Friday, 20 October 2017

Deception honeypots

On deception technology: today I read a few more articles, taking this one as the starting point:
http://www.itworldcanada.com/article/deception-technology-enhances-honeypots-for-cyber-defence/380544
and from there dug up a fair amount of related material.
1. There are far more companies in this space abroad:
Attivo: https://attivonetworks.com/
Allure Security Technology: https://www.alluresecurity.com/
CyberTrap: http://www.cybertrap.com/
Cymmetria: http://www.cymmetria.com/
ForeScout: https://www.forescout.com/
GuardiCore: http://www.guardicore.com/
Hexis Cyber Solutions: https://www.hexiscyber.com/
Illusive Networks:
LogRhythm: https://logrhythm.com/
Percipient Networks: https://strongarm.io/
Rapid7:
Shape Security:
Specter:
TrapX Security: http://trapx.com/
TopSpin Security: 
It turns out quite a few companies focus on this area.
2. Commercial deception products are more elaborate and simulate more realistic environments, for example covering endpoints, the network, applications and data at every relevant layer.
Honeypots are the classic application of deception technology; using honeypots for defence and intelligence collection goes back more than 15 years. There are commercial honeypots, and even more open-source ones:
Snort: https://www.snort.org/
Dionaea: https://github.com/rep/dionaea
Conpot: http://conpot.org/
Shiva:
Nepenthes:
The Honeynet Project: https://www.honeynet.org/, a non-profit security research organisation devoted to studying the latest attacks and developing open-source security tools to improve network security.
Modern Honey Network (MHN): http://threatstream.github.io/mhn/
The drawback of open-source honeypots is that they are hard to manage and deploy at scale; commercial products do better here, for instance by integrating with a SIEM (security information and event management) system.
The open-source world has made efforts here too, for example the MHN mentioned above. MHN's main goal is to simplify honeypot deployment while collecting and organising the data. I followed http://threatstream.github.io/mhn/ for a real deployment; let's walk through it.
3. System environment [note: there is a pitfall here, skip to step 7]
lenky@lenky-virtual-machine:~$ cat /etc/issue
Ubuntu 16.04.1 LTS \n \l
lenky@lenky-virtual-machine:~$ uname -a
Linux lenky-virtual-machine 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
4. Download the source package
lenky@lenky-virtual-machine:~$ wget https://github.com/threatstream/mhn/zipball/master
lenky@lenky-virtual-machine:~$ unzip master
lenky@lenky-virtual-machine:~$ cd threatstream-mhn-0474d0d/
5. Install
lenky@lenky-virtual-machine:~/threatstream-mhn-0474d0d$ sudo ./install.sh
Error:
下列软件包有未满足的依赖关系:
 python-dev : 依赖: python2.7-dev (>= 2.7.11-1~) 但是它将不会被安装
 python-pip : 依赖: python-pip-whl (= 8.1.1-2) 但是 8.1.1-2ubuntu0.2 正要被安装
              推荐: python-all-dev (>= 2.6) 但是它将不会被安装
              推荐: python-setuptools 但是它将不会被安装
              推荐: python-wheel 但是它将不会被安装
E: 无法修正错误,因为您要求某些软件包保持现状,就是它们破坏了软件包间的依赖关系。
Fix:
lenky@lenky-virtual-machine:~/threatstream-mhn-0474d0d$ sudo apt-get install aptitude
lenky@lenky-virtual-machine:~/threatstream-mhn-0474d0d$ sudo aptitude install python-dev python-pip
Answer n first to reject the "keep as is" solution, then y to accept the downgrade solution.
Then run sudo ./install.sh again and wait; you may hit other errors, such as pip download timeouts. A summary of how I solved the problems I ran into:
a) Add -H to sudo so that pip can use its cache; otherwise it warns:
The directory '/home/lenky/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/lenky/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
If you have to run ./install.sh repeatedly, this avoids downloading everything again.
b) Read the install script and avoid repeating steps. In my case install_hpfeeds.sh failed several times, and every rerun of ./install.sh downloaded and rebuilt libev and hpfeeds again, so I commented out the relevant lines to skip the redundant work and speed up retries.
c) Error:
+ pip install -e git+https://github.com/rep/evnet.git#egg=evnet-dev
Obtaining evnet from git+https://github.com/rep/evnet.git#egg=evnet-dev
  Updating ./env/src/evnet clone
Collecting pyev>=0.5.3-3.8 (from evnet)
  Using cached pyev-0.9.0.tar.gz
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-build-SSAIqn/pyev/setup.py", line 56, in <module>
        check_version(python_version, min_python_versions[major], "Python{0}".format(major))
      File "/tmp/pip-build-SSAIqn/pyev/setup.py", line 40, in check_version
        if StrictVersion(current_version) < StrictVersion(minimum_version):
      File "/usr/lib/python2.7/distutils/version.py", line 40, in __init__
        self.parse(vstring)
      File "/usr/lib/python2.7/distutils/version.py", line 107, in parse
        raise ValueError, "invalid version number '%s'" % vstring
    ValueError: invalid version number '2.7.11+'
     
    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-SSAIqn/pyev/
Upstream issue, still open: https://github.com/rep/evnet/issues/8
I worked around that, but further into the install yet more problems came up, one pitfall after another. Going by the upstream issue https://github.com/threatstream/mhn/issues/286,
MHN currently does not support Ubuntu 16.04 well, so I gave up on it.
7. Installed a fresh Ubuntu 14.04 system from ubuntu-14.04.1-server-amd64.iso:
lenky@ubuntu:~$ uname -a
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
lenky@ubuntu:~$ cat /etc/issue
Ubuntu 14.04.1 LTS \n \l
After the fresh install, copy threatstream-mhn-0474d0d.zip over, unzip it and run:
lenky@ubuntu:~/threatstream-mhn-0474d0d$ sudo -H ./install.sh
It ran straight through without a single error; at the end there are a few interactive settings. Remember the superuser email and password you set:
Superuser email: lenky0401@163.com
Superuser password:
Superuser password: (again):
Installation OK. Sure enough, picking the right base system from the start matters.
Note: if pip keeps timing out, set a longer pip timeout and a download mirror first (check for yourself whether the mirror is still usable): http://blog.csdn.net/dszgf5717/article/details/53138298
Create the file ~/.pip/pip.conf with the following content. Keep in mind that a plain-http index-url combined with trusted-host makes pip accept packages from that mirror without TLS verification, so only point it at a mirror you trust:
[global]
timeout = 6000
index-url = http://pypi.douban.com/simple/
[install]
use-mirrors = true
mirrors = http://pypi.douban.com/simple/
trusted-host = pypi.douban.com
8. Log in to the web UI:
Once MHN is installed, nginx listens on port 80, so open the corresponding address in a browser (change the IP to yours):
http://192.168.19.130/
Then enter the email and password set earlier to browse MHN's data; of course there is none at first.
References:

Google search for the keywords "Deception technology opensource".
---------------

An introduction to deception as a security technique
Security used to be about defence; nowadays nobody listens if all you talk about is defence, and most of the attention has shifted to detection and response. Deception technology, as a powerful technique for threat detection and response, has drawn a great deal of interest and was listed by Gartner as one of the top ten information security technologies for 2016.
An excerpt:
Deception technology: the essence of this technique is to deceive the attacker with targeted decoys at the network, application, endpoint and data layers, defeating in particular the signature matching inside the attacker's tools so that those tools fail, clouding the attacker's view, leading them into dead ends and delaying them. For example, a fake target / decoy can be set up to lure the attacker into attacking it, which triggers an alert. Gartner predicts that by 2018, 10% of enterprises will adopt this kind of technology to actively counter attackers.
The textual description alone is a bit vague; a hands-on exercise gives a deeper understanding. Deception is a broad concept and, as a long-standing and still-evolving technique, has many open-source implementations, for example Kippo.
Kippo's current home is: https://github.com/desaster/kippo
But according to its description, most development has moved to another project: https://github.com/micheloosterhof/cowrie
So here I'll try cowrie and see how it works.
1. System environment:
lenky@lenky-virtual-machine:~$ cat /etc/issue
Ubuntu 16.04.1 LTS \n \l
 
lenky@lenky-virtual-machine:~$ uname -a
Linux lenky-virtual-machine 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
2. Install the dependencies:
lenky@lenky-virtual-machine:~$ sudo apt-get install git virtualenv libmpfr-dev libssl-dev libmpc-dev libffi-dev build-essential libpython-dev python2.7-minimal
3. Create a dedicated user:
lenky@lenky-virtual-machine:~$ sudo adduser --disabled-password cowrie
lenky@lenky-virtual-machine:~$ sudo su - cowrie
4. Fetch the cowrie code; git clone is slow, so downloading the zip file from GitHub directly is faster:
cowrie@lenky-virtual-machine:~$ ls
cowrie-master  cowrie-master.zip
cowrie@lenky-virtual-machine:~$ cd cowrie-master/
cowrie@lenky-virtual-machine:~/cowrie-master$ ls
bin           cowrie           data  doc  honeyfs     log        requirements.txt  start.sh  twisted  var
CHANGELOG.md  cowrie.cfg.dist  dl    etc  INSTALL.md  README.md  share             stop.sh   txtcmds
5. Create a virtualenv (this takes a little while, be patient):
cowrie@lenky-virtual-machine:~/cowrie-master$ virtualenv cowrie-env
6. Activate the virtualenv and install the dependencies:
cowrie@lenky-virtual-machine:~/cowrie-master$ source cowrie-env/bin/activate
(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master$ pip install -r requirements.txt
This threw some errors, such as:
Could not find a version that satisfies the requirement twisted>=15.2.1 (from -r requirements.txt (line 1)) (from versions: )
Version numbers not being parsed? I didn't dig into it and just installed the packages one by one; some may fail, fix them according to the messages:
(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master$ pip install incremental
(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master$ pip install twisted
(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master$ pip install cryptography
(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master$ pip install configparser pyopenssl gmpy2 service_identity pycrypto python-dateutil tftpy
7. Create a DSA key (note that OpenSSH 7.0 and later disable ssh-dss by default, and the log below shows the negotiated host key algorithm was ssh-rsa, so this key only serves older clients):
(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master$ cd data/
(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master/data$ ssh-keygen -t dsa -b 1024 -f ssh_host_dsa_key
(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master/data$ cd ..
8. Prepare the config file and do a test run:
(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master$ cp cowrie.cfg.dist cowrie.cfg
(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master$ ./start.sh
Starting cowrie with extra arguments [] ...
(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master$ ps aux | grep cowrie.pid
cowrie    11955  0.0  1.6 100856 48168 ?        S    18:01   0:00 /home/cowrie/cowrie-master/cowrie-env/bin/python2 /home/cowrie/cowrie-master/cowrie-env/bin/twistd -l log/cowrie.log --umask 0077 --pidfile var/run/cowrie.pid cowrie
cowrie    12111  0.0  0.0  15984  1016 pts/21   S+   18:02   0:00 grep --color=auto cowrie.pid
9. Test it:
Connect with ssh from xshell on a Windows client:
$ ssh 192.168.19.129 2222
 
 
Connecting to 192.168.19.129:2222...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
 
 
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
 
richard@svr04:~$ 
The account used is richard/fout (from cowrie's data/userdb.txt).
Run a few commands in the connected terminal, then go back and look at cowrie's log:
(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master$ cat log/cowrie.log
...
2016-11-10T19:28:48+0800 [cowrie.ssh.factory.CowrieSSHFactory] New connection: 192.168.19.1:24209 (192.168.19.129:2222) [session: 27125b68]
2016-11-10T19:28:48+0800 [HoneyPotSSHTransport,2,192.168.19.1] Remote SSH version: SSH-2.0-nsssh2_5.0.0031 NetSarang Computer, Inc.
2016-11-10T19:28:48+0800 [HoneyPotSSHTransport,2,192.168.19.1] kex alg, key alg: 'diffie-hellman-group-exchange-sha256' 'ssh-rsa'
2016-11-10T19:28:48+0800 [HoneyPotSSHTransport,2,192.168.19.1] outgoing: 'aes128-cbc' 'hmac-sha1' 'none'
2016-11-10T19:28:48+0800 [HoneyPotSSHTransport,2,192.168.19.1] incoming: 'aes128-cbc' 'hmac-sha1' 'none'
2016-11-10T19:28:48+0800 [HoneyPotSSHTransport,2,192.168.19.1] NEW KEYS
2016-11-10T19:28:48+0800 [HoneyPotSSHTransport,2,192.168.19.1] starting service 'ssh-userauth'
2016-11-10T19:28:54+0800 [SSHService 'ssh-userauth' on HoneyPotSSHTransport,2,192.168.19.1] 'richard' trying auth 'none'
2016-11-10T19:28:57+0800 [SSHService 'ssh-userauth' on HoneyPotSSHTransport,2,192.168.19.1] 'richard' trying auth 'password'
2016-11-10T19:28:57+0800 [SSHService 'ssh-userauth' on HoneyPotSSHTransport,2,192.168.19.1] login attempt [richard/fout] succeeded
2016-11-10T19:28:59+0800 [SSHService 'ssh-userauth' on HoneyPotSSHTransport,2,192.168.19.1] 'richard' authenticated with 'password'
2016-11-10T19:28:59+0800 [SSHService 'ssh-userauth' on HoneyPotSSHTransport,2,192.168.19.1] starting service 'ssh-connection'
2016-11-10T19:28:59+0800 [SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] got channel 'session' request
2016-11-10T19:28:59+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] channel open
2016-11-10T19:28:59+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] pty request: 'xterm' (29, 115, 0, 0)
2016-11-10T19:28:59+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] Terminal Size: 29 115
2016-11-10T19:28:59+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] getting shell
2016-11-10T19:28:59+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] Opening TTY Log: log/tty/20161110-192859-27125b68-0i.log
2016-11-10T19:29:07+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] CMD: ls
2016-11-10T19:29:08+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] Command found: ls
2016-11-10T19:29:09+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] CMD: dir
2016-11-10T19:29:09+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] Command found: dir
2016-11-10T19:29:10+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] CMD: lasdf
2016-11-10T19:29:10+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] Command not found: lasdf
...
2016-11-10T19:59:18+0800 [-] exitCode: 1
2016-11-10T19:59:18+0800 [-] sending request 'exit-status'
You can see that cowrie records the client's actions completely. Viewing it this way is a bit messy; cowrie can also write the log to a database, which requires editing the [output_mysql] section of cowrie.cfg and creating the tables from doc/sql/mysql.sql. I won't go into that here.
Files worth noting in the cowrie source tree:
data/userdb.txt : the accounts a client can use for the ssh connection; the richard/fout used above comes from this file.
dl/* : files the client uploads via sftp and the like are stored in this directory.
doc/* : useful third-party documentation; for example, to configure mysql, the table structure can be taken from sql/mysql.sql in this directory.
honeyfs/* : customised decoy information; for example, edit etc/issue to change the system version banner.
log/* : cowrie's log files, the main basis for analysing behaviour inside the honeypot.
txtcmds/* : virtual commands, which are actually text files.
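To make the text log above easier to act on without setting up MySQL, here is an added example (not part of the original post or of cowrie itself) that groups cowrie.log lines by transport and reports, per remote IP, whether any login succeeded and which commands ran. The sample lines are constructed in the format shown above; transport 3 and its failed guesses are invented.

```python
import re
from collections import defaultdict

# Constructed sample in the cowrie.log format shown above; transport 3 is invented.
SAMPLE_LOG = """\
2016-11-10T19:28:57+0800 [SSHService 'ssh-userauth' on HoneyPotSSHTransport,2,192.168.19.1] login attempt [richard/fout] succeeded
2016-11-10T19:29:07+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] CMD: ls
2016-11-10T19:29:09+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] CMD: dir
2016-11-10T19:29:10+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] CMD: lasdf
2016-11-10T19:29:10+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] Command not found: lasdf
2016-11-10T19:40:01+0800 [SSHService 'ssh-userauth' on HoneyPotSSHTransport,3,10.0.0.5] login attempt [root/123456] failed
2016-11-10T19:40:03+0800 [SSHService 'ssh-userauth' on HoneyPotSSHTransport,3,10.0.0.5] login attempt [root/admin] failed
"""

# One log line is "<timestamp> [<context>] <message>"; the context names the transport.
LINE_RE = re.compile(r"^(?P<ts>\S+) \[(?P<ctx>[^\]]*)\] (?P<msg>.*)$")
TRANSPORT_RE = re.compile(r"HoneyPotSSHTransport,(?P<id>\d+),(?P<ip>[\d.]+)")
LOGIN_RE = re.compile(r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<res>succeeded|failed)")
CMD_RE = re.compile(r"^CMD: (?P<cmd>.*)$")
NOTFOUND_RE = re.compile(r"^Command not found: (?P<cmd>.*)$")


def parse_cowrie_log(lines):
    """Group login attempts and commands per (remote ip, transport id)."""
    sessions = defaultdict(lambda: {"logins": [], "commands": [], "not_found": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        t = TRANSPORT_RE.search(m.group("ctx"))
        if not t:
            continue  # factory and twistd lines carry no transport
        s = sessions[(t.group("ip"), t.group("id"))]
        msg = m.group("msg")
        if (lm := LOGIN_RE.search(msg)):
            s["logins"].append((lm.group("user"), lm.group("pw"), lm.group("res") == "succeeded"))
        elif (cm := CMD_RE.match(msg)):
            s["commands"].append(cm.group("cmd"))
        elif (nm := NOTFOUND_RE.match(msg)):
            s["not_found"].append(nm.group("cmd"))
    return dict(sessions)


def summarize(sessions):
    """Per-session view: did any login succeed, how many guesses, what ran."""
    return [{"ip": ip, "transport": tid, "guesses": len(s["logins"]),
             "compromised": any(ok for _, _, ok in s["logins"]),
             "commands": s["commands"], "not_found": s["not_found"]}
            for (ip, tid), s in sorted(sessions.items())]
```

Run it on a real log with `summarize(parse_cowrie_log(open("log/cowrie.log")))`; sessions with `compromised` set are the ones whose TTY logs under log/tty/ are worth replaying first.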