December 2, 2009
Special thanks ... for support
1 of 39
Server honeypots?
Carnivores
Nepenthes
Mark Schloesser, Giraffe Honeynet Project: Low Interaction Server Honeypot Evolution
Nepenthes
- Low-interaction server honeypot
- Written by Markus Koetter and Paul Baecher (Giraffe)
- Written entirely in C++
- Vulnerability modules
- Shellcode manager
- Great tool, widely used
- Lots of sensors deployed on lots of IP space
- Lots of malware gathered over the years
Nepenthes success
Malware reality
1. Malware often uses public exploit code to spread
2. Malware often packs a bunch of public exploits
3. Malware authors often are lazy / unskilled
4. Malware community does code sharing / selling
The problems
Huh?
Even though we always claimed it was easy to write nepenthes modules/addons, there was very little contribution.
Nepenthes disadvantages
- No new / unknown vulnerabilities supported
- Vulnerability emulation instead of protocol emulation
- Several vulns on port 445/TCP interfering with each other
- Impossible to keep up with exploitation trends
- Shellcode manager needs to know shellcode in advance
- No TLS
Interference
- Modules mostly match against certain byte strings
- Return UNSURE, DROP, ASSIGN to core
- Which one sends back a response? Random / Parallel / Chaos
Laziness
Malware authors are lazy:
    send(packetbuffer)
    recv(1024) and discard
    send(packetbuffer)
    recv(1024) and discard
    ...
MS08-067
Conclusion
Tedious, error-prone, possibly breaks other modules
What now?
Other approaches
Honeytrap
- Written by Tillmann Werner (Giraffe)
- Dynamically handles incoming connection attempts
- Binds UDP/TCP ports upon request
- No vulnerability modules
Mirror mode
1. Technically interested person (TIP) connects to honeypot
2. Connection request gets frozen
3. honeytrap starts a listener and accepts the request
4. Mirror incoming data to the TIP and vice versa
Conficker
A lot of law enforcement or government institutions may not use
Moving on
We wanted to create a new honeypot that provides a stable base for any future needs and does not suffer from the shortcomings of nepenthes.
Requirements
- Vulnerability modules
- Scripting language to ease implementation of modules
- Reusing code from libraries
Shellcode detection
Libemu
- Generic shellcode detection using GetPC heuristics
- Binary backwards traversal
- Instruction dependency tracking
- Shellcode emulation supporting all basic x86 CPU/FPU instructions
- Profiling by mapping required parts of Windows process memory
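As an added illustration of the GetPC heuristic named above (a simplified detector written for this page, not libemu's own code), the scanner below looks for the two classic GetPC idioms, call $+5 followed by a pop and an x87 instruction followed by fnstenv [esp-0xc], and reports where a candidate shellcode entry point sits. The sample buffer is constructed.

```python
import struct

# Constructed sample buffer (not from the slides): filler, then a
# fnstenv-based GetPC stub, more filler, then a call-$+5 GetPC stub.
SAMPLE = (
    b"\x90" * 8
    + b"\xd9\xee"               # fldz (any x87 instruction records its own EIP)
    + b"\xd9\x74\x24\xf4"       # fnstenv [esp-0xc]  -> stores that EIP at [esp]
    + b"\x5b"                   # pop ebx            -> ebx = address of fldz
    + b"\x41" * 6
    + b"\xe8\x00\x00\x00\x00"   # call $+5           -> pushes address of next insn
    + b"\x58"                   # pop eax            -> eax = that address
    + b"\x90" * 4
)

FPU_OPCODES = set(range(0xD8, 0xE0))   # first byte of every x87 instruction
POP_REG = set(range(0x58, 0x60))       # pop eax .. pop edi

def find_getpc_candidates(buf, max_call_disp=0x20):
    """Return (offset, kind) for each GetPC idiom found in buf.

    This is only the first step of libemu's approach: a GetPC construct marks
    a plausible entry point from which emulation can start; the backwards
    traversal that refines the start offset is not implemented here.
    """
    hits = []
    n = len(buf)
    for i in range(n):
        # call rel32 with a tiny non-negative displacement that lands on a pop
        if buf[i] == 0xE8 and i + 5 <= n:
            disp = struct.unpack_from("<i", buf, i + 1)[0]
            target = i + 5 + disp
            if 0 <= disp <= max_call_disp and target < n and buf[target] in POP_REG:
                hits.append((i, "call"))
        # fnstenv [esp-0xc] immediately after an x87 instruction
        if buf[i:i + 4] == b"\xd9\x74\x24\xf4" and i >= 2 and buf[i - 2] in FPU_OPCODES:
            hits.append((i - 2, "fnstenv"))
    return hits
```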
Enough said
Carnivores continued
dionaea
Environment
Dependencies
Honeypot features
Implementation efficiency
- Emulate the SMB/CIFS protocol to get (unknown) RPC calls
- Detect shellcode (generically) in attacks and create a profile of it
- From the profile guess its actions and act upon that knowledge
- Emulate Windows shell (cmd.exe)
- Download malware via http/ftp/ftp.exe/tftp
- Execute multistage shellcode in libemu and grab the downloaded file (link:// protocol)
- SURFnet SURFids integration
    from dionaea.core import connection


    class mirrorc(connection):
        """Outbound half of mirror mode: connects back to the peer's own
        address on the port it contacted us on, and relays data both ways."""

        def __init__(self, peer=None):
            connection.__init__(self, peer.transport)
            self.bind(peer.local.host, 0)
            self.connect(peer.remote.host, peer.local.port)
            self.peer = peer

        def handle_established(self):
            self.peer.peer = self

        def handle_io_in(self, data):
            if self.peer:
                self.peer.send(data)
            return len(data)

        def handle_error(self, err):
            if self.peer:
                self.peer.peer = None
                self.peer.close()

        def handle_disconnect(self):
            if self.peer:
                self.peer.close()
            if self.peer:
                self.peer.peer = None
            return 0


    class mirrord(connection):
        """Listening half of mirror mode: on every accepted connection spawn a
        mirrorc towards the peer and forward bytes between the two."""

        def __init__(self, proto=None, host=None, port=None, iface=None):
            connection.__init__(self, proto)
            if host:
                self.bind(host, port, iface)
                self.listen()
            self.peer = None

        def handle_established(self):
            self.peer = mirrorc(self)
            # bound the lifetime and volume of each mirrored session
            self.timeouts.sustain = 60
            self._in.accounting.limit = 100 * 1024
            self._out.accounting.limit = 100 * 1024

        def handle_io_in(self, data):
            if self.peer:
                self.peer.send(data)
            return len(data)

        def handle_error(self, err):
            if self.peer:
                self.peer.peer = None

        def handle_disconnect(self):
            if self.peer:
                self.peer.close()
            if self.peer:
                self.peer.peer = None
            return 0
What else
Simple example
Which host attacked us most?
    SELECT COUNT(remote_host), remote_host
    FROM connections
    WHERE connection_type = 'accept'
    GROUP BY remote_host
    ORDER BY COUNT(remote_host) DESC
    LIMIT 10;

    COUNT(remote_host) | remote_host
    1655 | 10.204.202.23
     420 | 10.2.101.193
     234 | 10.246.93.128
     224 | 10.208.119.223
     120 | 10.54.151.201
     120 | 10.129.95.105
     120 | 10.174.16.255
     120 | 10.234.207.36
     120 | 10.133.39.52
     120 | 10.31.104.74
Complex example
Python script accessing the sqlite db
    connection 610 smbd tcp accept 10.69.53.52:445 <- 10.65.34.231:2010
      dcerpc request: uuid 3919286a-b10c-11d0-9ba8-00c04fd92ef5 opnum 9
      p0f: genre:Windows detail:XP SP1+, 2000 SP3 uptime:-1 tos: dist:11 nat:0 fw:0
      profile: [{return: 0x7c802367, args: [, CreateProcessA], call: GetProcAddress}, ...., {return: 0, args: [0], call: ExitThread}]
      service: bindshell://1957
      connection 611 remoteshell tcp listen 10.69.53.52:1957
        connection 612 remoteshell tcp accept 10.69.53.52:1957 <- 10.65.34.231:2135
          p0f: genre:Windows detail:XP SP1+, 2000 SP3 uptime:-1 tos: dist:11 nat:0 fw:0
          offer: fxp://1:1@10.65.34.231:8218/ssms.exe
          download: 1d419d615dbe5a238bbaa569b3829a23 fxp://1:1@10.65.34.231:8218/ssms.e
          connection 613 ftpctrl tcp connect 10.69.53.52:37065 -> 10.65.34.231/None:821
            connection 614 ftpdata tcp listen 10.69.53.52:62087
              connection 615 ftpdata tcp accept 10.69.53.52:62087 <- 10.65.34.231:2308
                p0f: genre:Windows detail:XP SP1+, 2000 SP3 uptime:-1 tos: dist:11 nat:0 fw:0
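The two database examples above (the top-attackers query and the per-attack connection tree) as one added, self-contained script; this is not dionaea's own logsql code, the column set is an assumption inferred from the slide's query, and the rows are constructed to mimic the listing above:

```python
import sqlite3

# Assumed subset of dionaea's logsql schema (column names inferred from the
# query on the slide, not copied from the project).
SCHEMA = """CREATE TABLE connections (connection INTEGER PRIMARY KEY,
    connection_type TEXT, connection_protocol TEXT, connection_root INTEGER,
    connection_parent INTEGER, local_host TEXT, local_port INTEGER,
    remote_host TEXT, remote_port INTEGER)"""

# Constructed rows modelled on the slide's listing (610 -> 611 -> 612 -> 613);
# the 10.x addresses are placeholders, not real captured data.
ROWS = [
    (610, "accept", "smbd", 610, 610, "10.69.53.52", 445, "10.65.34.231", 2010),
    (611, "listen", "remoteshell", 610, 610, "10.69.53.52", 1957, "", 0),
    (612, "accept", "remoteshell", 610, 611, "10.69.53.52", 1957, "10.65.34.231", 2135),
    (613, "connect", "ftpctrl", 610, 612, "10.69.53.52", 37065, "10.65.34.231", 8218),
    (620, "accept", "smbd", 620, 620, "10.69.53.52", 445, "10.204.202.23", 3001),
]

def open_db():
    """Build an in-memory copy of the table from the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?,?,?)", ROWS)
    return db

def top_attackers(db, limit=10):
    """The slide's 'which host attacked us most' query, with 'accept' quoted."""
    return db.execute(
        "SELECT COUNT(remote_host), remote_host FROM connections "
        "WHERE connection_type = 'accept' GROUP BY remote_host "
        "ORDER BY COUNT(remote_host) DESC LIMIT ?", (limit,)).fetchall()

def attack_tree(db, root):
    """Follow connection_parent links from a root connection and return
    (depth, id, protocol, type) tuples in the order the slide lists them."""
    rows = db.execute(
        "SELECT connection, connection_parent, connection_protocol, connection_type "
        "FROM connections WHERE connection_root = ? ORDER BY connection", (root,)).fetchall()
    info = {cid: (proto, ctype) for cid, _, proto, ctype in rows}
    children = {}
    for cid, parent, _, _ in rows:
        if cid != parent:                      # the root is its own parent
            children.setdefault(parent, []).append(cid)
    out = []
    def walk(cid, depth):
        out.append((depth, cid) + info[cid])
        for child in children.get(cid, []):
            walk(child, depth + 1)
    walk(root, 0)
    return out
```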
Demo.
Comments on dionaea
Evolution
- It was good to start over
- Fun to code on dionaea, fun to implement modules / services
- SMB layer copes with all RPC function vulnerabilities
Nepenthes R.I.P.
So please...
Installation
Packaging...
- We have no distribution packages ready
- Compilation needs newer library versions than most distributions have
- There are quite a number of dependencies
- We hope that people try it nevertheless! The .debs will come!
VirtualBox image
- Dionaea dirty install on Debian (by Hugo Gonzalez, HP)
- Ready for running in VirtualBox
- ftp://ftp.carnivore.it/projects/dionaea/images/virtualbox-20091127-hugo/
Dionaea website
Carnivore.it
Honeynet Project
EOF
Thank you!
Mark Schloesser <ms@mwcollect.org>
Dionaea honeypot: http://dionaea.carnivore.it/