Honeypots mailing list archives

Re: Heisenberg in the honeypot


From: Valdis.Kletnieks () vt edu
Date: Tue, 22 Jun 2004 12:54:16 -0400

On Tue, 22 Jun 2004 03:44:15 PDT, Harlan Carvey said:

> Perhaps another way of putting it...say I have a brand
> spanking new exploit (not blocked by firewalls, and no
> IDS rules exist for it), something no one has ever
> even considered.  Let's say that I'm particularly
> nefarious, and intend to use this exploit for
> malicious purposes.  Now, do you think I would run
> this exploit against arbitrary targets, knowing that
> somewhere out there, a honeypot would collect the data
> and someone might figure out what I was doing?  Or do
> you think I would do a little recon (even of a
> physical nature) first, to ensure that I've got a
> really juicy, easy to access target...with NO
> honeypots?

You missed the most obvious case. :)

You attack a juicy easy access target, and you *don't* bother worrying about
honeypots because you're conducting a *targeted* attack.  You gain a *first*
foothold inside the target network via some means - e-mail spam that installs a
trojan, mass scan for a *known* vulnerability, hoping that *one* person didn't
patch their desktop box, etc...

Now work from that box.  Watch the ARP traffic, learn machine names on the
local subnet.  See if the local DNS will let you do an AXFR to get all the names
in one shot (remember - they *may* have AXFR denied and they actually read the
logs, but it's a pretty safe bet that the machine that's configured as your
primary DNS isn't a honeypot - with one exception discussed later).  From
there, start working it - the desktop box probably has pointers to the
organization's web server, mail server, and database machines... Start reading
the e-mail on the box - is there announced downtime of a server? If it's
important enough to announce the outage, it might be interesting.. and so on.

It isn't a question of "blindly shoot and worry about hitting a honeypot" versus
"select a target known not to have honeypots".  If you're clued enough to be
doing a targeted attack, you're clued enough to realize the following:

1) Real production machines will have lots of references to them (mentioned in
e-mails, config files, and so on).

2) Honeypots will *not* have any/many references to them, because otherwise
they'll false-positive like crazy.

3) As a result, as your recon work finds new machines, the fact that you *found*
the machines means that the box is probably *not* a honeypot (modulo the method
of discovery, of course - finding it via an nmap scan of the subnet doesn't give much
confidence - the fact that the current box has 3 open shares on the file server, and
the files you can see indicate that 25 or 30 *other* boxes also have shares there..
well, it's probably not a honeypot... :)

The one exception is if the site is *so* clued that they can set up a fake
desktop box, with *all* of this stuff faked too - a bogus router, bogus ARP
traffic - with realistic replies from boxes you ping/nmap after learning their
IP address via ARP, bogus DNS/mail/DB machines, bogus e-mail folders, and so
on.  Remember that a production network leaves a *LOT* of traces of itself on
the boxes (poke around your own machine if you don't believe me ;).

This was sort of what "An Evening with Berferd" was about - and notice that it
didn't take very long at all before keeping up the charade got difficult.

The other alternative is to sprinkle your network with red herrings - send out
mass e-mails saying that "Server <codename-for-honeypot> will be down from 3:15
to 5PM Thursday after next for a security upgrade" - generally a bad idea, as
users will deluge your support desk with calls of "Why did I get this e-mail
about a server I never heard of?" - and you can be sure that 10% of your users
will try to log in to said server after the "upgrade" to make sure their files
are still there. ;)

That sort of issue is why I honestly don't think that a honeypot will catch
many black hats, unless you (a) have a *really* nice "real" target and lots of
resources to build a very elaborate facade, or (b) the black hat is a real
novice and/or not paying close attention....

Another way to look at it - consider the end of Indiana Jones and the Last Crusade.
All those letters on the floor are systems.  However, your honeypot at J won't get
hit unless this happens:

Professor Henry Jones: The Word of God.
Marcus Brody: No, Henry. Try not to talk.
Professor Henry Jones: The Name of God.
Indiana Jones: The Name of God. Jehovah.
Professor Henry Jones: But in the Latin alphabet, "Jehovah" begins with an "I".
Indiana Jones: J-... 
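Points 1 through 3 above amount to a measurable heuristic: a decoy that nothing else on the network refers to stands out by its silence. The following script, added here as an illustration and not part of Valdis's post, turns that into a defender-side audit: it counts how often each known host is mentioned in a corpus of config lines, e-mail bodies and zone records, and reports which decoys fall below the reference density of the real production hosts, so the operator knows which honeypots still need believable traces seeded around them. The host list, decoy names and corpus lines are all constructed sample data.

```python
import re
from collections import Counter

# Constructed inventory: four production hosts and two decoys the defender runs.
HOSTS = ["mail01", "www01", "db01", "fileserv", "decoy-j", "decoy-k"]
DECOYS = {"decoy-j", "decoy-k"}

# Constructed corpus: the kind of traces a production network leaves behind
# (client config lines, an outage announcement e-mail, share mappings, DNS zone lines).
CORPUS = [
    "smtp_server = mail01.example.test",
    "Reminder: www01 will be down Thursday 3:15-5PM for patching",
    "DB_HOST=db01.example.test",
    "\\\\fileserv\\shares\\finance mapped for 25 users",
    "mail01 IN A 10.0.0.5",
    "www01 IN A 10.0.0.6",
    "db01 IN A 10.0.0.7",
    "fileserv IN A 10.0.0.8",
    "decoy-j IN A 10.0.0.99",   # the only trace of decoy-j; decoy-k has none
]


def count_references(hosts, corpus):
    """Count whole-word, case-insensitive mentions of each host across the corpus.

    Hyphens are treated as part of a name so 'decoy-j' does not match inside
    'decoy-jx'; a following '.' or '\\' (FQDN, UNC path) still counts as a mention.
    """
    counts = Counter({h: 0 for h in hosts})
    for host in hosts:
        pattern = re.compile(r"(?<![\w-])" + re.escape(host) + r"(?![\w-])", re.IGNORECASE)
        for line in corpus:
            counts[host] += len(pattern.findall(line))
    return counts


def conspicuous_decoys(hosts, decoys, corpus, threshold=2):
    """Return decoys mentioned fewer than `threshold` times, sorted by name.

    `threshold` is the reference count below which a decoy would look
    'too quiet' next to production hosts; choose it from the production
    hosts' own counts (see production_floor).
    """
    counts = count_references(hosts, corpus)
    return sorted(h for h in decoys if counts[h] < threshold)


def production_floor(hosts, decoys, corpus):
    """Lowest reference count among non-decoy hosts: the bar a decoy should meet."""
    counts = count_references(hosts, corpus)
    return min(counts[h] for h in hosts if h not in decoys)


if __name__ == "__main__":
    counts = count_references(HOSTS, CORPUS)
    floor = production_floor(HOSTS, DECOYS, CORPUS)
    for host in HOSTS:
        tag = "decoy" if host in DECOYS else "prod"
        print(f"{host:10s} {tag:5s} references={counts[host]}")
    print("least-referenced production host count:", floor)
    print("decoys below that bar:", conspicuous_decoys(HOSTS, DECOYS, CORPUS, floor))
```

Run against a real inventory, the corpus would be whatever artifacts the defender can collect from a sample of desktops (mail stores, mapped drives, application configs) plus the zone files; the useful output is the list of decoys that score below the quietest production host, since those are the ones a patient intruder would discount for exactly the reason given in point 3.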
