Honeypotting: The Complete Documentation
- This category contains 86 Papers
- The last paper was added on 2007-03-26 (YYYY-MM-DD)
Advanced Honey Pot Identification
Published on 2004-01-16, by Joseph Corey, ©Joseph Corey.
It has been an exciting past three months. Since writing for Phrack 62, I have received many emails of support from the fans of AHA (The AntiHoneynet Alliance). The success of the last article has prompted the Phrack Editors to request an update to the work presented in the previous article. Despite an intense class schedule, I hope that I can present you with an enlightening and yet entertaining article on Anti Honeynet Technologies.
File infos:
- L0T3K ID: docs-924
- status: offline
- source: www.phrack.org
Analysis of a Compromised Honeypot
Published by Christopher J. Reining, ©Christopher J. Reining.
The honeypot was internet accessible for roughly 3 weeks before compromise. Pretty respectable TTL with the amount of vulnerable daemons awaiting exploitation. I was alerted to the compromise as soon as I started investigating the "RPC portmap request status" alert from Snort. This means a query was sent to the portmap daemon, requesting port information for the status service. This query usually precedes attempts to access status.
File infos:
- L0T3K ID: docs-958
- status: online
- source: www.packetfu.org
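The Snort alert named in the entry above fires on a SunRPC call to the portmapper asking which port the status service (rpc.statd, RPC program 100024) listens on. The parser below is an added illustration, not code from Reining's write-up: it decodes such a PMAPPROC_GETPORT call from a raw UDP payload and names the program being asked about. The sample packet is constructed inside the block with AUTH_NULL credentials, and the program-number table is a small selection from the standard RPC program numbers.

```python
import struct

# SunRPC constants (RFC 5531) and the portmapper's own program/version/proc.
RPC_CALL = 0
RPC_VERSION = 2
PMAP_PROG = 100000
PMAP_VERS = 2
PMAPPROC_GETPORT = 3

# Standard RPC program numbers for a handful of services scanners ask about;
# 100024 ("status", rpc.statd) is the one the Snort alert above refers to.
RPC_PROGRAMS = {
    100000: "portmapper",
    100003: "nfs",
    100005: "mountd",
    100021: "nlockmgr",
    100024: "status",
}
IP_PROTO = {6: "tcp", 17: "udp"}


def _u32(buf, off):
    """Read one big-endian XDR unsigned int at off; return (value, new_off)."""
    return struct.unpack_from("!I", buf, off)[0], off + 4


def _skip_auth(buf, off):
    """Skip an opaque_auth (flavor, length, body padded to 4 bytes)."""
    flavor, off = _u32(buf, off)
    length, off = _u32(buf, off)
    if length > 400:                       # RFC 5531 caps auth bodies at 400 bytes
        raise ValueError("oversized opaque_auth")
    return flavor, off + ((length + 3) & ~3)


def parse_portmap_getport(payload):
    """Decode a PMAPPROC_GETPORT call from a UDP payload sent to port 111.

    Returns a dict describing the program being looked up, or None when the
    payload is not a well-formed GETPORT call to the portmapper.
    """
    try:
        xid, off = _u32(payload, 0)
        hdr = []
        for _ in range(5):                 # msg_type, rpcvers, prog, vers, proc
            v, off = _u32(payload, off)
            hdr.append(v)
        if hdr != [RPC_CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT]:
            return None
        _, off = _skip_auth(payload, off)  # credentials
        _, off = _skip_auth(payload, off)  # verifier
        prog, off = _u32(payload, off)
        vers, off = _u32(payload, off)
        prot, off = _u32(payload, off)
        _port, off = _u32(payload, off)    # ignored by the server for GETPORT
    except (struct.error, ValueError):
        return None
    return {
        "xid": xid,
        "program": prog,
        "name": RPC_PROGRAMS.get(prog, "unknown"),
        "version": vers,
        "protocol": IP_PROTO.get(prot, str(prot)),
    }


def build_getport(xid, prog, vers, prot):
    """Constructed sample: the GETPORT call a scanner sends, with AUTH_NULL
    credentials and verifier (flavor 0, zero-length body)."""
    header = struct.pack("!6I", xid, RPC_CALL, RPC_VERSION,
                         PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack("!4I", 0, 0, 0, 0)  # cred + verf, both AUTH_NULL
    args = struct.pack("!4I", prog, vers, prot, 0)
    return header + auth + args


# Constructed sample payload: "which UDP port is status v1 on?"
SAMPLE_STATUS_QUERY = build_getport(0x1234ABCD, 100024, 1, 17)


def describe(payload):
    """One-line summary in the spirit of the Snort alert, or None."""
    info = parse_portmap_getport(payload)
    if info is None:
        return None
    return "RPC portmap request %s (prog %d v%d over %s)" % (
        info["name"], info["program"], info["version"], info["protocol"])


if __name__ == "__main__":
    print(describe(SAMPLE_STATUS_QUERY))
```

Feeding the UDP payloads of traffic to port 111 through describe() reproduces the alert text from the entry above for status lookups and names the other services a scanner enumerates before it picks an exploit; a REPLY message, a call to a different procedure, or a truncated packet yields None rather than a false match.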
Anti-Honeypot Technology
Published on 2004, by Thorsten Holz, ©Thorsten Holz.
Current Honeypot-based tools have a huge disadvantage: Attackers can detect honeypots with simple techniques and are to some extent also able to circumvent and disable the logging mechanisms. On the basis of some examples, we will show methods for attackers to play with honeypots.
File infos:
- L0T3K ID: docs-1427
- status: online
- source: www.ccc.de
Baby steps with a honeypot
Published on 2003-04-01, by Mark Cooper, ©Mark Cooper.
This document describes the build and running of my first honeypot. It was based heavily on the work done by Lance Spitzner and his colleagues of the HoneyNet project
File infos:
- L0T3K ID: docs-873
- status: offline
- source: www.rit.edu
Basic Methods of Allowing Access to Your Honeynet
Published on 2003-02-01, by Michael Anuzis, ©Michael Anuzis.
So you want to run a honeynet, but you're not sure where to start. One of the first things you have to decide before you can really do anything is what method of access will you be allowing hackers to use to reach your honeypot. This may seem like nothing important but in fact it plays a huge role in dictating what types of hackers will take the bait and what types of things they will be able to do after they've broken in. One of the difficulties of running a honeynet is you can't dictate ahead of time exactly who will hack you, what their skill level will be, and what they will do once they get in (after all, the fun part is not knowing these things and then figuring them out as they happen). However, by choosing the correct method of honeypot access you want to provide (which is covered in this paper), you will be able to have some influence over who hacks you and what they will be able to do. Think of it as using the right bait for the right fish.
File infos:
- L0T3K ID: docs-871
- status: offline
- source: www.rit.edu
Build A Honeypot (To)
Published on 1999-08-04, by Lance Spitzner, ©Lance Spitzner.
This article is a follow up to the "Know Your Enemy" series. Many people from the Internet community asked me how I was able to track black-hats in the act of probing for and compromising a system. This paper discusses just that. Here I describe how I built, implemented, and monitored a honeypot network designed specifically to learn how black-hats work.
File infos:
- L0T3K ID: docs-945
- status: online
- source: www.spitzner.net
Building a GenII Honeynet Gateway
Published on 2004-11-14, by Diego González Gómez, ©Spanish Honeynet Project.
This is a short guide to build a GenII Honeynet Gateway, also called a Honeywall, under Linux; broaching the most common problems and providing several solutions and tips. This document does not explain the only way to install a Honeywall. It can be installed and configured using other tools, accomplishing the same objectives.
File infos:
- L0T3K ID: docs-1337
- status: online
- source: www.honeynet.org.es
Building a Virtual Honeynet
Published on 2002-02-17, by Hisham Kotry, ©Guardian Digital, Inc..
Creating a virtual honeynet is no more than configuring a number of virtual networked systems to log all activity heading to it, while looking as inconspicuous as possible. Don't worry if you feel you can't afford the resources needed to run the honeynet. Virtual honeynets are cheap, powerful and easy to administer. This paper includes an account of my experiences, which should make the process of configuring your own virtual honeynet easier. Before getting started, there are a few points that may require some explanation.
File infos:
- L0T3K ID: docs-909
- status: offline
- source: www.linuxsecurity.com
Connection Redirection Applied to Production Honeypots
Published on 2004, by Bob Pelletier, ©Bob Pelletier.
This paper outlines basic honeypot technologies and the results of research carried out from September 2003 through January 2004 at Norwich University. The main focus of the information provided is the usefulness of honeypots in production systems.
File infos:
- L0T3K ID: docs-944
- status: online
- source: www.eruditeaegis.net
Creating a Virtual HoneyNet
Published on 2002-09-06, by Hisham Kotry, ©Infosecwriters.com.
Creating a virtual honeynet is no more than configuring a number of virtual-networked-systems to log all activity heading to it, while looking as generic as possible. Don't worry if you feel you can't afford the resources needed to run the honeynet, virtual honeynets are cheap, powerful and easy to admin, plus through this paper I'll be trying to put in as much of my experience as possible to make it easier for you, but before we start there are a few points we have to understand.
File infos:
- L0T3K ID: docs-1007
- status: online
- source: www.infosecwriters.com
Creating Virtual Honeynets with Connectix Virtual PC 5.2
Published on 2004-05-01, by Andrew Lamb, ©Andrew Lamb.
As network and host-based security becomes more of an interest and concern for organizations, researchers and businesspeople alike are looking for effective network security solutions. One solution that has gained a substantial amount of attention in the last half-decade is the synthesis of virtual machine technology with the data collection and containment techniques seen in honeypots. This paper's aim is to continue the development of these two technologies by showcasing a specific software solution adapted to the use of honeypotting. Discussion in this paper is on the use and feasibility of Connectix's Virtual PC 5.2 virtual machine software for use as a network intrusion detection and analysis honeynet.
File infos:
- L0T3K ID: docs-947
- status: offline
- source: www.lucidic.net
Days of the Honeynet: Attacks, Tools, Incidents
Published on 2003-04-22, by Anton Chuvakin, ©Guardian Digital, Inc..
Among other benefits, running a honeynet makes one acutely aware of "what is going on" out there. While placing a network IDS outside one's firewall might also provide a similar flood of alerts, a honeypot provides a unique perspective on what will be going on when a related server is compromised and used by the intruders.
File infos:
- L0T3K ID: docs-959
- status: offline
- source: www.linuxsecurity.com
Design Of A Default Redhat Server 6.2 Honeypot
Published on 2002-04-01, by Stephen Holcroft, ©Stephen Holcroft.
The following paper is a description of how I have designed and implemented a honeypot system. The paper describes how the honeypot is used to capture data in layers using different techniques. The aim of the honeypot is to discover the techniques and tactics used by blackhats (hackers) to compromise computer systems. The methods used are similar to the methods used by the Honeynet Project.
File infos:
- L0T3K ID: docs-875
- status: offline
- source: www.rit.edu
Design of a Honeynet
Published by Christopher J. Reining, ©Christopher J. Reining.
Well, I decided to finally get a honeynet up and running. It has been an interest for some time now, especially after seeing the work done by Lance Spitzner et al with The Honeynet Project. My goal with the honeynet is to strengthen and sharpen my forensic skills in post-compromise as well as to learn what current tools and methods attackers are using. Before I started I realized that running a honeynet is a serious matter as the compromised honeypot machine can be used to break into other machines, carry out D/DoS attacks, or used in other nefarious purposes. I have taken precautions to limit the chances of the feds paying me a visit. Hopefully they are effective ;)
File infos:
- L0T3K ID: docs-922
- status: online
- source: www.packetfu.org
Dynamic Honeypots
Published on September 15, 2003, by Lance Spitzner, ©SecurityFocus.
For the past eight months we have been discussing what honeypots are, their value, their different types, and how they can be used and deployed. Today we will do something a little different. Instead of discussing what honeypots can do and how they work, we will take a look into the crystal ball and see what honeypots should do, how they could work. If I had a dream honeypot, this is what I would like to see in the future: the dynamic honeypot.
File infos:
- L0T3K ID: docs-387
- status: online
- source: www.securityfocus.com
Evolution of Deception Technologies as a Means for Network Defense (The)
Published by SANS Institute, ©SANS Institute.
Over the past several years, networked systems have grown considerably in size, complexity and susceptibility to attack. At the same time, the knowledge, tools and techniques available to attackers have also grown in proportion. Unfortunately, defensive techniques have not evolved as quickly due to the reactive nature in which they are used. Current security technologies are reaching their limitations, and more innovative solutions are required to deal with current and future classes of threats.
File infos:
- L0T3K ID: docs-981
- status: online
- source: www.sans.org
Fighting Internet Worms With Honeypots
Published on 2003-10-23, by Laurent Oudot, ©SecurityFocus.
Summer 2003 will sadly remain famous for netsurfers because of the propagation of an Internet worm known as MSBlast, which infected millions of hosts running Microsoft Windows. This event is far from unique; other worms such as Slammer, Code Red, Nimda have similarly wreaked havoc in the past.
File infos:
- L0T3K ID: docs-910
- status: online
- source: www.securityfocus.com
Fighting Spammers With Honeypots: Part 1
Published on 2003-11-26, by Laurent Oudot, ©SecurityFocus.
Like most advertising flyers found in postal mailboxes, millions of emails, now classically referred to as spam, fill email inboxes around the world every day. Spam can be considered as the most annoying cyber-pollution that targets all of us with tons of unsolicited emails. Those emails usually contain advertisements and spammers are paid to spread as many of them as possible.
File infos:
- L0T3K ID: docs-816
- status: online
- source: www.securityfocus.com
Fighting Spammers With Honeypots: Part 2
Published on 2003-11-26, by Laurent Oudot, ©SecurityFocus.
Most of the time, a spammer connecting to the open proxy server will try to send an initial email in order to check how the proxy is working. This moment can be crucial if you want to fool him properly.
File infos:
- L0T3K ID: docs-960
- status: online
- source: www.securityfocus.com
Fighting worms with honeypots: honeyd vs msblast.exe
Published on 2003-08-19, by Laurent Oudot, ©Laurent Oudot.
While trying to help the community to fight the evil worm MSBLAST, I looked at my favorite honeypot, called honeyd, to check if we could not play with the worm itself (Labrea played with another worm in the past... the past should not be forgotten).
File infos:
- L0T3K ID: docs-1010
- status: online
- source: www.citi.umich.edu
Fun Things To Do With Your Honeypot
Published on 2003-07-22, by Alberto Gonzalez and Jason Larsen, ©Guardian Digital, Inc..
Honeypots are a hot topic in the security research community right now. It seems everyone is starting up their own honeypot system. Most of the papers deal with the potential gains a honeypot can give you, and the proper way to monitor a honeypot. Not very many of them deal with the honeypots themselves.
File infos:
- L0T3K ID: docs-912
- status: offline
- source: www.linuxsecurity.com
GenII Data Control for Honeynets: Understanding and Building Snort-Inline Data Control
Published on 2003-02-16, by Richard La Bella, ©Infosecwriters.com.
Since late August 2002 the South Florida Honeynet Project has been deploying and publicly demonstrating high interaction, research honeypots and their tools. One of those tools, which we will talk about today is Snort-Inline, a second generation (GenII) data control system. Our Project uses Snort-Inline to control and contain enemy packets from harming other Internet connected hosts outside of our honeynet. This paper will introduce you to GenII data control and Snort-Inline. The purpose of this paper is to help you understand what GenII data control is, its purpose, and its value. Also included in this paper is a mini HOWTO for building your own Snort-Inline data control system. If you already deploy, or are thinking of deploying high interaction honeypots this paper will bring you up-to-speed on the latest in data control technology.
File infos:
- L0T3K ID: docs-1006
- status: online
- source: www.infosecwriters.com
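Snort-Inline, the subject of the entry above, inspects the content of outbound packets. A GenII Honeywall pairs it with a second data-control layer: a ceiling on how many outbound connections each honeypot may open in a time window, which is what keeps a compromised honeypot from serving as a scanning or denial-of-service source for the rest of the Internet. The block below is an added illustration, not code from the South Florida Honeynet Project or from the Honeywall: it replays constructed connection records through a sliding-window limiter and reports what such a gateway would accept or drop. The per-hour limits are assumed values chosen for the example, not the Honeywall's shipped defaults.

```python
from collections import defaultdict, deque

# Assumed per-honeypot, per-hour limits for this example (not the Honeywall's
# shipped defaults): how many new outbound connections of each kind a single
# honeypot may open before the gateway starts dropping them.
EXAMPLE_LIMITS = {"tcp": 15, "udp": 20, "icmp": 50, "other": 15}
WINDOW_SECONDS = 3600


class OutboundLimiter:
    """Sliding-window count of accepted outbound connections per honeypot
    and protocol. Dropped attempts are not counted, so an attacker cannot
    'use up' the window with traffic that never left the honeynet."""

    def __init__(self, limits=EXAMPLE_LIMITS, window=WINDOW_SECONDS):
        self.limits = limits
        self.window = window
        self._accepted = defaultdict(deque)   # (honeypot, proto) -> timestamps

    def decide(self, ts, honeypot, proto):
        proto = proto if proto in self.limits else "other"
        q = self._accepted[(honeypot, proto)]
        while q and ts - q[0] >= self.window:  # expire entries outside the window
            q.popleft()
        if len(q) >= self.limits[proto]:
            return "DROP"
        q.append(ts)
        return "ACCEPT"


def apply_policy(records, limiter=None):
    """records: (ts, honeypot_ip, proto, dst_ip, dst_port) tuples in time
    order. Returns the same tuples with the gateway verdict appended."""
    limiter = limiter or OutboundLimiter()
    return [r + (limiter.decide(r[0], r[1], r[2]),) for r in records]


def summarize(decisions):
    """Count verdicts per honeypot: {(honeypot, verdict): n}."""
    counts = defaultdict(int)
    for rec in decisions:
        counts[(rec[1], rec[5])] += 1
    return dict(counts)


# Constructed connection records, as a Honeywall might log them: 10.0.0.5
# bursts 20 TCP connections in 20 seconds (a scan or flood), does three DNS
# lookups, and an hour later tries an IRC server; 10.0.0.6 opens one SSH session.
SAMPLE_CONNECTIONS = (
    [(t, "10.0.0.5", "tcp", "203.0.113.%d" % (t + 1), 80) for t in range(20)]
    + [(30 + t, "10.0.0.5", "udp", "198.51.100.53", 53) for t in range(3)]
    + [(40, "10.0.0.6", "tcp", "198.51.100.7", 22)]
    + [(3700, "10.0.0.5", "tcp", "203.0.113.99", 6667)]
)


if __name__ == "__main__":
    for rec in apply_policy(SAMPLE_CONNECTIONS):
        print("%6d %-10s %-4s %s:%d %s" % rec)
```

With these limits the first 15 TCP connections from 10.0.0.5 leave the honeynet (enough for the intruder to fetch tools and keep the session interesting), the five that follow are dropped, the DNS lookups and the other honeypot's traffic are untouched, and the IRC attempt an hour later is accepted again because the window has rolled over. The counting is per honeypot and per protocol, which is the behaviour to check when testing a gateway: one noisy honeypot must not exhaust the budget of its neighbours.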
Hands in the Honeypot
Published on 2002-11-03, by Kecia Gubbels, ©SANS Institute.
A honeypot is a program, machine, or system put on a network as bait for attackers. The idea is to deceive the attacker by making the honeypot seem like a legitimate system. A honeynet is a network of honeypots set up to imitate a real network. Honeynets can be configured in both production and research environments. A research honeynet studies the tactics and methods of attackers. A production honeynet is set up to mimic the production network of the organization. This type of honeynet is useful to expose the organization's current vulnerabilities. Honeypots return highly valuable data that is much easier to interpret than that of an IDS (Intrusion Detection System). The information gathered from honeypots can be used to better prepare system administrators for attacks.
File infos:
- L0T3K ID: docs-961
- status: online
- source: www.sans.org
Honey Pot Systems Explained
Published on 2000-07-12, by Loras R. Even, ©SANS Institute.
Honey Pot Systems are decoy servers or systems set up to gather information regarding an attacker or intruder into your system. It is important to remember that Honey Pots do not replace other traditional Internet security systems; they are an additional level or system.
File infos:
- L0T3K ID: docs-1011
- status: online
- source: www.sans.org
Honeyd Research: Honeypots Against Spam
Published on 2003-12-05, by Niels Provos, ©Niels Provos.
Honeyd can be used effectively to battle spam. Since June 2003, Honeyd has been deployed to instrument several networks with spam traps. We observe how spammers detect open mail relays and so forth. The diagram on the right shows the overall architecture of the system.
File infos:
- L0T3K ID: docs-965
- status: online
- source: www.honeyd.org
Honeyd, A low involvement - Honeypot in Action
Published on 2003, by Reto Baumann, ©Reto Baumann.
Honeyd — What could that be? Well, honeyd is a small little program with a great effect — you can spend hours watching and fine-tuning honeyd and the associated scripts and it is even fun. Honeyd is an application which enables the setup of multiple virtual honeypots on a single machine, each with different characteristics and services. But let’s start at the beginning, let’s first have a look at the honeypot technology before we are coming back with more details for honeyd.
File infos:
- L0T3K ID: docs-962
- status: online
- source: www.rbaumann.net
Honeyd: A Virtual Honeypot Daemon
Published on 2003, by Niels Provos, ©University of Michigan.
Honeypots are closely monitored network decoys serving several purposes: they can distract adversaries from more valuable machines on a network, they can provide early warning about new attack and exploitation trends and they allow in-depth examination of adversaries during and after exploitation of a honeypot. Deploying physical honeypots is often time intensive and expensive as different operating systems require specialized hardware and every honeypot requires its own physical system. This paper presents Honeyd, a framework for virtual honeypots, that simulates virtual computer systems at the network level. The simulated computer systems appear to run on unallocated network addresses. To fool network fingerprinting tools, Honeyd simulates the networking stack of different operating systems and can provide arbitrary services for an arbitrary number of virtual systems. Furthermore, the system supports virtual routing topologies that allow the creation of large virtual networks including characteristics like latency and packet loss. We discuss Honeyd’s design and implementation.
File infos:
- L0T3K ID: docs-963
- status: online
- source: www.xtdnet.nl
Honeykiddies vs OpenSSL: The Battle at Port 443
Published on February 2003, by Anton Chuvakin, ©SANS Institute.
The present practical describes the vulnerability, exploit code and the real incident involving the above vulnerability and exploit that occurred in the research honeynet and the imagined scenario that might have occurred if it were a production small company environment. The SANS GCIH Practical format has been slightly extended to provide more details and emphasize the differences between the vulnerability and a particular exploit code. Additionally, section III of the practical was split into two sections for the real incident in the honeynet and the imagined scenario in the production network.
File infos:
- L0T3K ID: docs-432
- status: online
- source: www.giac.org
Honeynet Definitions, Requirements, and Standards
Published on April 12, 2003, by The Honeynet Project, ©The Honeynet Project.
The purpose of this document is to state the definitions, requirements and standards for a Honeynet. This will allow various organizations to independently research, develop, and deploy their own Honeynets using the same guidelines.
File infos:
- L0T3K ID: docs-433
- status: online
- source: www.honeynet.org
Honeynet: Recent Attacks Review
Published on 2003-07-27, by Anton Chuvakin, ©Infosecwriters.com.
Among other benefits, running a honeynet makes one acutely aware of "what is going on" out there. While placing a network IDS outside one's firewall might also provide a similar flood of alerts, a honeypot provides a unique perspective on what will be going on when a related server is compromised and used by the intruders. As a result of our research, many gigabytes of network traffic dumps are piling up on the hard drives, databases are filling with alerts, rootkits and exploit-pack collections are growing. This paper is an attempt to informally summarize what was happening to our exposed Linux machine connected to the Internet. The moment is even more appropriate since we are now changing the platform of the victim machine. Our Linux honeypot survived dozens, if not more, system compromises including several massive outbound denial-of-service attacks (all blocked by the firewall!), major system vulnerability scanning and serving as an Internet Relay Chat (IRC) server for Romanian hackers - and other exciting stuff.
File infos:
- L0T3K ID: docs-996
- status: online
- source: www.infosecwriters.com
Honeynets Applied to the CSIRT Scenario
Published by Cristine Hoepers, Klaus Steding-Jessen and Antonio Montes, ©Cristine Hoepers, Klaus Steding-Jessen and Antonio Montes.
A honeynet is a research tool consisting of a network specifically designed for the purpose of being compromised, with control mechanisms that prevent this network from being used as a base for launching attacks against other networks. Once compromised, the honeynet can be used to observe the intruders’ activities, collect tools and determine new trends in network attacks. In this paper we discuss the implementation of a honeynet, based entirely on open source software, that meets the requirements listed above. We present its topology, the tools developed and the results achieved. We also discuss how valuable a honeynet can be to better understand the threats to the constituency of a Computer Security Incident Response Team (CSIRT).
File infos:
- L0T3K ID: docs-966
- status: online
- source: www.honeynet.org.br
Honeypot Bandwidth Rate Limitation
Published on 2002-05-13, by Edward Balas, ©The Honeynet Project.
This document discusses a number of methods of providing per honeypot rate limiting. Specifically, we discuss how to do this with FreeBSD's Dummynet, Linux's Advanced Routing and Traffic Control, Cisco's Committed Access Rate and Juniper's Traffic Policing. For all cases discussed, it is presumed that we have 1 honeynet which is behind a routing or switching device which provides the rate limiting. Such a setup would work with GEN I or GEN II honeynets, but may require additional hardware. It should be noted that to date, the Linux, Cisco and Juniper examples have not yet been tested; this document will remain incomplete until these are.
File infos:
- L0T3K ID: docs-434
- status: online
- source: www.honeynet.org
Honeypot Farms
Published on 2003-08-13, by Lance Spitzner, ©SecurityFocus.
For the past six months this series of papers has covered a breadth of honeypot topics. We have covered everything from what honeypots are, their value and different types, to common misconceptions and legal issues. However, one thing we have yet to discuss is deployment. How can you deploy honeypots in your environment? For small organizations, this may be easy: nothing more than installing a honeypot on a single computer and placing it on your local network. But what about organizations with hundreds of networks and thousands of computers? How can honeypots be easily deployed and managed in such large, distributed environments? One approach is that you don't. Instead, you simply consolidate all of your honeypots in a single honeypot farm, then you let the bad guys come to you.
File infos:
- L0T3K ID: docs-967
- status: online
- source: www.securityfocus.com
Honeypot Logging
Published on 2003, by Chris Reining, ©Chris Reining.
The following is mental debris about preparation of a honeypot with respect to logging. Although all the core data gathering should be done on a bridge between the honeypot and the internet, having shell logging and HIDS/file integrity on a honeypot can provide beneficial data.
File infos:
- L0T3K ID: docs-923
- status: online
- source: www.packetfu.org
Honeypots
Published on 2002-02-26, by Reto Baumann and Christian Plattner, ©Reto Baumann and Christian Plattner.
A honeypot is used in the area of computer and Internet security. It is a resource which is intended to be attacked and compromised to gain more information about the attacker and the used tools. It can also be deployed to attract and divert an attacker from their real targets. One goal of this paper is to show the possibilities of honeypots and their use in a research as well as productive environment. Compared to an intrusion detection system, honeypots have the big advantage that they do not generate false alerts, as all observed traffic is suspicious, because no productive components are running on the system. This fact enables the system to log every byte that flows through the network to and from the honeypot, and to correlate this data with other sources to draw a picture of an attack and the attacker. This whitepaper consists of two parts. The first part provides an overview and introduction to the different classes of honeypots. The second part presents the main concepts of honeypots in more detail. The paper ends with a conclusion about the new technology of honeypots.
File infos:
- L0T3K ID: docs-968
- status: online
- source: www.rbaumann.net
HoneyPots and HoneyNets - Security through Deception
Published on 2001-05-25, by William W. Martin, ©SANS Institute.
This article describes a security tool and concept known as a Honey Pot and Honeynet. What makes this security tool different is that Honey Pots and Honeynets are digital network bait, and through deception, they are designed to actually attract intruders.
File infos:
- L0T3K ID: docs-1005
- status: online
- source: www.sans.org
HONEYPOTS REVEALED
Published by Mohamed Noordin Yusuff, ©Mohamed Noordin Yusuff.
IT Security instantly becomes an issue for anyone who connects their system to the Internet, either via a corporate network, an Internet Service Provider (ISP) from home, or a wireless device that can be used virtually anywhere there are wireless access points. Security threats range from hacking intrusions and denial of service attacks to computer worms, viruses and more. We must understand that intrusion into a network or system can never be eliminated, but it can be reduced. Computer crimes are always increasing. Countermeasures are developed to detect or prevent attacks; most of these measures are based on known facts, known attack patterns. As in the military, it is important to know who your enemy is, what kind of strategy he uses, what tools he utilizes and what he is aiming for; by knowing attack strategies, countermeasures can be improved and vulnerabilities can be fixed. Security activities range from keeping intruders out of the network or system and preventing the interception of information sent via the Internet, to limiting the spread of and damage caused by computer viruses.
File infos:
- L0T3K ID: docs-1187
- status: online
- source: www.astalavista.com
Honeypots: An Exploration
Published on 2003, by Bob Pelletier, ©Bob Pelletier.
This paper outlines basic honeypot technologies as well as my personal work in the field. I was assigned a project that spanned the course of four months. My work during this project consisted of exploring different honeypot technologies and applying what I had learned in a lab environment. The details of my testing scenarios and results of my experiments are outlined in the remainder of this document.
File infos:
- L0T3K ID: docs-943
- status: online
- source: www.eruditeaegis.net
Honeypots: Are They Illegal?
Published on 2003-06-12, by Lance Spitzner, ©SecurityFocus.
Honeypots are a new and emerging technology for the security community. Many security professionals are just now beginning to understand what honeypots are, their different types, how they work, and their value. As with many new technologies, not only are the professionals attempting to learn about them but so is the legal community. As honeypots and their concepts have grown more popular, people have begun to ask what legal issues could apply. The purpose of this paper is to address the most commonly asked issues. The concepts covered here will be focusing on US statutes, not international, mainly because I'm only familiar with US law. However, these concepts most likely also play some role in the international community. Also, this paper assumes you are familiar with the definition of a honeypot. If you are new to honeypots, I recommend you first read the paper Honeypots: Definitions and Values.
File infos:
- L0T3K ID: docs-969
- status: online
- source: www.securityfocus.com
Honeypots: Catching the Insider Threat
Published on 2003, by Lance Spitzner, ©Lance Spitzner.
In the past several years there has been extensive research into honeypot technologies, primarily for detection and information gathering against external threats. However, little research has been done for one of the most dangerous threats, the advanced insider, the trusted individual who knows your internal organization. These individuals are not after your systems, they are after your information. This presentation discusses how honeypot technologies can be used to detect, identify, and gather information on these specific threats.
File infos:
- L0T3K ID: docs-970
- status: online
- source: www.acsac.org
Honeypots: Definitions and Value of Honeypots
Published on 2003-05-29, by Lance Spitzner, ©Lance Spitzner.
Honeypots are an exciting new technology with enormous potential for the security community. The concepts were first introduced by several icons in computer security, specifically Cliff Stoll in the book "The Cuckoo's Egg" and Bill Cheswick's paper "An Evening with Berferd." Since then, honeypots have continued to evolve, developing into the powerful security tools they are today. The purpose of this paper is to explain exactly what honeypots are, their advantages and disadvantages, and their value to the security community.
File infos:
- L0T3K ID: docs-971
- status: offline
- source: www.tracking-hackers.com
Honeypots: Frequently Asked Questions
Published on 2004-03-25, by Shaheem Motlekar, ©Shaheem Motlekar.
The purpose of this page is to answer the most commonly asked questions concerning honeypot technologies, including what is a honeypot, what's its value, how do they work, and what are the different types. Most of this information was obtained from the honeypot mailing list. This FAQ is maintained by Shaheem Motlekar.
File infos:
- L0T3K ID: docs-972
- status: offline
- source: www.tracking-hackers.com
Honeypots: Simple, Cost-Effective Detection
Published on 2003-04-30, by Lance Spitzner, ©SecurityFocus.
This is the fourth article in an ongoing series examining honeypots. In previous installments, we have covered two different honeypot solutions: Honeyd and Specter. Both honeypots are low-interaction production solutions; their purpose is to help protect organizations, as opposed to research honeypots, which are used to gather information. Production honeypots work by emulating a variety of services and operating systems. Honeyd, an OpenSource solution, is considered more powerful and flexible than Specter, but it is also more difficult to use. Specter, a commercially supported solution, is easier to use as it runs on Windows. In this paper we take a step back for a moment and discuss the value of honeypot technologies in general. Why would you want to deploy production honeypots in your organization? How can a honeypot help security professionals to do their job more effectively?
File infos:
- L0T3K ID: docs-973
- status: online
- source: www.securityfocus.com
Honeypotting with RemoteBSM
Published on 2003-02-02, by Ryan C. Barnett, ©Ryan C. Barnett.
Data Capture on honeypot systems is critical. Data Capture is the capturing of all of the blackhat's activities. It is these activities that are then analyzed to learn the tools, tactics, and motives of the blackhat community. The challenge is to capture as much data as possible without the blackhat knowing their every action is captured. This is done with as few modifications as possible, if any, to the honeypots. Also, captured data cannot be stored locally on the honeypot. Information stored locally can potentially be detected by the blackhat, alerting them that the system is a Honeynet. The stored data can also be lost or destroyed. Not only do we have to capture the blackhat's every move without them knowing, but we have to store the information remotely.
File infos:
- L0T3K ID: docs-911
- status: online
- source: http://honeypots.sourceforge.net
Honeypotting with VMware - basics
Published on February 15, 2002, by Kurt Seifried, ©Kurt Seifried.
Honeypots are becoming more common as security professionals attempt to conduct more detailed research on current "state of the art" practices among attackers. Honeypots are also invaluable for learning about an attacker's motivations, habits and patterns of behavior. Unfortunately, setting up a proper honeypot is a non-trivial task, and correctly configuring network sensors to capture all data, as well as the resulting forensics tasks, can be rather daunting. The good news is that there are a number of tools and techniques that can make life much easier for some honeypot administrators.
File infos:
- L0T3K ID: docs-435
- status: online
- source: www.seifried.org
Honeytokens: The Other Honeypot
Published on July 17, 2003, by Lance Spitzner, ©SecurityFocus.
The purpose of this series of honeypot papers is to cover the breadth of honeypot technologies, values and issues. I hope by now readers are beginning to understand that honeypots are an incredibly powerful and flexible technology. They have multiple applications to security, everything from simplified detection to advanced information gathering. Today we extend the capabilities of honeypots even further by discussing honeytokens. Honeytokens are everything a honeypot is, except they are not a computer.
File infos:
- L0T3K ID: docs-436
- status: online
- source: www.securityfocus.com
HOSUS: Honeypot Surveillance System
Published on December 2002, by Lance Spitzner, ©;login.
Within the past several years, the information security community has increasingly recognized the value of honeypots. First discussed in 1989 and 1990 by Clifford Stoll [1] and Bill Cheswick [2], honeypots are a unique security technology; they are resources designed to be attacked. Many people have different interpretations of what a honeypot is. For the purposes of this paper, I will use the following definition for honeypots: a security resource whose value lies in being probed, attacked, or compromised.
File infos:
- L0T3K ID: docs-974
- status: online
- source: www.usenix.org
How To Build A Honeypot
Published on 2002-09-06, by Lance Spitzner, ©Infosecwriters.com.
This article is a follow up to the "Know Your Enemy" series. Many people from the Internet community asked me how I was able to track black-hats in the act of probing for and compromising a system. This paper discusses just that. Here I describe how I built, implemented, and monitored a honeypot network designed specifically to learn how black-hats work.
File infos:
- L0T3K ID: docs-1008
- status: online
- source: www.infosecwriters.com
IDS Logs in Forensics Investigations: An Analysis of a Compromised Honeypot
Published on 2003-03-28, by Alan Neville, ©Alan Neville.
An attacker has compromised a Sun Solaris server on a production network using an exploit for the dtspcd service in CDE, a Motif-based graphical user environment for Unix systems. You are the senior security engineer of the Security Operations Center (SOC) for your company and are required to find out how the box was compromised and by whom. Using only a Snort binary capture file from the remote log server, you are to conduct a complete analysis of all IDS captures, log files, and an inspection of the file system. This paper will deconstruct the steps taken to conduct a full analysis of a compromised machine. In particular, we will be examining the tool that was used to exploit a dtspcd buffer overflow vulnerability, which allows remote root access to the system. The objective of this paper is to show the value of IDS logs in conducting forensics investigations.
File infos:
- L0T3K ID: docs-976
- status: online
- source: www.securityfocus.com
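The paper above starts from a Snort binary capture, which is a libpcap file. The first triage step is to find who connected to the exploited service. As an added example (not code from the paper), the block below parses a classic pcap file without any third-party library and lists every bare SYN aimed at dtspcd. The one fact it relies on that the page does not state is that dtspcd's default listener is TCP/6112; the capture, the TEST-NET addresses and the timestamps are all constructed inline.

```python
"""Triage a Snort binary (libpcap) capture for connections to the CDE
dtspcd service.  Added example; not code from the paper.  dtspcd's
default listener is TCP/6112 (a standard CDE port, not stated on the
page).  Every packet and address below is constructed for the demo."""
import struct

DTSPCD_PORT = 6112   # default CDE dtspcd port (assumption, not from the page)
ETH_LEN = 14         # Ethernet II header length
SYN, ACK = 0x02, 0x10


def pcap_records(data):
    """Yield (timestamp, frame) from a classic pcap file held in memory."""
    if data[:4] == b"\xa1\xb2\xc3\xd4":
        order = ">"
    elif data[:4] == b"\xd4\xc3\xb2\xa1":
        order = "<"
    else:
        raise ValueError("not a classic pcap file")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def ipv4_tcp(frame):
    """Return (src, dst, sport, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < ETH_LEN + 40 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20:       # IP protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    flags = ip[ihl + 13]                       # TCP flags byte
    return src, dst, sport, dport, flags


def dtspcd_connection_attempts(pcap_bytes):
    """List (ts, src, sport, dst) for every bare SYN sent to the dtspcd port."""
    hits = []
    for ts, frame in pcap_records(pcap_bytes):
        p = ipv4_tcp(frame)
        if p and p[3] == DTSPCD_PORT and p[4] & SYN and not p[4] & ACK:
            hits.append((ts, p[0], p[2], p[1]))
    return hits


# --- constructed sample capture (TEST-NET addresses, not real hosts) ----
def _frame(src, dst, sport, dport, flags):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def sample_pcap():
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [
        (1, _frame("192.0.2.10", "198.51.100.5", 40001, 80, SYN)),                 # web probe: ignored
        (2, _frame("192.0.2.10", "198.51.100.5", 40002, DTSPCD_PORT, SYN)),        # hit
        (2, _frame("198.51.100.5", "192.0.2.10", DTSPCD_PORT, 40002, SYN | ACK)),  # reply: ignored
        (5, _frame("192.0.2.10", "198.51.100.5", 40003, DTSPCD_PORT, SYN)),        # second hit
    ]
    out = [hdr]
    for sec, f in frames:
        out.append(struct.pack("<IIII", sec, 0, len(f), len(f)) + f)
    return b"".join(out)


if __name__ == "__main__":
    for ts, src, sport, dst in dtspcd_connection_attempts(sample_pcap()):
        print(f"{ts:.0f}: {src}:{sport} -> {dst}:{DTSPCD_PORT} (dtspcd SYN)")
```

On a real capture, replace `sample_pcap()` with the bytes of the Snort log file; the SYN/ACK filter is what keeps the victim's own replies out of the attacker list. Linktype 1 (Ethernet) is assumed, so a capture taken on a raw IP or PPP interface needs a different link-layer offset.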
Incident Analysis of a Compromised NT Honeypot
Published on 2001-12-01, by Andrew Lamb, ©Andrew Lamb.
This paper is an account of my first experience with designing a honeypot system. My selected audience for this whitepaper are computer security enthusiasts with a working knowledge of basic Internet protocols as well as NT functionality. As the objective of the Distributed Honeypot Project states, we "organize dispersed [systems] across the Internet and share our findings with the security community". By researching what many home broadband connections experience, we can develop and employ better tools for home network security. However, we need not stop there; the statement of the DHP and its implications are grand. We pay particular attention to technologies which will impact the security of systems and their networks, from personal computers with broadband connections to e-business transactions across virtual private networks between mainframes. Please visit our website for more information.
File infos:
- L0T3K ID: docs-877
- status: offline
- source: www.rit.edu
Incident Analysis of a Compromised RedHat Linux 6.2 Honeypot
Published on 2002-04-01, by Stephen Holcroft, ©Stephen Holcroft.
This was the fourth honeypot system I had put into production. My honeypot had been offline for a couple of weeks prior to this incident while I made a few changes to the way syslog worked and installed a bash keystroke logger. If you want to learn more details on how I set up my honeypot, then please read my paper describing my particular method of implementation.
File infos:
- L0T3K ID: docs-874
- status: offline
- source: www.rit.edu
Incident Analysis of Compromised OpenBSD 3.0 Honeypot
Published on 2003-07-01, by Michael Anuzis, ©Michael Anuzis.
This was the first honeypot I've ever decided to run. I had long drawn out plans for implementing the perfect honeynet, but sadly some of the hardware that was donated to me at the time was given in non-working condition so I wasn't able to implement the honeynet of my dreams. It seems likely there would be other people out there interested in running a sophisticated honeynet, but who lack all the desired equipment and so they think it cannot be done. This paper has been written to show you otherwise!
File infos:
- L0T3K ID: docs-872
- status: offline
- source: www.rit.edu
Installing a Virtual Honeywall using VMware
Published on 2004-11-14, by Diego González, ©Diego González.
The Honeywall CDROM is a bootable CD with a set of open source tools configured by the Honeynet Project to make the implementation of a GenII Honeynet Gateway easier. Using this document as an installation guide, we are going to implement the Honeywall using the commercial software VMware. This document makes a few assumptions, one of them being that you have read and understood the papers Know Your Enemy: Virtual Honeynets, Know Your Enemy: Learning with VMware, and Know Your Enemy: Honeywall CDROM.
File infos:
- L0T3K ID: docs-1324
- status: online
- source: www.honeynet.org.es
Intelligence Gathering: Watching a Honeypot at Work
Published on January 10, 2003, by Toby Miller, ©SecurityFocus.
The purpose of this article is to share with the security community the data I collected from my honeypot. There are many papers available that explain how to set up honeypots and the risks one takes when running a honeypot. While this paper will briefly touch upon these topics, it is written for people who want to understand what data a honeypot will provide them. This discussion will include the attacker's recon, the attack, the attempted cover-up, and the reason for the attack on the honeypot.
File infos:
- L0T3K ID: docs-462
- status: online
- source: www.securityfocus.com
Know Your Enemy — Trend Analysis
Published on 2004-12-17, by The Honeynet Project, ©The Honeynet Project.
The past 12-24 months have seen a significant downward shift in successful random attacks against Linux-based systems. Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. This means that an unpatched Linux system with commonly used configurations (such as server builds of RedHat 9.0 or Suse 6.2) has an online mean life expectancy of 3 months before being successfully compromised.
File infos:
- L0T3K ID: docs-1336
- status: online
- source: www.honeynet.org
Know Your Enemy: Defining Virtual Honeynets
Published on January 27, 2003, by Lance Spitzner, ©The Honeynet Project.
Over the past several years Honeynets
File infos:
- L0T3K ID: docs-487
- status: online
- source: www.honeynet.org
Know Your Enemy: Honeynets
Published on January 07, 2003, by Lance Spitzner, ©The Honeynet Project.
The Honeynet Project is a non-profit research organization dedicated to learning the tools, tactics, and motives of the blackhat community and sharing the lessons learned. The primary tool used to gather this information is the Honeynet. The purpose of this paper is to discuss what a Honeynet is, its value, detail how it works, and the risks/issues involved. We hope that the security community can take the technologies discussed here, and not only use them for their own research purposes, but help develop and improve upon these technologies. However, we also want to be sure that organizations are aware of the many risks and issues involved with this technology.
File infos:
- L0T3K ID: docs-488
- status: online
- source: www.honeynet.org
Know Your Enemy: Honeynets in Universities
Published on 2004-04-26, by The Honeynet Project (http://www.honeynet.org/papers/edu/), ©Honeynet Project.
Honeynets have demonstrated their value as a research tool in the area of Information Assurance (IA). Many researchers and organizations in the security community, both public and private, are currently employing honeynets to continue to gather knowledge concerning the tactics, techniques and procedures of the hacker community. Since the summer of 2002, Honeynet Alliance members at The Georgia Institute of Technology (Georgia Tech) have successfully deployed a honeynet on the internal network to collect information on hackers and to help secure their campus enterprise network. The purpose of this paper is to help academic organizations deploy honeynets in .edu environments by sharing with you their experiences and lessons learned. We assume that you have already read and are familiar with the concepts of a honeynet as discussed in the KYE: Honeynets paper. The deployment of a honeynet on a large enterprise network such as that found on a major college or university can offer numerous benefits to an institution. Based on our experience, we identified two primary benefits. The first is the ability to use the data collected as a teaching and research tool for any type of computer security related course or research that is being offered. Professors and students can potentially use the honeynet as a testing ground for classes or research. In fact, one student recently received his Ph.D. based on our honeynet. The second, and based on our experience the more significant, benefit of a honeynet is that it can serve as a network security tool to dramatically increase the overall security posture of that institution's network. For example, our honeynet identified over 165 compromised systems on the GA Tech networks, providing extensive information on what was compromised, how, and potentially by whom. Later on in the paper we cover in greater detail the value our honeynet provided GA Tech and its faculty, staff, and students.
File infos:
- L0T3K ID: docs-946
- status: online
- source: www.honeynet.org
Know Your Enemy: Learning with VMware
Published on January 27, 2003, by The Honeynet Project, ©The Honeynet Project.
Virtual Honeynets are a solution that allows you to run a complete Honeynet with multiple operating systems on the same physical computer. First discussed in the paper Know Your Enemy: Virtual Honeynets, these solutions have the advantage of being easier to deploy and simpler to manage. The Honeynet Project has also found VMware to make an excellent development environment for Honeynet technologies. In this paper, we will take you through step-by-step how to build and deploy such a solution using the commercial software VMware. In this case, we will build a GenII (2nd Generation) Virtual Honeynet with five different honeypots. It is assumed you have read and understand the concepts discussed in both KYE: Virtual Honeynets and KYE: Honeynets. Also, if this is the first time you have ever worked with Honeynet technologies, it is highly recommended you work in a lab environment. Last, as with all virtual software, you need to be aware of the risk of attackers identifying, and potentially breaking out of, the virt
File infos:
- L0T3K ID: docs-489
- status: online
- source: www.honeynet.org
Know your Enemy: Web Application Threats
Published on 2007-02-07, by Jamie Riden, Ryan McGeehan, Brian Engert, Michael Mueter, ©Jamie Riden, Ryan McGeehan, Brian Engert, Michael Mueter.
With the constant growth of the Internet, more and more web applications are being deployed. Web applications offer services such as bulletin boards, mail services such as SquirrelMail, online shops, or database administration tools like PhpMyAdmin. They significantly increase the exposed surface area by which a system can be exploited. By their nature, web applications are often widely accessible to the Internet as a whole meaning a very large number of potential attackers. All these factors have caused web applications to become a very attractive target for attackers and the emergence of new attacks. This KYE paper focuses on application threats against common web applications. After reviewing the fundamentals of a typical attack, we will go on to describe the trends we have observed and to describe the research methods that we currently use to observe and monitor these threats. In Appendix A, we give actual examples of a bot (a variant of PERL/Shellbot), the Lupper worm and an attack against a web Content Management System (CMS) as examples that show how web application threats actually act and propagate.
File infos:
- L0T3K ID: docs-2015
- status: online
- source: www.honeynet.org
LaBrea — A New Approach To Securing Our Networks
Published on 2002-03-07, by Leigh Haig, ©SANS Institute.
This paper has been written to illustrate two things that are overlooked at most levels of security implemented to provide defense in depth: what is happening to the IP addresses on the network that are not being used, and how can these be used to tighten security? If available IP addresses could be used to hold spreading worms or probing systems, then there would be a tangible benefit. LaBrea, an application that addresses this concept, will be discussed. As LaBrea was written in response to the Code Red outbreak, some insight will be provided into how this worm could defeat existing security mechanisms and what benefit the tool LaBrea could offer. To allow us this insight we will look into the history and technology behind this application, the networking fundamentals that allow it to work, and then study the failings of other defenses within existing security solutions.
File infos:
- L0T3K ID: docs-975
- status: online
- source: www.sans.org
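The "holding" that the LaBrea paper above describes comes down to two TCP replies sent on behalf of an unused address: a SYN/ACK with a tiny window, and then a zero-window ACK for whatever data follows, so the scanning host or worm keeps a socket open and keeps probing. The block below is an added example, not LaBrea's code; the specific window values (10, then 0) are my reading of LaBrea's documented persist-mode behaviour and are marked as assumptions. It builds and parses raw IPv4/TCP packets so the reply can be checked, checksums included, without a network.

```python
"""Tarpit reply logic of the kind LaBrea applies to unused addresses:
answer a SYN with a SYN/ACK that advertises a tiny window, then answer
the data that follows with a zero window so the peer sits in persist
mode.  Added example, not LaBrea's code; the window values are my
reading of LaBrea's documented behaviour, not taken from the page.
Packets are built and parsed as raw IPv4/TCP so both checksums can be
verified end to end."""
import struct

SYN, ACK, RST, FIN = 0x02, 0x10, 0x04, 0x01
TARPIT_WINDOW = 10     # assumption: small window advertised on the SYN/ACK
PERSIST_WINDOW = 0     # zero window: the peer may send nothing, so it keeps probing


def ip(addr):
    """'192.0.2.1' -> 4 bytes."""
    return bytes(int(x) for x in addr.split("."))


def checksum(data):
    """RFC 1071 one's-complement checksum (odd-length input is zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src, dst, sport, dport, seq, ack, flags, window, payload=b""):
    """TCP segment with a correct checksum over the IPv4 pseudo header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def build_ipv4(src, dst, payload):
    """Minimal IPv4 header (no options, DF set, TTL 64) around a TCP segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, 6, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def parse(pkt):
    """Decode an IPv4/TCP packet and verify both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    src, dst, tcp = pkt[12:16], pkt[16:20], pkt[ihl:total]
    sport, dport, seq, ack, doff, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(tcp))
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "seq": seq,
            "ack": ack, "flags": flags, "window": window,
            "payload": tcp[(doff >> 4) * 4:],
            "ip_ok": checksum(pkt[:ihl]) == 0, "tcp_ok": checksum(pseudo + tcp) == 0}


def tarpit_reply(pkt, isn=0x1A2B3C4D):
    """Return the packet a tarpit sends in answer to pkt, or None to stay silent."""
    p = parse(pkt)
    if not (p["ip_ok"] and p["tcp_ok"]) or p["flags"] & (RST | FIN):
        return None                                   # corrupt, or the peer is giving up
    if p["flags"] & SYN and not p["flags"] & ACK:     # new connection: take it and hold it
        tcp = build_tcp(p["dst"], p["src"], p["dport"], p["sport"],
                        isn, p["seq"] + 1, SYN | ACK, TARPIT_WINDOW)
    elif p["payload"]:                                # data arrived: acknowledge none of it
        tcp = build_tcp(p["dst"], p["src"], p["dport"], p["sport"],
                        isn + 1, p["seq"], ACK, PERSIST_WINDOW)
    else:
        return None                                   # bare ACK finishing the handshake
    return build_ipv4(p["dst"], p["src"], tcp)


if __name__ == "__main__":
    # constructed exchange: a scanner on TEST-NET-1 hits an unused address
    a, t = ip("192.0.2.77"), ip("198.51.100.1")
    syn = build_ipv4(a, t, build_tcp(a, t, 51000, 80, 1000, 0, SYN, 65535))
    r = parse(tarpit_reply(syn))
    print("SYN/ACK window", r["window"], "ack", r["ack"], "checksums", r["ip_ok"], r["tcp_ok"])
    data = build_ipv4(a, t, build_tcp(a, t, 51000, 80, 1001, r["seq"] + 1, ACK, 65535, b"GET / HTTP/1.0\r\n"))
    print("persist window", parse(tarpit_reply(data))["window"])
```

The design point is that the tarpit keeps no per-connection state: everything it needs to answer is in the segment it just received, which is what lets a single host absorb thousands of worm connections cheaply. The zero-window ACK also acknowledges nothing new, so the peer's data stays queued on its side rather than being consumed.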
Local Honeypot Identification
Published on , by Joseph Corey, ©Joseph Corey.
Honeypots and Honeynets are deployed on networks to detect and monitor misuse of computer and network resources by unauthorized individuals. Monitoring may take the form of high-interaction implementations [1] or low-interaction virtual honeypots [2]. The devices developed and the methods behind their development are based upon flawed assumptions and premises, ultimately permitting a determined adversary the ability to detect, neutralize, and in some circumstances, exploit deployed honeypot devices.
File infos:
- L0T3K ID: docs-977
- status: offline
- source: www.phrack.org
Modelling the costs and benefits of Honeynets
Published on 2004-05-03, by Maximillian Dornseif and Sascha A. May, ©Maximillian Dornseif and Sascha A. May.
For many IT-security measures exact costs and benefits are not known. This makes it difficult to allocate resources optimally to different security measures. We present a model for costs and benefits of so-called Honeynets. This can foster informed reasoning about the deployment of Honeynet technology.
File infos:
- L0T3K ID: docs-1395
- status: online
- source: http://md.hudora.de/
Monitoring VMware Honeypots
Published on 2002-09-04, by Ryan C. Barnett, ©Ryan C. Barnett.
In these two posts, I presented two different methods for analyzing VMware virtual disk files and/or DD images (since in theory, they are relatively similar). The first method presented was to create a huge list of common hacker words (sniff, backdoor, trojan, etc.) and then run SWATCH in pass-through mode with this wordlist against an image, looking for places to conduct further investigation. While the use of SWATCH for this purpose was overkill, since using egrep or fgrep can achieve the same results, the second idea for using SWATCH was a new concept. This was the idea of having some tool (in this case SWATCH) attempt to monitor the actual live VMware image of a Virtual Guest OS honeypot. This technique is not based on any keyword searching like the previous method, but instead would try to monitor for any changes made within the virtual honeypot system. This brings up the concept of "Data Capture" with regards to Honey(pot|net) monitoring.
File infos:
- L0T3K ID: docs-870
- status: online
- source: http://honeypots.sourceforge.net
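The wordlist pass in the entry above is, as the author notes, a grep job at heart, but a disk image is far larger than memory and a naive chunked grep misses any word that straddles a read boundary, or reports the same word twice if the overlap is handled carelessly. The block below is an added example, not the author's SWATCH setup: a chunked keyword sweep that carries an overlap between reads, reports each hit exactly once with its byte offset, and is driven by a small constructed "image" whose planted word crosses the chunk boundary. The wordlist is the kind the entry describes, extended with one term of my own.

```python
"""Chunked keyword sweep over a raw disk image (a dd image or a VMware
flat disk).  Added example, not the author's SWATCH setup; the wordlist
and the sample image are constructed.  The part worth getting right is
the overlap between reads: a word straddling a chunk boundary must be
found, and a word lying inside the overlap must not be reported twice."""
import io
import re

SUSPECT_WORDS = [b"sniff", b"backdoor", b"trojan", b"rootkit"]  # last one is my addition


def scan_image(fobj, words=SUSPECT_WORDS, chunk_size=1 << 20, context=16):
    """Return [(offset, word, context_bytes)] for every case-insensitive hit
    in the stream, reading it chunk_size bytes at a time."""
    pattern = re.compile(b"|".join(re.escape(w) for w in words), re.IGNORECASE)
    keep = max(max(len(w) for w in words) - 1, context)   # bytes carried into the next read
    if chunk_size < keep:
        raise ValueError("chunk_size must be at least the overlap length")
    hits, tail, base = [], b"", 0        # base: file offset where the next chunk starts
    while True:
        chunk = fobj.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        buf_start = base - len(tail)
        for m in pattern.finditer(buf):
            if m.end() <= len(tail):     # lies wholly in the previous read: already reported
                continue
            ctx = buf[max(0, m.start() - context):m.end() + context]   # trailing context clipped at chunk edge
            hits.append((buf_start + m.start(), m.group().lower(), ctx))
        base += len(chunk)
        tail = buf[-keep:]
    return hits


def scan_bytes(data, **kw):
    """Convenience wrapper: scan an in-memory image."""
    return scan_image(io.BytesIO(data), **kw)


def sample_image():
    """Constructed image: filler with planted words; 'backdoor' straddles
    the 64-byte chunk boundary used in the demo below."""
    return b"A" * 60 + b"backdoor" + b"B" * 20 + b"sniff" + b"\x00" * 5 + b"Trojan.exe"


if __name__ == "__main__":
    for off, word, ctx in scan_bytes(sample_image(), chunk_size=64):
        print(f"0x{off:08x} {word.decode():<10} {ctx!r}")
```

Against a real image, open the file in binary mode and pass it in with the default chunk size; the offsets it prints are what you feed to a hex editor or `dd skip=` to look at the surrounding sectors. Hits in slack space and deleted blocks show up too, which is the point of scanning the image rather than the mounted filesystem.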
NoSEBrEaK — Attacking Honeynets
Published on 2004, by Maximillian Dornseif, Thorsten Holz and Christian N. Klein, ©Maximillian Dornseif, Thorsten Holz and Christian N. Klein.
It is usually assumed that Honeynets are hard to detect and that attempts to detect or disable them can be unconditionally monitored. We scrutinize this assumption and demonstrate a method by which a host in a honeynet can be completely controlled by an attacker without any substantial logging taking place.
File infos:
- L0T3K ID: docs-1394
- status: online
- source: http://md.hudora.de/
Open Proxy Honeypots
Published on 2004-04-30, by Ryan C. Barnett, ©Ryan C. Barnett.
This paper will provide instructions for deploying an Open Proxy Honeypot, or Proxypot, by using an Apache web server compiled with additional security modules. The first section talks about proxy servers in general. We then discuss the concept of an Open Proxy Honeypot: what it is, how it works, and the additional Apache modules used. In the Data Control section I will discuss the various methods for identifying and preventing malicious requests sent from the attacker. In the third section, Data Capture, I will discuss methods to capture verbose HTTP attacker activity which is not normally available in the default Common Log Format (CLF) log files used by most web servers.
File infos:
- L0T3K ID: docs-978
- status: online
- source: http://honeypots.sourceforge.net
Open Source Honeypots, Part Two: Deploying Honeyd in the Wild
Published on March 12, 2003, by Lance Spitzner, ©SecurityFocus.
This is the second part of a three-part series looking at Honeyd, an open source solution that is excellent for detecting attacks and unauthorized activity. In the first paper, we introduced honeypots and discussed what they are, their value, and the different types of honeypots. We then went into detail about Honeyd. In this paper we take a closer look at Honeyd. Specifically, we will deploy Honeyd on the big, scary Internet for one week and watch what happens. The intent is to test Honeyd by letting real bad guys interact with and attack it. We will then analyze how the honeypot performed and what it discovered.
File infos:
- L0T3K ID: docs-535
- status: online
- source: www.securityfocus.com