Honeypot & Honeynet _ Hack hell (Overview)

Source: Internet
Author: User
Tags: cisco switch

Article from: Red Wolf Security Team (C.R.S.T)
Author: yby123

This document describes how to set up a honeypot on Solaris 10 and Windows. Two tools are used: Honeypot and VMware.
Preface: this article is fairly theoretical. It covers honeypots, honeynets, resources, costs, hacker techniques and related technologies.
Part 1:


What is a honeypot: a honeypot is a network resource built specifically to be scanned, attacked and compromised. Its purpose is to set up a deceptive environment that attracts attackers and intruders, observes and records their activity in logs, and makes them spend their effort and skills inside the honeypot, thereby protecting the genuinely valuable production systems and resources. Concretely, a honeypot is a system that contains vulnerabilities: it can simulate one or more vulnerable hosts and hold data that poses no threat to system security, in order to lure attackers. Since the honeypot has no other duties, every connection attempt to it is considered suspicious. Once a hacker enters the honeypot, we only need to record the logs to analyse the attack process and the attacker's reasoning accurately. Of course, the administrator must have strong security awareness and skills, or at least be familiar with routine hacker attacks.


What is a honeynet: the honeynet is a newer concept that grew out of honeypot technology, also called a trap network. Honeynet technology is essentially a research-oriented, high-interaction honeypot technology. High interaction means that the honeynet uses real operating systems, applications and services to interact with attackers, rather than only providing simulated systems and services as Honeyd does. The difference from traditional honeypot technology is that a honeynet constructs a whole trap network architecture, which can contain one or more honeypots while keeping the network highly controllable, and provides a variety of tools to facilitate collecting and analysing attack information. A typical honeynet usually consists of a firewall, an intrusion detection system (IDS) and several honeypot hosts. The firewall and IDS capture and control all traffic into and out of the honeynet, and the captured information is then analysed to learn about the attackers. Any type of system can be placed inside the honeynet to act as a honeypot, such as Solaris, Linux, Windows NT or a Cisco switch, which presents attackers with a more realistic network environment. At the same time, by configuring different services on the various systems, such as DNS, Web, FTP or WWW servers, or a Solaris FTP server, you can learn the various tools and tactics attackers use.


Part 2:


Cost: for small and medium-sized enterprises and colleges, setting up a honeynet is not practical. For a LAN of 500 computers we would need at least five machines to build the honeynet, and we would also need to buy a considerable number of switches to create a realistic network environment. With honeypot technology we generally need only 3 to 5 computers to build a honeypot service: one is deployed at the gateway level and the others are placed on the intranet, which minimises the damage when hackers break into the intranet and also stops malicious users from scanning and attacking other computers on it.

We also need an intrusion detection system and a hardware firewall to build the honeynet. The teacher from the Xi'an Network Center of the Chinese Academy of Sciences has produced such a product with good performance and advanced technology. It is therefore hard to classify honeynets by cost; what is more, the most important factor restricting their adoption is the professional skill of the practitioners.


Part 3: hacker technology. This part does not cover attack technology in detail; it only describes intrusion technique in outline. There are many technical means of intrusion. Breaking into an FTP or WWW server and then elevating privileges is currently one of the most common intrusion methods, so let's look at how hackers work. First, we must understand that the WWW server is the most exposed machine in the network cluster, because a WWW server does not refuse requests from anyone, including illegal ones: SQL injection, remote file inclusion, password cracking and data download are examples of script-level intrusion. Hackers can easily use such methods to obtain a webshell backdoor, then use MySQL, 3389, pcAnywhere, weak passwords and other techniques to escalate from the webshell, and finally obtain root privileges. From there they gradually expand the attack using techniques such as sniffing and scanning.


Part 4: Honeypot Technology Research

[Figure: a typical honeynet topology]

This is a typical honeynet system; let's see how the honeypot works. We divide the topology into two parts: the honeypot system on the left and the normal network on the right. First, the hacker needs to break into the web server, and may scan for the server's IP address. From this topology we can assume that the server has no public IP address, so the hacker cannot obtain any information about it directly. The hacker then has two ways in. The first is to use the server currently exposed as the WWW server as the starting point and gain server privileges through web-page attack techniques and the like; at that point the normal network on the right is no longer secure. The other way in is through the office computers. A reader may ask whether the office computers, being protected by the firewall, are out of reach. You are right, but hackers use social engineering to plant a reverse-connecting trojan on an office computer and use it to connect back from the office computer to the hacker's machine. (Here I should explain that this easily exposes the hacker's location; experienced hackers will therefore control office computers through several stepping stones.) (Social engineering reference: the social engineering trilogy by lizaib.) Once a hacker controls any office computer on the intranet, he will first flood the intranet switch so that it behaves like a hub, then sniff the intranet to capture the server's 3389 account password, MySQL password or telnet login information. (Anti-sniffing technology is still imperfect: sniffing is a passive attack, so it is hard to catch, which places high demands on the professional skill and security awareness of administrators.) Of course, a hacker who does not want to be discovered too early can choose not to flood the switch, since flooding is easy to detect. A lot of information can be gained just by scanning the network. (Here I want to note that hacker technology has kept developing over the past few years; nowadays the network can be sniffed without attacking the switch at all.)

Here our honeypot plays no role, so the large amount of manpower and material spent building it is just decoration. Is there a way of thinking that lets the honeypot actually catch hackers? Yes; I currently have three ideas. Idea 1: trust no network user. By configuring the firewall, we forward the accepted packets sent by both Internet users and intranet users to the honeypot system; the honeypot system then filters out the harmful traffic and keeps it in the honeypot, and returns false information to the hacker, so that the hacker, coming from the normal network, ends up accessing the honeypot system.

Idea 2: build a small honeypot system inside the normal intranet. When malicious packets are captured on the intranet, the honeypot starts working automatically, forges data and lures the hacker into the honeypot. Idea 3: buy an intrusion detection system and place it in the normal intranet, working together with the firewall. Once the IDS finds malicious data on the normal intranet, it tells the firewall to cut off the network access of the sender of that data.

Below I explain the shortcomings of these three ideas.

Idea 1: first of all, this consumes a lot of bandwidth and can only be deployed in small intranets. At the same time, redirecting data and rewriting packets may cause packet loss.

Idea 2: build a small honeypot system in the normal intranet. Its weakness is that a small honeypot cannot be disguised well, and hackers can easily spot it. Is there a way to make the small honeypot system as convincing as possible? My current thinking is this: the small honeypot in the normal intranet captures the hacker, and then lures him into the honeypot system on the left of the topology. However, I have found a flaw in this approach: there must be a network connection between the parent honeypot system on the left and the child honeypot system on the right, and the firewall settings do not allow access between the two networks. We would therefore have to enable rules allowing mutual access, which would directly let the hacker not only break into the normal network but even destroy the honeypot system. So that is not acceptable. Instead we can create VLANs to connect the child honeypot directly to the parent honeypot and keep the network secure. In fact there is no need to physically connect the parent honeypot to the child honeypot at all: VMware can be used to create a multi-machine network environment. We will explore this topic later.

Idea 3: this idea requires a lot of material resources, which is hard for enterprises to afford.

Now that we have a workable idea, we need to understand some honeypot systems.

The word honeypot literally means a pot of honey; honeypot software is available for Linux, Windows, Solaris and Unix.

So what exactly does a honeypot system consist of? This question is actually hard to answer, because a honeypot has no fixed feature specification and everything must be configured by yourself. Of course, most of the rules have already been created.

Here I refer to the research on network information security using honeypot technology by Associate Professor Li Yuezhen of the Management Department of North China University of Science and Technology.

[Figure: structure of the honeypot system modules]


The figure can be summarised in one sentence: "packets from any network are compared with the rule repository by the analysis module at the data link layer; if a packet does not match a rule in the repository, it is handed over for processing."

Let's carefully analyse the meaning of the figure.

Data capture module: this is the most basic functional framework of the honeypot system. Generally WinPcap is used; WinPcap is modelled on the BSD kernel's packet capture design. Simple information filtering includes filtering by IP address, packet type and port. The BPF filtering mechanism can greatly improve capture efficiency. Multi-threaded capture technology for embedded systems is also designed here.

Protocol module: decodes captured packets from the network in real time, to understand the protocols and services running in the network and the source and destination addresses of packets, and from that to learn the hacker's attack methods and ideas, even the tools used.

Analysis module: this is the core of the honeypot system. It is the main module for analysing and detecting the decoded packets, and it provides measures to protect the system and the network. The analysis module has three key parts.

1. Translation rules: extract the rule files configured in the rule repository and load them into memory.

2. Analysis rules: analyse the data content, record malicious data in the event log, and notify the alarm system.

3. Alarm system: when a hacker attack is detected, notify the administrator or, at the firewall stage, cut off the network of the sender of the malicious data.
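To make the three steps of the analysis module concrete (rules loaded into memory, packets checked against them, and the alarm handing the sender to the firewall as in Idea 3 above), here is a small Python model. It is an added example, not code from the article or from any honeypot product; the rule syntax, packet fields, IP addresses and the firewall block list are all constructed.

```python
# Added example: rule file -> memory, packet vs rules, event log, firewall alarm.
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional
Packet = namedtuple("Packet", "src dst proto dport")  # constructed packet shape

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str            # "any" or "tcp"/"udp"/"icmp"
    dport: Optional[int]  # None matches any port
    src_prefix: str       # "" matches any source, else e.g. "10.0.0."
    def matches(self, p) -> bool:
        return (self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and p.src.startswith(self.src_prefix))

def load_rules(text):  # translation rules: parse 'name proto port src' lines
    rules = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()   # drop comments and blank lines
        if line:
            name, proto, port, src = line.split()
            rules.append(Rule(name, proto, None if port == "any" else int(port),
                              "" if src == "any" else src))
    return rules

def analyze(packets, rules, honeypot_ip):  # analysis rules + alarm system
    event_log, blocked = [], set()
    for p in packets:
        if p.dst != honeypot_ip:  # IP pre-filter, like a BPF filter would do
            continue
        for r in rules:
            if r.matches(p):
                event_log.append(f"{r.name} {p.src}->{p.dst}:{p.dport}/{p.proto}")
                blocked.add(p.src)  # alarm: ask the firewall to drop this sender
                break
    return event_log, blocked

RULES = load_rules("""
rdp-probe   tcp 3389 any      # anyone touching RDP on the honeypot
mysql-probe tcp 3306 any
lan-telnet  tcp 23   10.0.0.  # telnet from the office LAN is never legitimate
""")
SAMPLE = [  # constructed capture: two probes, one harmless hit, one off-target
    Packet("10.0.0.7", "10.0.0.50", "tcp", 3389),
    Packet("203.0.113.9", "10.0.0.50", "tcp", 3306),
    Packet("10.0.0.7", "10.0.0.50", "tcp", 80),
    Packet("10.0.0.8", "10.0.0.99", "tcp", 3389),
]
```

Running `analyze(SAMPLE, RULES, "10.0.0.50")` yields two event-log entries and two blocked sources; the packet to 10.0.0.99 never reaches the rules because the IP pre-filter discards it.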


Part 5: Research on the Honeywall System

The honeywall system usually consists of two modules: data control and data capture. One may wonder whether hackers can break into the normal network through a honeypot. If the network communication between the normal network and the honeywall were completely cut off, this would not need consideration, but in reality it is not so simple: in principle, computers on either side of a firewall can communicate with each other. As long as you keep control of your firewall, it is not that complicated. In addition, the second idea in the honeypot technology I described above also leaves the hacker an opening, so we must be careful.

(1) Data control: this restricts the attacker's activity and reduces the risks introduced by the honeynet. On the other hand, the more we restrict the hacker's actions, the less information we obtain from him, and the harder it becomes to gather evidence from the network. We cannot understand
