Security Circus

Feynman’s Maxim: An organization will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries.

Course Overview

The subject of this course is the use of honeynet/honeypot technologies as a tool to discover and learn about existing and new threats to networked/distributed information systems, and to better understand attackers' behaviour. The course includes a project to build a custom honeypot or related tools, turning the theory into practice. The course requires a high level of involvement from the participants. Students will have access to an operational system during the sessions to operate a real-world honeypot.

Warning: students will get access to real malicious data and information. A high level of ethics is required during their participation.

Project Detail

During the course, there will be a specific project to realize. The project is fully integrated into the course sessions, which means that some of the topics covered will help you enhance or complete your work.

Project definition and group composition (2 max) should be known by 2013-12-13. Projects will be released under a free software license and written in one of the following programming languages: Python, Perl, Ruby, Go, Lua, Bash or Zsh. As the development of the project will be done on an operational system, the project along with its tools might evolve following the feedback received from the attackers themselves. The project can be an improvement to an existing free software security project, including extensions, documentation, improvements or even bug fixes. If you don’t have any ideas, I’m sure we can find something in a world surrounded by information security issues, insecure technologies and potential innovative technical solutions (also sometimes insecure).

Project Ideas

Projects should usually be selected by the student, but in case you lack ideas, a list of project ideas is proposed here and can be used as a basis for discussion.

Guessing time zone and checking time consistency within a network capture (1)

Time is a critical component in any forensic analysis. The main issue is to find an accurate time reference while analysing packet captures, especially when the acquisition device is unsynchronized. As an example, you can find time references in the response of an HTTP server:

HTTP/1.1 200 OK
Date: Thu, 13 Dec 2012 21:08:31 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Type: text/html

By comparing such a header with the capture timestamp of the packet, the time deviation can be calculated for each captured packet, along with its evolution over time, e.g.:

1.2.3.4|dev:40sec

The tool should be easily extendable to add new potential time references.
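One way to implement the deviation check described above, using the HTTP Date header as the first time reference and a registry of extractors as the extension point. This is an added example, not course material; the packets are constructed tuples (capture timestamp, source IP, payload) standing in for a pcap reader.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample "packets": (capture timestamp, source IP, payload).
# The third host's Date header is ahead of the capture clock, giving a negative deviation.
SAMPLE_PACKETS = [
    (1355432951.0, "1.2.3.4", b"HTTP/1.1 200 OK\r\nDate: Thu, 13 Dec 2012 21:08:31 GMT\r\nServer: Apache\r\n\r\n"),
    (1355433045.0, "1.2.3.4", b"HTTP/1.1 200 OK\r\nDate: Thu, 13 Dec 2012 21:10:00 GMT\r\n\r\n"),
    (1355432951.0, "5.6.7.8", b"HTTP/1.1 304 Not Modified\r\nDate: Thu, 13 Dec 2012 21:09:31 GMT\r\n\r\n"),
    (1355432960.0, "9.9.9.9", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # no time reference
]

def http_date_reference(payload):
    """Epoch seconds carried by an HTTP Date header, or None if absent or unparseable."""
    m = re.search(rb"^Date:[ \t]*(.+?)\r?$", payload, re.MULTILINE)
    if not m:
        return None
    try:
        dt = parsedate_to_datetime(m.group(1).decode("ascii", "replace").strip())
    except (TypeError, ValueError):
        return None
    if dt.tzinfo is None:            # "-0000" dates come back naive; treat them as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()

# Extension point: one extractor per protocol that carries a clock (SMTP Date, NTP, TLS, ...).
REFERENCES = [http_date_reference]

def deviations(packets):
    """Yield (src_ip, capture_ts, deviation) with deviation = capture clock - reference clock."""
    for capture_ts, src, payload in packets:
        for extractor in REFERENCES:
            ref_ts = extractor(payload)
            if ref_ts is not None:
                yield src, capture_ts, capture_ts - ref_ts   # HTTP Date is only 1 s granular
                break

def report(packets):
    """Lines in the 'ip|dev:Nsec' form used in the project description."""
    return [f"{src}|dev:{round(dev)}sec" for src, _, dev in deviations(packets)]

def evolution(packets):
    """Per-host deviation series in capture order, to spot drift of the acquisition clock."""
    series = {}
    for src, _, dev in deviations(packets):
        series.setdefault(src, []).append(round(dev))
    return series
```

A deviation that changes between packets of the same host points at a drifting capture clock rather than a misconfigured server, which is why the per-host series matters more than any single value.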

Annotation tool for pcap files

While doing network forensics, it’s common to annotate your investigation. The idea is to help the investigator annotate standard pcap files. In network forensics, the integrity of the analyzed capture is critical. To preserve that integrity, the project must use a separate file to store the annotation metadata (e.g. JSON files).

Annotations can be made on a packet, on a set of packets or on a specific data range inside a packet. The BPF filter expression can be extended in order to provide an easy way to annotate the packets.

An example vty interface to add a note for a specific filter:

annotate -a "Google DNS name resolution" "(udp port 53 or tcp port 53) and host 8.8.8.8"

You can also delete or update specific notes, and then display the packet capture with or without notes. Your tool can be a wrapper around tcpdump or rely on the standard libpcap library.
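A minimal sidecar store for such notes, added here as an example and not part of the course material: notes are bound to the SHA-256 of the capture so that a sidecar written for one file is rejected for another, and the capture is only ever read (through tcpdump) and never rewritten. The capture bytes are constructed.

```python
import hashlib
import json

def capture_digest(pcap_bytes):
    """SHA-256 of the capture; the capture file itself is never rewritten."""
    return hashlib.sha256(pcap_bytes).hexdigest()

def sidecar_matches(pcap_bytes, sidecar_json):
    """True only when the sidecar was written for exactly these capture bytes."""
    return json.loads(sidecar_json).get("pcap_sha256") == capture_digest(pcap_bytes)

class Annotations:
    """Notes kept in a sidecar JSON document bound to the capture's digest."""
    def __init__(self, pcap_bytes, sidecar_json=None):
        self.digest = capture_digest(pcap_bytes)
        if sidecar_json is not None and not sidecar_matches(pcap_bytes, sidecar_json):
            raise ValueError("sidecar belongs to a different capture: integrity check failed")
        self.notes = json.loads(sidecar_json)["notes"] if sidecar_json is not None else []

    def add(self, text, bpf):
        """annotate -a TEXT FILTER; returns the new note id."""
        note_id = max((n["id"] for n in self.notes), default=0) + 1
        self.notes.append({"id": note_id, "text": text, "filter": bpf})
        return note_id

    def update(self, note_id, text):
        for n in self.notes:
            if n["id"] == note_id:
                n["text"] = text
                return True
        return False

    def delete(self, note_id):
        before = len(self.notes)
        self.notes = [n for n in self.notes if n["id"] != note_id]
        return len(self.notes) != before

    def dump(self):
        return json.dumps({"pcap_sha256": self.digest, "notes": self.notes}, indent=2)

    def tcpdump_argv(self, pcap_path, note_id):
        """argv that shows the packets a note covers by reading the untouched capture."""
        for n in self.notes:
            if n["id"] == note_id:
                return ["tcpdump", "-n", "-r", pcap_path, n["filter"]]
        raise KeyError(note_id)

# Constructed stand-in for a capture file; only its bytes matter for the digest binding.
SAMPLE_CAPTURE = b"\xd4\xc3\xb2\xa1constructed-sample-capture"
```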

Extending Malcom

Extending cve-search

Automatic vulnerability assessment from network capture (1)

The project objective is to use a pcap file (or a live pcap stream) to extract potential indicators that can be used for the vulnerability (or non-vulnerability) assessment of the software seen in the network capture.

Various cases for vulnerability assessment via pcap:
  • Assess your software in your infrastructure without installing software components on the local systems and only by network monitoring (e.g. a simple port mirror on an internal switch).

  • Assess the software used by an attacker abusing a honeypot to know the level of their competencies or potentially abuse those attackers.

To look up the vulnerabilities, you can already use an existing free software tool called cve-search to have a local database of CVE/CPE entries. This allows you to query the collected information locally and quickly, while ensuring the privacy of the information checked.

The software can be separated into two distinct parts, following the Unix philosophy.

Pseudo/Logic (Python) code for the indicator extraction (scapy is assumed as the pcap reader; any other works the same way):
from scapy.all import rdpcap, IP, Raw

# Byte strings that betray a software version: HTTP User-Agent/Server headers and the SSH banner.
INDICATORS = (b"User-Agent:", b"Server:", b"SSH-")

def find_indicator(packet):
    return packet.haslayer(Raw) and any(i in packet[Raw].load for i in INDICATORS)

def extract(packet):
    return (packet[IP].src, packet[Raw].load)   # (source ip, payload)

def find_and_extract(packet):
    if packet.haslayer(IP) and find_indicator(packet):
        return extract(packet)
    return None

for packet in rdpcap("capture.pcap"):           # or sniff() for a live capture
    result = find_and_extract(packet)
    if result:
        print(result)

The indicator code will return a list of entries like the following:

192.168.1.1|User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:16.0) Gecko/20100101 Firefox/16.0

The indicator code output will be used by another small program that looks the indicators up in cve-search and gives a risk indicator per software detected:

192.168.1.1|cpe:/a:mozilla:firefox:16.0|8.9
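An added example (not course code) of the second part of the pipeline: mapping indicator lines to CPE names and attaching a risk indicator. The CPE rules, the sample indicator lines and the LOCAL_RISK table are constructed; the table stands in for the cve-search query, which is not called here. Note that "no entry in the local database" is reported as no-data, not as safe.

```python
import re

# Indicator -> CPE rules in the cpe:/a:vendor:product:version shape used by CPE dictionaries.
# Constructed for this example; a real tool grows this table per protocol seen on the wire.
CPE_RULES = [
    (re.compile(r"Firefox/(\d+(?:\.\d+)*)"), "mozilla", "firefox"),
    (re.compile(r"^Server: Apache/(\d+(?:\.\d+)*)"), "apache", "http_server"),
    (re.compile(r"^SSH-2\.0-OpenSSH_([\w.]+)"), "openbsd", "openssh"),
]

# Constructed stand-in for the cve-search lookup: highest CVSS score known for the CPE.
LOCAL_RISK = {
    "cpe:/a:mozilla:firefox:16.0": 8.9,
    "cpe:/a:apache:http_server:2.2.22": 7.5,
}

def indicator_to_cpe(indicator):
    """First matching rule wins; None when the indicator names no known software."""
    for rx, vendor, product in CPE_RULES:
        m = rx.search(indicator)
        if m:
            return f"cpe:/a:{vendor}:{product}:{m.group(1)}"
    return None

def risk_for(cpe, lookup=LOCAL_RISK):
    """Risk indicator for a CPE; None when the database has nothing (absence is not safety)."""
    return lookup.get(cpe)

def assess(lines):
    """Turn 'ip|indicator' lines into 'ip|cpe|risk' lines; unknown software is kept, not dropped."""
    out = []
    for line in lines:
        ip, _, indicator = line.partition("|")
        cpe = indicator_to_cpe(indicator)
        if cpe is None:
            out.append(f"{ip}|unknown|-")
            continue
        risk = risk_for(cpe)
        out.append(f"{ip}|{cpe}|{risk if risk is not None else 'no-data'}")
    return out

# Constructed indicator lines in the format produced by the extraction step.
SAMPLE_INDICATORS = [
    "192.168.1.1|User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:16.0) Gecko/20100101 Firefox/16.0",
    "192.168.1.20|Server: Apache/2.2.22",
    "192.168.1.30|SSH-2.0-OpenSSH_5.9p1",
    "192.168.1.40|User-Agent: curl",
]
```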

Operational Aspect

The system to be used for the project is shared among the class, including its system administration. Security and system administration are part of the overall project. This includes adequate system administration, OpenSSH key management, logging management and security monitoring on the wild Internet. Git will be used extensively during the courses.

You must also create a GitHub account where all your project including its documentation will be available (publicly).

Workstation Requirements During Classes

The major part of the work during the classes is a mixture of practical exercises, real-life experiments and sometimes a bit of theory. The main requirement is that your workstation is an operational Unix-based system (e.g. a recent GNU/Linux distribution like Ubuntu 12.xx/13.xx or a BSD flavor like OpenBSD or FreeBSD) with system administrator privileges.

Language

Courses will be given in French with the technical support being in English. Your project will be in English as your code and documentation will be available to the Internet community at large.

Evaluation

The evaluation will be mainly based on your project. The evaluation is not an objective in itself; the objective is to have fun while learning all together.

Caveats

You may find that the subject is sometimes too experimental and not yet mature for real-life application. If you have any issue with the course (including the way I teach it), don’t hesitate to talk about it as early as possible.

Sessions

Date/Time/Where

Subjects and Supports

Additional Information and Dataset

2013-11-28 10:00→12:00 and 14:00→18:00 @ E116

  • pcap file 1 (MD5:65ca24413de7ab0ad6423ed2b6329056)

  • pcap file 2 (MD5:db066fcd23e505349978236de5fb8977)

2013-12-13 10:00→12:00 and 14:00→18:00 @ E116

  • Pocket guide: IP, TCP, UDP headers

  • Pcap malware dataset (given during the courses)

2013-12-20 10:00→12:00 and 14:00→18:00 @ E116

2014-01-11 09:00→13:00 @ E116

import argparse
import sys

argParser = argparse.ArgumentParser(description='Pcap classifier')
argParser.add_argument('-f', action='append', help='Filename (repeatable; "-" reads stdin)')
args = argParser.parse_args()
if args.f is not None:
    # action='append' gives a list of filenames, not a single string
    for filename in args.f:
        stream = sys.stdin if filename == '-' else open(filename)
        for line in stream:
            print(line.split(",")[0])    # first comma-separated field of each line
        if stream is not sys.stdin:
            stream.close()
else:
    argParser.print_help()

  • Dataset of 4257 pcap with network traffic from malware executed in a sandbox (given during the course).

  • Redis server installation

2014-01-18 09:00→13:00 @ E116

  • Dataset of 4257 pcap with network traffic from malware executed in a sandbox (given during the course).

  • Python 3.x + the following modules:

  • Gephi

2014-01-25 09:00→13:00 @ E116

  • Projects review

    • Description and overall objective

    • Scope and limit of the project

    • Logistic and technical aspects

  • CIRCLean: how to contribute to and extend the project (by the author himself)

  • Description of the project to be pushed on GitHub

2014-02-08 09:00→13:00 @ E116

  • Initial capture.cap dataset

2014-02-15 09:00→13:00 @ E116

  • Initial capture.cap dataset

  • Sample leaked documents from attackers

Bibliography