Slashdot Mirror


Help Perfect The Cracker Antfarm With honeyd

Niels Provos would like you to help create the perfect lure for crackers. In the style of similar challenges presented by the Honeynet Project, Provos, a doctoral candidate at CITI (a research institute at the University of Michigan), has announced a public competition for contributions to his honeyd project, which the project page describes as "a small daemon that creates virtual hosts on a network." Honeyd does more than that terse description implies, though: read on to see how you can contribute to creative cracker snaring.

Behind door number three ... Rather than wait for production systems to be cracked, honeypot makers arrange sting operations: they set up intentionally tempting target machines as traps, loaded with tools to observe any break-ins.

Though the projects' names (and their rosters of hackers) are confusingly similar, honeyd is distinct from the Honeynet Project. Both are concerned with watching intruders' behavior for analysis and, in the long run, preventing their exploits, but the projects vary in their scope. Honeyd offers specific software tools to effect the appearance of a crackable box (and can simulate thousands of crackable machines at once); the Honeynet Project is broader, and uses honeyd within its larger framework of studying cracker attacks.

"Honeyd creates virtual honeypots that simulate operating system characteristics to such a degree that it fools fingerprinting tools like nmap or xprobe," says Provos. "As such it is a virtual honeypot that may be used for all kinds of purposes -- network sensors, decoys, et cetera. As the Honeynet project investigates interesting honeypot technologies, Honeyd got me involved with the [Honeynet Project] and is my contribution."

The competition Provos is organizing is in turn a chance for others to contribute to his honeypot tool; a variety of prizes (including a trip to CanSecWest/core03) will go to the programmers who provide the best improvements to the current version (0.5) of honeyd. He's hoping to field contributions to upgrade the user interface, better analyze information captured as intruders try to break in, provide simulated P2P programs, and more. Though there's a list of suggestions on the site, anything to more effectively mimic genuine target machines is welcome.
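
As an added example (not from the article and not honeyd's own code) of the kind of capture analysis Provos is asking for, the POSIX shell script below summarises a honeyd-style connection log by source address, by target port, and by the number of distinct decoy hosts each source touched, which is the quickest way to spot a scanner sweeping the range. The log field layout and the sample lines are constructed here, modelled on honeyd's text log; confirm the layout against the honeyd version in use before pointing it at a real log.

```shell
#!/bin/sh
# Added example, not part of honeyd or the article: summarise a honeyd-style
# connection log so the busiest sources and ports stand out.
# Assumed record layout (modelled on honeyd's text log, check your version):
#   <timestamp> <proto>(<num>) <S|E|-> <src> <sport> <dst> <dport> [<personality>]
# S marks a new connection, E its end, - a packet outside a tracked connection.

# Constructed sample log for demonstration; not real captured traffic.
SAMPLE_LOG=$(cat <<'EOF'
2003-02-14-10:01:02.1234 tcp(6) S 198.51.100.23 4412 192.0.2.10 80 [Windows NT 4.0 SP3]
2003-02-14-10:01:05.5678 tcp(6) E 198.51.100.23 4412 192.0.2.10 80: 512 0
2003-02-14-10:02:11.0001 tcp(6) S 198.51.100.23 4413 192.0.2.11 80 [Linux 2.4.x]
2003-02-14-10:02:12.0002 tcp(6) S 198.51.100.23 4414 192.0.2.12 80 [Linux 2.4.x]
2003-02-14-10:03:40.2222 tcp(6) S 203.0.113.9 51000 192.0.2.10 22 [Windows NT 4.0 SP3]
2003-02-14-10:03:41.3333 udp(17) - 203.0.113.9 137 192.0.2.10 137: 78
2003-02-14-10:04:00.4444 tcp(6) S 203.0.113.9 51001 192.0.2.10 22 [Windows NT 4.0 SP3]
2003-02-14-10:05:00.5555 tcp(6) S 192.0.2.77 33000 192.0.2.10 25 [Linux 2.4.x]
EOF
)

# top_sources LOGFILE: new connections per source address, busiest first.
# Output lines: "<count> <src>". Only S records count; E and - are skipped.
top_sources() {
    awk '$3 == "S" { n[$4]++ }
         END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# top_ports LOGFILE: new connections per destination port, busiest first.
# Output lines: "<count> <dport>".
top_ports() {
    awk '$3 == "S" { n[$7]++ }
         END { for (p in n) print n[p], p }' "$1" | sort -rn
}

# sweep_by_source LOGFILE: distinct decoy hosts each source connected to.
# A source touching many decoys is walking the address range, which is
# what a real client almost never does. Output lines: "<src> <hosts>".
sweep_by_source() {
    awk '$3 == "S" { seen[$4 SUBSEP $6] = 1 }
         END {
             for (k in seen) { split(k, p, SUBSEP); n[p[1]]++ }
             for (s in n) print s, n[s]
         }' "$1" | sort
}

# report LOGFILE: print all three summaries.
report() {
    printf 'New connections per source:\n';   top_sources "$1"
    printf '\nNew connections per port:\n';   top_ports "$1"
    printf '\nDistinct hosts per source:\n';  sweep_by_source "$1"
}

# When run as honeyd-summary.sh, report on the given log, or on the sample.
case "${0##*/}" in
    honeyd-summary.sh)
        tmp=$(mktemp)
        printf '%s\n' "$SAMPLE_LOG" > "$tmp"
        report "${1:-$tmp}"
        rm -f "$tmp"
        ;;
esac
```

Saved as honeyd-summary.sh and run without arguments it reports on the embedded sample; with a path argument it reads that log instead. The awk programs only ever read fields, so a hostile string in the personality column cannot do more than miscount.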

License requirements are friendly to open source programmers: "Source code features to be integrated into Honeyd need to be covered by a BSD-like license. Service emulations and graphical user interface [submissions] may be either BSD-like or GPL."

Though the honeynet.org page says that Provos is sponsoring the challenge, he says others (like Honeynet Project lead Lance Spitzner) have put up the prizes. "As I am still a poor student, I anticipate that my only financial expenses are going to be shipping costs."

What inspired the idea of a contest, rather than simply waiting for code to roll in from interested hackers? "The Honeynet project has held very successful challenges in the past," says Provos. "Additionally, Lance Spitzner and Marcus Ranum have been giving tutorials on honeypots and noticed that all the participants really enjoyed working with Honeyd. As a result, Lance encouraged me to hold this challenge."

What's in it for them? Spitzner, one of the challenge judges, lists a few things he'd like to see come out of this contest. "All the plumbing and features are there for developing your own honeypots. I would love to see these capabilities extended and making it easier to use. For example, it would be great [to see] new emulated services added, a port to Windows, and a GUI to make it easier to use."

Spitzner has recently published a book about honeynets as well, so he has a good reason to want some attention focused on this sort of calculated intruder watching.

"I am most interested in the balance of getting realism with as little risk of abuse," says Job de Haas, another judge for the competition and CEO of security consulting firm ITSX. "The idea is to build simulated services, but you want to end the realism where it starts to undermine the security of the system beyond control." De Haas says that one of the system's weak points right now is that it's simply difficult for new users to know where to begin. "Hopefully lots of useful examples will come out of the challenge, to make it easier to get started."
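
An added example, not code from honeyd or from any of the people quoted, of the balance de Haas describes: a service emulation in the shape honeyd runs, with the TCP stream on the script's stdin and stdout. The config line `add template tcp port 110 "sh fake-pop3.sh $ipsrc"` and the `$ipsrc` substitution that hands the script the peer address are assumptions; check the honeyd manual for the exact syntax of your version. The script looks like a POP3 server to a scanner, logs every line it receives, and inspects only the command verb, so nothing the client types is ever evaluated, and the session ends after a fixed number of lines.

```shell
#!/bin/sh
# Added example, not honeyd's own code: a minimal POP3 emulation script.
# honeyd connects the client's TCP stream to stdin/stdout of this script;
# the peer address is assumed to arrive as $1 (e.g. via $ipsrc in the
# honeyd config). The script never evaluates client input, touches nothing
# on disk except its own log, and exits after MAX_LINES requests.

LOGFILE="${HONEY_LOG:-/tmp/fake-pop3.log}"
MAX_LINES=20

# log_line PEER LINE: append one client line to the log with non-printable
# bytes dropped, so a client cannot forge log records or smuggle terminal
# escape sequences to whoever reads the log later.
log_line() {
    peer=$1; line=$2
    printf '%s %s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$peer" \
        "$(printf '%s' "$line" | tr -cd '[:print:]')" >> "$LOGFILE"
}

# pop3_reply LINE: write the reply for one client line.
# Only the verb is looked at; the argument text is deliberately ignored, so
# no part of the client's input can reach a shell or the filesystem.
pop3_reply() {
    verb=$(printf '%s' "$1" | tr -d '\r' | cut -d' ' -f1 | tr '[:lower:]' '[:upper:]')
    case "$verb" in
        USER) printf '%s\r\n' '+OK' ;;
        PASS) printf '%s\r\n' '-ERR [AUTH] invalid password' ;;
        CAPA) printf '%s\r\n' '+OK' 'USER' 'PIPELINING' '.' ;;
        STAT) printf '%s\r\n' '-ERR not authenticated' ;;
        QUIT) printf '%s\r\n' '+OK bye' ;;
        *)    printf '%s\r\n' '-ERR unknown command' ;;
    esac
}

# run_session PEER: banner, then at most MAX_LINES request/reply rounds.
# The cap keeps a client from pinning the emulation process open forever.
run_session() {
    peer=${1:-unknown}
    count=0
    printf '%s\r\n' '+OK POP3 server ready'
    while [ "$count" -lt "$MAX_LINES" ] && IFS= read -r line; do
        count=$((count + 1))
        log_line "$peer" "$line"
        pop3_reply "$line"
        case "$line" in [Qq][Uu][Ii][Tt]*) break ;; esac
    done
}

# Serve a live connection only when executed as the script itself.
case "${0##*/}" in
    fake-pop3.sh) run_session "$@" ;;
esac
```

Every reply is a fixed string chosen by a case statement; the realism stops exactly where de Haas says it should, before any client-supplied text could influence what the host does. A real service emulation would also rate-limit per source, but that belongs in honeyd's configuration rather than in the script.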


Code submissions from hundreds of contributors (all of them savvy enough about cracking to contribute in the first place) raise the prospect of at least a few of them trying to sneak in their own malware to subvert the competition, but the organizers discount the possibility of a backdoor or other crack being submitted.

While it's unlikely that malicious code would make it far, Provos says that to be on the safe side (and make sure it doesn't hurt his working environment), "Personally, I run all new code under a systrace sandbox, and before new code gets integrated into the official honeyd source code it has to pass a source code audit."

Similarly, De Haas says that he's not worried about malicious code, but is "alert that someone might try. Generally we're quite used to dealing with untrusted code. On the other hand I don't consider myself unhackable, it can always happen. You mostly try to minimize the damage it can do."

"Generally the community is very good about this," says Spitzner. "While I doubt this would happen, you do have to be concerned about it. Fortunately, the judges we have (except for me :) are outstanding at code review."

Further reading: We've mentioned the Honeynet Project a few times before -- here's one story from July 2001 and another from July 2002; a search on "honeynet" will yield several more.


  1. They're making this harder than it needs to be by Waffle+Iron · · Score: 5, Funny
    When I feel a cracker attack coming on, I don't sit around waiting to "lure" crackers. Instead, I just head down to the local supermarket and buy a few boxes.

    There's no need to deal with sticky messy honeypots, either. You can get Honey Grahams with the delicious honey flavor baked right in.

    1. Re:They're making this harder than it needs to be by xanadu-xtroot.com · · Score: 3, Funny

      There's no need to deal with sticky messy honeypots, either.

      Yea? Tell that to Pooh...

      --
      I'm not a prophet or a stone-age man,
      I'm just a mortal with potential of a super man.
  2. Is it easy to tell that you're in a honey pot? by Boss,+Pointy+Haired · · Score: 5, Insightful

    How hard is it to make a honey pot look lived in?

    I mean, anybody can walk into a house and tell almost instinctively if anybody is living there at the current time.

    It is nothing you can put your finger on, it is just a "sense".

    Is the same true for honey pots? Can a hacker that is familiar with System X instinctively tell if (s)he is in a real live in-use System X or just a honey pot of System X?

    (posted AC the first time by accident)

  3. Mmm... by grub · · Score: 2, Funny
    Mmmm... Honeynet Cheerios </homer>

    --
    Trolling is a art,
  4. Hmmm...? by Anonymous Coward · · Score: 4, Interesting
    For example, it would be great [to see] new emulated services added, a port to Windows, and a GUI to make it easier to use.
    ...how many people that set up honeypots use Windows or need a GUI?

    Furthermore, how many developers that make these kind of tools want to cater to the Windows/GUI crowd?
    1. Re:Hmmm...? by srmalloy · · Score: 4, Interesting
      ...how many people that set up honeypots use Windows or need a GUI?

      You're right; who needs a honeypot when you can just set up a Windows system, which is automatically a hack magnet?

      Seriously, though, having a Windows honeypot would be useful simply because of the enormous variety of attacks directed at Windows systems. Having a system designed to attract and log attacks would give more information than trying to examine the post-mortem data after a Windows box has been 'H4C|20R3D'.
  5. Genius! by bdesham · · Score: 5, Funny

    This is perfect! Since crackers never visit Slashdot, they'll never see this one coming!

    --
    Alcohol and Calculus don't mix. Don't drink and derive.
    1. Re:Genius! by Joe+the+Lesser · · Score: 4, Funny

      Actually, I think most of /.er's are probably caucasian...

      --
      "I only speak the truth"
      Karma: null(Mostly affected by an unassigned variable)
    2. Re:Genius! by arvindn · · Score: 2, Insightful
      You were probably just trying to be funny, but just in case you thought it's really a bad idea to discuss honeypots on /. :

      You are essentially arguing for security through obscurity. Consider how a cracker would start to attack a system. They would most likely have some portscanning scripts that would pick up a vulnerability. Honeypots are perfect for this. You set up a virtual machine that detects a vulnerability.

      Next, the cracker has r00ted your machine and wants to exploit it. They've read about honeypots on /. and wonder if it is one. So how do they find out? From the outside, a honeypot looks just like any other machine.

      If you let the world know that you are running a honeypot on a certain IP, then you're doing something stupid. But knowledge about honeypots in itself does not decrease their effectiveness.

  6. As a network op ... by borgdows · · Score: 3, Funny

    Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems.

    ...adding personality to daemons is pure evil!

  7. Re:"Rain Forest Puppy" ?? by glitch_ · · Score: 4, Informative

    Rain Forest Puppy is a well known cracker/hacker. Not necessarily a black hat, but I would put him in a "various shades of gray" hat. It seems that he feels more comfortable going by that name. Just like rappers go by their nicknames, someone like RFP likes to go by his handle. That does not make him a bad person, just someone with a goofy name. :)

  8. Re:"Rain Forest Puppy" ?? by Hanashi · · Score: 4, Insightful

    I guess it only puts the contest in question for you. For most of the rest of us, at least, those of us involved in the security community, Rain Forest Puppy's involvement is a source of positive credibility, not negative. He's well known and very well respected.

    --
    Check out my eclectic infosec blog at InfoSecPotpou
  9. Re:Is it easy to tell that you're in a honey pot? by sporty · · Score: 2, Interesting

    I'd wager you can..

    Audit a live system somewhere, where people "live" to copy everything that isn't "sensitive". Then fake the sensitive info, like passwords, card numbers and names.

    That is how you do final tests before production. You make a system so lifelike, it is infallible... or nearly so.

    --
    ping -f 255.255.255.255 # if only

  10. Re:Is it easy to tell that you're in a honey pot? by TopShelf · · Score: 4, Interesting

    That's an interesting point - you'd need to create output files with varying dates and times (to look like production data), log files, etc. I would think one idea would be to take a snapshot of your live environment at a given time, then create a honeypot when needed that alters file create/mod dates appropriately. Not easy, but it's a thought...

    --
    Stop by my site where I write about ERP systems & more
  11. Write my dissertation for me! by murphj · · Score: 3, Funny

    Dear Slashdot,
    I'm a little busy right now, and having trouble finishing my dissertation. Can you guys finish it up for me? Thanks a bunch,
    Niels Provos
    PS - If you help, you can call yourself Dr., too!

    --
    SONY. Because caucasians are just too damn tall.
  12. Re:"Rain Forest Puppy" ?? by arglesnaf · · Score: 5, Informative
    Rain Forest Puppy is a very respected cracker who posts to the Bugtraq mailing lists.

    A PCWorld interview is here

    He is also cited as the discoverer of several MS vulnerabilities by Microsoft themselves:

  13. Hacker? by kramer2718 · · Score: 2, Insightful

    Aren't they actually trying to trap hackers? When I read the title, I naturally assumed that the post referred to an attempt to catch people who break into protected software. Has that use of the term 'cracker' gone away? If so, what does 'hacker' mean nowadays?

  14. Re:Is it easy to tell that you're in a honey pot? by fudgefactor7 · · Score: 2, Interesting

    Couldn't you just write a script (or something) to "touch" random files? That would change the dates. Then add a bunch of fake users (some disabled, naturally, as that's a nice target.) That might work.

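One way to do what TopShelf and fudgefactor7 suggest, as an added example that is part of neither comment and not of honeyd: a shell script that gives every file under a snapshot copy a distinct, deterministic modification time inside a past window, so a decoy built from the snapshot does not give itself away by carrying one identical timestamp on everything. It assumes GNU coreutils (`touch -d @epoch`, `stat -c %Y`) and takes its seed from the hypothetical AGE_SEED variable.

```shell
#!/bin/sh
# Added example, not honeyd's or the Honeynet Project's code: spread the
# mtimes of every regular file under a directory across a past window.
# Assumes GNU coreutils; on BSD substitute "touch -t" with a formatted stamp.

# Deterministic pseudo-random sequence (a plain LCG) so a decoy can be
# rebuilt identically from the same seed. Not cryptographic randomness,
# and it does not need to be: nothing here protects a secret.
SEED=${AGE_SEED:-20030214}   # AGE_SEED is an assumed, hypothetical setting
next_rand() {
    SEED=$(( (SEED * 1103515245 + 12345) % 2147483648 ))
}

# age_tree DIR [DAYS]: set each regular file's mtime to a moment between
# now and DAYS days ago (default 90). Directories are left alone so their
# own mtime still follows from their newest entry, as on a real host.
age_tree() {
    dir=$1; days=${2:-90}
    now=$(date +%s)
    window=$((days * 86400))
    find "$dir" -type f | sort | while IFS= read -r f; do
        next_rand
        touch -d "@$((now - SEED % window))" "$f"
    done
}

# distinct_mtimes DIR: number of distinct mtimes among regular files,
# a quick check that the spread actually happened.
distinct_mtimes() {
    find "$1" -type f -exec stat -c %Y {} + | sort -u | wc -l | tr -d ' '
}

# Age a directory given on the command line when run as age-tree.sh.
case "${0##*/}" in
    age-tree.sh)
        [ -d "${1:-}" ] || { echo "usage: age-tree.sh DIR [DAYS]" >&2; exit 2; }
        age_tree "$1" "${2:-90}"
        echo "distinct mtimes: $(distinct_mtimes "$1")"
        ;;
esac
```

Run it on a copy, never on the live system the snapshot came from, and keep the seed with the decoy's build notes so the same tree can be regenerated. Access and change times are not touched; a reviewer who wants those varied as well has to do it at snapshot time, since ctime cannot be set from userland.
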
  15. Warez by cybermage · · Score: 2, Funny

    Give each honeypot an IP of 127.0.0.1. All the co01 wArEz is there. Crackers will flock to them.

  16. Mirror Pro Al Qaeda Sites. by cybermage · · Score: 4, Interesting

    and find out how the NSA/CIA hack boxes.

  17. Buffer overruns in honeyd by iamacat · · Score: 4, Funny
    While obviously malicious code might be easy to spot, how difficult would it be for someone to slip an obscure buffer overflow into honeyd and have fun after it's released? Anyone know of any good hacks that happened BECAUSE of the honeypot bugs?

    There used to be a package called COPS to check UNIX security. The author made use of eval to scan users' .rhosts for suspicious entry. I promptly modified my own file to contain some ` characters and UNIX commands. Worked like a charm. Thought about modifying sendmail to send a few randomly selected local messages to a random local account, but decided it would be too mean. Exchanging screens of two lab suns with screendump and screenload or playing sounds telling a user that his or her shoe is untied is as far as I got.

  18. Re:Is it easy to tell that you're in a honey pot? by martyros · · Score: 3, Interesting
    It depends on what your goal is. If you're looking to collect new exploits, well, it's pretty easy to make things seem real on the outside. The earlier versions of honeyd (if I recall correctly from my conversations with Niels) didn't actually allow an attacker to get very far with an attack, because they didn't run any actual services, just a fake thing that mimicked a service. The purpose wasn't to actually entrap and convict hackers, or to observe their modes of operation and so on; but to collect information about new attacks (for signature detectors in firewalls) and to hide your real system in among a bunch of fakes.

    If you're looking to actually observe crackers "in the wild", you have to make your system look reasonably real; while at the same time making sure the attackers can't do any real damage from your machine (else you may be implicated in their crimes). The Honeynet project has a lot of good tips and tricks on this sort of thing. For example, not allowing more than 10 outgoing connections (so that it can't be used to scan or launch a DDOS attack), and putting a message in motd saying, "The network is acting kind of flaky, we're working on it, blah blah blah."

    In fact, making a realistic honeypot is essentially just social engineering... hmm...

    --

    TCP: Why the Internet is full of SYN.

  19. Re:Is it easy to tell that you're in a honey pot? by oddrune · · Score: 2, Insightful

    With so many inexperienced system administrators out there - is it possible? It's so easy to put a [insert linux distro here]-system online, say "hey, it worked", and forget about it, that I doubt that anyone would raise an eyebrow when entering a 'dead' system.

  20. Re:Is it easy to tell that you're in a honey pot? by Marcus+Brody · · Score: 4, Insightful

    Doesn't need to look lived in...

    For starters - scripts, scanners, worms, script kiddies aren't ever going to notice the difference.

    Furthermore, more advanced crackers wouldn't necessarily be put off by such a box... e.g. they may see a nice unused NT sitting in the corner of a lab, just waiting for her to install that new DDOS tool...

    However, I guess leet dudes like us would smell a rat!

  21. Honeynets in physical security by Marcus+Brody · · Score: 3, Insightful

    Such tactics as honeypots are probably good methods for prospective risk assessment. It has been used in physical security with some success - I remember the story of Marty Pell (not the lead singer from wet wet wet...).

    A few years ago there was a whole succession of major political and tabloid leaks to the British press. Talk surfaced of some "Hacker" with an agenda.... Some legal firm (I think) who were a little shady (e.g. contracts with arms companies, MI6 etc) caught him in the end. Such a company has pretty steep security. Everything got shredded. Occasionally, they would leak false documents into their trash, and see if they would appear in the media.

    One of their fake stories was published in a broadsheet. Marty Pell was caught on CCTV stealing their trash. The guy was the world's most prolific dumpster diver - a house full of trash, not the slightest hacking skill.

    Makes you wonder - is this whole hacking/internet security really just a bit of an academic exercise at times?

    Anyway I digress, I was on-topic at some point....

  22. Follow up article by cascadefx · · Score: 2, Informative

    A good follow up to this post is a short introduction to honeyd by Marcus Ranum in the latest issue of Information Security Magazine. A good little overview of what the program does and how to potentially use it.