Feynman’s Maxim: An organization will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries.

Course Overview

The subject of this course is to use the Honeynet/pot technologies as a tool to discover and learn existing and new threats to networked/distributed information system and better understand attackers behaviour. The course includes a project to build a custom honeypot or related tools to turn the theory into a practical session. The course requires a high involvement from the participants. The student will have access to an operational system during the sessions to operate a real world honeypot.

Important Important. Student will get access to real malicious data and information. A high level of ethic is required during his/her participation.

Project Detail

During the period of the course, there will be a specific project to realize. The project is fully integrated into the course sessions that means some topics covered will help to enhance or complete your work.

Project definition and group composition (2 max) should be known for the 2012-12-07. Project will be released under a free software license and using one of the following programming language: Python, Perl, Ruby, Go, Lua, Bash or Zsh. As the development of the project will be done on an operational system, the project along with its tools might evolve following the feedback received from the attackers themselves. The project can be an improvement to an existing free software security project including extensions, documentation, improvements or even bug fixes. If you don’t have any ideas, I’m sure we can find something in a world surrounded by information security issues, insecure technologies and potential innovative technical solutions (also sometime insecure).

Projects Ideas

If you don’t feel comfortable to start on your own on a specific project, here is some projects that could be done in the time constraint.

Automatic vulnerability assessment from network capture (1)

The project objective is to use a pcap file (or a live pcap stream) to extract potential indicators that can be used for the vulnerability (or the non-vulnerability) assessment of software seen in the network capture.

Various cases for vulnerability assesment via pcap
  • Assess your software in your infrastructure without installing software components on the local systems and only by network monitoring (e.g. a simple port mirror on an internal switch).

  • Assess the software used by an attacker abusing a honeypot to know the level of their competencies or potentially abuse those attackers.

To lookup for the vulnerabilities, you can already use an existing free software called cve-search to have a local database of CVE/CPE entries. This will allow you to query locally the information collected in a fast way while ensuring the privacy of the information checked.

The software can be separated in two distinct parts following the Unix Philosophy.

Pseudo/Logic (Python) Code for the indicator code.
def findandextract(packet):
        return extract(findindicator(packet))
def findindex(packet):
        if packet(contains "User-Agent:"|"SSH handshake"|"Server:"):
                return (packet)
        return (packet(source ip),payload(packet))
for packet in pcap(file|capture):
        findandextract(version Indicator)

The indicator code will return a list of like the following:|User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:16.0) Gecko/20100101 Firefox/16.0

The indicator code output will be used by another small program doing the indicator lookup into cve-search and giving a risk indicator per software detected.|cpe:/a:mozilla:firefox:16.0|8.9

Modular entropy calculation from network capture (2)

The project objective is to use a pcap file (or a live pcap stream) to calculate the entropy of the TCP and UDP payload of packets seen.

Pseudo/Logic (Python) Code for the entropy program.
for packet in pcap(file|capture):
        data = extractpayload(packet,offset=OFFSET_OPTION,block=BLOCK_OPTION)
        return calculateentropy(data, algorithm=OPTION)

The software must follow the Unix Philosophy by providing an output that can be used into other programs like R, ploticus for analysis or/and visualization.

Extracting geolocation artifact from network capture to validate IP geolocation (3)

Geolocation on IP is usually inaccurate but you can extract not only the IP address geolocation but you can assess the localisation by looking at additional artifacts.

One of the source could be the localisation of the assigned ASN number via Team Cymru services.

Additional artifacts could be a charset definition from server or client (e.g. deducing language from content, limiting a charset to a country/region,…)|BE|charset:iso-8859-1|Latin (list of countries)

Guessing time zone and checking time consistency within a network capture (4)

Various time artifacts are present within a network capture. As example, you can calculate the deviation from HTTP server time deviation from the pcap timestamp.

HTTP/1.1 200 OK
Date: Thu, 13 Dec 2012 21:08:31 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Type: text/html

By checking with the timestamp, you can calculate the deviation from each packet captured and its evolution over time.|dev:40sec

Operational Aspect

The system to be used for the project is shared among the class including the system administration of the system. Security and system administration is part of the overall project. This includes adequate system administration, OpenSSH key management, logging management and security monitoring on wild Internet. Git will be extensively used during the courses.

You must also create a GitHub account where all your project including its documentation will be available (publicly).

Workstation Requirements During Classes

The major part of the work during the classes is a mixture of practical exercises, real-life experiments and sometime a kind of theory. The main requirement is that your workstation is an operational Unix-based system (e.g. a recent GNU/Linux distribution like Ubuntu 12.xx or a BSD flavor like OpenBSD or FreeBSD) with system administrator privileges.


Courses will be given in French with the technical support being in English. Your project will be in English as your code and documentation will be available to the Internet community at large.


The evaluation will be mainly based on your project. The evaluation is not an objective and the objective is to have fun while learning all together.


You may find that the subject is sometime too experimental and not yet mature for real-life application. If you have any issue with the course (including the way I teach it), don’t hesitate to talk about as early as possible.


Table 1. Agenda
Date/Time/Where Topics and Support Additional Information and Dataset

2012-11-30 10:00→12:00 and 14:00→18:00 @ E116

Introduction to Honeypot Technologies A Tool For Improving Network Forensic Analysis - The Attackers’ Principles The shortest, fastest and cheapest path : a common method for compromising information system

pcap file 1 (MD5:65ca24413de7ab0ad6423ed2b6329056) pcap file 2 (MD5:db066fcd23e505349978236de5fb8977)

2012-12-07 10:00→12:00 and 14:00→18:00 @ E116

Network Forensic Analysis, Berkeley Packet Capture and Related Technologies IP, TCP, UDP headers + TCP state transition diagram from TCP/IP illustrated, Volume 1 git and socat

Classroom notes about capture.cap

2012-12-14 10:00→12:00 and 14:00→18:00 @ E116

rootkit and basic malware analysis. Labs with git, tcpflow, httpry, ipsumdump.

jubrowska capture (SHA1:f84ea94bcc952f2e42aa1cceb41b4448e64f528b) Classroom notes about network packet entropy

2012-12-21 10:00→12:00 and 14:00→18:00 @ E116

Learning from the attackers ipsumdump and information visualization to ease the understanding of large dataset with moowheel and dygraphs.

2013-01-11 09:00→13:00 @ E116

Project reviews and status. Master internship proposal: Designing a Certificate Revocation Datastore and Query Interface The Art of Breaking Stuff To Improve It

Metasploit Social Engineer Toolkit

2013-01-19 09:00→13:00 @ E116 (might be late depending of the weather condition)

(Lab) A practical view of Red October/sputnik malware and what an IT security dept might do (based on what you learned during the course). Shared notes on etherpad. (from network analysis to honeypot) - A similar exercise for your exam will be asked.

CIRCL Artefacts on how to detect Red October/sputnik malware Malware.lu Analysis of the sample "Red October" - Part 1 Malware.lu C&C for Red October/Sputnik Kaspersky original post

2013-01-25 09:00→13:00 @ E116

Passive DNS

2 new private pcap

2013-02-01 No courses

Don’t forget to work on your project

2013-02-09 09:00→13:00 @ E116

Forensic analysis (lab) Acquiring memory dump and basic analysis of the memory using volatility

volatility memory dump tools Lest We Remember: Cold Boot Attacks on Encryption Keys Forensic Data Recovery from Flash Memory

2013-02-16 09:00→13:00 @ E116 (closing session)

Project review - forensic analysis of a raw disk

Test raw FAT file system - MD5:4aeb06ecd361777242ab78735d51ace6 - sleuthkit.org