www.kaminpod.com
[Body text not recovered by extraction; surviving terms: Honeypot, IDS, Firewall, IPS]
[Body text not recovered by extraction; surviving terms: Honeypot]
[Body text not recovered by extraction; surviving terms: Honeypot, Honeytoken, HoneyNet]
[Body text not recovered by extraction; surviving terms: Honeypot]
[Body text not recovered by extraction; surviving terms: Honeypot, IPsec, SSH, SSL, IPv6, IP]
[Body text not recovered by extraction; surviving terms: Honeypot, IP]

Source: www.certcc.ir
[Body text not recovered by extraction; surviving terms: Honeypot, Interaction (level of interaction)]
Low Interaction - LinT

[Body text not recovered by extraction; surviving terms: Honeypot, BackOfficer Friendly, Administrator, Specter, toolkit]
[Body text not recovered by extraction; surviving terms: Specter, HoneyD, KFSensor, Honeypot, IP, Linux 2.4.10, FTP, port 23]
[Body text not recovered by extraction; surviving terms: HoneyD, Honeypot, IP, fingerprinting, Nmap, Xprobe]

High Interaction - HinT

[Body text not recovered by extraction; surviving terms: Honeypot, rootkit]
[Body text not recovered by extraction; surviving terms: Honeypot, IP, IPv6, IPv4, Decoy Server, Honeynet, Symantec]
[Body text not recovered by extraction; surviving terms: Solaris, Honeypot]
[Body text not recovered by extraction; surviving terms: Honeypot]

Medium Interaction - MinT

[Body text not recovered by extraction; surviving terms: LinT, HinT, MinT, vaya co.]

Source: www.certcc.ir
[Body text not recovered by extraction; surviving terms: Honeypot]
[Body text not recovered by extraction; surviving terms: Honeypot, IP, TCP, LaBrea Tarpit, Deception Toolkit]
[Body text not recovered by extraction; surviving terms: IPv6, Honeypot, Mail Server]
[Body text not recovered by extraction; surviving terms: Honeypot]
[Body text not recovered by extraction; surviving terms: Honeypot]

Source: www.certcc.ir
[Body text not recovered by extraction; surviving terms: Honeypot]
[Body text not recovered by extraction; surviving terms: Snort, Ethereal, Honeypot, Sebek, UDP]
[Body text not recovered by extraction; surviving terms: Gateway, Sebek]

Source: www.certcc.ir
[Body text not recovered by extraction; surviving terms: Honeypot]
[Body text not recovered by extraction; surviving terms: FTP, Honeypot, IDS, Snort, ASCII payload, IRC, privmsg.pl, Max Vision, Internet Relay Chat]
[Body text not recovered by extraction; surviving terms: IRC, Honeypot, syslog, reboot, IDS, Forensics]
[Body text not recovered by extraction; surviving terms: NetCat, Honeypot, icat, unrm]

Source: www.certcc.ir
[Body text not recovered by extraction; surviving terms: Honeypot, WIPE, LAN]
[Body text not recovered by extraction; surviving terms: DSL, Honeypot]
[Body text not recovered by extraction; surviving terms: Honeypot, Snort, Ethereal]
[Body text not recovered by extraction; surviving terms: Snort]

Source: www.certcc.ir
[Body text not recovered by extraction; surviving terms: HoneyD, Command, Edith Cowan, "HoneyD" (quoted title)]
[Body text not recovered by extraction; surviving terms: HoneyD]
(Brenton, n.d; Klug, 2000; Spitzer, 2002)

[Body text not recovered by extraction; surviving terms: HoneyD, Open Source, IP Base, Specter, IP]
NMAP Net Scan / IP Probing

[Body text not recovered by extraction; surviving terms: IP, HoneyD, Honeypot (Open Source), Honeynet, Nmap]
[Body text not recovered by extraction; surviving terms: HoneyD]
[Body text not recovered by extraction; surviving terms: (2), SCIS, Edith Cowan, Perth, Honeynet, Log]
[Body text not recovered by extraction; surviving terms: Log]

ACID (Danyliw, n.d)

[Body text not recovered by extraction; surviving terms: ACID, Log]

Ethereal and Tcpdump

[Body text not recovered by extraction; surviving terms: Log, Ethereal, Tcpdump. Surviving list items: Live Network; TCP session; Unix; 235]
[Body text not recovered by extraction; surviving terms: Log, Open Source, Honeynet, HoneyD]
[Body text not recovered by extraction; surviving terms: Honeynet, Log, Honeypot, Sniffer]
[Body text not recovered by extraction; surviving terms: (1), NetSec 1.8, sniff, Domain Collision, Sniffing, Netsec2, Gupta.au, HoneyD, Netsec8, Snort, Sniffer, Red Hat Linux 7.3]
[Body text not recovered by extraction; surviving terms: (2) honeypot, Honeynet, HoneyD, IP, (1)]
HoneyD IP assignment (figure (1)): networks 10.11.68.0/24 and 10.11.69.0/24, Cisco. Personalities and addresses surviving extraction:

  Windows 2000 Professional / Server
  AIX 3.2 Server
  Solaris 2.3-2.4        10.11.69.2
  FreeBSD 3.2-4.0        10.11.69.4
  Windows 98             10.11.69.4
  10.11.69.1 and 10.11.69.4: HTTP (port 80) via the web.sh script
  10.11.69.0/24: HTTP (80), NetBIOS (139)

[Remaining body text not recovered by extraction]
Hosts on 10.11.68.0/24 and 10.11.69.0/24 surviving extraction:

  Cisco router/switch, IOS 11.2, 10.11.68.18
  Cisco 760 / Cisco 160 (non-IOS), IBM Stackable Hub, 10.11.68.19
  Novell NetWare 3.12 (386 TCP/IP) on 10.11.69.0/24
  10.11.68.10, 10.11.68.11 (client)
  Red Hat Linux 7.3 running Honeyd 0.4
  Honeynet sniffing host: Red Hat Linux 7.3 with Snort IDS / sniffer (figure (1))

[Remaining body text not recovered by extraction]
[Body text not recovered by extraction; surviving terms: Snort logging to MySQL, ACID; (2) Syslog-ng; Backup, Webmin; Honeypot]

Honeyd 0.4 A: deployment on 10.11.68.0/24 and 10.11.69.0/24 (figure (1)). Capture window: 17.02.2003 11:00:28 to 18-02-2003 17:58:01.
1.01 ACID

[Body text not recovered by extraction; surviving terms: Snort IDS, SQL, 498, 33, figure (2) "33"]
[Body text not recovered by extraction; surviving terms: DDoS, Flood, SNMP DoS, figure (5)]

SNMPv1 PDU types named: GetRequest, GetNextRequest, SetRequest.

[Body text not recovered by extraction; surviving terms: Flood, SNMP, Client]
[figure (6)]

1.02 Ethereal

Tcpdump log 1045547976 opened in the Ethereal packet sniffer: 8717 packets; 10% ICMP; 12.26% TCP. [Remaining body text not recovered by extraction]

  TCP SYN to 1060 (Webcache)
  TCP with PSH FIN ACK URG to TCPmux
  ACK to 22 (SSH)
  ACID: 22 SSH, 206, 35

Snort alert classes listed:
  Portscans
  NMAP Fingerprint (Stateful) detection
  Stealth Activity (FIN Scan)
  Stealth Activity (Null Scan)
  Stealth Activity (Vecna Scan)
  Nmap TCP scan / NMAP TCP ping

  SYN, 705, DNM
  SNMP AgentX/TCP (CVE: CAN-2002-0012), 62, 105
  SYN, 162, Solaris
  SNMP TRAP DoS (CVE: CAN-2002-0013), 351
  Header

[Remaining body text not recovered by extraction]

[Body text not recovered by extraction; surviving terms: UDP, TFTP, TCP, Web Cache, Brute Force, SSH, SNMP DoS]

1.03

[Body text not recovered by extraction; surviving terms: item 2: Gateway; item 1: Windows 98]
[Body text not recovered by extraction; surviving terms: Windows 98, FTP, Telnet, AIX, port 25, SPAM, http, SSH, NetBIOS]

HONEYD 0.5

[Body text not recovered by extraction. Surviving changes listed for the second deployment: HoneyD 0.4a -> HoneyD 0.5; Honeyd logging; Xprobe; Arpd 0.1 -> Arpd 0.2; IP 10.X.X.X -> 192.168.X.X; personalities "Windows 2000 Professional, Build 2128" and "Windows NT4.5 Server SP5-SP6"]
[Body text not recovered by extraction; surviving terms: Perl IIS emulator on http port 80; TCP ports 139, 137 and UDP ports 137, 135 (NetBIOS); "AIX 3.2", 20, ISP, SPAM, 23, FTP, Sell, Log, FTP upload; Cisco Telnet on port 23 via "Router-Telnet.pl"; "Novell Netware 3.12 or 386 TCP/IP", "Novell Netware 5.0 SP5"]

[Figure (5) Honeynet: image not recovered; surviving terms: IP, HoneyD]
[Figure (2) IP: surviving terms: Telnet (192.168.1.100-101) Cisco; Telnet; SSH port 22; Windows 98; sniff]

1.04

HoneyD 0.5 on 192.168.2.0/24 and 192.168.1.0/24 (figure (6)). Capture window: 21-03-2003 00:54:26 to 22-03-2003 12:21:55. [Remaining body text not recovered by extraction; surviving terms: ACID, 23500, Snort IDS, 31]
[Body text not recovered by extraction; surviving terms: CGI, IIS, Login, Root, Query, RPCbind/Portmap, Solaris, RPC]
[Body text not recovered by extraction; surviving terms: (1); ICMP 16% (21055); SNMP Request UDP 12%; Cisco IOS; (21)]
1.05 Log

[Body text not recovered by extraction; surviving terms: Nessus (http://www.nessus.org), Brute Force, CGI, Perl, SSH, Putty-Release-0.53b, Telnet, SSH, Rlogin, 12]

1.06 Ethereal

Tcpdump logs Tcpdump.log.1048208266 (created 21/03/03) and Tcpdump.log.1048298249 (created 22/03/03), opened in the Ethereal packet sniffer.

Tcpdump.log.1048208266: 22146 packets; 12.23% ICMP; 10.15% TCP (HTTP; 16.60%; Remote shell, Rlogin); 36.11% UDP; 31.13% SNMP. [Remaining body text not recovered by extraction]
  root login, 172.16.253.253 -> 192.168.1.1
  TFTP read query for /etc/passwd, 172.16.253.253 -> 192.168.1.1
  TCP with PSH FIN URG from port 42778, 172.16.253.253 -> 192.168.1.1

Tcpdump.log.1048298249: 746 packets; 14.61% ICMP; 76.94% TCP (HTTP 69.71%; Shell, Rlogin); 8.45% UDP. [Remaining body text not recovered by extraction]

  Portmap dump (v2), 172.16.1.120 -> 192.168.1.1, SunRPC port 111, 624
  UDP from 172.16.0.1, nfsd, 172.16.1.120, 800, 1236
  YPPASSWORD (RPC), 12351, 2
  root login, 172.16.1.120 -> 192.168.1.1
  TFTP read query for /etc/passwd, 172.16.1.120 -> 192.168.1.1

1.07

[Body text not recovered by extraction; surviving terms: item 2: traceroute, ping, MAC, 192.168.1.1, subnet, NFS]
[Body text not recovered by extraction; surviving terms: Cisco DoS; item 1: Windows 98, SSH, Cisco 192.168.1.100, traceroute, 192.168.1.1, Gateway, subnet; HoneyD 0.5; Windows 98 IIS v.5 -> IIS v.4]

1.08
HoneyD 0.5 on 192.168.1.0/24 and 192.168.2.0/24. Capture window: 26-05-2003 14:09:16 to 27-05-2003 18:14:50. [Remaining body text not recovered by extraction; surviving terms: Log, 31516, Snort IDS, 101, 32, 33, figure (22) "32", CGI, IIS]
[Body text not recovered by extraction; surviving terms: 351 Web-Application-Activity; 15 Web-Application-Attack; UDP, 192.168.1.28, DoS; 62% Bad-Unknown; ICMP, UDP, DoS; figure (32); ICMP Redirect 11%; Misc Large UDP Packets (Bad-Unknown); UDP DoS; UDP source IP]
[Body text not recovered by extraction; surviving terms: Attempted-Recon; 33, 32; Bad-Unknown; 31; (21)]

1.09 Log
[Body text not recovered by extraction; surviving terms: Nessus (http://www.nessus.org), Brute Force, c:\>drive:, Log, IIS, Web-Server, Web-Based]

1.10 Ethereal

Tcpdump logs tcpdump.log.1053944062 and tcpdump.log.1054023963, opened in the Ethereal packet sniffer.

tcpdump.log.1053944062: 31131 packets;
30.52% ICMP; 25.36% TCP (HTTP 12.03%); 44.13% UDP; 37.10%. [Remaining body text not recovered by extraction]

  UDP from 192.168.1.28 port 3074 to 80 (HTTP)

[figure (6) UDP]
[figure (2)]

tcpdump.log.1054023963: 1532 packets; 49.73% ICMP; 35.96% TCP (HTTP 19.79%); 14.31% UDP; 12.47% SNMP.

[Body text not recovered by extraction; surviving terms: Honeynet; 50% TCP; UDP, ICMP 18%, 32%; TCP/IP]
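The Ethereal breakdowns in sections 1.02, 1.06 and 1.10 (packet totals, ICMP/TCP/UDP percentages, HTTP and SNMP shares) and the flag anomalies behind the Snort alerts (FIN, Null and Vecna scans, the PSH/FIN/URG packet from port 42778) were produced by reading the tcpdump files by hand. The following is an added example, not code from the original document: a minimal libpcap reader with Ethernet/IPv4 decoding, a percentage summary in the shape of the page's tables, and a TCP flag classifier, run over a small capture constructed inline. The "Vecna" label follows the old Snort definition (PSH and/or URG set with no SYN, ACK or FIN), which is an assumption about the alert source used on the page; the sample's addresses and ports are likewise assumed.

```python
"""Protocol breakdown and stealth-scan flag check over a libpcap file.

Added example, not code from the original document. Handles classic
little-endian pcap with Ethernet framing; the capture is constructed inline
and the attacker/honeypot addresses are assumed.
"""
import struct
from collections import Counter

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags: int) -> str:
    """Classic stealth-scan labels; 'vecna' is PSH/URG without SYN, ACK or FIN."""
    if flags == 0:
        return "null-scan"
    if flags == FIN:
        return "fin-scan"
    if flags == FIN | PSH | URG:
        return "xmas-scan"
    if not flags & (SYN | ACK | FIN) and flags & (PSH | URG):
        return "vecna-scan"
    if flags == SYN:
        return "syn"
    return "normal"


def _decode_frame(frame: bytes) -> dict:
    rec = {"proto": "other", "src": None, "dst": None, "dport": None, "flags": None}
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return rec                              # not IPv4 over Ethernet
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    rec["src"] = ".".join(map(str, ip[12:16]))
    rec["dst"] = ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:]
    if proto == 1:
        rec["proto"] = "icmp"
    elif proto == 17 and len(l4) >= 8:
        rec["proto"], rec["dport"] = "udp", struct.unpack_from("!H", l4, 2)[0]
    elif proto == 6 and len(l4) >= 20:
        rec["proto"], rec["dport"] = "tcp", struct.unpack_from("!H", l4, 2)[0]
        rec["flags"] = l4[13]                   # flag byte of the TCP header
    return rec


def parse_pcap(data: bytes) -> list:
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled")
    if struct.unpack_from("<I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type")
    off, records = 24, []
    while off + 16 <= len(data):
        _sec, _usec, caplen, _wirelen = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append(_decode_frame(data[off:off + caplen]))
        off += caplen
    return records


def summarize(records: list) -> dict:
    """Protocol shares in percent (as in the page's tables) plus TCP flag classes."""
    total = len(records)
    shares = {p: round(100.0 * n / total, 2)
              for p, n in Counter(r["proto"] for r in records).items()}
    flags = Counter(classify_flags(r["flags"]) for r in records if r["proto"] == "tcp")
    ports = Counter((r["proto"], r["dport"]) for r in records if r["dport"] is not None)
    return {"total": total, "shares": shares, "tcp_flags": dict(flags),
            "top_ports": ports.most_common(3)}


# --- constructed capture (stands in for the page's tcpdump logs) -----------
def _ipv4(src, dst, proto, payload):
    a = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, a(src), a(dst)) + payload


def _tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def _udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_sample_pcap() -> bytes:
    eth = lambda p: b"\x00" * 12 + b"\x08\x00" + p
    atk, hp = "172.16.253.253", "192.168.1.1"          # assumed addresses
    frames = [
        eth(_ipv4(atk, hp, 1,  struct.pack("!BBHHH", 8, 0, 0, 1, 1))),  # ICMP echo
        eth(_ipv4(atk, hp, 6,  _tcp(42778, 80, FIN | PSH | URG))),       # xmas
        eth(_ipv4(atk, hp, 6,  _tcp(42779, 80, 0))),                     # null
        eth(_ipv4(atk, hp, 6,  _tcp(42780, 22, FIN))),                   # fin
        eth(_ipv4(atk, hp, 6,  _tcp(42781, 22, SYN))),                   # plain connect
        eth(_ipv4(atk, hp, 6,  _tcp(42782, 139, PSH | URG))),            # vecna
        eth(_ipv4(atk, hp, 17, _udp(1024, 161, b"\x30\x00"))),           # SNMP
        eth(_ipv4(atk, hp, 17, _udp(1025, 69, b"\x00\x01/etc/passwd\x00octet\x00"))),  # TFTP RRQ
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1048208266 + i, 0, len(f), len(f)) + f
    return out
```

To reproduce the page's tables on a real capture, pass `open(path, "rb").read()` to `parse_pcap` and hand the records to `summarize`; the `tcp_flags` counts are the part Ethereal's protocol hierarchy does not give you and correspond directly to the Snort stealth-scan alert classes listed earlier.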

[Body text not recovered by extraction; surviving terms: HTTP 80, 8080; Proxy Scan; WEB-IIS; FTP, Telnet; HoneyD; TCP 5% -> 45%; Honeypot; TCP/IP; UDP; ICMP 4% -> 38%; Login, FTP, Telnet; PuttyRelease0.53b (SSH client); TCP 29% -> 16%; UDP 20% -> 37%; DoS (Denial of service)]
[Body text not recovered by extraction; surviving terms: UDP Flooder, UDP; ICMP; IIS, GET; HoneyD; Honeynet; Backup]

References:
www.ecu.edu.au
www.kaminpod.com
www.vaya.ir