Softpanorama
(slightly skeptical) Open Source Software Educational Society

Honeypots and Other Deception-based Security Tools


One of the principles of crime prevention is that you try to increase the perceived risk to illegitimate users while decreasing the perceived risk to legitimate users. This is a kind of entrapment, and in intrusion detection it is most often practiced via honeypots. Honeypots are a highly recommended security tool for several reasons.

First of all, a honeypot changes the dynamics of the attack in favor of the defender. The intruder must attempt the intrusion before being able to discover whether the target is a vulnerable server or a trap. Thus we increase the perceived risk, and hopefully the intruder tries his skills somewhere else.

The simplest form of honeypot is the so-called honeyport: an IP interface connected to Snort or another network IDS that has no other legitimate purpose. Since nothing legitimate should ever talk to it, scans detected on this interface (or better, on several of them) can be correlated with scans of the actual servers.

One of the earliest honeypots was the Deception Toolkit (DTK). It presents a system that appears to have well-known vulnerabilities (e.g., an old Sendmail). The system does not actually have these vulnerabilities, but the attacker cannot discover this from an 'innocent scan'; they must actually attempt to exercise the vulnerability, which is exactly the action that gets logged.

root6 (root6@home.com)
Fri, 1 Jan 1999 18:56:08 -0800


A quick note to say that Deception Toolkit (DTK) is now running on my SCO Open Server 5.0.2 and 5.0.4 machines with Perl5.0004_4, thanks to the generous (and patient) assistance of the author, Dr. Fred Cohen, who states that future releases will include SCO support.

This DTK is remarkable. Within three hours of successful installation, I was able to interdict a vexatious (and persistent) little ankle-biter who has been troubling me for weeks.

Installation on SCO entailed generating a socket.ph.SCO file on the basis of socket.h, and editing Configure to reflect SCO as an option. After that, it was a snap.

A word of thanks is due Dr. Cohen for making this valuable tool freely available. Check it out, at http://all.net/dtk/dtk.html

Another classic form of deception is the Trojan horse, used defensively. A fake su, for example, can be a useful Trojan horse: it trips an alarm when an intruder tries it. A fake chmod is another, but it can break some scripts.

Honeypots/honeynets started years ago as a deception toolkit and have since morphed into a tar pit and a weapon that has attracted the attention of some three-letter government agencies. The idea of a system that exists only to see if someone is breaking into your network solves a lot of complex IDS-related problems. It can be a set of virtual systems (a honeynet); Solaris is well suited for this purpose, as zones are adequate for creating a honeypot. It can be used as a tool to study the behavior of the "strange" packets that hit it, over time or at a single point in time, and as a cousin to the usual intrusion detection systems already in place.

Among the layers of complexity are some interesting technical areas. The basic tenet is to have a system which gets broken into in order to observe the cracker. Easy enough, except how do you know when someone has breached the wall? Either by watching the system all the time, which is impractical, or by logging everything, which is fine unless you want to know when someone has just shown up. Alerting features are clearly required. This means more than just an email: reliability, proper content and the ability to prioritize are important considerations for a meaningful alert system.
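The honeyport idea above (a listener nobody legitimate should touch, correlated against scans of real servers) and the alerting requirement (reliable, prioritized, not just a flood of emails) can be combined in a small correlator. This is an added example, not code from Softpanorama or from any tool named on this page; the hosts, ports and window length are constructed sample values.

```python
"""Honeyport event correlation: turns raw connection events into prioritized
alerts. A single touch on a decoy port is low priority, the same source
probing several decoy ports is medium, a source that hits both decoys and
real servers is high, and repeated alerts at the same level from the same
source are suppressed inside the window so the alert channel stays useful.
Addresses, hostnames and ports are constructed sample values."""
from collections import defaultdict
from dataclasses import dataclass, field

WINDOW = 60.0                            # correlation window in seconds (assumed)

@dataclass
class Event:
    ts: float
    src: str
    dst: str
    dport: int
    decoy: bool                          # True if dst is a honeyport listener

@dataclass
class Alert:
    ts: float
    src: str
    priority: str                        # "low", "medium" or "high"
    reason: str
    ports: list = field(default_factory=list)

class Correlator:
    def __init__(self, window=WINDOW):
        self.window = window
        self.history = defaultdict(list)  # src -> recent events
        self.last_alert = {}              # (src, priority) -> ts of last alert

    def observe(self, ev):
        """Record one connection; return an Alert or None."""
        hist = self.history[ev.src]
        hist.append(ev)
        # keep only events inside the correlation window
        hist = [e for e in hist if ev.ts - e.ts <= self.window]
        self.history[ev.src] = hist
        if not any(e.decoy for e in hist):
            return None                   # real-server traffic alone is not evidence
        decoy_ports = sorted({e.dport for e in hist if e.decoy})
        real_hosts = sorted({e.dst for e in hist if not e.decoy})
        if real_hosts:
            pri = "high"
            why = f"decoy ports {decoy_ports} and real hosts {real_hosts} probed"
        elif len(decoy_ports) > 1:
            pri, why = "medium", f"multiple decoy ports probed: {decoy_ports}"
        else:
            pri, why = "low", f"single decoy port {decoy_ports} contacted"
        key = (ev.src, pri)
        if ev.ts - self.last_alert.get(key, -1e9) < self.window:
            return None                   # same source, same level: suppress duplicate
        self.last_alert[key] = ev.ts
        return Alert(ev.ts, ev.src, pri, why, decoy_ports)
```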


Old News ;-)

[Jul 27, 2007] freshmeat.net Project details for MITRE Honeyclient Project

A 'honeypot' is designed to detect server-side attacks. In contrast, a 'honeyclient' is designed to detect client-side attacks. Specifically, a honeyclient is a dedicated host that drives specially instrumented applications to access remote servers to see if those servers are behaving in a malicious manner (by compromising the client). Honeyclients can proactively detect exploits against client applications without known signatures. This framework uses a client-server model with SOAP messaging as the primary communication method, and uses the free version of VMware Server as a means of virtualizing the client environment.

Release focus: Initial freshmeat announcement

[Dec 20, 2006] Kojoney A honeypot that emulates an SSH server.

[Sep 30, 2006] [PPT] Honeypot Forensics

[Sep 30, 2006] [PDF] An Investigation of a Compromised Host on a Honeynet Being Used to ...

[Sep 30, 2006] [PDF] Modelling the costs and benefits of Honeynets

[Jun 5, 2006] [PDF] Centralized Surveillance of Unused Address Space by using Virtual ...

[Mar 20, 2000] Feature: Building a Honeypot by Lance Spitzner

[Mar 07, 2001] CNN.com - Technology - 'Decoy nets' gain backers in battle against hackers - By Ellen Messmer

(IDG) -- As hackers obtain ever more dangerous and easy-to-use tools, they are being countered by novel defense strategies. Witness the experimental idea of setting up a decoy network separate from your real one to fool intruders as they try to fool you.

This so-called "deception" network is envisioned as more than just a single server set up to be a "honeypot," where hackers may break in, find a dead end and have their activities recorded with an eye toward prosecution. Rather, the decoy net is an entire fake network, complete with host computers on a LAN with simulated traffic, to convince hackers for as long as possible that it's real.

Experts debate whether such nets will be worth the effort, but agree they can be a way to slow hackers long enough to sort the curious from the truly destructive.

A group calling itself The Honeynet Project has quietly begun testing decoy networks on the Internet and soon plans to publish a paper on how to build one.


According to Ed Skoudis, chief security strategist at Predictive Systems, the idea is the brainchild of Sun security consultant Lance Spitzner. "We set up honeypots to watch hacker activity," says Skoudis, who participates in the invitation-only group and spoke about new hacker tools and defenses at last week's InfoSec show.

The Honeynet Project is not intended to prosecute intruders who haplessly wander into their elaborate decoys, but to study hacker responses in depth in order to devise the best decoy defenses. There are only a few commercial honeypot-style products on the market, including Network Associates' CyberCop Sting and Recourse Technologies' ManTrap.

Other decoy networks do slow intruders with an eye toward collecting evidence to prosecute them, says Rusty Miller, an executive at Veridian Information Systems.

"To collect evidence, you need to divert the hacker to a deception network," says Miller, who claims to have built deception networks for secretive government agencies. He says the idea is to feed back information about what hackers do to a kind of "deception central" for network administrators. "The time the hackers are dealing with a deception environment is time they're not in your network," he says.

It is possible to create a deception network that has the same IP network address as your real network, Miller says. He acknowledges deception nets carry obvious administrative burdens, such as the need to generate realistic traffic to fool a hacker and maintain a network no one really uses. He notes the risk that administrators will lose track of what's real and what's not.

These deception techniques have doubters. Steve Manzuik, security analyst at BindView, appreciates the work being done by The Honeynet Project and would like to contribute, but he remains skeptical.

"It's not clear yet you can fool a lot of people with this deterrent," he says.

Meanwhile, hackers continue to learn new tricks.

The past year has seen the emergence of a new breed of distributed port scanners and sniffers that make it easier for attackers to hide their intent, Skoudis says.

There's now a kernel-level root-kit for Linux, called Knark, which when installed by hackers changes the operating system to hide files and present false information to administrators. And another new one, called Dsniff, can be used to capture traffic on Ethernet switches and inject traffic into a network to direct traffic to itself, known as the man-in-the-middle attack.

"It's pretty nasty stuff," Skoudis says. "For very sensitive networks, you may want to activate port-level security on your switches."

Many tools that let hackers carry out surveillance are now Web-based, according to David Rhoades, director of systems engineering at AppGate, who also spoke at the conference. "Why Web-based? It's easy. No complicated downloads or zip files. They can hack from anywhere, and it's anonymous."

While a talented few among hackers actually make attack tools, many of these tools today are freeware.

And they're posted on dozens of techie sites, not the secret underground.

BindView security analyst Manzuik says his firm late last year developed a tool to test for the so-called Naptha denial-of-service attack affecting at least seven major operating systems.

The tool, which involves launching an attack to determine operating system weakness, was given solely to vendors but somehow ended up posted on the Packetstorm site in its depository for tools.

In the wrong hands "this tool is dangerous," Manzuik says. "But that version isn't as dangerous as other versions that will be released."


Recommended Links


Honeypot (computing) - Wikipedia, the free encyclopedia

Niels Provos. A Virtual Honeypot Framework. In Proceedings of the 13th USENIX Security Symposium, August 2004.

Monitoring VMware Honeypots

HoneyNet Project


Articles

[Apr 07, 2003] Honeypots The next intrusion detection solution ZDNet Australia News Security By Lance Spitzner

In this special report for ZDNet Australia Lance Spitzner, the founder of the Honeynet Project, explains why honeypot technologies are becoming a commercially relevant and acceptable intrusion detection methodology.

Detection systems identify and alert on unauthorised activity, and are a critical element of security.

Detection is critical for two reasons. First, if you can detect an event before it happens, you can prevent damage from occurring. For example, if you detect an employee looking at company files they shouldn’t be, it may be possible to stop them before they can do any damage. Second, if a compromise does occur, the sooner you detect and respond to the compromise, the better you can minimise the damage. For example, if an attacker breaks into a company's mail-server, the damage that is done depends on how soon the attack is detected.

If it takes weeks or even months for a compromise to be detected, an attacker will have had unlimited access to the target company's communications for an extended period of time, which could be devastating.

If the attack was immediately detected, the attacker could be removed from the system, and the mail-server rebuilt in a more secure manner. Early and successful detection can prevent or mitigate the compromise of data and resources.

The next challenge becomes: How do you successfully detect a compromise? The most common method has been Network Intrusion Detection Systems, otherwise known as NIDS. This technology works by monitoring network traffic. When it identifies anything it considers an attack, it generates an alert, notifying the administration. The trick is defining and identifying what an attack is. Different NIDS use different technologies, such as signatures, rules based, or anomaly detection. Each technology has its own advantages and disadvantages, but they all share some common problems.

  • Data Overload: These solutions tend to generate an extremely large volume of alerts. This volume makes it time consuming, resource intensive, and costly to analyse and review all the alerts the NIDS generate. For example, I know of organisations with over 100,000 alerts a day.
  • False Positives: Many of these alerts are false alerts. The NIDS thought it saw an attack, but was wrong. You can quickly have a situation where the 'little boy cried wolf'. If your technologies are repeatedly generating false positives, administrators begin to ignore the technology.
  • False Negatives: It can be difficult for some NIDS technologies to discover or identify unknown attacks or behaviour. This leaves organisations vulnerable to new attacks.
  • Resources: NIDS require resource intensive hardware to keep up with an organisation's activity and traffic. The faster your network and the more data you have, the bigger your NIDS will have to be to keep up.
  • Encryption: More and more organisations are moving to encryption, so all of the data is encrypted. This is due to security issues, regulation, and the fact that encryption technologies are more widely available (SSH, SSL, IPSec). However, these same technologies blind the NIDS so they can no longer monitor the network traffic.

There is a new technology that can address many of these issues in detection: honeypots. Honeypots are a relatively new security technology and are unique for two reasons. First, they work by having the bad guy actually interact with them. Second, honeypots are not a solution; they do not fix a specific problem. Instead, they are a highly flexible tool with multiple applications for security, from preventing attacks, to detecting unauthorised activity, to gathering intelligence on black-hat (bad-guy) hackers. One of the best applications of honeypots is detection because they address many of the problems associated with traditional detection.

The concept of honeypots is simple. They are a resource that has no authorised activity and no production value. This means that any interaction with a honeypot is most likely malicious or unauthorised. Any connections sent to the honeypot are most likely a probe, scan or attack. Honeypots can work in many different ways and come in many shapes and sizes. They can be a simple program that emulates different services, detecting any connections to it, such as Specter. A more advanced honeypot, such as Honeyd, can monitor all of your unused IP space with attackers interacting with virtual honeypots.

Honeypots can also be as advanced as entire networks of real systems waiting to be compromised, such as Honeynets (groups of networked honeypots) or ManTrap. Which honeypot is best for you depends on what you want to achieve. For detection, simple honeypots that emulate systems and services, such as Specter and Honeyd, are the best for detection.

These simple honeypots can have tremendous advantages for detection. While honeypots should never replace NIDS, their advantages make them a powerful tool to address the problems of NIDS. Advantages of honeypots include:

  • Small Data Sets: Honeypots only collect data when someone or something is interacting with them. Organisations that may log thousands of alerts a day may only log a hundred alerts with honeypots. This makes the data honeypots collect much easier to manage and analyse.
  • Reduced False Positives: Honeypots dramatically reduce false positives. Any activity with honeypots is by definition unauthorised, making it extremely effective at detecting attacks.
  • Catching False Negatives: Honeypots can easily identify and capture new attacks against them. Any activity with the honeypot is an anomaly, making new or unseen attacks easily stand out.
  • Minimal Resources: Honeypots require minimal resources, even on the largest of networks. A simple Pentium computer can monitor literally millions of IP addresses.
  • Encryption: It does not matter if an attack is encrypted, the honeypot will capture the activity.

It is because of these advantages that honeypots make a simple and cost effective technology for detection, so while they do not replace any existing solutions, they can definitely help organisations with detection.

Lance Spitzner

To Build a Honeypot - 7 June, 2000

Under fire!

The Turing Test Is Not A Trick: Turing Indistinguishability Is A Scientific Criterion

Deception Toolkit

Anecdotes

Art of Deception Government Corruption, Covert

[Aug 12, 1999] 'Decoy' Tracks, Traps Attackers

Blocking attacks on their networks is no longer enough for IT managers. Now, they want to track and even apprehend intruders.

To that end, a new security company called Recourse Technologies Inc. will unveil software next week that will give IT managers the ability to contain and actually take control of malicious activities being carried out by hackers.

Working in conjunction with a company's firewall, Recourse's ManTrap software directs hackers that have obtained unauthorized network access to a decoy system. Once the intruder is trapped inside the decoy, security managers can monitor hacking activity and gather data for prosecution.

The concept of decoy systems or "honey-pots," which entice hackers by appearing to be legitimate systems with valuable information, is gaining momentum as attacks increase, industry experts said.

The increase in companies opening their networks to users and partners, moreover, is driving the need for such new tools.

To date "there aren't many [commercial decoy] tools, so organizations are forced to create their own capabilities," said Peter Stephenson, director of technology for Enterprise Networking Solutions' global security division. As more companies look for ways to gather data on suspicious activity, decoy systems will become more important, said Stephenson, an expert in computer forensics.

Network Associates Inc. announced a similar product in April with CyberCop Sting. However, with no user feedback yet, the system is unproven.

ManTrap has been tested, at least in its early development stage. The software was developed at Exodus Communications, a provider of IT outsourcing services, where it was used as a spoof box for redirecting suspicious activity picked up by the firewall, said Frank Huerta, Recourse's president and CEO. Huerta, a former product manager at Exodus, and Michael Lyle, another former Exodus employee, decided to package the software and bring it to market.

Even in its early version, the spoof box was able to track and trap an intruder who hacked his way into one of Exodus' Linux systems, said Leroy Lacy, director of risk management and security at Exodus.

"He probably had root access on 2,000 [different] systems across the Internet," Lacy said.

Even though the spoof box allowed Exodus to track and shut down the intruder, the box "was fairly labor-intensive," Lacy said. "You had to do a lot of work to populate the box, so it would look like something that you weren't supposed to have access to."

ManTrap, however, has more automated functions so users can customize the decoy system to fit their needs, said Lacy, who is beta testing the software.

Once ManTrap is installed on a server, it automatically creates false data sets, said Huerta. But a security manager can input names of company executives and other information to give the server the look and feel of your business, said Fred Kost, vice president of product marketing at Recourse.

ManTrap will be available in September at a cost of $3,495 per server.


Tools

Shawn F. Mckay, Dummy "su" program
Abstract: This program is intended to help an intruder who does not know the system (many work from "cheat sheets") to trip alarms so the rightful sysadmin folks can charge to the rescue.

File size: 3708 bytes

Wietse Venema, Eindhoven University of Technology, fake-rshd
Abstract: Echo the specified arguments to the remote system after satisfying a minimal subset of the rshd protocol. Works with the TCP Wrapper to send an arbitrary message back to someone trying to make an rsh/rlogin connection.

File size: 2866 bytes

Lionel Cons, Rsucker
Abstract: A Perl script that acts as a fake r* daemon and logs the attempt to syslog. Byte sucker for r* commands.
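The fake-rshd and Rsucker entries above both work by satisfying just enough of the r* protocol to learn who is knocking, logging the attempt, and sending back a canned refusal. The following is an added example of that front end, not fake-rshd's or Rsucker's own code; it assumes the BSD rshd wire format (stderr port as ASCII digits, then local user, remote user and command, each NUL-terminated; a refusal is a 0x01 byte followed by a message line), and the peer addresses and handshake bytes are constructed.

```python
"""Minimal fake rshd front end: parse the rsh handshake, answer with a
refusal, and produce a log record that an attacker cannot use to forge
extra log lines. Wire format assumed from the BSD rshd protocol; sample
inputs are constructed."""
import re

MAX_REQUEST = 4096        # refuse absurdly large handshakes before parsing

def parse_rsh_request(data):
    """Return dict(stderr_port, local_user, remote_user, command) or None
    when the handshake is malformed or incomplete."""
    if len(data) > MAX_REQUEST or data.count(b"\0") < 4:
        return None
    port, luser, ruser, cmd = data.split(b"\0", 4)[:4]
    # stderr port is decimal digits; 0 means the client wants no stderr channel
    if not re.fullmatch(rb"\d{1,5}", port) or int(port) > 65535:
        return None
    return {
        "stderr_port": int(port),
        "local_user": luser.decode("ascii", "replace"),
        "remote_user": ruser.decode("ascii", "replace"),
        "command": cmd.decode("ascii", "replace"),
    }

def refusal_reply(message):
    """rshd signals failure with a 0x01 byte and a newline-terminated text."""
    return b"\x01" + message.encode("ascii", "replace") + b"\n"

def _clean(s):
    """Escape anything outside printable ASCII so untrusted fields cannot
    inject newlines or terminal control sequences into the log."""
    return re.sub(r"[^\x20-\x7e]", lambda m: "\\x%02x" % ord(m.group()), s)

def attempt_record(peer, req):
    """One syslog-style line describing the attempt."""
    if req is None:
        return f"fake-rshd: malformed rsh request from {peer}"
    return (f"fake-rshd: rsh attempt from {peer} "
            f"as {_clean(req['local_user'])}->{_clean(req['remote_user'])} "
            f"cmd=\"{_clean(req['command'])}\"")

def handle(peer, data, message="Your connection attempt has been logged."):
    """Process one handshake: returns (bytes to send back, log record)."""
    req = parse_rsh_request(data)
    return refusal_reply(message), attempt_record(peer, req)
```

In a real deployment the bytes come from the accepted socket (for example under inetd or tcpd, as fake-rshd is run) and the record goes to syslog.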

Etc

FakeBO 0.1.6 FakeBO fakes Back Orifice server responses and logs every attempt to a logfile or stdout. It is able to send fake pings and replies back to the client trying to access your system.

This release adds a flexible routine for config file parsing, time and date logging, buffered logging and silent mode.

Vlatko Kosturjak, KoSt @ 12/23/98 - 13:00 EST

Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Created: May 16, 1997; Last modified: August 15, 2009