Keep track of everything that happens on your honeypot.
Once an attacker has fallen prey to your honeypot and gained access to it, it is critical that you monitor all activity on that machine. By monitoring every tiny bit of activity on your honeypot, you can not only learn the intentions of your uninvited guest, but often also learn about new techniques for compromising a system as the intruder tries to gain further access. Besides, if you’re not interested in what attackers are trying to do, why run a honeypot at all?
One of the most effective methods for tracking every packet and keystroke is to use a kernel-based monitoring tool. This way, you can monitor nearly everything that attackers do on your honeypot, even if they use encryption to protect their data or network connections. One powerful package for monitoring a honeypot at the kernel level is Sebek (http://www.honeynet.org/tools/sebek/).
Sebek is a loadable kernel module for the Linux, Solaris, BSD, and Windows operating systems that intercepts key system calls in the kernel and monitors them for interesting information. It then transmits the data to a listening server while hiding those transmissions from the honeypot itself, so a sniffer that the intruder runs locally will not see the records leaving the machine.
To build the kernel modules on Linux, first make sure that the build directory within your modules directory points to the source code of the kernel for which you want to compile the modules:
$ ls -lad /lib/modules/2.6.16/build
lrwxrwxrwx 1 root root 47 Apr 10 22:55 /lib/modules/2.6.16/build -> ../../../usr/src/linux-2.6.16
Then, run the usual ./configure command. Alternatively, you can build Sebek for another version of the kernel by adding the --with-kernel-dir switch and specifying a directory containing the kernel source code:
$ ./configure --with-kernel-dir=/usr/src/linux-2.6.11
Note, however, that if you specify an alternative version of the kernel, the kernel source at that location must already be configured (it needs a .config) and prepared for building external modules. Run the following commands from within the directory containing the kernel source to do this:
$ make oldconfig
$ make prepare
Now that all of that is out of the way, run ./configure and then make. The latter will generate a tarball containing the kernel module and an installer script. Copy this archive to your honeypot to complete the installation.
Here’s what’s inside:
$ tar tfz sebek-lin26-3.1.2b-bin.tar.gz
sebek-lin26-3.1.2b-bin/
sebek-lin26-3.1.2b-bin/parameters.sh
sebek-lin26-3.1.2b-bin/sbk_install.sh
sebek-lin26-3.1.2b-bin/README
sebek-lin26-3.1.2b-bin/sbk.ko
Before installing the module on your honeypot, you’ll need to edit the sbk_install.sh script and modify three variables that tell sbk.ko where to send the information that it collects: DESTINATION_MAC, DESTINATION_IP, and DESTINATION_PORT. These should all be set to point to the Sebek server that you will build in a moment. The MAC address is needed because Sebek writes its packets out directly rather than going through the honeypot’s normal ARP and routing, so DESTINATION_MAC must be the next hop: the server’s own MAC address if it is on the same subnet, or your router’s MAC address if it is not.
Additionally, you can optionally configure the source port that Sebek uses by setting SOURCE_PORT. Make sure to use the same DESTINATION_PORT for all honeypots that you’ll be operating. You’ll also need to set INTERFACE to the interface that should be used to send data to DESTINATION_IP.
Set the MAGIC_VAL variable to the same value on all your honeypots. The module treats any packet carrying this magic value and DESTINATION_PORT as Sebek traffic and hides it from the local system, including packets sent by your other honeypots on the same network; if the values differed, an intruder on one compromised honeypot could sniff the records another honeypot is sending.
If you want Sebek to collect only keystrokes from your honeypot, you can set the KEYSTROKE_ONLY variable to 1. The SOCKET_TRACKING and WRITE_TRACKING variables also control what Sebek records. If the former is set to 1, Sebek will collect information on socket usage. If the latter is enabled, Sebek will track all write operations. This can be quite a lot of activity, so it’s recommended that you leave this variable at its default setting, disabled (0).
Once you’re satisfied with your configuration, set the TESTING variable to 0. This will cause Sebek to hide itself once it’s loaded into the kernel. Leave it at 1 until you have confirmed that records are reaching your Sebek server: a hidden module no longer shows up in lsmod, which makes troubleshooting on the honeypot itself much harder.
Now, run the install script on your honeypot:
# ./sbk_install.sh
Installing Sebek:
358887816.o installed successfully
The 358887816.o file contains the contents of sbk.ko. The new filename is picked at random by the install script in order to obscure the module’s presence from intruders, who might look for it by name while examining kernel memory directly. Alternatively, you can set the MODULE_NAME variable in sbk_install.sh to a name of your choosing. Once Sebek is installed, be sure to remove the archive and installation files. The presence of these files on a system is a pretty clear indication that it is a honeypot and could tip off intruders.
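The variables above are easy to get subtly wrong across several honeypots (a mistyped MAC, one machine left in TESTING mode, two machines that disagree on DESTINATION_PORT or MAGIC_VAL), and a honeypot that leaks its own Sebek records or keeps the installer files around defeats the purpose. The following script is an added example, not part of Sebek or of the original text: it checks copies of sbk_install.sh before they are shipped to the honeypots and lists the installer artifacts that must be deleted afterwards. The function names, the three constructed sample configurations and the assumption that MAGIC_VAL is an integer are mine.

```shell
#!/bin/sh
# Added example, not part of Sebek: check copies of sbk_install.sh before they go to
# the honeypots. Assumes the plain VAR=value assignments shown above and an integer
# MAGIC_VAL (decimal or 0x hex). Files are read with sed, never sourced.

# sbk_get FILE VAR: print VAR's value from FILE (quotes stripped, last assignment wins)
sbk_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# sbk_is_uint VALUE: 0 if VALUE is a non-empty decimal integer
sbk_is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# sbk_valid_mac MAC: 0 if MAC is six colon-separated hex pairs
sbk_valid_mac() {
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    case $1 in $h:$h:$h:$h:$h:$h) ;; *) return 1 ;; esac
}

# sbk_valid_ip A.B.C.D: 0 if exactly four octets, each 0..255
sbk_valid_ip() {
    oldifs=$IFS; IFS=.; set -f
    set -- $1
    IFS=$oldifs; set +f
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        sbk_is_uint "$o" && [ "$o" -le 255 ] || return 1
    done
}

# sbk_check_one FILE: 0 if FILE is deployable, 1 otherwise (reasons on stderr)
sbk_check_one() {
    cf=$1; crc=0
    sbk_valid_mac "$(sbk_get "$cf" DESTINATION_MAC)" ||
        { echo "$cf: DESTINATION_MAC must be the server's MAC (router's MAC if off-subnet)" >&2; crc=1; }
    sbk_valid_ip "$(sbk_get "$cf" DESTINATION_IP)" ||
        { echo "$cf: DESTINATION_IP is not a dotted-quad address" >&2; crc=1; }
    for v in DESTINATION_PORT SOURCE_PORT; do
        p=$(sbk_get "$cf" "$v")
        [ "$v" = SOURCE_PORT ] && [ -z "$p" ] && continue    # SOURCE_PORT is optional
        sbk_is_uint "$p" && [ "$p" -ge 1 ] && [ "$p" -le 65535 ] ||
            { echo "$cf: $v '$p' is not a port in 1..65535" >&2; crc=1; }
    done
    m=$(sbk_get "$cf" MAGIC_VAL)
    case $m in 0x[0-9A-Fa-f]*) ;; *) sbk_is_uint "$m" || { echo "$cf: MAGIC_VAL '$m' is not an integer" >&2; crc=1; } ;; esac
    [ -n "$(sbk_get "$cf" INTERFACE)" ] || { echo "$cf: INTERFACE is empty" >&2; crc=1; }
    [ "$(sbk_get "$cf" TESTING)" = 0 ] ||
        { echo "$cf: TESTING is not 0, so the module would not hide itself" >&2; crc=1; }
    return $crc
}

# sbk_check_fleet FILE...: 0 if every file passes and all agree on DESTINATION_PORT
# and MAGIC_VAL, the pair that lets the honeypots hide each other's Sebek traffic
sbk_check_fleet() {
    frc=0; first=''
    for ff in "$@"; do
        sbk_check_one "$ff" || frc=1
        fp=$(sbk_get "$ff" DESTINATION_PORT); fm=$(sbk_get "$ff" MAGIC_VAL)
        if [ -z "$first" ]; then first=$ff; p0=$fp; m0=$fm; continue; fi
        [ "$fp" = "$p0" ] || { echo "$ff: DESTINATION_PORT $fp differs from $first ($p0)" >&2; frc=1; }
        [ "$fm" = "$m0" ] || { echo "$ff: MAGIC_VAL $fm differs from $first ($m0)" >&2; frc=1; }
    done
    return $frc
}

# sbk_leftovers DIR: list installer artifacts under DIR that would betray a honeypot
sbk_leftovers() {
    find "$1" \( -name 'sbk_install.sh' -o -name 'parameters.sh' -o -name 'sbk.ko' \
        -o -name 'sebek-lin26-*' \) -print
}

# sbk_demo_dir: write three constructed configs (hp1, hp2 fine; hp3 broken) to a
# temporary directory and print its path
sbk_demo_dir() {
    dd=$(mktemp -d)
    for n in hp1 hp2 hp3; do
        mkdir "$dd/$n"
        cat > "$dd/$n/sbk_install.sh" <<'EOF'
#!/bin/sh
INTERFACE="eth0"
DESTINATION_IP="192.168.0.10"
DESTINATION_MAC="00:0C:29:AB:CD:EF"
DESTINATION_PORT=65000
MAGIC_VAL=1978
KEYSTROKE_ONLY=0
SOCKET_TRACKING=1
WRITE_TRACKING=0
TESTING=0
EOF
    done
    # hp3 was never taken out of test mode, has a mistyped MAC and its own port
    printf 'TESTING=1\nDESTINATION_MAC="0:c:29:ab:cd:ef"\nDESTINATION_PORT=1101\n' \
        >> "$dd/hp3/sbk_install.sh"
    echo "$dd"
}

# Run the checks on the constructed fleet, then show what must be deleted on the honeypots
demo=$(sbk_demo_dir)
if sbk_check_fleet "$demo"/hp*/sbk_install.sh; then
    echo "configs consistent; delete these files once the module is installed:"
else
    echo "fix the configs reported above before running sbk_install.sh on the honeypots"
fi
sbk_leftovers "$demo"
rm -rf "$demo"
```

Point sbk_check_fleet at the real copies of sbk_install.sh you keep on the build host (one per honeypot), and run sbk_leftovers against the honeypot’s filesystem after installation; anything it prints is exactly the kind of file the paragraph above tells you to remove.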
There are two ways to collect the data from a system running Sebek. The simplest is to run the Sebek server, which will sniff for the information and automatically extract it for you. If you prefer to collect the data manually, you can use a sniffer and later use Sebek’s data extraction utility to pull the information out of your packet dumps.
To install the server, download the source distribution from the project page, unpack it, and go into the directory that it created. Then, run this command:
$ ./configure && make
After compilation has finished, become root and run make install. This will install sbk_extract, sbk_ks_log.pl, and sbk_upload.pl. To extract information sent from a honeypot, use sbk_extract. You can run it in sniffer mode by using the -i and -p options to specify which interface to listen on and which destination port to look for, respectively.
If you want to process packets that have already been captured using a packet capture tool, use the -f option to specify the location of the packet dump file.
sbk_extract also gives the option of running in a chroot() jail: simply use the -c option and specify a directory to chroot() to. It’s recommended that you do this when collecting data in the wild because of the chance (however remote it may be) that an intruder could exploit an unknown vulnerability in sbk_extract by sending specially crafted data. Use an empty directory that is owned by root and writable by nobody else (such as /var/empty, as in the example below), so that a compromised sbk_extract finds nothing to read or write there; bear in mind that chroot() limits only what the process can see in the filesystem and does not take away the root privileges sbk_extract needs in order to sniff.
Once you’ve extracted the data, you can use sbk_ks_log.pl to display the attacker’s keystrokes. It’s also possible to monitor keystrokes in real time, by piping the output of sbk_extract into sbk_ks_log.pl:
# ./sbk_extract -c /var/empty -i eth0 -p 65000 | ./sbk_ks_log.pl
monitoring eth0: looking for UDP dst port 65000
192.168.0.43 2006/05/04 05:12:48 record 362 recieved 1 lost 0 (0.00 percent)
[2006-05-04 01:38:48 Host:192.168.0.43 UID:0 PID:9958 FD:0 INO:4 COM:bash ]#cat /etc/shadow
192.168.0.43 2006/05/04 05:13:50 record 539 recieved 177 lost 0 (0.00 percent)
Installing the Sebek client under Windows is much more straightforward, especially when using the precompiled binaries (http://www.savidtech.com/sebek/latest/), which walk you through the installation process via wizards. After you’ve downloaded and unpacked the .zip archive, run the included Setup.exe program, which installs Sebek.sys. By default, the wizard will install it into C:\Windows\system32\drivers, but the wizard allows you to change this location.
Once Sebek.sys has been installed, you can configure it by launching Configuration Wizard.exe. Here, you can specify all of the parameters that were specified in sbk_install.sh (see “Installing the Linux Client”). In the first step of this process, you’ll need to tell the wizard where you installed Sebek.sys. Then, click the Next button to bring up the dialog shown in Figure 11-14.
The fields in Figure 11-14 correspond to the DESTINATION_MAC, DESTINATION_IP, and DESTINATION_PORT variables in sbk_install.sh. In the next step, you’ll need to input a magic value. The configuration wizard thoughtfully includes the ability to randomly generate this number for you; simply click the Random Value button, as shown in Figure 11-15.
After you’ve done that, click Next and select the network adapter that will be used to send data to your Sebek server.
So far, the entire configuration process has pretty much corresponded with variables used in setting up Sebek under Linux. The only difference is the next screen, shown in Figure 11-16.
What if you want to reconfigure Sebek at some point? You can run the configuration wizard again, but what’s to stop intruders from using it to disable Sebek after they’ve compromised the system? This screen helps you to make it a lot harder for someone to do that by allowing only programs with a certain name to alter Sebek’s configuration. By default, this name is the first 12 characters of the filename you used to launch the current instance of the configuration wizard (e.g., Configuration, if you didn’t rename it). At this point, it’s best to use a random password generator to generate a filename. Then, rename Configuration Wizard.exe to the randomly generated name and keep it in a safe place (i.e., not on a system running Sebek).
After you’ve done this, click Next, and you’re finished. After you reboot the system, it will begin sending data to your Sebek server.
Sebek also has an optional web interface called Walleye, which allows you to analyze the collected data easily. In addition to logged keystrokes, the web interface can extract files that have been uploaded to the honeypot. Walleye is part of the Roo Honeywall CD-ROM distribution, a hardened Fedora Core 3-based Linux distribution designed with honeynet data collection and analysis in mind. More information about it can be found at http://www.honeynet.org/tools/cdrom/.