Course Overview
The subject of this course is the use of honeynet/honeypot technologies as a tool to discover and learn about existing and new threats to networked/distributed information systems, and to better understand attackers' behaviour. The course includes a project to build a custom honeypot or related tools, turning the theory into practice. The course requires a high level of involvement from the participants. Students will have access to an operational system during the sessions in order to operate a real-world honeypot.
Important. Students will get access to real malicious data and information. A high level of ethics is required during their participation.
Project Detail
During the course, there will be a specific project to complete. The project is fully integrated into the course sessions, which means that some of the topics covered will help you enhance or complete your work.
Project definition and group composition (2 people max) must be settled by 2012-12-07. The project will be released under a free software license and written in one of the following programming languages: Python, Perl, Ruby, Go, Lua, Bash or Zsh. As development will take place on an operational system, the project and its tools may evolve following the feedback received from the attackers themselves. The project can also be an improvement to an existing free software security project, including extensions, documentation, improvements or even bug fixes. If you don't have any ideas, I'm sure we can find something in a world surrounded by information security issues, insecure technologies and potential innovative technical solutions (also sometimes insecure).
Projects Ideas
If you don't feel comfortable starting on your own on a specific project, here are some projects that could be completed within the time constraint.
Automatic vulnerability assessment from network capture (1)
The project objective is to use a pcap file (or a live pcap stream) to extract indicators that can be used for the vulnerability (or non-vulnerability) assessment of the software seen in the network capture. Two use cases:

- Assess the software in your infrastructure without installing any software component on the local systems, by network monitoring only (e.g. a simple port mirror on an internal switch).
- Assess the software used by an attacker abusing a honeypot, to gauge their level of competence or potentially to abuse those attackers in return.
To look up vulnerabilities, you can already use the existing free software cve-search to keep a local database of CVE/CPE entries. This lets you query the collected information locally and quickly, while preserving the privacy of what is being checked.
The software can be separated into two distinct parts following the Unix philosophy, sketched here in pseudocode:
```
def findandextract(packet):
    return extract(findindicator(packet))

def findindicator(packet):
    if packet contains "User-Agent:" | "SSH handshake" | "Server:":
        return packet

def extract(packet):
    return (packet(source ip), payload(packet))

for packet in pcap(file | capture):
    findandextract(packet)
```
The indicator code will return a list of lines like the following:

```
192.168.1.1|User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:16.0) Gecko/20100101 Firefox/16.0
```
The indicator code output will be used by another small program that looks the indicator up in cve-search and gives a risk indicator per software detected:

```
192.168.1.1|cpe:/a:mozilla:firefox:16.0|8.9
```
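As an added example (not code from the course page or from cve-search), here is a runnable Python version of the two stages above. It assumes packets have already been decoded into (source IP, payload bytes) tuples by a pcap library, and it replaces the cve-search query with a small constructed table, LOCAL_CVE_TABLE, whose CPE names and scores are illustrative only, so the pipeline runs offline. The sample packets are constructed as well.

```python
"""Project idea (1) worked out as two pipeline stages (added example)."""
import re

# Constructed stand-in for a local cve-search query: CPE -> highest CVSS
# score known for that product version. Values are illustrative only.
LOCAL_CVE_TABLE = {
    "cpe:/a:mozilla:firefox:16.0": 8.9,
    "cpe:/a:apache:http_server:2.2.22": 7.5,
    "cpe:/a:openbsd:openssh:5.9": 6.4,
}

# Version indicators worth extracting from a TCP payload; first match wins.
INDICATOR_PATTERNS = [
    re.compile(rb"^(User-Agent: [^\r\n]+)", re.M),   # HTTP client banner
    re.compile(rb"^(Server: [^\r\n]+)", re.M),       # HTTP server banner
    re.compile(rb"^(SSH-2\.0-[^\r\n]+)", re.M),      # SSH version exchange
]

# Indicator text -> CPE template; the capture group is the version string.
CPE_RULES = [
    (re.compile(r"Firefox/(\d+\.\d+)"), "cpe:/a:mozilla:firefox:{}"),
    (re.compile(r"Server: Apache/(\d+\.\d+\.\d+)"), "cpe:/a:apache:http_server:{}"),
    (re.compile(r"SSH-2\.0-OpenSSH_(\d+\.\d+)"), "cpe:/a:openbsd:openssh:{}"),
]

# Constructed sample packets (src_ip, payload): a browser request, an HTTP
# reply, an SSH banner and a TLS fragment carrying no indicator at all.
SAMPLE_PACKETS = [
    ("192.168.1.1", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; "
                    b"rv:16.0) Gecko/20100101 Firefox/16.0\r\n\r\n"),
    ("203.0.113.5", b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Debian)\r\n"
                    b"Content-Type: text/html\r\n\r\n<html>"),
    ("198.51.100.9", b"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n"),
    ("10.0.0.7", b"\x16\x03\x01\x00\x9c\x01\x00\x00\x98"),
]


def find_indicator(payload):
    """Stage 1 helper: return the first version indicator in a payload, or None."""
    for pattern in INDICATOR_PATTERNS:
        m = pattern.search(payload)
        if m:
            return m.group(1).decode("ascii", "replace")
    return None


def extract(packets):
    """Stage 1: yield one 'src_ip|indicator' line per packet with an indicator."""
    for src_ip, payload in packets:
        indicator = find_indicator(payload)
        if indicator is not None:
            yield f"{src_ip}|{indicator}"


def lookup(lines):
    """Stage 2: turn 'src_ip|indicator' lines into 'src_ip|cpe|score' lines.

    A version absent from the local table scores 0.0 (no CVE known locally);
    an indicator that no rule maps to a CPE is reported as 'unmapped' so that
    unknown software stays visible to the analyst instead of being dropped."""
    for line in lines:
        src_ip, indicator = line.rstrip("\n").split("|", 1)
        for rule, template in CPE_RULES:
            m = rule.search(indicator)
            if m:
                cpe = template.format(m.group(1))
                yield f"{src_ip}|{cpe}|{LOCAL_CVE_TABLE.get(cpe, 0.0)}"
                break
        else:
            yield f"{src_ip}|unmapped|0.0"


def assess(packets):
    """Both stages in one process; on the shell they would be two programs piped."""
    return list(lookup(extract(packets)))


if __name__ == "__main__":
    for line in extract(SAMPLE_PACKETS):
        print(line)
    for line in assess(SAMPLE_PACKETS):
        print(line)
```

Running the file prints the stage-1 lines followed by the stage-2 lines for the constructed packets. In a real deployment each stage is its own program reading stdin and writing stdout, and stage 2 queries the local cve-search database for the CPE and its CVSS scores instead of LOCAL_CVE_TABLE.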
Modular entropy calculation from network capture (2)
The project objective is to use a pcap file (or a live pcap stream) to calculate the entropy of the TCP and UDP payload of packets seen.
```
for packet in pcap(file | capture):
    data = extractpayload(packet, offset=OFFSET_OPTION, block=BLOCK_OPTION)
    output(calculateentropy(data, algorithm=OPTION))
```
The software must follow the Unix philosophy by producing an output that can be consumed by other programs such as R or ploticus for analysis and/or visualization.
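As an added example (not the course's code), the pseudocode above worked out in Python. It assumes packets are already decoded into (timestamp, source IP, payload) tuples; the offset and block parameters stand in for OFFSET_OPTION and BLOCK_OPTION, and the entropy algorithm is chosen by name from a small registry so another measure can be plugged in. The sample packets are constructed.

```python
"""Project idea (2): block-wise entropy of packet payloads (added example)."""
import math
from collections import Counter


def shannon(data):
    """Shannon entropy of a byte string in bits per byte: 0.0 for an empty
    or constant block, 8.0 when all 256 byte values are equally frequent."""
    h = 0.0
    n = len(data)
    for count in Counter(data).values():
        p = count / n
        h -= p * math.log2(p)
    return h


def normalised(data):
    """Shannon entropy scaled to 0..1, easier to threshold than raw bits."""
    return shannon(data) / 8.0


# Registry of selectable algorithms (the OPTION of the pseudocode).
ALGORITHMS = {"shannon": shannon, "normalised": normalised}


def payload_blocks(payload, offset=0, block=0):
    """Yield (block_index, chunk) over payload[offset:], in `block`-byte chunks;
    block=0 treats the remaining payload as one chunk."""
    data = payload[offset:]
    if block <= 0:
        yield 0, data
        return
    for start in range(0, len(data), block):
        yield start // block, data[start:start + block]


def entropy_records(packets, offset=0, block=0, algorithm="shannon"):
    """One record (timestamp, src_ip, block_index, entropy) per block.

    Payloads no longer than `offset` yield nothing instead of a misleading 0.0."""
    calc = ALGORITHMS[algorithm]
    records = []
    for ts, src_ip, payload in packets:
        if len(payload) <= offset:
            continue
        for index, chunk in payload_blocks(payload, offset, block):
            records.append((ts, src_ip, index, round(calc(chunk), 4)))
    return records


def to_tsv(records):
    """Tab-separated text with a header row, directly loadable by R's
    read.delim() or fed to ploticus."""
    lines = ["timestamp\tsrc_ip\tblock\tentropy"]
    lines.extend("\t".join(str(field) for field in rec) for rec in records)
    return "\n".join(lines)


# Constructed sample packets (timestamp, src_ip, payload): a constant filler,
# a payload using every byte value once (looks encrypted or compressed), a
# two-symbol pattern and a tiny payload. Not real captures.
SAMPLE_PACKETS = [
    (1355432911.0, "10.0.0.1", b"A" * 64),
    (1355432912.0, "10.0.0.2", bytes(range(256))),
    (1355432913.0, "10.0.0.3", b"ab" * 16),
    (1355432914.0, "10.0.0.4", b"xy"),
]

if __name__ == "__main__":
    print(to_tsv(entropy_records(SAMPLE_PACKETS, block=16)))
```

Block-wise output is what makes the plot useful: a payload whose entropy stays near 8 bits in every block looks encrypted or compressed, while a plaintext protocol shows lower and more variable values per block.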
Extracting geolocation artifact from network capture to validate IP geolocation (3)
IP geolocation is usually inaccurate, but beyond the geolocation of the IP address itself you can assess the location by looking at additional artifacts.
One source could be the location of the AS number (ASN) the IP address is assigned to, via Team Cymru's services.
Additional artifacts could be a charset definition from the server or the client (e.g. deducing the language from the content, limiting a charset to a country/region, ...).

```
1.2.3.4|BE|charset:iso-8859-1|Latin (list of countries)
```
Guessing time zone and checking time consistency within a network capture (4)
Various time artifacts are present in a network capture. For example, you can calculate the deviation of the HTTP server's Date header from the pcap timestamp.

```
HTTP/1.1 200 OK
Date: Thu, 13 Dec 2012 21:08:31 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Type: text/html
```

By comparing it with the capture timestamp, you can calculate the deviation for each packet captured and follow its evolution over time.

```
1.2.3.4|dev:40sec
```
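As an added example (not from the course), Python code that computes the deviation described above and follows it per server IP. It assumes packets are already decoded into (capture timestamp, source IP, payload) tuples with the HTTP response at the start of the payload; the sample replies and capture timestamps are constructed. The output extends the page's `ip|dev:40sec` line with the drift since the first observation of that server, which is the "evolution over time" the text asks for.

```python
"""Project idea (4): HTTP Date header vs. capture timestamp (added example)."""
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

DATE_HEADER = re.compile(rb"^Date: ([^\r\n]+)", re.M)


def server_time(payload):
    """Unix time from the HTTP Date header, or None if absent or unparsable."""
    m = DATE_HEADER.search(payload)
    if not m:
        return None
    try:
        dt = parsedate_to_datetime(m.group(1).decode("ascii", "replace"))
    except (TypeError, ValueError):   # garbage Date value (either exception, by Python version)
        return None
    if dt.tzinfo is None:             # a "-0000" date comes back naive; treat it as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


def deviations(packets):
    """Yield (capture_ts, src_ip, deviation) for every reply carrying a Date header.

    deviation = server time - capture time, in whole seconds: positive means the
    server clock is ahead of the capture host. Network delay is folded in, so a
    stable offset over many replies says more than any single value."""
    for ts, src_ip, payload in packets:
        st = server_time(payload)
        if st is None:
            continue
        yield ts, src_ip, int(round(st - ts))


def summarise(packets):
    """One 'ip|dev:<last>sec|drift:<last-first>sec' line per server IP."""
    first, last = {}, {}
    for _ts, ip, dev in deviations(packets):
        first.setdefault(ip, dev)
        last[ip] = dev
    return [f"{ip}|dev:{last[ip]}sec|drift:{last[ip] - first[ip]}sec" for ip in sorted(first)]


# Constructed sample packets (capture_timestamp, src_ip, payload). Capture
# times are Unix timestamps chosen so that 1.2.3.4 runs 40 s and then 45 s
# ahead, 9.9.9.9 is in sync, and 5.6.7.8 sends one reply without a Date
# header and one with a garbage Date value (both must be skipped).
HDRS = b"Server: Apache\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_PACKETS = [
    (1355432871.0, "1.2.3.4", b"HTTP/1.1 200 OK\r\nDate: Thu, 13 Dec 2012 21:08:31 GMT\r\n" + HDRS),
    (1355432986.0, "1.2.3.4", b"HTTP/1.1 200 OK\r\nDate: Thu, 13 Dec 2012 21:10:31 GMT\r\n" + HDRS),
    (1355432900.0, "5.6.7.8", b"HTTP/1.1 200 OK\r\n" + HDRS),
    (1355432905.0, "5.6.7.8", b"HTTP/1.1 200 OK\r\nDate: yesterday\r\n" + HDRS),
    (1355432911.0, "9.9.9.9", b"HTTP/1.1 200 OK\r\nDate: Thu, 13 Dec 2012 21:08:31 GMT\r\n" + HDRS),
]

if __name__ == "__main__":
    for ts, ip, dev in deviations(SAMPLE_PACKETS):
        print(f"{ts}|{ip}|dev:{dev}sec")
    for line in summarise(SAMPLE_PACKETS):
        print(line)
```

A deviation that jumps between replies from the same server, rather than staying roughly constant, is the interesting signal: it points at a clock that was reset, at several hosts behind one IP, or at replayed or injected responses.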
Operational Aspect
The system used for the project is shared among the class, including its system administration. Security and system administration are part of the overall project: adequate system administration, OpenSSH key management, logging management and security monitoring on the open Internet. Git will be used extensively during the course.
You must also create a GitHub account where all your project including its documentation will be available (publicly).
Workstation Requirements During Classes
Most of the work during the classes is a mixture of practical exercises, real-life experiments and sometimes a bit of theory. The main requirement is that your workstation is an operational Unix-based system (e.g. a recent GNU/Linux distribution like Ubuntu 12.xx or a BSD flavour like OpenBSD or FreeBSD) on which you have system administrator privileges.
Language
Courses will be given in French with the technical support being in English. Your project will be in English as your code and documentation will be available to the Internet community at large.
Evaluation
The evaluation will be mainly based on your project. The evaluation is not the objective; the objective is to have fun while learning together.
Caveats
You may find that the subject is sometimes too experimental and not yet mature enough for real-life application. If you have any issue with the course (including the way I teach it), don't hesitate to raise it as early as possible.
Sessions
Date/Time/Where | Topics and Support | Additional Information and Dataset |
---|---|---|
2012-11-30 10:00→12:00 and 14:00→18:00 @ E116 | Introduction to Honeypot Technologies; A Tool For Improving Network Forensic Analysis - The Attackers' Principles; The shortest, fastest and cheapest path: a common method for compromising information systems | pcap file 1 (MD5:65ca24413de7ab0ad6423ed2b6329056); pcap file 2 (MD5:db066fcd23e505349978236de5fb8977) |
2012-12-07 10:00→12:00 and 14:00→18:00 @ E116 | Network Forensic Analysis, Berkeley Packet Capture and Related Technologies; IP, TCP, UDP headers + TCP state transition diagram from TCP/IP Illustrated, Volume 1; git and socat | |
2012-12-14 10:00→12:00 and 14:00→18:00 @ E116 | Rootkit and basic malware analysis; labs with git, tcpflow, httpry, ipsumdump | jubrowska capture (SHA1:f84ea94bcc952f2e42aa1cceb41b4448e64f528b); classroom notes about network packet entropy |
2012-12-21 10:00→12:00 and 14:00→18:00 @ E116 | Learning from the attackers; ipsumdump and information visualization to ease the understanding of large datasets with moowheel and dygraphs | |
2013-01-11 09:00→13:00 @ E116 | Project reviews and status; Master internship proposal: Designing a Certificate Revocation Datastore and Query Interface; The Art of Breaking Stuff To Improve It | |
2013-01-19 09:00→13:00 @ E116 (might be late depending on the weather conditions) | (Lab) A practical view of the Red October/sputnik malware and what an IT security department might do (based on what you learned during the course); shared notes on etherpad (from network analysis to honeypot); a similar exercise will be asked for your exam | CIRCL artefacts on how to detect the Red October/sputnik malware; Malware.lu analysis of the sample "Red October" - Part 1; Malware.lu C&C for Red October/Sputnik; Kaspersky original post |
2013-01-25 09:00→13:00 @ E116 | 2 new private pcaps | |
2013-02-01 No courses | Don't forget to work on your project | |
2013-02-09 09:00→13:00 @ E116 | Forensic analysis (lab): acquiring a memory dump and basic analysis of the memory using volatility | volatility; memory dump tools; Lest We Remember: Cold Boot Attacks on Encryption Keys; Forensic Data Recovery from Flash Memory |
2013-02-16 09:00→13:00 @ E116 (closing session) | Project review - forensic analysis of a raw disk | Test raw FAT file system (MD5:4aeb06ecd361777242ab78735d51ace6) - sleuthkit.org |
- [honeyproject] Know Your Enemy: Learning about Security Threats (2nd Edition) by The Honeynet Project (2004), Addison-Wesley, ISBN 0321166469
- The Internet Motion Sensor: A Distributed Blackhole Monitoring System by M. Bailey, E. Cooke, F. Jahanian, J. Nazario and D. Watson
- A Virtual Honeypot Framework by Niels Provos, USENIX Security '04
- Towards an estimation of the accuracy of TCP reassembly in network forensics by Gerard Wagener, Alexandre Dulaunoy and Thomas Engel, published in FGCN (2) 2008: 273-278