From: George Bakos (gbakos@ists.dartmouth.edu)
Date: Thu Apr 04 2002 - 22:45:17 CST


    Well, dudes, here goes. I put together a few scripts that allow me to
    collect quite a bit of data with very little risk, on systems that are in
    fulltime legitimate use. thp (tiny honeypot) is a complete ruse,
    appearing to the intruder to be a system with every port open, & every
    imaginable rpc service turned on. Connect via any tcp port and it
    appears to be a root shell. I've caught autorooter scripts (including ftp
    credentials), many rpc.statd attempts, folks that believe the box has
    already been rooted and start looking for signs of rootkits, etc.
    It won't fool a reasonably intelligent human for more than a moment, but
    the unintelligent ones do some pretty interesting things, as do the
    scripted attacks.

    You can pull it down from:
        http://alpinista.dyndns.org:81/files/thp-0.3.1.tar.gz

    If you have suggestions, additional ideas, constructive criticisms, etc,
    let me know.

    Here's the README, which pretty much lays it out:

    thp - the tiny honeypot

    # version 0.3.1
    # Copyright George Bakos - alpinista@bigfoot.com
    # April 4, 2002
    # This is free software, released under the terms of the GNU General
    # Public License available at http://www.gnu.org

    INTRODUCTION
    ------------
    I threw this together and started capturing pretty good poop, so Bill
    Stearns & Lance Spitzner thought I should make it available. Here it is.
    If you think it's lame, that's fine. I wasn't going to put it out, anyway.
    You may find it worthwhile if you have only one ip address, and don't want
    to DNAT everything incoming to an internal dedicated honeypot.

    DISCLAIMER
    ----------
    This is a neat toy. That's all it is. You can learn from your toys
    if you use them responsibly, or you can leave them lying around on
    the floor, trip on them, and break your neck. Don't come crying to me
    because you thought my toys didn't break. That's stupid. When it breaks,
    grab a little glue and fix it, or throw it away; I don't give a shit.
    Have fun, learn something, help others learn, but don't whine because
    you were told that this was foolproof. It isn't. Fools will always
    provide the proof.

    CONCEPT
    -------
    The concept is simple: listen and record. The only problem is that the
    badguys can't speak until after a connection comes up. So we give them
    one. On any port they want. Period. Upon connecting, they are presented
    with a greeting (I use fortune) and a root prompt. W00p! They are leet.

    xinetd is used to open a single port. New connections to it get handed
    off to a simple bash script that builds two files: a running connection
    tracker, and a unique session file, into which we merely capture all
    data. That's also where the root prompt comes from. Keystrokes,
    autorooter scripts, exploit reconnects, whatever.

    iptables REDIRECT is used to pass all incoming connection requests,
    regardless of destination port, to that xinetd listener, unless we make
    an exception. Portmap is one such exception.

    In order for the intruder-to-be to know what port rpc.cmsd (or any other
    rpc service) is listening on, she needs to ask the target system's
    portmapper. So we fire up a portmapper, and feed it bogus mappings for
    every service we can. Sort of like building a static arp table, only
    more funnerer.

    Now, all of this port redirect tomfoolery is TCP only, but that's ok.
    UDP is connectionless; once the attacker believes she knows what port to
    use, off it flies. And we capture it, even if there is no service at the
    near end. I personally use Snort & SHADOW to alert me & capture
    everything, you go ahead and roll your own solution. Mine accommodates a
    pretty busy DSL that serves my family, while still grabbing every bit of
    nastiness that is sent to it.

    INSTALLATION
    ------------
    I'm going to assume that you have a fully functioning IDS of some sort
    up and running. If not, you probably should put down the keyboard and
    step away from the computer. Do not pass go, do not install this hpot.

    .......... OK, now that they are out of the room, let's party.

    Keep your IDS sigs up to date, folks. I use Snort for grabbing full
    binaries of anything that fires a sig, as well as SHADOW to have a
    complete header log. With SHADOW, I get logging even if I get hit with
    an 0-day that Snort misses. It's nice to see the progression of events,
    too. (plug, plug, plug)

    xinetd/inetd
    ------------
    Some inetd super-server needs to be installed. I prefer xinetd, but good
    ol' /sbin/inetd is ok, too. Use the inetd.conf line here:

    6635 stream tcp nowait nobody /usr/local/sbin/logthis logthis

    Copy the xinetd configure file "hpot" into your xinetd.d directory, and
    be sure to re-enable it by editing. Don't ask me why I used port 6635, my
    head just happened to fall on those keys, then I woke up.

    If you need it, xinetd is available from http://www.synack.net/xinetd/.
    Some folks will prefer a different listener; go for it. nc works
    beautifully, although it won't fork, limiting concurrent sessions.

    logthis
    -------
    The file "logthis" needs to be copied to /usr/local/sbin and chmod-ed +x.
    I really should do an installer. Nah. While we are copying files, let's
    go ahead and make the log directory, as well:

            mkdir /var/log/hpot && chown nobody /var/log/hpot

    portmap
    -------
    I wanted to register every service imaginable with the portmapper, but
    didn't like the idea of actually running the daemons necessary and
    relying on the firewall to keep the beasties at bay (some dweeb's voice
    in my ear kept saying, "defense in depth.") I was going to bang on the
    sources to portmapper and hardcode everything from /etc/rpc into there,
    but after I pulled the tarball down, I started reading and saw that
    pmap_dump and pmap_set would do it all. Cool. Thanks Wietse.

    The fakerpc here is derived from RedHat Linux 7.1, Irix 5.3, and Solaris
    8's /etc/rpc files, and then built to include lines for versions 1-4 of
    each rpc program, via both udp and tcp. You should copy it into
    /usr/local/etc. Start portmapper as normal, but instead of firing up rpc
    programs, just execute:

                    "pmap_set < /usr/local/etc/fakerpc".

    There's a 1:1 chance that this will break your existing legit rpc
    services. If you are running rpc services on your firewall/hpot, you
    should go hang out with those non-IDS types above.

    iptables
    --------
    I'll write this section later. For now, read the comments in the
    iptables.thp and edit as necessary, or incorporate the essential bits
    into your own ruleset.

    George Bakos

    -- 
    George Bakos
    Institute for Security Technology Studies
    Dartmouth College
    gbakos@ists.dartmouth.edu
    

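The fakerpc list the README feeds to pmap_set, as an added example generator that is not the tarball's fakerpc file: it turns /etc/rpc-style lines into pmap_dump-format mappings for versions 1-4 over both udp and tcp, as the README describes. The sample /etc/rpc lines are constructed, the function names are assumed, and the port numbers are placeholders.

```shell
#!/bin/bash
# Added example, not the thp tarball's fakerpc: generate pmap_set input from
# /etc/rpc-style lines ("name number [aliases...]", '#' starts a comment).
# Output uses the pmap_dump line format: program version proto port name.
# Port numbers are constructed placeholders; since every TCP port is
# redirected to the listener anyway, any otherwise unused port will do.

# Constructed stand-in for a few /etc/rpc lines (a real file has many more).
thp_sample_rpc() {
    cat <<'EOF'
# constructed sample in /etc/rpc format
portmapper      100000  portmap sunrpc
rstatd          100001  rstat rup perfmeter
cmsd            100068  dtcalendar
EOF
}

# Read /etc/rpc lines on stdin; print mappings for versions 1-4 over udp and tcp.
# $1 is the first placeholder port; each program takes the next port in sequence.
thp_gen_fakerpc() {
    local port="${1:-32768}" name num rest ver proto
    while read -r name num rest; do
        case "$name" in ''|\#*) continue ;; esac         # blank line or comment
        case "$num" in ''|*[!0-9]*) continue ;; esac     # malformed line
        if [ "$num" -eq 100000 ]; then continue; fi      # portmap registers itself
        for ver in 1 2 3 4; do
            for proto in udp tcp; do
                printf '%7d %4d %5s %6d  %s\n' "$num" "$ver" "$proto" "$port" "$name"
            done
        done
        port=$((port + 1))
    done
}
```

Run as `thp_sample_rpc | thp_gen_fakerpc > fakerpc` and feed the result to `pmap_set` exactly as the README shows.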