Re: Google Hack Honeypot v1.0 is released!

[Christian Kreibich <christian () whoop org>]

On Tue, 2005-02-15 at 13:52 -0600, Ryan McGeehan wrote:
> "Are you putting up handcrafted webpages that match the criteria 
> identified in a GHDB signature, and render them using PHP for logging 
> purposes?"
>
> Yes, GHH outputs the HTML to match a GHDB signature. GHH then logs the 
> headers sent by the browser such as the referrer, and runs some logic to 
> determine what search engine and what query were used to find the 
> honeypot. The logs reflect what obvious tactics were used, such as an 
> exact match from the GHDB database.

I see, thanks.

> "Who do you want to capture, and to what depth do you emulate the 
> vulnerable app?"
>
> The 7 GHH honeypots released are considered low interaction honeypots. 
> For higher interaction honeypots, (for example a dummy PHP Shell that 
> logs the commands used), we are currently throwing ideas around and are 
> hoping others will become involved to develop and make suggestions.

Cool. Personally I don't see much value in the high-interaction stuff
because I think tracking the dynamics of scripted attacks is more
interesting, but that's just me. The main twist of your project seems to
be that you'll be able to say that the page was discovered through a
search engine (because otherwise the obscure location would never be
found), and I think that's neat.

> "I mean, what I'd do if I wanted to exploit a vulnerability for which I 
> can find exploitable sites via a search engine is script up some Perl to 
> harvest the hits and then go off and nail them one by one. "
>
> When your script hit GHH, it wouldn't comprimise anything and your 
> attack would be logged, with the search engine you used and the query 
> you used too.

Right. Isn't that exactly what you want? You mainly want to know *who*'s
attempting to hit you so you can tell your IDS or correlate with others
etc?

> "If you want to find out whether someone found you using a search 
> engine, then any hidden-ish page that resides in an untypical location 
> and matches the signature critera will do and it doesn't really matter 
> whether the webpage actually looks like the vulnerable app."
>
> So what happens when the attacker uses Google's cached feature to see if 
> it's the real thing? They will be able to check the HTML and fingerprint 
> the honeypot if it's poorly made. Our tool isn't foolproof but we've 
> covered that step.

Okay my take on this is that if you're aiming at people who manually
investigate Google results then you'll be found out soonish anyway
(again, I don't believe much in high-interaction honeypots) so if they
actually spend the effort to blacklist you then so be it ... I see the
main strength of your project in detecting scripted attacks.

But how about this: whenever someone hits your honeypot, you use the
GHDB signature for that pot, grab some page (making sure it's not
yourself :) and present the result to the attacker? Should raise the bar
at least a bit, and unless the attacker inspects the page visually, for
example say they MD5 the pages or use some other heuristic, you'll still
pass the test.

> "What do those pages look like in GHH? It would be helpful if you could 
> give examples on your site."
>
> You're right, it would be helpful and we'll get it done soon.

Cool :)

> "How about you automatically create the pages from the GHDB signatures? 
> That would be much more interesting imho."
>
> If you can figure out a way to do that without being instantly 
> fingerprinted, then that would simply rock.

It'd need some fiddling, but I really think just grabbing actual
googledork pages could be made to work.

> Thanks a lot for the comments :)

Thanks for explaining, it's much clearer now. Good luck with your
project.

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org