Breaking Honeypots for Fun and Profit
Dean Sysman
Itamar Sher
Gadi Evron

What this talk is about
We’d like to understand how a better honeypot can be built, by learning from current work, and understanding related flaws and design considerations.
© 2015 Cymmetria Inc. 2

What this talk isn’t about
No kernel exploits here. ;)

About Us
Dean Sysman: previously head of the cyber R&D team in Israeli intelligence. @DeanSysman
Itamar Sher: previously a senior cyber researcher in Israeli intelligence. @itamar_sher
Gadi Evron: previously VP at Kaspersky, CoE head at PwC, CISO at the Israeli Government, etc. @gadievron

Introducing Intrusion Deception

What is cyber deception?
Managing and shaping the attackers’ behavior so that they go where we want them to: to be detected with no false positives, investigated, and controlled.

We sit on the shoulders of giants…
• Fred Cohen’s Deception Toolkit
• Lance Spitzner
• The Honeynet Project
• Many, many others

How is intrusion deception different?
Detecting attacks vs. detecting attackers:
• Attacks change constantly
• Attackers’ decision-making processes and methodologies are known in advance

Why does it work?

Targeting the entire attack chain (diagram)
OODA
Attack chain: Recon & Intel collection → Delivery & Attack → Exploitation → Exfiltration
Deception starts here: at Recon & Intel collection

An economic change
• A consideration in planning an intelligence operation
• An economic change

Elements of Cyber Deception
• Regardless of what kind of deception campaign you may be planning, which may be VERY complex or extremely simplistic, eventually one small module remains the same: the decoy.

No False Positives
• However the attackers found the decoy (which is a science by itself, beyond the scope of this talk)…
• Once they do, if any code runs on it, a machine you completely control, it’s an attacker.

State of decoy technology
• Low interaction honeypots are useful for malware and scanning detection
• They are limited by definition, which is a recognized fact
… They emulate, which can be easily fingerprinted. And they try to lure in the attacker.

State of decoy technology
• High interaction honeypots are fully instrumented forensic devices: real machines (potentially indistinguishable from any others), heavily monitored.
• They do not lure the attacker in; they “watch” to generate more threat intelligence to assist with risk after the attackers reach them on their own.

Fingerprinting
• Is fingerprinting a vulnerability?
• Is it an opsec risk?
• TOR as an analogy

Low/High Interaction

Low interaction honeypots
• Simulations of networking services
• E.g. SMB, SMTP, DNS, and more
• Attacker interacts and we monitor
• Can monitor since the code servicing the protocol was written with that purpose

High Interaction Honeypots
• It’s the actual network services/machine
• Attacker interacts and we need to monitor
• Difficult to properly implement

Previous Work
• https://honeyscore.shodan.io/ (But isn’t…)

What is Conpot
“Conpot is a low interactive server side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend. By providing a range of common industrial control protocols we created the basics to build your own system, capable to emulate complex infrastructures to convince an adversary that he just found a huge industrial complex.” (http://conpot.org/)

Previous Work
• http://defensive-targeteering.net/findingscada-honeynets-on-shodan/
• "Mouser Factory" was the default name (could be configured)
• Also has the same serial number: 88111222 (credit Shawn C Merdinger)

The perception Discrepancy

Artillery

What is Artillery
“Artillery is a combination of a honeypot, monitoring tool, and alerting system.” (https://github.com/trustedsec/artillery)

Artillery
• Default list of common service ports
• On any connection returns random data
• Then disconnects and blocks the IP

Artillery
• Detection is trivial
• If you can spoof from inside the network, this can be used to block any IP you want!

Artillery
What can we learn from Artillery’s work?
• A port that shouldn’t be touched is an indicator of attacker activity

Artillery
How does this affect an attacker?
• An attacker now needs to consider if a service is a trap

BearTrap

What is BearTrap
“BearTrap is meant to be a portable network defense utility written entirely in Ruby. It opens "trigger" ports on the host that an attacker would connect to. When the attacker connects and/or performs some interactions with the trigger an alert is raised and the attacker's ip address is potentially blacklisted.” (https://github.com/chrisbdaemon/BearTrap)

BearTrap
• Default banner: 220 BearTrap-ftpd Service ready

BearTrap
• Waits for the USER command; on anything else returns just “530”
• When USER is passed, disconnects and blocks the IP
• Real FTP servers do not return an empty response (or 530 all the time)
• Can also be spoofed into blocking arbitrary IPs

BearTrap
For comparison, a real vsFTPd exchange:
220 (vsFTPd 3.0.2)
CWD
530 Please login with USER and PASS.
USER
331 Please specify the password.

BearTrap
What can we learn from BearTrap’s work?
• Implement the service

BearTrap
How does this affect an attacker?
• Attacker is on the lookout for indicators of deception

honeyd

What is honeyd
“honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems.” (http://www.honeyd.org/)

honeyd
• Very configurable: fingerprinting is much more difficult
• Service scripts come built-in unless replaced

honeyd
IIS service script excerpt (shell):

    # $req1 holds the request line received from the client
    NEWREQUEST=`echo "$req1" | grep -E "GET .scripts.*cmd.exe.*dir.* HTTP/1.(0|1)"`
    if [ -n "$NEWREQUEST" ] ; then
        # a cmd.exe "dir" probe: answer with the canned listing below
        REQUEST="cmd_dir"
    fi

• When the IIS service receives the above GET request it always returns this response:
 Volume in drive C is Webserver
 Volume Serial Number is 3421-07F5
 Directory of C:\inetpub
01-20-02 3:58a .
08-21-01 9:12a ..
08-21-01 11:28a AdminScripts
08-21-01 6:43p ftproot
07-09-00 12:04a iissamples
07-03-00 2:09a mailroot
07-16-00 3:49p Scripts
07-09-00 3:10p webpub
07-16-00 4:43p wwwroot
0 file(s) 0 bytes
20 dir(s) 290,897,920 bytes free

honeyd
• Linux/FTP: doesn’t support the ‘DELE’ command
• Linux/SSH: the service script doesn’t do anything
• In any case it will be obvious to the attacker…

honeyd
• POSSIBLE FIX (IIS)
• Serve an empty dir list and randomize the timestamps, byte counts and volume serial number periodically.

honeyd
What can we learn from honeyd’s work?
• Implement the service with no obvious indications

honeyd
How does this affect an attacker?
• Attackers are aware when a service is partially implemented (by definition)

Nova

What is Nova
“Nova is an easy to use honeypot configuration, deployment, and monitoring network security tool for preventing and detecting potentially hostile network reconnaissance (including port scanning, machine fingerprinting, and service probing).” (https://github.com/DataSoft/Nova)

Nova
• The default Windows config has no NetBIOS service script
• So it displays an open port and allows a connection but doesn’t implement the service
• This is a situation that never happens on Windows machines

Nova
• POSSIBLE FIX
• Include the latest version of honeyd, which also has the NetBIOS script, OR don’t open TCP port 139

Nova
What can we learn from Nova’s work?
• Implement the service completely

Nova
How does this affect an attacker?
• An attacker would look at the whole and would be aware when the set of services doesn’t make sense

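The Conpot and Nova slides describe two tells that can be caught before a decoy ever goes live: identity values left at a project default, and an open port that no service script answers, or a port set no real host of that persona exposes. The following pre-deployment lint is an added example, not code from the deck or from Conpot, Nova or honeyd; the default strings are the ones quoted on these slides, while the persona port rule, the sample configs and the script names are constructed for the example.

```python
"""Pre-deployment lint for a low-interaction decoy configuration.

Added example: not code from the deck or from Conpot, Nova or honeyd. It flags
identity values left at a project default (Conpot's "Mouser Factory" / 88111222,
BearTrap's banner) and an open port with nothing behind it, or a port set that
no real host of that persona would expose (Nova's Windows profile with 139 alone).
"""
from dataclasses import dataclass, field

# Taken from this deck: strings that identify a stock honeypot install.
KNOWN_DEFAULTS = {
    "Mouser Factory": "Conpot default system name",
    "88111222": "Conpot default serial number",
    "220 BearTrap-ftpd Service ready": "BearTrap default FTP banner",
}

# Hypothetical persona rule: ports that a real host of this persona exposes
# together. A Windows host with NetBIOS session (139) open also has 135 and 445.
PERSONA_PORT_GROUPS = {
    "windows": [frozenset({135, 139, 445})],
    "linux": [],
}


@dataclass
class DecoyConfig:
    persona: str                 # "windows" or "linux"
    identity: dict               # e.g. {"system_name": ..., "serial": ..., "ftp_banner": ...}
    open_ports: set
    handlers: dict = field(default_factory=dict)   # port -> service script name


def lint(cfg: DecoyConfig) -> list:
    """Return human-readable findings; an empty list means the config is clean."""
    findings = []
    for key, value in cfg.identity.items():
        if str(value) in KNOWN_DEFAULTS:
            findings.append(
                f"identity.{key} = {value!r} is a known default "
                f"({KNOWN_DEFAULTS[str(value)]})")
    for port in sorted(cfg.open_ports):
        if port not in cfg.handlers:
            findings.append(f"port {port} is open but no service script handles it")
    for group in PERSONA_PORT_GROUPS.get(cfg.persona, []):
        present = group & cfg.open_ports
        if present and present != group:
            findings.append(
                f"persona {cfg.persona}: ports {sorted(present)} open "
                f"without {sorted(group - cfg.open_ports)}")
    return findings


# Constructed sample configs (not real project files).
STOCK_WINDOWS_DECOY = DecoyConfig(
    persona="windows",
    identity={"system_name": "Mouser Factory", "serial": "88111222"},
    open_ports={80, 139},
    handlers={80: "iis.sh"},
)

FIXED_WINDOWS_DECOY = DecoyConfig(
    persona="windows",
    identity={"system_name": "PLC-line-2", "serial": "A4F19C"},
    open_ports={80, 135, 139, 445},
    handlers={80: "iis.sh", 135: "msrpc.sh", 139: "netbios.sh", 445: "smb.sh"},
)

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK_WINDOWS_DECOY), ("fixed", FIXED_WINDOWS_DECOY)):
        print(name, lint(cfg) or ["clean"])
```

Run against the stock config it reports the two default identity strings, port 139 without a handler, and 139 open without 135 and 445; the fixed config comes back clean. The defaults list is the part to grow over time, since every project on these slides ships its own.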
Kippo

What is Kippo
“Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.” (https://github.com/desaster/kippo)

Previous Work
• http://www.rafayhackingarticles.net/2013/06/usinghoneypots-to-your-advantage.html
• “Using Honeypots To Your Advantage - Attacking Kippo”
• Attacker is aware of emulation since many commands are not implemented
• WGET is implemented, so it can be used for DDoS and port scans
• https://www.sinister.ly/Thread-Tutorial-Detecting-Kippohoneypots

More Kippo Issues
https://prezi.com/wwuskkot4nhs/detecting-medium-interaction-honeypots/

Kippo
• Connect to the machine using root and password “123456”
nas3:~# uname -a
Linux nas3 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686 GNU/Linux
• uname is always the same. From the code:

    class command_uname(HoneyPotCommand):
        def call(self):
            if len(self.args) and self.args[0].strip() in ('-a', '--all'):
                # hard-coded kernel build string: only the hostname varies
                self.writeln(
                    'Linux %s 2.6.26-2-686 #1 SMP Wed Nov 4 '
                    '20:45:37 UTC 2009 i686 GNU/Linux' %
                    self.honeypot.hostname)
            else:
                self.writeln('Linux')
    commands['/bin/uname'] = command_uname

Kippo
• POSSIBLE FIX
• Either give the actual machine's timestamp or randomize it from a logical set.

Kippo
What can we learn from Kippo’s work?
• The honeypot becomes a tool for collecting forensic data on top of detection, as attackers can now run commands

Kippo
How does this affect an attacker?
• The attacker now faces an opsec risk (profiling, op failure)

Dionaea

What is Dionaea
“Dionaea intention is to trap malware exploiting vulnerabilities exposed by services offered to a network, the ultimate goal is gaining a copy of the malware.” (http://dionaea.carnivore.it/)
Toward Effective Mitigation!

Previous Work
• http://blog.sbarbeau.fr/2012/06/make-dionaea-stealthier-for-fun-and-no.html
• Nmap detection of Dionaea:
[steeve@omega ~]$ sudo nmap -sS -sV AAA.BBB.CCC.DDD
Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-09 23:54 CEST
Nmap scan report for blah.blah.com (AAA.BBB.CCC.DDD)
Host is up (0.058s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
…
1433/tcp open ms-sql-s Dionaea honeypot MS-SQL server
…

Dionaea
From: Markus - 2012-03-31 20:28:04
Hi,
Given your permission I'd fwd/crosspost this to nepenthes-devel.
On 3/28/12, Mikael Keri wrote:
> First, thank you for developing and maintaining Dionaea, it's a very valuable tool for me in my work!
> During some research I "discovered" a few ways to identify a Dionaea installation.
> This I guess may not be a surprise to you, as you have already noted that the SSL certificate can be used to pinpoint a Dionaea installation.
Well, this will end in a witch hunt, as there is simply no way to copy a 1:1 behaviour of a certain stack.
…
Well, I'm totally aware of the problems you point out, but besides from these three are just the tip of the iceberg, there is very little I can do about it.

Dionaea
• https: certificate issuer is…. dionaea.carnivore.it :S
• Some more possible techniques
• ftp: using 2 different passwords for the same user (allows login with any input)
• ftp: “502 Command 'DELE' not implemented”

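The BearTrap slides (a bare "530" for anything but USER, versus the vsFTPd transcript) and the Dionaea FTP tells above (any password accepted, DELE answered with "502 not implemented") both come down to the same lesson, "implement the service". The responder below is an added example serving both passages; it is not code from BearTrap, Dionaea or vsFTPd. Its pre-login replies follow the transcript on the BearTrap slide, its post-login reply texts are modelled on vsFTPd's, and VALID_USERS, the port and the hostnames are constructed for the example.

```python
"""Minimal FTP control-channel responder for a decoy.

Added example; not code from BearTrap, Dionaea or vsFTPd. The pre-login
dialogue follows the vsFTPd transcript on the BearTrap slide instead of a bare
"530" for everything, a wrong password is rejected consistently rather than any
input being accepted (the Dionaea tell), and DELE gets the reply a real server
gives instead of "502 Command 'DELE' not implemented".
"""
import socketserver

BANNER = "220 (vsFTPd 3.0.2)"
VALID_USERS = {"backup": "constructed-example-password"}   # constructed credentials


def post_login_reply(verb: str, arg: str) -> str:
    """Replies once logged in, modelled on vsFTPd's texts."""
    replies = {
        "CWD":  "250 Directory successfully changed.",
        "PWD":  '257 "/" is the current directory',
        "SYST": "215 UNIX Type: L8",
        "NOOP": "200 NOOP ok.",
        "DELE": "550 Delete operation failed.",        # the file simply "does not exist"
        "TYPE": ("200 Switching to Binary mode." if arg.upper() == "I"
                 else "200 Switching to ASCII mode."),
    }
    return replies.get(verb, "500 Unknown command.")


class FtpSession:
    def __init__(self, valid_users: dict):
        self.valid_users = valid_users
        self.pending_user = None
        self.logged_in = False
        self.transcript = []      # (client line, reply): the forensic record to alert on

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.pending_user, self.logged_in = arg, False
            reply = "331 Please specify the password."
        elif verb == "PASS":
            if self.pending_user is None:
                reply = "503 Login with USER first."
            elif self.valid_users.get(self.pending_user) == arg:
                self.logged_in = True
                reply = "230 Login successful."
            else:
                self.pending_user = None      # same user, different password: rejected every time
                reply = "530 Login incorrect."
        elif verb == "QUIT":
            reply = "221 Goodbye."
        elif not self.logged_in:
            reply = "530 Please login with USER and PASS."   # as vsFTPd answers CWD pre-login
        else:
            reply = post_login_reply(verb, arg)
        self.transcript.append((line.strip(), reply))
        return reply


class FtpHandler(socketserver.StreamRequestHandler):
    def handle(self):
        session = FtpSession(VALID_USERS)
        self.wfile.write((BANNER + "\r\n").encode())
        for raw in self.rfile:
            reply = session.handle(raw.decode("latin-1", "replace"))
            self.wfile.write((reply + "\r\n").encode())
            if reply.startswith("221"):
                break
        # session.transcript is what you log or alert on; nothing here blocks the source.


def serve(host: str = "127.0.0.1", port: int = 2121):
    """Run the decoy in the foreground (Ctrl-C to stop); port is constructed."""
    with socketserver.ThreadingTCPServer((host, port), FtpHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

The state machine is small, but it removes every tell listed on these slides: unknown commands before login get the real 530 text, USER always gets 331, the second wrong password is rejected like the first, and DELE returns 550. It also does not block on USER, so the BearTrap spoofing problem does not arise.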
Dionaea
What can we learn from Dionaea’s work?
• Make the service exploitable to known exploits

Dionaea
How does this affect an attacker?
• Attacker risks losing resources

Glastopf

What is Glastopf
“Glastopf is a Honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: Reply the correct response to the attacker exploiting the web application.” (http://glastopf.org/)

Glastopf
• Web app honeypot
• Everything is very configurable, which is good
• The default page is a randomly generated template page

Glastopf
• Google lookup: "This is a really great entry" "Footer Powered By" brings up interesting stuff (a top-500 website had this in a subdomain)
• Catches different kinds of web vulnerabilities; one of them is LFI
• Almost any query will make the directory traversal work
• Can copy any file into it
• Comes by default with /etc/passwd and /etc/shadow

Glastopf
• This might already give it away, but if you can access /etc/shadow you should be able to access anything in /proc/
• This gives a lot of logic to the attacker
• Simplest thing is to go through all the /proc//cmdline till the “server”
• If they made it this far you can just analyze the /proc//smaps to see if it acts believable
• IF THIS WORKED they mapped an actual server, HAVE FUN

Glastopf
• POSSIBLE FIX
• The easiest one is to return permission denied on /proc, but that might still raise eyebrows

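The fix above can be implemented as a small virtual file system behind the LFI emulation: resolve the requested path the way the OS would, serve only a prepared set of fake files, and answer the paths an unprivileged web-server account could not read on a real box (including /proc and /etc/shadow) with "permission denied". The code below is an added example and not Glastopf's own; WEBROOT, FAKE_FILES and the probe strings are constructed for it.

```python
"""Virtual file system for an LFI-emulating web decoy.

Added example; not Glastopf's own code. Traversal sequences are normalized the
way the OS would resolve them, a constructed set of fake files is served, and
anything under /proc, /etc/shadow or /root comes back as "permission denied",
which is what a real web-server account would get.
"""
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www/html"          # constructed include base for relative paths

# Constructed placeholder contents; never copy real files from the host here.
FAKE_FILES = {
    "/etc/passwd": ("root:x:0:0:root:/root:/bin/bash\n"
                    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"),
    "/etc/hostname": "web01\n",
    "/var/www/html/index.php": "<?php include($_GET['page']); ?>\n",
}

# What an unprivileged web-server process cannot read on a real box.
DENIED = ("/proc", "/etc/shadow", "/root")


def normalize(raw: str) -> str:
    """Resolve a requested include path the way the OS would."""
    p = unquote(unquote(raw))          # handles single and double percent-encoding
    p = p.split("\x00", 1)[0]          # a null byte truncates the path (old PHP behaviour)
    if not p.startswith("/"):
        p = posixpath.join(WEBROOT, p)
    return posixpath.normpath(p)       # collapses ../ and ./ segments, stops at /


def resolve(raw: str):
    """Return (outcome, body) for an include() of `raw`; outcome is served/denied/missing."""
    path = normalize(raw)
    if any(path == d or path.startswith(d + "/") for d in DENIED):
        return "denied", f"Warning: include({path}): failed to open stream: Permission denied"
    if path in FAKE_FILES:
        return "served", FAKE_FILES[path]
    return "missing", f"Warning: include({path}): failed to open stream: No such file or directory"


if __name__ == "__main__":
    # Constructed probes of the kind the slide describes.
    for probe in ("../../../../etc/passwd", "..%2F..%2F..%2Fetc%2Fshadow%00",
                  "/proc/self/cmdline", "../../../../proc/1/smaps", "/etc/nothing"):
        outcome, body = resolve(probe)
        print(f"{probe:35} -> {outcome}: {body.splitlines()[0]}")
```

Two design points: normalization happens before the deny check, so "../../proc/1/smaps" lands on the same rule as "/proc/1/smaps"; and the deny list mirrors real permissions rather than a list of "dangerous" paths, which is what keeps the denied replies from themselves becoming a tell.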
Glastopf
What can we learn from Glastopf’s work?
• Let the attacker exploit the simulated machine (file system...)

Glastopf
How does this affect an attacker?
• Attribution is introduced as a higher risk

KFSensor

What is KFSensor
“KFSensor is a Windows based honeypot Intrusion Detection System (IDS). It acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and trojans.” (http://www.keyfocus.net/kfsensor/)

KFSensor
• When alerting it also makes an alarm sound
• Default config doesn’t make sense (alerts on broadcast requests)

KFSensor
• HTTP: default web site; just Googled the exact page source…
• When enabling HTTPS the port is open but it doesn’t implement the service at all
• Configurable number of concurrent connections before blocking
• Default is 40
• Spoofable like the earlier examples
• If used host-based and it auto-blocks…

KFSensor
What can we learn from KFSensor’s work?
• When looking outside the open source project ecosystem, the issues described still apply

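Artillery (slide 31), BearTrap and KFSensor all auto-block the source of whatever touches a trigger port, which these slides note can be turned against the defender: a connection spoofed from inside the network gets an address of the attacker's choosing blocked. The policy below is an added example serving both the Artillery and the KFSensor passages; it is not code from either tool. It keeps the alert (a touched port remains an indicator) but blocks only when the connection carried application data, when the source has repeated that within a window (KFSensor-style threshold; its default is 40), and when the source is not on a protected list. It also drops connections not addressed to the decoy, the broadcast case from the KFSensor slide. All addresses are constructed.

```python
"""Auto-block policy for a decoy that blacklists sources.

Added example; not code from Artillery, BearTrap or KFSensor. A blindly spoofed
source cannot complete the TCP handshake (it never sees the server's sequence
number), so requiring application data before a connection counts toward a
block removes the cheapest way of getting someone else's address blocked.
"""
import ipaddress
from collections import defaultdict, deque


class BlockPolicy:
    def __init__(self, decoy_ip: str, protected: list, threshold: int = 40,
                 window_s: int = 60, block_s: int = 600):
        self.decoy_ip = ipaddress.ip_address(decoy_ip)
        self.protected = [ipaddress.ip_network(n, strict=False) for n in protected]
        self.threshold = threshold         # KFSensor's default is 40
        self.window = window_s
        self.block_for = block_s
        self.events = defaultdict(deque)   # src -> timestamps of data-bearing connections
        self.blocked = {}                  # src -> unblock time

    def is_protected(self, src: str) -> bool:
        """Gateways, DNS, domain controllers: alert on them, never block them."""
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.protected)

    def is_blocked(self, src: str, now: float) -> bool:
        expiry = self.blocked.get(src)
        if expiry is None:
            return False
        if now >= expiry:                  # blocks expire, so a bad block is not permanent
            del self.blocked[src]
            return False
        return True

    def observe(self, src: str, dst: str, payload: bytes, now: float) -> str:
        """Classify one accepted connection: 'ignore', 'alert' or 'block'."""
        if ipaddress.ip_address(dst) != self.decoy_ip:
            return "ignore"                # broadcast/multicast noise, not a probe of the decoy
        if self.is_blocked(src, now):
            return "block"
        if not payload:
            return "alert"                 # handshake only: log it, never count it toward a block
        q = self.events[src]
        q.append(now)
        while q and q[0] < now - self.window:
            q.popleft()
        if len(q) >= self.threshold and not self.is_protected(src):
            self.blocked[src] = now + self.block_for
            return "block"
        return "alert"


if __name__ == "__main__":
    # Constructed walk-through: decoy at 10.0.0.50, gateway 10.0.0.1 protected.
    policy = BlockPolicy("10.0.0.50", ["10.0.0.1/32"], threshold=3)
    for t in range(4):
        print(t, "gateway ->", policy.observe("10.0.0.1", "10.0.0.50", b"GET / HTTP/1.0\r\n", t))
        print(t, "scanner ->", policy.observe("203.0.113.9", "10.0.0.50", b"GET / HTTP/1.0\r\n", t))
```

In the walk-through the scanner is blocked on its third data-bearing connection while the gateway only ever raises alerts, and the scanner's block lapses after block_s seconds. A host-based deployment (the KFSensor "if used as host based and auto blocks" case) should keep the protected list generous, since a block there cuts the host itself off from whatever it lists.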
World Deployment

World honeypot deployment (Dionaea)
• Used the Zmap daily scan of port 443 on 2015-07-14
• Mapped for Dionaea only, through the certificate
• Standard IP attribution limitations apply

World honeypot deployments (Dionaea instances by country)
Taiwan                647   Iran                     4
United States         444   Republic of Lithuania    3
Japan                  93   Malaysia                 3
Germany                22   Norway                   3
Singapore              17   Mexico                   2
China                  15   Tanzania                 2
South Africa           14   Zambia                   2
Ireland                14   Russia                   2
Canada                  9   Republic of Korea        1
Netherlands             8   Austria                  1
Australia               8   Slovak Republic          1
Brazil                  8   Cambodia                 1
Hong Kong               6   Iceland                  1
Italy                   6   Portugal                 1
Poland                  6   Hungary                  1
Indonesia               6   India                    1
United Kingdom          6   Denmark                  1
Czech Republic          5   Saudi Arabia             1
Spain                   4   Finland                  1
France                  4   Argentina                1
Switzerland             4   Luxembourg               1
Total                1380

Organizations
375 - Taiwanese ISP
319 - United States university
119 - Taiwanese university
80 - Top cloud provider (some are not in the cloud-hosted range…)

Organizations
• Ministry of Defense of a European country
• International economic organization
• US municipal authority
• South African financial services company

Organizations
• Taiwanese computer manufacturer
• Taiwanese government authority
• Japanese infrastructure project
• Cambodian government authority
• Malware research blog

Organizations
And…
• National Iranian Oil Company

Guess what the regular HTTP serves
Possibly Modern Honey Network

Lessons Learned

Lessons learned
• These flaws are easy to find, and are simple.
• They are by design (it’s how a low interaction honeypot works)
• By definition we can always find a method of detection
• Low interaction is simply not enough to face modern threats

Where do we take it from here?
• Can we use what we learned to create a better honeypot, one that would serve modern purposes?
• What would it look like?

Decoy Implementation Schema

Lessons learned
How should we be building Honeypots?
1. Supply the service
   Didn’t meet this: Artillery
2. Supply the whole service
   Didn’t meet this: Kippo, Dionaea, KFSensor
3. Make the set of services make sense for a specific machine
   Didn’t meet this: Nova
4. Make the services exploitable for known exploits
   Dionaea is the only one shooting for this
5. Services exploitable to unknown exploits
   Is this even possible in a low interaction honeypot?
6. Future fantasy: the machine is real in attackers’ eyes post exploitation
   While being able to monitor, of course

Decoy implementation ladder (diagram), from the bottom up:
A Port → A Service → Whole Service → Set of Services → Services Exploitable for Known Exploits → Services Exploitable for Unknown Exploits → Real Machine

Code release and further work
• We will be releasing code when responsible disclosure is concluded: http://0x90.ninja/

Thanks
• We’d like to thank all the respected projects for their hard work and unpaid development
• The Honeynet Project: Respect!

More thanks
• Felix Leder, Ioannis Koniaris, Lukas Rist, Angelo Dell'Aera, David Watson, Andrea De Pasquale, Leon van der Eijk, Mark Schloesser, Niels Provos, Tillman Werner, Silas Cutler, Mike Damm, Omer Cohen, John Strand, Benjamin Donnelly, Shawn Merdinger, Johannes Ullrich, Piotr Kijewski, Tom Wright, Dave Kennedy, HD Moore, Trey Ford, Paul Vixie, Andey Fried, Rick Wesson, Chris Benedict, John Matherly and many others!

Questions?
@Cymmetria on Twitter