
Kippo and bits and bits and bits

BSides Charlotte · 2014 · 57:22 · 177 views · Published 2014-06
About this talk
BSides 2014: presentation by Chris Teodorski on his experience implementing and testing honeypots to improve organizational security... with some humorous stories and examples!
Transcript [en]

All right, well, first of all, thanks everybody for coming. I will try not to wander; I tend to wander around the stage and I will try not to do that. As John said, my name is Chris Teodorski, and the first talk is on SSH honeypotting, or as I called it, "Kippo and bits and bits and bits." So first of all, a little bit about me. As I said, my name is Chris Teodorski. I'm a dad and a husband. I just recently started as a security analyst for EMC Rubicon; that is EMC's cloud offering. I'm a full-time geek. I am @cannabeans on Twitter, and I'll put my little plug in here: the cert that I have that I'm the most proud of is the OSCP, which is the Offensive Security hands-on pen testing cert. It's very inexpensive, and it is the cert that I have, like I said, that I'm the most proud of. It's a hell of a bargain and you'll learn a ton if you take it. I'm not getting paid for saying this or anything; I just was really, really impressed with the class and what they offer.

The other thing I promised my boss I would say is: we are hiring. We have two security positions open on my team. They are 100% work from home positions. One of them is a senior level position and one is a mid-level position. So I can't guarantee you a job, but I can guarantee I can get your resume to the right people if you want to get it to me, and like I said, you can be anywhere in the country, because it is 100% work from home. So I did promise I would put that in. That's quite enough about me; let's get down to the talk.

So let's talk about what a honeypot is, first of all. A honeypot is a system on your network that serves no purpose other than to be a target for a bad guy, right? That's essentially what a honeypot is. And I would break honeypots down into two different categories. There's analysis: things like Honeyd, the Honeynet Project. These are things where you can install your honeypot and learn about what the attackers are doing. Then there's also the delay; these are things like the LaBrea tarpit. That's a project that's been around forever. Essentially what that does is, when an attacker hits it they get tarpitted; they get stuck in it, and you know, scanners and things take a long time to run through the tarpit, so it's designed to slow them down. Again, the idea is that this resource exists solely to be compromised, right? That's the only reason it exists. It doesn't offer any other services, and that's important, because the only traffic it should ever see is illegitimate traffic. It shouldn't ever be seeing legitimate traffic.

So when I decided to do this talk, I started doing a lot of research into the honeypot, and what I call the rise and fall and rise again of the honeypot. The first reference in print, anyway, to a honeypot is Cliff Stoll's book The Cuckoo's Egg, which was written in 1989. If you haven't read the book, I highly recommend it; it's an easy read.

Cliff was working for Berkeley labs and noticed a discrepancy in the way they were billing CPU time, and then discovered that someone had accessed their computers and was continually accessing their computers, so he set up a honeypot to capture these intruders. And like I said, it's a very interesting read. In the early 2000s honeypots were a hot idea. When you Google "honeypot" you'll find lots of stuff from, you know, 10, 15 years ago that talks about honeypots. There were a lot of manufacturers; there were a lot of commercial honeypot products out there. Symantec was selling a product called ManTrap. There was Specter, NetBait, KFSensor.

But all these products kind of were there and then gone. And so if you look at now, there are honeypots out there; most of them are non-commercial, and I'll get to that in a second. So while I was Googling, I did run across this product, and there's an inside security community joke coming up, so just so you're ready for that. I did come across this product and I was very interested in it at first, because I was like, oh wow, look, this is a commercial honeypot. And then I started reading about it, and yeah, it kind of is, and then I saw that it hadn't been updated in a long time, and then a lot of the wording on it just seemed weird, like they were calling it an IDS. And I guess I can see how you would say a honeypot is an IDS, an intrusion detection system, but it's not really exactly the same thing. And then the more I read about it, the more I thought it sounded like something this guy wrote. And so for any of you who don't know, this is the world's number one hacker, Gregory Evans, who is quite infamous for his bravado and his lack of abilities. So we'll just kind of leave it at that.

So as I was researching this, I started to wonder why there was all this commercial interest in honeypots in 2000, and then by 2005, 2006 it seemed like everybody had exited the market. What happened? Why was the interest lost? So I went to Twitter, because that's what I do, and said, hey, what's up with the honeypot? Like, why is no one interested in the honeypot anymore? And Nick Harbour, who was at the time a malware analyst for Mandiant (I'm not sure if he still is), responded to me and he said, maybe because it's a waste of time and never improved security. And I was like, ah, geez, that hurts, because I think this is a pretty cool idea, and to say that it was a waste of time and never improved security, I don't know. So I started thinking about it myself, and after I kind of went through the exercises that I went through to prepare for this talk, I realized, and this is my theory anyway, that the reason honeypots lost their glamour and why they lost interest is that I don't think any of them at the time were that click-click-drool tool where you could just kind of get really easy intelligence out of them. And so that's my suspicion. I don't really know what happened; I mean, it could just be they weren't selling well, right? That could be what it was. But interest was definitely lost.

Now in 2011, I think it is here, Symantec announced that they were going to start selling a honeypot product again, but only to their large enterprises and government, and I don't know what the status of this offering currently is. What I do know is that all of the AV manufacturers, you know, run honeypots, honeynets, because they're collecting malware, right? So they can watch for it, and apparently Symantec was basically turning around and taking what they were using internally and marketing it to these large customers. And according to the article, both their competitors were rather surprised that they were doing this, and again, you know, I think it must have been a tough sell to market the honeypot.

So that's kind of all the bad stuff that people have said about honeypots, and why honeypots are maybe not in favor as much as I think they should be. But I think Lenny Zeltser, who teaches the SANS forensics, malware analysis class, and you know, he does a lot of malware analysis and a lot of teaching, posted this at one point about honeypots. And I mean, you guys are all very capable of reading, but I think the important part there is he talks about it being part of a mature enterprise, and I think that's probably one of the big keys: a honeypot should not be the first thing you deploy, shouldn't be the second thing you deploy, shouldn't even be the third thing, right? You should really be a mature program before you even consider deploying honeypots. And maybe that's why they fell out of favor, because in my experience there are not a lot of mature security programs, and that could be why the interest was lost.

The other thing to remember is that deploying a honeypot, as cool as I think it is, is not a panacea. You know, if you have compliance requirements that you have to meet and you have an auditor come in who finds this intentionally vulnerable box, it may be a tough sell. I think it depends on the auditor. If you have an intentionally vulnerable Windows box, again, that doesn't look patched; that looks like a big black mark to a QSA or to an auditor. So there are real challenges to deploying a honeypot, but for me it's a really fun Friday night, right? Because this is how I want to spend my time and this is what I want to do, and I don't have to worry about auditors or QSAs or terms of service or anything like that.

So let's talk about Kippo. That's what I said we'd be talking about, and we're going to start with Kippo, but we're not going to end with Kippo. Kippo is defined as a medium interaction SSH honeypot, and so honeypots are kind of broken down into low interaction, medium interaction, high interaction. So low interaction basically mimics a service: it opens a port and says, hey, I'm NetBIOS, and that's as far as it goes, right? It's just to see if someone's probing you. Then you have the medium interaction honeypot, where Kippo mimics the entire shell, so it looks and feels like SSH. It's not, but it looks and feels like it, so when you connect to it, it's very hard to tell that you're not actually on a real SSH connection. And then of course a high interaction would be something like a full-blown operating system, right, that you have, that you're watching what's going on.

So Kippo is a piece of cake to install. It's really easy to get running. Those are the requirements. It's written in Python; it's a piece of cake. Basically that will get you ready for Kippo on Debian or Ubuntu; in the case that I used, Ubuntu. That'll get you ready to go. You download it, you extract it and you execute it. That's it; I mean, it's super simple. Sort of. Now, you do want to tweak the config file. There is the SSH port that is set, the hostname, which is what the system mimics, right, what you want it to announce its hostname as, and the password. Now the password, obviously, if you want to let attackers in, needs to be terrible, because you want them to successfully brute force this, right? That's kind of the idea. So you set that and you're set and ready to go.

This should be obvious: if you care about the box that you're running this on, if you don't want the base OS that you're running this on to get compromised, don't run it as root. Kippo is well written, well tested, but geez, don't do that, because if they manage to escape out of Kippo they are going to be owning your box, and so, you know, that could be a very bad situation. Now, Kippo will warn you if you try to do that; it'll say, hey, dum-dum, what are you doing? Stop. It checks, right? But again, just putting that out there: don't do that. Now what that's going to mean is you're going to have to run on an unprivileged port, which is less than ideal, because you want to be running on 22. So that little iptables rule (the default Kippo port is 2222), that little iptables rule will redirect anything coming in on 22 to 2222, which essentially gets you to appear as though you have SSH running on the standard SSH port. So once you get this all set up and running, you just wait and they'll get you. The password that I used most was 123456, and the box got owned over and over and over again, as one would expect.

Now, what Kippo does: these are the folders that you're going to be interested in in Kippo. So dl is the download folder. Again, this is on your box, where you're seeing this, not inside the Kippo faked shell. Anything that your attacker attempts to download gets stored in that download folder, so you can go back and take a look and see what they downloaded. The log will show all of the brute force attempts, so any username and password that they attempt gets written to the log, so you'll have all that. And then your tty is the coolest directory, because inside there what Kippo gives you is what they call VCR-like playback of the shell session. So you can see everything the attacker did while they were interacting with your shell, right? So you can play it back in real time and watch them interact with your shell.

So now this is the live demo. God. So we're going to try to watch a Kippo playback and we're going to see if this is going to work.

Okay.
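The Kippo deployment steps the talk has just walked through (run it unprivileged, redirect port 22 to the default 2222 with iptables, and set the SSH port, hostname and password in the config file), as an added example in POSIX shell. This is not the speaker's code and not part of the Kippo project: the config key names ssh_port, hostname and password are assumed to match the kippo.cfg of that era, the sample config is constructed, and the helper function names are mine.

```shell
#!/bin/sh
# Added example (not from the talk or the Kippo project): preflight checks and
# config edits for a Kippo deployment. Config keys ssh_port/hostname/password are
# assumed to match the kippo.cfg of that era; adjust to your kippo.cfg.dist.

# Refuse to run the honeypot as root or on a privileged port.
# usage: check_unprivileged UID PORT  -> returns 0 only if the combination is safe
check_unprivileged() {
    uid=$1
    port=$2
    if [ "$uid" -eq 0 ]; then
        echo "refusing to run kippo as root (uid 0): an escape would own the host" >&2
        return 1
    fi
    if [ "$port" -lt 1024 ]; then
        echo "port $port is privileged; use one above 1023 (kippo default 2222)" >&2
        return 1
    fi
    return 0
}

# Print the iptables NAT rule that makes the public SSH port land on the
# unprivileged Kippo port, so the box appears to run SSH on 22.
# usage: redirect_rule PUBLIC_PORT KIPPO_PORT
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-port %s\n' "$1" "$2"
}

# Set "key = value" in an ini-style kippo.cfg, appending the key if absent.
# usage: set_cfg KEY VALUE FILE
set_cfg() {
    key=$1
    value=$2
    file=$3
    if grep -q "^$key *=" "$file"; then
        sed "s|^$key *=.*|$key = $value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Read back a key's value from the cfg.  usage: get_cfg KEY FILE
get_cfg() {
    sed -n "s/^$1 *= *//p" "$2" | head -n 1
}

# Constructed minimal kippo.cfg fragment for trying the helpers offline.
# usage: write_sample_cfg FILE
write_sample_cfg() {
    printf '[honeypot]\nssh_port = 2222\nhostname = nas3\n' > "$1"
}
```

Typical use: write_sample_cfg kippo.cfg; set_cfg hostname sslwebserver kippo.cfg; set_cfg password 123456 kippo.cfg; then check_unprivileged "$(id -u)" "$(get_cfg ssh_port kippo.cfg)" before starting Kippo, and apply the line printed by redirect_rule 22 2222 on the host (it only prints the rule, it does not run iptables).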

So there should only be the one file in there. Yes. So Kippo comes with a script called playlog that is designed to play the log. Sorry about that. Okay, so this is what you're seeing right here at the bottom of the screen: there is the actual attacker interacting with my session. I called the hostname, remember I said you could set the hostname, I called it "SSL web server". So they're clearing the history file, right, to hide their tracks, and then they start looking to see exactly what kind of system they're interacting with. Now they're going to set the root password; they're going to change the password to something they know. Obviously their password, I don't know, but I'll get to the password stuff in a second. So, you know, they take a look to see, and Kippo fakes all of this, right? This is all fake stuff. So they're going to download their tools, right, which is what they're doing with the wget there. So they download the tool. Yeah, so as you see, there are typos, right? They're making mistakes. I mean, you can tell this is a person, right? This is not an automated script; this is a person sitting there. So now is when Kippo will show some of its weaknesses, right, because it's not really the OS. So they're trying to run their tools and their tools are exploding. So they're running through this, and now they're going to start looking to see, because, you know, obviously this created a little confusion, because why isn't this tool working?

Yeah, exactly. That's what I said. That's the thing I love about this: it's clearly a person. And my favorite, this is old, this is probably two years old now. So look, they're going to check to see, because they're confused, what kernel is this running, who's logged in. So then this is the awesome thing about Kippo: they type exit, but Kippo won't actually let them out, right? So it says localhost, and now we start getting confused, right? He's running nmap, and he, I think he exits again, he's like, okay, I get what's going on here. So all his commands from his previous session are still in the history. Right, right, it absolutely should be. So I believe so. Now he's checking his interfaces, right, because he's like, where am I? So he exits again and he gets dropped back to the Kippo prompt again. So he exits again, right, and he's back to the Kippo prompt again. So like I said, as I imagine, this was incredibly confusing to this individual.

okay so that's it so that's so he gets smart at that point and and finally actually

disconnects so so despite that last display here's what I learned from my kippo is and I say they're smarter than I thought because um there were a bunch of people who clearly were doing this who knew how to identify a kippo host right there were limits to what kippo can do and there were places they looked so for example by default kipo's Etsy password is empty so some of them would go immediately and Cat Etsy password and then they disappear they knew they they'd hit a Honeypot right so um so they they were smarter than I thought they they had they had learned ways to identify a Honeypot so what that meant was I had to keep tweaking so for

example because you can add stuff to kipo's file system so I took a real Etsy password from one of my machines and copied it in there so now I knew that hurdle but there were other things that they were checking that like I said they they realized that this was that this was a Honeypot um and I said they are Chinese because a vast majority of the IPS that I was collecting were coming from China um and actually at the time I'm like uh that's kind of boring because that's what I expected right like I don't I don't know why I expected the the the kippo host that I were running these on I was using two vpss

that were were um uh actually not the VPS provider that's here um but I was using um two VPS providers and uh hosting these out there so they were both us IPS and um they were in different parts of the country um and like I said I was just kind of disappointed because I was like oh well they're they that's that's exactly what I expected like this is kind of this is kind of boring um so after doing all this I said okay well there's a problem in that I can't really see what they want to do once they compromise this host right because they compromise it and they can't run their tools because their tools don't

actually work because it's a mimicked it's a faked OS right so I want to see what they're going to do if they were allowed to fully compromise a host right that's the next that's the next place I want to go um so I'll put this disclaimer out here um I have a very good friend who lives up in Pittsburgh who's an attorney who after he saw this was like you need to tell people not to do this this is a very bad idea um so I I'll put the disclaimer out there the stuff that I did ended up in with my box getting compromised and my box being used despite my best efforts in real attacks

um I did my best to uh limit that possibility but as you'll see my box was actually used in a real attack and had that been tracked back it would have come back to my IP and I would have I would have had some splaining to do um so so you know doing this could end you up with a pair of these um it could which in turn might end up with some of that um but more than likely you're going to end up with that because you violated your isp's terms of service because I was running this at my house and so you're going to end up with no internet um so that's my disclaimer you

know do do with this information what you will so this is the way I set up my home network um what I did was I you know this this right here is my external firewall and then over here this is actually a single ESX host VMware ESX host and it is hosting a PF sense box a Linux box with a horrible password snort and a client machine and I'll explain the client machine in a moment um and then over here was my home network or where I keep my porn um and that needed to be safe from the attackers right that was that was key um so the Linux box with a horrible password had the password of 1 two 3 4 5

six again um and it was done using um non-persistent dis in VMware so that allowed me to reboot the box and wipe out anything the attackers had done so I could basically kick them out and and start over from scratch um but what that also meant was that if that box rebooted I lost any evidence that I had collected right because it was reset back to where it was so so this Linux box was set up here with two interfaces so I would power that box on when I needed to move data out of that Linux that the horrible Linux box the horrible password Linux box so that's what that client was for I had snored out there watching stuff

honestly um I didn't end up using it much because pfSense has a neat little feature where it can do full packet captures all the time so I just turned that on and relied on my own ability to go through through the packet captures and take a look at what was going on um so that was my setup that's what I did I then opened SSH on my you know my consumer uh it was a Verizon internet connection at the time and said okay have at it guys um so the way I configured my Honeypot was I used uh pseudo sh which is a shell that allows that VCR like playback that we got out of kipo I really didn't want to lose

that because that's a really cool thing to watch what they're actually doing I really wanted to be able to see what keystrokes they were entering now Pudo when you look at what shell is set for the user shows up as pseudo sh so I said okay well I'm going to hide this so I called it ksh even though it was clearly bash and they and that that was fine again I wasn't doing a lot of effort to really mask what I was doing I said I didn't try to be very I didn't try very hard to be secretive um I also hacked the SSH binary that was installed on there because one of the other things kippo

again I'm kind of trying to mimic kippo on a live system one of the other things kippo does is it provides you with a list of all of the IPS the username and passwords that were attempted in The Brute Force I still wanted to collect that uh SSH would hide that because it would have been encrypted so um I am not a c programmer so I'll put that out there I hacked this the the off password. C and made it write a log file um I'm sure there's more elegant ways to do this I'm sure there's just downright better ways to do it um forget Elegance just better um but it's out there so if

you like it uh feel free I just hacked it up recompiled it and put it out there and it writes all of the username and passwords to a clear text file so obviously don't use this on a production machine because it will write your username and password in clear text um so it's out there help yourselves and again you know improve it because I'm sure there's improvements that could be made um but that's that's the little bit of code I changed I it really wasn't a hard hard hack to get it in um so these are the logs that I started to collect on this machine so again as you can see this is what the log looks

like it just gets its time uh password or username password and an originating IP um so nothing nothing spectacular um so I set it up and I waited and of course the Box gets owned over and over and over again um I'm pulling stuff off and one of the interesting things that that I saw and again I saw this in kippo as well um one of the things they do is they download Windows service packs my guess is that they are using that as a benchmark for Speed that they're trying to see what kind of connection they're sitting on that's the only thing I can come up with because they clearly know they're on Linux boxes and they're

downloading Windows service packs my guess is it's a big file they know Microsoft has a big pipe so they just want to get an idea of what kind of bandwidth they're they're up against or it's the script or it's the script other than I mean it we we'll get into that we'll get yeah no we'll get into that um so as I said obviously the Box gets owned over and over and over again it was almost always the same malware and there was usually a IRC command and control and that might be on another slide I might getting ahead of myself um there was an IRC command and control there was usually a Deni of Service Tool

um there was a um another an SSH Brute Force scanning tool and password username and password lists there almost always the same thing that appeared on there um and they were almost always hidden in the same places um so they didn't vary a lot in where they in where they hid these files um but this time I had a little more more than I had with the kipo Box because now I had packet captures um so I could see everything they were doing inbound and outbound um and how much time do I have my I'm right at 30 minutes okay so let's oops so let's go ahead and so this is just to give you an

idea I have a pseudo sh capture here um and basically you're going to see the same thing um

see okay so I called the Box Phoenix because of course it burns in the fire and then reemerges um but basically like I said you'll see that they they it's pretty much the same stuff you know he's going through his tools I have this sped up a little so if it looks like he's typing real fast I have it at Double speed just so we get through it quicker um so again this is a Live Host this is actual you know he has he has root access to this box at this

point so again downloading tools um the the a couple rules I put in on my PF sense box while this is running um my suspicion was and again because I couldn't actually see what they were doing with kipo my suspicion was that they were using these boxes to send out spam so I blocked uh 25 outbound um and I also blocked SSH well I blackold SSH um so that they scanned and just got no responses and they did scan from my box they would use my box as a pivot point to try to scan to compromise other hosts um so as you can see like I said you get the idea of what you get with pseudo sh

this is not a particularly um you know there's no humor in this one um let's put it that way so we'll get out of that but you get the idea pseudos gets you the same kind of playback um which I think might be useful ultimately if you have audit requirements that require you to see what's going on at a at a command line so I think it might have uses outside of just uh watching what the bad guys are doing um so like I said these are the tools that showed up all the time um you had IRC mchb which was for command and control uh the PS scan or some variant of it which was for SSH brute forcing um

different denial of services tools lots of them in Pearl um and a user and password list now what was interesting thing about the user and password list is they all dropped username and password lists and um I grabbed the largest of them like I said I was pulling data off of that machine rather regularly and then rebooting it and starting it over again um and I grabbed the largest of the um of the password lists and it was like 230,000 passwords if I remember correctly and then I uniqued it and there was only like 130,000 unique passwords so they were doing all kinds of redundant work um which got me interested in in very curious about um

kind of the skill level of these individuals like it seemed it seemed kind of odd to me that that's what was going on but um I did have these packet captures now so you probably can't see that this is them attempting to SSH Brute Force something so I mean they're just blasting away at SSH again my firewall is you see just sins because my firewall is PF sense box is just tossing it away it's just ignoring it and not responding um the other thing you have here this is so this was actually my box being used in a denial of service attack um I had blocked outbound ports that I thought they would use right the obvious

stuff um this was one I hadn't thought of and so they were attacking somebody they were doing a UDP deny service which was successful because I didn't block that so that that went out and I participated um but then the other thing was um I said they had dropped IRC command and control so I had IRC being in clear text they weren't using SSL so everything was in clear text so I could actually see what was going on um so this is them connecting to their their owned box connecting back to IRC for command and control um and I apologize that that's that that's so small so when I looked at the um when I was going through all the

packet captures and I was kind of looking at what the packet capture contained um and looked at the IRC stuff you can't yeah I apologize that's so small um one of the channels they joined was uh I'm going to call I'm going to say it's Picolo Pi o l l o um and that's significant because I started thinking well I'm going to join this IRC Channel and see what what the deal is right like what's going on here so I put Picolo into Google and Google said do you mean Picolo which apparently is a Dragon Ball Z character nothing I'm familiar with but um I said okay so there's my cover again it's a silly stupid cover but I'm

going to go in and I'm going to create a fake identity for myself and I'm going to say that I am a 16-year-old kid although clearly not 16 but I'm a 16-year-old kid and I'm really interested in Dragon Ball Z and I'm going to join the channel and see and see how it goes so I did I joined the channel um and this is what I was first greeted with so as I joined the channel there was no password on it there was nothing protecting it I just joined and I see all these names and then I see someone saying say a and then all the Bots respond a now one of the things I

will tell you is I sanitized all of this um so that those are not real IRC names and and I will explain that as we get to the end why I did that um so those are not those are not real names so say a so one of the first things I did was I said well say a right when he said say a and then I said well why isn't it doing what I want it to do and let me see which slide's next um okay so actually here it is so I said okay I'm gon to I'm going to become friends with these guys right like I'm going to see if I can get them to start

talking to me so I said um as you can see there so my name that I came in was fava Bean which again my handle is canab beans um so it wasn't very far from actually who I wasn't doing a lot to really protect my to protect who I was um so I came in his FAA bean and um he says fava bean and I said say a and he says a right the Bots don't respond because they're not supposed to respond to me um and I said how come it doesn't work for me and then I start with my Dragon Ball Z thing I'm a big fan of Dragon Ball Z and he asked me how old I

am and I said 16 how old are you 24 and I said oh you're not too old for Dragon Ball Z and he said well I've seen cartoons once and I said once and I said I thought this was a Dragon Ball Z Channel and he said evenings we've seen and I said are you in Japan or us and he said Europa and I was like well this is not what I expected right like I thought I was dealing I was honestly expecting to see a lot of Chinese language fly flying back and forth well I hung out on the channel a lot and what I watched was um a language going back and forth that

I didn't recognize and I started copying and pasting it into Google translate and all of it was what I discovered was rpt or Romanian persistent Threat all of the language that was being spoken was Romanian which was clear which was not at all what I expected um and so um it was it was a daunting task because I don't speak Romanian so I'm sitting there trying to copy and paste in out of IRC to at least get an idea of what they're talking about um in you know into Google translate well unfortunately and I I assume it would be the same going from English to if you took an English IRC Channel there was a ton of slang being

thrown around which Google had no idea what to do with so um so there was a lot of stuff that was being said that I didn't understand so once I realized that um I started asking lots of questions um because some of them started some of them would talk to me now clearly some of them were saying don't talk to him right I mean I caught some of that in Romanian it was we don't know who this is don't talk to him um so you know I started asking you know what's what's you see as I join the channel the first thing it's say a and I say a right and then because he thinks

I'm a bot at this point, he tries to get me to change my nick, and I say "nick", and then I said, "why are you saying these things?" And it's at that point he realizes that I'm a real person. And I said, "why are you guys doing all this 'say a' stuff? I see you do it all the time." And then I asked about the command that they issue, the "!ssh"; that's the command they were issuing to ping their bot to see if it was alive. And I said, "what does it do?" and he said, "it pings la

server." And I said, "why are there so many servers being pinged?" and he says "excuse me" and disappears. I don't know if he got nervous, but he never talked to me again; he was done with me. So I quickly dropped the Dragon Ball Z thing, because obviously they had no idea what I was talking about. So I asked them where they're from, and one of the other ones said, "I'm Romanian," and so then I was like, okay, now I'm going to appeal to a sense of nationalism, I'm going to give that a try. So I started talking a lot about Romania and asking lots of questions, and

I'm really interested in Romania, and so, you know, I said, "I'm reading Wikipedia on it now," and he says "good". And that actually worked: they were interested that I was interested in Romania. And then it got very interesting, because when I said, "how old are you?" he said 23, and I said, "do you work or go to school?" and he said, "I'm stealing in other countries." I mean, he just came right out and said, "I'm stealing in other countries," and I said, "what?" and he said, "to survive." And I said, "I don't understand, what are you stealing?" and he said, "all of

it, we steal all of it." I was like, okay, all right, well, this is interesting. Now the other interesting thing that I discovered is there is in fact honor amongst thieves. I spent a lot of time in this channel just lurking, chatting as much as I could, again translating a lot of what was going back and forth. And so I'm going to call this person Ruca; again, name changed. So Ruca became my buddy. Ruca liked to talk to me a lot, and Ruca seemed to want to help me out, and I think part of it was because Ruca was close in age to the character that I had created. Now

this conversation is between Ruca and me. Again, after the whole "I want to learn about Romania," I started with "I want to learn what you guys do," like, I want to learn how you're doing this, I'm really curious to know what you're doing. And so someone on the IRC channel said, "I'll sell you a root, if you want to buy a root." That was the terminology they used; they referred to them as roots, that's what they were selling. And I said okay. At the time I said, "okay, how do I get the money to you?" because he said he would sell it to me for a dollar, and I

said, "well, how do I get the money to you?" And again, I'm playing that I'm a 16-year-old kid, and I said, "I've got to get my mom's PayPal account," and so I said, "hold on, I'm going to get my mom's PayPal account so I can pay you," and then I said, "well, do I need Romanian PayPal? Like, I don't know how this works." And as soon as I was chatting with this individual, I got a private message from Ruca, and as you see, Ruca says, "man, stay chill, don't buy roots like a dollar, they're not roots." And I said, "I don't understand," and he said, "you send him money, he give you nothing, or he gives you root and

takes it back." So I'm like, wow, this guy's talking to me and he's protecting me, so this is the guy I want to ask questions of. So I asked him, I said, "well, how much should a good root cost?" and he said 10 to 20 euro, which was way more than I expected it to be, and he said, "for a good root." You know, he said $1 roots are... and I said, "well, is that US or euro?" and he said euro. So again, the conversation continued: "is it really a bad idea to use my mom's PayPal?" He tells me I need to ask her before I do it. Okay, so I mean, like I said, there

is honor amongst thieves. And I said, "you know, I'll tell her I'm buying Dragon Ball Z stuff from eBay," like, that was my excuse. And so he starts explaining to me that he's scanning for more roots; he shows me what he's doing, and he's telling me that he's scanning 3500 IPs, and he said from those he'll get 10 to 20 roots. So I'm putting myself in his shoes at 16: if I had 200 bucks coming in, and that's, you know, in the US; I would imagine 200 euro in Romania goes a little bit further. I'd do a lot of stupid things with that money. So he said, "you

know, it's a lot of money," and he said sometimes he gets no money, it all depends. So again we continued this conversation; he and I talked a lot, and he actually went as far as to tell me where he lived and what street he lived on. So now we'll get into why I changed names. Like I said, he told me where he lived, he told me what street; he was excited that I was Googling, that I was looking up what street he lived on, and so there it is, that's where he lives. Now, one of the reasons that I changed the names is because the

more I got into this, the more I started realizing that I wasn't sure exactly who I was dealing with. Right now my assumption is that this was a kid who was just supplementing his income, but I don't know, right? I don't know, he could be doing this under duress, right? I don't know the situation, and I suddenly started getting concerned that as I give this talk somebody recognizes those names and we have trouble on our hands; he has trouble on his hands, I don't, because I'm far removed from it. So that's why I went ahead and changed all the names, and everything, you know,

has been sanitized. So he goes on to explain how to do what he's doing, right? I asked if I can download a tool, and he says you have to have root if you want to use it; it's a scanner, and he says you scan IPs and brute force, and he says it tries 1,000, 2,000 user and password and an IP; if it matches, bingo, you've got root and 20 bucks. And I said, "do you ever get in trouble?" and he says, "no, I'm under 18," and he said if he was over 18 he could go to jail for this, but because he's under 18 his plan was to do it

until he hit 18 and then he would stop. So what's funny was, I started explaining to him, because I was surprised that he was like, "I can get off scot-free if I'm under 18," and so I said, "well, don't you guys have juvie? Like, don't you have the equivalent of that?" And he's like, "what's that?" And I started explaining it, and when you explain it to someone and you're like, "well, it's a prison for kids," it just starts not sounding very good, right? And I was like, let's not talk about that. So, you know, I said, "so what do

you guys do with all these? Like, I see you getting them, what do you do with them?" And I said, "do you use them to play games?" Right, like, what do you do? And he says, "we scan for other roots, we can flood, we can spam, we can make money." So what I asked him was, "well, who is buying these?" which was the one question he wouldn't answer. His answer every single time was "haha, people like you." That was his only answer, so I still don't know who they're actually selling these to. My suspicion is still that it's used for spam; that's my suspicion, because I can't figure out what else. I mean, botnet, I guess, but I

just... it seems like an awful lot of money to be paying to get root access to it. Now, the next slide that I'm going to show was something that was dumped into the IRC channel. This to me looked like an accidental copy and paste, because it was followed by nothing else other than this. This appears to be someone's complete identity, and again, I sanitized all of this. I don't know how legitimate it is, but if you look here, the thing that really made me think it was right was that the ATM PIN matches the birth date, so that made me go, oh, this is really

somebody's ID. And when this happened was really when I started going, whoa, I don't know who I'm messing with here. Like, I don't know, it could be Eastern European organized crime; I mean, I have no idea who I'm messing with, and that was when I said, okay, I've got to sanitize all this stuff, and I've got to be careful, because again, as interesting as this is to me, I don't want somebody getting hurt because of my stupid presentation here. So that was kind of the end of my activities; I stopped following the channel, stopped participating in it. And so the

question is, after all of this, what does this all mean? Like, what's the takeaway for us? This is all really interesting, and it's an interesting story, but what's the takeaway? So the things that I learned were, first of all, that these guys were really script kiddies for hire, and to the person who commented about following a script: these guys did not consider themselves hackers. I asked them, I said, "oh, you guys are hackers," and he's like, "no, you have to know SQL injection if you want to be a hacker." That was the bar for them, and they said, you know, "we're just

following a script, essentially; we have steps that we walk through," and that seemed to be the extent of what they knew. So these were not technical wizards; they were just kind of following. And I think the password... with all of the, you know, how hard is it to unique a username and password file, right? I mean, it's really easy, but so I think that kind of speaks to their technical prowess. So the other things that I learned: use strong passwords, obviously. So those were what the passwords looked like that were in their file: root, 123, password, 123, beas, but

sole selection 123, and whatever that is was also in that list, so they did have some long, ugly passwords in there. Where that came from, no idea. But the one thing that I noticed is not a single one of their passwords had a space in it, not a single one. So at least in the list that I saw, if you had a space in your password, even if you had "password 123", they wouldn't get you. So, you know, feel free to use those special characters, use spaces, make those passwords long and ugly. All of the tools they were running were on port 22; everything was looking for the standard SSH port. So, not a fan of

security through obscurity; however, it will lower the noise that you have to look at. Not saying you can ignore it and not look at the activity on that port if you move it, but again, you will squelch these guys pretty significantly. Also, fail2ban. fail2ban's awesome; if you don't have it deployed, really look at it. It will automatically add an iptables blacklist entry for an IP that is trying to brute force you. So you can configure that, and you can say, you know what, you get six failed attempts, as an example, and then I put an

iptables block in for you for 15 minutes. So that would essentially kill these guys; they'd be done at that point. And it's not just for SSH, you can do it for FTP and other services. So that's it. Are there any questions? I don't know how much time I have; are we still good on time? You don't know? Okay, we're good on time then, I have 10 minutes. So, are there any questions? [Question: what did you do to your IP address?] Absolutely nothing. So that was a nice lob up there, Tom, because Tom knows that I did nothing. So the one thing that I did was, when I was

connecting to IRC, I didn't use my home IP address for that, because I knew my home IP address was showing up in their bot list all the time, right, as a compromised host, and I didn't want to show up, because I wanted those to be separate. They weren't doing any kind of analytics; I don't think they would have noticed, but I just wanted to be on the safe side, so I used a Verizon AirCard any time I connected, so it was a separate IP address. That was the only thing I did as far as any kind of obscurity goes. You know, when I was running it at my house, it was running on my ISP-

provided IP address, like I said, which could have probably gotten me into some trouble, depending on what they were doing. But other than that, I didn't do anything to obscure... The one thing that I did do was, I knew that my Verizon AirCard IP, if they did any kind of geolocation of the IP, would come back to, at the time I was living outside of Pittsburgh, so the identity that I created, I said I was from around Pittsburgh, because I just wanted those to match up, so that if they started looking, they wouldn't get curious because that IP didn't match. So, anything else? Yeah.

[Question inaudible] Well, yeah, so, the way they operated, I don't think they were scanning internal IP addresses; I never saw them look at RFC 1918 addresses. So even if they were, and my box had one, right, because it was inside my network, it was behind the pfSense box, I never saw them probe outside of that box; they always went to the internet. Again, I don't think these guys are... they're following a script, right? They're just trying to get the most boxes in the least amount of time, right? That really seems to be what they're after. I didn't... I mean,

they were allowed out on my network, out 80 and FTP, right? Those weren't blocked. I don't recall seeing a lot of traffic that way; I mean, the traffic that I saw going out 80 was the wgets, they were fetching their files and then testing the speed of the network. [Question inaudible] Yeah, no, so I didn't, right, I didn't let it run that long; I would reboot the box and wipe it out. So yeah, that would be interesting to see. I don't know how I would know when they sold it, right? That would be the

only problem, but yeah, it would be interesting to see what happens once it's sold. Again, my suspicion is it's spam, because that seems like it would be the biggest bang for the buck. You know, you can blast away a ton of spam and then it gets blacklisted and you don't care, because it's not your box, you just move on to the next compromised host. [Question: were you still seeing Chinese IPs, or were you...] So, no, they were almost always smart enough... there were some Romanian IPs, so the UDP DoS attack that I showed you, that was one of them attacking another one of

them. And I did see some of that; there was kind of some back and forth, and you would see people get blasted off IRC, so they were attacking each other. But they almost always used a jump host to attack. You know, again, as soon as they compromised my box, they started using it to scan for other things, so they seemed smart enough to not have it track back to where they were. And again, a lot of Chinese IPs, and I can't really explain why, because when I did it at my house, there were a lot of Chinese IPs, but it wasn't exclusively

Chinese IPs. But when I was looking at the other boxes, it was so heavily towards Chinese IPs that I can't really explain why the difference, unless it's a different group, right? I mean, because I don't know on those Kippo boxes where they were really coming from, because I didn't have the same kind of packet capture, so it is possible that it was a different group. Anything else? Yeah. [Question: how quickly did it get compromised with a bad password like that?] Within hours it was compromised, I mean, within hours. So I mean, I don't know... if you run any Linux box on the internet with an

open SSH port, if you look at your logs, they're hitting you all the time, all the time. If you look at that log, they're just banging away constantly on SSH. So I mean, it doesn't take long with a bad password. I'm sure... you know, I don't know where 123456 is in their list, but, you know, I'm sure if you put "password" it would be even quicker, right? Because it would just cut it down a little bit on how long it took them to get there. [Comment inaudible] I think it was more... I don't know, 123456 is such a

horrible password, but I don't know. But again, with the Linux box, it was a full-on Linux box, like they could compile, they could do whatever they wanted to do on that box, so it wasn't like the Kippo box, where they had easy ways to tell that it was a honeypot. Anything else? [Question inaudible] So, I have tried to get some interest in honeypots at different employers. At a previous employer we had a proof of concept that might still be running, I don't know. The suspicion was that we would see

more than we actually did. So the bad thing about that is people kind of lose interest in it, because they're like, "well, why are we doing this if we're not really seeing anything off of it?" right? And again, it's, you know, deploying an intentionally vulnerable box. So in that case I actually used honeyd and had it mimic an XP box, and in that case all it did was offer XP-like services. It does that kind of low interaction where it looks like XP, but once they actually try to do something to it, it won't let them go any further. But we didn't see a lot of...

we didn't see a lot of traffic. Most of the traffic we saw was legitimate; it was asset inventory stuff, like sweeping every IP address, and it would trip the honeypot, and the honeypot would go "ah, I got a hit," and it was just asset inventory looking for stuff. But I haven't given up on that idea, so I'm hoping that there's an opportunity in my new position to kind of revisit that with time. [Question inaudible] No, that's what I'm... they weren't; they were command and control... they were completely, again, I think these guys were just following a script, they had a set of tools, they

didn't really think about what they were doing, because they were just kids, 16 years old. I mean, I take him at his word; he seemed to be honest. They were just... yeah, true, you're right, you're right, it could be; I mean, you're absolutely right. And so, yeah, they just seem like they're just following a script. So, anything else? All right, thanks

everybody
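The fail2ban recommendation near the end of the talk (six failed SSH logins, then an iptables block for 15 minutes) can be shown as the detection rule it automates. The following is an added example, not code from the talk and not fail2ban's own code: it re-implements that threshold-and-ban rule in Python over a few constructed OpenSSH auth.log lines. The 10-minute counting window (`FINDTIME`), the hostname, PIDs and IP addresses (taken from the documentation ranges) and the pinned year 2014 are assumptions for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" lines as they appear in a syslog-style auth.log.
# The syslog timestamp carries no year, so the demo pins it to 2014 (assumption).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

MAXRETRY = 6                        # failures allowed before the block (from the talk)
FINDTIME = timedelta(minutes=10)    # window the failures must fall in (assumed)
BANTIME = timedelta(minutes=15)     # how long the block stays in place (from the talk)


def parse_failed(line, year=2014):
    """Return (timestamp, source_ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    stamp = " ".join(m.group("ts").split())   # collapse "Jun  7" to "Jun 7"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def plan_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Walk the log in order and return (ip, ban_start, ban_end) for every block.

    Mirrors the rule described in the talk: the maxretry-th failure from one
    source inside the findtime window triggers a firewall block lasting bantime.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    banned_until = {}             # ip -> when the current block expires
    bans = []
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:
            continue                # successful login, disconnect or unrelated line
        ts, ip = parsed
        # While the firewall drops the source, sshd would never see these
        # attempts; the demo models that by not counting them.
        if ip in banned_until and ts < banned_until[ip]:
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()        # forget failures older than the window
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, ts + bantime))
            window.clear()          # a fresh count starts once the block expires
    return bans


def iptables_rule(ip, port=22):
    """The kind of rule an iptables ban action inserts for a blocked source."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"


# Constructed sample log: one source fails seven times in seven seconds and once
# more later, a second source fails only twice, and one key login is mixed in.
SAMPLE_LOG = """\
Jun  7 02:13:01 honeypot sshd[2201]: Failed password for root from 203.0.113.5 port 41022 ssh2
Jun  7 02:13:02 honeypot sshd[2201]: Failed password for root from 203.0.113.5 port 41023 ssh2
Jun  7 02:13:02 honeypot sshd[2204]: Failed password for invalid user admin from 198.51.100.9 port 50011 ssh2
Jun  7 02:13:03 honeypot sshd[2201]: Failed password for root from 203.0.113.5 port 41024 ssh2
Jun  7 02:13:04 honeypot sshd[2201]: Failed password for root from 203.0.113.5 port 41025 ssh2
Jun  7 02:13:05 honeypot sshd[2207]: Accepted publickey for chris from 192.0.2.10 port 50100 ssh2
Jun  7 02:13:05 honeypot sshd[2201]: Failed password for root from 203.0.113.5 port 41026 ssh2
Jun  7 02:13:06 honeypot sshd[2201]: Failed password for root from 203.0.113.5 port 41027 ssh2
Jun  7 02:13:07 honeypot sshd[2201]: Failed password for root from 203.0.113.5 port 41028 ssh2
Jun  7 02:14:00 honeypot sshd[2204]: Failed password for invalid user admin from 198.51.100.9 port 50012 ssh2
Jun  7 02:40:00 honeypot sshd[2301]: Failed password for root from 203.0.113.5 port 41100 ssh2
"""

if __name__ == "__main__":
    for ip, start, end in plan_bans(SAMPLE_LOG.splitlines()):
        print(f"{start:%H:%M:%S} block {ip} until {end:%H:%M:%S}: {iptables_rule(ip)}")
```

Run as a script it reports one block: 203.0.113.5 at the sixth failure, lasting 15 minutes, while the source with two failures and the legitimate key login are left alone. In fail2ban itself the same three knobs are `maxretry`, `findtime` and `bantime` in the `[sshd]` jail of `jail.local`, and the same jail mechanism is what lets it cover FTP and other services the talk mentions. Note that the regex does not depend on the port, so the rule keeps working if SSH is moved off port 22 as the talk also suggests.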