
WelComeToHoneyPOTWORLD / I Investigated Low-Interaction Honeypots

sec-chick
June 30, 2018


4th Honeypotter Technical Exchange Meeting


Transcript

  1. 4th Honeypotter Technical Exchange Meeting
     Self-introduction
     ▸ Name: sec chick (@one_sec_chick)
     ▸ Work: cyber-security related
       ※ I used to be an analyst at PSOC
     ▸ Honeypotter experience: 6 months
     ▸ Honeypot in use: WoWHoneypot
  2. The road to becoming a honeypotter
     ▸ I thought about building T-Pot at home, but for safety reasons decided to build it on a VPS instead
     ▸ Here T-Pot's recommended spec became the bottleneck....
       ※ Even a standard install needs 4 GB of memory and a 64 GB SSD
     ▸ Not the recommended spec, but for budget reasons I decided to try running it with 2 GB of memory
       (Looking up Sakura VPS prices for the recommended spec, it is quite expensive. It's not the recommended spec, but will 2 GB of memory be enough?)
  3. [Reference] Services where a honeypot can be hosted
     ▸ A honeypotter previously asked each provider whether running a honeypot is permitted; it is possible in many environments.
       (Service name / date of support's reply / allowed? / notes)
       ConoHa / 2017.06.21 / NG: not a terms violation, but they ask you to refrain because of the possible impact on other customers
       Sakura Cloud / 2017.08.10 / OK: not covered by the terms of use or restrictions, so no problem; if other customers are inconvenienced (large traffic volumes, your server causing them to be registered on external lists of malicious servers, etc.) they may impose restrictions individually
       Sakura VPS / 2017.08.10 / OK: same as above
       IDCF Cloud / 2017.08.10 / OK: what you operate on the cloud is not questioned, so operation is possible; however, if it is abused by a third party the terms and conditions may apply
       ABLENET VPS / 2017.08.10 / OK: installing a honeypot is not prohibited, but if other customers' use is affected they may restrict use or terminate the contract
       KAGOYA CLOUD/2 / 2017.08.10 / OK: no restriction on running a honeypot, but since it is a system that expects to be attacked, they want security measures fully implemented before operating it
       ServersMan@VPS / 2017.08.10 / OK: no restriction on installed applications, but restrictions may be applied if Articles 17 and 32 of the terms are judged to apply; check the prohibited items in the "ServersMan@VPS plan terms of use"
       Onamae.com VPS / 2017.08.14 / OK
       Reference: "I checked whether running a honeypot violates the terms of service" [URL garbled in the transcript]
  4. GLASTOPF response examples
     ▸ Request example 1
       http://192.168.0.xx/test.php?q=SELECT%20A%20FROM%20B
       Response:
       Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SELECT A FROM B' at line 1
     ▸ Request example 2
       http://192.168.0.xx/test.php?a=../../../../../../../etc/passwd
       Response:
       root:x:0:0:root:/root:/bin/bash
       daemon:x:1:1:daemon:/usr/sbin:/bin/sh
       bin:x:2:2:bin:/bin:/bin/sh
       sys:x:3:3:sys:/dev:/bin/sh
       sync:x:4:65534:sync:/bin:/bin/sync
       games:x: ~ omitted ~
     ※ See the test cases on GitHub for reference:
       https://github.com/mushorg/glastopf/blob/master/glastopf/testing
  5. WOW HONEYPOT
     ▸ A honeypot aimed at monitoring HTTP attacks
     ▸ Replies to the attacker's request with a response that makes the attack look as if it succeeded
     ▸ Its hunting feature lets the malware be analysed with VirusTotal (the specimen itself is not stored)
     ▸ Easy to install (can be installed by following the page below)
       https://github.com/morihisa/WOWHoneypot
  6. WOW HONEYPOT: request flow
     The attacker sends a request to the server
     → the server's FW forwards the port (e.g. from one port to another; the port numbers are not legible in the transcript)
     → WoWHoneypot decides the response content from the request
     → the response is returned to the attacker
     Reference: "Introduction to WOWHoneypot, a honeypot for beginners"
       https://speakerdeck.com/morihi_soc/chu-xin-zhe-xiang-kehanihotuto-wowhoneypot-falseshao-jie
  7. WOW HONEYPOT response examples
     ▸ GET /etc/passwd
       Response:
       root:x:0:0:root:/root:/bin/bash
       daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
       ~ omitted ~
     ▸ GET /getcfg.php (D-Link)
       Response: DEVICE.ACCOUNT 100 admin 100 adminpass administrators manage
     ▸ POST /wls-wsat/CoordinatorPortType
       Status code: 500
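The Glastopf and WoWHoneypot examples above both boil down to one step: recognise what kind of probe a request line is, then answer with a decoy that looks like success. The block below is an added example, not code from Glastopf or WoWHoneypot; the regexes, tag names and decoy bodies are constructed here, shaped after the requests and responses shown on the slides.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Coarse detection patterns for the probe types shown on the slides: directory
# traversal, SQL injection, and two fixed exploit paths. Constructed for this example.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|/etc/passwd", re.I)
SQLI_RE = re.compile(r"\b(select|union|insert|update|delete|drop)\b.*\b(from|into|table|where|set)\b|'\s*(or|and)\b", re.I)
KNOWN_PATHS = {
    ("GET", "/getcfg.php"): "getcfg-probe",                      # D-Link config fetch
    ("POST", "/wls-wsat/CoordinatorPortType"): "wls-wsat-probe",
}
# Decoy bodies in the shape of the slides' examples (contents are constructed).
FAKE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
               "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")
MYSQL_ERROR = ("Invalid query: You have an error in your SQL syntax; check the manual that "
               "corresponds to your MySQL server version for the right syntax to use near '{}' at line 1")

def classify(method, target):
    """Tags a request line earns; an empty set means ordinary traffic."""
    decoded = unquote(target)          # look at the decoded form so %20 / %2e tricks are seen
    tags = set()
    if TRAVERSAL_RE.search(decoded):
        tags.add("traversal")
    if SQLI_RE.search(decoded):
        tags.add("sqli")
    path = urlsplit(target).path
    if (method, path) in KNOWN_PATHS:
        tags.add(KNOWN_PATHS[(method, path)])
    return tags

def respond(method, target):
    """Choose a success-looking reply the way the slides describe: a fake /etc/passwd for
    traversal, a MySQL-style error echoing the query for SQLi, 500 for the WLS-WSAT probe,
    a config-like blob for getcfg.php. Returns (status, body, tags) so the tags can be logged."""
    tags = classify(method, target)
    if "traversal" in tags:
        return 200, FAKE_PASSWD, tags
    if "sqli" in tags:
        echoed = " ".join(value for _, value in parse_qsl(urlsplit(target).query))
        return 200, MYSQL_ERROR.format(echoed), tags
    if "getcfg-probe" in tags:
        return 200, "<DEVICE.ACCOUNT>admin adminpass administrators</DEVICE.ACCOUNT>", tags
    if "wls-wsat-probe" in tags:
        return 500, "", tags
    return 200, "<html><body>It works!</body></html>", tags
```

The tags are the part worth keeping: a honeypot's value is the full request plus the classification, so log both rather than only the decoy you returned.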
  8. COWRIE
     ▸ Log (/log/cowrie-textlog.log)
       2018-06-21T06:20:11.790706Z login attempt [sec_chick/aaaaaa] failed
       2018-06-21T06:20:15.884342Z login attempt [sec_chick/bbbbb] failed
       2018-06-21T06:20:18.976004Z login attempt [sec_chick/cccccc] succeeded
       2018-06-21T06:20:19.466336Z Terminal Size: 24 80
       2018-06-21T06:20:19.467874Z request_env: LANG=ja_JP.UTF-8
       2018-06-21T06:20:19.470091Z Opening TTY Log: log/tty/20180621-062019-758689600833-0i.log
       2018-06-21T06:20:33.007909Z CMD: ls
       2018-06-21T06:20:33.020759Z Command found: ls
       2018-06-21T06:20:49.834860Z CMD: wget www[.]yahoo.co.jp
       2018-06-21T06:20:49.839532Z Command found: wget www[.]yahoo.co.jp
       2018-06-21T06:20:49.937292Z Downloaded URL (http://www[.]yahoo.co.jp) with SHA-256 bbede94bcf9ab5fbc4469b382335449ebf2499595ffc84b64eb492faa79b35e1 to dl/bbede94bcf9ab5fbc4469b382335449ebf2499595ffc84b64eb492faa79b35e1
  9. COWRIE at login
     ▸ Log at login time
       login attempt [sec_chick/aaaaaa] failed
       login attempt [sec_chick/bbbbb] failed
       login attempt [sec_chick/cccccc] succeeded
     ▸ A mechanism that deliberately makes login fail a few times before letting it succeed
       ※ Login succeeds on the 3rd attempt
     ▸ The login stage collects user names and passwords
 10. COWRIE after login
     ▸ Log after login
       CMD: ls
       Command found: ls
       CMD: wget www.yahoo.co.jp
       Command found: wget www[.]yahoo.co.jp
       Downloaded URL (http://www[.]yahoo.co.jp) with SHA-256 bbede94bcf9ab5fbc4469b382335449ebf2499595ffc ~ omitted ~
     ▸ After a successful login you can see which commands the attacker executed
     ▸ Downloaded files are saved, so they can be examined later
 11. DIONAEA
     ▸ The following services can be monitored on dionaea (name: service, port, protocol)
       Blackhole: telnet 23 tcp; DNS 53 tcp,udp; NTP 123 udp
       EPMAP: SMB 135 tcp
       FTP: FTP 21 tcp
       HTTP: HTTP 80 tcp
       Memcache: memcache 11211 tcp
       mirror: mirror 42 tcp
       MongoDB: MongoDB 27017 tcp
       mqtt: MQ Telemetry Transport 1883 tcp
       MSSQL: MSSQL 1433 tcp
       MYSQL: MYSQL 3306 tcp
       PPTP: PPTP 1723 tcp
       SIP (VoIP): SIP 5060 tcp; SIP over TLS 5061 tcp; SIP 5060 udp
       SMB: SMB 445 tcp
       TFTP: TFTP 69 udp
       UPnP: UPnP 1900 udp
 12. DIONAEA display example (FTP)
     ▸ What an FTP connection looks like
       220 FTP server ready.
       USER sec_chick
       331 Password required for sec_chick.
       PASS password
       230 User logged in, proceed
       pwd
       257 "/"
       help
       502 Command 'HELP' not implemented
 13. HONEYTRAP response examples
     ▸ FTP
       220 Welcome to localhost
     ▸ SMTP
       250 localhost ESMTP Postfix
     ▸ MYSQL
       4.0.24_Debian-10sarge1-logu3;n:u`b,
 14. Summary of each honeypot (1)
     (honeypot name / overview / information obtainable)
     glastopf
       ・A honeypot aimed at monitoring attacks that arrive over the Web
       ・Returns vulnerable-looking reactions to the attacker for directory traversal and SQL injection
       ・Can capture the BODY part of POST requests
       Obtainable: ・Contents of HTTP requests
     WoWHoneypot
       ・A honeypot aimed at monitoring HTTP attacks
       ・Stores HTTP requests in their entirety
       ・Replies to the attacker's request with a response that makes the attack look as if it succeeded
       ・Its hunting feature can hand malware to VirusTotal (the specimen itself is not stored)
       ・Easy to install
       Obtainable: ・Contents of HTTP requests ・URLs the malware is fetched from
     ▸ For an HTTP-oriented honeypot, glastopf or WoWHoneypot is recommended
 15. Summary of each honeypot (2)
     (honeypot name / overview / information obtainable)
     cowrie
       ・A honeypot aimed at monitoring SSH and Telnet
       ・Can record and replay the commands the intruder typed
       ・Saves the files the intruder downloaded onto the honeypot
       Obtainable: ・User names and passwords used over SSH and Telnet ・Commands entered after login ・Files downloaded with wget or curl
     dionaea
       ・A honeypot aimed at capturing malware that targets vulnerabilities in services running on the network
       ・Covers a wide range of services (16 kinds) such as FTP, HTTP, MySQL and SMB
       ・Malware placed by the intruder can also be examined later
       Obtainable: ・Traffic to the running services ・Malware that was placed
     honeytrap
       ・Can monitor a wide range of services (in this evaluation it detected traffic on the largest number of ports)
       ・The actual traffic contents can also be checked
       ・Returns simple responses on the major ports
       Obtainable: ・Traffic addressed to honeytrap
     ▸ For a honeypot beyond HTTP, cowrie, dionaea and honeytrap are recommended
 16. Findings (summary)
     ▸ I surveyed low-interaction honeypots
     ▸ Low-interaction honeypots also come in several kinds, so choose one according to the attacks you want to observe!
     ▸ If you can afford it, running T-Pot is also an option
     ▸ Besides blogs and books, Dockerfiles are a good reference for installing low-interaction honeypots (they show you exactly which commands to type)
     ▸ I will be happy if this talk adds even one more honeypotter!!!
 17. Reference URLs
     ▸ www.morihi-soc.net
       http://www.morihi-soc.net/
       https://speakerdeck.com/morihi_soc/chu-xin-zhe-xiang-kehanihotuto-wowhoneypot-falseshao-jie
     ▸ HONEYPOT operation diary
       https://blog.n-etupirka.net/
     ▸ I started cyber security
       https://tk-secu.hateblo.jp/
     ▸ Misc notes
       https://fatsheep.hateblo.jp/
     ▸ nanka iroiro
       http://waaai-tanoshiiiii.hatenablog.com/
     ▸ I also drew on many other honeypotters' blogs