El. knyga: Honeypots for Windows

About the Author		xv
About the Technical Reviewers		xvii
Acknowledgments		xix
Introduction		xxi
PART 1 Honeypots in General
An Introduction to Honeypots		3	(32)
What Is a Honeypot?		3	(2)
What Is a Honeynet?		5	(1)
Why Use a Honeypot?		5	(6)
Low False-Positives		5	(2)
Early Detection		7	(1)
New Threat Detection		7	(1)
Know Your Enemy		8	(1)
Defense in Depth		8	(1)
Hacking Prevention		8	(2)
Internet Simulation Environment		10	(1)
Basic Honeypot Components		11	(2)
Honeypot Types		13	(7)
Honeypot Layers		13	(1)
Honeypot Interaction Levels		14	(1)
Real Operating System Honeypot		15	(1)
Virtual Honeypots		16	(4)
Summary of Honeypot Types		20	(1)
History of Honeypots		20	(6)
Genl Honeypots		21	(3)
The Genll Model		24	(2)
Future Generations		26	(1)
Attack Models		26	(6)
Manual Attacks		26	(4)
Automated Attack Programs		30	(1)
Blended Attacks		31	(1)
Summary of Attack Models		32	(1)
Risks of Using Honeypots		32	(2)
Summary		34	(1)
A Honeypot Deployment Plan		35	(28)
Honeypot Deployment Steps		35	(1)
Honeypot Design Tenets		36	(1)
Attracting Hackers		37	(1)
Defining Goals		37	(4)
Production or Research?		37	(2)
Real or Virtual?		39	(1)
Hardening a Virtual Honeypot Host		40	(1)
Honeypot System Network Devices		41	(13)
Hub		41	(5)
Bridge		46	(1)
Switch		46	(1)
Router		47	(4)
Firewall		51	(1)
Honeywall		51	(1)
Honeypot Network Devices Summary		52	(2)
Honeypot System Placement		54	(5)
External Placement		55	(1)
Internal Placement		56	(1)
DMZ Placement		57	(1)
Honeypot Placement Summary		58	(1)
Summary		59	(4)
PART 2 Windows Honeypots
Windows Honeypot Modeling		63	(26)
What You Need to Know		63	(2)
Common Ports and Services		65	(3)
Computer Roles		68	(4)
Generic Windows Server		68	(1)
IIS Server		69	(1)
Windows 2000 Domain Controller		69	(1)
Windows Workstation		70	(1)
SQL Server		70	(1)
Exchange Server		71	(1)
Services in More Detail		72	(11)
RPC		72	(1)
NetBIOS		73	(5)
RDP		78	(1)
Simple TCP/IP Services		78	(1)
FTP		79	(1)
Telnet Server		80	(1)
IIS		80	(3)
Exchange Server		83	(1)
Common Ports by Platform		83	(3)
Common Windows Applications		86	(1)
Putting It All Together		87	(1)
Summary		88	(1)
Windows Honeypot Deployment		89	(32)
Decisions to Make		89	(7)
Do You Really Need a High-Interaction Honeypot?		90	(1)
Real Operating System or Virtual Machine?		90	(1)
Which Microsoft Operating System to Choose?		90	(3)
Client or Server?		93	(1)
Patched or Unpatched?		93	(1)
What Support Tools Are Available?		93	(1)
Which Services and Applications to Install?		94	(1)
SAM or Active Directory?		94	(1)
Hacker's Choice?		94	(1)
What Hardware Is Required?		95	(1)
Installation Guidance		96	(4)
Installation Steps		97	(2)
Honeypot Installation Tips		99	(1)
Hardening Microsoft Windows		100	(20)
Physically Securing the Honeypot		100	(1)
Installing Necessary Patches		101	(2)
Rejecting Defaults		103	(1)
Hardening the TCP/IP Stack		104	(1)
Removing or Securing Network Shares		104	(1)
Filtering Network Traffic		105	(1)
Restricting Unauthorized Software Execution		106	(11)
Protecting User Accounts		117	(1)
Securing Authentication Protocols		118	(1)
Automating Security		119	(1)
Summary		120	(1)
Honeyd Installation		121	(30)
What Is Honeyd?		121	(1)
Why Use Honeyd?		122	(1)
Honeyd Features		123	(13)
IP Stack Emulation		123	(8)
TCP/IP Port Emulation		131	(3)
Honeyd Logging		134	(2)
Honeyd Installation		136	(13)
Deciding Logistics		137	(2)
Hardening the Host		139	(1)
Installing WinPcap		140	(2)
Installing Cygwin		142	(3)
Installing Honeyd		145	(1)
Downloading Scripts		146	(1)
Installing Snort		146	(1)
Installing Ethereal		147	(1)
Reviewing the Honeyd Directory Structure		148	(1)
Summary		149	(2)
Honeyd Configuration		151	(16)
Using Honeyd Command-Line Options		151	(1)
Creating a Honeyd Runtime Batch File		152	(2)
Setting Up Honeyd Configuration Files		154	(11)
Configuring Honeyd Templates		154	(7)
Assembling Templates in a Honeyd Configuration File		161	(4)
Testing Your Honeyd Configuration		165	(1)
Summary		166	(1)
Honeyd Service Scripts		167	(22)
Honeyd Script Basics		167	(5)
Common Script Languages		168	(2)
Script Input/Output Routines		170	(1)
Honeyd Variables		171	(1)
Honeyd Configuration File Syntax		171	(1)
Default Honeyd Scripts		172	(6)
SSH Test Script		172	(1)
Cisco Telnet Session Script		173	(3)
IIS Web Emulation		176	(2)
Downloadable Scripts		178	(2)
Custom Scripts		180	(8)
A Worm Catcher Script		180	(1)
An Offensive Response Script		181	(2)
Microsoft FTP Server		183	(5)
Summary		188	(1)
Other Windows-Based Honeypots		189	(34)
Back Officer Friendly		189	(1)
LaBrea		190	(2)
Installing and Running LaBrea		191	(1)
Using LaBrea		191	(1)
Specter		192	(4)
Setting Up SPECTER		193	(1)
Logging and Alerting with SPECTER		194	(2)
KFSensor		196	(16)
Installing and Running KFSensor		197	(1)
Emulating Services with KFSensor		198	(10)
Logging and Alerting with KFSensor		208	(2)
Configuring KFSensor Listeners and Anti-DoS Settings		210	(2)
PatriotBox		212	(2)
Emulating Services with PatriotBox		212	(2)
Creating Custom PatriotBox Port Listeners		214	(1)
Logging and Alerting with PatriotBox		214	(1)
Jackpot SMTP Tarpit		214	(5)
Installing Jackpot		216	(1)
Configuring Jackpot		216	(2)
Running Jackpot		218	(1)
More Honeypots		219	(1)
Summary		219	(4)
PART 3 Honeypot Operations
Network Traffic Analysis		223	(46)
Why Use a Sniffer and an IDS?		223	(4)
Sniffer Benefits		223	(2)
IDS Benefits		225	(1)
How a Sniffer and IDS Complement Each Other		226	(1)
Where to Place the Sniffer and IDS		226	(1)
Network Protocol Basics		227	(12)
The OSI Model		227	(3)
TCP/IP Suite Basics		230	(7)
Windows Protocols		237	(2)
Network Protocol Capturing Basics		239	(1)
Ethereal		240	(10)
Viewing Packet Information		241	(3)
Using Ethereal Features		244	(5)
Using Tcpdump or WinDump with Ethereal		249	(1)
Using Built-in Ethereal Command-Line Tools		249	(1)
Snort		250	(18)
Understanding How Snort Works		250	(2)
Installing Snort		252	(1)
Configuring Snort		252	(16)
Using Snort Click-and-Point		268	(1)
Summary		268	(1)
Honeypot Monitoring		269	(32)
Taking Baselines		269	(7)
Host Baselines		272	(3)
Network Baselines		275	(1)
Monitoring		276	(8)
In-Band vs. Out-of-Band Monitoring		276	(1)
Monitoring Programs		277	(7)
Protection for Monitoring Communications		284	(1)
Logging		284	(11)
Time Synchronization		285	(1)
Logging of Security Events		285	(2)
Centralized Data Collection		287	(3)
Log File Formats		290	(1)
Data Filtering		291	(2)
Data Correlation		293	(1)
A Honeynet Security Console		294	(1)
Useful Information Extraction		294	(1)
Log Protection		295	(1)
Alerting		295	(5)
Alert Considerations		295	(1)
Alerting Programs		296	(4)
Summary		300	(1)
Honeypot Data Analysis		301	(36)
Why Analyze?		301	(1)
Honeypot Analysis Investigations		302	(2)
Automated vs. Manual		302	(1)
Initial Compromise		303	(1)
After the Initial Compromise		303	(1)
A Structured Forensic Analysis Approach		304	(21)
Taking the Honeypot Offline		305	(1)
Recovering RAM Data		305	(1)
Making Copies of the Hard Drive		306	(3)
Analyzing Network Traffic		309	(2)
Analyzing the File System		311	(6)
Analyzing Malicious Code		317	(1)
Analyzing the Operating System		318	(1)
Analyzing Logs		319	(5)
Drawing Conclusions		324	(1)
Modifying and Redeploying the Honeypot System		324	(1)
Forensic Analysis in Action		325	(10)
A KFSensor Honeypot		325	(7)
The WhiteDoe Real Honeypot		332	(3)
Forensic Tool Web Sites		335	(1)
Summary		336	(1)
Malware Code Analysis		337	(26)
An Overview of Code Disassembly		337	(2)
Assembly Language		339	(10)
Programming Interfaces		340	(5)
Assembly Language Instructions on Computer Platforms		345	(4)
Assembler and Disassembler Programs		349	(9)
Assemblers		350	(3)
Disassemblers		353	(4)
Text Editors		357	(1)
Malicious Programming Techniques		358	(2)
Stealth Mechanisms		358	(1)
Encryption		358	(1)
Packing		358	(1)
Debugger Tricks		359	(1)
Disassembly Environment		360	(1)
Disassembly Practice		360	(1)
Summary		361	(2)
Index		363

Roger A. Grimes (CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CEH, TICSA, Security+, MCT) is a Windows security consultant, instructor, and author. This is Grimes' third book and he has written over a 150 articles for magazines like Windows IT Pro, Microsoft Certified Professional, InfoWorld, Network Magazine, Windows & .NET, and Security Administrator. He is a contributing editor for Windows & .NET, and InfoWorld magazines. Grimes has presented at Windows Connections, MCP TechMentors, and SANS. He was recognized as "Most Valuable Professional" (MVP) by Microsoft, for Windows Server 2003 security. Grimes also writes frequently for Microsoft, including material for two courses on advanced Windows security and Technet. He has taught security to many of the world's largest and most respected organizations, including Microsoft, VeriSign, the U.S. Navy, various universities, and public school systems. Grimes spends his time surrounded by the maddening hum of twelve 1U servers in his home office, monitoring his personal honeypots.