1 / 51

Workshop – Intro to Honeypot Palembang, 20 Juni 2014

Workshop – Intro to Honeypot Palembang, 20 Juni 2014. Charles Lim charles.lim@honeynet.or.id Mario Marcello mario@gsk.co.id. Agenda. Introduction to Honeypot Why Honeypot Honeypot – Dionaea Installation Configuration Detecting OS Submitting Samples Visualizing the Attack. Honeypot.

pakuna
Télécharger la présentation

Workshop – Intro to Honeypot Palembang, 20 Juni 2014

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Workshop – Intro to HoneypotPalembang, 20 Juni 2014 Charles Lim charles.lim@honeynet.or.id Mario Marcello mario@gsk.co.id

  2. Agenda • Introduction to Honeypot • Why Honeypot • Honeypot – Dionaea • Installation • Configuration • Detecting OS • Submitting Samples • Visualizing the Attack

  3. Honeypot • A Honeypot is • systems that are designed to be exploited, whether through emulated vulnerabilities, real vulnerabilities, or weaknesses. “Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.” Source: Malware Analyst Cookbook

  4. Honeypot • Two types of Honeypot: • Low Interaction • Simulate most frequent services requested by attackers • E.g. Dionaea, Kippo, Honeytrap • High Interaction • Imitate the activities of the real systems that host a variety of services • E.g. HiHAT • Virtual Machine is commonly used for ease of maintenance

  5. Honeypot

  6. Other Honeypots • ENISA Published Review on Honeypot in a very nice documentation found in: • http://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-of-security-incidents-II-honeypots “Great insights into malicious activity in a CERT’s constituency, providing early warning of malware infections, new exploits, vulnerabilities and malware behavior as well as an excellent opportunity to learn about changes in attacker tactics.”

  7. Honeypot – Why? • We have used IDS in the past • What we have learned: • Only known attacks are detected • Unknown attacks are not detected • Many false positives (if not properly tuned) • We use honeypot to: • Understand what is the attacker is doing, i.e. behavior of the attack • Both Low interaction & High Interaction have their own advantages and disadvantages

  8. Call to participate • “CERTs need to cooperate and develop large-scale inter-connected sensor networks in order to collect threat intelligence from multiple distributed geographic areas.” ENISA Research on Honeypots

  9. Call to participate • Participate in Honeynet research sponsored by KOMINFO • Help our government in early warning of cyber attack • You will get Honeypot sensor hardware to capture the cyber attack in your infrastructure • You need one Public IP Address

  10. Road Map Amien H Rosyandino -ID SIRTII- Randy Anthony -SGU- Michael -SGU- Stewart -SGU- Glenn -SGU-

  11. Honeypot in SGU • Nepenthes (2010) • Migrate to Dionaea (2011)

  12. Web Interface (2012) Thanks to Stewart (SGU IT Batch 2010)

  13. Web Interface (2012) Thanks to Stewart (SGU IT Batch 2010)

  14. Web Interface (2012) Thanks to Stewart (SGU IT Batch 2010)

  15. Web Interface (2012) Thanks to Stewart (SGU IT Batch 2010)

  16. Web Interface (2012) Thanks to Stewart (SGU IT Batch 2010)

  17. Web Interface (2013) Thanks to Andrew & Tommy (SGU IT Batch 2011)

  18. Web Interface (2013) Thanks to Andrew & Tommy (SGU IT Batch 2011)

  19. Web Interface (2013) Thanks to Andrew & Tommy (SGU IT Batch 2011)

  20. Web Interface (2013) Thanks to Andrew & Tommy (SGU IT Batch 2011)

  21. Web Interface (2013) Thanks to Andrew & Tommy (SGU IT Batch 2011)

  22. Web Interface (2013) Thanks to Andrew & Tommy (SGU IT Batch 2011)

  23. Web Interface (2013) Thanks to Andrew & Tommy (SGU IT Batch 2011)

  24. Call to participate • Register your PIC (Person In Charge) of your university • You need to send us: • IP address of your university • PIC of the server admin • Your sensor (sponsored by KOMINFO) will be sending data to the Repo server

  25. Further Information • The Honeynet Project (http://www.honeynet.org) • Indonesia Honeynet Project (http://www.honeynet.or.id) • Indonesia Honeynet Project Mailing List (http://groups.google.com/group/id-honeynet) • Swiss German University (http://www.sgu.ac.id) • My Blog (http://people.sgu.ac.id/charleslim)

  26. Honeypot – Dionaea

  27. Dionaea • Website: http://dionaea.carnivore.it • Menangkap malware yang menyerang ke sistem • Membuka port 21, 69, 80, 445, 1433, 3306, 5060 • Metode instalasi: • lewat repository yang tersedia • install manual

  28. Data Serangan Dionaea • logsql.sqlite • /binaries -- malware • /log

  29. Honeypot - Dionaea • A low interaction honeypot • A successor to Nepenthes • Originally developed by Markus Kötter • one of the original developers of nepenthes • initially developed dionaea as part of the Honeynet Project’s Summer of Code 2009

  30. Honeypot - Dionaea • Codes written in C • exposes a Python interface  add new modules w/o recompiling • It supports IPv6 and TLS • uses libemu for shellcode detection. • It implements a Python-based version of the Windows Server Message Block (SMB) protocol • allowing it to properly establish sessions before being exploited by attacking machines. • Other low-interaction honeypots only simulate certain vulnerable functions. • It logs information on attacks to an SQLite3 database • a simple way to generate and graph statistics

  31. Honeypot - Installation • Dionaea Step-by-step installation has been provided to you for your reference • Recommendation distro: Debian or Ubuntu, though all distro will also works fine • Installation Directory: • /opt/dionaea  $DIONAEA_HOME • Main Configuration file: • $DIONAEA_HOME/etc/dionaea/dionaea.conf

  32. Honeypot - Installation • Honeypot Log default configuration is logging: • Debug, • Info, • Message, • Warning, • Critical, and • Error messages

  33. Honeypot - Installation • Consider adjusting the following parameters • Under the default parameters: • Old Levels = “all” • New Levels = “all, -debug” • Under the errors parameters: • Levels = “warning, error” • New Levels = “error”

  34. Honeypot - Installation • IP Interface Binding • Mode = “manual” • # bind to all IPv4 addresses on eth0 interface • addrs = { eth0 = [“0.0.0.0”] } • # bind to .50 and .51 on eth0 interface • addrs = { eth0 = [“10.14.49.50”, “10.14.49.51”] } • # bind to .50 on eth0 and all IPv4 on eth1 • addrs = { eth0 = [“10.14.49.50”], eth1 = [“0.0.0.0”] }

  35. Honeypot - Installation • ihandlers = { • handlers = [“ftpdownload”, • “tftpdownload”, • “emuprofile”, • “cmdshell”, • “store”, • “uniquedownload”, • “logsql”, • // “logxmpp”, • // “p0f”, • // “surfids”] • } Dionaea uses SQLite Database (logsql)

  36. Honeypot - Installation • services = { • serve = [“http”, • “https”, • “tftp”, • “ftp”, • “mirror”, • “smb”, • “epmap”] • } You might want to disable http, https, tftp and ftp. Smb and emap is used for collecting malware

  37. Honeypot - Running $ sudo ./dionaea -u nobody -g nogroup \ -p /opt/dionaea/var/dionaea.pid -D You use the relevant user and group

  38. Honeypot – Passive Identification $ sudo apt-get install p0f • P0f used to identify the host OS (not guaranteed to be accurate) • Also dionaea log p0f result to sqlite database • Modify the parameter in ihandler section

  39. Honeypot – Passive Identification (command line) $ sudo p0f -i any -u root -Q /tmp/p0f.sock -q -l -d -o /dev/null \ -c 1024

  40. Honeypot – Passive Identification (daemon) sudo chown nobody:nogroup /tmp/p0f.sock $ sqlite3 /opt/dionaea/var/dionaea/logsql.sqlite sqlite> select p0f,p0f_genre,p0f_link,p0f_detail from p0fs limit 10; • Permission need to be modified • After restarting dionaea, you can verify them using the sqlite command prompt (as shown above)

  41. Honeypot – Submit samples to virustotal • ihandlers = { • handlers = ["ftpdownload", "tftpdownload", • "emuprofile", "cmdshell", "store", "uniquedownload", • "logsql", • "virustotal", • . • . • } • virustotal = { • apikey = • "78b522c17a419aacad191e355550b3a54c1a9efc40d34$ • file = "var/dionaea/vtcache.sqlite“ • }

  42. Distributed Sensor • Deploy sensor honeypot di beberapa titik • Simpan data di satu storage server (centralized database) • Dua metode untuk mentransfer data: • Pull • Push

  43. Pull • Server login ke masing-masing sensor • Copy data serangan ke server setiap beberapa menit • semi real-time Sensor 1 Sensor 2 Sensor 3 Sensor 4

  44. Dionaea Mysql Reporting System Sqlite Database Migration SSHFS Java

  45. Sqlite Mysql Dionaea Reporting System Step by Step Shutdown Dionaea

  46. Sqlite Mysql Dionaea Reporting System Step by Step Read Database

  47. Sqlite Mysql Dionaea Reporting System Step by Step Rerun Dionaea

  48. Push • Menggunakan XMPP • Simpan data serangan langsung di server • Real-time Sensor 1 Sensor 2 Sensor 3 Sensor 4

  49. Push

  50. Raspberry Pi

More Related