{"id":419,"date":"2017-07-09T21:52:00","date_gmt":"2017-07-09T13:52:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=419"},"modified":"2025-07-27T18:25:56","modified_gmt":"2025-07-27T10:25:56","slug":"honeypot","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/419","title":{"rendered":"Honeypot"},"content":{"rendered":"\n

honeypot(\u871c\u7f50)<\/strong>
\u7528\u4f86\u5438\u5f15\u653b\u64ca\u8005\u4e26\u8a18\u9304\u653b\u64ca\u65b9\u5f0f\u800c\u5efa\u7acb\u4e4b\u7cfb\u7d71\u74b0\u5883<\/p>\n\n\n\n

honeypot\u7528\u9014<\/strong>
\u53ea\u8981\u5c08\u6ce8\u770b\u653b\u64calog,\u6240\u4ee5\u53ef\u4ee5\u6e1b\u5c11\u8981\u5206\u6790\u7684\u8cc7\u6599
\u7d50\u5408ips,firewall,…\u7b49\u505a\u6df1\u5c64\u9632\u79a6
\u96fb\u8166\u72af\u7f6a\u53d6\u8b49<\/p>\n\n\n\n

honeypot advantages:<\/strong>
small data sets
reduced false positives
reduced false negatives
cost effective
simplicity
honeypot disadvantages:<\/strong>
limited view
risks<\/p>\n\n\n\n


…<\/p>\n\n\n\n

types of honeypots<\/strong>
low-interaction honeypot<\/strong>: simulates only some parts
\u7c21\u55ae\u7684\u6a21\u64ec\u7cfb\u7d71,\u4e0d\u8655\u7406\u653b\u64ca\u6210\u529f\u5f8c\u7684\u6a21\u64ec
ex:specter,honeyd,kfsensor
high-interaction honeypot<\/strong>: simulates all aspects of an operating system.
\u9ad8\u5ea6\u6a21\u64ec\u7cfb\u7d71,\u5305\u62ec\u653b\u64ca\u6210\u529f\u5f8c\u7684\u6a21\u64ec
ex:honeynets<\/p>\n\n\n\n

ps:
physical honeypots: \u8f03\u4e0d\u65b9\u4fbf,\u4f46\u74b0\u5883\u771f\u5be6\u8f03\u96e3\u88ab\u67e5\u89ba
virtual honeypots: \u65b9\u4fbf,\u4f46\u90e8\u4efd\u60e1\u610f\u7a0b\u5f0f\u6709\u8fa6\u6cd5\u77e5\u9053\u662fhoneypot<\/p>\n\n\n\n



detect honeypot tool:<\/strong>
send-safe honeypot hunter
nessus security scanner<\/p>\n\n\n\n

###############################################################<\/p>\n\n\n\n

\u5e38\u898b\u7684honeypot\u4ecb\u7d39<\/h2>\n\n\n\n

Kippo<\/strong>
an SSH honeypot that can log brute force attacks, where remote the remote attempts to guess logon credentials of an SSH server. Best of all, Kippo is able to record and replay the attacker’s interactions with the emulated shell on the fake SSH server.<\/p>\n\n\n\n

Glastopf<\/strong>(server-side honeypots)
a web application honeypot. It emulates often-exploited web vulnerabilities, such as remote and local file inclusion and SQL injection. Glastopf examines the attacker’s HTTP request and attempts to respond according to expectations to, for instance, download malicious files.<\/p>\n\n\n\n

Dionaea<\/strong>(server-side honeypots,low-interaction honeypot)
a honeypot for collecting malware. It emulates vulnerabilities in Windows services often targeted by malware, such as SMB, HTTP, TFP and FTP. Dionaea’s handling of the SMB protocol is particularly liked by researchers, as is its ability to emulate the execution of the attacker’s shellcode.<\/p>\n\n\n\n

thug<\/strong>(client-side honeypots,low-interaction honeypot)
Thug is a honeypot focused on the detection of malicious web pages. It emulates the behaviour of a typical web browser.
The tool uses the Google V8 JavaScript engine and implements its own Document Object Model (DOM).<\/p>\n\n\n\n

Nepenthes<\/strong>
one of the most well-known and widely deployed low-interaction honeypots on the Internet. Markus K\u00f6tter and Paul B\u00e4cher first developed it in 2005. Nepenthes includes several modules for emulating Microsoft vulnerabilities that can be remotely exploited by systems scanning the Internet. In this section, you’ll learn how to collect malware samples, monitor attacks with IRC logging, and accept web-based submissions of malware from your nepenthes sensors.<\/p>\n\n\n\n



\u5176\u4ed6opensource honeypot:<\/strong>
bubblegum proxypot
jackpot
backofficer friendly
bait-n-switch
bigeye
honeyweb
deception toolkit
labrea tarpit
honeyd
honeynets
sendmail spam trap
tiny honeypot<\/p>\n\n\n\n

\u5176\u4ed6commerical honeypot:<\/strong>
KFSensor
NetBait
ManTrap
Specter<\/p>\n\n\n\n

ps:
honeyclient:\u6a21\u64ec\u7528\u6236\u7aef\u700f\u89bd\u7db2\u8def,\u767c\u751f\u5b89\u5168\u554f\u984c\u6703\u963b\u64cb<\/p>\n\n\n\n


refer
https:\/\/zeltser.com\/honeypots-for-malware-ssh-web-attacks\/
Malware Analyst’s Cookbook and DVD.pdf

###############################################################<\/p>\n\n\n\n

Honeypot Dionaea<\/h2>\n\n\n\n

Dionaea
https:\/\/github.com\/rep\/dionaea<\/p>\n\n\n\n


1
Deploy by honeydrive<\/strong>
download honeydrive and eanble by virtual box or vmware
https:\/\/sourceforge.net\/projects\/honeydrive\/
ps
honeydrive ova to vmx of esxi
refer
http:\/\/bruteforce.gr\/honeydrive-3-vmware-guide.html<\/p>\n\n\n\n


2
configuration and enable honeypot<\/strong>
#edit configuration
\/opt\/dionaea\/etc\/dionaea\/dionaea.conf
#run script
\/honeydrive\/dionaea-vagrant\/runDionaea.sh
#check honeypot is enable
ps aux | grep dionaea<\/p>\n\n\n\n

ps:
#dionaea log path
\/opt\/dionaea\/var\/log\/dionaea.log
\/opt\/dionaea\/var\/dionaea\/logsql.sqlite
ps:
#catched malware(binaries) and shellcode(bitstreams) path
\/opt\/dionaea\/var\/dionaea\/binaries
\/opt\/dionaea\/var\/dionaea\/bistreams<\/p>\n\n\n\n

3
other tool<\/strong><\/p>\n\n\n\n

#manage by dionaeaFR
python \/honeydrive\/DionaeaFR\/manager.py runserver 0.0.0.0:8000<\/p>\n\n\n\n

#statistic by mimic-nepstats.py
python \/honeydrive\/dionaea-script\/mimic-nepstats.py
refer
https:\/\/bruteforce.gr\/some-dionaea-statistics.html<\/p>\n\n\n\n

# manage by sqllite web
http:\/\/localhost\/phpliteadmin\/phpliteadmin.php<\/p>\n\n\n\n

#readlogsqltree(only support python3)
to display attacks from the previous day. The script queries the logsql sqlite database for attacks, and prints out all related information for every attack.
This tool provides information about the exploited vulnerability, the time, the attacker, information about the shellcode, and the file offered for download (if any).
ex:
python3 \/opt\/dionaea\/bin\/readlogsqltree -t $(date ‘+%s’)-24*3600 \/opt\/dionaea\/var\/dionaea\/logsql.sqlite<\/p>\n\n\n\n


refer
https:\/\/bruteforce.gr\/starting-with-dionaea-malware-honeypot.html
https:\/\/bruteforce.gr\/some-dionaea-statistics.html
https:\/\/bruteforce.gr\/visualizing-dionaeas-results-with-dionaeafr.html<\/p>\n\n\n\n

………………………………………………………..<\/p>\n\n\n\n

honeypot\u5f8c\u7e8c\u8a2d\u5b9a<\/strong><\/p>\n\n\n\n

###password configuration
$ passwd honeydrive<\/p>\n\n\n\n

###time configuration
# choose honeypot time zone
$ sudo tzselect<\/code>
# replace time zone file
$ sudo cp \/usr\/share\/zoneinfo\/Aisa\/Taipei \/etc\/localtime<\/code>
# time update
$ sudo ntpdate time.stdtime.gov.tw<\/code>
# time update by crontab
$ sudo crontab -e<\/code>
@daily \/usr\/sbin\/ntpdate time.stdtime.gov.tw > \/dev\/null<\/code>
# write time value to BIOS
$ sudo hwclock -w<\/code><\/p>\n\n\n\n

###iptable configuration
ex:<\/p>\n\n\n\n

iptables -P INPUT DROP\niptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT\niptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 135 -j ACCEPT\niptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 137 -j ACCEPT\niptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT\niptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT\niptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 1433 -j ACCEPT\niptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT<\/code><\/pre>\n\n\n\n
###network configuration
ex:<\/p>\n\n\n\n
$sudo vi \/etc\/network\/interfaces\nauto lo\niface lo inet loopback\n\nauto eth0\niface eth0 inet static\naddress < your ip>\nnetmask < your mask>\ngateway < your gateway>\n\n$ sudo \/etc\/init.d\/networking restart<\/code><\/pre>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
honeypot(\u871c\u7f50)\u7528\u4f86\u5438\u5f15\u653b\u64ca\u8005\u4e26\u8a18\u9304\u653b\u64ca\u65b9\u5f0f\u800c\u5efa\u7acb\u4e4b …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[370],"tags":[],"class_list":["post-419","post","type-post","status-publish","format-standard","hentry","category-blue-team"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/419","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=419"}],"version-history":[{"count":1,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/419\/revisions"}],"predecessor-version":[{"id":2419,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/419\/revisions\/2419"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=419"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=419"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=419"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}