1 / 23

Setting Up And Running A Honeypot - Nepenthes

Setting Up And Running A Honeypot - Nepenthes . Brian Allen (ballen at wustl.edu) Network Security Analyst Washington University in St. Louis. Nepenthes. Q: What is a Honeypot ?. A: Generally a computer that appears to be legitimate, but in reality is a trap for malware and hackers

dacey
Download Presentation

Setting Up And Running A Honeypot - Nepenthes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Setting Up And Running A Honeypot - Nepenthes Brian Allen (ballen at wustl.edu) Network Security Analyst Washington University in St. Louis

  2. Nepenthes

  3. Q: What is a Honeypot? • A: Generally a computer that appears to be legitimate, but in reality is a trap for malware and hackers • There should be no legit traffic to the honeypot, so any traffic it sees is immediately suspicious • A darknet is similar, but on a much bigger scale, say an entire /24 subnet

  4. Different Types of Honeypots • Low Interaction: This type runs virtual hosts and services. Collects info in logs. Example: Honeyd • Medium Interaction: Similar to LI, but will interact with the malware and download the binary for analysis. Ex: Nepenthes • High Interaction: A honeypot or honeynet that will allow hackers to actually compromise it while the admin monitors his moves. Ex: Sebek

  5. Nepenthes Brief History • Georg Wicherski originally wrote a tool called mwcollect while Paul Baecher and Markus Koetter were working on Nepenthes • Mwcollect was merged into Nepenthes in February 2006 • Nepenthes 0.2.0 was released on November 13, 2006

  6. How Nepenthes Works • Vulnerability Modules – emulates various services which look ripe for compromise to an attacker (lsass, dcom, veritas, dameware, etc) • Shellcode Handlers and Emulators – allows Nepenthes to interact with the malware • Download Modules – will download the binary (http, ftp, curl, etc) • Submission Modules – will submit the binary for analysis (Norman, CWSandbox, postgres, etc)

  7. To Compile Nepenthes On CentOS • # ./configure • --prefix=/usr/local/nepenthes • --enable-capabilities • --with-cap-lib=/lib/libcap.so • --enable-debug-logging • --enable-pcap • --with-pcap-lib=/usr/lib/libpcap.so • # make; # make install

  8. How To Start Nepenthes • To start Nepenthes on the command line: • /usr/local/nepenthes/bin/nepenthes -u nepenthes -g nepenthes -r /usr/local/nepenthes -C & • -u run as user “nepenthes” • -g run as group “nepenthes” • -r chroot to the /usr/local/nepenthes dir • -C run as non-root, but keep kernel capabilities

  9. Using Nepenthes • Nepenthes runs on a large number of TCP/IP ports: • # lsof -i -P | egrep nep | sort -t: -n -k 2,2 • nepenthes 328 nepenthes 17u IPv4 71388 TCP *:21 (LISTEN) • nepenthes 328 nepenthes 33u IPv4 71404 TCP *:42 (LISTEN) • nepenthes 328 nepenthes 34u IPv4 71405 TCP *:80 (LISTEN) • nepenthes 328 nepenthes 6u IPv4 71377 TCP *:110 (LISTEN) • nepenthes 328 nepenthes 14u IPv4 71385 TCP *:135 (LISTEN) • nepenthes 328 nepenthes 26u IPv4 71397 TCP *:139 (LISTEN) • nepenthes 328 nepenthes 7u IPv4 71378 TCP *:143 (LISTEN) • nepenthes 328 nepenthes 8u IPv4 71379 TCP *:220 (LISTEN) • nepenthes 328 nepenthes 18u IPv4 71389 TCP *:443 (LISTEN) • nepenthes 328 nepenthes 15u IPv4 71386 TCP *:445 (LISTEN) • nepenthes 328 nepenthes 9u IPv4 71380 TCP *:465 (LISTEN) • nepenthes 328 nepenthes 10u IPv4 71381 TCP *:993 (LISTEN) • nepenthes 328 nepenthes 11u IPv4 71382 TCP *:995 (LISTEN) • …

  10. Note: If The Port is Already In Use • Then Nepenthes can't use it. For example if you are running a service on port 2745, then nepenthes can't load a module for that port. In this case vuln-bagle.conf listens on port 2745: • [ crit net handler ] Could not Bind Socket to Port 2745 • Address already in use • [ crit net handler ] ERROR Could not init Socket Address already in use • [ crit net mgr ] ERROR Binding :2745 failed

  11. Malware Analysis Sites • Norman sandbox - http://sandbox.norman.no/live_4.html • CWSandbox - http://luigi.informatik.uni-mannheim.de/submit.php?action=verify(There is a – after uni) • Virus total - http://www.virustotal.com/en/indexf.html

  12. Norman Sandbox Report I • nepenthes-6a036697ebe5068ffbb3a4f3690fb606-setup_83117.exe : W32/Malware (Signature: NO_VIRUS) • [ General information ] • * Anti debug/emulation code present. • * **Locates window "Unreal3.2 Modded By LyR [class NULL]" on desktop. • * **Locates window "NULL [class mIRC]" on desktop. • * File length: 65963 bytes. • * MD5 hash: 6a036697ebe5068ffbb3a4f3690fb606.

  13. Norman Sandbox Report II • [ Changes to filesystem ] • * Creates file C:\WINDOWS\smss.exe. • * Deletes file c:\sample.exe.

  14. Norman Sandbox Report III • [ Changes to registry ] • * Creates key "HKLM\Software\\Microsoft\\Windows". • * Sets value "h8d6v1d2n8d1"="c:\sample.exe" in key "HKLM\Software\\Microsoft\\Windows". • * Deletes value "h8d6v1d2n8d1" in key "HKLM\Software\\Microsoft\\Windows". • * Sets value "u8l9n89x4u3"="3/6/2006, 1:20 PM" in key "HKLM\Software\\Microsoft\\Windows". • * Sets value "WaitToKillTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".

  15. Norman Sandbox Report IV • [ Network services ] • * Looks for an Internet connection. • * Connects to "mail2.TIKTIKZ.COM" on port 9632 (TCP). • * Connects to IRC Server. • * IRC: Uses nickname [||106824802]. • * IRC: Uses username XP-5094. • * Opens URL: http://www.proxy.us.pl/azenv.php. • * Opens URL: http://www.nassc.com/pr.php. • * Opens URL: http://69.59.137.236/cgi/prxjdg.cgi. • * IRC: Sets the usermode for user [||106824802] to . • * IRC: Joins channel #oo# with password m00. • * Connects to "mail2.TIKTIKZ.COM" on port 7412 (TCP).

  16. Norman Sandbox Report V • [ Process/window information ] • * Creates service "Windows NT Session Managers (Windows NT Session Managers)" as ""C:\WINDOWS\smss.exe"". • * Attempts to access service "Windows NT Session Managers". • * Creates a mutex h8d6v1d2n8d1. • (C) 2004-2006 Norman ASA. All Rights Reserved.

  17. Homework I • Run Snort & Tcpdump with Nepenthes • This will allow an admin to analyze more in depth what the attackers are trying to do to the machine in addition to what is stored in nepenthes logs

  18. Homework II • HoneyTrap Module (Or set up Argus) • What if malware tries to infect a computer on different port? • The HoneyTrap Module will detect this and allow the malware to “talk” to this port even though it isn’t really open • This is a new feature in version 0.2.0, and it is based on honeytrap.sf.net by Werner Tillmann

  19. Nepenthes at WUSTL Since 6/06 • Collected 34 unique binaries • Found 1728+ unique IP addresses which scanned the honeypot • Found 101 different WUSTL IP addresses which scanned the honeypot

  20. What To Do With This Data? • Contact me

  21. Nepenthes Development Team • - Paul Baecher ( nepenthesdev at users.sourceforge.net ) • - Markus Koetter ( nepenthesdev at users.sourceforge.net ) • - Georg Wicherski ( georg-wicherski at pixel-house.net ) • nepenthesdev at gmail.com

  22. Nepenthes Websites • http://nepenthes.mwcollect.org – Nepenthes Homepage • http://sourceforge.net/projects/nepenthes

  23. Useful Articles • "Medium Interaction Honeypots" by Wicherski in April 2006 which includes a lot of information on Nepenthes - http://www.pixel-house.net/midinthp.pdf • “Using Nepenthes Honeypots to Detect Common Malware” by Jamie Riden in November 2006 at SecurityFocus.com http://www.securityfocus.com/infocus/1880

More Related