mario@forsecnet.com
Agenda
Introduction to Honeypot
Why Honeypot
Honeypot Dionaea
Installation
Configuration
Detecting OS
Submitting Samples
Honeypot
A honeypot is a system that is designed to be attacked and exploited, whether
through emulated vulnerabilities, real vulnerabilities, or weak configuration,
so that the attacker's activity can be observed and recorded.
Honeypot
Two types of honeypot:
Low Interaction
Emulates the services most frequently probed by attackers; no real OS is exposed
E.g. Dionaea, Kippo, Honeytrap
High Interaction
Runs real systems hosting a variety of services, so the attacker's full activity can be observed
E.g. HiHAT
Honeypot
Low Interaction     | High Interaction
--------------------|-----------------
No                  | Yes
Lower               | Higher
Connection/Request  | Extensive
No                  | Yes
Lower               | Higher
Other Honeypots
ENISA published a review of honeypots, a very useful document found at:
http://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-of-security-incidents-II-honeypots
Honeypots give "great insights into malicious activity in a CERT's
constituency, providing early warning of malware infections, new exploits,
vulnerabilities and malware behavior as well as an excellent opportunity to
learn about changes in attacker tactics."
Honeypot Why?
We have used IDS in the past
What we have learned:
Only known attacks (those with a signature) are detected
Unknown attacks are not detected
Many false positives (if not properly tuned)
Call to participate
CERTs need to cooperate and develop
large-scale inter-connected sensor
networks in order to collect threat
intelligence from multiple distributed
geographic areas.
ENISA Research on Honeypots
Call to participate
Participate in Honeynet research
sponsored by KOMINFO
Help our government with early warning of cyber attacks
Road Map
Amien H Rosyandino -ID SIRTII-
Randy Anthony -SGU-
Michael -SGU-
Stewart -SGU-
Glenn -SGU-
Honeypot in SGU
Nepenthes (2010)
Migrate to Dionaea (2011)
Add Kippo (2014)
Add Glastopf (2014)
Call to participate
Register the PIC (Person In Charge) for your university
You need to send us:
the IP address of your university
the PIC of the server admin
Further Information
The Honeynet Project
(http://www.honeynet.org)
Indonesia Honeynet Project
(http://www.honeynet.or.id)
Honeypot Dionaea
Dionaea
Website: http://dionaea.carnivore.it
Captures malware delivered to its emulated services
Opens ports 21 (FTP), 69 (TFTP), 80 (HTTP), 445 (SMB), 1433 (MSSQL), 3306 (MySQL), 5060 (SIP)
Installation methods:
via the available repository
manual install
Honeypot - Dionaea
A low interaction honeypot
A successor to Nepenthes
Originally developed by Markus Kötter
one of the original developers of Nepenthes
initially developed Dionaea as part of the Honeynet Project's Summer of Code 2009
Honeypot - Dionaea
Core written in C; the service emulations are written in Python, embedded in the C core
Honeypot - Installation
A step-by-step Dionaea installation guide has been provided to you for reference
Recommended distro: Debian or Ubuntu, though other distros will also work
Installation directory:
/opt/dionaea (referred to below as $DIONAEA_HOME)
Honeypot - Installation
The default log configuration logs:
Debug,
Info,
Message,
Warning,
Critical, and
Error messages
Honeypot - Installation
Consider adjusting the following parameter (the levels entry of the default
logging section in dionaea.conf), since debug output makes up most of the log volume:
Old: levels = all
New: levels = all,-debug
Honeypot - Installation
IP Interface Binding (listen section of dionaea.conf)
mode = manual
# bind to all IPv4 addresses on the eth0 interface
addrs = { eth0 = [0.0.0.0] }
# bind to .50 and .51 on the eth0 interface
addrs = { eth0 = [10.14.49.50, 10.14.49.51] }
# bind to .50 on eth0 and all IPv4 addresses on eth1
addrs = { eth0 = [10.14.49.50], eth1 = [0.0.0.0] }
Note that 0.0.0.0 binds IPv4 only; to listen on IPv6 as well, use :: instead.
Honeypot - Installation
ihandlers = {
    handlers = [ftpdownload,
                tftpdownload,
                emuprofile,
                cmdshell,
                store,
                uniquedownload,
                logsql,
                // logxmpp,
                // p0f,
                // surfids]
}
The handlers commented out with // (logxmpp, p0f, surfids) are disabled;
uncomment p0f for passive OS detection and logxmpp for push-based collection.
Honeypot - Installation
services = {
    serve = [http,
             https,
             tftp,
             ftp,
             mirror,
             smb,
             epmap]
}
Honeypot - Running
Honeypot Passive Identification
Dionaea can use p0f (passive OS fingerprinting) to guess the attacker's
operating system from the TCP/IP characteristics of its connections; the p0f
ihandler must be enabled in dionaea.conf for the results to be logged.
$ sudo apt-get install p0f
Honeypot Passive Identification (command line)
$ sudo p0f -i any -u root -Q /tmp/p0f.sock -q -l -d -o /dev/null -c 1024
Honeypot Passive Identification (daemon)
If Dionaea runs as nobody:nogroup, it must be allowed to reach the p0f query socket:
$ sudo chown nobody:nogroup /tmp/p0f.sock
Query the results from the logsql database:
$ sqlite3 /opt/dionaea/var/dionaea/logsql.sqlite
sqlite> select p0f,p0f_genre,p0f_link,p0f_detail from p0fs limit 10;
Distributed Sensor
Deploy honeypot sensors at several locations
Store the data on one storage server (centralized database)
Two methods for transferring the data:
Pull
Push
Pull
The server logs in to each sensor
Attack data is copied to the server every few minutes
Semi real-time
(Diagram: Sensor 1 to Sensor 4, each pulled by the central server)
Database Migration
(Diagram: Dionaea on each sensor writes to SQLite; the SQLite file is reached
over SSHFS by the Java reporting system, which loads the data into MySQL)
Step by Step
Shutdown Dionaea (so the SQLite file is not being written while it is read)
Read Database (load the logsql.sqlite contents into MySQL)
Rerun Dionaea
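The following is an added example, not code from the slides or from the Dionaea project. It models the pull design above (each sensor's logsql.sqlite is copied into one central database every few minutes) and also answers the p0f question from the passive identification section with a JOIN rather than a plain SELECT on p0fs. Two details the slides leave implicit are handled: per-sensor autoincrement ids (connection, p0f) collide across sensors, so the central tables are keyed by (sensor, id); and because the copy repeats every few minutes, the import is idempotent (INSERT OR IGNORE). Assumptions, all labelled in the code: only a subset of the logsql schema is modelled (connections and p0fs), the central store is SQLite here instead of the MySQL the slides use, and every sensor row is constructed sample data.

```python
# Added example: merge per-sensor Dionaea logsql.sqlite data into a central
# database (pull model) and report p0f OS guesses per remote host.
# Not Dionaea project code; schema is a reduced subset (assumption).
import sqlite3

# Subset of Dionaea's logsql schema (assumption: column names follow the
# logsql ihandler; a real logsql.sqlite has many more tables and columns).
SENSOR_SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY, connection_type TEXT,
    connection_transport TEXT, connection_protocol TEXT,
    connection_timestamp INTEGER, local_host TEXT, local_port INTEGER,
    remote_host TEXT, remote_port INTEGER);
CREATE TABLE p0fs (
    p0f INTEGER PRIMARY KEY, connection INTEGER,
    p0f_genre TEXT, p0f_link TEXT, p0f_detail TEXT);
"""

# Central schema: same columns plus a sensor column; (sensor, id) is the key,
# so ids that restart at 1 on every sensor cannot collide.
CENTRAL_SCHEMA = """
CREATE TABLE IF NOT EXISTS connections (
    sensor TEXT, connection INTEGER, connection_type TEXT,
    connection_transport TEXT, connection_protocol TEXT,
    connection_timestamp INTEGER, local_host TEXT, local_port INTEGER,
    remote_host TEXT, remote_port INTEGER,
    PRIMARY KEY (sensor, connection));
CREATE TABLE IF NOT EXISTS p0fs (
    sensor TEXT, p0f INTEGER, connection INTEGER,
    p0f_genre TEXT, p0f_link TEXT, p0f_detail TEXT,
    PRIMARY KEY (sensor, p0f));
"""

CONN_COLS = ("connection", "connection_type", "connection_transport",
             "connection_protocol", "connection_timestamp", "local_host",
             "local_port", "remote_host", "remote_port")
P0F_COLS = ("p0f", "connection", "p0f_genre", "p0f_link", "p0f_detail")

# Constructed sample rows (not real captures). Both sensors start ids at 1.
SENSOR_A_CONNS = [
    (1, "accept", "tcp", "smbd",   1402000000, "10.14.49.50", 445,  "203.0.113.7",  49152),
    (2, "accept", "tcp", "mssqld", 1402000060, "10.14.49.50", 1433, "203.0.113.7",  49153),
    (3, "accept", "tcp", "httpd",  1402000120, "10.14.49.50", 80,   "198.51.100.9", 51000),
]
SENSOR_A_P0FS = [
    (1, 1, "Windows", "ethernet/modem", "XP/2000 (RFC1323+, w, tstamp-)"),
    (2, 2, "Windows", "ethernet/modem", "XP/2000 (RFC1323+, w, tstamp-)"),
    (3, 3, "Linux",   "ethernet/modem", "2.6 (newer, 1)"),
]
SENSOR_B_CONNS = [
    (1, "accept", "tcp", "smbd",   1402000300, "10.14.49.51", 445,  "203.0.113.7", 49200),
    (2, "accept", "tcp", "mysqld", 1402000360, "10.14.49.51", 3306, "192.0.2.44",  40001),
]
SENSOR_B_P0FS = [
    (1, 1, "Windows", "ethernet/modem", "XP/2000 (RFC1323+, w, tstamp-)"),
    (2, 2, "Linux",   "ethernet/modem", "2.6 (newer, 1)"),
]


def make_sensor_db(connections, p0fs):
    """In-memory stand-in for one sensor's logsql.sqlite."""
    db = sqlite3.connect(":memory:")
    db.executescript(SENSOR_SCHEMA)
    db.executemany("INSERT INTO connections VALUES (%s)" % ",".join("?" * len(CONN_COLS)), connections)
    db.executemany("INSERT INTO p0fs VALUES (%s)" % ",".join("?" * len(P0F_COLS)), p0fs)
    db.commit()
    return db


def open_central(path=":memory:"):
    """Open (creating if needed) the central database."""
    db = sqlite3.connect(path)
    db.executescript(CENTRAL_SCHEMA)
    return db


def pull_sensor(central, sensor, sensor_db):
    """Copy one sensor's rows into the central DB and return the number of
    newly imported connections. INSERT OR IGNORE makes repeated pulls a no-op."""
    count = "SELECT count(*) FROM connections WHERE sensor = ?"
    before = central.execute(count, (sensor,)).fetchone()[0]
    for table, cols in (("connections", CONN_COLS), ("p0fs", P0F_COLS)):
        rows = sensor_db.execute("SELECT %s FROM %s" % (",".join(cols), table)).fetchall()
        central.executemany(
            "INSERT OR IGNORE INTO %s (sensor,%s) VALUES (?,%s)"
            % (table, ",".join(cols), ",".join("?" * len(cols))),
            [(sensor,) + row for row in rows])
    central.commit()
    return central.execute(count, (sensor,)).fetchone()[0] - before


def os_report(central):
    """p0f OS genre per (sensor, remote host); the JOIN on (sensor, connection)
    keeps each p0fs row attached to its own sensor's connection."""
    return central.execute("""
        SELECT c.sensor, c.remote_host, p.p0f_genre, count(*)
        FROM p0fs AS p JOIN connections AS c
          ON c.sensor = p.sensor AND c.connection = p.connection
        GROUP BY c.sensor, c.remote_host, p.p0f_genre
        ORDER BY c.sensor, c.remote_host, p.p0f_genre""").fetchall()


def hosts_seen_by_multiple_sensors(central):
    """Remote hosts that hit more than one sensor: the cross-site signal a
    distributed sensor network exists to produce."""
    rows = central.execute("""
        SELECT remote_host FROM connections
        GROUP BY remote_host HAVING count(DISTINCT sensor) > 1
        ORDER BY remote_host""").fetchall()
    return [r[0] for r in rows]


def run_demo():
    """Pull sgu-1 twice (second pull imports nothing) and sgu-2 once."""
    central = open_central()
    a = make_sensor_db(SENSOR_A_CONNS, SENSOR_A_P0FS)
    b = make_sensor_db(SENSOR_B_CONNS, SENSOR_B_P0FS)
    imported = (pull_sensor(central, "sgu-1", a),
                pull_sensor(central, "sgu-1", a),
                pull_sensor(central, "sgu-2", b))
    return imported, os_report(central), hosts_seen_by_multiple_sensors(central)


if __name__ == "__main__":
    imported, report, shared = run_demo()
    print("imported per pull:", imported)
    for row in report:
        print(row)
    print("seen by more than one sensor:", shared)
```

Against a real deployment, replace make_sensor_db with sqlite3.connect on the SSHFS-mounted logsql.sqlite of each sensor, and do so only while that sensor's Dionaea is stopped, as the step-by-step above requires, so the file is not read mid-write.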
Push
Uses XMPP (the logxmpp ihandler)
Attack data is stored directly on the server
Real-time
(Diagram: Sensor 1 to Sensor 4 pushing data to the central server over XMPP)
Raspberry Pi
ARM processor (700 MHz)
Low energy consumption (5 W)
A small, card-sized computer