Aug 09 2014

Adding ElasticSearch support to Kippo SSH honeypot

I am very fond of ElasticSearch as a storage infrastructure and I do believe it is very useful for storing attack data, especially from honeypots. If you follow my blog, you would have seen my first attempts at transferring Kippo’s data to ElasticSearch, or creating Kibana dashboards to visualize SSH attacks. These eventually led to the Kippo2ElasticSearch script, a simple way to transfer your logged Kippo data from MySQL to an ES instance.

But, having just a script (which keeps no state by the way) is not the best way to go about it. So I decided to add ElasticSearch support to Kippo itself. For that purpose I have created a fork of Kippo which is now available for testing. The git repo is hosted on GitHub: https://github.com/ikoniaris/kippo

The way it works is by filling out a new section in Kippo’s config file, where you put all the details regarding your ES instance. An example is shown below:

[database_elasticsearch]
host = 127.0.0.1
port = 9200
index = kippo
type = auth

Before you use it you will have to install two additional requirements:

  1. pyes: https://pypi.python.org/pypi/pyes
  2. GeoIP: https://pypi.python.org/pypi/GeoIP

You then have to make sure the ES service is running and you’re ready to start Kippo. Using this fork, every connection attempt against your honeypot will be logged in your ElasticSearch instance automatically. You can then use the exported dashboard (.json file) from Kippo2ElasticSearch to visualize your data with Kibana. And just a extra note, the logging components of Kippo can be used together, so you can have MySQL and ES logging enabled at the same time.

I have also submitted my changes as a pull request to be included in the official Kippo codebase, hopefully it will be accepted. Until then you can help a lot if you give this fork a try and report back some feedback!

Aug 07 2014

Getting started with honeyd

This is a quick guide to honeyd (which is included in HoneyDrive of course) inspired by Jonathan whom I had the pleasure to meet at BSides where we discussed about honeypots and some problems related to honeyd’s operation.

I will be explaining the following common scenario: we have a home router with a port forwarding/DMZ feature and we utilize the latter to send traffic to a honeypot emulating an old Linux server to catch some attacks. Details:

  • Public IP address (WAN): <something, e.g. dynamic>
  • IP address of the honeyd VM (LAN): 192.168.1.77
  • IP address of the virtual honeypot (LAN): 192.168.1.50

The first thing to notice is that there are actually two honeypot related machines above. We have the honeyd VM and a “virtual honeypot”. This is because honeyd doesn’t actually run the (fake) services we define by itself so to speak, but it creates “virtual honeypots” for machines we want to emulate. You can think of a virtual honeypot as a separate tiny virtual machine created and controlled by honeyd.

Honeyd can create many virtual honeypots like that and even whole network topologies consisting of many. Each of these virtual honeypots are normally bound to a private IP (let’s say in the 192.168.1.0/24 range). The problem with this scenario is that the router we have on our network doesn’t know where exactly to deliver packets that are destined to one of the virtual honeypots. For this reason we must use a tool called farpd, which affects the operation of the ARP protocol. Using farpd we essentially tell to the router to send every package destined to our virtual honeypot (192.168.1.50) to the honeypot VM (192.168.1.77) instead, where honeyd will get it and “deliver” it properly to the virtual honeypot.

Installing honeyd and farpd is easy via apt:

# apt-get install honeyd farpd

After the installation, a new file should have been created at /etc/default/honeyd which is responsible for the initialization of honeyd. In that file we need to edit the INTERFACE and NETWORK variables where we need to enter appropriate values depending on the network topology we are trying to achieve. In our case these should be “eth0″ (normally) and “192.168.1.50″ accordingly. And if we want to use the init script we need to set RUN to “yes” as well.

Honeyd also creates its primary configuration file at /etc/honeypot/honeyd.conf. This is where we should enter all the virtual honeypots and all their fake services. Here is an example of a honeyd configuration file:

# FTP Linux server template

create linuxftp

set linuxftp personality "Linux 2.4.7 (X86)"
set linuxftp default tcp action reset
set linuxftp default udp action block
set linuxftp default icmp action open

add linuxftp tcp port 21 "sh /usr/share/honeyd/scripts/unix/linux/suse8.0/proftpd.sh $ipsrc $sport $ipdst $dport"

bind 192.168.1.50 linuxftp

After creating our honeyd configuration file, we need to start farpd as mentioned above. This is easily done as:

# farpd 192.168.1.77 -i eth0

And only then we are ready to start honeyd:

# /etc/init.d/honeyd start

The last command actually starts honeyd with its default settings. The full command to achieve the same would have been:

# /usr/bin/honeyd -f /etc/honeypot/honeyd.conf -l /var/log/honeypot/honeyd.log -p /etc/honeypot/nmap.prints -a /etc/honeypot/nmap.assoc -0 /etc/honeypot/pf.os -x /etc/honeypot/xprobe2.conf -u 1000 -g 1000 -i eth0 192.168.1.50

From now on, FTP connections to 192.168.1.50 will arrive to 192.168.1.77 and honeyd will deliver them to the virtual honeypot where they will be handled by the script we specified in the config file.

Honeyd writes to the honeyd.log file which you can transfer to a MySQL database using Honeyd2MySQL and then visualize the data with Honeyd-Viz.

Aug 02 2014

HoneyDrive 3 VMware guide

I’ve recently become a happy owner of VMware Fusion and my first goal was to see how can HoneyDrive be imported to it and used with the same features as those of VirtualBox (which I mainly use to develop HoneyDrive in the first place).

So, here is a step by step guide for converting the HoneyDrive 3 OVA file to a VMware-compatible virtual machine. I am using OS X Mavericks, VMware Fusion 6.0.4, OVF Tool 3.5.2 and VMware Tools 9.6.2.

The procedure should be the same for all the other VMware products as well (Workstation, ESXi, etc).

Instructions:

  1. Download OVF Tool 3.5.2 (needs a free account registration) from: https://my.vmware.com/web/vmware/details?downloadGroup=OVFTOOL352&productId=352
  2. Convert HoneyDrive OVA to VMX:
    $ cd /Applications/VMware\ OVF\ Tool/
    $ ./ovftool --lax -st=ova ~/HoneyDrive_3_Royal_Jelly.ova ~/HoneyDrive_3_Royal_Jelly.vmx
    
    Opening OVA source: /Users//HoneyDrive_3_Royal_Jelly.ova
    Opening VMX target: /Users//HoneyDrive_3_Royal_Jelly.vmx
    Warning:
    - Line 386: Unsupported hardware family 'virtualbox-2.2'.
    - Line 427: OVF hardware element 'ResourceType' with instance ID '5': No support for the virtual hardware device type '20'.
    - Line 444: OVF hardware element 'ResourceType' with instance ID '7': No support for the virtual hardware device type '35'.
    Writing VMX file: /Users//HoneyDrive_3_Royal_Jelly.vmx
    Progress: XX%
    

    This might take 5-15 minutes depending on your machine. After a while you will see:

    Transfer Completed
    
    Warning:
    - No manifest entry found for: 'HoneyDrive_3_Royal_Jelly-disk1.vmdk'.
    - No manifest file found.
    Completed successfully
    
  3. These two new files should have been created: HoneyDrive_3_Royal_Jelly-disk1.vmdk (around 9.5 GB) and HoneyDrive_3_Royal_Jelly.vmx. Import/open the new virtual machine by double clicking the .vmx file. You might see an error message in VMware Fusion saying: “Cannot connect the virtual device ide1:0 because no corresponding device is available on the host. Do you want to to try to connect this virtual device every time you power on the virtual machine?” Press “No” and it won’t be shown again.
  4. Inside the HoneyDrive virtual machine, open Terminator (on the desktop) and type the following to uninstall the VirtualBox Guest Additions:
    $ sudo aptitude purge -P virtualbox-guest-dkms virtualbox-guest-utils virtualbox-guest-x11
    $ sudo reboot
    
  5. Once HoneyDrive is running again, click on “Virtual Machine” –> “Install VMware Tools” from the menu. This will mount a virtual disk with VMware Tools. Open Terminator again and type:
    $ cp /media/VMware\ Tools/VMwareTools-<version>.tar.gz ~/
    $ tar zxvf VMwareTools-<version>.tar.gz
    $ cd vmware-tools-distrib
    $ sudo ./vmware-install.pl -d
    $ sudo reboot
    

That’s it, enjoy HoneyDrive in VMware!

Jul 26 2014

HoneyDrive 3 Royal Jelly edition

Dear security enthusiasts, it’s been around one year and a half since the last release of HoneyDrive Desktop. Upon learning that my honeypots workshop has been accepted at BSides Las Vegas 2014, the thought of upgrading HoneyDrive has been greatly intensified in my mind, to the point that I decided to make it a reality!

So, it is my great pleasure to announce that HoneyDrive 3 is here, codenamed Royal Jelly!

I am proud to say that it is the most complete Linux distribution that I know of in terms of honeypot technology, also surpassing by far the previous version.

For those in need of a more official description or for people that haven’t heard of HoneyDrive before, here is one:

honeydrive 3 logo 150x150 HoneyDrive 3 Royal Jelly editionHoneyDrive is the premier honeypot Linux distro. It is a virtual appliance (OVA) with Xubuntu Desktop 12.04.4 LTS edition installed. It contains over 10 pre-installed and pre-configured honeypot software packages such as Kippo SSH honeypot, Dionaea and Amun malware honeypots, Honeyd low-interaction honeypot, Glastopf web honeypot and Wordpot, Conpot SCADA/ICS honeypot, Thug and PhoneyC honeyclients and more. Additionally it includes many useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, DionaeaFR, an ELK stack and much more. Lastly, almost 90 well-known malware analysis, forensics and network monitoring related tools are also present in the distribution.

DOWNLOAD:

Important!

Download HoneyDrive 3 from SourceForge.net: http://sourceforge.net/projects/honeydrive/
Make sure to examine the README.txt file for information about the installed software.

What you need to know (PLEASE READ):

1) HoneyDrive 3 has been created entirely from scratch. It is based on Xubuntu Desktop 12.04.4 LTS edition and it is distributed as a standalone OVA file that can be easily imported as a virtual machine using virtualization software such as VirtualBox and VMware.

2) All the honeypot programs from the previous version of HoneyDrive are included, while they have also been upgraded to their latest versions and converted almost entirely to cloned git repos for easier maintenance and updating. This latter fact on its own could be considered reason enough to release the new version.

3) Many new honeypot programs have been installed that really make HoneyDrive 3 “complete” in terms of honeypot technology, plus around 50(!) new security related tools in the fields of malware analysis, forensics and network monitoring.

4) The main honeypot software packages and BruteForce Lab’s projects reside in /honeydrive. The rest of the programs reside in /opt. The location of all software can be found inside the README.txt file on the desktop.

5) HoneyDrive 3 doesn’t make itself as known to the outside world as the previous version. There are no descriptive messages and apart from Kippo-Graph and Honeyd-Viz every other piece of software is not accessible from the outside (unless if you configure them otherwise, or even lock down Kippo-Graph and Honeyd-Viz as well).

A note on versioning: previous versions of HoneyDrive started with a zero (0.1 and 0.2) which seemed confusing to some. I didn’t like it either and in the end I decided to “renumber” those as versions 1 and 2, essentially making this new version HoneyDrive 3, .i.e the third official release.

CHANGELOG:

  • Upgraded ALL existing honeypot software to the corresponding latest versions.
  • Converted ALL existing honeypot software to cloned git repos for easier maintenance.
  • Removed distinguishable HoneyDrive artifacts and secured access to web tools.
  • Added Kippo-Malware and Kippo2ElasticSearch.
  • Added Conpot SCADA/ICS honeypot.
  • Added PhoneyC honeyclient.
  • Added maltrieve malware downloader.
  • Added the ELK stack (ElasticSearch, Logstash, Kibana).
  • Added the following security tools: dnstop, MINI DNS Server, dnschef, The Sleuth Kit + Autopsy, TekCollect, hashMonitor, corkscrew, cryptcat, socat, hexdiff, pdfid, disitool, exiftool, Radare2, chaosreader, netexpect, tcpslice, mitmproxy, mitmdump, Yara, Recon-ng, SET (Social-Engineer Toolkit), MASTIFF + MASTIFF2HTML, Viper, Minibis, Nebula, Burp Suite, xxxswf, extract_swf, Java Decompiler (JD-GUI), JSDetox, extractscripts, AnalyzePDF, peepdf, officeparser, DensityScout, YaraGenerator, IOCExtractor, sysdig, Bytehist, PackerID, RATDecoders, androwarn, passivedns, BPF Tools, SpiderFoot, hashdata, LORG.
  • Added the following extra software: 7zip, Sagasu.
  • Added the following Firefox add-ons: Disconnect, Undo Closed Tabs Button, PassiveRecon.
  • Removed the following software: Kojoney, mwcrawler, Vidalia, ircd-hybrid, DNS Query Tool, DNSpenTest, VLC, Parcellite, Open Penetration Testing Bookmarks Collection (Firefox).

For comments, suggestions, fixes, please use the HoneyDrive page: http://bruteforce.gr/honeydrive

Jul 25 2014

How to stop Logstash from auto-starting on boot

If you have installed Logstash from the deb package like me, you will notice that both logstash (agent) and logstash-web start themselves on boot under the logstash user. The usual removal/disabling via update-rc.d doesn’t work in this case.

To stop both of them from auto-starting you’ll have to edit the files located at: /etc/init/logstash.conf and /etc/init/logstash-web.conf. There, change the line reading “start on virtual-filesystems” to “start on never”. That’s it!

Jul 23 2014

Vagrant configuration for Thug honeyclient

I am happy to announce another small side-project. This time, I decided to make a Thug honeyclient VM available with one command (no kidding!)

I have previously done the same with Dionaea-Vagrant, and while I was working on the next version of HoneyDrive the past days, news came out that Thug 0.5 was released today. So, I followed again the lengthy installation procedure and thought that I should make it easily replicable.

Thus, I have created a simple shell script to automate the installation of Thug, which is applied to a VM upon launch. To use it, first install VirtualBox and Vagrant itself for your OS version.

The files are located in a GitHub repo here: https://github.com/ikoniaris/thug-vagrant

So, you can now have a working Thug VM up and running in minutes by simply issuing:

git clone https://github.com/ikoniaris/thug-vagrant && cd thug-vagrant
vagrant up

This will download (only the first time) a virtual disk, create a new Ubuntu 12.04 LTS VM on the fly and start it, install Thug and all of its dependencies. And that’s it!

You can then login into the machine by typing “vagrant ssh” or using an SSH client (e.g. PuTTY) and connect to localhost:2222 — username: vagrant, password: vagrant. Once inside the VM, you will find Thug in the /opt/thug/ directory and the main script located at: /opt/thug/src/thug.py.

If you want to stop the machine type “vagrant halt” (on the outer terminal, not inside the machine). Every time you want to start the honeypot VM a simple “vagrant up” issued inside the thug-vagrant directory is enough! (hint: see the list of CLI commands for more)

Enjoy and if you have any feedback let me know!

PS. If you want to refer to this project you can use this dedicated page: http://bruteforce.gr/thug-vagrant

Jul 18 2014

Kippo-Graph 1.2: pull master or re-download

Dear honeypot enthusiasts, a quick note: I made some last minute changes to v1.2 of Kippo-Graph and recreated the archive. Please pull master or re-download the file (the checksums have also changed). Thanks for your support!

Page 1 of 2712345...1020...Last »