Description
Distinguishing honeypots from real targets on the internet is an important task for attackers who do not want to burn their newest exploits on a decoy. In this thesis we look at the Server Message Block (SMB) file sharing protocol and show how to distinguish honeypots from real servers with minimal effort, using only the negotiation phase of the protocol. We then use these techniques to perform internet-wide scans and uncover honeypots. We analyzed 8 different implementations of the protocol for small deviations in how they implement the negotiation, and used those deviations to establish a unique fingerprint for each implementation. To measure the differences between implementations, we designed a similarity metric, which we used to categorize unknown responses and subsequently recognize those originating from honeypots. During our scans we discovered 1 407 518 SMB hosts, of which 2 321 were honeypots. We conclude that it is feasible to distinguish honeypots from real servers.
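The approach sketched above, as an added example that is not code from the thesis: parse an SMB2 NEGOTIATE response (the MS-SMB2 header and body layout are real), reduce it to the fields that depend on the implementation rather than on the individual host, and compare that fingerprint against known references with a similarity score. The feature set, the fraction-of-matching-fields metric, the 0.75 threshold and all sample responses are assumptions made for illustration; the thesis's own metric and fingerprints are not reproduced here.

```python
"""Fingerprinting SMB2 NEGOTIATE responses by implementation deviations.

Added example, not code from the thesis. Packet layout follows MS-SMB2
(64-byte header, 64-byte fixed NEGOTIATE response body). The feature set,
the weights and the similarity metric are assumptions for illustration.
All sample responses are constructed inline, not measured values.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
HEADER_FMT = "<4sHHIHHIIQIIQ16s"      # MS-SMB2 2.2.1.2, 64 bytes
NEG_RESP_FMT = "<HHHH16sIIIIQQHHI"    # MS-SMB2 2.2.4, 64 bytes (StructureSize says 65)
SPNEGO_STUB = b"\x60\x06\x06\x04\x01\x02\x03\x04"  # constructed placeholder blob


def build_smb2_header(command, credit_response, status=0, message_id=0):
    """Constructed SMB2 header used only to produce sample data."""
    return struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, status, command,
                       credit_response, SMB2_FLAGS_SERVER_TO_REDIR, 0,
                       message_id, 0, 0, 0, b"\x00" * 16)


def build_negotiate_response(security_mode, dialect, server_guid, capabilities,
                             max_transact, max_read, max_write,
                             system_time, server_start_time, security_blob=b""):
    """Constructed NEGOTIATE response body; the security buffer follows at offset 128."""
    sec_off = 128 if security_blob else 0
    body = struct.pack(NEG_RESP_FMT, 65, security_mode, dialect, 0, server_guid,
                       capabilities, max_transact, max_read, max_write,
                       system_time, server_start_time, sec_off,
                       len(security_blob), 0)
    return body + security_blob


def parse_negotiate_response(data):
    """Return the header and body fields of an SMB2 NEGOTIATE response as a dict."""
    if len(data) < 128 or data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    hdr = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr[4] != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE response")
    (struct_size, sec_mode, dialect, _ctx_count, guid, caps, max_tx, max_rd,
     max_wr, _sys_time, start_time, sec_off, sec_len, _ctx_off) = \
        struct.unpack_from(NEG_RESP_FMT, data, 64)
    return {
        "credit_response": hdr[5],
        "structure_size": struct_size,
        "security_mode": sec_mode,
        "dialect": dialect,
        "capabilities": caps,
        "max_transact": max_tx,
        "max_read": max_rd,
        "max_write": max_wr,
        "server_start_time_zero": start_time == 0,   # value is host-specific, zero-ness is not
        "guid_zero": guid == b"\x00" * 16,           # same reasoning for the GUID
        "security_buffer_len": sec_len,
        "security_buffer_offset": sec_off,
    }


# Assumed feature set: fields that vary per implementation, not per host.
FEATURES = ("credit_response", "structure_size", "security_mode", "dialect",
            "capabilities", "max_transact", "max_read", "max_write",
            "server_start_time_zero", "guid_zero", "security_buffer_len",
            "security_buffer_offset")


def fingerprint(resp):
    return tuple(resp[f] for f in FEATURES)


def similarity(a, b):
    """Assumed metric: fraction of feature positions that agree, in [0, 1]."""
    return sum(x == y for x, y in zip(a, b)) / len(FEATURES)


def classify(fp, known, threshold=0.75):
    """Best-matching reference label, or 'unknown' below the assumed threshold."""
    best_label, best_score = "unknown", 0.0
    for label, ref in known.items():
        score = similarity(fp, ref)
        if score > best_score:
            best_label, best_score = label, score
    return (best_label if best_score >= threshold else "unknown", best_score)


# Constructed references: a full-featured implementation and a stripped-down one.
REF_FULL = parse_negotiate_response(
    build_smb2_header(SMB2_NEGOTIATE, credit_response=1)
    + build_negotiate_response(0x0001, 0x0302, b"\x11" * 16, 0x0000002F,
                               0x00800000, 0x00800000, 0x00800000,
                               132_000_000_000_000_000, 131_999_000_000_000_000,
                               SPNEGO_STUB))
REF_MINIMAL = parse_negotiate_response(
    build_smb2_header(SMB2_NEGOTIATE, credit_response=1)
    + build_negotiate_response(0x0001, 0x0202, b"\x00" * 16, 0,
                               65536, 65536, 65536, 132_000_000_000_000_000, 0))
KNOWN = {"reference_full": fingerprint(REF_FULL),
         "reference_minimal": fingerprint(REF_MINIMAL)}


def probe_response():
    """Constructed unknown host: same implementation as REF_FULL, different GUID and times."""
    return (build_smb2_header(SMB2_NEGOTIATE, credit_response=1, message_id=0)
            + build_negotiate_response(0x0001, 0x0302, b"\x42" * 16, 0x0000002F,
                                       0x00800000, 0x00800000, 0x00800000,
                                       132_500_000_000_000_000,
                                       132_400_000_000_000_000, SPNEGO_STUB))


def classify_probe():
    return classify(fingerprint(parse_negotiate_response(probe_response())), KNOWN)


if __name__ == "__main__":
    print(classify_probe())
```

Host-specific values (ServerGuid, SystemTime, ServerStartTime) are deliberately reduced to whether they are zero, so that two hosts running the same implementation produce the same fingerprint while an implementation that never fills them in still stands out.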