Hack.lu 2007 Christophe Monniez Miguël Blauwbloeme Hillar Leoste

1 Capturing Malware
Hack.lu 2007, Christophe Monniez, Miguël Blauwbloeme, Hillar Leoste

2 Nepenthes: what is it?
- a low interaction honeypot
- simulates 22 vulnerabilities: MS Windows, Dameware, MSSQL, IIS, ...
- listens on 26 ports
- captures the malware that uses those vulnerabilities to propagate
C.Monniez - FCCU

3 Nepenthes: where to get it
- runs on GNU/Linux, OpenBSD, FreeBSD, Mac OS X, Cygwin
- where to find it:
  - official Debian package ( )
  - unofficial Debian package ( ) nthes/
  - download and compile from the subversion repository: svn co trunk/

4 Nepenthes: useful features
- by default it does nothing but wait for malware
- modular architecture
- a module to synchronize malware repositories: between two nepenthes sensors, with a database, with a web server

5 Nepenthes: useful features
- a Norman sandbox module
  - automatically sends captured samples to the Norman sandbox
  - the report is received by mail
  - maybe broken due to a captcha ...
- a lot more modules to explore: pcap, ...

6 Nepenthes: useful features
- hexdumps of unknown attacks (payloads that matched none of the emulated vulnerabilities) are written out for later analysis

7 Nepenthes: where to place it?
- in front of your internet connection. Examples:
  - on a gateway between your internal network and the internet
  - side by side with your gateway, if you can get another public IP address

8 Nepenthes: where to place it?
- in some sort of DMZ. Example: forward the 26 ports from your internet gateway to the sensor

9 Nepenthes: where to place it?
- in your office intranet! A good way to track malware that is spreading in your internal network

10 Nepenthes: where to place it?
- at some ISP :-)

11 Nepenthes: border filtering
- it seems that some ISPs do border filtering; in that case you only capture malware coming from customers of the same ISP

12 Nepenthes: captured binaries
- binary files are stored on your disk
- the file name of each binary is its MD5 hash
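
Because the file name is the MD5 of the content, a stored binary can be checked against its own name at any time. The following is an added example, not code from the slides or from the Nepenthes project: it walks a binaries directory, recomputes each file's MD5 (and a SHA-256 alongside, since MD5 alone should not be relied on for identifying samples) and reports files whose name no longer matches, for instance because they were renamed or truncated after capture. The sample directory it builds is constructed in a temp dir and contains harmless text, not malware.

```python
import hashlib
import os
import tempfile


def md5_hex(data):
    """MD5 hex digest of an in-memory byte string."""
    return hashlib.md5(data).hexdigest()


def hash_file(path):
    """Return (md5, sha256) hex digests of a file, read in 64 KiB chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def verify_binaries_dir(directory):
    """Check every regular file in a Nepenthes binaries directory.

    Returns (verified, mismatched): verified maps md5 -> sha256 for files
    whose name equals the MD5 of their content; mismatched maps file name
    -> actual md5 for files whose name does not match.
    """
    verified = {}
    mismatched = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        md5, sha256 = hash_file(path)
        if name.lower() == md5:
            verified[md5] = sha256
        else:
            mismatched[name] = md5
    return verified, mismatched


def build_sample_dir():
    """Constructed sample (assumption, not a real capture directory): two
    correctly named files plus one that was renamed after capture."""
    directory = tempfile.mkdtemp(prefix="nepenthes-binaries-")
    for data in (b"sample capture one", b"sample capture two"):
        with open(os.path.join(directory, md5_hex(data)), "wb") as fh:
            fh.write(data)
    with open(os.path.join(directory, "renamed.exe"), "wb") as fh:
        fh.write(b"this name is not its md5")
    return directory


if __name__ == "__main__":
    sample_dir = build_sample_dir()
    ok, bad = verify_binaries_dir(sample_dir)
    for md5, sha256 in ok.items():
        print("OK  ", md5, "sha256", sha256)
    for name, md5 in bad.items():
        print("BAD ", name, "actual md5", md5)
```

Run it against the real binaries directory by passing that path to verify_binaries_dir; anything reported as BAD is a sample whose name can no longer be trusted as its identifier.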

13 Nepenthes: log files
- nepenthes.log: a very verbose log of what nepenthes did
- logged_downloads: filename and from where the malware was downloaded
- logged_submissions: filename, from where it was downloaded, and its MD5 hash
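
The two short logs are the quickest way to answer "which samples are spreading, and from where". The following is an added example, not code from the slides or from the Nepenthes project: it parses logged_downloads and logged_submissions, groups submissions by MD5 with the set of attacking hosts per sample, and lists downloads that never produced a submission. The line layout ("[timestamp] attacker -> sensor url", with the MD5 appended on submission lines) is an assumption based only on the fields the slide names, and the log lines below are constructed with documentation addresses, not real captures.

```python
import re
from collections import defaultdict

# Assumed layouts (the slide names the fields but shows no line):
#   logged_downloads:   [timestamp] attacker -> sensor url
#   logged_submissions: [timestamp] attacker -> sensor url md5
DOWNLOAD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<url>\S+)\s*$"
)
SUBMISSION_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<url>\S+)"
    r"\s+(?P<md5>[0-9a-fA-F]{32})\s*$"
)

# Constructed sample lines (not real log data); one deliberately malformed.
SAMPLE_DOWNLOADS = [
    "[2007-10-17T14:22:31] 192.0.2.10 -> 198.51.100.5 tftp://192.0.2.10/msmsgs.exe",
    "[2007-10-17T14:25:02] 192.0.2.44 -> 198.51.100.5 tftp://192.0.2.44/msmsgs.exe",
    "[2007-10-17T15:01:17] 192.0.2.77 -> 198.51.100.5 http://192.0.2.77:8080/x.exe",
    "[2007-10-17T15:40:09] 192.0.2.91 -> 198.51.100.5 ftp://u:p@192.0.2.91/dl.exe",
    "this line is garbage and must be skipped",
]
SAMPLE_SUBMISSIONS = [
    "[2007-10-17T14:22:33] 192.0.2.10 -> 198.51.100.5 tftp://192.0.2.10/msmsgs.exe "
    "0123456789abcdef0123456789abcdef",
    "[2007-10-17T14:25:04] 192.0.2.44 -> 198.51.100.5 tftp://192.0.2.44/msmsgs.exe "
    "0123456789abcdef0123456789abcdef",
    "[2007-10-17T15:01:20] 192.0.2.77 -> 198.51.100.5 http://192.0.2.77:8080/x.exe "
    "fedcba9876543210fedcba9876543210",
]


def parse_lines(lines, pattern):
    """Return the match groups of every line matching pattern; skip the rest."""
    parsed = []
    for line in lines:
        match = pattern.match(line.strip())
        if match:
            parsed.append(match.groupdict())
    return parsed


def summarize(download_lines, submission_lines):
    """Join the two logs.

    Returns (by_md5, failed): by_md5 maps each sample's MD5 to its count,
    the set of attacking hosts and the set of URLs it was fetched from;
    failed lists downloads whose URL never appears in a submission.
    """
    downloads = parse_lines(download_lines, DOWNLOAD_RE)
    submissions = parse_lines(submission_lines, SUBMISSION_RE)
    by_md5 = defaultdict(lambda: {"count": 0, "sources": set(), "urls": set()})
    for sub in submissions:
        entry = by_md5[sub["md5"].lower()]
        entry["count"] += 1
        entry["sources"].add(sub["src"])
        entry["urls"].add(sub["url"])
    submitted_urls = {sub["url"] for sub in submissions}
    failed = [dl for dl in downloads if dl["url"] not in submitted_urls]
    return dict(by_md5), failed


def spreading_samples(by_md5):
    """MD5s pushed by more than one distinct host: the worm-like ones."""
    return sorted(md5 for md5, e in by_md5.items() if len(e["sources"]) > 1)


if __name__ == "__main__":
    by_md5, failed = summarize(SAMPLE_DOWNLOADS, SAMPLE_SUBMISSIONS)
    for md5, entry in by_md5.items():
        print(md5, entry["count"], sorted(entry["sources"]))
    print("spreading:", spreading_samples(by_md5))
    print("downloads without submission:", [d["url"] for d in failed])
```

Feed the real files in with open(path).readlines(); if the real layout differs from the assumed one, only the two regular expressions need adjusting.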

14 Nepenthes: log files, logged_downloads (screenshot)

15 Nepenthes: log files, logged_submissions (screenshot)

16 Other tools
- Honeytrap: collects information about unknown attacks
- honeyd
- Honeybow
- high interaction honeypots: honeynet

17 Other tools
- Bleeding snort
- on Windows:
  - Honeybot (mid interaction honeypot)
  - Multipot

18 Online sandboxes
- Sunbelt sandbox
- Norman sandbox
- Anubis
- ThreatExpert

19 Online sandboxes
- VirusTotal: http://www.virustotal.com/fr/

20 Question time
Questions?
