Research Project 2: Metasploit-able Honeypots Research questions - PowerPoint PPT Presentation

Metasploit- able Honeypots Wouter Katz Research Project 2: Metasploit-able Honeypots Research questions Introduction Approach Wouter Katz Results wouter.katz@os3.nl Conclusions References University of Amsterdam July 4th 2013 Wouter Katz Metasploit-able Honeypots

Research questions Metasploit- able Honeypots Wouter Katz How feasible is an automated method to detect specific exploits on a honeypot by monitoring network traffic of Research questions exploits? Introduction • What setup is needed in order to have exploits successfully Approach complete their exploit against a honeypot? Results • What is the best method to process network traffic Conclusions References to/from the honeypot to extract and match a unique signature from exploit traffic? • How successful are these methods? Wouter Katz Metasploit-able Honeypots

Research questions summarized Metasploit- able Honeypots Wouter Katz Research questions Introduction Approach Results Conclusions Protocol independent References Wouter Katz Metasploit-able Honeypots

Introduction Metasploit- able Honeypots Wouter Katz Research questions Introduction Approach Results Conclusions References Wouter Katz Metasploit-able Honeypots

Introduction Metasploit- able Honeypots Wouter Katz Research questions Introduction Approach Results Conclusions References Wouter Katz Metasploit-able Honeypots

Introduction Metasploit- able Honeypots Wouter Katz Research questions Introduction Approach Results Conclusions References Wouter Katz Metasploit-able Honeypots

Introduction Metasploit- able Honeypots Wouter Katz Research questions Introduction Approach Results Conclusions References Wouter Katz Metasploit-able Honeypots

Introduction Metasploit- able Honeypots Wouter Katz Research questions Introduction Approach Results Conclusions References Wouter Katz Metasploit-able Honeypots

Introduction Metasploit- able Honeypots Wouter Katz Research questions Introduction Approach Results Conclusions References Wouter Katz Metasploit-able Honeypots

Why is this needed? Metasploit- able Honeypots Wouter Katz • A lot of the honeypot software contain outdated Research vulnerabilities questions Introduction • Analysis of what happened requires manual analysis Approach • Having signatures for the most-used penetration testing Results tool allows for valuable insight in attackers’ activities Conclusions References What we want is to automatically detect modern exploits and show which exploits were detected. Wouter Katz Metasploit-able Honeypots

Exploits used within Metasploit Metasploit- able Honeypots Wouter Katz Research Within Metasploit, exploits targeting FTP server software were questions chosen as a test set for the research: Introduction Approach • Large number of exploits (37) Results • FTP is plain-text protocol, makes development easier Conclusions • Simple commands/responses References Wouter Katz Metasploit-able Honeypots

Testing environment Metasploit- able Honeypots Wouter Katz Research questions Introduction Approach Results Conclusions References Wouter Katz Metasploit-able Honeypots

Process Metasploit- able Honeypots Wouter Katz Research questions Introduction Approach Results Conclusions References Wouter Katz Metasploit-able Honeypots

Python honeypot script Metasploit- able Honeypots Wouter Katz Research • Small database with 30 vulnerable FTP banners for all 37 questions Introduction exploits Approach • Implemented responses to most used FTP commands Results • Saves all traffic Conclusions References • Detect ”suspicious” traffic Wouter Katz Metasploit-able Honeypots

Detect suspicious traffic Metasploit- able Honeypots Wouter Katz Research questions Introduction Approach Results Conclusions References Wouter Katz Metasploit-able Honeypots

Extract signatures from suspicious traffic Metasploit- able Honeypots Wouter Katz • Collect multiple suspicious flows for the same exploit, Research questions different payload Introduction • Find the longest string shared by all suspicious flows using Approach the Longest Common Substring (LCS) algorithm Results • The resulting string will be used as signature Conclusions References • This method depends on static parts in the exploit, regardless of the payload Wouter Katz Metasploit-able Honeypots

Extract signatures from suspicious traffic Metasploit- able Honeypots Wouter Katz Research Flow 1: ffeeddcc acbefafabcdefbafcbaedfeaf questions Flow 2: aabcbeaf ffeeddcc afbdeaabcdefbcffea Introduction Flow 3: feabcdefbfeacceafeabceffaecbeafabcaedd Approach Results Conclusions The string ”ffeeddcc” is the longest common substring in the References first 2 flows, but it does not occur in the 3rd flow. Wouter Katz Metasploit-able Honeypots

Extract signatures from suspicious traffic Metasploit- able Honeypots Wouter Katz Research Flow 1: ffeeddccacbefaf abcdef bafcbaedfeaf questions Flow 2: aabcbeafffeeddccafbdea abcdef fcffea Introduction Flow 3: fe abcdef afeacceafeabceffaecbeafabcaedd Approach Results Conclusions The string ”abcdef” is the longest common substring occurring References in all flows. This will be the signature. Wouter Katz Metasploit-able Honeypots

Extract signatures from suspicious traffic Metasploit- able Honeypots Wouter Katz Research LCS found ”good” signatures for 20 exploits from their questions suspicious traffic flows. The rest either had no signature, or a Introduction too generic signature (e.g. ”USER”). Approach Results Conclusions Solution: for the remaining exploits, run LCS on all other flows. References Resulted in 12 ”good” signatures for the remaining 17 exploits. Wouter Katz Metasploit-able Honeypots

Matching signatures against traffic Metasploit- able Honeypots Wouter Katz Research questions With the signatures, we should be able to detect exploits: Introduction • Check each incoming flow in the honeypot for known Approach signatures Results Conclusions • If a signature is found, print out the matching exploit References Wouter Katz Metasploit-able Honeypots

Matching signatures against traffic Metasploit- able Honeypots Wouter Katz Research questions Problem: some exploits share the same signature, causing false Introduction positives. Approach Easy solution: only check for signatures of exploits belonging Results to the current FTP banner. Conclusions References Wouter Katz Metasploit-able Honeypots

Results Metasploit- able Honeypots Wouter Katz Research questions Introduction In total found signatures for 32 out of 37 exploits (86%). Test Approach how good these signatures detect exploits by firing all exploits Results against the FTP honeypot script, with every possible payload. Conclusions References Wouter Katz Metasploit-able Honeypots

Results Metasploit- able Honeypots Wouter Katz Research questions Introduction Approach Results Conclusions References Average detection rate of 89.95% Wouter Katz Metasploit-able Honeypots

Answering the research questions Metasploit- able Honeypots Wouter Katz How feasible is an automated method to detect specific exploits on a honeypot by monitoring network traffic of Research questions exploits? Introduction • What setup is needed in order to have exploits successfully Approach complete their exploit against a honeypot? Results • What is the best method to process network traffic Conclusions References to/from the honeypot to extract and match a unique signature from exploit traffic? • How successful are these methods? Wouter Katz Metasploit-able Honeypots

Answering the research questions Metasploit- able Honeypots Wouter Katz Research What setup is needed in order to have exploits successfully questions complete their exploit against a honeypot? Introduction Approach Results Many of the exploits check FTP banner and correct FTP Conclusions responses. In order to allow exploits to complete successfully, References we need to emulate both the banner and the correct responses. Wouter Katz Metasploit-able Honeypots

Answering the research questions Metasploit- able Honeypots Wouter Katz What is the best method to process network traffic to/from the Research honeypot to extract and match a unique signature from exploit questions Introduction traffic? Approach Results In this research, a granular method of storing and processing Conclusions network traffic was used. Extract signatures using the LCS References algorithm, match traffic against signatures on-the-fly proved very effective. Wouter Katz Metasploit-able Honeypots

Answering the research questions Metasploit- able Honeypots Wouter Katz Research questions How successful are these methods? Introduction Approach Not all exploits yielded a signature, but for the exploits that Results did, most signatures have a high detection rate. Conclusions References Wouter Katz Metasploit-able Honeypots