Video

s06 Bringing PWNED To You Interesting Honeypot Trends Elliott Brink

Video

Black Hat USA 2014 – Incident Response: Secure Because Math A Deep Dive on Machine Learning

Sep 07 2014

How to install Perl DBD on Mac OS X Mavericks with MAMP Stack

Today I decided to work on Honeyd-Viz a bit which I feel I have abandoned the last year. In order to do so, I needed to have a sample database to play with. As you know, you can create a MySQL database with entries from Honeyd’s honeyd.log file using the Honeyd2MySQL script. Honeyd2MySQL uses Perl’s DBI::DBD module for MySQL operations. I have also been using MAMP Stack from BitNami for development. The problem I had was the installation of DBI::DBD on my Mac OS X which I needed in order to use the DBD::mysql driver. If you’re having troubles you can follow the guide below (written with some help from StackOverflow):

  1. Install XCode from the App Store. Then, open XCode, go to the Preferences –> Downloads menu and install the Command Line Tools.

  2. Install MAMP Stack from BitNami. Write down or take a mental note of the password value for MySQL’s root user. Choose to start the services (Apache & MySQL).

  3. Add MAMP’s MySQL binaries to your PATH (this is particularly needed for mysql_config). Example:

    locate mysql_config
    /Applications/mampstack-5.4.32-0/mysql/bin/mysql_config

    Get that directory and add it to your .bash_profile file, appending it to the PATH variable:

    nano ~/.bash_profile
    PATH={ ... }:/Applications/mampstack-5.4.32-0/mysql/bin

    Logout and open a new shell session.

  4. Create symlinks for MySQL’s lib files in your local lib path:

    cd /usr/local
    mkdir lib #it might already exist, e.g. if you're using Homebrew
    cd lib
    sudo ln -s /Applications/mampstack-5.4.32-0/mysql/lib/plugin/ plugin
    sudo ln -s /Applications/mampstack-5.4.32-0/mysql/lib/*.dylib .

  5. Initialize CPAN and install cpanm:

    cpan #accept defaults
    sudo cpan App::cpanminus

  6. Install DBI and download DBD::mysql:

    sudo cpanm DBI
    sudo perl -MCPAN -e 'shell' #opens a CPAN shell session
    cpan> get DBD::mysql
    cpan> exit

  7. Manually install DBD::mysql:

    cd ~/.cpan/build/DBD*
    sudo perl Makefile.PL --testuser='root' --testpassword='<mysql_root_password>' #use the password you entered during MAMP's installation
    sudo make install

  8. (optional) Symlink your MAMP’s MySQL sock file if needed (e.g. if you get an error while trying to connect to MySQL server running on ‘localhost’):

    ln -s /Applications/mampstack-5.4.32-0/mysql/tmp/mysql.sock /tmp/mysql.sock
    chmod 777 /tmp/mysql.sock

That’s it! Hopefully everything would be good to go.

Aug 25 2014

DionaeaFR: adding parameterized date range

UPDATE: this change has been merged into the official DionaeaFR repo.

As you might know, DionaeaFR is a very good frontend for Dionaea malware honeypot. It is developed by @rubenespadas, is written in Python and uses the Django web framework. I have covered DionaeaFR in the past in my post Visualizing Dionaea’s results with DionaeaFR and of course I have included it in HoneyDrive.

But, DionaeaFR had an issue that was bugging me a lot; it only displayed data for the last 7 days (starting from the current day and going backwards). This is a problem when dealing with old databases or when you want to get a more comprehensive overall impression of the honeypot’s activity or when you simply decided to stop your capturing activities for some days and then want to visualize what was going on.

So, I decided to fix it (along with some other small issues). You can find a fork of DionaeaFR on my GitHub account here: https://github.com/ikoniaris/DionaeaFR where there is a RESULTS_DAYS variable in the settings.py file that you can set to the number of days you want DionaeaFR to show data for (starting from the current day and going backwards). I have also submitted that as a pull request but I haven’t got a response yet, thus I decided to post this.

Enjoy, and please let me know of any feedback.

Aug 24 2014

Kippo-Graph 1.3 released!

This is the release of another version of Kippo-Graph, reaching 1.3!

Kippo-Graph 1.3 brings some significant changes to the codebase, the most important one being that all SQL operations now use the RedBeanPHP library. This change adds a new requirement: Kippo-Graph needs PHP version 5.3.4 or higher. Another change worth noting is the addition of VirusTotal IP lookup in Kippo-Geo.

Download: kippo-graph-1.3 or clone/pull from GitHub: https://github.com/ikoniaris/kippo-graph

MD5 Checksum: 8F50AE28646A8277077117130A0C69D6
SHA-1 Checksum: B79004DB6B5408258A32AB275436ADD6E44FC125

CHANGES:

Version 1.3:
+ Switched all SQL operations to the RedBeanPHP library.
+ Reformatted and standardized all SQL queries.
+ Added VirusTotal IP lookup in Kippo-Geo.
+ Fix XSS problem in Kippo-IP (AJAX requester).
+ Updated README.md file.
– Removed manual DIR_ROOT configuration.

For comments, suggestions, fixes, please use the Kippo-Graph page: http://bruteforce.gr/kippo-graph

Aug 09 2014

Adding ElasticSearch support to Kippo SSH honeypot

I am very fond of ElasticSearch as a storage infrastructure and I do believe it is very useful for storing attack data, especially from honeypots. If you follow my blog, you would have seen my first attempts at transferring Kippo’s data to ElasticSearch, or creating Kibana dashboards to visualize SSH attacks. These eventually led to the Kippo2ElasticSearch script, a simple way to transfer your logged Kippo data from MySQL to an ES instance.

But, having just a script (which keeps no state by the way) is not the best way to go about it. So I decided to add ElasticSearch support to Kippo itself. For that purpose I have created a fork of Kippo which is now available for testing. The git repo is hosted on GitHub: https://github.com/ikoniaris/kippo

The way it works is by filling out a new section in Kippo’s config file, where you put all the details regarding your ES instance. An example is shown below:

[database_elasticsearch]
host = 127.0.0.1
port = 9200
index = kippo
type = auth

Before you use it you will have to install two additional requirements:

  1. pyes: https://pypi.python.org/pypi/pyes
  2. GeoIP: https://pypi.python.org/pypi/GeoIP

You then have to make sure the ES service is running and you’re ready to start Kippo. Using this fork, every connection attempt against your honeypot will be logged in your ElasticSearch instance automatically. You can then use the exported dashboard (.json file) from Kippo2ElasticSearch to visualize your data with Kibana. And just a extra note, the logging components of Kippo can be used together, so you can have MySQL and ES logging enabled at the same time.

I have also submitted my changes as a pull request to be included in the official Kippo codebase, hopefully it will be accepted. Until then you can help a lot if you give this fork a try and report back some feedback!

Aug 07 2014

Getting started with honeyd

This is a quick guide to honeyd (which is included in HoneyDrive of course) inspired by Jonathan whom I had the pleasure to meet at BSides where we discussed about honeypots and some problems related to honeyd’s operation.

I will be explaining the following common scenario: we have a home router with a port forwarding/DMZ feature and we utilize the latter to send traffic to a honeypot emulating an old Linux server to catch some attacks. Details:

  • Public IP address (WAN): <something, e.g. dynamic>
  • IP address of the honeyd VM (LAN): 192.168.1.77
  • IP address of the virtual honeypot (LAN): 192.168.1.50

The first thing to notice is that there are actually two honeypot related machines above. We have the honeyd VM and a “virtual honeypot”. This is because honeyd doesn’t actually run the (fake) services we define by itself so to speak, but it creates “virtual honeypots” for machines we want to emulate. You can think of a virtual honeypot as a separate tiny virtual machine created and controlled by honeyd.

Honeyd can create many virtual honeypots like that and even whole network topologies consisting of many. Each of these virtual honeypots are normally bound to a private IP (let’s say in the 192.168.1.0/24 range). The problem with this scenario is that the router we have on our network doesn’t know where exactly to deliver packets that are destined to one of the virtual honeypots. For this reason we must use a tool called farpd, which affects the operation of the ARP protocol. Using farpd we essentially tell to the router to send every package destined to our virtual honeypot (192.168.1.50) to the honeypot VM (192.168.1.77) instead, where honeyd will get it and “deliver” it properly to the virtual honeypot.

Installing honeyd and farpd is easy via apt:

# apt-get install honeyd farpd

After the installation, a new file should have been created at /etc/default/honeyd which is responsible for the initialization of honeyd. In that file we need to edit the INTERFACE and NETWORK variables where we need to enter appropriate values depending on the network topology we are trying to achieve. In our case these should be “eth0″ (normally) and “192.168.1.50” accordingly. And if we want to use the init script we need to set RUN to “yes” as well.

Honeyd also creates its primary configuration file at /etc/honeypot/honeyd.conf. This is where we should enter all the virtual honeypots and all their fake services. Here is an example of a honeyd configuration file:

# FTP Linux server template

create linuxftp

set linuxftp personality "Linux 2.4.7 (X86)"
set linuxftp default tcp action reset
set linuxftp default udp action block
set linuxftp default icmp action open

add linuxftp tcp port 21 "sh /usr/share/honeyd/scripts/unix/linux/suse8.0/proftpd.sh $ipsrc $sport $ipdst $dport"

bind 192.168.1.50 linuxftp

After creating our honeyd configuration file, we need to start farpd as mentioned above. This is easily done as:

# farpd 192.168.1.77 -i eth0

And only then we are ready to start honeyd:

# /etc/init.d/honeyd start

The last command actually starts honeyd with its default settings. The full command to achieve the same would have been:

# /usr/bin/honeyd -f /etc/honeypot/honeyd.conf -l /var/log/honeypot/honeyd.log -p /etc/honeypot/nmap.prints -a /etc/honeypot/nmap.assoc -0 /etc/honeypot/pf.os -x /etc/honeypot/xprobe2.conf -u 1000 -g 1000 -i eth0 192.168.1.50

From now on, FTP connections to 192.168.1.50 will arrive to 192.168.1.77 and honeyd will deliver them to the virtual honeypot where they will be handled by the script we specified in the config file.

Honeyd writes to the honeyd.log file which you can transfer to a MySQL database using Honeyd2MySQL and then visualize the data with Honeyd-Viz.

Page 1 of 2712345...1020...Last »