1. Honeypots
Bernardo Maia Rodrigues
bmr@csirt.pop-mg.rnp.br
CSIRT PoP-MG
Computer Security Incident Response Team
Ponto de Presença da RNP em Minas Gerais
2. Introduction
A honeypot is a security computing resource dedicated to being probed, attacked or compromised.
3. Applications
● Detect internal attacks;
● Identify scans and automated attacks;
● Identify trends;
● Keep attackers away from important systems;
● Collect attack signatures and malicious code (malware);
● Detect compromised machines.
5. Environments for Honeypots
● OpenBSD
● FreeBSD
● Linux
● Windows ???
6. Survival Time: Windows
“The survival time is calculated as the average time between reports for an average target IP address. If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe.
The average time between probes will vary widely from network to network. Some of our submitters subscribe to ISPs which block ports commonly used by worms. As a result, these submitters report a much longer 'survival time'. On the other hand, University Networks and users of high speed internet services are frequently targeted with additional scans from malware like bots. If you are connected to such a network, your 'survival time' will be much smaller.”
http://isc.sans.org/survivaltime.html
11. Detecting Virtual Machines
/* VMM detector, based on SIDT trick written by joanna at invisiblethings.org
 * should compile and run on any Intel based OS
 * http://invisiblethings.org
 * Note: 32-bit x86 only (a pointer is stored into a 4-byte operand), and the
 * stack must be executable because rpill is run as code.
 */
#include <stdio.h>
int main () {
    /* m receives the 6-byte IDTR (2-byte limit, 4-byte base) that SIDT stores;
     * rpill is machine code for "sidt [m]; ret" with the address patched in below */
    unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
    *((unsigned*)&rpill[3]) = (unsigned)m;      /* write &m into the SIDT operand */
    ((void(*)())&rpill)();                      /* execute: m now holds the IDTR */
    printf ("idt base: %#x\n", *((unsigned*)&m[2]));
    /* heuristic: VMMs of the time relocated the guest IDT to a high address */
    if (m[5]>0xd0) printf ("Inside Matrix!\n");
    else printf ("Not in Matrix.\n");
    return 0;
}
13. Honeyd
http://www.honeyd.org
● Low interaction
● Daemon: virtual networks
● Configurable through scripts to simulate applications of any operating system
● Niels Provos: Google engineer, OpenSSH and OpenBSD contributor
14. Honeyd – Configuration
$> cat /var/honeyd/conf/honeyd.conf
annotate "Linux kernel 2.2.13 (SuSE; X86)" fragment old
create brutessh
set brutessh personality "Linux kernel 2.2.13 (SuSE; X86)"
set brutessh default tcp action reset
set brutessh default udp action reset
set brutessh default icmp action reset
add brutessh tcp port 22 proxy 10.0.0.1:9999
bind *.*.*.* brutessh
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows uptime 437849843
add windows tcp port 80 "scripts/iis5.net/main.pl"
bind *.*.*.* windows
15. Honeyd – Scripts
$> cat /var/honeyd/scripts/hello.sh
#!/usr/local/bin/bash
echo "Hello world!"
while read data
do
echo "$data"
done

$> cat /var/honeyd/conf/honeyd.conf
create test
add test tcp port 23 "/var/honeyd/scripts/hello.sh"
bind 10.0.0.1 test

$> telnet 10.0.0.1 23
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
Hello world!

$> tail /var/honeyd/log/honeyd.log
2008-08-28-09:48:16.3539 tcp(6) S *.*.*.* 59255 10.0.0.1 23 [Linux 2.6 ]
16. Honeyd – Log Analysis
$> cat /var/honeyd/log/honeyd.log
2008-08-28-00:39:00.0156 tcp(6) - 189.34.72.204 39367 *.*.*.* 22: 60 S [Linux 2.6 ]
2008-08-28-02:03:34.8542 tcp(6) - 124.64.123.69 64161 *.*.*.* 8080: 48 S [Windows XP SP1]
2008-08-28-02:17:44.3695 tcp(6) - 118.161.232.185 53063 *.*.*.* 3124: 48 S [Windows XP SP1]
2008-08-28-02:39:21.3643 tcp(6) - 201.160.39.176 4628 *.*.*.* 4899: 48 S [Windows XP SP1]
2008-08-28-03:15:22.0131 tcp(6) - 58.215.93.7 6000 *.*.*.* 2967: 40 S
2008-08-28-04:13:58.0860 icmp(1) - 222.124.175.222 *.*.*.*: 8(0): 61
2008-08-28-04:41:32.8131 tcp(6) - 148.204.175.200 35480 *.*.*.* 22: 60 S [Linux 2.6 ]
2008-08-28-04:55:34.4515 icmp(1) - 12.210.84.232 *.*.*.*: 8(0): 61
2008-08-28-05:09:05.3692 tcp(6) - 200.249.132.68 3353 *.*.*.* 135: 48 S [Windows XP SP1]
2008-08-28-06:39:50.9295 tcp(6) - 200.249.132.68 1300 *.*.*.* 135: 48 S [Windows XP SP1]
2008-08-28-07:16:31.3405 tcp(6) - 81.88.245.118 3559 *.*.*.* 445: 48 S [Windows XP SP1]
2008-08-28-07:36:45.1329 tcp(6) - 125.230.79.108 4512 *.*.*.* 25: 52 S [Windows 2000 RFC1323]
2008-08-28-07:45:31.4038 tcp(6) - 201.3.202.102 34215 *.*.*.* 22: 60 S [Linux 2.6 ]
2008-08-28-08:36:44.6540 tcp(6) - 84.60.254.245 4126 *.*.*.* 8080: 48 S [Windows 98 ]
17. Honeyd – Log Analysis
$> cat /var/honeyd/log/brutessh.log
Fri Jun 13 16:12:41 2008: Authentication attempt (SSHv2) ! User: sandro Password: maconha
Fri Jun 13 16:12:41 2008: Connection from 200.168.71.203 port 18282
Fri Jun 13 16:12:42 2008: Authentication attempt (SSHv2) ! User: sandro Password: cannabis
Fri Jun 13 16:12:42 2008: Connection from 200.168.71.203 port 18313
Fri Jun 13 16:12:32 2008: Authentication attempt (SSHv2) ! User: sandro Password: vasco
Fri Jun 13 16:12:32 2008: Connection from 200.168.71.203 port 17956
Fri Jun 13 16:12:32 2008: Authentication attempt (SSHv2) ! User: sandro Password: flamengo
Fri Jun 13 16:12:36 2008: Connection from 200.168.71.203 port 18086
Fri Jun 13 16:12:36 2008: Authentication attempt (SSHv2) ! User: sandro Password: sandro
Fri Jun 13 16:12:37 2008: Connection from 200.168.71.203 port 18114
Fri Jun 13 16:12:37 2008: Authentication attempt (SSHv2) ! User: sandro Password: sandro1
Fri Jun 13 16:12:38 2008: Connection from 200.168.71.203 port 18141
Fri Jun 13 16:12:38 2008: Authentication attempt (SSHv2) ! User: sandro Password: sandro12
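Detection logic over the brutessh.log format above, added as an example (not the deck's or the SSH proxy's own code). It sorts the out-of-order records, lists the distinct passwords tried per user, and flags sources that open many connections in a short window; the thresholds are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime
# Sample copied from the brutessh.log slide above; note the file is not in time order.
SAMPLE_LOG = """\
Fri Jun 13 16:12:41 2008: Authentication attempt (SSHv2) ! User: sandro Password: maconha
Fri Jun 13 16:12:41 2008: Connection from 200.168.71.203 port 18282
Fri Jun 13 16:12:42 2008: Authentication attempt (SSHv2) ! User: sandro Password: cannabis
Fri Jun 13 16:12:42 2008: Connection from 200.168.71.203 port 18313
Fri Jun 13 16:12:32 2008: Authentication attempt (SSHv2) ! User: sandro Password: vasco
Fri Jun 13 16:12:32 2008: Connection from 200.168.71.203 port 17956
Fri Jun 13 16:12:36 2008: Connection from 200.168.71.203 port 18086
Fri Jun 13 16:12:36 2008: Authentication attempt (SSHv2) ! User: sandro Password: sandro
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): (?P<msg>.*)$')
AUTH_RE = re.compile(r'^Authentication attempt \(SSHv\d\) ! User: (?P<user>\S+) Password: (?P<pw>.*)$')
CONN_RE = re.compile(r'^Connection from (?P<src>\S+) port (?P<port>\d+)$')

def parse(lines):
    """(timestamp, kind, a, b) events sorted by time, since the file itself is out of order."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = datetime.strptime(m.group('ts'), '%a %b %d %H:%M:%S %Y'), m.group('msg')
        if (a := AUTH_RE.match(msg)):
            events.append((ts, 'auth', a.group('user'), a.group('pw')))
        elif (c := CONN_RE.match(msg)):
            events.append((ts, 'conn', c.group('src'), int(c.group('port'))))
    return sorted(events, key=lambda e: e[0])

def password_guesses(events):
    """Distinct passwords tried per user name: one user and many passwords means guessing."""
    tried = defaultdict(set)
    for _, kind, a, b in events:
        if kind == 'auth':
            tried[a].add(b)
    return {user: sorted(pws) for user, pws in tried.items()}

def brute_force_sources(events, min_conns=4, window_s=10):
    """Sources that opened at least min_conns connections within some window_s-second span."""
    per_src = defaultdict(list)
    for ts, kind, a, _ in events:
        if kind == 'conn':
            per_src[a].append(ts)              # already time-ordered
    return [src for src, t in per_src.items()
            if any((t[i + min_conns - 1] - t[i]).total_seconds() <= window_s
                   for i in range(len(t) - min_conns + 1))]
```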
18. Nepenthes
http://nepenthes.mwcollect.org/
● Low interaction
● Emulates known vulnerabilities to collect attack information
● Captures binaries and the commands executed by worms
● Mwcollect.org: collection of malware and malicious artifacts
23. Amun
http://amunhoney.sourceforge.net
● Low interaction
● Autonomous malware capture
● Written in Python
● Ease of use
● Modules and exploits
24. Amun – Log Analysis
$> cat /var/amun/vuln_modules/vuln-ftpd/ftpd_modul.py
import psyco ; psyco.full()
from psyco.classes import *
import struct
import random
import ftpd_shellcodes
import amun_logging
# one vulnerability module: the name, initial state and banner of the emulated service
class vuln:
    def __init__(self):
        try:
            self.vuln_name = "FTPD Vulnerability"
            self.stage = "FTPD_STAGE1"
            self.welcome_message = "220 Welcome to my FTP Server"
            self.shellcode = []
        except KeyboardInterrupt:
            raise
...
25. Amun – Log Analysis
$> cat /var/amun/logs/exploits.log*
2008-08-23 04:45:06,861 INFO exploit 209.60.60.19:2354 -> *.*.*.*:445 (PNP Vulnerability: bind://200.19.159.131:8594/)
2008-08-24 18:13:41,306 INFO exploit 122.160.202.148:33772 -> *.*.*.*:2967 (SYMANTEC Vulnerability: cbacks://61.246.185.69:1235/)
2008-08-24 18:26:01,128 INFO exploit 200.149.108.192:3064 -> *.*.*.*:445 (ASN1 Vulnerability: ftp://1:1@200.149.108.192:20579/['win.exe'])
2008-08-25 01:06:35,619 INFO exploit 200.249.132.68:3945 -> *.*.*.*:135 (DCOM Vulnerability: cbackf://200.249.132.68:47683/6Fch+A==)
2008-08-25 02:32:57,851 INFO exploit 200.249.132.68:1580 -> *.*.*.*:135 (DCOM Vulnerability: cbackf://200.249.132.68:47683/6Fch+A==)
2008-08-25 03:24:20,532 INFO exploit 24.87.32.159:3888 -> *.*.*.*:135 (DCOM Vulnerability: cbackf://24.87.32.159:24536/YmNpLg==)
2008-08-25 08:34:58,236 INFO exploit 125.211.218.29:3887 -> *.*.*.*:443 (IIS Vulnerability: http://thecric.free.fr:80/AZenv/azenv.php)
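A parser for the Amun exploits.log records above, added as an example (not Amun's own code). It re-joins records that were wrapped onto a second line, splits the payload URL into scheme, host and port, and separates remote hosts worth following up from bind:// listeners; the meaning assigned to the bind/cbacks/cbackf scheme names is my reading of them, not something the slide states.

```python
import re
from collections import Counter
# Sample copied from the exploits.log slide above, including line wraps as the slide shows them.
SAMPLE_LOG = """\
2008-08-23 04:45:06,861 INFO exploit 209.60.60.19:2354 -> *.*.*.*:445 (PNP Vulnerability:
bind://200.19.159.131:8594/)
2008-08-24 18:26:01,128 INFO exploit 200.149.108.192:3064 -> *.*.*.*:445 (ASN1 Vulnerability:
ftp://1:1@200.149.108.192:20579/['win.exe'])
2008-08-25 01:06:35,619 INFO exploit 200.249.132.68:3945 -> *.*.*.*:135 (DCOM Vulnerability:
cbackf://200.249.132.68:47683/6Fch+A==)
2008-08-25 08:34:58,236 INFO exploit 125.211.218.29:3887 -> *.*.*.*:443 (IIS Vulnerability:
http://thecric.free.fr:80/AZenv/azenv.php)
"""

LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) INFO exploit (?P<src>[^\s:]+):(?P<sport>\d+) '
    r'-> (?P<dst>[^\s:]+):(?P<dport>\d+) \((?P<vuln>[^:]+): (?P<payload>.*)\)$')
URL_RE = re.compile(r'^(?P<scheme>\w+)://(?:[^@/]+@)?(?P<host>[^:/]+)(?::(?P<port>\d+))?')
# Scheme names as they appear on the slide; the descriptions are my reading (assumption).
# bind:// is taken to be a listener the shellcode opens on the honeypot itself, so not a remote host.
REMOTE = {'cbacks': 'connect-back shell', 'cbackf': 'connect-back file transfer',
          'ftp': 'URL download', 'http': 'URL download'}

def unwrap(lines):
    """Re-join records that were wrapped onto a second line (continuations lack a timestamp)."""
    out = []
    for line in (l.rstrip() for l in lines if l.strip()):
        if re.match(r'\d{4}-\d\d-\d\d ', line) or not out:
            out.append(line)
        else:
            out[-1] += ' ' + line
    return out

def parse(lines):
    """One dict per exploit record, with the payload URL split into scheme/host/port."""
    records = []
    for m in filter(None, map(LOG_RE.match, unwrap(lines))):
        rec, u = m.groupdict(), URL_RE.match(m.group('payload'))
        rec.update(scheme=u and u.group('scheme'), host=u and u.group('host'),
                   port=int(u.group('port')) if u and u.group('port') else None)
        records.append(rec)
    return records

def summarize(records):
    """Which emulated vulnerabilities were hit, how payloads are fetched, and remote hosts involved."""
    return {'vulns': Counter(r['vuln'] for r in records),
            'methods': Counter(REMOTE.get(r['scheme'], r['scheme']) for r in records),
            'remote_hosts': sorted({r['host'] for r in records if r['scheme'] in REMOTE})}
```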
30. Malware Analysis: Sandbox
#!/usr/local/bin/bash
# submit every binary captured by nepenthes to the CWSandbox form, appending each response to sandbox.txt
for i in /var/nepenthes/binaries/*
do
  echo "$i"
  curl -F "email=email@email.com" -F "upfile=@$i" \
    "http://cwsandbox.org/submit.php?action=verify" >> sandbox.txt
  printf "\n" >> sandbox.txt
done