www.kaminpod.com
2
Honeypot .
Honeypot .
.
( )IDS
.
IDS . .
. Honeypot
.
Honeypot :
.
Firewall IPS .
Honeypot
.
Honeypot .
Honeypot 0555 .
Honeypot
. Honeypot
. Honeypot .
Honeypot .
Honeypot :
Honeypot
.
Honeypot
. .
.
.
Honeypot .
Honeypot
.
Honeypot .
Honeypot
.
.
.
Honeypot .
( Honeytoken )
.
. Honeypot
.
Honeypot .
.
.
Honeypot .
Honeypot HoneyNET
. Honeypot
HoneyNet HoneyNet .
. HoneyNet
Honeypot
.
Honeypot
Honeypot .
Honeypot
.
Honeypot
.
Honeypot .
Honeypot .
.
.
.
Honeypot
Honeypot
. Honeypot
.
Honeypot .
.
Honeypot
.
.
Honeypot .
.
Honeypot
.
.
Honeypot .
IPsec SSH SSL
Honeypot .
Honeypot
Honeypot
.
Honeypot Honeypot .
.
Honeypot
:
.
Honeypot .
Honeypot .
IP .
www.certcc.ir :
Honeypot
. Honeypot
.
(Interaction)
. Interaction
Honeypot .
.
.
Honeypot
.
Honeypot
. Honeypot BackOfficer Friendly Honeypot
.
Honeypot
. Honeypot
.
Administrator .
Honeypot
. Honeypot Specter
. Honeypot 31
31 .
Honeypot
Honeypot .
.
toolkit
.
.
Honeypot
.
Specter HoneyD
KFSensor . Honeypot
HoneyD .
- HoneyD Honeypot :
HoneyD 2552
HoneyD .
. Honeypot
.
.
HoneyD Honeypot
. .
IP HoneyD
.
HoneyD Honeypot .
Honeypot
IP .
fingerprinting Nmap Xprobe
HoneyD IP .
HoneyD IP
HoneyD . IP Honeypot
IP
. HoneyD IP
.
HoneyD .
Honeypot Honeypot
Honeypot .
. .
. Honeypot
.
rootkit
.
.
Honeypot
.
Honeypot
IP
IPv6 IPv4 .
. .
Honeypot
Honeypot
. Honeypot .
Honeypot .
.
Honeypot
.
Solaris . Solaris
.
Honeypot .
.
.
Honeypot .
Honeypot Honeypot
Honeypot
. .
Honeypot Honeypot
:
Honeypot ( )
:
.
:
.
: Honeypot
.
Honeypot
( )
( )
:
.
.
Honeypot
. Honeypot
.
LinT HinT
MinT .
vaya co. 2
LinT
.
LinT
HinT
.
www.certcc.ir :
Honeypot
. Honeypot
.
Honeypot
.
. -
Honeypot
. Honeypot -
Honeypot .
Honeypot
.
:
.
.
.
.
.
.
.
Honeypot .
.
Honeypot IP
.
.
TCP .
LaBrea Tarpit .
.
.
Honeypot
. .
.
. .
.
Honeypot . Honeypot
Deception Toolkit .
.
.
.
.
.
.
.
.
IPv6 .
.
.
Honeypot .
.
.
. .
. Mail Server
.
.
.
.
(
)
.
.
.
.
Honeypot .
.
.
Honeypot .
Honeypot
Honeypot
.
.
.
.
.
Honeypot
.
www.certcc.ir :
.
Honeypot .
.
Honeypot
.
Honeypot :
-3
.
.
.
.
Honeypot :
( )
Snort
Ethereal
-2
.
.
Honeypot .
Sebek Honeypot
UDP
Sebek .
.
.
Sebek
-1 Gateway
Gateway
. Gateway
.
Sebek .
Gateway
.
Gateway . Gateway
.
www.certcc.ir :
.
Honeypot
.
.
.
. .
.
.
-3
Honeypot .
.
.
.
FTP .
Honeypot
FTP.
IDS -2
Snort
.
IDS : IDS
ASCII
ASCII payload .
Snort
Snort
.
.
IRC
privmsg.pl .
IRC Max Vision IRC . Internet
Relay Chat
IRC Honeypot
.
-1
Honeypot
Honeypot ( syslog ) .
.
reboot
.
Honeypot
Honeypot
.
IDS .
-1
(Forensics)
.
.
. Honeypot
.
NetCat .
NetCat .
-0
. Honeypot
.
.
. icat
. unrm
.
www.certcc.ir :
.
.
-3
.
.
-2
.
.
.
.
Honeypot .
. Honeypot
.
.
.
. WIPE
.
.
-1
.
LAN .
. (
DSL
) .
.
Honeypot
-2
Honeypot
Snort . Ethereal
. Ethereal Snort
.
Snort
Snort .
Snort Snort .
.
www.certcc.ir :
HoneyD
.
HoneyD .
HoneyD .
2550
Command
.
3131
HoneyD
HoneyD .
Edith Cowan
.
:
... .
. ( HoneyD )
.
.
.
:
HoneyD
:
.
.
(Brenton, n.d.; Klug, 2000; Spitzer, 2002).
( .
).
.
HoneyD
HoneyD 2552
. (Open Source)
.
HoneyD HoneyD .
155 IP Base
.
( Specter ) HoneyD
IP .
IP IP
HoneyD IP
.
:
. .
-2
( HoneyD Honeypot
Open Source) HoneyD . ( 155
) Honeynet .
HoneyD
. Honeypot
HoneyD
HoneyD ( Nmap ) ( )3113
. ( %05 )
Honeypot
. .
-1
HoneyD
.
. 25
.
( )2 :
.
( )SCIS Edith
Perth Cowan .
.
.
.
-1
Honeynet .
.
Honeynet
.
.
.
.
.
-2 Log
Log
.
Log
. :
:6
6
Log .
.
.
Log .
.
( ) Open Source
. .
. Log
. Log .
Log
Honeynet HoneyD
.
.
-5
.
Honeynet
.
-6
.
.
1 0 6
Honeynet .
. .
Log
. 1 0 6
.
Honeynet
.
:Honeypot
Honeypot . 2
Honeypot Sniffer
.
( )1
3 ( )NetSec 1.8
. .
sniff (Domain Collision)
Sniffing .
.
.
( )2 honeypot
Honeynet
. HoneyD IP
Honeynet . 1
HoneyD .
( )1
HoneyD IP .
( )10.11.68.0.24,10.11.0/24 Cisco
. 2 IP
HoneyD :
( )1 IP
10.11.69.0/24 10.11.69.2
. :
Windows 2000 ProfessionalServer Aix 3.2 Server
Solaris 2.3-2.4 10.11.69.2 FreeBSD 3.2-4.0 10.11.69.4
10.11.69.4 ( Windows 98 )
10.11.69.0/24 .
Honeynet
. Sniffing .
Redhat Linux 7.3
:
( )1
Snort MySQL .
Snort MySQL .
( ACID ) .
Snort .
( )2
Syslog-ng .
Backup Webmin .
Honeypot .
.
: Honeyd 0.4 A
( 10.11.68.0/24 10.11.69.0/24 .)1
.
] 17.02.2003 [11:00:28 ] 18-02-2003 [17:58:01 .
.
.
-1.01 :ACID
3103 Snort IDS SQL .
SQL 498 33
.
33 :
( 33 )2
.
.
.
DDOS .
Flood
SNMP Dos .
DOS
0 . 0
:
( )5
SNMPV1 SNMP
DoS
Get Next Request)2 Get Request)3 Set Request)1.
Flood
SNMP
.
SNMP .
Client
.
.
.
( )6
1.02 :Ethereal
Tcpdump Tcpdump log 1045547976
Ethereal Packet Sniffer
. 8717 Ethereal
Tcpdump %10 ICMP %12.26
TCP . Log
. :
ACID 22 SSH
206 35
:
1Portscans :
3 NMAP Fingerprint (Stateful) detection : (NMAP)
3 Stealth Activity (FIN Scan) :
3 Stealth Activity (Null Scan) :
3 Stealth Activity (Vecna Scan) :
3 Scan Nmap TCP :
NMAP NMAP TCP ping
.
.
: ( )Header : .
UDP TFTP .
TCP .
Web Cache
.
Brute Force .
SSH .
.
SNMP
DoS .
1.03
.
:
:2 .
Gateway
.
:1 (
) 98 .
. 98
. FTP Telnet .
:1 98
. AIX 25 SPAM
() .
. 98 http
SSH NetBIOS .
:HONEYD 0.5
.
.
.
. :
Cisco Telnet .
Telnet, 23 " ''Router- Telnet. Pl
Telnet .
Telnet .
( )5 Honeynet
2 IP
HoneyD .
( )2 IP
1.04 :
( 192.168.2.0/24 192.168.1.0.24 )6 HoneyD 0.5
. { 21-03-2003}00:54:26
{ 22-03-2003}12.21.55 .
.
ACID
23500 Snort IDS 001
31 .
31 :
.
CGI IIS . Login
.
Root
. Query
RPCbind/Portmap Solaris
RPC RPC .
. 0
:
( 0: )1
( )21
1.05 Log
Log Nessus
(http://www.nessus.org)
.
Brute Force .
. CGI Perl
.
SSH Nessus
Putty-Release-0.53b Putty . Telnet SSH
Rlogin 12 .
1.06 Ethereal
Tcpdump .
Tcpdump.log.1048208266 [Created on 21/03/03]
Tcpdump.log.1048298249 [Created on 22/03/03]
Ethereal Packet Sniffer .
Ethereal Tcpdump.log.1048208266
22146 % 12.23 ICMP %10.15 TCP
. TCP HTTP . %16.60
.TCP Remote shell Rlogin
. %36.11 UDP
%31.13 SNMP . Log
.
:
Ethereal
746 Tcpdump.log.1048298249 %14.61
ICMP %76.94 TCP . TCP
HTTP . %69.71 .TCP
Shell Rlogin Log . %8.45
UDP . Log
.
:
(YPPASSWORD)
12351 (RPC) 2 .
1.07 :
.
:
:2 traceroute ping
.
MAC . traceroute
192.168.1.1 Subnet .
192.168.1.1 .
. NFS subnet
. 192.168.1.1
. 192.168.1.1
. Cisco DoS
.
:1 98 SSH
. SSH
. Cisco 192.168.1.100 .
traceroute
192.168.1.1 . 192.168.1.1
Gateway subnet .
.
HoneyD 0.5
.
()
.
.
.
98 IIS v.5
.
98 IIS v.4.
1.08
( 192.168.1.0/24 )192.168.2.0/24 HoneyD 5.0
. ] 26-05-2003 [14:09:16 ][18:14:50
27-05-2003 .
Log .
32 33 .
( )22 32
CGI IIS .
351 Web-Application-Activity
15 Web-Application-Attack .
2 . UDP
192.168.1.28 . DoS
. %62
Bad-Unknown .
ICMP UDP
DoS 0 . 32 .
( 0 )32
UDP
. DoS .
UDP IP (Source)
.
.
.
( Attempted-Recon -) .
33 32
Bad-Unknown Attempted-Recon .
.
31 .
( )21
1.09 Log
Log Nessus
(http://www.nessus.org)
.
Brute Force .
.
c:\>drive:
.
Log
IIS .
Web-Server .
Web Server Web- Based
( ) .
1.10 Ethereal
Log Tcpdump :
tcpdump.log.1053944062 tcpdump.log.1054023963
Ethereal Packet Sniffer .
31131 tcpdump.log.1053944062
Log
. :
UDP 192.168.1.28
3074 ( 80 )HTTP .
( )6 UDP
.
Ethereal
:
( )2
tcpdump.log.1054023963
1532 %49.73 ICMP %35.96
TCP HTTP %19.79 TCP
. %14.31 UDP
%12.47 SNMP.
Honeynet .
.
.
.
.
.
%50
TCP . UDP ICMP %18 %32
. TCP/IP
HTTP 80 8080 .
Proxy Scan
WEB-IIS.
FTP Telnet
.
HoneyD
. TCP %5 %45
. Honeypot
TCP/IP .
UDP . ICMP %4 %38 .
Login
FTP
Telnet .
(PuTTY Release 0.53b) SSH-Client .
.
.
TCP .
TCP %29 %16
UDP %20 %37 .
(Denial of service) DoS
IIS
GET .
.
HoneyD
.
Honeynet .
Honeynet
.
(Backup) . Honeynet
.
:
:
www.ecu.edu.au
www.kaminpod.com
www.vaya.ir