WEB BASED HONEYPOT DECOYS
INTRODUCTION
HONEYPOT - a computer system on the Internet that is expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems.
HONEYNET - a network containing honeypots
LOW INTERACTION - the functionality or vulnerability it provides is only emulated
HIGH INTERACTION - provides real functionality to the outside world and does not only perform emulation
4 MAIN CONCEPTS –
DEPLOYING HONEYPOT
DATA CONTROL - mitigate the risk
DATA CAPTURE - gather information about the attacker, without the attacker’s knowledge
DATA ANALYSIS - converts the collected data into sensible information
DATA COLLECTION - Transfer and store all data captured in a central location
DEVELOPMENT OF HONEYNET CREATOR
REQUIREMENT
System functionality and performance should be the same as the identical web application would offer as a non-honeypot system
Comprehensive data capture – stored externally on a separate and secure system
Prevent the attacker from using the honeypot
Provide different means to support the process of analyzing the collected data
Should be extensible so that it easily adapts to new attack patterns and exploits
DESIGN APPROACH
Design approach – 2 ways
1. To start off with an existing web application and convert it into a honeypot
2. To take an existing low-interaction honeypot for a specific web application and add any kind of functionality separately
WORKING
In order to log the information an attacker enters into a web application, the contents of four crucial arrays provided by PHP are stored:
1. $_SERVER
2. $_GET
3. $_POST
4. $_COOKIE
WORKING (Cont.)
$_SERVER
HTTP_USER_AGENT - a string denoting the user agent which was used to access the page
HTTP_REFERER - describes the address of the page
REMOTE_ADDR - the IP address of the current user requesting a page
REMOTE_PORT - the port being used on the user’s machine to communicate with the web server
HTTP_ACCEPT - refers to the HTTP Accept request-header
HTTP_ACCEPT_LANGUAGE - similar to Accept, restricts the set of natural languages as a response to the request
REQUEST_TIME - used to keep track of every single request
WORKING (Cont.)
$_GET - contains all data that is transferred to the server via HTTP GET request
$_POST - contains all data that is transferred to the server via HTTP POST request
$_COOKIE - contains all data that is transferred to the server via HTTP cookies
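An added example, not part of the original slides and not HIHAT's own code, of logging code that captures the $_SERVER fields listed above together with $_GET, $_POST and $_COOKIE, serializes them and stores them through PDO. The hp_* function names, the hp_log table, the SCRIPT_NAME column and the in-memory SQLite database standing in for the external SQL database are assumptions.

```php
<?php
// Added example, not HIHAT's own code. The hp_* names and the hp_log table are
// hypothetical; the in-memory SQLite DSN stands in for the external log server.
const HP_SERVER_KEYS = [
    'HTTP_USER_AGENT', 'HTTP_REFERER', 'REMOTE_ADDR', 'REMOTE_PORT',
    'HTTP_ACCEPT', 'HTTP_ACCEPT_LANGUAGE', 'REQUEST_TIME',
];

// Build one log record from the four request arrays.
function hp_build_record(array $server, array $get, array $post, array $cookie): array
{
    $picked = [];
    foreach (HP_SERVER_KEYS as $key) {
        $picked[$key] = $server[$key] ?? null; // headers the client omitted become null
    }
    return [
        'script' => $server['SCRIPT_NAME'] ?? '',
        'data'   => serialize(['server' => $picked, 'get' => $get, 'post' => $post, 'cookie' => $cookie]),
    ];
}

// Store the record. Values are bound, never concatenated into the SQL text,
// because every field is attacker-controlled.
function hp_store(PDO $db, array $record): void
{
    $stmt = $db->prepare('INSERT INTO hp_log (script, data) VALUES (:script, :data)');
    $stmt->execute([':script' => $record['script'], ':data' => $record['data']]);
}

// Entry point called from each instrumented page.
function hp_log_request(PDO $db): void
{
    try {
        hp_store($db, hp_build_record($_SERVER, $_GET, $_POST, $_COOKIE));
    } catch (Throwable $e) {
        // Swallow errors so a logging failure never changes what the decoy shows.
    }
}

// Constructed sample request, run against a throwaway database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE hp_log (id INTEGER PRIMARY KEY, script TEXT, data TEXT)');
$server = ['HTTP_USER_AGENT' => 'ExampleScanner/1.0', 'REMOTE_ADDR' => '192.0.2.10',
           'REMOTE_PORT' => '51512', 'REQUEST_TIME' => 1700000000, 'SCRIPT_NAME' => '/index.php'];
hp_store($db, hp_build_record($server, ['q' => 'probe'], [], ['sid' => 'abc']));
$row = $db->query('SELECT script, data FROM hp_log')->fetch(PDO::FETCH_ASSOC);
print_r(unserialize($row['data'], ['allowed_classes' => false]));
```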
LOGGING CODE
A specially crafted logging code is inserted into each relevant file of the web application – the following steps are performed:
Makes a list of each source code file the web application comprises
Serializes the data and stores it in an external SQL database
Recursively crawls the directory of the web application and creates a list of all PHP and HTML files
The Honeypot-Creator performs all insertions at the beginning
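An added sketch of the crawl-and-insert step, not the Honeypot-Creator's own code: it lists every PHP and HTML file under a directory and prepends a logging include to each. The hp_* function names, the marker comment and the logger path /opt/hp/logger.php are assumptions, and the directory tree is constructed for the demonstration.

```php
<?php
// Added example, not the Honeypot-Creator's own code. The hp_* names, the marker
// comment and the logger path /opt/hp/logger.php are hypothetical.
const HP_MARKER = '/*hp-log*/';

// Recursively crawl $root and list all PHP and HTML files.
function hp_list_targets(string $root): array
{
    $files = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($walker as $file) {
        $ext = strtolower($file->getExtension());
        if ($file->isFile() && in_array($ext, ['php', 'html'], true)) {
            $files[] = $file->getPathname();
        }
    }
    sort($files);
    return $files;
}

// Insert the logging include at the very beginning of one file.
// Returns false when the marker is already present, so reruns are harmless.
function hp_instrument(string $path, string $loggerPath): bool
{
    $source = file_get_contents($path);
    if ($source === false) {
        throw new RuntimeException("cannot read $path");
    }
    if (strpos($source, HP_MARKER) !== false) {
        return false;
    }
    // No whitespace outside the PHP tags: stray output would break header() calls.
    $stub = '<?php ' . HP_MARKER . ' require_once ' . var_export($loggerPath, true) . '; ?>';
    return file_put_contents($path, $stub . $source) !== false;
}

// Constructed demonstration on a throwaway directory tree.
$root = sys_get_temp_dir() . '/hp_demo_' . bin2hex(random_bytes(4));
mkdir("$root/admin", 0700, true);
file_put_contents("$root/index.php", "<?php echo 'home'; ?>\n");
file_put_contents("$root/admin/login.html", "<form></form>\n");
file_put_contents("$root/style.css", "body {}\n");
foreach (hp_list_targets($root) as $file) {
    echo $file, ': ', hp_instrument($file, '/opt/hp/logger.php') ? 'instrumented' : 'skipped', "\n";
}
```

A file that opens with declare(strict_types=1) or a namespace statement needs the include placed after that statement instead, and .html files execute the stub only if the web server hands them to PHP.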
ANALYSIS TOOL
To support the process of extracting the important information out of the data
Supports the analysis of data acquired from all different kinds of web-based honeypots
Two main views - Overview mode and Detailed viewing mode
Tool - filters for attack patterns
- Provides high expandability
- Should comprise an automatic download function
ANALYSIS TOOL
HIHAT - High Interaction Honeypot Analysis Tool
Overview of the most recent entries
The actual number of entries per access varies and depends on the implementation of the web application
To avoid illicit access to the analysis tool, a password is requested for the usage of HIHAT
STRUCTURAL OVERVIEW
[Figure: Structure of a web based honeynet. Diagram labels: Honeynet, Secured area, Honeypot I to V, Log server, SQL db (three instances), Analysis Tool.]
DATA CONTROL
To ensure the system is running within safe boundaries and does not cause harm to other non-honeypot systems
The following issues have to be considered:
Secure base operating system
Connection number limitation
Bandwidth limitation
Honeywall
TRANSPARENT LINKING
[Figure: Transparent linking. Diagram labels: start, Index.php, LEVEL1.php to LEVEL4.php, arranged in LAYER1, LAYER2, LAYER3.]
HONEYNET SETUP
A proper configuration and setup of the system can be accomplished by performing these steps:
Operating system
High customizability
Good security support
Minimalistic system
Detailed documentation
Virtual machine setup
HONEYNET SETUP (Cont.)
Honeywall setup
Decoy selection
Log server setup
Honeypot-Creator
Transparent links
Setup of HIHAT
CONCLUSION
