Slide 1
Slide 1 text
ରܕϋχʔϙοτ
Λௐࠪͯ͠Έͨ
WELCOME TO HONEY POT WORLD
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
Slide 2
Slide 2 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
͓ॻ͖
1. ࣗݾհ
2.ϋχʔϙοτͱ
3.ϋχʔϙολʔͷಓͷΓ
4. ϋχʔϙοτௐࠪ
5. ௐࠪ݁Ռ(·ͱΊʣ
Slide 3
Slide 3 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
͡Ίʹ
▸ ຊൃදݸਓతͳҙݟ͓ΑͼݸਓతͳௐࠪʹΑΔͷͰ͢ɻ
▸ Կ͔ຊൃදͰޡΓ͕͋Γ·ͨ͠Βɺޙ΄Ͳ
twittrͳͲͰڭ͚͑ͯΔͱ͍Ͱ͢ɻ
Slide 4
Slide 4 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
ࣗݾհ
▸ ໊લ
sec chick@one_sec_chick
▸ ͓ࣄ
αΠόʔηΩϡϦςΟؔ࿈
˞ PSOCͰΞφϦετΛ͍ͯ͠·ͨ͠
▸ ϋχʔϙολʔྺ
6ϲ݄
▸ ར༻ϋχʔϙοτ
WoWHoneypot
Slide 5
Slide 5 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
ࠓճͷൃද
▸ T-pot͕εϖοΫతʹݫ͘͠ɺରܕϋχʔϙοτͰӡ༻͠Α͏ͱ
͍ͯ͠Δਓʹ͚ͯɺͦΕͧΕɺͲͷΑ͏ͳಛ͕͋Δ͔Λௐࠪ
˞ରܕɿಛఆͷOSΞϓϦέʔγϣϯΛΤϛϡϨʔτ͠ࢹ
▸ ࠓճɺௐͨϋχʔϙοτҎԼͷ௨Γ
• cowrie
• dionaea
• glastopf
• honeytrap
• WoW Honeypot
‣ ͜ͷൃදͰ1ਓͰϋχʔϙολʔ͕૿͑ͯ͘ΕΔ͜ͱΛඪʹͯ͠ൃද
Slide 6
Slide 6 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
ϋχʔϙοτͱ
▸ Θ͟ͱ੬ऑͳڥΛઃஔ͠߈ܸऀʹ৵ೖͤ͞ɺ߈ܸऀͷߦ
ಈΛࢹ͠ɺੳ͢Δ͜ͱΛతͱͨ͠γεςϜ
▸ ϋχʔϙοτͷछྨͱͯ͠ɺओʹαʔϏεΛΤϛϡϨʔτ
͢ΔରܕͱຊͷΞϓϦέʔγϣϯOSΛ͏
ߴରܕ͕ଘࡏ
▸ ࣮ࡍʹϩάΛݟΔ͜ͱͰɺ߈ܸऀ͕ͲͷΑ͏ͳ੬ऑੑΛར༻
͠ɺͲͷΑ͏ͳతͰ߈ܸ͍ͯ͠Δ͔Λ؍Ͱ͖Δ
Slide 7
Slide 7 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
ϋχʔϙοτͱ
੬ऑͳαʔό
)POOFZQPU
߈ܸΛֻ͚Δ ߈ܸΛੳ
Slide 8
Slide 8 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
ϋχʔϙολʔͷಓͷΓᶃ
▸ ษڧձͷαΠτΛݟ͍ͯΔͱɺԿΒϋχʔϙοτͱ͍͏
จࣈྻΛൃݟ
▸ ௐͯΈΔͱɺ͋͑ͯ੬ऑੑͳڥʹͯ͠ɺ߈ܸͤ͞Δ͜ͱ
Ͱɺ߈ܸํ๏Λ؍͢Δͱ͍͏ັྃతͳϫʔυ
▸ ໘നͦ͏ͩͱࢥ͍ɺࣗϋχʔϙολʔʹͳΔ͜ͱΛܾҙ
Slide 9
Slide 9 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
ϋχʔϙολʔͷಓͷΓᶄ
▸ ·ͣϋχʔϙοτΛબͿඞཁ͕͋Δ͕ɺछྨ͕ଟ͘ͲΕΛબ
͍͍͔͔Βͳ͍
Slide 10
Slide 10 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
ϋχʔϙολʔͷಓͷΓᶅ
▸ ωοτͰௐͯΈΔͱɺT-PotΛ͍ͬͯΔਓ͕ଟ͍
▸ T-PotෳͷϋχʔϙοτΛ؍ଌՄೳͰ͋ΓɺΠϯετʔϧ͢Δͩ
͚Ͱ෯͍αʔϏεΛ؍ଌͰ͖Δϋχʔϙοτ
Slide 11
Slide 11 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
ϋχʔϙολʔͷಓͷΓᶆ
▸ ࣗʹT-PotΛߏங͠Α͏ͱࢥ͕ͬͨɺ҆શੑΛߟྀͯ͠ VPSʹߏங͢Δ͜ͱʹ
▸ ͜͜Ͱ T-PotͷਪεϖοΫ͕ωοΫʹɻɻɻɻ
˞ඪ४ͷΠϯετʔϧͰϝϞϦ 4GBɺSSD 64 GB ͷ༰ྔ͕ඞཁ
▸ ਪεϖοΫͰͳ͍͕ɺ͓ۚͷ߹্ɺϝϞϦ2GͰಈ͔ͯ͠ΈΔ͜ͱʹ
ਪεϖοΫͰ͘͞ΒVPSͰՁ
֨ΛݟͯΈΔͱɺ݁ߏߴ͍
ਪεϖοΫ͡Όͳ͍͚Ͳɺ
ϝϞϦΛ2GBͯ͠େৎ͔ͳ
Slide 12
Slide 12 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
ʲࢀߟʳ͘͞ΒVPSͷ͓ஈ
ࢀরɿhttps://vps.sakura.ad.jp/specification/
Slide 13
Slide 13 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
ʲࢀߟʳϋχʔϙοτઃஔՄೳαʔϏε
▸ աڈʹϋχʔϙολ͕ௐͯ༰Ͱ֤αʔϏεͰͷϋχʔϙοτͷ
ӡ༻Մ൱ʹ͍ͭͯௐ͓ࠪͯ͠Γɺଟ͘ͷڥͰར༻͢Δ͜ͱ͕Մೳ
αʔϏε໊
αϙʔτ͔Β
ͷճ
Մ൱ උߟ
ConoHa 2017.06.21 NG نҧͰͳ͍͕ଞͷ͓٬༷ͷӨڹ͕ݒ೦͞ΕΔͷͰ߇͑ͯ΄͍͠
͘͞ΒͷΫϥυ 2017.08.10 OK
ར༻ن੍ݶࣄ߲ʹ֘͠ͳ͍ͷͰͳ͍ɻଞͷ͓٬༷ʹ໎͕͔͔Δঢ়
گ(େྔͷτϥϑΟοΫ͕ൃੜ͢Δɺར༻͍ͯ͠Δαʔό͕ݪҼͰ֎෦ͷෆਖ਼α
ʔόͷϦετʹొ͞ΕΔɺ)͕͋Εɺݸผʹ੍ݶΛ࣮ࢪ͢߹͕͋Δ
͘͞ΒͷVPS 2017.08.10 OK ಉ্
IDCFΫϥυ 2017.08.10 OK
Ϋϥυ্ͰӡӦ͢Δ༰ʹ͍ͭͯΘΕͳ͍ͷͰӡ༻Մೳɻͨͩ͠ɺୈࡾऀ
ʹෆਖ਼ʹѻΘΕͨ߹ʹͯ·ΔՄೳੑ͕͋Δ
ABLENET VPS 2017.08.10 OK
ϋχʔϙοτͷΠϯετʔϧΛېࢭ͍ͯ͠ͳ͍͕ɺଞͷ͓٬༷ͷར༻ʹӨڹ͕
ग़ΔΑ͏ͳ߹ར༻ͷ੍ݶܖղআΛߦ͏߹͕͋Δ
KAGOYA CLOUDʗ2 2017.08.10 OK
ϋχʔϙοτͷӡ༻ʹର੍ͯ͠ݶͳ͍͕ɺ߈ܸΛड͚ΔલఏͷγεςϜͳͷͰ
ηΩϡϦςΟରࡦΛेʹ࣮ࢪͨ͠͏͑Ͱӡ༻ͯ͠΄͍͠ɻ
ServersManˏVPS 2017.08.10 OK
Πϯετʔϧ͢ΔΞϓϦέʔγϣϯʹ੍ݶઃ͚͍ͯͳ͍͕ɺنͷୈ17͓
Αͼୈ32ʹ֘͢Δͱஅ͞Εͨ߹੍ݶΛߦ͏ࣄ͕͋Δɻ
ʮServersMan@VPSϓϥϯར༻نʯͷېࢭࣄ߲Λ֬ೝͯ͠΄͍͠ɻ
໊͓લ.comVPS 2017.08.14 OK
ࢀরɿϋχʔϙοτͷӡ༻͕نҧͰͳ͍͔ௐͯΈͨIUUQTCMBDLMFQBSEOFUWCON
Slide 14
Slide 14 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
ϋχʔϙολʔͷಓͷΓᶇ
▸ ؒॱௐʹಈ͍͍͕ͯͨɺΤϥʔͰT-Pot͕ࢭ·ͬͯ͠·͏ࣄ
͕ଟൃ
▸ ݁ہɺ҆ఆͯ͠ಈ͔ͳ͍ͷͰɺղ͢Δ͜ͱʹɻɻɻɻ
▸ ݱࡏɺεϖοΫͰՔಇՄೳͰɺHTTPͷ߈ܸΛࢹͰ͖Δ
WoWHoneypotΛӡ༻த
Slide 15
Slide 15 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
ରܕ HONEYPOT ௐࠪ
▸ ରܕͷϋχʔϙοτΛհ
Slide 16
Slide 16 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
GLASTOPF
▸ WEBͰͷ߈ܸΛࢹʹಛԽͨ͠ϋχʔϙοτ
▸ σΟϨΫτϦτϥόʔαϧ SQL Injection ʹରͯ͠ɺΤϛϡϨʔτ
ͨ݁͠ՌΛදࣔ
Slide 17
Slide 17 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
GLASTOPF Ϩεϙϯεྫ
▸ ϦΫΤετྫ1
http://192.168.0.xx/test.php?q=SELECT%20A%20FROM%20B
Ϩεϙϯε
Invalid query: You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use near
'SELECT A FROM B' at line 1
▸ ϦΫΤετྫ2
http://192.168.0.xx/test.php?a=../../../../../../../etc/passwd
Ϩεϙϯε
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:
2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync
games:x: ~ লུ ~
※ ҎԼͷgithubͷςετέʔεΛࢀߟ
ɹhttps://github.com/mushorg/glastopf/blob/master/glastopf/testing
Slide 18
Slide 18 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
WOW HONEYPOT
▸ HTTPͷ߈ܸΛࢹతͱͨ͠ϋχʔϙοτ
▸ ߈ܸऀͷϦΫΤετʹରͯ͠ɺ߈ܸ͕ޭͨ͠Α͏ʹݟ͔͚ͤΔ
ϨεϙϯεΛฦ৴
▸ ϋϯςΟϯάػೳʹΑΓɺϚϧΣΞΛVirus TotalͰղੳՄೳ
(ݕମอଘ͠ͳ͍)
▸ Πϯετʔϧ͕؆୯ʢҎԼͷϖʔδΛࢀߟʹΠϯετʔϧՄೳʣ
https://github.com/morihisa/WOWHoneypot
Slide 19
Slide 19 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
WOW HONEYPOT
߈ܸऀ͕αʔόϦΫΤετΛૹ৴
αʔόͷ'8Ͱϙʔτసૹ
ྫɿϙʔτ͔Βϙʔτ
ϦΫΤετ͔ΒϨεϙϯε༰Λܾఆ
߈ܸऀϨεϙϯεΛฦ͢
8P8)POFZQPU
ࢀߟɿॳ৺ऀ͚ϋχʔϙοτ808)POFZQPUͷհ
ɹɹɹIUUQTTQFBLFSEFDLDPNNPSJIJ@TPDDIVYJO[IFYJBOHLFIBOJIPUVUPXPXIPOFZQPUGBMTFTIBPKJF TMJEF
Slide 20
Slide 20 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
WOW HONEYPOT Ϩεϙϯεྫ
▸ GET /etc/passwd
Ϩεϙϯεɿ
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/
usr/sbin/nologin ~লུ~
▸ GET /getcfg.php (D-Link)
Ϩεϙϯεɿ
DEVICE.ACCOUNT 100 admin 100 adminpass administrators manage
▸ POST /wls-wsat/CoordinatorPortType
εςʔλείʔυɿ500
Slide 21
Slide 21 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
COWRIE
▸ SSH͓ΑͼTelnetͷࢹΛతͱͨ͠ϋχʔϙοτ
▸ ߈ܸऀͷଧͪࠐΜͩίϚϯυͷه͓Αͼ࠶ੜ͕Մೳ
▸ ߈ܸऀ͕ϋχʔϙοτʹμϯϩʔυͨ͠ϑΝΠϧΛอଘ
Slide 22
Slide 22 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
COWRIE
▸ ϩά (/log/cowrie-textlog.log)
2018-06-21T06:20:11.790706Z login attempt [sec_chick/aaaaaa] failed
2018-06-21T06:20:15.884342Z login attempt [sec_chick/bbbbb] failed
2018-06-21T06:20:18.976004Z login attempt [sec_chick/cccccc] succeeded
2018-06-21T06:20:19.466336Z Terminal Size: 24 80
2018-06-21T06:20:19.467874Z request_env: LANG=ja_JP.UTF-8
2018-06-21T06:20:19.470091Z Opening TTY Log: log/tty/
20180621-062019-758689600833-0i.log
2018-06-21T06:20:33.007909Z CMD: ls
2018-06-21T06:20:33.020759Z Command found: ls
2018-06-21T06:20:49.834860Z CMD: wget www[.]yahoo.co.jp
2018-06-21T06:20:49.839532Z Command found: wget www[.]yahoo.co.jp
2018-06-21T06:20:49.937292Z Downloaded URL (http://www[.]yahoo.co.jp) with
SHA-256
bbede94bcf9ab5fbc4469b382335449ebf2499595ffc84b64eb492faa79b35e1 to dl/
bbede94bcf9ab5fbc4469b382335449ebf2499595ffc84b64eb492faa79b35e1
Slide 23
Slide 23 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
COWRIE ϩάΠϯ࣌
▸ ϩάΠϯ࣌ͷϩά
login attempt [sec_chick/aaaaaa] failed
login attempt [sec_chick/bbbbb] failed
login attempt [sec_chick/cccccc] succeeded
▸ ͋͑ͯԿ͔ϩάΠϯΛࣦഊ͔ͤͯ͞ΒϩάΠϯͤ͞ΔΈ
˞̏ճͰϩάΠϯޭ
▸ ϩάΠϯ෦ͰϢʔβ໊͓ΑͼύεϫʔυΛऩू
Slide 24
Slide 24 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
COWRIE ϩάΠϯޙ
▸ ϩάΠϯޙͷϩά
CMD: ls
Command found: ls
CMD: wget www.yahoo.co.jp
Command found: wget www[.]yahoo.co.jp
Downloaded URL (http://www[.]yahoo.co.jp) with SHA-256
bbede94bcf9ab5fbc4469b382335449ebf2499595ffc ~লུ~
▸ ϩάΠϯޭޙɺ߈ܸऀ͕ͲͷΑ͏ͳίϚϯυΛ࣮ߦ͔ͨ͠
֬ೝՄೳ
▸ μϯϩʔυ͞ΕͨϑΝΠϧอଘ͞ΕΔͨΊɺޙ͔Β֬ೝՄೳ
Slide 25
Slide 25 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
DIONAEA
▸ ωοτϫʔΫ্ͰՔಇ͍ͯ͠ΔαʔϏεͷ੬ऑੑΛૂͬͨϚ
ϧΣΞͷั֫Λతͱͨ͠ϋχʔϙοτ
▸ FTPɺHTTPɺMySQLɺSMBͳͲͷ෯͍αʔϏε(16छྨ)
ʹؔ͢Δ߈ܸΛࢹՄೳ
▸ ั֫͞ΕͨϚϧΣΞσΟϨΫτϦʹอଘ͞ΕΔ
Slide 26
Slide 26 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
DIONAEA
▸ ҎԼͷαʔϏε͕dionaea্ͰࢹՄೳ
໊લ αʔϏε ϙʔτ ϓϩτί
Black
hole
telnet 23 tcp
DNS 53 tcp,udp
NTP 123 udp
EPMAP SMB 135 tcp
FTP FTP 21 tcp
HTTP HTTP 80 tcp
Memache memcache 11211 tcp
mirror mirror 42 tcp
MongoDB MongoDB 27017 tcp
mqtt
MQ
Telemetry
Transport
1883 tcp
໊લ αʔϏε ϙʔτ ϓϩτί
MSSQL MSSQL 1433 tcp
MYSQL MYSQL 3306 tcp
PPTP PPTP 1723 tcp
SIP
(VoIP)
SIP 5060 tcp
SIP over
TLS
5061 tcp
SIP 5060 udp
SMB SMB 445 tcp
TFTP TFTP 69 udp
UPnP UPnP 1900 udp
Slide 27
Slide 27 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
DIONAEA දࣔྫ(HTTP)
▸ σϑΥϧτͰ Directory listing for ͷϖʔδ͕දࣔ͞ΕΔ
Slide 28
Slide 28 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
DIONAEA දࣔྫ(FTP)
▸ FTPଓ࣌ͷ༷ࢠ
220 FTP server ready.
USER sec_chick
331 Password required for sec_chick.
PASS password
230 User logged in, proceed
pwd
257 "/"
help
502 Command 'HELP' not implemented
Slide 29
Slide 29 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
HONEYTRAP
▸ ෯͍αʔϏεΛࢹ͢Δ͜ͱ͕Ͱ͖Δϋχʔϙοτ
▸ TCP͓ΑͼUDPʹରͯ͠ͷ௨৴Λϩάʹه
˞ύέοτΛNFQUEUEʹૹΓɺHoneytrap͕ॲཧ
▸ දతͳϓϩτίϧʹରͯ͠ɺܾ·ͬͨϨεϙϯεΛ
ฦ͢͜ͱ͕Մೳ
▸ αʔϏεΛݶఆ͍ͯ͠ͳ͍ͨΊɺ༷ʑͳ߈ܸΛࢹՄೳ
Slide 30
Slide 30 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
HONEYTRAP Ϩεϙϯεྫ
▸ FTP
220 Welcome to localhost
▸ SMTP
250 localhost ESMTP Postfix
▸ MYSQL
4.0.24_Debian-10sarge1-logu3;n:u`b,
Slide 31
Slide 31 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
֤ϋχʔϙοτ·ͱΊ
ϋχʔϙοτ໊ ֓ཁ औಘՄೳͳใ
glastopf
ɾWebܦ༝Ͱͷ߈ܸΛࢹΛతͱͨ͠ϋχʔϙοτ
ɾσΟϨΫτϦτϥόʔαϧ SQL Injection ʹରͯ͠
੬ऑੑͳԠΛ߈ܸऀฦ͢
ɾPOSTϦΫΤετͷBODY෦ͷใΛऔಘՄೳ
ɾHTTPϦΫΤετͷ༰
WoWHoneypot
ɾHTTPͷ߈ܸΛࢹతͱͨ͠ϋχʔϙοτ
ɾHTTP ϦΫΤετΛ·Δͬͱอଘ
ɾ߈ܸऀͷϦΫΤετʹରͯ͠ɺ߈ܸ͕ޭͨ͠Α͏ʹ
ɹݟ͔͚ͤΔϨεϙϯεΛฦ৴
ɾϋϯςΟϯάػೳʹΑΓɺϚϧΣΞΛVirus Totalʹ࿈ܞ
Մೳ(ݕମอଘ͠ͳ͍)
ɾΠϯετʔϧ͕؆୯
ɾHTTPϦΫΤετͷ༰
ɾϚϧΣΞͷURLઌ
▸ HTTPʹؔ͢ΔϋχʔϙοτͰ͋Εɺglastopf͘͠
WoWHoneypot͕Φεεϝ
Slide 32
Slide 32 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
֤ϋχʔϙοτ·ͱΊ
ϋχʔϙοτ໊ ֓ཁ औಘՄೳͳใ
cowrie
ɾSSH͓ΑͼTelnetͷࢹΛతͱͨ͠ϋχʔϙοτ
ɾ৵ೖऀͷଧͪࠐΜͩίϚϯυͷه͓Αͼ࠶ੜ͕Մೳ
ɾ৵ೖऀ͕ϋχʔϙοτʹμϯϩʔυͨ͠ϑΝΠϧΛอଘ
ɾSSH͓ΑͼTelnetͰར༻ͨ͠Ϣʔβ໊ɺPW
ɾϩάΠϯޙʹೖྗ͞ΕͨίϚϯυ
ɾwget, curl Ͱμϯϩʔυ͞Εͨ ϑΝΠϧ
dionaea
ɾωοτϫʔΫ্ͰՔಇ͍ͯ͠ΔαʔϏεͷ੬ऑੑΛૂͬͨ
ϚϧΣΞͷั֫Λతͱͨ͠ϋχʔϙοτ
ɾFTPɺHTTPɺMySQLɺSMBͳͲͷ෯͍αʔϏε
(16छྨ)ΛΧόʔ
ɾ৵ೖऀ͕ઃஔͨ͠ϚϧΣΞޙ͔ΒࢀরՄೳ
ɾՔಈ͍ͯ͠ΔαʔϏεͷ௨৴
ɾஔ͞ΕͨϚϧΣΞ
honeytrap
ɾ෯͍αʔϏεΛࢹ͢Δ͜ͱ͕Մೳ
(ࠓճͷݕূͰ࠷ଟ͘ͷϙʔτͰͷ௨৴Λݕ)
ɾ࣮ࡍͷ௨৴༰֬ೝՄೳ
ɾओཁϙʔτͷ؆қతͳϨεϙϯεΛฦ͢
ɾhoneytrapѼͷ௨৴
▸ HTTPҎ֎ͰͷϋχʔϙοτͰ͋Εɺcowrieɺdionaeaɺ
honeytrap͕Φεεϝ
Slide 33
Slide 33 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
ௐࠪ݁Ռʢ·ͱΊʣ
▸ ରܕͷϋχʔϙοτʹ͍ͭͯௐࠪΛ࣮ࢪ
▸ ରܕʹͦΕͧΕछྨ͕͋ΔͨΊɺ ࣗͷ؍͍ͨ͠
߈ܸͰϋχʔϙοτΛબ͠·͠ΐ͏ʂ
▸ ͓ۚʹ༨༟͕͋ΔਓT-PotΛӡ༻͢Δͷ༗
▸ ରܕϋχʔϙοτͷಋೖํ๏ɺϒϩάॻ੶Ҏ֎ʹ
Dockerfile͕ࢀߟʹͳΔ(ͲͷίϚϯυΛଧ͍͍͔͔ͯΔͨΊʣ
▸ ࠓճͷൃදͰҰਓͰଟ͘ͷϋχʔϙολʔ͕૿͑Δͱخ͍͠Ͱ͢ʂʂʂ
Slide 34
Slide 34 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
ऴΘΓ
▸ ͝੩ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂʂʂ
Slide 35
Slide 35 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
ࢀߟURL
▸ Githubؔ࿈
https://github.com/dtag-dev-sec/tpotce
https://github.com/micheloosterhof/cowrie
https://github.com/dinotools/dionaea
https://github.com/mushorg/glastopf
https://github.com/armedpot/honeytrap
https://github.com/morihisa/WOWHoneypot
Slide 36
Slide 36 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
ࢀߟURL
▸ www.morihi-soc.net
http://www.morihi-soc.net/
https://speakerdeck.com/morihi_soc/chu-xin-zhe-xiang-kehanihotuto-wowhoneypot-falseshao-
jie
▸ HONEYPOTӡ༻ه
https://blog.n-etupirka.net/
▸ αΠόʔηΩϡϦςΟ͡Ί·ͨ͠
https://tk-secu.hateblo.jp/
▸ Misc notes
https://fatsheep.hateblo.jp/
▸ nanka iroiro
http://waaai-tanoshiiiii.hatenablog.com/
▸ ଞʹ༷ʑͳϋχʔϙολʔͷϒϩάΛࢀߟʹͤͯ͞Β͍·ͨ͠
Slide 37
Slide 37 text
ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձ
ࢀߟॻ੶
▸ Ոܭʹ͍͞͠ϋχʔϙοτೖ
ஶऀɿʹ΄ΜΜ͕
ߪೖURL: https://booth.pm/ja/items/663689
▸ WOWHoneypotͷ༡ͼ͔ͨ
ஶऀɿmorihi-soc
ߪೖURL: https://booth.pm/ja/items/824586