
Appendix 2 - Reflections
Appendix 3 - Data
Illustration index
Illustration 1: Honeynet Architecture [2]
Illustration 2: vSphere Client
Illustration 3: Walleye Interface
Illustration 4: Windows Honeypot
Illustration 5: Local Area Connection Properties
Illustration 6: Internet Protocol Properties
Illustration 7: Advanced Tab
Illustration 8: Windows Firewall
Illustration 9: Windows Firewall
Illustration 10: Advanced Settings
Illustration 11: ICMP Settings
Illustration 12: ICMP Settings
Illustration 13: WinSCP Login
Illustration 14: WinSCP
Illustration 15: Sebek Deployment [13]
Illustration 16: OSSEC Install Log
Illustration 17: Enabling Audit Policies
Illustration 18: Event Viewer
Illustration 19: Event Properties
Illustration 20: Log Settings
Illustration 21: OSSEC Notification Example
Illustration 22: Windows log Example
Illustration 23: Windows Firewall Log Example
Illustration 24: Wireshark
1. Summary
There is a need to study how hackers and viruses interact with computers, and so small
networks can be set up to let the outside world interact with a computer while recording
it undetected. Such a network is called a Honeynet, and a Honeypot is the computer that
the outside world can interact with, thinking it’s a normal computer. A Honeynet has been
set up at Massey University which is limited to Linux-based Honeypots. There is a need to
expand to use a Windows system and to install tools for extensive data capture, to extend
the type of information that it can gather. There is also a need to collate data from
different tools to be able to produce summaries of events such as intrusion attempts.
In the end I have accomplished this and have been able to record and identify some
intrusion attempts. However, there is still room to install more tools to record more data,
and systems are also needed to automatically integrate the data from different sources
and extract useful information.
2. Introduction
2.1. Networking
From when computers were invented, up to today, the capabilities of computers have
grown from standalone machines doing basic computations that your calculator can do,
to a huge range of applications. One area that most computers are used for now is
networking, in the form of the internet and local networks. This connectivity means that
any computer in the world connected to the internet can potentially communicate with
every other computer in the world connected to the internet.
This communication between computers has allowed fast communications and easy
access to information and services. Many everyday things that people do can be done on
or enhanced by the internet. A few examples are business, commerce, information
transfer, advertising, banking, entertainment, shopping and education. So networking has
become a very important and valuable resource which is well used by society today. Also
networking has allowed easier access to resources such as services, information and
devices connected to networks. As with most resources there are people who exploit this
connectivity for personal gain. People who use computers to gain access to resources
illegally are called Black Hats. People that fight Black Hats are called White Hats.
So tools need to be developed to be able to study what Black Hats are doing to be able to
protect valuable resources.
Security Threats
So there are security threats. The risk of threats is generally proportional to how
important, valuable or useful the system or information accessed through the system is.
This means that there is a need for security to keep out people who might steal or
damage resources. Threats may or may not be intentional, and passive or active.
Intentional threats are premeditated: the entity knows what it’s doing and is doing it for
a specific reason, usually personal gain. Passive threats are taking or using resources
without changing anything, such as eavesdropping, whereas active threats modify
resources.
Some methods that intruders use are:
• Externally using basic methods such as guessing passwords
• Externally using advanced methods, like hackers.
• Gaining access through existing clients.
• Pretending to be a client to gain access.
• Internal intruders.
There are many different threats that intruders can impose on communication systems,
from obtaining information to stopping whole networks from working. Some of the most
common threats are:
• Unauthorized access
• Eavesdropping
• Masquerading
• Modification of information
• Misusing messages
• Repudiation
• Network flooding
And if successful the threats above can have different results. The major results of
security breaches are:
• Theft of information
• Unauthorised use of services
• Theft of services
• Denial of services
2.2. The Problem
So networks and resources that can be accessed by networks need to be protected from
hackers gaining unwanted access. So security systems are needed such as antivirus
software and firewalls. Antivirus software works by checking network traffic and data
against known threats. As hackers are always growing in intelligence and developing new
viruses and hacking methods antivirus software needs to be constantly updated.
To be able to keep up with, and possibly stay ahead of, Black Hats we need to know what
they are doing. They aren’t going to tell us and Google isn’t going to tell us either, so we
need tools to study and understand what Black Hats are doing in an effective and
efficient way.
2.3. Outline
This report will cover how a Honeynet works, how I have set up a Windows Honeypot and
installed some tools for extensive data capture. Then how I obtained data from those
sources and extracted information from that data and how I put that information
together to look at certain events.
3. Background
3.1. The Honeynet Project
The Honeynet project is an international non-profit research organisation that exists to
improve internet security. There are different groups all over the world called chapters.
Three things that they focus on are awareness of threats that exist, providing information
about protecting resources and providing open source tools and techniques to help
people continue research [1]. All tools, software and information from this project are
open source. This means that no one owns it, so it is free for anyone to use without
charge. It also means that programs can be modified and worked on.
3.2. The Honeynet
The fundamental tool provided by the Honeynet project is the Honeynet, which is a
flexible tool that can be modified and built upon depending on the need. A Honeynet is a
network whose function is to record data flows and intrusions into the network for
research purposes. It is used to collect information about malicious network traffic
including what black hats are doing. It normally has no other use, so most interactions
with the system from the outside world are likely to be malicious, such as viruses and
hackers. A map of the standard Honeynet architecture is shown in Illustration 1.
Within the Honeynet there are Honeypots (labelled 3 and 4) which are individual systems
that hackers can interact with. These can be different operating systems. From the
internet the Honeypots appear to be normal machines. These machines are set up to
make it easier than normal for people to gain access to them.
The Honeypots can be low or high level interaction which determines how much
information can be gathered.
Within this architecture the gateway is called the Honeywall (labelled 1) which records all
the network traffic. This is managed from outside the Honeynet (labelled 2) and is
undetectable from the outside world.
Honeynets are quite flexible as different operating systems can be used as Honeypots
and different programs and tools can be installed on the Honeywall and Honeypots to
collect different types of data.
Illustration 1: Honeynet Architecture
3.3. Current Honeynet setup at Massey
The Honeynet that I intend to set up a Honeypot on has already been set up by Fahim
Abbasi, so I won’t be going into detail about how to implement a Honeynet; rather, this
is an overview of how it is set up. For more information on this please refer to Fahim’s
work [3].
3.3.1. Virtualisation
The Honeywall and Honeypots are set up using virtual computers. A virtual computer is a
program that runs on a computer that simulates a real computer. And so from the
internet it looks like a real computer. In this case VMware Server [4] has been used. The
advantages of this are:
• Many virtual machines can be setup on one physical machine
• Easy to setup and disable machines.
• Easy to install/uninstall software.
• Cheap, less hardware needed.
• Easy to allocate resource for the machines such as ram and cpu.
• Easy to revert to previous setting if things get changed
• Can access the whole thing remotely in one interface from different locations
3.3.2. The Host
The host machine, labelled 2 in Illustration 1, is a physical Fedora machine which is used to
manage the rest of the network and where all the data collected is stored.
Illustration 2 below shows the vSphere Client interface used to manage all the virtual
machines. On the left are the different virtual computers that can be accessed. In the
middle the console is displayed, and the tabs there take you to settings and other things.
Illustration 2: vSphere Client
3.3.3. Honeywall
Honeywall Roo [5] is used to implement the Honeynet. All the network traffic collected by
the Honeywall is stored in a database on the host machine. On this system we are using a
web interface called Walleye which accesses the database. This interface is accessed by
using a web browser on the host machine. With this interface I can search results by
specifying times and applying different filters. I can also look at different things like flows,
packet sizes and packet contents. Illustration 3 shows this interface.
Illustration 3: Walleye Interface
3.3.4. Honeypots
The Honeypots are also setup and accessed through the vSphere client. These are the
machines that are visible from the outside world that hackers and viruses interact with.
4. Implementation
4.1. The need for a Windows Honeypot
Most hackers use Linux because it allows full access to hardware, ports and networking
with less software and graphical user interface in the way. Also it’s open source which
means easier modification of code and writing code and programs.
Different operating systems run quite differently and so different methods are used to
gain access to them. Windows is the most popular operating system today for everyday
people. So there is a need to expand the Honeynet to use a Windows Honeypot and set
up systems for extensive data capture. These need to be done to make it easier and more
effective to study the behaviour of black hats and what they are doing, specifically with
Windows based systems.
There are different levels of honeypots, low, medium and high interaction. These define
how much attackers can interact with the system. I plan to set up a high interaction
Honeypot. This means that it will be a full operating system that hackers can interact with
and all these interactions will be recorded using different tools.
Once things are set up I need systems to access the data and get that data into a user
friendly format to be able to get information from it. I will also consider developing
methods of automating the integration and data extraction.
4.2. Open Source
I am using mostly open source software. This is because I am on a budget and can’t afford
to fork out for expensive software. Also the Honeynet project is a not for profit
organization and most of what I am doing and software I am using is from that effort and
building on what others have done, and so that others can look at what I have done and
implement it for themselves and improve on it without cost. The only software that is not
open source is the Windows operating system, which I obtained through Massey University
at no cost.
4.3. Honeypot
4.3.1. Setup
The Honeypot is set up by creating a new virtual machine and installing an operating
system on it like a normal computer. I am using Windows XP as this is the most suitable
Windows operating system. I can then access this in the vSphere client as shown in
Illustration 4, by clicking on the machine on the left and clicking on the Console tab.
Illustration 4: Windows Honeypot
Once this has been installed the network settings need to be set. In Local Area Connection
properties (Illustration 5) and in the Internet Protocol properties (Illustration 6), the IP
address, mask, gateway etc. that I am using need to be entered.
Illustration 5: Local Area Connection Properties
Illustration 6: Internet Protocol Properties
4.3.2. Windows settings
Most computers are set up to block all malicious activity. But we want lots of this activity
to interact with the system so it can be recorded. So I need to ensure there are more
opportunities and ways of getting in, and some things can be done to make that easier.
Antivirus programs
An antivirus program works by having a database of known viruses and threats and
comparing incoming traffic with those. So it works to keep anything suspicious from
getting in. So I won’t install any antivirus programs.
Firewall
A firewall works by monitoring network traffic and only lets in traffic that is requested by
the computer or that it knows is safe. There are many different settings that can be
changed. I will enable some settings to make it easier to gain access to the system.
Clicking on the Advanced tab (Illustration 7) in Local Area Connection properties gives
access to the Windows Firewall settings. Clicking on the Settings button gets you to the
firewall settings (Illustration 8). I made sure that the firewall was on and that the ‘Don’t
allow exceptions’ box was not ticked.
Illustration 7: Advanced Tab
Illustration 8: Windows Firewall
Then clicking on the advanced tab (Illustration 9) produces access to more settings. In the
settings for local area network I enabled all the services (Illustration 10) and all the ICMP
settings (Illustration 11 and 12).
Illustration 9: Windows Firewall
Illustration 10: Advanced Settings
Illustration 11: ICMP Settings
Illustration 12: ICMP Settings
4.3.3. Snapshot
After all this is done it is important to take a snapshot of the machine. This is a function in
the virtualisation software that allows you to make a copy of the machine so that if things
get messed up you can return everything to how it was when you took the copy. This
needs to be done after every major change, such as installing new programs and tools.
4.4. Honeywall
4.4.1. Setup
Once the Honeypot has been created the Honeywall will record all the network traffic
that goes to and from the Honeypot. As the Honeywall has already been set up I don’t
need to do anything here.
4.4.2. Data Acquisition
To access the data that the Honeywall collects I use the Walleye interface as shown in
illustration 3. To study the data in more detail I can download pcap (packet capture) files
of the data specifying a time period. This pcap file is downloaded onto the host machine.
To get this onto the local computer I am working on I used WinSCP [6], which is an FTP
client mainly used for secure file transfer between a remote computer and a local
computer. Illustration 13 shows the login screen. I just need to enter the IP of the
Honeywall machine, a port number that has been set on the destination machine and
also the username and password that I use to access the virtual machine. Once I am in I
can navigate to where my file is and copy it to a local directory (Illustration 14).
Illustration 13: WinSCP Login
Illustration 14: WinSCP
4.4.3. Obtaining Information
Once I have a pcap file on my local computer there are many programs I can use to view
these files. Some of the most useful open source ones that I like are Wireshark [7],
Netwitness Investigator [8], Network Miner [9], Packetyzer [10]. These programs are
made to capture network traffic as well, but as the Honeywall is used to collect network
traffic, I have used these programs to view and analyse pcap files. As data sent over the
internet is sent in packets, looking at these packets can reveal a lot of information such
as IP addresses, ports used, protocols, OS, location, what the packet was sent for etc.
The main program I use is Wireshark because it has a good user interface and is easy to
navigate through large amounts of data. It shows a chronological list of the packets which
can be clicked on to view more information, and filters can be applied based on different
things like IP addresses and ports. So I can filter out all the packets that I know aren’t
helpful, such as traffic of other Honeypots. This can cut the number of packets down quite
a bit. I like to then save the current selection in a new pcap file and open that to make
further filtering faster.
The programs listed below are similar to Wireshark but have different interfaces and can
be used to extract different things from the traffic. So it’s helpful to look at the traffic for
specific events with these programs also.
Netwitness Investigator shows the amount of traffic on a timeline and it lists a lot of
useful information that can be filtered so you can focus on certain things. It is very
navigable and has a nice interface, so it is very user friendly.
Network miner has different pages that show different things such as the hosts, frames,
files, images, messages and so on. Also you can click on the hosts and find out more
information about these. So this extracts useful information and shows it on different
pages. This is very useful for quickly gaining information and seeing what hosts have
interesting information attached to them instead of trawling through data looking for it.
4.5. Tools
4.5.1. Sebek as a data capture tool
4.5.1.1. What it does
Sebek [11] is a tool used to collect more than just network data. It is made to collect
information about the activities of hackers who are accessing the machine that Sebek is
installed on. It records keystrokes, file uploads, passwords and processes that are run.
There are two parts to this. One is a client that is a kernel module which runs on the
Honeypot and records what the attacker does. The kernel is at the basic machine level
of the computer, below the high level applications that most programs run at. This means
that it is generally undetectable. It sends this recorded data to a server. This is the second
part, which receives all the data and is where we can obtain this data. This server can run
independently, but it is helpful to use the Honeywall gateway which has a built in option
to identify Sebek packets. So this gateway picks up the Sebek packets like all other
network traffic but it recognizes the protocol of these packets as Sebek. Illustration 15
illustrates this setup.
Illustration 15: Sebek Deployment
4.5.1.2. Installation
To install the client I downloaded the windows client binaries zip file onto the Honeypot
and extracted the files. Included in this is a setup file, a configuration file and readme and
license txt files. I also obtained some documentation [12] to find out how it worked and
how to install it.
To install it I ran the setup file which installed it. Then I ran the configuration file. Here
you have to set the IP address and port to send packets to. This is so that the Honeywall
can identify these packets as being sent by Sebek. The same values are set on the
Honeywall under the admin tab. The IP address can be any unused one; it should not be
that of the server, because it is possible for intruders to use this to identify the
host/server machine. You also need to specify the Ethernet MAC address to use, which can
be found in the Honeywall options. The Walleye interface has a built in option for Sebek
which needs to be set so that the Honeywall recognizes Sebek packets. After running the
configuration the computer needs to be rebooted for the client to start.
4.5.1.3. Retrieving data
The Sebek data is mixed with the rest of the network traffic data. There are two different
ways of obtaining it. You can download a pcap (packet capture) file from the Honeywall
and filter out everything except for the Sebek packets by setting it to only take packets
sent to the port that the Sebek packets are being sent to. The other option is to download
all the traffic in a pcap file and filter it using Wireshark. Doing it the first way is good to be
able to look at the packets themselves and what information is in them. The second one
is good for looking at when the packets arrive in relation to other network traffic. Wireshark
shows any information in the packet relating to the intrusion that was detected.
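As an added example (not code from this report, nor from the Sebek or Honeywall projects), the following pure-Python pcap reader does what sections 4.4.3 and 4.5.1.3 describe doing by hand in Wireshark: it keeps only the UDP packets sent to the Sebek port and saves that selection as a new pcap file. The sample capture, the port number 1101, the IP addresses and the payload bytes are all constructed for illustration; the real port is whatever was entered in the Sebek configuration, and real Sebek records have their own binary layout which this example does not decode.

```python
import struct

# Assumed for illustration: the UDP port Sebek was configured to send to.
# The real value is whatever was entered in the Sebek configuration tool.
SEBEK_PORT = 1101

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap, written little-endian below
LINKTYPE_ETHERNET = 1


def _ip(addr):
    """Dotted-quad string -> 4 packed bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def build_udp_frame(src, dst, sport, dport, payload):
    """Construct an Ethernet/IPv4/UDP frame (checksums left zero; fine for an offline sample)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    total_len = 20 + udp_len
    # version/IHL, TOS, total length, ID, flags/frag, TTL, protocol 17 = UDP, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 17, 0, _ip(src), _ip(dst)) + udp
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", 0x0800)
    return eth + ip


def build_pcap(frames):
    """Serialise frames as an in-memory pcap file: global header + one record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample capture: two "Sebek" records from the honeypot to the
# (assumed) collector address, with an unrelated NetBIOS datagram in between.
SAMPLE_PCAP = build_pcap([
    build_udp_frame("10.0.0.5", "10.0.0.99", 4000, SEBEK_PORT, b"SBK\x00keystroke:dir"),
    build_udp_frame("203.0.113.7", "10.0.0.5", 53412, 137, b"not sebek"),
    build_udp_frame("10.0.0.5", "10.0.0.99", 4000, SEBEK_PORT, b"SBK\x00keystroke:ipconfig"),
])


def iter_packets(pcap_bytes):
    """Yield (timestamp_sec, frame_bytes) for each record in a little-endian pcap."""
    if struct.unpack("<I", pcap_bytes[:4])[0] != PCAP_MAGIC:
        raise ValueError("unsupported or big-endian pcap")
    offset = 24
    while offset + 16 <= len(pcap_bytes):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("<IIII", pcap_bytes[offset:offset + 16])
        offset += 16
        yield ts_sec, pcap_bytes[offset:offset + incl_len]
        offset += incl_len


def parse_udp(frame):
    """Return (src_ip, dst_ip, sport, dport, payload), or None if the frame is not IPv4/UDP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[14 + 9] != 17:               # protocol field: 17 = UDP
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    udp = frame[14 + ihl:]
    sport, dport, udp_len = struct.unpack("!HHH", udp[:6])
    return src, dst, sport, dport, udp[8:udp_len]


def filter_by_dst_port(pcap_bytes, port):
    """Keep only UDP packets sent to `port`.

    Returns the parsed packets and a new pcap containing just those frames,
    i.e. the 'save the current selection in a new pcap file' step done in code.
    """
    kept_frames, parsed = [], []
    for _ts, frame in iter_packets(pcap_bytes):
        info = parse_udp(frame)
        if info and info[3] == port:
            kept_frames.append(frame)
            parsed.append(info)
    return parsed, build_pcap(kept_frames)


if __name__ == "__main__":
    sebek_only, smaller_pcap = filter_by_dst_port(SAMPLE_PCAP, SEBEK_PORT)
    for src, dst, sport, dport, payload in sebek_only:
        print(f"{src}:{sport} -> {dst}:{dport} {payload!r}")
    with open("sebek_only.pcap", "wb") as fh:   # openable in Wireshark
        fh.write(smaller_pcap)
```

The filter matches on the destination port only, which is the same criterion the report applies in Wireshark; on a real capture from the Honeywall the Sebek traffic can also be picked out by the configured destination IP address, and both should be checked if another service happens to use the same port.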
4.5.2. OSSEC as an intrusion detection system
4.5.2.1. What it does
OSSEC is a host-based intrusion detection system [14]. So it runs on the Honeypot
machine and runs scans and checks if anything relating to the machine’s system has been
changed. Any changes are recorded and an alert is sent off. This is useful because it helps
us to see what effect any malicious activity has on the computer and so we can
differentiate between traffic sources that have affected the system and those that
haven’t and what effect they have had on the system.
It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
• Log analysis is analyzing computer generated records to study what the machine
has been doing or what users have been doing on it.
• Policy monitoring is monitoring the effectiveness of policies, rules, goals or other
methods in policy.
• File integrity checking is checking files, in this case system files, to make records of
any changes to them. This is important for system files because any changes can
affect what the system does and how it runs.
• A rootkit is a bunch of programs that allow administration level access to a
computer. Often hackers will install a rootkit program to gain privileges to a
computer, so it is important to keep an eye on this.
So OSSEC checks these things and reports on them as soon as they happen.
4.5.2.2. Installation
From the documentation [15], there are two different setups that can be implemented,
which are local installation or server-agent installation. Local installation is stand alone
and cannot be done on Windows. Server-agent installation is useful for having
many agents monitored by one server. The server can be installed on different platforms
such as Linux, Unix and BSD but not Windows, while the agent can be installed on all of the
above. The agent is installed on the Honeypot and it records system changes. This
information is sent to the server, which is installed on a different machine and stores
the data in logs.
The Honeypot I am working on is a Windows platform so I need to have a server on the
host and an agent on the Honeypot to make it work. The server is installed first. Fahim
installed this on the host machine. This involved downloading the OSSEC file onto the
machine and running the install script.
When installing the server there are a number of options:
- Installation type (server, agent, local)
- Where to install (/var/ossec)
- Configuration
o Set email
o Confirm SMTP server
o Integrity check daemon
o Rootkit detection engine
o Active response
o Firewall-drop response
o White list of active response
o Remote syslog
o Configuration to analyze logs
o Needs ports 1514 and maybe 514, so make sure that any filters on the server
machine allow inbound UDP traffic on these ports
- Agents
o Agents need to be added, and the name, IP address and agent ID need to be
set
Usually the same file is used to install agents and the agent installation type is selected,
but for Windows there is a separate exe installation file. This is downloaded onto the
honeypot and run.
The steps are outlined below.
1. Click next and accept licence
2. Choose components, I chose all of them, and installation directory
3. Enter the server IP
4. Extract the agent key on the server and enter into the agent setup
5. This can be done from the agent using PuTTY or by accessing the server directly
6. This will start the agent.
7. Check the agent log to see if it has connected
Illustration 16 shows the agent log, which shows all that went on during the installation.
This log is found in the program folder. The important things to note are that it has
connected to the server and done some scans.
Illustration 16: OSSEC Install Log
4.5.2.3. Retrieving data
There are different ways of getting data from OSSEC. Firstly OSSEC stores all collected
data into logs. This is the primary place where it is all stored. But this is not a very useful
format and takes time to access it and find anything useful. So in the setup it can be set
to send email alerts and also to push all the data into a database. Both of these are
useful. Email alerts are useful because you know when something has happened and it
summarises the event in the email. The database is also useful because it stores all the
data in one location which makes it easier to search for things and quicker access than
browsing through emails.
4.5.3. How to see more in your Windows box
4.5.3.1. Windows Tools
Windows has built in logging tools that log certain events. As they are built in they don’t
have to be installed, but a few settings need to be changed and some things done to
extract useful information and get it into a useful format.
There is the Audit Policy which can log events relating to applications, security and
system. Also the Firewall can be set to make logs as well. I am particularly interested in
security logs and Firewall logs.
4.5.3.2. Security Logs
Enabling audit logging
To enable audit logging I clicked on Start > Control Panel > Administrative Tools > Local
Security Policy. In the left pane expand Local Policies and click on Audit Policy, as in
Illustration 17. This shows a list of things that you can audit.
Illustration 17: Enabling Audit Policies
These things are:
- Account logon events
o This audits each instance of a user logging on or off another computer,
using this computer to validate the account.
- Account management
o This audits account management events such as user accounts being
changed and passwords changed.
- Directory service access
o This audits users accessing an Active Directory object that has its own
system access control list (SACL) specified.
- Logon events
o This audits every instance of users logging on or off this computer.
- Object access
o This audits users accessing objects such as files, folders, registry keys and
printers etc. that have their own system access control list (SACL) specified.
- Policy change
o This audits any changes to user rights assignment policies, audit policies
and trust policies.
- Privilege use
o This audits each instance of a user exercising a user right.
- Process tracking
o This audits detailed tracking information for events like program
activation, process exits, handle duplication and indirect object access.
- System events
o This audits when users restart or shut down the computer and any events
that affect the system security or the security log.
Double-clicking on each of these lets you enable or disable whether it is audited. I
enabled all of them. I also made the maximum log size quite large so that it wouldn’t
overwrite old logs until I had made some sort of copy.
Viewing the logs
To get information from these logs you can view them in the Windows Event Viewer.
To view these events I went to: Start > Control Panel > Administrative Tools > Event
Viewer.
Clicking on Security in the left pane (Illustration 18) shows a list of all the events that have
been audited.
Illustration 18: Event Viewer
To view the details of a log entry I just double-click on it and it opens a small window
(Illustration 19). This shows the same details as well as a description of the event and more.
Illustration 19: Event Properties
To view logs without the event viewer they need to be exported. There are different ways
to export windows logs. What I have described below is how I’ve gone about doing it.
Exporting logs
First of all, Windows logs are saved as .evt files. This is the file extension that Windows
Event Viewer uses and is not very helpful to me. So to export the logs in a different
format, go into Windows Event Viewer, right click on Security and click on ‘Save log file
as’. I save them as csv files; this stands for comma separated variables. This saves the
logs in a format where all the useful fields are separated by commas. This helps in putting
it into a database later.
The next thing is to get the .csv file off the honeypot machine onto a local machine. There
are several practical ways of doing this. One is to use WinSCP on the honeypot to transfer
it to the host machine and then use WinSCP on the local machine to transfer that to the
local machine. This way requires minimal setup but takes more time. Another way is to
set up a scheduled task in Windows to automatically open a file transfer protocol (FTP)
session and send it to the local machine, which requires more setup that I haven’t had
time to do. Another way is to use FTP to manually transfer it directly across to a local
machine, which I didn’t have time to figure out either. So now the logs can be viewed in
Notepad on my local computer and I can easily look through them and search for things.
4.5.3.3. Windows Firewall logs
Enabling logging
The security logging settings under the Advanced tab in Windows Firewall (Illustration 9)
allow you to enable the firewall to keep logs, as shown in Illustration 20. Check the boxes
to log dropped packets and successful connections. This will log any packets that the
firewall blocks and any that it lets through. You can also set where it is saved, and I made
the size the maximum possible to avoid losing data when it overwrites old logs.
Illustration 20: Log Settings
Viewing logs
To view the logs go to the place where you specified it to be saved, I left it as the default
option in the Windows folder. This can be opened in notepad like the audit logs and is in
a nice format to view and make searches.
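As an added example (not from the report, and not a Microsoft tool), here is a parser for the log layout that Windows Firewall writes: comment lines starting with `#`, a `#Fields:` header naming the columns, then one space-separated row per packet. Reading the column names from the header rather than hard-coding positions keeps the parser working if the field list differs between firewall versions. The summary it produces shows one thing these logs are good for on a honeypot: seeing a single source hit many different ports. The log lines below are constructed, with addresses from the documentation ranges; the `#Fields:` list is the one Windows Firewall documents, but check it against the header of your own pfirewall.log.

```python
from collections import defaultdict

# Constructed sample in the layout Windows Firewall writes to pfirewall.log.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-08-14 22:20:01 DROP TCP 203.0.113.7 10.0.0.5 4521 135 48 S 1179925712 0 65535 - - - RECEIVE
2010-08-14 22:20:01 DROP TCP 203.0.113.7 10.0.0.5 4522 139 48 S 1179925713 0 65535 - - - RECEIVE
2010-08-14 22:20:02 DROP TCP 203.0.113.7 10.0.0.5 4523 445 48 S 1179925714 0 65535 - - - RECEIVE
2010-08-14 22:20:02 DROP TCP 203.0.113.7 10.0.0.5 4524 3389 48 S 1179925715 0 65535 - - - RECEIVE
2010-08-14 22:21:10 OPEN TCP 198.51.100.23 10.0.0.5 50111 445 - - - - - - - - RECEIVE
2010-08-14 22:25:44 CLOSE TCP 198.51.100.23 10.0.0.5 50111 445 - - - - - - - - RECEIVE
2010-08-14 22:30:00 DROP ICMP 192.0.2.9 10.0.0.5 - - 60 - - - - 8 0 - RECEIVE
"""


def parse_firewall_log(text):
    """Return one dict per data row, keyed by the names in the '#Fields:' header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the '#Fields:' token
            continue
        if line.startswith("#"):
            continue                           # other header/comment lines
        if fields is None:
            raise ValueError("data row before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                           # truncated line (e.g. mid-write); skip, don't misalign
        records.append(dict(zip(fields, values)))
    return records


def summarise_inbound_drops(records):
    """Per source IP: how many inbound packets were dropped and which destination ports were tried."""
    summary = defaultdict(lambda: {"drops": 0, "ports": set()})
    for r in records:
        if r["action"] == "DROP" and r["path"] == "RECEIVE":
            entry = summary[r["src-ip"]]
            entry["drops"] += 1
            if r["dst-port"] != "-":           # ICMP rows carry no port
                entry["ports"].add(int(r["dst-port"]))
    return {ip: {"drops": e["drops"], "ports": sorted(e["ports"])} for ip, e in summary.items()}


def probable_scanners(summary, min_ports=3):
    """Sources whose dropped packets touched at least `min_ports` distinct ports."""
    return sorted(ip for ip, e in summary.items() if len(e["ports"]) >= min_ports)


def accepted_connections(records):
    """(source, destination port) for inbound connections the firewall let through."""
    return [(r["src-ip"], int(r["dst-port"]))
            for r in records if r["action"] == "OPEN" and r["path"] == "RECEIVE"]


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    drops = summarise_inbound_drops(recs)
    for ip, e in drops.items():
        print(f"{ip}: {e['drops']} dropped, ports {e['ports']}")
    print("probable scanners:", probable_scanners(drops))
    print("accepted inbound:", accepted_connections(recs))
```

The accepted connections are the ones worth lining up against the Sebek and OSSEC data by time and source address, since those are the sessions that actually reached a service on the honeypot.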
4.5.4. Data Integration
So I am now able to obtain data from a number of different sources but they are quite
limited by themselves. So far the data sources I’ve got are Sebek, Ossec, Windows logs
and network traffic. So I can obtain different information from these different sources
and when put together can make one big picture about certain events such as intrusion
attempts.
So I can look at network traffic and Sebek packets using programs such as Wireshark, I
can look at OSSEC results from emails and the database, and I can look at Windows logs
using Notepad and Event Viewer. So I can study the data from these sources manually and
focus on different attacks by comparing times, IP addresses, ports and events between the
sources. But it takes time to compare them and look for things that relate.
To make this more effective it needs to be automated somehow. I didn't have time to work
on this but have made a start on the first step, which is to get the data from the
different sources into one format. A database is the best place to store large amounts of
data so that it can be filtered and searched. As Walleye already stores the network
traffic in the open source database system MySQL [16], that is the obvious tool to use.
On the host, OSSEC can be configured to push its alerts into a database as well.
The Windows event logs are not in a database-friendly format. The .csv files I export are
not what is needed: the dates are in month/day/year order, whereas MySQL's DATETIME type
expects YYYY-MM-DD HH:MM:SS, and the times are on a 12-hour clock while every other source
uses 24-hour time. Even though the fields are separated by commas, some descriptions
contain commas themselves and some records run over several lines, so a naive split on
commas and newlines breaks them. My solution was first to change the .csv file to a .txt
file by renaming it, and then to write a small Python program that takes the text file,
converts the date and time formats and makes sure every record is on a single line with no
stray commas.
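The normalisation step just described, as an added example (my own code, not the program
written for the project, which the report does not reproduce): the script regroups the
export's multi-line records by spotting the date that starts each one, leaves the commas
inside a description alone by limiting the split to the eight fixed columns, collapses each
record to one line, and rewrites the 12-hour m/d/yyyy timestamp into the form MySQL's
DATETIME accepts. The three records are a constructed sample laid out like the export in
appendix 3; the column names, the field() helper and the row layout for the database are
this example's own choices.

```python
import re
from datetime import datetime

# Constructed sample laid out like an XP Event Viewer "Save as CSV" export:
# the first record's description is quoted and spans several lines, the second
# and third are unquoted and span several lines, and the first carries a comma
# ("(0x0,0x3E7)") inside the description.
SAMPLE_EXPORT = r"""9/22/2010,8:36:58 PM,Security,Success Audit,Detailed Tracking ,592,NT AUTHORITY\SYSTEM,MASSEY-80383E93,"A new process has been created:
New Process ID:
1796
Image File Name:
C:\WINDOWS\system32\csrss.exe
Creator Process ID: 532
User Name: MASSEY-80383E93$
Domain:
WORKGROUP
Logon ID:
(0x0,0x3E7)
"
9/22/2010,8:37:01 PM,Security,Failure Audit,Logon/Logoff ,529,NT AUTHORITY\SYSTEM,MASSEY-80383E93,Logon Failure:
Reason:
Unknown user name or bad password
User Name:
administrador
Domain:
MASSEY-80383E93
Logon Type:
10
Logon Process: User32
Authentication Package:Negotiate
Workstation Name:
MASSEY-80383E93
9/22/2010,8:37:01 PM,Security,Failure Audit,Account Logon ,680,NT AUTHORITY\SYSTEM,MASSEY-80383E93,Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: administrador
Source Workstation: MASSEY-80383E93
Error Code: 0xC0000064
"""

# A new record starts with "m/d/yyyy,h:mm:ss AM|PM,"; any other line is a
# continuation of the previous record's description.
RECORD_START = re.compile(r"^\d{1,2}/\d{1,2}/\d{4},\d{1,2}:\d{2}:\d{2} [AP]M,")

# The fixed columns that precede the free-text description (names are mine).
COLUMNS = ("date", "time", "source", "type", "category", "event_id", "user", "computer")


def split_records(text):
    """Group the export's lines into one list of lines per event."""
    records, current = [], []
    for line in text.splitlines():
        if RECORD_START.match(line):
            if current:
                records.append(current)
            current = [line]
        elif current:
            current.append(line)
    if current:
        records.append(current)
    return records


def parse_record(lines):
    """Turn one multi-line record into a flat dict with a 24-hour ISO timestamp."""
    # Only the description may contain commas, so cut at most 8 times.
    parts = lines[0].split(",", len(COLUMNS))
    if len(parts) != len(COLUMNS) + 1:
        raise ValueError("malformed record header: %r" % lines[0])
    rec = dict(zip(COLUMNS, (p.strip() for p in parts[:-1])))
    # Description = rest of the first line + continuation lines, whitespace
    # collapsed to single spaces, surrounding quotes from the export removed.
    description = " ".join(" ".join([parts[-1]] + lines[1:]).split())
    rec["description"] = description.strip('" ')
    # m/d/yyyy + 12-hour clock -> YYYY-MM-DD HH:MM:SS as MySQL DATETIME expects.
    stamp = datetime.strptime(rec.pop("date") + " " + rec.pop("time"),
                              "%m/%d/%Y %I:%M:%S %p")
    rec["timestamp"] = stamp.strftime("%Y-%m-%d %H:%M:%S")
    rec["event_id"] = int(rec["event_id"])
    return rec


def parse_export(text):
    return [parse_record(lines) for lines in split_records(text)]


def field(record, label):
    """Pull a 'Label: value' pair out of the flattened description, or None."""
    m = re.search(re.escape(label) + r":\s*(\S+)", record["description"])
    return m.group(1) if m else None


def to_db_rows(records):
    """Tuples in column order, ready for an INSERT with parameter placeholders."""
    return [(r["timestamp"], r["source"], r["type"], r["category"], r["event_id"],
             r["user"], r["computer"], r["description"]) for r in records]


if __name__ == "__main__":
    for r in parse_export(SAMPLE_EXPORT):
        print(r["timestamp"], r["event_id"], field(r, "User Name"), r["description"][:40])
```

Each row from to_db_rows() is one line of one table, so the logon failures for a user
name or a time window become a single query instead of a search through Notepad.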
The Windows Firewall logs already use a yyyy-mm-dd date and 24-hour time, so they need no
conversion.
I haven't managed to get the Sebek logs into a database. The next step would be to
automate loading the Sebek and Windows logs into a database in the same way as the network
traffic and OSSEC alerts already are, and then to bring them all together in one database,
preferably on the host machine.
5. Results
5.1. OSSEC
Email alerts
Part of an e-mail alert from OSSEC looks like illustration 21. The information differs
from event to event, but generally an alert gives:
- Date and time
- Which Honeypot
- Level and a short description
- Source
- Event id
- Who and what computer
Then some details about the event like:
- What
- Why
- User name
- Domain
- Processes
So an alert gives a basic overview of the event without going into much detail. This is
useful because it draws my attention to important events, which I can then study further
by looking at the other sources.
Illustration 21: OSSEC Notification Example
OSSEC HIDS Notification.
2010 Sep 22 20:37:46
Received From: (XP-Honeypot) 150.206.2.4->WinEvtLog
Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."
Portion of the log(s):
WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: MASSEY-80383E93:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrador
Domain: MASSEY-80383E93
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: MASSEY-80383E93
WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: MASSEY-80383E93:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrador
Domain: MASSEY-80383E93
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: MASSEY-80383E93
5.2. Windows security logs
A Windows security log entry looks like illustration 22. It holds some of the same
information as the OSSEC alert but in much more detail: for a single event that OSSEC
reports, these logs record all the separate events and processes that make up that one
larger event. The entries carry numeric codes such as event IDs that have fixed meanings
(592 is process creation, 529 a logon failure for an unknown user name or bad password,
680 an account logon attempt), so they can be looked up on the internet to learn more
about an entry.
Illustration 22: Windows log Example
9/22/2010,8:36:58 PM,Security,Success Audit,Detailed Tracking ,592,NT AUTHORITY\SYSTEM,MASSEY-80383E93,"A new process has been created:
New Process ID: 1796
Image File Name: C:\WINDOWS\system32\csrss.exe
Creator Process ID: 532
User Name: MASSEY-80383E93$
Domain: WORKGROUP
Logon ID: (0x0,0x3E7)
"
5.3. Firewall logs
The Windows Firewall log lists the connections attempted to the machine (illustration 23),
showing for each one whether it was dropped or accepted.
Some of the things the firewall log records for each entry are:
- date
- time
- action
- protocol
- src-ip
- dst-ip
- src-port
- dst-port
- size
This is useful for matching events from OSSEC to particular IP addresses and ports, which
lets me find where in the world the packets are coming from and which services are being
used. I match firewall entries to events by comparing times and the number of occurrences
of an event.
Illustration 23: Windows Firewall Log Example
2010-09-03 23:32:33 DROP TCP 218.28.220.222 150.206.2.4 6000 42 40 S 367132672 0 16384 - - - RECEIVE
2010-09-22 19:17:28 OPEN-INBOUND TCP 218.28.220.222 150.206.2.4 6000 3389 - - - - - - - -
2010-09-22 19:17:28 CLOSE TCP 150.206.2.4 218.28.220.222 3389 6000 - - - - - - - - -
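As an added example (not part of the original report): parsing the firewall log by its
#Fields header and summarising, per remote address, the ports it probed, the ports it got
a connection to, the source ports it used and when it was first and last seen, which is
the pattern the example in section 5.5 is built on. The log text is a constructed sample:
the first DROP and the 3389 OPEN-INBOUND/CLOSE pair follow illustration 23, the remaining
lines (including the deliberately truncated last one) are made up, 192.0.2.10 is a
documentation address, the honeypot address 150.206.2.4 is taken from the alert in
section 5.1, and the three-port threshold in scanners() is an arbitrary choice.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the W3C Extended Log Format that XP's Windows Firewall
# writes to pfirewall.log. Only the first DROP and the 6000->3389 pair come from
# illustration 23; the other lines are made up for the example.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-09-03 23:32:33 DROP TCP 218.28.220.222 150.206.2.4 6000 42 40 S 367132672 0 16384 - - - RECEIVE
2010-09-03 23:32:34 DROP TCP 218.28.220.222 150.206.2.4 6000 135 40 S 367132673 0 16384 - - - RECEIVE
2010-09-03 23:32:35 DROP TCP 218.28.220.222 150.206.2.4 6000 445 40 S 367132674 0 16384 - - - RECEIVE
2010-09-22 19:17:28 OPEN-INBOUND TCP 218.28.220.222 150.206.2.4 6000 3389 - - - - - - - - -
2010-09-22 19:17:28 CLOSE TCP 150.206.2.4 218.28.220.222 3389 6000 - - - - - - - - -
2010-09-22 19:18:02 OPEN-INBOUND TCP 218.28.220.222 150.206.2.4 1137 3389 - - - - - - - - -
2010-09-22 19:18:05 CLOSE TCP 150.206.2.4 218.28.220.222 3389 1137 - - - - - - - - -
2010-09-22 19:20:11 DROP UDP 192.0.2.10 150.206.2.4 137 137 78 - - - - - - - RECEIVE
2010-09-22 19:21:00 DROP TCP 192.0.2.10 150.206.2.4
"""


def parse_log(text):
    """Parse pfirewall.log text, taking the column names from its #Fields line.
    Returns (entries, skipped): one dict per well-formed line, plus a count of
    lines whose field count did not match the header (partially written lines
    are common at the tail of a log that is still being appended to)."""
    fields, entries, skipped = None, [], 0
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log entry seen before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            skipped += 1  # never zip a short line: the columns would shift
            continue
        entry = dict(zip(fields, values))
        entry["timestamp"] = datetime.strptime(
            entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")
        entries.append(entry)
    return entries, skipped


def summarise_sources(entries, honeypot_ip):
    """Per remote address: dropped packet count, destination ports probed,
    ports it was allowed through to, source ports used, first and last seen."""
    def fresh():
        return {"dropped": 0, "probed_ports": set(), "accepted_ports": set(),
                "src_ports": set(), "first": None, "last": None}
    summary = defaultdict(fresh)
    for e in entries:
        # Inbound traffic aimed at the honeypot only. CLOSE entries are written
        # from the honeypot's side (src-ip is the honeypot), so they drop out here.
        if e["dst-ip"] != honeypot_ip or e["action"] not in ("DROP", "OPEN-INBOUND"):
            continue
        s = summary[e["src-ip"]]
        s["src_ports"].add(int(e["src-port"]))
        if e["action"] == "DROP":
            s["dropped"] += 1
            s["probed_ports"].add(int(e["dst-port"]))
        else:
            s["accepted_ports"].add(int(e["dst-port"]))
        t = e["timestamp"]
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    return dict(summary)


def scanners(summary, min_ports=3):
    """Addresses that probed at least min_ports distinct ports: the sweep that
    precedes an attacker settling on the one port the firewall lets through."""
    return sorted(ip for ip, s in summary.items() if len(s["probed_ports"]) >= min_ports)


if __name__ == "__main__":
    entries, skipped = parse_log(SAMPLE_LOG)
    print("%d entries parsed, %d skipped" % (len(entries), skipped))
    summary = summarise_sources(entries, "150.206.2.4")
    for ip in scanners(summary):
        s = summary[ip]
        print(ip, "dropped=%d probed=%s accepted=%s src_ports=%s %s .. %s" % (
            s["dropped"], sorted(s["probed_ports"]), sorted(s["accepted_ports"]),
            sorted(s["src_ports"]), s["first"], s["last"]))
```

Reading the column names from the #Fields line rather than hard-coding them matters
because the field set differs between Windows versions, and skipping rather than
zipping a short line keeps a half-written tail entry from shifting every column.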
5.4. Sebek and network traffic
The captured network traffic is every packet that goes to and from the machine. It is
low-level data; any lower than this and you are looking at ones and zeros. Searching for
events by reading through the raw traffic is time consuming and tedious, and it is easy to
miss things.
Once I have identified an event from another source such as OSSEC, I know what to look for
in the network traffic and can go straight to the packets relating to that event to find
out more. The capture lets me inspect each packet sent, so I can see which protocols were
used and the actual contents of the packets. Illustration 24 shows the Wireshark interface
and how the contents of a packet are displayed.
Illustration 24: Wireshark
5.5. Example
I get an e-mail alert from OSSEC (appendix 3). From this alert I learn that someone is
trying to log on to the honeypot from a remote machine. There are many alerts, so it is
being attempted many times, and each attempt is failing because of an incorrect user name
or password.
Using that time frame I look at the Windows security logs (appendix 3). In the logs I can
see the repeated attempts to log in to the machine, along with all the processes that run
during each attempt. The remote machine reached some form of logon screen and attempted to
log on through the normal Windows logon procedure, much like logging on to a networked
computer.
Looking at the Windows Firewall log for the same times, I find the IP address of the
machine and see that it came from one fixed source port and tried many different ports on
the honeypot. All of those connections were dropped by the firewall. It then found the
Remote Desktop port, which is open, so the firewall allowed the connection. From then on
the attacker stuck to that destination port but changed its source port many times, so
each logon attempt arrives from a different source port, and all of them fail.
The Sebek packets confirm the ports and IP addresses and show that something ran on the
machine for each login attempt. In the network traffic I can see that for each logon
attempt the remote machine sets up a TCP connection and then uses the Remote Desktop
Protocol to try to log in.
Below is a summary of the attack.
Time range: 10:03:53 PM 03/09/2010 to 12:44:43 PM 25/09/2010
Source IP: 218.28.220.222
Source ports: 6000, and between 1000 and 5000
Source country: China
Source organisation: fxhlwswfw corp
Source city: Henan
Source domain: zz.ha.cn
User name: administrador
Destination ports: 3389, and a few others
Overview:
First they probed different ports, all from source port 6000. They found port 3389 open
and then connected to it from many different source ports, more than a hundred times.
Port 3389 is the Remote Desktop (Terminal Services) port. Each attempt was a TCP
connection to 3389 followed by a Remote Desktop Protocol session that reached the Windows
logon screen, where the logon failed. The Logon Type 10 in the security events is the
RemoteInteractive type used for Terminal Services logons, which confirms the attacker was
trying to get into the machine through a remote desktop session. The user name tried,
administrador, is the Spanish and Portuguese spelling of administrator.
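The cross-source matching walked through in this example, as an added example that is not
part of the original report: the OSSEC alert is parsed into its header fields and the
WinEvtLog events it quotes, and accepted inbound firewall connections to the port implied
by the events' logon type are looked up within a time window around the alert. The alert
text is retyped from section 5.1, the firewall entries are constructed (already parsed,
with the fields a pfirewall.log line carries), 192.0.2.10 is a documentation address, and
the logon-type-to-port table and the two-minute window are this example's assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed OSSEC e-mail notification in the layout of the alert in section
# 5.1 (agent, IP, rule number and user name as shown there; each WinEvtLog
# event is retyped on one line, which is how the e-mail carries it).
SAMPLE_ALERT = """\
OSSEC HIDS Notification.
2010 Sep 22 20:37:46

Received From: (XP-Honeypot) 150.206.2.4->WinEvtLog
Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."
Portion of the log(s):

WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: MASSEY-80383E93: Logon Failure: Reason: Unknown user name or bad password User Name: administrador Domain: MASSEY-80383E93 Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: MASSEY-80383E93
WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: MASSEY-80383E93: Logon Failure: Reason: Unknown user name or bad password User Name: administrador Domain: MASSEY-80383E93 Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: MASSEY-80383E93
"""

# Pre-parsed firewall entries, constructed to match the pattern in section 5.5:
# a probe weeks earlier, two accepted inbound RDP connections just before the
# alert, and an unrelated connection from another address.
FIREWALL = [
    {"timestamp": datetime(2010, 9, 3, 23, 32, 33), "action": "DROP",
     "src_ip": "218.28.220.222", "src_port": 6000, "dst_port": 42},
    {"timestamp": datetime(2010, 9, 22, 20, 36, 40), "action": "OPEN-INBOUND",
     "src_ip": "218.28.220.222", "src_port": 4211, "dst_port": 3389},
    {"timestamp": datetime(2010, 9, 22, 20, 37, 20), "action": "OPEN-INBOUND",
     "src_ip": "218.28.220.222", "src_port": 4220, "dst_port": 3389},
    {"timestamp": datetime(2010, 9, 22, 20, 37, 40), "action": "OPEN-INBOUND",
     "src_ip": "192.0.2.10", "src_port": 51000, "dst_port": 80},
]

# Which listening ports a Windows logon type implies (an assumption for the
# join): type 10 is RemoteInteractive (Terminal Services/RDP on 3389), type 3
# is a network logon (SMB on 445/139).
PORTS_FOR_LOGON_TYPE = {10: {3389}, 3: {445, 139}}

STAMP = re.compile(r"\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}")
RECEIVED = re.compile(r"Received From: \((?P<agent>[^)]+)\) (?P<ip>[\d.]+)->(?P<location>\S+)")
RULE = re.compile(r'Rule: (?P<rule>\d+) fired \(level (?P<level>\d+)\) -> "(?P<desc>.*)"')
EVENT = re.compile(r"AUDIT_(?P<outcome>[A-Z]+)\((?P<event_id>\d+)\)")


def parse_alert(text):
    """Pull the header fields and the quoted WinEvtLog events out of one alert."""
    alert = {"events": []}
    for raw in text.splitlines():
        line = raw.strip()
        if STAMP.fullmatch(line):
            alert["timestamp"] = datetime.strptime(line, "%Y %b %d %H:%M:%S")
        elif line.startswith("Received From:"):
            alert.update(RECEIVED.search(line).groupdict())
        elif line.startswith("Rule:"):
            m = RULE.search(line)
            alert["rule"], alert["level"] = int(m.group("rule")), int(m.group("level"))
            alert["rule_desc"] = m.group("desc")
        elif line.startswith("WinEvtLog:"):
            m = EVENT.search(line)
            if not m:
                continue
            user = re.search(r"User Name:\s*(\S+)", line)
            logon_type = re.search(r"Logon Type:\s*(\d+)", line)
            alert["events"].append({
                "outcome": m.group("outcome"), "event_id": int(m.group("event_id")),
                "user": user.group(1) if user else None,
                "logon_type": int(logon_type.group(1)) if logon_type else None})
    return alert


def correlate(alert, firewall, window=timedelta(minutes=2)):
    """Accepted inbound connections that could explain the alert: on a port the
    alert's logon types imply, within +/- window of the alert time. The window
    is needed because the alert time comes from the OSSEC manager's clock and
    the firewall log from the honeypot's, and the two are never exactly in step."""
    ports = set()
    for ev in alert["events"]:
        ports |= PORTS_FOR_LOGON_TYPE.get(ev["logon_type"], set())
    lo, hi = alert["timestamp"] - window, alert["timestamp"] + window
    return sorted((f for f in firewall
                   if f["action"] == "OPEN-INBOUND" and lo <= f["timestamp"] <= hi
                   and (not ports or f["dst_port"] in ports)),
                  key=lambda f: f["timestamp"])


def suspects(hits):
    """Remote addresses behind the matching connections, with a count each."""
    return dict(Counter(f["src_ip"] for f in hits))


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    hits = correlate(alert, FIREWALL)
    print(alert["timestamp"], alert["rule"], alert["rule_desc"], suspects(hits))
```

The honeypot's own security events never record the remote address for these logons, so
the firewall log is the only source that ties the OSSEC alert to 218.28.220.222; the join
on logon type, port and time is what makes that link, and it only holds if the honeypot
and the OSSEC manager keep their clocks synchronised.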
6. Conclusions
What I have achieved in this project is a working Windows honeypot that lets attackers
interact with it like a normal computer connected to the internet, and that records data
such as the network traffic and the effects of that traffic on the machine itself. I have
also been able to examine the data from the different sources and manually extract
information about specific attacks, and I have made a start on integrating the data into
a single format.
So although something useful was created, there is still room to extend what I've done: to
capture more data and to automate extracting it into a user-friendly format. There is also
a lot of potential in taking the next step of fully integrating the data and automating
the extraction of information about specific events.
7. References
1. Honeynet Project, http://www.honeynet.org/
2. Honeynet Project, http://www.honeynet.pk/honeywall/roo/honeywall2.jpg
3. Fahim Abbasi, http://seat.massey.ac.nz/projects/honeynet/
4. VMware Server, http://www.vmware.com/download/server/
5. Honeywall Roo, http://old.honeynet.org/papers/cdrom/roo/index.html, https://projects.honeynet.org/honeywall/
6. WinSCP, http://winscp.net/eng/index.php
7. Wireshark, http://www.wireshark.org/
8. NetWitness Investigator, http://download.netwitness.com/download.php?src=DIRECT
9. NetworkMiner, http://networkminer.sourceforge.net/
10. Packetyzer, http://network-chemistry-packetyzer.software.informer.com/
11. Sebek, https://projects.honeynet.org/sebek/
12. Sebek documentation, http://old.honeynet.org/papers/sebek.pdf
13. Sebek deployment, http://old.honeynet.org/papers/sebek.pdf
14. OSSEC, http://www.ossec.net/
15. OSSEC documentation, http://www.ossec.net/doc/
16. MySQL, http://www.mysql.com/
8. Bibliography
Abbasi, F. H. and Harris, R. J., "Experiences with a Generation III virtual Honeynet,"
Australasian Telecommunication Networks and Applications Conference (ATNAC 2009),
pp. 1-6, 10-12 Nov. 2009.
doi: 10.1109/ATNAC.2009.5464785
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5464785&isnumber=5464714
Rozenblit, M. (2000). Security for Telecommunications Network Management. USA: IEEE.
Ascenso, J., Luminita, B., Belo, C., & Saramago, M. (2006). e-Business and
Telecommunication Networks. Dordrecht, Netherlands: Springer.
Wang, H. (1999). Telecommunications Network Management. USA: McGraw-Hill.
Valade, J. (2006). PHP & MySQL. Wiley Publishing.
McClure, S., Scambray, J., & Kurtz, G. (2005). Hacking Exposed. McGraw-Hill.
Novak, J., & Northcutt, S. (2003). Network Intrusion Detection. New Riders Publishing.
9. Appendices
Appendix 1
MASSEY UNIVERSITY
4TH YEAR PROJECT FOR 2010
Student: Luke Birkin
Supervisor: Richard Harris
Co-supervisor: Fahim Abbasi
Intrusion Detection Using Honeynets
Summary
As the internet has grown, so have the abilities of hackers and malware. They need to be
studied in order to develop tools to combat them and stay one step ahead. Honeynets are
very useful for this: a Honeynet is a network that lets hackers interact with a computer
while recording the data flows without their knowledge. The Honeynet at Massey University
is currently limited to Linux honeypots. Since most users run Windows-based operating
systems there is a huge internet population of Windows machines, which have become an easy
target, so there is a need to improve their security and hence a need for more research
tools in this area. A Windows honeypot should therefore be set up within the current
Honeynet to gather more information about Windows security threats.
I will be working on the Honeynet at Massey University set up by Fahim Abbasi. I aim to
set up a high-interaction Windows honeypot and install data capture tools on it such as
Sebek, OSSEC, CaptureHPC and Nepenthes. By doing this I aim to expand the intrusion
detection capabilities of the Honeynet so that it records extensive data. I want to
integrate this data so that useful information can be extracted efficiently and used for
behavioural analysis to understand hackers better. I have one year to work on this
project, from 01/03/2010 to 10/11/2010, with each Friday allocated to it. I have a budget
of $300, but as most things are already set up and I am using Open Source software, the
only major cost will be an external hard drive to store the recorded data. When I am
finished I want to have a Windows honeypot with data capture tools working on it, and a
system to integrate this data and extract useful information.
Contents
1. Description
2. Context
3. Literature Survey
4. Requirement analysis
5. Intellectual Property
   i) Others' work
   ii) My work
6. Aim
7. Objectives
   i) Improve the Honeywall interface
   ii) Set up a Windows machine as a Honeypot
   iii) Set up Nepenthes as a malware collecting Honeypot
   iv) Use Sebek with Windows Honeypots
   v) Use OSSEC as HIDS
8. Constraints
9. Schedule
10. Budget
   i) Finances
   ii) Time
11. Communication Plan
12. Project Outputs
1. Description
To research and improve the intrusion detection capabilities of a Honeynet so that the
behaviour of hackers and viruses can be studied and analysed more efficiently and
effectively, by expanding the capabilities of the existing Honeynet at Massey University.
This will be carried out by setting up a Windows XP based honeypot within the Honeynet,
which will give valuable insight into both network-based and system-based malicious
events.
2. Context
A Honeynet is a very useful tool for gathering information. Below is an illustration of
the architecture. A Honeynet is a network whose function is to record data flows and
intrusions into the network for research purposes. It normally has no other use, so most
interactions with the system are likely to be malicious, such as viruses and hackers. From
the internet the honeypots appear to be normal machines. Within this architecture the
gateway is called the Honeywall (labelled 1), which records all data flows. It is managed
from outside the Honeynet (labelled 2) and is undetectable from inside. Within the
Honeynet are the honeypots (labelled 3 and 4), the individual systems that a hacker can
interact with. They can be low or high interaction, which determines how much information
can be gathered.
With the growth of the internet and networking, security issues have grown too. Many
organisations have networks of routers and hosts connected to many devices and computers,
which have to be protected from hackers and viruses gaining unwanted access. These threats
can cause data loss, unwanted changes and new vulnerabilities. Hackers are always growing
in skill and developing new viruses and hacking methods, so firewalls and antivirus
software have to be constantly updated to keep up with them and keep networks safe. There
is therefore a need to study what black hats are doing and to develop tools to combat
them, and a Honeynet is a very useful tool for gathering that information.
3. Literature Review
1. www.honeynet.org
This site provides a lot of information on how Honeynets work and many different tools to
use. People all over the world work on this project, so it is a place to share tools that
have been developed and to share ideas.
2. Stephen Northcutt & Judy Novak (2003), Network Intrusion Detection, New Riders
Publishing.
This book covers intrusion detection from the very basics of networks and packets up to
implementation, application and real-world examples.
3. Abbasi, F. H. and Harris, R. J., "Experiences with a Generation III virtual Honeynet,"
Australasian Telecommunication Networks and Applications Conference (ATNAC 2009),
pp. 1-6, 10-12 Nov. 2009. doi: 10.1109/ATNAC.2009.5464785
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5464785&isnumber=5464714
This paper covers in detail the need for Honeynets and how they work, and Fahim's
experience of setting up the one at Massey University. It will be very useful for my
project as I will be building on what Fahim has already accomplished.
4. Requirements analysis
The current setup at Massey University is limited to Linux-based honeypots. There is a
need to improve the current interface, extend the Honeynet to Windows and set up systems
for more extensive data capture. This is needed to make it easier and more effective to
study the behaviour of black hats and what they are doing, as the current tools and
implementation are based on a knowledge-base system and lack a behaviour model.
Incorporating behavioural data into the existing setup will augment the intrusion
detection capabilities and give a broader picture for security analysis.
5. Intellectual property
i) Others' work
The Honeynet Project is a non-profit research organisation committed to improving network
security. It encourages the use of Open Source, so any networking software I use will be
Open Source, and any other programs I use will be registered to myself or to Massey
University.
ii) My work
One possibility is a tool that intelligently correlates network and system events in a
Honeynet to infer and classify malicious activity. Another candidate is a tool that parses
system (Windows XP) log files to generate a behavioural profile. As I progress I may have
more ideas or methods that could have future value; in that case I would discuss the
possibilities with my supervisor.
6. Aim
To set up a Windows honeypot on an existing Honeynet and to set up data capture tools on
that honeypot to record information about intrusions, and to integrate the information
obtained so that black hat behaviour can be studied more effectively.
7. Objectives
i) Set up a Windows machine as a honeypot
Microsoft Windows based operating systems claim a huge share of the desktop market; over
80% of PC users worldwide run Microsoft Windows on their desktops. This leads to a massive
online population of such systems. With their ease of use and lack of strong security
functions, these systems have become an easy target, which is one reason that a large
number of attacks today are directed at Windows-based systems. For our Honeynet
infrastructure we need to set up a Windows-based host as a honeypot. This will give us
insight into Windows-based attacks and hacks. We would like to set up two such systems.
One will be a passive Windows server with basic services such as FTP and IIS. The other
will be a Windows-based client honeypot, preferably an implementation of a client honeypot
such as CaptureHPC, developed at Victoria University.
ii) Use Sebek with Windows honeypots
Honeypots come in different levels of interaction, which determine how much the attacker
can do with the system. There are also different ways of capturing data; most methods just
record the packets. The more information that can be collected, the more we can find out
about hackers. Sebek is a kernel-level module that can be installed on a high-interaction
honeypot for extensive data capture, far more than a low-interaction honeypot can collect.
We would like to set up Sebek on our Windows-based server.
iii) Use OSSEC as HIDS
OSSEC is a host-based intrusion detection system that records how a hacker interacts with
the system. This goes beyond just recording what is in packets and makes it possible to
study the behaviour of hackers and what they actually do once they have access to a
system.
iv) Install CaptureHPC
This is a high-interaction client honeypot that finds malicious servers on a network. It
interacts with servers from a dedicated virtual machine and looks for changes in system
state. It can observe file systems, registries and processes at the kernel level and can
collect malware.
v) Set up Nepenthes as a malware-collecting honeypot
Currently the Honeywall records all the intrusions and port scans for us to study but does
no processing of its own. To make the Honeynet more effective we need more software that
specifically detects malware. Nepenthes is one such program: a low-interaction honeypot
that emulates known vulnerable services and keeps the malware that is pushed at them.
We would like to set up a Nepenthes-based honeypot within our Honeynet infrastructure.
vi) Integrate the obtained data
There is no use in capturing data unless it can be interpreted and useful information
drawn from it. With packet data there is often a huge volume, and it can be difficult and
time consuming to extract anything useful from it. So the data obtained from the different
tools needs to be integrated and displayed in a useful way, so that it can be viewed and
information obtained from it efficiently.
8. Constraints
I will be working on a Honeynet on Massey's Turitea campus that was set up by Fahim
Abbasi. My activities will be restricted to this network.
I plan to develop information collection systems on virtual honeypots, restricted to
setting up high-interaction systems that record how hackers interact with the system and
that collect malware. So I am developing research systems.
9. Schedule
Below is a Gantt chart of my proposed schedule for the rest of this year.
Proposed Schedule (Gantt chart, March to November 2010), with the tasks in order:
- Project proposal
- Literature Review
- Set up a Windows machine as Honeypot
- Set up Sebek on Windows Honeypot
- Install OSSEC as HIDS
- Install CaptureHPC
- Set up Nepenthes as malware collecting Honeypot
- Obtain and integrate data
- Report write up
10. Budget
Finances
I am entitled to a budget of $300 to cover expenses.
Things required:
• Computer to work on
• A Honeynet
• Software
• External hard drive
• Information resources
As I will be working on a system that is already physically set up, and most of what I am
doing is software based using Open Source software, there will not be any major ongoing
costs for tools and materials. Massey will also provide a computer for me to use while I
am here. The information I need can be obtained from the internet, the library and my
supervisors. The only item I will need to purchase is an external USB hard drive, mainly
to store and transport data logs. One of these can be obtained for under $200.
Time
Start 01/03/2010
Finish 10/11/2010
The time specified above includes proposal and final report writing. Half an hour a week
is set aside for meeting my supervisor. All day Friday is set apart for working on this
project, so I plan to spend a minimum of 8 hours a week on it. I will also spend time
during the week whenever required.
11. Communication Plan
My supervisor, co-supervisor and I will meet weekly on Friday mornings to discuss my
progress and any problems. If additional communication is needed we can do that by e-mail,
or organise meeting times.
12. Project outputs
i) A Honeywall interface that is easier to use and more efficient.
ii) A working Windows-based honeypot.
iii) Nepenthes set up to collect malware on a honeypot.
iv) Sebek set up on a honeypot for extensive data capture.
v) A host-based intrusion detection system set up for behaviour analysis.
vi) A system to integrate data and extract information efficiently.
Appendix 2
I found this project quite hard for different reasons. I didn't know a lot about what I
had to work with, so there was quite a bit of research and self-learning to do, which I
found hard to motivate myself to do. There was quite a wide range of potential things to
do, so I had to try to focus and get something completed and not get distracted by other
things. Also the amount of data was quite daunting, so working out how to get useful
information without getting bogged down was an issue.
So for next time I think the major thing that would improve my performance would be to do
more preliminary research and get a better understanding of the project before I started.
Also I should have spent more time planning and specifying what needed to be done and what
was optional, so that I knew exactly what I was doing throughout the project and could
have been more productive.
Appendix 3
OSSEC email alert
OSSEC HIDS Notification.
2010 Sep 22 20:37:46
Received From: (XP-Honeypot) 150.206.2.4->WinEvtLog
Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."
Portion of the log(s):
WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: MASSEY-80383E93:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrador
Domain: MASSEY-80383E93
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: MASSEY-80383E93
WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: MASSEY-80383E93:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrador
Domain: MASSEY-80383E93
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: MASSEY-80383E93
Windows logs
9/22/2010,8:36:58 PM,Security,Success Audit,Detailed Tracking ,592,NT AUTHORITY\SYSTEM,MASSEY-80383E93,"A new process has been created:
New Process ID: 1796
Image File Name: C:\WINDOWS\system32\csrss.exe
Creator Process ID: 532
User Name: MASSEY-80383E93$
Domain: WORKGROUP
Logon ID: (0x0,0x3E7)
"
9/22/2010,8:36:58 PM,Security,Success Audit,Detailed Tracking ,592,NT AUTHORITY\SYSTEM,MASSEY-80383E93,"A new process has been created:
New Process ID: 468
Image File Name: C:\WINDOWS\system32\winlogon.exe
Creator Process ID: 532
User Name: MASSEY-80383E93$
Domain: WORKGROUP
Logon ID: (0x0,0x3E7)
"
9/22/2010,8:37:00 PM,Security,Success Audit,System Event ,515,NT AUTHORITY\SYSTEM,MASSEY-80383E93,A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
Logon Process Name: Winlogon\MSGina
9/22/2010,8:37:00 PM,Security,Success Audit,Privilege Use ,577,NT AUTHORITY\SYSTEM,MASSEY-80383E93,"Privileged Service Called:
Server: NT Local Security Authority / Authentication Service
Service: LsaRegisterLogonProcess()
Primary User Name: MASSEY-80383E93$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: MASSEY-80383E93$
Client Domain: WORKGROUP
Client Logon ID: (0x0,0x3E7)
Privileges: SeTcbPrivilege"
9/22/2010,8:37:01 PM,Security,Success Audit,Privilege Use ,577,NT AUTHORITY\SYSTEM,MASSEY-80383E93,"Privileged Service Called:
Server: NT Local Security Authority / Authentication Service
Service: LsaRegisterLogonProcess()
Primary User Name: MASSEY-80383E93$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: MASSEY-80383E93$
Client Domain: WORKGROUP
Client Logon ID: (0x0,0x3E7)
Privileges: SeTcbPrivilege"
9/22/2010,8:37:01 PM,Security,Failure Audit,Logon/Logoff ,529,NT AUTHORITY\SYSTEM,MASSEY-80383E93,Logon Failure:
Reason: Unknown user name or bad password
User Name: administrador
Domain: MASSEY-80383E93
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: MASSEY-80383E93
9/22/2010,8:37:01 PM,Security,Failure Audit,Account Logon ,680,NT AUTHORITY\SYSTEM,MASSEY-80383E93,Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: administrador
Source Workstation: MASSEY-80383E93
Error Code: 0xC0000064
9/22/2010,8:37:03 PM,Security,Success Audit,Detailed Tracking ,593,NT AUTHORITY\SYSTEM,MASSEY-80383E93,"A process has exited:
Process ID: 468
Image File Name: C:\WINDOWS\system32\winlogon.exe
User Name: MASSEY-80383E93$
Domain: WORKGROUP
Logon ID: (0x0,0x3E7)
"
9/22/2010,8:37:03 PM,Security,Success Audit,Detailed Tracking ,593,NT AUTHORITY\SYSTEM,MASSEY-80383E93,"A process has exited:
Process ID: 1796
Image File Name: C:\WINDOWS\system32\csrss.exe
User Name: MASSEY-80383E93$
Domain: WORKGROUP
Logon ID: (0x0,0x3E7)
"