
Leading hackers down the garden path

Suen Yek Edith Cowan University syek@student.ecu.edu.au

Abstract
Can a hacker be controlled by predetermined deception? Limiting the decision making capabilities of hackers is one technique of network countermeasure that a honeynet enables. By furnishing a honeynet with a realistic range of services but restricted vulnerabilities, a hacker may be forced to direct their attacks to the only available exploits. This research discusses the deployment of a honeynet configured with a deceptive TELNET and TFTP exploit. Four hackers were invited to attack the honeynet and the analysis of their compromise identified if they engaged in a guided pathway to the intended deception. Hand trace analysis was performed on network log files to determine their primary attack vector. Conceptual analysis and frequency analysis methods were adopted to verify the hackers' compromise and subsequent deception. The results demonstrated how three out of four hackers were led down a misguided pathway of network deception.

Keywords
honeynet, attack vector, Leximancer conceptual analysis, network deception

INTRODUCTION
In the realms of network security, deceptive techniques may provide an advantage by deterring hackers from genuine systems, and the goal may be to monitor the modus operandi of an attack. Honeypots are digital entities that utilise deception as their primary mechanism and may do so by emulating the behaviours of a single device or a whole network of devices. Additionally, the honeypot may be constructed to emulate network services utilising the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols. Deceptive techniques can be used to prevent, detect, and gather information on hacker activity. There exist a near infinite number of honeypot variant architectures to select from when constructing a deceptive network, and there are numerous open source and commercial honeypot solutions.

Honeyd is a type of honeynet implementation that creates virtual devices and networks by simulating the operating network stack of configured hosts. Honeyd is able to deceive directed and automated attacks through the purposeful simulation of lower and upper layer network protocols within the Open Systems Interconnect (OSI) reference model. This research utilised a purpose built honeyd honeynet that emulated a wireless bridge as an entry point to a virtual Local Area Network (LAN) of servers, client machines and networking infrastructure. Each of the hosts was configured with a range of services and applications, and network routing enabled the discovery of the network's topology. The honeynet emulated chosen vulnerabilities that were designed to direct the hackers' compromise of an emulated TELNET vulnerability on a Cisco 7206 router running IOS 11.7 and a subsequent Trivial File Transfer Protocol (TFTP) vulnerability on the honeynet gateway.

Studies have shown how attack vectors can be predicted and reliably controlled by articulated deception induced by a honeynet. Cohen and Koike investigated how types of network attack were impacted by the deceptive strategy used. The authors designed attack trees to identify pathways of attack. In this research, it was intended that the honeynet configuration would limit a hacker's decision making capabilities and lead them to exploit the only available vulnerabilities that were tailored by the honeynet. The honeynet's log files for each hacker were collected and a combination of analyses was performed to determine the pathway of attack the hackers pursued to reach the intended exploits.

The author performed hand trace analysis on the honeynet log file collected from each hacker. The hand trace analysis involved manual tracing of each network packet to determine the chronological and sequential activities of the hackers. From the hand traces, the primary attack vector of each hacker was determined. The attack vectors illustrated the pathway of activities each hacker engaged in to reach the intended TELNET and TFTP vulnerabilities in the honeynet. The research showed that three out of four hackers were deceived by the honeynet and their directed deception could be identified.

The results of the hand traced analysis and subsequent attack vectors of each hacker were verified through content and frequency analyses of the network data. The Statistical Package for the Social Sciences (SPSS) was used to summarise the frequency distributions of source IP, destination IP and protocol activity involving the honeynet. Content analysis of the honeynet's collected log files for each hacker was performed using the data mining tool Leximancer. The descriptive statistics generated by SPSS and the conceptual maps created by Leximancer were able to validate the hackers' exploit of the intended TELNET and TFTP vulnerabilities that were directed by the honeynet.

Explanation of the honeynet's emulated vulnerabilities

A Cisco router exploit was chosen as the emulated vulnerability for hackers to discover and exploit for two reasons. Firstly, routers are a targeted point because of their potential accessibility to the entire network. Routers may be used as a platform to conduct network scanning and as a launching point for Denial of Service (DoS) attacks internally or externally to the network. Secondly, there is an overwhelming number of DoS vulnerabilities on routers or the use of routers for network compromise, as indicated by the number of CERT incidents and vulnerabilities reported predominantly involving the Cisco IOS platforms. The Cisco Simple Network Management Protocol (SNMP) exploit for gaining a router's configuration file via TFTP and construction of a Generic Routing Encapsulation (GRE) tunnel is particularly well documented.

For these reasons, a TELNET service was created on one of the honeynet's hosts that emulated a Cisco 7206 router running IOS 11.7. This Cisco router stored a configuration file that could be viewed through brute forced guessing of the router's TELNET login username and password. The router configuration file could be viewed through the TELNET service, which was vulnerable to the TFTP weakness. Through detecting and viewing the Access List Controls (ACLs) in the router's configuration file, a hacker could download and view the file and subsequently resend a modified configuration file back to the honeynet. This stage of the exploit was a proof of concept, and if the hacker accomplished a TFTP GET and SET of a modified configuration file, the conjecture was that the honeynet was able to direct their exploit through deception.

Figure 1 shows a logical configuration of the honeynet's emulated hosts and network topology. The intended exploits were designed as a TELNET service that allowed remote wireless access into the router configuration dialogue. This exploit was emulated on the Cisco 7206 router running IOS 11.1 on the IP address 172.16.3.1. The router configuration file for the Cisco router could be downloaded using TFTP from the honeynet's gateway IP address of 192.168.1.1. The hackers were required to spoof their IP address to 192.168.1.2 according to the router configuration's ACL. By viewing the router configuration file, the ACLs permitting TFTP access could be discovered and subsequently exploited.
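The deception described above turns on a honeynet operator being able to see, in the captured UDP traffic, who asked the gateway for the router configuration file, whether they asked to read or to write it, and whether the requesting address was the one the ACL permits. The following Python is an added example written for this page, not code from the paper or from honeyd: it decodes TFTP read and write requests (RFC 1350 layout: two-byte opcode, NUL-terminated filename, NUL-terminated mode) and audits a list of logged datagrams against a set of watched file names and the ACL-permitted source addresses. The file name router.conf, the function names, and the sample datagrams are all assumptions of this example; only the addresses 192.168.1.1, 192.168.1.2 and 172.16.3.1 come from the paper.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# TFTP opcodes from RFC 1350; only the two request types matter for this check
RRQ, WRQ = 1, 2
OPCODE_NAMES = {RRQ: "read request", WRQ: "write request"}
VALID_MODES = {"netascii", "octet", "mail"}


@dataclass
class TftpRequest:
    opcode: int
    filename: str
    mode: str


@dataclass
class Flow:
    """One logged UDP datagram: who sent it, to whom, and the TFTP payload."""
    src: str
    dst: str
    payload: bytes


def build_request(opcode: int, filename: str, mode: str) -> bytes:
    """Encode an RRQ/WRQ exactly as a client puts it on the wire:
    2-byte opcode, NUL-terminated filename, NUL-terminated mode."""
    return (opcode.to_bytes(2, "big")
            + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def parse_tftp_request(payload: bytes) -> Optional[TftpRequest]:
    """Decode the first packet of a transfer. DATA, ACK and ERROR packets,
    and anything that does not follow the RRQ/WRQ layout, yield None."""
    if len(payload) < 4:
        return None
    opcode = int.from_bytes(payload[:2], "big")
    if opcode not in OPCODE_NAMES:
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 2 or not fields[0]:
        return None
    try:
        filename = fields[0].decode("ascii")
        mode = fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        return None
    if mode not in VALID_MODES:
        return None
    return TftpRequest(opcode, filename, mode)


def audit_tftp(flows: Iterable[Flow], config_files: Set[str],
               acl_permitted: Iterable[str]) -> List[Dict[str, object]]:
    """One finding per read or write request for a watched file, recording
    whether the requesting source IP is one the router ACL permits."""
    permitted = {ipaddress.ip_address(a) for a in acl_permitted}
    findings = []
    for flow in flows:
        req = parse_tftp_request(flow.payload)
        if req is None or req.filename not in config_files:
            continue
        findings.append({
            "src": flow.src,
            "dst": flow.dst,
            "action": OPCODE_NAMES[req.opcode],
            "file": req.filename,
            "mode": req.mode,
            "acl_match": ipaddress.ip_address(flow.src) in permitted,
        })
    return findings


# Constructed sample traffic (not from the paper's log files): a request to the
# wrong host from a non-permitted address, then a read and a write of the
# configuration file at the gateway from the ACL-permitted address 192.168.1.2.
SAMPLE_FLOWS = [
    Flow("192.168.1.10", "172.16.3.1", build_request(RRQ, "router.conf", "netascii")),
    Flow("192.168.1.2", "192.168.1.1", build_request(RRQ, "router.conf", "netascii")),
    Flow("192.168.1.1", "192.168.1.2", b"\x00\x03\x00\x01hostname honeynet-router\n"),  # DATA block 1
    Flow("192.168.1.2", "192.168.1.1", build_request(WRQ, "router.conf", "octet")),
    Flow("192.168.1.2", "192.168.1.1", build_request(RRQ, "motd.txt", "octet")),  # not a watched file
]

if __name__ == "__main__":
    for finding in audit_tftp(SAMPLE_FLOWS, {"router.conf"}, ["192.168.1.2"]):
        print(finding)
```

A finding with acl_match false is a hacker who has not yet read the ACL; a write request with acl_match true is the proof-of-concept stage the paper describes (the configuration file sent back modified), so in a real deployment that is the event to alert on. DATA and ACK packets are deliberately ignored: the request packet alone names the file and the direction of transfer.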

Figure 1

Honeynet logical configuration of hosts and network topology

[Figure not reproduced. Hosts shown in the diagram, with their emulated platforms and IP addresses: Cisco WGB350 802.11b WorkGroup Bridge 172.16.1.2; DSL Router: Flowpoint 144/22XX v3.0.8 or SpeedStream 5851 v4.0.5.1 172.16.1.1; 3Com Access Builder 4000 Switch 172.16.2.1; FreeBSD 5.0-RELEASE 172.16.2.2 and 172.16.2.4; NetBSD 1.6 172.16.2.3; Lantronix EPS 2 print server Version V3.5/2(970721) 172.16.2.5; Cisco 7206 router (IOS 11.1(17) at 172.16.3.1, 172.16.4.1 and 172.16.5.1; NetBSD 1.6 172.16.3.2 and 172.16.3.3; Apple Color LaserWriter 12/660 PS (Model No. M3036) 172.16.4.2; Windows Desktop PC 172.16.4.3-172.16.4.13; Apple Color LaserWriter 600 Printer 172.16.5.2; Apple Mac OS 7.1 172.16.5.3-172.16.5.13. The 172.16.2.0 segment is labelled DMZ.]

METHOD
The aim of the hand trace analysis was to establish the attack vector adopted by the hackers and to determine whether they followed the predetermined pathway of deception to the intended TELNET and TFTP vulnerabilities implemented through the honeynet. The hand trace analysis was conducted by the author by manually examining the log files and illustrating the stages of activity the hackers engaged in from their choice of source and destination IP addresses and protocols used. The honeynet's log files were not altered for this analysis and subsequently, the hand traces showed the different pathways each hacker potentially adopted. Ellipses containing the hackers' activity were drawn to identify the attack pathway taken by the hacker to reach the intended exploits. In the hand traces, several activities appear to be clustered together or stem from a single nexus, which indicated that the hacker attempted several options before discovery of a nexus point from which they could advance further. The red encircled ellipses identify the primary attack vector for each hacker.

The collected honeynet log files were then filtered for the statistical analysis. The source and destination IP addresses of the hackers and the honeynet, in addition to the protocols associated with those IP addresses, were used to perform frequency analysis. The data was statistically analysed using descriptive analysis, which was a method of summarising the log files. Frequency distribution of the hackers' source IPs, the hackers' choice of destination IPs within the honeynet, and the protocols the hackers used was the data utilised for generating the descriptive information. The use of statistical software packages such as SPSS facilitated the analysis process by eliminating human error and speeding up the analytical process in the case of large data sets such as the log files.

Content analysis was performed on the log files using the tool Leximancer. Leximancer creates conceptual maps from data mining and analysing the content of information. The tool is able to visually display identified conceptual themes, their attributes and the interrelationships between concepts. The process of content analysis integrates a systematic approach to identifying content categories from text using explicit coding rules. The combined hand trace, frequency analysis and content analysis methods were used to identify if the hackers followed the predetermined pathway set by the honeynet's deceptive strategies and verified if the exploits occurred.
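The two mechanical parts of the method above, the frequency distribution of source IP, destination IP and protocol, and the chronological reduction of a log into an attack vector restricted to honeynet hosts, can be reproduced from a packet log without SPSS. The Python below is an added example for this page, not the author's workflow or output: it assumes a simplified one-packet-per-line log format ("timestamp source destination protocol"), builds the per-source, per-destination protocol counts that the paper's tables present, and derives an ordered attack vector by keeping only packets to hosts inside the honeynet networks or to its gateway and collapsing consecutive repeats of the same step. The sample log, the function names and the 10.9.9.9 out-of-honeynet address are constructed for the example; the honeynet addresses come from the paper.

```python
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Record(NamedTuple):
    ts: str     # timestamp as logged; only its ordering matters here
    src: str
    dst: str
    proto: str


# Constructed sample log, not taken from the paper's honeynet. Line format is an
# assumption of this example: "<timestamp> <src ip> <dst ip> <protocol>".
SAMPLE_LOG = """\
12:00:01 192.168.1.2 192.168.1.1 ICMP
12:00:02 192.168.1.2 192.168.1.1 ICMP
12:00:05 192.168.1.2 172.16.1.2 TCP
12:00:06 192.168.1.2 172.16.1.2 TCP
12:00:07 192.168.1.2 172.16.1.2 TELNET
12:00:09 192.168.1.2 10.9.9.9 ICMP
12:00:10 192.168.1.2 172.16.3.1 ICMP
12:00:11 192.168.1.2 172.16.3.1 TELNET
12:00:12 192.168.1.2 172.16.3.1 TELNET
12:00:20 192.168.1.2 172.16.3.1 TFTP
12:00:25 192.168.1.2 192.168.1.1 TFTP
12:00:26 192.168.1.2 192.168.1.1 TFTP
"""


def parse_log(text: str) -> List[Record]:
    """One Record per well-formed line; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        records.append(Record(*parts))
    return records


def protocol_frequencies(records: Iterable[Record]) -> Dict[str, Dict[str, Counter]]:
    """Count of each protocol per (source IP, destination IP) pair."""
    freq: Dict[str, Dict[str, Counter]] = defaultdict(lambda: defaultdict(Counter))
    for r in records:
        freq[r.src][r.dst][r.proto] += 1
    return freq


def destination_totals(records: Iterable[Record]) -> Counter:
    """Total packets received per destination IP, for ranking hosts."""
    return Counter(r.dst for r in records)


def attack_vector(records: Iterable[Record], honeynet_nets: Iterable[str],
                  gateway: str) -> List[Tuple[str, str, str]]:
    """Chronological (src, proto, dst) steps against honeynet hosts or the
    gateway; traffic to anything else is dropped, as the honeynet firewall
    would have dropped it, and consecutive repeats collapse to one step."""
    nets = [ipaddress.ip_network(n) for n in honeynet_nets]
    gw = ipaddress.ip_address(gateway)
    steps: List[Tuple[str, str, str]] = []
    for r in sorted(records, key=lambda rec: rec.ts):
        dst = ipaddress.ip_address(r.dst)
        if dst != gw and not any(dst in n for n in nets):
            continue
        step = (r.src, r.proto, r.dst)
        if not steps or steps[-1] != step:
            steps.append(step)
    return steps


def render_frequency_table(freq: Dict[str, Dict[str, Counter]]) -> str:
    """Plain-text table in the layout of the paper's protocol frequency tables."""
    lines = [f"{'SOURCE IP':<14}{'DESTINATION IP':<16}{'PROTOCOL':<10}FREQUENCY"]
    for src, dsts in freq.items():
        for dst, protos in dsts.items():
            for proto, n in protos.most_common():
                lines.append(f"{src:<14}{dst:<16}{proto:<10}{n:,}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(render_frequency_table(protocol_frequencies(recs)))
    for step in attack_vector(recs, ["172.16.0.0/16"], "192.168.1.1"):
        print(" -> ".join(step))
```

Collapsing only consecutive repeats, rather than keeping the first occurrence of each step, preserves a return to an earlier host (a hacker going back to the TELNET session after a failed TFTP attempt), which is exactly the kind of sequence the hand trace is meant to expose.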

HACKER ANALYSIS
Hacker 1 Analysis

The hand trace analysis of the honeynet log file for hacker 1 is shown in Figure 3. The red circles highlighted the primary attack vector taken to reach the intended exploits. Only the IP addresses representing hosts within the honeynet, the honeynet IP address of 192.168.1.1 and the hacker's chosen source IP address(es) were identified in the attack vector. The reason for limiting the attack vector to these hosts was because the research intended to demonstrate where the honeynet was able to direct the hackers. Other IP address spaces that were not within the 172.16.0.0/24 network of the honeynet were shown in the hand trace, although not in the attack vector. The honeynet firewall would have blocked responses to network packets that were directed to destination IP addresses not within the honeynet.

The primary attack vector for hacker 1 in Figure 2 indicated the following activities in the honeynet:
- hacker 1 adopted the IP address 192.168.1.2
- ICMP PING request to 192.168.1.1
- attempted TELNET on 172.16.1.2
- NMAP SYN scan on 172.16.1.2
- ICMP PING request to 172.16.2.1
- ICMP PING request to 172.16.3.1
- initiated TELNET on 172.16.3.1
- attempted TFTP on 172.16.3.1
- initiated TFTP on 192.168.1.1
Figure 2

Hand traced attack vector of hacker 1

[Figure not reproduced: a hand trace diagram of ellipses, each labelled with a protocol and destination IP address, with the primary attack vector encircled in red.]

Frequency statistics generated by SPSS for the destination IP addresses within the honeynet that hacker 1 interacted with showed that host 172.16.3.1 received the most network packets. This host was the Cisco 7206 router (IOS 11.1(17) containing the TELNET vulnerability and its frequency was 61,038 occurrences. Hacker 1 interacted with three other hosts within the honeynet, which were 172.16.1.1, 172.16.1.2 and 172.16.2.1, in addition to the honeynet gateway 192.168.1.1. The frequencies of these hosts were significantly less than the 172.16.3.1 host, with less than 10,000 occurrences. The 192.168.1.1 host with the TFTP vulnerability received 2,326 network packets from hacker 1.

Table 1 shows the frequency of the protocols for each of the destination IP addresses identified in Figure 1. In Table 1, only one source IP address was detected by SPSS, which was 192.168.1.2 as indicated in the attack vector. For the destination IP address 172.16.3.1, the TELNET and TFTP protocols are highlighted. The protocol frequency for the TELNET service on destination IP address 172.16.3.1 was the highest compared to TELNET attempts made on other destination IP addresses.

The TFTP protocol was also highlighted for the destination IP address 172.16.3.1 as the calculated frequency was highest at 3,060. Even though the TFTP connections could not be achieved on the 172.16.3.1 host, it was identified in the attack vector that hacker 1 originally attempted the TFTP exploit on that host running the remote Cisco router configuration through TELNET. The TFTP protocol was also detected with a frequency of 66, which was the next highest frequency detected, for the destination IP address 192.168.1.1. This IP address was the intended host for the hacker to initiate the TFTP connection and download the router configuration file. Table 1 also indicated that the highest frequency for the protocols used by hacker 1 was TCP.

Table 1

Protocol frequencies per destination IP address for hacker 1

SOURCE IP      DESTINATION IP   PROTOCOL   FREQUENCY
192.168.1.2    172.16.1.1       ICMP       97
                                TCP        5,110
                                TELNET     53
                                HTTP       1
                                UDP        21
               172.16.1.2       ICMP       14
                                TCP        6,809
                                TELNET     37
                                UDP        8
               172.16.2.1       ICMP       23
                                TCP        1
               172.16.3.1       ICMP       1,149
                                TCP        56,638
                                TELNET     189
                                TFTP       3,060
                                UDP        2
               192.168.1.1      ICMP       2,260
                                TFTP       66

Figure 3 shows a conceptual map of hacker 1's exploit. The large circles identify major concepts such as the source and destination IP address 192.168.1.2, as Leximancer detected that IP address occurring most frequently in the log file. Other major concepts identified include the protocol TFTP and the attributes that were located in close proximity to that protocol. These attributes are shown in the large red box and include the words Acknowledgement, file router, netascii and octet. The smaller red box highlights the TELNET activity. Attributes that were associated with TELNET on host 172.16.3.1 shown in Figure 3 include the source IP 172.16.3.1, Telnet_Data and login.

Figure 3

Conceptual map of hacker 1's exploit

Hacker 2 Analysis

Hackers 2 and 3 chose to perform their attacks together. Four identities were used to name four different IP addresses in this round of attack. Shadowed ellipses indicated that both hackers engaged in the same activity at approximately the same time. Figure 4 illustrates the attack vector for hacker 2; however, the hand trace for both the hackers was combined in the same analysis. Figure 4 indicated a source IP address of 192.168.1.10 for hacker 2 and 192.168.1.100 for hacker 3. Hacker X and hacker Y were labelled independently as the log file indicated multiple source addresses not originating from the honeynet. The positioning of hacker X at source IP address 172.16.1.2 indicates the approximate time when this IP address appeared in the log file. There were less than five packets generated from this source IP address, excluding the honeynet; therefore, they did not impact on the results or analysis.

The location of hacker Y at source IP address 192.168.1.11 was also positioned in the hand trace analysis at the approximate time when the IP address appeared in the log file. From the sequence of activities, it was determined that hacker X and Y were most likely hacker 2. This deduction meant that hacker 2 adopted two or more simultaneous IP addresses during their attack. The author's observation of hacker 2's conversation with hacker 3 also supported this inference.

The hand trace analysis of hackers 2 and 3 commenced with a range of ICMPv6, Simple Service Delivery Protocol (SSDP), Domain Name Service (DNS), Multicast DNS (MDNS) and Internet Group Management Protocol (IGMP) packets that did not identify a source IP address. It could be determined that they originated from hacker 2 because this hacker initially utilised an Apple Macintosh laptop device, which the MDNS is specific to. Hacker 2 then changed their laptop to an IBM during their attack, alleging problems with the former device. This change of device most likely coincided with the adoption of the 192.168.1.11 source IP address indicated as hacker X.

The activities involved in hacker 2's primary attack vector were as follows:
- hacker 2 adopted the IP address 192.168.1.10
- NMAP TCP on 192.168.1.1
- SYN on 192.168.1.1 in parallel with ICMP PING 192.168.1.1
- TCP SYN on 172.16.1.1
- TCP SYN on 172.16.1.2
- hacker 2 adopted the IP address 192.168.1.11
- TCP SYN on 172.16.3.1
- TCP SYN on 172.16.5.1
- TCP SYN on 172.16.4.1 & 172.16.4.254
- TCP SYN on 172.16.3.2
- initiated TELNET on 172.16.3.1
- hacker 2 adopted the IP address 192.168.1.2
- attempted TFTP on 172.16.3.1
- initiated TELNET on 172.16.3.1
- initiated TFTP on 192.168.1.1

Figure 4

Hand traced attack vector of hacker 2

[Figure not reproduced: the combined hand trace of hackers 2 and 3, with ellipses labelled by protocol and destination IP address for source addresses 192.168.1.10 (hacker 2), 192.168.1.100 (hacker 3), 172.16.1.2 (hacker X), 192.168.1.11 (hacker Y) and 192.168.1.2, and hacker 2's primary attack vector encircled in red.]

The SPSS statistical analysis performed on the honeynet's log file of hacker 2's attack showed the three source IP addresses identified in hacker 2's hand traced analysis. The destination IP address with the highest frequency was the 172.16.3.1 host with 12,533 occurrences. The host 172.16.3.2 received the second highest frequency with 7,706 occurrences, followed by the 192.168.1.1 host with 6,884 occurrences.

In Table 2, the three destination IP addresses that hacker 2 interacted with using the source IP address 192.168.1.10 are shown. These destination IP addresses corroborate the destination IP addresses within the honeynet of the hand traced attack vector. From the source IP address 192.168.1.2, the protocol frequencies for the destination IP address 172.16.3.1 show TELNET with 1,068 occurrences, which was the highest occurrence of TELNET activity for any destination IP address. The TFTP protocol frequencies for destination IP addresses 172.16.3.1 and 192.168.1.1 show 15 and 24 occurrences respectively. Table 2 also shows a TELNET frequency of 943 for the destination IP address 172.16.3.1 when using the source IP address 192.168.1.11, which was before hacker 2 spoofed their IP address to 192.168.1.2. All the protocol frequencies for each destination IP address could not be shown as the table was too large. However, the table provided the protocol frequencies for the destination IP addresses which SPSS detected as the most frequently visited across all source IP addresses for hacker 2.

Table 2

Protocol frequencies per destination IP address for hacker 2

SOURCE IP       DESTINATION IP   PROTOCOL   FREQUENCY
192.168.1.10    172.16.1.1       ICMP       4
                                 TCP        3,362
                                 TELNET     1
                172.16.1.2       ICMP       1
                                 TCP        1,675
                192.168.1.1      ICMP       5
                                 TCP        6,658
192.168.1.2     172.16.3.1       ICMP       2
                                 TCP        5,364
                                 TELNET     1,086
                                 UDP        2
                                 TFTP       15
                192.168.1.1      ICMP       10
                                 TCP        6
                                 TFTP       24
192.168.1.11    172.16.3.1       ICMP       3
                                 TCP        5,112
                                 TELNET     943

Figures 5 and 6 show conceptual maps that Leximancer generated from the honeynet's log file of hacker 2's attack. In Figure 5, the red box highlights the main concept, which was the TFTP protocol. The attributes detected by Leximancer that were associated with the TFTP protocol included router_config, Read_Request, Data_Packet, and Transfer in close proximity to one another. In Figure 6, the red box highlighted concepts and attributes that were associated with the TELNET protocol. The identified attributes included Telnet_Data and the destination IP address 172.16.3.1.

Figure 5

Conceptual map of hacker 2's exploit of the TFTP vulnerability on host 192.168.1.1

Figure 6

Conceptual map of hacker 2's exploit of the TELNET vulnerability on host 172.16.3.1

Hacker 3 Analysis

Figure 7 illustrates the hand traced attack vector for hacker 3, which after the ICMP PING requests and TCP SYN scans on network 172.16.0.0/16 was a succession of scan activity on a diverse range of IP addresses. It was found in the analysis that hacker 3 did scan numerous host and network IP addresses that were not within the specified range of the honeynet; however, each non-host IP address was dropped by the honeynet's firewall.
Figure 7

Hand traced attack vector of hacker 3

[Figure not reproduced: the same combined hand trace of hackers 2 and 3 as Figure 4, with hacker 3's activity (source addresses 192.168.1.100 and 192.168.1.2) encircled in red.]

Hacker 3 performed a series of TCP ACK and ICMP PING requests on the 172.16.1.0/24, 172.16.2.0/24, 172.16.3.0/24, 172.16.4.0/24 and 172.16.7.0/24 networks. Additionally, hundreds of random IPs were scanned in blocks of approximately 30 IP addresses. The nature of the logged packets indicated that hacker 3 utilised a tool to select and scan arbitrary IP addresses. This technique would have been ineffective host and network reconnaissance as the honeynet would not have responded to any of the IPs outside of the designated 172.16.0.0/24 network of the honeynet. This technique seemed unusual and hacker 3's attack vector did not appear to follow a meaningful pathway of activity.

Hacker 3's proposed attack vector included the following activities involving the honeynet:
- hacker 3 adopted the IP address 192.168.1.100
- ICMP PING on 192.168.1.1
- TCP SYN on 192.168.1.1
- TCP ACK and ICMP PING on 172.168.1.1 - 172.16.1.2
- TCP ACK and ICMP PING on 172.16.2.1 - 172.16.2.5
- TCP SYN on 192.168.1.1 and ICMP PING on 172.16.3.1 - 172.16.3.3
- SYN scan on 172.16.3.1 - 172.16.3.3
- TCP ACK on 172.16.5.1 - 172.16.5.13
- attempted TELNET on 172.16.3.1
- TCP SYN on 172.16.3.2
- ICMP PING 172.16.3.1 - 172.16.3.3
- TCP SYN 172.16.3.1
- initiated TELNET on 172.16.3.1

The frequency analysis performed on the honeynet log files for hacker 3 detected 27 unique destination IP addresses. In the analysis, hacker 3 sent most network packets to host 172.16.3.1, which had a frequency of 20,579; host 172.16.3.2 had a frequency of 8,715 and host 192.168.1.1 had the third highest frequency of 7,008. Given that the protocol frequencies for each of the 27 unique destination IP addresses could not be shown in a single table, the protocol frequencies of the three main destination IP addresses were shown instead in Table 3.

Table 3

Protocol frequencies per destination IP address for hacker 3

SOURCE IP       DESTINATION IP   PROTOCOL   FREQUENCY
192.168.1.100   172.16.3.1       ICMP       92
                                 TCP        18,846
                                 TELNET     659
                                 IP         888
                                 UDP        8
                172.16.3.2       ICMP       43
                                 TCP        8,595
                192.168.1.1      ICMP       66
                                 TCP        6,942

Figure 8

Conceptual map of hacker 3's attempted exploit

Table 3 identified the protocol frequencies for the three main destination IP addresses hacker 3 interacted with. According to the hand traced analysis of hacker 3, TELNET was attempted on the 172.16.3.1 host with a frequency of 659. The TCP and ICMP protocols had the highest frequencies for most hosts. Protocols such as FTP, RSH and SSH were also detected by SPSS on the 172.16.3.2 host but are not shown in the table. No TFTP protocols were detected for the 192.168.1.1 host or the 172.16.3.1 host. Figure 8 shows the conceptual mapping of hacker 3's attack. In the red box are the attributes Telnet_Data and destination IP 172.16.3.1, which were in close proximity to one another. No TFTP attributes were shown around the 172.16.3.1 or 192.168.1.1 destination IP addresses.

Hacker 4 Analysis

The hand trace analysis and proposed attack vector of hacker 4 is shown in Figure 9. The initial packet logs showed ICMPv6 multicast, router solicitation and neighbour solicitation packets without a source IP address. The hacker initially adopted the IP address 192.168.1.100 and subsequently changed their IP address to 192.168.1.20. The activities involved in hacker 4's attack vector with the honeynet were as follows:
- hacker 4 adopted the IP address 192.168.1.100
- hacker 4 adopted the IP address 192.168.1.20
- TCP SYN on 172.16.1.1 - 172.16.1.2
- TCP SYN on 172.16.4.1 - 172.16.4.13
- ICMP PING on 172.16.4.1 - 172.16.4.13
- ICMP PING on 172.16.5.1 - 172.16.5.13
- ICMP PING on 172.16.1.1 - 172.16.1.2
- TCP SYN on 192.168.1.1
- TCP SYN on 172.16.3.1
- initiated TELNET on 172.16.3.1
- hacker 4 adopted the IP address 192.168.1.2
- initiated TFTP on 172.16.3.1

The SPSS frequency analysis of the honeynet's log file from hacker 4 showed that all the hosts within the honeynet received network packets from hacker 4. The hosts detected with the highest frequency were 172.16.1.2 with 88,777 occurrences and 172.16.5.3 with 63,590 occurrences, followed by 172.16.3.1 with 52,789 occurrences. Host 172.16.3.1 was the third most frequent destination IP address and the destination IP address 192.168.1.1 was the fourth most frequent with 13,736 occurrences. As all the protocol frequencies for each destination IP address could not be shown in a single table, the reduced information is shown in Table 4.

Table 4

Protocol frequencies for the destination IP addresses detected for hacker 4

SOURCE IP       DESTINATION IP   PROTOCOL   FREQUENCY
192.168.1.100   192.168.1.1      ICMP       1
192.168.1.2     192.168.1.1      TFTP       7
192.168.1.20    172.16.3.1       ICMP       43
                                 TCP        51,953
                                 TELNET     742

Table 4 shows the three source IP addresses that hacker 4 adopted and the protocol frequencies for the destination IP addresses associated with TELNET and TFTP. Hacker 4 did not conduct much network activity when using the source IP address 192.168.1.1, as indicated by their hand trace analysis and attack vector. However, the TFTP protocol was detected when hacker 4 spoofed to the 192.168.1.2 IP address, and only 7 packets were identified with this destination IP address. The conceptual maps generated for hacker 4's attack are shown in Figure 10 and Figure 11. The red highlighted box in Figure 9 shows the attributes Read_Request, File and Block and source IP 192.168.1.2 associated with the TFTP protocol concept. Figure 10 shows the Telnet attribute associated with the destination IP 172.16.3.1 concept.

Figure 9

Hand traced attack vector of hacker 4

[Figure not reproduced: a hand trace diagram for source addresses 192.168.1.100, 192.168.1.20 and 192.168.1.2, with ellipses labelled by protocol and destination IP address and the primary attack vector encircled in red.]

Figure 10

Conceptual map of hacker 4's exploit of the TFTP vulnerability on host 192.168.1.1

Figure 11

Conceptual map of hacker 4's exploit of the TELNET vulnerability on host 172.16.3.1

DISCUSSION OF RESULTS
Fromtheidentifiedattackvectorofhacker1,itmaybeinferredthatthishackerpredominantlyfocusedonhosts in the honeynet that were networking infrastructure. These hosts included the Cisco WGB350 802.11b WorkGroupBridgeonIPaddress172.16.1.2,theDSLRouter:Flowpoint144/22XXv.3.0.0orSpeedStream 5851 v4.0.5.1 on IP address 172.16.1.1 and the Cisco 7206 router (IOS 11.1(17) on IP address 172.16.3.1. From the hand trace analysis, it could be determined that hacker 1 focused on identifying TELNETservicestypicallyrunningoninfrastructuretypeoperatingsystems(OSs).Hacker1didperformsome NMAPTCP/IPportscanning,whichisoftenusedtodeterminehostOSnames,versionnumbers,andservicesor applicationsrunningonports.However,hacker1didnotappeartoexploitservicesotherthenTELNETonother hosts.Fromhacker1shandtraceanalysisandattackvector,itmaybeinferredthattheywereaimingtodiscover andexploitCiscoroutersrunningTELNET. The frequency analysis indicated that hacker 1 had reached the intended TELNET vulnerability on the 172.16.3.1hostandmadecontinuousattemptstoguesstheloginandpassword.Thegeneratedconceptmap providedanalternatevisualrepresentationoftheintendedexploitsoccurring.Theprimaryconceptsidentified byLeximancerscontentanalysisincludedhacker1sIPaddressandnetworkpacketdataassociatedwiththe TELNETandTFTP exploits. Whencombinedwiththehandtraceanalysisandfrequencystatistics,it was deducedthathacker1wasdeceivedbythehoneynetandwasdirectedtoexploittheintendedTELNETand TFTPvulnerabilities. From hacker 2s hand trace analysis, it could be inferred that their attack involved mostly scanning and identificationofhosts.Hacker2attemptedtoexploitmanyservicesthatwerediscoveredtorunonthehoststhey scannedusingNMAPSYNandRSTsetnetworkpackets.Theattackvectorforhacker2indicatedthatthe TELNETserviceondestinationIPaddress172.16.3.1wasdiscoveredaftersomescanningwasconductedon the 192.168.1.1 host, and hosts in the 172.16.1.0/24, 172.16.3.0/24, 172.16.4.0/24 and 172.16.5.0/24networks. 
When hacker 2 discovered the TELNET service on destination IP address 172.16.3.1, they were able to guess the login and password and accessed the router configuration file. Hacker 2 then spoofed their IP address from 192.168.1.11 to 192.168.1.2 to match the ACL and attempted a TFTP transfer of the router configuration file from the 172.16.3.1 host, as hacker 1 had done. This attempt was unsuccessful and hacker 2 resumed the TELNET session on host 172.16.3.1, most likely to re-read the router configuration file and ACLs. This hacker subsequently initiated a TFTP connection to the correct 192.168.1.1 destination IP address and downloaded the router configuration file. A modified router configuration file was sent back to 192.168.1.1 and the exploit was complete.

According to hacker 3's attack vector, they did not exploit the intended TELNET and TFTP vulnerabilities. Their attack vector indicated that they used various types of NMAP scanning techniques and sent ICMP PING requests to hosts. Around the time hacker 2 (shown as hacker Y) discovered that the TELNET service was accessible on the host 172.16.3.1, hacker 3 changed their network activity. In hacker 3's hand trace analysis, there was an apparent shift from randomly scanning and PINGing the 172.16.5.0/24 network to attempting TELNET on the 172.16.3.1 host. This behaviour was most likely explained by hacker 2 informing hacker 3 of their discovery.

It was highly likely that both hackers were colluding when SSH, RSH and FTP data transfers were attempted on the 172.16.3.2 host by hacker 3. A near mirror image of these particular activities was reflected in hacker 2's hand trace analysis. Subsequent to the failed attempts on services running on the 172.16.3.2 host, hacker 3 sent packets which the log file recorded as IP UNKNOWN payloads to both the 172.16.3.1 and 172.16.3.2 hosts. They may have been deliberately malformed packets sent to the target hosts to elicit information from them. Hacker 3 then retried TELNET attempts on host 172.16.3.1. At this stage, hacker 2 had completed the exploit and hacker 3 ceased their attack as well. It was not apparent whether hacker 3 was following a distinct pathway; the hand trace analysis and attack vector indicated they used random techniques indicative of confusion.

The conceptual mapping of hacker 3's attempted exploit indicated that hacker 3 made an attempt on the intended TELNET vulnerability in the honeynet. The honeynet did not direct the deception of hacker 3 and, from the proposed attack vector, hacker 3 may have adopted random scanning techniques indicative of a naive attacker. This inference may be supported by the amount of scanning that hacker 3 conducted on IP addresses that were well outside the honeynet's 172.16.0.0/16 address space.

Hacker 4 focused primarily on reconnaissance of hosts and the network, which was evident from the amount of scanning that was performed. The hand trace analysis and proposed attack vector for hacker 4 indicated that this hacker conducted large amounts of scanning using multiple tools to verify their results. This technique resulted in protocol frequencies higher than those of the previous three hackers. Hacker 4 was able to detect the TELNET service on destination IP 172.16.3.1 and guess the login and password. Hacker 4 appeared to have comprehended the router configuration file and ACLs on their first attempt, because they did not attempt to initiate a TFTP connection to the same 172.16.3.1 host as hackers 1 and 2 had done. This hacker spoofed their IP address to match the ACL of the router configuration file immediately after their discovery and was able to successfully use TFTP to acquire and modify the router configuration file before sending it back to the honeynet. It could not be determined why hacker 4 focused on the hosts 172.16.1.2 and 172.16.5.3; although, from the attack vector, it was visible that hacker 4 did reach the 172.16.3.1 host. The TFTP protocol was detected after hacker 4 spoofed to the 192.168.1.2 IP address, and only seven packets were identified with this address. This supported the deduction that hacker 4 did not require multiple attempts to exploit the TFTP vulnerability. The 172.16.3.1 host received mostly TCP network packets; however, the TELNET protocol was also detected. The conceptual maps indicated that the intended TELNET and TFTP exploits were achieved by hacker 4.
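To make the hand trace, attack-vector and frequency analyses above concrete, the following Python script is an added example; it is not the study's own tooling or its Leximancer workflow. For one attacker it reconstructs the ordered first contacts with each (target, service) pair, the per-service packet counts, and whether the TELNET, ACL spoof and TFTP steps appeared in the intended order. The one-record-per-line log format, the topology constants and the two attacker sessions are constructed for this example, modelled on hackers 2 and 3 as described above.

```python
"""Attack-vector and protocol-frequency analysis over honeynet logs.

Added example (not the paper's own tooling). The log format is a
constructed, simplified one: '<seconds> <src> <dst> <proto> <dport>',
not tcpdump or honeyd output.
"""
from collections import Counter
from dataclasses import dataclass

# Destination ports mapped to the services named in the study (assumed).
SERVICE_BY_PORT = {21: "FTP", 22: "SSH", 23: "TELNET", 69: "TFTP", 514: "RSH"}

# Honeynet topology as described in the paper, fixed for this example.
ROUTER = "172.16.3.1"          # Cisco 7206 with the baited TELNET service
GATEWAY = "192.168.1.1"        # honeynet gateway running TFTP
ACL_PERMITTED = "192.168.1.2"  # only source the router ACL lets use TFTP


@dataclass(frozen=True)
class Event:
    t: float        # seconds since capture start
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # 0 for icmp


def parse_log(text: str) -> list[Event]:
    """Parse constructed log lines into time-ordered events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, src, dst, proto, dport = line.split()
        events.append(Event(float(t), src, dst, proto.lower(), int(dport)))
    return sorted(events, key=lambda e: e.t)


def service_of(ev: Event) -> str:
    if ev.proto == "icmp":
        return "ICMP"
    return SERVICE_BY_PORT.get(ev.dport, f"{ev.proto.upper()}/{ev.dport}")


def protocol_frequency(events, sources) -> Counter:
    """Packets per service for traffic originating from the given addresses."""
    return Counter(service_of(e) for e in events if e.src in sources)


def attack_vector(events, sources) -> list[tuple[str, str]]:
    """Ordered first contacts (dst, service): the hand-trace 'attack vector'."""
    seen, vector = set(), []
    for e in events:
        if e.src not in sources:
            continue
        key = (e.dst, service_of(e))
        if key not in seen:
            seen.add(key)
            vector.append(key)
    return vector


def followed_garden_path(events, sources) -> dict:
    """Did this attacker take the intended TELNET -> spoof -> TFTP route?

    `sources` must include any address the attacker spoofed, as attributed
    by the hand trace (the paper attributed 192.168.1.2 to hacker 2 that way).
    """
    telnet_t = next((e.t for e in events if e.src in sources
                     and e.dst == ROUTER and service_of(e) == "TELNET"), None)
    tftp_t = next((e.t for e in events if e.src == ACL_PERMITTED
                   and e.src in sources and e.dst == GATEWAY
                   and service_of(e) == "TFTP"), None)
    deceived = telnet_t is not None and tftp_t is not None and tftp_t > telnet_t
    return {"telnet_reached": telnet_t is not None,
            "tftp_from_acl_address": tftp_t is not None,
            "deceived": deceived}


# Constructed sample: a hacker-2-like session (scan, TELNET, failed TFTP to
# the router itself, spoof to the ACL address, TFTP to the gateway).
HACKER2_LOG = """
0.0  192.168.1.11 172.16.1.1   tcp  23
0.5  192.168.1.11 172.16.3.1   tcp  22
1.0  192.168.1.11 172.16.3.1   tcp  23
2.0  192.168.1.11 172.16.3.1   tcp  23
3.0  192.168.1.2  172.16.3.1   udp  69
4.0  192.168.1.11 172.16.3.1   tcp  23
5.0  192.168.1.2  192.168.1.1  udp  69
5.2  192.168.1.2  192.168.1.1  udp  69
"""
HACKER2 = {"192.168.1.11", "192.168.1.2"}

# Constructed sample: a hacker-3-like session (pings, scans, TELNET guesses,
# no TFTP at all).
HACKER3_LOG = """
0.0  192.168.1.12 172.16.5.3   icmp 0
0.1  192.168.1.12 172.16.5.4   icmp 0
1.0  192.168.1.12 172.16.3.1   tcp  23
2.0  192.168.1.12 172.16.3.2   tcp  22
2.5  192.168.1.12 172.16.3.2   tcp  514
3.0  192.168.1.12 172.16.3.1   tcp  23
"""
HACKER3 = {"192.168.1.12"}

if __name__ == "__main__":
    for name, log, srcs in (("hacker 2", HACKER2_LOG, HACKER2),
                            ("hacker 3", HACKER3_LOG, HACKER3)):
        evs = parse_log(log)
        print(name, dict(protocol_frequency(evs, srcs)))
        print("  vector:", attack_vector(evs, srcs))
        print("  result:", followed_garden_path(evs, srcs))
```

The ordering check in `followed_garden_path` is what separates the deceived attackers from hacker 3: reaching TELNET on the router is necessary but not sufficient, and a TFTP request to the gateway only counts once it comes from the spoofed ACL address after the TELNET contact.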

CONCLUSION
Cohen and Koike's study showed that network attack was impacted by the deceptive strategy used. In this research, the deceptive strategies of the honeynet were based on the purposeful emulation of the TCP/IP suite of protocols for network deception. The honeynet utilised the honeyd program to create virtual hosts and a network, which was able to respond to the hackers' TCP/IP scanning. Honeyd changes network packet headers so that they appear to be generated from genuine OS hosts. The result was that the hackers' interaction with the honeynet was controlled and directed from the TCP/IP (network and transport) layers of the OSI model.

The types of activities detected in each hacker's attack vector identified NMAP scan techniques, which utilised manipulated TCP/IP network packets and ICMP PING requests. From this network-level interaction, the hackers were able to discover hosts, and the services and applications that were running on the hosts. This stage of reconnaissance was controlled by the honeynet by allowing host OS platforms and versions to be discovered through TCP/IP network scanning, which is also called TCP/IP fingerprinting. Honeyd incorporates the Address Resolution Protocol (ARP) to allow created hosts to be bound to an IP address, and the honeynet's firewall blocked ICMP requests to all destination IP addresses not within the honeynet's IP network. This technique allowed the honeynet to control responses to the ICMP PING requests sent by the hackers. By controlling the responses to TCP/IP scanning and ICMP PING requests, the honeynet was able to limit the hackers' ability to scan and identify potential hosts for exploit.
The TELNET vulnerability was also emulated through a PERL script that manipulated the TCP/IP network packets to show that the service was real. Honeyd manipulated the packet headers so that they appeared to be generated from a host running the TELNET service, and the TELNET emulation was achieved by the TELNET PERL script extracting packet data such as the login and the commands used. The PERL code instructed the honeynet to respond to the correct commands and to issue error messages for router commands that the honeynet did not intend the hackers to gain access to. Even though TELNET runs at the Application layer of the OSI model, the emulation was anchored at the lower layers, where honeyd forges the TCP/IP stack. Therefore, the hackers could be deceived about the TELNET service because the tools and techniques they relied on utilised TCP/IP connections. The honeynet was thus able to limit the hackers to the TELNET commands leading only to the TFTP exploit.

The TFTP service was enabled on the honeynet's gateway IP address of 192.168.1.1. The service was listening for connections and accepted TFTP GET and PUT (read and write) requests. Therefore, the honeynet was preconfigured for the exploit. The hackers were directed to this exploit because the remote TELNET service only allowed the commands to log in and view the router configuration file. From this capability, the hackers were alerted to the potential weakness of the router, in that TFTP connections were permitted from a single IP address. Subsequently, three out of the four hackers were directed and deceived by the honeynet into pursuing the TFTP exploit.

It could be inferred that when a honeynet provides a baited vulnerability, such as the TELNET and TFTP vulnerabilities, hackers are drawn to the opportunity. By limiting the network attack opportunities through the deceptive capabilities of the honeynet, hackers may be deceived in two ways. Firstly, if the honeynet is able to emulate its host and network capabilities at the TCP/IP network packet level, the tools and techniques utilised by hackers deceive the hackers themselves through the authenticity of the network responses. Secondly, by directing the hackers' ability to exploit vulnerabilities, the honeynet could guide the hacker to the intended deception without the hackers' knowledge that they were being controlled. The outcome of the research indicated that hackers may be directed and deceived by a honeynet through predetermined network deception at the TCP/IP level.
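As an added illustration of the restricted TELNET emulation described above, the following Python handler is written in the style honeyd expects of a service script (the connection arrives on stdin and replies go to stdout). It is not the study's Perl script. The state machine accepts one constructed weak credential, answers only the configuration-viewing commands, and returns an IOS-style error to everything else, so the only productive path is the one the honeynet intends: log in, read the configuration, notice the ACL and the TFTP destination. The hostname, credential, bait configuration text and lockout threshold are constructed assumptions.

```python
"""Restricted TELNET emulation for a honeyd virtual router.

Added example, not the paper's Perl script. Everything below (hostname,
credential, configuration text) is constructed bait for this example.
"""
import sys

BAIT_USER = "cisco"        # constructed weak credential, meant to be guessed
BAIT_PASSWORD = "cisco"
HOSTNAME = "honey-7206"

# Constructed bait configuration. The only "secret" it reveals is that
# configuration files travel by TFTP to 192.168.1.1 and that access-list 10
# admits a single source address, 192.168.1.2.
BAIT_CONFIG = """\
!
version 11.1
hostname honey-7206
!
interface FastEthernet0/0
 ip address 172.16.3.1 255.255.255.0
!
! config archive: tftp://192.168.1.1/honey-7206-confg (source 192.168.1.2 only)
access-list 10 permit 192.168.1.2
access-list 10 deny   any log
!
end"""

# Commands the deception permits; every other command is refused.
PERMITTED = {
    "show running-config": BAIT_CONFIG,
    "show startup-config": BAIT_CONFIG,
    "show access-lists": ("Standard IP access list 10\n"
                          "    permit 192.168.1.2\n"
                          "    deny   any log"),
}
IOS_ERROR = "% Invalid input detected at '^' marker."


class FakeRouterTelnet:
    """One TELNET session: username -> password -> exec, or lockout."""

    def __init__(self, max_login_attempts: int = 3):
        self.state = "username"
        self.user = ""
        self.failures = 0
        self.max_login_attempts = max_login_attempts
        self.open = True

    def banner(self) -> str:
        return "User Access Verification\n\nUsername: "

    def feed(self, line: str) -> str:
        """Consume one line from the attacker and return the reply to send."""
        line = line.strip()
        if self.state == "username":
            self.user = line
            self.state = "password"
            return "Password: "
        if self.state == "password":
            if self.user == BAIT_USER and line == BAIT_PASSWORD:
                self.state = "exec"
                return f"\n{HOSTNAME}>"
            self.failures += 1
            if self.failures >= self.max_login_attempts:
                self.open = False          # mimic the router dropping the line
                return "\n% Bad passwords\n"
            self.state = "username"
            return "\n% Login invalid\n\nUsername: "
        # exec state: only the baited commands succeed
        cmd = " ".join(line.split()).lower()
        if cmd in ("exit", "quit", "logout"):
            self.open = False
            return "\n"
        reply = PERMITTED.get(cmd)
        if reply is None:
            return f"{IOS_ERROR}\n{HOSTNAME}>"
        return f"{reply}\n{HOSTNAME}>"


def main() -> None:
    """honeyd-style handler: TCP payload on stdin, replies on stdout."""
    session = FakeRouterTelnet()
    sys.stdout.write(session.banner())
    sys.stdout.flush()
    for raw in sys.stdin:
        sys.stdout.write(session.feed(raw))
        sys.stdout.flush()
        if not session.open:
            break


if __name__ == "__main__":
    main()
```

Attached to a honeyd template with a line such as `add router tcp port 23 "python3 scripts/fake-telnet.py"` (honeyd's `add <template> tcp port <port> "<command>"` syntax; the script path is an assumption), the visitor can extract nothing but the ACL and the TFTP destination, which is exactly the bait; `configure terminal`, `copy`, `enable` and every other command fail identically, leaving no alternative path to explore.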

REFERENCES

COPYRIGHT
[Suen Yek] 2006. The author/s assign SCISSEC & Edith Cowan University a non-exclusive license to use this document for personal use provided that the article is used in full and this copyright statement is reproduced. The authors also grant a non-exclusive license to SCISSEC & ECU to publish this document in full in the Conference Proceedings. Such documents may be published on the World Wide Web, CD-ROM, in printed form, and on mirror sites on the World Wide Web. Any other usage is prohibited without the express permission of the authors.
