Whitepapers

These papers are a result of the Honeynet Project. They discuss the tools, tactics, and motives of the blackhat community. Feel free to copy / link / distribute any of the papers.

You can also download the papers and read them offline. Note: The papers includes data captured in the wild, such as rootkits. Your anti-virus may flag this data as infected. It poses no risk to you unless you manually install the code on a Linux system.

You can find translated papers here:
(Francais, Deutsch, suomi, Slovene, Korean, Russian, Italian, Spanish, Chinese, Polski)

Know Your Enemy - 21 July, 2000

The tools and methodology of the most common black-hat threat on the Internet, the Script Kiddie. By understanding how they attack and what they are looking for, you can better protect your systems and network

Know Your Enemy: II - 18 June, 2001

How to determine what the enemy is doing by analyzing your system log files. Includes examples based on two commonly used scanning tools, sscan and nmap.

Know Your Enemy: III - 27 March, 2000

What happens after the script kiddie gains root. Specifically, how they cover their tracks while they monitor your system. The paper goes through step by step on a system that was compromised, with system logs and keystrokes to verify each step.

Know Your Enemy: A Forensics Analysis - 23 May, 2000

This paper studies step by step a successful attack of a system. However, instead of focusing on the tools and tactics used, we focus on our analysis techniques and how we pieced the information together. The purpose is to give you the skills necessary to analyze and learn on your own the threats your organization faces. MSNBC has released an interactive, online video of the this paper.

Know Your Enemy: Motives - 27 June, 2000

This paper studies the motives and psychology of the black-hat community, in their own words.

Know Your Enemy: Worms at War - 7 November, 2000

See how worms probe for and compromise vulnerable Microsoft Windows systems. Based on the first Microsoft honeypot compromised in the Honeynet Project.

Know Your Enemy: Passive Fingerprinting - 04 March, 2002

This paper details how to passively learn about the enemy, without them knowing about it. Specifically, how to determine the operating system of a remote host using passive sniffer traces only.

Know Your Enemy: Honeynets - 15 August, 2002

This paper focuses on what a Honeynet is, its value to the security community, how it works, and the risks/issues involved. This paper has been updated to include GenI, GenII, and Virtual Honeynet technologies.

Know Your Enemy: Statistics - 23 July, 2001

This paper analyzes eleven months of data collected by the Honeynet Project. Based on this data, we demonstrate just how active the blackhat community is. We also demonstrate that it may be possible to predict future attacks.

Know Your Enemy: Defining Virtual Honeynets - 04 September, 2002

This paper defines what a Virtual Honeynet is, its advantages and disadvantages, and the different way they can be deployed.