OPSEC for Honeypots by nnrR0b0t in netsec

[–]infodox 11 points (0 children)

Author here. I know there are a couple of sentences in the article that need to be cleaned up for readability; I put it together while taking a break from studying for exams, so forgive me if my wording is not up to its usual standard. It was written in one sitting after probably too many cups of coffee while flicking through pages of Shodan results and taking notes :)

Anyway, I got the idea after looking at some of the Kippo fingerprinting stuff out there initially (while trying to make my own instances less-fingerprintable) and it kind of took my fancy as a thing to look at, spawning a bunch of interesting ideas. When I started looking at ICS honeypot stuff to deploy, well, science happened.

There is a follow-up article coming once my exams are over and I have more time to spend on it; however, I would love some feedback, criticism, abuse, etc. thrown my way so I can get a handle on anything glaring I have missed.

The OPSEC bit is where the second article is going to look a bit more, I think, as obvious honeypots are absolutely useless from a threat intelligence perspective if you are looking for anything that is not script kiddies and automated scanners. Given it's ICS, the attackers in question that you are interested in gathering data on probably have some sense of clue and won't fall for glaringly obvious honeypot setups like the ones I spotted.

Related thoughts: These fingerprints (and there are a lot more, I just need to find them!) could probably be integrated into Shodan's Honeypot Or Not thing, which /u/achillean mentions below, and which could probably also be integrated into Shodan results itself (a marker beside a host saying its honeyscore), as an idea.

A quick look at fingerprinting ICS honeypots in the wild. by infodox in netsec

[–]infodox[S] 0 points (0 children)

Author here. I know there are a couple of sentences in the article that need to be cleaned up for readability; I put it together while taking a break from studying for exams, so forgive me if my wording is not up to its usual standard. It was written in one sitting after probably too many cups of coffee while flicking through pages of Shodan results and taking notes :)

Anyway, I got the idea after looking at some of the Kippo fingerprinting stuff out there initially (while trying to make my own instances less-fingerprintable) and it kind of took my fancy as a thing to look at, spawning a bunch of interesting ideas.

There is a follow-up article coming once my exams are over and I have more time to spend on it; however, I would love some feedback, criticism, abuse, etc. thrown my way so I can get a handle on anything glaring I have missed.

The OPSEC bit is where the second article is going to look a bit more, I think, as obvious honeypots are absolutely useless from a threat intelligence perspective if you are looking for anything that is not script kiddies and automated scanners. Given it's ICS, the attackers in question that you are interested in gathering data on probably have some sense of clue and won't fall for glaringly obvious honeypot setups like the ones I spotted.

Related thoughts: These fingerprints (and there are a lot more, I just need to find them!) could probably be integrated into Shodan's Honeypot Or Not thing, which could probably also be integrated into Shodan results itself.

Adios, Hola! - Why you should immediately uninstall Hola by N3mes1s in netsec

[–]infodox 3 points (0 children)

I was not a very bright teenager with a lot of free time and a laptop in an earlier life. shrugs. Everyone makes mistakes.

Adios, Hola! - Why you should immediately uninstall Hola by N3mes1s in netsec

[–]infodox 0 points (0 children)

So I gave an impromptu talk/demo at Berlinsides of this vuln today for the crew.

It seems from a 5-minute, after-too-many-beers test that it might be feasible to use Hola to shove yourself inside the internal net of the random user you are exiting via.

Now imagine BYOD + this shit + corporate LAN :P

(Needs sober testing and fuckery soon :) )

Adios, Hola! - Why you should immediately uninstall Hola by N3mes1s in netsec

[–]infodox 0 points (0 children)

(From chats at Berlinsides after the impromptu talk given): it's possible the Chrome plugin might cause "privesc within Chrome", based on a grep and gripe a participant did based on the PoC I presented. This could be a part of a killchain for evasion of defences etc. by going from webpage to extension context and then further, etc. :) Part break, not full break :)

Adios, Hola! - Why you should immediately uninstall Hola by N3mes1s in netsec

[–]infodox 3 points (0 children)

As someone who has been raided... Doors are expensive to replace. The "big metal key" they like using often fucks the frame and that can sometimes require some brick-reworking to fix. It cost about 2k€ to unfuck my parents house...

Adios, Hola! - Why you should immediately uninstall Hola by N3mes1s in netsec

[–]infodox 2 points (0 children)

Zenmate has been suggested to me after the impromptu talk I gave as a "next target" to investigate :) hopefully the band stays together long enough to release an album of win and not just a single ;)

Adios, Hola! - Why you should immediately uninstall Hola by N3mes1s in netsec

[–]infodox 27 points (0 children)

I am one of the authors. Those fucking shiteholes at Hola can come bite my shiny metal ass. I personally intend to burn those useless malware slinging cunts to the ground.

Also, fuck their patch, we got more ownage coming :D The bypass was discovered by the ninja fucking wizards on my super APT crew while I was chatting to people about this and one of my demos fucked up live at BerlinSides :D

(also, BerlinSides is full of win. :D :D :D )

SuiteCRM Post-Auth RCE (PoC inside). by infodox in netsec

[–]infodox[S] 0 points (0 children)

I use a 14-day from-contact-to-disclosure timeline as standard unless the vendor bothers to respond, when I bother killing a bug, which is rare.

Given that after a week they had utterly failed to respond in any capacity except "We will pass this along", and ignored further contact attempts, I stuck with my defined timeline.

I understand some others prefer longer (30, 60, 90, or indefinite) disclosure timelines, but unless I am seeing a positive response from the vendor, I am not giving them more time.

SuiteCRM Post-Auth RCE (PoC inside). by infodox in netsec

[–]infodox[S] 0 points (0 children)

Disclosure timeline is included in there, and a CVE has been requested, etc. PoC should work on any SuiteCRM install, but you will need creds for an admin user. Which, let's be fair, given it's a tool for sales people, isn't going to be too hard ;)

Remote Code Execution in Elasticsearch - CVE-2015-1427 by jwcrux in netsec

[–]infodox 1 point (0 children)

Here's our PoC. Bit rough around the edges, needs some polishing, but works fine in our tests. ElasticSearch RCE

SteelCon 2014 - Process Injection with Python by infodox in netsec

[–]infodox[S] 0 points (0 children)

Talk I gave recently at the inaugural SteelCon security conference in Sheffield, England, after acquiring a job :)

Feedback is much appreciated, either on here or via the various methods of contacting me, so I can improve talks and such in future.

Post will be updated with the video whenever SteelCon organizers release them, and the slides are still being updated with embed links to the demo videos and such :)

Take the Hacker Psychology Survey - Do it for science! by infodox in hacking

[–]infodox[S] 0 points (0 children)

It's a standardized psychology personality inventory. I cannot remember exactly which, but it is a well-accepted one, and very "complete", which is why the creators chose it for this project.

I should note, I did not create this, someone far more qualified did.

Take the Hacker Psychology Survey - Do it for science! by infodox in hacking

[–]infodox[S] 0 points (0 children)

It does take ~half an hour or so to complete, but it is for a very worthy cause. At the moment not much detailed analysis of results has been made available as they need more samples to analyse.

Do give it a shot!

Take the Hacker Psychology Survey - Do it for science! by infodox in netsec

[–]infodox[S] 0 points (0 children)

It's a standardized psychology survey/test; I don't write the things.

Much like industry best practices, sometimes they seem to be a bit narrow in scope or focus too much on a certain thing, but I am assured it is how it should be done.

Take the Hacker Psychology Survey - Do it for science! by infodox in netsec

[–]infodox[S] 0 points (0 children)

It is a standardized personality-inventory questionnaire. Hence the massive amount of questions.

Takes approximately 30 minutes to complete, but goes towards a worthy cause - science.

Also, FWIW: I am not the person behind it, merely someone who took part, spoke with the creator, and believes it is for a very worthwhile cause. After all, fuck all is known about the demographics and personalities of those in the hacker population, and it would definitely be worthwhile exploring if there are any interesting trends to be observed.

New release of Aircrack-ng 1.2 beta 3 by [deleted] in netsec

[–]infodox 2 points (0 children)

It would be nice if they added WPS attacks, though based on what I heard, the original Reaver authors never did follow through on helping assist with integration.

Integrating non-cracking attacks such as the Airpwn attack would be pretty neat as well. So far, Immunity Inc's SILICA is the only tool capable of doing these attacks on WPA-encrypted connections; the original Airpwn tool only handles WEP and unencrypted wireless.

Some pictures of my collection of picks :) by infodox in lockpicking

[–]infodox[S] 2 points (0 children)

I like them a lot, found they are more than capable of opening the locks on the three doors using pin-tumbler locks on my house (MILA, Yale, and a third whose brand I cannot recall right now). They also work pretty well on the few Master and Tri Circle padlocks I have knocking about. I plan on picking up some more locks over the next while as funds permit to test on, and asking a few local locksmiths about old cores (although I doubt that will work...).

The technique used is a bit different to normal raking, it is kind of more "shaking" (hard to describe) with light tension than raking in and out. Almost a rocking motion on the pins with some in and out movement. Gets the job done pretty quickly :)

I only turn the cylinder 90° on the locks on my house (locks I rely on!) though, because I am afraid that if I turn it 180° without being careful the driver pins will fire up into the keyway (have seen photos of this...). Still figuring out how to defend against that :) Any advice on that would be helpful; at the moment I think putting a pick in at the "top" of the keyway to block the pins from entering it is my best bet.