
Workshop Intro to Honeypot

Malang, 10 Oktober 2016


Mario Marcello

mario@forsecnet.com

Agenda

Introduction to Honeypot
Why Honeypot
Honeypot Dionaea
Installation
Configuration
Detecting OS
Submitting Samples
Visualizing the Attack

Honeypot
A Honeypot is a system that is designed to be exploited, whether
through emulated vulnerabilities, real vulnerabilities,
or weaknesses.

Generally it consists of a computer, data, or a network
site that appears to be part of a network, but is actually
isolated and monitored, and which seems to contain
information or a resource of value to attackers.
Source: Malware Analyst Cookbook

Honeypot
Two types of Honeypot:
Low Interaction
Simulates the services most frequently requested by attackers
E.g. Dionaea, Kippo, Honeytrap

High Interaction
Imitates the activities of real systems that host a variety of
services
E.g. HiHAT

A Virtual Machine is commonly used for ease of maintenance

Honeypot

                        Low Interaction        High Interaction
Real Operating System   No                     Yes
Risk                    Lower                  Higher
Knowledge Gain          Connection/Request     Extensive
Can be compromised      No                     Yes
Maintenance Time        Lower                  Higher

Other Honeypots
ENISA published a review on honeypots, a
very nice document found at:
http://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-ofsecurity-incidents-II-honeypots
Great insights into malicious activity in a CERT's
constituency, providing early warning of malware
infections, new exploits, vulnerabilities and
malware behavior as well as an excellent
opportunity to learn about changes in attacker
tactics.

Honeypot Why?
We have used IDS in the past
What we have learned:
Only known attacks are detected
Unknown attacks are not detected
Many false positives (if not properly tuned)

We use a honeypot to:
Understand what the attacker is doing, i.e. the
behavior of the attack
Both Low Interaction & High Interaction have their
own advantages and disadvantages

Call to participate
CERTs need to cooperate and develop
large-scale inter-connected sensor
networks in order to collect threat
intelligence from multiple distributed
geographic areas.
ENISA Research on Honeypots

Call to participate
Participate in Honeynet research
sponsored by KOMINFO
Help our government in early warning of
cyber attacks

You will get Honeypot sensor hardware
to capture the cyber attacks in your
infrastructure
You need one Public IP Address

Road Map

Amien H Rosyandino -ID SIRTII-
Randy Anthony -SGU-
Michael -SGU-
Stewart -SGU-
Glenn -SGU-

Honeypot in SGU

Nepenthes (2010)
Migrate to Dionaea (2011)
Add Kippo (2014)
Add Glastopf (2014)

Web Interface (2012)

Thanks to Stewart (SGU IT Batch 2010)

Web Interface (2013)

Thanks to Andrew & Tommy (SGU IT Batch 2011)


Call to participate
Register the PIC (Person In Charge) of
your university
You need to send us:
IP address of your university
PIC of the server admin

Your sensor (sponsored by KOMINFO)
will be sending data to the Repo server

Further Information
The Honeynet Project
(http://www.honeynet.org)
Indonesia Honeynet Project
(http://www.honeynet.or.id)
Indonesia Honeynet Project Mailing List
(http://groups.google.com/group/id-honeynet)
Swiss German University
(http://www.sgu.ac.id)
My Blog
(http://people.sgu.ac.id/charleslim)

Honeypot Dionaea

Dionaea
Website: http://dionaea.carnivore.it
Captures malware that attacks the
system
Opens ports 21, 69, 80, 445, 1433,
3306, 5060
Installation methods:
from the available repository
manual install

Dionaea Attack Data
logsql.sqlite
/binaries -- malware
/log

Honeypot - Dionaea
A low interaction honeypot
A successor to Nepenthes
Originally developed by Markus Kötter
one of the original developers of Nepenthes
initially developed Dionaea as part of the
Honeynet Project's Summer of Code 2009

Honeypot - Dionaea
Code written in C
exposes a Python interface to add new modules w/o
recompiling

It supports IPv6 and TLS
uses libemu for shellcode detection.
It implements a Python-based version of the Windows
Server Message Block (SMB) protocol
allowing it to properly establish sessions before being
exploited by attacking machines.
Other low-interaction honeypots only simulate certain
vulnerable functions.

It logs information on attacks to an SQLite3 database
a simple way to generate and graph statistics

Honeypot - Installation
Dionaea step-by-step installation has been
provided to you for your reference
Recommended distro: Debian or Ubuntu,
though all distros will also work fine
Installation Directory:
/opt/dionaea ($DIONAEA_HOME)
Main Configuration file:
$DIONAEA_HOME/etc/dionaea/dionaea.conf

Honeypot - Installation
The default honeypot log configuration logs:
Debug,
Info,
Message,
Warning,
Critical, and
Error messages

Honeypot - Installation
Consider adjusting the following parameters
Under the default parameters:
Old Levels = all
New Levels = all, -debug

Under the errors parameters:
Old Levels = warning, error
New Levels = error

Honeypot - Installation
IP Interface Binding
Mode = manual
# bind to all IPv4 addresses on eth0 interface
addrs = { eth0 = [0.0.0.0] }
# bind to .50 and .51 on eth0 interface
addrs = { eth0 = [10.14.49.50, 10.14.49.51] }
# bind to .50 on eth0 and all IPv4 on eth1
addrs = { eth0 = [10.14.49.50], eth1 = [0.0.0.0] }

Honeypot - Installation
ihandlers = {
handlers = [ftpdownload,
tftpdownload,
emuprofile,
cmdshell,
store,
uniquedownload,
logsql,
// logxmpp,
// p0f,
// surfids]
}

Dionaea uses SQLite Database (logsql)

Honeypot - Installation
services = {
serve = [http,
https,
tftp,
ftp,
mirror,
smb,
epmap]
}

You might want to disable http, https, tftp and ftp.
Smb and epmap are used for collecting malware

Honeypot - Running

$ sudo ./dionaea -u nobody -g nogroup \
    -p /opt/dionaea/var/dionaea.pid -D

Use the relevant user and group for your system

Honeypot Passive Identification
$ sudo apt-get install p0f

p0f is used to identify the host OS (not
guaranteed to be accurate)
Dionaea also logs the p0f result to the sqlite database
Modify the parameter in the ihandlers section

Honeypot Passive Identification (command line)
$ sudo p0f -i any -u root -Q /tmp/p0f.sock \
    -q -l -d -o /dev/null -c 1024

Honeypot Passive Identification (daemon)
$ sudo chown nobody:nogroup /tmp/p0f.sock
$ sqlite3 /opt/dionaea/var/dionaea/logsql.sqlite
sqlite> select p0f,p0f_genre,p0f_link,p0f_detail
   ...> from p0fs limit 10;

Permissions on the socket need to be modified
(dionaea runs as nobody:nogroup)
After restarting dionaea, you can verify the results
using the sqlite command prompt (as shown
above)
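The same verification done from a script instead of the sqlite prompt, as an added example that is not part of the workshop material: it opens logsql.sqlite read-only (so the reporting side never locks the live database) and summarises the p0f genres. The table and rows below are a constructed subset of the real p0fs table, using only the four columns the slide queries.

```python
import sqlite3
from collections import Counter

# Constructed sample rows shaped like the four p0fs columns queried on the slide
# (p0f, p0f_genre, p0f_link, p0f_detail); the real logsql.sqlite table has more.
SAMPLE_P0F_ROWS = [
    (1, "Windows", "ethernet/modem", "XP/2000 (RFC1323+, w+, tstamp-)"),
    (2, "Windows", "ethernet/modem", "XP/2000 (RFC1323+, w+, tstamp-)"),
    (3, "Linux", "ethernet/modem", "2.6 (newer, 3)"),
    (4, "", "", ""),  # p0f found no matching signature for this connection
    (5, "Windows", "pppoe (DSL)", "2000 SP4, XP SP1+"),
]

def open_logsql(path):
    """Open a live logsql.sqlite read-only so the reporting side never takes a
    write lock while dionaea is still running."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def load_sample_db():
    """In-memory stand-in for $DIONAEA_HOME/var/dionaea/logsql.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE p0fs (p0f INTEGER PRIMARY KEY, p0f_genre TEXT, "
                 "p0f_link TEXT, p0f_detail TEXT)")
    conn.executemany("INSERT INTO p0fs VALUES (?, ?, ?, ?)", SAMPLE_P0F_ROWS)
    conn.commit()
    return conn

def p0f_is_logging(conn):
    """Verification step from the slide: once the p0f ihandler is enabled and
    dionaea restarted, rows should start appearing in p0fs."""
    (n,) = conn.execute("SELECT COUNT(*) FROM p0fs").fetchone()
    return n > 0

def os_genre_counts(conn):
    """Attacker OS families seen so far; p0f leaves genre empty when it has no
    signature match, which is reported as 'unknown' rather than dropped."""
    counts = Counter()
    for (genre,) in conn.execute("SELECT p0f_genre FROM p0fs"):
        counts[genre or "unknown"] += 1
    return dict(counts)

if __name__ == "__main__":
    db = load_sample_db()  # swap for open_logsql("/opt/dionaea/var/dionaea/logsql.sqlite")
    print("p0f rows present:", p0f_is_logging(db))
    for genre, n in sorted(os_genre_counts(db).items()):
        print(f"{genre:<8} {n}")
```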

Honeypot Submit samples to virustotal
ihandlers = {
handlers = ["ftpdownload", "tftpdownload",
"emuprofile", "cmdshell", "store",
"uniquedownload",
"logsql",
"virustotal",
.
.
}
virustotal = {
apikey = "78b522c17a419aacad191e355550b3a54c1a9efc40d34$
file = "var/dionaea/vtcache.sqlite"
}

Distributed Sensor
Deploy sensor honeypots at several points
Store the data on one storage server
(centralized database)
Two methods to transfer the data:
Pull
Push

Pull
The server logs in to each sensor
Copies the attack data to the server every
few minutes
semi real-time

(Diagram: Sensor 1, Sensor 2, Sensor 3, Sensor 4 -> Database Migration
over SSHFS -> Reporting System: Dionaea -> Sqlite -> Java -> Mysql)

Step by Step
Shutdown Dionaea
Read Database
Rerun Dionaea
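The "Read Database" step of the pull model, as an added example (not the workshop's Java reporting code): each sensor's copied logsql.sqlite is merged into one central database, tagged with the sensor it came from, and re-pulling the same file adds nothing. The connections table here is a constructed minimal subset of the real schema, and the sensor names, IPs and timestamps are made up.

```python
import sqlite3

# Constructed minimal subset of the logsql.sqlite "connections" table; the real
# schema has more columns, but these are enough to show the merge.
SENSOR_SCHEMA = ("CREATE TABLE connections (connection INTEGER PRIMARY KEY, "
                 "connection_protocol TEXT, connection_timestamp INTEGER, "
                 "remote_host TEXT, local_port INTEGER)")
# Central copy keyed by (sensor, connection): per-sensor ids collide, and the
# composite key makes a repeated pull of the same file a no-op.
CENTRAL_SCHEMA = ("CREATE TABLE IF NOT EXISTS connections (sensor TEXT, "
                  "connection INTEGER, connection_protocol TEXT, "
                  "connection_timestamp INTEGER, remote_host TEXT, "
                  "local_port INTEGER, PRIMARY KEY (sensor, connection))")

def make_sensor_db(rows):
    """In-memory stand-in for a logsql.sqlite copied from one sensor."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SENSOR_SCHEMA)
    conn.executemany("INSERT INTO connections VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn

def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM connections").fetchone()[0]

def merge_sensor(central, sensor_id, sensor_conn):
    """Copy one sensor's connections into the central DB, tagging every row
    with the sensor id. Returns how many rows were actually new."""
    before = row_count(central)
    rows = sensor_conn.execute(
        "SELECT connection, connection_protocol, connection_timestamp, "
        "remote_host, local_port FROM connections").fetchall()
    central.executemany("INSERT OR IGNORE INTO connections VALUES (?,?,?,?,?,?)",
                        [(sensor_id, *r) for r in rows])
    central.commit()
    return row_count(central) - before

def per_sensor_totals(central):
    return dict(central.execute(
        "SELECT sensor, COUNT(*) FROM connections GROUP BY sensor"))

def demo():
    """Two pull rounds; the second re-reads sensor1 and must add nothing."""
    central = sqlite3.connect(":memory:")
    central.execute(CENTRAL_SCHEMA)
    s1 = make_sensor_db([(1, "smbd", 1475000000, "198.51.100.7", 445),
                         (2, "mssqld", 1475000100, "203.0.113.9", 1433)])
    s2 = make_sensor_db([(1, "smbd", 1475000050, "192.0.2.33", 445)])
    first = merge_sensor(central, "sensor1", s1) + merge_sensor(central, "sensor2", s2)
    second = merge_sensor(central, "sensor1", s1)
    return first, second, per_sensor_totals(central)
```

For real files, replace the in-memory connections with sqlite3.connect() on the copied sensor database and on the central one.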

Push
Uses XMPP
Stores the attack data directly on the
server
Real-time

(Diagram: Sensor 1, Sensor 2, Sensor 3, Sensor 4 push to the server)

Raspberry Pi

Raspberry Pi
ARM processor (700MHz)
Low energy consumption (5W)
Small card-sized computer
