bsides chicago 2013 honeypots
TRANSCRIPT
Be vewy, vewy quiet….
let’s watch some hackers..
Agenda
• Interactive portion intro
• Whoami
• What is a Honeypot?
• Different Honeypots
• Why Honeypots?
• Things I discovered
• Interactive portion end results
Interactive portion
• SSID – FBI Mobile
• IP address – 192.168.2.5
• User ID – root
• The password is…. 123456
Whoami
• Father
• Husband
Whoami
• Geek
• Antagonist of the shiny things
• ShadowServer.org volunteer
• Security analyst
Whoami
What is a Honeypot?
A Honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. (May 2003)
Why Honeypots?
Why Honeypots?
Different Honeypots
• Server honeypots
• Client honeypots
Different Honeypots
• Low interaction
• High interaction: Windows XP SP 0, Windows Vista SP 0
Basic Network Configuration
Initial Research
A word of advice on using an EC2 instance.
GeoIP location: Dionaea - Ireland
Dionaea stats
Started 3/7/2013, stopped 3/9/2013
Started 3/12/2013, stopped 3/14/2013
Dionaea stats
• Don’t forget to add your API key from VirusTotal to your config file!!
• If you don’t add the API key, the pretty visualization tool can’t do its job and you have to do it manually!!!
Dionaea stats
[Chart: Top 10 IP addresses, connection count per source IP]
Wireshark Analysis: Attack Attempts
Malware Captures
MD5 | VirusTotal detection ratio | Common name | Source IP address / WhoIs
78c9042bbcefd65beaa0d40386da9f89 | 44 / 46 | Microsoft: Worm:Win32/Conficker.C | 209.190.25.37 (XLHost, VPS provider, http://www.xlhost.com/)
7acba0d01e49618e25744d9a08e6900c | 45 / 46 | Microsoft: Worm:Win32/Conficker.B | 69.28.137.10 (LimeLight Networks, a digital presence management company, http://www.limelight.com/)
90c081de8a30794339d96d64b86ae194 | 42 / 43 | Kaspersky: Backdoor.Win32.Rbot.aftu | 69.38.10.83 (WindStream Communications, voice and data provider, http://NuVox.net)
bcaef2729405ae54d62cb5ed097efa12 | 43 / 44 | Kaspersky: Backdoor.Win32.Rbot.bqj | 69.9.236.128 (Midwest Communications, Comcast/WideOpenWest parallel, http://midco.net/)
GeoIP location: Dionaea - recent
Kippo
Started 2/27/2013, stopped 3/1/2013
IP addresses
• 14 unique IP addresses
• Maximum password attempts – 1342
• Successful logins – 7
• Replay scripts – 1
• Files uploaded – 1
Kippo stats
[Chart: Attacker's IP addresses / connection attempts per address]
GeoIP location: Kippo – recent
Kippo stats
[Chart: Top 25 user names, times tried per user name]
Kippo stats
[Chart: Top 25 passwords, tries per password]
Kippo stats
Accounts that used 123456 as password
User ID | Tries
root | 7
ftpuser | 3
oracle | 3
andy | 2
info | 2
jeff | 2
site | 2
test | 2
webmaster | 2
areyes | 1
brian | 1
“7 successful logons? But your chart says 27 used the password of 123456?! WTF?”
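The gap between "27 tries of 123456" and "7 successful logins" comes straight out of the login log once you count the two things separately. The following Python is an added example, not code from the talk: it tallies constructed Kippo-style log lines by user ID for one password and counts successes on their own. The line layout is my approximation of Kippo's "login attempt [user/pass] succeeded|failed" message, and the IPs and timestamps are made up.

```python
import re
from collections import Counter

# Approximation of Kippo's login-attempt log line (an assumption about the exact format).
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[[^,]+,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)$"
)

# Constructed sample log; not real honeypot data.
SAMPLE_LOG = """\
2013-02-28 10:15:32+0000 [SSHService ssh-userauth on HoneyPotTransport,1,192.0.2.10] login attempt [root/123456] succeeded
2013-02-28 10:15:40+0000 [SSHService ssh-userauth on HoneyPotTransport,1,192.0.2.10] login attempt [root/123456] succeeded
2013-02-28 10:16:01+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [ftpuser/123456] failed
2013-02-28 10:16:03+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [oracle/123456] failed
2013-02-28 10:16:05+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [root/toor] failed
2013-02-28 10:16:07+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.5] login attempt [root/123456] succeeded
"""


def parse_attempts(text):
    """Yield (user, password, source_ip, succeeded) for every login-attempt line."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m["user"], m["pw"], m["ip"], m["result"] == "succeeded"


def tries_per_user(text, password):
    """Times each user ID was tried with `password` (the slide's 'Accounts that used 123456' table)."""
    return dict(Counter(u for u, pw, _, _ in parse_attempts(text) if pw == password))


def summarize(text, password):
    """Count password tries and successful logins separately; they need not match,
    because only the user/password pair the honeypot accepts ever succeeds."""
    attempts = list(parse_attempts(text))
    return {
        "password_tries": sum(1 for _, pw, _, _ in attempts if pw == password),
        "successful_logins": sum(1 for _, _, _, ok in attempts if ok),
        "unique_ips": len({ip for _, _, ip, _ in attempts}),
    }
```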
Kippo stats: Interesting passwords
All of these were tried against the root account.
Progressively longer prefixes of one string:
• !Q@W#E$
• !Q@W#E$R
• !Q@W#E$R%
• !Q@W#E$R%T
• !Q@W#E$R%T^
• !Q@W#E$R%T^Y
• !Q@W#E$R%T^Y&
• !Q@W#E$R%T^Y&U
• !Q@W#E$R%T^Y&U*
• !Q@W#E$R%T^Y&U*I
• !Q@W#E$R%T^Y&U*I(
• !Q@W#E$R%T^Y&U*I(O
• !Q@W#E$R%T^Y&U*I(O)
• !Q@W#E$R%T^Y&U*I(O)P
• !Q@W#E$R%T^Y&U*I(O)P_
Other attempts:
• [non-ASCII password, unreadable in the extracted text]
• !@$#jMu2vEUIOLweoP#!TTG$@#dsgfGR#$sgs
• $hack4m3baby#b1gbroth3r$
• 654321
• Ki!l|iN6#Th3Ph03$%nix@NdR3b!irD
• @!#$%&*Th3@#$!F0RcE%&*@#IS!@#$%!&
• diffie-hellman-group-exchange-sha11
• 123
• 1234
• 12345
• 1234567
• 12345678
• 123456789
• deathfromromaniansecurityteamneversleepba
• rooooooooooooooooooooooooooooooooot
Kippo stats: File downloaded
psyBNC 2.3.2
------------
This program is useful for people who cannot be on IRC all the time. It's used to keep a connection to IRC and your IRC client connected, or it can also act as a normal bouncer by disconnecting from the IRC server when the client disconnects.
HoneyD
How you can make your netbook useful and fun again!
Interactive portion results….
Etc
http://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-of-security-incidents-II-honeypots/at_download/fullReport
Etc
Honeydrive
Keith Dixon
@Tazdrumm3r
#misec
[email protected]
http://tazdrumm3r.wordpress.com