Interesting plans!
Now I have personally decided not to do any connections from my
honeypot that could be considered offensive, and will probably never
add any such features to kippo (they are easy for anyone to implement,
however).
Like you said, the offending computers are usually victims themselves
(the ones where the scans originate from).
The computers the actual humans log in from after a successful scan
are mostly windows machines running Putty.
And naturally the reason I don't "strike back" is that I would have
very hard time forming a legitimate explanation to the victim on why
there's a SSH break-in originating from my IP :)
All that said, if you want to connect back to the scanning server, the
password might not be the same they used to brute-force in to your
honeypot, as the attackers like to change the password to their own
using the passwd command.
If they have not changed the password, you'd have to playback every
password of their dictionary attack, essentially brute-force attacking
them yourself. Then, why not just use a scanning tool just like them?
However, if you wait until they use the passwd command on your
honeypot, I believe you are likely to have the password you need. Just
guessing, though :)
> --
> You received this message because you are subscribed to the Google Groups "kippo users" group.
> To post to this group, send email to kippo...@googlegroups.com.
> To unsubscribe from this group, send email to kippousers+...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/kippousers?hl=en.
>
Found 471 unique IP addresses from humans (OpenSSH, PuTTY),
77 (16%) used the passwd command,
35 (7%) issued no commands at all
So around 16% of the users did change the password. It's not a big number, but
it happens, and I suspect many of those passwords would have worked in the
hosts they were scanning from. But still I'm just guessing :)
The query script if someone is interested (my sample size might be a bit
small): http://pastebin.com/s0dHzFDB
So I promised Leon that I would contribute to this conversation and
I've been a slacker...so here goes.
First, may I suggest not calling it an "Offensive Honey-pot".
Offensive has connotations that I don't think apply here -- I'd
suggest a "Strike-Back Honeypot" or something similar. In no way
would your idea be the "aggressor" and I think Offensive suggests an
aggressive activity. (enough of semantics)
When I did my honeypot research, I allowed my machines to be fully
compromised so I could see what what going on -- I also spent time in
the IRC channel used for command and control with the fellows who had
compromised my servers. All of my attacks were brute force ssh to
Linux boxes with intentionally poor passwords.
What I learned from my experience was that once the machines were
compromised, the account was sold, for SPAM and for DDOS. Rarely were
root account passwords changed - - however, it seemed that when it did
it might have been competing groups or individuals "re-compromising"
the machine and trying to lock the others out. My machines seemed to
frequently be used as a pawn for the attackers to DDOS each other,
often "playfully".
I guess that I don't conceptually see the point of attacking back.
Notification would be way more useful (assuming your attack back was
followed with some note or the like to the owner) , but even if you
powered the machine off hoping to draw some attention to the
compromise, I think the likelihood that someone who's root password
was "l3tm31n" would understand the implications of a rooted box and
would be able to fix the issue are slim. Unless you want to take the
time to remove the malicious code left behind and clean up the dropped
tools before you powered it off, then notify the user -- all of this
occurring before the box is re-compromised, of course.
Having said all of that, I think the idea is interesting academically,
but I'm not sure that practically it serves much purpose.
Chris
I agree, I think there's little to be gained from 'attacking back'.
'You got me so I'm going to get you' seems a little childish.
Perhaps there's some middle ground? 'The obstructive honeypot', aimed at making our attacker waste as much time as possible. I guess this comes along the lines of tarpits.
The 'honeypot responder' or 'entry attempt reflector'
If you are trying to explore the legal atmosphere with regards to
events of this nature, perhaps understand the odds of winning such a
case, find grounds upon which to pursue it, or protect yourself,
academic experience in the area of pushing cybersecurity legal
envelope indicates that attempting to do so through application of
theory is nearly impossible, and a very large waste of time. The only
way this envelope will truly be pushed is when someone _does_ get sued
or prosecuted for an alleged violation or wrong-doing in the area. Of
course, if you know anyone willing to martyr themselves for the sake
of pushing the legal or ma=oral envelope, by all means, set them to
it.
> --
> You received this message because you are subscribed to the Google Groups
> "kippo users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/kippousers/-/HVFgpeq6ATIJ.
>
> To post to this group, send email to kippo...@googlegroups.com.
> To unsubscribe from this group, send email to
> kippousers+...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/kippousers?hl=en.
--
Kyle Creyts
Information Assurance Professional
BSidesDetroit Organizer
Sent from my iPad
> --
> You received this message because you are subscribed to the Google Groups
> "kippo users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/kippousers/-/UTPCTzwGEfQJ.
--
You received this message because you are subscribed to the Google Groups "kippo users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/kippousers/-/fsLezb73SWYJ.
To post to this group, send email to kippo...@googlegroups.com.
To unsubscribe from this group, send email to kippousers+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/kippousers?hl=en.
I know it's fun to build system like that - heck, I had active response system back in early 2000-ish - distributed, self managed, with nice kick (firepower) if one of nodes was attacked.
Lesson learned - any offensive action (where you initiate comms) has legal weight, especially these days.
You have to be very careful not to cross the line, and the line moves depending on how much you spend on lawyers. If you are not careful you will quickly see where fun research project leads you - to the nearest police station or court.
I would leave it as theoretical exercise and not do it - too much potential to bite your back.
BTW not to be FUD-tastic but with the new EU legislation, writing this kind of tool can make you a criminal right away. Kippo is for info gathering, doesn't attack but add what we're discussing and you have a tool that some ass-hat lawyer will call illegal and you may be the firs case tried in court over new law... Is it worth it?
IMHO it's not, not now with that volatile legal situation but that's just my view.
Sorry for typos, writing from my phone ;)
--
Tomasz Miklas
To add to the difficulty:
In the Netherlands, both laws apply:
1. Breaking and entering without prior authorization is a criminal offense, even without violating any kind of protection. same as in Poland (and basically everywhere mefinks)
2. If a system can be broken into because of negligence of the operator (eg: he doesn't apply patches when policy dictates a patch-regime anyway) the operator can be sued by the owner of the system/service. So, in the Netherlands there IS an incentive for operators to uphold service standards, because they can become a liability.
I've yet to see the first case going to court concerning the second point though. Perhaps the latest KPN-hack qualifies.
The reason OS vendors aren't sued is very simple: Their EULA exempts them from liability. Usually they state things like: "don't use this stuff in mission-critical situations" and "The software is delivers AS IS". For some reason everyone falls for it...
-
Dennis Lemckert
http://www.dlemckert.nl
G+: https://plus.google.com/u/0/100625212602501469190/about
PGP Key: 0xF66585F60DDEC3B6
--
Avid proponent of Netiquette. See: http://www.networketiquette.net
Only two things are Infinite: the Universe and human stupidity.
And I'm not sure about the Universe.
-- Albert Einstein --
the approach of a 'offensive' honeypot was implemented in honeytrap
some years ago.
The main idea was not being offensive though, the main idea was not
having to implement the protocol the attacker chooses to attack you.
So for every connection you accept on every port, you open a
connection to the same port on the attacking host, and send him what
he sends you.
This mode is called mirror mode, and well, I'd say it works.
A problem of this approach is, you lack protocol details, and if the
protocol chosen was encrypted, you lacked the plaintext, as you lacked
any information about the keys chosen for the encryption and just
relayed traffic from the attacker to the attacker.
Setting aside the legal implications, the key value of this approach
is little maintenance, you don't have to implement a protocol, you use
the attackers protocol stack, which allows to get traces for attacks
you did not expect or even think of.
For the legal implications, they exist, but I won't expect anything to
happen while your mirror mode is not downloading copyrighted content
via torrent where some association got a serve interest to sue you
for. I'm unaware of lawsuits on people which were infected by a botnet
or whatsoever and infected other machines afterwards. Might be a new
field of action for some lawyers though.
And even in case, the attacker pulled first, so you can still argue it
was 'Justified', as seen on the FX Network.
For a certain service, WINS (tcp/42), dionaea does this kind of mirror
mode too, I was hoping to be able to collect some traces with it and
see what needs to be done to implement the path taken by attackers to
implement it, but ... the service is yet to be attacked.
Converting dionaea to run in complete mirror mode is rather trivial,
nfq & mirroring code exists already, the docs on nfq show what needs
to be done, it is basically a configuration thing.
But, as I said, one would loose a significant amount of detail on the
attacks, all you'll get is traces, so you lack any knowledge of whats
going on the wire and every attack requires manual inspection.
Markus