Z

skip navigation

honeypots for windows
List of Figures
Honeypots for Windows
by Roger A. Grimes
Apress 2005
progress indicator progress indicatorprogress indicator progress indicator

Chapter 1: An Introduction to Honeypots

Figure 1-1: A honeynet example
Figure 1-2: A sample honeypot deployment
Figure 1-3: VMware running Windows NT Server 4.0 and Windows 98 on a Windows 2000 Professional computer
Figure 1-4: GenII honeypot setup

Chapter 2: A Honeypot Deployment Plan

Figure 2-1: Example of a production honeynet
Figure 2-2: Honeynet created using a hub
Figure 2-3: Wiring schematic for receive-only Ethernet cable
Figure 2-4: Example of port mirroring
Figure 2-5: Example of NAT routing
Figure 2-6: Honeynet Project’s Honeywall Administration menu
Figure 2-7: Example of a simple router segment IP address scheme
Figure 2-8: Example of a complex honeynet IP address scheme
Figure 2-9: External placement of a honeypot
Figure 2-10: Internal honeypot placement
Figure 2-11: Honeypot DMZ placement

Chapter 4: Windows Honeypot Deployment

Figure 4-1: A Microsoft Longhorn screen
Figure 4-2: Microsoft patching pathway
Figure 4-3: Windows Firewall remote-monitoring port exceptions
Figure 4-4: Windows Computer Management Services console
Figure 4-5: Configuring a service logon
Figure 4-6: Example of Group Policy Object security settings

Chapter 5: Honeyd Installation

Figure 5-1: Honeyd with multiple templates
Figure 5-2: Honeyd screen activity summary example
Figure 5-3: Confirming WinPcap’s successful installation in Add/Remove Programs
Figure 5-4: Windump.exe D output example verifying a correctly installed WinPcap driver
Figure 5-5: Cygwin Setup – Select Packages dialog box
Figure 5-6: An Ethereal screen

Chapter 7: Honeyd Service Scripts

Figure 7-1: Example of the Router-telnet Perl script in action
Figure 7-2: Ms-ftp.sh script emulating a Microsoft FTP server

Chapter 8: Other Windows-Based Honeypots

Figure 8-1: Back Officer Friendly interface
Figure 8-2: LaBrea’s screen console
Figure 8-3: SPECTER’s main Control screen
Figure 8-4: SPECTER’s on-screen log
Figure 8-5: SPECTER’s Log Analyzer tool
Figure 8-6: KFSensor’s Setup Wizard components (port listeners) selection
Figure 8-7: KFSensor monitor in Ports view
Figure 8-8: KFSensor’s Edit Sim Banner dialog box
Figure 8-9: KFSensor emulated IIS 6.0 Under Construction error page
Figure 8-10: FTP client screen when attaching to KFSensor’s emulated FTP server
Figure 8-11: KFSensor’s Event Details screen for an FTP session
Figure 8-12: Example of KFSensor’s SMTP sim standard server
Figure 8-13: Results of running Nbtscan.exe against KFSensor’s NetBIOS sim banner server
Figure 8-14: KFSensor SMTP alert configuration dialog box
Figure 8-15: KFSensor log example showing an FTP login session
Figure 8-16: Windows event log message generated by an FTP login session
Figure 8-17: KFSensor’s anti-DoS settings dialog box
Figure 8-18: PatriotBox’s interface and HTTP configuration dialog box
Figure 8-19: Jackpot’s console screen showing SMTP connection activity
Figure 8-20: Example of a connected SMTP Jackpot session from the spammer’s computer
Figure 8-21: Jackpot main administration screen

Chapter 9: Network Traffic Analysis

Figure 9-1: The OSI model
Figure 9-2: TCP/IP protocol flow example
Figure 9-3: IP packet structure
Figure 9-4: TCP packet structure
Figure 9-5: UDP packet structure
Figure 9-6: The main Ethereal screen with packet-capture data
Figure 9-7: Ethereal showing HTTP traffic on a port other than 80
Figure 9-8: Ethereal’s middle pane shows packet layer information.
Figure 9-9: Ethereal Capture Options dialog box
Figure 9-10: Ethereal’s TCP Conversation screen
Figure 9-11: Ethereal showing packets of a captured hacker session
Figure 9-12: Ethereal showing the TCP stream (using the Follow TCP Stream) feature for a packet
Figure 9-13: WinDump screen
Figure 9-14: Snort packet pathway
Figure 9-15: Executing Snort with the -v option captures header information only.
Figure 9-16: Snort in full packet capture mode
Figure 9-17: A Snort binary log file
Figure 9-18: A Snort alert file

Chapter 10: Honeypot Monitoring

Figure 10-1: Honeypot data-collection strategy
Figure 10-2: Winfingerprint in action
Figure 10-3: WinInterrogate scanning local files
Figure 10-4: Winalysis snapshot comparison screen
Figure 10-5: Sysinternal’s Regmon utility
Figure 10-6: Several SecurIT utilities monitoring system processes
Figure 10-7: Event Viewer snap-in console monitoring several computers
Figure 10-8: Kiwi Syslog collecting events from a honeypot system
Figure 10-9: Event Viewer filtering successful logins
Figure 10-10: Snort IDScenter SMTP alerting options
Figure 10-11: A NET SEND console alert message

Chapter 11: Honeypot Data Analysis

Figure 11-1: Example of dd --list command output
Figure 11-2: Example of event ID 528
Figure 11-3: Main KFSensor screen showing some of the 1,022 events
Figure 11-4: Ethereal generating a protocol distribution report
Figure 11-5: Portion of Ethereal protocol distribution report
Figure 11-6: KFSensor logs showing the first IIS attack
Figure 11-7: KFSensor log detail for one of the attacks
Figure 11-8: Ethereal capture showing Windows Media Services buffer overflow attack
Figure 11-9: KFSensor’s logs of the spam open relay
Figure 11-10: Hacker’s malicious folder structure
Figure 11-11: Bogus .system directory
Figure 11-12: R_bot.ini IRC configuration file

Chapter 12: Malware Code Analysis

Figure 12-1: Executable code pathway
Figure 12-2: Programming interface choices
Figure 12-3: Using the Debug register command
Figure 12-4: Strings.exe revealing text strings in a malicious file
Figure 12-5: MASM disassembly of the Thing Trojan showing called Windows APIs
Figure 12-6: Sampling of MASM disassembly of the Thing Trojan
Figure 12-7: IDA Pro disassembling Netlog1.exe instructions
Figure 12-8: An IDA Pro logic diagram
Figure 12-9: PE Explorer disassembing Netlog1.exe
Figure 12-10: Borg disassembling Netlog1.exe

progress indicator progress indicatorprogress indicator progress indicator


Honeypots for Windows
Honeypots for Windows (Books for Professionals by Professionals)
ISBN: 1590593359
EAN: 2147483647
Year: 2006
Pages: 119

Similar book on Amazon
Honeypots: Tracking Hackers
Honeypots: Tracking Hackers
Know Your Enemy: Learning about Security Threats (2nd Edition)
Know Your Enemy: Learning about Security Threats (2nd Edition)
Virtual Honeypots: From Botnet Tracking to Intrusion Detection
Virtual Honeypots: From Botnet Tracking to Intrusion Detection
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net