HoneyPots for Network Security Using Honeyd
Botnets

One of the biggest threats in network security is botnets. Botnets are a collection of infected computers, or bots, that have been taken over by hackers (sometimes known as bot herders) and are used to perform malicious tasks or functions.
Botnets

Example: how a botnet is created and used to send email spam. A botnet operator sends out viruses or worms, infecting ordinary users' computers; the payload is a malicious application, the bot. The bot on the infected PC logs into a particular C&C server (often an IRC server, but in some cases a web server). A spammer purchases the services of the botnet from the operator. The spammer provides the spam messages to the operator, who instructs the compromised machines via the IRC server, causing them to send out the spam messages.
Types of Botnet Attacks

Spyware: software that sends information about a user's activities to its creators, typically passwords, credit card numbers and other information that can be sold on the black market.
Adware: advertises some commercial entity actively and without the user's permission or awareness.
Denial of Service: multiple systems autonomously access a single Internet system or service in a way that appears legitimate but far more frequently than normal use, causing the system to become busy.
Types of Botnet Attacks

Fast Flux: a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.
Click Fraud: the user's computer visits websites without the user's awareness to create false web traffic for personal or commercial gain.
E-mail spam: e-mail messages disguised as messages from people, but which are advertising, annoying or malicious in nature.
Honeypots

A server that is configured to detect an intruder by mirroring a real production system. It appears as an ordinary server doing work, but all the data and transactions are phony. Located either inside or outside the firewall, the honeypot is used to learn about an intruder's techniques as well as to determine vulnerabilities in the real system. It is set up to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.
Types of Honeypots

Generally speaking there are two different types of honeypots: production honeypots and research honeypots. Production honeypots are used primarily by companies or corporations to improve their overall state of security. Research honeypots are used primarily by non-profit research organizations or educational institutions to research the threats organizations face and learn how to better protect against those threats.
Honeyd

Honeyd is a daemon honeypot licensed under the GPL that can simulate a large network while using only a single host. To outsiders, Honeyd looks like a computer network occupying a network's unused address space.
Primary Applications of Honeyd

Distraction: Using the software's ability to mimic many different network hosts at once, Honeyd can act as a distraction to potential hackers. If a network has only 3 real servers but one server is running Honeyd, the network will appear to a hacker to be running hundreds of servers. The hacker will then have to do more research to determine which servers are real, or may get caught in a honeypot. Either way, the hacker will be slowed down or possibly caught.

Honeypot: On a network, all normal traffic should be to and from valid servers only. Thus, a network administrator running Honeyd can monitor his/her logs to see if there is any traffic going to the virtual hosts set up by Honeyd. Any traffic going to these virtual servers can be considered highly suspicious. The network administrator can then take preventative action, perhaps by blocking the suspicious IP address or by further monitoring the network for suspicious traffic.
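The monitoring use just described (any traffic to the virtual hosts is suspicious) as an added shell example; it is not part of the deck. It reads Honeyd-style packet-log lines, counts new connections per source address to the two decoy addresses the deck uses later (192.168.1.201 and 192.168.1.202), and flags sources that touch more than one decoy port. The log lines are constructed for the example and only follow the general shape of honeyd's packet log (timestamp, protocol, S/E/- marker, source, source port, destination, destination port); check the field layout against your honeyd version before pointing the script at a real log file.

```shell
#!/bin/sh
# Added example, not from the deck: flag sources that talk to Honeyd's decoys.
# Assumed record shape (constructed to resemble honeyd's "-l" packet log):
#   <timestamp> <proto> <S|E|-> <src> <sport> <dst> <dport> [fingerprint]
# S = new connection, E = end of connection, - = connectionless packet.

# Decoy addresses bound in honeyd.conf; nothing legitimate should talk to them.
HONEYD_HOSTS="192.168.1.201 192.168.1.202"

# Constructed sample log: one source probing three decoy ports, one touching a
# single decoy port, and one talking to a real server (192.168.1.10).
SAMPLE_LOG='2009-04-02-10:15:01.0001 tcp(6) S 10.0.0.5 40212 192.168.1.201 80 [Windows XP SP1]
2009-04-02-10:15:01.0450 tcp(6) S 10.0.0.5 40213 192.168.1.201 22
2009-04-02-10:15:02.1200 tcp(6) S 10.0.0.5 40214 192.168.1.202 445
2009-04-02-10:15:03.3300 tcp(6) E 10.0.0.5 40212 192.168.1.201 80: 60 120
2009-04-02-10:16:10.0000 udp(17) - 10.0.0.9 53210 192.168.1.202 161
2009-04-02-10:17:00.0000 tcp(6) S 10.0.0.5 40215 192.168.1.10 80'

# honeyd_hits: read log lines on stdin; for every source that sent an S or "-"
# record to a decoy, print "<src> <record count> <decoy:port ...>" (unique ports).
# E records are skipped so a flow is not counted twice.
honeyd_hits() {
    awk -v decoys="$HONEYD_HOSTS" '
    BEGIN { n = split(decoys, d, " "); for (i = 1; i <= n; i++) isdecoy[d[i]] = 1 }
    # fields: $1 ts, $2 proto, $3 state, $4 src, $5 sport, $6 dst, $7 dport
    ($3 == "S" || $3 == "-") && ($6 in isdecoy) {
        hits[$4]++
        key = $4 SUBSEP $6 ":" $7
        if (!(key in seen)) { seen[key] = 1; ports[$4] = ports[$4] " " $6 ":" $7 }
    }
    END { for (s in hits) printf "%s %d%s\n", s, hits[s], ports[s] }' | sort
}

# flag_sources: print source addresses that touched more than $1 distinct
# decoy ports (default 1). A single hit may be a typo or a stray scanner;
# several distinct decoy ports from one source is a scan worth acting on.
flag_sources() {
    threshold=${1:-1}
    honeyd_hits | awk -v t="$threshold" 'NF - 2 > t { print $1 }'
}

# Demo run on the constructed sample: prints 10.0.0.5
printf '%s\n' "$SAMPLE_LOG" | flag_sources
```

Run it against a live log with `tail -f /var/log/honeypot/honeyd.log | flag_sources` (log path as configured on your host); the flagged addresses are candidates for the blocking or closer monitoring the slide mentions, after checking they are not your own scanners.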
Honeyd Configuration

/etc/honeypot/ contains honeyd.conf, nmap.assoc, nmap.prints, pf.os, and xprobe2.conf.

honeyd.conf is the main configuration file for setting the "personalities" of the virtual hosts. The honeyd.conf in the slides does the following:
  creates the default actions for the machines;
  creates a personality template called honeypot-template;
  sets the MAC address, OS, uptime, available protocols and open ports;
  binds the template to 2 unused IP addresses on the network.
Honeyd Configuration

  $ iptables -A INPUT -d 192.168.1.201 -j ACCEPT
  $ iptables -A INPUT -d 192.168.1.202 -j ACCEPT
  $ iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

These rules modify your firewall to accept packets for the IP addresses defined in honeyd's configuration file.
Honeyd Configuration

/etc/default/honeyd sets the default run behavior of honeyd.
Honeyd Configuration

Another daemon that runs alongside honeyd is farpd, which answers ARP on behalf of the virtual hosts so that traffic addressed to them is delivered to the honeyd server. farpd replies to any ARP request for an IP address matching the specified destination net with the hardware MAC address of the specified interface, but only after determining that no other host already claims it. Any IP address claimed by farpd is eventually forgotten after a period of inactivity or after a hard timeout, and is relinquished if the real owner shows up. This enables a single host to claim all unassigned addresses on a LAN for network monitoring or simulation.
Testing Honeyd

Use the nmap network scanner to test whether the virtual hosts respond with the right information.
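The configuration steps in the slides above (honeyd.conf, the firewall rules, /etc/default/honeyd, farpd, then the nmap check) as one added shell example. This is not the deck's own honeyd.conf, which the slides show only as an image: the two decoy addresses and the template name honeypot-template come from the slides, while the interface name eth0, the LAN range 192.168.1.0/24, the MAC address, the Windows XP personality string, the web.sh service script path, the Debian-style RUN/INTERFACE/NETWORK/OPTIONS keys in /etc/default/honeyd and the log path are assumptions to adjust for your network.

```shell
#!/bin/sh
# Added example, not the deck's own files: generate the pieces the
# configuration slides describe for a Honeyd host with two decoy addresses.
# Run with no arguments to print what would be written; "apply" (as root)
# writes the files, loads the firewall rules and starts farpd and honeyd.

IFACE="eth0"                                 # assumed: LAN interface of the Honeyd host
LAN="192.168.1.0/24"                         # assumed: LAN on which farpd claims unused addresses
DECOYS="192.168.1.201 192.168.1.202"         # the two unused addresses from the deck
PERSONALITY="Microsoft Windows XP Professional SP1"   # must match a name in nmap.prints

# honeyd_conf: emit honeyd.conf. The "default" template blocks every address
# honeyd sees that is not bound below; honeypot-template carries the personality,
# MAC, uptime, protocol defaults and open ports and is bound to each decoy.
honeyd_conf() {
    cat <<EOF
# default actions: unbound addresses answer nothing
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# decoy personality (MAC below is an assumed placeholder)
create honeypot-template
set honeypot-template personality "$PERSONALITY"
set honeypot-template ethernet "00:00:24:ab:8c:12"
set honeypot-template uptime 1728650
set honeypot-template default tcp action reset
set honeypot-template default udp action reset
set honeypot-template default icmp action open
add honeypot-template tcp port 22 open
add honeypot-template tcp port 80 "sh /usr/share/honeyd/scripts/web.sh"
add honeypot-template tcp port 139 open
add honeypot-template tcp port 445 open
EOF
    for ip in $DECOYS; do
        echo "bind $ip honeypot-template"
    done
}

# firewall_rules: the deck's iptables lines, one ACCEPT per decoy plus the
# stateful rule, printed so they can be reviewed before being piped to sh.
firewall_rules() {
    for ip in $DECOYS; do
        echo "iptables -A INPUT -d $ip -j ACCEPT"
    done
    echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# default_honeyd: /etc/default/honeyd in the Debian package's layout (assumed):
# enable the init script and tell it which interface and address range to use.
default_honeyd() {
    cat <<EOF
RUN="yes"
INTERFACE="$IFACE"
NETWORK="$LAN"
OPTIONS="-l /var/log/honeypot/honeyd.log"
EOF
}

# apply: write both files, load the firewall rules, start farpd for the LAN
# (it answers ARP for unclaimed addresses so their frames reach this host),
# then start honeyd through its init script. Needs root.
apply() {
    honeyd_conf    > /etc/honeypot/honeyd.conf
    default_honeyd > /etc/default/honeyd
    firewall_rules | sh
    farpd -i "$IFACE" "$LAN"
    /etc/init.d/honeyd start
}

case "${1:-}" in
    apply) apply ;;
    *)     honeyd_conf; echo; firewall_rules; echo; default_honeyd ;;   # dry run: print only
esac
```

After "apply", the deck's test step is an OS-detection scan of a decoy from another machine on the LAN, for example nmap -O 192.168.1.201; it should report the configured personality and the open ports listed in the template, and any such scan should then also show up in the honeyd log.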