ISF conference
Yesterday we had the pleasure of giving a presentation at the Norwegian infosec conference “ISF”. Our presentation gave a brief introduction to the Honeynet Project in general, but the main part introduced the audience to many of the tools developed by the project, along with a few external tools as well. The presentation is available for download in several formats: PDF, ODP or PPT.
Forensic Challenge 2010-5
The Honeynet Project is pleased to announce the next forensic challenge: Log Mysteries. This challenge takes you into the world of virtual systems and confusing log data. Figure out what happened to a virtual server using all the logs from a possibly compromised server.
Challenge 5 has been created by Raffael Marty from the Bay Area Chapter, Anton Chuvakin from the Hawaiian Chapter, and Sebastien Tricaud from the French Chapter.
The submission deadline is September 30th and we will be announcing the winners around October 21st. We have a few small prizes for the top three submissions.
Good luck, and enjoy!
Another VoIP hacking in Norway
The last month of scanning seems to have paid off for the attackers. A Norwegian municipality has been hacked, and its PBX has been calling Somalia and a lot of other destinations we have picked up on our VoIP honeypots during the last month.
If you have an unsecured IP PBX on the net, it will now only take hours before it is detected. The most common cause for this is misconfiguration. The people setting up the IP PBX have not taken security seriously, and the IP PBX is wide open for calling.
The simplest case is that inbound calls are routed out again if no local destination is found. A little harder is to simply brute-force the password on extensions. I can only say, there will be more like this!
The hacker can sell this “gateway” to a third party dealing in calling cards. I have investigated frauds in Norway where they managed to run up 1.2 million NOK (approx. 200,000 USD) within 10 days. That was a Cisco installation, but misconfigured Asterisk installations are also abused a lot.
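As an added example, not code from the original post, here is the kind of check a PBX operator could run over Asterisk call detail records to catch the abuse described above: calls to a watched country (the post names Somalia, country code 252) and bursts of international calls from a single extension. The field order is Asterisk's default Master.csv layout; the watched prefixes, the burst threshold and the sample records are constructed for this example.

```python
# Added example, not from the original post: a toll-fraud detector run over
# Asterisk CDR records, flagging outbound calls to a watched country (the
# post names Somalia, country code 252) and bursts of international calls
# from one source in one hour. The field order is Asterisk's default
# Master.csv layout; watched prefixes, threshold and sample records are
# constructed for this example.
import csv
from collections import Counter

WATCHED_PREFIXES = {"00252": "Somalia", "+252": "Somalia"}
BURST_LIMIT = 3   # international calls from one src within one hour

CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
              "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
              "duration", "billsec", "disposition", "amaflags"]

def parse_cdr(lines):
    """Map each Master.csv row onto the default Asterisk CDR field names."""
    return [dict(zip(CDR_FIELDS, row)) for row in csv.reader(lines)]

def is_international(dst):
    """Dialled number uses an international prefix (00 or +)."""
    return dst.startswith("00") or dst.startswith("+")

def detect(records):
    """Return alert tuples; the hour bucket is the 'YYYY-MM-DD HH' of start."""
    alerts, per_hour = [], Counter()
    for r in records:
        dst, src = r["dst"], r["src"]
        for prefix, country in WATCHED_PREFIXES.items():
            if dst.startswith(prefix):
                alerts.append(("watched-destination", src, dst, country))
        if is_international(dst):
            hour = r["start"][:13]             # e.g. "2010-08-05 02"
            per_hour[(src, hour)] += 1
            if per_hour[(src, hour)] == BURST_LIMIT:
                alerts.append(("international-burst", src, hour, BURST_LIMIT))
    return alerts

SAMPLE_CDR = [   # constructed records: one extension dialling abroad at night
    '"","201","0025255501234","from-internal","""201"" <201>","SIP/201-1","SIP/trunk-1","Dial","SIP/trunk/0025255501234","2010-08-05 02:13:44","2010-08-05 02:13:50","2010-08-05 02:25:01","677","671","ANSWERED","3"',
    '"","201","0044205550123","from-internal","""201"" <201>","SIP/201-2","SIP/trunk-2","Dial","SIP/trunk/0044205550123","2010-08-05 02:26:10","2010-08-05 02:26:15","2010-08-05 02:40:00","830","825","ANSWERED","3"',
    '"","201","0033155501234","from-internal","""201"" <201>","SIP/201-3","SIP/trunk-3","Dial","SIP/trunk/0033155501234","2010-08-05 02:41:02","2010-08-05 02:41:09","2010-08-05 02:55:30","868","861","ANSWERED","3"',
    '"","202","22445566","from-internal","""202"" <202>","SIP/202-1","SIP/trunk-4","Dial","SIP/trunk/22445566","2010-08-05 10:00:00","2010-08-05 10:00:05","2010-08-05 10:01:00","60","55","ANSWERED","3"',
]
```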
VoIP Challenge released! Real attack data!
The Honeynet Project has released a real VoIP attack challenge! It is real data and YOU must find out how the intruders carry out the attack! Are you up for it? You will learn more about VoIP and get an understanding of current VoIP attack methods! Go for it here! The deadline is in three weeks! Prizes for the best answers!
The Chinese-speaking members of the Honeynet Project have even translated it into Simplified Chinese! Have fun and learn a lot!
Update (26. jun): NB! Only a few days left to submit your answer! The deadline is June 30th.
Update (28. jul): The solution and the winners of this challenge are available here.
Firefox prefetch
Are you aware of the effects of the network.prefetch-next preference in Firefox? It’s actually quite an old feature (according to this site it was introduced way back in 2003), but I’m pretty sure not everyone knows the possibly scary side effect of this smart(tm) feature. It tries to keep the browser one step ahead of its user by prefetching the pages it assumes the user will click on next.
This is what gets logged on honeynor.no when I (84.215.x.y) google the word “honeynor”.
84.215.x.y - - [18/May/2010:23:42:55 +0200] "GET / HTTP/1.1" 200 17832 "http://www.google.com/ \
search?hl=en&source=hp&q=honeynor&aq=f&aqi=g-s1g-sx7&aql=&oq=&gs_rfai=&fp=64bbd6d9727d98e0" \
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) \
Firefox/3.6.3"
I haven’t left Google yet, but my very intelligent browser thinks I might click on the first link (www.honeynor.no), so it goes ahead and accesses the site, way before my puny brain has had any chance of processing the search output. In true PKD style, I hereby accuse Firefox of a precrime!
Why is this action bad? Let me answer the question with a question: do you always want to access the sites presented to you when you search the web? I can think of several cases where I’m not keen on letting some third party know of my interest in them; either during an analysis, or in case of possible repercussions against me for accessing a site in an unexpected or socially engineered manner.
It seems Google is in cahoots with Firefox on this one, because I’m unable to reproduce the same result using Bing, Yahoo or AllTheWeb. Only on Google is the prefetch mechanism activated.
So, how can you disable this feature? Luckily it is very easy: go to about:config in your Firefox/Mozilla browser and set the parameter network.prefetch-next to false. That’s it!
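From the server side of the log line above, the operator can tell a prefetch apart from a real visit only if the request carries the browser's prefetch marker. The following is an added example, not code from the original post: a minimal WSGI handler that refuses prefetch requests and records the search term from the referer for real visits. It assumes Firefox of that era marks prefetches with the request header "X-moz: prefetch" (Firefox 3.x did); the app, host list and sample environ are constructed here.

```python
# Added example (not from the original post): a tiny WSGI handler that
# separates Firefox link-prefetch hits from real visits and pulls the search
# term out of a search-engine referer, so a honeypot web log records the two
# apart. Assumes Firefox of that era marks prefetches with the request header
# "X-moz: prefetch" (Firefox 3.x did); the app and environ are constructed.
from urllib.parse import urlparse, parse_qs

SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

def is_prefetch(environ):
    """True when the browser flagged the request as speculative."""
    return environ.get("HTTP_X_MOZ", "").strip().lower() == "prefetch"

def search_query(referer):
    """Search term from a search-engine referer URL, or None."""
    if not referer:
        return None
    url = urlparse(referer)
    if url.hostname not in SEARCH_HOSTS:
        return None
    params = parse_qs(url.query)
    for key in ("q", "p"):            # google/bing use q, yahoo uses p
        if params.get(key):
            return params[key][0]
    return None

def classify(environ):
    """Summarise one request for the log: prefetch flag and search term."""
    return {
        "client": environ.get("REMOTE_ADDR"),
        "prefetch": is_prefetch(environ),
        "query": search_query(environ.get("HTTP_REFERER")),
    }

def app(environ, start_response):
    """Refuse prefetches with an empty 403; serve real visits normally."""
    info = classify(environ)
    if info["prefetch"]:
        start_response("403 Forbidden", [("Content-Length", "0")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"searched for: {info['query']}\n".encode()]

SAMPLE_ENVIRON = {   # constructed, mirroring the access-log line in the post
    "REMOTE_ADDR": "84.215.x.y",
    "HTTP_REFERER": "http://www.google.com/search?hl=en&source=hp&q=honeynor&aq=f",
    "HTTP_X_MOZ": "prefetch",
}
```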
Firefox 3.6.x and vmrc
Recently I upgraded to the 3.6 series of Firefox (3.6.3 to be exact), and suddenly my VMware Remote Console (vmrc) was broken. We use VMware Server 2.0.1, but upgrading to the latest 2.0.2 didn’t help. On closer inspection, the problem was neither with the server nor with vmrc itself, but rather with the integration of the plugin used with Firefox 3.6 (I’m using VMware Remote Console Plug-in 2.5.0.122581). Whether the problem lies with the plug-in or with FF 3.6’s plug-in framework (or a combination of the two), I do not know. What I do know, though, is that you don’t have to downgrade to FF 3.5.x if you use the following workaround.
On your vmware server, go to the following directory:
/usr/lib/vmware/webAccess/tomcat/ \
apache-tomcat-6.0.16/webapps/ui/plugin/
Copy the appropriate vmrc plugin for your client platform (mine was a 32 bit Ubuntu 10.04 Desktop, so I grabbed vmware-vmrc-linux-x86.xpi).
On your client, unzip the xpi-file:
$ unzip vmware-vmrc-linux-x86.xpi
Run the vmrc executable (it’s actually just a wrapper script) manually by specifying the absolute path (I extracted the contents to /tmp):
$ /tmp/vmrc/plugins/vmware-vmrc
The vmrc UI starts, and you can connect to your VMware server by specifying either its hostname or its IP address, together with your username and password (I also had to specify the port, e.g. <IP>:8333). When a connection has been established with the server, you will be presented with a selection of virtual machines you may connect to.
Forensic Challenge 2010-3
The Honeynet Project is proud to present our third Forensic Challenge 2010, created by Josh Smith and Matt Cote from The Rochester Institute of Technology Chapter, Angelo Dell’Aera from the Italian Chapter and Nicolas Collery from the Singapore Chapter. This challenge is a bit different from the previous two, as it involves investigating a memory image of an infected virtual machine. Read all the questions for this challenge over at the main blog and submit your answers by 17:00 EST, Sunday, April 18th 2010. Good luck!
UPDATE (12.Apr): There are now additional third-party incentives to participate in this forensics challenge. Both Volatile Systems and MANDIANT are offering their own prizes to the top three winners that apply their memory analysis tools: the Volatility Framework, and Memoryze and Audit Viewer, respectively. But remember, there are now only a few days left until the deadline, so get moving!
UPDATE (19.Apr): The submission deadline for this challenge has been extended till April 26th.
UPDATE (14.May): The solution and the winners of this challenge are available here.
The solution and winners of the second challenge are shown here.
Enhanced CC2ASN
For over 9 months we’ve run our CC2ASN service, allowing you to look up ISO-3166 country codes and get back all ASNs, IPv4 or IPv6 prefixes for that specific country. Now the time has come for an update.
A major issue with the RIR data (delegated feeds) used by the CC2ASN service is ASNs registered to a region instead of a specific country. There are currently two regions in use: European Union (EU) and Asia Pacific (AP). The reason for using these is the ever-increasing globalization of corporations and organizations, and hence quite understandable. But when you want a list of AS numbers for a given country code, the ASNs behind the regional registrations have to be included too.
This is where the enhanced database comes into action. In this database we’ve manually overridden the country code assignments for those ASNs that in the RIR data were registered to either EU or AP. In addition we’ve also corrected a few other ASNs that we knew had a wrong country code. The list we’ve compiled is publicly available: asn_override.txt.
It has all been a manual job, going through all the EU and AP ASNs, plus a good portion of the other CCs as well. The CC override decision is based on one or more of the following checks:
- Looking at references to location in whois descr, address or country records.
- Using location info in router names from tracepath of the AS prefixes.
- The nationality of peers and upstream providers.
- Location of corporate headquarters or regional headquarters.
- General googling/binging.
And this is a continuing job, whenever new ASNs are allocated to either EU or AP.
So, how do you access this new database? From the CC2ASN web interface, make sure you check the box labeled “Use Enhanced Database”. The database is also available by directly querying port 44/tcp (the normal CC2ASN database is available on the standard whois port, 43/tcp). Note that the enhanced database only outputs ASNs, not prefixes.
$ echo "GB" | nc atari.honeynor.no 44
Every day, when the latest RIR data are downloaded and parsed, all changes to the enhanced database are recorded. This allows us to provide you with an ASN history tool: CC2ASN Delta. The main page lists changes over the last 90 days for ASNs registered to a specific country. By clicking on a country, you get a textual representation of all registered changes for that country. By further clicking on an ASN, you get a listing of potential country changes for that AS.
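To make the override and delta steps above concrete, here is an added example (not CC2ASN’s own code) that builds a country-to-ASN table from RIR delegated-stats lines, moves EU/AP-registered ASNs to their real country from an override list, and diffs two daily builds the way the delta history does. The delegated line layout is the real RIR format; the override file format (“ASN CC” per line), the documentation-range ASNs and all sample data are assumptions constructed for this example.

```python
# Added example, not CC2ASN's own code: build a country -> ASN table from RIR
# delegated-stats lines, apply a manual override list for ASNs registered to a
# region (EU/AP), and diff two daily builds as CC2ASN Delta records history.
# "registry|cc|type|start|value|date|status" is the real RIR line layout; the
# override format ("ASN CC" per line) and all sample data are constructed.
from collections import defaultdict

def parse_delegated(lines):
    """Yield (asn, cc) for allocated/assigned ASN records; 'value' is a block size."""
    for line in lines:
        f = line.strip().split("|")
        if len(f) < 7 or f[2] != "asn" or not f[3].isdigit() \
                or f[6] not in ("allocated", "assigned"):
            continue                      # version, summary, comment, non-ASN lines
        for asn in range(int(f[3]), int(f[3]) + int(f[4])):
            yield asn, f[1].upper()

def parse_overrides(lines):
    """Assumed override format: 'ASN CC' per line, '#' starts a comment."""
    table = {}
    for line in lines:
        fields = line.split("#", 1)[0].split()
        if fields:
            table[int(fields[0])] = fields[1].upper()
    return table

def build_cc2asn(delegated, overrides):
    """{cc: set(asn)}; overridden ASNs move from EU/AP to their real country."""
    table = defaultdict(set)
    for asn, cc in parse_delegated(delegated):
        table[overrides.get(asn, cc)].add(asn)
    return dict(table)

def delta(old, new):
    """Per-country (added, removed) ASN lists between two daily builds."""
    changes = {}
    for cc in set(old) | set(new):
        added = new.get(cc, set()) - old.get(cc, set())
        removed = old.get(cc, set()) - new.get(cc, set())
        if added or removed:
            changes[cc] = (sorted(added), sorted(removed))
    return changes

SAMPLE_DELEGATED = [               # constructed; ASNs from the RFC 5398 range
    "ripencc|*|asn|*|4|summary",
    "ripencc|NO|asn|64496|2|20100301|allocated",
    "ripencc|EU|asn|64498|1|20100301|allocated",
    "apnic|AP|asn|64499|1|20100301|allocated",
    "ripencc|GB|asn|64500|1|20100301|allocated",
]
SAMPLE_OVERRIDES = ["64498 NO  # constructed: EU registration, Norwegian operator"]
```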
For more information, take a look at the documentation.
GSoC 2010
The Honeynet Project has once again been accepted as a mentor organization in Google Summer of Code (GSoC). During the next week or so, we’ll keep updating our GSoC-2010 page, especially the page of proposed ideas.
We’ve got a wide range of projects and develop tools using most of the popular programming languages, so if you are an eligible student interested in open source software, information security or honeynet technologies and think spending your summer being paid by Google to work on an exciting software development project sounds like a great plan, we look forward to hearing from you.
Simply connect to #gsoc-honeynet on irc.freenode.net to chat to our organizational admins and project mentors. Do remember that you don’t have to apply for one of our pre-defined project ideas, you can also propose your own project topic which we’ll try to find a suitable mentor for too. Google will start accepting student applications from Monday, March 29 at 19:00 UTC.
Forensic Challenge 2010-2
The Honeynet Project is proud to present our second Forensic Challenge 2010, created by Nicolas Collery from the Singapore Chapter and Guillaume Arcas from the French Chapter. Provided with our pcap file, you’re challenged to answer ten questions before the deadline on March 1. Read all about it at honeynet.org. Good luck!
The solution and winners of the first challenge are shown here.