A Seminar Presentation: Honeypots and SQL Injection


A Seminar Presentation

HoneyPots and SQL Injection

Presented By : Rajat Jangid


Final Year, Computer Engineering
Index

HoneyPots
• Introduction – HoneyPots
• Types of HoneyPots
• Research HoneyPots
  • Uses
  • Challenges
• Production HoneyPots
  • Uses
• Implementation of HoneyPots
  • Low Involved HoneyPots
  • High Involved HoneyPots
• Pros – HoneyPots
• Cons – HoneyPots
• SoftPicks – HoneyPots
• HoneyNets

SQL Injection
• Dare to do it
• SQL
• SQL Injection
• How common is it
• Magic Strings
• SQL Injection Characters
• Live Demonstration

HoneyPots - Introduction

• In computer terminology, a HoneyPot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.

• A resource with a variety of different uses whose value lies in its unauthorized or illicit use. Used for monitoring, detecting and analyzing attacks.

• It consists of a computer, data, or a network site that appears to be part of a network but which is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource that would be of value to attackers.

• In other words, a HoneyPot is USELESS if malicious users do not attack it or try to attack it.

HoneyPots - Introduction

• A HoneyPot is valuable as a surveillance and early-warning tool.

• A HoneyPot resource has no REAL use; normal users will never connect to it.

• It is set up ONLY to lure malicious users into attacking it.

• Since a HoneyPot resource has no REAL use, if a system administrator notices a user connecting to it, then 99% of the time the user is a malicious one.

• HoneyPots do not solve a specific problem; instead, they are a tool that contributes to your overall security architecture.

HoneyPot Timeline

• 1990/1991 - The Cuckoo's Egg and Evening with Berferd
• 1997 - Deception Toolkit
• 1998 - CyberCop Sting
• 1998 - NetFacade (and Snort)
• 1998 - Back Officer Friendly
• 1999 - Formation of the HoneyNets Project
• 2001 - Worms captured
• 2002 - Exploit capture and so on…


Types of HoneyPots

• HoneyPots can be classified based on their deployment and based on their level of involvement.

• The two main types of HoneyPots are as follows:
  • Research HoneyPots
  • Production HoneyPots
  • Negative HoneyPots

Research HoneyPots

• Research HoneyPots are run by a volunteer, non-profit research organization or an educational institution to gather information about the motives and tactics of the Blackhat community targeting different networks.

• The biggest problem that system administrators face nowadays is that they DO NOT know their own attackers.

• They do not know what techniques, tools, methods, etc. are being employed by their attackers.

• Without this knowledge it is impossible to protect one's system on the internet.

• This is where Research HoneyPots come in!

Research HoneyPots - Uses

• Such HoneyPots are set up for the following reasons:
  • To research the attackers (tools, methods, techniques, exploits)
  • To assess general trends in the security industry and understand motives, behavior, and organization
  • Early warning and prediction
  • Develop analysis and forensic skills

• Research HoneyPots do not provide security to your network and are used for RESEARCH PURPOSES only.

Research HoneyPots - Challenges

• The biggest problem with Research HoneyPots is that they introduce a high security risk into the network.

• For a HoneyPot to work successfully, it must be attacked.

• A typical research HoneyPot will have certain ports open AND a few vulnerable services running.

• If somebody were to penetrate through the Research HoneyPot, then the network might also get compromised.

Production HoneyPots

• Production HoneyPots are used for improving the security of a particular network.

• Some of their useful features are:
  • Tricks the attacker into attacking the HoneyPot system instead of the actual system(s).
  • Helps in detection of attacks:
    • Reduces false positives
    • Reduces false negatives and detects almost all attacks

Production HoneyPots

• Log files are easy to read.
• Works with encryption and IPv6 environments.
• Any traffic going to the HoneyPot will be malicious 99% of the time.
• Helps in computer forensics
  • Evidence is not tampered with
  • The HoneyPot can easily be disconnected as soon as an attack is detected.
• Are less risky than research HoneyPots

Negative HoneyPots

• Negative HoneyPots are usually the spam which we see on visiting any particular website.

• People usually get confused on the point that advertisements are also Negative HoneyPots.

• These are sometimes malicious and might also cause real damage to the user or whoever gets trapped by them.

Negative HoneyPots
• Free screen savers

Negative HoneyPots
• Yeah!!! You really are Lucky…

Consequences
• Credit card details gone to a malicious user

Negative HoneyPots
• Free smileys

Negative HoneyPots
• Fake login trap

Consequences
• Your username and password details are gone to a malicious user.
• Your account may be used for some malicious activities.


Implementation of HoneyPots

• On the basis of their implementation, HoneyPots can be categorized into the following:
  • Low Involved HoneyPots
  • High Involved HoneyPots


Low Involved HoneyPots

• A typical Low Involved HoneyPot will have a few ports open, so that the administrator knows what ports the attackers are trying to connect to.

• The attacker will NOT be allowed to do anything else on the server, and hence they are less risky.

• Low Involved HoneyPots do not give us much insight into the attacker; hence, they are normally used as PRODUCTION HONEYPOTS.
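
A low involved decoy of the kind described on this slide, as an added example (not code from the presentation): it opens a port, records who connected and to which port, and hangs up without offering any service. The names `start_decoy` and `probe`, the loopback address, and the port numbers are assumptions made for illustration.

```python
import socket
import threading
from datetime import datetime, timezone

def start_decoy(port, log, stop, host="127.0.0.1"):
    """Open one decoy port (hypothetical helper); return the port actually bound."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))          # port 0 lets the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)             # wake up regularly to check `stop`
    bound_port = srv.getsockname()[1]

    def serve():
        while not stop.is_set():
            try:
                conn, (src_ip, src_port) = srv.accept()
            except socket.timeout:
                continue
            # Low involvement: record the attempt, offer no service, hang up.
            log.append({"time": datetime.now(timezone.utc).isoformat(),
                        "src_ip": src_ip, "src_port": src_port,
                        "dst_port": bound_port})
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return bound_port

def probe(port, host="127.0.0.1"):
    """Constructed stand-in for an unexpected connection to the decoy."""
    with socket.create_connection((host, port), timeout=2) as client:
        return client.recv(16)      # empty: the decoy sends nothing and closes

if __name__ == "__main__":
    log, stop = [], threading.Event()
    ports = [start_decoy(p, log, stop) for p in (2121, 2323)]  # assumed decoy ports
    for p in ports:
        probe(p)
    stop.set()
    for entry in log:
        print(entry)                # each entry is a connection no normal user would make
```

Because no legitimate user has a reason to reach these ports, every log entry is worth an alert, which is why such decoys suit production use.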

High Involved HoneyPots

• A typical High Involved HoneyPot will have a few ports open AND a few vulnerable services running.

• The attacker is allowed to actually break into the High Involved HoneyPot, which makes them risky.

• High Involved HoneyPots can be used to gather a lot of insight on the tools, techniques and methods used by the attacker. Hence they are normally used as RESEARCH HONEYPOTS.

Pros of HoneyPots

• Pros
  • Records minimal BUT extremely important data. For example:
    • Recording the activity of a malicious user.
  • Efficient: centralized log files or IDS log files might drop a few lines due to high activity and the bandwidth.
  • Works with encryption and IPv6 as well


Cons of HoneyPots

• Cons
  • Worthless: if NOBODY attacks the HoneyPot, then it is practically useless.
  • Risky: a typical HoneyPot introduces varying amounts of risk into the overall security of the network involved.

• BOTTOM LINE: For a HoneyPot to be successful the following must be fulfilled:
  • A malicious user must attack it.
  • The security risk involved MUST NOT be too high.


SoftPicks - HoneyPots

• Back Officer Friendly
  • Windows-based low involved HoneyPot.
  • Emulates services like FTP, Telnet, HTTP, etc.
  • Records scans, probes, etc.

• Specter
  • Linux-based low involved HoneyPot.
  • Emulates services like FTP, Telnet, HTTP, etc.
  • Emulates different operating systems as well.


SoftPicks - HoneyPots

• HoneyD
  • Open source low involved HoneyPot.
  • Emulates services like FTP, Telnet, HTTP, etc.
  • Emulates different operating systems as well.

• ManTrap
  • High involved HoneyPot.
  • Emulates services like FTP, Telnet, HTTP, etc.
  • Emulates different operating systems as well.


HoneyNets

• A HoneyNet is a network consisting of highly involved research HoneyPot systems that have been set up with the sole intention of being attacked.

• Within a HoneyNet, real computers with real applications are set up, inviting attackers.

• Attackers fall for the trap and all their activities are recorded by the research HoneyPots.

• HoneyNet research website: www.honeynet.org


HoneyPot Farm
A Typical Client Side HoneyPot
SQL Injection
What is SQL?

• SQL stands for Structured Query Language
• Allows us to access a database
• ANSI and ISO standard computer language
• SQL can:
  • execute queries against a database
  • retrieve data from a database
  • insert new records in a database
  • delete records from a database
  • update records in a database


SQL is a Standard BUT

• There are many different versions of the SQL language.

• They support the same major keywords in a similar manner (such as SELECT, UPDATE, DELETE, INSERT, WHERE, and others).

• Most of the SQL database programs also have their own proprietary extensions in addition to the SQL standard!

SQL Injection

• SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application.

• The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.

• It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

• SQL injection attacks are also known as SQL insertion attacks.


Dare to Do it

• DO NOT ATTEMPT SQL injection other than on our ideal server in the examples that I have built or you build yourself

• It is ILLEGAL to crack someone's password or access any system.

• Perpetrators could face jail time


How common is it

• It is probably the most common website vulnerability today!

• It is a flaw in "web application" development; it is not a DB or web server problem
  • Most programmers are still not aware of this problem
  • A lot of the tutorials & demo "templates" are vulnerable
  • Even worse, a lot of solutions posted on the Internet are not good enough

• In our pen tests over 60% of our clients turn out to be vulnerable to SQL Injection

Magic/Input Strings

• The Magic Strings are as follows

For String
  • FormUser = ' or 1=1 --
    and FormPwd = anything
  • FormUser = admin' OR 1=1--
    and FormPwd = 'or''='

PHP/MySQL Login (Numeric)
  • Username = 1 or 1=1#
    Password = 1111

• Final query would look like this:
    SELECT * FROM users
    WHERE username = '' or 1=1 -- AND password = 'anything'
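
The string and numeric cases above, shown against their fixes, as an added example that is not part of the original slides. It uses Python with an in-memory SQLite table instead of PHP/MySQL; the table contents and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Throwaway in-memory table; rows are constructed sample data.
    # Plaintext passwords only mirror the slide's query; real systems store hashes.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "s3cret"), (2, "alice", "hunter2")])
    return db

def login_concatenated(db, form_user, form_pwd):
    # Vulnerable: form input becomes part of the SQL text itself.
    query = ("SELECT username FROM users WHERE username = '" + form_user
             + "' AND password = '" + form_pwd + "'")
    return query, [r[0] for r in db.execute(query)]

def login_bound(db, form_user, form_pwd):
    # Hardened: placeholders keep input as data; quotes and -- lose their meaning.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [r[0] for r in db.execute(query, (form_user, form_pwd))]

def profile_concatenated(db, user_id):
    # Vulnerable numeric case: no quote is needed when input is not strongly typed.
    query = "SELECT username FROM users WHERE id = " + user_id
    return [r[0] for r in db.execute(query)]

def profile_typed(db, user_id):
    # Hardened: int() rejects anything that is not a number, then the value is bound.
    query = "SELECT username FROM users WHERE id = ?"
    return [r[0] for r in db.execute(query, (int(user_id),))]

if __name__ == "__main__":
    db = make_db()
    query, rows = login_concatenated(db, "' or 1=1 --", "anything")
    print(query)                      # the password check sits behind the comment
    print(rows)                       # every user matches
    print(login_bound(db, "' or 1=1 --", "anything"))   # no user has that literal name
    print(profile_concatenated(db, "1 or 1=1"))         # every user matches again
    try:
        profile_typed(db, "1 or 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```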


SQL Injection Characters

• ' or "                     Character string indicators
• -- or #                    Single-line comment
• /*…*/                      Multiple-line comment
• +                          Addition, concatenate (or space in URL)
• || (double pipe)           Concatenate
• %                          Wildcard attribute indicator
• ?Param1=foo&Param2=bar     URL parameters
• PRINT                      Useful as non-transactional command
• @variable                  Local variable
• @@variable                 Global variable
• waitfor delay '0:0:10'     Time delay

Live Demonstration of SQL Injection

• SQL Injection Live Demonstration


QUERIES ???
Thank You !!
