Oct 7, 2010
B-Sides January
Very successful team building and planning event tonight. Not much to be said other than if everything plans out as we hope, this is gonna be one KICK ASS event! Presently from a CTF perspective many thoughts are floating about. Sidelines within the attack area for "Demonstrate\Teach an exploit" or "basic techniques of web penetration on live targets". Obviously much of this engages and looks to pull in the technically savvy, While I certainly wouldn't expect anything to the level of greatness that are Defcon, Schmoocon, or so many others, it would certainly be an amazing opportunity for both the trainer and students or budding engineers. Another immediate thought is subdivisions within the area it's self. Within each subdivision could be a live defense area, that is being attacked by a separate group, as well as network monitoring or forensics in another area. I really like this idea although do not believe it could be a center piece yet, likely more so an addition to a center layered lab environment. The lab it's self will likely remain secret to all but a few until the day of fun. However I would expect; wifi and hopefully rfid challenges, passive network IDS, use of pivoting in higher levels, and definitely vulnerable web applications and databases. Right now... this is certainly just a thought and a dream, but with any luck and whole lot of hard work, well let's just see what we can do!
Sep 9, 2010
DC612 September Meeting
I and a large portion of our local defcon group had a wonderful discussion on mplsctfgames.org. A new capture the flag\computer security event site that I've begun. With any luck and a lot of work, we hope to accomplish all of the following:
On a final note, I believe I owe some python scripts related to Windows memory analysis... Their done and still coming, maybe a week or two this time :)
- Monthly DC612 Challenges with prizes to be determined
- Bi\weekly tutorials on, or help with selected challenges
- Conspire with Security B-Sides to create a challenge or event for the January meet.
- Corporate sponsorship, shared resources, or of course beer and pizza money!
On a final note, I believe I owe some python scripts related to Windows memory analysis... Their done and still coming, maybe a week or two this time :)
Apr 5, 2010
Automated Volatility Memory Scanner
The latest Honeynet Project Forensic Challenge, is right up my alley! Live system and memory analysis is a large part of my interest in secure computing, especially related to malware and exploitation. While playing around with the sample file, it occurred to me that something like Volatility, could be much more useful, in a day to day basis, scripted out to run a general and\or more detailed scan, if needed.
At the moment, a quick scan shows the results for pslist, DLLlist, modules, connections, and sockets. The advanced scan is not yet complete, but should include something like entire registry export(may move to quick), driverscan, idt, ssdt, apihooks,and possibly mutantscan. I do not intend to overlap scans, but instead to offer a third complete scan, calling them both.
The script will be made available 4/19/2010, after the challenge is completed and submitted, and after I've had proper time to complete a V 1.0.
At the moment, a quick scan shows the results for pslist, DLLlist, modules, connections, and sockets. The advanced scan is not yet complete, but should include something like entire registry export(may move to quick), driverscan, idt, ssdt, apihooks,and possibly mutantscan. I do not intend to overlap scans, but instead to offer a third complete scan, calling them both.
The script will be made available 4/19/2010, after the challenge is completed and submitted, and after I've had proper time to complete a V 1.0.
Feb 20, 2010
Nepenthes with Pharm, Dionaea, Glastopf, MWCollectd, Ubuntu Karmic, and The Fun That Is Honeypots!
I have been planning on deploying my own honeypot\net for several months. Its been a battle of having the resources for equipment, time for installation and analysis, and simply determining which software to go with. As you may know there are 2 main types of honeypots, low interaction, and high interaction, . A low interaction honeypot is generally, a piece of software running on a machine to emulate an exploitable service or software, to attract unwanted guests in your network, and log them accordingly. A high interaction honeypot is much the same, with the exception that it is generally an actual OS open to attack, with live vulnerabilities that are exploitable. The main differences are that the low interaction solutions are generally only able to accept and catalog known exploitations, and apply a best effort to capture unknown samples. A high interaction honeypot on the other hand, is theoretically able to capture any and all exploits as it is a live OS and would react exactly as the vulnerability would expect. There are many more subtleties and differences that are out of the scope of this post.
Back to the topic at hand, so in addition to the different types of honeypots, there also are different implementations of each, and as expected, some are far more efficient for an analyst, are more recently updated, have larger databases of vulnerabilities, or may be the only one that offers the exploitable service that your looking for. One of the main driving factors in honeypot development and advancement is the Honeynetproject.org. They seem to be a great and very helpful bunch of people from all over the world, intent on making the internet a safer place, by attempting to capture and analyze the nastiness in the world of computers. Two other major sites that seem to be very influential and helpful were carnivore.it and mwcollect.org The main projects that interest us for the sake of the article and following postings are:
Nepenthes
Nepenthes PHARM Client\Server Backend
Dionaea
Project Glastopf
MWCollectd
For the sake of simplicity and completeness, I should mention that UnrealIRCd and Anope, mysql, Apache 2, and plenty of hard drive space were pre-installed on a separate Ubuntu Karmic 9.10 JEOS machine for use as a secured and separate backend for monitoring and storing results from our sensors activities. At this point, Nepenthes is up and running, along with the sql entries for the Pharm backend. I had some issues with the cgi scripts for PHARM as I installed and put everything in place as root, you must "chmod -R 0755 pharm/" and "chmod -R a+x pharm/cgi-bin/", now the only issue is the error on line 18 of the pharm_dologin.cgi, that I can't manage to pinpoint. In the meantime Glastopf is up next and already beginning setup!
As some may know or have thought to themselves, this is all well and good but certainly some of these applications have spillover or monitor the same ports, and you would most certainly be correct. However with all of the following applications. module based implementation and almost absolute configuration is key. They realize and have already thought that you may not want to use a certain portion of their specific application. The idea that I will be going for, is to give each of the softwares their fair shot with overlaying ports for a short period of time, otherwise for the most part will follow the order below with decending priority when deciding overlapping ports;
Glastoph - Handles HTTP and port 80, 443, and first priority for needed ports
Dionaea - Focuses mainly on SMB and port 445, it may have others that I am not aware of, or develop in the future.
MWCollectd - A newer and better implementation of Nepenthes and Honeytrap.
Nepenthes and PHARM backend - Implemetation of further use of PHARM and Nepenthes without mwcollectd are doubtful as mwcollectd is signifigantly updated and revised code.
If you have created, develop, or otherwise work with any of the aforementioned projects or software, and would like to comment on my theory of merging projects, feel that I am misusing your code, or have any thoughts and suggestions, I certainly welcome it! Also if you know of other software, forums, projects, or otherwise that I should be informed of, please by all means share.
Note: Complete port scans with nmap and iptables turned off on the honeypot, will be uploaded per software as it is installed and working, along with different configurations with all or some programs running.
Thanks for reading,
Commie
Back to the topic at hand, so in addition to the different types of honeypots, there also are different implementations of each, and as expected, some are far more efficient for an analyst, are more recently updated, have larger databases of vulnerabilities, or may be the only one that offers the exploitable service that your looking for. One of the main driving factors in honeypot development and advancement is the Honeynetproject.org. They seem to be a great and very helpful bunch of people from all over the world, intent on making the internet a safer place, by attempting to capture and analyze the nastiness in the world of computers. Two other major sites that seem to be very influential and helpful were carnivore.it and mwcollect.org The main projects that interest us for the sake of the article and following postings are:
Nepenthes
Nepenthes PHARM Client\Server Backend
Dionaea
Project Glastopf
MWCollectd
For the sake of simplicity and completeness, I should mention that UnrealIRCd and Anope, mysql, Apache 2, and plenty of hard drive space were pre-installed on a separate Ubuntu Karmic 9.10 JEOS machine for use as a secured and separate backend for monitoring and storing results from our sensors activities. At this point, Nepenthes is up and running, along with the sql entries for the Pharm backend. I had some issues with the cgi scripts for PHARM as I installed and put everything in place as root, you must "chmod -R 0755 pharm/" and "chmod -R a+x pharm/cgi-bin/", now the only issue is the error on line 18 of the pharm_dologin.cgi, that I can't manage to pinpoint. In the meantime Glastopf is up next and already beginning setup!
As some may know or have thought to themselves, this is all well and good but certainly some of these applications have spillover or monitor the same ports, and you would most certainly be correct. However with all of the following applications. module based implementation and almost absolute configuration is key. They realize and have already thought that you may not want to use a certain portion of their specific application. The idea that I will be going for, is to give each of the softwares their fair shot with overlaying ports for a short period of time, otherwise for the most part will follow the order below with decending priority when deciding overlapping ports;
Glastoph - Handles HTTP and port 80, 443, and first priority for needed ports
Dionaea - Focuses mainly on SMB and port 445, it may have others that I am not aware of, or develop in the future.
MWCollectd - A newer and better implementation of Nepenthes and Honeytrap.
Nepenthes and PHARM backend - Implemetation of further use of PHARM and Nepenthes without mwcollectd are doubtful as mwcollectd is signifigantly updated and revised code.
If you have created, develop, or otherwise work with any of the aforementioned projects or software, and would like to comment on my theory of merging projects, feel that I am misusing your code, or have any thoughts and suggestions, I certainly welcome it! Also if you know of other software, forums, projects, or otherwise that I should be informed of, please by all means share.
Note: Complete port scans with nmap and iptables turned off on the honeypot, will be uploaded per software as it is installed and working, along with different configurations with all or some programs running.
Thanks for reading,
Commie
Subscribe to:
Posts (Atom)