Like BOF, Specter will listen on the respective ports for any of the services or traps you have selected. If your system has the netstat -a command, it will show the ports you have selected and enabled as open and listening. Specter shares the same limitations as BOF. Specifically, it cannot listen on or monitor a port that is already owned by another application. If you have some service listening on the FTP port (port 21), then Specter is unable to monitor that port. If you are running your own personal Web server on the honeypot, then Specter cannot monitor port 80. Specter can only monitor ports that are not owned by any other application.
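The port-ownership limitation above is easy to run into after the fact, so a check before enabling each service or trap is worth having. The following is an added example, not Specter's own code: it tries to bind a listening socket on each port you intend Specter to monitor and reports which ones are already owned by another application. The port list holds only the three services the text names (FTP, Telnet, Web); the remaining entries are yours to add from your Specter configuration.

```python
"""Report which of the ports a Specter service or trap would need are
already owned by another application on this host.

Added example (not part of Specter). It assumes that a failed bind() of a
listening socket is an adequate test of ownership, which holds on Windows
and on Unix-like systems. A port lingering in TIME_WAIT may also be
reported as owned, which is harmless for a pre-deployment check.
"""
import socket

# Ports the chapter mentions Specter monitoring (standard port numbers).
# Extend this dict with every other service or trap you have enabled.
SPECTER_SERVICE_PORTS = {
    "ftp": 21,
    "telnet": 23,
    "http": 80,
}


def port_is_free(port: int, host: str = "0.0.0.0") -> bool:
    """Return True if nothing on this host currently owns TCP `port`.

    No SO_REUSEADDR is set on purpose: with it, a bind can succeed even
    though another socket is listening, which is exactly what we want to
    detect. On Unix-like systems ports below 1024 need privilege to bind,
    so a PermissionError is re-raised rather than reported as "owned".
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except PermissionError:
            raise
        except OSError:
            # EADDRINUSE (or the Windows equivalent): another application owns it.
            return False
        return True


def occupy_port(port: int = 0, host: str = "0.0.0.0") -> socket.socket:
    """Open a listening socket to stand in for 'some other application'.

    Port 0 lets the OS pick any free port; the caller reads it back with
    getsockname() and closes the socket when done. Used to exercise the check.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, port))
    s.listen(1)
    return s


def check_ports(wanted: dict) -> dict:
    """Map each service name to True (Specter can monitor it) or False
    (the port is already owned, so Specter cannot listen there)."""
    return {name: port_is_free(port) for name, port in wanted.items()}


if __name__ == "__main__":
    # Simulate a personal Web server already running on the honeypot,
    # using an ephemeral port so the demo needs no privileges.
    web_server = occupy_port()
    taken = web_server.getsockname()[1]
    wanted = dict(SPECTER_SERVICE_PORTS, personal_web=taken)
    try:
        for name, free in check_ports(wanted).items():
            state = "free, Specter can monitor" if free else "OWNED, Specter cannot monitor"
            print(f"{name:>14} port {wanted[name]:>5}: {state}")
    finally:
        web_server.close()
```

Run it as the same user that will run Specter, on the honeypot itself: any service reported as owned must either be removed from the Specter configuration or the conflicting application stopped, since Specter silently loses that port otherwise.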
As we mentioned earlier, Specter also has the capability of emulating different operating systems. This is done by changing the behavior of the services to mimic the selected operating system. For example, if you select your honeypot to function as a Windows XP server, then the emulated services behave as a Windows XP system. When you connect to port 80, the Web server, you are greeted by an IIS (Microsoft Internet Information Server) Web server page, exactly like what you would expect to find on a newly installed Windows XP server (see Figure 7-2). The traps do not alter their behavior based on the selected OS, since they do not emulate specific services. They only monitor the ports for activity. All operating system emulation is done by the seven services.
Figure 7-2. Specter honeypot emulating a Windows XP server. The Web server, one of seven emulated services, adjusts its behavior based on the selected OS.
If you select your operating system to be Solaris (a version of Unix), then the seven emulated services behave as a Solaris server. For example, when you connect to the very same Web server port, you get a different Web page. In most cases, Solaris Web servers do not run Microsoft applications, such as IIS Web server. Instead, they run different types of Web servers, such as an Apache or iPlanet Web server. So if you configure your honeypot to emulate a Solaris system, then the emulated services must behave accordingly. In the case of Solaris, the emulated Web server acts as a newly installed Apache Web server (see Figure 7-3), one of the most commonly used Web applications for Unix systems.
Figure 7-3. Changing the OS type of the Specter honeypot causes it to change the behavior of the Web server.
All seven emulated services share similar intelligence, having the ability to act as the selected operating system. If you configure your honeypot to be a Linux system, whenever an attacker Telnets to the box, she will get a Linux login banner. If you select the operating system to be MacOS, then when an attacker FTPs to the box, she will get a MacOS FTP login banner.
Another example of application emulation is the use of passwords. Specter has a set of fake passwords that are available for "capture" by attackers. The password file is really a plant, placed on the honeypot to be deliberately taken by the attacker. The operating system you select will dictate what type of password attackers can capture. If the honeypot is a Windows-based system, such as Microsoft 2000, then the captured password database will be in Windows format. If you configure Specter to emulate a Unix-based operating system, such as Solaris or Linux, then the password database will be in Unix format. Once again, Specter has the intelligence at the application level to respond as the appropriately configured operating system.
Unfortunately, when emulating an operating system, Specter only operates at the application level. This means it only emulates the chosen operating system based on the seven emulated services. The IP stack is not emulated. Even though your honeypot and the honeypot services are emulating a Linux server or the MacOS, the underlying IP stack is still Microsoft. This means all IP-based communications to and from the honeypot use the underlying operating system's IP stack. Specter currently runs only on Windows-based systems, so it will always use the Windows IP stack. Every operating system has its own unique characteristics that can be used to positively identify the system.
Fyodor, a highly skilled security programmer, has developed the network scanning tool Nmap. [1] As a port scanning tool, Nmap can remotely determine what services a system is running. This is used by many system administrators to identify any vulnerabilities in their network. Nmap also has the capability to actively determine the type of operating system of a remote system. The tool does this by sending a variety of unique packets to the target. The remote system's response to these packets is then captured and recorded. This logged information is then compared to a database of operating system signatures, a database that has recorded how most known types of operating systems behave. Based on these signatures, one can determine a system's operating type. Fyodor has written an outstanding paper on Active OS Fingerprinting, explaining this process in technical detail. Another security engineer, Ofir Arkin, has demonstrated the same techniques using only ICMP packets. [2] He developed a tool called X that accomplishes the same functionality as Nmap but using standard ICMP traffic. Both of these tools and papers on them can be found on the CD-ROM.
Tools such as these can potentially be used to identify Specter systems as honeypots. When Specter is emulating any non-Windows operating system, there will be a discrepancy between the emulated services and the underlying IP stack. Even though Specter is emulating a Solaris system at the application level, the IP stack can be identified as a Microsoft-based system. This discrepancy can indicate honeypot behavior and is not limited to Specter. Combining IP stack and application emulation is a challenge for most low-interaction solutions. However, keep in mind this only applies when Specter is emulating non-Windows-based systems. Whenever Specter emulates a Windows-based system, the IP stack should be the same, since Specter is based on the Windows platform.
One effective method for Windows honeypots is having an exact match between the base operating system and the emulated Windows honeypot. If you intend Specter to emulate a Windows XP honeypot, then use a Windows XP underlying operating system. If you want Specter to emulate a Windows NT honeypot, then use a Windows NT underlying operating system. This will make Specter look like a more realistic target.
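The application-versus-IP-stack discrepancy described above is something an operator can audit on their own honeypot before an attacker does, and the check below is an added example for that purpose (it is not part of the chapter or of Specter). It works on two values you would record yourself by connecting to the honeypot and watching the reply in a sniffer: the service banner the emulated service sends, and the IP TTL on the honeypot's SYN/ACK. The TTL mapping uses the well-known default initial TTLs (64 for Linux and BSD, 128 for Windows, 255 for Solaris); the banner keyword list and the sample observations are constructed for this example. A mismatch means the honeypot is emulating a non-Windows OS on a Windows stack, which is the case the text tells you to avoid by matching the base OS to the emulated one.

```python
"""Audit a Specter honeypot for the application-layer / IP-stack mismatch.

Added example, not Specter's own code. Inputs are values an operator
records from the honeypot's own replies: the service banner and the IP TTL
seen on the SYN/ACK. The TTL-to-family mapping uses default initial TTLs
(assumption: the administrator has not changed them); banner hints are a
small constructed list, to be extended from your own captures.
"""
import re

# Default initial TTL each OS family stamps on outgoing packets.
# 64: Linux/BSD, 128: Windows NT/2000/XP, 255: Solaris.
INITIAL_TTL_FAMILY = {64: "unix", 128: "windows", 255: "unix"}

# Banner fragments and the OS family a fresh install of that service implies.
# Windows hints are checked first so "Apache (Win32)" is not taken as Unix.
BANNER_HINTS = [
    (re.compile(r"Microsoft-IIS|Microsoft FTP Service|Windows|Win32|Win64", re.I), "windows"),
    (re.compile(r"Apache|iPlanet|Solaris|SunOS|Linux|ProFTPD|wu-ftpd", re.I), "unix"),
]


def stack_family(observed_ttl: int):
    """Round the observed TTL up to the nearest default initial TTL and
    return the OS family it implies. Packets rarely cross more than ~30
    routers, so a TTL of 118 on the wire means an initial TTL of 128."""
    for initial in sorted(INITIAL_TTL_FAMILY):
        if observed_ttl <= initial:
            return INITIAL_TTL_FAMILY[initial]
    return None


def banner_family(banner: str):
    """Return the OS family the service banner claims, or None if unknown."""
    for pattern, family in BANNER_HINTS:
        if pattern.search(banner):
            return family
    return None


def audit(banner: str, observed_ttl: int) -> dict:
    """Compare what the application layer claims with what the IP stack shows.

    'mismatch' is True only when both layers could be classified and they
    disagree; an unrecognised banner is reported, not counted as a mismatch.
    """
    app = banner_family(banner)
    stack = stack_family(observed_ttl)
    return {
        "banner_family": app,
        "stack_family": stack,
        "mismatch": app is not None and stack is not None and app != stack,
    }


# Constructed observations, as an operator might note them down while
# connecting to each emulated service and sniffing the honeypot's reply.
SAMPLE_OBSERVATIONS = [
    ("Specter as Solaris, Web banner", "Apache/1.3.26 (Unix)", 128),
    ("Specter as Windows XP, Web banner", "Microsoft-IIS/5.1", 126),
    ("Specter as Linux, Telnet banner", "Red Hat Linux release 7.3 login:", 128),
]


def audit_all(observations):
    """Run audit() over (description, banner, ttl) tuples."""
    return [(desc, audit(banner, ttl)) for desc, banner, ttl in observations]


if __name__ == "__main__":
    for desc, result in audit_all(SAMPLE_OBSERVATIONS):
        verdict = "MISMATCH: emulated OS does not match IP stack" if result["mismatch"] else "consistent"
        print(f"{desc}: banner={result['banner_family']} stack={result['stack_family']} -> {verdict}")
```

Only the first and third constructed observations are flagged: an Apache or Linux banner answered from a 128-TTL stack is the Solaris-on-Windows case from the text, while IIS on a Windows stack is consistent. The check is deliberately coarse (TTL alone, one banner), since its purpose is to catch the configuration error before deployment rather than to reproduce a full fingerprinting tool.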