Kirby Kuehl, Honeynet Project Member, 05/08/2002: Intrusion Deception


Page 1: Intrusion Deception

Kirby Kuehl
Honeynet Project Member
05/08/2002
Intrusion Deception

Page 2: Intrusion Deception—Deceiving the Blackhat

Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl

Reconnaissance: an inspection or exploration of an area, especially one made to gather military information.

• A Honeypot MUST appear to be an attractive target.
  – Accurate responses to active (nmap) and passive (p0f) operating system fingerprinting methods, daemon banner queries, port scans, and vulnerability scanners (nessus).
  – Convincing content if the system is running httpd or ftpd.
  – Inconspicuous in relation to the rest of the network.
  – The Honeypot can reside next to production systems so that it is scanned during sweeps, or ports can be redirected from production systems to the Honeypot.

Page 3: Intrusion Deception—Passing Recon

Honeynet Project
• Uses actual default installations of actively exploited operating systems and services.
  – Nothing is emulated, so the host's response to reconnaissance methods will be accurate.
  – Data Capture (logging), Data Control (firewalling), and Intrusion Detection (alerting) are performed utilizing other HARDENED hosts on the network.
  – No production hosts on the network, to eliminate data pollution. All traffic is suspect and is logged in full tcpdump format.
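Because nothing on the honeynet is legitimate, the one question an analyst asks of the tcpdump archive first is "did the honeypot ever start a connection of its own?" The following added example (not part of the slides or of the Honeynet Project's tooling) answers that question over the text form of a capture (`tcpdump -n -r capture.pcap`). It reads both the classic 2002-era line format (`src.port > dst.port: S ...`) and the newer `IP ... Flags [S],` format, so it goes slightly beyond the slide's era; the honeypot address 10.0.0.10 and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: list every TCP connection the
# honeypot itself initiated, from a tcpdump text log. A honeypot has no
# legitimate reason to open outbound connections, so every line printed
# is a compromise indicator worth pulling the full capture for.
# Assumption: the honeypot address (10.0.0.10 below) is constructed.

# honeypot_outbound HONEYPOT_IP < tcpdump-text
# Prints "dst_ip:dst_port count" for each destination the honeypot sent a
# SYN to. Understands both the classic format
#   "time src.port > dst.port: S seq:seq(0) ..."
# and the newer one
#   "time IP src.port > dst.port: Flags [S], ..."
honeypot_outbound() {
    awk -v hp="$1" '
        {
            o = ($2 == "IP") ? 1 : 0          # newer tcpdump prints a protocol column
            src = $(2 + o); arrow = $(3 + o); dst = $(4 + o); flag = $(5 + o)
            if (arrow != ">") next
            if (flag != "S" && !(flag == "Flags" && $(6 + o) == "[S],")) next
            # The source is "a.b.c.d.port"; drop the port to get the address.
            n = split(src, s, ".")
            sip = s[1] "." s[2] "." s[3] "." s[4]
            if (n != 5 || sip != hp) next
            sub(/:$/, "", dst)                # trailing colon after the destination
            split(dst, d, ".")
            count[d[1] "." d[2] "." d[3] "." d[4] ":" d[5]]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# Constructed sample capture: one inbound probe (not reported) and two
# SYNs the honeypot itself sent after being compromised (one in each
# tcpdump output format), followed by a non-SYN segment that is ignored.
SAMPLE_LOG='12:00:01.000000 192.168.5.7.3301 > 10.0.0.10.80: S 1:1(0) win 512
12:00:02.000000 10.0.0.10.1025 > 192.168.5.7.21: S 2:2(0) win 5840 <mss 1460> (DF)
12:00:03.000000 IP 10.0.0.10.1026 > 203.0.113.9.6667: Flags [S], seq 3, win 5840
12:00:04.000000 IP 10.0.0.10.1026 > 203.0.113.9.6667: Flags [.], ack 1, win 5840'

# demo: run the check over the constructed sample.
demo() { printf '%s\n' "$SAMPLE_LOG" | honeypot_outbound 10.0.0.10; }

demo
```

On a real archive, pipe `tcpdump -n -r <file>` into `honeypot_outbound <honeypot-ip>`; an empty result is the expected state for an uncompromised honeypot.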

Page 4: Honeynet Design – Generation I

(Diagram slide: Generation I Honeynet design.)

Page 5: Honeynet Design – Generation II

The Honeynet Sensor

Data Control:
• Limits outbound connections (hogwash or iptables), allowing Blackhats to obtain their tools but not attack other systems.

Data Capture:
• IDS (snort) logging all traffic as well as providing an alert mechanism.

Deception:
• No IP Stack.
• No TTL decrementing.

Page 6: Intrusion Deception—Passing Recon

Virtual Honeynets
• VMWare: GuestOS (Honeypot) virtual machine inside HostOS
  – GuestOS is caged by denying access to the HostOS filesystem.
  – Host-only networking forces the GuestOS to access the network through the HostOS, allowing firewalling and intrusion detection.
  – The Honeynet Project utilizes a Red Hat default installation running inside a hardened Red Hat installation.
  – NMAP's TCP fingerprinting returned unknown OS.
  – Running a mock ecommerce site.

Page 7: Intrusion Deception—Passing Recon

Open source Honeypots

Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run simulated TCP services or proxy the service to another machine. The TCP/IP personality (OS fingerprints) can be adapted so that they appear to be running certain versions of operating systems.

Arpd enables a single host to claim all unassigned addresses on a LAN by answering any ARP request for an IP address with the MAC address of the machine running arpd.

Page 8: Honeyd / Arpd Configuration

(Screenshot slide: honeyd and arpd configuration.)
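The configuration slide above was an image, so here is an added example of what a honeyd template file and the arpd/honeyd start-up look like for the two previous slides (honeyd personalities, simulated versus proxied services, arpd claiming unused addresses). It is written as a small installer script and is not the slides' own configuration nor honeyd's shipped sample. Everything concrete in it is an assumption: the subnet 10.0.0.0/24, the addresses 10.0.0.11 and 10.0.0.12, the proxy target 10.0.0.5, the interface eth0, and the two personality strings, which must be names present in the nmap.prints file honeyd is started with.

```shell
#!/bin/sh
# Added example, not from the slides and not honeyd's own sample config.
# Assumptions (hypothetical): subnet 10.0.0.0/24, virtual hosts
# 10.0.0.11/.12, a real hardened host at 10.0.0.5 to proxy ssh to,
# interface eth0, and personality names that exist in nmap.prints.
HONEYD_NET="${HONEYD_NET:-10.0.0.0/24}"
HONEYD_IF="${HONEYD_IF:-eth0}"

# write_honeyd_conf FILE: two templates. "windows" answers NetBIOS and a
# fake IIS; "linux" runs an ftp banner script and proxies port 22 to a
# real machine so that an interactive login never lands on the emulator.
write_honeyd_conf() {
    cat > "$1" <<'EOF'
# --- Windows template: closed ports send RST, like a real NT box ---
create windows
set windows personality "Windows NT 4.0 Server SP5-SP6"
set windows default tcp action reset
set windows default udp action reset
set windows uptime 3284460
add windows tcp port 80 "sh scripts/http-banner.sh"
add windows tcp port 139 open
add windows udp port 137 open

# --- Linux template: ftp banner script, ssh proxied to a real host ---
create linux
set linux personality "Linux 2.4.7 (X86)"
set linux default tcp action reset
set linux default udp action reset
add linux tcp port 21 "sh scripts/ftp-banner.sh"
add linux tcp port 22 proxy 10.0.0.5:22

bind 10.0.0.11 windows
bind 10.0.0.12 linux
EOF
}

# write_scripts DIR: honeyd connects a service script's stdin/stdout to the
# TCP connection, so a banner script is just a shell script speaking the
# protocol far enough to satisfy a scanner's banner grab.
write_scripts() {
    mkdir -p "$1"
    cat > "$1/ftp-banner.sh" <<'EOF'
#!/bin/sh
printf '220 ftp FTP server ready.\r\n'
while read -r line; do
    cmd=$(printf '%s' "$line" | tr -d '\r' | cut -d' ' -f1 | tr 'a-z' 'A-Z')
    case "$cmd" in
        USER) printf '331 Password required.\r\n' ;;
        PASS) printf '530 Login incorrect.\r\n' ;;
        QUIT) printf '221 Goodbye.\r\n'; exit 0 ;;
        *)    printf '500 Unknown command.\r\n' ;;
    esac
done
EOF
    cat > "$1/http-banner.sh" <<'EOF'
#!/bin/sh
read -r request
printf 'HTTP/1.0 200 OK\r\nServer: Microsoft-IIS/4.0\r\nContent-Type: text/html\r\n\r\n'
printf '<html><body>Welcome to our store</body></html>\r\n'
EOF
}

# start_honeynet: arpd claims every unused address in the subnet by
# answering ARP with this host's MAC; honeyd then speaks for those
# addresses with the templates above.
start_honeynet() {
    arpd -i "$HONEYD_IF" "$HONEYD_NET" &
    honeyd -i "$HONEYD_IF" -p nmap.prints -f honeyd.conf "$HONEYD_NET"
}

# Only write files and start daemons when explicitly asked (START=1 ./script).
if [ -n "${START:-}" ]; then
    write_honeyd_conf honeyd.conf
    write_scripts scripts
    start_honeynet
fi
```

After starting, verify the deception from the attacker's side as the slides suggest: an nmap -O against 10.0.0.11 should report the NT personality, and a banner grab on 10.0.0.12 port 21 should return the script's 220 line. A mismatch between personality and banner is exactly the kind of inconsistency that gives a honeypot away.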

Page 9: Intrusion Deception—Passing Recon

Commercial Honeypots
• Mantrap from Recourse Technologies (requires Solaris)
  – Ability to create up to 4 sub-systems (cages), each running Solaris, by utilizing separate interfaces (each host will have a unique MAC Address).
  – You can run virtually any application that doesn't interact with the kernel within the 4 chrooted cages.
  – Content Generation Module can be used to create realistic data.

Page 10: Mantrap Configuration

(Screenshot slide.)

Page 11: Mantrap Configuration

(Screenshot slide.)

Page 12: Intrusion Deception—Passing Recon

Commercial Honeypots
• Specter (requires Windows NT)
  – Specter can emulate one of 13 different operating systems. As of Version 6.02 the IP stack is not emulated, so IP fingerprinting tools are not fooled. (A Stealth Plugin is currently under development using raw socket support on XP.)
  – Specter honeypots offer 14 fully (100%) emulated services such as: SMTP, FTP, Telnet, Finger, POP3, IMAP4, HTTP, and SSH.
  – Custom fake password files and custom HTTP content.

Page 13: Specter Configuration

(Screenshot slide.)

Page 14: Intrusion Deception—Passing Recon

Commercial Honeypots
• Netfacade from Verizon (requires Solaris)
  – Can simulate up to an entire class C, although all hosts will have the same MAC Address.
  – Simulates 8 different operating systems, properly fooling TCP fingerprinting methods.
  – Simulates 13 different vulnerable services such as FTP (wu-2.4.2-academ[BETA-12](1), System V Release 4.0, and SunOS4.1 versions), SSH (SSH Communications Security Ltd's 1.2.26 and 2.0.9 versions), etc.
  – Automatically generates hostnames, user accounts, operating systems and running services for simulated hosts through a web interface.

Page 15: Intrusion Deception—Changing with the times

Blackhat techniques have become more sophisticated.
• Using kernel module rootkits (adore, kis)
  – Process hiding
  – Keystroke logging
  – Covert communication channels
• Polymorphic shellcode (ADMutate)
• Fragroute (IDS Evasion)

Honeynet Project
• Patching the kernel directly
  – Keystroke logging allowing us to capture encrypted outbound traffic (ssh)
  – Logging via covert communication channels rather than remote syslog
  – Snort-stable enabling appropriate preprocessors and logging all traffic (Not just TCP/UDP/ICMP)

Page 16: Intrusion Deception—Honeynet Alliance

Research Alliance Honeynets
• Freedom for organizations to create their own honeynets and participate in a virtual community.
  – Standardized Capture and Logging formats
  – Events can be forwarded to a common database
  – Shared Research and Analysis
• Research Alliance Honeynets exist within advertised environments alongside production systems.
  – Hopefully attracting targeted and more sophisticated attacks.

Page 17: Intrusion Deception—More Information

http://project.honeynet.org
  – Whitepapers
  – Forensic Challenge
  – Scan of the month
  – Research Alliance
  – Know your Enemy book

[email protected]@cisco.com