Babby’s First Honeypot
Or Getting Worms for < $50
Noah Nadeau
Setup Prerequisites
Installation Prerequisites
Software
- Workstation with an SD card reader (alternatively, buy a microSD card with the distro pre-installed)
- Installed Linux distro (native or LiveCD); Bootice might also work
- Raspbian distro image
Hardware
- Raspberry Pi B+ (case optional)
- High-speed 16 GB microSD card (logs can get big)
- 1.0 A micro USB power supply
- Cat 5(e) cable
- HDMI cable and USB keyboard (for initial configuration)
Raspberry Pi Honeypot What’s Needed
1. Raspbian: download the stripped-down Linux distro (Raspbian)
2. Image: write the distro to the microSD card using dd
3. Updates: run the update/upgrade commands
4. Config: run through raspi-config
5. Installation: final modifications; install nepenthes / thpot / dionaea
6. Follow-up: wait, then view the logs
Raspbian Installation Part 1
http://www.raspberrypi.org/downloads/
- Download the Raspbian image
- Use dd to write it to the microSD card:
    dd if={image location} of={sd card slot in /dev/} bs=512K
- Validate the image
Note: (g)parted will have issues viewing the created partitions (particularly the boot sector) prior to a system restart.
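The deck says "validate the image" without showing how. The following is an added example (not from the slides): it checks the downloaded image against a published SHA-256 and then confirms that the bytes written to the card match the image, reading only the image's length because the card is normally larger than the image. The file names and the temporary files it creates are constructed stand-ins; on a real system the device path would be the card (for example the /dev/ node given to dd), which needs root to read.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # hash/compare in 1 MiB pieces so a multi-GB image never has to fit in RAM


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def checksum_matches(path, expected_hex):
    """True when the file's SHA-256 equals the published digest (whitespace/case tolerant)."""
    return sha256_of(path) == expected_hex.strip().lower()


def image_matches_device(image_path, device_path):
    """True when the first len(image) bytes of the device equal the image.

    The card is almost always larger than the image, so only the image's length is
    compared; whatever lies past it on the card is ignored. A device shorter than the
    image (or a short read) fails the comparison.
    """
    remaining = os.path.getsize(image_path)
    with open(image_path, "rb") as img, open(device_path, "rb") as dev:
        while remaining > 0:
            want = min(CHUNK, remaining)
            if img.read(want) != dev.read(want):
                return False
            remaining -= want
    return True


def build_demo():
    """Constructed stand-ins: an image, a correctly written card, and a card with one bad byte."""
    d = tempfile.mkdtemp()
    image = os.path.join(d, "raspbian.img")
    good = os.path.join(d, "good_card")
    bad = os.path.join(d, "bad_card")
    payload = os.urandom(3 * CHUNK + 123)  # deliberately not a multiple of CHUNK
    with open(image, "wb") as f:
        f.write(payload)
    with open(good, "wb") as f:
        f.write(payload + b"\0" * 4096)  # card larger than the image: still a match
    flipped = bytes([payload[CHUNK] ^ 0x01])  # corrupt exactly one byte at a chunk boundary
    with open(bad, "wb") as f:
        f.write(payload[:CHUNK] + flipped + payload[CHUNK + 1:] + b"\0" * 4096)
    return image, good, bad


if __name__ == "__main__":
    image, good, bad = build_demo()
    print("image sha256:", sha256_of(image))
    print("good card matches:", image_matches_device(image, good))
    print("bad card matches: ", image_matches_device(image, bad))
```

Run the device comparison after dd has finished and `sync` has returned; comparing while the kernel is still flushing the write cache gives a false mismatch.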
Raspbian Installation Part 2
raspi-config
- Connect peripherals (HDMI, keyboard, Cat 5) and power on
- Connect to the network, find its IP, and SSH in
- Then run raspi-config
First-time installation notes:
- Expand Filesystem
- Internationalisation Options (thanks Obama): change Locale, Timezone, and Keyboard Layout
- Change Password (do this *after* changing the keyboard layout)
- Boot to Desktop / Scratch (leave as command line)
Raspbian Installation Part 3
Final Updates
Run your standard update commands:
    apt-get update
    apt-get upgrade
    apt-get autoclean
    apt-get autoremove
Optional: remove unused libraries (Scratch, others…)
tinyhoneypot
Simple, low-configuration honeypot
Basic Steps
    # mkdir /var/log/hpot
    # chown nobody:nobody /var/log/hpot
    # chmod 700 /var/log/hpot
    # ./iptables.rules
    # cp ./xinetd.d/* /etc/xinetd.d/
    # service portmap restart
    # pmap_set < /usr/local/thp/fakerpc
    # service xinetd restart
tinyhoneypot FFFFFFFFFFFFFFFUUUUUUUUUUUUUUUUUUUUUUU
Dependent on portmap and xinetd
Take 2 … (group nogroup, log directory /var/log/thpot, and rpcbind in place of portmap)
    # chown nobody:nogroup /var/log/thpot
    # chmod 700 /var/log/thpot
    # ./iptables.rules
    # cp ./xinetd.d/* /etc/xinetd.d/
    # service rpcbind restart
    # pmap_set < /usr/local/thp/fakerpc
    # service xinetd restart
Nepenthes
Replaced by dionaea. Debian install instructions at http://dionaea.carnivore.it///#compiling
Dionaea Dry Run: Kali
DEV installation on Kali works fine:
    ./configure \
      --with-lcfg-include=/opt/dionaea/include/ --with-lcfg-lib=/opt/dionaea/lib \
      --with-python=/opt/dionaea/bin/python3.2 --with-cython-dir=/opt/dionaea/bin \
      --with-udns-include=/opt/dionaea/include/ --with-udns-lib=/opt/dionaea/lib \
      --with-emu-include=/opt/dionaea/include/ --with-emu-lib=/opt/dionaea/lib/ \
      --with-gc-include=/usr/include/gc \
      --with-ev-include=/opt/dionaea/include --with-ev-lib=/opt/dionaea/lib \
      --with-nl-include=/usr/include --with-nl-lib=/usr/lib \
      --with-curl-config=/usr/bin/ \
      --with-pcap-include=/opt/dionaea/include --with-pcap-lib=/opt/dionaea/lib/
    make
    make install
Dionaea Raspbian
Dionaea Lessons Learned
- Kali VM with x86_64 architecture ≠ Raspbian on ARM
- Additional packages needed: libffi-dev, gettext
- GLib version must be <= 2.32: Raspbian runs GLib 2.40, whose changes break dionaea; Kali runs 2.32 or older
- GLib 2.40 introduced g_info; g_thread_init and g_mutex_new are deprecated
- Even with changes to the source, compiling is broken
Dionaea Take 3
dionaea ARM packages are available from a different source (thanks Yerry Pi):
    nano /etc/apt/sources.list
(add the line:)
    deb http://packages.s7t.de/raspbian wheezy main
then
    apt-get update
    apt-get install libglib2.0-dev libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev liblcfg libemu libev dionaea-python dionaea-cython lipcap udns dionaea liblcfg
Dionaea Configuration
    cp /opt/dionaea/etc/dionaea.conf.dist /opt/dionaea/etc/dionaea.conf
    chown nobody:nogroup /opt/dionaea/ -R
Run as the unprivileged user, chrooted to the install directory:
    dionaea -u nobody -g nogroup -r /opt/dionaea -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid
Full logging (all levels except debug, every log domain), daemonized:
    /opt/dionaea/bin/dionaea -l all,-debug -L '*' -D
    nano /opt/dionaea/readlogsqltree
(change the first line to:)
    #!/opt/dionaea/bin/python3.2
Dionaea The Payoff…
Dionaea Access Attempts
Dionaea Lessons Learned
Technical:
- Found 3 rogue systems at work (with the DEV Kali deployment alone): 2 in the LAN, 1 at HQ
- First probe on PROD within 90 minutes of setting up
- First active attack 14 hours later (mssql)
Academic:
- Going the long way around, you’ll learn / remember more about C/C++ and makefiles than you wish you could
Social:
- When playing Crash and Compile: 1) do it with your own source code; 2) don’t try to beat your old score
MSSQL Attack: http://pastebin.com/4dkmukPp
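The "time to first probe" and "first attack 14 hours later" numbers above are the kind of thing you pull out of dionaea's SQLite log once it has run for a while. The script below is an added example, not code from the deck or from the dionaea project: it loads a handful of constructed rows into an in-memory table whose columns are modeled on the `connections` table that dionaea's logsql module writes (that schema is an assumption here; check `.schema connections` against your own logsql.sqlite) and answers three questions a sensor owner asks first: how long until the first inbound connection, which service was hit first, and which remote hosts keep coming back. The deployment time, hosts (documentation address ranges) and timestamps are all made up for the demo.

```python
import sqlite3
from collections import Counter
from datetime import datetime, timezone

# Assumed schema, modeled on dionaea's logsql `connections` table (subset of its columns).
SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY,
    connection_type TEXT,
    connection_transport TEXT,
    connection_protocol TEXT,
    connection_timestamp INTEGER,
    local_host TEXT,
    local_port INTEGER,
    remote_host TEXT,
    remote_port INTEGER
)
"""

# Constructed: the moment the sensor went live (epoch seconds).
T0 = int(datetime(2014, 4, 1, 12, 0, tzinfo=timezone.utc).timestamp())

# Constructed sample rows: dionaea's own "listen" sockets, then inbound "accept"s.
# Offsets are seconds after T0; remote hosts are from RFC 5737 documentation ranges.
SAMPLE = [
    ("listen", "tcp", "smbd",   0,              "10.0.0.5", 445,  "",              0),
    ("listen", "tcp", "mssqld", 0,              "10.0.0.5", 1433, "",              0),
    ("listen", "tcp", "httpd",  0,              "10.0.0.5", 80,   "",              0),
    ("accept", "tcp", "smbd",   90 * 60,        "10.0.0.5", 445,  "192.0.2.10",    49321),
    ("accept", "tcp", "httpd",  3 * 3600,       "10.0.0.5", 80,   "198.51.100.7",  51022),
    ("accept", "tcp", "smbd",   5 * 3600,       "10.0.0.5", 445,  "192.0.2.10",    49877),
    ("accept", "tcp", "mssqld", 14 * 3600,      "10.0.0.5", 1433, "198.51.100.23", 60110),
    ("accept", "tcp", "mssqld", 14 * 3600 + 40, "10.0.0.5", 1433, "198.51.100.23", 60111),
]


def load_sample():
    """Build the in-memory database; swap for sqlite3.connect('logsql.sqlite') on a real sensor."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany(
        "INSERT INTO connections (connection_type, connection_transport, connection_protocol, "
        "connection_timestamp, local_host, local_port, remote_host, remote_port) "
        "VALUES (?,?,?,?,?,?,?,?)",
        [(t, tr, p, T0 + off, lh, lp, rh, rp) for (t, tr, p, off, lh, lp, rh, rp) in SAMPLE],
    )
    return db


def first_probe_delay(db, deployed_ts=T0):
    """Seconds between deployment and the first inbound accept; None if nothing has arrived."""
    (ts,) = db.execute(
        "SELECT MIN(connection_timestamp) FROM connections WHERE connection_type = 'accept'"
    ).fetchone()
    return None if ts is None else ts - deployed_ts


def first_by_service(db, deployed_ts=T0):
    """Hours until the first inbound accept, per emulated service."""
    rows = db.execute(
        "SELECT connection_protocol, MIN(connection_timestamp) FROM connections "
        "WHERE connection_type = 'accept' GROUP BY connection_protocol"
    ).fetchall()
    return {proto: (ts - deployed_ts) / 3600 for proto, ts in rows}


def hits_per_service(db):
    """Inbound accepts keyed by (local_port, protocol); listen rows are excluded."""
    rows = db.execute(
        "SELECT local_port, connection_protocol FROM connections WHERE connection_type = 'accept'"
    ).fetchall()
    return Counter(rows)


def top_remote_hosts(db, n=5):
    """Remote hosts with the most inbound connections, most frequent first."""
    rows = db.execute(
        "SELECT remote_host FROM connections WHERE connection_type = 'accept'"
    ).fetchall()
    return Counter(r[0] for r in rows).most_common(n)


if __name__ == "__main__":
    db = load_sample()
    print("first probe after %.0f minutes" % (first_probe_delay(db) / 60))
    for proto, hours in sorted(first_by_service(db).items(), key=lambda kv: kv[1]):
        print("  %-7s first seen after %.1f h" % (proto, hours))
    print("hits per service:", dict(hits_per_service(db)))
    print("top remote hosts:", top_remote_hosts(db))
```

Filtering on `connection_type = 'accept'` matters: dionaea also logs its own listening sockets and outbound connections, and counting those inflates every number.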
Dionaea Next Steps
Possible Improvements
- Install Vagrant / mhn: replication and centralized control
- Addition of p0f: passive remote machine identification
- Understanding bistreams: locate the pcaps
- Extend for HTTP
- What to do with this information?
Dionaea In ur networks, nabbing ur exploits
References / Additional Reading
- Dionaea homepage: http://dionaea.carnivore.it/
- Nathan Yee – Deploying Dionaea on a Raspberry Pi: https://github.com/threatstream/mhn/wiki/Deploying-Dionaea-on-a-Raspberry-Pi
- Yerry Pi – Dionaea on Raspberry Pi: http://droidtoo.blogspot.com/2013/05/setting-up-dionaea-on-raspberry-pi.html