Setting Up And Running A Honeypot - Nepenthes

Brian Allen (ballen at wustl.edu)
Network Security Analyst
Washington University in St. Louis

Nepenthes

Q: What is a Honeypot?

A: Generally a computer that appears to be legitimate, but in reality is a trap for malware and hackers

There should be no legit traffic to the honeypot, so any traffic it sees is immediately suspicious

A darknet is similar, but on a much bigger scale, say an entire /24 subnet

Different Types of Honeypots

Low Interaction: This type runs virtual hosts and services. Collects info in logs. Example: Honeyd

Medium Interaction: Similar to LI, but will interact with the malware and download the binary for analysis. Ex: Nepenthes

High Interaction: A honeypot or honeynet that will allow hackers to actually compromise it while the admin monitors their moves. Ex: Sebek

Nepenthes Brief History

Georg Wicherski originally wrote a tool called mwcollect while Paul Baecher and Markus Koetter were working on Nepenthes

Mwcollect was merged into Nepenthes in February 2006

Nepenthes 0.2.0 was released on November 13, 2006

How Nepenthes Works

Vulnerability Modules – emulate various services which look ripe for compromise to an attacker (lsass, dcom, veritas, dameware, etc)

Shellcode Handlers and Emulators – allow Nepenthes to interact with the malware

Download Modules – will download the binary (http, ftp, curl, etc)

Submission Modules – will submit the binary for analysis (Norman, CWSandbox, postgres, etc)

Page 7: Setting Up And Running A Honeypot - Nepenthes Brian Allen (ballen at wustl.edu) Network Security Analyst Washington University in St. Louis

To Compile Nepenthes On CentOSTo Compile Nepenthes On CentOS

# ./configure# ./configure --prefix=/usr/local/nepenthes--prefix=/usr/local/nepenthes --enable-capabilities--enable-capabilities --with-cap-lib=/lib/libcap.so--with-cap-lib=/lib/libcap.so --enable-debug-logging--enable-debug-logging --enable-pcap--enable-pcap --with-pcap-lib=/usr/lib/libpcap.so--with-pcap-lib=/usr/lib/libpcap.so# make; # make install# make; # make install

Page 8: Setting Up And Running A Honeypot - Nepenthes Brian Allen (ballen at wustl.edu) Network Security Analyst Washington University in St. Louis

How To Start NepenthesHow To Start Nepenthes

To start Nepenthes on the command line:To start Nepenthes on the command line: /usr/local/nepenthes/bin/nepenthes -u /usr/local/nepenthes/bin/nepenthes -u

nepenthes -g nepenthes -r nepenthes -g nepenthes -r /usr/local/nepenthes -C &/usr/local/nepenthes -C &

-u run as user “nepenthes”-u run as user “nepenthes” -g run as group “nepenthes”-g run as group “nepenthes” -r chroot to the /usr/local/nepenthes dir-r chroot to the /usr/local/nepenthes dir -C run as non-root, but keep kernel -C run as non-root, but keep kernel

capabilitiescapabilities

Page 9: Setting Up And Running A Honeypot - Nepenthes Brian Allen (ballen at wustl.edu) Network Security Analyst Washington University in St. Louis

Using NepenthesUsing Nepenthes Nepenthes runs on a large number of TCP/IP ports:Nepenthes runs on a large number of TCP/IP ports: # lsof -i -P | egrep nep | sort -t: -n -k 2,2# lsof -i -P | egrep nep | sort -t: -n -k 2,2 nepenthes 328 nepenthes 17u IPv4 71388 TCP *:21 (LISTEN)nepenthes 328 nepenthes 17u IPv4 71388 TCP *:21 (LISTEN) nepenthes 328 nepenthes 33u IPv4 71404 TCP *:42 (LISTEN)nepenthes 328 nepenthes 33u IPv4 71404 TCP *:42 (LISTEN) nepenthes 328 nepenthes 34u IPv4 71405 TCP *:80 (LISTEN)nepenthes 328 nepenthes 34u IPv4 71405 TCP *:80 (LISTEN) nepenthes 328 nepenthes 6u IPv4 71377 TCP *:110 (LISTEN)nepenthes 328 nepenthes 6u IPv4 71377 TCP *:110 (LISTEN) nepenthes 328 nepenthes 14u IPv4 71385 TCP *:135 (LISTEN)nepenthes 328 nepenthes 14u IPv4 71385 TCP *:135 (LISTEN) nepenthes 328 nepenthes 26u IPv4 71397 TCP *:139 (LISTEN)nepenthes 328 nepenthes 26u IPv4 71397 TCP *:139 (LISTEN) nepenthes 328 nepenthes 7u IPv4 71378 TCP *:143 (LISTEN)nepenthes 328 nepenthes 7u IPv4 71378 TCP *:143 (LISTEN) nepenthes 328 nepenthes 8u IPv4 71379 TCP *:220 (LISTEN)nepenthes 328 nepenthes 8u IPv4 71379 TCP *:220 (LISTEN) nepenthes 328 nepenthes 18u IPv4 71389 TCP *:443 (LISTEN)nepenthes 328 nepenthes 18u IPv4 71389 TCP *:443 (LISTEN) nepenthes 328 nepenthes 15u IPv4 71386 TCP *:445 (LISTEN)nepenthes 328 nepenthes 15u IPv4 71386 TCP *:445 (LISTEN) nepenthes 328 nepenthes 9u IPv4 71380 TCP *:465 (LISTEN)nepenthes 328 nepenthes 9u IPv4 71380 TCP *:465 (LISTEN) nepenthes 328 nepenthes 10u IPv4 71381 TCP *:993 (LISTEN)nepenthes 328 nepenthes 10u IPv4 71381 TCP *:993 (LISTEN) nepenthes 328 nepenthes 11u IPv4 71382 TCP *:995 (LISTEN)nepenthes 328 nepenthes 11u IPv4 71382 TCP *:995 (LISTEN) ……

Page 10: Setting Up And Running A Honeypot - Nepenthes Brian Allen (ballen at wustl.edu) Network Security Analyst Washington University in St. Louis

Note: If The Port is Already In UseNote: If The Port is Already In Use

Then Nepenthes can't use it. For example if you Then Nepenthes can't use it. For example if you are running a service on port 2745, then are running a service on port 2745, then nepenthes can't load a module for that port. In nepenthes can't load a module for that port. In this case vuln-bagle.conf listens on port 2745:this case vuln-bagle.conf listens on port 2745:

[ crit net handler ] Could not Bind Socket to Port [ crit net handler ] Could not Bind Socket to Port 27452745

Address already in useAddress already in use [ crit net handler ] ERROR Could not init Socket [ crit net handler ] ERROR Could not init Socket

Address already in useAddress already in use [ crit net mgr ] ERROR Binding :2745 failed[ crit net mgr ] ERROR Binding :2745 failed
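A pre-flight check for the port clash the two slides above describe, added here as an example; it is not part of the slides or of Nepenthes itself. It parses lsof -i -P output (a constructed sample, not the listing on the Using Nepenthes slide), reports every vulnerability module whose TCP port is already owned by another process, and also pulls the failed port numbers out of the Nepenthes log lines shown above. The module/port table is an assumption apart from vuln-bagle on 2745, which the slide names; a real check would read the ports from the vuln-*.conf files and the socket list from a live lsof run.

```python
"""Pre-flight port check for a Nepenthes host.

Added example, not part of the slides or of Nepenthes itself. Before
starting the honeypot, compare the ports its vulnerability modules want
with the TCP ports already bound on the box, so a clash such as the
vuln-bagle / port 2745 case surfaces before the module fails to load.
After the fact, the same script pulls the failed ports out of the
Nepenthes log lines shown on the slide.
"""
import re

# Constructed module -> port table. Nepenthes takes the real values from
# its vuln-*.conf files; the slides name only vuln-bagle on 2745, the other
# two entries are assumptions used for illustration.
MODULE_PORTS = {
    "vuln-bagle": 2745,
    "vuln-dcom": 135,
    "vuln-lsass": 445,
}

# Constructed `lsof -i -P -n` output: a management daemon already owns 2745.
LSOF_SAMPLE = """\
COMMAND  PID   USER   FD   TYPE DEVICE SIZE NODE NAME
sshd     612   root    3u  IPv4   9012       TCP *:22 (LISTEN)
httpd    904 apache    4u  IPv4  10234       TCP *:80 (LISTEN)
mgmtd   1120   root    5u  IPv4  11001       TCP *:2745 (LISTEN)
mgmtd   1120   root    6u  IPv4  11002       UDP *:2745
"""

# Log lines copied from the slide (what Nepenthes prints on a clash).
NEPENTHES_LOG = """\
[ crit net handler ] Could not Bind Socket to Port 2745
Address already in use
[ crit net handler ] ERROR Could not init Socket
Address already in use
[ crit net mgr ] ERROR Binding :2745 failed
"""

# One lsof row: command, pid, ..., "TCP <addr>:<port> (LISTEN)".
LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+\d+\s+.*\bTCP\s+\S+:(?P<port>\d+)\s+\(LISTEN\)"
)
BIND_FAIL_RE = re.compile(r"\[ crit net mgr \] ERROR Binding :(\d+) failed")


def listening_tcp_ports(lsof_text):
    """Map each TCP port in LISTEN state to the command that owns it."""
    owners = {}
    for line in lsof_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            owners[int(m.group("port"))] = m.group("cmd")
    return owners


def port_conflicts(module_ports, lsof_text):
    """(module, port, owning command) for every module whose port is taken."""
    owners = listening_tcp_ports(lsof_text)
    return [
        (module, port, owners[port])
        for module, port in sorted(module_ports.items())
        if port in owners
    ]


def failed_binds(log_text):
    """Ports that Nepenthes itself reported it could not bind."""
    return sorted({int(p) for p in BIND_FAIL_RE.findall(log_text)})


if __name__ == "__main__":
    for module, port, owner in port_conflicts(MODULE_PORTS, LSOF_SAMPLE):
        print(f"{module}: port {port} already held by {owner}")
    print("ports Nepenthes failed to bind:", failed_binds(NEPENTHES_LOG))
```

On the constructed sample the check flags vuln-bagle against the daemon on 2745 and ignores sshd on 22 and httpd on 80, which no module in the table wants; the UDP row is skipped because Nepenthes binds TCP listeners. Run the check before starting the daemon, or feed it the nepenthes log afterwards to list exactly which modules never came up.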

Malware Analysis Sites

Norman sandbox - http://sandbox.norman.no/live_4.html

CWSandbox - http://luigi.informatik.uni-mannheim.de/submit.php?action=verify (there is a hyphen after uni)

Virus total - http://www.virustotal.com/en/indexf.html

Norman Sandbox Report I

nepenthes-6a036697ebe5068ffbb3a4f3690fb606-setup_83117.exe : W32/Malware (Signature: NO_VIRUS)

[ General information ]
 * Anti debug/emulation code present.
 * Locates window "Unreal3.2 Modded By LyR [class NULL]" on desktop.
 * Locates window "NULL [class mIRC]" on desktop.
 * File length: 65963 bytes.
 * MD5 hash: 6a036697ebe5068ffbb3a4f3690fb606.

Norman Sandbox Report II

[ Changes to filesystem ]
 * Creates file C:\WINDOWS\smss.exe.
 * Deletes file c:\sample.exe.

Norman Sandbox Report III

[ Changes to registry ]
 * Creates key "HKLM\Software\\Microsoft\\Windows".
 * Sets value "h8d6v1d2n8d1"="c:\sample.exe" in key "HKLM\Software\\Microsoft\\Windows".
 * Deletes value "h8d6v1d2n8d1" in key "HKLM\Software\\Microsoft\\Windows".
 * Sets value "u8l9n89x4u3"="3/6/2006, 1:20 PM" in key "HKLM\Software\\Microsoft\\Windows".
 * Sets value "WaitToKillTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".

Norman Sandbox Report IV

[ Network services ]
 * Looks for an Internet connection.
 * Connects to "mail2.TIKTIKZ.COM" on port 9632 (TCP).
 * Connects to IRC Server.
 * IRC: Uses nickname [||106824802].
 * IRC: Uses username XP-5094.
 * Opens URL: http://www.proxy.us.pl/azenv.php.
 * Opens URL: http://www.nassc.com/pr.php.
 * Opens URL: http://69.59.137.236/cgi/prxjdg.cgi.
 * IRC: Sets the usermode for user [||106824802] to .
 * IRC: Joins channel #oo# with password m00.
 * Connects to "mail2.TIKTIKZ.COM" on port 7412 (TCP).

Norman Sandbox Report V

[ Process/window information ]
 * Creates service "Windows NT Session Managers (Windows NT Session Managers)" as ""C:\WINDOWS\smss.exe"".
 * Attempts to access service "Windows NT Session Managers".
 * Creates a mutex h8d6v1d2n8d1.

(C) 2004-2006 Norman ASA. All Rights Reserved.
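The five report slides above are the kind of output a submission module hands back for every binary Nepenthes collects, and the useful part for a network security analyst is the handful of indicators inside them. The parser below is an added example, not part of the slides or of the Norman service: it takes the report text from the slides (reflowed so that each finding sits on one line, as the sandbox prints it) and pulls out the hash, dropped and deleted files, registry values, the service, the mutex, the IRC channel, and every host or URL the sample contacted, so the persistence artefacts can be checked on hosts and the hosts can go into egress block rules. The regexes match the wording on these slides; other report lines simply fall through.

```python
"""Turn a Norman Sandbox report into a list of indicators.

Added example, not part of the slides or of the Norman service. REPORT is
the text from the slides reflowed to one finding per line. The parser
keeps the findings a defender acts on: dropped files, persistence keys and
services, the mutex, and every host or URL the sample contacted.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

REPORT = r"""
[ General information ]
 * Anti debug/emulation code present.
 * File length: 65963 bytes.
 * MD5 hash: 6a036697ebe5068ffbb3a4f3690fb606.
[ Changes to filesystem ]
 * Creates file C:\WINDOWS\smss.exe.
 * Deletes file c:\sample.exe.
[ Changes to registry ]
 * Sets value "h8d6v1d2n8d1"="c:\sample.exe" in key "HKLM\Software\\Microsoft\\Windows".
 * Sets value "WaitToKillTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".
[ Network services ]
 * Connects to "mail2.TIKTIKZ.COM" on port 9632 (TCP).
 * Connects to IRC Server.
 * IRC: Uses nickname [||106824802].
 * Opens URL: http://www.proxy.us.pl/azenv.php.
 * Opens URL: http://www.nassc.com/pr.php.
 * Opens URL: http://69.59.137.236/cgi/prxjdg.cgi.
 * IRC: Joins channel #oo# with password m00.
 * Connects to "mail2.TIKTIKZ.COM" on port 7412 (TCP).
[ Process/window information ]
 * Creates service "Windows NT Session Managers (Windows NT Session Managers)" as ""C:\WINDOWS\smss.exe"".
 * Creates a mutex h8d6v1d2n8d1.
"""

# One pattern per finding type, matched against the text after the "* ".
PATTERNS = {
    "md5": re.compile(r"MD5 hash: ([0-9a-f]{32})\.$"),
    "file_created": re.compile(r"Creates file (.+?)\.$"),
    "file_deleted": re.compile(r"Deletes file (.+?)\.$"),
    "registry_set": re.compile(r'Sets value "(.+?)"="(.*?)" in key "(.+?)"\.$'),
    "connect": re.compile(r'Connects to "(.+?)" on port (\d+) \((TCP|UDP)\)\.$'),
    "url": re.compile(r"Opens URL: (\S+?)\.?$"),
    "irc_join": re.compile(r"IRC: Joins channel (\S+) with password (\S+)\.$"),
    "service": re.compile(r'Creates service "(.+?)" as "+(.+?)"+\.$'),
    "mutex": re.compile(r"Creates a mutex (\S+)\.$"),
}


def parse_report(text):
    """Group every recognised finding under its indicator type."""
    found = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("*"):
            continue  # section headers and blank lines
        item = line.lstrip("* ").strip()
        for kind, pattern in PATTERNS.items():
            m = pattern.match(item)
            if not m:
                continue
            if kind == "registry_set":
                name, value, key = m.groups()
                # Norman doubles the backslashes inside key paths; collapse them.
                found[kind].append((name, value, key.replace("\\\\", "\\")))
            elif kind == "connect":
                host, port, proto = m.groups()
                found[kind].append((host, int(port), proto))
            elif len(m.groups()) == 1:
                found[kind].append(m.group(1))
            else:
                found[kind].append(m.groups())
            break
    return dict(found)


def persistence(parsed):
    """Artefacts to look for on a suspect host: files, registry values, services."""
    items = [f"file {p}" for p in parsed.get("file_created", [])]
    items += [f"registry {key}\\{name}" for name, _v, key in parsed.get("registry_set", [])]
    items += [f"service {name} -> {path}" for name, path in parsed.get("service", [])]
    return items


def network_blocklist(parsed):
    """Every host name or address the sample talked to, for egress rules."""
    names = {host for host, _port, _proto in parsed.get("connect", [])}
    names.update(urlparse(u).hostname for u in parsed.get("url", []))
    return sorted(names)


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    print("md5:", parsed["md5"][0])
    for entry in persistence(parsed):
        print("persistence:", entry)
    print("block:", ", ".join(network_blocklist(parsed)))
```

The split between persistence and network indicators mirrors how the two lists get used: the first is a host-side checklist (the smss.exe dropped outside System32, the two registry values, the bogus "Windows NT Session Managers" service and the mutex), the second is a list of names to block or alert on at the border; the IRC nickname and usermode lines are deliberately left unparsed because they change per infection and make poor indicators.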

Homework I

Run Snort & Tcpdump with Nepenthes

This will allow an admin to analyze more in depth what the attackers are trying to do to the machine, in addition to what is stored in the Nepenthes logs

Homework II

HoneyTrap Module (Or set up Argus)

What if malware tries to infect a computer on a different port? The HoneyTrap Module will detect this and allow the malware to “talk” to this port even though it isn’t really open

This is a new feature in version 0.2.0, and it is based on honeytrap.sf.net by Werner Tillmann

Nepenthes at WUSTL Since 6/06

Collected 34 unique binaries

Found 1728+ unique IP addresses which scanned the honeypot

Found 101 different WUSTL IP addresses which scanned the honeypot

What To Do With This Data?

Contact me

Nepenthes Development Team

- Paul Baecher ( nepenthesdev at users.sourceforge.net )

- Markus Koetter ( nepenthesdev at users.sourceforge.net )

- Georg Wicherski ( georg-wicherski at pixel-house.net )

nepenthesdev at gmail.com

Nepenthes Websites

http://nepenthes.mwcollect.org – Nepenthes Homepage

http://sourceforge.net/projects/nepenthes

Useful Articles

"Medium Interaction Honeypots" by Wicherski in April 2006, which includes a lot of information on Nepenthes - http://www.pixel-house.net/midinthp.pdf

“Using Nepenthes Honeypots to Detect Common Malware” by Jamie Riden in November 2006 at SecurityFocus.com - http://www.securityfocus.com/infocus/1880