IDS mailing list archives

Re: RES: Honeytokens and detection


From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Fri, 11 Apr 2003 16:48:20 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Augusto Paes de Barros writes:

> One of my favourite ones is the bogus administrator/root user with null
> password. Did anyone already try something with these?

Yeah, about a half dozen years ago.

At the time, the exploit du jour used a field separator bug in an
installed-by-default CGI script.  Probably test-cgi, printenv or something
like that, but I don't really recall.  Anyway, the most common variant used
said bug to cat /etc/passwd.  So I wrote a little replacement that
emulated the behaviour of the vulnerable script and responded with
a bogus passwd file.  The root passwd was a dictionary word.

The machine running the web server didn't allow telnet at all, but I
used Wietse Venema's tcp_wrappers to respond to connection requests on port 23
with a banner that said something like:

        Sorry, inbound telnet connections are not currently
        allowed from domain foo.com.  Please contact
        admin@target_server.net if you feel this is an error.

...where foo.com was the domain of the originating connection,
and www.target_server.net was the web server.

So the typical scenario would play out like this:

        0860758276.297376 host.foo.com.12345 > www.target_server.net.80
        ...
        0860759296.003735 host.foo.com.34272 > www.target_server.net.23
        ...
        0860759304.576054 dialin.bar.com.34275 > www.target_server.net.23
        ...
        0860759309.262021 www.baz.net.34278 > www.target_server.net.23
        ...

...and so on.

If you're actually interested in tracking the evildoer down, you
can't -buy- intelligence that good.  And he just gave it away for
free.

Morals of the story:

        -Always give the bad guy a chance to tell you about himself
        -`Honeytoken' is a cool catchphrase, but the idea's been around
         a long time





- -spb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (OpenBSD)

iD8DBQE+l1QKG3kIaxeRZl8RAhRaAJ9y2QCztlaX5XtWAoutmw2UspvFKwCgiNHL
HLNeNUx5lUZW1l0tr/aTPh8=
=whK9
-----END PGP SIGNATURE-----
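The correlation the scenario above describes, written out as an added example (this is not code from the post or from its author): a small Python correlator over tcpdump-style connection lines in the format the post shows, `<epoch.micros> <srchost>.<srcport> > <dsthost>.<dstport>`. It treats a connection to port 80 as a fetch of the bait CGI and every connection to port 23 as a tripwire hit, since telnet is not actually offered. A host that fetched the bait and later tries port 23 is reported as "direct"; a port-23 attempt from a host that never fetched the bait is reported as "shared" and attributed to the most recent earlier bait fetch inside a window, which is a heuristic chosen for this example, not something the post states. The sample log is constructed: it repeats the post's four lines and adds a hypothetical earlier scan from `scanner.example.net` to show the "unrelated" case. In practice you would key the bait fetch on the web server's access-log entry for the emulated script rather than on any port-80 connection.

```python
"""Honeytoken tripwire correlator (added example, not the original post's code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# "<epoch.micros> <srchost>.<srcport> > <dsthost>.<dstport>", as in the post
LINE_RE = re.compile(r"^(\d+\.\d+)\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+)$")

BAIT_PORT = 80      # where the emulated vulnerable CGI hands out the bogus passwd
TRIPWIRE_PORT = 23  # telnet is not offered; tcp_wrappers only prints the banner

# Constructed sample: the post's four lines plus one hypothetical early scan.
SAMPLE_LOG = """\
0860750000.000000 scanner.example.net.4040 > www.target_server.net.23
0860758276.297376 host.foo.com.12345 > www.target_server.net.80
...
0860759296.003735 host.foo.com.34272 > www.target_server.net.23
...
0860759304.576054 dialin.bar.com.34275 > www.target_server.net.23
...
0860759309.262021 www.baz.net.34278 > www.target_server.net.23
"""


@dataclass
class Hit:
    when: float
    host: str
    verdict: str                  # "direct", "shared" or "unrelated"
    attributed_to: Optional[str]  # bait fetcher this hit is tied to, if any
    delay: Optional[float]        # seconds between that bait fetch and this hit


def parse(line: str):
    """Return (timestamp, src, sport, dst, dport) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport = m.groups()
    return float(ts), src, int(sport), dst, int(dport)


def correlate(log_text: str, window: float = 7 * 86400) -> List[Hit]:
    bait_fetches = {}  # host -> time of its first fetch of the bait CGI
    hits: List[Hit] = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # the post's "..." ellipsis lines, or anything else we don't parse
        ts, src, _sport, _dst, dport = rec
        if dport == BAIT_PORT:
            bait_fetches.setdefault(src, ts)
            continue
        if dport != TRIPWIRE_PORT:
            continue
        if src in bait_fetches and bait_fetches[src] <= ts:
            # Same host that pulled the bogus passwd file is now trying the password.
            hits.append(Hit(ts, src, "direct", src, ts - bait_fetches[src]))
            continue
        # Heuristic for this example: nobody at this host fetched the bait, so assume
        # the credential was passed on, and tie the hit to the latest bait fetch that
        # happened before it within the window.
        earlier = [(t, h) for h, t in bait_fetches.items() if 0 <= ts - t <= window]
        if earlier:
            t, h = max(earlier)
            hits.append(Hit(ts, src, "shared", h, ts - t))
        else:
            hits.append(Hit(ts, src, "unrelated", None, None))
    return hits


def report(hits: List[Hit]) -> List[str]:
    """One human-readable line per tripwire hit."""
    out = []
    for h in hits:
        if h.verdict == "direct":
            out.append(f"{h.when:.6f} {h.host}: tried telnet {h.delay:.0f}s after fetching the bait")
        elif h.verdict == "shared":
            out.append(f"{h.when:.6f} {h.host}: tried telnet, bait last fetched by {h.attributed_to} {h.delay:.0f}s earlier")
        else:
            out.append(f"{h.when:.6f} {h.host}: tried telnet with no prior bait fetch")
    return out


if __name__ == "__main__":
    for line in report(correlate(SAMPLE_LOG)):
        print(line)
```

Run as a script it prints one verdict per port-23 attempt; the two "shared" hits from `dialin.bar.com` and `www.baz.net` are the part the post calls intelligence you cannot buy, since they name hosts the original attacker handed the bogus credential to.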
