為甚麼檢測方法能檢測出蜜罐呢？

首先，問自己：

如何分辯人和電腦？

圖片文字 (CAPTCHA) 的答案是：讓目標去認出一些文字。若能認出，大概是人，否則就是電腦。其中的概念為電腦不能有效地認出圖篇中的文字。

抽像少許，我們要求目標去做一些人類能輕易做到的事，但電腦則不能。利用這點，若果過關了，就是人類，否則不是。

CAPTCHA 可以用來分辯電腦和人類。那麼怎樣分辯出真的服務和模擬服務？

同理，技術層面上，模擬服務和真的服務有不同之處，這不同之處正是用來區分兩者的要訣。利用這一點，就能分辯出兩者了。

以一個實際例子說明吧。有些人很喜歡問：

如何分析一段不在虛擬機運行的惡意代碼？我的 VMware 不行，難道要用實體機？

等等！但它會在 VirtualBox 裡運行！Eh?

去找一個 SdBot 。它們大多數有 能測出虛擬機 的能力，至使在虛擬機中不會運行。你在 VMware 裡頭試試下，是 VMware。之後，用 VirtualBox 再試試。不過，我已測過了，信我的結果的話，能可以省省時間看下去了。

所以，他們問錯問題了！應該問：

為甚麼 SdBot 能區分虛擬機和實體機？

它能夠做到是因為在技術性層面上，虛擬機和實體機有不同之處。這是和真的服務和虛擬服務同出一轍的。當我說的技術性層面的不同之處，就是說實現方法不同。

準確來說，SdBot 能在 VirtualBox 但不能在 VMware 裡運行意味著 SdBot 是能檢測 VMware，但並不是防所有虛擬機的。

看看：

• 同一個動作，VMware 可能會使用寄存器 (register) 但實體機不會。
• VMware 有一個 dhcpd 來分派 IP 給虛擬機，這是實體機大多數沒有的。
• 有些處理器命令 VMware 沒有支持。

和之前講述的一樣道理。

所以，所謂的不會在虛擬機運行的惡意代碼，正確來說是不在某種虛擬機下運行而已。在其他沒能檢測出的虛擬機 (VirtualBox, Xen, etc) 等就會運行了。當然，那檢測方法可能一次過能檢測出多種虛擬機。

總結就是，如果要在虛擬機下運行 SdBot 的話，你不用用實體機這麼麻煩，只要找出一個不被檢出的環境或關掉它的檢測方法就好了。這就是箇中道理了，這亦是如何檢測出其他蜜罐的概念。努力找蜜罐吧！

這是沒有用到服務分析的 (淨化了)：

# Nmap 4.90RC1 scan initiated Sat Jul 11 00:39:13 2009 as: nmap -oN result.sS.txt -v -sS <XXXXXX>

Host <xxxxxx> (aaa.bbb.ccc.ddd) is up (0.092s latency).
Interesting ports on <xxxxxx> (aaa.bbb.ccc.ddd):
Not shown: 550 filtered ports, 434 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
110/tcp  open  pop3
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
993/tcp  open  imaps
995/tcp  open  pop3s
1023/tcp open  netvenuechat
1025/tcp open  NFS-or-IIS
2103/tcp open  zephyr-clt
2105/tcp open  eklogin
2107/tcp open  unknown
3372/tcp open  msdtc
Read data files from: /usr/local/share/nmap
# Nmap done at Sat Jul 11 00:41:08 2009 — 1 IP address (1 host up) scanned in 114.52 seconds

以下為用到服務分析的：

# Nmap 4.90RC1 scan initiated Sat Jul 11 00:43:00 2009 as: nmap -oN result.sS.O.sV.txt -O -sV -v -sS <xxxxxx>
Increasing send delay for aaa.bbb.ccc.ddd from 0 to 5 due to 24 out of 79 dropped probes since last increase.
Initiating OS detection (try #1) against <xxxxxx> (aaa.bbb.ccc.ddd)
Retrying OS detection (try #2) against <xxxxxx> (aaa.bbb.ccc.ddd)
Host <xxxxxx> (aaa.bbb.ccc.ddd) is up (0.091s latency).
Interesting ports on <xxxxxx> (aaa.bbb.ccc.ddd):
Not shown: 550 filtered ports, 434 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Nepenthes HoneyTrap fake vulnerable ftpd
22/tcp   open  ssh           OpenSSH 5.1p1 Debian 5ubuntu1 (protocol 2.0)
25/tcp   open  smtp?
110/tcp  open  pop3?
139/tcp  open  netbios-ssn?
143/tcp  open  imap?
443/tcp  open  ssh           OpenSSH 5.1p1 Debian 5ubuntu1 (protocol 2.0)
465/tcp  open  smtps?
993/tcp  open  imaps?
995/tcp  open  pop3s?
1023/tcp open  netvenuechat?
1025/tcp open  NFS-or-IIS?
2103/tcp open  zephyr-clt?
2105/tcp open  eklogin?
2107/tcp open  unknown
3372/tcp open  msdtc?
4 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :

…
…

Read data files from: /usr/local/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done at Sat Jul 11 00:48:38 2009 — 1 IP address (1 host up) scanned in 338.94 seconds

Nmap 服務分析會去猜測服務的版本和背後的服務，它對這些半假半真的服務打了個問號，這是因為低互動性蜜罐只是模擬真實服務的一部分，就是說沒有模仿的基本部份會被 Nmap 認為是奇怪的部份，明明就像偏偏不是。若果你見到類似的分析，大概也能相信這是假的，甚至是蜜罐。這當然只是其中的一種方法，你還可以想想其他方法。

當然，這不是針只對 Nepenthes 的方法，他也有效的。下一篇將會講述如何檢測虛擬機、蜜罐以及如何對付不在虛擬機運行的惡意代碼。

Problem
Network managers always want to or are forced to control the information flowing around a network. Most of the time, filtering is a good way to do the control. Inside this big category, we always like to use block list to prevent information comes in or goes out, to and from the network.

Scenarios
Flora doesn’t want her daughter wallow in Japan pop star. Flora knows that her daughter always navigate to some sites with domain name ending as ‘.jp’, she is looking for a tool that can control what kinds of websites their PC can reach.

IT administrator in PC middle school discovered that their mail system started receiving porn advertisement and students are trying to share these links through the mail system, they are planning to have a filter that can block all such mail flows.

Justin loves blogging so much, he is writing them weekly. He loves to collect and read feedbacks from the audiences. However, he hates those spammer pasting unrelated advertisement on his posts. He want to figure out a way to stop them appearing from other audiences.

Solution
The trivial filtering solution to help these people out is bad word filtering. The basic idea is the same as general block list, users can specify the tokens they want to look for when deciding to block the information. In general, there are at least two different definitions to distinguish whether we found the bad word or not. Given an input message M,

1. Split the message M into a sequence of words Ws, we found a bad word bW is in the message only if Ws contains bW.
2. Take the message M as an input stream, we found a bad word bW when there is a list of consecutive characters equals bW.

Both definition has there own advantages and disadvantages, but we will keep this discussion later since the current topic is how to test the filter. Let’s say we pick the first definition for our filter, then what should we test? (Take some time to think about scenarios before continue reading)

Functional Test
According the input of this filter (input message M), we can design few functional test cases. Basic scenarios are,

• empty message [Expected: Accept];
• only a word (either good or bad word) [Expected: good - Accept, bad - Reject];
• two words (good and bad) with different delimiter [Expected: Depends on how the feature define delimiter];
• a list of word and contains (0, 1, 2, all) bad words [Expected: all reject];
• a bad word is embedded in a word (eg. assume evil is bad word, message conatins residentevil.com) [Expect: By design, this message will be accepted]

Beside these functional test cases, we should to have a lengthy message to check boundary cases of the feature. Assume the longest message we accept is N characters, we need to have message with length N, N+1 and N+2. On the other hand, globalization and localization test may be required, depends on who is your target user.

Security Concern
Then we would ask: is there other way to bypass the filter (eg. message using different encoding)? Is it possible to have code injection or script injection attack? Who can use the feature? Where is the bad word list? Who have rights to touch the list? These are security concerns when testing the feature. Drawing a data flow diagram always help to identify what kind of security issues we may have. However, this post only focus on functional testing a feature. May be next time we can discuss how to design security test cases of a feature.

Conclusion
We have only discussed some elementary skills to design the test plan of a feature. You can consider what kind of input the feature can have, both valid and invalid input. Output is another way to discover new scenarios, output is anything that the feature shown. Since we assumed that this filter only say accept or reject of a message and throw some exceptions (eg. input size exceed), the test cases we found here are almost dominated by what we found with the input. Now, you are able to test your program more systematically!

Have a good weekend!

Practice (Just for fun)
Should you want to have some practice, we can discuss how to test an IP block list filter. Here is a simple definition:

INPUT: Only allow IPv4 address, one at a time
IMPLEMENTATION: An IP block list is stored as a text file in the same folder of the filter, user need to directly modify the text file if he want to Add/Remove/Edit an IP address in the block list. The filter will perform a binary search to see if the input address is on the list. If it is, then it will announce reject, otherwise output accept.
OUTPUT: Accept/ Reject the address