Honeypots: Tracking Hackers by Lance Spitzner Publisher: Addison Wesley Pub Date: September 13, 2002 ISBN: 0-321-10895-7 Pages: 480 • Examples
Total Page:16
File Type:pdf, Size:1020Kb
Honeypots: Tracking Hackers By Lance Spitzner Publisher: Addison Wesley Pub Date: September 13, 2002 ISBN: 0-321-10895-7 Pages: 480 • Examples Copyright Foreword: Giving the Hackers a Kick Where It Hurts Preface Audience CD-ROM Web Site References Network Diagrams About the Author Acknowledgments Chapter 1. The Sting: My Fascination with Honeypots The Lure of Honeypots How I Got Started with Honeypots Perceptions and Misconceptions of Honeypots Summary References Chapter 2. The Threat: Tools, Tactics, and Motives of Attackers Script Kiddies and Advanced Blackhats Everyone Is a Target Methods of Attackers Motives of Attackers Adapting and Changing Threats Summary References Chapter 3. History and Definition of Honeypots The History of Honeypots Definitions of Honeypots Summary References Chapter 4. The Value of Honeypots Advantages of Honeypots Disadvantages of Honeypots The Role of Honeypots in Overall Security Honeypot Policies Summary References Chapter 5. Classifying Honeypots by Level of Interaction Tradeoffs Between Levels of Interaction Low-Interaction Honeypots Medium-Interaction Honeypots High-Interaction Honeypots An Overview of Six Honeypots Summary References Chapter 6. BackOfficer Friendly Overview of BOF The Value of BOF How BOF Works Installing, Configuring, and Deploying BOF Information Gathering and Alerting Capabilities Risk Associated with BOF Summary Tutorial References Chapter 7. Specter Overview of Specter The Value of Specter How Specter Works Installing and Configuring Specter Deploying and Maintaining Specter Information-Gathering and Alerting Capabilities Risk Associated with Specter Summary References Chapter 8. Honeyd Overview of Honeyd Value of Honeyd How Honeyd Works Installing and Configuring Honeyd Deploying and Maintaining Honeyd Information Gathering Risk Associated with Honeyd Summary References Chapter 9. Homemade Honeypots An Overview of Homemade Honeypots Port-Monitoring Honeypots Jailed Environments Summary References Chapter 10. ManTrap Overview of ManTrap The Value of ManTrap How ManTrap Works Installing and Configuring ManTrap Deploying and Maintaining ManTrap Information Gathering Risk Associated with ManTrap Summary References Chapter 11. Honeynets Overview of Honeynets The Value of Honeynets How Honeynets Work Honeynet Architectures Sweetening the Honeynet Deploying and Maintaining Honeynets Information Gathering: An Example Attack Risk Associated with Honeynets Summary References Chapter 12. Implementing Your Honeypot Specifying Honeypot Goals Selecting a Honeypot Determining the Number of Honeypots Selecting Locations for Deployment Implementing Data Capture Logging and Managing Data Using NAT Mitigating Risk Mitigating Fingerprinting Summary References Chapter 13. Maintaining Your Honeypot Alert Detection Response Data Analysis Updates Summary References Chapter 14. Putting It All Together Honeyp.com Honeyp.edu Summary References Chapter 15. Legal Issues Are Honeypots Illegal? Precedents Privacy Entrapment Liability Summary References Resources Chapter 16. Future of Honeypots From Misunderstanding to Acceptance Improving Ease of Use Closer Integration with Technologies Targeting Honeypots for Specific Purposes Expanding Research Applications A Final Caveat Summary References Appendix A. Back Officer Friendly ASCII File of Scans Appendix B. Snort Configuration File Appendix C. IP Protocols Appendix D. Definitions, Requirements, and Standards Document PURPOSE DEFINITIONS REQUIREMENTS STANDARDS Appendix E. Honeynet Logs Book: Honeypots: Tracking Hackers Copyright Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and Addison- Wesley, Inc. was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals. The author and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein. The publisher offers discounts on this book when ordered in quantity for special sales. For more information, please contact: U.S. Corporate and Government Sales (800) 382-3419 [email protected] For sales outside of the U.S., please contact: International Sales (317) 581-3793 [email protected] Visit A-W on the Web: www.awprofessional.com Library of Congress Cataloging-in-Publication Data Spitzner, Lance. Honeypots : tracking hackers / Lance Spitzner. p. cm. Includes bibliographical references and index. 1. Computer security. 2. Computer hackers. 3. Firewalls (Computer security) I. Title. QA76.9.A25 S67 2002 005.8--dc21 2002008010 Copyright © 2003 by Pearson Education, Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior consent of the publisher. Printed in the United States of America. Published simultaneously in Canada. For information on obtaining permission for use of material from this work, please submit a written request to: Pearson Education, Inc. Rights and Contracts Department 75 Arlington Street, Suite 300 Boston, MA 02116 Fax: (617) 848-7047 Text printed on recycled paper 1 2 3 4 5 6 7 8 9 10-CRS-0605040302 First printing, September 2002 Dedication Dedicated to my wife, Ania, and our son, Adam. My future, hope, and happiness. Book: Honeypots: Tracking Hackers Foreword: Giving the Hackers a Kick Where It Hurts I'm an unabashed Lance Spitzner fan. This is the guy whose cell phone voice message says, "I'm busy geeking out right now, but leave a message, and I'll get back to you as soon as I can." I don't know when he actually stops geeking out long enough to sleep. I sometimes wonder if there are actually two of him. His enthusiasm for what he's doing bleeds over into all aspects of his life. Ideas for cool stuff erupt from him like a volcano and swirl around him, sucking in casual bystanders and students alike. It's somewhat intimidating to share a stage with him at a conference. He makes just about everyone else look uninteresting and tepid by comparison. Lance is a man who loves what he's doing, and what he loves doing is tracking hackers, sharing that information, and making a difference. A lot of people like to reserve the term "hacker" for the techno-elite computer hobbyist- those media darlings often described as "misunderstood whiz-kids" or similar nonsense. One of the great by-products of Lance's work with honeypots and honeynets is that he's helped give us a much clearer picture of the hacker in action: often technically unsophisticated kids playing around with technologies they barely understand. In Know Your Enemy the Honeynet Project demonstrated just how active and unskilled most hackers are. What's that-you don't believe it? Set up your own honeypot or honeynet and see for yourself. This book gives you the necessary tools and concepts to do it! I think it's a great thing for the security community that Lance has written this book. In the past, the hackers roamed our networks with supreme confidence in their anonymity. They take advantage of systems they've compromised to chat with their buddies safely or to launch attacks against other systems and sites without fear of detection. Now, however, they may pause to wonder if their bases of operation are safe-whether they're actually planning their attacks and deploying their tricks under a microscope. Honeypots are going to become a critical weapon in the good guys' arsenals. They don't catch only the lame hackers. Sometimes they catch the new tools and are able to reduce their effectiveness in the wild by letting security practitioners quickly react before they become widespread. They don't catch just the script kiddies outside your firewall but the hackers who work for your own company. They don't catch just unimportant stuff; sometimes they catch industrial spies. They can be time- and effort-consuming to set up and operate, but they're fun, instructive, and a terrific way for a good guy to gain an education on computer forensics in a real-world, low-risk environment. Right now there are about a half-dozen commercial honeypot products on the market. Lance covers several of them in this book, as well as "homemade" honeypots and honeynets, focusing on how they operate, their value, how to implement them, and their respective advantages. I predict that within one year, there will be dozens of commercial honeypots. Within two years, there will be a hundred. This is all good news for the good guys because it'll make it easier for us to deploy honeypots and harder for the bad guys to recognize and avoid them all. When you're trying to defend against an unknown new form of attack, the best defense is an unknown new form of defense. Honeypots will keep the hackers on their toes and, I predict, will do a lot to shatter their sense of invulnerability. This book is a great place to start learning about the currently available solutions. In this book Lance also tackles the confusion surrounding the legality of honeypots. Lots of practitioners I've talked to are scared to dabble in honeypots because they're afraid it may be considered entrapment or somehow illegal. It's probably a good idea to read the chapter on legal issues twice. It may suprise you. Welcome to the cutting edge of technology, where innovation happens and the law is slow to catch up to new concepts. Meanwhile, you can bet that with renewed concerns about state-sponsored industrial espionage and terrorism the "big boys" will be setting up honeypots of their own. I'd hate to be a script kiddy who chose to launch his next attack from a CIA honeypot system! When the big boys come into the honeypot arena, you can bet that they'll make sure it's legal. The sheer variety and options for mischief with honeypots are staggering.