
Low Interaction Server Honeypot Evolution

Mark Schloesser, Giraffe Honeynet Project


FIRST Technical Colloquium, Kuala Lumpur

December 2, 2009

Special thanks ... for support ... for this event

Mark Schloesser, Giraffe Honeynet Project

Low Interaction Server Honeypot Evolution

1 of 39

Server honeypots?

Ways to collect malware:

- Spamtraps
- Honeyclients
- ...
- High interaction honeypots (Windows systems in virtual machines)
- Low interaction server honeypots


Giraffe Honeynet Project

Availability of tools is bad:

- There are non-public (non-GPL) tools
- Can not / may not be shared
- Some available, but not efficient enough

Giraffe believes in Open Source:

- Publicly available, GPL
- Low interaction
- Fast, efficient (/16 or more)


Carnivores

Nepenthes


Nepenthes

- Low-interaction server honeypot
- Written by Markus Koetter and Paul Baecher (Giraffe)
- Written entirely in C++
- Vulnerability modules
- Shellcode manager
- Great tool, widely used
- Lots of sensors deployed on lots of IP space
- Lots of malware gathered over the years



Nepenthes success

Malware reality:

1. Malware often uses public exploit code to spread
2. Malware often packs a bunch of public exploits
3. Malware authors often are lazy / unskilled
4. Malware community does code sharing / selling

This leads to ... Nepenthes still capturing malware.


The problems

There are always two sides ...

- Pros: C++
- Cons: C++

Huh?

Even though we always claimed it was easy to write nepenthes modules/addons, there was very little contribution.

C++ is an insult to the human brain.


... and other issues ...

Nepenthes disadvantages:

- No new / unknown vulnerabilities supported
- Vulnerability emulation instead of protocol emulation
- Several vulns on port 445/TCP interfering with each other
- Impossible to keep up with exploitation trends
- Shellcode manager needs to know shellcode in advance
- No TLS


Some ugly details

Vuln modules acquiring 445/TCP:

- LSASS, PNP, DCOM, ASN1, ms06-070, ms08-067

Interference:

- Modules mostly match against certain byte strings
- Return UNSURE, DROP, ASSIGN to core
- Which one sends back a response? Random / Parallel / Chaos


Laziness

Malware authors are lazy:

    send(packetbuffer)
    recv(1024) and discard
    send(packetbuffer)
    recv(1024) and discard
    ...

Nepenthes authors are lazy, too ;)

    LSASSDialogue::incomingData(Message *msg)
    {
        // ...
        char reply[512];
        // reply with random bytes; the exploit discards them anyway
        for (int32_t i = 0; i < 512; i++)
            reply[i] = rand() % 255;
        // ...
        doRespond(reply);
    }

MS08-067

Implementing a new vuln module:

- Copy vuln-foo to vuln-ms08067
- Implement some stages
- Fiddle with the packet matching
- Send back something meaningful (omg, some exploits use libraries)
- Finally get to the RPC call, give it to the Shellcode Manager
- Hope that other modules do not break

Conclusion: tedious, error-prone, possibly breaks other modules.


What now?

Something needs to be done here ...


Other approaches

Honeytrap:

- Written by Tillmann Werner (Giraffe)
- Dynamically handles incoming connection attempts
- Binds UDP/TCP ports upon request
- No vulnerability modules
- Mirror mode



Honeytrap's mirror mode

Steps:

1. Technically interested person (TIP) connects to honeypot
2. Connection request gets frozen
3. honeytrap starts a listener and accepts the request
4. Mirror incoming data to the TIP and vice versa


Problems with mirror mode

Not applicable everywhere:

- Malware that patches the vulnerability it used to get in (Conficker)
- A lot of law enforcement or government institutions may not use such a mode because of legal issues


Moving on

We wanted to create a new honeypot that provides a stable base for any future needs and does not suffer from the shortcomings of nepenthes.

Requirements:

- Vulnerability modules
- Scripting language to ease implementation of modules
- Reusing code from libraries


One more thing

One more thing before we get to the new shiny honeypot.


Shellcode detection

The nepenthes way:

- Nepenthes shellcode manager only uses pattern matching
- Shellcode needs to be known in advance
- Actions taken dependent on shellcode content


Shellcode detection

Libemu:

- Generic shellcode detection using GetPC heuristics
- Binary backwards traversal
- Instruction dependency tracking
- Shellcode emulation supporting all basic x86 CPU/FPU instructions
- Profiling by mapping required parts of Windows process memory
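An added example (not libemu's code) of the first step on this slide, a GetPC heuristic scan over a raw byte buffer; the three idioms, the pop-opcode range and the sample buffers are constructed here. libemu goes further than this: it emulates each candidate to confirm it is really position-independent code, which is what keeps random binary data from being reported.

```python
import struct

POP_REG = range(0x58, 0x60)   # pop eax .. pop edi (assumed idiom set)

def _rel8(b):
    return b - 256 if b > 127 else b

def _rel32(bs):
    return struct.unpack("<i", bs)[0]

def find_getpc(buf):
    """Return (offset, idiom) for every GetPC candidate found in buf."""
    hits, n = [], len(buf)
    for i in range(n):
        op = buf[i]
        # call $+5 ; pop reg       -> E8 00 00 00 00 5x
        if (op == 0xE8 and buf[i+1:i+5] == b"\x00\x00\x00\x00"
                and i + 5 < n and buf[i+5] in POP_REG):
            hits.append((i, "call $+5 / pop"))
        # fnstenv [esp-0xc]       -> D9 74 24 F4 (FPU instruction pointer
        # of the preceding FPU op lands on the stack, then gets popped)
        elif op == 0xD9 and buf[i+1:i+4] == b"\x74\x24\xF4":
            hits.append((i, "fnstenv [esp-0xc]"))
        # jmp short L2 ; L1: pop reg ; ... ; L2: call L1
        # (follow the jmp forward, then the call backward: a tiny
        # version of the "backwards traversal" the slide mentions)
        elif op == 0xEB and i + 1 < n:
            l2 = i + 2 + _rel8(buf[i+1])
            if 0 <= l2 and l2 + 5 <= n and buf[l2] == 0xE8:
                l1 = l2 + 5 + _rel32(buf[l2+1:l2+5])
                if i < l1 < l2 and buf[l1] in POP_REG:
                    hits.append((i, "jmp/call/pop"))
    return hits

# Constructed samples: opcode stubs only, no payload.
SAMPLE_CALLPOP = b"\x90\x90\xe8\x00\x00\x00\x00\x5b\x31\xc9"   # nop;nop;call $+5;pop ebx;xor ecx,ecx
SAMPLE_FSTENV  = b"\xd9\xee\xd9\x74\x24\xf4\x5b"               # fldz;fnstenv [esp-0xc];pop ebx
SAMPLE_JCP     = b"\xeb\x05\x5e\x90\x90\x90\x90\xe8\xf6\xff\xff\xff"  # jmp +5;pop esi;...;call -10
SAMPLE_BENIGN  = b"GET / HTTP/1.0\r\n"

if __name__ == "__main__":
    for name, s in [("callpop", SAMPLE_CALLPOP), ("fstenv", SAMPLE_FSTENV),
                    ("jcp", SAMPLE_JCP), ("benign", SAMPLE_BENIGN)]:
        print(name, find_getpc(s))
```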


Libemu output example

    HMODULE LoadLibraryA (
        LPCTSTR lpFileName = 0x0012fe84 => = "ws2_32";
    ) = 0x71a10000;
    int WSAStartup (
        WORD wVersionRequested = 2;
        LPWSADATA lpWSAData = 1244280;
    ) = 0;
    SOCKET WSASocket (
        int af = 2;
        int type = 1;
        int protocol = 0;
        LPWSAPROTOCOL_INFO lpProtocolInfo = 0;
        GROUP g = 0;
        DWORD dwFlags = 0;
    ) = 66;
    int bind (
        SOCKET s = 66;
        struct sockaddr_in * name = 0x0012fe70 => struct = {
            short sin_family = 2;
            unsigned short sin_port = 23569 (port=4444);
            struct in_addr sin_addr = {
                unsigned long s_addr = 0 (host=0.0.0.0);
            };
            char sin_zero = " ";
        };
        int namelen = 16;
    ) = 0;
    int listen (
        SOCKET s = 66;
        int backlog = 2;

Libemu graph output example


'Nough said

Libemu will be a core component of the new honeypot.


Carnivores continued

dionaea


Environment

Who, what and when:

- Core by Markus Koetter
- SMB/CIFS protocol stack by me
- Funded by Honeynet Project summer of code
- Project timeline in parallel to Google summer of code


Dependencies

Not reinventing the wheel:

- No C++, but C with glib
- Core event dispatching by libev
- Embedding Python (using Cython)
- OpenSSL for TLS
- udns for asynchronous DNS
- curl for http downloads
- libemu for shellcode detection / emulation
- liblcfg for configuration file parsing



Honeypot features

Implementation efficiency:

- Emulate the SMB/CIFS protocol to get (unknown) RPC calls
- Detect shellcode (generically) in attacks and create a profile of it
- From the profile guess its actions and act upon that knowledge
- Emulate Windows shell (cmd.exe)
- Download malware via http/ftp/ftp.exe/tftp
- Execute multistage shellcode in libemu and grab the downloaded file (link:// protocol)
- Surfnet SURFids integration

And it can do mirror mode.


Mirror mode with dionaea in Python

    from dionaea.core import connection

    # Outgoing half of the mirror: connects back to the peer's own address
    # on the port it contacted us on and relays data in both directions.
    class mirrorc(connection):
        def __init__(self, peer=None):
            connection.__init__(self, peer.transport)
            self.bind(peer.local.host, 0)
            self.connect(peer.remote.host, peer.local.port)
            self.peer = peer

        def handle_established(self):
            self.peer.peer = self

        def handle_io_in(self, data):
            if self.peer:
                self.peer.send(data)
            return len(data)

        def handle_error(self, err):
            if self.peer:
                self.peer.peer = None
                self.peer.close()

        def handle_disconnect(self):
            if self.peer:
                self.peer.close()
            if self.peer:
                self.peer.peer = None
            return 0

    # Listening half of the mirror: every accepted connection spawns a mirrorc.
    # (The iface parameter was cut off on the slide; it is used by bind() below.)
    class mirrord(connection):
        def __init__(self, proto=None, host=None, port=None, iface=None):
            connection.__init__(self, proto)
            if host:
                self.bind(host, port, iface)
                self.listen()
            self.peer = None

        def handle_established(self):
            self.peer = mirrorc(self)
            self.timeouts.sustain = 60
            self._in.accounting.limit = 100*1024
            self._out.accounting.limit = 100*1024

        def handle_io_in(self, data):
            if self.peer:
                self.peer.send(data)
            return len(data)

        def handle_error(self, err):
            if self.peer:
                self.peer.peer = None

        def handle_disconnect(self):
            if self.peer:
                self.peer.close()
            if self.peer:
                self.peer.peer = None
            return 0


The connection class

Subclass connection to implement some service:

    from dionaea.core import connection

    class allyourbase(connection):
        def __init__(self):
            connection.__init__(self, "tcp")
            # initialize

        def handle_established(self):
            self.timeouts.sustain = 60
            self._in.accounting.limit = 100*1024
            self._out.accounting.limit = 100*1024
            self.processors()

        def handle_io_in(self, data):
            # handle data and return processed len
            self.send(b"All your base...")
            return len(data)

        def handle_disconnect(self):
            return 0


What else

Logging to SQL (sqlite):

- Nepenthes had awful, huge logfiles
- Logging to sqlite eases analysis and statistics generation
- Table connections
- Tables for DCERPC information (services, binds, requests, opnums)
- Table for emulation profiles
- Tables for file offers and downloads


Simple example

Which host attacked us most:

    SELECT COUNT(remote_host), remote_host
    FROM connections
    WHERE connection_type = 'accept'
    GROUP BY remote_host
    ORDER BY COUNT(remote_host) DESC
    LIMIT 10;

    COUNT(remote_host) | remote_host
    -------------------+---------------
                  1655 | 10.204.202.23
                   420 | 10.2.101.193
                   234 | 10.246.93.128
                   224 | 10.208.119.223
                   120 | 10.54.151.201
                   120 | 10.129.95.105
                   120 | 10.174.16.255
                   120 | 10.234.207.36
                   120 | 10.133.39.52
                   120 | 10.31.104.74


Complex example

Python script accessing the sqlite db:

    connection 610 smbd tcp accept 10.69.53.52:445 <- 10.65.34.231:2010
      dcerpc request: uuid 3919286a-b10c-11d0-9ba8-00c04fd92ef5 opnum 9
      p0f: genre:Windows detail:XP SP1+, 2000 SP3 uptime:-1 tos: dist:11 nat:0 fw:0
      profile: [{return: 0x7c802367, args: [, CreateProcessA], call: GetProcAddress}, ...., {return: 0, args: [0], call: ExitThread}]
      service: bindshell://1957
    connection 611 remoteshell tcp listen 10.69.53.52:1957
    connection 612 remoteshell tcp accept 10.69.53.52:1957 <- 10.65.34.231:2135
      p0f: genre:Windows detail:XP SP1+, 2000 SP3 uptime:-1 tos: dist:11 nat:0 fw:0
      offer: fxp://1:1@10.65.34.231:8218/ssms.exe
      download: 1d419d615dbe5a238bbaa569b3829a23 fxp://1:1@10.65.34.231:8218/ssms.e
    connection 613 ftpctrl tcp connect 10.69.53.52:37065 -> 10.65.34.231/None:821
    connection 614 ftpdata tcp listen 10.69.53.52:62087
    connection 615 ftpdata tcp accept 10.69.53.52:62087 <- 10.65.34.231:2308
      p0f: genre:Windows detail:XP SP1+, 2000 SP3 uptime:-1 tos: dist:11 nat:0 fw:0
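An added example, not the talk's script, of the kind of analysis the simple and complex examples show: it builds an in-memory sqlite db with a cut-down, assumed schema (only the connections and dcerpcrequests tables, with the column names the slides use plus a few constructed ones), fills it with constructed rows, and runs the "who attacked us most" query and a per-host join to the RPC opnums that were requested.

```python
import sqlite3

# Assumed, simplified schema: column names beyond connection_type/remote_host
# are constructed for this example, not copied from dionaea's real logsql module.
SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY, connection_type TEXT, connection_protocol TEXT,
    local_host TEXT, local_port INTEGER, remote_host TEXT, remote_port INTEGER);
CREATE TABLE dcerpcrequests (
    connection INTEGER, dcerpcrequest_uuid TEXT, dcerpcrequest_opnum INTEGER);
"""

# Constructed sample rows (private addresses); a listen row has no remote side.
ROWS = [
    (610, "accept", "smbd",        "10.69.53.52", 445,  "10.65.34.231", 2010),
    (611, "listen", "remoteshell", "10.69.53.52", 1957, None,           None),
    (612, "accept", "remoteshell", "10.69.53.52", 1957, "10.65.34.231", 2135),
    (620, "accept", "smbd",        "10.69.53.52", 445,  "10.2.101.193", 3344),
    (621, "accept", "smbd",        "10.69.53.52", 445,  "10.2.101.193", 3345),
    (622, "accept", "smbd",        "10.69.53.52", 445,  "10.2.101.193", 3346),
]
RPC = [(610, "3919286a-b10c-11d0-9ba8-00c04fd92ef5", 9)]

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?)", ROWS)
    db.executemany("INSERT INTO dcerpcrequests VALUES (?,?,?)", RPC)
    return db

def top_attackers(db, limit=10):
    """The slide's query, parameterised; only accepted connections count."""
    return db.execute(
        "SELECT COUNT(remote_host), remote_host FROM connections "
        "WHERE connection_type = 'accept' GROUP BY remote_host "
        "ORDER BY COUNT(remote_host) DESC LIMIT ?", (limit,)).fetchall()

def rpc_calls_for(db, remote_host):
    """Which DCERPC interface/opnum a given host requested on each connection."""
    return db.execute(
        "SELECT c.connection, c.connection_protocol, r.dcerpcrequest_uuid, "
        "r.dcerpcrequest_opnum FROM connections c "
        "JOIN dcerpcrequests r ON r.connection = c.connection "
        "WHERE c.remote_host = ? ORDER BY c.connection", (remote_host,)).fetchall()

if __name__ == "__main__":
    db = open_db()
    for count, host in top_attackers(db):
        print(count, host, rpc_calls_for(db, host))
```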


Every technical talk should have a demo ...

Demo.


Comments on dionaea

Evolution:

- It was good to start over
- Fun to code on dionaea, fun to implement modules / services
- SMB layer copes with all RPC function vulnerabilities

Nepenthes R.I.P.


So please ...

Help us testing and spread the word:

- We want to replace nepenthes installations
- Tell us if things are missing
- Help us test the code
- Measuring performance on large amounts of IP space
- Give feedback


Installation

Packaging ...

- We have no distribution packages ready
- Compilation needs newer library versions than most distributions have
- There are quite a number of dependencies
- We hope that people try it nevertheless! The .debs will come!

Virtualbox image:

- Dionaea dirty install on debian (by Hugo Gonzalez, HP)
- Ready for running in Virtualbox
- ftp://ftp.carnivore.it/projects/dionaea/images/virtualbox-20091127-hugo/


Dionaea website


Carnivore.it


Honeynet Project


EOF

Thank you!

Mark Schloesser, ms@mwcollect.org

- Dionaea honeypot: http://dionaea.carnivore.it/
- Giraffe Honeynet Project: http://giraffe.honeynet.org
- carnivore.it Software: http://carnivore.it/
