2009.07.21

Who is Hacking Me?

This article is not available in English.

(Check out the traditional Chinese and simplified Chinese versions!)


1. Who is it
2. What is a honeypot
3. Setting a honeypot
4. Retaliation
5. Honeypot logs
6. Improving further
7. Summary

===

1. Who is it

We are under attack all the time. How do we find out who is behind it?

This article will not reveal the answer immediately, but will guide you towards a possible solution. If you are new to the concept of a honeypot, this will be an interesting read.

2. What is a honeypot

A honeypot is a fully functional operating system whose sole purpose is to be hacked; it holds nothing of real value. It is basically the same as a normal computer, and could be Windows, Linux, etc. Through the compromised computer we can monitor the attacker’s motives and actions. By logging these actions and relating them to other identifiable information, such as the IP address, we hope to trace the attacker’s identity. By definition a honeypot should receive no legitimate traffic, so any traffic to it is considered malicious in nature. This relieves us of the effort of sifting through genuine benign connections to look for attackers.

Honeypots generally fall into two categories, but can be a mix or of other kinds:
1. High Interaction Honeypot
2. Low Interaction Honeypot

High interaction honeypot – This kind of honeypot resembles a real computer and can be used as one. It is designed to be controlled by the attacker, but with every action inside it logged. Because it is a real computer, the attacker can launch any sort of illegal activity and attack from it, which means innocent people can be affected. Hence Data Control must be deployed to stop this malicious traffic from leaving, for example by means of a Honeywall. There is therefore a risk in running a high interaction honeypot. Moreover, each one takes a complete physical or virtual machine, and so is quite resource-intensive compared to a low interaction honeypot. This article will not describe how to set up a high interaction honeypot.

Low interaction honeypot – This kind of honeypot is a piece of software that partially emulates a vulnerability, just enough to fool automated programs or unskilled attackers into believing it is a real system. Because it is not a fully functional service and only reads the incoming data, ending the connection once the attack vector has been collected, the danger associated with a high interaction honeypot is far smaller. The main difference is that it is not a real vulnerability, so the attack should fail.

This article will describe how to set up a low interaction honeypot (Nepenthes) on Linux (Ubuntu 9.04). Ubuntu (or Debian) is chosen because it is easier to deploy on.

3. Setting a honeypot

We will use Nepenthes as our low interaction honeypot. The concept of Nepenthes is to emulate vulnerabilities well enough to fool automated attacks and unskilled attackers. From their attack vectors and payloads, we might be able to capture techniques and malware not yet seen in public. Because it only emulates a vulnerability, it only logs the connections and is therefore much safer. Moreover, even if it is attacked, the emulated vulnerabilities are Windows ones, so the Linux host is unaffected. It is also capable of capturing malware for analysis, allowing you to investigate previously unseen samples.

Ubuntu/Debian users may use this command (it needs root privileges, hence sudo):

$ sudo apt-get install nepenthes

Or download the source code from the official website:

http://nepenthes.carnivore.it/

4. Retaliation

$ nepenthes

You are good to go!

If you need more information, modify /etc/nepenthes/nepenthes.conf accordingly.

// logging
    "logattack.so",                 "log-attack.conf",              ""
    "logdownload.so",               "log-download.conf",            ""
//  "logirc.so",                    "log-irc.conf",                 ""  // needs configuration
//  "logprelude.so",                "log-prelude.conf",             ""
    "loghexdump.so"                 ""                  ""

Uncomment logattack.so and logdownload.so. You may experiment with the config file further.

5. Honeypot logs

If you are lucky, you should find entries in /var/log/nepenthes.log shortly. If there are none, please wait patiently, and also check the external connectivity to your honeypot.

(The IP addresses have been modified to protect the IP logged.)


Socket|LUID=0x9b6b290|Start=1246711030.266579|Finish=1246711030.638501|Status=CONNECTED|Proto=TCP|Type=INCOMING|Local=192.168.1.4:135|Remote=xxx.96.245.148:61250|RX=2,1520,a87bbacd0cd1c84a5991ccc690492866|TX=3,532,dc9b4e2f264c732eb5b239b2bd3a23bd|Dumpfile=
Shellcode|LUID=0x9b6afd0|Start=1246711030.453659|Finish=1246711030.462127|Type=UNKNOWN|Emulation=SUCCESS|Handler=execute::createprocess|ISock=0x9b6b290|MD5=52e5dbe8fc84060525e965aa0c030f0c|Trigger=Generic Microsoft Windows DCOM
Download|LUID=0x9b6bcb8|Result=SUCCEEDED|Start=1246711030.461798|Finish=1246711185.861585|ISock=0x9b6b290|SSock=|MD5=5069160ffe5a229ed2ee1ddd8ca14df6|SHA512=ca50e009cad7f861759f85f8db74a684f6eee8f081bcdc255414ca898bbd7ef5c14c8a7bdd875201a51581ea484a49f4cceaf90ecef526c8bdda0d5ae94e24f5|Trigger=Download Initiated by Shell Command|URL=tftp://xxx.96.245.148/ssms.exe


This is an attack from xxx.96.245.148:61250 against the host 192.168.1.4:135 on my private network. The three records belong together: the Shellcode and Download records carry ISock=0x9b6b290, the LUID of the Socket record. The MD5 hash of the captured binary is 5069160ffe5a229ed2ee1ddd8ca14df6, which VirusTotal identifies as Net-Worm.Win32.Kolabc.gwr.
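As an added example (not part of the original article, and not Nepenthes code), the following Python script parses the three record types shown above, joins Shellcode and Download records to their originating Socket through ISock, and counts incoming connections per source IP. The sample log is constructed: the IP addresses are documentation addresses and the hashes are placeholders, not the values logged on this page.

```python
from collections import Counter, defaultdict

# Constructed sample in the record format shown above. IPs are documentation
# addresses and the hashes are placeholders, not the values from the article.
SAMPLE_LOG = """\
Socket|LUID=0x9b6b290|Start=1246711030.266579|Finish=1246711030.638501|Status=CONNECTED|Proto=TCP|Type=INCOMING|Local=192.168.1.4:135|Remote=198.51.100.7:61250|RX=2,1520,aaaa|TX=3,532,bbbb|Dumpfile=
Shellcode|LUID=0x9b6afd0|Start=1246711030.453659|Finish=1246711030.462127|Type=UNKNOWN|Emulation=SUCCESS|Handler=execute::createprocess|ISock=0x9b6b290|MD5=cccc|Trigger=Generic Microsoft Windows DCOM
Download|LUID=0x9b6bcb8|Result=SUCCEEDED|Start=1246711030.461798|Finish=1246711185.861585|ISock=0x9b6b290|SSock=|MD5=dddd|SHA512=eeee|Trigger=Download Initiated by Shell Command|URL=tftp://198.51.100.7/ssms.exe
Socket|LUID=0x9b6c100|Start=1246711200.1|Finish=1246711200.5|Status=CONNECTED|Proto=TCP|Type=INCOMING|Local=192.168.1.4:445|Remote=203.0.113.9:1033|RX=1,72,ffff|TX=0,0,|Dumpfile=
Socket|LUID=0x9b6c200|Start=1246711300.1|Finish=1246711300.5|Status=CONNECTED|Proto=TCP|Type=INCOMING|Local=192.168.1.4:135|Remote=198.51.100.7:61900|RX=1,64,gggg|TX=0,0,|Dumpfile=
"""

def parse_record(line):
    """Split 'Kind|key=val|...' into (kind, {key: val}); empty values stay ''."""
    kind, _, rest = line.strip().partition("|")
    fields = {}
    for item in rest.split("|"):
        key, _, value = item.partition("=")   # only the first '=' separates key and value
        fields[key] = value
    return kind, fields

def correlate(log_text):
    """Join Shellcode and Download records to their Socket via ISock == socket LUID."""
    attacks = defaultdict(lambda: {"local": None, "remote": None,
                                   "triggers": [], "downloads": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kind, f = parse_record(line)
        if kind == "Socket" and f.get("Type") == "INCOMING":
            attacks[f["LUID"]]["local"] = f.get("Local")
            attacks[f["LUID"]]["remote"] = f.get("Remote")
        elif kind == "Shellcode":
            attacks[f["ISock"]]["triggers"].append(f.get("Trigger"))
        elif kind == "Download":
            attacks[f["ISock"]]["downloads"].append(
                {"url": f.get("URL"), "md5": f.get("MD5"), "result": f.get("Result")})
    return dict(attacks)

def top_sources(attacks):
    """Count incoming connections per remote IP (port stripped): the 'who is it?' view."""
    ips = [a["remote"].rsplit(":", 1)[0] for a in attacks.values() if a["remote"]]
    return Counter(ips).most_common()

if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    for luid, a in result.items():
        print(luid, a["remote"], "->", a["local"], a["triggers"], a["downloads"])
    print(top_sources(result))
```

Run it against the real /var/log/nepenthes.log by reading the file into correlate(); sockets with no Shellcode or Download record are plain probes, while those with a download are the ones worth submitting to VirusTotal.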

6. Improving Further

We can use Nmap to scan our honeypot 192.168.1.4.

Here are the results of Nmap:

# Nmap 4.90RC1 scan initiated Sat Jul 11 01:39:09 2009 as: nmap -oN 192.168.1.4.sS.txt -v -sS 192.168.1.4
Host 192.168.1.4 is up (0.000011s latency).
Interesting ports on 192.168.1.4:
Not shown: 975 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
25/tcp    open  smtp
42/tcp    open  nameserver
80/tcp    open  http
110/tcp   open  pop3
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
143/tcp   open  imap
443/tcp   open  https
445/tcp   open  microsoft-ds
465/tcp   open  smtps
993/tcp   open  imaps
995/tcp   open  pop3s
1023/tcp  open  netvenuechat
1025/tcp  open  NFS-or-IIS
2103/tcp  open  zephyr-clt
2105/tcp  open  eklogin
2107/tcp  open  unknown
3372/tcp  open  msdtc
5000/tcp  open  upnp
5901/tcp  open  vnc-1
6129/tcp  open  unknown
10000/tcp open  snet-sensor-mgmt
10012/tcp open  unknown

Read data files from: /usr/local/share/nmap
# Nmap done at Sat Jul 11 01:39:09 2009 -- 1 IP address (1 host up) scanned in 0.17 seconds

To an averagely skilled attacker this looks very attractive, but at the same time too good to be true. It is simply full of holes, as if welcoming visitors. To improve the authenticity, consider exposing only some of the ports. For instance, go to /etc/nepenthes/nepenthes.conf and comment out some of the vulnerability modules:

// vulnerability modules

    "vulniis.so",                   "vuln-iis.conf",                ""
//  "vulnkuang2.so",                "vuln-kuang2.conf",             ""
    "vulnlsass.so",                 "vuln-lsass.conf",              ""

Interested individuals may add the -sV option to Nmap (send service probes to fingerprint the software and its version). You may find some interesting results!

7. Summary

We are under attack all the time, but we do not know who the attackers are. Through honeypots you may learn about the attacker’s motives, and make a first attempt to answer “Who is Hacking Me?”. We introduced a low interaction honeypot, Nepenthes, in this article, but it is only one of the many honeypots available. Through a high interaction honeypot you may learn even more about the attacker. Now you are no longer passive, but proactive, and can learn what is happening behind the scenes.

Author

“Log0” is a security researcher on honeypots, web application security and cybercrime. He writes security articles at http://onhacks.org .

===

Reference

Nepenthes – http://nepenthes.carnivore.it/

Niels Provos, Thorsten Holz – “Virtual Honeypots: From Botnet Tracking to Intrusion Detection”
