In this paper, KFSensor and Honeyd (two widely used low-interaction honeypots) and Kippo (a medium-interaction honeypot) are deployed to simulate Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP) and Secure Shell (SSH) services in an isolated, virtual environment. The environment is populated with legitimate virtual machines running real services, both to hide the honeypots and to provide a control baseline for analysis. Both low-interaction honeypots were identified using commonly available network scanning and vulnerability analysis tools; the medium-interaction honeypot was not.
In this paper, KFSensor, Honeyd and Kippo are fingerprinted against control machines running legitimate services in an isolated, virtual environment. The honeypots simulate FTP, HTTP and SSH servers. The network is populated with two legitimate virtual machines that hide the honeypots and act as controls for the services under test. A “Gray Hat” machine is placed in the environment to mimic an attacker’s initial probing, network reconnaissance and vulnerability assessment. Its scans attempt to fingerprint the honeypots by their network behavior and by how they respond when interacted with.
Despite varying in size, scope and use, honeypots share characteristics and behaviors by which they can be classified; the most common classification is by the level of interaction they offer an attacker (low, medium or high).
High-interaction honeypots give the attacker the most freedom to interact. They are real systems populated with bogus data that, once breached, give the intruder access to the system. This level of interaction allows more detailed analysis of attack patterns and new vulnerabilities, and can help identify the attacker and their motives. However, granting access to a real system carries the risk that the attacker gains a foothold from which to launch further attacks against one’s actual systems.
The Gray Hat virtual machine is an installation of Kali Linux 2.0, a Debian-based distribution designed for digital forensics and penetration testing. As a Windows-based honeypot, KFSensor is installed on a separate machine running Windows 8 Professional. The Linux honeypot machine (hosting Honeyd and Kippo) contains an installation of HoneyDrive, a collection of honeypots, network and forensic tools pre-installed and pre-configured on Xubuntu Desktop 12.04.4 LTS. Other similar honeypot distributions exist (two of note are Stratagem and ADHD), but HoneyDrive was chosen because it is an active project with a large, active community.
Honeyd and KFSensor are configured to simulate FTP (a protocol for transferring files over a TCP/IP network), HTTP (the protocol for encoding and transporting information between a web server, such as Apache, and a client, such as a web browser) and SSH services, while Kippo runs only an SSH service. SSH provides secure, encrypted communication between two untrusted hosts over an insecure network. These three services were chosen because they are not platform specific; they can therefore run on both low-interaction honeypots and on both control machines.
Initial testing showed that the two low-interaction honeypots were easily fingerprinted using the service-interaction technique. The only medium-interaction honeypot, Kippo, was not fingerprinted by that same technique.

For the honeypot implementations, future work will focus on finding newer honeypots and refining those already in place. Honeyd is an older tool and may be deprecated; nevertheless, fixing the latency caused by its ARP spoofing and updating its outdated service scripts will be examined to see whether its performance can be improved.

In terms of detection, future iterations of this project will look at customizing Nmap Scripting Engine (NSE) scripts and implementing Python scripts. A means of automating the detection process will be examined, to more closely mirror the unattended operation of many of today’s cyber-attacks.
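The service-interaction technique used throughout this paper (probe the FTP, HTTP and SSH ports, record what each service says and does, and compare the result with a control machine running the real service) is illustrated below as an added Python example. It is not the paper's own script, nor code from KFSensor, Honeyd, Kippo or HoneyDrive. The probe payloads, the conformance checks (the RFC 959 reply codes, the RFC 4253 identification line, the HTTP Date header) and the two sample profiles are assumptions and constructed samples; in particular, the candidate profile is written to make the checks fire and is not a capture from any of the honeypots tested.

```python
"""Service-interaction probe for FTP, HTTP and SSH: record what a host says and does, check it
against behaviour a real daemon shows, and diff it against a control. Added example; the probes,
checks and sample profiles are assumptions, not captures from KFSensor, Honeyd or Kippo."""
import re
import socket

# {service: (port, [(label, payload, reply terminator)])}; an empty payload means "read the greeting".
PROBES = {
    "ftp": (21, [("banner", b"", b"\n"), ("syst", b"SYST\r\n", b"\n"),
                 ("bogus", b"XYZZY\r\n", b"\n")]),  # a command no FTP daemon implements
    "ssh": (22, [("banner", b"", b"\n")]),
    "http": (80, [("head", b"HEAD / HTTP/1.0\r\nHost: probe\r\n\r\n", b"\r\n\r\n")]),
}

def _read_reply(sock, terminator, limit=4096):
    """Read until the terminator arrives, the peer closes, limit bytes or a timeout."""
    buf = b""
    try:
        while len(buf) < limit and terminator not in buf:
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass
    return buf.decode("latin-1")

def probe_host(host, probes=PROBES, timeout=3.0):
    """Run every probe against host -> {service: {label: raw reply}}; a closed port is recorded as 'error'."""
    profile = {}
    for service, (port, exchanges) in probes.items():
        replies = {}
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                for label, payload, terminator in exchanges:
                    if payload:
                        sock.sendall(payload)
                    replies[label] = _read_reply(sock, terminator)
        except OSError as exc:
            replies["error"] = str(exc)
        profile[service] = replies
    return profile

def ftp_findings(replies):
    """RFC 959: a 220 greeting, unknown commands refused with 5xx, and replies that differ per command."""
    bogus, out = replies.get("bogus", ""), []
    if not replies.get("banner", "").startswith("220"):
        out.append("ftp: greeting is not a 220 reply")
    if not re.match(r"^5\d\d[ -]", bogus):
        out.append("ftp: unknown command not refused with a 5xx reply: %r" % bogus.strip())
    if bogus and bogus == replies.get("syst"):
        out.append("ftp: SYST and an unknown command draw the identical reply")
    return out

def ssh_findings(replies):
    """RFC 4253: the server opens with an SSH-2.0-<software> identification line."""
    banner = replies.get("banner", "")
    return [] if re.match(r"^SSH-(1\.99|2\.0)-\S+", banner) else ["ssh: no SSH identification string"]

def http_findings(replies):
    """A real origin server answers with a status line and (RFC 7231) a Date header."""
    head = replies.get("head", "")
    if not re.match(r"^HTTP/1\.[01] \d{3} ", head):
        return ["http: reply does not begin with an HTTP status line"]
    names = {l.split(":", 1)[0].lower() for l in head.split("\r\n")[1:] if ":" in l}
    return [] if "date" in names else ["http: no Date header in the response"]

def analyze(profile):
    """Conformance findings for one host, independent of any control machine."""
    checks = {"ftp": ftp_findings, "ssh": ssh_findings, "http": http_findings}
    return [f for s, r in profile.items()
            for f in (["%s: unreachable (%s)" % (s, r["error"])] if "error" in r else checks[s](r))]

def shape(service, reply):
    """Keep only the implementation-specific part: FTP reply code, SSH software token, HTTP status + header names."""
    if service == "ftp":
        m = re.match(r"^(\d{3})[ -]", reply)
        return m.group(1) if m else reply.strip()
    if service == "ssh":
        return reply.strip().split(" ")[0]
    lines = reply.split("\r\n")
    return (lines[0].split(" ")[1:2], sorted(l.split(":", 1)[0].lower() for l in lines[1:] if ":" in l))

def diff_profiles(control, candidate):
    """Exchanges where the candidate behaves differently from the control machine."""
    diffs = []
    for service, replies in control.items():
        for label, reply in replies.items():
            other = candidate.get(service, {}).get(label, "")
            if shape(service, reply) != shape(service, other):
                diffs.append("%s/%s: control=%r candidate=%r" % (service, label, reply.strip(), other.strip()))
    return diffs

# Constructed sample profiles (not captures from the paper's machines): stock daemons on the
# control; a candidate whose FTP answers every command the same way and whose HTTP omits Date.
CONTROL_PROFILE = {
    "ftp": {"banner": "220 (vsFTPd 3.0.2)\r\n", "syst": "215 UNIX Type: L8\r\n", "bogus": "500 Unknown command.\r\n"},
    "ssh": {"banner": "SSH-2.0-OpenSSH_6.7p1 Debian-5\r\n"},
    "http": {"head": "HTTP/1.1 200 OK\r\nDate: Mon, 01 Feb 2016 10:00:00 GMT\r\nServer: Apache/2.4.10\r\n\r\n"},
}
CANDIDATE_PROFILE = {
    "ftp": {"banner": "220 Welcome to FTP server\r\n", "syst": "200 OK\r\n", "bogus": "200 OK\r\n"},
    "ssh": {"banner": "SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n"},
    "http": {"head": "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"},
}
```

From the Gray Hat machine the two live profiles would be gathered with `probe_host(control_ip)` and `probe_host(candidate_ip)` and then passed to `analyze` and `diff_profiles`; on the constructed samples, `analyze(CANDIDATE_PROFILE)` reports the uniform FTP replies and the missing Date header, while `diff_profiles` lists four exchanges where the candidate departs from the control. Comparing the reduced `shape` of each reply rather than its raw text keeps host-specific differences (hostnames in banners, timestamps) from being mistaken for implementation differences.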