Honeytrap is a network security tool written to observe attacks against TCP services. As a low-interactive honeypot, it collects information regarding known or unknown network-based attacks and thus can provide early-warning information.
The applied model strictly distinguishes between data capture and attack analysis. The process of collecting information related to attacks is completely done within the core system. Further processing like automated analysis can be done with plugins which can be loaded dynamically during runtime. This guarantees expandability without the need to shut down or even recompile the software.
A classic approach in honeypot technology is to emulate services or even well-known vulnerabilities in services, pursued by lots of excellent tools (e.g., nepenthes). However, this does not work if one also wants to trap totally unknown attacks.
If the honeytrap daemon detects a request to an unbound TCP port, it starts a server process to handle the incoming connection. This makes it possible to handle attacks right when they occur, no matter if they are by then known or not. There is no need to keep thousands of ports bound to make sure that new attacks are caught. Instead, honeytrap extracts TCP connection attempts from a network stream by using so-called "connection monitors". Two different kinds of connection monitors are currently available:
Although service emulation is not in the main focus of the concept, honeytrap has some basic emulation capabilities, a "poor man's service emulator". If a connected host transmits no data for some short time, sending a response often keeps the attack going. Honeytrap can read default responses for specific ports from files which basically contain captured responses from original services. All files are stored in a central directory and processed automatically, so adding a new service emulation is as simple as capturing a response (e.g. using netcat) and dumping it to a file located in the right directory.
A neat thing is the "mirror mode" in which all incoming data is mirrored back to the attacker. For every incoming connection honeytrap establishes a "mirror connection" back to the remote host on the requested port. Responses from the mirror connection are mirrored to the initial connection and vice versa. One can think of honeytrap in mirror mode as a generic TCP proxy, arranging for an attacker to attack himself. Thus, service emulation is no longer necessary. :-) A connection handler automatically falls back to normal mode (including the "poor man's service emulator") if no mirror connection could be established.
An attack can also be processed in "proxy mode" to relay incoming connections to a different host or service and at the same time record the whole communication. Ports can also be explicitly configured to be handled in "normal mode" or in "ignore mode". In the latter case connections to that port are simply not handled by honeytrap. The appropriate mode can be set individually for any TCP port.
The presence of different modes allows honeytrap to be set up as a meta-honeypot: connections that shall be handled by other honeypots or real services can be proxied to them, others can be mirrored back to the attacker or handled in normal mode.
Many attacks take place in multiple steps. That is, after successfully exploiting a service, additional tools are downloaded to the compromised host to launch further attacks or to open backdoors that allow the intruder to come back. To get as much information as possible about an attack, honeytrap uses plugins to save and analyze collected data. The following plugins are currently available:
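To make the per-port modes and the fallback behaviour concrete, here is an added example in Python (it is not honeytrap's own code; honeytrap is written in C). It models a per-port mode table (normal / mirror / proxy / ignore), the "poor man's service emulator" that answers a silent client with a response captured from a real service, and the fallback to normal mode when no mirror or proxy connection can be established. The config syntax, the `<port>.dat` file naming and every function name are this example's own assumptions, not honeytrap's; the FTP banner and client command in `demo()` are constructed sample data.

```python
# Added example, not honeytrap's code. Config syntax, file naming and
# function names are assumptions made for illustration.
import os
import selectors
import socket
import tempfile
import threading

MODES = {"normal", "mirror", "proxy", "ignore"}


def parse_port_modes(text):
    """Parse a per-port mode table (hypothetical syntax):
       <port> <mode> [<host>:<port> for proxy]   # comments allowed"""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        port, mode = int(fields[0]), fields[1]
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r} for port {port}")
        target = None
        if mode == "proxy":
            host, _, tport = fields[2].rpartition(":")
            target = (host, int(tport))
        table[port] = (mode, target)
    return table


def load_default_response(directory, port):
    """Captured response for `port`, stored as <directory>/<port>.dat (assumed naming)."""
    try:
        with open(os.path.join(directory, f"{port}.dat"), "rb") as fh:
            return fh.read()
    except FileNotFoundError:
        return b""


def handle_normal(conn, port, responses_dir, idle_timeout=0.5):
    """Normal mode: record what the client sends. If it stays silent for
    idle_timeout, send the captured default response once to keep it talking."""
    log, sent_default = [], False
    conn.settimeout(idle_timeout)
    while True:
        try:
            data = conn.recv(4096)
        except socket.timeout:
            if sent_default:
                break  # client stayed silent even after the banner: give up
            banner = load_default_response(responses_dir, port)
            if banner:
                conn.sendall(banner)
                log.append(("honeypot", banner))
            sent_default = True
            continue
        if not data:
            break
        log.append(("client", data))
    return log


def relay(client, peer):
    """Mirror/proxy mode: pump bytes both ways, recording everything, until EOF."""
    log = []
    sel = selectors.DefaultSelector()
    sel.register(client, selectors.EVENT_READ, peer)
    sel.register(peer, selectors.EVENT_READ, client)
    while True:
        for key, _ in sel.select():
            data = key.fileobj.recv(4096)
            if not data:
                return log
            log.append(("client" if key.fileobj is client else "peer", data))
            key.data.sendall(data)


def handle_connection(conn, remote_ip, port, table, responses_dir):
    """Dispatch by configured mode; mirror and proxy fall back to normal mode."""
    mode, target = table.get(port, ("normal", None))
    if mode == "ignore":
        conn.close()
        return None
    if mode in ("mirror", "proxy"):
        # mirror: connect back to the attacker on the same port; proxy: to target
        dest = (remote_ip, port) if mode == "mirror" else target
        try:
            with socket.create_connection(dest, timeout=2) as peer:
                return relay(conn, peer)
        except OSError:
            pass  # no peer connection: fall through to normal mode
    return handle_normal(conn, port, responses_dir)


def demo():
    """Constructed scenario: a client hits port 21 (normal mode), sends nothing
    until the captured FTP banner arrives, then one command, then disconnects."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "21.dat"), "wb") as fh:
            fh.write(b"220 ftp ready\r\n")  # constructed "captured" banner
        table = parse_port_modes("21 normal\n135 ignore\n")
        honeypot_end, attacker_end = socket.socketpair()
        result = {}
        worker = threading.Thread(target=lambda: result.update(
            log=handle_connection(honeypot_end, "203.0.113.7", 21, table, d)))
        worker.start()
        banner = attacker_end.recv(4096)  # blocks until the emulator speaks
        attacker_end.sendall(b"USER anonymous\r\n")
        attacker_end.close()
        worker.join()
        honeypot_end.close()
        return banner, result["log"]
```

`demo()` returns the banner the client saw and the recorded exchange; in a real deployment `handle_connection` would be called for each accepted socket with the peer's address, and the log handed to whatever plugin stores or analyses it.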
Honeytrap is licensed under the GNU General Public License (GPL) and freely available from sourceforge download mirrors. The latest version 0.6.3.1 was released on 2006-10-01. You can also check out cutting-edge code from the publicly accessible subversion repository:
svn co https://svn.sourceforge.net/svnroot/honeytrap/trunk honeytrap-svn
These installation instructions contain information on how to set up honeytrap. Topics regarding the software can be discussed on the public mailing list. Postings are available in this online archive. Also have a look at the honeytrap manpage, the README file included in the source distribution and the program code.
To get an idea what kind of data honeytrap collects, take a look at the sample attacks page. If you trapped something interesting that fits into this place, drop me a mail. Md5 checksums of captured binaries can be found here.
Feel free to send questions, ideas and suggestion to me.
honeytrap was written by Tillmann Werner.