honeypot and intranet security from 0 to 1 (1)

Posted by lipsius at 2020-03-18

Applying honeypot technology to intranet attack perception, the research process and demo implementation of a master's thesis are introduced. The title map is the simple word segmentation statistics of the original paper abstract. The contents of the series are divided into the following parts:

In the process of technical research, system implementation and thesis writing, I would like to thank my tutor F and my elder martial brother ourren for their guidance, as well as the younger martial brothers and sisters of the project team for their support and cooperation, especially for the efforts of phantom0301 and Simmin in coding implementation. From the research idea to the realization of demo system, I can write the thesis and apply the knowledge and skills I have learned to solve the practical security problems. The paper time with both anxiety and passion is the best memory of my reading career.

When Li Kaifu was studying for a doctoral degree, his Dean once asked him, "what is the purpose of being a doctor?" He blurted out: "it is to make important achievements in a certain field." The dean said: "no, to study as a doctor is to select a narrow and important field for research. When you graduate, you will hand over a world-class graduation thesis and become the world's leading expert in this field. Anyone who mentions this field will think of your name. "

I didn't continue to study as a Ph.D. student, because I felt that my life was not just a mess, but also a poem and Party A, so I joined the Internet company and became an Internet Security soldier (I wrote a dozen essays before)... It's far away, but about the original intention of choosing to study as a graduate student, in addition to the professional skills that I had mastered in the undergraduate years, I also wanted to stay in school for several years In addition, I also want to have more in-depth research in my favorite direction through several years of laboratory scientific research training, and then write a meaningful graduation thesis as a memorial of my student career. Since my junior high school QQ was stolen, my dream is to be a hacker. My undergraduate study is about information security. My graduate student's main direction is Web attack and defense. I have more contact with engineering practice, less academic orientation, and no academic achievements. This is my academic regret. But it is also my interest to apply the learned safety technology to solve the actual safety problems. My graduation thesis also focuses on engineering practice. I feel that since I want to make sense in the process of summing up the theory and writing the article, I need to realize it synchronously, which is a paper with practical results.

Why did you decide the direction of honeypot and intranet security when choosing the topic?

Since it is to study Web attack and defense, penetration testing is indispensable. In the process of penetration testing, after obtaining the access rights of a single server on the external network, the next step is often to take the controlled server as a springboard to further penetrate the internal network server that is not directly exposed to the public network, commonly known as "internal network penetration". And Intranet often means important information assets, database servers, file servers, etc. are often deployed in the intranet. We think that since it's important, it will be strictly guarded. However, according to the investigation at that time, the reality is that when the border protection is broken, many enterprises or institutions are not aware of the fact that they are treated as backyard by attackers on the intranet and even dragged to the warehouse! At that time, I collected 91579 vulnerability title data of wooyun platform from July 13, 2010 to March 14, 2016. According to simple keyword statistics, the proportion of vulnerabilities in the intranet increased year by year.

Therefore, I think it is of practical significance to study the intranet attack awareness and attack early warning in the intranet security at that time, so that the network administrator can timely detect that the internal network is being attacked and can locate the attack source and then take measures, without being unaware when the important information assets are infringed.

Before determining the topic of the thesis, I actually tested and built honeypots based on MHN modern secret net and raspberry pie, and also wrote an article "deployment of raspberry pie honeypot nodes based on MHN open source project". The main reason is that at that time, the senior brother who studied abroad thought that honeypot was a good direction and worth studying, so let me try it. Honeypot is a kind of false service (device) with loopholes and exposed in the network. Its value lies in being scanned, attacked and captured.

If system is not open to the public, any real service then any connection attempt to it is suspicious

Compared with the traditional firewall technology and intrusion detection technology, honeypot technology is more active and covert. The main advantage of honeypot is that it can induce and record the network attack behavior, prevent or delay its attack on the real target, and record the attack log, which is convenient for audit and backtracking. But just like the small experiment in the article "deployment of raspberry pie honeypot node based on MHN open source project", if honeypot is deployed to the Internet, a large number of attack logs can be recorded every day, many of which are just batch scans, not targeted attacks. These behaviors do not show any problems. But it's different in the intranet, because by default, we don't think that normal users of the intranet will scan or attack. Once the honeypot of the intranet catches suspicious connection attempts, it can be considered that there is an attack. Therefore, I think that when honeypot technology is applied to the attack perception of the intranet, the problem of false positives will not be considered too much, and the problem will be more focused. So at that time, I felt that the direction of honeypot and intranet security was of practical application value to me. I could also accept the difficulty. Moreover, honeypot had not been on fire again at that time, and I could make some achievements and small innovations with great efforts. The key is that I'm very interested in it. I'm interested in it. I've also had a passion in the process. I've made several different shell styles for the light raspberry pie honeypot terminal, which is fun~

Soon after I finished my paper, I also found that the application of honeypot began to be discussed again in some security meetings, such as: it shows that the topic of honeypot was quite advanced at that time, happy ~ of course, I'm just making a fuss here. The Daniel team, who applies honeypot technology to intrusion deception and makes excellent products in the industry, such as mo'an and Jinhang, is very desirable. Strive for the opportunity to feel their products.

After the direction of the paper is determined, I think that since we want to do it, we should try to implement the demo system, which is learning for application. I have thought about the code of the system for a long time, and determined a very satisfactory name (considering that the retrieval period of the paper may usually take 2-3 years, and the project is likely to continue after my graduation, not to mention the system name, code JY for the time being), The moral of the name is that only by forging with fire can you refine your eyes. In the journey to the west, after being tempered by the fire in the alchemy furnace of the Supreme Lord for seventy-nine days, Monkey King can see through the true faces of the demons and ghosts, but the shortage of the eyes is that it is difficult to trace the origin of the demons, so Monkey King has to go everywhere to ask about the origin of the demons. The code JY is to hope that all the research, attempts and efforts of this subject will be like a golden flame, a thousand hammers, a thousand chisels, a burning fire, and finally create a "golden eye" that can sense the risk, and also hope that this subject can continue on the basis of this paper in the future, so that JY will continue to evolve, and realize positioning and traceability on the basis of perceived attack.

Series of articles, to be continued

Reprint please indicate the source: sosly rookie notes

WeChat rookie note: sosly official account is also welcome.