I created a quick Regular Expressions (Regex) quiz to help students who already have a basic understanding of Regex start recognizing the kinds of patterns it can be applied to. You can find the Google Doc version of this quiz here. If you are not familiar with Regex already you can view a tutorial here.
For those who prefer to see the questions directly on TekDefense, here they are:
1. Write a Regular Expression that will match a date in the format “YYYY-MM-DD”.
2. Write a Regular Expression that will match a traditional SSN.
3. Write a Regular Expression that will match an IPv4 address.
4. Write a Regular Expression that will match an email address.
5. Given the example text that follows, which of the Regular Expressions will match only the MD5 hashes? Circle all that apply.
A. \w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w
B. \w{32}
C. [a-f0-9]{32}
D. [a-f0-9]+
6. From your answer to question 5, which of the valid Regular Expressions for an MD5 hash is the most specific and reusable for finding MD5 hashes in the future?
** Warning Answers below this line **
--------------------------------------------
Answers: Keep in mind that as this is Regex, there are many right answers. If you have something different from what I have below it may still be right. The best way to check is to test it out. You can test with Notepad++ or take a different route such as RegExr. The answer to the fourth question will not work with all email addresses. There are much more complex expressions that will catch a greater share of email addresses. This one is focused on the format of john@example.com.
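To make the point of questions 5 and 6 concrete, here is an added example (not part of the quiz or its answer key) that runs the four candidate patterns over a constructed sample text containing two MD5 hashes plus look-alike tokens, both as written and wrapped in \b word boundaries. The quiz's own example text is not reproduced on this page, so the sample below is constructed.

```python
import re

# The four candidate patterns from question 5 (A is \w repeated 32 times).
CANDIDATES = {
    "A": r"\w" * 32,
    "B": r"\w{32}",
    "C": r"[a-f0-9]{32}",
    "D": r"[a-f0-9]+",
}

# Constructed sample text (not the quiz's own): two MD5s plus tokens that are not MD5s
# (a SHA-1, a 32-character non-hex identifier, and a short hex word).
SAMPLE = (
    "md5: d41d8cd98f00b204e9800998ecf8427e "
    "sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 "
    "id: " + "Z" * 32 + " "
    "md5: 9e107d9d372bb6826bd81d3542a419d6 "
    "word: deadbeef"
)
MD5S = {"d41d8cd98f00b204e9800998ecf8427e", "9e107d9d372bb6826bd81d3542a419d6"}

def found(key, text=SAMPLE, anchored=False):
    """Set of substrings the candidate matches; anchored=True adds word boundaries."""
    pattern = CANDIDATES[key]
    if anchored:
        pattern = r"\b" + pattern + r"\b"
    return set(re.findall(pattern, text))

def matches_only_md5(key, text=SAMPLE, anchored=False):
    """True when the candidate finds exactly the MD5 hashes and nothing else."""
    return found(key, text, anchored) == MD5S

def scoreboard(anchored=False):
    """Which candidates match only the MD5s in the sample text."""
    return {key: matches_only_md5(key, anchored=anchored) for key in CANDIDATES}

if __name__ == "__main__":
    for anchored in (False, True):
        print("anchored" if anchored else "bare", scoreboard(anchored))
```

Without boundaries even C picks up the first 32 characters of the SHA-1, so in practice the hex class from C combined with \b on both ends is the reusable form.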
In this episode of TekTip, I am going to show a unique method to drive traffic to your Honeypot. While I use Kippo as the example this approach will work for any Honeypot.
*If you do not know what Kippo is, shame on you. Watch this, this, and this to get caught up.
Now let's get to it. The first thing we need to do is prep our Kippo instance so that we can measure the results of the approach. Log into your Kippo honeypot, probably on HoneyDrive. Once logged in, go to your Kippo install directory and navigate to the data folder.
If using HoneyDrive it will look something like this:
cd /opt/kippo/data
Now use the cat command to see what you currently have as allowable credentials in your userdb.txt.
cat userdb.txt
root:0:123456
root:0:abc123
root:0:p@ssw0rd
This is what I have. As you can see I allow 3 of the top 10 most used passwords. Now we want to add credentials that are unique enough that they should not be attempted by your average attacker. Open userdb.txt in your favorite text editor and add a new line with the credentials you want to use. I added one for root:0:IamSo1337!. Running "cat userdb.txt" again shows the following:
cat userdb.txt
root:0:123456
root:0:abc123
root:0:p@ssw0rd
root:0:IamSo1337!
That takes care of the prep. Now if you are doing this with something other than Kippo, those previous steps won't apply. If whatever Honeypot you are using has the ability to let attackers authenticate you will want to set up a unique set of credentials for the experiment. If not, press on.
We will now use social networks against our attackers. To put it simply, we are going to post login information for our honeypot on a public site like Pastebin, and then alert attackers to the information by posting a link to the paste on social networks like Twitter.
You may want to keep the rest of the activity as anonymous as possible, so fire up Tor Browser or use proxychains to hide your IP information. Once anonymized go to pastebin.com.
The trick to getting this to work properly is to use keywords that attackers may have PasteLerts set up for. For instance you will want to include keywords such as ssh, login, username, password, root, and many others. Make sure you use some of these keywords in the title as well. Here is a sample one I put together:
Submit this and get your Pastebin URL. This alone will be enough to bring in a few extra hits from people who are monitoring Pastebin. To get even more folks to see it, though, we will need to take it a step further.
While still anonymizing your activity, create a throwaway Twitter account. As many people as there are that monitor Pastebin, there are even more that monitor Twitter (at least I am guessing so). In particular there are certain Twitter users and lists that people follow to get password dumps as they occur. My favorite of these is @PastebinDorks.
With your new Twitter account create a tweet that mentions @PastebinDorks or another account like that. Have it say something along the lines of, "Check out this one! http://pastebin.com/qi7wzp8h". Now anyone that follows @PastebinDorks will see your post. You may get lucky enough to have someone retweet it a few times.
Now you can just sit back and wait for the connections to roll in. While I used Twitter and Pastebin in my example, this can be done with any similar tools. The point is to get the data out there in public and then use social networks to increase exposure.
To monitor your Kippo logs and see when attackers use the user/pass combination you specified in userdb.txt, navigate to your Kippo logs directory and do the following:
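The post's own monitoring command is not reproduced on this page. As an added example (not the author's), the following Python script scans Kippo log lines for the canary credential added to userdb.txt above and counts hits per source address; it assumes the usual Twisted-style Kippo log line layout shown in the comment and runs over constructed sample lines.

```python
import re
from collections import Counter

# Canary credential added to userdb.txt in the post: user root, password IamSo1337!
CANARY_USER = "root"
CANARY_PASS = "IamSo1337!"

# Assumed Kippo (Twisted) log line layout:
# <date> <time> [SSHService ssh-userauth on HoneyPotTransport,<id>,<src ip>] login attempt [<user>/<pass>] succeeded|failed
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)$"
)

def canary_hits(lines):
    """(timestamp, source ip, result) for every login attempt that used the canary credential."""
    hits = []
    for line in lines:
        m = LOGIN_RE.match(line.rstrip("\n"))
        # Count only attempts where both username and password equal the canary pair;
        # the canary password under another username is noise, not a bait hit.
        if m and m.group("user") == CANARY_USER and m.group("pw") == CANARY_PASS:
            hits.append((m.group("ts"), m.group("ip"), m.group("result")))
    return hits

def hits_by_ip(lines):
    """How many times each source address presented the canary credential."""
    return Counter(ip for _, ip, _ in canary_hits(lines))

# Constructed sample log lines (documentation addresses, not a real honeypot).
SAMPLE_LOG = """\
2013-04-01 12:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] login attempt [root/letmein] failed
2013-04-01 12:00:05+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] login attempt [root/IamSo1337!] succeeded
2013-04-01 12:03:44+0000 [SSHService ssh-userauth on HoneyPotTransport,5,203.0.113.9] login attempt [admin/IamSo1337!] failed
2013-04-01 12:09:10+0000 [SSHService ssh-userauth on HoneyPotTransport,6,198.51.100.7] login attempt [root/IamSo1337!] succeeded
2013-04-01 12:11:00+0000 [SSHService ssh-userauth on HoneyPotTransport,7,192.0.2.55] login attempt [root/IamSo1337!] succeeded
""".splitlines()

if __name__ == "__main__":
    for ts, ip, result in canary_hits(SAMPLE_LOG):
        print(ts, ip, result)
    print(hits_by_ip(SAMPLE_LOG))
```

Every address that shows up here learned the credential from the paste or the tweet, which is the measurement the experiment is after.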
In this episode of the Kippo Kronicles we replay the attack of the most advanced of all attackers, the APT Attacker. Okay, not quite. In fact calling this guy (or maybe gal) an APT'er is like calling your chubby friend slim. I get typing dir once by accident, but to repeatedly try to type dir in Linux, come on now. Anyways, I have a ton of logs stored up and ready to videotize. More to come.
Automater, as most of you know, pulls IP and URL information from various sources in order to make analysis easier on the analyst. Recently IPVoid changed up their site a bit; because of this I needed to make some modifications to Automater to get it to function appropriately. To be specific, I needed to modify the regular expressions to match the format of the new site.
I have some other changes that I will be making soon as well:
Extra export options (csv, html)
Malware domainlist checker
Source engine selection
Re-write to utilize BeautifulSoup
If anyone has any other feature requests please let me know.
To see more about what Automater is and how it functions check out the tutorial.
Welcome to the first of many Kippo Kronicles. In this series I will use the replay function of Kippo to show what attackers have attempted to do on my honeypot. I hope you enjoy.