Honeypots mailing list archives
Re: Google Hack Honeypot v1.0 is released!
From: Christian Kreibich <christian () whoop org>
Date: Tue, 15 Feb 2005 21:13:31 +0000
On Tue, 2005-02-15 at 13:52 -0600, Ryan McGeehan wrote:
"Are you putting up handcrafted webpages that match the criteria identified in a GHDB signature, and render them using PHP for logging purposes?" Yes, GHH outputs the HTML to match a GHDB signature. GHH then logs the headers sent by the browser such as the referrer, and runs some logic to determine what search engine and what query were used to find the honeypot. The logs reflect what obvious tactics were used, such as an exact match from the GHDB database.
I see, thanks.
"Who do you want to capture, and to what depth do you emulate the vulnerable app?" The 7 GHH honeypots released are considered low interaction honeypots. For higher interaction honeypots, (for example a dummy PHP Shell that logs the commands used), we are currently throwing ideas around and are hoping others will become involved to develop and make suggestions.
Cool. Personally I don't see much value in the high-interaction stuff because I think tracking the dynamics of scripted attacks is more interesting, but that's just me. The main twist of your project seems to be that you'll be able to say that the page was discovered through a search engine (because otherwise the obscure location would never be found), and I think that's neat.
"I mean, what I'd do if I wanted to exploit a vulnerability for which I can find exploitable sites via a search engine is script up some Perl to harvest the hits and then go off and nail them one by one. " When your script hit GHH, it wouldn't comprimise anything and your attack would be logged, with the search engine you used and the query you used too.
Right. Isn't that exactly what you want? You mainly want to know *who*'s attempting to hit you so you can tell your IDS or correlate with others etc?
"If you want to find out whether someone found you using a search engine, then any hidden-ish page that resides in an untypical location and matches the signature critera will do and it doesn't really matter whether the webpage actually looks like the vulnerable app." So what happens when the attacker uses Google's cached feature to see if it's the real thing? They will be able to check the HTML and fingerprint the honeypot if it's poorly made. Our tool isn't foolproof but we've covered that step.
Okay my take on this is that if you're aiming at people who manually investigate Google results then you'll be found out soonish anyway (again, I don't believe much in high-interaction honeypots) so if they actually spend the effort to blacklist you then so be it ... I see the main strength of your project in detecting scripted attacks. But how about this: whenever someone hits your honeypot, you use the GHDB signature for that pot, grab some page (making sure it's not yourself :) and present the result to the attacker? Should raise the bar at least a bit, and unless the attacker inspects the page visually, for example say they MD5 the pages or use some other heuristic, you'll still pass the test.
"What do those pages look like in GHH? It would be helpful if you could give examples on your site." You're right, it would be helpful and we'll get it done soon.
Cool :)
"How about you automatically create the pages from the GHDB signatures? That would be much more interesting imho." If you can figure out a way to do that without being instantly fingerprinted, then that would simply rock.
It'd need some fiddling, but I really think just grabbing actual googledork pages could be made to work.
Thanks a lot for the comments :)
Thanks for explaining, it's much clearer now. Good luck with your project. Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org
Current thread:
- Google Hack Honeypot v1.0 is released! Ryan McGeehan (Feb 14)
- Re: Google Hack Honeypot v1.0 is released! Christian Kreibich (Feb 15)
- Re: Google Hack Honeypot v1.0 is released! Andrew Smith (Feb 15)
- <Possible follow-ups>
- Re: Google Hack Honeypot v1.0 is released! Ryan McGeehan (Feb 15)
- Re: Google Hack Honeypot v1.0 is released! Christian Kreibich (Feb 15)
- Re: Google Hack Honeypot v1.0 is released! Christian Kreibich (Feb 15)