Abstract:
A Honeypot is an Internet-attached server designed to detect and monitor the activities of computer intruders. HoneyNet is a network of these honeypots with high interaction design. CUHK has launched the HoneyNet project since June 2002. This seminar reviews some findings from this HoneyNet project, which include hacking techniques, intruders' activities after break-ins, and some general intruders' behaviors. Some intruders' activities will be described and illustrated with live demonstrations through scene reconstruction. Forensic techniques used to examine the data obtained from the HoneyNet and the technical details of the HoneyNet implementation will also be discussed.

Seminar Outline:

1. Objectives of our Honeynet
2. Implementation of our Honeynet
3. Hackers' activities and forensics techniques (with live demo)
4. Future Development
5. Q & A

Presentation Slides ([PPT|PDF])

Some findings in last year

Some hacking patterns from captured packets

• A ssh CRC32 overflow NOOP attack
• Creating backdoor accounts in a root shell access
• An Apache/mod_ssl Worm attack
• A wuftpd break-in and backdoor setup

Hackers' keystroke

• A intruder keystroke record
  
  • sneak in by a backdoor account
  • Get root access by sudo
  • Check around the honeypot environment
  • Download a root kit and intsall it
  • Disable the honeypot anonymous ftp so as to keep out other intruders.
• A intruder started up a IRC bot
• A intruder killed other intruder backdoor daemon
• A intruder checked out other intruders' IRC bot and backdoors, and then kill them
• A intruder wiped out log entries
• A intruder mass openssl scanned to other network and try to attack
• A intruder launch a DoS attack
• A intruder installed rootkit which check for other rootkit

Some intruders' startup scripts

• Startup ssh backdoor daemon, disguise it as portmap daemon, and startup sniffer program
• Startup ssh backdoor daemon, disguise it as java daemon, and startup sniffer program
• Startup trojan daemon, hide it, and send reboot e-mail back
• Startup ssh backdoor daemon at port

Hacker conversation from IRC data capture

W32/MSBLAST worm analysis

MSBLAST.D (W32/Nachi) worm analysis

MS-SQL worm (also called Sapphire, SQL Slammer, SQL Hell) analysis

W32/SWEN Worm analysis

A hacker tried to set up a shoutcast server in the honeypot

• HoneyNet Project at www.honeynet.org
• SNORT NIDS
• Honeypots: Tracking Hackers
• Forensics tools on UNIX
• The Coroner's Toolkit (TCT)
• Internet Storm Center
• CERT