Jul 26 2014

HoneyDrive 3 Royal Jelly edition

Dear security enthusiasts, it’s been around one year and a half since the last release of HoneyDrive Desktop. Upon learning that my honeypots workshop has been accepted at BSides Las Vegas 2014, the thought of upgrading HoneyDrive has been greatly intensified in my mind, to the point that I decided to make it a reality!

So, it is my great pleasure to announce that HoneyDrive 3 is here, codenamed Royal Jelly!

I am proud to say that it is the most complete Linux distribution that I know of in terms of honeypot technology, also surpassing by far the previous version.

For those in need of a more official description or for people that haven’t heard of HoneyDrive before, here is one:

honeydrive 3 logo 150x150 HoneyDrive 3 Royal Jelly editionHoneyDrive is the premier honeypot Linux distro. It is a virtual appliance (OVA) with Xubuntu Desktop 12.04.4 LTS edition installed. It contains over 10 pre-installed and pre-configured honeypot software packages such as Kippo SSH honeypot, Dionaea and Amun malware honeypots, Honeyd low-interaction honeypot, Glastopf web honeypot and Wordpot, Conpot SCADA/ICS honeypot, Thug and PhoneyC honeyclients and more. Additionally it includes many useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, DionaeaFR, an ELK stack and much more. Lastly, almost 90 well-known malware analysis, forensics and network monitoring related tools are also present in the distribution.

DOWNLOAD:

Important!

Download HoneyDrive 3 from SourceForge.net: http://sourceforge.net/projects/honeydrive/
Make sure to examine the README.txt file for information about the installed software.

What you need to know (PLEASE READ):

1) HoneyDrive 3 has been created entirely from scratch. It is based on Xubuntu Desktop 12.04.4 LTS edition and it is distributed as a standalone OVA file that can be easily imported as a virtual machine using virtualization software such as VirtualBox and VMware.

2) All the honeypot programs from the previous version of HoneyDrive are included, while they have also been upgraded to their latest versions and converted almost entirely to cloned git repos for easier maintenance and updating. This latter fact on its own could be considered reason enough to release the new version.

3) Many new honeypot programs have been installed that really make HoneyDrive 3 “complete” in terms of honeypot technology, plus around 50(!) new security related tools in the fields of malware analysis, forensics and network monitoring.

4) The main honeypot software packages and BruteForce Lab’s projects reside in /honeydrive. The rest of the programs reside in /opt. The location of all software can be found inside the README.txt file on the desktop.

5) HoneyDrive 3 doesn’t make itself as known to the outside world as the previous version. There are no descriptive messages and apart from Kippo-Graph and Honeyd-Viz every other piece of software is not accessible from the outside (unless if you configure them otherwise, or even lock down Kippo-Graph and Honeyd-Viz as well).

A note on versioning: previous versions of HoneyDrive started with a zero (0.1 and 0.2) which seemed confusing to some. I didn’t like it either and in the end I decided to “renumber” those as versions 1 and 2, essentially making this new version HoneyDrive 3, .i.e the third official release.

CHANGELOG:

  • Upgraded ALL existing honeypot software to the corresponding latest versions.
  • Converted ALL existing honeypot software to cloned git repos for easier maintenance.
  • Removed distinguishable HoneyDrive artifacts and secured access to web tools.
  • Added Kippo-Malware and Kippo2ElasticSearch.
  • Added Conpot SCADA/ICS honeypot.
  • Added PhoneyC honeyclient.
  • Added maltrieve malware downloader.
  • Added the ELK stack (ElasticSearch, Logstash, Kibana).
  • Added the following security tools: dnstop, MINI DNS Server, dnschef, The Sleuth Kit + Autopsy, TekCollect, hashMonitor, corkscrew, cryptcat, socat, hexdiff, pdfid, disitool, exiftool, Radare2, chaosreader, netexpect, tcpslice, mitmproxy, mitmdump, Yara, Recon-ng, SET (Social-Engineer Toolkit), MASTIFF + MASTIFF2HTML, Viper, Minibis, Nebula, Burp Suite, xxxswf, extract_swf, Java Decompiler (JD-GUI), JSDetox, extractscripts, AnalyzePDF, peepdf, officeparser, DensityScout, YaraGenerator, IOCExtractor, sysdig, Bytehist, PackerID, RATDecoders, androwarn, passivedns, BPF Tools, SpiderFoot, hashdata, LORG.
  • Added the following extra software: 7zip, Sagasu.
  • Added the following Firefox add-ons: Disconnect, Undo Closed Tabs Button, PassiveRecon.
  • Removed the following software: Kojoney, mwcrawler, Vidalia, ircd-hybrid, DNS Query Tool, DNSpenTest, VLC, Parcellite, Open Penetration Testing Bookmarks Collection (Firefox).

For comments, suggestions, fixes, please use the HoneyDrive page: http://bruteforce.gr/honeydrive

Jul 25 2014

How to stop Logstash from auto-starting on boot

If you have installed Logstash from the deb package like me, you will notice that both logstash (agent) and logstash-web start themselves on boot under the logstash user. The usual removal/disabling via update-rc.d doesn’t work in this case.

To stop both of them from auto-starting you’ll have to edit the files located at: /etc/init/logstash.conf and /etc/logstash/logstash-web.conf. There, change the line reading “start on virtual-filesystems” to “start on never”. That’s it!

Jul 23 2014

Vagrant configuration for Thug honeyclient

I am happy to announce another small side-project. This time, I decided to make a Thug honeyclient VM available with one command (no kidding!)

I have previously done the same with Dionaea-Vagrant, and while I was working on the next version of HoneyDrive the past days, news came out that Thug 0.5 was released today. So, I followed again the lengthy installation procedure and thought that I should make it easily replicable.

Thus, I have created a simple shell script to automate the installation of Thug, which is applied to a VM upon launch. To use it, first install VirtualBox and Vagrant itself for your OS version.

The files are located in a GitHub repo here: https://github.com/ikoniaris/thug-vagrant

So, you can now have a working Thug VM up and running in minutes by simply issuing:

git clone https://github.com/ikoniaris/thug-vagrant && cd thug-vagrant
vagrant up

This will download (only the first time) a virtual disk, create a new Ubuntu 12.04 LTS VM on the fly and start it, install Thug and all of its dependencies. And that’s it!

You can then login into the machine by typing “vagrant ssh” or using an SSH client (e.g. PuTTY) and connect to localhost:2222 — username: vagrant, password: vagrant. Once inside the VM, you will find Thug in the /opt/thug/ directory and the main script located at: /opt/thug/src/thug.py.

If you want to stop the machine type “vagrant halt” (on the outer terminal, not inside the machine). Every time you want to start the honeypot VM a simple “vagrant up” issued inside the thug-vagrant directory is enough! (hint: see the list of CLI commands for more)

Enjoy and if you have any feedback let me know!

PS. If you want to refer to this project you can use this dedicated page: http://bruteforce.gr/thug-vagrant

Jul 18 2014

Kippo-Graph 1.2: pull master or re-download

Dear honeypot enthusiasts, a quick note: I made some last minute changes to v1.2 of Kippo-Graph and recreated the archive. Please pull master or re-download the file (the checksums have also changed). Thanks for your support!

Jul 17 2014

Kippo-Graph 1.2 released!

This is the release of another version of Kippo-Graph, reaching version 1.2!

Kippo-Graph 1.2 is mostly a maintenance release, but I’ve also fixed and added more features so updating is strongly recommended!

The most significant change concerns the virus scanning of attackers’ downloaded files. Unfortunately, NoVirusThanks have stopped offering their service due to costs of maintenance, but I switched to Gary’s Hood Online Virus Scanner so it should be working again! I have actually added a new module called “Kippo-Scanner” which will serve as the basis for future functionality on AV and anti-malware submissions.

A new language, Czech, has been added and lastly, Kippo-Graph now ships with a “config.php.dist” file that you should copy as “config.php”.

Download: kippo-graph-1.2 or clone/pull from GitHub: https://github.com/ikoniaris/kippo-graph

MD5 Checksum: 71BC1E8CA7886FF130AC2D5071A7FF06
SHA-1 Checksum: 4D3D968AC42F3E0141DA3DAF44165FD6A5E7D923

CHANGES:

Version 1.2:
+ Substituted the defunct NoVirusThanks with Gary’s Hood Online Virus Scanner.
+ Added Kippo-Scanner module to handle (future) AV and anti-malware submissions.
+ Added IP-address.com’s tracer to Kippo-Geo IPs.
+ Added Czech language support.
+ Added robots.txt file to disallow crawling by bots.
+ Added .gitgnore to exclude config.php file from VCS.

For comments, suggestions, fixes, please use the Kippo-Graph page: http://bruteforce.gr/kippo-graph

Jul 15 2014

Honeypots workshop at BSidesLV 2014!

I am very happy to announce that a honeypots workshop will take place during BSides Las Vegas this year! BSides is a fantastic community driven InfoSec convention and Las Vegas is the best place to be in August!

The workshop is titled “You Hack, We Capture: Attack Analysis with Honeypots“, lasts half a day (4 hours) and will be presented by me.

It takes place on Wednesday the 6th of August, from 10AM to 1PM.

Spots are numbered and limited to 28 participants! If you want to reserve a seat, you can do so via this Eventbright page: https://www.eventbrite.com/e/bsides-lv-2014-workshops-tickets-12279453175 (it’s 4th on the list)

Here is the workshop’s description:

Honeypots are systems aimed at deceiving malicious users or software that launch attacks against the infrastructure of various organizations. They can be deployed as protection mechanisms for an organization’s real systems, or as research units to analyze the methods employed by human hackers or malware. In this workshop we will study the operation of two research honeypots. A honeypot system will undertake the role of a web trap for attackers who target the SSH service. Another one will undertake the role of a malware collector, usually deployed by malware analysts to gather and store malicious binary samples. We will also talk about post-capturing activities and further analysis techniques. Furthermore, visualization tools and techniques will be presented, plus a honeypot bundle Linux distribution that contains pre-configured versions of the above tools and much more related utilities, which can make the deployment of honeypots an easy task.

bsideslv 300x300 Honeypots workshop at BSidesLV 2014! Hope to see you all in Vegas!

Jul 13 2014

Dionaea-Vagrant demo

Dionaea-Vagrant demonstration: setting up a Dionaea malware honeypot in under 8 minutes with a single (almost) command!

Page 1 of 2712345...1020...Last »