pentest extra 6_2012 honeypots


Upload: pentestmag

Post on 31-Mar-2016


DESCRIPTION

How to protect your site with the Honeypots? by Pierre-Henry Soria. Using Honeypots to Augment existing Network Security Measures by Jamie Riden. Interview with the members of the Network of Affined Honeypot project (NoAH) Jason Polakis and Spiros Antonatos by Stefanus Natahusada.

TRANSCRIPT

Page 1: PenTest  Extra 6_2012 Honeypots

Page 4 http://pentestmag.com EXTRA 06/2012(10)

CONTENTS

BASIC

06 Some notes on honeypots
by Mudit Gera
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. It has no production value; anything going to, or from a honeypot, is likely a probe, attack, or compromise.

NETWORK SECURITY

08 Commercial Honeypots V/S Open Source Honeypots – A Critical Comparison
by Vatsal Parekh
A critical comparison on how to choose between commercial honeypots and open source honeypots.

12 Trapping Bears While Floating Like a Butterfly and Stinging Like a Bee
by Daniel Wood
We understand what honeypots are, how they can be used to create a honeynet, and how to implement them; we need to keep in mind that, if not deployed properly, they can create a high risk to your production environment, and due diligence should be exercised when planning and deploying honeypots.

16 Honeypots – useful within active threat defence
by Dan Ross
In today's world of information and cyber security, honeypots have steadily become a strategic first line of defence and have gained a strong place as an active threat detection tool. They have been adopted into organisations' public and private networks for over 10 years, so there is no longer a clear-cut definition of what a honeypot is.

22 Protect your site with the Honeypots
by Pierre-Henry Soria
In all interactive websites there is a "sensitive" part, such as the administrative part, which allows control of almost the entire site. In this article, we'll learn how to create a honeypot, more precisely a fake administration panel that lets you learn how the hacker goes about exploiting vulnerabilities in your site, and also discourages or stops the continuation of the act of piracy, on the honey pot principle.

Dear Readers,

Following the positive comments on the article "The Honeypots" by Vatsal Parekh in the previous edition, and our audience's great curiosity about this topic, we have decided to continue the topic of honeypots and to devote almost the whole issue to it. It means that the honeypot is still an up-to-date topic.

At the beginning we will try to refresh the basic points about honeypots, to discover what they are in a more detailed way. In this edition you will find more technical articles about honeypots, including one more article by Vatsal Parekh, about commercial and open source honeypots.

Through the experts you will learn why "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource – Lance Spitzner", and what types of honeypots there are.

Also, please read the article by Daniel Wood, with his easy explanations and personal opinion; you will enjoy it for sure. I must recommend some interesting tutorials by Pierre-Henry Soria and Dan Ross about how to create a honeypot.

One of the members of The Honeynet Project, Jamie Riden, will give you some recommendations on why you should spend time hardening your network and then implementing some sort of IDS before you start to look at honeypots as a means of defending your network.

You can learn how two honeypot experts and members of the Affined Honeypot project (NoAH), Jason Polakis and Spiros Antonatos, answered in the interview such questions as "Does honeypot have the intelligence module to detect unknown malware/latest exploit?" or what, in their opinion, is the best platform to build a honeypot on.

In addition, this time you have an opportunity to read about data conversions, by Colin Renouf.

I hope the experience and opinions of our specialists will help you in your activity and give you new, useful information.

With any comments or complaints, please feel free to [email protected].

Thank you all for your great support and invaluable help. And most of all, thanks for staying with us.

Enjoy reading!

Viyaleta Piatrouskaya & PenTest Team.


TEAM

Supportive Editor: Małgorzata Skóra [email protected]

Product Manager: Viyaleta [email protected]

Betatesters / Proofreaders: Stefanus Natahusada, Steven Swierckx, Daniel Wood, Eric Shultz, Emiliano Piscitelli, Prateek Gianchandani

Senior Consultant/Publisher: Paweł Marciniak

CEO: Ewa [email protected]

Art Director: Ireneusz Pogroszewski [email protected]: Ireneusz Pogroszewski

Production Director: Andrzej Kuca [email protected]

Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.

All trade marks presented in the magazine were used only for informative purposes.

All rights to trade marks presented in the magazine are reserved by the companies which own them.

To create graphs and diagrams we used program by

Mathematical formulas created by Design Science MathType™

DISCLAIMER!

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

32 Using Honeypots to Augment Existing Network Security Measures
Practical deployment of honeypots for early detection of breaches
by Jamie Riden
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. – Lance Spitzner.

STANDARDS & PRACTICES

42 Data Conversions and System Attacks
by Colin Renouf
Now in the new environment each of the sets of bytes was being treated as a character with a set of rules describing how it was to be translated, and when treated as characters in UTF8 a character can be represented by 1, 2, 3 or 4 bytes. This is the world of Unicode, where almost every conceivable character from almost any language can be represented.

INTERVIEW

46 Interview with the members of Affined Honeypot project (NoAH) Jason Polakis and Spiros Antonatos
by Stefanus Natahusada
What is the best platform to build honeypot? In terms of security, performance and flexibility? Is there a general framework to design, develop and build honeypot system?

BASIC

A honeypot can be used to log access attempts to those ports, including the attacker's keystrokes. This could send early warnings of a more concerted attack.

Types of honeypots

• low-interaction honeypot (ex: Specter, Honeyd, and KFSensor),
• medium-interaction honeypot,
• high-interaction honeypot (ex: Honeynets).

Advantages and Disadvantages of a honeypot

Advantages

A honeypot collects small data sets of high value:

• it catches new attacks and reduces false negatives,
• it works in encrypted or IPv6 environments,
• it is a simple concept requiring minimal resources.

Disadvantages

• it has a limited field of view (microscope),
• it involves risk (mainly high-interaction honeypots).

Where to place a honeypot

A honeypot should be placed in front of the firewall on the DMZ.

Did you know?

Honeypot

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. It has no production value; anything going to, or from a honeypot, is likely a probe, attack, or compromise.

Figure 1. DMZ network

NETWORK SECURITY

Commercial Honeypots V/S Open Source Honeypots – A Critical Comparison

Open source honeypots prove to be better only when the technical team building and designing them is aware of their capabilities and limitations. Not all open source honeypots on the market are up to the mark, but choosing them according to your needs and then configuring them is a must-do job for the technical personnel of the company.

Hello Everyone! First of all I would like to thank all of you for taking an interest in this topic, HONEYPOTS. We all know and are aware how important honeypots and honeynets are in our network. Today I am going to tell you about commercial honeypots and open source honeypots.

Commercial HONEYPOTS

Commercial honeypots are pre-built products. They are built to cater to different types of networks by using just one solution or a set of many solutions. They come with a price tag. Highly qualified security professionals are the minds behind designing and implementing a successful commercial honeypot. Commercial honeypots use fixed platforms to provide solutions.

Top-3 Commercial Honeypots

• PatriotBox (Recommended) – a commercial, easy to use, low-interaction honeypot which is specifically designed for Windows-based solutions. This honeypot solution is extremely powerful for Windows-based networks only.

• KF Sensor – another powerful, low-interaction, Windows-based honeypot whose primary design purpose is detection of threats,

Figure 1. Honeypot

NETWORK SECURITY

Trapping Bears While Floating like a Butterfly and Stinging like a Bee

After an organization has set up perimeter security controls such as firewalls and intrusion detection, and decides to take a more proactive rather than reactive and defensive stance, it may start looking at mechanisms to conduct packet captures or implement solutions such as honeypots.

Honeypots are computers, systems, or even a network of computers and systems (called honeynets) that exist in order to detect intruders and conduct research on the methods used to attack the network assets of an organization, thus increasing situational awareness throughout the organization. An advantage of implementing honeypots or a honeynet is that an organization can provide decoy systems for attackers to focus on, rather than going straight to the organization's critical assets. If an attacker is presented with a vulnerable machine, or one that appears to be vulnerable, then they will spend time and effort on trying to compromise that vulnerable asset. This gives the organization time to identify that an attack is underway and take appropriate measures in monitoring the attacker, capturing network traffic from the exchange (pcap dumps) and adjusting security measures to protect against future attacks similar in nature and even from the attacker's IP address (Figure 2).

It is extremely important to note that if vulnerable assets are being put on a network for the purpose of diverting attackers away from production network assets, the honeypots must be segmented off from anything that is truly critical or sensitive in nature. If an attacker is able to own a machine, there's a real risk that they may be able to pivot to other internal network resources. Obviously this is something we don't want happening and should avoid at all costs. This occurs by essentially standing up a vulnerable host to pivot from and allowing an attacker to bypass your firewalls, your IDS/IPS, and other protections you may have in place, defeating the entire purpose. If operating within a virtualized environment, it's strongly recommended that special attention and care be taken. Having your honeypot/net in a separate VLAN while still logically connected to a production network is asking for trouble if not

Figure 1. Kippo an SSH Honeypot listening for brute-force attacks

NETWORK SECURITY

Honeypots – useful within active threat defence

In today's world of information and cyber security, honeypots have steadily become a strategic first line of defence and have gained a strong place as an active threat detection tool. They have been adopted into organisations' public and private networks for over 10 years, so there is no longer a clear-cut definition of what a honeypot is.

This article describes the different uses of honeypots, as well as the need to deploy a honeypot or honeynet within your organisation's infrastructure.

Overall, honeypots are designed to coexist in a complementary way within a network environment in order to deliberately observe possible intrusions and would-be drive-by attackers. They are purposely set up to attract the would-be hacker and to appear as an open target on an organisation's network, which a hacker probing the network would move in on for intrusion purposes. Honeypot environments are in fact totally passive systems holding no real content or capacity by which a hacker can access information or possibly use it as a pivot to compromise other systems. Instead the hacker becomes the observed, as all incoming packets within a honeypot are always likely to come from a malicious source. This is considered a form of counterintelligence and the means by which defence practitioners gain good situational awareness of any attack. There are a number of different uses of honeypots: some are designed to reduce spam activity; some are designed to deceive the hacker, prolonging their possible intrusion into more sensitive areas while their steps are analysed; and others are set up simply to collect information on new forms of malware and on the whereabouts of the command and control of botnets.

As part of defence in depth within the security community, the implementation and deployment of honeypots, and their inclusion within networks called "honeynets", yield much richer logs and intrusion detection data than could ever be possible through monitoring ordinary computer systems and networks. As a security measure, honeypots can be considered like playing with fire and so should never be implemented on an organisation's critical control systems. These systems should always be protected and concealed by the use of honeypots. It should be said at this point that honeypots are utilised not only as a defence mechanism in the protection arsenal against the external world but also as part of internal defence, against attacks from within the organisation itself, so that real access to protected information becomes difficult and obfuscated to those unauthorised persons who may intrude beyond their boundaries. An example of this is its implementation at Google within Google Money or the internal accounting systems that are known to use large virtual honeypot environments.

Honeypots are designed to look like many different kinds of operating system with any number of services running on them in order to distract an

NETWORK SECURITY

Protect your site with the Honeypots

In all interactive websites there is a "sensitive" part, such as the administrative part, which allows control of almost the entire site. In this article, we'll learn how to create a honeypot, more precisely a fake administration panel that lets you learn how the hacker goes about exploiting vulnerabilities in your site, and also discourages or stops the continuation of the act of piracy, on the honey pot principle.

In general, when a hacker tries to break into a website, he will try to bypass the security of the administration functionality by exploiting a security breach (SQL injection, ...), or by using a bot that will try all possible combinations to log in, gain access and do whatever he wants.

One protection technique is to change the name and location of the administration folder; this complicates the break-in by making it more difficult for the hacker to find the page.

Instead of having a folder named "admin", "administration" or "admin.php", you can give it a name that is difficult to find, but that does not stop hackers from adapting their strategy to discover the name of the folder.

Then, while keeping the true administration folder hidden, we will simulate a fake administration page that attracts hackers as easy prey, so that they will not only waste valuable time trying to connect instead of seeking the real administration page, but also allow us to analyze the ways they try to exploit potential vulnerabilities in the website.

You guessed it; in this tutorial I will show you how to create a fake administrative part which will serve as a honeypot.

To do this, rename the real administration folder of your site to a name that is hard to guess but easy to remember (e.g. /my-real-secret-admin-folder/). Then create the fake administrative part in a folder named "admin", with an index.php file which will ask for the administrator's identifier. Here we will record the steps hackers take to get into the administration of your site (Listing 1).

Remember that the design of this fake administration interface should look similar to your site so that the attacker does not doubt that this is a real login page.

We now retrieve the information sent by the login form and store it in a log file or send it by email, so you will be notified immediately when someone tries to connect.

You can also add a tracking code to get more analytical information (country, city, time spent on the page, etc.) on the people who are trying to connect to the fake admin CP.

Finally, I set the sleep function, which makes the script sleep for a few seconds in order to secure against brute force attacks caused by possible bots, but also to annoy the hacker.

And now the "sniffer" PHP class (Listing 2), which will allow us to recover most of the attacker's actions and adds the possibility of automatically banning the hackers and bots who try to log into the administrative part (because these visitors often bring nothing positive to your site).
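The decoy login page that the steps of this article describe, as an added example; it is not the article's Listing 1 or Listing 2, which are not reproduced on this page. The class name, constants, log path and delay are assumptions, and it covers the form, the logging and the delay (not the email alert or the automatic ban).

```php
<?php
declare(strict_types=1);

// Decoy admin/index.php (PHP 8+). DecoyLogin, DECOY_LOG, DECOY_DELAY and FIELD_MAX
// are hypothetical names chosen for this example.
const DECOY_LOG   = '/var/log/site/decoy-admin.log'; // assumption: outside the web root, writable by PHP
const DECOY_DELAY = 3;   // seconds each login attempt is stalled
const FIELD_MAX   = 256; // stored length cap for any attacker-supplied value

final class DecoyLogin
{
    /** Cap the length and replace control bytes so every attempt stays on one log line. */
    public static function clean(mixed $value): string
    {
        if (!is_string($value)) {
            return '[non-string]'; // e.g. username[]=x arrives as an array
        }
        $value = substr($value, 0, FIELD_MAX);
        return preg_replace('/[\x00-\x1F\x7F]/', '?', $value) ?? '[unprintable]';
    }

    /** Build one log record from the request data passed in. */
    public static function record(array $server, array $post): array
    {
        return [
            'time'     => gmdate('c'),
            'ip'       => self::clean($server['REMOTE_ADDR'] ?? ''),
            'method'   => self::clean($server['REQUEST_METHOD'] ?? ''),
            'uri'      => self::clean($server['REQUEST_URI'] ?? ''),
            'agent'    => self::clean($server['HTTP_USER_AGENT'] ?? ''),
            'referer'  => self::clean($server['HTTP_REFERER'] ?? ''),
            'username' => self::clean($post['username'] ?? ''),
            'password' => self::clean($post['password'] ?? ''),
        ];
    }

    /** Append the record as one JSON line; LOCK_EX keeps concurrent writes from interleaving. */
    public static function append(array $record, string $path = DECOY_LOG): bool
    {
        $line = json_encode($record, JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE);
        return $line !== false
            && file_put_contents($path, $line . "\n", FILE_APPEND | LOCK_EX) !== false;
    }
}

$failed = false;
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    DecoyLogin::append(DecoyLogin::record($_SERVER, $_POST));
    sleep(DECOY_DELAY); // slows bots; it also holds a PHP worker for that time, so keep it short
    $failed = true;     // the decoy never authenticates anyone
}
header('X-Robots-Tag: noindex'); // keep the decoy out of search results
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Administration</title></head>
<body>
  <!-- Style this page like the rest of the site so it passes for the real login. -->
  <h1>Administration</h1>
  <?php if ($failed): ?><p>Invalid username or password.</p><?php endif; ?>
  <form method="post" action="">
    <label>Username <input type="text" name="username"></label>
    <label>Password <input type="password" name="password"></label>
    <button type="submit">Log in</button>
  </form>
</body>
</html>
```

Treat the log file as sensitive: a legitimate administrator who lands on the decoy by mistake will have typed a real password into it.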

NETWORK SECURITY

Using Honeypots to Augment Existing Network Security Measures

Practical deployment of honeypots for early detection of breaches

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. – Lance Spitzner

Firstly, a great deal of this information, including build scripts, has been derived from the http://dionaea.carnivore.it/ website, and credit belongs to the authors rather than myself. Secondly, many thanks are due to internal reviewers with the Honeynet Project for comments on the initial draft of this article.

The basic premise of a honeypot is that the attacker believes it's a genuine server, and only the defender knows the truth. From that start, we can either choose to use it as an early warning system to jump start our incident response processes, or we can study the behaviour of attackers in their element in order to better understand them. This knowledge can help us better defend our systems and networks. There is always some potential for attackers to cause damage, so you will need to exercise due care.

If you are looking after a production network, you will probably be most interested in early warning system (EWS) honeypots. Suppose we have taken the basic steps to lock down our network already,

Figure 1. Basic placement of honeypots, either in the DMZ or the internal network, or both

STANDARDS & PRACTICES

Data Conversions and System Attacks

Whilst investigating a major system failure on a payment system, it became evident that very few people in IT really understand the number of data conversions that go on or the differences in data type representations between different technologies.

The problem manifested itself as a data length error on resaving data that hadn't changed. Understanding the conversions and types used for the components of a particular system can open up an avenue for attack. This article explains some of the representations and some of the risks involved.

The environment in which we were operating was a typical one for many enterprises, with a layered architecture delivering data from a central database to a mix of legacy and more current technologies offering application and user interface functionality. It is in the legacy database that the original problem arises, although it isn't manifested as a problem there initially, with issues only being seen when the database was upgraded, and then only in production.

A field declared as a VARCHAR2 text field, which was fine on a US 7-bit ASCII representation where it was treated as a string of bytes, was actually used to hold a bit string, i.e. some of the 'characters' weren't really valid characters. As the data itself hadn't been changed when the problem manifested, the issue had to be due to some difference in the data representation in the new infrastructure, in this case the use of 32-bit UTF8 in the database. In the original representation in the database the binary string would just be split into bytes, as a character has a byte representation; well almost, seven bits are used.

Now in the new environment each of the sets of bytes was being treated as a character with a set of rules describing how it was to be translated, and when treated as characters in UTF8 a character can be represented by 1, 2, 3 or 4 bytes. This is the world of Unicode, where almost every conceivable character from almost any language can be represented. The data was unchanged; only the infrastructure had changed. Issues hadn't been seen in testing, as a shared infrastructure database using the original Windows compatible character set had been used. Also, between the original legacy environment and the new environment the database had been moved from a Hewlett-Packard PA-RISC HP-UX environment to a Linux on Intel x64 environment.

The database representation itself is, of course, only part of the environment, with web browsers, web servers, proxy servers, routers, and networks between the user and the database, each with possibly different representations and different CPUs with their own representations.

This should serve as a reminder of the importance of data types representing information in the real world, and of having representative test systems.
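An added illustration of the data length error this article describes (not code from the article): it assumes the migration converts each stored byte as one single-byte character, modelled here with ISO-8859-1, and that the column limit is counted in bytes. The sample value and function names are constructed, and PHP's mbstring extension is required.

```php
<?php
declare(strict_types=1);

// Constructed sample: 8 bytes of packed flags that a legacy application kept in a text column.
const SAMPLE_BITS  = "\x01\x7F\x80\xC3\xFF\x10\xA9\xE2";
const COLUMN_BYTES = 8; // assumption: column sized in bytes to fit the legacy value exactly

/** Convert every stored byte as one single-byte character into UTF-8 (assumed migration rule). */
function migrateToUtf8(string $raw, string $legacyCharset = 'ISO-8859-1'): string
{
    return mb_convert_encoding($raw, 'UTF-8', $legacyCharset);
}

/** Offsets of bytes above 0x7F: the ones that are not 7-bit ASCII and grow on conversion. */
function highByteOffsets(string $raw): array
{
    $offsets = [];
    for ($i = 0, $n = strlen($raw); $i < $n; $i++) {
        if (ord($raw[$i]) > 0x7F) {
            $offsets[] = $i;
        }
    }
    return $offsets;
}

/** Report what the character-set change does to one stored value. */
function auditValue(string $raw, int $columnBytes): array
{
    $utf8 = migrateToUtf8($raw);
    return [
        'bytes_before' => strlen($raw),                     // strlen() counts bytes, not characters
        'bytes_after'  => strlen($utf8),
        'high_bytes'   => highByteOffsets($raw),
        'raw_is_utf8'  => mb_check_encoding($raw, 'UTF-8'), // is the bit string valid text at all?
        'fits_column'  => strlen($utf8) <= $columnBytes,    // false: the resave is rejected
        'round_trips'  => mb_convert_encoding($utf8, 'ISO-8859-1', 'UTF-8') === $raw,
    ];
}

foreach (auditValue(SAMPLE_BITS, COLUMN_BYTES) as $key => $value) {
    echo str_pad($key, 13), json_encode($value), "\n";
}
```

Running the same audit over real column contents before a character-set migration shows which rows hold non-text bytes and would outgrow their declared width.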

INTERVIEW

Interview with the members of Affined Honeypot project (NoAH) Jason Polakis and Spiros Antonatos

What is the Honeypot development roadmap for the next 5 years?

If one takes a brief look at the honeypot development history over the last few years, only a few projects are still alive and maintained on a regular basis. One of the main reasons is that the security landscape has changed and attacks are now client-side and based on social engineering vectors. This landscape shift has made most of the server-side honeypots unattractive and outdated.

However, client-side honeypots and application-specific honeypots are promising and can prove to be a useful tool in the defender's arsenal over the next years.

Client-side honeypots can actively search for attacks and infected hosts while application-specific honeypots can be used as decoys for critical services.

We have explored the use of honeypot decoys in instant messaging services [1], and found them to be a valuable source of information on phishing attacks that employ social engineering approaches.

What is the best practice honeypot deployment in the enterprise environment?

High-interaction honeypots have been proven to be efficient and accurate.

High-interaction honeypots are instrumented virtual machines that capture every action by an attacker. Unlike low-end honeypots, they are not based on emulation scripts but rather run real operating systems and services. Their high level of realism comes with a configuration and maintenance cost but the attack insight they provide is far more powerful than emulation scripts.

Jason Polakis

Jason Polakis is currently a PhD candidate at the University of Crete and a research assistant at the Institute of Computer Science, Foundation of Research and Technology Hellas (FORTH). His interests include various areas of computer and network security in general, with a recent focus on security and privacy aspects of online social networks. He was part of the development team of the Network of Affined Honeypots (NoAH) project which was funded by the EU, and has co-authored the paper: "A systematic characterization of IM threats using honeypots" (NDSS 2010).

Spiros Antonatos

Spiros Antonatos is currently a senior R&D engineer at Niometrics and has received his PhD from Computer Science Department, University of Crete. During his 8-year experience as a research assistant at the Institute of Computer Science, Foundation of Research and Technology Hellas (FORTH), he was technical manager of Network of Affined Honeypots (NoAH) project, developer of Honey@home tool and co-author of several honeypot-related papers. His interests include network security in general with a focus on network monitoring and high-performance computing.
