The Honeynet Project

We are excited to announce the latest chapter coming on Board, the United Arab Emirates Chapter, hosted and formed by aeCERT.  This is the very first Chapter to be joining from the middle-east, we are very excited to have them on board and expect great things from them!

Shucran!

lance

The Dionaea honeypot got more and more mature during the last weeks. As Markus blogged in Iteolih: Miles and More the software is now able to detect shellcode via libemu and generates a nice shellcode profile out of this.

The SMB / DCERPC implementation also got fairly mature and is now able to cope with all packet types and also most caveats and differences of implementations in exploits. As I registered more and more RPC vulnerabilities in the module, it was definitely time to give libemu something to eat! :)

• Giraffe Chapter

Here is a brief introduction on Qebek, answering some questions.

Picviz is a parallel coordinates[1] plotter which enables easy scripting from various input (tcpdump, syslog, iptables logs, apache logs, etc..) to visualize your data and discover interesting results quickly. This way, you can find in million of events malicious things you were not thinking about and that no regex based program would find for you.

[1] http://en.wikipedia.org/wiki/Parallel_coordinates

We got a new milestone due:

10.08.2009

• thread-pool works
• stream recording works
• shellcode detection using libemu works
• shellcode emulation using libemu works
• compiles on linux&openbsd

An exploit taken from a public repository, run against the software, is detected and emulated.

To shorten things, basically all required points are hit with current svn.

So, given the time we just saved, some words about how it works.

• GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots

Hi all:

       I have finished almost all the coding stuff of Project #1, now you can try out the new PHoneyC with shellcode/heapspray detection here:

http://code.google.com/p/phoneyc/source/browse/phoneyc#phoneyc/branches/phoneyc-honeyjs

        Please feel free to report any bug or suggestion on shellcode/heapspray detection to me.

• Chinese Chapter

Today I make a retrospection on my work on the Glastopf Web Honeypot during the Google Summer of Code Program. My goal was to push forward the development on a Honeypot for an attack vector in web security which is really underestimated in current discussions. The main objectives could be merged into one intention: Increasing our attractiveness and answering every request as close as possible to a real world system. This got achieved with the new PHP file parser and the dynamic Google dork list which we provide for the Google crawler.

Second milestone reached! Honeybrid has now all its functionalities working and it's time for testing. In order to check that everything works efficiently, I deployed a Windows honeypot to receive traffic from five /24 unused subnets during half an hour. Here are the details of this experiment.

Here is a overall diagram of the testing architecture:

(Internet) <=====> [NATing Gateway with Honeybrid] <-------> [Windows Honeypot]

The NATing gateway was configured with the following iptables rules:

• GSoC Project #6 - Develop Hybrid Honeypot Architecture

Hi Folks,

I worked on the Front-End to make my interface more user-friendly, I don't detail every modifications, we can split them in three:

• Profile Management
• Organisation Management
• Honeyclient Management

My code is under Honeynet Subversion so you can consult it if you're curious !
I also corrected a lot of bugs even if some of them are a bit persistent....

• GSoc Project #9 - Managing Honeypot Clients

Since my last update, I've separated the visualizations by IP address, along with adding a few cosmetic additions (lines to the next event in the height different experiment), although there's still a little bit of work to separate that visualization into different IPs.  I've also added camera controls, the basic WSAD at the moment, so that a user can scroll up, down, left, and right, depending on how many host machines there are, as well as how many events there are.  There was also some work on the backend as well, to make the files a little easier to read, as well as adding more commen

Last week I had the honor of being interviewed by the sharp team at PaulDotCom, in which they quized me extensively about honeypots and honeypot technology.  I have had the chance to work with John Strands of the team, who is one of the best penetration testers I know, he really knows his stuff and creates great demonstration hacking videos.  If you have a chance, check it out, they are smart group of fun guys.

 http://pauldotcom.com/2009/07/pauldotcom-security-weekly---e-19.html

As the console spy is almost finished, the next stage is mainly for network activities. Sebek Win32 version uses TDI hook to get this done. However, since getting driver object in virtualization layer is hard and TDI is TDI is on the path to deprecation, I need to find another way. The best solution seems to be hooking NtDeviceIoControlFile, the API Windows uses to do network related stuff and has been widely mentioned in malware behavior analysis papers. After some days of searching, I encounter a very useful resources today, a master thesis from TTAnalyze team:

• Chinese Chapter

Yesterday, I got an incomplete, but successful, attack on my honeypot, the attackers remote code execution looked like this:

As the required part to download the malware to the remotehost was incomplete, I got curious and wanted a copy.

• GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots

ORGANIZATION

The Spanish Honeynet Project chapter primary areas of interest and development are wireless honeynets, web honeypots, data collecting and analyzing and research technical papers to inform the community. Our current members are:

• Spanish Chapter