Slashdot Mirror


OpenBSD 3.0 Honeypot Whitepaper

Tortured Potato writes "This white paper, by Michael Anuzis, details how he set up an OpenBSD 3.0 honeypot, watched it get cracked and then analyzed it -- all within 28 hours. Fascinating stuff...this is the first OpenBSD honeypot I've heard of."

48 of 209 comments

  1. From the article: by SuiteSisterMary · · Score: 3, Funny
    Most honeypots out there tend to be Redhat Linux as it has the worst record for security out of pretty much every OS out there

    Oooh, dems fightin' words! (runs into the General Store and closes the curtains, peeking out)

    --
    Vintage computer games and RPG books available. Email me if you're interested.
    1. Re:From the article: by SuiteSisterMary · · Score: 2
      Actually, most of the compromised servers were Redhat Linux in the version 6 days (circa 1998-99) because all services were enabled by default, leaving the system wide open. Of course, inexperienced (stupid wouldn't be polite) admins share the blame.

      I've said it before, and I'll say it again. 10, 15, 20 years ago, the security advisories were all the same, only the names were different. SunOS, Solaris, HP-UX, IRIX. Sendmail, CERN httpd, X.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  2. He didn't wipe out enough info on those images by Anonymous Coward · · Score: 2, Funny

    http://www.google.ca/search?q=cache:b3jn4bU41cYC:w ww.omegapunx.org/+muffinface+band&hl=en&ie=UTF -8

  3. White paper ? by kraf · · Score: 3, Funny

    This white paper, by Michael Anuzis, details how he set up an OpenBSD 3.0 honeypot, watched it get cracked and then analyzed it -- all within 28 hours

    You can do it with a default install in 30 minutes.

  4. Re:What is a honeypot? by Innomi · · Score: 3, Informative

    A honeypot is a machine set up for the sole purpose of distracting hackers away from your main network by putting up an easy target.

  5. First OpenBSD honeypot by snake_dad · · Score: 4, Informative
    this is the first OpenBSD honeypot I've heard of

    Which is not very surprising for an OS that has had "One remote hole in the default install, in nearly 6 years!". An interesting read 'though.

    By the way, there is a slashbox for OpenBSD Journal, which can be enabled here. It featured this story yesterday.

    --
    karma capped .sig seeking available Slashdot poster for long-term relationship.
    1. Re:First OpenBSD honeypot by platypus · · Score: 2

      Well that doesn't mean you're secure.
      It's worth remembering for some OpenBSD worshipping newbie zealots that every OS is as secure as the admin installing/maintaining the server.
      Let me say that I know the seasoned OpenBSD users surely are not prone to that, but that is true for (nearly) any OS, and for all *nixes.

  6. Re:What is a honeypot? by snake_dad · · Score: 4, Informative

    You can learn a lot about honeypots and network security in general on the Honeynet site. Browse the challenges, and the results, and be amazed ;)

    --
    karma capped .sig seeking available Slashdot poster for long-term relationship.
  7. Info on the 'Hacker' by DeeEm · · Score: 5, Informative

    If anyone's interested, the website for the 'hacker' is omegapunx.org, his msn name is omegakidd@hotmail.com

  8. ph34r omegapunx by nyquist_theorem · · Score: 5, Funny

    obligatory link to omegapunx's google-cached website is here

    the best entry is certainly May 31st, when this gem appeared:

    It seems to me that the Americans are actually the terrorists. I would elaborate right now but I am too lazy to type that much right now.
    9:30PM: I had some fun with smoke bombs. I lit like 5 in my back yard and there was this pretty big smoke could going into my front yard. Sense it looked so cool I searched for some more smoke bombs, and all I could find was like 3. But then I lit them in the feild and that was cool. There was this cloud of blue smoke like 4 and a half feet from the ground. It was soo cool.


    --
    -- "Ignorance more frequently begets confidence than does knowledge." (Charles Darwin)
  9. Re:What is a honeypot? by Wakko+Warner · · Score: 5, Funny

    On a similar note, what is your IP address?

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  10. Doesn't this prove at secure systems are bad ? by Krapangor · · Score: 2, Interesting

    Well, there isn't really such a thing as a secure system.
    So all this pro-OpenBSD propaganda by Theo de Rat saying "OpenBSD is secure, really, always" is rather a bad thing. It lulls sysadmins into the belief that their system is safe, making them unaware of the fact that a system is never secure at all.
    Of course, the sources of every OS should be explicitly checked for security holes. But this shouldn't be the single feature of an OS. In fact claiming an OS "secure" just due to these checks is serving security rather badly.
    I sometimes wonder if the OpenBSD project hasn't exactly the opposite effects than intended by its maintainers for these very reasons. On the other hand there are some cynical commentators out there, who claim that the main intent of OpenBSD is to boost Theo's ego.

    --
    Owner of a Mensa membership card.
    1. Re:Doesn't this prove at secure systems are bad ? by LionMan · · Score: 2

      Note that statistically,
      0.31% of defaced sites were running OpenBSD, which greatly contrasts with netcraft's statistics that over 59% of indexed web sites use the Apache httpd server, and considering that Apache runs on the BSD's, Linux, commercial *nix's, Windows, MacOS ... even assuming an equal distribution, this means that the defaced sites are at least two orders of magnitude less than the total sites using OpenBSD (ok, that is a lot of assuming, but I couldn't find statistics of server OS distribution).

      --
      -Leo
  11. OmegaPunx's aka Elmore Mason's Phone Number by Anonymous Coward · · Score: 2, Informative
    From Betterwhois.com

    I tried calling the number, but no one answered (at 9:30AM EST) let me know if

    1. Re:OmegaPunx's aka Elmore Mason's Phone Number by RazzleDazzle · · Score: 5, Funny

      HAHAHA... this is like 25 minutes from my house, maybe I should drive over there and wait for him and take some pictures and post them online and send them to the Mike A, and maybe one to the kid himself with a link to the story about how he *hacked*(snickering) a honeypot. There could be a ton of fun with this. HA... plus in a few hours I am going to the TC BSD User Group meeting. I wonder if his momma is gonna drop him off there... :) I will be looking for you Mason Elmore a.k.a. OmegaKidd

      --
      ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
    2. Re:OmegaPunx's aka Elmore Mason's Phone Number by omegakidd · · Score: 2, Funny

      eh. that was my sister.

  12. Excellent learning resource! by Demerara · · Score: 3, Insightful

    This article is valuable not so much for how to set up a honeypot (and no doubt this discussion will ventilate that issue) but, to a security newbie (me), it shows how the analysis of the logs proceeded.
    Nice one. One question though - why not publish the IP of the hackers? Why protect their anonymity?

    --
    Backward%20compatibility%20is%20over-rated
  13. Re:Obligatory anti-linux statement by phoxix · · Score: 4, Informative
    Stuff that affects Redhat not only affects Redhat, but the rest of the open source community itself. Last time I checked, Redhat used mostly standardized open source software to get the job done. (i.e. openssh for sshd, apache for httpd, etc)

    So when Redhat has a new security flaw, it isn't so much a Redhat problem as it is an open source community security flaw.

    Sunny Dubey

  14. Obscuring the IP by tg_schlacht · · Score: 2, Interesting

    Well for one thing the IP may be dynamic. Some other person may have been assigned that IP. Another thing is that they might have been working from a compromised system (though I doubt that in this case.)

    In any case the anonymity of at least one of them was not really too well protected as several of the posts above indicate.

  15. Re:NAT issue by Anonymous Coward · · Score: 2, Informative

    OpenBSD uses random TCP sequence numbers, therefore it isn't very useful to nmap OpenBSD for finding initial sequence numbers when the firewall admin could simply apply "modulate state" for extra protection. For documentation, see man pf.conf(5) and search down for "STATE MODULATION".

  16. Firewall, shmirewall by alienmole · · Score: 5, Insightful
    It's a reminder

    Of just how much you need a firewall these days.

    Let's think that through. Let's say this honeypot had a standard packet-filtering firewall in front of it, e.g. the kind implemented by ipchains in Linux. Assume there are two services which we wish to expose to the outside world: Apache and SSH. So we set the firewall to forward all HTTP connections to Apache and all SSH connections to OpenSSH.

    Now, how secure is this network? You've got a firewall, so you're secure, right? Just two minor little flaws: the security holes mentioned in the article are in Apache and SSH. Your firewall didn't add any security at all! You're just as exposed as the next guy with no firewall.

    Sticking a firewall in front of your network and thinking you're secure can be very dangerous, if it lulls you into thinking that the machines behind the firewall are now secure. Most exploitable holes are not on the thousands of unused ports that a firewall blocks - they're on the ports that the firewall lets through.

    I should mention that with a stateful firewall, you can get greater security, since it monitors the actual content of the connection and may be able to detect hack attempts. However, stateful firewalls tend to be more expensive, less transparent (require more maintenance), and if they're commercial, more expensive. And many hacks can't even be detected by a stateful firewall, and there are all sorts of tunneling tricks that can be used to circumvent this kind of security. Ultimately, the only way to be secure is to make sure that every box that can be accessed from the outside is completely secure.

    Especially if you run windows.
    Along those lines, one of my favorite firewall-related quotes came from a sysadmin whose mail server and entire internal 70-station LAN had been infected by NIMDA: "But we have a firewall! How did it get through??"
    1. Re:Firewall, shmirewall by alienmole · · Score: 2
      Yes, you read my reply wrong. I was replying to someone who suggested that this article indicated the need for firewalls, and pointing out that firewalls don't necessarily protect you from attacks like these.

      I agree that a lot can be done with stateful firewalls. My point was really to dispel the notion that many people have that any old firewall will protect you from attacks like these. Although in the end, it's kinda futile, since just the word "firewall" conjures up visions of shiny magic boxes in people's heads, and overcoming the marketing is tough.

      As for Nimda, IIRC it spread through HTTP attacks as well as email, so it was more of a worm than a virus. Regardless, it is related to firewalls in the way implied by the previous paragraph. There are people out there who believe that their firewall protects them from exploits like Nimda. In fact, Nimda is a great case in point, since even if you had a stateful firewall which prevented the Nimda HTTP hack, your workstations could still become infected via email, potentially ultimately infecting your servers, and once again proving that admins shouldn't believe everything the slick salesman told them about the $18,000 Checkpoint Firewall-1 they just bought.

    2. Re:Firewall, shmirewall by evilviper · · Score: 3, Informative
      You are correct, to a point... Stateful packet filtering can be more secure, but certainly not for reasons you suggest.

      Stateful packet filters only check the first packet, and then only for the source, some flags, and then pass it through. Then it will make sure that following pieces of the conversation are limited to the same source, destination, and ports. What good does this do? Well, instead of just blindly passing ports through, you can say that inbound connections are only allowed if they are responses to outbound requests (net client), and vice versa (net servers).
      with a stateful firewall, you can get greater security, since it monitors the actual content of the connection and may be able to detect hack attempts
      I'm afraid that's just not true. A stateful firewall is really only concerned with the protocol, flags that are initially set, and source and dest ports. The contents could be pure random binary data sent to Apache or SSH, the firewall doesn't care.

      So, if your firewall is set to allow connections to Apache and SSH, the worm or exploit will still get through. As far as more secure, you could configure your firewall to prevent outbound connections, stopping the spread of worms from your machine to others, preventing the use of your machine to attack others, and preventing outbound connections (e.g. Sub7, outgoing e-mails, et al.)... However, even in that restrictive configuration, you are just as susceptible to an attacker connecting with SSH, or an exploit sending a: rm -rf /

      So, properly configured, a stateful firewall still can NOT prevent you from being exploited. However, it can prevent your server from being of any use to an attacker (or a worm).

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
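
The behaviour described in the comment above, as an added example that is not part of any poster's comment: a toy stateful filter in Python that decides on endpoints, ports and connection state only and never reads the payload. The addresses, ports and payload bytes are constructed, and `StatefulFilter` and `run_scenario` are hypothetical names.

```python
"""Toy stateful packet filter (added illustration, not from the thread).

Models only what the comment describes: decisions depend on direction,
ports and connection state. Payloads are carried but never inspected.
All addresses, ports and payloads below are constructed sample data.
"""
from dataclasses import dataclass, field

SERVER = "192.0.2.10"      # constructed (TEST-NET-1): the protected host
CLIENT = "198.51.100.7"    # constructed (TEST-NET-2): an outside host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # True only on the first packet of a flow
    payload: bytes = b""   # never looked at by the filter


@dataclass
class StatefulFilter:
    inbound_ports: frozenset                  # services exposed to the outside
    allow_outbound: bool                      # False = default-deny egress
    states: set = field(default_factory=set)  # established flows

    @staticmethod
    def _key(p: Packet) -> frozenset:
        # Direction-independent flow key: both endpoints, order-normalised.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def check(self, p: Packet) -> str:
        if self._key(p) in self.states:
            return "pass"                     # belongs to an established flow
        if not p.syn:
            return "block"                    # no state and not a new flow
        inbound = p.dst == SERVER
        if inbound and p.dport in self.inbound_ports:
            self.states.add(self._key(p))
            return "pass"
        if not inbound and self.allow_outbound:
            self.states.add(self._key(p))
            return "pass"
        return "block"


def run_scenario(allow_outbound: bool) -> dict:
    """Replay one constructed traffic sequence and record each verdict."""
    fw = StatefulFilter(frozenset({22, 80}), allow_outbound)
    verdicts = {}
    # New connection to the exposed web server, then a normal request.
    verdicts["http_syn"] = fw.check(Packet(CLIENT, 40000, SERVER, 80, syn=True))
    verdicts["http_benign"] = fw.check(
        Packet(CLIENT, 40000, SERVER, 80, payload=b"GET / HTTP/1.0\r\n\r\n"))
    # Same flow, arbitrary binary bytes (constructed placeholder, not an
    # exploit): the verdict is identical because content is not examined.
    verdicts["http_binary"] = fw.check(
        Packet(CLIENT, 40000, SERVER, 80, payload=b"\x00\xff" * 32))
    # The server's reply travels the other way on the same flow.
    verdicts["http_reply"] = fw.check(
        Packet(SERVER, 80, CLIENT, 40000, payload=b"HTTP/1.0 200 OK\r\n"))
    # Unsolicited connection to a port that is not exposed.
    verdicts["telnet_syn"] = fw.check(Packet(CLIENT, 40001, SERVER, 23, syn=True))
    # Mid-stream packet with no matching state.
    verdicts["stray_ack"] = fw.check(Packet(CLIENT, 40002, SERVER, 80))
    # The server itself opens a connection outward (constructed port 6667),
    # which is what the egress policy in the comment is meant to stop.
    verdicts["egress_syn"] = fw.check(Packet(SERVER, 50000, CLIENT, 6667, syn=True))
    return verdicts


if __name__ == "__main__":
    for policy in (True, False):
        print("allow_outbound =", policy, run_scenario(policy))
```

The only verdict that changes between the two policies is `egress_syn`; everything sent to the exposed ports passes regardless of what it contains.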
    3. Re:Firewall, shmirewall by mgv · · Score: 2

      Yes, you read my reply wrong. I was replying to someone who suggested that this article indicated the need for firewalls, and pointing out that firewalls don't necessarily protect you from attacks like these.

      I agree with most of what has been posted above. What I was pointing out in my initial post is just how quickly any system that has a routable IP address will most likely be probed. I'm not saying that firewalls are total protection. But I'm not turning off the firewall on my DSL connection right now either.

      In particular, having a windows 9X (no security) or win XP (Default user has admin rights with no password) on a machine without a firewall is likely to be compromised rather quickly.

      Michael

      --
      There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
    4. Re:Firewall, shmirewall by evilviper · · Score: 2
      Okay, I understand what you meant.
      Some of the layer-7 firewalls can prevent certain application exploits. Even something like this SSH hole could potentially be blocked by such a firewall
      That's doubtful... Not impossible, but doubtful. To do that, the firewall (App-Layer Reverse SSH Proxy Actually) would need to generate SSH keys, decrypt all incoming traffic, then re-encrypt it before sending it back out again (just like a filtering HTTPS proxy). So, every server that the firewall serves will be seen as having the same key (the one on the firewall). Also, a firewall that does app-layer filtering is rather vulnerable to attack itself.

      Besides that, the OpenSSH vulnerability is easy to protect against. You simply have to disable S/Key (ChallengeResponse) auth, or upgrade to the latest version.

      Blocking exploits AFTER they have happened is not the job of a firewall (that's the IDS' part). Rather, a firewall should be able to block the attacks, or somehow help to render them useless.

      <rant>
      I don't see much value in reverse proxies. They are slow, not likely to block most exploits, and vulnerable themselves.

      You'd be much better off using a stateful firewall/router with a good ruleset, in combination with running services as a normal user, chroot-ing services, or using software that will keep the software in line (Systrace, imsafe, or something similar).

      I happen to recall some commercial software similar to imtrace that would detect strange behavior in running services, kill the process, ban the IP that caused the behavior temporarily, then restart the service. Their 'hack this server' site was a fairly impressive demonstration. Anyone happen to know the company name or URL?
      </rant>
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  17. A Gay Script Kiddie too? by XBL · · Score: 2

    My brother's girlfriend Danyel gave me this purply long skirt thingy. It is soo cool. I would wear it to school tommorow, but there are these kids in the loccer room who hate gay people.

    This guy has a lot going for him. He can crack any kid's computer that tried to beat him up.

    1. Re:A Gay Script Kiddie too? by BrookHarty · · Score: 2

      This guy has a lot going for him. He can crack any kid's computer that tried to beat him up.

      He can pack a gun, would that earn you more respect?

      It's a good thing they didn't post the kids' IPs, these kids are just kids and should be left alone. They don't need more gay-bashing or script kiddie bashing. He just wanted to hack to put on an IRC bot script, which is pretty harmless, wrong, but harmless.

    2. Re:A Gay Script Kiddie too? by BrookHarty · · Score: 2

      If your system is compromised, and you don't know, what harm has been caused? Not all compromised systems produce monetary damages or lost productivity. But I'm sure you can find your system cracked, spend a million dollars on upgrading security, and consulting fees, and say some "script kiddie" just cost your company a million dollars.

    3. Re:A Gay Script Kiddie too? by BrookHarty · · Score: 2

      My god, you guys rate crackers as terrorists or murderers. WTF is wrong with you?! Yes you need to protect your systems, and you need to slap the kids on the wrists for cracking, but if a kid trespasses, you put a bigger lock on your door, you don't build a new house and shoot the kid. Get some fucking perspective.

      Maybe you are just trying to rationalize your own illegal behavior?

      Maybe you're a tight-assed Republican, hard-core Christian who believes in the death penalty, and hates gays.

      BTW, people can support a prosecuted group, and not belong to that group. I for one, believe that the "Zero Tolerance" approach is more evil than murder. You need to look at each case, and punish for the level of intent. Stop believing the FUD, crackers/hackers have been around for 30+ years on our computer systems, only a very few cause monetary damage. But yes, he was pretty harmless compared to most, and yes I believe it's wrong to enter a computer uninvited.

    4. Re:A Gay Script Kiddie too? by Shanep · · Score: 2

      Hey, there are even gays on the other side of the fence, so to speak...

      Here is Theo de Raadt slamming into Darren Reed over Darren having a bit of a poke at OpenBSD practices in the shadow of the recent OpenSSH hole that led to a remote exploit in the default install.

      I spend more than 8 hours of every single day of my life auditing code (and over the last week, 16+ hours a day), and here is some gay guy from Australia who spent all of Usenix in San Antonio years ago moping with droopy eyes after a very straight and girlfriended Mudge is not going to tell me that I am not doing enough

      I love reading Theo's posts.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  18. BLAH by Junior+Macintosh · · Score: 2, Interesting



    For some interesting reading related to this article, take a look at the text files that come with the exploit that was used to crack this honeypot.

  19. Re:What is a honeypot? by Beryllium+Sphere(tm) · · Score: 2

    Not the sole purpose.

    A honeypot is also a research tool into cracking trends and techniques.

  20. "Hacker 1" who's "Hacker 2"? by jarodss · · Score: 2

    Ok, so we have info on "Hacker 1" but what about his little friend "Hacker 2"? Who is he? Maybe omegakidd can help us out with that one...

    1. Re:"Hacker 1" who's "Hacker 2"? by jarodss · · Score: 2

      He's actually updated this page, he says his friend doesn't want the publicity or something along those lines in the forum.

      operating system: FreeBSD 4.5
      processer: 845Mhz AMD Duron Processor
      ram: 576 MB
      ide1: 40 GB Hard Drive
      ide2: 52x CD-ROM
      nic: Linksys 10/100 base NIC
      monitor: 17" Hewlett Packard
      info: It all started out when me(omegakidd) and my friend created a channel on EFnet. Then I decided to get omegapunx.org. That is the end of that.

  21. Re:What is a honeypot? by BarefootClown · · Score: 3, Funny

    127.24.88.72. Why do you ask?

    --

    "Make it ten--I am only a poor corrupt official."
    --Captain Louis Renault (Claude Rains), Casablanca

  22. Re:Obligatory anti-linux statement by JoeBuck · · Score: 2

    I like the folks at Red Hat, they have made huge contributions to everyone. The OpenBSD folks, for example, can't build a single executable without using a compiler that has been developed and maintained largely by Red Hat folks over the last ten years (about 50% of all gcc development work over the last decade, if not more, has been by Red Hat/Cygnus people, and it was their business/marketing people that got the funding to allow all those guys to work full-time on gcc).

    Nevertheless, Red Hat has in the past put out releases that were horribly insecure, and this has been a problem for the net as a whole. They've gotten much better, but by the time a release sold in stores requires so many updates to make it secure that it would take 12 hours to download them all on a dialup modem, that makes the retail version dangerous to the public, a product that should be recalled. This goes both for Windows and Linux. Bad security doesn't just affect the owner of the system, an "owned" system is commonly used as a launch pad for distributed denial of service attacks.

    Maybe the thing to do is to get any BSD or Linux distribution that is sold at retail or shipped on CDs that might not be current, to "phone home" the first time the system is connected to the net (telling the user what is happening, of course), so that the very first thing that happens is that all security updates that enable remote exploits get installed.

  23. Re:A Gay Script Kiddie too? No. by LoonXTall · · Score: 4, Insightful

    Clothing doesn't make people gay. Try reading this book and see if you look at the world in the same way ever again.

    --

    ~~~LXT~~~
    Life is like a computer program: anything that can't happen, will.

  24. Re:What is a honeypot? by evilviper · · Score: 2

    warez.slashdot.org

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  25. My sincerest apologies. by mikeanuzis · · Score: 5, Insightful

    First, my apologies to the Honeynet Project (http://project.honeynet.org), the Distributed Honeypot Project (http://www.lucidic.net), and everyone else who does research in the field of honeynets for releasing a paper which revealed the identity of the hackers involved, as this clearly doesn't fall into the scope of releasing a good whitepaper on the topic.

    Second, my sincerest apologies to the two hackers who compromised my honeypot. I went through and tried to conceal the identity of the two hackers involved, but it's true I knew they could still be traced by searching google's cache for pretty much any sentence on the cached page I displayed. I had no intention of revealing their identities, and it's clear I thoroughly overestimated the level of maturity of my target audience. To be completely honest, I would rather have never had this article featured on deadly.org and /. if I had known ahead of time how badly the two hackers' personal information would be exploited.

    To those people who read this, please stop bugging the hackers involved. They appear to be nothing more than innocent (and slightly unwise) kids. Let's grow up for a minute here for their sake. It can't be all bad, because after all they did hack a honeypot... so I guess there's a moral to be learned with this story, but please don't take their humiliation any farther than it's already gone. I'm honored my whitepaper was featured on these great websites, and I hate to feel like I'm crashing the party... but I can't help but feel bad for the poor hackers involved.

    With utmost sincerity, Michael Anuzis

    1. Re:My sincerest apologies. by LionMan · · Score: 2

      I disagree;
      attention it is, but not positive attention. Their servers are being hit with posts of 'that was a dumb thing to do' (look at the guest book) and the like. It's a lot of negative attention, and the kids are probably feeling pretty shitty right now being the target of name-calling and attacks (verbal, and their computers are probably being attacked also.)
      Don't stereotype that just because they are teenagers they crave any type of attention.

      --
      -Leo
  26. It was a honeypot, he did nothing wrong by mangu · · Score: 2

    The purpose of a honeypot is to get knowledge from the hacker. In this case, I think the sysadmin should pay the hacker for the knowledge gained.

    1. Re:It was a honeypot, he did nothing wrong by mosch · · Score: 3, Funny

      Could I please have the IP address of the servers you admin, so I can give you some knowledge? I'll send you a bill afterwards.

    2. Re:It was a honeypot, he did nothing wrong by mangu · · Score: 2
      Yeah those women that wear short skirts in bad parts of town are asking to be raped too.

      Not exactly raped, but there are female police officers who do that to catch men who are looking for prostitutes, where prostitution is illegal. If not done exactly right, this is called "entrapment" and the perpetrator walks free.

      A badly designed honeypot may be contributing to hacking, and may be considered as participating in the crime. The honeypot sysadmin may be an accessory before the fact.

      Thinking from a moral standpoint, i.e. considering the spirit of the law instead of merely the letter, I believe the guiltiest part here was the sysadmin who set the trap. He was an experienced computer professional who induced a somewhat confused teen to commit an illegal act.

  27. Re:Enough with the political correctness! by AndrewHowe · · Score: 2

    Then what are "I" and "you"?
    You clearly don't know what you are talking about, because the case (you said nominative) is irrelevant here.
    It's in the third person singular that English has gender specific pronouns, and that goes for nominative (he/she), oblique (him/her) and genitive (his/her).
    So who is the fool?

  28. Kid wants to hide his screenshots. by Shanep · · Score: 2

    As of the 13th of July, our script kid friend wants to hide his screenshots section for some reason.

    Too bad Google has it cached.

    --
    War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    1. Re:Kid wants to hide his screenshots. by Shanep · · Score: 2

      I think you've been given a bit of a bad rap here.

      Script kiddying is nothing to be proud of, but I don't think it's anything to be ashamed of either. People who take care of servers on the net, who don't keep them patched should be ashamed. Before someone jumps down my throat, I'm not referring to the Honeypot, it did what it was supposed to do, I'm referring to real production servers.

      If it weren't for root kits, there would be less desire to keep secure, as I believe real hackers are a rarity amongst all the script kids. Script kids keep admins on their toes. Kids will be kids.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  29. Mirror site of the whitepaper by mikeanuzis · · Score: 3, Informative

    For those interested the site the whitepaper was on has been temporarily disabled by the web hosting company due to too much traffic.

    Another copy of the whitepaper is available at:
    http://www.anuzisnetworking.com/whitepapers/

    And to verify, yes it was in fact me who posted the above apology. --Michael Anuzis

  30. Re:active honeypot - 200.49.83.130 by ZigMonty · · Score: 2

    The IP's host name is host083130.metrored.net.ar if anyone cares. ar is Argentina isn't it? It looks like a dialup or other home connection. It certainly isn't www.whitehouse.gov or anything like that.