
What does 幻盾 (Huandun), the product from 云舒's (Yunshu's) startup 默安科技 (Moan Technology), actually do? [Clickbait title, hahaha]

November 6, 2016

云舒 (Yunshu), a Zhihu celebrity and a rather distinctive guru, left Alibaba to start a company and founded 默安科技 (Moan Technology) with close friends. Judging from the product they have launched so far, 幻盾 (Huandun), it falls under deception technology. As for applications of deception technology, going by the marketing another security company, 元支点, has also made a name for itself. This post, however, does not go into specific products; it is purely an introduction to deception as a security technique, because I personally find it very interesting.

Security used to be all about defense. Nowadays nobody listens if you only talk about defense; the focus has shifted to detection and response, and deception technology, as a useful technique for threat detection and response, has received a great deal of attention. Gartner listed it as one of the top ten information security technologies of 2016.

Quoting:

Deception technology: the essence of this technology is to deceive attackers in a targeted way at the network, application, endpoint and data layers, in particular to defeat the various signature-matching features of the attacker's tools, rendering those tools ineffective, confusing the attacker's view, leading them into dead ends and slowing them down. For example, a decoy/bait target can be set up to lure the attacker into attacking it, which triggers an alert. Gartner predicts that by 2018, 10% of enterprises will adopt this kind of technology to actively counter hackers.

The text alone is a bit abstract; hands-on practice gives a deeper understanding. Deception is a broad concept, and as a long-standing technique still under active development there are many open-source projects in this area, for example Kippo.

Kippo's current home is here: https://github.com/desaster/kippo
But judging by its description, most of the newer development happens in another project: https://github.com/micheloosterhof/cowrie
So let's try cowrie here and see how it works.

1. System environment:

lenky@lenky-virtual-machine:~$ cat /etc/issue
Ubuntu 16.04.1 LTS \n \l

lenky@lenky-virtual-machine:~$ uname -a
Linux lenky-virtual-machine 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

2. Install the dependencies:

lenky@lenky-virtual-machine:~$ sudo apt-get install git virtualenv libmpfr-dev libssl-dev libmpc-dev libffi-dev build-essential libpython-dev python2.7-minimal

3. Create a dedicated user:

lenky@lenky-virtual-machine:~$ sudo adduser --disabled-password cowrie
lenky@lenky-virtual-machine:~$ sudo su - cowrie

4. Fetch the cowrie code. git clone is slow; downloading the zip file directly from GitHub is faster:

cowrie@lenky-virtual-machine:~$ ls
cowrie-master  cowrie-master.zip
cowrie@lenky-virtual-machine:~$ cd cowrie-master/
cowrie@lenky-virtual-machine:~/cowrie-master$ ls
bin           cowrie           data  doc  honeyfs     log        requirements.txt  start.sh  twisted  var
CHANGELOG.md  cowrie.cfg.dist  dl    etc  INSTALL.md  README.md  share             stop.sh   txtcmds

5. Create the virtualenv (this takes a while; be patient):

cowrie@lenky-virtual-machine:~/cowrie-master$ virtualenv cowrie-env

6. Activate the virtualenv and install the dependency libraries:

cowrie@lenky-virtual-machine:~/cowrie-master$ source cowrie-env/bin/activate
(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master$ pip install -r requirements.txt

Some errors came out, for example:
Could not find a version that satisfies the requirement twisted>=15.2.1 (from -r requirements.txt (line 1)) (from versions: )

Version numbers not parsed? Didn't bother, just installed them one by one; some may fail, fix them according to the error messages. (An empty `(from versions: )` list means pip received no candidate versions at all, which usually points at index access, i.e. network, proxy or an outdated pip, rather than at the version specifier.)

(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master$ pip install incremental
(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master$ pip install twisted
(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master$ pip install cryptography
(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master$ pip install configparser pyopenssl gmpy2 service_identity pycrypto python-dateutil tftpy

7. Create a DSA host key (as the INSTALL.md of the time instructs). Note that OpenSSH 7.0 and later clients disable the ssh-dss host key algorithm by default, so a honeypot offering only a 1024-bit DSA key would be refused by modern OpenSSH clients and would also stand out as a fingerprint; as the log in step 9 shows (key alg 'ssh-rsa'), cowrie also offers an RSA host key, so check the RSA key settings in cowrie.cfg as well:

(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master$ cd data/
(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master/data$ ssh-keygen -t dsa -b 1024 -f ssh_host_dsa_key
(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master/data$ cd ..

8. Prepare the config file and do a trial run:

(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master$ cp cowrie.cfg.dist cowrie.cfg
(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master$ ./start.sh 
Starting cowrie with extra arguments [] ...
(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master$ ps aux | grep cowrie.pid
cowrie    11955  0.0  1.6 100856 48168 ?        S    18:01   0:00 /home/cowrie/cowrie-master/cowrie-env/bin/python2 /home/cowrie/cowrie-master/cowrie-env/bin/twistd -l log/cowrie.log --umask 0077 --pidfile var/run/cowrie.pid cowrie
cowrie    12111  0.0  0.0  15984  1016 pts/21   S+   18:02   0:00 grep --color=auto cowrie.pid

9. Test it:
From xshell on a Windows client, connect via ssh. Cowrie listens on 2222 here because it runs as an unprivileged user; to catch real scanners hitting port 22 you would redirect 22 to 2222 with a NAT rule (iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222), as INSTALL.md describes:

$ ssh 192.168.19.129 2222

Connecting to 192.168.19.129:2222...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

richard@svr04:~$  

The account used is richard/fout (from cowrie's data/userdb.txt).
After running a few commands in the connected terminal, look back at cowrie's log:

(cowrie-env) cowrie@lenky-virtual-machine:~/cowrie-master$ cat log/cowrie.log 
...
2016-11-10T19:28:48+0800 [cowrie.ssh.factory.CowrieSSHFactory] New connection: 192.168.19.1:24209 (192.168.19.129:2222) [session: 27125b68]
2016-11-10T19:28:48+0800 [HoneyPotSSHTransport,2,192.168.19.1] Remote SSH version: SSH-2.0-nsssh2_5.0.0031 NetSarang Computer, Inc.
2016-11-10T19:28:48+0800 [HoneyPotSSHTransport,2,192.168.19.1] kex alg, key alg: 'diffie-hellman-group-exchange-sha256' 'ssh-rsa'
2016-11-10T19:28:48+0800 [HoneyPotSSHTransport,2,192.168.19.1] outgoing: 'aes128-cbc' 'hmac-sha1' 'none'
2016-11-10T19:28:48+0800 [HoneyPotSSHTransport,2,192.168.19.1] incoming: 'aes128-cbc' 'hmac-sha1' 'none'
2016-11-10T19:28:48+0800 [HoneyPotSSHTransport,2,192.168.19.1] NEW KEYS
2016-11-10T19:28:48+0800 [HoneyPotSSHTransport,2,192.168.19.1] starting service 'ssh-userauth'
2016-11-10T19:28:54+0800 [SSHService 'ssh-userauth' on HoneyPotSSHTransport,2,192.168.19.1] 'richard' trying auth 'none'
2016-11-10T19:28:57+0800 [SSHService 'ssh-userauth' on HoneyPotSSHTransport,2,192.168.19.1] 'richard' trying auth 'password'
2016-11-10T19:28:57+0800 [SSHService 'ssh-userauth' on HoneyPotSSHTransport,2,192.168.19.1] login attempt [richard/fout] succeeded
2016-11-10T19:28:59+0800 [SSHService 'ssh-userauth' on HoneyPotSSHTransport,2,192.168.19.1] 'richard' authenticated with 'password'
2016-11-10T19:28:59+0800 [SSHService 'ssh-userauth' on HoneyPotSSHTransport,2,192.168.19.1] starting service 'ssh-connection'
2016-11-10T19:28:59+0800 [SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] got channel 'session' request
2016-11-10T19:28:59+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] channel open
2016-11-10T19:28:59+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] pty request: 'xterm' (29, 115, 0, 0)
2016-11-10T19:28:59+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] Terminal Size: 29 115
2016-11-10T19:28:59+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] getting shell
2016-11-10T19:28:59+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] Opening TTY Log: log/tty/20161110-192859-27125b68-0i.log
2016-11-10T19:29:07+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] CMD: ls
2016-11-10T19:29:08+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] Command found: ls 
2016-11-10T19:29:09+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] CMD: dir
2016-11-10T19:29:09+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] Command found: dir 
2016-11-10T19:29:10+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] CMD: lasdf
2016-11-10T19:29:10+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] Command not found: lasdf
...
2016-11-10T19:59:18+0800 [-] exitCode: 1
2016-11-10T19:59:18+0800 [-] sending request 'exit-status'

As you can see, cowrie records the client's actions in full. Reading it this way is a bit messy; cowrie can also write its records to a database, which requires filling in the [output_mysql] section of cowrie.cfg and creating the tables from doc/sql/mysql.sql. Not covered here.
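Short of setting up MySQL, the text log can be made readable with a few regular expressions. The following is an added example, not code from Cowrie or from the original post: it groups the log lines above into per-session records (source address, client banner, credentials tried, commands typed, which of them the fake shell could not emulate, and the TTY replay file) and then flags what an analyst would want to look at first. The sample lines are copied from the cowrie.log excerpt above; the payload-indicator keywords are this example's own assumption, not something Cowrie defines.

```python
"""Turn Cowrie's text log into per-session records and triage them.

Added example, not part of Cowrie or of the original post. The sample log
lines are copied (abridged) from the cowrie.log excerpt on this page; the
payload-indicator keywords are this example's own assumption.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the cowrie.log shown above.
SAMPLE_LOG = """\
2016-11-10T19:28:48+0800 [cowrie.ssh.factory.CowrieSSHFactory] New connection: 192.168.19.1:24209 (192.168.19.129:2222) [session: 27125b68]
2016-11-10T19:28:48+0800 [HoneyPotSSHTransport,2,192.168.19.1] Remote SSH version: SSH-2.0-nsssh2_5.0.0031 NetSarang Computer, Inc.
2016-11-10T19:28:54+0800 [SSHService 'ssh-userauth' on HoneyPotSSHTransport,2,192.168.19.1] 'richard' trying auth 'none'
2016-11-10T19:28:57+0800 [SSHService 'ssh-userauth' on HoneyPotSSHTransport,2,192.168.19.1] login attempt [richard/fout] succeeded
2016-11-10T19:28:59+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] Opening TTY Log: log/tty/20161110-192859-27125b68-0i.log
2016-11-10T19:29:07+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] CMD: ls
2016-11-10T19:29:08+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] Command found: ls
2016-11-10T19:29:09+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] CMD: dir
2016-11-10T19:29:10+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] CMD: lasdf
2016-11-10T19:29:10+0800 [SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,2,192.168.19.1] Command not found: lasdf
2016-11-10T19:59:18+0800 [-] exitCode: 1
"""

# Every line is "<timestamp> [<context>] <message>"; the context names the
# transport, and therefore the peer IP, that the event belongs to.
LINE_RE = re.compile(r"^(?P<ts>\S+) \[(?P<ctx>[^\]]*)\] (?P<msg>.*)$")
NEW_CONN_RE = re.compile(
    r"New connection: (?P<ip>[\d.]+):(?P<port>\d+) \(\S+\) \[session: (?P<sid>\w+)\]")
TRANSPORT_RE = re.compile(r"HoneyPotSSHTransport,(?P<tid>\d+),(?P<ip>[\d.]+)")
VERSION_RE = re.compile(r"^Remote SSH version: (?P<ver>.*)$")
LOGIN_RE = re.compile(
    r"^login attempt \[(?P<user>[^/\]]*)/(?P<pw>.*)\] (?P<result>succeeded|failed)$")
TTY_RE = re.compile(r"^Opening TTY Log: (?P<path>\S+)$")
CMD_RE = re.compile(r"^CMD: (?P<cmd>.*)$")
NOTFOUND_RE = re.compile(r"^Command not found: (?P<cmd>.*)$")

# Assumed indicators (this example's choice, not Cowrie's): what bots typically
# type right after a successful login to fetch and stage a payload.
PAYLOAD_HINTS = ("wget ", "curl ", "tftp ", "chmod +x", "/tmp/", "busybox")


@dataclass
class Session:
    session_id: str
    src_ip: str
    src_port: int
    first_seen: str
    client_version: str = ""
    logins: list = field(default_factory=list)  # (user, password, result)
    commands: list = field(default_factory=list)
    unknown_commands: list = field(default_factory=list)  # not emulated by the fake shell
    tty_log: str = ""


def parse_cowrie_log(text):
    """Group the log events into Session records."""
    sessions = []
    latest_by_ip = {}  # peer IP -> most recent Session from that IP
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ctx, msg = m.group("ts", "ctx", "msg")
        nc = NEW_CONN_RE.search(msg)
        if nc:
            s = Session(nc["sid"], nc["ip"], int(nc["port"]), ts)
            sessions.append(s)
            latest_by_ip[s.src_ip] = s
            continue
        # Transport-level lines carry the peer IP but not the session id, so
        # attach them to the newest connection from that IP. Concurrent
        # sessions from one IP would need the transport number (tid) as well.
        tr = TRANSPORT_RE.search(ctx)
        if not tr or tr["ip"] not in latest_by_ip:
            continue
        s = latest_by_ip[tr["ip"]]
        for regex, handler in (
            (VERSION_RE, lambda g: setattr(s, "client_version", g["ver"])),
            (LOGIN_RE, lambda g: s.logins.append((g["user"], g["pw"], g["result"]))),
            (TTY_RE, lambda g: setattr(s, "tty_log", g["path"])),
            (CMD_RE, lambda g: s.commands.append(g["cmd"])),
            (NOTFOUND_RE, lambda g: s.unknown_commands.append(g["cmd"])),
        ):
            g = regex.match(msg)
            if g:
                handler(g)
                break
    return sessions


def triage(session):
    """Return the reasons an analyst should look at this session first."""
    findings = []
    if any(result == "succeeded" for _, _, result in session.logins):
        findings.append("successful login")
    if any(hint in cmd for cmd in session.commands for hint in PAYLOAD_HINTS):
        findings.append("payload fetch/stage attempt")
    if session.unknown_commands:
        findings.append("%d command(s) the emulated shell could not answer"
                        % len(session.unknown_commands))
    return findings


def report(sessions):
    """One human-readable block per session."""
    out = []
    for s in sessions:
        out.append("%s %s:%d session=%s client=%r"
                   % (s.first_seen, s.src_ip, s.src_port, s.session_id, s.client_version))
        for user, pw, result in s.logins:
            out.append("  login %s/%s -> %s" % (user, pw, result))
        for cmd in s.commands:
            note = "  (not emulated)" if cmd in s.unknown_commands else ""
            out.append("  cmd: %s%s" % (cmd, note))
        if s.tty_log:
            out.append("  tty replay: %s" % s.tty_log)
        out.append("  triage: %s" % (", ".join(triage(s)) or "nothing notable"))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(parse_cowrie_log(SAMPLE_LOG)))
```

Run it against a real log/cowrie.log by swapping SAMPLE_LOG for the file contents. The "not emulated" marker is worth watching on a live honeypot: every command the fake shell cannot answer is both a gap in the deception and a hint at what the attacker's tooling expects to find.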

Files in the cowrie source tree worth paying attention to:
data/userdb.txt : the accounts a client can log in with over ssh; the richard/fout used above comes from this file. These stock values (the default accounts, the svr04 hostname and the Debian login banner seen above) are well documented and let scanners fingerprint an unmodified Cowrie, so change them before exposing the honeypot.
dl/* : files the client uploads via sftp and the like are stored in this directory.
doc/* : useful third-party help documents; for example, if you configure mysql, the sql/mysql.sql file in this directory shows how to create the table structure.
honeyfs/* : customize the faked information; for example, to change the system version string, edit etc/issue here.
log/* : cowrie's log files, the main basis for analyzing behavior inside the honeypot.
txtcmds/* : fake commands, which are actually plain text files.

References:
http://www.gartner.com/newsroom/id/3347717
http://www.sec-un.org/gartner2016-top-ten-years-of-information-security-technologies-including-interpretation.html
https://github.com/micheloosterhof/cowrie/blob/master/INSTALL.md

Please keep the source URL when reposting: http://www.lenky.info/archives/2016/11/2542 or http://lenky.info/?p=2542


Note: unless otherwise stated, the content of these articles comes from Lenky's own genuine understanding and is not deliberate speculation meant to mislead. Given my limited ability, although I strive for correctness, errors are unavoidable; please don't take offense, and if possible leave a comment to let me know. Discussion is welcome. It is also worth saying that some of Lenky's articles and some of their content draw on the generous sharing of fellow netizens online, especially articles with full references, whose attached links may be more direct and richer; I have merely summarized and restated, and I thank them here as well. All technical articles on this site may be reposted, but please follow the CC Creative Commons license; for the more personal, diary-like posts, I suggest not reposting.

Legal: under the recently promulgated Regulations on the Protection of the Right to Network Dissemination of Information, if you believe any content of this article infringes your rights, please notify us by email or in writing, and this site will promptly remove the relevant content or links.
