
The Honeypot Project

By Falgun Rathod Cyber Octet Head Office @ Ahmedabad

Introduction

What is a Honeypot?

"A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." - Lance Spitzner

Honeypot Overview

A Honeypot has no functional value.
A Honeypot does not do anything active. Its value lies in the knowledge that any access to the Honeypot is probably malicious.
In a perfectly safe network a Honeypot should see no traffic at all.

Honeypot Overview - Advantages

Small data sets of high value

Very flexible
Does not rely on a fixed signature database (like anti-virus software). Allows the detection of new and unknown methods and tools.

Minimal resources
Since Honeypots are not intended to actually serve a multitude of clients, they need very few resources.

Simple
Honeypots are simple to install and maintain.

Honeypot Overview - Disadvantages

Limited view
A Honeypot can observe only interaction with itself. It is not a sniffer and cannot log actions against other functional systems in the network.

Risk
Depending on the type of Honeypot, the risk can be greater or lesser. But there is always a risk to the network when a multitude of servers are active in it.

Honeypots Overview - Types

Low-Interaction
Simulates some network services (HTTP, Telnet, FTP, etc.)
Very low risk (interaction is only with a simulation)
Less flexible (can only simulate what was programmed)
Easier to identify
Examples are: Specter, honeyd, our project

Honeypots Overview - Types

High-Interaction (Sacrificial Lamb)
Real servers running some kind of logging software
High risk (the attacker is working with the real thing)
Almost impossible to identify

Honeypots Overview - Honeynets

Overview - But what good is it?

Collect data
Allows researching attackers' methods and tools and developing counter-tools.

Prevention
Sticky Honeypots slow down attackers' scanning by responding slowly.
If the use of Honeypots is publicly known, it might deter hackers from attacking the network for fear of being caught.

Overview - But what good is it?

Detection and Response
If a Honeypot detects suspicious activity, it can send an e-mail or SMS to a network administrator.
A Honeypot is a non-essential system, so taking it offline in order to analyze the damage done by an attack will be less harmful and disruptive to the functionality of the network.
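Added example (not the project's code): an alert policy for the detection-and-response step above. Since any access to a Honeypot is suspect, the hard part is not deciding whether to alert but avoiding a page for every one of a scanner's hundreds of probes. The policy below alerts on the first contact from a source, counts repeats from that source within a window, and reports the count with the next alert. The event fields, the ten-minute window and the `notify` callable (a stand-in for the e-mail/SMS transport) are assumptions; the sample events are constructed.

```python
"""Alert policy for honeypot events: first contact from a source alerts,
repeats within a window are counted and reported with the next alert.
Added example; the event layout and window length are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    ts: float          # seconds since epoch, as logged by the core
    src_ip: str        # source address of the connection
    service: str       # emulated service touched, e.g. "http" or "telnet"
    detail: str        # request line or login attempt, already truncated


@dataclass
class AlertPolicy:
    window: float = 600.0                   # seconds to suppress repeats from one source
    notify: Callable[[str], None] = print   # e-mail/SMS sender goes here (assumed interface)
    _last_alert: Dict[str, float] = field(default_factory=dict)
    _suppressed: Dict[str, int] = field(default_factory=dict)

    def handle(self, ev: Event) -> Optional[str]:
        """Return the alert text sent for this event, or None if it was suppressed."""
        last = self._last_alert.get(ev.src_ip)
        if last is not None and ev.ts - last < self.window:
            # Same source inside the window: count it, do not page again.
            self._suppressed[ev.src_ip] = self._suppressed.get(ev.src_ip, 0) + 1
            return None
        skipped = self._suppressed.pop(ev.src_ip, 0)
        self._last_alert[ev.src_ip] = ev.ts
        msg = f"honeypot alert: {ev.src_ip} contacted {ev.service}: {ev.detail!r}"
        if skipped:
            msg += f" ({skipped} further events from this source suppressed since the last alert)"
        self.notify(msg)
        return msg


def process_events(events: List[Event], window: float = 600.0) -> List[str]:
    """Run a batch of events through one policy and return the alerts it sent."""
    sent: List[str] = []
    policy = AlertPolicy(window=window, notify=sent.append)
    for ev in events:
        policy.handle(ev)
    return sent


# Constructed sample events: one noisy scanner and one single probe.
SAMPLE_EVENTS = [
    Event(0.0,   "203.0.113.7",  "http",   "GET /admin/ HTTP/1.0"),
    Event(5.0,   "203.0.113.7",  "http",   "GET /scripts/ HTTP/1.0"),
    Event(30.0,  "203.0.113.7",  "telnet", "login attempt admin/admin"),
    Event(100.0, "198.51.100.2", "http",   "HEAD / HTTP/1.0"),
    Event(700.0, "203.0.113.7",  "http",   "GET /admin/ HTTP/1.0"),
]

if __name__ == "__main__":
    for alert in process_events(SAMPLE_EVENTS):
        print(alert)
```

With the default window the five sample events produce three alerts: the scanner's first probe, the other host's single probe, and the scanner's return after the window has expired, which carries the count of the two probes that were suppressed in between.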

Overview - But what good is it?

Counter Attack
A Honeypot could be configured to actively respond when it detects attacks coming from systems within its own network. For instance, if it detects worm activity from some system in the network, it can quarantine the system, shut it down, or even use some routine to purge the worm.

Overview - Threats

Viruses
Pieces of software that attach to innocent files. Consume computer resources and may be even more malicious (deleting files, ruining hardware, etc.). Rely on social engineering to spread.

Worms
Self-propagating code. Searches for communication vulnerabilities and uses them to infect more computers at an exponential rate.

Overview - Threats

Humans

White Hats
Good hackers searching for vulnerabilities in order to report them and increase security awareness.

Black Hats
Hackers with personal gain or mayhem in mind. Break into systems in order to steal or corrupt data.

Script Kiddies
Tool users. No real understanding of what they are doing. Techniques usually include scanning for a system and then hammering it with various tools in order to find a vulnerability.

Our Solution - The path to implementation

Simulating Port Scanning
Knocker FrontEnd port scanner

Vulnerabilities check
N-Stealth Security Scanner

Phase III - Implement

Based On
Visual C++ .NET
Visual Basic .NET (GUI)
Winsock2
ODBC

Honeypot Architecture - Deployment

(Deployment diagram; labels: ATTACKER, NETWORK SCAN, The Honeypot)

Honeypot Architecture
The program is divided into two main applications.

GUI
Allows an easy way of starting and stopping the servers, searching through collected data and displaying statistics.

Honeypot_Core
Creates and maintains the servers. Collects the data from the users and updates the databases.

Honeypot Architecture - Block Diagram

Honeypot Architecture
Communication between the GUI and the core is done over Winsock. Why Winsock?
There were many available options: RPC, signalling, shared memory and more.

We wanted to allow for the expansion of the deployment scheme. Suppose you want to run multiple instances of the core on different computers. Using Winsock allows running the GUI on one machine while controlling the others over the network.

Honeypot Architecture - HTTPServer
The purpose is to catch malicious HTTP strings sent as innocent requests.
The HTTP server emulates a Microsoft IIS 5.0 web server.
The emulation displays only one page, taken from index.htm.
The Honeypot is completely safe from all attacks since it does not actually try to execute any commands sent at it. Its default response is Not Implemented.
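Added example (not the project's Visual C++/Winsock code): a minimal low-interaction HTTP handler that behaves the way the HTTPServer slide describes. It answers with an IIS 5.0 Server header, serves one static page for GET / or /index.htm, replies 501 Not Implemented to every other request, and records the request line for the database. Nothing in the request is interpreted against the file system or executed, which is what makes the emulation safe. The page body, the 8 KB request cap, the loopback port and the print-as-logging stand-in are assumptions.

```python
"""Low-interaction HTTP honeypot handler emulating an IIS 5.0 web server.
Added example: serves a single constructed page, answers 501 to everything
else, and only logs the request line. Port, page and size cap are assumed."""
import socketserver
from datetime import datetime, timezone
from typing import Tuple

# Constructed stand-in for the project's index.htm.
INDEX_HTML = b"<html><body><h1>Under Construction</h1></body></html>"
NOT_IMPLEMENTED_HTML = b"<html><body>Not Implemented</body></html>"
SERVER_HEADER = b"Microsoft-IIS/5.0"   # what the emulation claims to be
MAX_REQUEST = 8192                     # assumed cap on the stored request line


def _response(status: bytes, body: bytes) -> bytes:
    """Build a complete HTTP/1.1 response with the emulated server header."""
    return b"".join([
        b"HTTP/1.1 ", status, b"\r\n",
        b"Server: ", SERVER_HEADER, b"\r\n",
        b"Content-Type: text/html\r\n",
        b"Content-Length: ", str(len(body)).encode(), b"\r\n",
        b"Connection: close\r\n\r\n",
        body,
    ])


def handle_request(raw: bytes) -> Tuple[bytes, dict]:
    """Return (response bytes, log record) for one raw request.

    Only the request line is examined; it is never used as a path, command
    or script name, so hostile strings are data to be stored, nothing more."""
    line = raw.split(b"\n", 1)[0].rstrip(b"\r")[:MAX_REQUEST]
    parts = line.split(b" ")
    record = {"request_line": line.decode("latin-1", "replace"), "status": 501}
    if len(parts) == 3 and parts[0] == b"GET" and parts[1] in (b"/", b"/index.htm"):
        record["status"] = 200
        return _response(b"200 OK", INDEX_HTML), record
    # Every other method or path, including attack strings, gets the canned 501.
    return _response(b"501 Not Implemented", NOT_IMPLEMENTED_HTML), record


class HoneyHTTPHandler(socketserver.StreamRequestHandler):
    """One connection: read the request line, answer, log, close."""

    def handle(self) -> None:
        raw = self.rfile.readline(MAX_REQUEST)
        resp, record = handle_request(raw)
        record["src"] = self.client_address[0]
        record["ts"] = datetime.now(timezone.utc).isoformat()
        print(record)            # stand-in for the core's database update
        self.wfile.write(resp)


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 8080), HoneyHTTPHandler) as srv:
        srv.serve_forever()
```

The decision logic lives in `handle_request` so it can be exercised without a socket; the handler class only wires it to a connection and adds source address and timestamp to the record.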

Honeypot Architecture - HTTPServer

Honeypot Architecture - TELNETServer
The purpose is to observe the usernames and passwords attackers will try when hacking a telnet server.
This will allow the creation of a commonly used passwords database, so that users can be advised (or required) as to what passwords not to use.
It can also help detect stolen passwords.
The server emulates nothing more than the login handshake. All logins fail.
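Added example (not the project's code): a telnet login-handshake emulator in the spirit of the TELNETServer slide. It presents a login prompt, collects the username/password pair, answers "Login incorrect" every time, closes after a fixed number of attempts, and feeds the captured pairs into a counter of the passwords tried most often, which is the commonly used passwords database the text describes. Telnet option negotiation bytes (IAC sequences) that real clients send on connect are stripped so they do not end up recorded as part of the username. The banner text, the three-attempt limit, the field length cap and the loopback port are assumptions.

```python
"""Telnet login-handshake honeypot: prompt, record the pair, always fail.
Added example; banner, attempt limit and field cap are assumptions."""
import socketserver
from collections import Counter
from typing import Iterable, List, Optional, Tuple

MAX_ATTEMPTS = 3                                      # assumed: close after three failures
MAX_FIELD = 64                                        # assumed cap per stored field
BANNER = b"\r\nWelcome to Microsoft Telnet Service\r\n\r\n"   # constructed banner
Attempt = Tuple[str, str]


def _strip_iac(raw: bytes) -> bytes:
    """Drop telnet option negotiation (IAC sequences) from client input.
    Simplification: an escaped literal 0xFF (IAC IAC) is dropped too."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == 0xFF and i + 1 < len(raw):
            # WILL/WONT/DO/DONT carry one option byte; other commands are two bytes
            i += 3 if raw[i + 1] in (0xFB, 0xFC, 0xFD, 0xFE) else 2
            continue
        out.append(raw[i])
        i += 1
    return bytes(out)


class LoginSession:
    """State machine for one connection: login: -> password: -> fail -> repeat."""

    def __init__(self) -> None:
        self.attempts: List[Attempt] = []
        self._user: Optional[str] = None
        self.closed = False

    def start(self) -> bytes:
        return BANNER + b"login: "

    def feed(self, raw: bytes) -> bytes:
        """Consume one client line and return the bytes to send back."""
        line = _strip_iac(raw).rstrip(b"\r\n\x00").decode("latin-1", "replace")[:MAX_FIELD]
        if self._user is None:
            self._user = line
            return b"password: "
        self.attempts.append((self._user, line))   # the pair is the whole point
        self._user = None
        if len(self.attempts) >= MAX_ATTEMPTS:
            self.closed = True                      # caller drops the connection
            return b"\r\nLogin incorrect\r\n"
        return b"\r\nLogin incorrect\r\n\r\nlogin: "


def run_session(client_lines: Iterable[bytes]) -> Tuple[bytes, List[Attempt]]:
    """Drive a session from canned client lines; returns (server output, attempts)."""
    session = LoginSession()
    out = [session.start()]
    for raw in client_lines:
        out.append(session.feed(raw))
        if session.closed:
            break
    return b"".join(out), session.attempts


def password_frequency(attempts: Iterable[Attempt]) -> Counter:
    """Count how often each password was tried, across sessions."""
    return Counter(pw for _, pw in attempts)


class HoneyTelnetHandler(socketserver.StreamRequestHandler):
    """Wire a LoginSession to a real connection."""

    def handle(self) -> None:
        session = LoginSession()
        self.wfile.write(session.start())
        while not session.closed:
            raw = self.rfile.readline(256)
            if not raw:                             # client hung up
                break
            self.wfile.write(session.feed(raw))
        for user, pw in session.attempts:           # stand-in for the database update
            print(f"{self.client_address[0]} tried {user!r}/{pw!r}")


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 2323), HoneyTelnetHandler) as srv:
        srv.serve_forever()
```

Because the session never compares the pair against anything, there is no account to compromise; the only state is the list of attempts, which `password_frequency` turns into the ranked list of passwords users should be told not to pick.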

Honeypot Architecture - TELNETServer

Honeypot Architecture - Communication Flow

Summary
Honeypots are a cheap and simple way to add protection to a network.
Honeypots allow the study of attackers' methods of operation and help develop new ways of countering them.

Possible Future Additions

More services such as FTP, messenger, P2P applications
Allow administration of multiple servers via the network
Add the ability to answer as different IP addresses
Emulate different kinds of web servers other than IIS
Emulate a more complex telnet session
