List of Figures
Honeypots for Windows
by Roger A. Grimes
Apress
2005
Chapter 1: An Introduction to Honeypots
Figure 1-1: A honeynet example
Figure 1-2: A sample honeypot deployment
Figure 1-3: VMware running Windows NT Server 4.0 and Windows 98 on a Windows 2000 Professional computer
Figure 1-4: GenII honeypot setup
Chapter 2: A Honeypot Deployment Plan
Figure 2-1: Example of a production honeynet
Figure 2-2: Honeynet created using a hub
Figure 2-3: Wiring schematic for receive-only Ethernet cable
Figure 2-4: Example of port mirroring
Figure 2-5: Example of NAT routing
Figure 2-6: Honeynet Project’s Honeywall Administration menu
Figure 2-7: Example of a simple router segment IP address scheme
Figure 2-8: Example of a complex honeynet IP address scheme
Figure 2-9: External placement of a honeypot
Figure 2-10: Internal honeypot placement
Figure 2-11: Honeypot DMZ placement
Chapter 4: Windows Honeypot Deployment
Figure 4-1: A Microsoft Longhorn screen
Figure 4-2: Microsoft patching pathway
Figure 4-3: Windows Firewall remote-monitoring port exceptions
Figure 4-4: Windows Computer Management Services console
Figure 4-5: Configuring a service logon
Figure 4-6: Example of Group Policy Object security settings
Chapter 5: Honeyd Installation
Figure 5-1: Honeyd with multiple templates
Figure 5-2: Honeyd screen activity summary example
Figure 5-3: Confirming WinPcap’s successful installation in Add/Remove Programs
Figure 5-4: Windump.exe -D output example verifying a correctly installed WinPcap driver
Figure 5-5: Cygwin Setup – Select Packages dialog box
Figure 5-6: An Ethereal screen
Chapter 7: Honeyd Service Scripts
Figure 7-1: Example of the Router-telnet Perl script in action
Figure 7-2: Ms-ftp.sh script emulating a Microsoft FTP server
Chapter 8: Other Windows-Based Honeypots
Figure 8-1: Back Officer Friendly interface
Figure 8-2: LaBrea’s screen console
Figure 8-3: SPECTER’s main Control screen
Figure 8-4: SPECTER’s on-screen log
Figure 8-5: SPECTER’s Log Analyzer tool
Figure 8-6: KFSensor’s Setup Wizard components (port listeners) selection
Figure 8-7: KFSensor monitor in Ports view
Figure 8-8: KFSensor’s Edit Sim Banner dialog box
Figure 8-9: KFSensor emulated IIS 6.0 Under Construction error page
Figure 8-10: FTP client screen when attaching to KFSensor’s emulated FTP server
Figure 8-11: KFSensor’s Event Details screen for an FTP session
Figure 8-12: Example of KFSensor’s SMTP sim standard server
Figure 8-13: Results of running Nbtscan.exe against KFSensor’s NetBIOS sim banner server
Figure 8-14: KFSensor SMTP alert configuration dialog box
Figure 8-15: KFSensor log example showing an FTP login session
Figure 8-16: Windows event log message generated by an FTP login session
Figure 8-17: KFSensor’s anti-DoS settings dialog box
Figure 8-18: PatriotBox’s interface and HTTP configuration dialog box
Figure 8-19: Jackpot’s console screen showing SMTP connection activity
Figure 8-20: Example of a connected SMTP Jackpot session from the spammer’s computer
Figure 8-21: Jackpot main administration screen
Chapter 9: Network Traffic Analysis
Figure 9-1: The OSI model
Figure 9-2: TCP/IP protocol flow example
Figure 9-3: IP packet structure
Figure 9-4: TCP packet structure
Figure 9-5: UDP packet structure
Figure 9-6: The main Ethereal screen with packet-capture data
Figure 9-7: Ethereal showing HTTP traffic on a port other than 80
Figure 9-8: Ethereal’s middle pane shows packet layer information.
Figure 9-9: Ethereal Capture Options dialog box
Figure 9-10: Ethereal’s TCP Conversation screen
Figure 9-11: Ethereal showing packets of a captured hacker session
Figure 9-12: Ethereal showing the TCP stream (using the Follow TCP Stream) feature for a packet
Figure 9-13: WinDump screen
Figure 9-14: Snort packet pathway
Figure 9-15: Executing Snort with the -v option captures header information only.
Figure 9-16: Snort in full packet capture mode
Figure 9-17: A Snort binary log file
Figure 9-18: A Snort alert file
Chapter 10: Honeypot Monitoring
Figure 10-1: Honeypot data-collection strategy
Figure 10-2: Winfingerprint in action
Figure 10-3: WinInterrogate scanning local files
Figure 10-4: Winalysis snapshot comparison screen
Figure 10-5: Sysinternal’s Regmon utility
Figure 10-6: Several SecurIT utilities monitoring system processes
Figure 10-7: Event Viewer snap-in console monitoring several computers
Figure 10-8: Kiwi Syslog collecting events from a honeypot system
Figure 10-9: Event Viewer filtering successful logins
Figure 10-10: Snort IDScenter SMTP alerting options
Figure 10-11: A NET SEND console alert message
Chapter 11: Honeypot Data Analysis
Figure 11-1: Example of dd --list command output
Figure 11-2: Example of event ID 528
Figure 11-3: Main KFSensor screen showing some of the 1,022 events
Figure 11-4: Ethereal generating a protocol distribution report
Figure 11-5: Portion of Ethereal protocol distribution report
Figure 11-6: KFSensor logs showing the first IIS attack
Figure 11-7: KFSensor log detail for one of the attacks
Figure 11-8: Ethereal capture showing Windows Media Services buffer overflow attack
Figure 11-9: KFSensor’s logs of the spam open relay
Figure 11-10: Hacker’s malicious folder structure
Figure 11-11: Bogus .system directory
Figure 11-12: R_bot.ini IRC configuration file
Chapter 12: Malware Code Analysis
Figure 12-1: Executable code pathway
Figure 12-2: Programming interface choices
Figure 12-3: Using the Debug register command
Figure 12-4: Strings.exe revealing text strings in a malicious file
Figure 12-5: MASM disassembly of the Thing Trojan showing called Windows APIs
Figure 12-6: Sampling of MASM disassembly of the Thing Trojan
Figure 12-7: IDA Pro disassembling Netlog1.exe instructions
Figure 12-8: An IDA Pro logic diagram
Figure 12-9: PE Explorer disassembling Netlog1.exe
Figure 12-10: Borg disassembling Netlog1.exe
Honeypots for Windows (Books for Professionals by Professionals)
ISBN: 1590593359
Year: 2006
Pages: 119
Authors:
Roger A. Grimes