Babby’s First Honeypot
Or Getting Worms for < $50
Noah Nadeau
Setup
Prerequisites
Installation Prerequisites
Workstation with SD Card Reader
Alternatively, buy a microSD card with distro pre-installed
Installed Linux distro (Native or LiveCD)
Bootice might also work
Raspbian distro
Hardware
Raspberry Pi B+ - case optional
High speed 16 GB microSD card (logs can get big)
1.0A Micro USB Power
Cat 5(e) cable
HDMI cable & USB keyboard (for initial configuration)
Raspberry Pi Honeypot
What’s Needed
Raspbian: download the stripped Linux distro (Raspbian)
Updates: run the update/upgrade commands
Image: image the distro to the microSD card using dd
Installation
Config: run through raspi-config
Follow-Up: final modifications
Wait
Install nepenthes / thpot / dionaea
View Logs
Raspbian Installation
Part 1
http://www.raspberrypi.org/downloads/
Download the Raspbian image
Use dd to image to microSD card
dd if={image location} of={sd card slot in /dev/} bs=512K
Validate the image
Note: (g)parted will have issues viewing the created partitions (particularly the boot sector) prior to system restart
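The "validate the image" step above is the one most people skip. The script below is an added example, not part of the original slides: it wraps the dd command from the slide and then reads the image-sized prefix back from the target and compares SHA-256 hashes, so a card that silently dropped writes is caught before it goes in the Pi. IMAGE and TARGET are placeholder paths (the target is normally a block device such as /dev/sdX, run as root); because any writable path is accepted, the functions can also be exercised against a plain file. Assumes GNU coreutils (dd, head, wc, sha256sum).

```shell
#!/bin/sh
# Added example: write a Raspbian image to a microSD card and verify the
# bytes actually on the card. Not from the slides or any project.

# Print the SHA-256 of the first N bytes of a file or device.
# Arguments: path, byte count.
hash_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# Compare IMAGE against the same number of bytes at the start of TARGET.
# Only the image-sized prefix is hashed: the card is larger than the image
# and the remainder is not expected to match anything.
# Returns 0 on match, 1 on mismatch.
verify_written_image() {
    image=$1
    target=$2
    size=$(wc -c < "$image" | tr -d ' ')
    expected=$(sha256sum "$image" | cut -d' ' -f1)
    actual=$(hash_prefix "$target" "$size")
    if [ "$expected" = "$actual" ]; then
        echo "OK: $target matches $image ($size bytes)"
        return 0
    fi
    echo "MISMATCH: $target does not match $image" >&2
    return 1
}

# Write IMAGE to TARGET with dd (same bs as the slide), then verify it.
write_and_verify() {
    image=$1
    target=$2
    # conv=fsync flushes the data out of the page cache before dd returns,
    # so the verification reads from the card rather than from memory.
    dd if="$image" of="$target" bs=512K conv=fsync 2>/dev/null || return 1
    verify_written_image "$image" "$target"
}

# Usage on the real hardware (hypothetical file and device names):
#   write_and_verify 2014-01-07-wheezy-raspbian.img /dev/sdb
```

Verifying the prefix this way also explains the (g)parted note: the kernel still holds the old partition table for the device until it is re-read or the system restarts, but the raw bytes are already on the card, which is all the hash compares.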
Raspbian Installation
Part 2
raspi-config
Connect peripherals (HDMI, Keyboard, Cat 5) and power on
Connect to network, find its IP and SSH
Then run raspi-config
First-time installation notes:
Expand Filesystem
Internationalisation Options (thanks Obama)
Change Locale, Timezone, and Keyboard Layout
Change Password (do this *after* changing the keyboard)
Boot to Desktop / Scratch (leave as command line)
Raspbian Installation
Part 3
Final Updates
Run your standard update commands
apt-get update
apt-get upgrade
apt-get autoclean
apt-get autoremove
Optional: Remove unused libraries
Scratch, others…
tinyhoneypot
Simple, low-configuration honeypot
Basic Steps
# mkdir /var/log/hpot
# chown nobody:nobody /var/log/hpot
# chmod 700 /var/log/hpot
# ./iptables.rules
# cp ./xinetd.d/* /etc/xinetd.d/
# service portmap restart
# pmap_set < /usr/local/thp/fakerpc
# service xinetd restart
tinyhoneypot
FFFFFFFFFFFFFFFUUUUUUUUUUUUUUUUUUUUUUU
Dependent on portmap and xinetd
# chown nobody:nogroup /var/log/thpot
# chmod 700 /var/log/thpot
# ./iptables.rules
# cp ./xinetd.d/* /etc/xinetd.d/
# service rpcbind restart
# pmap_set < /usr/local/thp/fakerpc
# service xinetd restart
Take 2
…
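The two things that changed between the first attempt and Take 2 are the group (Debian-based systems give the nobody user the primary group nogroup; there is no group called nobody) and the portmapper service name (rpcbind rather than portmap). The script below is an added example, not part of the slides or of tinyhoneypot: a pre-flight that resolves the owner's real primary group from the passwd and group files, picks whichever portmapper is on PATH, and creates the log directory with the 0700 mode from the slides. The passwd and group file paths are parameters so the functions can be run against constructed copies; /var/log/thpot is used only as the directory name from the slide.

```shell
#!/bin/sh
# Added example: pre-flight for the tinyhoneypot setup on Raspbian.
# Not from the slides or from tinyhoneypot itself.

# Print the primary group name of a user, resolving the GID through the
# group file. Arguments: user, passwd file, group file.
primary_group_of() {
    user=$1 passwd=$2 group=$3
    gid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd")
    [ -n "$gid" ] || return 1
    name=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group")
    [ -n "$name" ] && echo "$name"
}

# Print the portmapper service to restart: rpcbind if present on PATH,
# otherwise portmap; fail if neither exists.
portmapper_service() {
    if command -v rpcbind >/dev/null 2>&1; then
        echo rpcbind
    elif command -v portmap >/dev/null 2>&1; then
        echo portmap
    else
        echo "no portmapper found on PATH" >&2
        return 1
    fi
}

# Create the log directory with the owner:group the system actually has and
# the 0700 mode from the slides; print the owner:group pair that was used.
# Arguments: directory, owner, passwd file, group file.
prepare_log_dir() {
    dir=$1 owner=$2 passwd=$3 group=$4
    grp=$(primary_group_of "$owner" "$passwd" "$group") || return 1
    mkdir -p "$dir" || return 1
    # chown needs root; when run unprivileged the ownership step is skipped
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$grp" "$dir" || return 1
    fi
    chmod 700 "$dir" || return 1
    echo "$owner:$grp"
}

# Usage on the honeypot host (defaults to the live system databases):
#   prepare_log_dir /var/log/thpot nobody /etc/passwd /etc/group
#   service "$(portmapper_service)" restart
```

Resolving the group rather than hard-coding nobody:nobody is the point: the chown in the first attempt failed for a reason that is visible in /etc/group before any service is started.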
Nepenthes
Replaced by dionaea
Debian install instructions at http://dionaea.carnivore.it///#compiling
Dionaea
Dry Run: Kali
DEV installation on Kali Works fine
./configure --with-lcfg-include=/opt/dionaea/include/ \
    --with-lcfg-lib=/opt/dionaea/lib \
    --with-python=/opt/dionaea/bin/python3.2 \
    --with-cython-dir=/opt/dionaea/bin \
    --with-udns-include=/opt/dionaea/include/ \
    --with-udns-lib=/opt/dionaea/lib \
    --with-emu-include=/opt/dionaea/include/ \
    --with-emu-lib=/opt/dionaea/lib/ \
    --with-gc-include=/usr/include/gc \
    --with-ev-include=/opt/dionaea/include \
    --with-ev-lib=/opt/dionaea/lib \
    --with-nl-include=/usr/include \
    --with-nl-lib=/usr/lib \
    --with-curl-config=/usr/bin/ \
    --with-pcap-include=/opt/dionaea/include \
    --with-pcap-lib=/opt/dionaea/lib/
make
make install
Dionaea
Raspbian
Dionaea
Lessons Learned
Kali VM with x86_64 architecture ≠ Raspbian on ARM
Additional packages: libffi-dev gettext
Glib version must be <= 2.32.
Raspbian runs glib v2.40. Changes break dionaea
Kali runs 2.32 or older
Glib 2.40 introduced g_info
g_thread_init and g_mutex_new deprecated
Even with changes to source, compiling is broken
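Both lessons above are checkable in seconds before starting a multi-hour build. The script below is an added example, not from the slides or from the dionaea project: it compares the build host's architecture with the deployment target and checks the installed glib against a maximum version. The 2.32 ceiling is the figure stated on the slide, not a value read from dionaea's build system; armv6l as the Pi B+ machine string and pkg-config as the way to read the glib version are assumptions of the example. Version components are assumed to be plain integers (no Debian revision suffix).

```shell
#!/bin/sh
# Added example: pre-flight checks before compiling dionaea from source.
# Not from the slides or from the dionaea project.

# Return 0 if dotted version $1 is in or below the series named by $2.
# Only as many components as $2 has are compared, so "2.32" means the
# 2.32 series: 2.32.4 passes, 2.40.0 fails, and 2.9 < 2.32 numerically.
version_le() {
    have=$1 max=$2
    while [ -n "$max" ]; do
        x=${have%%.*}
        y=${max%%.*}
        # drop the component just consumed (empty once the last is used)
        case $have in *.*) have=${have#*.} ;; *) have= ;; esac
        case $max in *.*) max=${max#*.} ;; *) max= ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 0
}

# Ask pkg-config for the installed glib and compare it with the ceiling.
# Argument: maximum acceptable version (defaults to the slide's 2.32).
glib_ok() {
    max=${1:-2.32}
    have=$(pkg-config --modversion glib-2.0 2>/dev/null) || {
        echo "glib-2.0 not found via pkg-config" >&2
        return 1
    }
    if version_le "$have" "$max"; then
        echo "glib $have is within $max: OK"
        return 0
    fi
    echo "glib $have is newer than $max: g_thread_init/g_mutex_new will not build" >&2
    return 1
}

# Compare the build host's architecture with the deployment target.
# Argument: target machine string as reported by uname -m (assumed armv6l
# for a Pi B+).
arch_matches() {
    target=$1
    host=$(uname -m)
    [ "$host" = "$target" ] && return 0
    echo "building on $host, deploying to $target: binaries will not transfer" >&2
    return 1
}

# Run both checks and return non-zero if either fails, for use at the top of
# a build script.
preflight() {
    status=0
    arch_matches "${1:-armv6l}" || status=1
    glib_ok "${2:-2.32}" || status=1
    return $status
}
```

Run preflight on the machine that will actually execute ./configure; on the Kali VM it reports the architecture mismatch, on Raspbian it reports the glib 2.40 problem, and either result is the signal to use the prebuilt ARM packages instead.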
Dionaea
Take 3
dionaea ARM packages are available from a different source (thanks Yerry Pi):
nano /etc/apt/sources.list (add the line:)
deb http://packages.s7t.de/raspbian wheezy main
apt-get update
apt-get install libglib2.0-dev libssl-dev libcurl4-openssl-dev libreadline-dev \
    libsqlite3-dev libtool automake autoconf build-essential subversion git-core \
    flex bison pkg-config libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev \
    libnl-route-3-dev liblcfg libemu libev dionaea-python dionaea-cython \
    libpcap udns dionaea
Dionaea
Configuration
cp /opt/dionaea/etc/dionaea.conf.dist /opt/dionaea/etc/dionaea.conf
chown nobody:nogroup /opt/dionaea/ -R
dionaea -u nobody -g nogroup -r /opt/dionaea -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid
/opt/dionaea/bin/dionaea -l all,-debug -L '*' -D
nano /opt/dionaea/readlogsqltree (change first line:)
#!/opt/dionaea/bin/python3.2
Dionaea
The Payoff…
Dionaea
Access Attempts
Dionaea
Lessons Learned
Technical:
Found 3 rogue systems at work (with DEV Kali deployment alone)
2 in LAN, 1 at HQ
First probe on PROD within 90 minutes of setting up.
First active attack 14 hours later (mssql)
Academic:
Going the long way around, you’ll learn / remember more about C/C++ and makefiles than you wish you could
Social:
When playing Crash and Compile: 1) do it with your own sourcecode; 2) don’t try to beat your old score.
MSSQL Attack:
http://pastebin.com/4dkmukPp
Dionaea
Next Steps
Possible Improvements
Install Vagrant / mhn
Replication and centralized control
Addition of p0f
Passive remote machine identification
Understanding bistreams
Locate the pcaps
Extend for HTTP
What to do with this information?
Dionaea
In ur networks, nabbing ur exploits
References / Additional Reading
Dionaea homepage:
http://dionaea.carnivore.it/
Nathan Yee – Deploying Dionaea on a Raspberry Pi
https://github.com/threatstream/mhn/wiki/Deploying-Dionaea-on-a-Raspberry-Pi
Yerry Pi – Dionaea on Raspberry Pi
http://droidtoo.blogspot.com/2013/05/setting-up-dionaea-on-raspberry-pi.html
Questions?