
Intrusion Deception

Intrusion Deception. Kirby Kuehl, Honeynet Project Member, 05/08/2002. Intrusion Deception—Deceiving the Blackhat: Reconnaissance is an inspection or exploration of an area, especially one made to gather military information. A Honeypot MUST appear to be an attractive target.





Presentation Transcript


  1. Intrusion Deception
     Kirby Kuehl, Honeynet Project Member, 05/08/2002

  2. Intrusion Deception—Deceiving the Blackhat
     • Reconnaissance: an inspection or exploration of an area, especially one made to gather military information.
     • A Honeypot MUST appear to be an attractive target.
     • Accurate responses to active (nmap) and passive (p0f) operating system fingerprinting methods, daemon banner queries, port scans, and vulnerability scanners (nessus).
     • Convincing content if the system is running httpd or ftpd.
     • Inconspicuous in relation to the rest of the network.
     • The Honeypot can reside next to production systems so that it is scanned during sweeps, or ports can be redirected from production systems to the Honeypot.
     Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl

  3. Intrusion Deception—Passing Recon
     • Honeynet Project
       - Uses actual default installations of actively exploited operating systems and services.
       - Nothing is emulated, so the host's response to reconnaissance methods will be accurate.
       - Data Capture (logging), Data Control (firewalling), and Intrusion Detection (alerting) are performed utilizing other HARDENED hosts on the network.
       - No production hosts on the network, to eliminate data pollution. All traffic is suspect and is logged in full tcpdump format.

  4. Honeynet Design – Generation I

  5. Honeynet Design – Generation II
     • The Honeynet Sensor
       - Data Control: limits outbound connections (hogwash or iptables), allowing Blackhats to obtain their tools but not attack other systems.
       - Data Capture: IDS (snort) logging all traffic as well as providing an alert mechanism.
       - Deception: no IP stack; no TTL decrementing.

  6. Intrusion Deception—Passing Recon
     • Virtual Honeynets
       - VMware: GuestOS (Honeypot) virtual machine inside HostOS.
       - GuestOS is caged by denying access to the HostOS filesystem.
       - Host-only networking forces the GuestOS to access the network through the HostOS, allowing firewalling and intrusion detection.
       - The Honeynet Project utilizes a Red Hat default installation running inside a hardened Red Hat installation.
       - NMAP's TCP fingerprinting returned unknown OS.
       - Running a mock e-commerce site.

  7. Intrusion Deception—Passing Recon
     • Open source Honeypots
       - Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run simulated TCP services or proxy the service to another machine. The TCP/IP personality (OS fingerprints) can be adapted so that they appear to be running certain versions of operating systems.
       - Arpd enables a single host to claim all unassigned addresses on a LAN by answering any ARP request for an IP address with the MAC address of the machine running arpd.

  8. Honeyd / Arpd Configuration
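The configuration shown on slide 8 is not in the transcript; the following is an added illustration (not the deck's own configuration) of a honeyd template that implements the slide 7 description: an OS personality for fingerprinters, a scripted service, a proxied service, and arpd claiming the unused addresses. The 10.0.0.0/24 range, the 10.0.0.20 and 10.0.0.5 addresses, the personality string and the script paths are assumed values.

```conf
# honeyd.conf (added example, not from the presentation)
# Assumed: honeyd will own 10.0.0.0/24; 10.0.0.5 is a real hardened host.
# The personality string must match an entry in the nmap.prints file
# honeyd is started with, or the fingerprint response will be wrong.

create win2k
set win2k personality "Microsoft Windows 2000 Server SP2"
# Closed ports answer like a real host (RST / ICMP unreachable),
# so a port scan does not reveal an emulator that simply drops packets.
set win2k default tcp action reset
set win2k default udp action reset
set win2k default icmp action open
# Plausible uptime, so TCP timestamp based passive tools (p0f) see a long-running box.
set win2k uptime 1728650

# Scripted service: honeyd runs the script per connection and pipes the socket to it
# (script paths assumed; honeyd passes source/destination as $ipsrc $sport $ipdst $dport).
add win2k tcp port 80 "sh scripts/web.sh"
add win2k tcp port 21 "sh scripts/ftp.sh $ipsrc $sport $ipdst $dport"
# Proxied service: hand the connection to a real daemon on another machine.
add win2k tcp port 25 proxy 10.0.0.5:25

# Bind the template to one of the unassigned addresses.
bind 10.0.0.20 win2k

# Start-up on the sensor host (run as root on the interface facing the LAN):
#   arpd 10.0.0.0/24
#   honeyd -d -f honeyd.conf -p nmap.prints -i eth0 10.0.0.0/24
# arpd answers ARP for every unassigned address so the traffic reaches honeyd;
# run a packet capture on the same interface so all traffic to the virtual hosts is logged.
```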

  9. Intrusion Deception—Passing Recon
     • Commercial Honeypots
       - Mantrap from Recourse Technologies (requires Solaris)
       - Ability to create up to 4 sub-systems (cages), each running Solaris, by utilizing separate interfaces (each host will have a unique MAC address).
       - You can run virtually any application that doesn't interact with the kernel within the 4 chrooted cages.
       - Content Generation Module can be used to create realistic data.

  10. Mantrap Configuration

  11. Mantrap Configuration

  12. Intrusion Deception—Passing Recon
     • Commercial Honeypots
       - Specter (requires Windows NT)
       - Specter can emulate one of 13 different operating systems. As of Version 6.02 the IP stack is not emulated, so IP fingerprinting tools are not fooled. (A Stealth Plugin is currently under development using raw socket support on XP.)
       - Specter honeypots offer 14 fully (100%) emulated services such as SMTP, FTP, Telnet, Finger, POP3, IMAP4, HTTP, and SSH.
       - Custom fake password files and custom HTTP content.

  13. Specter Configuration

  14. Intrusion Deception—Passing Recon
     • Commercial Honeypots
       - Netfacade from Verizon (requires Solaris)
       - Can simulate up to an entire class C, although all hosts will have the same MAC address.
       - Simulates 8 different operating systems, properly fooling TCP fingerprinting methods.
       - Simulates 13 different vulnerable services such as FTP (wu-2.4.2-academ[BETA-12](1), System V Release 4.0, and SunOS 4.1 versions), SSH (SSH Communications Security Ltd's 1.2.26 and 2.0.9 versions), etc.
       - Automatically generates hostnames, user accounts, operating systems and running services for simulated hosts through a web interface.

  15. Intrusion Deception—Changing with the times
     • Blackhat techniques have become more sophisticated:
       - Using kernel module rootkits (adore, kis)
       - Process hiding
       - Keystroke logging
       - Covert communication channels
       - Polymorphic shellcode (ADMutate)
       - Fragroute (IDS evasion)
     • Honeynet Project:
       - Patching the kernel directly
       - Keystroke logging, allowing us to capture encrypted outbound traffic (ssh)
       - Logging via covert communication channels rather than remote syslog
       - Snort-stable, enabling appropriate preprocessors and logging all traffic (not just TCP/UDP/ICMP)

  16. Intrusion Deception—Honeynet Alliance
     • Research Alliance Honeynets
       - Freedom for organizations to create their own honeynets and participate in a virtual community.
       - Standardized capture and logging formats
       - Events can be forwarded to a common database
       - Shared research and analysis
       - Research Alliance Honeynets exist within advertised environments alongside production systems, hopefully attracting targeted and more sophisticated attacks.

  17. Intrusion Deception—More Information
     • http://project.honeynet.org
       - Whitepapers
       - Forensic Challenge
       - Scan of the Month
       - Research Alliance
       - Know Your Enemy book
     • kkuehl@cisco.com
