Honeypots : tracking hackers
معرفی کتاب «Honeypots : tracking hackers» نوشتهٔ Stephen King و Lance Spitzner، منتشرشده توسط نشر Addison-Wesley Professional در سال 2002. این کتاب در 63 صفحه، فرمت pdf، زبان انگلیسی ارائه شده است.
RIPPED BY “BUSTER” 1 Foreword: Giving the Hackers a Kick Where It Hurts 1 Preface 2 Audience 2 Web Site 3 References 3 Network Diagrams 3 3 Figure A. Two production systems deployed on a network 3 Figure B. Two honeypots deployed on a network 3 Chapter 1. The Sting: My Fascination with Honeypots 4 The Lure of Honeypots 5 How I Got Started with Honeypots 5 6 Figure 1-1. Diagram of the very first honeypot I ever deployed: A default installation of Red Hat Linux 5.1 behind a firewall. 6 Perceptions and Misconceptions of Honeypots 8 Summary 8 Chapter 2. The Threat: Tools, Tactics, and Motives of Attackers 8 Script Kiddies and Advanced Blackhats 8 Everyone Is a Target 9 Methods of Attackers 9 Targets of Opportunity 10 Figure 2-1. The hacking tool wwwhack has a simple point-n-click interface. 10 An Example Auto-rooter: Luckroot 11 Figure 2-2 Attacker's keystrokes captured by a honeypot. Here we see an attacker launch an auto-rooter against entire class B networks, each network having more than 64,000 IP addresses. 12 Figure 2-3 The output of a mass-rooter, demonstrating all the different systems it can break into 13 Worms: CodeRed 13 Figure 2-4. Graph from CERT of IP addresses compromised by the CodeRed worm (Data for July 13, 2001 as represented to the CERT/CC; from: Incident data for CERT #36881. Used with permission.) 14 Figure 2-5. This diagram, taken from securityfocus.com's analysis, illustrates how the CodeRed II worms improved propagation algorithim dramatically increases its infection rate. 15 Figure 2-6 Scans detected by a honeypot in a single day. Each entry represents a different system probing the honeypot. 15 Targets of Choice 16 Motives of Attackers 17 Denial of Service 17 BOTs 18 Credit Cards 18 Bragging Rights 18 CPU Cycles 18 Corporate Espionage 18 Political Motives 18 Adapting and Changing Threats 18 Summary 19 References 19 Chapter 3. History and Definition of Honeypots 20 The History of Honeypots 20 Early Publications 20 Early Products 21 Recent History: Honeypots in Action 22 Definitions of Honeypots 23 How Honeypots Work 24 Two Examples of Honeypots 24 Figure 3-1. Though vastly different in how they were built and what their purpose is, Honeypots A and B share the definition and concepts of a honeypot. 24 Types of Honeypots 26 Summary 27 References 27 Chapter 4. The Value of Honeypots 27 Advantages of Honeypots 27 Data Value 28 Figure 4-1 Covert network sweep by an attacker picked up by a network of honeypots 28 Resources 28 Simplicity 29 Return on Investment 29 Disadvantages of Honeypots 29 Narrow Field of View 30 Fingerprinting 30 Risk 30 The Role of Honeypots in Overall Security 30 Production Honeypots 31 Prevention 31 Detection 32 Figure 4-2. Network diagram of a honeypot deployed on a DMZ to detect attacks 34 Response 35 Figure 4-3. Honeypot deployed within a DMZ used for incident response 36 Research Honeypots 37 Honeypot Policies 38 Summary 38 References 39 Chapter 5. Classifying Honeypots by Level of Interaction 39 Tradeoffs Between Levels of Interaction 39 39 Figure 5-1. A low-interaction honeypot limits both the amount of interaction an attacker can have and the amount of information you can obtain from the attacker. 39 Figure 5-2 Actual FTP session captured from a high-interaction NT honeypot, demonstrating its extensive data gathering capabilities 40 Table 5-1. Tradeoffs of Honeypot Levels of Interaction 41 Low-Interaction Honeypots 41 Medium-Interaction Honeypots 42 High-Interaction Honeypots 43 An Overview of Six Honeypots 44 BackOfficer Friendly 44 Specter 44 Honeyd 44 Homemade 45 ManTrap 45 Honeynets 45 Summary 45 References 46 Chapter 6. BackOfficer Friendly 46 Overview of BOF 46 46 Figure 6-1. Simplified GUI interface to the remote control client of Back Orifice 46 The Value of BOF 48 48 Figure 6-2. BOF honeypot detecting, logging, and alerting to a series of attacks captured in the wild 48 How BOF Works 49 50 Figure 6-3. Output of netstat -a command. Highlighted in white are the four ports that BOF is currently monitoring on the system called honeypot. 50 Installing, Configuring, and Deploying BOF 50 50 Figure 6-4. Double-clicking on the BOF executable installs and runs the BOF honeypot. 50 Figure 6-5. Menu for BackOfficer Friendly. This is the only GUI to the honeypot, making configuration very simple. 51 Figure 6-6. All the options for configuring BOF 51 Figure 6-7. Snort trace of a Telnet connection to BOF honeypot with Fake Replies disabled. The last packet (highlighted) is an RST packet tearing the connection down. 52 Information Gathering and Alerting Capabilities 53 54 Figure 6-8. When BOF detects activity, the menu pops up, alerting the system user to logged connections. 54 Figure 6-9. Alerts to multiple attacks on BOF 54 Risk Associated with BOF 55 Summary 55 55 Table 6-1. Features of BackOfficer Friendly 55 Tutorial 55 Step 1—Installation 56 Step 2—Configure 56 Figure 6-10. Enabling all the options on BOF honeypot 56 Step 3—Netstat 56 Figure 6-11. Using netstat -na to confirm BOF is monitoring the ports 56 Step 4—Attack System 57 Figure 6-12. Telnet to the localhost, simulating an attack against our BOF honeypot 57 Step 5—Review Alerts 58 Figure 6-13. BOF detecting and alerting to our attacks. Notice how the source of the attack is 127.0.0.1, the IP address for localhost. 58 Step 6—Save Alerts 58 Figure 6-14. Saving the BOF alerts to an ASCII text file 58 References 58 Chapter 7. Specter 59 Overview of Specter 59 59 Figure 7-1. Specter honeypot emulating a vulnerable FTP server 59 The Value of Specter 60 How Specter Works 62 62 Figure 7-2. Specter honeypot emulating a Windows XP server. The Web server, one of seven emulated services, adjusts its behavior based on the selected OS. 62 Figure 7-3. Changing the OS type of the Specter honeypot causes it to change the behavior of the Web server. 63 Installing and Configuring Specter 64 65 Figure 7-4. GUI used to configure the Specter honeypot 65 Operating System 65 Character 66 Figure 7-5. A Specter honeypot with the characteristic set to Open, emulating a vulnerable server. Here, the emulated SMTP service appears vulnerable to spam relay. 66 Figure 7-6. With the characteristic set to Aggressive, the Specter honeypot warns off the attacker when it detects unauthorized activity. 66 Services 67 Figure 7-7. The emulated Web server service customized with the Tracking Hackers Web site to create a more realistic honeypot 68 Intelligence, Traps, Password Types, and Notification 68 Additional Options 69 Starting the Honeypot 69 Deploying and Maintaining Specter 69 70 Figure 7-8. The GUI to remotely manage Specter honeypots has the same options as the local GUI, except there are no Log Analyzer capabilities. 70 Information-Gathering and Alerting Capabilities 70 Short Mail 70 Figure 7-9 Short Mail generated for the FTP attack 71 Alert Mail 71 Figure 7-10 Alert Mail generated for the FTP attack 71 Log Analyzer 72 Figure 7-11. Log Analyzer GUI used to query and select the attacker you want more information about 72 Figure 7-12. Detailed information on the FTP attack, similar to the information in the Alert Mail 73 Event Log 73 Figure 7-13. Event log generated by the FTP attack 73 Syslog 74 Figure 7-14 Syslog entry generated by the FTP attack 74 Intelligence Gathering 74 Risk Associated with Specter 75 Summary 76 76 Table 7-1. Features of Specter 76 References 76 Chapter 8. Honeyd 76 Overview of Honeyd 77 Value of Honeyd 77 How Honeyd Works 78 Blackholing 79 Figure 8-1. Network diagram demonstrating how all traffic for a specific network (10.0.0.0 /8) is redirected to the Honeyd honeypot 79 ARP Spoofing 80 Figure 8-2. The four layers of the TCP/IP protocol suite. (This model is based on Stevens [5].) 80 Figure 8-3 The ARP table of the system apu showing the MAC identifiers and IP addresses mapped together 81 Figure 8-4 System 192.168.1.50 asking the local network for the MAC address of 192.168.1.100. 192.168.1.100 replies, supplying its MAC address. 82 ARP Proxy 83 Figure 8-5 Using the arp -s command to statically assign the IP addresses of known, nonexistent systems to the MAC address of the Honeyd honeypot 83 Responding to Attacks 83 Figure 8-6. Demonstration of Honeyd's emulation capabilities in response to an attacker 84 Installing and Configuring Honeyd 85 85 Figure 8-7 Example of the Nmap signature database file. This is a specific signature for Windows NT Server, Service Pack 5 or 6. 85 Figure 8-8 Example of Honeyd configuration file 85 Figure 8-9 Simple testing script for Honeyd, used to test configuration files and TCP connections 87 Deploying and Maintaining Honeyd 88 Information Gathering 88 88 Figure 8-10 Attacker activity logged by the Honeyd process to syslog. This log is based on the attack seen in Figure 8-6. 88 Risk Associated with Honeyd 89 Summary 89 89 Table 8-1. Features of Honeyd 89 References 90 Chapter 9. Homemade Honeypots 90 An Overview of Homemade Honeypots 90 Port-Monitoring Honeypots 91 The Value of Port Monitoring 91 Figure 9-1 Log of activity over a 24-hour period with a homemade honeypot listening on port TCP 80 92 How Homemade Port Monitors Work 93 Figure 9-2. Running netcat on a Windows sytem to create a simple port listener on port 80 94 Figure 9-3. Attacker connecting to the port listener honeypot on port TCP 80 94 Figure 9-4. After the attacker completes the connection, netcat closes and saves the input to a file. Here we see the contents of that file. 95 Figure 9-5. GUI client used to remotely control a Sub7-infected system 96 Risk Associated with Homemade Port Monitors 98 Jailed Environments 98 The Value of Jails 99 How Jails Work 100 Installing and Configuring Jails 100 Deploying and Maintaining Jails 101 Information Gathering with Jails 101 Figure 9-6 Snort alert detecting an attempt to query the version of our named process 102 Risk Associated with Jails 102 Summary 103 References 103 Chapter 10. ManTrap 103 Overview of ManTrap 103 The Value of ManTrap 104 Prevention 104 Detection 105 Response 105 Research 106 Nontraditional Applications 106 Limitations 106 How ManTrap Works 107 107 Figure 10-1. A ManTrap host with four logical cages 107 Adjustments to the Kernel 107 How ManTrap Handles the File System 108 Figure 10-2 Filesystem on a ManTrap host. We can see the filesystems to all the cages, including cage one, highlighted in bold. 108 Figure 10-3 Filesystem as seen from cage one 109 The Resulting Cages and Their Limitations 109 Figure 10-4 The first five processes running on a cage 109 Installing and Configuring ManTrap 110 Building the Host System 110 iButton and Configuration Options 111 Figure 10-5. On the initial ManTrap configuration menu you identify the system password, number of cages, and location of specific resources. 111 Client Administration 112 Figure 10-6. ManTrap GUI interface used to configure logging and alerting for each cage 112 Customizing the Cages 112 Figure 10-7 Using the chroot(1) command from the Host OS to add a user to cage two 113 Deploying and Maintaining ManTrap 113 114 Figure 10-8. Deployment locations for two ManTrap cages within a Web server farm to detect and respond to attacks 114 Figure 10-9. Actual deployment of ManTrap honeypot to include Host system and remote administration system 114 Information Gathering 115 Data Capture in Practice: An Example Attack 116 Figure 10-10. ManTrap GUI configured to set up alerts to 116 Viewing Captured Data 118 Figure 10-11. ManTrap GUI used to review the system logs and access the attacker's keystrokes 118 Figure 10-12 ManTrap captures the attacker's keys 118 Data Capture at the Application Level 119 File Recovery 119 Using a Sniffer with ManTrap 120 Using iButton for Data Integrity 120 Figure 10-13. New keystroke reply feature with Version 3.0 of ManTrap 121 Risk Associated with ManTrap 121 Summary 122 122 Table 10-1. Features of ManTrap 122 References 123 Chapter 11. Honeynets 123 Overview of Honeynets 123 The Value of Honeynets 124 Methods, Motives, and Evolving Tools 124 Figure 11-1 Encoded commands sent to hacked honeypot using IP protocol 11 125 Figure 11-2 Decoded command sent to the hacked ho 125 Trend Analysis 126 Incident Response 127 Test Beds 128 How Honeynets Work 128 Controlling Data 128 Capturing Data 129 Collecting Data 130 Honeynet Architectures 130 GenI 130 Figure 11-3. Network diagram of a GenI Honeynet 131 Data Control Issues and Methods 131 Figure 11-4. Firewall rulebase used for data control. Rule number four, highlighted, is the rule that counts and blocks outbound connections. 132 Figure 11-5 Honeynet alert warning that one of the honeypots has made an outbound connection 134 Data Capture Issues and Methods 134 Figure 11-6 Firewall logs record all unique inbound connections, which is excellent for trend analysis. 135 Figure 11-7 IDS system generating alerts on inbound HTTP activity, in this case CodeRed Version 2 worm 136 Figure 11-8 Attacker's keystrokes captured using a Trojaned version of the /bin/bash shell on a Linux honeypot 137 Limitations of GenI Honeynets 137 GenII 138 Data Control Issues and Methods 138 Figure 11-9. Network diagram of GenII Honeynet. The biggest difference is the use of a layer two firewall, combining both IDS and firewalling functionality. 138 Data Capture Issues and Methods 140 Data Collection Issues and Methods 140 Virtual Honeynets 141 Sweetening the Honeynet 141 Deploying and Maintaining Honeynets 142 Information Gathering: An Example Attack 143 143 Figure 11-10. A virtual Honeynet using a GenI architecture. All three systems are running on a single, physical computer with VMware. 143 Figure 11-11 IDS Snort sensor detecting and generating an alert to a known FTP attack against the honeypot 144 Figure 11-12 System logs recorded from the Linux honeypot 144 Figure 11-13 Commands executed against the honeypot. These commands were reconstructed using the packet traces captured by the IDS sensor. 144 Figure 11-14 Keystrokes of the attacker downloading three toolkits to the compromised honeypot. Once downloaded, the attacker proceeds to install the Zer0 toolkit by executing the install script Go. 146 Figure 11-15 Network capture of an encrypted SSH session. This demonstrates that encrypted data cannot be recovered from the network level. 147 Figure 11-16 Attacker's keystrokes captured using the Trojaned binary, /bin/bash 147 Figure 11-17. Diagram of all the systems and steps involved in the attack 148 Risk Associated with Honeynets 148 Summary 149 149 Table 11-1. Features of Honeynets 149 References 149 Chapter 12. Implementing Your Honeypot 149 Specifying Honeypot Goals 149 Selecting a Honeypot 151 Interaction Level 151 Commercial Versus Homemade Solutions 152 Platform 152 Determining the Number of Honeypots 153 Selecting Locations for Deployment 154 Placement for Prevention 154 Figure 12-1. Different locations to deploy a honeypot 154 Placement for Detection 155 Placement for Response 156 Placement for Research 156 Implementing Data Capture 157 Maximizing the Amount of Data 157 Figure 12-2. Deploying a sniffer with the honeypot for additional data capture on all detected probes or attacks 157 Adding Redundancy to Data Capture 158 Figure 12-3. Network diagram of how to use a firewall to log all inbound and outbound connections to and from a honeypot 159 IP Addresses Versus Resolved Names 159 Logging and Managing Data 159 160 Figure 12-4. Dedicated honeypot management network, separated by a firewall. The dotted lines are the separate management network. 160 Using NAT 161 NAT and Private Addressing 161 Figure 12-5. Network Address Translation. All out 162 Figure 12-6. Static (one-to-one) Network Address Translation. Each internal system has its one public IP mapped to it. This allows systems from the Internet to initiate a connection to an internal system, using private (RFC 1918) IP addressing. For e 162 The Role of NAT with Honeypots 163 Figure 12-7. Firewall using port address translation. All HTTP packets bound for the Web server go to the Web server. All non-HTTP packets bound for the Web server are forwarded to the honeypot. 163 Mitigating Risk 164 Mitigating Fingerprinting 165 Summary 166 References 167 Chapter 13. Maintaining Your Honeypot 167 Alert Detection 167 Reliability of Alerts 168 Critical Content 168 Figure 13-1 E-mail alert generated by my Honeynet, notifying me that honeypot number 2 was scanned on the SMB service. 168 Prioritizing Alerts 169 Figure 13-2 E-mail alert notifying me that a honeypot has initiated an outbound connection. This implies that the system was compromised and is a high-priority alert. 169 Figure 13-3 Summary of all the low-priority alert 170 Archiving 170 Response 171 Determining Reaction Practices and Roles 171 Documenting Reaction Practices 172 Remote Access and Data Control 172 Data Analysis 173 A Simple Scenario: Low-Interaction Honeypots 173 Figure 13-4 Using the Unix dig(1) command to determine the system name (PTR record) of the IP address attacking us 173 Figure 13-5 Using the Unix utility fwhois to query the whois database and determine the owner of the domain name USIT.net 174 Figure 13-6. Using SamSpade to query the owner and point of contact of the IP address that attacked us 175 A Complex Scenario: High-Interaction Honeypots 176 Figure 13-7. A simple Honeynet with a single NT honeypot 177 Figure 13-8 Taking the Snort binary log file and extracting all packet information to the text file snort.txt 178 Figure 13-9 From the snort.txt file, we see the h 178 Figure 13-10 Contents of the Snort SESSION file SESSION:1874-80, which contains the Unicode attack copying the file cmd.exe to cmd.exe1 179 Figure 13-11. Using the OpenSource tool Ethereal to analyze a Snort binary capture of network activity 180 Figure 13-12 HTTP packet sent by the attacker. The information highlighted in bold indicates that the attacker is a Windows NT 5.0 system (Windows 2000) with several Microsoft Office components installed. 181 Figure 13-13 Windows-based ICMP Echo Request 182 Figure 13.14 Linux-based ICMP Echo Request 182 Figure 13-15. ACID interface to a database centrally logging from six distributed Honeynets 183 Updates 184 Summary 184 References 184 Chapter 14. Putting It All Together 185 Honeyp.com 185 Matching Goals to Honeypot Solutions 186 Identifying Attacks 186 Identifying the Access Method 186 Deploying the Honeypots 187 Determining Quantity and Location of Honeypots 187 Figure 14-1. Deployment plan of both the low-interaction, detection honeypots, and the high-interaction, incident response honeypots 187 Increasing Effectiveness 188 Mitigating Risk 189 Managing the Honeypot and Logging Information 190 Figure 14-2. Honeypot deployment with centralized management and logging network. Dotted line denotes dedicated network. 190 Maintaining the Honeypots 190 Data Capture and Alerting 191 Figure 14-3 One of our four Specter honeypots on the internal networks detecting an FTP scan from another internal system 191 Figure 14-4 The firewall generating an alert when it detects the honeypot attempting an FTP connection to the internal network. This is a high-priority alert, since it indicates the honeypot has been hacked. 192 Reaction Policy 192 Updating 193 Surviving and Responding to an Attack 193 Figure 14-5. Steps involved in the attacking of internal network and capture of the attack by the honeypots 194 Honeyp.edu 195 Matching Goals to Honeypot Solutions 195 Deploying the Honeynet 196 Figure 14-6. GenI Honeynet designed to research various automated threats 197 Maintaining the Honeynet 197 Analyzing Attacks 198 Summary 198 References 198 Chapter 15. Legal Issues 199 Are Honeypots Illegal? 199 Precedents 200 Privacy 200 The Fourth Amendment 201 Stored Information: The Electronic Communications Privacy Act 202 Real-Time Interception of Information: The Wiretap Act and the Pen/Trap Statute 202 Exceptions with Respect to Consent 203 Figure 15-1 One example of a warning banner that determines consent by the attacker 204 Exceptions for Service Provider Protection 204 Entrapment 205 Liability 205 Summary 206 References 206 Chapter 16. Future of Honeypots 207 From Misunderstanding to Acceptance 207 Improving Ease of Use 207 Easier Administration 208 Figure 16-1. CheckPoint FireWall-1 GUI for the NG version. An extremely simple GUI that includes "drag-n-drop" capabilities. 208 Prepackaged Solutions 208 Closer Integration with Technologies 209 Targeting Honeypots for Specific Purposes 209 Expanding Research Applications 210 Early Warning and Prediction 210 Studying Advanced Attackers 211 Identifying New Threats 211 Deploying in Distributed Environments 211 A Final Caveat 211 Summary 212 References 212 Appendix A. Back Officer Friendly ASCII File of Scans 212 Appendix B. Snort Configuration File 215 Appendix C. IP Protocols 217 Appendix D. Definitions, Requirements, and Standards Document 219 PURPOSE 219 DEFINITIONS 219 REQUIREMENTS 220 STANDARDS 221
دانلود کتاب Honeypots : tracking hackers