Sweetening Your Honeypot
Your honeypot needs to entice attackers without compromising your network's security. The following tips can help you attract more attackers to your honeypot and still protect your network:
- Your honeypot's content must relate to your organization's business so that your trap isn't apparent to attackers. For example, if the honeypot computer belongs to a toy retailer, don't litter the machine with top-secret military plans. If your honeypot mimics a corporation's computer network, consider using .xls and .doc files with names such as stockplan.xls and budget01.doc to generate interest among attackers.
- Consider the type of material that would keep an attacker interested. Your goal is to make the attacker stick around. If you're using SQL Server to set up a database application, set an easy-to-guess sa password and create tables that contain interesting data. Better yet, set up some Active Server Pages (ASP) that connect to a SQL Server database, and set a user account in the connection string. Attackers who access the source code to the ASP page probably will try to access the SQL Server database next.
- Install a high-quality network monitor in front of the honeypot so that you can reconstruct any event. I use Win2K's Network Monitor because it has excellent packet-parsing support, but any sniffer will work. Also, consider adding a good intrusion-detection tool to the honeypot. The tool will help you correlate data from the network monitor, applications, and the OS.
- Compile as much logging data as possible. You'll find it easier to reconstruct an attacker's movements if you have adequate logging information.
Resource-Integrity Tools
Resource-integrity tools are useful security devices because they can tell you whether files, configuration data, user-account information, or other system data (i.e., resources) have changed. For example, an IIS server includes files that make up the Web content, as well as registry data and metabase data that determine how the Web server operates. If any of these resources change, the Web server operation changes. A resource-integrity tool can tell you which resources have changed.
Attackers who modify a Web site's appearance can achieve that goal in several ways. The most-obvious way is to change the Web site's default.htm, default.asp, or index.html file on an IIS server. However, a less-obvious way to change the site's appearance is to upload a new file and set the Web server to point to the new file. In this case, attackers change metabase data and add a new page, but the default Web page file doesn't change. A resource-integrity tool can tell you which system resources have changed or are new, and you can use that information to track down and repair the damage.
Most resource-integrity tools gather file data such as filename, file directory, and the date the file was last modified. The tools also collect one or more hashes—either an MD5 or Secure Hash Algorithm-1 (SHA-1) hash, or both—of the file contents. A hash function produces a small digest, usually 128 or 160 bits in length, of a large body of data. Each digest is a unique representation of the data that it's based on. A small change in the originating data creates a massive change in the resulting digest, and you can't realistically create data that exactly matches a specific digest. You also can't determine the original data by looking only at the digest. A good analogy for a digest is your thumbprint. A thumbprint uniquely identifies you but tells nothing about you or what you know. Also, no other thumbprints are identical to yours.
Resource-integrity tools create a baseline file and perform all verifications by comparing changes with the baseline. Therefore, you need to protect the baseline file. After I create a baseline file, I store the file on a CompactFlash card, which I securely store off site. CompactFlash cards are small, convenient, and high capacity, and they can function like a disk drive, which makes them easy to use with a resource-integrity tool.
A Do-It-Yourself Integrity Tool
I've created a simple resource-integrity tool named FileAlarm, an excerpt of which appears in Listing 2 (you can download the entire listing from the Code Library on the Security Administrator Web site, at http://www.secadministrator.com). FileAlarm.pl checks a file system for changes and outputs a report. FileAlarm can evaluate and create a snapshot of any file and directory in the file system, and by default the tool writes the baseline log file to the directory in which FileAlarm resides. To store the baseline log file in a location that you select, change the source code's $LOGFILE variable (which you can see at callout A in Listing 2) to a path and filename of your choice (e.g., C:\\MyLog\\Alarm.log). A sample run of FileAlarm on an intranet site yielded the output that Figure 1 shows.
These results show a new file (i.e., index.html) and an updated file (i.e., default.asp). The default.asp file's update time and SHA-1 hash changed, but its size remained 3654 bytes: the file content changed without changing the file size, which is why the hash, not the size, is the attribute to rely on. Using these results, you can investigate whether an authorized user or an attacker changed the file. I've used this tool to detect file changes on several Web sites and security-sensitive installations, and in almost every instance, the changes were valid updates that authorized users performed. FileAlarm doesn't check registry or metabase contents, but it tells you whether the metabase file changed.
ActiveState offers several Perl packages that can help you create resource-integrity tools. For example, the SHA package lets you create SHA-1 hashes, the File::Find package performs depth-first searches of a file system, and the Win32::FileSecurity package lets you read ACLs.
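The following is an added example, written in Python for this page and not FileAlarm's own Perl code: it records the same attributes FileAlarm records (size, last-modified time, SHA-1 hash) for every file under a root, compares a later snapshot against the baseline, and reproduces the Figure 1 scenario (a new index.html plus a same-size edit to default.asp) on a constructed temporary directory. The file names and contents in demo() are assumptions made for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path
# Added example (not FileAlarm's own code): a baseline-and-compare integrity check.
def sha1_of_file(path: Path) -> str:
    # SHA-1 matches the article's tool; a new deployment would pick sha256.
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> dict:
    """Walk root depth-first (like File::Find); record size, mtime and hash per file."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.stat()
            records[p.relative_to(root).as_posix()] = {
                "size": st.st_size, "mtime": int(st.st_mtime), "sha1": sha1_of_file(p)}
    return records

def compare(baseline: dict, current: dict) -> dict:
    """Report new, deleted and changed files; a same-size edit (the article's
    default.asp case) still shows up because the hash differs."""
    report = {"new": [], "deleted": [], "changed": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["new"].append(rel)
        elif rel not in current:
            report["deleted"].append(rel)
        else:
            diffs = {k: (baseline[rel][k], current[rel][k])
                     for k in ("size", "mtime", "sha1") if baseline[rel][k] != current[rel][k]}
            if diffs:
                report["changed"][rel] = diffs
    return report

def demo() -> dict:
    """Constructed sample: baseline a site, add index.html, edit default.asp same-size."""
    site = Path(tempfile.mkdtemp())
    (site / "default.asp").write_bytes(b'<% Response.Write("hello") %>')
    base = snapshot(str(site))  # in practice, store this off the monitored host
    (site / "index.html").write_bytes(b"<html>new page</html>")
    (site / "default.asp").write_bytes(b'<% Response.Write("edits") %>')
    os.utime(site / "default.asp", (0, 1_000_000_000))  # force a distinct mtime
    return compare(base, snapshot(str(site)))
```

The baseline returned by snapshot() should be serialised and kept where the monitored host cannot alter it, as the article does with removable media, and then passed back into compare() on each check.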
Useful Tools
Honeypots and resource-integrity tools can help you see when your network is under attack. Honeypots are useful not only for tracking how intruders move about within a system but for studying the methods that attackers use in trying to probe your system. Resource-integrity tools let you determine whether an attacker might have altered a file or other resource in your system.
Administrators often overlook the value of honeypots and resource-integrity tools. However, the tools can be useful additions to the tools and technologies that you use to ensure your network's security.