

Pycon ZA
October 01, 2015

PyConZA 2015: "OpenCanary: a new Python-based honeypot" by Azhar Desai

Honeypots: a great idea tempered by over a decade of glorious misapplication resulting in a slow relegation to the realm of academia and slightly dubious research. But it doesn’t have to be that way. In August 2015 we released OpenCanary, the Open Source version of our commercial Python-based honeypot.

Traditional honeypots aim to reveal attacker tools, techniques and procedures, by entrapping attackers through emulation (or instrumentation) of common protocols and services. They are typically installed standalone, and seldom updated. We argue that this honeypot approach is outdated; current organisations struggle far more with identifying breaches than identifying the version of some generic rootkit installed post-breach.

OpenCanary changes that, treating the honeypot as an internal distributed sensor rather than a standalone alert generator. Each event reported is a high-quality indicator of investigation-worthy activity, and each OpenCanary instance feeds event data to a correlator which produces single alerts even in the face of network-wide scans. With such a high signal-to-noise ratio, every alert requires investigation. This is in contrast to the stream of alerts produced by tools such as anti-virus, network IDS or traditional honeypots.
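As an added illustration of the correlator described above (example code written for this page, not OpenCanary's own correlator), the following collapses events from several sensors into one alert per source host. The JSON field names (local_time, node_id, src_host, dst_host, dst_port, logdata) are assumed to mirror OpenCanary's JSON event lines; the hosts, node ids, timestamps and the deliberately broken line are constructed, and the five-minute window is a choice of this example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample log. Field names are assumed to mirror OpenCanary's JSON
# event lines; hosts, node ids, times and the broken line are made up. Three
# sensors (canary-fin, canary-hr, canary-dev) see the same source within two
# minutes: a network-wide scan that should become ONE alert, not five.
SAMPLE_LOG = """\
{"local_time": "2015-10-01 09:12:03", "node_id": "canary-fin", "src_host": "10.0.0.66", "dst_host": "10.0.1.10", "dst_port": 22, "logdata": {"USERNAME": "root", "PASSWORD": "toor"}}
{"local_time": "2015-10-01 09:12:04", "node_id": "canary-hr", "src_host": "10.0.0.66", "dst_host": "10.0.2.10", "dst_port": 445, "logdata": {}}
{"local_time": "2015-10-01 09:12:04", "node_id": "canary-dev", "src_host": "10.0.0.66", "dst_host": "10.0.3.10", "dst_port": 3389, "logdata": {}}
this line is not JSON and must be skipped, not crash the correlator
{"local_time": "2015-10-01 09:12:09", "node_id": "canary-fin", "src_host": "10.0.0.66", "dst_host": "10.0.1.10", "dst_port": 445, "logdata": {}}
{"local_time": "2015-10-01 09:13:40", "node_id": "canary-hr", "src_host": "10.0.0.66", "dst_host": "10.0.2.10", "dst_port": 22, "logdata": {"USERNAME": "admin", "PASSWORD": "admin"}}
{"local_time": "2015-10-01 10:05:11", "node_id": "canary-dev", "src_host": "10.0.0.23", "dst_host": "10.0.3.10", "dst_port": 21, "logdata": {"USERNAME": "anonymous"}}
{"local_time": "2015-10-01 11:30:00", "node_id": "canary-fin", "src_host": "10.0.0.66", "dst_host": "10.0.1.10", "dst_port": 21, "logdata": {"USERNAME": "ftp"}}
"""

REQUIRED = ("local_time", "node_id", "src_host", "dst_port")


def parse_events(text):
    """Yield events from JSON lines; malformed or incomplete lines are dropped."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            for key in REQUIRED:
                ev[key]                      # KeyError/TypeError if not usable
            ev["_ts"] = datetime.fromisoformat(ev["local_time"])
        except (ValueError, KeyError, TypeError):
            continue
        yield ev


def correlate(text, window=timedelta(minutes=5)):
    """Collapse sensor events into one alert per source host.

    Events from the same source are merged into the open alert for that source
    as long as each arrives within `window` of the previous one; after a longer
    gap a new alert is opened. A scan that touches every sensor therefore
    produces a single alert listing all sensors and ports it hit.
    """
    events = sorted(parse_events(text), key=lambda e: e["_ts"])
    open_alerts = {}     # src_host -> alert that is still accepting events
    alerts = []
    for ev in events:
        src = ev["src_host"]
        cur = open_alerts.get(src)
        if cur is None or ev["_ts"] - cur["last_seen"] > window:
            cur = {"src": src, "first_seen": ev["_ts"], "last_seen": ev["_ts"],
                   "nodes": set(), "ports": set(), "count": 0}
            open_alerts[src] = cur
            alerts.append(cur)
        cur["last_seen"] = ev["_ts"]
        cur["nodes"].add(ev["node_id"])
        cur["ports"].add(ev["dst_port"])
        cur["count"] += 1
    return alerts


def format_alert(alert):
    """One human-readable line per alert, e.g. for a pager or a ticket."""
    return "%s: %d events from %s across %d sensor(s) %s on port(s) %s" % (
        alert["first_seen"].strftime("%Y-%m-%d %H:%M:%S"), alert["count"],
        alert["src"], len(alert["nodes"]), sorted(alert["nodes"]),
        sorted(alert["ports"]))


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(format_alert(a))
```

Run against the sample, the seven valid events become three alerts: the scan from 10.0.0.66 (five events, three sensors, ports 22, 445 and 3389), the single FTP attempt from 10.0.0.23, and a fresh alert when 10.0.0.66 returns two hours later. Every one of the three is worth a human's time, which is the property the abstract claims for the correlator.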

OpenCanary wound up relying on Python for the majority of the code. The Python ecosystem provided support that sped up development and, more importantly, deployment. However, it didn't take us the full distance.

In this talk, we provide a brief background on honeypots, discuss the design of OpenCanary, delve into the challenges experienced and our plans for the project. Along the way, we’ll demo the trivially installable OpenCanary, configure a few fake services and provide an outsider’s view of developing in Python.


Transcript

  1. struct.pack (wonderful stdlib functions)
     sqlmap (tool for exploiting SQL injections)
     scapy (library for packet manipulation)
     plugin language for IDA & GDB (reverse engineering)
     Innuendo (framework for developing implants)
  2. “I was wondering how much effort this was worth… It was fun to lead this guy on, but what's the goal?”
     “Though the Jail was an interesting and educational exercise, it was not worth the effort. It is too hard to get it right, and never quite secure.”
  3. “Dedicated to learning the black-hat community's tools, tactics, and motives and then sharing any lessons learned” https://www.honeynet.org/
  4. Research pitched with wrong criteria
     - Honeypots got a bad rep: judged by the wrong criteria
     - Back then we didn't know/understand those hackers
     - Other security tech sells better, especially “preventative” ones
     - Defense too busy fighting fires
  5. Focus on the narrower use-case as a canary
     Image: Didier Descouens [CC BY-SA 4.0], via Wikimedia Commons
  6. OpenCanary daemons report to a single correlator
     - Runs on Twisted
     - pip installable
     - Mostly pure Python
     - 15 services
     - 3.5k LOC
  7. Modules
     TCP: FTP, SSH, Telnet, SMB, MSSQL, MySQL, RDP, Git, VNC, HTTP, HTTP Proxy
     UDP: SIP, SNMP, TFTP, NTP
     Portscanning
  8. honeyd: http://www.honeyd.org/release.php
     Kippo: https://github.com/desaster/kippo/commits/
     Kojoney: http://sourceforge.net/projects/kojoney/files/
     conpot: https://pypi.python.org/pypi/Conpot
     artemisa: http://sourceforge.net/projects/artemisa/files/
     delilah: https://github.com/Novetta/delilah
     Elastichoney: https://github.com/jordan-wright/elastichoney
     mhn: https://github.com/threatstream/mhn/commits/
     Glastopf: https://github.com/mushorg/glastopf/commits/
     Dionaea: http://src.carnivore.it/dionaea
     Amun: http://amunhoney.sourceforge.net
     Honeytrap: http://src.carnivore.it/honeytrap/log/
     Wordpot: https://github.com/gbrindisi/wordpot/commits/
     Shockpot: https://github.com/threatstream/shockpot/
     Artillery: https://github.com/trustedsec/artillery/commits/
     Decoy Server: http://www.symantec.com/region/reg_eu/
     Nepenthes: http://src.carnivore.it/nepenthes/log/
     Tom's Honeypot: http://labs.inguardians.com/tomshoneypot.html
     ..
  9. A little Python, and a little elbow grease, and you really can push tech out there…
  10. Nmap OS detection
      - sends 16 probe packets (TCP, UDP, ICMP)
      - runs > 100 tests on the responses
      - matches the test results against a database of OS results
  11. Problem                          Solution
      Cleartext messages               Encryption (NaCl)
      Limitation on chars in labels    Base32 encoding (modified)
      DNS caching                      Lower TTL & append random data
      Limit on size of domain name     Chunk message into packets
      Repeated queries                 Add packet IDs
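The problem/solution pairs on this slide describe a message transport carried in DNS query names. Below is an added example, written for this page and not OpenCanary's or Thinkst's code, that implements the sending side and a receiver that reassembles it: modified base32 (lowercase, no padding) so the data survives DNS label rules and case-folding resolvers, chunking so each label stays within the 63-octet limit, a one-byte packet id and sequence number so repeated or reordered queries reassemble correctly, and a random prefix label so no cache can ever answer a query for a message it has already seen. The zone canary.example, the three-byte header layout, the four-byte nonce and the 30-byte chunk size are assumptions of this example; the NaCl encryption step is left out and would be applied to the message bytes before encode_message() is called.

```python
import base64
import binascii
import os

ZONE = "canary.example"   # assumed receiving zone (hypothetical name)
MAX_LABEL = 63            # RFC 1035: a label is at most 63 octets
CHUNK_BYTES = 30          # 3 header bytes + 30 data bytes -> 53 base32 chars


def b32enc(data):
    """Modified base32: lowercase and without '=' padding, because '=' is not a
    hostname character and resolvers may fold the case of labels."""
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def b32dec(label):
    """Inverse of b32enc: restore case and padding, then decode."""
    s = label.upper()
    return base64.b32decode(s + "=" * ((-len(s)) % 8))


def encode_message(msg, msg_id, rand=os.urandom):
    """Split msg into query names of the form <nonce>.<payload>.<ZONE>.

    payload = b32enc(msg_id | seq | total | chunk): the one-byte packet id and
    sequence number let the receiver drop repeated queries and put chunks back
    in order; the random nonce label makes every name unique, so a resolver
    cache can never satisfy the query with a stale answer.
    """
    chunks = [msg[i:i + CHUNK_BYTES] for i in range(0, len(msg), CHUNK_BYTES)] or [b""]
    if not 0 <= msg_id <= 255 or len(chunks) > 255:
        raise ValueError("msg_id and chunk count must each fit in one byte")
    names = []
    for seq, chunk in enumerate(chunks):
        payload = b32enc(bytes([msg_id, seq, len(chunks)]) + chunk)
        assert len(payload) <= MAX_LABEL
        nonce = b32enc(rand(4))           # cache-busting prefix label
        names.append("%s.%s.%s" % (nonce, payload, ZONE))
    return names


def parse_name(name):
    """Return (msg_id, seq, total, chunk) for one of our query names, else None."""
    labels = name.lower().rstrip(".").split(".")
    zone = ZONE.split(".")
    if len(labels) != 2 + len(zone) or labels[2:] != zone:
        return None
    try:
        raw = b32dec(labels[1])
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 3:
        return None
    return raw[0], raw[1], raw[2], raw[3:]


class Reassembler:
    """Receiver side: collects chunks per packet id until a message is whole.

    Duplicate queries (resolver retries, or the same name arriving via several
    caches) are harmless because the first copy of each sequence number wins,
    and chunks may arrive in any order.
    """

    def __init__(self):
        self.parts = {}      # msg_id -> {seq: chunk}
        self.done = set()    # packet ids already delivered

    def feed(self, name):
        """Feed one observed query name; return the message bytes when complete."""
        parsed = parse_name(name)
        if parsed is None:
            return None
        msg_id, seq, total, chunk = parsed
        if msg_id in self.done or total == 0 or seq >= total:
            return None
        got = self.parts.setdefault(msg_id, {})
        got.setdefault(seq, chunk)
        if len(got) < total:
            return None
        self.done.add(msg_id)
        del self.parts[msg_id]
        return b"".join(got[i] for i in range(total))


def roundtrip(msg, msg_id=7):
    """Encode msg, then replay the queries reordered and with two repeats, the
    way a receiver actually sees them (constructed replay); return the result."""
    names = encode_message(msg, msg_id)
    replay = names[:2] + names[::-1]
    out = None
    r = Reassembler()
    for n in replay:
        m = r.feed(n)
        if m is not None:
            out = m
    return out


if __name__ == "__main__":
    for n in encode_message(b"login attempt from 10.0.0.66", 1):
        print(n)
    print(roundtrip(b"A" * 100) == b"A" * 100)
```

The receiver only ever sees query names, so everything it needs (which message, which piece, how many pieces) has to be inside the name; that is why the header travels in the payload label rather than in any DNS record. On the sending side, lowering the TTL on the zone is a server-side setting and is not represented in the code.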
  12. Parting Thoughts
      - If keen, jump in: opencanary is being used out there
      - Our other canary project is http://canarytokens.org
      - Plenty of security problems are waiting for you to solve
  13. Some (distant) History: this isn't new
      - JP 3-13.4 (military deception): http://jfsc.ndu.edu/Portals/72/Documents/JC2IOS/Additional_Reading/1C3-JP_3-13-4_MILDEC.pdf
      - Berferd
      - Cliff Stoll
      - Honeynet Project