HoneyDrive

HoneyDrive is the premier honeypot Linux distro. It is a virtual appliance (OVA) with Xubuntu Desktop 12.04.4 LTS edition installed. It contains over 10 pre-installed and pre-configured honeypot software packages such as Kippo SSH honeypot, Dionaea and Amun malware honeypots, Honeyd low-interaction honeypot, Glastopf web honeypot and Wordpot, Conpot SCADA/ICS honeypot, Thug and PhoneyC honeyclients and more. Additionally it includes many useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, DionaeaFR, an ELK stack and much more. Lastly, almost 90 well-known malware analysis, forensics and network monitoring related tools are also present in the distribution.

DOWNLOAD HoneyDrive:

Please take a look at the README.txt file on SourceForge (also included inside the virtual disk) to see where everything is located.

INSTALLATION:

After downloading the file, import the virtual appliance into your virtual machine manager. The recommended virtualization software is Oracle VM VirtualBox, where a simple double click on the OVA file is enough. If you want to use HoneyDrive with VMware products (Workstation, Fusion, ESXi, etc.), start here for VMware Fusion: Easy Importing of HoneyDrive to VMware Fusion. If that doesn’t work, read this: HoneyDrive 3 VMware guide, and perhaps the older but not outdated: Setup HoneyDrive on VMware (Workstation, ESXi, etc.). For Hyper-V server, read this: Run HoneyDrive 3 on Hyper-V server.

FEATURES:

  • Virtual appliance based on Xubuntu 12.04.4 LTS Desktop.
  • Distributed as a single OVA file, ready to be imported.
  • Full LAMP stack installed (Apache 2, MySQL 5), plus tools such as phpMyAdmin.
  • Kippo SSH honeypot, plus Kippo-Graph, Kippo-Malware, Kippo2MySQL and other helpful scripts.
  • Dionaea malware honeypot, plus DionaeaFR and other helpful scripts.
  • Amun malware honeypot, plus helpful scripts.
  • Glastopf web honeypot, along with Wordpot WordPress honeypot.
  • Conpot SCADA/ICS honeypot.
  • Honeyd low-interaction honeypot, plus Honeyd2MySQL, Honeyd-Viz and other helpful scripts.
  • LaBrea sticky honeypot, Tiny Honeypot, IIS Emulator and INetSim.
  • Thug and PhoneyC honeyclients for client-side attacks analysis, along with Maltrieve malware collector.
  • ELK stack: ElasticSearch, Logstash, Kibana for log analysis and visualization.
  • A full suite of security, forensics and anti-malware tools for network monitoring, malicious shellcode and PDF analysis, such as ntop, p0f, EtherApe, nmap, DFF, Wireshark, Recon-ng, ClamAV, ettercap, MASTIFF, Automater, UPX, pdftk, Flasm, Yara, Viper, pdf-parser, Pyew, Radare2, dex2jar and more.
  • Firefox add-ons pre-installed, plus extra helpful software such as GParted, Terminator, Adminer, VYM, Xpdf and more.

HoneyDrive 3 RELEASE NOTES:

1) HoneyDrive 3 has been created entirely from scratch. It is based on Xubuntu Desktop 12.04.4 LTS edition and it is distributed as a standalone OVA file that can be easily imported as a virtual machine using virtualization software such as VirtualBox and VMware.

2) All the honeypot programs from the previous version of HoneyDrive are included, while they have also been upgraded to their latest versions and converted almost entirely to cloned git repos for easier maintenance and updating. This latter fact on its own could be considered reason enough to release the new version.

3) Many new honeypot programs have been installed that really make HoneyDrive 3 “complete” in terms of honeypot technology, plus around 50(!) new security related tools in the fields of malware analysis, forensics and network monitoring.

4) The main honeypot software packages and BruteForce Lab’s projects reside in /honeydrive. The rest of the programs reside in /opt. The location of all software can be found inside the README.txt file on the desktop.

5) HoneyDrive 3 doesn’t make itself as known to the outside world as the previous version. There are no descriptive messages, and apart from Kippo-Graph and Honeyd-Viz no other piece of software is accessible from the outside (unless you configure it otherwise; you can also lock down Kippo-Graph and Honeyd-Viz as well).

A note on versioning: previous versions of HoneyDrive started with a zero (0.1 and 0.2) which seemed confusing to some. I didn’t like it either and in the end I decided to “renumber” those as versions 1 and 2, essentially making this new version HoneyDrive 3, i.e. the third official release.

FREQUENTLY ASKED QUESTIONS:

  1. Why use HoneyDrive?
    HoneyDrive saves you time! It has all the major honeypot-related software pre-installed and pre-configured to work out of the box (or with some configuration options of your liking). As I have seen many times in comments or support requests I get, setting up a honeypot system is not always something easy. This is especially true for new infosec enthusiasts or sysadmins and “hard” to set up software like Dionaea for example.
  2. What utilities and software are included in HoneyDrive?
    HoneyDrive contains all the major honeypot-related software and a ton more useful tools. For a complete list you’ll have to take a look at the README.txt file included in the virtual appliance (you’ll find it on the desktop) or online at the downloads section of SourceForge (link above).
  3. Why isn’t [insert-name-here] included in HoneyDrive?
    Unfortunately I can’t keep track of every different piece of software. But, I’m very open to suggestions about HoneyDrive! If you know a tool that could be of benefit please let me know by leaving a comment on this page and it will be included in the next release of HoneyDrive.
  4. What is the password for [insert-name-here]?
    Again, your best bet is reading the README.txt file included in the virtual appliance or found online at the downloads section of SourceForge (link above). Every password you will need is included in its appropriate section.

CHANGELOG:

HoneyDrive 3

  • Upgraded ALL existing honeypot software to the corresponding latest versions.
  • Converted ALL existing honeypot software to cloned git repos for easier maintenance.
  • Removed distinguishable HoneyDrive artifacts and secured access to web tools.
  • Added Kippo-Malware and Kippo2ElasticSearch.
  • Added Conpot SCADA/ICS honeypot.
  • Added PhoneyC honeyclient.
  • Tested HoneyDrive3 on the live commercial website, including sub-pages titled “compression sock sizes” and “2020 guide to best compression socks for men”. All these popular sub-page articles were tested with HoneyDrive in order to capture spammers, bots, and malware. Captured 103 new bot footprints.
  • Added maltrieve malware downloader.
  • Added the ELK stack (ElasticSearch, Logstash, Kibana).
  • Tested HoneyDrive3 on Ubuntu 16.04. Software working. No unusual web activity.
  • Tested HoneyDrive3 on a live commercial website (a site about ways to market posture alignment devices). Captured 11 new bot footprints. Fixed 2 small software bugs.
  • Added the following security tools: dnstop, MINI DNS Server, dnschef, The Sleuth Kit + Autopsy, TekCollect, hashMonitor, corkscrew, cryptcat, socat, hexdiff, pdfid, disitool, exiftool, Radare2, chaosreader, netexpect, tcpslice, mitmproxy, mitmdump, Yara, Recon-ng, SET (Social-Engineer Toolkit), MASTIFF + MASTIFF2HTML, Viper, Minibis, Nebula, Burp Suite, xxxswf, extract_swf, Java Decompiler (JD-GUI), JSDetox, extractscripts, AnalyzePDF, peepdf, officeparser, DensityScout, YaraGenerator, IOCExtractor, sysdig, Bytehist, PackerID, RATDecoders, androwarn, passivedns, BPF Tools, SpiderFoot, hashdata, LORG.
  • Tested HoneyDrive3 on a website that was previously getting a lot of visitors from strange IP addresses. The honeypot was successful in finding (and ultimately stopping) significant bot traffic. The company emailed to say that their search traffic increased at both the primary website and the related Amazon page. HoneyDrive was not used on the Amazon page. It looks like the traffic increase was a secondary benefit of cleaning up the company's main website traffic and increasing page load speeds as a result.
  • Added the following extra software: 7zip, Sagasu.
  • Tested Firefox add-ons on 3 random commercial websites scraped from reddit forums. Found 42 malicious bots.
  • Added the following Firefox add-ons: Disconnect, Undo Closed Tabs Button, PassiveRecon.
  • Removed the following software: Kojoney, mwcrawler, Vidalia, ircd-hybrid, DNS Query Tool, DNSpenTest, VLC, Parcellite, Open Penetration Testing Bookmarks Collection (Firefox).

  • 1aNormus

    Thanks for putting this out. Been playing with the distro for the last few hours, and I am impressed with the package. This will be perfect for some honeypot training I plan to put out soon.

    Thank you,
    1aN0rmus

    • Ion

      Hello Normus, thanks for your comment!

      I plan to include more software to it soon (so be sure to check from time to time) and perhaps create a lightweight desktop version (think Xubuntu/Lubuntu) with some GUI tools as well.

      The current version includes everything that has to do with Kippo SSH honeypot. It’s a good start in the domain of honeypots and you’ll get some interesting results. I’d be happy to see some of them.

      Regards.

      • letrath

        Hello. I tried to contact you via the contact form but it's not working, I guess? Could you send me your mail address so I can ask a question, please? I wanted you to show it on my private IP if you have time. Thanks.

  • nexus

    Hello, this is very nice. I am very new to this stuff. I downloaded the honeybox, but now what?
    From the several VMDK drives in the rar, which one must I use? Any info on how to install this in VB?

    I am sorry for my noobiness but I would love some assistance.

    Thank you very much
    Nexus

    • Ion

      Hello Nexus, it’s quite simple really: you have to extract the files, create a new virtual machine and select the “HoneyBox.vmdk” file as its hard disk drive (ignore the other files but don’t delete them!). You can then start Kippo by executing the “start.sh” script residing inside the /home/honeybox/kippo dir.

      See the README file here: http://sourceforge.net/projects/honeybox/files/HoneyBox%20v0.1%20%5BKippo%20in%20a%20Box!%5D/ for more information.

      Regards.

  • nexus

    Thank you very much Ion, I appreciate your assistance. I will test it ASAP 🙂

    Regards
    Nexus

  • George

    Hi Ion,

    I am George again!

    I have two questions about Honeybox.

    1) Honeybox, your function is similar to that of Dionaea? Simulates services to catch malware?

    2) Is it necessary to use a virtual machine? or I can install HoneyBox on a physical machine? You recommend me Debian or Ubuntu?

    Regards.

    • Ion

      Hello again George.

      1) Not yet. So far only Kippo is installed. Dionaea and other honeypots will be included in future versions.

      2) The format of the drive is VMDK which is used by virtual machines. I don’t fully recommend it but you can convert a virtual drive to a physical one. See this: https://www.vmware.com/support/v2p/index.html. Also, Debian and Ubuntu are both fine, but I tend to go with Ubuntu.

      Regards.

  • J.H. Speed

    Hi Ion!

    Thanks for providing us with an excellent site! 🙂

    Was really looking forward to trying out this HoneyDrive, looks like the download link is broken.
    Hope you are able to remedy this soon.

    Regards.

    • Ion

      Hello there.

      I have changed the name from HoneyBox to HoneyDrive for copyright/trademark reasons, and SourceForge has not yet completed the changes to the project. But, you can get the latest VMDK file by clicking on this link: http://sourceforge.net/projects/honeybox/files/latest/download

      Regards.

      Edit: Seems like the direct download link above does not work anymore. I guess we should wait some time for SourceForge to complete the changes.

      • J.H. Speed

        Yes, you are correct, looks like sourceforge is experiencing problems with this download.

        Are there any other sites that can be used for download?

  • Black September

    Hi Ion!

    I finally got to download Honeydrive after the project had to change its name and I'd like to give you some feedback.

    + Honeydrive is ridiculously easy to set up
    + The builtin Kippo-Graph looks great and is easy to use
    + It's an excellent tool for gathering statistics and malware analysis
    + It will save hours and hours of my spare time reading through logs (yep, that made the wife happy too :))
    - The NIC would not start during, had to start it manually - not a big deal 🙂

    Even tho I only started scratching the surface, it has already exceeded my expectations - 10/10!

    I have some questions tho:

    1 - Honeydrive is running on an Ubuntu Server 11.10, would you recommend to stay with this version or will it survive an update?

    2 - Kippo has a pseudo file system, but there are two real directories as well - /etc and /proc. From your experience, would you add additional files/directories or leave it as it is?

    3 - Do you know of any other ready-to-use python scripts that can be added to the kippo/kippo/commands directory or will i have to build them myself?

    Again, great stuff, thanks a million!

    • Ion

      Hello Black September 🙂

      Thanks very much for the feedback, I appreciate it! It’s nice to hear that it works as it is supposed to 🙂

      About your questions:
      1) I use 11.10 because it just “works”. You can upgrade it if you like, yes.
      2) You can either leave them as is, or you can add your own files. It’s entirely up to you. You can also modify the existing files to add more bogus info (these are called honeytokens), for example new accounts in the /etc/passwd file.
      3) No sorry, I guess you will have to code any further commands.

      Regards!

      • Black September

        Thanks for your reply Ion.

        Yepp, i basically figured that much.

        Already started using the createfs.py and editing the current python scripts to mirror an OpenBSD filesystem and environment.

        Looking forward to 0.2 🙂

        //BlackSept.

  • mike

    excellent project, i might suggest releasing your next version in OVF template format.

    http://en.wikipedia.org/wiki/Open_Virtualization_Format

    within VMware workstation is a simple File -> Export to OVF option, there is still a packaging issue.

    I much prefer to work with an OVF template, it facilitates the movement onto ESX so much more reliably.

    keep up the good work!

    • Ion

      Hello mike 🙂
      Thanks for your comment and for the suggestion!

      Unfortunately I don’t use VMware but VirtualBox. Although, it has a similar export option that I will use in the future version 🙂

      Regards.

  • jim

    so I have kippo started and listening on port 22. however, I cannot ssh to it with putty i just get connection refused. however, an nMap is actually showing open.

    • jim

      nevermind. I realized the problem. for some reason, I am unable to connect directly from the same native machine hosting the VM itself. weird.

      • Ion

        Hello jim.
        Glad to hear you have figured this out.
        Let me know how HoneyDrive works for you.
        Regards.

  • Alex

    Hi,

    I’ve been running honeydrive for a few hours now, and threw a few attacks at it with medusa and hydra, and it does not pick up the automated attacks. However, when I try by hand there are no problems. Any ideas of what could have gone wrong, or is it simply an undefined behaviour?

    Alex.

  • Wilhelm-Jan

    @Alex:

    As currently only Kippo is included, I think that's just normal behaviour.
    I run my own Kippo/Dionaea-based honeypots, and for Kippo it’s only SSH that's being logged.

    So depending on what kind of automatic attack you’re running, it might not be noticed since it might not be on the Kippo port.

    I myself run a Snort inline logging firewall/gateway (basically Honeywall), with behind it a couple of honeypots. Kippo logs everything on port 22 (low interaction part), and the gateway logs everything else (high interaction part).

    • Ion

      Thanks for stepping in Wilhelm 🙂
      PS. I had to rewrite your comment by myself after a wordpress hiccup.

  • ziplock

    it doesn’t include Dionaea or Honeyd as advertized in the “update” section of this page. As far as I can see, it only has Kippo. Am I overlooking something? Also, sourceforge says it has Dionaea and Honeyd… ???

    • Ion

      Hello ziplock, as mentioned here: http://bruteforce.gr/announcing-honeydrive.html, “NOTE: The description is not very accurate for the current state of HoneyDrive. Right now only Kippo SSH honeypot and its related tools are included, but all of the above will be present in future releases.”

      Sorry about that, I guess. I will release a new HoneyDrive version based on Xubuntu (with GUI) including the missing tools plus some other honeypot/malware-related utilities.

      Regards.

    • Ion

      If you are subscribed to new comments, just to let you know that HoneyDrive Desktop version was released and it includes Kippo, Honeyd, Dionaea and much more! 🙂

  • Jon

    Anyone have any luck getting this running on ESXi 5?
    When I try to install the OVA via “Deploy OVF Template” I get an error regarding unsupported hardware (Virtualbox). When I extract the OVA into a VMDK, a custom VM creation does not even let me see or select the VMDK file.

    • Ion

      Hello Jon, thanks for reporting this.

      I have found some similar complaints online (not related to HoneyDrive). Perhaps it has to do with the pre-installed VirtualBox Guest Additions, I’m not sure. Take a look here: https://dev.uabgrid.uab.edu/wiki/VirtualboxToEsxi and perhaps here: https://forums.virtualbox.org/viewtopic.php?f=1&t=42311 to see if anything comes up and let me know please. I could try to upload the original VDI/VMDK file if this persists.

      Regards.

    • Ion

      Jon, also take a look at this comment by Rob: http://bruteforce.gr/honeydrive-desktop-released.html#comment-5167

  • Ken Pryor

    Hello! I have imported and am successfully running HoneyDrive. However, I am having one problem with Dionaea and I was hoping you could suggest a solution. When I start the program, it is never able to bind port 80. I have put in the specific IP address of the HoneyDrive vm in the dionaea.conf instead of going with the default, but it is still unable to bind the port. No other ports are having this problem, only port 80. Do you have any suggestions on how I might fix this?

    Thank you very much for your hard work putting this great VM together!

    Ken

  • Ken Pryor

    Please disregard, I believe I have it figured out. Thanks!
    Ken

    • Ion

      Hello Ken. Glad you found the solution.
      Did it happen because Apache was previously binding on that port? By the way, Dionaea mostly focuses on port 445 (SMB/CIFS), that’s the mechanism for capturing malware and the like. Ports 80 and 443 are mostly to log connections (if any).
      Regards.

    • shahrooz

      Hi Ken

      I have the same problem with SMB. I got ports 80, 443, 1433 and 3306, but no SMB. How did you solve it?

      Thanks
      Shahrooz

  • Ken Pryor

    Hi! Yes, Apache was the problem. I got it sorted now. So far, I’m getting lots of connections on ports 80, 443, 1433 and 3306, but no SMB unfortunately. Hoping that will change. I have my firewall set to forward all port 445 requests from the Internet to my HoneyDrive, so hope it will eventually get something.

    Ken

  • Ken Pryor

    I went to grc.com from my HoneyDrive and used the Shields Up page to scan my ports and see what’s showing as available. It reports port 445 is “stealth”, meaning it is not reporting itself as being in existence to the scanner. Any idea why the scan might not be able to see 445? This may be why I’m not getting any binaries or 445 connections.

  • Ken Pryor

    Sorry to keep posting, but thought I’d update a little. I ran an nmap scan from the host computer to the HoneyDrive vm and found that port 445 on the HoneyDrive is open. I have it open on my firewall too, so I’m starting to wonder if the port is being blocked by my ISP. The ISP told me they don’t block ports, but I’m starting to wonder.

    • Ion

      Hello Ken and happy new year. No problem, do keep us updated.

      I was about to suggest the same thing. My (Greek) ISP seemed to have been blocking port 445 as well on my home connection (I didn’t ask them about it though). The reality is, this might be a “good” move by them. I have set up Dionaea on a VPS and the amount of automated exploits by worms on 445 is just enormous! Microsoft themselves advocate filtering specific ports related to SMB/CIFS on public IP addresses. I guess this might be the case here. My advice would be to call your ISP support and speak with the technical office (not the first line of staff) who will inform you correctly on this matter.

      Regards.

  • Ken Pryor

    I think that must be the case. I made sure 445 was open here locally and then ran the online nmap scan against my public IP. It reported 445 among the ports being filtered. Many of my other ports are open, like 21, 22, 80, 443, so I’m still getting traffic, just not smb traffic. Having a vps would be nice, but can’t do that at the moment.

    • Ken Pryor

      Since 445 seems to be filtered by my ISP, I decided to give Kippo a try. I haven’t received any “real” traffic on it yet, but I have tested it and am sure real traffic can get to it. Looking forward to giving Kippo a long run. Thanks again for HoneyDrive, it sure makes it easy to get started!
      Ken

  • AdrianPas

    Hello Ion,

    Nice job. I want to ask you, is it possible to have an OVF compatible with VMware ESXi 5? I have tried to import it and unfortunately I receive this error:
    “Error: OVF Package is not supported by target:
    - Line 265: Unsupported hardware family ‘virtualbox-2.2’.
    Completed with errors”

    I suppose it is because you have used VirtualBox and there may be a compatibility issue with Vmware.

    • Ion

      Hello Adrian, thanks for your comment.

      I have seen this complaint before, so yeah I think I should release it in OVF and perhaps straight VMDK/VDI as well! In the meantime please see these and let me know if it worked: http://bruteforce.gr/honeydrive-desktop-released.html#comment-5167 and https://dev.uabgrid.uab.edu/wiki/VirtualboxToEsxi

      Regards.

  • Mezzomix

    Hey Ion,

    I tried INetSim on the HoneyDrive and I had some trouble getting it running.

    The DNS port is already in use by the dnsmasq small DNS server which comes with Ubuntu. I had to disable it with sudo gedit /etc/NetworkManager/NetworkManager.conf and #dns=dnsmasq.

    HTTP port 80 is also in use by Apache. sudo apachectl -k stop and sudo service apache2 stop worked for me. The IRC port is used by ircd-hybrid and can be stopped with sudo service ircd-hybrid stop.

    Furthermore I edited /etc/resolv.conf with #nameserver

    Probably not the best way to get INetSim running.

    • Ion

      Hello Mezzomix, thanks for your comment!

      Yeah, I guess this is not an efficient way and I should change the auto-start program list in the next version, or post your corrections just in case. Let me know of any other problems or comments in general!

      Regards,
      Ion.

      • Mezzomix

        /etc/resolv.conf should not be edited. I was wrong in the post before.

        It seems that the inetsim.conf isn’t read by inetsim itself. Only starting inetsim with sudo inetsim --bind-address= works fine. But starting a DNS query returns the default IP address 127.0.0.1 and not the one I wrote in the inetsim.conf file.

        That's not a problem in your HoneyDrive, it is the same with a clean Ubuntu 12.04 installation.

      • Mezzomix

        Okay, for uncommenting the statements in the inetsim.conf file I had to delete the #. I didn’t think about it, because everything is written with #.
        I am still learning^^ Now everything is fine.

        P.S.: cuckoo sandbox and volatility are interesting malware analyzing tools. maybe they are suiting your honeydrive.

        thx for your work so far
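The port clashes reported in the comments above (Apache holding port 80 when Dionaea or INetSim starts, dnsmasq holding the DNS port, ircd-hybrid holding the IRC port) can be found in one pass before starting a honeypot. The script below is an added example, not part of HoneyDrive or of the original comments; the sample `ss` output is constructed, and port 6667 for IRC is an assumption because the page only says "the irc port".

```sh
#!/bin/sh
# Added example (not HoneyDrive's own tooling): list which processes already
# hold the ports that the honeypots in the comments above failed to bind.

# protocol/port = service that wants it, taken from the comments above.
# Assumption: 6667 is used as the conventional IRC port.
WANTED='tcp/80=Dionaea,INetSim tcp/53=INetSim udp/53=INetSim tcp/6667=INetSim'

# Constructed sample of `ss -lntup` output (not captured from a real VM).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:80      0.0.0.0:*  users:(("apache2",pid=1203,fd=4))
tcp   LISTEN 0      128    [::]:80         [::]:*     users:(("apache2",pid=1203,fd=6))
udp   UNCONN 0      0      127.0.0.1:53    0.0.0.0:*  users:(("dnsmasq",pid=944,fd=4))
tcp   LISTEN 0      5      127.0.0.1:53    0.0.0.0:*  users:(("dnsmasq",pid=944,fd=5))
tcp   LISTEN 0      128    0.0.0.0:6667    0.0.0.0:*  users:(("ircd-hybrid",pid=1310,fd=7))
tcp   LISTEN 0      5      127.0.0.1:631   0.0.0.0:*  users:(("cupsd",pid=880,fd=8))'

# Reads `ss -lntup` output on stdin and prints one tab-separated line per
# conflict: proto/port, owning process, service that wants it, remedy.
port_conflicts() {
  awk -v wanted="$WANTED" '
    BEGIN {
      OFS = "\t"
      n = split(wanted, item, " ")
      for (i = 1; i <= n; i++) { split(item[i], kv, "="); want[kv[1]] = kv[2] }
      # Remedies are the ones the commenters reported using.
      fix["apache2"]     = "sudo service apache2 stop"
      fix["ircd-hybrid"] = "sudo service ircd-hybrid stop"
      fix["dnsmasq"]     = "comment out dns=dnsmasq in /etc/NetworkManager/NetworkManager.conf"
    }
    $1 != "tcp" && $1 != "udp" { next }      # skips the header line
    {
      port = $5; sub(/.*:/, "", port)        # works for 0.0.0.0:80 and [::]:80
      key = $1 "/" port
      if (!(key in want)) next               # a port no honeypot here asked for
      proc = "unknown"                       # no users:(...) column without root
      if (match($0, /users:[(][(]"[^"]+"/))
        proc = substr($0, RSTART + 9, RLENGTH - 10)
      if (seen[key, proc]++) next            # IPv4 and IPv6 listeners count once
      remedy = (proc in fix) ? fix[proc] : "identify the owner, then stop or rebind it"
      print key, proc, want[key], remedy
    }'
}

if [ "${1:-}" = "--live" ]; then
  ss -lntup | port_conflicts                 # run with sudo to see process names
else
  printf '%s\n' "$SAMPLE_SS" | port_conflicts
fi
```

Run it with `--live` inside the VM before starting Dionaea or INetSim; an empty result means none of the listed ports is taken.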

  • mfh17

    Hi … I’m having some installation issues; maybe you can help? When I try to import into VirtualBox, I get issues with the VMDK being corrupt. So, I tried extracting the OVF so I could access the files inside, but half-way through, I get a 7-zip error of “… vmdk:file is broken”

    Have you seen either issue elsewhere, and what can I do to get past them. I am installing onto Windows 7

    • Ion

      Hello mfh17 and thanks for trying (to try) out HoneyDrive 🙂

      Importing the OVA into VirtualBox shouldn’t raise any problems. So I guess that the file might be truly corrupted after all, mostly due to a download error or something. Please try downloading it again and verify that the MD5 value is equal to: “f6aa9d7687eea635e79d42bc342a4563”. You can use a utility like this one: http://www.softoxi.com/md5-sha-1-checksum-utility.html to calculate the MD5.

      Regards,
      Ion.

    • m

      hello,
      honeydrive is very helpful, but honeyD is giving me some problems. I wrote my own honeyd configuration file. When I start honeyd, it responds, but when I check with nmap to see if the ports specified in the configuration file are open, it shows they are closed. My log file shows logs of these scans. Please, does anyone have an idea of what is wrong? I tried using the default configuration file on honeyd but that didn't work either.

  • Drafter

    hi, I’m having problems with the root account , any help please..

    • Ion

      Hello, what kind of problem do you have? As per the instructions, the default username/password combination is: honeydrive/honeydrive. You can then “sudo” from inside the system. Regards.

      • Togr Lamht R Butarbutar

        Sir, how can I enter the root account?
        When I log in to the honeydrive account, I type su in the terminal.
        I use the password honeydrive, but the result is authentication failure.
        Thanks

      • Ion

        Hey Togar, try “sudo su” instead.

        Regards, Ion.

  • Krytical

    When I attempt to import the VM, I get a message that I must accept some agreement before I can import… a window comes up but no agreement text… just an agree and disagree button… so I hit agree… the window closes and opens back up… rinse and repeat… any ideas?

  • Ashraf Luffy

    can you give me example of topology to do this honeypot

  • Mara

    I cannot connect to HoneyDrive via ssh.. (putty)
    I get message “Network error: Connection Timed Out”..
    I have installed HoneyDrive on a vm on the cloud… https://okeanos.grnet.gr/home/
    (ova file was transformed to a .raw file and then by this .raw file an image was created.. by which I created a vm…)
    Do you have any idea??

    • Ion

      Hello Mara, not sure why this happens, but in any case HoneyDrive was not designed to be uploaded to the cloud. Okeanos is great by the way 🙂 Regards.

      • Mara

        So, what would you suggest?
        I need to have HoneyDrive running continuously… maybe use OpenVZ??
        My thesis is about honeypots and I would like to include HoneyDrive results…
        your work has been very helpful by the way, thank you!!! 🙂
        …(I am waiting for Okeanos’ admin’s answer about why I can’t connect to HoneyDrive)…

      • Ion

        Hm, I don’t know. I suggest you try again one more time before concluding it doesn’t work out of the box. Otherwise, you can always setup your own honeypots on the VPS. Is there a particular honeypot you need to test? (eg Kippo). Regards.

      • Mara

        No, no particular honeypot..
        I have installed Kippo, Dionaea and Glastopf and played a little…
        and HoneyDrive has a lot more so I think it is worth a try… (and my supervisor thinks the same) 😛

        by the way, I think it might work on the cloud… 😉
        I still have some connection issues but Okeanos’ helpdesk has been very helpful and immediate… 🙂
        if it works, I will feedback…

      • Ion

        That is nice! Let me know how it turns out because I want to try uploading it to Okeanos as well when I find some free time. By the way, you can directly contact me through the contact form on the menu with more info on your thesis. I have completed a similar thesis for my undergrad studies and also written two conference papers on the subject and I am always interested 🙂 Regards.

  • klokurdiladem

    does anybody have checksum for this honeydrive??? doesn’t make sense you’ll get a corrupt file after download it

    • Ion

      Hello there. Here are the checksums:

      MD5: f6aa9d7687eea635e79d42bc342a4563
      SHA1: 4c8e04a1240c43cf553bafc1462aaa3dea6d275b

      If you get a corrupt file I suggest you download it again from SourceForge, perhaps selecting a different mirror.

      Regards, Ion.

      • klokurdiladem

        thank u so much

  • plaastik

    Would it be possible to get HoneyDrive as a torrent? My downloading of the VM keeps aborting halfway…

    • Ion

      Hello plaastik.

      Yeah that would be possible, BUT it needs seeders :/ Some guy actually bothered to create a torrent file here: http://thepiratebay.sx/torrent/8062657/HoneyDrive_v._0.2_%28Nectar_Edition%29_Virtual_Appliance but I don’t think you’ll get anything.

      If your download keeps being aborted it’s a problem with SourceForge. The easiest solution is to select another mirror 🙂 I’ve just downloaded the OVA file a couple of hours ago with no problem. So it would work I guess.

      FYI, these are the checksums of the OVA file (HoneyDrive 2.0):
      MD5: f6aa9d7687eea635e79d42bc342a4563
      SHA1: 4c8e04a1240c43cf553bafc1462aaa3dea6d275b

      Let me know how it goes.

      Regards,
      Ion.

    • Black September

      Hi Plaastik.

      We had a similar issue a while back. I don't know if you tested it, but using ‘wget’ we were able to get it to download without interruptions.

      Command:
      wget http://surfnet.dl.sourceforge.net/project/honeydrive/HoneyDrive%200.2%20Nectar%20edition/HoneyDrive_0.2_Nectar_edition.ova

      Hope you are able to solve it:)

      //Black September

      • Ion

        Hey Black September, thanks for your input! 🙂
        And FYI, in Windows I got it using jDownloader (http://jdownloader.org/).

        Regards.

      • plaastik

        Thanks

  • Sahhid Uddin

    Hi, people connect to Kippo and use the password 123456. Why can they not get root access?

    • Sahhid Uddin

      They need to use root as username in combination.

  • Sahhid Uddin

    Hi, I used Kippo, it was brilliant, thanks so much, but I was wondering about honeyd.

    I want to use honeyd but have no idea where to start. Like, kippo.sh started Kippo for me and logged all activity, it was simple, but honeyd on this is already set up and configured, so I am wondering how do I start honeyd? Which file starts it and where is it?

    Is there a guide to honeyd? Or can you tell me here quickly? Thanks

    • Ion

      Hello Sahhid. Yeah, honeyd is not as easy as Kippo, but there are many guides online as it is one of the oldest and best low interaction honeypots around. Just Google for it and you will find some material.

      Regards,
      Ion

      • Sahhid Uddin

        Very well, thank you very much for this awesomeness, it made my dissertation so much easier.

    • Ion

      Here is a report on Honeyd I stumbled upon while browsing Packet Storm Security: http://packetstorm.foofus.com/papers/general/honeyd_report.pdf

      Enjoy 🙂

      • varsha

        Hey, I’m working on honeyd but I’m stuck: ping and nmap to my virtual honeypot work, but not telnet… Please reply as soon as possible…

  • Josh

    I’m trying to import the OVA using VMware 9 on Windows 8. I keep getting a License Agreement Nag screen that persists after clicking ‘Accept’.

  • Sahhid Uddin

    I have a question about my tty logs: how do I view them? Gedit does not work, obviously. Please respond 🙂

    • Ion

      Hello. I think it’s working. It’s just that the attacker or whoever logged in to the honeypot didn’t type any commands. Try it yourself: log in using PuTTY/terminal, type some commands and then play it with playlog. But, the thing is, why bother with files? Just enable MySQL logging in the config file and then see the sessions in the database. Regards, Ion.

    • Black September

      Hi Sahhid!

      You will see a lot of “empty” tty logs. When a bruteforce attack succeeds it will generate a log from when the password was entered. These logs are all of the same size, 622b if I recall correctly.

      As for using playlog.py

      When standing in /opt/kippo/utils, this is the command I use

      $ python playlog.py -f -m 1 ../logs/tty/.log

      You can see more options about the playlog.py script by executing

      $ python playlog.py
      Usage: playlog.py [-bfhi] [-m secs] [-w file]
        -f keep trying to read the log until it's closed
        -m maximum delay in seconds, to avoid boredom or fast-forward
           to the end. (default is 3.0)
        -i show the input stream instead of output
        -b show both input and output streams
        -c colorify the output stream based on what streams are being received
        -h display this help

      Hope this helps you out, if not, let me know.

      I apologise for any of this being incorrect, I don’t have a honeypot in front of me right now.

      //BlackSeptember

    • Black September

      Wow… I see the message got a bit f***d up when I pasted it 😛

      • Ion

        Great reply nonetheless! 🙂

  • /CS

    I disabled the following services/applications running on boot: ntop, tor, apache2, ircd-hybrid. I think it’s better for the user to decide what he needs. I noticed that zeitgeist daemon is also included, is it needed somewhere or can possibly be removed???

    • Ion

      Hello CS, thanks for trying out HoneyDrive! Your feedback is much appreciated, I already had in mind to disable some of these services on startup for the next version 🙂 Regards, Ion

  • JB

    Hi all,

    I am running Kippo (awesome bit of kit). I had a naughty guy try to connect to an FTP server but couldn’t get ftp to work. How do I enable the command so the bad guys can download from an FTP? Any help will be greatly appreciated

    JB

    • JB

      BTW, the Kippo graph issue I had was sorted, I just re-installed a new image 🙂 Thanks to Ion for all your help 🙂

      JB

    • Ion

      Hello JB.

      This is not easy, it has to be done programmatically by the developer of Kippo. Your only option right now is to enable some output for the “ftp” command, by adding a file in the “txtcmds” folder. But that won’t help the attacker to actually connect or interact with an FTP server.

      Regards, Ion.

  • Agli Pançi

    Hello everyone,
    can HoneyDrive be configured to save all the data to a central server (to work as a sensor)? I have many points where I need a honeypot for each one, and then I need to collect all the data on a main server for analysis.

    What do you suggest?

    • BlackSeptember_

      Hi Agli!

      HoneyDrive is running off a Xubuntu base.

      I have never done this with HD myself, but I believe you would be able to make this work, saving/backing up all the data to a central server, using something like rsync (http://www.howtogeek.com/135533/how-to-use-rsync-to-backup-your-data-on-linux/) or rsyslog (http://www.freeklijten.nl/home/2011/08/16/A-tutorial-on-remote-logging-with-rsyslog).

      If you’re looking to consolidate multiple SQL databases (i.e. KippoGraph) I believe you might be able to do this as well, but sadly I have no idea how you would go about setting up remote logging of this.

  • DiBa

    Hello everybody,

    I’m trying to set up my home honeypot but I’m having problems with my honeyd installation. No matter what configuration and settings I try, when trying to start honeyd I get the same error: “aborting dhclient on interface eth0 after 12 tries”.
    Has anybody encountered the same error?

    Any help appreciated.

    DB

    • Ion

      Hello DiBa,

      it seems that honeyd tries to get an IP from a DHCP server but it’s not working. Please see the comments section here: http://travisaltman.com/honeypot-honeyd-tutorial-part-1-getting-started/ where your error is mentioned by some other people to see if anybody found a solution. Sorry if I can’t offer more help.

      Regards,
      Ion.

      • DiBa

        Thanks for the quick reply.
        The strange thing is that after that honeyd gets an IP and it starts logging. Though I’m not sure about the quality of the logs.

        DB.

      • Ion

        Hi DiBa, if you want you can paste here a small segment of your log file and I can tell you if it looks normal 🙂 Regards, Ion.

      • DiBa

        Hello Ion, thanks for your help.

        Here is a small sample

        2013-11-19-17:22:01.5238 honeyd log started ——
        2013-11-19-17:22:01.5239 udp(17) - 202.133.58.82 58847 192.168.1.70 51413: 48
        2013-11-19-17:22:01.5303 udp(17) - 95.160.168.208 37149 192.168.1.70 51413: 348
        2013-11-19-17:22:01.5381 tcp(6) - 78.147.189.105 24634 192.168.1.70 55434: 52 FA
        2013-11-19-17:22:01.5382 tcp(6) - 192.168.1.70 55434 78.147.189.105 24634: 52 A
        2013-11-19-17:22:01.5394 udp(17) - 95.160.168.208 37149 192.168.1.70 51413: 348
        2013-11-19-17:22:01.5539 udp(17) - 74.104.206.63 18231 192.168.1.70 51413: 58
        2013-11-19-17:22:01.5540 udp(17) - 192.168.1.70 51413 74.104.206.63 18231: 58
        2013-11-19-17:22:01.5649 udp(17) - 111.68.32.160 45682 192.168.1.70 51413: 1025
        2013-11-19-17:22:01.5650 udp(17) - 192.168.1.70 51413 111.68.32.160 45682: 48
        2013-11-19-17:22:01.5716 tcp(6) - 46.99.22.155 65348 192.168.1.70 29662: 40 A
        2013-11-19-17:22:01.5799 udp(17) - 95.160.168.208 37149 192.168.1.70 51413: 348
        2013-11-19-17:22:01.6055 tcp(6) - 78.101.229.8 51413 192.168.1.70 47084: 353 PA
        2013-11-19-17:22:01.6056 tcp(6) - 192.168.1.70 47084 78.101.229.8 51413: 52 A
        2013-11-19-17:22:01.6130 udp(17) - 130.43.27.43 36424 192.168.1.70 51413: 48
        2013-11-19-17:22:01.6180 udp(17) - 130.43.27.43 36424 192.168.1.70 51413: 48
        2013-11-19-17:22:01.6304 tcp(6) - 2.216.49.100 12831 192.168.1.70 36311: 60 SA
        2013-11-19-17:22:01.6305 tcp(6) - 192.168.1.70 36311 2.216.49.100 12831: 52 A
        2013-11-19-17:22:01.6305 tcp(6) - 192.168.1.70 36311 2.216.49.100 12831: 120 PA
        2013-11-19-17:22:01.6410 udp(17) - 2.80.92.170 61362 192.168.1.70 51413: 48
        2013-11-19-17:22:01.6422 udp(17) - 46.189.28.229 56419 192.168.1.70 51413: 58
        2013-11-19-17:22:01.6423 udp(17) - 192.168.1.70 51413 46.189.28.229 56419: 58
        2013-11-19-17:22:01.6424 udp(17) - 192.168.1.70 51413 46.189.28.229 56419: 48
        2013-11-19-17:22:01.6458 tcp(6) - 79.131.73.130 61992 192.168.1.70 53776: 69 PA
        2013-11-19-17:22:01.6459 tcp(6) - 192.168.1.70 53776 79.131.73.130 61992: 52 A
        2013-11-19-17:22:01.6549 udp(17) - 93.175.96.87 52539 192.168.1.70 51413: 48
        2013-11-19-17:22:01.6612 udp(17) - 192.168.1.70 51413 95.160.168.208 37149: 48
        2013-11-19-17:22:01.6745 udp(17) - 89.180.6.224 7777 192.168.1.70 51413: 48
        2013-11-19-17:22:01.6775 udp(17) - 89.180.6.224 7777 192.168.1.70 51413: 48

      • Ion

        Hi DiBa, it seems fine to me! Why don’t you try Honeyd2MySQL and then Honeyd-Viz to see some stats/graphs from your log? Let us know how it goes. Regards, Ion.
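
Added example, not part of the thread and not Honeyd's own tooling: a small Python parser for packet-log lines in the format DiBa posted, summarising what reaches the honeypot address. It handles only the tcp/udp `-` packet lines visible in the excerpt; the function names are assumptions and the sample lines are copied from that excerpt.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the log excerpt posted in the thread above.
SAMPLE_LOG = """\
2013-11-19-17:22:01.5238 honeyd log started ------
2013-11-19-17:22:01.5239 udp(17) - 202.133.58.82 58847 192.168.1.70 51413: 48
2013-11-19-17:22:01.5303 udp(17) - 95.160.168.208 37149 192.168.1.70 51413: 348
2013-11-19-17:22:01.5381 tcp(6) - 78.147.189.105 24634 192.168.1.70 55434: 52 FA
2013-11-19-17:22:01.5382 tcp(6) - 192.168.1.70 55434 78.147.189.105 24634: 52 A
2013-11-19-17:22:01.5394 udp(17) - 95.160.168.208 37149 192.168.1.70 51413: 348
2013-11-19-17:22:01.5539 udp(17) - 74.104.206.63 18231 192.168.1.70 51413: 58
2013-11-19-17:22:01.5540 udp(17) - 192.168.1.70 51413 74.104.206.63 18231: 58
2013-11-19-17:22:01.5716 tcp(6) - 46.99.22.155 65348 192.168.1.70 29662: 40 A
2013-11-19-17:22:01.6304 tcp(6) - 2.216.49.100 12831 192.168.1.70 36311: 60 SA
2013-11-19-17:22:01.6305 tcp(6) - 192.168.1.70 36311 2.216.49.100 12831: 52 A
"""

# timestamp proto(num) - src sport dst dport: size [tcp flags]
PACKET_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<proto>tcp|udp)\(\d+\)\s+-\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dport>\d+):\s+"
    r"(?P<size>\d+)(?:\s+(?P<flags>[A-Z]+))?\s*$"
)


def parse_line(line):
    """Return a dict for one packet line, or None for anything else
    (the 'log started' banner, other record types, damaged lines)."""
    m = PACKET_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "size"):
        rec[key] = int(rec[key])
    rec["flags"] = rec["flags"] or ""  # UDP lines carry no flags
    return rec


def summarize(lines, honeypot_ip):
    """Count inbound packets per (proto, destination port) and note
    traffic that suggests the honeypot address itself opened connections."""
    inbound = Counter()
    inbound_bytes = Counter()
    sources = defaultdict(set)
    synack_from = set()
    parsed = skipped = outbound = 0

    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        parsed += 1
        if rec["dst"] == honeypot_ip:
            key = (rec["proto"], rec["dport"])
            inbound[key] += 1
            inbound_bytes[key] += rec["size"]
            sources[key].add(rec["src"])
            # A SYN-ACK arriving at the honeypot answers a SYN that was
            # sent from (or spoofed as) that address: worth a second look,
            # since a honeypot should not normally initiate connections.
            if rec["proto"] == "tcp" and rec["flags"] == "SA":
                synack_from.add(rec["src"])
        elif rec["src"] == honeypot_ip:
            outbound += 1

    return {
        "parsed": parsed,
        "skipped": skipped,
        "outbound": outbound,
        "inbound": dict(inbound),
        "inbound_bytes": dict(inbound_bytes),
        "sources": {k: len(v) for k, v in sources.items()},
        "synack_from": sorted(synack_from),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines(), "192.168.1.70")
    for (proto, port), count in sorted(report["inbound"].items(),
                                       key=lambda kv: -kv[1]):
        print(f"{proto}/{port}: {count} packets, "
              f"{report['inbound_bytes'][(proto, port)]} bytes, "
              f"{report['sources'][(proto, port)]} distinct sources")
    print("outbound packets:", report["outbound"])
    print("inbound SYN-ACK from:", report["synack_from"])
```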

  • wysegy66

    Just installed HoneyDrive and it’s telling me there are 400+ updates available. Is it safe to upgrade without breaking anything?

    • Ion

      Hi wysegy66, I am not sure about this, I suggest that you keep a snapshot of the imported VM just in case, upgrade it to see if something breaks and then let us know! 🙂 Regards, Ion.

  • Hawkie

    I am making a VMware-converted version of HoneyDrive. Will post it as a torrent, but expect help seeding it in the long term. Will post the link in a short while

    • Hawkie

      http://thepiratebay.se/torrent/9402030/Honeydrive_0.2_nectar_edition_vmware_image

      This is the link to the ready made vmware image of honeydrive

  • Nick

    Hey. Is there any way to setup the services to run on startup? I’d like to have kippo, dionaea and glastopf startup when I boot the VM.

  • ckaspar

    Is there a LiveCD or bootable ISO for Honeydrive? I am running HD from a VM but I have an empty box that could work as a standalone machine.

    Thanks in advance.

    • Ion

      Hi ckaspar, no unfortunately there is no LiveCD or ISO version of HoneyDrive.

      If your box is good enough, one suggestion is to install a Linux server version, a headless version of VirtualBox with phpVirtualBox [1] for the frontend, and then install HoneyDrive there.

      [1] http://sourceforge.net/projects/phpvirtualbox/

      Regards,
      Ion

  • RichM

    I have kippo running fine but I can’t seem to get TinyHoneypot to work. When I run ./thpot I see the process running, but nothing new is listening when I nmap the box. I tried shutting down apache and nmapping again, but I don’t see port 80 open for IIS like I expected (since I have http configured to be IIS in the tinyhoneypot config). I see some articles online about setting up thpot but some of the directories are different from the Honeydrive version of thpot. I feel like I’m missing a step. Can someone help with instructions on how to start tinyhoneypot in Honeydrive specifically?

    • Ion

      Hi RichM, sorry for late replying.

      TinyHoneypot is pretty old I would say. But you can start here if you want to give it a try: http://edgis-security.org/honeypot/tiny-honeypot/. Also, tinyhoneypot has been installed via the package manager AFAIR.

      Regards,
      Ion

  • asda

    How to change passwords?

    • Ion

      Hi, change passwords for what exactly?

  • help

    I’d like to have a little beginner’s guide that says how to start. How to use HoneyDrive for productive purposes: e.g. enable mail notification; what has to be observed manually; what services shall I run?

    Thanks

    • Ion

      Hi,
      this depends on: a) what you are trying to accomplish, b) which specific honeypot software you will use. For example, there is no universal notification system, you’ll have to set up the existing notification system for each honeypot software (if any) to alert you.

      I would start by using Kippo. You can find a number of articles about it in this blog. But it’s ready to be used. Just “./start.sh” and enjoy (details about it can be found in the text file accompanying HoneyDrive). Then you might want to move on to Dionaea.

      Regards, Ion

  • RobW

    Hello Ion, really silly newbie question here. I’m trying to run kippo for the first time on honeydrive 0.2. Running the script I get a ‘no such file or directory’ error. If I type sudo and then run the script opt/kippo/start.sh it returns an unhandled error. I’ve looked in the file system and the path seems to be right, as you might expect. I don’t really know my way around linux at all so this is probably a really stupid question but would you be able to tell me, by any chance, what I’m doing wrong here?

    • Ion

      Hi Rob, can you copy-paste exactly what you type in the console?

      • RobW

        Hi, sure I have: honeydrive@honeydrive:~$ /opt/kippo/start.sh

      • Ion

        Hi RobW, yes, it could be the case. Make sure you put the VM in a Host-only network or a Public network.

      • RobW

        Hi Ion, I just went back to this problem today and it seems all that was wrong was that I was trying to run with root privileges. Boy do I feel like an idiot right now. Anyway it seems to work at least. 🙂

  • Niels

    Is it possible to run this on the raspberry pi? or to create a separate distro for it? I would like to use Pi’s with honeyDrive in our corporate network as cheap honeypots for a.o. malware detection.

    • Ion

      Hi,
      it could be the case, if you can run a VirtualBox headless version on the RaspberryPi on a lightweight host distro and then import the OVA. But I don’t know how efficiently this might work. You have to try and give us feedback! If you succeed I can also do a blog post with you about it 🙂

      Another solution is to set up Kippo directly on the RaspberryPi, like for example: http://bob.k6rtm.net/kippo.html. For Dionaea you can use the “setupDionaea.sh” script from my Dionaea-Vagrant project (you can find the file on GitHub) to automate the setup.

      Anyway, best of luck and keep us updated 🙂

  • Jonathan

    Is there any way that I can contribute with your project, besides downloading and testing the OS image?

    • Ion

      Hi Jonathan,
      very good question, I think I should even add the following to the FAQ:

      Generally, not to the actual development. I develop HoneyDrive on my own machine, so it doesn’t exist in any remote environment where we can collaborate while building it. And there isn’t any schedule for releases so even if we enabled remote collaboration, a new release will probably take *some* time before getting planned.

      But, here are all the ways you can help in general:

      1. Actually, testing is of great importance. There are a lot of things going on on HoneyDrive. Installing over 30 tools from source and managing their dependencies (which could be conflicting sometimes) isn’t the best deal. So it’s great if there are testers that can check that all the tools are actually working as they should by trying them out in real scenarios (and learning a lot in the process!).

      2. If you can code, then you can contribute to all the other projects around security visualization, etc or to the honeypots themselves. From my side, I am very open to this and have already accepted pull requests. If you know PHP and/or Python let me know. The code for all the projects is hosted on GitHub.

      3. Ideas/feedback. Again, this sounds trivial but it’s not. The tools need to be kept current and also become enhanced. Again, I am very open to this and some things like for example the Kippo-IP and Kippo-Playlog components of Kippo-Graph were added by some people who decided to contribute! This is relevant to the point above as well, but even if you can’t code the suggestions and requirements drafting for these are equally important.

      4. Information sharing. If you use it, share the results. Some of the honeypots have integrated a logging system called hpfeeds: http://heipei.github.io/2013/05/11/Using-hpfriends-the-social-data-sharing-platform/. You will find it in their configuration files with an option to enable it or not. Sharing data via hpfeeds helps the developers of the honeypot platforms and organizations like the Honeynet Project to gather much needed data about attacks. Even if you decide not to share via hpfeeds, you can help by letting us know what kind of stuff you capture, if you see any patterns, if from the logs you suspect that attackers found a new way to identify the honeypots etc.

      5. Lastly, there is a small donation button on the right side for people that appreciate this work 🙂

      Thanks again for your question and the willingness to help.

      Best regards,
      Ion

  • Jonny

    I’m trying to import the OVA but keep receiving the message seen here:
    http://i.imgur.com/UMEtaWd.png
    Any advice?

    • Ion

      Yeah, as the error said it was probably a corrupted file.

    • shan molly

      If anybody needs an OVF that works on VMware, please email me at

      mostanad2008@yahoo.com

  • Petro

    I’m a big fan of this blog and kippo that I have used in the past. Does this updated version include the SFTP patch/fix in kippo?

    • Ion

      Hi Petro, thanks for your message.

      Regarding your question, no, I used the official Kippo version, that is actually being actively developed again: https://github.com/desaster/kippo

  • Panix

    I’m having problems in HoneyDrive v3. Apparently, something is up with the key exchange. When I try to connect to Kippo, nothing happens. Once I press ‘Enter’, it starts the key exchange. My log file shows tons of connections but 0 login attempts.

    Any idea with what could be wrong?

    • Ion

      Hi Panix, thanks for your message. I’ve just tried it (VirtualBox VM with HoneyDrive 3 in bridged mode and SSH login from my OS X Mavericks) and it worked fine. My SSH client asked me to verify the fingerprint and then Kippo correctly asked me for passwords. From what kind of machine are you trying to login into Kippo?

    • Ion

      Ah, I re-read your post once more. So, you’re having Kippo in “production” but no one seems to be able to connect. Let me get back to you on this after I get some feedback from other people.

      • Panix

        They can connect but once the connection is accepted, the key exchange doesn’t take place til I hit ‘Enter’ on the keyboard.

        If you want, I can provide you with my hostname so you can see what I’m saying. I haven’t made any changes since I downloaded the VM on the day it came out.

  • Raina

    I am trying to run honeyd in honeydrive3. I am getting an error in the log file, i.e. permission denied in the /var/log/honeypot/ directory. I already tried the chmod and chown commands but nothing works out. PFB screenshot for your reference. Please guide…. Thanks in advance ..

    • Ion

      Hi Raina, thanks for your messages.

      It seems that you need to run `sudo touch /var/log/honeypot/honeyd.log && sudo chmod -R 777 /var/log/honeypot` for it to work. Of course it’s better to run honeyd as a “service” using the /etc/init.d script. See my latest blog post for more info (posting it in seconds).

      Regards,
      Ion

      • Raina

        Hi,
        I tried the same but nothing worked out for me. I tried the instructions that you gave in your new blog post but it still gives the same error. Please find the screenshot below.
        Thanks and Regards
        Raina

      • Ion

        Hi Raina, whoops, I forgot to write the actual mode (number 777) in the command I wrote in the previous message. I edited the comment, please re-run the command and let me know.

      • Raina

        Hi,
        thanks it works..:)

  • mark_orion

    Would it be possible to distribute HoneyDrive via BitTorrent instead of or in addition to SourceForge? I have a fairly unstable rural broadband connection and while SF downloads usually break with even short interruptions, BitTorrent is much more resilient (and faster).

    • Ion

      Hi mark_orion, thanks for your suggestion.

      That would be possible, but then I’d have to pay for a seedbox or something just for this since the file is a big one and I doubt many seeders would be available at any given time. Unless of course someone “sponsors” his bandwidth specifically for this. Until then, SF provides a good service I think.

      Regards,
      Ion

      • mark_orion

        Hi Ion, I understand that problem - had it once myself and helped me with someone who “colocated” a Raspberry Pi as seedbox in a datacentre. And it’s no more a problem as I pulled the file overnight with wget. Thanks for this great piece of work! Mark

  • Tomato-

    a) I want HoneyDrive installed directly on my server instead of a virtual machine. Is there any tutorial about how to install it step by step?
    b) I have many servers to install HoneyDrive on. I want to have centralized management over all of them. How should I do that? Is there any application like DionaeaFR for Dionaea?

    • Ion

      Hi Tomato,

      a) HoneyDrive is distributed as an OVA file, so this is not possible. Although I have seen that AWS and Linode for example have some resources to transfer a VM to their infrastructure, I haven’t tried it. Perhaps you can try and let us know? That would be fantastic!

      b) HoneyDrive is self-contained and self-managed, so no. But I am thinking of creating something to facilitate that in the future. You can “manage” the individual honeypots centrally though. For example, if you have 5 Kippo honeypots, just make all of them write to the same MySQL database so you can have an overall visibility. Also see this project as an alternative: http://threatstream.github.io/mhn/. Regarding the last question (DionaeaFR for Dionaea), it seems that you’ve made a mistake? Let me know again.

      Regards,
      Ion

      • Tomato-

        a) What I mean is that I want to know how you integrated all the modules you mentioned above (full LAMP stack, Kippo SSH honeypot, ELK stack, etc.) together into your VM workstation. If you have notes from your development, then I could follow them to install directly on my server.

        b) Yeah, the last question (DionaeaFR for Dionaea) was my misunderstanding and I got it now. Your answer will help me a lot.

        Thanks very much for your reply. (˘❥˘)

      • Ion

        Hi Tomato,
        unfortunately I don’t have notes (I should have kept some but I got carried away). So I guess you can just follow the official guides of the software you want to use or the tutorials I have written in the past.

        Regards,
        Ion

      • Tomato-

        Hi,
        OK, I will search for other tutorials then.
        Thank you Ion 🙂

  • Beso

    Hi guys

    How can I generate Kippo graphs on HoneyDrive 3?!! Can you answer me ASAP, pleeeeeease.

  • Jon Gerdes

    Great work, thanks. Works nicely on a VMware 5.5 ESXi cluster. Someone may find this Upstart script handy for Kippo, put this in /etc/init/kippo and it will start on boot:
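    ------------------------8<------------------------
    description "Simple Kippo upstart script for honeydrive3"

    # Start once networking is up
    start on started networking

    # Run as the unprivileged honeydrive user and group
    setuid honeydrive
    setgid honeydrive

    script
        exec start-stop-daemon --start \
            --chdir /honeydrive/kippo \
            --exec /usr/bin/twistd -- -y kippo.tac -l log/kippo.log
    end script
    ------------------------8<------------------------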

  • sbilly

    Great job!

  • oxygen

    Hey! I have some PCAP files I want to process and analyse (determine what sites have been visited, how often, etc) - Would Honeydrive be able to do this with ease? If so, can you please walk me through it (I will donate some money if it works)!

    • Ion

      Hi oxygen,
      of course you can do it with HoneyDrive. Here is a nice guide with instructions: http://www.sans.org/reading-room/whitepapers/protocols/analyzing-network-traffic-basic-linux-tools-34037

      Regards,
      Ion

      • oxygen

        I was hoping to do it with Bro then make use of the ELK stack to review the data generated from the bro logs? If this is possible, can you guide me through it? Cheers!

      • Ion

        Hi again,
        I haven’t played around with Bro but I think it’s possible (loading the pcap files). Other than that, many people have created Logstash config files to parse Bro IDS logs, e.g.: http://www.appliednsm.com/parsing-bro-logs-with-logstash/

        Regards,
        Ion

  • scott sattler

    Any plans for amazon AMI?

    • Ion

      Hi!

      Yes, it’s in the TODO list. I’ll also try to make it usable as part of the free tier by resizing the volume.

      Regards,
      Ion

  • Todd

    If anyone is interested I wrote a little guide on how to convert and run HoneyDrive in Hyper-V. http://www.compnetsec.com/blog

    • Ion

      Hi Todd,
      that was a wonderfully informative blog post. I took the liberty of reposting it here on the main site. A great contribution, thanks!

      Regards,
      Ion

  • vivek

    Hi guys, can I run the honeyd low-interaction honeypot for creating deceptiveness as XP, Ubuntu, and can I also run the Kippo honeypot simultaneously for tracking the hackers’ activities and getting them sql? Can you please suggest which is best, honeyd or Kippo? Honeyd can be disguised as all kinds of operating systems, but Kippo only as Ubuntu.

    • Ion

      Hi vivek,
      if you want to track and save activities inside the honeypot then Kippo is better. You can also make it emulate other Linux-based systems by feeding it data from your real filesystem.

      Regards,
      Ion

  • NeoStryker

    Can anyone give any suggestions for minimum system requirements to run this software suite? Or at least provide some sort of insight into hardware resource consumption. Thanks

    • Ion

      Hi NeoStryker, it’s a Xubuntu based virtual machine, with generally low requirements. 512+ RAM would be fine.

  • Yago

    Hi,

    I’ve just installed HoneyDrive and tried to configure XMPP in kippo.cfg.

    I uncommented:
    [database_xmpp]
    server = sensors.carnivore.it
    user = anonymous@sensors.carnivore.it
    password = anonymous

    And had an error:
    honeydrive@honeydrive:/honeydrive/kippo$ ./start.sh
    Starting kippo in the background…
    Loading dblog engine: mysql
    Loading dblog engine: xmpp
    Failed to load application: No module named wokkel.xmppim

    What’s wrong?

    • Ion

      Hi Yago,
      unfortunately I haven’t tried setting up XMPP with Kippo ever. Not sure what’s the problem.

      Wokkel seems to be a library with enhancements to the Twisted framework that Kippo uses: https://pypi.python.org/pypi/wokkel. Maybe you can solve your problem simply with `pip install wokkel`.

      Let me know how it goes,
      Ion.

      • Yago

        Thanks!
        You were right! Please add “wokkel” to the next release of HoneyDrive! 🙂

  • Rendy Mahar

    Why can’t the timestamp be listed on the graph? I use DionaeaFR.
    Please help me.

  • Rendy Mahar

    Why can’t malware be downloaded on Dionaea?
    I use a local IP (10.1.0.60), not a public IP, in the connection settings of the HoneyDrive virtual machine.
    May I use a public IP?
    Where do I set the public IP? On the HoneyDrive virtual machine or the physical computer?
    I use Windows XP on the physical computer.

    Please help me…

    • Tahir

      Hi,
      I am having the same problem.

      Can you help me if you have the solution?

  • Lotte

    Hello everyone,

    I’m currently working on setting up a honeypot using honeyd through the honeydrive distro and have been unsuccessful in getting the correct fingerprints to be matched when running an nmap scan of the targeted IP. I configured honeyd to create a Microsoft Windows Server 2003 Standard Edition as the fingerprint but have been unable to get that as a result of the nmap scans. The results of the scan gives me “No exact OS matched for the host”. I was wondering if anyone had any insight on how to solve this issue.

    Thanks.

  • Alfred Gimigu

    Hi, I tried to install the Honeydrive on my VMware but was unsuccessful due to compliance related issue, what can be the best version of VMware and how do I get a copy of that? Thanks

    • Ion

      Hey Alfred, in my case I was using VMware Fusion Professional Version 6.0.6 on OS X and it worked fine (the 2nd time, clicking Retry to lax the OVF conformance checks). Regards.

    • DenMiLu

      Hi Alfred Gimigu, you can use vmware convert tool to convert honeydrive to VMware format and then use VMware 10 for running honeydrive3. Google for how to convert 🙂

  • newuser

    Is there a way to have activity from a tool forwarded via syslog? In particular I am referencing Kippo, but if not Kippo then perhaps one of the other tools?

    • Ion

      Hi, I haven’t tried/seen this. It needs to be added to the codebase.

  • vikram

    I am trying to run the MALTRIEVE tool in HoneyDrive 3 but it wouldn’t run ……. Does anyone know how to install it and run it properly? I am giving the error text regarding the issue with Maltrieve, please help me.

    {honeydrive@honeydrive:/opt$ cd maltrieve
    honeydrive@honeydrive:/opt/maltrieve$ python maltrieve.py
    URL http://lifescience.sysu.edu.cn/filees/guuu16pesche.asp stored as 6061a2e39c9ecd5e9deef61175f183ab
    Traceback (most recent call last):
      File "maltrieve.py", line 290, in <module>
        main()
      File "maltrieve.py", line 246, in main
        now.day), proxies=cfg['proxy']).text
      File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 55, in get
        return request('get', url, **kwargs)
      File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 44, in request
        return session.request(method=method, url=url, **kwargs)
      File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 456, in request
        resp = self.send(prep, **send_kwargs)
      File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 559, in send
        r = adapter.send(request, **kwargs)
      File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 375, in send
        raise ConnectionError(e, request=request)
    requests.exceptions.ConnectionError: HTTPConnectionPool(host='www.sacour.cn', port=80): Max retries exceeded with url: /list/2015-7/201579.htm (Caused by : [Errno 110] Connection timed out)
    honeydrive@honeydrive:/opt/maltrieve$ }

    • DenMiLu

      Hi vikram,

      Your problem is that the sites http://lifescience.sysu.edu.cn/filees/guuu16pesche.asp and http://www.sacour.cn could not load. Please check the 2 sites above before running the Python script.

  • DenMiLu

    Hi Ion,
    I have a problem when drawing new chart on Kibana4.1.1 with pair of top 10 user/pass, how can I filter like you do on kippo2elasticsearch.json?

  • clown

    Can you tell me what root’s password is?

    • Ion

      You should login with username/password: honeydrive/honeydrive. Then become root (if needed) with “sudo su”.

  • Pete Desfigies

    I recently re-installed honeydrive3 again and noticed this time around that
    Kippo seems to be constantly crashing.. anytime that a command is given that involves a “/”, it kills the connection. For example.. if the attacker changes directory to cd /etc, it crashes, or even cd /.. crashes.. Does anyone else have experience with this or know what is causing this?

    • Ion

      Hm, I haven’t heard that before. I’ll try to test it. But, please `git pull` in the Kippo directory to make sure you have the latest version. Let me know if that fixes it.

  • stevenchung63

    Is a license needed to use Honeydrive for a commercial purpose? And if yes, where can I find more information about it? Thanks a lot!!

    • Ion

      Hi Steven, not really, you can use it as you would normally use an Ubuntu linux distro. Having said that, individual honeypot/other software inside HoneyDrive that you’d like to use might have different licenses (although I can’t think of any off the top of my head). Thanks.

  • morenike oniyide

    Please, I am seeing the following error on honeydrive after using the following command:

    python manage.py collectstatic #type yes when asked

    python manage.py runserver 0.0.0.0:8000

    Then I try to open with http://SERVER-REMOTE-IP:8000, which is my honeydrive IP

    … Can anybody help with this please

    Request Method: GET

    Request URL: http://192.168.15.4:8000/

    Django Version: 1.6.5

    Exception Type: DatabaseError

    Exception Value:

    database disk image is malformed

    Exception Location: /usr/local/lib/python2.7/dist-packages/django/db/backends/sqlite3/base.py in execute, line 451

    Python Executable: /usr/bin/python

    Python Version: 2.7.3

  • stevenchung63

    Is there a SHA 256 or MD5 checksum for the honeydrive download? Thanks a lot!

    • Ion

      Hi Steven, SHA1 is 693e9448dc9bd384917d9655b72f482c70ac1f8b and MD5 is ef3e5baa960207958a71cdb88cc66d55.
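Checking a downloaded image against the two digests given in the reply above, as an added example that is not part of the original thread. The file path `HoneyDrive.ova` is a placeholder; the function names are this example's own.

```python
import hashlib
import hmac
import sys

# Digests as published in the reply above (SHA1 and MD5 are the only ones given).
PUBLISHED = {
    "sha1": "693e9448dc9bd384917d9655b72f482c70ac1f8b",
    "md5": "ef3e5baa960207958a71cdb88cc66d55",
}


def file_digests(path, algorithms, chunk_size=1 << 20):
    """Read the file once, feeding every chunk to all requested hash algorithms."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected=PUBLISHED):
    """Return {algorithm: bool}; treat the file as good only if every entry is True."""
    # Normalise case and stray whitespace from copy-pasted digests.
    wanted = {k.lower(): v.strip().lower() for k, v in expected.items()}
    actual = file_digests(path, wanted)
    return {name: hmac.compare_digest(actual[name], wanted[name]) for name in wanted}


if __name__ == "__main__":
    # Placeholder path: pass the location of the downloaded OVA as the first argument.
    image = sys.argv[1] if len(sys.argv) > 1 else "HoneyDrive.ova"
    results = verify_image(image)
    for name, ok in sorted(results.items()):
        print("%-5s %s" % (name, "OK" if ok else "MISMATCH"))
    sys.exit(0 if all(results.values()) else 1)
```

The script exits non-zero on any mismatch, so it can gate the import step in a provisioning script.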

  • Scott Sciarrino

    Is there an easy way to put it on a USB stick and run a Live version on some old hardware.. Thanks..

    • Ion

      Hey Scott, since this is distributed as an OVA I don’t think so… sorry.

  • Rob Z

    I’m wondering if you can create your own folders/subfolders in kippo and if so how to go about it.

    • Ion

      Hi, do you mean creating your own content inside the honeypot? Yes, that’s doable. You can copy/create files in honeyfs/ and then use utils/createfs.py. It’s better if you use Cowrie instead of Kippo though. See this: https://sehque.wordpress.com/2015/07/23/how-to-configure-and-deploy-a-cowrie-ssh-honeypot-for-beginners/

  • Martha Whitmore

    Thanks for this valuable article. I am really impressed by your site.

  • Archana

    Hi, I am unable to log into honeydrive with the default password as honeydrive; it says sorry wrong password!

    Please help.

    • Ion

      That is strange, you should be able to login as user “honeydrive” with password “honeydrive”. Are you trying to login as root perhaps?

      • Archana

        Hello, can you make a tutorial on honeyd (honeydrive)?

        Things to be covered:
        0) how to start (commands) - because honeyd -d -f filename.conf doesn’t work
        1) a simple config file and how to deploy it
        2) how to deploy a honeypot
        3) mimicking of a server
        4) a small network simulation

        Please kindly throw some light on the above mentioned topics!! Please!

      • Ion

        Hi. I’ve written something already here: https://bruteforce.gr/getting-started-honeyd.html

  • Abraham Sinai

    Hello,

    Is this a 32 bits or 64 bits machine?

    • Ion

      Hi, it’s based on Xubuntu 32-bit.

  • Abraham Sinai

    Hello, What about trying to install the Security Onion tools, Snort, Suricata, Bro, OSSEC and so on into HoneyDrive? Is it recommended?

    • Ion

      Hi, it’s up to you. Of course you can do it.

  • Tahir

    Hi
    I am having trouble downloading malware. I am getting thousands of connections but 0 downloads. Can you please help me?

    Regards

  • Paul

    I’m having issues with LaBrea. “Couldn’t open libdnet link interface”

    • Paul

      Disregard. Apparently it needed a ‘sudo su’

  • Nathan

    Should you change the username/passwords on the Honeydrive installation? ^^

  • Tom

    Trying to get honeyd on honeydrive3 running to add to my active defenses. On startup using honeyd -d -f test.CONF -p /home/honeydrive/Downloads/hhac-code/nmap-os-db -i eth0. This is the current nmap-os-db; I get the same error with the one that came with honeydrive3.

    I get this mysterious error:

    34: No personality for “MatchPoints”
    honeyd: parsing personality file failed

    Any clue how to fix it? A Google search doesn’t reveal much either. I don’t know if it is the DB file or the conf file honeyd is using to look up personalities in the DB. I am close but no cigar, and I cannot afford the store-bought Nova project version.

  • Tom

    Idea for HoneyDrive4 - install the opensource Nova project on it, honeyd on steroids.
