Course Overview
The subject of this course is the use of honeynet/honeypot technologies as a tool to discover and learn about existing and new threats to networked/distributed information systems, and to better understand attackers' behaviour. The course includes a project to build a custom honeypot or related tools, turning the theory into practice. The course requires a high level of involvement from the participants. Students will have access to an operational system during the sessions to operate a real-world honeypot.
Students will get access to real malicious data and information. A high level of ethics is required during their participation.
Project Detail
During the period of the course, there will be a specific project to realize. The project is fully integrated into the course sessions, which means that some of the topics covered will help you enhance or complete your work.
Project definition and group composition (2 max) should be known by 2013-12-13. The project will be released under a free software license and written in one of the following programming languages: Python, Perl, Ruby, Go, Lua, Bash or Zsh. As the development of the project will be done on an operational system, the project and its tools might evolve following the feedback received from the attackers themselves. The project can be an improvement to an existing free software security project, including extensions, documentation, improvements or even bug fixes. If you don't have any ideas, I'm sure we can find something in a world surrounded by information security issues, insecure technologies and potential innovative technical solutions (also sometimes insecure).
Project Ideas
The project should usually be selected by the student, but if you lack ideas, the following list of project ideas can be used as a basis for discussion.
Guessing time zone and checking time consistency within a network capture (1)
Time is a critical component in any forensic analysis. The main issue is to find an accurate time reference while analysing packet captures, especially when the acquisition device is unsynchronized. As an example, you can find time references in the response of an HTTP server:
    HTTP/1.1 200 OK
    Date: Thu, 13 Dec 2012 21:08:31 GMT
    Server: Apache
    Accept-Ranges: bytes
    Vary: Accept-Encoding
    Content-Type: text/html
By comparing such a reference with the capture timestamp, the time deviation can be calculated for each captured packet, and its evolution over time can be followed. Output could look like:
1.2.3.4|dev:40sec
The tool should be easily extendable to add new potential time references.
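As an added illustration (not part of the course material), the following Python sketch keeps time references in a small registry so new sources can be added as one more extractor, computes the deviation between the capture clock and each reference, and reports the first and last deviation per host so drift becomes visible. The packet tuples and their timestamps are constructed for the example.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Registry of time references: (name, extractor). An extractor takes a packet payload
# and returns a datetime or None; supporting a new reference means appending one tuple.
def http_date(payload):
    m = re.search(r"^Date: (.+?)\r?$", payload, re.M)
    return parsedate_to_datetime(m.group(1)) if m else None

REFERENCES = [("http-date", http_date)]

def deviations(packets):
    """packets: iterable of (capture_ts, src_ip, payload) in capture order.
    Returns (src_ip, reference name, capture clock minus reference clock in seconds)."""
    out = []
    for ts, src, payload in packets:
        for name, extract in REFERENCES:
            ref = extract(payload)
            if ref is None:
                continue
            if ref.tzinfo is None:          # "-0000" dates parse as naive: treat as UTC
                ref = ref.replace(tzinfo=timezone.utc)
            out.append((src, name, round(ts - ref.timestamp())))
    return out

def report(devs):
    """One "ip|dev:Nsec" line per observation, plus [first, last] deviation per host
    so that drift of the capture clock over time is visible."""
    lines = [f"{src}|dev:{dev}sec" for src, _, dev in devs]
    drift = {}
    for src, _, dev in devs:
        drift.setdefault(src, [dev, dev])[1] = dev
    return lines, drift

# Constructed sample: two responses from 1.2.3.4 whose Date headers sit 40 s, then 42 s,
# behind the capture clock, and one request carrying no time reference at all.
SAMPLE = [
    (1355432951.0, "1.2.3.4", "HTTP/1.1 200 OK\r\nDate: Thu, 13 Dec 2012 21:08:31 GMT\r\nServer: Apache\r\n\r\n"),
    (1355433013.0, "1.2.3.4", "HTTP/1.1 200 OK\r\nDate: Thu, 13 Dec 2012 21:09:31 GMT\r\nServer: Apache\r\n\r\n"),
    (1355433000.0, "5.6.7.8", "GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

if __name__ == "__main__":
    lines, drift = report(deviations(SAMPLE))
    print("\n".join(lines), drift)
```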
Annotation tool for pcap files
While doing network forensics, it's common to annotate your investigation. The idea is to help investigators annotate standard pcap files. In network forensics, the integrity of the analyzed capture is critical. To preserve that integrity, the project must use a separate file to store the annotation metadata (e.g. JSON files).
Annotations can be made on a packet, on a set of packets or on a specific data range inside a packet. The BPF filter expression can be extended in order to provide an easy way to annotate the packets.
An example vty interface to add a note for a specific filter:
    annotate -a "Google DNS name resolution" "udp port 53 and tcp port 53 and host 8.8.8.8"
You can also delete or update specific notes. Then you can display the packet capture with or without notes. Your tool can be a wrapper around tcpdump or rely on a standard libpcap library.
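One way to keep the notes out of the capture, as an added example rather than a reference solution for the course: a sidecar JSON file next to the pcap that records the capture's SHA-256 so notes written for another or a modified capture are refused, with add/update/delete operations keyed by a BPF filter and an optional byte range. The `demo()` function writes a throw-away file standing in for a pcap; the `Annotations` class name and sidecar layout are this example's own choices.

```python
import hashlib, json, os, tempfile, time

def pcap_digest(path):
    """SHA-256 of the capture; stored in the sidecar so notes for another or modified capture are refused."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

class Annotations:
    """Notes live in <capture>.notes.json; the pcap itself is never written to."""
    def __init__(self, pcap_path):
        self.pcap_path, self.side = pcap_path, pcap_path + ".notes.json"
        self.data = {"pcap_sha256": pcap_digest(pcap_path), "notes": []}
        if os.path.exists(self.side):
            with open(self.side) as f:
                stored = json.load(f)
            if stored["pcap_sha256"] != self.data["pcap_sha256"]:
                raise ValueError("sidecar belongs to a different capture")
            self.data = stored

    def add(self, text, bpf, byte_range=None):
        """Annotate the packets matching a BPF filter, optionally a [start, end) byte range inside them."""
        note_id = max((n["id"] for n in self.data["notes"]), default=0) + 1
        self.data["notes"].append({"id": note_id, "text": text, "filter": bpf,
                                   "range": byte_range, "added": time.time()})
        self._save()
        return note_id

    def update(self, note_id, text):
        for n in self.data["notes"]:
            if n["id"] == note_id:
                n["text"] = text
        self._save()

    def delete(self, note_id):
        self.data["notes"] = [n for n in self.data["notes"] if n["id"] != note_id]
        self._save()

    def _save(self):
        with open(self.side, "w") as f: json.dump(self.data, f, indent=2)

def demo():
    # Constructed run: a temporary file stands in for the pcap; returns the notes after re-opening.
    path = os.path.join(tempfile.mkdtemp(), "capture.pcap")
    with open(path, "wb") as f:
        f.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)   # pcap magic + constructed header bytes
    notes = Annotations(path)
    nid = notes.add("Google DNS name resolution", "udp port 53 and tcp port 53 and host 8.8.8.8")
    notes.update(nid, "Google DNS name resolution (checked)")
    return Annotations(path).data["notes"]                # re-open: digest matches, note persisted
```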
Extending Malcom
Extending cve-search
Automatic vulnerability assessment from network capture (1)
The project objective is to use a pcap file (or a live pcap stream) to extract potential indicators that can be used for the vulnerability (or the non-vulnerability) assessment of software seen in the network capture.
- Assess the software in your infrastructure without installing software components on the local systems, by network monitoring only (e.g. a simple port mirror on an internal switch).
- Assess the software used by an attacker abusing a honeypot, to know the level of their competencies or potentially abuse those attackers.
To look up the vulnerabilities, you can already use an existing free software called cve-search to have a local database of CVE/CPE entries. This will allow you to query the collected information locally and quickly, while ensuring the privacy of the information checked.
The software can be separated into two distinct parts, following the Unix philosophy.
    INDICATORS = ("User-Agent:", "SSH-", "Server:")  # version markers; "SSH-" is the SSH banner prefix
    def findindicator(packet):
        # packet is a (source_ip, payload) tuple; keep it only if it carries a version marker
        return packet if any(m in packet[1] for m in INDICATORS) else None
    def extract(packet):
        # produce "source_ip|indicator line" from the first payload line carrying a marker
        if packet is not None:
            src, payload = packet
            for line in payload.splitlines():
                if any(m in line for m in INDICATORS):
                    return src + "|" + line.strip()
    def findandextract(packet):
        return extract(findindicator(packet))
    pcap = [("192.168.1.1", "GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:16.0) Gecko/20100101 Firefox/16.0\r\n\r\n")]  # packet source (file or live capture) as (source_ip, payload)
    for packet in pcap:
        print(findandextract(packet))
The indicator code will return a list of entries like the following:
192.168.1.1|User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:16.0) Gecko/20100101 Firefox/16.0
The indicator code output will be used by another small program that looks the indicator up in cve-search and gives a risk indicator per software detected:
192.168.1.1|cpe:/a:mozilla:firefox:16.0|8.9
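The second part, as an added example and not a tool from the course: it maps each "ip|indicator" line to a CPE URI through a small rule table and emits the "ip|cpe|risk" line. The real lookup against cve-search is replaced by a constructed local dictionary of CPE to CVSS scores, and "risk" is taken here to be the highest CVSS score among the matching CVEs; both are this example's assumptions.

```python
import re

# Rules mapping an indicator line to a CPE 2.2 URI; constructed for this example, a real tool
# would need one rule per product whose banner or User-Agent carries a version.
RULES = [
    (r"User-Agent:.*Firefox/(\d+(?:\.\d+)*)", "cpe:/a:mozilla:firefox:{0}"),
    (r"Server: Apache/(\d+(?:\.\d+)*)", "cpe:/a:apache:http_server:{0}"),
    (r"SSH-2\.0-OpenSSH_(\d+(?:\.\d+)*)", "cpe:/a:openbsd:openssh:{0}"),
]

def to_cpe(indicator):
    """Return the CPE for an indicator line, or None when no rule recognises it."""
    for pattern, template in RULES:
        m = re.search(pattern, indicator)
        if m:
            return template.format(*m.groups())
    return None

# Stand-in for the cve-search lookup: constructed CPE -> CVSS scores of matching CVEs.
LOCAL_CVE_DB = {
    "cpe:/a:mozilla:firefox:16.0": [8.9, 6.8, 4.3],
    "cpe:/a:openbsd:openssh:5.3": [7.5, 4.3],
}

def risk(cpe, db=LOCAL_CVE_DB):
    """Risk indicator used here: highest CVSS score among the CVEs matching the CPE (0.0 if none)."""
    scores = db.get(cpe, [])
    return max(scores) if scores else 0.0

def assess(lines, db=LOCAL_CVE_DB):
    """Turn "ip|indicator" lines into "ip|cpe|risk" lines, skipping software no rule maps to a CPE."""
    out = []
    for line in lines:
        src, indicator = line.split("|", 1)
        cpe = to_cpe(indicator)
        if cpe is not None:
            out.append(f"{src}|{cpe}|{risk(cpe, db)}")
    return out

# Constructed output of the indicator extractor (the first line is the one shown above).
INDICATORS = [
    "192.168.1.1|User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:16.0) Gecko/20100101 Firefox/16.0",
    "10.0.0.2|SSH-2.0-OpenSSH_5.3",
    "10.0.0.3|Server: Apache",          # no version in the banner: nothing to assess
]

if __name__ == "__main__":
    print("\n".join(assess(INDICATORS)))
```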
Operational Aspect
The system to be used for the project is shared among the class, including its system administration. Security and system administration are part of the overall project. This includes adequate system administration, OpenSSH key management, log management and security monitoring on the wild Internet. Git will be extensively used during the courses.
You must also create a GitHub account where your whole project, including its documentation, will be publicly available.
Workstation Requirements During Classes
The major part of the work during the classes is a mixture of practical exercises, real-life experiments and sometimes some theory. The main requirement is that your workstation is an operational Unix-based system (e.g. a recent GNU/Linux distribution like Ubuntu 12.xx/13.xx, or a BSD flavour like OpenBSD or FreeBSD) on which you have system administrator privileges.
Language
Courses will be given in French, with the technical support being in English. Your project will be in English, as your code and documentation will be available to the Internet community at large.
Evaluation
The evaluation will be mainly based on your project. The evaluation is not an end in itself; the objective is to have fun while learning together.
Caveats
You may find that the subject is sometimes too experimental and not yet mature for real-life application. If you have any issue with the course (including the way I teach it), don't hesitate to talk about it as early as possible.
Sessions
| Date/Time/Where | Subjects and Supports | Additional Information and Dataset |
|---|---|---|
| 2013-11-28 10:00→12:00 and 14:00→18:00 @ E116 | pcap file 1 (MD5:65ca24413de7ab0ad6423ed2b6329056), pcap file 2 (MD5:db066fcd23e505349978236de5fb8977) | |
| 2013-12-13 10:00→12:00 and 14:00→18:00 @ E116 | | Pocket guide IP, TCP, UDP headers; Pcap malware dataset (given during the courses) |
| 2013-12-20 10:00→12:00 and 14:00→18:00 @ E116 | | |
| 2014-01-11 09:00→13:00 @ E116 | | |
| 2014-01-18 09:00→13:00 @ E116 | | |
| 2014-01-25 09:00→13:00 @ E116 | | |
| 2014-02-08 09:00→13:00 @ E116 | | |
| 2014-02-15 09:00→13:00 @ E116 | | |
Bibliography
- Know Your Enemy: Learning about Security Threats (2nd Edition), The Honeynet Project (2004), Addison Wesley, ISBN 0321166469
- The Internet Motion Sensor: A Distributed Blackhole Monitoring System, M. Bailey, E. Cooke, F. Jahanian, J. Nazario, D. Watson
- A Virtual Honeypot Framework, Niels Provos, USENIX Security '04
- Towards an estimation of the accuracy of TCP reassembly in network forensics, Gerard Wagener, Alexandre Dulaunoy and Thomas Engel. Published in FGCN (2) 2008: 273-278