
(Master's thesis) Etude et analyse des attaques et des signatures d'attaques - Etude bibliographique des parades au DoS et DDoS - Etude des HoneyPots - Intégration des HoneyPots dans une architecture globale de protection (Study and analysis of attacks and attack signatures - Literature review of DoS and DDoS countermeasures - Study of honeypots - Integration of honeypots into a global protection architecture)


DOCUMENT INFORMATION

Basic information

Title: Etude et Analyse Des Attaques Et Des Signatures D'Attaques - Etude Bibliographique Des Parades Au Dos Et Ddos - Etude Des Honeypots - Intégration Des Honeypots Dans Une Architecture Globale De Protection
Author: Doan Duy Thieu Hoa
Supervisor: Ahmed Serhrouchni
Institution: Institut de la Francophonie pour l'Informatique
Host school: Ecole Nationale Supérieure des Télécommunications
Type: Rapport de stage de fin d'études (end-of-studies internship report)
Year: 2004
City: Paris
Pages: 55
Size: 805.5 KB

Structure

  • Part 1: Study of attacks (p. 7)
  • Part 2: Literature review of DoS and DDoS countermeasures (p. 15)
    • 1. TFN (Tribal Flood Network) (p. 23)
    • 2. TFN2K (p. 24)
    • 3. Trin00 (p. 24)
    • 4. Stacheldraht (p. 26)
  • Part 3: Study of honeypots (p. 29)
  • Part 4: Integration of honeypots into a global protection architecture (p. 35)

Contents

Study of attacks

This step consists of determining the operating system, the open services and their versions, in order to identify possible vulnerabilities and exploit them.

One of the most popular and powerful tools is Nmap. It supports techniques such as the half-open (SYN) scan, which never completes the TCP three-way handshake and therefore leaves fewer traces in application logs: "nmap -sS IP_address". Nmap can also fingerprint the target for operating system detection: "nmap -sS -O IP_address".

Various tools exist to identify the vulnerabilities of a system. SuperScan, for instance, is a well-known scanner frequently used by attackers on Windows. In the final part I use it to gather information about the virtual machines.

Once the attacker has the necessary information about the operating system and the open services, he looks for the corresponding vulnerabilities and attack methods.

Password cracking

One of the most common methods hackers use to obtain passwords is the dictionary attack. The hacker takes a list of words and proper names and tries each one in turn to see whether it matches a valid password. The attack is run by software that can test thousands of candidates per second, even when the stored passwords are hashed: the program hashes each candidate and compares the result with the stored hash. Such tools also try variations of every word (reversed spelling, mixed upper and lower case, digits appended at the end of the word), which makes the attack effective against passwords that are only slightly modified dictionary words.
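As an added example (not code from the thesis), the following Python script carries out the dictionary attack described above against unsalted hashes: it generates the reversed, re-cased and digit-suffixed variations of each wordlist entry, hashes each candidate once, and matches every account in a single pass. The sample hashes and the five-word list are constructed for the demo.

```python
import hashlib

# Constructed sample: four accounts with unsalted SHA-256 password hashes.
# The plaintexts are "Secret1", "drowssap" (reversed "password") and "Monkey";
# dave's password is random and is not expected to be recovered.
SAMPLE_HASHES = {
    "alice": hashlib.sha256(b"Secret1").hexdigest(),
    "bob": hashlib.sha256(b"drowssap").hexdigest(),
    "carol": hashlib.sha256(b"Monkey").hexdigest(),
    "dave": hashlib.sha256(b"x7$Qp9!vL2").hexdigest(),
}

# Constructed wordlist; a real attack uses hundreds of thousands of entries.
WORDLIST = ["password", "secret", "monkey", "letmein", "welcome"]


def mangle(word):
    """Yield the variations the text describes: reversed spelling, changed
    case, and a single digit appended at the end of the word."""
    seen = set()
    for base in (word, word[::-1]):
        for cased in (base.lower(), base.upper(), base.capitalize()):
            for cand in [cased] + [f"{cased}{d}" for d in range(10)]:
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def dictionary_attack(hashes, wordlist, algo="sha256"):
    """Return {user: plaintext} for every hash that a wordlist variation hits.

    Because the hashes are unsalted, every candidate is hashed once and
    compared against all users at the same time: the cost grows with the
    wordlist, not with the number of accounts."""
    lookup = {}
    for word in wordlist:
        for cand in mangle(word):
            lookup[hashlib.new(algo, cand.encode()).hexdigest()] = cand
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


if __name__ == "__main__":
    for user, pw in dictionary_attack(SAMPLE_HASHES, WORDLIST).items():
        print(f"{user}: {pw}")
```

Per-user salts defeat the single lookup table (each account then needs its own pass over the wordlist), and deliberately slow hashes such as bcrypt cut the thousands-per-second rate mentioned above to a handful per second; that is why modern systems use both.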

Password and packet sniffing

If a hacker cannot guess a password, he may resort to other methods, such as sniffing. Most local networks use a broadcast technology such as Ethernet: every frame reaches every station on the segment, and each station normally ignores the frames that are not addressed to it. Many network cards, however, can be put into promiscuous mode, in which a program receives every frame on the segment and can search the captured data for passwords. Users who connect to remote computers with insecure protocols (telnet, rlogin, ftp) risk exposing their passwords, which travel in plaintext in the data stream. Popular sniffing tools include Esniff and TCPDump. Sniffers are also useful to network administrators, who can use them to find security weaknesses before hackers do. For instance, Ethereal v0.8.12 on Linux can log events defined by the administrator and is compatible with Cisco router log files.

Ethereal can be downloaded from http://www.ethereal.com/

Below is a list of other commercially available sniffers:

- Analyzer (http://www.networkassociates.com): decodes more than 250 protocols

- Century LAN Analyzer (http://www.shomiti.com): supports standard Ethernet and runs on Windows 95/98 and NT

- PacketView, by Klos (ftp.klos.com/demo/pvdemo.zip): DOS-based tool designed for best performance on Ethernet

- Network Probe 8000 (http://www.netcommcorp.com): analyses about 13 protocols, including TCP/IP, the Microsoft protocols, NFS and Novell

- LANWatch (http://www.guesswork.com): runs on DOS, Windows 9x and NT

- EtherPeek (http://www.aggroup.com): for Windows and Macintosh platforms

- Ethload (http://www.computercraft.com/noprogs/ethld104.zip): sniffer that monitors rlogin and telnet sessions

- Linux sniffer: password sniffer only, written in C

The best defence against sniffers is an encrypting protocol such as SSL (Secure Sockets Layer), so that captured traffic no longer contains plaintext credentials.
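To show what a sniffer actually recovers, here is an added Python example (not from the thesis and not one of the tools listed above) that reassembles the client side of a captured FTP control session and extracts the USER/PASS pair. The segments are constructed inline; in practice they would come from a capture taken in promiscuous mode.

```python
import re

# Constructed sample: TCP payloads of one FTP control session as a sniffer
# in promiscuous mode would see them, in both directions.
# Tuple layout: (src_ip, src_port, dst_ip, dst_port, payload).
SAMPLE_SEGMENTS = [
    ("10.0.0.5", 21, "10.0.0.9", 40001, b"220 ftp.example.test FTP server ready\r\n"),
    ("10.0.0.9", 40001, "10.0.0.5", 21, b"USER alice\r\n"),
    ("10.0.0.5", 21, "10.0.0.9", 40001, b"331 Password required for alice\r\n"),
    # A client that sends a few characters per segment (as telnet does) is
    # handled too, because the segments of a stream are concatenated first.
    ("10.0.0.9", 40001, "10.0.0.5", 21, b"PA"),
    ("10.0.0.9", 40001, "10.0.0.5", 21, b"SS Secret1\r\n"),
    ("10.0.0.5", 21, "10.0.0.9", 40001, b"230 User alice logged in\r\n"),
    ("10.0.0.9", 40001, "10.0.0.5", 21, b"LIST\r\n"),
]

FTP_CRED = re.compile(rb"^(USER|PASS)\s+(\S+)\s*$", re.IGNORECASE)


def sniff_ftp_credentials(segments, ftp_port=21):
    """Return [(server_ip, username, password)] found in the client->server
    direction of every FTP control stream in `segments`."""
    streams = {}
    for src, sport, dst, dport, data in segments:
        if dport == ftp_port:                    # only the client's commands
            streams.setdefault((src, sport, dst), bytearray()).extend(data)
    found = []
    for (src, sport, dst), buf in streams.items():
        user = None
        for line in bytes(buf).split(b"\r\n"):
            m = FTP_CRED.match(line)
            if not m:
                continue
            verb, arg = m.group(1).upper(), m.group(2).decode(errors="replace")
            if verb == b"USER":
                user = arg
            elif user is not None:               # PASS that follows a USER
                found.append((dst, user, arg))
                user = None
    return found


if __name__ == "__main__":
    for server, user, password in sniff_ftp_credentials(SAMPLE_SEGMENTS):
        print(f"{server}: {user} / {password}")
```

The same approach works for telnet and rlogin once the option-negotiation bytes are stripped; with SSL or SSH in place the reassembled stream is ciphertext and the regular expression matches nothing.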

An IP address identifies a computer on the Internet. A significant problem arises with IP source routing, which lets a hacker's computer masquerade as a trusted machine.

IP source routing is an IP option that lets the sender specify the route packets must follow to the destination, and therefore the route the replies take back to the sender. The route may pass through routers or hosts that would never normally forward packets toward that destination. An intruder can use it to make his computer appear to be the client the server trusts:

• The attacker changes the IP address of his computer to make it look like a client trusted by the server,

• He then sets up a source route to the server, which defines the path the IP packets must follow to reach the server and the path they must take to return to the attacker's computer, with the trusted client as the last hop of the route toward the server,

• The attacker sends a client request to the server using the source route,

• The server accepts the request as if it came directly from the trusted client and returns a reply to that client,

• The client, following the source route, forwards the packet to the attacker's computer.

Many Unix machines accept source-routed packets and forward them as instructed, although routers can be configured to drop such packets for security reasons.

A simpler way to spoof a client is to wait for the client's system to be shut down and then impersonate it. Companies often use PCs with TCP/IP and NFS to connect to Unix servers and access their directories and files. Since NFS authenticates clients solely on their IP address, an intruder can configure a PC with the same name and IP address as a legitimate machine and connect to the Unix server as if it were the genuine client. Border routers should therefore reject packets that arrive from outside the local network carrying an internal source address (ingress filtering).

Email is particularly easy to spoof because of the simplicity of the protocol; without an electronic signature, an email cannot be considered reliable. By connecting with Telnet directly to the SMTP port (port 25), anyone can type the commands the server trusts once the sender has identified itself, so forging an email with a different sender address is trivial. Other services, such as DNS, can also be spoofed, though with more difficulty than email.

Because of these risks, firewalls and routers must keep log files that record hacking attempts, and these logs must be protected so that an intruder cannot alter them.
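The check a border router or host applies against the source-routing attack above: the following added Python example (not from the thesis) builds an IPv4 packet carrying a loose source route option, the way the spoofed request would, and shows the option-walking logic that detects LSRR/SSRR so the packet can be dropped. The addresses are documentation ranges chosen for the demo.

```python
import ipaddress
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137   # loose / strict source route (0x83 / 0x89)


def build_ipv4(src, dst, options=b"", payload=b""):
    """Build a minimal IPv4 packet for the demo (header checksum left at zero)."""
    options += b"\x00" * ((-len(options)) % 4)        # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0x1234, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + options + payload


def lsrr_option(hops):
    """Loose source route option: type, length, pointer (=4), then the hops."""
    route = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(route), 4]) + route


def source_route(packet):
    """Return ('loose' | 'strict', [hops]) if the packet carries a source
    route option, ('malformed', []) if the option area is inconsistent,
    and None for a packet without source routing."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:                       # single-byte option
            i += 1
            continue
        if i + 1 >= len(opts):
            return ("malformed", [])
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return ("malformed", [])
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            route = opts[i + 3:i + length]           # skip type, length, pointer
            hops = [str(ipaddress.IPv4Address(route[j:j + 4]))
                    for j in range(0, len(route) - len(route) % 4, 4)]
            return ("loose" if kind == IPOPT_LSRR else "strict", hops)
        i += length
    return None


def should_drop(packet):
    """Filter policy: drop anything source-routed or with malformed options."""
    return source_route(packet) is not None


# Constructed packets: the attacker (203.0.113.9) spoofs the trusted client
# 192.0.2.10 toward the server 192.0.2.20 and asks for the replies to come
# back through a router it controls, 203.0.113.1.
SPOOFED = build_ipv4("192.0.2.10", "192.0.2.20",
                     options=lsrr_option(["203.0.113.1", "192.0.2.20"]))
PLAIN = build_ipv4("192.0.2.10", "192.0.2.20")

if __name__ == "__main__":
    print("spoofed:", source_route(SPOOFED), "drop" if should_drop(SPOOFED) else "pass")
    print("plain:  ", source_route(PLAIN), "drop" if should_drop(PLAIN) else "pass")
```

Hosts and routers do the same thing with a setting rather than code: on Linux, `net.ipv4.conf.all.accept_source_route = 0`; on Cisco IOS, `no ip source-route`. The malformed-option case is treated as a hit on purpose, since a parser that silently skips bad options is itself a way to smuggle one through.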

A scanner is a program that finds the open ports of a given machine. Hackers use scanners to plan their attacks, but the same tools help defenders find exposed services first. One of the best-known network scanners is WS_Ping ProPack, available at http://www.ipswitch.com/french/wsping.html. The log files in which scans are recorded must not be alterable by unauthorized users.

A Trojan horse is malicious software hidden inside a seemingly harmless program; when the victim runs the program, the hidden Trojan is activated. Among the most common Trojans are Back Orifice 2000, Backdoor, Netbus, Subseven and Socket de Troie. Protection requires a reliable antivirus product, such as Norton 2000 or the Network Associates products. Specialized software such as Lockdown 2000 can also monitor connection attempts on the ports being scanned and run a traceroute on any IP address it detects; the latest version of Lockdown 2000 carries a library of 488 Trojan signatures. On Linux too it is important to have an antivirus that detects both viruses and Trojans.

A worm is a self-replicating program that spreads without needing another program or any human intervention. On each computer it infects, the worm:

- generates a new list of remote machines to target,

- tries to find the passwords of user accounts,

- tries to break into the target machines by impersonating the legitimate users whose passwords it has cracked, using an old bug in the finger daemon to list the users connected on the remote machines.

Worm attacks are becoming rarer as Internet servers such as Windows NT Server and Apache become more robust, but hackers still write worms whenever a new vulnerability is found in an operating system, because a worm lets them compromise many sites very quickly. Firewalls should not be the only line of defence against worms; the quality of the operating system itself must prevent such attacks.

A trapdoor is an entry point into a computer system that bypasses the normal security measures. It is typically a hidden program or electronic component that renders the protection system ineffective. Trapdoors are often triggered by ordinary events or actions, as with those found in early versions of Internet Explorer 5. Like the previous kinds of attack, trapdoors cannot be detected at the IP level but can be identified at the application level through signatures; it is therefore up to the antivirus software and the operating system to eliminate them.

Literature review of DoS and DDoS countermeasures

TFN (Tribal Flood Network)

TFN was the first widely recognized distributed denial-of-service tool. It uses a two-layer architecture: a client controls agents (daemons), which carry out the distributed attack on the victim using the attack type the client specifies. TFN agents run as hidden network services on compromised machines and receive their commands from the client embedded in what looks like normal network traffic. Source addresses are spoofed both in the attack traffic and in the client/agent communication.

- Client/agent communication protocol: ICMP

- Attack protocols: IP / TCP / UDP / ICMP

The TFN client is a command-line program that sends commands to the TFN agents. Client/agent communication uses ICMP echo-reply packets: the command is a 16-bit binary value carried in the ICMP identifier field, and any arguments are carried in the packet's data section. The command values are configurable, so a detector cannot rely on fixed values alone.

TFN2K

TFN2K is an advanced version of TFN. Its architecture closely resembles that of its predecessor, but it encrypts the communication between the client and its agents, which makes it harder to detect.

- Communication between master and agent uses TCP, UDP, ICMP, or a random choice among the three

- Attack methods: TCP/SYN, UDP, ICMP/PING or broadcast PING (smurf) packet floods

- The packet headers between master and agent are randomized, except for ICMP

TFN2K stays silent and never acknowledges the commands it receives. To make sure each daemon processes every command at least once, the client resends each command up to 20 times.

- All commands are encrypted with the CAST-256 algorithm (RFC 2612). The key is fixed at compile time and is used as the password to start the tfn2k client

- All encrypted data is Base64-encoded before being sent

Trin00

Trin00 uses a three-layer architecture: clients (intruders) send commands, including the attack targets, to master (handler) servers, each of which manages a subnet of agents (daemons). The intermediate layer makes it harder to find the origin of the attack; Trin00 is, however, less effective than TFN at hiding its communications inside normal network traffic. Unlike TFN, Trin00 does not hide the origin of the attack, so the victim can identify the agents. Trin00 also has a single attack type, the UDP flood.

- The attacker talks to the masters over TCP on destination port 27665

- The masters talk to the daemons over UDP on destination port 27444

- A daemon replies to the masters over UDP on destination port 31335

- The daemons flood the victim with UDP packets sent to random destination ports

When a Trinoo daemon starts, it announces itself by sending a UDP packet containing the string *HELLO* to its pre-configured Trinoo masters, and receives in return UDP packets containing the string *PONG*.

All communication with the masters on port 27665/TCP requires a password, which is stored in the binary in encrypted form. Commands sent to the daemons on port 27444/UDP must be UDP packets containing the string "l44" (note the lowercase "L").

Stacheldraht

Stacheldraht is a hybrid of TFN and Trin00: it hides the source of its communications while offering the various TFN attack methods. It uses a three-layer architecture inspired by Trin00 and adds techniques more advanced than those of its predecessors.
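An added detection example (Python, not from the thesis) that applies the Trin00 and TFN indicators described above to a list of flow records: the Trin00 control ports and strings, and the TFN trick of carrying commands in ICMP echo-replies, which a sensor can spot as echo-replies that answer no echo-request it has seen. The flow records and the ICMP identifier values in them are constructed.

```python
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

# Constructed flow records: (proto, src, sport, dst, dport, payload).
# For ICMP records, `sport` holds the ICMP type and `dport` the ICMP
# identifier field (where TFN puts its command value).
SAMPLE_FLOWS = [
    ("tcp", "198.51.100.7", 51000, "192.0.2.30", 27665, b"dos 203.0.113.99\n"),
    ("udp", "192.0.2.30", 50222, "192.0.2.41", 27444, b"aaa l44 203.0.113.99\n"),
    ("udp", "192.0.2.41", 31111, "192.0.2.30", 31335, b"*HELLO*"),
    ("icmp", "192.0.2.50", ICMP_ECHO_REQUEST, "192.0.2.60", 771, b"abcdefgh"),
    ("icmp", "192.0.2.60", ICMP_ECHO_REPLY, "192.0.2.50", 771, b"abcdefgh"),      # normal ping reply
    ("icmp", "198.51.100.7", ICMP_ECHO_REPLY, "192.0.2.70", 4660, b"203.0.113.99\x00"),  # no request seen
    ("tcp", "192.0.2.5", 40000, "192.0.2.30", 80, b"GET / HTTP/1.0\r\n"),
]


def detect_ddos_c2(flows):
    """Return [(src, dst, reason)] for every record matching a Trin00 or
    TFN control-channel indicator. Flows must be in capture order so that an
    echo-request is seen before the reply it legitimises."""
    alerts = []
    echo_requests = set()        # (requester, target, icmp_id) seen so far
    for proto, src, sport, dst, dport, payload in flows:
        if proto == "tcp" and dport == 27665:
            alerts.append((src, dst, "trin00 attacker->master (27665/tcp)"))
        elif proto == "udp" and dport == 27444 and b"l44" in payload:
            alerts.append((src, dst, "trin00 master->daemon command (27444/udp, 'l44')"))
        elif proto == "udp" and dport == 31335 and b"*HELLO*" in payload:
            alerts.append((src, dst, "trin00 daemon->master *HELLO* (31335/udp)"))
        elif proto == "icmp" and sport == ICMP_ECHO_REQUEST:
            echo_requests.add((src, dst, dport))
        elif proto == "icmp" and sport == ICMP_ECHO_REPLY:
            if (dst, src, dport) not in echo_requests:
                alerts.append((src, dst, f"unsolicited ICMP echo-reply, id={dport} (TFN-style control)"))
    return alerts


if __name__ == "__main__":
    for src, dst, reason in detect_ddos_c2(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {reason}")
```

The port and string checks are cheap but only catch default builds; the unsolicited echo-reply check is what survives a recompiled TFN, at the price of keeping state for every echo-request (a real sensor expires those entries and also matches the sequence number).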

Defending against denial-of-service attacks is difficult because of the sheer number of insecure, vulnerable machines on the Internet. If a DDoS tool is found on one system, it has probably been installed undetected on many others, and its presence means the system has been fully compromised and may also harbour backdoors or rootkits such as Adore. The affected machine must therefore be disconnected from the network and inspected thoroughly before any reinstallation is considered. Such tools can sometimes be spotted by suggestive names in the victim's process list, provided no rootkit is installed and the attacker kept the default names. These names include the following (non-exhaustive list):

- Shaft agent: shaftnode

- mstream handler: master

- Trinity agent: /usr/lib/idle.so

- Trinity portshell: /var/spool/uucp/uucico

- Trinity alternate portshell: /var/spool/uucp/fsflush

It is also very useful to know the tools (mainly four) used by hackers. Analyses are available for three of them:

- http://staff.washington.edu/dittrich/misc/trinoo.analysis

- http://staff.washington.edu/dittrich/misc/tfn.analysis

- http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

A workshop report on the subject offers useful guidance for defence and recovery after such incidents; it is available at http://www.cert.org/reports/dsit_workshop.pdf

Pushback: a countermeasure under development

In response to the growing threat of these attacks, researchers are exploring techniques to counter them; one of the most recent is Pushback. All the related papers can be found on the ACC and Pushback website.

The technique aims to identify DoS and DDoS attacks heuristically, to counter them by tracing back toward their sources, and to protect the legitimate traffic that suffers from the congestion these attacks cause. It relies on aggregate-based congestion control (ACC), where an aggregate is a subset of the traffic that shares an identifiable characteristic, for example:

- IP packets whose checksums are incorrect

The goal is to identify the aggregates responsible for the congestion and to limit them so that normal traffic flows again. Once the signature, the characteristic that identifies the attack, has been established, the traffic is compared against it in real time at the router nearest the DDoS target. That router starts dropping packets that match the signature and sends an alert message to its upstream routers describing the malicious traffic. The alert carries the signature, so those routers can also discard the matching packets, and they in turn forward the alert to their own upstream routers.

This recursive technique has the advantage of tracing back toward the sources of the attack while relieving congestion in the core of the network, something methods that only protect the target cannot achieve. Some legitimate traffic that matches the signature is still lost, but the overall result is largely positive.
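To make the recursion concrete, here is an added Python simulation (not from the thesis, and not the ACC/Pushback reference implementation) of pushback on a small router tree: the router nearest the victim rate-limits the aggregate and hands each upstream router that contributes to it a limit proportional to its contribution, recursively. Traffic is modelled as flows of packet counts, the topology and addresses are constructed, and the aggregate signature is the coarse one, "everything addressed to the victim".

```python
VICTIM = "192.0.2.10"
ATTACKERS = {"198.51.100.1", "198.51.100.2"}     # constructed attack sources


class Router:
    """One router on the path toward the target. Traffic is a list of flows
    (src, dst, packets); `local` flows enter on this router's own access
    links, `upstreams` are the routers that feed it."""

    def __init__(self, name, local=(), upstreams=()):
        self.name = name
        self.local = list(local)
        self.upstreams = list(upstreams)
        self.limit = None          # (signature, max packets) installed by pushback
        self.dropped = 0

    def arriving(self):
        flows = list(self.local)
        for up in self.upstreams:
            flows.extend(up.outbound())
        return flows

    def outbound(self):
        """Forward arriving traffic, rate-limiting the aggregate if a limit is
        installed. Every matching flow keeps the same share (proportional limit)."""
        flows = self.arriving()
        self.dropped = 0
        if self.limit is None:
            return flows
        signature, cap = self.limit
        total = sum(f[2] for f in flows if signature(f))
        if total <= cap:
            return flows
        out = []
        for src, dst, n in flows:
            if signature((src, dst, n)):
                keep = n * cap // total
                self.dropped += n - keep
                n = keep
            if n:
                out.append((src, dst, n))
        return out


def pushback(router, signature, cap, log, depth=0):
    """If the aggregate exceeds `cap` at this router, rate-limit it here and
    recursively ask each contributing upstream router to limit its share."""
    total = sum(f[2] for f in router.arriving() if signature(f))
    if total <= cap:
        return
    log.append(f"{'  ' * depth}{router.name}: {total} pkts in aggregate > {cap}, rate-limiting")
    router.limit = (signature, cap)
    for up in router.upstreams:
        contrib = sum(f[2] for f in up.outbound() if signature(f))
        if contrib:
            pushback(up, signature, max(1, cap * contrib // total), log, depth + 1)


def build_topology():
    """Constructed tree: R0 sits next to the victim; R1 and R3 carry attack
    traffic, R2 and R4 carry only legitimate users."""
    r3 = Router("R3", [("198.51.100.1", VICTIM, 400), ("203.0.113.5", VICTIM, 20)])
    r4 = Router("R4", [("203.0.113.6", VICTIM, 30), ("203.0.113.6", "192.0.2.99", 50)])
    r1 = Router("R1", [("198.51.100.2", VICTIM, 300)], upstreams=[r3, r4])
    r2 = Router("R2", [("203.0.113.7", VICTIM, 40), ("203.0.113.7", "192.0.2.99", 60)])
    return Router("R0", upstreams=[r1, r2])


def delivered_to_victim(r0):
    """(attack packets, legitimate packets) reaching the victim's link."""
    attack = legit = 0
    for src, dst, n in r0.outbound():
        if dst == VICTIM:
            if src in ATTACKERS:
                attack += n
            else:
                legit += n
    return attack, legit


def run_pushback(cap=200):
    r0 = build_topology()
    before = delivered_to_victim(r0)
    log = []
    pushback(r0, lambda f: f[1] == VICTIM, cap, log)
    return before, delivered_to_victim(r0), log


if __name__ == "__main__":
    before, after, log = run_pushback()
    print("\n".join(log))
    print(f"attack/legit before: {before}, after: {after}")
```

With the coarse signature the attack drops from 700 to 182 packets, but legitimate traffic to the victim falls from 90 to 15: the routers that carry only users (R2, R4) get rate-limited too. That is the collateral loss the text mentions; a finer signature, such as the bad-checksum example above, would leave those flows untouched.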

Study of honeypots

A honeypot is an information system resource whose value lies in the unauthorized or illicit use of that resource.

A honeypot is a security resource with no production activity, set up to attract malicious activity, including viruses and spam. This part looks at several examples of honeypots and their role in improving security. Since a honeypot hosts no legitimate activity, any interaction with it is suspect: a connection to a honeypot is treated as a probe or an attempted compromise. Despite their simplicity, honeypots have both significant advantages and drawbacks.

Honeypots are a very simple concept, and that simplicity is what gives them their power:

- Small, high-value data sets: honeypots collect a small amount of high-value data, logging on the order of 1 MB per day instead of 1 GB, and raising about 10 alerts per day rather than thousands, all of them about malicious activity. Every interaction with a honeypot is unauthorized or dangerous, so the noise is drastically reduced and the collected data is cheaper and easier to analyse, yielding information specifically about attackers.

- New tools and tactics: a honeypot is built to capture everything sent to it, including tools and tactics that have never been seen before.

- Minimal resources: a honeypot needs very few resources to capture malicious activity. An old Pentium with 128 MB of memory can easily monitor a class B network.

- Encryption and IPv6: unlike many security technologies such as intrusion detection systems (IDS), honeypots work just as well in IPv6 environments or with encrypted traffic, because the honeypot is the endpoint of the session: whatever the attacker sends, instructions or commands, is detected, captured and analysed.

- Simplicity: finally, a honeypot is simple; there is no algorithm to develop and it is easy to configure.

Like every technology, honeypots also have weaknesses. They replace no existing technology but work alongside the existing ones.

- Limited view: a honeypot can only detect and capture activity directed at itself. It will not capture attacks against other systems.

- Risk: all security technologies carry risk. Firewalls can be breached, encryption can be broken, and IDS generate false positives. Honeypots carry their own risk: an attacker may take control of one and use it to attack other systems. The level of risk depends on the type of honeypot.

There are two categories of honeypots: low-interaction and high-interaction. The category tells you the kind of interaction the honeypot offers, and its strengths and weaknesses. Low-interaction honeypots allow limited interaction: they simulate services and operating systems. For instance, a simulated FTP service on port 21 can imitate the opening of an FTP session and support a few basic FTP commands. Their main advantage is simplicity: they are easy to deploy and maintain, with minimal risk. Deployment consists of installing the software and choosing the services or operating systems to simulate, which makes them accessible to most organizations. Because the services are simulated, the attacker's activity is contained and never reaches the underlying operating system. The main drawback is that the logged information is limited and mostly concerns known activity, and low-interaction honeypots are easier for attackers to spot than high-interaction ones; even a well-configured low-interaction honeypot can be identified by a skilled attacker. Examples of low-interaction honeypots are Specter, Honeyd and KFSensor.

High-interaction honeypots are complex solutions that use real applications and operating systems, giving the attacker a genuine environment rather than a simulation. To build a Linux honeypot with an FTP server, for instance, a real Linux system is set up and runs a real FTP server. This has two main advantages: a great deal of information can be captured by observing the attacker's behaviour on a real system, and the environment is open, recording everything without any preconceived idea of what the attacker will do. The risk is correspondingly higher, since the attacker may use the real system to attack non-honeypot systems. A high-interaction honeypot can do everything a low-interaction one does and yields deeper insight, but it is more complex to deploy and maintain. Examples are Symantec Decoy Server and Honeynet.

To understand how the two types work, we start with the low-interaction honeypot Honeyd.

Honeyd is an open-source low-interaction honeypot for Unix systems, developed by Niels Provos. It monitors unused IP address space and accepts connections to those addresses, playing the victim to engage the attacker. By default Honeyd detects and logs any connection to any TCP or UDP port, and it can be configured to simulate specific services, such as an FTP server on port 21. When an attacker connects to a simulated service, Honeyd logs the activity and captures the interaction, which can reveal the account used and the commands issued. How good the simulation is depends on the configuration: the service script is written to expect specific behaviour and to respond accordingly. If the attacker does something the script does not expect, Honeyd typically returns an error message, a limitation common to all low-interaction honeypots.
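As an added example (not Honeyd's own web.sh or any script shipped with it, and not from the thesis), here is a Python sketch of the kind of service script a low-interaction honeypot runs behind port 21: it returns a plausible banner, accepts any USER/PASS so that the commands that follow are captured, handles a few commands, and answers anything unexpected with an error, which is exactly the limitation described above. The banner text and the replayed session are constructed.

```python
class FakeFtpService:
    """Low-interaction emulation of an FTP control channel."""

    BANNER = "220 ftp.example.test FTP server ready."   # constructed banner

    def __init__(self):
        self.log = []              # every line the attacker sent
        self.user = None
        self.authenticated = False
        self.closed = False

    def handle(self, line):
        """Answer one client command and record it."""
        line = line.rstrip("\r\n")
        self.log.append(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            return f"331 Password required for {arg}."
        if verb == "PASS":
            if self.user is None:
                return "503 Login with USER first."
            self.authenticated = True      # any password works: we want the next commands
            return f"230 User {self.user} logged in."
        if verb == "QUIT":
            self.closed = True
            return "221 Goodbye."
        if not self.authenticated:
            return "530 Please login with USER and PASS."
        if verb == "SYST":
            return "215 UNIX Type: L8"
        if verb == "PWD":
            return '257 "/" is the current directory'
        if verb == "TYPE":
            return "200 Type set to I." if arg.upper() == "I" else "200 Type set to A."
        if verb in ("PASV", "PORT", "LIST", "RETR", "STOR", "SITE"):
            # The emulation stops here: there is no data channel to open.
            return "425 Can't open data connection."
        # Everything else is outside what the script was written to expect.
        return "500 Command not understood."


def replay(commands):
    """Run a constructed attacker session; return the service and transcript."""
    svc = FakeFtpService()
    transcript = [("S", svc.BANNER)]
    for cmd in commands:
        transcript.append(("C", cmd))
        transcript.append(("S", svc.handle(cmd)))
        if svc.closed:
            break
    return svc, transcript


# Constructed session: anonymous login followed by a command-execution attempt.
SAMPLE_SESSION = ["USER anonymous", "PASS guest@", "SYST",
                  "SITE EXEC /bin/sh -c id", "QUIT", "USER root"]

if __name__ == "__main__":
    svc, transcript = replay(SAMPLE_SESSION)
    for side, text in transcript:
        print(f"{side}: {text}")
    print("captured:", svc.log)
```

Everything of value is in `svc.log` (account tried, the SITE EXEC attempt); the fixed "425" and "500" answers are also what gives the honeypot away to an attacker who knows what a real server would say, which is the detectability trade-off discussed above.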

Some honeypots, like Honeyd, can simulate not only services but also operating systems, appearing as a Cisco router, a Windows XP web server or a Linux DNS server. This has several advantages: the honeypot blends into the existing network by mimicking the appearance and behaviour of real systems, and specific attackers can be targeted by offering the systems and services that match their objectives or interests. The simulation has two parts: the simulated service and the behaviour of the operating system. If a web server is simulated on what appears to be a Windows 2000 server, it should behave like an IIS web server, whereas a Linux server would simulate Apache. Most honeypots stop there, but more sophisticated ones such as Honeyd simulate at a deeper level, including the IP stack. When an attacker uses active fingerprinting to identify the operating system, most honeypots answer with the IP stack of the system they are installed on; Honeyd deceives at both levels, service and IP stack. The depth and sophistication of the simulation thus vary with the honeypot technology used.

Honeynet is an example of a high-interaction honeypot. It is not a software product installed on a computer but a network architecture designed to be attacked: a controlled environment in which real applications run and every activity is monitored and captured. Attackers interact with the systems without realizing they are inside a Honeynet; their actions, including encrypted SSH sessions, email and file downloads, are recorded without their knowledge by modules inserted into the victim system's kernel. At the same time the Honeynet controls the attacker's activity through a Honeywall gateway, which lets inbound traffic reach the victim systems but controls outbound traffic with intrusion-prevention technology. The attacker thus keeps freedom of interaction while being prevented from harming non-Honeynet systems.

An example honeynet deployment is shown in the following figure:

By purpose, honeypots fall into two families: research honeypots and production honeypots used as a protective product by an organization. Used for production, honeypots help to predict, detect and respond to attacks, and so protect the organization. Used for research, they gather information whose value depends on the organization's goals: some organizations study attacker trends, others want early warning and prediction. Low-interaction honeypots are typically used for production and high-interaction ones for research, but the roles can be swapped.

A honeypot helps prevent attacks in several ways. First, it defends against automated attacks such as worms or auto-rooters, which use tools that scan network addresses at random looking for vulnerable systems; when a vulnerability is found, the tool exploits it to gain unauthorized access.

Honeypots counter these attacks by slowing down scans and distracting the attacker. Sticky honeypots (tarpits) occupy all the unused IP addresses, answer the scans and slow the attacker's progress with tricks such as TCP zero-window responses. Against human attackers, honeypots create deception and deterrence: the attacker wastes time interacting with them, which gives the organization time to detect the malicious activity and respond. Even an attacker who knows honeypots are deployed cannot tell the legitimate systems from the decoys, which increases his risk of hitting a decoy and may lead him to give up. An example of such a honeypot is the Deception Toolkit, a low-interaction honeypot.

Integration of honeypots into a global protection architecture

This part looks at integrating honeypots into a comprehensive security architecture, focusing on the installation of Honeyd as a low-interaction honeypot. The distinct characteristics of low- and high-interaction honeypots described above determine how each fits into a protection strategy.

Honeyd is a honeypot that deploys virtual machines on the network using unused IP addresses, in order to detect fraudulent activity. Its goal is to identify known attacks and to uncover new threats by observing the behaviour of attackers.

Honeyd runs on Unix-like systems (Linux, Solaris and the BSD derivatives) and has also been ported to Windows by Roger A. Grimes. The daemon creates virtual hosts on the network using unassigned IP addresses and configures them through templates that mimic specific operating systems. Honeyd must be used together with the Arpd tool or with proxy ARP: Arpd answers ARP requests for the unallocated IP addresses so that traffic for them is delivered to the Honeyd machine, and Honeyd then handles the exchanges with the attacker, simulating the services and answering ICMP requests. Without Arpd or proxy ARP, no traffic for those addresses reaches Honeyd.

The libraries needed to compile honeyd are libpcap, libdnet and libevent.

Assuming the required packages have been downloaded and placed in the same directory:

# tar xzf libevent-1.7.tar.gz

# tar xzf libpcap-0.8.1.tar.gz

# tar xzf libdnet-1.7.tar.gz

# tar xzf honeyd-0.8.tar.gz

- Building these packages requires a number of other tools; if your system lacks them, install them first: bison, yacc, python...

- If you do not have Python installed, build honeyd without its Python support by adding the --without-python option to the ./configure command line.

- If you still have difficulties installing or using honeyd, you can download the precompiled version of

In this part I do not go into how to use the commands that make up a configuration file; for the details see http://www.citi.umich.edu/u/provos/honeyd/honeyd-man.pdf

I concentrate only on the network architectures simulated by Honeyd. The configuration file is passed to honeyd as the argument of the -f option, for example:

./honeyd -f honeyd.conf

Honeyd reads the configuration file and creates every required component according to the command on each line. It also relies on the following data files:

- Nmap.fingerprints: stores all the personalities under their defined names; a personality can be referenced in the configuration file to change the behaviour of a simulated TCP stack

- Nmap.assoc: contains the fingerprint associations for xprobe

- Xprobe2.conf: determines how honeyd reacts to ICMP fingerprinting tools

Configuring a simple virtual network

Suppose we want to create two Windows machines on a virtual network with the IP addresses 192.168.160.3 and 192.168.160.4. The configuration file is named honey.conf.simple and contains:

create Windows                                   # create a template
set Windows personality "Microsoft Windows XP"   # choose the OS and its fingerprint in the database (the name must match an entry in the Nmap fingerprint file exactly)
add Windows tcp port 80 "sh scripts/web.sh"      # behaviour of port 80: simulated web server
add Windows tcp port 139 open
add Windows tcp port 137 open
add Windows udp port 137 open
add Windows udp port 135 open
set Windows default tcp action reset
set Windows default udp action reset
bind 192.168.160.3 Windows                       # first Windows machine
bind 192.168.160.4 Windows                       # second Windows machine

The purpose of a template is to define one configuration shared by all the machines that behave the same way. Instead of configuring ten Windows XP machines one by one, a single template is created and the bind command links ten IP addresses to it, producing ten machines with very little effort.

In the configuration above, four open ports are added, two TCP and two UDP, and the default action for both protocols is set to reset, so every other port answers as closed.

The following figure illustrates the simple virtual network.

Configurer un réseau virtuel avec un routeur

The goal of this configuration is to build a network made of sub-networks joined by a router. Two more Windows machines, with the IP addresses 192.168.161.11 and 192.168.161.12, are placed behind a router whose IP address is 192.168.160.100 (network 192.168.160.1/24). The content of the file is:

    create Windows                                   # create a template
    set Windows personality "Microsoft Windows XP"   # choose the operating system and its fingerprint in the database
    add Windows tcp port 80 "sh scripts/web.sh"      # behaviour of port 80: a simulated web server
    add Windows tcp port 139 open
    add Windows tcp port 137 open
    add Windows udp port 137 open
    add Windows udp port 135 open
    set Windows default tcp action reset
    set Windows default udp action reset
    bind 192.168.160.3 Windows                       # create the first Windows machine
    bind 192.168.160.4 Windows                       # create the second Windows machine
    create Router                                    # create the router template
    set Router personality "Cisco IOS 11.3"          # choose the type of router
    set Router default tcp action reset
    set Router uid 32767 gid 32767                   # run the router's scripts under an unprivileged uid/gid
    add Router tcp port 23 "perl scripts/router-telnet.pl"   # router behaviour: the Perl telnet script (file name as shipped with honeyd; the listing only says "Perl telnet script")
    bind 192.168.160.100 Router                      # the router's address
    route entry 192.168.160.100 network 192.168.160.0/24     # network in front of the router
    route 192.168.160.100 link 192.168.161.0/16      # network reached through the router
    bind 192.168.161.11 Windows                      # create the third Windows machine
    bind 192.168.161.12 Windows                      # create the fourth Windows machine

The following figure illustrates the virtual network with a router.

The configuration file is honeyd.conf.router.

Configuring a virtual network connected to real machines

In this architecture I reuse the previous one and add a real machine with the IP address 192.168.160.2/24, which needs only one more line in the configuration file: bind 192.168.160.2 to ethernet

In our case the ethernet interface is vmnet1, because I use VMware.

The configuration file is honeyd.conf.reel.

Configuring a complex virtual network

In this configuration I use different fingerprints to create both Windows and Linux machines. The network also includes a router and a real Windows machine, which is used as the test machine. The configuration file is honeyd.conf.compl. Its content is:

    create Windows                                   # create a template
    set Windows personality "Microsoft Windows XP"   # fingerprint
    add Windows tcp port 80 "sh scripts/web.sh"      # behaviour of port 80: a simulated web server
    add Windows tcp port 139 open
    add Windows tcp port 137 open
    add Windows udp port 137 open
    add Windows udp port 135 open
    set Windows default tcp action reset
    set Windows default udp action reset
    bind 192.168.160.3 Windows                       # create the first Windows machine
    bind 192.168.160.4 Windows                       # create the second Windows machine
    create Linux                                     # create a second template
    set Linux personality "<Linux fingerprint>"      # a Linux fingerprint from the database; the exact name is not legible in the source listing
    add Linux tcp port 139 open
    add Linux tcp port 137 open
    add Linux udp port 137 open
    add Linux udp port 135 open
    set Linux default tcp action reset
    set Linux default udp action reset
    bind 192.168.160.5 Linux                         # create the first Linux machine
    create Router                                    # create the router template
    set Router personality "Cisco IOS 11.3"          # choose the type of router
    set Router default tcp action reset
    set Router uid 32767 gid 32767                   # run the router's scripts under an unprivileged uid/gid
    add Router tcp port 23 "perl scripts/router-telnet.pl"   # router behaviour: the Perl telnet script (file name as shipped with honeyd; the listing only says "Perl telnet script")
    bind 192.168.160.100 Router                      # the router's address
    route entry 192.168.160.100 network 192.168.160.0/24     # network in front of the router
    route 192.168.160.100 link 192.168.161.0/16      # network reached through the router
    bind 192.168.161.11 Windows                      # create the third Windows machine
    bind 192.168.161.12 Windows                      # create the fourth Windows machine
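As an added example (my own code, not from the thesis or the honeyd project), a small Python checker for configuration files of the kind shown in the sections above: it parses the create/set/add/bind/route commands and reports binds to undefined templates, protocols with ports added but no default action, route networks with host bits set, and bound addresses that no route entry or link covers. The sample configuration inside it is constructed in the style of honeyd.conf.router; "route ... add net" lines are not handled.

```python
import ipaddress
def check_honeyd(text):
    """Parse the create/set/add/bind/route lines of a honeyd.conf and return the problems found."""
    templates, binds, routes, problems = {}, {}, [], []
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()  # strip comments; blank lines give []
        if not tok:
            continue
        if tok[0] == "create":
            templates[tok[1]] = {"personality": None, "defaults": set(), "ports": []}
        elif tok[0] in ("set", "add"):
            tpl = templates.get(tok[1])
            if tpl is None:
                problems.append(f"line {n}: {tok[0]} on undefined template {tok[1]}")
            elif tok[0] == "set" and tok[2] == "personality":
                tpl["personality"] = " ".join(tok[3:]).strip('"')
            elif tok[0] == "set" and tok[2] == "default":
                tpl["defaults"].add(tok[3])  # tcp / udp / icmp
            elif tok[0] == "add":
                tpl["ports"].append((tok[2], int(tok[4])))  # (proto, port)
        elif tok[0] == "bind":  # "bind ip to iface" hands the address to a real machine
            binds[tok[1]] = "real:" + tok[3] if tok[2] == "to" else tok[2]
        elif tok[0] == "route" and (tok[1] == "entry" or tok[2] == "link"):
            cidr = tok[4] if tok[1] == "entry" else tok[3]
            net = ipaddress.ip_network(cidr, strict=False)
            if str(net) != cidr:  # e.g. 192.168.161.0/16 is really 192.168.0.0/16
                problems.append(f"line {n}: {cidr} has host bits set, honeyd will use {net}")
            routes.append(net)
    for name, tpl in templates.items():  # ports added for a protocol whose default is unset
        for proto in {p for p, _ in tpl["ports"]} - tpl["defaults"]:
            problems.append(f"template {name}: {proto} ports added but no default {proto} action")
    for ip, tpl in binds.items():
        if not tpl.startswith("real:") and tpl not in templates:
            problems.append(f"bind {ip}: template {tpl} is not defined")
        elif routes and not any(ipaddress.ip_address(ip) in net for net in routes):
            problems.append(f"bind {ip}: no route entry or link covers this address")
    return problems
# Constructed sample in the style of the thesis's honeyd.conf.router, with three deliberate mistakes.
SAMPLE = """create Windows
set Windows personality "Microsoft Windows XP"
set Windows default tcp action reset
add Windows tcp port 80 "sh scripts/web.sh"
add Windows udp port 137 open   # udp port added but no default udp action
bind 192.168.160.3 Windows
create Router
bind 192.168.160.100 Router
route entry 192.168.160.100 network 192.168.160.0/24
route 192.168.160.100 link 192.168.161.0/16   # host bits set, /24 was meant
bind 192.168.161.11 Linux   # template never created
"""
```

Running check_honeyd(SAMPLE) reports the three mistakes and nothing else; a consistent file yields an empty list.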

A tool for creating the honeyd configuration file

It is a small tool that makes it easy to create a configuration file through a graphical interface, in about five minutes. I developed it during the internship with KDevelop and QT on Mandrake 9.2. It offers three main categories: Template, Bind and Route. The main commands are add and set, and external functions let the user open a configuration file, save the configuration to a file, and reorder the lines of the configuration.

This is version 1, so it still has restrictions; I will correct them in the next version.

The following image shows the main interface of this tool.

Running Honeyd and analysing the captured data

- The host machine is a Linux Red Hat 9.0 machine with the IP address 192.168.160.1, on which arpd and honeyd are installed.

- Another machine, called the test machine, runs Windows.
