Presentation is loading. Please wait.

Presentation is loading. Please wait.

Setting Up And Running A Honeypot - Nepenthes Brian Allen (ballen at wustl.edu) Network Security Analyst Washington University in St. Louis.

Similar presentations


Presentation on theme: "Setting Up And Running A Honeypot - Nepenthes Brian Allen (ballen at wustl.edu) Network Security Analyst Washington University in St. Louis."— Presentation transcript:

1 Setting Up And Running A Honeypot - Nepenthes Brian Allen (ballen at wustl.edu) Network Security Analyst Washington University in St. Louis

2 Nepenthes

3 Q: What is a Honeypot? A: Generally a computer that appears to be legitimate, but in reality is a trap for malware and hackers A: Generally a computer that appears to be legitimate, but in reality is a trap for malware and hackers There should be no legit traffic to the honeypot, so any traffic it sees is immediately suspicious There should be no legit traffic to the honeypot, so any traffic it sees is immediately suspicious A darknet is similar, but on a much bigger scale, say an entire /24 subnet A darknet is similar, but on a much bigger scale, say an entire /24 subnet

4 Different Types of Honeypots Low Interaction: This type runs virtual hosts and services. Collects info in logs. Example: Honeyd Low Interaction: This type runs virtual hosts and services. Collects info in logs. Example: Honeyd Medium Interaction: Similar to LI, but will interact with the malware and download the binary for analysis. Ex: Nepenthes Medium Interaction: Similar to LI, but will interact with the malware and download the binary for analysis. Ex: Nepenthes High Interaction: A honeypot or honeynet that will allow hackers to actually compromise it while the admin monitors his moves. Ex: Sebek High Interaction: A honeypot or honeynet that will allow hackers to actually compromise it while the admin monitors his moves. Ex: Sebek

5 Nepenthes Brief History Georg Wicherski originally wrote a tool called mwcollect while Paul Baecher and Markus Koetter were working on Nepenthes Georg Wicherski originally wrote a tool called mwcollect while Paul Baecher and Markus Koetter were working on Nepenthes Mwcollect was merged into Nepenthes in February 2006 Mwcollect was merged into Nepenthes in February 2006 Nepenthes was released on November 13, 2006 Nepenthes was released on November 13, 2006

6 How Nepenthes Works Vulnerability Modules – emulates various services which look ripe for compromise to an attacker (lsass, dcom, veritas, dameware, etc) Vulnerability Modules – emulates various services which look ripe for compromise to an attacker (lsass, dcom, veritas, dameware, etc) Shellcode Handlers and Emulators – allows Nepenthes to interact with the malware Shellcode Handlers and Emulators – allows Nepenthes to interact with the malware Download Modules – will download the binary (http, ftp, curl, etc) Download Modules – will download the binary (http, ftp, curl, etc) Submission Modules – will submit the binary for analysis (Norman, CWSandbox, postgres, etc) Submission Modules – will submit the binary for analysis (Norman, CWSandbox, postgres, etc)

7 To Compile Nepenthes On CentOS #./configure #./configure --prefix=/usr/local/nepenthes --prefix=/usr/local/nepenthes --enable-capabilities --enable-capabilities --with-cap-lib=/lib/libcap.so --with-cap-lib=/lib/libcap.so --enable-debug-logging --enable-debug-logging --enable-pcap --enable-pcap --with-pcap-lib=/usr/lib/libpcap.so --with-pcap-lib=/usr/lib/libpcap.so # make; # make install # make; # make install

8 How To Start Nepenthes To start Nepenthes on the command line: To start Nepenthes on the command line: /usr/local/nepenthes/bin/nepenthes -u nepenthes -g nepenthes -r /usr/local/nepenthes -C & /usr/local/nepenthes/bin/nepenthes -u nepenthes -g nepenthes -r /usr/local/nepenthes -C & -u run as user “nepenthes” -u run as user “nepenthes” -g run as group “nepenthes” -g run as group “nepenthes” -r chroot to the /usr/local/nepenthes dir -r chroot to the /usr/local/nepenthes dir -C run as non-root, but keep kernel capabilities -C run as non-root, but keep kernel capabilities

9 Using Nepenthes Nepenthes runs on a large number of TCP/IP ports: Nepenthes runs on a large number of TCP/IP ports: # lsof -i -P | egrep nep | sort -t: -n -k 2,2 # lsof -i -P | egrep nep | sort -t: -n -k 2,2 nepenthes 328 nepenthes 17u IPv TCP *:21 (LISTEN) nepenthes 328 nepenthes 17u IPv TCP *:21 (LISTEN) nepenthes 328 nepenthes 33u IPv TCP *:42 (LISTEN) nepenthes 328 nepenthes 33u IPv TCP *:42 (LISTEN) nepenthes 328 nepenthes 34u IPv TCP *:80 (LISTEN) nepenthes 328 nepenthes 34u IPv TCP *:80 (LISTEN) nepenthes 328 nepenthes 6u IPv TCP *:110 (LISTEN) nepenthes 328 nepenthes 6u IPv TCP *:110 (LISTEN) nepenthes 328 nepenthes 14u IPv TCP *:135 (LISTEN) nepenthes 328 nepenthes 14u IPv TCP *:135 (LISTEN) nepenthes 328 nepenthes 26u IPv TCP *:139 (LISTEN) nepenthes 328 nepenthes 26u IPv TCP *:139 (LISTEN) nepenthes 328 nepenthes 7u IPv TCP *:143 (LISTEN) nepenthes 328 nepenthes 7u IPv TCP *:143 (LISTEN) nepenthes 328 nepenthes 8u IPv TCP *:220 (LISTEN) nepenthes 328 nepenthes 8u IPv TCP *:220 (LISTEN) nepenthes 328 nepenthes 18u IPv TCP *:443 (LISTEN) nepenthes 328 nepenthes 18u IPv TCP *:443 (LISTEN) nepenthes 328 nepenthes 15u IPv TCP *:445 (LISTEN) nepenthes 328 nepenthes 15u IPv TCP *:445 (LISTEN) nepenthes 328 nepenthes 9u IPv TCP *:465 (LISTEN) nepenthes 328 nepenthes 9u IPv TCP *:465 (LISTEN) nepenthes 328 nepenthes 10u IPv TCP *:993 (LISTEN) nepenthes 328 nepenthes 10u IPv TCP *:993 (LISTEN) nepenthes 328 nepenthes 11u IPv TCP *:995 (LISTEN) nepenthes 328 nepenthes 11u IPv TCP *:995 (LISTEN) …

10 Note: If The Port is Already In Use Then Nepenthes can't use it. For example if you are running a service on port 2745, then nepenthes can't load a module for that port. In this case vuln-bagle.conf listens on port 2745: Then Nepenthes can't use it. For example if you are running a service on port 2745, then nepenthes can't load a module for that port. In this case vuln-bagle.conf listens on port 2745: [ crit net handler ] Could not Bind Socket to Port 2745 [ crit net handler ] Could not Bind Socket to Port 2745 Address already in use Address already in use [ crit net handler ] ERROR Could not init Socket Address already in use [ crit net handler ] ERROR Could not init Socket Address already in use [ crit net mgr ] ERROR Binding :2745 failed [ crit net mgr ] ERROR Binding :2745 failed

11 Malware Analysis Sites Norman sandbox - Norman sandbox - CWSandbox - mannheim.de/submit.php?action=verify (There is a – after uni) CWSandbox - mannheim.de/submit.php?action=verify (There is a – after uni)http://luigi.informatik.uni- mannheim.de/submit.php?action=verifyhttp://luigi.informatik.uni- mannheim.de/submit.php?action=verify Virus total - Virus total -

12 Norman Sandbox Report I nepenthes-6a036697ebe5068ffbb3a4f3690fb606- setup_83117.exe : W32/Malware (Signature: NO_VIRUS) nepenthes-6a036697ebe5068ffbb3a4f3690fb606- setup_83117.exe : W32/Malware (Signature: NO_VIRUS) [ General information ] [ General information ] * Anti debug/emulation code present. * Anti debug/emulation code present. * **Locates window "Unreal3.2 Modded By LyR [class NULL]" on desktop. * **Locates window "Unreal3.2 Modded By LyR [class NULL]" on desktop. * **Locates window "NULL [class mIRC]" on desktop. * **Locates window "NULL [class mIRC]" on desktop. * File length: bytes. * File length: bytes. * MD5 hash: 6a036697ebe5068ffbb3a4f3690fb606. * MD5 hash: 6a036697ebe5068ffbb3a4f3690fb606.

13 Norman Sandbox Report II [ Changes to filesystem ] [ Changes to filesystem ] * Creates file C:\WINDOWS\smss.exe. * Creates file C:\WINDOWS\smss.exe. * Deletes file c:\sample.exe. * Deletes file c:\sample.exe.

14 Norman Sandbox Report III [ Changes to registry ] [ Changes to registry ] * Creates key "HKLM\Software\\Microsoft\\Windows". * Creates key "HKLM\Software\\Microsoft\\Windows". * Sets value "h8d6v1d2n8d1"="c:\sample.exe" in key "HKLM\Software\\Microsoft\\Windows". * Sets value "h8d6v1d2n8d1"="c:\sample.exe" in key "HKLM\Software\\Microsoft\\Windows". * Deletes value "h8d6v1d2n8d1" in key "HKLM\Software\\Microsoft\\Windows". * Deletes value "h8d6v1d2n8d1" in key "HKLM\Software\\Microsoft\\Windows". * Sets value "u8l9n89x4u3"="3/6/2006, 1:20 PM" in key "HKLM\Software\\Microsoft\\Windows". * Sets value "u8l9n89x4u3"="3/6/2006, 1:20 PM" in key "HKLM\Software\\Microsoft\\Windows". * Sets value "WaitToKillTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control". * Sets value "WaitToKillTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".

15 Norman Sandbox Report IV [ Network services ] [ Network services ] * Looks for an Internet connection. * Looks for an Internet connection. * Connects to "mail2.TIKTIKZ.COM" on port 9632 (TCP). * Connects to "mail2.TIKTIKZ.COM" on port 9632 (TCP). * Connects to IRC Server. * Connects to IRC Server. * IRC: Uses nickname [|| ]. * IRC: Uses nickname [|| ]. * IRC: Uses username XP * IRC: Uses username XP * Opens URL: * Opens URL: * Opens URL: * Opens URL: * Opens URL: * Opens URL: * IRC: Sets the usermode for user [|| ] to. * IRC: Sets the usermode for user [|| ] to. * IRC: Joins channel #oo# with password m00. * IRC: Joins channel #oo# with password m00. * Connects to "mail2.TIKTIKZ.COM" on port 7412 (TCP). * Connects to "mail2.TIKTIKZ.COM" on port 7412 (TCP).

16 Norman Sandbox Report V [ Process/window information ] [ Process/window information ] * Creates service "Windows NT Session Managers (Windows NT Session Managers)" as ""C:\WINDOWS\smss.exe"". * Creates service "Windows NT Session Managers (Windows NT Session Managers)" as ""C:\WINDOWS\smss.exe"". * Attempts to access service "Windows NT Session Managers". * Attempts to access service "Windows NT Session Managers". * Creates a mutex h8d6v1d2n8d1. * Creates a mutex h8d6v1d2n8d1. (C) Norman ASA. All Rights Reserved. (C) Norman ASA. All Rights Reserved.

17 Homework I Run Snort & Tcpdump with Nepenthes Run Snort & Tcpdump with Nepenthes This will allow an admin to analyze more in depth what the attackers are trying to do to the machine in addition to what is stored in nepenthes logs This will allow an admin to analyze more in depth what the attackers are trying to do to the machine in addition to what is stored in nepenthes logs

18 Homework II HoneyTrap Module (Or set up Argus) HoneyTrap Module (Or set up Argus) What if malware tries to infect a computer on different port? What if malware tries to infect a computer on different port? The HoneyTrap Module will detect this and allow the malware to “talk” to this port even though it isn’t really open The HoneyTrap Module will detect this and allow the malware to “talk” to this port even though it isn’t really open This is a new feature in version 0.2.0, and it is based on honeytrap.sf.net by Werner Tillmann This is a new feature in version 0.2.0, and it is based on honeytrap.sf.net by Werner Tillmann

19 Nepenthes at WUSTL Since 6/06 Collected 34 unique binaries Collected 34 unique binaries Found unique IP addresses which scanned the honeypot Found unique IP addresses which scanned the honeypot Found 101 different WUSTL IP addresses which scanned the honeypot Found 101 different WUSTL IP addresses which scanned the honeypot

20 What To Do With This Data? Contact me Contact me

21 Nepenthes Development Team - Paul Baecher ( nepenthesdev at users.sourceforge.net ) - Paul Baecher ( nepenthesdev at users.sourceforge.net ) - Markus Koetter ( nepenthesdev at users.sourceforge.net ) - Markus Koetter ( nepenthesdev at users.sourceforge.net ) - Georg Wicherski ( georg-wicherski at pixel-house.net ) - Georg Wicherski ( georg-wicherski at pixel-house.net ) nepenthesdev at gmail.com nepenthesdev at gmail.com

22 Nepenthes Websites – Nepenthes Homepage – Nepenthes Homepage

23 Useful Articles "Medium Interaction Honeypots" by Wicherski in April 2006 which includes a lot of information on Nepenthes - "Medium Interaction Honeypots" by Wicherski in April 2006 which includes a lot of information on Nepenthes - “Using Nepenthes Honeypots to Detect Common Malware” by Jamie Riden in November 2006 at SecurityFocus.com “Using Nepenthes Honeypots to Detect Common Malware” by Jamie Riden in November 2006 at SecurityFocus.com


Download ppt "Setting Up And Running A Honeypot - Nepenthes Brian Allen (ballen at wustl.edu) Network Security Analyst Washington University in St. Louis."

Similar presentations


Ads by Google