Setting Up And Running A Honeypot - Nepenthes
Brian Allen (ballen at wustl.edu)
Network Security Analyst, Washington University in St. Louis

2 Nepenthes

3 Q: What is a Honeypot?
- A: Generally a computer that appears to be legitimate, but in reality is a trap for malware and hackers
- There should be no legit traffic to the honeypot, so any traffic it sees is immediately suspicious
- A darknet is similar, but on a much bigger scale, say an entire /24 subnet

4 Different Types of Honeypots
- Low Interaction: This type runs virtual hosts and services. Collects info in logs. Example: Honeyd
- Medium Interaction: Similar to LI, but will interact with the malware and download the binary for analysis. Ex: Nepenthes
- High Interaction: A honeypot or honeynet that will allow hackers to actually compromise it while the admin monitors his moves. Ex: Sebek

5 Nepenthes Brief History
- Georg Wicherski originally wrote a tool called mwcollect while Paul Baecher and Markus Koetter were working on Nepenthes
- Mwcollect was merged into Nepenthes in February 2006
- Nepenthes 0.2.0 was released on November 13, 2006

6 How Nepenthes Works
- Vulnerability Modules – emulate various services which look ripe for compromise to an attacker (lsass, dcom, veritas, dameware, etc)
- Shellcode Handlers and Emulators – allow Nepenthes to interact with the malware
- Download Modules – will download the binary (http, ftp, curl, etc)
- Submission Modules – will submit the binary for analysis (Norman, CWSandbox, postgres, etc)

7 To Compile Nepenthes On CentOS
# ./configure \
    --prefix=/usr/local/nepenthes \
    --enable-capabilities \
    --with-cap-lib=/lib/libcap.so \
    --enable-debug-logging \
    --enable-pcap \
    --with-pcap-lib=/usr/lib/libpcap.so
# make; make install

8 How To Start Nepenthes
To start Nepenthes on the command line:
/usr/local/nepenthes/bin/nepenthes -u nepenthes -g nepenthes -r /usr/local/nepenthes -C &
-u run as user "nepenthes"
-g run as group "nepenthes"
-r chroot to the /usr/local/nepenthes dir
-C run as non-root, but keep kernel capabilities

9 Using Nepenthes
Nepenthes runs on a large number of TCP/IP ports:
# lsof -i -P | egrep nep | sort -t: -n -k 2,2
nepenthes 328 nepenthes 17u IPv4 71388 TCP *:21 (LISTEN)
nepenthes 328 nepenthes 33u IPv4 71404 TCP *:42 (LISTEN)
nepenthes 328 nepenthes 34u IPv4 71405 TCP *:80 (LISTEN)
nepenthes 328 nepenthes 6u IPv4 71377 TCP *:110 (LISTEN)
nepenthes 328 nepenthes 14u IPv4 71385 TCP *:135 (LISTEN)
nepenthes 328 nepenthes 26u IPv4 71397 TCP *:139 (LISTEN)
nepenthes 328 nepenthes 7u IPv4 71378 TCP *:143 (LISTEN)
nepenthes 328 nepenthes 8u IPv4 71379 TCP *:220 (LISTEN)
nepenthes 328 nepenthes 18u IPv4 71389 TCP *:443 (LISTEN)
nepenthes 328 nepenthes 15u IPv4 71386 TCP *:445 (LISTEN)
nepenthes 328 nepenthes 9u IPv4 71380 TCP *:465 (LISTEN)
nepenthes 328 nepenthes 10u IPv4 71381 TCP *:993 (LISTEN)
nepenthes 328 nepenthes 11u IPv4 71382 TCP *:995 (LISTEN)
…

10 Note: If The Port is Already In Use
Then Nepenthes can't use it. For example, if you are running a service on port 2745, then Nepenthes can't load a module for that port. In this case vuln-bagle.conf listens on port 2745:
[ crit net handler ] Could not Bind Socket to Port 2745
Address already in use
[ crit net handler ] ERROR Could not init Socket Address already in use
[ crit net mgr ] ERROR Binding :2745 failed
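A quick way to catch the situation on slides 9 and 10 before (or right after) starting the daemon is to cross-check the `lsof -i -P` listing against the "Could not Bind Socket" log lines and name the process that already holds each port. The script below is an added example, not part of the presentation or of Nepenthes; the lsof and log text it parses is constructed for the example (the `otherd` daemon squatting on 2745 is hypothetical), and it assumes the lsof column layout shown on slide 9.

```python
"""Port-conflict check for a Nepenthes host (added example, not Nepenthes code)."""
import re
from typing import Dict, List, Set

# Constructed sample: three lines in the shape of slide 9 plus one
# hypothetical foreign daemon ("otherd") holding 2745, the port that
# vuln-bagle.conf wants to bind.
SAMPLE_LSOF = """\
nepenthes 328 nepenthes 17u IPv4 71388 TCP *:21 (LISTEN)
nepenthes 328 nepenthes 14u IPv4 71385 TCP *:135 (LISTEN)
nepenthes 328 nepenthes 15u IPv4 71386 TCP *:445 (LISTEN)
otherd    412 root      5u  IPv4 70001 TCP *:2745 (LISTEN)
"""

# Constructed sample in the shape of the slide 10 log excerpt.
SAMPLE_LOG = """\
[ crit net handler ] Could not Bind Socket to Port 2745
Address already in use
[ crit net handler ] ERROR Could not init Socket Address already in use
[ crit net mgr ] ERROR Binding :2745 failed
"""

# COMMAND PID USER FD TYPE DEVICE NODE NAME(LISTEN) -- columns of `lsof -i -P`
LSOF_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+\S+\s+IPv[46]\s+\d+\s+(TCP|UDP)\s+\S*:(\d+)\s+\(LISTEN\)"
)
BIND_FAIL_RE = re.compile(r"Could not Bind Socket to Port (\d+)")


def parse_lsof(text: str) -> Dict[int, str]:
    """Map each listening TCP port to the command name that holds it."""
    ports: Dict[int, str] = {}
    for line in text.splitlines():
        m = LSOF_RE.match(line)
        if m and m.group(4) == "TCP":
            ports[int(m.group(5))] = m.group(1)
    return ports


def nepenthes_ports(text: str) -> List[int]:
    """Ports Nepenthes itself listens on, sorted numerically
    (the same ordering `sort -t: -n -k 2,2` produces on slide 9)."""
    return sorted(p for p, cmd in parse_lsof(text).items() if cmd == "nepenthes")


def failed_binds(log: str) -> Set[int]:
    """Ports the Nepenthes log says could not be bound."""
    return {int(m.group(1)) for m in BIND_FAIL_RE.finditer(log)}


def find_conflicts(lsof_text: str, log_text: str) -> Dict[int, str]:
    """For every failed bind, name the process holding the port.
    'unknown' means lsof showed no listener, e.g. a socket bound to one
    specific address rather than *, or a process the caller cannot see."""
    held = parse_lsof(lsof_text)
    return {p: held.get(p, "unknown") for p in sorted(failed_binds(log_text))}


if __name__ == "__main__":
    print("nepenthes listens on:", nepenthes_ports(SAMPLE_LSOF))
    for port, cmd in find_conflicts(SAMPLE_LSOF, SAMPLE_LOG).items():
        print(f"port {port}: vulnerability module not loaded, port held by {cmd}")
```

On a live host, feed it the real output of `lsof -i -P` and the Nepenthes log; a conflict means one emulated vulnerability is silently missing from the honeypot, so the check belongs in whatever script starts the daemon.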

11 Malware Analysis Sites
- Norman sandbox - http://sandbox.norman.no/live_4.html
- CWSandbox - http://luigi.informatik.uni-mannheim.de/submit.php?action=verify (note the hyphen after "uni")
- Virus total - http://www.virustotal.com/en/indexf.html

12 Norman Sandbox Report I
nepenthes-6a036697ebe5068ffbb3a4f3690fb606-setup_83117.exe : W32/Malware (Signature: NO_VIRUS)
[ General information ]
 * Anti debug/emulation code present.
 * **Locates window "Unreal3.2 Modded By LyR [class NULL]" on desktop.
 * **Locates window "NULL [class mIRC]" on desktop.
 * File length: 65963 bytes.
 * MD5 hash: 6a036697ebe5068ffbb3a4f3690fb606.

13 Norman Sandbox Report II
[ Changes to filesystem ]
 * Creates file C:\WINDOWS\smss.exe.
 * Deletes file c:\sample.exe.

14 Norman Sandbox Report III
[ Changes to registry ]
 * Creates key "HKLM\Software\\Microsoft\\Windows".
 * Sets value "h8d6v1d2n8d1"="c:\sample.exe" in key "HKLM\Software\\Microsoft\\Windows".
 * Deletes value "h8d6v1d2n8d1" in key "HKLM\Software\\Microsoft\\Windows".
 * Sets value "u8l9n89x4u3"="3/6/2006, 1:20 PM" in key "HKLM\Software\\Microsoft\\Windows".
 * Sets value "WaitToKillTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".

15 Norman Sandbox Report IV
[ Network services ]
 * Looks for an Internet connection.
 * Connects to "mail2.TIKTIKZ.COM" on port 9632 (TCP).
 * Connects to IRC Server.
 * IRC: Uses nickname [||106824802].
 * IRC: Uses username XP-5094.
 * Opens URL: http://www.proxy.us.pl/azenv.php.
 * Opens URL: http://www.nassc.com/pr.php.
 * Opens URL: http://69.59.137.236/cgi/prxjdg.cgi.
 * IRC: Sets the usermode for user [||106824802] to.
 * IRC: Joins channel #oo# with password m00.
 * Connects to "mail2.TIKTIKZ.COM" on port 7412 (TCP).

16 Norman Sandbox Report V
[ Process/window information ]
 * Creates service "Windows NT Session Managers (Windows NT Session Managers)" as ""C:\WINDOWS\smss.exe"".
 * Attempts to access service "Windows NT Session Managers".
 * Creates a mutex h8d6v1d2n8d1.
(C) 2004-2006 Norman ASA. All Rights Reserved.
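The five report slides above are exactly the kind of text an analyst ends up turning into blocklist entries and detection rules by hand. The script below is an added example, not part of the presentation or of Norman's tooling: it parses the "[ Section ]" / "* finding." layout of the report, pulls out the hash, the contacted hosts and ports, the URLs, the IRC channel and the dropped file, and returns them as structured data. The sample report is assembled from the lines on slides 12 through 16; the section and item layout it assumes is the one visible on those slides.

```python
"""Extract indicators from a Norman Sandbox text report (added example)."""
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlparse

# Assembled from the report lines shown on slides 12-16 (raw string, so the
# Windows paths keep their single backslashes).
SAMPLE_REPORT = r"""
[ General information ]
 * Anti debug/emulation code present.
 * File length: 65963 bytes.
 * MD5 hash: 6a036697ebe5068ffbb3a4f3690fb606.
[ Changes to filesystem ]
 * Creates file C:\WINDOWS\smss.exe.
 * Deletes file c:\sample.exe.
[ Changes to registry ]
 * Sets value "WaitToKillTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".
[ Network services ]
 * Looks for an Internet connection.
 * Connects to "mail2.TIKTIKZ.COM" on port 9632 (TCP).
 * Connects to IRC Server.
 * IRC: Uses nickname [||106824802].
 * Opens URL: http://www.proxy.us.pl/azenv.php.
 * Opens URL: http://www.nassc.com/pr.php.
 * Opens URL: http://69.59.137.236/cgi/prxjdg.cgi.
 * IRC: Joins channel #oo# with password m00.
 * Connects to "mail2.TIKTIKZ.COM" on port 7412 (TCP).
[ Process/window information ]
 * Creates service "Windows NT Session Managers (Windows NT Session Managers)" as ""C:\WINDOWS\smss.exe"".
 * Creates a mutex h8d6v1d2n8d1.
"""

SECTION_RE = re.compile(r"^\s*\[\s*(.+?)\s*\]\s*$")
ITEM_RE = re.compile(r"^\s*\*+\s*(.+?)\.?\s*$")          # strips the trailing period
CONNECT_RE = re.compile(r'Connects to "([^"]+)" on port (\d+) \((TCP|UDP)\)')
URL_RE = re.compile(r"Opens URL: (\S+)$")
CHANNEL_RE = re.compile(r"IRC: Joins channel (\S+)")
MD5_RE = re.compile(r"MD5 hash: ([0-9a-fA-F]{32})")


def parse_sections(report: str) -> Dict[str, List[str]]:
    """Group the '* finding' lines under their '[ Section ]' header."""
    sections: Dict[str, List[str]] = defaultdict(list)
    current = None
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and current is not None:
            sections[current].append(m.group(1))
    return dict(sections)


def extract_indicators(report: str) -> Dict[str, object]:
    """Turn the findings into indicators: hash, C2 endpoints, URLs, channels, drops."""
    sections = parse_sections(report)
    ind: Dict[str, object] = {"md5": None, "connections": [], "urls": [],
                              "irc_channels": [], "files_created": []}
    for item in sections.get("General information", []):
        m = MD5_RE.search(item)
        if m:
            ind["md5"] = m.group(1).lower()
    for item in sections.get("Network services", []):
        if (m := CONNECT_RE.search(item)):
            # hostnames are case-insensitive, so normalise for matching
            ind["connections"].append((m.group(1).lower(), int(m.group(2)), m.group(3)))
        if (m := URL_RE.search(item)):
            ind["urls"].append(m.group(1))
        if (m := CHANNEL_RE.search(item)):
            ind["irc_channels"].append(m.group(1))
    for item in sections.get("Changes to filesystem", []):
        if item.startswith("Creates file "):
            ind["files_created"].append(item[len("Creates file "):])
    return ind


def contacted_hosts(report: str) -> List[str]:
    """Every host or IP the sample reached out to: direct connections plus URL hosts."""
    ind = extract_indicators(report)
    hosts = {host for host, _, _ in ind["connections"]}
    hosts |= {urlparse(u).hostname for u in ind["urls"]}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    for key, value in extract_indicators(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
    print("hosts to watch for at the border:", contacted_hosts(SAMPLE_REPORT))
```

The `contacted_hosts` list is the part worth acting on: any other campus machine resolving or connecting to those names and ports is likely carrying the same bot, which is the real payoff of running the sample through a sandbox.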

17 Homework I
- Run Snort & Tcpdump with Nepenthes
- This will allow an admin to analyze more in depth what the attackers are trying to do to the machine, in addition to what is stored in the Nepenthes logs

18 Homework II
- HoneyTrap Module (Or set up Argus)
- What if malware tries to infect a computer on a different port?
- The HoneyTrap Module will detect this and allow the malware to "talk" to this port even though it isn't really open
- This is a new feature in version 0.2.0, and it is based on honeytrap.sf.net by Werner Tillmann

19 Nepenthes at WUSTL Since 6/06
- Collected 34 unique binaries
- Found 1728+ unique IP addresses which scanned the honeypot
- Found 101 different WUSTL IP addresses which scanned the honeypot
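The three figures on this slide are the ones worth reproducing on any honeypot, and the last one (internal addresses hitting the honeypot) is the actionable one, because those are machines the local team can clean up. The script below is an added example, not code from the presentation or from Nepenthes; it derives the same counts from a list of (source IP, destination port, MD5 of any captured binary) records and builds a per-host worklist for the internal sources. The record layout and the campus prefix (192.0.2.0/24, a documentation range standing in for the real WUSTL ranges) are assumptions, and the records are constructed.

```python
"""Honeypot contact summary with internal-source worklist (added example)."""
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Placeholder for the campus address space; replace with the real prefixes.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]

Record = Tuple[str, int, Optional[str]]  # (src_ip, dst_port, md5 of captured binary or None)

# Constructed sample records, not real captures.
SAMPLE_RECORDS: List[Record] = [
    ("198.51.100.7", 445, "6a036697ebe5068ffbb3a4f3690fb606"),
    ("198.51.100.7", 139, None),
    ("203.0.113.9", 445, "6a036697ebe5068ffbb3a4f3690fb606"),
    ("192.0.2.55", 135, "0" * 32),
    ("192.0.2.55", 445, None),
    ("192.0.2.101", 2745, None),
    ("203.0.113.200", 80, None),
]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the campus prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_NETS)


def summarise(records: List[Record]) -> Dict[str, object]:
    """The slide's three numbers plus the most-hit ports."""
    binaries = {md5 for _, _, md5 in records if md5}
    sources = {ip for ip, _, _ in records}
    internal = sorted((ip for ip in sources if is_internal(ip)), key=ipaddress.ip_address)
    return {
        "unique_binaries": len(binaries),
        "unique_sources": len(sources),
        "internal_sources": internal,
        "top_ports": Counter(port for _, port, _ in records).most_common(3),
    }


def internal_worklist(records: List[Record]) -> Dict[str, Dict[str, object]]:
    """For each internal source: ports it probed and whether it delivered a binary.
    A host that handed over a binary is confirmed infected; one that only
    probed still warrants a look."""
    work: Dict[str, Dict[str, object]] = defaultdict(lambda: {"ports": set(), "binaries": set()})
    for ip, port, md5 in records:
        if not is_internal(ip):
            continue
        work[ip]["ports"].add(port)
        if md5:
            work[ip]["binaries"].add(md5)
    return {ip: {"ports": sorted(v["ports"]), "binaries": sorted(v["binaries"]),
                 "confirmed": bool(v["binaries"])}
            for ip, v in work.items()}


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
    for ip, info in internal_worklist(SAMPLE_RECORDS).items():
        print(ip, "confirmed" if info["confirmed"] else "probe only", info["ports"])
```

Because nothing legitimate should ever touch the honeypot (slide 3), even the probe-only internal hosts deserve a ticket; the confirmed ones go to the top of the list.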

20 What To Do With This Data?
- Contact me

21 Nepenthes Development Team
- Paul Baecher ( nepenthesdev at users.sourceforge.net )
- Markus Koetter ( nepenthesdev at users.sourceforge.net )
- Georg Wicherski ( georg-wicherski at pixel-house.net )
nepenthesdev at gmail.com

22 Nepenthes Websites
- http://nepenthes.mwcollect.org – Nepenthes Homepage
- http://sourceforge.net/projects/nepenthes

23 Useful Articles
- "Medium Interaction Honeypots" by Wicherski, April 2006, which includes a lot of information on Nepenthes - http://www.pixel-house.net/midinthp.pdf
- "Using Nepenthes Honeypots to Detect Common Malware" by Jamie Riden, November 2006, at SecurityFocus.com - http://www.securityfocus.com/infocus/1880
