Kf - University of Windsor

Sunil Gurung
[60-475] Security and Privacy on the Internet
KFSensor vs Honeyd Honeypot System

Agenda
- Introduction
- Honeypot Technology
- KFSensor
- Honeyd
- Features
- Tests
- Conclusion

Introduction
Good defence is good offence.
- Network security: firewall, IDS, antivirus.
- The traditional approach is defensive.
- Today there is also an offensive approach: honeypot solutions.

Honeypot Technology
"A honeypot is a security resource whose value lies in being probed, attacked, or compromised." - Lance Spitzner
We want attackers to probe and exploit the virtual system running emulated services.
- The system has no production value and no legitimate traffic, so most connections to it are probes, attacks or compromises.
- It complements the traditional security tools.
Fig: The basic setup of the honeypot system. In the figure two KFSensor hosts are configured as production honeypots. Figure taken from the KFSensor Help user manual.

Types of Attackers
1) Script kiddies
- Amateurs, don't care about the host
- Reveal the inadequacy of the security policy
2) Blackhats
- Focus on high-value systems, more experienced
- More dangerous and operate silently

Types of Honeypot
Interaction: the level of activity the honeypot allows with the attacker.
Low interaction
- Emulated services; easy to deploy and maintain; less risk.
- Designed to capture only known attacks.
High interaction
- Real services are set up and the attacker interacts with the OS.
- More information, no assumptions made; gives a full open environment.
- Risk: the attacker can use the real honeypot to attack others.
- Examples: Symantec Decoy Server, Honeynet.

KFSensor
- Commercial low-interaction honeypot solution
- Windows OS
- Preconfigured services: ssh, http, ftp etc.
- Easy configuration and flexible
Components of KFSensor: scenarios, Sim Server (standard and banner).

Honeyd
- Low interaction, open source
- Developed by Niels Provos of U of M
- Features: service emulation and IP stack emulation of the OS

Product Detail
Software: honeyd
Version: honeyd 0.8
License: open source
Download site: http://honeyd.org
OS: Windows, Linux, Unix, Solaris

Installation
- ARPD, libraries
- Dependencies: libevent-0.8a.tar.gz, libpcap0.8.3.tar.gz
- Honeyd package
Installation process:
    # tar -zvxf libevent-0.8a.tar.gz
Compile libevent (note: pwd is /honeyd_packages/libevent-0.8a):
    # cd libevent-0.8a
    # ./configure
    # make
    # make install

Major Differences between the two software
- IP address assignment
- Listening port
- OS emulation
- Open source advantage
- Financial value

How it works
1. Configuration file
2. nmap.print and xprobe2
3. Scripts for running the services

Explanation of Configuration file
    # Example of a simple host template and its binding
    annotate "AIX 4.0 - 4.2" fragment old
    create template
    set template personality "AIX 4.0 - 4.2"
    add template tcp port 80 open
    add template tcp port 22 open
    add template tcp port 23 open
    set template default tcp action reset
    bind 192.168.1.80 template

Nmap.print and Xprobe2
    # Contributed by Felix Lindner ([email protected])
    Fingerprint AXENT Raptor Firewall running on Windows NT
    TSeq(Class=TR)
    T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
    T2(Resp=N)
    T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
    T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T7(Resp=N)
    PU(Resp=N)

Test Environment
Inside the router
1) University network
2) Home network: putting the honeypot system inside the router [192.168.0.102]
Various tests performed:
Testing Honeyd
- IP of honeypot: 192.168.1.122
- IP of host running the honeypot: 192.168.1.121
1) Running ARPD
    # arpd 192.168.0.0/24
2) Running Honeyd (option dashes restored; the log file name is a placeholder)
    # honeyd -d -f config.sample -p nmap.print -x xprobe2 -l <log file> -i 2
Test 1: FTP (KFSensor)
Test 2: FTP (honeyd)

Other possible test (Network Topology)
    route entry 10.0.0.1
    route 10.0.0.1 link 10.0.0.0/24
    route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
    route 10.0.0.1 add net 10.2.0.0/16 10.2.0.1 latency 20ms loss 0.1
    route 10.1.0.1 link 10.1.0.0/24
    route 10.2.0.1 link 10.2.0.0/24
    create routerone
    set routerone personality "Cisco 7206 running IOS 11.1(24)"
    set routerone default tcp action reset
    add routerone tcp port 23 "scripts/router-telnet.pl"
    create netbsd
    set netbsd personality "NetBSD 1.5.2 running on a Commodore Amiga (68040 processor)"
    set netbsd default tcp action reset
    add netbsd tcp port 22 proxy $ipsrc:22
    add netbsd tcp port 80 "sh scripts/web.sh"
    bind 10.0.0.1 routerone
    bind 10.1.0.2 netbsd

Results taken from the abstract:
    $ traceroute -n 10.3.0.10
    traceroute to 10.3.0.10 (10.3.0.10), 64 hops max
     1  10.0.0.1   0.456 ms   0.193 ms   0.93 ms
     2  10.2.0.1  46.799 ms  45.541 ms  51.401 ms
     3  10.3.0.1  68.293 ms  69.848 ms  69.878 ms
     4  10.3.0.10 79.876 ms  79.798 ms  79.926 ms
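The directives in the two config excerpts above (create/set/add/bind for templates, route entry/link/add net for the topology) are what honeyd reads at start-up, and a typo such as binding an IP to a template that was never created only shows up when the daemon refuses to start. As an added example, not code from this presentation or from the honeyd project, the following Python script parses that dialect, reports undefined-template references, parses the latency and loss options on route lines, and lists, per bound IP, which TCP ports will actually answer (any action other than reset or block). The sample config embedded below is constructed from the page's excerpts; the function and class names are this example's own.

```python
"""Parser and sanity checker for the honeyd configuration dialect (added example)."""
import shlex
from dataclasses import dataclass, field


@dataclass
class Template:
    name: str
    personality: str = ""
    default_tcp: str = ""
    tcp_ports: dict = field(default_factory=dict)   # port -> action string


@dataclass
class HoneydConfig:
    templates: dict = field(default_factory=dict)   # name -> Template
    bindings: dict = field(default_factory=dict)    # ip -> template name
    routes: list = field(default_factory=list)      # parsed route directives
    errors: list = field(default_factory=list)      # "line N: problem -> text"


def _route(tok):
    """Turn the tokens after 'route' into a dict; latency/loss are optional."""
    if tok[0] == "entry":
        return {"kind": "entry", "router": tok[1]}
    router, verb = tok[0], tok[1]
    if verb == "link":
        return {"kind": "link", "router": router, "net": tok[2]}
    if verb == "add" and tok[2] == "net":
        r = {"kind": "add", "router": router, "net": tok[3], "next_hop": tok[4]}
        opts = tok[5:]
        for key, val in zip(opts[::2], opts[1::2]):
            if key == "latency":
                r["latency_ms"] = int(val.rstrip("ms"))   # "55ms" -> 55
            elif key == "loss":
                r["loss"] = float(val)
        return r
    raise ValueError("unknown route form")


def parse_honeyd_config(text):
    """Parse a honeyd config string; problems are collected, not raised."""
    cfg = HoneydConfig()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments (no '#' inside quotes expected)
        if not line:
            continue
        tok = shlex.split(line)                  # keeps quoted personalities/scripts as one token
        kw = tok[0]
        try:
            if kw == "create" and len(tok) == 2:
                cfg.templates[tok[1]] = Template(tok[1])
            elif kw in ("set", "add"):
                t = cfg.templates.get(tok[1])
                if t is None:
                    raise ValueError(f"{kw} on undefined template {tok[1]!r}")
                if kw == "set" and tok[2] == "personality" and len(tok) == 4:
                    t.personality = tok[3]
                elif kw == "set" and tok[2:5] == ["default", "tcp", "action"] and len(tok) == 6:
                    t.default_tcp = tok[5]
                elif kw == "add" and tok[2:4] == ["tcp", "port"] and len(tok) >= 6:
                    t.tcp_ports[int(tok[4])] = " ".join(tok[5:])   # open | reset | proxy ... | script
                else:
                    raise ValueError("unsupported set/add form")
            elif kw == "bind" and len(tok) == 3:
                if tok[2] not in cfg.templates:
                    raise ValueError(f"bind to undefined template {tok[2]!r}")
                cfg.bindings[tok[1]] = tok[2]
            elif kw == "route" and len(tok) >= 3:
                cfg.routes.append(_route(tok[1:]))
            elif kw == "annotate":
                pass   # per-personality hints (e.g. fragment handling); not modelled here
            else:
                raise ValueError("unrecognised directive")
        except (ValueError, IndexError) as exc:
            cfg.errors.append(f"line {n}: {exc} -> {line!r}")
    return cfg


def listening_ports(cfg):
    """Map each bound IP to the TCP ports that will answer (anything not reset/block)."""
    out = {}
    for ip, name in cfg.bindings.items():
        t = cfg.templates[name]
        out[ip] = {p: a for p, a in sorted(t.tcp_ports.items()) if a not in ("reset", "block")}
    return out


# Constructed sample, assembled from the two config excerpts on the page.
SAMPLE_CONFIG = """
annotate "AIX 4.0 - 4.2" fragment old
create template
set template personality "AIX 4.0 - 4.2"
add template tcp port 80 open
add template tcp port 22 open
add template tcp port 23 open
set template default tcp action reset
bind 192.168.1.80 template
route entry 10.0.0.1
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
create routerone
set routerone personality "Cisco 7206 running IOS 11.1(24)"
set routerone default tcp action reset
add routerone tcp port 23 "scripts/router-telnet.pl"
create netbsd
set netbsd personality "NetBSD 1.5.2 running on a Commodore Amiga (68040 processor)"
set netbsd default tcp action reset
add netbsd tcp port 22 proxy $ipsrc:22
add netbsd tcp port 80 "sh scripts/web.sh"
bind 10.0.0.1 routerone
bind 10.1.0.2 netbsd
"""

if __name__ == "__main__":
    cfg = parse_honeyd_config(SAMPLE_CONFIG)
    for ip, ports in listening_ports(cfg).items():
        print(ip, cfg.templates[cfg.bindings[ip]].personality, ports)
    for err in cfg.errors:
        print("ERROR", err)
```

Running it prints one line per bound IP with its personality and answering ports; the per-IP port map is the quickest way to confirm that a low-interaction honeypot exposes exactly the decoy services intended and nothing else before it is placed on the network.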

Conclusion
- Both are low-interaction honeypots; Honeyd has better features such as IP simulation and OS IP-stack simulation.
- KFSensor has a better GUI and easier configuration.
- Neither can replace the existing security system; they work better alongside it.
