Honeynet Project

From Hack Story


 Hispasec - una-al-día                                  21/07/2001
 A security news item every day                   www.hispasec.com
-------------------------------------------------------------------
Honeynet, a sweet trap
----------------------

Last Thursday a project that caught our curiosity was announced: the Honeynet project, or, translated into Spanish, a "tarro de miel" (honey pot).

This project has been running experimentally for a little over a year, maintained by some 30 volunteers. One of them, Lance Spitzner, head of security architecture at Sun Microsystems, commented: "The project has been running for a little over a year in a limited way, but it will be extended to systems all over the world"; "right now the attackers trouble us because there is only one Honeynet".

Broadly speaking, what the Honeynet network aims to be is an intrusion detection system connected in turn to a virtual alarm system that monitors each of the intruder's movements, making it easier to locate them and to gather evidence.

According to Spitzner, the philosophy of the project is not to catch the attackers but to learn from them; in his words, "Our goal has never been and never will be to catch computer attackers"; "We are deploying the systems to gather data on the enemy."

The project was born as a non-profit effort and has attracted the interest of many companies and government bodies, who believe it will become a very important part of Internet security.

Comment on this news item: http://www.hispasec.com/unaaldiacom.asp?id=1000

More information:

Honeynet Project sweetens hacker bait http://news.cnet.com/news/0-1003-200-6560377.html?tag=mn_hd

The Honeynet project http://project.honeynet.org

Know Your Enemy http://project.honeynet.org/papers/enemy


Antonio J. Román Arrebola antonio_roman@hispasec.com


-----

http://www.builder.com/Servers/SecurityIssues/082300/?tag=st.bl.3880.linksgp

By Chris Prosise and Saumil Udayan Shah 8/23/00

We often hear about "black hat" hackers invading our networks, taking over systems, and pillaging sensitive information. Some of us might even have experienced it. But one rarely gets a chance to actually sit and observe how hackers go about invading a network. We got such an opportunity a few months ago when we joined the Honeynet Project, which was created to learn the techniques the enemy uses. The project was initiated and coordinated by Lance Spitzner, who is a part of Sun Microsystems' GESS Global Security Team.

The purpose of the Honeynet Project was simple: to learn about the mindset and the techniques used by black-hat hackers today. To this end, the project members created a network of computers loaded with commonly used software, registered a domain name, and monitored Internet traffic to see what would happen. This set of computers, or honeypot, was set up specifically to lure hackers. It was guarded by standard firewalls that were specifically designed to allow network traffic into the systems but to restrict traffic going out of these systems back onto the Internet. The crux of the honeypot, however, was the monitoring system, which recorded the data going in and out of the network--including suspicious activity performed by attackers. In this case, the project used Snort as the monitoring system. The computers in the honeypot ran out-of-the-box Solaris 2.6 and Windows NT 4.0 operating systems.

The Attack Begins (http://www.builder.com/Servers/SecurityIssues/082300/ss01.html)

The first successful attack on the honeypot occurred on June 4, 2000. Remarkably, the honeypot network had been created just a few days earlier, with no public launch. The rapidity of the attack shows us how quickly black-hat hackers will find new systems. Also, the systems on the honeypot network contained no juicy information. They were set up as plain vanilla systems on the Internet. That they were compromised indicates that, although systems containing sensitive information such as user profiles or credit card numbers may be prime targets for hackers, systems that do not host sensitive information are not spared.

The hackers used a common Solaris exploit known as rpc.ttdbserv to compromise the honeypot and to gain root (system administrator) privileges. The rpc.ttdbserv exploit is listed in the SANS Top Ten List as the third most commonly used hacking trick. Immediately after compromising the system, the attackers created two user accounts with root privileges so that they could get back into the system at a later time. They set up a rootshell (an interactive login shell with root privileges) to listen on an arbitrary TCP port so that they could gain administrative access without being authenticated.

Bring On the Rootkit

After creating a back door, our attackers proceeded to download and set up a rootkit on the compromised system. Very simply, a rootkit is a set of programs that replaces commonly used system tools and utilities and that hides the attackers' activities. Typical Unix rootkits include replacements for programs such as ps to hide processes, netstat to hide network connections, ls to hide files, and other tools such as packet sniffers to monitor network traffic (especially passwords). The rootkit even removes any telltale activities from system log files. In the rootkit our attackers used, we noticed the Pico editor, an easy-to-use Unix editor (as opposed to vi, the popular editor found on most Unix systems). The presence of Pico made it obvious that the attackers did not have advanced Unix skills.
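The two post-compromise indicators described above, backdoor accounts with root privileges and a listener hidden by a trojaned netstat, can both be checked from the host's own data. The following is an added example, not code from the original article or the Honeynet Project; it assumes a Linux host (so that /proc/net/tcp exists) and takes the file contents as text so it runs offline on constructed samples.

```python
# Added example, not from the original article. Two host-level checks for the
# post-compromise indicators the article describes: extra UID-0 accounts in
# /etc/passwd and TCP listeners present in the kernel's /proc/net/tcp (assumed
# Linux host) but missing from a possibly trojaned netstat. Inputs are text so the
# checks run offline on constructed samples.
import re

def extra_root_accounts(passwd_text):
    """Login names other than 'root' whose UID field is 0."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found

def kernel_listen_ports(proc_net_tcp_text):
    """Ports in LISTEN state (st == 0A) from /proc/net/tcp; port is hex after ':'."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        cols = line.split()
        if len(cols) >= 4 and cols[3] == "0A":
            ports.add(int(cols[1].split(":")[1], 16))
    return ports

def netstat_listen_ports(netstat_text):
    """TCP LISTEN ports as reported by 'netstat -an'-style output."""
    pattern = re.compile(r"^tcp\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN")
    return {int(m.group(1)) for m in map(pattern.match, netstat_text.splitlines()) if m}

def hidden_listeners(proc_net_tcp_text, netstat_text):
    """Listening ports the kernel knows about but netstat omitted."""
    return sorted(kernel_listen_ports(proc_net_tcp_text) - netstat_listen_ports(netstat_text))

# Constructed sample data (not real captures). 'sysadm' has UID 0; port 0x1F90
# (8080) is listening in the kernel table but absent from the netstat listing.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sysadm:x:0:0::/tmp/.x:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh"""

SAMPLE_PROC_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1
   2: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9012 1"""

SAMPLE_NETSTAT = """tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN"""
```

On a live host, read `/etc/passwd` and `/proc/net/tcp` directly and capture `netstat -an` output into the third argument; a non-empty result from either check is worth investigating, since a rootkit that patches `netstat` cannot hide a socket from the kernel's own table.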

The Daily Word, Via IRC (http://www.builder.com/Servers/SecurityIssues/082300/ss02.html)

The attackers' next step was to set up an Internet Relay Chat proxy so that they could use their proxy to maintain system operations on their IRC channel. That was convenient for us: because we were able to recover log files of their conversations, the IRC channel gave us excellent firsthand information on their activities. We analyzed the logs each day to understand the hackers' motives and psychology. The logs also helped us figure out where the hackers were based.

Our first hint about the hackers' location was that they conversed in Urdu. That, along with some other clues, helped us deduce that they were from Pakistan. Fortunately, Saumil was able to translate the conversations from Urdu into English. A sanitized version of the IRC logs is available on the Honeynet Project site.

Fourteen days of snooping on their IRC chat gave us a clear picture of who the attackers were, what kind of skills they possessed, and what they were setting out to do. Basically, these hackers were joyriders who would try to compromise any system they could find. The attacks were random, and systems that were easy picking were compromised.

Hackers Show Off

One of our favorite examples of bravado occurred when one of the attackers bragged that he had compromised 40 systems in one fell swoop. This statement shows us how real the threat is. Exploits are becoming automated to such an extent that even amateur attackers, often called "script kiddies" by the security community, can compromise hosts, despite the fact that such hackers have no idea how or why the exploit works. In the IRC logs we observed, the attackers taught each other some basic Unix skills, including how to go about launching canned exploits and even denial of service (DoS) attacks.

As time progressed, we saw more of their malicious side. According to what we culled from their log files, these hackers were attacking computer systems in India, the United Arab Emirates, and Pakistan, plus a few other systems scattered around the globe. They said they were a politically motivated hacker group, performing such activities as part of their propaganda.

Their claimed malicious activities included using password crackers to crack user accounts on ISPs, launching major DoS attacks on various sites and ISPs, trading credit cards over underground IRC channels, and teaching other attackers the tricks of the trade. One of the attackers even claimed to have compromised a billing system on an ISP and gained access to more than 5000 user accounts. The hackers said they were using the stolen credit cards to register some domains to host their propaganda and exploit tools.

Lessons to Be Learned (http://www.builder.com/Servers/SecurityIssues/082300/ss03.html)

Our close encounter with black hat hackers reinforced the following points:

  • The hacker threat is very real.

For anyone hosting systems on the Internet, it is only a matter of time till a hacker probe comes knocking on your door. Even the least interesting system can be a target. Systems get compromised if they appear to be weakly protected or are suspected of having a known vulnerability. Most of the time, attackers use compromised systems to cover their tracks when launching attacks against other systems.

  • It does not take a great deal of skill for hackers to compromise systems.

With canned exploit tools available on the Internet, attackers can compromise systems without even knowing how their exploits work. As we observed in this particular episode, the attackers possessed only some basic Unix skills, yet they managed to get root access to systems.

  • Compromised systems are used as launching points for further malicious activity.

In this situation, the attackers said they used compromised systems to launch denial of service attacks against various sites.

In gaining firsthand experience with malicious hackers, Lance Spitzner and the whole Honeynet Project team did us all a service. They've provided us with rare insight into the minds and practices of one of the greatest Internet threats to date: "black hats."

Hackstory.es - The untold story of the hacker underground in the Iberian Peninsula.