Presentation Transcript

Intrusion Deception

Kirby Kuehl

Honeynet Project Member

05/08/2002

Intrusion Deception—Deceiving the Blackhat
  • Reconnaissance: an inspection or exploration of an area, especially one made to gather military information.
      • A Honeypot MUST appear to be an attractive target.
      • Accurate responses to active (nmap) and passive (p0f) operating system fingerprinting methods, daemon banner queries, port scans, and vulnerability scanners (Nessus).
      • Convincing content if the system is running httpd or ftpd.
      • Inconspicuous in relation to the rest of the network.
      • The Honeypot can reside next to production systems so that it is scanned during sweeps, or ports can be redirected from production systems to the Honeypot.

Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl

Intrusion Deception— Passing Recon
  • Honeynet Project
    • Uses actual default installations of actively exploited operating systems and services.
      • Nothing is emulated, so the host's response to reconnaissance methods will be accurate.
      • Data Capture (logging), Data Control (firewalling), and Intrusion Detection (alerting) are performed by other HARDENED hosts on the network.
      • No production hosts on the network, to eliminate data pollution. All traffic is suspect and is logged in full tcpdump format.

Honeynet Design – Generation I

Honeynet Design – Generation II
  • The Honeynet Sensor
    • Data Control: limits outbound connections (hogwash or iptables), allowing Blackhats to obtain their tools but not attack other systems.
    • Data Capture: IDS (snort) logs all traffic and provides the alert mechanism.
    • Deception:
      • No IP stack.
      • No TTL decrementing.
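The Data Control idea on this slide (let the intruder fetch tools, but cap what the honeypot can do outbound) is shown below in Python as an added example; it is not the Honeynet Project's rc.firewall nor code from the presentation. The connection-event lines, their format, and the per-hour budgets are constructed assumptions for the example, not Honeynet Project values.

```python
"""Outbound connection limiting for a honeynet sensor (added example).

Every new outbound flow from a honeypot is counted per (honeypot, protocol,
hour). Flows inside the budget are allowed; once the budget is exceeded the
remaining flows in that bucket are blocked and one alert is raised, mirroring a
firewall that drops new outbound connections while the IDS alerts the analyst.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample of connection-tracking events as a sensor might log them:
# "<ISO timestamp> <src_ip> <dst_ip> <proto> <dst_port>"  (assumed format)
SAMPLE_LOG = """\
2002-05-08T10:00:01 10.1.1.50 192.0.2.7 tcp 80
2002-05-08T10:00:05 10.1.1.50 192.0.2.7 tcp 80
2002-05-08T10:01:10 10.1.1.50 192.0.2.9 tcp 21
2002-05-08T10:02:00 10.1.1.50 198.51.100.4 tcp 22
2002-05-08T10:02:01 10.1.1.50 198.51.100.5 tcp 22
2002-05-08T10:02:02 10.1.1.50 198.51.100.6 tcp 22
2002-05-08T10:02:03 10.1.1.50 198.51.100.7 tcp 22
2002-05-08T10:02:04 10.1.1.50 198.51.100.8 tcp 22
2002-05-08T10:02:05 10.1.1.50 198.51.100.9 tcp 22
2002-05-08T10:02:06 10.1.1.50 198.51.100.10 tcp 22
2002-05-08T10:02:07 10.1.1.50 198.51.100.11 tcp 22
2002-05-08T10:02:08 10.1.1.50 198.51.100.12 tcp 22
2002-05-08T11:30:00 10.1.1.51 192.0.2.7 udp 53
"""

# Addresses of the honeypots behind the sensor (constructed).
HONEYPOTS = {"10.1.1.50", "10.1.1.51"}

# Assumed per-honeypot, per-protocol, per-hour outbound connection budgets.
LIMITS = {"tcp": 10, "udp": 20, "icmp": 50}


def parse_line(line):
    """Turn one log line into a dict; raises ValueError on malformed input."""
    ts, src, dst, proto, port = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "port": int(port)}


def apply_data_control(log_text, honeypots=HONEYPOTS, limits=LIMITS):
    """Return (allowed, blocked, alerts) for the flows in log_text."""
    counters = defaultdict(int)
    allowed, blocked, alerts = [], [], []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["src"] not in honeypots:
            continue  # only flows originating at a honeypot are outbound
        hour = ev["ts"].replace(minute=0, second=0, microsecond=0)
        bucket = (ev["src"], ev["proto"], hour)
        counters[bucket] += 1
        budget = limits.get(ev["proto"], 0)  # unknown protocols get no budget
        if counters[bucket] <= budget:
            allowed.append(ev)
        else:
            blocked.append(ev)
            if counters[bucket] == budget + 1:  # alert once per bucket
                alerts.append(f"{ev['src']} exceeded {ev['proto']} budget "
                              f"at {hour:%Y-%m-%d %H:00}")
    return allowed, blocked, alerts


if __name__ == "__main__":
    ok, dropped, warnings = apply_data_control(SAMPLE_LOG)
    print(f"allowed={len(ok)} blocked={len(dropped)}")
    for w in warnings:
        print("ALERT:", w)
```

The budget is deliberately generous enough that tool downloads (the first few flows) succeed, while the burst of SSH connections to fresh hosts that follows is what gets cut off and alerted on.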

Intrusion Deception— Passing Recon
  • Virtual Honeynets
    • VMware: GuestOS (Honeypot) virtual machine inside the HostOS
      • The GuestOS is caged by denying it access to the HostOS filesystem.
      • Host-only networking forces the GuestOS to reach the network through the HostOS, allowing firewalling and intrusion detection there.
      • The Honeynet Project utilizes a Red Hat default installation running inside a hardened Red Hat installation.
      • NMAP's TCP fingerprinting returned an unknown OS.
      • Running a mock e-commerce site.

Intrusion Deception— Passing Recon

Open source Honeypots

  • Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run simulated TCP services or proxy the service to another machine. The TCP/IP personality (OS Fingerprints) can be adapted so that they appear to be running certain versions of operating systems.
  • Arpd enables a single host to claim all unassigned addresses on a LAN by answering any ARP request for an IP address with the MAC address of the machine running arpd.
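To make the honeyd template model on this slide concrete, here is an added Python parser and linter for the subset of honeyd configuration syntax used to build virtual hosts (`create`, `set ... personality`, `set ... default <proto> action`, `set ... uptime`, `add ... port`, `bind`). It is example code written for this page, not part of honeyd or arpd; the sample configuration, its addresses and script names are constructed, and the lint rules are the author's suggestions for what an operator would want checked before arpd starts answering for those addresses.

```python
"""Parse and sanity-check a honeyd configuration (added example)."""
import re

# Constructed sample honeyd.conf: two templates bound to three addresses.
SAMPLE_CONFIG = """\
# constructed sample honeyd.conf
create web
set web personality "Linux 2.4.7 (X86)"
set web default tcp action reset
set web default udp action reset
set web uptime 1728650
add web tcp port 80 "sh scripts/web.sh"
add web tcp port 22 proxy 10.1.1.2:22

create router
set router personality "Cisco IOS 11.3 - 12.0(11)"
set router default tcp action reset
add router tcp port 23 "perl scripts/router-telnet.pl"

bind 10.1.1.201 web
bind 10.1.1.202 web
bind 10.1.1.1 router
"""


class Template:
    """One honeyd template: the personality and services a virtual host shows."""

    def __init__(self, name):
        self.name = name
        self.personality = None   # nmap fingerprint name presented to scanners
        self.defaults = {}        # proto -> action for unlisted ports
        self.ports = {}           # (proto, port) -> handler (script or proxy)
        self.uptime = None


def parse_honeyd(text):
    """Return ({template_name: Template}, {ip: template_name})."""
    templates, bindings = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments (assumes no '#' in strings)
        if not line:
            continue
        words = line.split()
        cmd = words[0]
        if cmd == "create":
            templates[words[1]] = Template(words[1])
        elif cmd == "set":
            tpl = templates[words[1]]          # KeyError if the template was never created
            if words[2] == "personality":
                tpl.personality = re.search(r'"([^"]*)"', line).group(1)
            elif words[2] == "default":        # set T default <proto> action <action>
                tpl.defaults[words[3]] = words[5]
            elif words[2] == "uptime":
                tpl.uptime = int(words[3])
        elif cmd == "add":                     # add T <proto> port <n> <handler...>
            tpl = templates[words[1]]
            proto, port = words[2], int(words[4])
            tpl.ports[(proto, port)] = line.split(None, 5)[5]
        elif cmd == "bind":                    # bind <ip> T
            bindings[words[1]] = templates[words[2]].name
        else:
            raise ValueError(f"line {lineno}: unsupported directive {cmd!r}")
    return templates, bindings


def lint(templates, bindings):
    """Warnings an operator would want to see before deploying the config."""
    problems = []
    bound = set(bindings.values())
    for name, t in templates.items():
        if t.personality is None:
            problems.append(f"template {name} has no personality; OS fingerprinting will not be fooled")
        if not t.ports:
            problems.append(f"template {name} exposes no services; it will look like an empty host")
        if name not in bound:
            problems.append(f"template {name} is never bound to an address")
    return problems


if __name__ == "__main__":
    tpls, binds = parse_honeyd(SAMPLE_CONFIG)
    for ip, name in binds.items():
        print(ip, "->", name, tpls[name].personality, sorted(tpls[name].ports))
    print("lint:", lint(tpls, binds) or "clean")
```

The lint step is the point of the exercise: a template without a personality or without services is exactly the kind of honeypot that fails the reconnaissance test described on the earlier slides.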

Honeyd / Arpd Configuration

Intrusion Deception— Passing Recon
  • Commercial Honeypots
    • Mantrap from Recourse Technologies (requires Solaris)
      • Ability to create up to 4 sub-systems (cages), each running Solaris, by utilizing separate interfaces (each host will have a unique MAC address).
      • You can run virtually any application that doesn't interact with the kernel within the 4 chrooted cages.
      • The Content Generation Module can be used to create realistic data.

Mantrap Configuration

Mantrap Configuration

Intrusion Deception— Passing Recon
  • Commercial Honeypots
    • Specter (requires Windows NT)
      • Specter can emulate one of 13 different operating systems. As of version 6.02 the IP stack is not emulated, so IP fingerprinting tools are not fooled. (A Stealth Plugin is currently under development using raw socket support on XP.)
      • Specter honeypots offer 14 fully (100%) emulated services such as SMTP, FTP, Telnet, Finger, POP3, IMAP4, HTTP, and SSH.
      • Custom fake password files and custom HTTP content.

Specter Configuration

Intrusion Deception— Passing Recon
  • Commercial Honeypots
    • Netfacade from Verizon (requires Solaris)
      • Can simulate up to an entire class C network, although all hosts will have the same MAC address.
      • Simulates 8 different operating systems, properly fooling TCP fingerprinting methods.
      • Simulates 13 different vulnerable services such as FTP (wu-2.4.2-academ[BETA-12](1), System V Release 4.0, and SunOS 4.1 versions), SSH (SSH Communications Security Ltd.'s 1.2.26 and 2.0.9 versions), etc.
      • Automatically generates hostnames, user accounts, operating systems and running services for simulated hosts through a web interface.

Intrusion Deception— Changing with the times
  • Blackhat techniques have become more sophisticated.
    • Using kernel module rootkits (adore, kis)
      • Process hiding
      • Keystroke logging
      • Covert communication channels
    • Polymorphic shellcode (ADMutate)
    • Fragroute (IDS Evasion)
  • Honeynet Project
    • Patching the kernel directly
      • Keystroke logging, allowing us to capture outbound traffic that is encrypted on the wire (ssh)
      • Logging via covert communication channels rather than remote syslog
      • Snort-stable, enabling the appropriate preprocessors and logging all traffic (not just TCP/UDP/ICMP)

Intrusion Deception— Honeynet Alliance
  • Research Alliance Honeynets
    • Freedom for organizations to create their own honeynets and participate in a virtual community.
      • Standardized Capture and Logging formats
      • Events can be forwarded to a common database
      • Shared Research and Analysis
    • Research Alliance Honeynets exist within advertised environments alongside production systems.
      • The hope is to attract targeted and more sophisticated attacks.

Intrusion Deception— More Information
  • http://project.honeynet.org
      • Whitepapers
      • Forensic Challenge
      • Scan of the month
      • Research Alliance
      • Know your Enemy book
  • kkuehl@cisco.com
