lukas.rist's blog

Gas Tank Monitoring System Honeypot

The Conpot team is following closely the latest developments in Honeypot research and the methods and technologies used. If you look at the topics presented on security conferences, you might have also noticed an increased interest in ICS security and honeypot technologies in the last two years. One presentation from this years Blackhat’15 conference caught my attention also knowing previous research done by Kyle and Stephen: “The little pump gauge that could: Attacks against gas pump monitoring systems” [link] If you are interested in their findings, I recommend their white paper: “The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems“ [link, pdf] by Kyle Wilhoit and Stephen Hilt from Trend Micro’s Forward-Looking Threat Research team.

So we had the great idea to add exactly that feature to Conpot...

Get STIX Reports from ICS Honeypot Conpot

The team working on the ICS/SCADA honeypot Conpot, just merged in a more mature support for STIX (Structured Threat Information eXpression) formatted reporting via TAXII (Trusted Automated eXchange of Indicator Information) into the master branch on Github.

Introducing Conpot

We proudly announce the first release of our Industrial Control System honeypot named Conpot.

Until now setting up an ICS honeypot required substantial manual work, real systems which are usually either inaccessible or expensive and lecture of quite tedious protocol specifications. With implementing a master server for a larger set of common industrial communication protocols and virtual slaves which are easy to configure, we provide an easy entry into the analysis of threats against industrial infrastructures and control systems.

Glastopf v3 aka Glaspot released

We where glad to announce yet another tool during our annual workshop in San Francisco. Glaspot is the third version of the web application honeypot Glastopf and it come with some very powerful new features:

  • A build-in PHP sandbox for code injection emulation, allowing us to bring vulnerability emulation to a new level
  • Hooked up to the HPFeeds generic data feed system for centralized data collection and tight integration into our sandbox and web server botnet monitoring system
  • Modular implementation: Turn your web application into a honeypot with a few easy steps
  • Runs in his own lightweight Python server or as a WSGI module in common web server environments
  • Automated attack surface generation and expansion

GlastopfNG release

Before we are getting worse than Duke Nukem Forever, we decided to finally release the next generation of the web application honeypot Glastopf, aka GlastopfNG!

Glastopf Project: A Look Ahead

On January the 22nd I met Sven. Sven is a bachelor student at the Bern university of applied sciences and will write his thesis about Glastopf. During his work he will rewrite the current Glastopf unstable version, but when he will be finished the new version will have at least the same features like the previous version. The goals are: A much better modular structure, this means there is one core which directs every request to the modules. They store the data, emulating the vulnerability and compose the response which the core gives back to the attacker. There will be a much better classification of incoming attacks and the rules used for this will be totally detached from the source code to distribute them easily between different sensors. I will post some details as soon as we started the work. This also means that we will freeze the current unstable version to put all effort into the new version.

Glastopf retrospection

Today I make a retrospection on my work on the Glastopf Web Honeypot during the Google Summer of Code Program. My goal was to push forward the development on a Honeypot for an attack vector in web security which is really underestimated in current discussions. The main objectives could be merged into one intention: Increasing our attractiveness and answering every request as close as possible to a real world system. This got achieved with the new PHP file parser and the dynamic Google dork list which we provide for the Google crawler.

Glastopf's new vulnerability emulator

The number of attacks against the Webhoneypot depends strongly on his PHP parser. So keeping the pattern matching mechanism up to date was one of the major future works. One of my goals for the Google Summer of Code time is to improve the parser and to reduce upcoming changes in attack patterns. The old parser was very simple: collect all lines containing echo calls, look for known patterns and generate the appropriate response.

Improving Glastopf

Last saturday I've finally released a new Glastopf version. There are some new features and many changes under the hood.

Introducing Glastopf, a Web Application Honeypot

Hello, this initial blog post is used to introduce me and to provide a brief overview of my GSoC Project.

My name is Lukas Rist (my personal blog) and I am currently studying Math and Physics at the University of Kaiserslauter in Germany. This is my first time in GSoC and I will be working with Thorsten Holz on Glastopf, a Web Application Honeypot.

Syndicate content