Detect When You Get Pwned Using Honeytokens


By Adel Karimi / @0x4D31

About me

Agenda

An Introduction to Honey{*}

Honeytoken Workshop

Honeypots

A resource whose value lies in being probed, attacked, or compromised!

- Lance Spitzner

No honey{*} has any authorized use

ANY interaction with a honeypot indicates malicious or unauthorized activity!

Honeytokens

The Other Honeypot

A honeypot that is not a computer!

Honeytokens come in many different forms...

- Extremely flexible

- Can be adapted to any environment

A Honeytoken can be a...

  • Beacon document
  • Fake credentials/accounts
  • Database record
  • URL or HTTP endpoint
  • Fake file
  • DNS record
  • QR code!
  • Anything you can think of!

What about decoy mobile applications?

- "Using Decoys to Identify Mobile Device Attackers", RSA Conference 2015

Secret Keeper

Post breach detection

Depending on where/how you implement honeytokens, you may detect ...

Human attackers / intruders

Malicious insiders

Content scrapers or bad bots

And even your snooping partner! 😜

Lure the attackers into revealing themselves

...

Post-compromise activities

MITRE ATT&CK

A part of Linux ATT&CK matrix

A part of Windows ATT&CK matrix

{Honey}tokening!

Files!

Documents with false information or deceptive content

Purpose: point attackers to traps/honey{*}

- Generating deceptive content {Google Ben Whitham + honey file}

Fake monitored files:

file access auditing

Purpose: alert when accessed

Beacon files such as token'd DOC or XLS files

Purpose: phone home when opened!

Credentials!

Honey hash: fake credentials in memory

Detects pass-the-hash attacks

Fake API access tokens, e.g. AWS Access Keys

Fake credentials in:

  • Password managers e.g. Web browser, KeePass
  • Log and configuration files
  • Documents e.g. instructions for remote access
  • Email, Messengers, etc.

URL {honey}token

Web bug

Network tokens

Hosts file, ARP table, open connections

Beeswarm active IDS

Workshop

Honeytoken {Creation | Placement | Detection}

A Serverless Trap!

Create & monitor fake HTTP endpoints (i.e., URL honeytokens) automatically

Features

Remote config: Amazon S3

Customize the HTTP response for each token

Threat Intelligence report (Source IP lookup)

Based on Serverless framework

--> pay only for what you use

TODO: SSL client fingerprint, de-anonymization, automatic decoy generation

Slack, Email and SMS alerts

Setup & Deploy

https://gist.github.com/0x4D31/093653b52f3e9e05e48a61701ca6de99

{Test}

Email alert

HoneyLambda Config


{
	"default-http-response": {
		"content-type": "text/html",
		"body": "static/poc.html"
	},
	"traps": {
		"/examplec26b4d5e2c1e713/index14": {
			"t=email": {
				"note": "tracking pixel in email",
				"http-response": {
					"content-type": "image/png",
					"body": "static/pixel.png"
				}
			},
			"t=doc": {
				"note": "beacon pixel embedded in doc",
				"http-response": {
					"content-type": "image/png",
					"body": "static/pixel.png"
				}
			},
			"t=html": {
				"note": "secret link"
			}
		}
	},
	"alert": {
		"slack": {
			"enabled": "false",
			"webhook-url": ""
		},
		"email": {
			"enabled": "true",
			"to_email": "example.honeylambda14@mailinator.com",
			"smtp_server": "smtp.gmail.com",
			"smtp_port": 465,
			"smtp_user": "example@gmail.com",
			"smtp_password": "examplepassword"
		},
		"sms": {
			"enabled": "false",
			"to_number": "",
			"from_number": "",
			"twilio_account_sid": "",
			"twilio_auth_token": ""
		}
	},
	"threat-intel-lookup": {
		"enabled": "false",
		"cymon2-user": "",
		"cymon2-pass": ""
	}
}
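The request-handling logic that a config like the one above drives, as an added Python example (not honeyLambda's own code): the trap path and the `t=` query key select the token, the token's `http-response` (or the default) is served, and an alert record is built. The handler signature, the alert fields and the choice to alert on any hit to a trap path are assumptions.

```python
# Added example (not honeyLambda's own code): resolve an HTTP request against a
# honeyLambda-style config, pick the response to serve and build the alert.
import json
from urllib.parse import parse_qs

# Constructed config: the 'traps' and default response from the slide above.
CONFIG = json.loads("""{
  "default-http-response": {"content-type": "text/html", "body": "static/poc.html"},
  "traps": {
    "/examplec26b4d5e2c1e713/index14": {
      "t=email": {"note": "tracking pixel in email",
                  "http-response": {"content-type": "image/png", "body": "static/pixel.png"}},
      "t=doc": {"note": "beacon pixel embedded in doc",
                "http-response": {"content-type": "image/png", "body": "static/pixel.png"}},
      "t=html": {"note": "secret link"}
    }
  }
}""")

def handle_request(config, path, query, source_ip, user_agent):
    """Return {"response": <http-response dict>, "alert": <dict or None>}.
    Assumption: any hit on a trap path is alert-worthy (the path itself is the
    secret), even when the query string matches no configured token."""
    default = config["default-http-response"]
    trap = config["traps"].get(path)
    if trap is None:                       # ordinary path: serve decoy, no alert
        return {"response": default, "alert": None}
    t = parse_qs(query).get("t", [""])[0]  # token keys are literally "t=<name>"
    token = trap.get(f"t={t}")
    alert = {
        "trap": path,
        "token": f"t={t}" if token else None,
        "note": token["note"] if token else "unknown token on trap path",
        "source_ip": source_ip,
        "user_agent": user_agent,
    }
    # A token without its own "http-response" (e.g. the secret link) falls back
    # to the default response, as the config format implies.
    response = token.get("http-response", default) if token else default
    return {"response": response, "alert": alert}

def format_alert(alert):
    """One-line summary in the spirit of the Slack/email notification."""
    return (f"Honeytoken triggered: {alert['trap']} ({alert['note']}) "
            f"from {alert['source_ip']} UA={alert['user_agent']}")
```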

Honeybits

A simple tool designed to enhance the effectiveness of your traps by spreading breadcrumbs & honeytokens across your production servers and workstations to lure the attacker toward your honeypots

Honeybits Config


path:
  bashhistory: /home/test/.bash_history
  awsconf: /home/test/.aws/config
  awscred: /home/test/.aws/credentials
  hosts: /etc/hosts

randomline:
  bashhistory: true
  confile: false

honeypot: 
  addr: 192.168.1.66


# Fake files
honeyfile:
  enabled: true
  monitor: none # Options: go-audit, auditd, none
  goaudit-conf: /etc/go-audit.yaml # Only if you use go-audit
  traps:
    # Format: - file_path:content_type:template
    ##  content_type: rdpconn, txtemail, 
    ##  template: config (read from config file: contentgen.xxx.template), template file path (/tmp/sampletemplate.txt)
    - /tmp/test.rdp:rdpconn:config
    - /tmp/email.txt:txtemail:template/txtemail

# Content generator for honeyfiles or file honeybits
contentgen:
  rdpconn:
    user: administrator
    pass: 12345
    domain: example.com
    template: "screen mode id:i:2\ndesktopwidth:i:1024\ndesktopheight:i:768\nuse multimon:i:1\nsession bpp:i:24\nfull address:s:%s\ncompression:i:1\naudiomode:i:2\nusername:s:%s\ndomain:s:%s\nauthentication level:i:0\nclear password:s:%s\ndisable wallpaper:i:0\ndisable full window drag:i:0\ndisable menu anims:i:0\ndisable themes:i:0\nalternate shell:s:\nshell working directory:s:\nauthentication level:i:2\nconnect to console:i:0\ngatewayusagemethod:i:0\ndisable cursor setting:i:0\nallow font smoothing:i:1\nallow desktop composition:i:1\nredirectprinters:i:0\nprompt for credentials on client:i:1\nuse redirection server name:i:0"
    # server: 192.168.1.66 # Default is 'honeypot addr'

  txtemail:
    user: dave
    pass: 12345
    # template: "From: Adel 0x \nSubject: Re: Monitoring system\nDate: March 22, 2017 at 21:59:15 GMT+11\nTo: Dave Cohen \nCc: security \n\nHi,\n\nAh, sorry I forgot to send you the new address: http://%s\nI also reset your password (user: %s) to the default pass: %s\n\nPlease set the MFA (multi-factor authentication) ASAP.\n\nCheers,\nAdel\n\nOn 22 Mar 2017, at 9:57 pm, Dave Cohen  wrote:\n\nHi Adel,\n\nI just wanted to login to the Monitoring system, but I get 404 error. Could you please have a look at it?\n\nThanks\nDave\n\nThe information contained in this email and any attachments is confidential and/or privileged. This email and any attachments are intended to be read only by the person named above. If the reader of this email, and any attachments, is not the intended recipient, you are hereby notified that any review, dissemination or copying of this email and any attachments is prohibited. If you have received this email and any attachments in error, please notify the sender by email or telephone and delete it from your email client."
    # server: 192.168.1.66 # Default is 'honeypot addr'
    

honeybits:

  # Fake records in config files
  awsconf:
    enabled: false
    profile: devsecops
    region: us-east-1
    accesskeyid: AKIAIOSFODNN7EXAMPLE
    secretaccesskey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

  hostsconf:
    enabled: false
    # ip: 192.168.1.66 # Default is 'honeypot addr'
    name: mysql-srv

  # Fake records in bash_history
  ssh:
    enabled: false
    # server: 192.168.1.66 # Default is 'honeypot.addr'
    port: 2222
    user: root
    sshpass: false
    pass: 123456

  wget:
    enabled: false
    url: http://192.168.1.66:8080/backup.zip

  ftp:
    enabled: false
    # server: 192.168.1.66 # Default is 'honeypot.addr'
    port: 2121
    user: backup
    pass: b123

  rsync:
    enabled: false
    # server: 192.168.1.66 # Default is 'honeypot.addr'
    port: 2222
    user: root
    remotepath: /var/db/backup.tar.gz
    localpath: /tmp/backup.tar.gz
    sshpass: false
    pass: 12345

  scp:
    enabled: false
    # server: 192.168.1.66 # Default is 'honeypot.addr'
    port: 2222
    user: root
    remotepath: /var/db/backup.tar.gz
    localpath: /tmp/backup.tar.gz

  mysql:
    enabled: false
    # server: 192.168.1.66 # Default is 'honeypot.addr'
    port: 3306
    user: dbadmin
    pass: 12345
    command: show databases
    # dbname: clients

  aws:
    enabled: false
    profile: devops
    region: us-east-2
    command: ec2 describe-instances
    accesskeyid: AKIAIOSFODNN7EXAMPLE
    secretaccesskey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

# custom honeybits in bash_history
  custom:
    - telnet 192.168.1.66 25
    - nano /tmp/backup/credentials.txt
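How a config like the one above turns into on-disk artifacts, as an added Python example rather than honeybits' own (Go) code: the enabled honeybits become bash_history commands, scattered across random lines when randomline.bashhistory is set, and the rdpconn template's %s slots are filled from contentgen. The exact command formats and the dict subset of the YAML are assumptions.

```python
# Added example (not honeybits' own code): turn the honeybits config above into
# bash_history breadcrumbs and the fake .rdp honeyfile it describes.
import random

# Constructed subset of the YAML on the slide, as a dict so no YAML parser is
# needed; 'enabled' is switched on for ssh/wget/mysql so the demo emits lines.
CFG = {
    "honeypot": {"addr": "192.168.1.66"},
    "randomline": {"bashhistory": True},
    "honeybits": {
        "ssh": {"enabled": True, "port": 2222, "user": "root", "sshpass": False, "pass": "123456"},
        "wget": {"enabled": True, "url": "http://192.168.1.66:8080/backup.zip"},
        "mysql": {"enabled": True, "port": 3306, "user": "dbadmin", "pass": "12345",
                  "command": "show databases"},
        "custom": ["telnet 192.168.1.66 25", "nano /tmp/backup/credentials.txt"],
    },
    "contentgen": {"rdpconn": {"user": "administrator", "pass": "12345", "domain": "example.com",
        "template": "full address:s:%s\nusername:s:%s\ndomain:s:%s\nclear password:s:%s"}},
}

def bash_history_lines(cfg):
    """One shell command per enabled honeybit; 'server' defaults to honeypot.addr."""
    hp, b, lines = cfg["honeypot"]["addr"], cfg["honeybits"], []
    if b["ssh"]["enabled"]:
        s = b["ssh"]
        cmd = f"ssh -p {s['port']} {s['user']}@{s.get('server', hp)}"
        lines.append(f"sshpass -p {s['pass']} {cmd}" if s["sshpass"] else cmd)
    if b["wget"]["enabled"]:
        lines.append(f"wget {b['wget']['url']}")
    if b["mysql"]["enabled"]:
        m = b["mysql"]
        lines.append(f"mysql -h {m.get('server', hp)} -P {m['port']} -u {m['user']} "
                     f"-p{m['pass']} -e '{m['command']}'")
    lines.extend(b.get("custom", []))   # free-form commands go in as-is
    return lines

def place_in_history(existing, breadcrumbs, cfg, seed=None):
    """Scatter breadcrumbs at random positions when randomline.bashhistory is set
    (a block of decoys at the very end looks planted); otherwise append them."""
    out, rng = list(existing), random.Random(seed)
    for line in breadcrumbs:
        idx = rng.randint(0, len(out)) if cfg["randomline"]["bashhistory"] else len(out)
        out.insert(idx, line)
    return out

def render_rdp(cfg):
    """Fill the rdpconn template's %s slots in order: server, user, domain, password."""
    r = cfg["contentgen"]["rdpconn"]
    return r["template"] % (r.get("server", cfg["honeypot"]["addr"]), r["user"], r["domain"], r["pass"])
```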

Canarytokens

References

  • http://blog.thinkst.com/p/canarytokensorg-quick-free-detection.html
  • https://www.topspinsec.com/blog/busting-honeypot-really-way-attackers-detect-deception
  • https://github.com/0x4D31/honeyLambda
  • https://github.com/0x4D31/honeybits
  • https://github.com/0x4D31/honeybits-win
  • https://github.com/thinkst/canarytokens-docker

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
