Professional Documents
Culture Documents
The Honeypot Project
The Honeypot Project
Introduction
What is a Honeypot?
"A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." - Lance Spitzner
Honeypot Overview
A Honeypot has no functional value A Honeypot does not do anything active. Its value lies in the knowledge that any access to the Honeypot is probably malicious In a perfectly safe network a Honeypot should see no traffic at all
Minimal resources
Since Honeypots are not intended to actually server a magnitude of clients they need very little resources
Simple
Honeypots are simple to install and maintain
Risk
Depending on the type of the Honeypot the risk can be greater or lesser. But there is always a risk to the network when a multitude of servers are active in it.
Prevention
Sticky Honeypots slow down scanning capabilities of attackers by slow response times If the usage of Honeypots is publicly known it might deter hackers from attacking the network for fear of being caught
Overview - Threats
Viruses
Pieces of software that attach to innocent files. Consume computers recourses and may be even more malicious (deleting files, ruining hardware, etc). Rely on social engineering for spreading
Worms
Self propagating code. Searches for communication vulnerabilities and uses them to infect more computers at an exponential rate.
Overview - Threats
Humans
White Hats Good Hackers searching for vulnerabilities in order to report them and increase security awareness Black Hats Hackers with personal gain or mayhem in mind. Break into systems in order to steal or corrupt data. Script Kiddies Tool users. No real understanding of what the are doing. Techniques usually include scanning for a system and then hammering it with various tools in order to find a vulnerability.
Vulnerabilities check
N-Stealth Security Scanner
Based On
Visual C++ .net Visual Basic .net (GUI) Winsock2 ODBC
Honeypot Architecture
Deployment:
The
Honeypot
Honeypot Architecture
The program is divided into two main applications.
GUI Allows an easy way of starting and stopping the servers, searching through collected data and displaying statistics Honeypot_Core Creates and maintains the servers. Collects the data from the users and updates the databases
Honeypot Architecture
Block Diagram
Honeypot Architecture
Communication between GUI and core is done over Winsock Why Winsock? Answer:
There were many available options:
RPC, Signaling, Shared memory, And much more
We wanted to allow for the expansion of the deployment scheme. Suppose you want to run multiple instances of the core on different computers. Using Winsock allows running the GUI on one machine while controlling others over the network
Honeypot Architecture HTTPServer The purpose is to catch malicious http strings sent as innocent requests The http server emulates a Microsoft IIS 5.0 web server The emulation displays only one page taken from index.htm The Honeypot is completely safe from all attacks since it does actually try to execute any commands sent at it. Its default response is Not implemented
HTTPServer
Honeypot Architecture TELNETServer The purpose is to observe the usernames and passwords attackers will try when hacking a telnet server This will allow the creation of a common used passwords database so that users can be advised (or required) as to what passwords not to use It can also help detecting stolen passwords The server emulates nothing more than the login handshake. All logins fail
Summery
Honeypots are a cheap and simple way to add protection to a network Honeypots allow the study of attackers methods of operation. And help developing new ways for countering them.