Honeypot

honeypot
A system environment built to attract attackers and record the methods they use.

uses of a honeypot
Only the attack logs need attention, so there is much less data to analyse.
Combined with IPS, firewall, etc. as one layer of defence in depth.
Computer crime forensics.

honeypot advantages:
small data sets
reduced false positives
reduced false negatives
cost effective
simplicity
honeypot disadvantages:
limited view
risks


types of honeypots
low-interaction honeypot: simulates only some parts
a simple simulated system; it does not simulate what happens after a successful attack
ex: Specter, honeyd, KFSensor
high-interaction honeypot: simulates all aspects of an operating system.
a highly realistic simulated system, including what happens after a successful attack
ex: honeynets

ps:
physical honeypots: less convenient, but the environment is real and harder to detect
virtual honeypots: convenient, but some malware can tell that it is running in a honeypot



honeypot detection tools:
send-safe honeypot hunter
nessus security scanner

###############################################################

Introduction to common honeypots

Kippo
an SSH honeypot that can log brute force attacks, where a remote attacker attempts to guess the logon credentials of an SSH server. Best of all, Kippo is able to record and replay the attacker's interactions with the emulated shell on the fake SSH server.

Glastopf (server-side honeypot)
a web application honeypot. It emulates often-exploited web vulnerabilities, such as remote and local file inclusion and SQL injection. Glastopf examines the attacker’s HTTP request and attempts to respond according to expectations to, for instance, download malicious files.

Dionaea (server-side, low-interaction honeypot)
a honeypot for collecting malware. It emulates vulnerabilities in Windows services often targeted by malware, such as SMB, HTTP, TFTP and FTP. Dionaea's handling of the SMB protocol is particularly liked by researchers, as is its ability to emulate the execution of the attacker's shellcode.

Thug (client-side, low-interaction honeypot)
Thug is a honeypot focused on the detection of malicious web pages. It emulates the behaviour of a typical web browser.
The tool uses the Google V8 JavaScript engine and implements its own Document Object Model (DOM).

Nepenthes
one of the most well-known and widely deployed low-interaction honeypots on the Internet. Markus Kötter and Paul Bächer first developed it in 2005. Nepenthes includes several modules for emulating Microsoft vulnerabilities that can be remotely exploited by systems scanning the Internet. In this section, you’ll learn how to collect malware samples, monitor attacks with IRC logging, and accept web-based submissions of malware from your nepenthes sensors.



Other open source honeypots:
bubblegum proxypot
jackpot
backofficer friendly
bait-n-switch
bigeye
honeyweb
deception toolkit
labrea tarpit
honeyd
honeynets
sendmail spam trap
tiny honeypot

Other commercial honeypots:
KFSensor
NetBait
ManTrap
Specter

ps:
honeyclient: simulates a client browsing the web and blocks when a security problem occurs


refer
https://zeltser.com/honeypots-for-malware-ssh-web-attacks/
Malware Analyst’s Cookbook and DVD.pdf

###############################################################

Honeypot Dionaea

Dionaea
https://github.com/rep/dionaea


1
Deploy with HoneyDrive

download HoneyDrive and boot it in VirtualBox or VMware
https://sourceforge.net/projects/honeydrive/
ps
converting the HoneyDrive OVA to a VMX for ESXi
refer
http://bruteforce.gr/honeydrive-3-vmware-guide.html


2
configure and enable the honeypot

#edit the configuration
/opt/dionaea/etc/dionaea/dionaea.conf
#run the start script
/honeydrive/dionaea-vagrant/runDionaea.sh
#check that the honeypot is running
ps aux | grep dionaea

ps:
#dionaea log paths (plain text log and the logsql SQLite database)
/opt/dionaea/var/log/dionaea.log
/opt/dionaea/var/dionaea/logsql.sqlite
ps:
#paths for captured malware (binaries) and shellcode bistreams
/opt/dionaea/var/dionaea/binaries
/opt/dionaea/var/dionaea/bistreams

3
other tools

#manage with DionaeaFR (web front end)
python /honeydrive/DionaeaFR/manager.py runserver 0.0.0.0:8000

#statistics with mimic-nepstats.py
python /honeydrive/dionaea-script/mimic-nepstats.py
refer
https://bruteforce.gr/some-dionaea-statistics.html

# browse the SQLite database with phpLiteAdmin
http://localhost/phpliteadmin/phpliteadmin.php

#readlogsqltree (python3 only)
Displays attacks from the previous day. The script queries the logsql SQLite database for attacks and prints all related information for every attack.
This tool provides information about the exploited vulnerability, the time, the attacker, information about the shellcode, and the file offered for download (if any).
ex:
python3 /opt/dionaea/bin/readlogsqltree -t $(date '+%s')-24*3600 /opt/dionaea/var/dionaea/logsql.sqlite
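
The same "attacks in the last 24 hours" query that readlogsqltree runs, as an added example that is not part of these notes or of the Dionaea project: it builds an in-memory copy of the logsql.sqlite layout with constructed records and summarises accepted connections per attacker host, per emulated service, and any captured download. The column names of the connections and downloads tables are assumed from Dionaea's logsql schema; confirm them on a real database before pointing the script at it.

```python
import sqlite3
import time
from collections import Counter

# Table layout assumed to match Dionaea's logsql.sqlite (column names taken from
# its logsql schema; confirm with "PRAGMA table_info(connections)" on a real db).
SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY, connection_type TEXT, connection_transport TEXT,
    connection_protocol TEXT, connection_timestamp INTEGER, connection_root INTEGER,
    connection_parent INTEGER, local_host TEXT, local_port INTEGER,
    remote_host TEXT, remote_hostname TEXT, remote_port INTEGER);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY, connection INTEGER, download_url TEXT, download_md5_hash TEXT);
"""

def open_sample_db(now):
    """In-memory db with constructed records: 2 SMB hits from one host, 1 FTP hit, 1 hit 3 days old, 1 download."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    rows = [
        (1, "accept", "tcp", "smbd", now - 600, 1, 1, "10.0.0.5", 445, "192.0.2.10", "", 51000),
        (2, "accept", "tcp", "smbd", now - 300, 2, 2, "10.0.0.5", 445, "192.0.2.10", "", 51001),
        (3, "accept", "tcp", "ftpd", now - 100, 3, 3, "10.0.0.5", 21, "198.51.100.7", "", 40000),
        (4, "accept", "tcp", "smbd", now - 3 * 86400, 4, 4, "10.0.0.5", 445, "203.0.113.9", "", 33000),
    ]
    db.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?,?,?,?,?,?)", rows)
    # constructed download offered during connection 1 (the md5 is that of an empty file)
    db.execute("INSERT INTO downloads VALUES (1, 1, 'http://192.0.2.10/x.exe', 'd41d8cd98f00b204e9800998ecf8427e')")
    return db

def attacks_since(db, since_ts):
    """Summarise accepted connections newer than since_ts (the job of readlogsqltree -t)."""
    sql = """SELECT c.remote_host, c.connection_protocol, d.download_url, d.download_md5_hash
             FROM connections c LEFT JOIN downloads d ON d.connection = c.connection
             WHERE c.connection_type = 'accept' AND c.connection_timestamp > ?
             ORDER BY c.connection_timestamp"""
    by_host, by_service, downloads = Counter(), Counter(), []
    for host, proto, url, md5 in db.execute(sql, (since_ts,)):
        by_host[host] += 1
        by_service[proto] += 1
        if url:  # only rows that actually had a file offered for download
            downloads.append((host, url, md5))
    return {"total": sum(by_host.values()), "by_host": dict(by_host),
            "by_service": dict(by_service), "downloads": downloads}

if __name__ == "__main__":  # same 24-hour window as the readlogsqltree command above
    now = int(time.time())
    print(attacks_since(open_sample_db(now), now - 24 * 3600))
```

To run it against a real sensor, replace open_sample_db with sqlite3.connect("/opt/dionaea/var/dionaea/logsql.sqlite") and keep the rest unchanged.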


refer
https://bruteforce.gr/starting-with-dionaea-malware-honeypot.html
https://bruteforce.gr/some-dionaea-statistics.html
https://bruteforce.gr/visualizing-dionaeas-results-with-dionaeafr.html

###############################################################

Honeypot follow-up configuration

###password configuration
$ passwd honeydrive

###time configuration
# choose honeypot time zone
$ sudo tzselect
# replace time zone file
$ sudo cp /usr/share/zoneinfo/Asia/Taipei /etc/localtime
# time update
$ sudo ntpdate time.stdtime.gov.tw
# time update by crontab
$ sudo crontab -e
@daily /usr/sbin/ntpdate time.stdtime.gov.tw > /dev/null
# write time value to BIOS
$ sudo hwclock -w

###iptables configuration
ex:

# default deny on INPUT, then accept NEW connections only on the ports Dionaea emulates
# (FTP, MSRPC, NetBIOS, SMB, HTTPS, MSSQL); add a rule for your own management port
# (e.g. SSH) before applying these, or a remote session will be cut off
iptables -P INPUT DROP
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 135 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 137 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 1433 -j ACCEPT
# allow replies and follow-up packets of connections already accepted
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

###network configuration
ex:

$ sudo vi /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address <your ip>
netmask <your mask>
gateway <your gateway>

$ sudo /etc/init.d/networking restart