Internet Systematics Lab Honeynet Project Quarterly Report Q2/2003.
===================================================================

Current Setup

After the changes of the last quarter, the scene has remained quite stable in terms of honeynet topologies and architecture.

Our setup consists of two GEN-II Honeynets. The second and newer of our Honeynets (Honey-2) is the primary focus of the team, while our older Honeynet (Honey-1) has been used mainly for testing purposes.

Honey-2 Description

Honey-2 follows the reference GEN-II topology closely.
Age : 3 months
Current Status:  ACTIVE
   1) Actively attacked daily
   2) Monitoring at least two blackhat groups

Honeypots

1) Linux RedHat 7.3 - Syslog Server - Using IPChains FW

2) Linux RedHat 7.3, Default Installation

3) Windows 2000, SP2 Applied

Honeypot Services
-----------------------
1. Windows networking
2. apache
3. wu-ftpd
4. mysqld
5. sendmail
6. syslogd
7. bind
8. ms-sql
9. Microsoft IIS


Data Capture Methods

1) Snort-2.0 Binary Capture
2) Snort-2.0 Alerts
3) Snort-2.0 ASCII SESSIONS
4) FW logs
5) Sebek2 - (Linux 2.01)
6) Remote Syslog Data

Data Control Methods
1) Connection Rate Limiting - IPTables (rc.firewall 0.7.2)
2) Snort-inline 2.0 - DROP mode


Management

1) Honeywall:
   1. ssh access
   2. Data Management - Custom scripts

2) Honeypots: Local console



Honey-2 Quarterly Advancements

1) Integrated this new Honeynet into the central Data Management and Analysis framework of ISLAB.


Honey-1 Description

Age : 18 months
Current status:  OFFLINE
   1) For the past quarter it was used mainly for testing purposes
   2) Some data have been captured, mainly scans. No successful attacks

Honeypots

This Honeynet contains Virtual Honeypots.

Honeypot Operating Systems List:
Linux RedHat 6.2
Linux RedHat 7.0
Linux RedHat 7.1
Linux RedHat 7.2
Windows 98
Windows 2000
Windows NT 4.0
Debian GNU/Linux Sparc
Solaris 2.5, Sparc
Solaris 2.7 X86

Tools Used

In daily analysis we utilise the following tools:

1) ACID : Analysis Console
2) DEMARC : Network Security Monitor
3) ETHEREAL : King of the free Network Protocol Analyzers
4) TCPSLICE : Acquiring part of the traffic from large binary logs based on timestamp
5) NGREP : Searching for tags inside packet payload
6) EDITCAP : Splitting large binary traffic files into smaller, manageable sets
7) Custom Scripts (batch-analysis scripts) : Batch DNS, WHOIS, Alert Summarization
8) sysprep : Enabling usage of a win2k honeypot image on diverse hardware (great for forensics on a live Windows system)


Findings

A) Several scans and exploit attempts have been captured, summarized as follows:

Netbios scan
ping scan
Scan for ms-sql-s(1447), mtp(57)
IIS Vulnerability scans
Nessus scan
Kuang scan
ftp anonymous scan
open proxy scan
CodeRed-II
Telnet scan
WebDAV attacks
Windows RPC service DoS
DNS Version scan
ICQ scan

B) For this quarter we investigated the following cases:

1) Win2k WAREZ hack case, acquiring knowledge on the tools and tactics of a warez blackhat group. Highlights of this case are:
   1. Use of the radmin (remote admin) Windows tool as a backdoor access tool.
   2. Utilization of the www.tzo.com dynamic DNS service to support warez sites.
   3. Exploitation of an ms-sql vulnerability.

During this investigation a lot of resources were spent on managing the large binary files and on Windows OS mirroring. As a result our tools section has been expanded with tools such as sysprep, tcpslice and editcap.

2) Linux openssl hack. The group that compromised this honeypot is using it in diverse ways:
   1. IRC proxy
   2. stepping stone
   3. bulk emailer

Several hacker tools have been caught.

Producing full reports formatted according to the Hacked Honeypot Report standard is an ongoing task.

C) Comparing traffic from Honey-1 and Honey-2, we noticed that the presence of a router inside a Honeynet increases the noise generated by portscans. This results in massive portscan detections by Snort and in ICMP unreachables sent by the router.
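The alert summarization script listed under Tools and the noise observation in finding C, as an added example that is not part of this report or of the lab's own scripts: it parses Snort 2.0 "fast" alert lines (format assumed from Snort's fast output; the sample lines below are constructed) and separates ICMP unreachable and portscan alerts from the rest, so the router-induced noise can be measured instead of swamping the real attack counts.

```python
import re
from collections import Counter

# Assumed Snort 2.0 "fast" alert layout:
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Message fragments treated as router-induced noise rather than attacks (finding C).
NOISE_MARKERS = ("icmp destination unreachable", "portscan")

# Constructed sample alerts (documentation-range addresses, not real captures).
SAMPLE_ALERTS = """\
05/12-14:23:01.123456  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.7:1045 -> 192.0.2.5:1434
05/12-14:23:02.000001  [**] [1:402:4] ICMP Destination Unreachable (Port Unreachable) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.1 -> 198.51.100.7
05/12-14:23:02.000002  [**] [1:402:4] ICMP Destination Unreachable (Port Unreachable) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.1 -> 198.51.100.7
05/12-14:23:05.500000  [**] [100:1:1] spp_portscan: PORTSCAN DETECTED [**] [Priority: 3] {TCP} 198.51.100.7:2201 -> 192.0.2.5:139
05/12-14:24:10.000000  [**] [1:1070:6] WEB-MISC WebDAV search access [**] [Classification: web application attack] [Priority: 2] {TCP} 203.0.113.9:3321 -> 192.0.2.6:80
this line is not an alert and is skipped
"""

def parse_alert(line):
    """Return the alert fields as a dict, or None for lines that are not alerts."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Count alerts per signature and per source, and tally the noise alerts separately."""
    by_sig, by_src, noise = Counter(), Counter(), 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        by_sig[a["msg"]] += 1
        by_src[a["src"]] += 1
        if any(marker in a["msg"].lower() for marker in NOISE_MARKERS):
            noise += 1
    return {"total": sum(by_sig.values()), "noise": noise, "by_sig": by_sig, "by_src": by_src}

def noise_ratio(summary):
    """Fraction of alerts that are portscan/ICMP-unreachable noise (0.0 when there are no alerts)."""
    return summary["noise"] / summary["total"] if summary["total"] else 0.0

if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS.splitlines())
    print(f"{s['total']} alerts, {s['noise']} noise ({noise_ratio(s):.0%})")
    for msg, n in s["by_sig"].most_common():
        print(f"{n:4d}  {msg}")
```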

Developments

1. Finished the second draft of Chapter 5 of the upcoming KYE-II book.
2. Completed the graduate thesis of lab member John Papapanos, "ICMP spoof snort preprocessor", also announced on the snort-developers' list. Results of this work are available at http://www.epmhs.gr/en/snort/preprocessor_icmpspoof
3. The Data Management and Analysis framework of the ISLAB has been advanced and is approaching a releasable form.
4. Continued the work on the ISLab-Honeynet webserver, turning it into a web-based CMS tool in order to help us "connect" the various activities taking place in-house. This allows us to overcome the problem of the trainee (students, professionals) coming/going cycles permeating our learning lab.
This is the way we will keep our extranet website "interesting". The first phase, the intranet, is completed; now we are moving to the next phase, working on the design of the extranet.


Presentations
Utilizing Honeynet Technology - Dr. Yannis Corovesis - Internet Systematics Lab
At the 1st Hellenic Conference "The Country's Critical Infrastructure Protection" - Athens, 13 & 14 May 2003 - http://www.iit.demokritos.gr/cip-conf/en/index.html

Plans for the Next Quarter

1. Complete the investigation of the above two hack cases
2. Release Development item 3 above to the Alliance
3. New Project site based on the intranet CMS tool
4. Develop a SNORT plugin for detecting buffer overflows, by a graduate student and new team member