Entries in Honeydrive (5)

Sunday, Feb 10, 2013

Tektip ep21 - Drive Traffic to your Honeypot 


In this episode of TekTip, I am going to show a unique method to drive traffic to your honeypot.  While I use Kippo as the example, this approach will work for any honeypot.

*If you do not know what Kippo is, shame on you. Watch this, this, and this to get caught up.

Now let's get to it.  The first thing we need to do is prep our Kippo instance so that we can measure the results of the approach. Log into your Kippo honeypot, probably on HoneyDrive.  Once logged in, go to your Kippo install directory and into its data folder.

If using Honeydrive it will look something like this:

cd /opt/kippo/data

Now use the cat command to see which credentials Kippo currently accepts. They live in userdb.txt, one user:uid:password entry per line.

cat userdb.txt
root:0:123456
root:0:abc123
root:0:p@ssw0rd

This is what I have.  As you can see, I allow 3 of the top 10 most used passwords.  Now we want to add a credential that is unique enough that no dictionary or brute-force attacker would ever try it; that way, anyone who logs in with it must have gotten it from the leak we are about to plant. Open userdb.txt in your favorite text editor and add a new line with the credentials you want to use. I added one for root:0:IamSo1337!. Running "cat userdb.txt" again shows the following:

cat userdb.txt

root:0:123456
root:0:abc123
root:0:p@ssw0rd
root:0:IamSo1337!

That takes care of the prep. If you are doing this with something other than Kippo, those previous steps won't apply. If whatever honeypot you are using lets attackers authenticate, set up a unique set of credentials for the experiment the same way.  If not, press on.

We will now use social networks against our attackers.  To put it simply, we are going to post login information for our honeypot on a public site like pastebin, and then alert attackers to the information by posting a link to the paste on social networks like Twitter.

You may want to keep the rest of the activity as anonymous as possible, so fire up Tor Browser or use proxychains to hide your IP information. Once anonymized go to pastebin.com.

The trick to getting this to work properly is to use keywords that attackers may have PasteLert alerts set up for. For instance, you will want to include keywords such as ssh, login, username, password, root, and many others.  Make sure you use some of these keywords in the title as well.  Here is a sample one I put together:

Submit this and get your pastebin URL.  This alone will be enough to bring in a few extra hits from people who are monitoring pastebin. To get even more folks to see it, though, we need to take it a step further.

While still anonymizing your activity, create a throwaway Twitter account. As many people as there are that monitor pastebin, there are even more that monitor Twitter (at least I am guessing so). In particular, there are certain Twitter users and lists that people follow to get password dumps as they occur. My favorite of these is @PastebinDorks.

With your new twitter account create a tweet that mentions @PastebinDorks or another account like that.  Have it say something along the lines of, "Check out this one! http://pastebin.com/qi7wzp8h".  Now anyone that follows @PastebinDorks will see your post.  You may get lucky enough to have someone retweet it a few times.

Now you can just sit back and wait for the connections to roll in.  While I used Twitter and pastebin in my example, this can be done with any similar tools. The point is to get the data out there in public and then use social networks to increase exposure.

To see when attackers use the user/pass combination you added to userdb.txt, go to your Kippo log directory and grep for login attempts:


honeydrive@honeydrive:/opt/kippo/log$ cat kippo.log | grep 'login attempt'
2013-02-10 13:04:46+0000 [SSHService ssh-userauth on HoneyPotTransport,9237,193.200.88.100] login attempt [root/abcd1234] failed
2013-02-10 13:04:48+0000 [SSHService ssh-userauth on HoneyPotTransport,9238,193.200.88.100] login attempt [root/1234] failed
2013-02-10 13:04:53+0000 [SSHService ssh-userauth on HoneyPotTransport,9239,193.200.88.100] login attempt [root/redhat] failed
2013-02-10 13:04:59+0000 [SSHService ssh-userauth on HoneyPotTransport,9240,193.200.88.100] login attempt [oracle/oracle] failed
2013-02-10 13:05:02+0000 [SSHService ssh-userauth on HoneyPotTransport,9241,193.200.88.100] login attempt [test/test] failed
2013-02-10 13:05:04+0000 [SSHService ssh-userauth on HoneyPotTransport,9242,193.200.88.100] login attempt [root/1] failed
2013-02-10 13:05:07+0000 [SSHService ssh-userauth on HoneyPotTransport,9243,193.200.88.100] login attempt [root/123] failed
2013-02-10 13:05:09+0000 [SSHService ssh-userauth on HoneyPotTransport,9244,193.200.88.100] login attempt [root/123456789] failed
2013-02-10 13:05:12+0000 [SSHService ssh-userauth on HoneyPotTransport,9245,193.200.88.100] login attempt [root/12345678] failed
2013-02-10 13:05:14+0000 [SSHService ssh-userauth on HoneyPotTransport,9246,193.200.88.100] login attempt [root/1234567] failed
2013-02-10 13:05:17+0000 [SSHService ssh-userauth on HoneyPotTransport,9247,193.200.88.100] login attempt [root/12345] failed
2013-02-10 13:05:20+0000 [SSHService ssh-userauth on HoneyPotTransport,9248,193.200.88.100] login attempt [teamspeak/teamspeak] failed
2013-02-10 13:05:22+0000 [SSHService ssh-userauth on HoneyPotTransport,9249,193.200.88.100] login attempt [teamspeak/ts3] failed
2013-02-10 13:05:25+0000 [SSHService ssh-userauth on HoneyPotTransport,9250,193.200.88.100] login attempt [nagios/nagios] failed
2013-02-10 13:05:28+0000 [SSHService ssh-userauth on HoneyPotTransport,9251,193.200.88.100] login attempt [postgres/postgres] failed
2013-02-10 13:05:30+0000 [SSHService ssh-userauth on HoneyPotTransport,9252,193.200.88.100] login attempt [root/qwe] failed
2013-02-10 13:05:33+0000 [SSHService ssh-userauth on HoneyPotTransport,9253,193.200.88.100] login attempt [root/1q2w3e] failed
2013-02-10 13:05:40+0000 [SSHService ssh-userauth on HoneyPotTransport,9254,193.200.88.100] login attempt [root/1q2w3e4r] failed
2013-02-10 13:05:43+0000 [SSHService ssh-userauth on HoneyPotTransport,9255,193.200.88.100] login attempt [root/qweqwe123] failed
2013-02-10 13:05:45+0000 [SSHService ssh-userauth on HoneyPotTransport,9256,193.200.88.100] login attempt [root/qazwsxedc] failed
2013-02-10 13:05:48+0000 [SSHService ssh-userauth on HoneyPotTransport,9257,193.200.88.100] login attempt [root/1qa2ws3ed] failed
2013-02-10 13:05:57+0000 [SSHService ssh-userauth on HoneyPotTransport,9258,193.200.88.100] login attempt [root/123123] failed
2013-02-10 13:06:00+0000 [SSHService ssh-userauth on HoneyPotTransport,9259,193.200.88.100] login attempt [root/abcd1234] failed
2013-02-10 13:06:03+0000 [SSHService ssh-userauth on HoneyPotTransport,9260,193.200.88.100] login attempt [root/qazwsx123] failed
2013-02-10 13:06:05+0000 [SSHService ssh-userauth on HoneyPotTransport,9261,193.200.88.100] login attempt [root/abc123] succeeded
2013-02-10 13:06:22+0000 [SSHService ssh-userauth on HoneyPotTransport,9262,193.200.88.100] login attempt [root/toor] failed
2013-02-10 13:015:24+0000 [SSHService ssh-userauth on HoneyPotTransport,9263,64.185.229.236] login attempt [root/IamSo1337!] succeeded

Everything from 193.200.88.100 is an ordinary dictionary run that eventually lands on abc123, one of the weak passwords already in userdb.txt.  The last line is the one we were waiting for: a login with root/IamSo1337! from a different source, which could only have come from someone who read the paste.
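Grepping works for a quick look, but once the log grows you want the canary hit separated from the brute-force noise automatically. The following Python script is an added example, not part of the original post or of Kippo itself; it assumes the login-attempt line format shown in the excerpt above and runs over a few constructed sample lines (RFC 5737 documentation addresses) so it can be tried offline.

```python
import re
from collections import defaultdict

# One regex for the authentication lines Kippo writes to log/kippo.log, in
# the format shown in the excerpt above:
#   <date> <time> [SSHService ssh-userauth on HoneyPotTransport,<session>,<ip>] login attempt [<user>/<password>] <result>
ATTEMPT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) "
    r"\[SSHService ssh-userauth on HoneyPotTransport,(?P<session>\d+),(?P<ip>[^\]]+)\] "
    r"login attempt \[(?P<user>[^/\]]+)/(?P<password>.*)\] (?P<result>succeeded|failed)$"
)

# The canary: the deliberately odd entry added to userdb.txt. Dictionary and
# brute-force tools will never try it, so any attempt with it, failed or not,
# came from someone who read the paste.
CANARY = ("root", "IamSo1337!")

# Constructed sample log (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = """\
2013-02-10 13:04:46+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/abcd1234] failed
2013-02-10 13:04:48+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [root/1234] failed
2013-02-10 13:05:02+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] login attempt [root/abc123] succeeded
2013-02-10 13:05:10+0000 [HoneyPotTransport,3,198.51.100.7] connection lost
2013-02-10 13:15:24+0000 [SSHService ssh-userauth on HoneyPotTransport,5,203.0.113.9] login attempt [root/IamSo1337!] succeeded
""".splitlines()


def parse_attempt(line):
    """Dict with ts/session/ip/user/password/result for a login line, else None."""
    m = ATTEMPT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["session"] = int(rec["session"])
    return rec


def canary_hits(lines, canary=CANARY):
    """Every attempt, successful or not, that used the canary credential."""
    return [rec for rec in map(parse_attempt, lines)
            if rec and (rec["user"], rec["password"]) == canary]


def summarize_by_ip(lines):
    """Failed/succeeded attempt counts per source IP, to spot the brute forcers."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0})
    for rec in filter(None, map(parse_attempt, lines)):
        stats[rec["ip"]][rec["result"]] += 1
    return dict(stats)


if __name__ == "__main__":
    # On the honeypot, pass the real file instead: canary_hits(open("/opt/kippo/log/kippo.log"))
    for hit in canary_hits(SAMPLE_LOG):
        print(f"CANARY USED {hit['ts']} from {hit['ip']} (session {hit['session']}): {hit['result']}")
    for ip, s in sorted(summarize_by_ip(SAMPLE_LOG).items()):
        print(f"{ip}: {s['failed']} failed, {s['succeeded']} succeeded")
```

Note that canary_hits reports failed attempts too: an attacker who mistypes the leaked password still tells you the paste was read, which a grep for "succeeded" would miss.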

If you have any other tips or tricks like this, let me know by leaving a comment or sending me an email at 1aN0rmus@TekDefense.com 

Friday, Feb 8, 2013

The Kippo Kronicles - Ep2 OMG APT

In this episode of the Kippo Kronicles we replay the attack of the most advanced of all attackers, the APT attacker.  Okay, not quite.  In fact, calling this guy (or maybe gal) an APT'er is like calling your chubby friend slim.  I get typing dir once by accident, but to repeatedly try to type dir in Linux, come on now.  Anyway, I have a ton of logs stored up and ready to videotize.  More to come.

Tuesday, Jan 22, 2013

The Kippo Kronicles - Ep1

Welcome to the first of many Kippo Kronicles.  In this series I will use the replay function of Kippo to show what attackers have attempted to do on my honeypot.  I hope you enjoy.

Sunday, Dec 30, 2012

TekTip ep18 - HoneyDrive

As promised in the previous review of HoneyDrive, here is the video review/tutorial on HoneyDrive.  For a text version of what I cover in this video, please see that article.

-1aN0rmus

Thursday, Dec 27, 2012

HoneyDrive - Review

Our friends over at BruteForce Labs decided to give us all a little present this holiday season.  As I have spoken about on TekTip episodes in the past, BruteForce Labs has been working on a distro that combines many of the different honeypot projects and their add-on modules.  As BackTrack is to offense and Security Onion is to defense, HoneyDrive is the premier honeypot distro.

HoneyDrive includes and is configured to run the following honeypots out of the box:

  • Kippo: Medium interaction SSH honeypot.  Includes Kippo-Graph and Kippo2MySQL.
  • Honeyd: Low interaction, flexible honeypot.  Includes Honeyd2MySQL and Honeyd-Viz.
  • Dionaea: Honeypot designed to collect malware and exploits.
  • Misc Honeypots: Sticky honeypot, Tiny honeypot, IIS Emulator (for Honeyd), InetSim, and SimH.

In addition to the honeypot software, HoneyDrive also includes a suite of tools for analysis, forensics, monitoring, and reverse engineering.  Included in this list is our own tool, Automater.  Some of the other tools are:

  • ntop
  • p0f
  • EtherApe
  • nmap
  • DFF
  • Wireshark
  • ClamAV
  • ettercap
  • Automater
  • UPX
  • pdftk
  • Flasm
  • pdf-parser
  • Pyew
  • dex2jar

As if this wasn't enough, HoneyDrive also includes a few extra tools, utilities, add-ons, and scripts that will assist users with maintaining the system.

While I will not go over each tool, at least not in this post, I will hit the major features.

Installation:  Ease of use and configuration is so important when bringing highly technical tools like this into one arsenal.  Many of you have probably already attempted to create your own honeypot using some of this software before.  If your experiences were anything like mine there was most likely a bit of cursing and frustration involved, especially as you introduce add-ons and extensions for these tools.  HoneyDrive is very simple to install and works mostly without any extra configuration.  To install, simply download the .ova from the HoneyDrive SourceForge page.  If you are using VirtualBox, double-click the .ova once downloaded to launch the virtual machine importer for HoneyDrive.  The VM should import without issue.

*I should note that I had to change the network settings when I imported to utilize a different interface than the default.

After the import simply startup the VM and you will be able to login with the credentials provided in the readme.

Using Kippo:

As I have already done a TekTip episode on Kippo I will spare you all the gory details of the product and instead point you to the video.  I will be skipping the replay functionality mostly.  Kippo is one of the most automated honeypots in the distro.  It requires very little interaction to get it working.

It is important to know where all the Kippo-related files reside in this distro.  From the readme (note that the MySQL credentials below, root/honeydrive, are a published default; change them if anything other than the honeypot service itself is reachable on this VM):

[Kippo]
Start: /opt/kippo/start.sh
Downloads: /opt/kippo/dl/
TTY logs: /opt/kippo/log/tty/
Credentials: /opt/kippo/data/userdb.txt
MySQL database: kippo
MySQL user/password: root/honeydrive
[Kippo-Graph]
Location: /var/www/kippo-graph/
Config: /var/www/kippo-graph/config.php
URL: http://local-or-remote-IP-address/kippo-graph/
MySQL database: kippo
MySQL user/password: root/honeydrive
[Kippo2MySQL]
Location: /opt/kippo2mysql/
MySQL database: kippo2mysql
MySQL user/password: root/honeydrive

To start kippo, open a terminal and navigate to /opt/kippo/ and run start.sh

cd /opt/kippo/

./start.sh

That is it!  You are now running an SSH honeypot.  Again I am skipping a lot of details on what Kippo is but you can go to my video to see the full info.

Now before showing the visualization features, I need to generate some SSH traffic to that honeypot.  I did this manually, from a few other machines.  

*Remember the default password is 123456 for Kippo.

Once some traffic has occurred, either via actual connections to your honeypot or simulated ones from yourself, open a web browser and navigate to http://localhost/kippo-graph/ on your VM.  Here you will need to click on the text that states "GENERATE_THE_KIPPO_GRAPHS".  This will manually pull the data that was already imported into MySQL from your Kippo logs and display it in graphs that help tell a visual story of the connections.

These graphs will show statistics on passwords, usernames, inputs, connections, and many other details.  This distro would be well worth the time spent on it just to have Kippo pre-installed and configured to work with Kippo-Graph, but that is only one feature.

Using Honeyd:

Honeyd is a flexible low interaction honeypot.  Created by Niels Provos (currently employed by Google), honeyd can be used to emulate a myriad of services and machines.  With Honeyd you can create templates of behaviors for machines and then deploy numerous instances of these templates on a single machine, effectively emulating a full network.

Honeyd takes a little more work than Kippo to get running properly on this distro, but it is still much better than getting it functioning on your own.  Like Kippo it is best to start off with where the important files reside:

[Honeyd]
Bin: /usr/bin/honeyd, + /usr/bin/honeydstats
Config: /etc/honeypot/
Scripts: /usr/share/honeyd/scripts/
Logs: /var/log/honeypot/

[Honeyd2MySQL]
Location: /opt/honeyd2mysql/
MySQL database: honey2mysql
MySQL user/password: root/honeydrive

[Honeyd-Viz]
Location: /var/www/honeyd-viz/
Config: /var/www/honeyd-viz/config.php
URL: http://local-or-remote-IP-address/honeyd-viz/
MySQL database: honeyd2mysql
MySQL user/password: root/honeydrive

[Honeyd-Scripts]
Location: /opt/honeyd-scripts/
+ honeyd-geoip
+ honeyd-geoip-cymru

The first step to getting honeyd up and running is the configuration file.  Here is where you set up your templates and bindings.  By default the config binds to 10.x.x.x addresses.  That may work for some of you, but I wanted it to leverage DHCP.  To do this, you have to ensure that the template binds with a MAC address that is not the same as the HoneyDrive box's own.  Here is my basic config:

create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create windows
set windows personality "Microsoft Windows XP Professional SP1"
# the template name must be given here; honeyd's syntax is
# "set <template> default <proto> action <action>"
set windows default tcp action reset
set windows ethernet "73:D5:DF:84:5A:17"
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
add windows tcp port 21 open

dhcp windows on eth0

Once you have the config set the way you want run honeyd:

sudo honeyd -d -f /etc/honeypot.conf -l /var/log/honeypot/honeyd.log

Be sure you log to that exact path and file.  If you do not, you will need to modify the honeyd2mysql.pl script to look where you have the logs going.  I used -d above in order to be able to troubleshoot; if you leave -d out, honeyd will run in the background.

Now that honeyd is up and running, generate some scan activity so the log has something in it.  An nmap scan will work fine.

While Kippo transfers the logs to MySQL automatically, honeyd does not, as far as I can tell (perhaps I am doing something wrong).  So we must run the honeyd2mysql script.

cd /opt/honeyd2mysql/

./honeyd2mysql.pl

Now we can generate graphs just as we did with kippo.

Open a web browser and connect to http://localhost/Honeyd-viz/index.php.  Click on the link that states "GENERATE_THEHONEYD_GRAPHS".  This will now create graphs from the data we imported into MySQL.

Dionaea:

Dionaea is a honeypot designed to collect malware and exploits.  It does this by emulating services and collecting what the attacker or malicious software sends its way.  The Malware Analyst's Cookbook has a great write-up on this honeypot that you should check out if you haven't already.  As with the others, let's check out the useful files:

[Dionaea]
Location: /opt/dionaea/
Bin: /opt/dionaea/bin/dionaea
Config: /opt/dionaea/etc/dionaea/dionaea.conf
Logs: /opt/dionaea/var/log/
SQLite database: /opt/dionaea/var/dionaea/logsql.sqlite
Malware samples: /opt/dionaea/var/dionaea/binaries/
+ phpLiteAdmin: /var/www/phpliteadmin,
+ password: honeydrive,
+ URL: http://localhost/phpliteadmin/phpliteadmin.php

[Dionaea-Scripts]
Location: /opt/dionaea-scripts/
+ mimic-nepstats
+ dionaea-sqlquery

Like with the other honeypots, you need to take a look at the config and ensure it meets your needs.  The default worked for me.  Once the config is ready, simply run dionaea.  If you want to test that it is working, just fire up Metasploit on another OS and send some exploits at dionaea.  phpLiteAdmin is included and configured by default for browsing the SQLite database.
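phpLiteAdmin is fine for clicking around, but the questions you actually ask of logsql.sqlite (who hits the box most, which samples are new) are two SQL queries. The script below is an added example, not part of the original post or of the dionaea project; the two table definitions are my assumption of the columns dionaea's logsql module writes (verify with ".schema" in sqlite3 against your own file first), and the rows are constructed with RFC 5737 addresses and made-up hashes so it runs against an in-memory copy.

```python
import sqlite3

# Table layout assumed to match what dionaea's logsql module writes to
# logsql.sqlite (only the columns used here are listed). Check it against
# your file:  sqlite3 /opt/dionaea/var/dionaea/logsql.sqlite .schema
SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY,
    connection_type TEXT, connection_transport TEXT, connection_protocol TEXT,
    connection_timestamp INTEGER,
    local_host TEXT, local_port INTEGER, remote_host TEXT, remote_port INTEGER);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY, connection INTEGER,
    download_url TEXT, download_md5_hash TEXT);
"""

# Constructed sample rows (RFC 5737 documentation addresses, fake hashes),
# not real captures.
SAMPLE_CONNECTIONS = [
    (1, "accept", "tcp", "smbd",   1356706700, "10.0.0.5", 445,  "198.51.100.7", 49152),
    (2, "accept", "tcp", "smbd",   1356706760, "10.0.0.5", 445,  "198.51.100.7", 49153),
    (3, "accept", "tcp", "mssqld", 1356706800, "10.0.0.5", 1433, "203.0.113.9",  51000),
    (4, "accept", "tcp", "smbd",   1356706900, "10.0.0.5", 445,  "203.0.113.9",  51001),
    (5, "accept", "tcp", "smbd",   1356707000, "10.0.0.5", 445,  "203.0.113.9",  51002),
]
SAMPLE_DOWNLOADS = [
    (1, 1, "http://198.51.100.7/x.exe",   "0" * 32),
    (2, 2, "http://198.51.100.7/x.exe",   "0" * 32),   # same sample dropped twice
    (3, 3, "tftp://203.0.113.9/ssms.exe", "f" * 32),
]


def load_sample():
    """In-memory database with the assumed schema and the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_CONNECTIONS)
    db.executemany("INSERT INTO downloads VALUES (?,?,?,?)", SAMPLE_DOWNLOADS)
    return db


def top_remote_hosts(db, limit=10):
    """Noisiest attacking hosts: (remote_host, connection count, emulated services hit)."""
    return db.execute("""
        SELECT remote_host, COUNT(*) AS n,
               GROUP_CONCAT(DISTINCT connection_protocol) AS services
        FROM connections
        GROUP BY remote_host
        ORDER BY n DESC, remote_host
        LIMIT ?""", (limit,)).fetchall()


def unique_samples(db):
    """One row per distinct md5: first seen, times captured, source hosts and URLs.

    Joining downloads back to connections is what turns a bare hash into
    who delivered it and when, which is what you triage on.
    """
    return db.execute("""
        SELECT d.download_md5_hash, MIN(c.connection_timestamp) AS first_seen,
               COUNT(*) AS times,
               GROUP_CONCAT(DISTINCT c.remote_host) AS hosts,
               GROUP_CONCAT(DISTINCT d.download_url) AS urls
        FROM downloads d JOIN connections c ON c.connection = d.connection
        GROUP BY d.download_md5_hash
        ORDER BY first_seen""").fetchall()


if __name__ == "__main__":
    # For the real thing: db = sqlite3.connect("/opt/dionaea/var/dionaea/logsql.sqlite")
    db = load_sample()
    for host, n, services in top_remote_hosts(db):
        print(f"{host}: {n} connections ({services})")
    for md5, first_seen, times, hosts, urls in unique_samples(db):
        print(f"{md5} first seen {first_seen}, {times}x, from {hosts} via {urls}")
```

Each md5 printed by unique_samples should correspond to a file under the binaries/ directory listed above (dionaea names stored samples by hash in its default configuration, an assumption you can confirm with ls), so the second query doubles as a worklist of what to pull for analysis.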

LaBrea:

Labrea is part IDS and part sticky honeypot.  Now some of you are probably asking, "What the heck is a sticky honeypot?".  So a sticky honeypot or tarpit is used to slow down attackers as they reach the honeypot. To learn more about how it works and why to use it checkout http://labrea.sourceforge.net/Intro-History.html

 

[LaBrea]

Bin: /usr/sbin/labrea

Config: /etc/labrea/labrea.conf

Before running Labrea be sure to read the Labrea readme.  Labrea has the potential to cause issues on your network if it is not configured and run properly.  For those who just want to rush in though, the following command from the Labrea FAQ will get you started. Be warned though.

labrea -z -s -o -b -p 10000 -i eth1

Tiny Honeypot:

Tiny Honeypot will listen on all TCP ports not currently in use and provide very limited responses back to attackers. The responses should be enough to trick most automated attack tools.

[Tiny Honeypot]

Bin: /usr/sbin/thpot

Config: /etc/thpot/thp.conf

Examples: /usr/share/doc/tinyhoneypot/examples/

Logs: /var/log/thpot/

In the config file you can modify what interface is used and control what some of the responses are. To run Tiny Honeypot for a single service, simply navigate to /usr/sbin and run the following:

sudo ./thpot ftp

Of course you can replace FTP with whatever service you want to put in.  There is a lot more that can be done with Tiny Honeypot.  Look in the examples directory and of course checkout the readme to find out more.

INetSim:

INetSim is a tool for simulating some common services.  Back in one of the first TekTip videos I showed INetSim and its use for malware analysis.  For instance, if we want malware to think it is talking to its C2 server, we can redirect that traffic with some DNS manipulation (ApateDNS) to INetSim, which responds with enough data to hopefully fool the malware.  The important files can be found at:

[INetSim]

Bin: /usr/bin/inetsim

Config: /etc/inetsim/inetsim.conf

Logs: /var/log/inetsim/

You can manipulate the config to fit your needs of course but INetSim will run with default configs just fine.  Navigate to /usr/bin and run inetsim.

sudo ./inetsim

Example output once it is running is as such:

INetSim 1.2.3 (2012-10-01) by Matthias Eckert & Thomas Hungenberg
Main logfile '/var/log/inetsim/main.log' does not exist. Trying to create it...
Main logfile '/var/log/inetsim/main.log' successfully created.
Sub logfile '/var/log/inetsim/service.log' does not exist. Trying to create it...
Sub logfile '/var/log/inetsim/service.log' successfully created.
Debug logfile '/var/log/inetsim/debug.log' does not exist. Trying to create it...
Debug logfile '/var/log/inetsim/debug.log' successfully created.
Using log directory:      /var/log/inetsim/
Using data directory:     /var/lib/inetsim/
Using report directory:   /var/log/inetsim/report/
Using configuration file: /etc/inetsim/inetsim.conf
Parsing configuration file.
Configuration file parsed successfully.
=== INetSim main process started (PID 2732) ===
Session ID:     2732
Listening on:   127.0.0.1
Real Date/Time: Fri Dec 28 21:38:19 2012
Fake Date/Time: Fri Dec 28 21:38:19 2012 (Delta: 0 seconds)
 Forking services...
Couldn't create TCP socket: Address already in use at /usr/lib/perl5/Net/DNS/Nameserver.pm line 90
Net::DNS::Nameserver::new('Net::DNS::Nameserver', 'LocalAddr', 127.0.0.1, 'LocalPort', 53, 'ReplyHandler', 'CODE(0xa91215c)', 'Verbose', 0, ...) called at /usr/share/perl5/INetSim/DNS.pm line 37
INetSim::DNS::dns called at /usr/share/perl5/INetSim.pm line 74
INetSim::fork_services() called at /usr/share/perl5/INetSim.pm line 396
INetSim::main() called at ./inetsim line 22
Couldn't create UDP socket: Address already in use at /usr/lib/perl5/Net/DNS/Nameserver.pm line 109
Net::DNS::Nameserver::new('Net::DNS::Nameserver', 'LocalAddr', 127.0.0.1, 'LocalPort', 53, 'ReplyHandler', 'CODE(0xa91215c)', 'Verbose', 0, ...) called at /usr/share/perl5/INetSim/DNS.pm line 37
INetSim::DNS::dns called at /usr/share/perl5/INetSim.pm line 74
INetSim::fork_services() called at /usr/share/perl5/INetSim.pm line 396
INetSim::main() called at ./inetsim line 22
  * dns_53_tcp_udp - failed!
  * irc_6667_tcp - started (PID 2744)
  * ntp_123_udp - started (PID 2745)
  * ident_113_tcp - started (PID 2747)
  * finger_79_tcp - started (PID 2746)
  * tftp_69_udp - started (PID 2743)
  * syslog_514_udp - started (PID 2748)
  * echo_7_tcp - started (PID 2753)
  * echo_7_udp - started (PID 2754)
  * time_37_tcp - started (PID 2749)
  * discard_9_udp - started (PID 2756)
  * time_37_udp - started (PID 2750)
  * chargen_19_tcp - started (PID 2759)
  * daytime_13_tcp - started (PID 2751)
  * pop3s_995_tcp - started (PID 2740)
  * smtps_465_tcp - started (PID 2738)
  * dummy_1_udp - started (PID 2762)
  * smtp_25_tcp - started (PID 2737)
  * discard_9_tcp - started (PID 2755)
  * daytime_13_udp - started (PID 2752)
  * quotd_17_tcp - started (PID 2757)
  * chargen_19_udp - started (PID 2760)
  * https_443_tcp - started (PID 2736)
  * dummy_1_tcp - started (PID 2761)
  * ftps_990_tcp - started (PID 2742)
  * pop3_110_tcp - started (PID 2739)
  * quotd_17_udp - started (PID 2758)
  * http_80_tcp - failed!
  * ftp_21_tcp - started (PID 2741)
 done.
Simulation running.

Note the two failures in that output: dns_53_tcp_udp and http_80_tcp could not bind because something on the VM already holds those ports (the web server that serves Kippo-Graph and Honeyd-Viz on port 80, for one).  "Simulation running" is printed anyway, so check the service list every time you start it; stop or re-bind the conflicting service, or move those services to other ports in inetsim.conf, before relying on INetSim to answer the DNS and HTTP requests malware makes.
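Rather than reading the startup output for "failed!" lines after the fact, you can check the ports before starting INetSim. The Python pre-flight script below is an added example, not part of the original post or of INetSim; the listener list is transcribed from the name_port_proto entries in the output above (edit it to match what you enable in inetsim.conf), and the port names "busy"/"idle" in the demo function are constructed for the self-test.

```python
import errno
import socket

# Listeners INetSim forks with the stock config, transcribed from the
# name_port_proto entries in the startup output above. Adjust to match
# the services you enable in /etc/inetsim/inetsim.conf.
INETSIM_LISTENERS = [
    ("dns", 53, "udp"), ("dns", 53, "tcp"), ("http", 80, "tcp"),
    ("https", 443, "tcp"), ("smtp", 25, "tcp"), ("smtps", 465, "tcp"),
    ("pop3", 110, "tcp"), ("pop3s", 995, "tcp"), ("ftp", 21, "tcp"),
    ("ftps", 990, "tcp"), ("tftp", 69, "udp"), ("irc", 6667, "tcp"),
    ("ntp", 123, "udp"), ("syslog", 514, "udp"), ("ident", 113, "tcp"),
    ("finger", 79, "tcp"),
]


def port_status(port, proto="tcp", host="127.0.0.1"):
    """'free', 'in-use', or 'denied' (a port below 1024 without root).

    A plain bind() is the same operation INetSim performs when it forks a
    service, so 'in-use' here is exactly the 'Address already in use'
    failure shown in the output above. SO_REUSEADDR is deliberately not
    set: a port another process is listening on must count as taken.
    """
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind((host, port))
        except PermissionError:
            return "denied"
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return "in-use"
            raise
    return "free"


def conflicting_listeners(listeners=INETSIM_LISTENERS, host="127.0.0.1"):
    """Entries INetSim could not bind right now, each with the reason."""
    return [(name, port, proto, status)
            for name, port, proto in listeners
            for status in [port_status(port, proto, host)]
            if status != "free"]


def demo_conflict():
    """Self-contained check: hold one high port ourselves, then scan a
    constructed listener list containing it plus a port we just released."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))        # kernel picks an unused port
    holder.listen(1)
    busy = holder.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    idle = probe.getsockname()[1]
    probe.close()                        # never connected, so no TIME_WAIT: free again
    try:
        return conflicting_listeners([("busy", busy, "tcp"), ("idle", idle, "tcp")])
    finally:
        holder.close()


if __name__ == "__main__":
    # Run as the same user INetSim runs as (root on HoneyDrive), or every
    # privileged port shows up as 'denied' instead of 'free'/'in-use'.
    for name, port, proto, status in conflicting_listeners():
        print(f"{name}_{port}_{proto}: {status}")
    print("self-test:", demo_conflict())
```

A 'denied' result is about the user running the check, not about a conflict; only 'in-use' entries correspond to the "failed!" lines INetSim prints, and for those "ss -lntup" (or "netstat -lntup") shows which process holds the port.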

Misc Tools:

As I mentioned previously in addition to the honeypots, there are many other tools included.  Automater is of course one of those tools but there are many more.  From the readme:

[Security/Forensics/Anti-Malware Tools]
EtherApe
PuTTY SSH Client
nmap, + Zenmap, Umit Network Scanner
Wireshark, + tshark
Vidalia
DNS Query Tool
ClamAV, + ClamTk
ettercap
htop
ntop, + "admin"
ngrep
p0f
Flawfinder
Automater
Netcat
VBinDiff
UPX
ssdeep
md5deep
pdftk
Flasm
dex2jar
DFF (Digital Forensics Framework)
DNSpenTest
pdf-parser
NASM
Dissy
HT Editor
shellcode2exe
Pyew, + Bokken GUI

[Firefox Add-ons]
Firebug
NoScript
Adblock Plus
JavaScript Deobfuscator

[Extra Software]
Furius ISO Mount
GParted
gedit
Parcellite
Shutter
Terminator
VYM - View Your Mind
WebHTTrack Website Copier
UNetbootin
RecordMyDesktop
VLC media player
gURLChecker
Xpdf

Conclusion:

HoneyDrive 0.1 is a great start to a promising distro.  It includes most of the major honeypot software.  The suite of tools should give users a very flexible solution that can adapt to fit home, lab, and even production networks.  Adding a few more tools and automating the startup of the rest will help a lot with users who have not dealt with these tools in the past. As the community for this distro grows I would expect documentation on the software to grow, which of course will help us all.  Expect to see a video format of this review on this Sunday's edition of TekTip.

-1aN0rmus (1aN0rmus@TekDefense.com)