


SEMINAR REPORT ON

HONEYPOT

SUBMITTED TO: Hon. Parveen Singh

SUBMITTED BY: Sidharth Gupta

B.E (ECE)

Sem VII, 2012

DECLARATION
I hereby declare that the SEMINAR REPORT entitled "Honeypot" is a record of my own work carried out as per the requirements for the award of the degree of B.E. (E&CE) at Mahant Bachittar Singh College of Engineering & Technology, Jammu.

DATE :

Sidharth Gupta (En. No. 37/09)

Certified that the above statements made by the student are correct to the best of my knowledge and belief.

Mr. Parveen Singh (H.O.D., E&CE)

Mrs. Shalini Sharma (Teacher In-charge)

ACKNOWLEDGEMENT
First and foremost, I would like to thank my respected parents, who always encouraged me and taught me to think and work innovatively, whatever the field of life, and my sincere thanks to all the staff members and friends for instilling in me a sense of self-confidence and encouraging me to be the best in whatever I opt to do.

Sidharth Gupta (En. No. 37/09)

ABSTRACT
The Internet is growing fast, doubling its number of websites every 53 days, and the number of people using the Internet is also growing. Hence, global communication is increasing. Countermeasures are developed to detect or prevent attacks; most of these measures are based on known facts and known attack patterns. Countermeasures such as firewalls and network intrusion detection systems are based on prevention, detection and reaction mechanisms; but is there enough information about the enemy? As in the military, it is important to know who the enemy is, what kind of strategy he uses, what tools he utilizes and what he is aiming for. Gathering this kind of information is not easy, but it is important. By knowing attack strategies, countermeasures can be improved and vulnerabilities can be fixed. Gathering as much information as possible is one main goal of a honeypot. Generally, such information gathering should be done silently, without alarming the attacker. All the gathered information leads to an advantage on the defending side and can therefore be used on production systems to prevent attacks.

CONTENTS

Declaration
Acknowledgement
Abstract
CHAPTER 1 INTRODUCTION
  1.1 Basics
  1.2 Etymology
  1.3 History of Honeypot
CHAPTER 2 CLASSIFICATION
  2.1 Level of Interaction
    2.1.1 Low Interaction
    2.1.2 High Interaction
  2.2 Implementation
    2.2.1 Physical
    2.2.2 Virtual
  2.3 Purpose
    2.3.1 Production
    2.3.2 Research
CHAPTER 3 WORKING OF HONEYPOT
  3.1 Prevention
  3.2 Detection
  3.3 Response
CHAPTER 4 ADVANTAGES OF HONEYPOT
CHAPTER 5 DISADVANTAGES OF HONEYPOT
CHAPTER 6 VARIOUS HONEYPOTS
  6.1 BackOfficer Friendly (BOF)
  6.2 Specter
  6.3 Homemade Honeypots
  6.4 Honeyd
  6.5 Mantrap
  6.6 Honeynets
CHAPTER 7 GOOGLE HACK HONEYPOT (GHH)
CHAPTER 8 FUTURE OF HONEYPOT
BIBLIOGRAPHY

CHAPTER 1 INTRODUCTION

A honeypot is primarily an instrument for information gathering and learning. Its primary purpose is not to be an ambush for the blackhat community, catching attackers in the act in order to press charges against them. The focus lies on silently collecting as much information as possible about their attack patterns, the programs they use, the purpose of the attack and the blackhat community itself. All this information is used to learn more about how blackhats proceed and what motivates them, as well as their technical knowledge and abilities. This is just the primary purpose of a honeypot. There are many other possibilities: diverting hackers from production systems or catching a hacker while an attack is in progress are just two examples. Honeypots are not a perfect solution for solving or preventing computer crimes.

1.1 BASICS

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. Honeypots are closely monitored network decoys serving several purposes: they can distract adversaries from more valuable machines on a network, they can provide early warning about new attack and exploitation trends, and they allow in-depth examination of adversaries during and after exploitation of a honeypot. In short, a honeypot:

- has no production value; anything going to or from a honeypot is likely a probe, attack or compromise;
- is used for monitoring, detecting and analysing attacks;
- does not solve a specific problem; instead, honeypots are a highly flexible tool with different applications to security;
- is a trap set to detect and deflect attempts at unauthorized use of information systems. It consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected. Whatever it captures is supposed to be malicious and unauthorized.

An example of a honeypot is a system used to simulate one or more network services that you designate on your computer's ports. An attacker assumes you are running vulnerable services that can be used to break into the machine. This kind of honeypot can be used to log access attempts to those ports, including the attacker's keystrokes, which could give you advance warning of a more concerted attack.

1.2 Etymology

The term "honeypot" is often understood to refer to the English children's character Winnie-the-Pooh, a stuffed bear who was lured into various predicaments by his desire for pots of honey. During the Cold War it was an espionage technique, which inspired spy fiction: the term "honeypot" described the use of a woman to obtain secret information. In a common scenario, an attractive female Communist agent would trick a male Western official into handing over secret information. An alternative explanation for the term is a reflection of the sarcastic term for outhouses and other methods of collecting faeces and other human waste in places that lack indoor plumbing. Honey is a euphemism for such waste, which is kept in a honeypot until it is picked up by a honey wagon and taken to a disposal area. In this usage, attackers are the equivalent of flies, drawn by the stench of sewage.


1.3 History of Honeypot

The concept of the honeypot is not new. In fact, as early as 1991 a number of publications expounded on concepts that were to be the foundations of today's honeypot development. Two publications in particular stood out.

1990/1991 - The Cuckoo's Egg and An Evening with Berferd

Clifford Stoll was an astrophysicist turned systems manager at Lawrence Berkeley Lab. Thanks to a 75-cent accounting error he was able to track down a hacker who was using their computers as a launching pad to hack hundreds of military, industrial and academic computers in search of secrets. His book The Cuckoo's Egg, published in 1989, detailed his experiences through this three-year incident, in which he observed the hacker and subsequently gathered information that led to the hacker's arrest. The other publication of particular note during this period was An Evening with Berferd by the well-respected Internet security expert Bill Cheswick. In the paper, Mr. Cheswick describes how he and his colleagues set up their "jail" machine, also known as a roach motel, in which they chronicled a hacker's movements and the bait and traps they used to lure and detect him.

1997 - Deception Toolkit

The Deception Toolkit is one of the original and landmark honeypots. It is essentially a collection of Perl scripts designed for UNIX systems that emulate a variety of known vulnerabilities. The concept put forward by the DTK is deceptive defense, which is now central to honeypot concepts and implementations.

1998 - CyberCop Sting

CyberCop Sting is a component of the CyberCop intrusion protection software family, which runs on Windows NT. CyberCop Sting has also been referred to as a decoy server, for it can simulate a network containing several different types of network devices, including Windows NT servers, Unix servers and routers. Each of these decoys has the ability to track, record and report intrusive activity to network and security administrators. As with the DTK, each of these decoys can run simulated services. However, as with most simulated or low-interaction honeypots, CyberCop Sting can only simulate limited functionality, such as telnet logins or SMTP banners, which limits its ability to deceive and to study hackers in the long term.

1998 - NetFacade (and Snort)

As with CyberCop Sting, NetFacade creates a simulated network of hosts, with simulated IP addresses, running seemingly vulnerable services, but on a much larger scale. NetFacade can simulate an entire class C network of up to 254 systems. It can also simulate seven different operating systems with a variety of different services.

1998 - BackOfficer Friendly

BackOfficer Friendly runs on Windows and was free, giving more people access to honeypot technology. Though it did not offer much functionality, it was still a very useful piece of software, which demonstrated the concepts of the honeypot to many people who were not familiar with them at the time.

1999 - Formation of the Honeynet Project

A group of people led by Lance Spitzner decided to form the Honeynet Project. The Honeynet Project is a non-profit group dedicated to researching the blackhat community and sharing its work with others. Its primary tool for research is the honeynet, an advanced form of honeypot.

2003 - Some Honeypot Tools

In 2003 several important honeypot tools were introduced through these organizations, such as Snort-Inline, Sebek and advanced virtual honeynets.

- Snort-Inline augmented Snort to block and disable attacks instead of just detecting them.
- Sebek provided a means to capture hacker activities in honeypots by logging their keystrokes.
- Virtual honeynets provided a means to deploy multiple honeynets with just one computer.

CHAPTER 2 CLASSIFICATION OF HONEYPOT

Honeypots are classified along three axes:

- by level of interaction: low or high;
- by implementation: physical or virtual;
- by purpose: production or research.

2.1 Level of Interaction

Interaction defines the level of activity a honeypot allows an attacker. There are two categories, low interaction and high interaction, and knowing which one you are dealing with tells you a honeypot's strengths and weaknesses.

2.1.1 Low Interaction

Low-interaction honeypots have limited interaction; they normally work by emulating services and operating systems. Attacker activity is limited to the level of emulation provided by the honeypot. In summary, a low-interaction honeypot simulates some aspects of a system, is easy to deploy with minimal risk, and yields limited information.

Advantages: its simplicity. These honeypots tend to be easier to deploy and maintain, with minimal risk. Usually they involve installing software, selecting the operating systems and services you want to emulate and monitor, and letting the honeypot go from there. This plug-and-play approach makes deploying them very easy for most organizations. The emulated services mitigate risk by containing the attacker's activity: the attacker never has access to an operating system from which to attack or harm others.

Disadvantages: they log only limited information and are designed to capture known activity. It is also easier for an attacker to detect a low-interaction honeypot; no matter how good the emulation is, a skilled attacker can eventually detect its presence. Examples of low-interaction honeypots include Specter, Honeyd and KFSensor.

2.1.2 High Interaction

High-interaction honeypots are different; they are usually complex solutions, as they involve real operating systems and applications. Nothing is emulated; we give attackers the real thing. If you want a Linux honeypot running an FTP server, you build a real Linux system running a real FTP server. In summary, a high-interaction honeypot provides all aspects of the OS on a real system, can be compromised completely (higher risk), and yields more information. A honeynet is the typical example.

Advantages: extensive amounts of information can be captured. By giving attackers real systems to interact with, you can learn the full extent of their behaviour, everything from new rootkits to international IRC sessions. High-interaction honeypots make no assumptions about how an attacker will behave. Instead, they provide an open environment that captures all activity. This allows high-interaction solutions to learn behaviour we would not expect.

Disadvantages: the risk of the honeypot increases, as attackers can use the real operating system to attack non-honeypot systems. As a result, additional technologies have to be implemented that prevent the attacker from harming other, non-honeypot systems.
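The containment the previous paragraph calls for is normally enforced at a gateway in front of the honeypot: anything may come in, but what the decoy sends out is counted and cut off. The following is an added example and not code from the report or from any honeypot product. It implements a small outbound-connection limiter in Python, with per-protocol budgets in a sliding window; the addresses, budgets and flow records are constructed for the example.

```python
"""Outbound-connection limiting ("data control") in front of a high-interaction honeypot.

Added example, not from the report or from any honeypot product.  The gateway
lets anything in to the decoy (that is the point) but counts the connections
the decoy itself opens to the outside, per protocol, in a sliding window, and
drops them once a budget is used up.  A compromised decoy can then still be
watched, but cannot be turned into a scanner or flood source against third parties.
Addresses, budgets and the flow records below are constructed for the example.
"""
from collections import deque

# Assumed budgets: outbound connections allowed per protocol per window.
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50}
WINDOW_SECONDS = 3600


class OutboundLimiter:
    """Stateful allow/drop decision for each new connection seen at the gateway."""

    def __init__(self, honeypot_ips, limits=LIMITS, window=WINDOW_SECONDS):
        self.honeypot_ips = set(honeypot_ips)
        self.limits = limits
        self.window = window
        self.history = {}  # proto -> deque of timestamps of allowed outbound connections

    def decide(self, ts, src, dst, proto):
        """Return "allow" or "drop" for one connection attempt (ts in seconds)."""
        if src not in self.honeypot_ips:
            return "allow"  # inbound or unrelated traffic is never limited here
        if dst in self.honeypot_ips:
            return "allow"  # decoy-to-decoy traffic stays inside the honeynet
        q = self.history.setdefault(proto, deque())
        while q and ts - q[0] >= self.window:
            q.popleft()  # forget connections that fell out of the sliding window
        if len(q) >= self.limits.get(proto, 0):
            return "drop"  # budget exhausted; unknown protocols have budget 0
        q.append(ts)
        return "allow"


def replay(flows, honeypot_ips):
    """Run a list of (ts, src, dst, proto) records through a fresh limiter."""
    limiter = OutboundLimiter(honeypot_ips)
    return [limiter.decide(*flow) for flow in flows]


def summarize(decisions):
    return {"allow": decisions.count("allow"), "drop": decisions.count("drop")}


# Constructed flows: an attacker logs in to the decoy 10.0.0.5, then uses it to
# sweep 17 outside hosts; one more connection arrives after the window has passed.
SAMPLE_FLOWS = (
    [(0, "203.0.113.7", "10.0.0.5", "tcp")]
    + [(10 + i, "10.0.0.5", "192.0.2.%d" % (i + 1), "tcp") for i in range(17)]
    + [(4000, "10.0.0.5", "192.0.2.99", "tcp")]
)

if __name__ == "__main__":
    decisions = replay(SAMPLE_FLOWS, ["10.0.0.5"])
    for flow, verdict in zip(SAMPLE_FLOWS, decisions):
        print(verdict, flow)
    print(summarize(decisions))
```

On the constructed flows the inbound login and the first 15 outbound connections are allowed, the 16th and 17th are dropped, and the connection an hour later is allowed again because the window has emptied. The budget is deliberately small: an attacker needs a handful of outbound connections to fetch tools or join IRC, which is exactly the activity worth observing, but nowhere near the hundreds a scan or flood requires.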

[Figure: the interaction spectrum, from low (a fake daemon) through the operating system and disk to high (other local resources).]

Difference between low-interaction and high-interaction honeypots

Aspect        Low-interaction                                       High-interaction
Emulation     Emulates operating systems and services.              No emulation; real operating systems and services are provided.
Deployment    Easy to install and deploy; usually requires simply   Can be complex to install or deploy (commercial versions tend
              installing and configuring software on a computer.    to be much simpler).
Risk          Minimal, as the emulated services control what        Increased, as attackers are provided real operating systems
              attackers can and cannot do.                          to interact with.
Information   Captures limited amounts of information, mainly       Can capture far more information, including new tools,
              transactional data and some limited interaction.      communications or attacker keystrokes.

2.2 Implementation - Physical and Virtual Honeypots

A physical honeypot is a real machine on the network with its own IP address. Physical honeypots are real machines, have their own IP addresses, and are often high-interaction.

A virtual honeypot is simulated by another machine that responds to network traffic sent to the virtual honeypot. Virtual honeypots are simulated by other machines that respond to the traffic sent to the honeypots, and one machine may simulate a lot of different virtual honeypots at the same time. A virtual honeypot is a software program designed to appear to be a real functioning network but which is actually a decoy built specifically to be probed and attacked by malicious users. In contrast to a physical honeypot, which is a hardware device that lures users into its trap, a virtual honeypot uses software to emulate a network.

Physical honeypots are often high-interaction, allowing the system to be compromised completely, and they are expensive to install and maintain. For large address spaces it is impractical or impossible to deploy a physical honeypot for each IP address; in that case we need to deploy virtual honeypots.

2.3 Purpose - Production and Research Honeypots

Production honeypots are systems that help mitigate risk in your organization or environment. They provide specific value to securing your systems and networks. Their job is to take care of the bad guys.

Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military or government organizations. They can be used for the following:

- To capture automated threats, such as worms or auto-rooters. By quickly capturing these weapons and analysing their malicious payload, organizations can better react to and neutralize the threat.
- As an early warning mechanism, predicting when future attacks will happen. This works by deploying multiple honeypots in different locations and organizations. The data collected from these research honeypots can then be used for statistical modelling, predicting future attacks. Attacks can then be identified and stopped before they happen.
- To capture unknown tools or techniques.
- To better understand attackers' motives and organization. By capturing their activity after they break into a system, such as communications among each other, we can better understand who our threat is and why they operate.
- To gain information on advanced blackhats.

CHAPTER 3 WORKING OF HONEYPOT

[Figure: working of a honeypot. Labels: Attackers, Gateway, HoneyPot A, Monitor, Attack Data, No Connection, Prevent, Detect, Response.]

The three categories are as follows.

3.1 Prevention

In terms of security, prevention means keeping the bad guys out. If you were to secure your house, prevention would be similar to placing deadbolt locks on your doors, locking your windows, and perhaps installing a chain-link fence around your yard. You are doing everything possible to keep out the threat. The security community uses a variety of tools to prevent unauthorized activity. Examples include firewalls, which control what traffic can enter or leave a network, and authentication, such as strong passwords, digital certificates or two-factor authentication, which requires individuals or resources to properly identify themselves. Based on this authentication, one can determine who is authorized to access resources. Mechanisms such as encryption prevent attackers from reading or accessing critical information, such as passwords or confidential documents.

What role do honeypots play here? How do honeypots keep out the bad guys? Honeypots add little value to prevention, since they do not deter the enemy. In fact, if incorrectly implemented, a honeypot may introduce risk, providing an attacker a window into an organization. Two concepts are nevertheless put forward. The deception concept is to have attackers waste time and resources attacking honeypots, as opposed to attacking production systems. The deterrence concept is that if attackers know there are honeypots in an organization, they may be scared off, as they do not want to be detected or do not want to waste their time or resources attacking honeypots. Both concepts are psychological weapons used to confuse a human attacker, but most attacks are performed by automated tools such as auto-rooters or worms, so deception or deterrence cannot prevent these attacks: there is no conscious individual to deter or deceive. Both concepts fail to prevent the most common of attacks, targets of opportunity. These attackers use automated tools that hack into systems for them. They do not spend time analysing the systems they target; they merely take a shotgun approach, hitting as many computers as possible and seeing what they get into.

The time and resources involved in deploying honeypots for preventing attacks, especially prevention based on deception or deterrence, is therefore time better spent on security best practices. As long as you have vulnerable systems, you will be hacked. No honeypot can prevent that.

3.2 Detection

The second tier of security is detection, the act of detecting and alerting on unauthorized activity. If you were to secure your house, detection would be the installation of burglar alarms and motion detectors. These alarms go off when someone breaks in. In case the window was left open or the lock on the front door was picked, we want to detect the burglar if they get into our house. Within the world of information security we have the same challenge. Sooner or later prevention will fail, and the attacker will get in. There are a variety of reasons why this failure can happen: a firewall rule base may be misconfigured, an employee may use an easy-to-guess password, or a new vulnerability may be discovered in an application. There are numerous methods for penetrating an organization. Prevention can only mitigate risk; it will never eliminate it. Within the security community, Network Intrusion Detection Systems (NIDS) are designed to monitor networks and detect any malicious activity. They do not keep out the bad guys, but they alert us if someone is trying to get in and if they are successful.

How do honeypots help detect unauthorized or suspicious activity? While honeypots add limited value to prevention, they add extensive value to detection. For many organizations, detection is extremely difficult. Three common challenges of detection are:

- False positives: when systems falsely alert on suspicious or malicious activity. What a system thought was an attack or exploit attempt was actually valid production traffic.
- False negatives: the exact opposite, when an organization fails to detect an attack.
- Data aggregation: centrally collecting all the data used for detection and then corroborating that data into valuable information.

A single false positive is not a problem. The problem occurs when these false alerts happen hundreds or even thousands of times a day. System administrators may receive so many alerts in one day that they cannot respond to all of them, and hence start ignoring the false positive alerts as they come in day after day. Network Intrusion Detection Systems are very familiar with false positives. The only solution to false positives is to modify the system not to alert on valid production traffic. This is an extremely time-consuming process, requiring highly skilled individuals who understand network traffic, system logs and application activity. A false negative is when a system fails to detect a valid attack. The risk is that a successful attack may occur, but the systems fail to detect and alert on the activity. NIDS not only face the challenge of false positives but also have problems with false negatives. The third challenge to detection is data aggregation. Modern technology is extremely effective at capturing extensive amounts of data. NIDS, system logs, application logs: all of these resources are very good at capturing and generating gigabytes of data. The challenge becomes how to aggregate all this data so it has value in detecting and confirming an attack.

Due to their simplicity, honeypots effectively address the three challenges of detection: false positives, false negatives and data aggregation. Most honeypots have no production traffic, so there is little activity to generate false positives. Honeypots address false negatives because they are not easily defeated by new exploits. In fact, one of their primary benefits is that they can detect a new attack by virtue of system activity, not signatures: anything sent their way is suspect. The simplicity of honeypots also addresses the third issue, data aggregation. Honeypots address this issue by creating very little data. There is no valid production traffic to be logged, collected or aggregated. Honeypots generate only several megabytes of data a day, most of which is of high value. This makes it extremely easy to extract useful information from honeypots.
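The three detection claims above can be checked on ordinary firewall logs once a few unused addresses are declared honeypots. The following is an added example, not from the report or from any product: a short Python detector that alerts on any source contacting a honeypot address (no signature, so no false negatives for a new exploit, and no legitimate traffic, so no false positives), and then aggregates what else that source touched. The log format, the addresses and the sample lines are constructed for the example.

```python
"""Using honeypot addresses as a burglar alarm over ordinary firewall logs.

Added example, not from the report or from any product.  Two unused
addresses are declared honeypots; because nothing legitimate ever talks to
them, any packet that does is an alert with essentially no false positives,
and no signature is needed, so a brand-new exploit is caught as readily as an
old one.  The aggregation step then lists which other hosts the same source
touched, which is the information an incident responder wants first.
The log format, addresses and sample lines are constructed.
"""
import re
from collections import defaultdict

# Addresses that have no production role; nobody should ever talk to them.
HONEYPOT_IPS = {"10.0.0.40", "10.0.0.41"}

# Assumed firewall log format: "<ts> src=<ip> dst=<ip> dport=<n> proto=<p> action=<a>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


def parse_line(line):
    """Return a dict for one log line, or None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def honeypot_alerts(lines, honeypot_ips=HONEYPOT_IPS):
    """Alert on every source that touched a honeypot, with aggregation.

    Returns one alert per offending source, ordered by first honeypot
    contact, each listing the honeypot ports it probed and every
    non-honeypot host it also contacted in the same log.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_src[rec["src"]].append(rec)

    alerts = []
    for src, recs in by_src.items():
        hits = [r for r in recs if r["dst"] in honeypot_ips]
        if not hits:
            continue  # never touched a decoy: no alert, whatever else it did
        alerts.append({
            "src": src,
            "first_seen": hits[0]["ts"],
            "honeypot_ports": sorted({r["dport"] for r in hits}),
            "also_contacted": sorted({r["dst"] for r in recs if r["dst"] not in honeypot_ips}),
        })
    alerts.sort(key=lambda a: a["first_seen"])
    return alerts


# Constructed sample: one legitimate DNS lookup, one scanner that sweeps a
# honeypot and then a real server, one host that only touched a decoy, and
# one line the parser cannot read.
SAMPLE_LOG = """\
2012-10-03T14:02:11Z src=10.0.0.12 dst=10.0.0.2 dport=53 proto=udp action=accept
2012-10-03T14:05:40Z src=198.51.100.23 dst=10.0.0.40 dport=22 proto=tcp action=accept
2012-10-03T14:05:41Z src=198.51.100.23 dst=10.0.0.40 dport=445 proto=tcp action=accept
2012-10-03T14:05:45Z src=198.51.100.23 dst=10.0.0.10 dport=22 proto=tcp action=accept
kernel: eth0: link is up
2012-10-03T14:09:02Z src=203.0.113.9 dst=10.0.0.41 dport=80 proto=tcp action=accept
"""

if __name__ == "__main__":
    for alert in honeypot_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample the internal DNS lookup produces nothing, the scanner is reported with the two honeypot ports it probed and the production host 10.0.0.10 it went on to contact, and the second source is reported with only its honeypot contact. The "also_contacted" list is the aggregation step: it turns a single alarm into the list of systems an incident responder must go and check.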

3.3 Response

Once we detect a successful attack, we need the ability to respond. When securing our house, we want to be sure someone can protect us in case of a break-in. Often house burglar alarms are wired to monitoring stations or the local police department. When an alarm goes off, the proper authorities are alerted and can quickly react, protecting your house. The same logic applies to securing your organization. Honeypots add value to the response aspect of security. When an attacker breaks into a system, their actions leave evidence, evidence that can be used to determine how the attacker got in, what they did once they gained control of the system, and who they were. It is this evidence that is critical to capture. Without it, organizations cannot effectively respond to the incident. Honeypots help address these challenges to response capability. Remember, a honeypot has no production activity, so this helps with the problem of data pollution. When a honeypot is compromised, the only real activity on the system is the activity of the attacker, helping to maintain its integrity. Imagine a crime at a train station where there are no people or trains coming or going: evidence such as fingerprints or hair samples is far more likely to remain intact. The same is true for honeypots. Honeypots can also easily be taken offline for further analysis. Since honeypots provide no production services, organizations can easily take them down for analysis without impacting business activity.

CHAPTER 4 ADVANTAGES OF HONEYPOT

Honeypots are a tremendously simple concept, which gives them some very powerful strengths.

Small data sets of high value: honeypots collect small amounts of information. Instead of logging one GB of data a day, they can log only one MB of data a day. Instead of generating 10,000 alerts a day, they can generate only 10 alerts a day. Remember, honeypots only capture bad activity; any interaction with a honeypot is most likely unauthorized or malicious activity. As such, honeypots reduce noise by collecting only small data sets, but information of high value, as it is only the bad guys. This means it is much easier (and cheaper) to analyse the data a honeypot collects and derive value from it.

New tools and tactics: honeypots are designed to capture anything thrown at them, including tools or tactics never seen before.

Minimal resources: honeypots require minimal resources; they only capture bad activity. This means an old Pentium computer with 128 MB of RAM can easily handle an entire class B network sitting off an OC-12 link.

Encryption or IPv6: unlike most security technologies (such as IDS systems), honeypots work fine in encrypted or IPv6 environments, because the honeypot is itself the endpoint of the connection and sees the traffic after it has been decrypted. It does not matter what the bad guys throw at a honeypot; the honeypot will detect and capture it.

Information: honeypots can collect in-depth information that few, if any, other technologies can match.

Simplicity: finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update. The simpler a technology, the less likely there will be mistakes or misconfigurations.

CHAPTER 5 DISADVANTAGES OF HONEYPOT

Like any technology, honeypots also have their weaknesses. It is because of this that they do not replace any current technology, but work with existing technologies.

Limited view: honeypots can only track and capture activity that directly interacts with them. Honeypots will not capture attacks against other systems, unless the attacker or threat interacts with the honeypots as well.

Risk: all security technologies have risk. Firewalls have the risk of being penetrated, encryption has the risk of being broken, IDS sensors have the risk of failing to detect attacks. Honeypots are no different; they have risk as well. Specifically, honeypots have the risk of being taken over by the bad guy and used to harm other systems. This risk varies for different honeypots. Depending on the type of honeypot, it can have no more risk than an IDS sensor, while some honeypots have a great deal of risk.

CHAPTER 6 VARIOUS HONEYPOTS

6.1 BackOfficer Friendly

BOF (as it is commonly called) is a very simple but highly useful honeypot developed by Marcus Ranum and his crew at NFR. It is an excellent example of a low-interaction honeypot and a great way to introduce a beginner to the concepts and value of honeypots. BOF is a program that runs on most Windows-based operating systems. All it can do is emulate some basic services, such as HTTP, FTP, telnet, mail or Back Orifice. Whenever someone attempts to connect to one of the ports BOF is listening on, it logs the attempt. BOF also has the option of faking replies, which gives the attacker something to connect to. This way one can log HTTP attacks, telnet brute-force logins or a variety of other activity (see screenshot). The value of BOF is in detection, similar to a burglar alarm. It can monitor only a limited number of ports, but these ports often represent the most commonly scanned and targeted services.

6.2 Specter

Specter is a commercial product and another low-interaction production honeypot. It is similar to BOF in that it emulates services, but it can emulate a far greater range of services and functionality. In addition, it can emulate not only services but a variety of operating systems. Similar to BOF, it is easy to implement and low risk. Specter works by installing on a Windows system. The risk is reduced as there is no real operating system for the attacker to interact with. For example, Specter can emulate a web server or telnet server of any operating system. When an attacker connects, they are prompted with an HTTP header or login banner. The attacker can then attempt to gather web pages or log in to the system. This activity is captured and recorded by Specter; however, there is little else the attacker can do. There is no real application for the attacker to interact with, just some limited, emulated functionality. Specter's value lies in detection. It can quickly and easily determine who is looking for what. As a honeypot, it reduces both false positives and false negatives, simplifying the detection process. Specter also supports a variety of alerting and logging mechanisms; an example of this functionality is shown in a screenshot of Specter. One of the unique features of Specter is that it also allows for information gathering, the automated ability to gather more information about the attacker. Some of this information gathering is relatively passive, such as Whois or DNS lookups. However, some of this research is active, such as port scanning the attacker.

6.3 Homemade Honeypots

Another common honeypot is the homemade one. These honeypots tend to be low interaction. Their purpose is usually to capture specific activity, such as worms or scanning activity. They can be used as production or research honeypots, depending on their purpose. Once again, there is not much for the attacker to interact with; however, the risk is reduced because there is less damage the attacker can do. One common example is creating a service that listens on port 80 (HTTP) and captures all traffic to and from the port. This is commonly done to capture worm attacks. Homemade honeypots can be modified to do (and emulate) much more, requiring a higher level of involvement and incurring a higher level of risk. For example, FreeBSD has a jail facility, allowing an administrator to create a controlled environment within the operating system. The attacker can then interact with this controlled environment. The value here is that the more the attacker can do, the more can potentially be learned. However, care must be taken, as the more functionality the attacker can interact with, the more can go wrong, with the honeypot potentially compromised.

6.4 Honeyd

Created by Niels Provos, Honeyd is an extremely powerful, open source honeypot. Designed to run on Unix systems, it can emulate over 400 different operating systems and thousands of different computers, all at the same time. Honeyd introduces some exciting new features. First, not only does it emulate operating systems at the application level, like Specter, but it also emulates operating systems at the IP stack level. This means that when someone Nmaps the honeypot, both the service and the IP stack behave as the emulated operating system. Currently no other honeypot has this capability. Second, Honeyd can emulate hundreds if not thousands of different computers all at the same time. While most honeypots can only emulate one computer at any point in time, Honeyd can assume the identity of thousands of different IP addresses. Third, as an open source solution, not only is it free to use, but it will grow exponentially as members of the security community develop code. Honeyd is primarily used for detecting attacks. It works by monitoring IP addresses that are unused, that is, addresses that have no system assigned to them. Whenever an attacker attempts to probe or attack a non-existent system, Honeyd, through ARP spoofing, assumes the IP address of the victim and then interacts with the attacker through emulated services. These emulated services are nothing more than scripts that react to predetermined actions. For example, a script can be developed to behave like a Telnet service for a Cisco router, with the Cisco IOS login interface. Honeyd's emulated services are also open source, so anyone can develop and use their own. The scripts can be written in almost any language, such as shell or Perl. Once connected, the attacker believes they are interacting with a real system. Not only can Honeyd dynamically interact with attackers, but it can detect activity on any port. Most low interaction honeypots are limited to detecting attacks only on the ports that have emulated services listening on them. Honeyd is different: it detects and logs connections made to any port, regardless of whether there is a service listening. The combined capabilities of assuming the identity of non-existent systems and detecting activity on any port give Honeyd incredible value as a tool to detect unauthorized activity. I highly encourage people to check it out, and if possible to contribute new emulated services.
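As an added example (not from the report and not one of Honeyd's own scripts), here is an emulated service of the kind the paragraph describes: a fake Cisco IOS telnet login that Honeyd would start once per connection, with the attacker's input arriving on stdin and the replies going back over the wire from stdout. The HONEYD_IP_SRC and HONEYD_SRC_PORT environment variables and the exact IOS prompt wording are assumptions to check against your Honeyd version and the device you want to mimic.

```python
"""Honeyd-style emulated service: a fake Cisco IOS telnet login (added example).
Honeyd runs one copy of a service script per connection, feeds the attacker's
bytes to stdin and relays stdout back over the wire. The decoy never grants
access; it only records what was tried and hangs up the way IOS would.
"""
import os
import sys
import time

BANNER = "\r\nUser Access Verification\r\n\r\n"   # approximates IOS wording
MAX_ATTEMPTS = 3                                    # IOS drops the line after 3

class FakeIosLogin:
    """State for one telnet session: alternating Username/Password prompts."""
    def __init__(self, src_ip="unknown", src_port="0"):
        self.src = f"{src_ip}:{src_port}"
        self.attempts = []       # (username, password) pairs the attacker tried
        self._username = None    # set between the Username and Password prompts
        self.closed = False

    def feed(self, line):
        """Consume one line typed by the attacker; return the text to send back."""
        line = line.rstrip("\r\n")
        if self._username is None:
            self._username = line
            return "Password: "
        self.attempts.append((self._username, line))
        self._username = None
        if len(self.attempts) >= MAX_ATTEMPTS:
            self.closed = True           # mimic IOS hanging up after 3 failures
            return "% Bad passwords\r\n"
        return "% Login invalid\r\n\r\nUsername: "

    def log_lines(self, now=None):
        """One line per credential attempt, ready for the honeypot's log."""
        now = now or time.strftime("%Y-%m-%dT%H:%M:%S")
        return [f"{now} honeyd-ios src={self.src} user={u!r} pass={p!r}"
                for u, p in self.attempts]

def main():
    # Assumption: Honeyd exports the peer address in these variables.
    session = FakeIosLogin(os.environ.get("HONEYD_IP_SRC", "unknown"),
                           os.environ.get("HONEYD_SRC_PORT", "0"))
    print(BANNER + "Username: ", end="", flush=True)
    for line in sys.stdin:                   # Honeyd relays the attacker's input here
        print(session.feed(line), end="", flush=True)
        if session.closed:
            break
    # stderr never reaches the attacker; route it to your log collector.
    sys.stderr.write("\n".join(session.log_lines()) + "\n")

if __name__ == "__main__":
    main()
```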


6.5 Mantrap
Produced by Recourse, Mantrap is a commercial honeypot. Instead of emulating services, Mantrap creates up to four sub-systems, often called 'jails'. These 'jails' are logically discrete operating systems separated from a master operating system (see Diagram). Security administrators can modify these jails just as they normally would any operating system, including installing applications of their choice, such as an Oracle database or Apache web server. This makes the honeypot far more flexible, as it can do much more. The attacker has a full operating system to interact with, and a variety of applications to attack. All of this activity is then captured and recorded. Not only can we detect port scans and telnet logins, but we can capture rootkits, application level attacks, IRC chat sessions, and a variety of other threats. However, just as far more can be learned, so can more go wrong. Once compromised, the attacker can use that fully functional operating system to attack others. Care must be taken to mitigate this risk. As such, it can be categorized as a mid-high level of interaction. Also, these honeypots can be used as either a production honeypot (used both in detection and reaction) or a research honeypot to learn more about threats. There are limitations to this solution. The biggest one is that we are limited to only what the vendor supplies us. Currently, Mantrap only exists on the Solaris operating system.


6.7 Honeynets
Honeynets represent the extreme of research honeypots. They are high interaction honeypots from which one can learn a great deal; however, they also carry the highest level of risk.

Their primary value lies in research, gaining information on threats that exist in the Internet community today. A Honeynet is a network of production systems. Unlike many of the honeypots discussed so far, nothing is emulated. Little or no modification is made to the honeypots. The idea is to have an architecture that creates a highly controlled network, one where all activity is controlled and captured. Within this network we place our intended victims, real computers running real applications. The bad guys find, attack, and break into these systems on their own initiative. When they do, they do not realize they are within a Honeynet. This gives the attackers a full range of systems, applications, and functionality to attack. All of their activity, from encrypted SSH sessions to emails and file uploads, is captured without them knowing it. This is done by inserting kernel modules on the victim systems that capture all of the attacker's actions. From this we can learn a great deal: not only their tools and tactics, but their methods of communication, group organization, and motives. However, with this capability comes a great deal of risk. A variety of measures must be taken to ensure that once compromised, a Honeynet cannot be used to attack others. Honeynets do this using a Honeywall gateway. This gateway allows inbound traffic to the victim systems, but controls the outbound traffic using intrusion prevention technologies. This gives the attacker the flexibility to interact with the victim systems, but prevents the attacker from harming other non-Honeynet computers. Honeynets are primarily research honeypots. They could be used as production honeypots, specifically for detection or reaction; however, it is most likely not worth the time and effort.

We have reviewed six different types of honeypots. No one honeypot is better than another; each has its advantages and disadvantages, and it all depends on what is to be achieved. To more easily define the capabilities of honeypots, we have categorized them based on their level of interaction. The greater the interaction an attacker has, the more we can learn, but the greater the risk. For example, BOF and Specter represent low interaction honeypots. They are easy to deploy and have minimal risk. However, they are limited to emulating specific services and operating systems, and are used primarily for detection. Mantrap and Honeynets represent mid-to-high interaction honeypots. They can give far greater depth of information; however, more work and greater risk are involved.


CHAPTER 7 Google Hack Honeypot

GHH is the reaction to a new type of malicious web traffic: search engine hackers. GHH is a Google Hack Honeypot. It is designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources. GHH implements honeypot theory to provide additional security to your web presence. Google has developed a powerful tool. The search engine that Google has implemented allows for searching an immense amount of information. The Google index has swelled past 8 billion pages [February 2005] and continues to grow daily. Mirroring the growth of the Google index, the spread of web-based applications such as message boards and remote administrative tools has resulted in an increase in the number of misconfigured and vulnerable web apps available on the Internet. These insecure tools, when combined with the power of the search engine and index which Google provides, result in a convenient attack vector for malicious users. GHH is a tool to combat this threat. GHH emulates a vulnerable web application by allowing itself to be indexed by search engines. It is hidden from casual page viewers, but is found through the use of a crawler or search engine. It does this through the use of a transparent link which is not noticed during casual browsing but is found when a search engine crawler indexes a site. The transparent link (when well crafted) will reduce false positives and avoid fingerprinting of the honeypot. The honeypot connects to a configuration file, and the configuration file writes to a log file which is chosen during configuration. The log file contains information about the host, including IP address, referral information, and user agent. Using the information gathered in the log file, an administrator can learn more about attackers doing reconnaissance against their site. An administrator can cross-reference logs and build a better picture of specific attackers.
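An added example (not GHH's own code) of the cross-referencing step described above: it parses a constructed access log, groups hits by source IP together with their user agents, and pulls the search term out of a search-engine referrer, so that visitors who arrived from a query stand out from the crawler that merely indexed the hidden link. The Apache combined log layout and the list of search-engine hosts are assumptions.

```python
"""Cross-referencing a GHH-style access log (added example, not GHH's own code).
The log format is Apache combined (an assumption: GHH's real layout may differ).
The referrer is what separates a search-engine hacker from a crawler that
indexed the hidden link or a visitor who stumbled in.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

COMBINED = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
                      r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
SEARCH_ENGINES = ("google.", "bing.", "yahoo.")   # referrer hosts treated as search pages

def search_query(referer):
    """The search term if the referrer is a search-engine results page, else None."""
    u = urlparse(referer)
    if not any(s in u.netloc for s in SEARCH_ENGINES):
        return None
    return (parse_qs(u.query).get("q") or [None])[0]

def cross_reference(lines):
    """Group hits by source IP: hit count, distinct user agents and search terms."""
    by_ip = defaultdict(lambda: {"hits": 0, "agents": set(), "queries": set()})
    for line in lines:
        m = COMBINED.match(line)
        if m is None:
            continue                     # skip malformed lines instead of aborting
        rec = m.groupdict()
        entry = by_ip[rec["ip"]]
        entry["hits"] += 1
        entry["agents"].add(rec["agent"])
        q = search_query(rec["referer"])
        if q:
            entry["queries"].add(q)
    return dict(by_ip)

def suspects(by_ip):
    """IPs that arrived via a search-engine query: the traffic GHH exists to catch."""
    return sorted(ip for ip, e in by_ip.items() if e["queries"])

# Constructed sample: one crawler hit, then the same visitor twice via a Google query.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Feb/2005:13:55:36 +0000] "GET /ghh/ HTTP/1.1" 200 512 "-" "Googlebot/2.1"',
    '203.0.113.5 - - [10/Feb/2005:14:02:11 +0000] "GET /ghh/ HTTP/1.1" 200 512 '
    '"https://www.google.com/search?q=%22example+vulnerable+app%22" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2005:14:02:15 +0000] "POST /ghh/login HTTP/1.1" 200 88 '
    '"https://www.google.com/search?q=%22example+vulnerable+app%22" "Mozilla/5.0"',
    'not a log line',
]
```

Running `suspects(cross_reference(SAMPLE_LOG))` on the sample singles out 203.0.113.5, the visitor whose referrer carries a search query, and ignores the crawler.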


CHAPTER 8 Future of Honeypots

Lance Spitzner, who has played a major role in the development of honeypots, has made certain predictions about their future. They are as follows:

Government projects: Currently honeypots are mainly used by organizations, to detect intruders within the organization as well as external threats, and to protect the organization. In future, honeypots will play a major role in government projects, especially by the military, to gain information about the enemy and about those trying to obtain government secrets.

Ease of use: In future honeypots will most probably appear in prepackaged solutions, which will be easier to administer and maintain. People will be able to install and develop honeypots at home without difficulty.

Closer integration: Currently honeypots are used along with other technologies such as firewalls, Tripwire, IDS etc. As these technologies develop, honeypots will be used in closer integration with them. For example, honeypots are being developed for Wi-Fi or wireless computers; however, this development is still under research.

Specific purpose: Certain features, such as honeytokens, are already under development to target honeypots at only a specific purpose, e.g. catching only those attempting credit card fraud. Honeypots will be used widely for expanding research applications in future.
