ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics
Group 13 + Group 14: Allen Brewer, Jiayue (Simon) Chen, Daniel Chu, Chinmay Patel

2 Background: Honeypot
- Definition used in the lab: a system whose value lies in being probed, attacked, or otherwise taken advantage of by a blackhat.
- It has no production purpose, so any contact with it is suspect; it alerts the operator that an attacker has attempted to use the system.
- Two types:
  - Production honeypots: alert the operator to an attack
  - Research honeypots: track the attacker's actions in detail

3 Background: Intrusion Detection System (IDS)
- Monitors traffic for suspicious activity
- Alerts the network administrator
- May also respond to malicious traffic by blocking the user or source IP address from the network (strictly an intrusion prevention function)

4 Section 1: BackOfficerFriendly (BOF)
- A small Windows honeypot known for its ability to attract and trap hackers: it listens on commonly attacked ports and answers with fake services
- Exercise: attempted a telnet connection from the Red Hat 4.0 machine to the Windows machine running BOF
- Outcome: BOF logged the source IP address and every username and password attempted
- Why use BOF? To detect attackers early: the fake services give an attacker something to try while every attempt is logged; it does not prevent anything by itself

5 Section 2: Homemade Honeypot using Netcat as a Port Sniffer
- Offers more options than BOF: any port, any canned response, output redirected to a file
- Netcat listened on a port; whatever was sent to it was monitored and stored
- Data was sent from the RH 4.0 machine to the RH 7.2 machine running the listener
- The captured input should be visible in the output file afterwards
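The same idea as the netcat listener, written out as an added example (this is not code from the lab or from netcat): accept a connection, send a fake banner so an interactive attacker types something, and record who connected and every byte they sent without interpreting any of it. The banner text, log format, peer address and the sample input are assumptions made for the example; simulate_probe() runs the handler over a socketpair so it can be exercised without a network.

```python
"""Low-interaction TCP honeypot: log connections, never act on the input.
Added example in the spirit of the Section 2 netcat listener."""
import json
import socket
import threading
from datetime import datetime, timezone

MAX_CAPTURE = 4096           # bytes of client input kept per connection
READ_TIMEOUT = 5.0           # seconds to wait for more input before giving up
FAKE_BANNER = b"login: "     # assumption: a telnet-looking prompt to bait input


def capture_session(conn, peer):
    """Record one connection: who connected, when, and every byte they sent.

    conn is the accepted socket, peer the (ip, port) tuple from accept().
    Nothing the client sends is parsed or executed; it is only logged.
    """
    started = datetime.now(timezone.utc).isoformat()
    conn.settimeout(READ_TIMEOUT)
    chunks, received = [], 0
    try:
        conn.sendall(FAKE_BANNER)
        while received < MAX_CAPTURE:
            data = conn.recv(1024)
            if not data:          # client closed the connection
                break
            chunks.append(data)
            received += len(data)
    except (socket.timeout, OSError):
        pass
    finally:
        conn.close()
    payload = b"".join(chunks)
    return {
        "time": started,
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes": len(payload),
        # latin-1 maps every byte 1:1, so binary probes survive in the log
        "data": payload.decode("latin-1"),
    }


def serve(bind_ip, port, log_path, max_connections=None):
    """Listen like `nc -l -p PORT`, but append one JSON record per connection."""
    handled = 0
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_ip, port))
        srv.listen(5)
        while max_connections is None or handled < max_connections:
            conn, peer = srv.accept()
            record = capture_session(conn, peer)
            with open(log_path, "a") as log:
                log.write(json.dumps(record) + "\n")
            handled += 1
    return handled


def simulate_probe(client_input, peer=("10.0.0.5", 40000)):
    """Exercise capture_session offline over a socketpair (constructed client)."""
    server_side, client_side = socket.socketpair()

    def client():
        client_side.recv(64)              # read the banner
        client_side.sendall(client_input)
        client_side.close()               # EOF ends the capture

    t = threading.Thread(target=client)
    t.start()
    record = capture_session(server_side, peer)
    t.join()
    return record


if __name__ == "__main__":
    print(json.dumps(simulate_probe(b"root\r\npassword\r\n"), indent=2))
```

The capture limit and read timeout are what keep a listener like this from being turned into a disk-filling or connection-exhaustion target by the very attacker it is meant to observe; a bare `nc -l` has neither.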

6 Section 3: Capturing Packets using Ethereal
- Packets observed during a Telnet session: TCP packets to port 23
  - Content: each packet carried a single typed character, so the whole login, password included, is readable in the clear
- Packets observed during an IMAP session: SMB packets
  - Content: the commands sent by the client to imapd

7 Section 4: Set up and use Snort to capture packets
- Snort is similar to Ethereal when used as a capture tool
- Three modes: sniffer, packet logger, network intrusion detection
- How does the -l option organize logged traffic? A directory is created for each IP address, with the packets beneath it separated by protocol and port

8 Section 5: Scan of the Month Challenge
- Challenge: determine the hacker's activity and how it was accomplished
- Hacker's IP: 203.173.144.80
- Hacker's first activity: initializes the backdoor so that it responds only to one specific IP
- Purpose of 'foo': gather email addresses and send them via UDP to a particular host
- How 'foo' will be used: spam, selling the addresses, or creating havoc

9 Section 6: Using Snort to act as an IDS
- Create rules that generate alerts and log suspicious packets
- Rule syntax: ACTION PROTOCOL IP[/mask] PORT -> IP[/mask] PORT (OPTIONS)
- Rule used to detect the imapd-ex attack: alert tcp any any -> 57.35.6.147 143
- Note that this header alone fires on every TCP packet to the honeypot's IMAP port, not just the exploit; options such as msg: (alert text) and content: (payload match) are what tie an alert to a specific attack
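To make the rule syntax above concrete, here is an added example (not Snort's code and not from the lab) that parses the header form shown on the slide plus the msg: and content: options, and runs the rules over constructed packets. The second rule, the packet contents and the addresses other than the lab's 57.35.6.147 are assumptions; real Snort supports many more options and does stream reassembly, which this does not.

```python
"""Minimal matcher for the Snort rule header syntax from Section 6:
ACTION PROTOCOL SRC[/mask] SPORT -> DST[/mask] DPORT (OPTIONS)
Added example; packets are constructed dicts, not captured traffic."""
import ipaddress
import re

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$"
)


def _parse_addr(token):
    """'any' matches everything; otherwise a host or CIDR block (IP[/mask])."""
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def _parse_port(token):
    """'any', a single port, or a Snort-style range 'low:high'."""
    if token == "any":
        return None
    if ":" in token:
        lo, hi = token.split(":", 1)
        return (int(lo or 0), int(hi or 65535))
    return (int(token), int(token))


def _parse_options(text):
    """Turn 'msg:"x"; content:"y";' into {'msg': 'x', 'content': 'y'}.
    Assumes option values do not themselves contain ';'."""
    opts = {}
    for item in filter(None, (s.strip() for s in (text or "").split(";"))):
        key, _, value = item.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    return opts


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule header: %r" % line)
    return {
        "action": m["action"], "proto": m["proto"].lower(),
        "src": _parse_addr(m["src"]), "sport": _parse_port(m["sport"]),
        "dst": _parse_addr(m["dst"]), "dport": _parse_port(m["dport"]),
        "options": _parse_options(m["opts"]),
    }


def _addr_ok(net, addr):
    return net is None or ipaddress.ip_address(addr) in net


def _port_ok(rng, port):
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and payload (bytes)."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])):
        return False
    if not (_addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"])):
        return False
    content = rule["options"].get("content")
    # case-sensitive substring match, like Snort's content: without nocase
    return content is None or content.encode() in pkt["payload"]


def run_rules(rules, packets):
    """One alert line per (packet, rule) hit, in the spirit of Snort's alert file."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule["action"] == "alert" and matches(rule, pkt):
                msg = rule["options"].get("msg", "(no msg)")
                alerts.append("[%s] %s:%d -> %s:%d  %s" % (
                    msg, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], rule["proto"]))
    return alerts


RULES = [
    # the lab's rule, with a msg option added so the alert is readable
    'alert tcp any any -> 57.35.6.147 143 (msg:"imapd-ex attempt against honeypot";)',
    # assumed second rule: telnet into the honeynet with a login prompt in the payload
    'alert tcp any any -> 192.168.1.0/24 23 (msg:"telnet into honeynet"; content:"login";)',
]


def sample_packets():
    """Constructed packets, not captured traffic."""
    return [
        {"proto": "tcp", "src": "203.0.113.9", "sport": 4444, "dst": "57.35.6.147", "dport": 143, "payload": b"a001 LOGIN x y\r\n"},
        {"proto": "tcp", "src": "203.0.113.9", "sport": 4445, "dst": "57.35.6.147", "dport": 25, "payload": b"HELO x\r\n"},
        {"proto": "tcp", "src": "192.168.1.20", "sport": 1025, "dst": "192.168.1.10", "dport": 23, "payload": b"login: "},
        {"proto": "udp", "src": "192.168.1.20", "sport": 1025, "dst": "192.168.1.10", "dport": 23, "payload": b"login: "},
    ]


def demo():
    return run_rules([parse_rule(r) for r in RULES], sample_packets())


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running demo() produces two alerts: the SMTP packet misses because of the port, and the UDP packet misses because the rule's protocol is tcp. The first rule still fires on any IMAP connection to the honeypot, which is exactly the point made on the slide about needing options to narrow a rule to the exploit.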

10 Section 6: Using Snort to act as an IDS
- How to evade detection by Snort?
  - Send packets out of sequence
  - Retransmit different byte ranges of data (overlapping segments), so that a per-packet signature never sees the whole exploit string in one packet
  - Content inspection of packets is expensive, so the sensor can be overloaded with bogus alerts from packets crafted to match its signatures
- Solution: preprocessor modules, e.g. the portscan and stream4 preprocessors (stream4 tracks TCP state and reassembles streams, so rules match the reassembled data rather than individual packets)

11 Section 7: Advanced Uses of Ethereal
- Conducted forensic analysis of real honeynet data: snort-0320@0001.log
- Source IPs: 219.166.103.235, 130.160.86.86, 128.61.252.112
- Target IPs: 192.168.1.10, 192.168.1.20, etc.
- Duration: approximately 8 hours
- Hacker activities:
  - ARP broadcast for a specific internal IP
  - Spoofs this IP
  - Attempts to connect to the corresponding IP with various methods/services: ARP, FTP, HTTP, ICMP (ping), and SNMP

12 Section 7 cont.: snort-0920@0001.log
- Duration: approximately 15 hours
- Hacker activities:
  - ARP broadcast to find legitimate active IPs on the network
  - Attempts to establish an SSH connection
  - HTTP request that executes a command on the web server
  - The script calls the Windows command line to run a TFTP (Trivial FTP) client that retrieves remote files, such as Kill.exe and .ini files, from 199.203.162.200
  - The victim web server copies the files from that server
  - The script performs other operations: deleting, copying, moving files, etc.

13 Section 7 cont.: Security Methods for Prevention
- Limit the number of ARP broadcasts a host may send within a time interval (an ARP sweep of the subnet is how the attacker found live hosts)
- Packets with destination port 80 should only be going to the network's web server; port-80 traffic to any other host is a policy violation worth alerting on
- Secure neighboring routers, our own router, and neighboring subnets, to prevent hackers from compromising a system there and sending ARP broadcasts
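The first two prevention methods are detections as much as controls. As an added example (not from the lab), the code below applies both to a constructed packet stream: a sliding-window count of distinct ARP targets per source MAC, and a policy check that port-80 traffic only goes to the known web server. The window, threshold, MAC addresses, the web server address 192.168.1.10 and the traffic itself are assumptions chosen for the example.

```python
"""Detection logic for the two Section 7 prevention methods.
Added example; the packets are constructed, not honeynet captures."""
from collections import defaultdict, deque

ARP_WINDOW_SECONDS = 10      # assumption: sweep window
ARP_DISTINCT_TARGETS = 16    # assumption: distinct hosts asked for before alerting
WEB_SERVERS = {"192.168.1.10"}   # assumption: the network's only legitimate web server


class ArpSweepDetector:
    """Flag a host that asks 'who-has' for many distinct IPs in a short window."""

    def __init__(self, window=ARP_WINDOW_SECONDS, threshold=ARP_DISTINCT_TARGETS):
        self.window = window
        self.threshold = threshold
        self.seen = defaultdict(deque)   # src_mac -> deque of (ts, target_ip)
        self.alerted = set()             # alert once per source, not once per packet

    def observe(self, ts, src_mac, target_ip):
        q = self.seen[src_mac]
        q.append((ts, target_ip))
        while q and ts - q[0][0] > self.window:   # drop requests outside the window
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) >= self.threshold and src_mac not in self.alerted:
            self.alerted.add(src_mac)
            return "ARP sweep: %s asked for %d hosts within %ds" % (
                src_mac, len(distinct), self.window)
        return None


def check_web_policy(pkt):
    """Port 80 traffic is only expected towards the web server(s)."""
    if pkt["proto"] == "tcp" and pkt["dport"] == 80 and pkt["dst"] not in WEB_SERVERS:
        return "Policy: %s:%d -> %s:80 but %s is not a web server" % (
            pkt["src"], pkt["sport"], pkt["dst"], pkt["dst"])
    return None


def analyse(packets):
    """Run both checks over a time-ordered packet list and return the alerts."""
    detector = ArpSweepDetector()
    alerts = []
    for p in packets:
        if p["proto"] == "arp":
            alert = detector.observe(p["ts"], p["src_mac"], p["target"])
        else:
            alert = check_web_policy(p)
        if alert:
            alerts.append(alert)
    return alerts


def sample_packets():
    """Constructed traffic: a normal host resolving three neighbours, one host
    sweeping 192.168.1.1-30 with ARP, then HTTP to both a web and a non-web host."""
    pkts = [{"ts": 90.0 + i, "proto": "arp", "src_mac": "00:0c:29:11:22:33",
             "target": t} for i, t in enumerate(["192.168.1.1", "192.168.1.10", "192.168.1.20"])]
    for i in range(1, 31):
        pkts.append({"ts": 100.0 + i * 0.2, "proto": "arp",
                     "src_mac": "00:0c:29:aa:bb:cc", "target": "192.168.1.%d" % i})
    pkts.append({"ts": 120.0, "proto": "tcp", "src": "192.168.1.77", "sport": 33000,
                 "dst": "192.168.1.10", "dport": 80})
    pkts.append({"ts": 121.0, "proto": "tcp", "src": "192.168.1.77", "sport": 33001,
                 "dst": "192.168.1.20", "dport": 80})
    return pkts


if __name__ == "__main__":
    for line in analyse(sample_packets()):
        print(line)
```

Counting distinct targets rather than raw request count is deliberate: a busy but legitimate host repeats ARP requests for the same few gateways, whereas a scanner asks for every address once.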

14 Section 8: Introduction to AIDE
- Used AIDE (Advanced Intrusion Detection Environment) to detect system changes
- Creates checksums of files (and records their permissions, ownership, size and timestamps) for later comparison
- Drawback: the baseline database must be created before an attack; a database built on an already compromised system simply records the rootkit as normal
- Where should the clean copy be stored? Somewhere the attacker cannot modify it, such as read-only media
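What AIDE does, reduced to its essentials, as an added example that is not AIDE's own code or the lab's: build a baseline of hashes and metadata, then compare a later walk against it and report added, removed and changed files. The demo() function constructs a throwaway directory tree and replays the two changes the next slides show (a new user line in passwd and a replaced login binary); the file contents, paths and the "sniffer" file are assumptions. The replaced login is the same size as the original and has its timestamp put back, which is why the comparison keys on a content hash and not on mtime alone.

```python
"""File integrity baseline and check in the style of AIDE.
Added example; the filesystem it checks is constructed in demo()."""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Attributes an integrity checker keys on: size, mode, owner, mtime, content hash."""
    st = os.lstat(path)
    rec = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
           "uid": st.st_uid, "gid": st.st_gid, "mtime": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(root):
    """Walk root and record every file, keyed by path relative to root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = file_record(full)
    return db


def compare(baseline, current):
    """Report added, removed and changed paths; changed lists the differing attributes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[path] if baseline[path][k] != current[path].get(k)]
        if diffs:
            changed[path] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(db, path):
    """Write the database; in practice this copy belongs on read-only media."""
    with open(path, "w") as f:
        json.dump(db, f, sort_keys=True, indent=1)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed tree: baseline it, then simulate the lab's changes and re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        login = os.path.join(root, "bin", "login")
        passwd = os.path.join(root, "etc", "passwd")
        with open(login, "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/bin/real-login\n")
        with open(passwd, "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root)          # must be taken BEFORE the compromise

        # 1. new user: passwd grows by one line (size and hash change)
        with open(passwd, "ab") as f:
            f.write(b"hax:x:0:0::/:/bin/sh\n")
        # 2. trojaned login of the same size, with the original mtime restored,
        #    so only the content hash reveals the replacement
        st = os.stat(login)
        with open(login, "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/bin/evil-login\n")
        os.utime(login, (st.st_atime, st.st_mtime))
        # 3. a file that was not in the baseline at all (assumed name)
        with open(os.path.join(root, "bin", "sniffer"), "wb") as f:
            f.write(b"constructed placeholder, not a real binary\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report for bin/login lists only sha256 as changed, which is the case a timestamp-only check would miss; an attacker who can write the file can also reset its mtime, but cannot make different content hash the same.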

15 Section 8 cont.: aide --check after adding a new user (screenshot of the report; not reproduced in the transcript)

16 Section 8 cont.: Overwriting /bin/login with the lrk4 (Linux Rootkit 4) login file (screenshot of the report; not reproduced in the transcript)

17 Section 9: Snare for Windows
- System iNtrusion Analysis & Reporting Environment
- Lets us view specific details of system events from the Windows event log
- How is Snare useful for our purposes? It forwards host event logs to a remote collector, so a record of what happened on the victim survives even if the local logs are later wiped
- What's the benefit in having remote control functionality?

18 Section 10: Forensics Investigation with the Penguin Sleuth Kit
- Bootable Linux distribution based on KNOPPIX
- Used for "post-mortem" forensic investigation: booting from the CD means nothing on the suspect disk is written to during the examination
- Autopsy (the browser front end to The Sleuth Kit) is used to analyze the hard drive image
- Generates a timeline of what happened on the system
- Is there a Windows alternative?

19 Questions?
