Jul 23 2014

Vagrant configuration for Thug honeyclient

I am happy to announce another small side-project. This time, I decided to make a Thug honeyclient VM available with one command (no kidding!)

I have previously done the same with Dionaea-Vagrant, and while I was working on the next version of HoneyDrive the past days, news came out that Thug 0.5 was released today. So, I followed again the lengthy installation procedure and thought that I should make it easily replicable.

Thus, I have created a simple shell script to automate the installation of Thug, which is applied to a VM upon launch. To use it, first install VirtualBox and Vagrant itself for your OS version.

The files are located in a GitHub repo here: https://github.com/ikoniaris/thug-vagrant

So, you can now have a working Thug VM up and running in minutes by simply issuing:

git clone https://github.com/ikoniaris/thug-vagrant && cd thug-vagrant
vagrant up

This will download (only the first time) a virtual disk, create a new Ubuntu 12.04 LTS VM on the fly and start it, install Thug and all of its dependencies. And that’s it!

You can then login into the machine by typing “vagrant ssh” or using an SSH client (e.g. PuTTY) and connect to localhost:2222 — username: vagrant, password: vagrant. Once inside the VM, you will find Thug in the /opt/thug/ directory and the main script located at: /opt/thug/src/thug.py.

If you want to stop the machine type “vagrant halt” (on the outer terminal, not inside the machine). Every time you want to start the honeypot VM a simple “vagrant up” issued inside the thug-vagrant directory is enough! (hint: see the list of CLI commands for more)

Enjoy and if you have any feedback let me know!

PS. If you want to refer to this project you can use this dedicated page: http://bruteforce.gr/thug-vagrant

Jul 18 2014

Kippo-Graph 1.2: pull master or re-download

Dear honeypot enthusiasts, a quick note: I made some last minute changes to v1.2 of Kippo-Graph and recreated the archive. Please pull master or re-download the file (the checksums have also changed). Thanks for your support!

Jul 17 2014

Kippo-Graph 1.2 released!

This is the release of another version of Kippo-Graph, reaching version 1.2!

Kippo-Graph 1.2 is mostly a maintenance release, but I’ve also fixed and added more features so updating is strongly recommended!

The most significant change concerns the virus scanning of attackers’ downloaded files. Unfortunately, NoVirusThanks have stopped offering their service due to costs of maintenance, but I switched to Gary’s Hood Online Virus Scanner so it should be working again! I have actually added a new module called “Kippo-Scanner” which will serve as the basis for future functionality on AV and anti-malware submissions.

A new language, Czech, has been added and lastly, Kippo-Graph now ships with a “config.php.dist” file that you should copy as “config.php”.

Download: kippo-graph-1.2 or clone/pull from GitHub: https://github.com/ikoniaris/kippo-graph

MD5 Checksum: 71BC1E8CA7886FF130AC2D5071A7FF06
SHA-1 Checksum: 4D3D968AC42F3E0141DA3DAF44165FD6A5E7D923

CHANGES:

Version 1.2:
+ Substituted the defunct NoVirusThanks with Gary’s Hood Online Virus Scanner.
+ Added Kippo-Scanner module to handle (future) AV and anti-malware submissions.
+ Added IP-address.com’s tracer to Kippo-Geo IPs.
+ Added Czech language support.
+ Added robots.txt file to disallow crawling by bots.
+ Added .gitgnore to exclude config.php file from VCS.

For comments, suggestions, fixes, please use the Kippo-Graph page: http://bruteforce.gr/kippo-graph

Jul 15 2014

Honeypots workshop at BSidesLV 2014!

I am very happy to announce that a honeypots workshop will take place during BSides Las Vegas this year! BSides is a fantastic community driven InfoSec convention and Las Vegas is the best place to be in August!

The workshop is titled “You Hack, We Capture: Attack Analysis with Honeypots“, lasts half a day (4 hours) and will be presented by me.

It takes place on Wednesday the 6th of August, from 10AM to 1PM.

Spots are numbered and limited to 28 participants! If you want to reserve a seat, you can do so via this Eventbright page: https://www.eventbrite.com/e/bsides-lv-2014-workshops-tickets-12279453175 (it’s 4th on the list)

Here is the workshop’s description:

Honeypots are systems aimed at deceiving malicious users or software that launch attacks against the infrastructure of various organizations. They can be deployed as protection mechanisms for an organization’s real systems, or as research units to analyze the methods employed by human hackers or malware. In this workshop we will study the operation of two research honeypots. A honeypot system will undertake the role of a web trap for attackers who target the SSH service. Another one will undertake the role of a malware collector, usually deployed by malware analysts to gather and store malicious binary samples. We will also talk about post-capturing activities and further analysis techniques. Furthermore, visualization tools and techniques will be presented, plus a honeypot bundle Linux distribution that contains pre-configured versions of the above tools and much more related utilities, which can make the deployment of honeypots an easy task.

bsideslv 300x300 Honeypots workshop at BSidesLV 2014! Hope to see you all in Vegas!

Jul 13 2014

Dionaea-Vagrant demo

Dionaea-Vagrant demonstration: setting up a Dionaea malware honeypot in under 8 minutes with a single (almost) command!

Link

An (old) interesting paper by Vesselin Bontchev: The Bulgarian and Soviet Virus Factories

Abstract: It is now well known that Bulgaria is leader in computer virus production and the USSR is following closely. This paper tries to answer the main questions: Who makes viruses there, What viruses are made, and Why this is done. It also underlines the impact of this process on the West, as well as on the national software industry.

Video

DEFCON 17: Identifying, Exploring, and Predicting Threats in the Russian Hacker Community

Page 1 of 2612345...1020...Last »