Honeypots: Tracking Hackers

Paperback | September 10, 2002

by Lance Spitzner

It began as an innocent probe. A strange IP address was examining an unused service on my system. In this case, a computer based in Korea was attempting to connect to a rpc service on my computer. There is no reason why anyone would want to access this service, especially someone in Korea. Something was definitely up. Immediately following the probe, my Intrusion Detection System screamed an alert: An exploit had just been launched. My system was under assault! Seconds after the attack, an intruder broke into my computer, executed several commands, and took total control of the system. My computer had just been hacked! I was elated! I could not have been happier.

Welcome to the exciting world of honeypots, where we turn the tables on the bad guys. Most of the security books you read today cover a variety of concepts and technologies, but almost all of them are about keeping blackhats out. This book is different: It is about keeping the bad guys in--about building computers you want to be hacked. Traditionally, security has been purely defensive. There has been little an organization could do to take the initiative and challenge the bad guys. Honeypots change the rules. They are a technology that allows organizations to take the offensive.

Honeypots come in a variety of shapes and sizes--everything from a simple Windows system emulating a few services to an entire network of production systems waiting to be hacked. Honeypots also have a variety of values--everything from a burglar alarm that detects an intruder to a research tool that can be used to study the motives of the blackhat community. Honeypots are unique in that they are not a single tool that solves a specific problem. Instead, they are a highly flexible technology that can fulfill a variety of different roles. It is up to you how you want to use and deploy these technologies.

In this book, we explain what a honeypot is, how it works, and the different values this unique technology can have. We then go into detail on six different honeypot technologies. We explain one step at a time how these honeypot solutions work, discuss their advantages and disadvantages, and show you what a real attack looks like to each honeypot. Finally, we cover deployment and maintenance issues of honeypots. The goal of this book is not to just give you an understanding of honeypot concepts and architecture but to provide you with the skills and experience to deploy the best honeypot solutions for your environment. The examples in the book are based on real-world experiences, and almost all of the attacks discussed actually happened. You will see the blackhat community at their best, and some of them at their worst. Best of all, you will arm yourself with the skills and knowledge to track these attackers and learn about them on your own.

I have been using honeypots for many years, and I find them absolutely fascinating. They are an exciting technology that not only teaches you a great deal about blackhats but also teaches you about yourself and security in general. I hope you enjoy this book as much as I have enjoyed writing and learning about honeypot technologies.

Audience

This book is intended for the security professional. Anyone involved in protecting or securing computer resources will find this resource valuable. It is the first publication dedicated to honeypot technologies, a tool that more and more computer security professionals will want to take advantage of once they understand its power and flexibility. Due to honeypots' unique capabilities, other individuals and organizations will be extremely interested in this book. Military organizations can apply these technologies to Cyberwarfare. Universities and security research organizations will find tremendous value in the material concerning research honeypots. Intelligence organizations can apply this book to intelligence and counterintelligence activities. Members of law enforcement can use this material for the capturing of criminal activities. Legal professionals will find Chapter 15 to be one of the first definitive resources concerning the legal issues of honeypots.

CD-ROM

A CD-ROM accompanies this book and contains additional information related to the topics in the book. It includes everything from whitepapers and source code to actual evaluation copies of software and data captures of real attacks. This will give you the hands-on opportunity to develop your skills with honeypot technologies.

Web Site

This book has a Web site dedicated to it. The purpose of the Web site is to keep this material updated. If any discrepancies or mistakes are found in the book, the Web site will have updates and corrections. For example, if any of the URLs in the book have been changed or removed, the Web site will provide the updated links. Also, new technologies are always being developed and deployed. You should periodically visit the Web site to stay current with the latest in honeypot technologies.

http://www.tracking-hackers.com/book/

References

Each chapter ends with a references section. The purpose is to provide you with resources to gain additional information about topics discussed in the book. Examples of references include Web sites that focus on securing operating systems and books that specialize in forensic analysis.

About the Author

Lance Spitzner is a geek who constantly plays with computers, especially network security. He loves security because it is a constantly changing environment. His love for tactics first began in the U.S. Army, where he served both as an enlisted infantryman in the National Guard and as an armor officer in the Rapid Deployment Force. Following the Army he received his graduate degree and became involved in the world of information security. Now he fights the enemy with IPv4 packets instead of 120mm SABOT rounds.

His passion is researching honeypot technologies and using them to learn more about the bad guys. He is also actively involved with the security community. He is founder of the Honeynet Project, moderator of the honeypot mail list, coauthor of Know Your Enemy, and author of several whitepapers. He has also spoken at various conferences and organizations, including Blackhat, SANS, CanSecWest, the Pentagon, the FBI Academy, West Point, National Security Agency, and Navy War College. He is a senior security architect for Sun Microsystems Inc.

Pricing and Purchase Info

$36.38 online
$46.99 list price
Out of stock online


From the Jacket

"The text is comprehensive, an honest survey of every honeypot technology I had ever heard of and a number I read about for the first time." --Stephen Northcutt, The SANS Institute "One of the great byproducts of Lance's work with honeypots and honeynets is that he's helped give us a much clearer picture of the hacker in action." --F...

Lance Spitzner is a senior security architect for Sun Microsystems, Inc., and an acknowledged authority in security and honeypot research. He is a developer, the moderator of the honeypots mailing list, and an instructor for the SANS honeypot course. He is also the founder of the Honeynet Project, a nonprofit group of thirty security ...
Format: Paperback
Published: September 10, 2002
Publisher: Pearson Education
Language: English

The following ISBNs are associated with this title:

ISBN-10: 0321108957

ISBN-13: 9780321108951


Table of Contents



Foreword: Giving the Hackers a Kick Where It Hurts.


Preface.


1. The Sting: My Fascination with Honeypots.

The Lure of Honeypots.

How I Got Started with Honeypots.

Perceptions and Misconceptions of Honeypots.

Summary.

References.



2. The Threat: Tools, Tactics, and Motives of Attackers.

Script Kiddies and Advanced Blackhats.

Everyone Is a Target.

Methods of Attackers.

Targets of Opportunity.

Targets of Choice.

Motives of Attackers.

Adapting and Changing Threats.

Summary.

References.



3. History and Definition of Honeypots.

The History of Honeypots.

Early Publications.

Early Products.

Recent History: Honeypots in Action.

Definitions of Honeypots.

How Honeypots Work.

Two Examples of Honeypots.

Types of Honeypots.

Summary.

References.



4. The Value of Honeypots.

Advantages of Honeypots.

Data Value.

Resources.

Simplicity.

Return on Investment.

Disadvantages of Honeypots.

Narrow Field of View.

Fingerprinting.

Risk.

The Role of Honeypots in Overall Security.

Production Honeypots.

Research Honeypots.

Honeypot Policies.

Summary.

References.



5. Classifying Honeypots by Level of Interaction.

Tradeoffs Between Levels of Interaction.

Low-Interaction Honeypots.

Medium-Interaction Honeypots.

High-Interaction Honeypots.

An Overview of Six Honeypots.

BackOfficer Friendly.

Specter.

Honeyd.

Homemade.

ManTrap.

Honeynets.

Summary.

Reference.



6. BackOfficer Friendly.

Overview of BOF.

The Value of BOF.

How BOF Works.

Installing, Configuring, and Deploying BOF.

Information Gathering and Alerting Capabilities.

Risk Associated with BOF.

Summary.

Tutorial.

Step 1—Installation.

Step 2—Configure.

Step 3—Netstat.

Step 4—Attack System.

Step 5—Review Alerts.

Step 6—Save Alerts.

References.



7. Specter.

Overview of Specter.

The Value of Specter.

How Specter Works.

Installing and Configuring Specter.

Operating System.

Character.

Services.

Intelligence, Traps, Password Types, and Notification.

Additional Options.

Starting the Honeypot.

Deploying and Maintaining Specter.

Information-Gathering and Alerting Capabilities.

Short Mail.

Alert Mail.

Log Analyzer.

Event Log.

Syslog.

Intelligence Gathering.

Risk Associated with Specter.

Summary.

References.



8. Honeyd.

Overview of Honeyd.

Value of Honeyd.

How Honeyd Works.

Blackholing.

ARP Spoofing.

ARP Proxy.

Responding to Attacks.

Installing and Configuring Honeyd.

Deploying and Maintaining Honeyd.

Information Gathering.

Risk Associated with Honeyd.

Summary.

References.



9. Homemade Honeypots.

An Overview of Homemade Honeypots.

Port Monitoring Honeypots.

The Value of Port Monitoring.

How Homemade Port Monitors Work.

Risk Associated with Homemade Port Monitors.

Jailed Environments.

The Value of Jails.

How Jails Work.

Installing and Configuring Jails.

Deploying and Maintaining Jails.

Information Gathering with Jails.

Risk Associated with Jails.

Summary.

References.



10. ManTrap.

Overview of ManTrap.

The Value of ManTrap.

Prevention.

Detection.

Response.

Research.

Nontraditional Applications.

Limitations.

How ManTrap Works.

Adjustments to the Kernel.

How ManTrap Handles the File System.

The Resulting Cages and Their Limitations.

Installing and Configuring ManTrap.

Building the Host System.

iButton and Configuration Options.

Client Administration.

Customizing the Cages.

Deploying and Maintaining ManTrap.

Information Gathering.

Data Capture in Practice: An Example Attack.

Viewing Captured Data.

Data Capture at the Application Level.

File Recovery.

Using a Sniffer with ManTrap.

Using iButton for Data Integrity.

Risk Associated with ManTrap.

Summary.

References.



11. Honeynets.

Overview of Honeynets.

The Value of Honeynets.

Methods, Motives, and Evolving Tools.

Trend Analysis.

Incident Response.

Test Beds.

How Honeynets Work.

Controlling Data.

Capturing Data.

Collecting Data.

Honeynet Architectures.

GenI.

GenII.

Virtual Honeynets.

Sweetening the Honeynet.

Deploying and Maintaining Honeynets.

Information Gathering: An Example Attack.

Risk Associated with Honeynets.

Summary.

References.



12. Implementing Your Honeypot.

Specifying Honeypot Goals.

Selecting a Honeypot.

Interaction Level.

Commercial Versus Homemade Solutions.

Platform.

Determining the Number of Honeypots.

Selecting Locations for Deployment.

Placement for Prevention.

Placement for Detection.

Placement for Response.

Placement for Research.

Implementing Data Capture.

Maximizing the Amount of Data.

Adding Redundancy to Data Capture.

IP Addresses Versus Resolved Names.

Logging and Managing Data.

Using NAT.

NAT and Private Addressing.

The Role of NAT with Honeypots.

Mitigating Risk.

Mitigating Fingerprinting.

Summary.

References.



13. Maintaining Your Honeypot.

Alert Detection.

Reliability of Alerts.

Critical Content.

Prioritizing Alerts.

Archiving.

Response.

Determining Reaction Practices and Roles.

Documenting Reaction Practices.

Remote Access and Data Control.

Data Analysis.

A Simple Scenario: Low-Interaction Honeypots.

A Complex Scenario: High-Interaction Honeypots.

Updates.

Summary.

References.



14. Putting It All Together.

Honeyp.com.

Matching Goals to Honeypot Solutions.

Deploying the Honeypots.

Maintaining the Honeypots.

Surviving and Responding to an Attack.

Honeyp.edu.

Matching Goals to Honeypot Solutions.

Deploying the Honeynet.

Maintaining the Honeynet.

Analyzing Attacks.

Summary.

References.



15. Legal Issues.

Are Honeypots Illegal?

Precedents.

Privacy.

The Fourth Amendment.

Stored Information: The Electronic Communications Privacy Act.

Real-Time Interception of Information: The Wiretap Act and the Pen/Trap Statute.

Entrapment.

Liability.

Summary.

References.

Resources.



16. Future of Honeypots.

From Misunderstanding to Acceptance.

Improving Ease of Use.

Easier Administration.

Prepackaged Solutions.

Closer Integration with Technologies.

Targeting Honeypots for Specific Purposes.

Expanding Research Applications.

Early Warning and Prediction.

Studying Advanced Attackers.

Identifying New Threats.

Deploying in Distributed Environments.

A Final Caveat.

Summary.

References.



Appendix A. BackOfficer Friendly ASCII File of Scans.


Appendix B. Snort Configuration File.


Appendix C. IP Protocols.


Appendix D. Definitions, Requirements, and Standards Document.


Appendix E. Honeynet Logs.


Index.