Breaking Honeypots for Fun and Profit

Breaking Honeypots for Fun and Profit 

Dean Sysman 

Itamar Sher 

Gadi Evron

What this talk is about 

We’d like to understand how a better honeypot can be 

built, by learning from current work, and understanding 

related flaws and design considerations. 

© 2015 Cymmetria Inc. 2

What this talk isn’t about 

No kernel exploits here. ;) 


About Us 

Dean Sysman 

Previously head of cyber R&D 

team in Israeli intelligence. 

@DeanSysman 

Itamar Sher 

Previously a senior cyber researcher 

Israeli intelligence. 

@itamar_sher 

Gadi Evron 

Previously VP at Kaspersky, 

CoE head at PwC, CISO at Israeli 

Government, etc. 

@gadievron 


Introducing Intrusion Deception

What is cyber deception? 

Managing and shaping the attackers’ behavior so that 

they go where we want them to. To be detected with no 

false positives, investigated, and controlled. 


We sit on the shoulders of giants… 

• Fred Cohen’s Deception Toolkit 

• Lance Spitzner 

• The Honeynet Project 

• Many, many others 


How is intrusion deception different? 

Attacks vs. Attackers detection: 

• Attacks change constantly 

• Attackers’ decision making processes and 

methodologies are known in advance 


Why does it work? 


Targeting the entire attack chain 

OODA 

Deception starts here 

Recon & Intel 

collection 

Delivery & 

Attack 

Exploitation 

Exfiltration 



An economic change 

• Consideration in planning an intelligence operation 

• An economic change 


Elements of Cyber Deception 

• Regardless of what kind of deception campaign you 

may be planning, which may be VERY complex, or 

extremely simplistic – eventually a small module 

remains the same: 

The decoy. 


No False Positives 

• However the attackers found the decoy (which is a 

science by itself, beyond the scope of this talk) 

• … Once they do, if any code runs on it, a machine 

you completely control – It’s an attacker. 


State of decoy technology 

• Low interaction honeypots are useful for malware 

and scanning detection 

• They are limited by definition, which is a recognized 

fact 

… They emulate, which can be easily fingerprinted. 

And they try to lure in the attacker. 


State of decoy technology 

• High interaction honeypots are fully instrumented 

forensic devices – real machines (potentially 

indistinguishable from any others), heavily 

monitored. 

• They do not lure the attacker in, they “watch” to 

generate more threat intelligence to assist with risk 

after the attackers reach them on their own. 


Fingerprinting 

• Is fingerprinting a Vulnerability? 

• Is it an opsec risk? 

• TOR as an analogy 


Low/High Interaction

Low interaction honeypots 

• Simulations of networking services 

• I.e. SMB, SMTP, DNS, and more 

• Attacker interacts and we monitor 

• Can monitor since the code servicing the protocol 

was written with that purpose 


High Interaction Honeypots 

• It’s the actual network services/machine 

• Attacker interacts and we need to monitor 

• Difficult to properly implement 


Previous Work

Previous Work 

• https://honeyscore.shodan.io/ 

(But Isn’t…) 


What is Conpot 

“Conpot is a low interactive server side Industrial 

Control Systems honeypot designed to be easy to 

deploy, modify and extend. By providing a range 

of common industrial control protocols we created 

the basics to build your own system, capable to 

emulate complex infrastructures to convince an 

adversary that he just found a huge industrial 

complex.” (http://conpot.org/) 


Previous Work 

• http://defensive-targeteering.net/findingscada-honeynets-on-shodan/ 

• "Mouser Factory“ was the default name 

(could be configured) 

• Also has the same serial number - 

88111222 (credit Shawn C Merdinger) 


Previous Work 


The perception Discrepancy 


Artillery

What is Artillery 

“Artillery is a combination of a honeypot, 

monitoring tool, and alerting system.” 

(https://github.com/trustedsec/artillery) 


Artillery 


Artillery 

• Default list of common services ports 

• On any connection returns random data 

• Then disconnects and blocks IP 


Artillery 

• Detection is trivial 

• If you can spoof from inside the network 

this can be used to block any IP you want! 


Artillery 

What can we learn from Artillery’s work? 

• Port that shouldn’t be touched is an 

indicator of attacker activity 


Artillery 

How does this affect an attacker? 

• An attacker now needs to consider if a 

service is a trap 


BearTrap

What is BearTrap 

“BearTrap is meant to be a portable network 

defense utility written entirely in Ruby. It opens 

"trigger" ports on the host that an attacker would 

connect to. When the attacker connects and/or 

performs some interactions with the trigger an 

alert is raised and the attacker's ip address is 

potentially blacklisted.” 

(https://github.com/chrisbdaemon/BearTrap) 


BearTrap 

• Default banner: 220 BearTrap-ftpd Service ready 


BearTrap 

• Waits for user command, on anything else returns 

just “530” 

• When USER is passed disconnects and blocks IP 


BearTrap 


just “530” 


• FTP servers do not return an empty response(or 530 

all the time) 


BearTrap 

220 (vsFTPd 3.0.2) 

CWD 

530 Please login with USER and PASS. 

USER 

331 Please specify the password. 


BearTrap 


just “530” 


• FTP servers do not return an empty response(or 530 

all the time) 

• Can Also be spoofed into blocking arbitrary IP’s 


BearTrap 

What can we learn from BearTrap’s work? 

• Implement the service 


BearTrap 


• Attacker is on the lookout for indicators of 

deception 


honeyd

What is honeyd 

“honeyd is a small daemon that creates virtual 

hosts on a network. The hosts can be configured to 

run arbitrary services, and their personality can be 

adapted so that they appear to be running certain 

operating systems.” (http://www.honeyd.org/) 


honeyd 

• Very configurable – fingerprinting is much more 

difficult 

• Service scripts come built-in unless replaced 


honeyd 

NEWREQUEST=`echo "$req1" | grep -E "GET 

.scripts.*cmd.exe.*dir.* HTTP/1.(0|1)"` 

if [ -n "$NEWREQUEST" ] ; then 

REQUEST="cmd_dir“ 

• IIS Service when receives the above GET request always 

returns this response 

Volume in drive C is Webserver 

Volume Serial Number is 3421-07F5 

Directory of C:\inetpub 

01-20-02 3:58a . 

08-21-01 9:12a .. 

08-21-01 11:28a AdminScripts 

08-21-01 6:43p ftproot 

07-09-00 12:04a iissamples 

07-03-00 2:09a mailroot 

07-16-00 3:49p Scripts 

07-09-00 3:10p webpub 

07-16-00 4:43p wwwroot 

0 file(s) 0 bytes 

20 dir(s) 290,897,920 bytes free 


honeyd 

• Linux/FTP – Doesn’t support the ‘DELE’ command 

• Linux/SSH – service script doesn’t do anything 

• In any case will be obvious to the attacker… 


honeyd 

• POSSIBLE FIX – IIS 

• Serve empty dirlist and randomize the timestamps, 

byte counts and volume serial number periodically. 


honeyd 

What can we learn from honeyd’s work? 

• Implement the service with no obvious 

indications 


BearTrap 


• Attackers are aware when a service is 

partially implemented (by definition) 


Nova

What is Nova 

“Nova is an easy to use honeypot configuration, 

deployment, and monitoring network security tool 

for preventing and detecting potentially hostile 

network reconnaissance (including port scanning, 

machine fingerprinting, and service probing).” 

(https://github.com/DataSoft/Nova) 


Nova 


Nova 

• Default windows config has no NetBIOS service 

script 

• So it displays an open port and allows connection 

but doesn’t implement the service 

• This is a situation that never happens on windows 

machines 


Nova 

• POSSIBLE FIX 

• include the latest version of honeyd which also has 

the NetBIOS script OR don’t open the 139 TCP port 


Nova 

What we can learn from Nova’s work? 

• Implement the service completely 


Nova 


• An attacker would look at the whole and 

would be aware when the set of services 

doesn’t make sense 


Kippo

What is Kippo 

“Kippo is a medium interaction SSH honeypot 

designed to log brute force attacks and, most 

importantly, the entire shell interaction performed 

by the attacker.” 

(https://github.com/desaster/kippo) 


Previous Work 

• http://www.rafayhackingarticles.net/2013/06/usinghoneypots-to-your-advantage.html 

• “Using Honeypots To Your Advantage - Attacking Kippo” 

• Attacker is aware of emulation since many commands are 

not implemented 

• WGET is implemented – can be used for DDoS, Port scan 

• https://www.sinister.ly/Thread-Tutorial-Detecting-Kippohoneypots 


More Kippo Issues 

https://prezi.com/wwuskkot4nhs/detecting-medium-interaction-honeypots/ 


Kippo 

• Connect to machine using root and password “123456” 

nas3:~# uname -a 

Linux nas3 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686 

GNU/Linux 

• uname is always the same. From the code: 

class command_uname(HoneyPotCommand): 

def call(self): 

if len(self.args) and self.args[0].strip() in 

('-a', '--all'): 

self.writeln( 

'Linux %s 2.6.26-2-686 #1 SMP Wed Nov 4 

20:45:37 UTC 2009 i686 GNU/Linux' % \ 

self.honeypot.hostname) 

else: 

self.writeln('Linux') 

commands['/bin/uname'] = command_uname 


Kippo 


• Either give the actual machine's timestamp or 

randomize it from a logical set. 


Kippo 

What can we learn from Kippo’s work? 

• The honeypot becomes a tool for collecting 

forensic data on top of detection, as 

attackers can now run commands 


Kippo 


• The attacker now faces an opsec risk 

(profiling, op failure) 


Dionaea

What is Dionaea 

“Dionaea intention is to trap malware exploiting 

vulnerabilities exposed by services offered to a 

network, the ultimate goal is gaining a copy of the 

malware.” (http://dionaea.carnivore.it/) 


What is Dionaea 

“Dionaea intention is to trap malware exploiting 

vulnerabilities exposed by services offered to a 

network, the ultimate goal is gaining a copy of the 

malware.” (http://dionaea.carnivore.it/) 

Toward Effective Mitigation! 


Previous Work 

• http://blog.sbarbeau.fr/2012/06/make-dionaea-stealthier-for-fun-and-no.html 

• Nmap detection of Dionaea 

[steeve@omega ~]$ sudo nmap -sS -sV AAA.BBB.CCC.DDD 

Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-09 23:54 CEST 

Nmap scan report for blah.blah.com (AAA.BBB.CCC.DDD) 

Host is up (0.058s latency). 

Not shown: 989 closed ports 

PORT STATE SERVICE VERSION 

… 

1433/tcp open ms-sql-s Dionaea honeypot MS-SQL server 

… 


Dionaea 

From: Markus - 2012-03-31 20:28:04 

Hi, 

Given your permission I'd fwd/crosspost this to nepenthes-devel. 

On 3/28/12, Mikael Keri wrote: 

> First, thank you for developing and maintaining Dionaea, it's a very 

> valuable tool for me in my work! 

> During some research I "discovered" a few ways to identify a 

Dionaea 

> installation. 

> This I guess may not be a surprise to you, as you have already 

noted that the SSLcertificate can be used to pin point a Dionaea 

installation. 

Well, this will end in a witch hunt, as there is simply no way to 

copy a 1:1 behaviour of a certain stack. 

… 

Well, I'm totally aware of the problems you point out, but 

besides from these three are just the tip of the iceberg, there is 

very little I can do about it. 


Dionaea 

• https: certificate issuer is…. dionaea.carnivore.it :S 

• Some more possible techniques 

• ftp: using 2 different passwords for the same user 

(allows to login with any input) 

• ftp: “502 Command 'DELE' not implemented” 


Dionaea 

What can we learn from Dionaea’s work? 

• Make the service exploitable to known 

exploits 


Dionaea 


• Attacker risks losing resources 


Glastopf

What is Glastopf 

“Glastopf is a Honeypot which emulates thousands of 

vulnerabilities to gather data from attacks targeting web 

applications. The principle behind it is very simple: 

Reply the correct response to the attacker exploiting the 

web application.” (http://glastopf.org/) 


Glastopf 


Glastopf 

• Web app honeypot 

• Everything is very configurable which is good 

• Default page is a random generated template page 


Glastopf 


Glastopf 

• Google lookup: "This is a really great entry" "Footer 

Powered By“ brings up interesting stuff (top 500 

website had this in a subdomain) 

• Catches different kinds of web vuls, one of them is lfi 

• Almost any query will make the directory traversal 

work 

• Can copy any file into it 

• comes in default with /etc/passwd and /etc/shadow 


Glastopf 


Glastopf 

• This might already give it away, but if you can access 

/etc/shadow you should be able to access anything in 

/proc/ 

• This gives a lot of logic to attacker 

• Simplest thing is to go through all the /proc//cmdline 

till the “server” 

• If they made it this far you can just analyze the 

/proc//smaps to see if it acts believable 

• IF THIS WORKED they mapped an actual server, HAVE 

FUN 


Glastopf 


• the easiest one is to return permission denied on 

/proc but that might still raise eyebrows 


Glastopf 

• What we can learn from Glastopf’s work? 

• Let attacker exploit simulated machine (file 

system...) 


Glastopf 


• Attribution is introduced as a higher risk 


KFSensor

What is KFSensor 

“KFSensor is a Windows based honeypot Intrusion 

Detection System (IDS). 

It acts as a honeypot to attract and detect hackers and 

worms by simulating vulnerable system services and 

trojans.” (http://www.keyfocus.net/kfsensor/ 


KFSensor 

• When alerting also makes an alarm sound 

• Default config doesn’t make sense (alerts on 

broadcast requests) 


KFSensor 

• HTTP, default web site, just Googled the exact page 

source… 

• When enabling HTTPS the port is open but it doesn’t 

implement the service at all 

• Configurable amount of concurrent connections 

before blocking 

• Default is 40 

• Spoofable like earlier examples 

• If used as Host based and auto blocks… 


KFSensor 

What can we learn from KFSensor’s work? 

• When looking outside the open source 

project ecosystem the issues described still 

apply 


World Deployment

World honeypot deployment (Dionaea) 

• Used Zmap daily scan of port 443 in 2015-07-14 

• Mapped for Dionaea only, through certificate 

• Standard IP attribution limitations apply 


World honeypot deployment 


World honeypot deployments 


World honeypot deployments 

Taiwan 647 Iran 4 

United States 444 Republic of Lithuania 3 

Japan 93 Malaysia 3 

Germany 22 Norway 3 

Singapore 17 Mexico 2 

China 15 Tanzania 2 

South Africa 14 Zambia 2 

Ireland 14 Russia 2 

Canada 9 Republic of Korea 1 

Netherlands 8 Austria 1 

Australia 8 Slovak Republic 1 

Brazil 8 Cambodia 1 

Hong Kong 6 Iceland 1 

Italy 6 Portugal 1 

Poland 6 Hungary 1 

Indonesia 6 India 1 

United Kingdom 6 Denmark 1 

Czech Republic 5 Saudi Arabia 1 

Spain 4 Finland 1 

France 4 Argentina 1 

Switzerland 4 Luxembourg 1 

Total 1380 


Organizations 

375 - Taiwanese ISP 

319 – United States University 

119 - Taiwanese University 

80 – Top Cloud Provider– some are not in cloud hosted 

range… 


Organizations 

• Ministry of Defense for a European Country 

• International Economic Organization 

• US Municipal Authority 

• South African financial services company 


Organizations 

• Taiwanese Computer Manufacturer 

• Taiwanese Government Authority 

• Japanese Infrastructure project 

• Cambodia Gouvernement Authority 

• Malware research blog 


Organizations 

And… 


Organizations 

And… 

• National Iranian Oil Company 


Guess what the regular HTTP serves 





Possibly Modern Honey Network 


Lessons Learned

Lessons learned 

• These flaws are easy to find, and are simple. 

• They are by design (it’s how a low interaction 

honeypot works) 

• By definition we can always find a method of 

detection 

• Low interaction is simply not enough to face modern 

threats 


Where do we take it from here? 

• Can we use what we learned to create a better 

honeypot, that would serve modern purposes? 

• What would it look like? 


Decoy Implementation Schema


How should we be building Honeypots? 

1. Supply the service 

didn’t meet this – Artillery 






2. Supply the whole service 

didn’t meet this – Kippo, Dionaea, KFSensor 








3. Make the set of services make sense for a specific machine 

didn’t meet this – Nova 










4. Make the services exploitable for known exploits 

Dionaea only one shooting for this 












5. Services exploitable to unknown exploits 

Is this even possible in a low interaction honeypot? 












5. Services exploitable to unknown exploits 

Is this even possible in a low interaction honeypot? 

6. Future Fantasy – machine is real in attackers’ eyes post 

exploitation 

- While being able to monitor of course 


Real 

Machine 

Services 

Exploitable for 

Unknown Exploits 

Services Exploitable for 

Known Exploits 

Set of Services 

Whole Service 

A Service 

A Port 


Code release and further work 

• We will be releasing code when responsible 

disclosure is concluded: 

http://0x90.ninja/ 


Thanks 

• We’d like to thanks all the respected 

projects for their hard work and unpaid 

development 

• The Honeynet Project – Respect! 


More thanks 

• Felix Leder, Ioannis Koniaris, Lukas Rist, Angelo 

Dell'Aera, David Watson, Andrea De Pasquale, Leon van 

der Eijk, Mark Schloesser, Niels Provos, Tillman Werner, 

Silas Cutler, Mike Damm, Omer Cohen, John Strand, 

Benjamin Donnelly, Shawn Merdinger, Johannes Ullrich, 

Piotr Kijewski, Tom Wright, Dave Kennedy, HD Moore, 

Trey Ford, Paul Vixie, Andey Fried, Rick Wesson, Chris 

Benedict, John Matherly and many others! 


Questions? 

@Cymmetria on Twitter

Breaking Honeypots for Fun and Profit

Create successful ePaper yourself

Delete template?

Save as template?