HoneyDrive

HoneyDrive is a virtual appliance (OVA) with Xubuntu Desktop 12.04 32-bit edition installed. It contains various honeypot software packages such as Kippo SSH honeypot, Dionaea malware honeypot, Honeyd low-interaction honeypot, Glastopf web honeypot along with Wordpot, Thug honeyclient and more. Additionally it includes useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, and much more. Lastly, many other helpful security, forensics and malware related tools are also present in the distribution.

DOWNLOAD HoneyDrive:

Important!

The latest version (0.2) of HoneyDrive Desktop (Nectar edition), released on January 16, 2012 is hosted at SourceForge.net: http://sourceforge.net/projects/honeydrive/

Please take a look at the README.txt file on SourceForge (also included inside the virtual disk) to see where everything is located.

INSTALLATION:

After downloading the file, you simply have to import the virtual appliance into your virtual machine manager/hypervisor (suggested software: Oracle VM VirtualBox). If you want to use HoneyDrive in VMware products (Workstation, ESXi, etc.) please read this: Setup HoneyDrive on VMware

FEATURES:

  • Virtual appliance based on Xubuntu 12.04 Desktop.
  • Distributed as a single OVA file, ready to be imported.
  • Full LAMP stack installed (Apache 2, MySQL 5), plus tools such as phpMyAdmin.
  • Kippo SSH honeypot, plus Kippo-Graph, Kippo2MySQL and other helpful scripts.
  • Dionaea malware honeypot, plus DionaeaFR and other helpful scripts.
  • Amun malware honeypot, plus helpful scripts.
  • Kojoney SSH honeypot, plus helpful scripts.
  • Glastopf web honeypot, along with Wordpot WordPress honeypot.
  • Honeyd low-interaction honeypot, plus Honeyd2MySQL, Honeyd-Viz and other helpful scripts.
  • LaBrea sticky honeypot, Tiny Honeypot, IIS Emulator and INetSim.
  • Thug honeyclient for client-side attacks analysis, along with mwcrawler malware collector.
  • A full suite of security, forensics and anti-malware tools for network monitoring, malicious shellcode and PDF analysis, such as ntop, p0f, EtherApe, nmap, DFF, Wireshark, ClamAV, ettercap, Automater, UPX, pdftk, Flasm, pdf-parser, Pyew, dex2jar and more.
  • Firefox plugins pre-installed, plus extra helpful software such as GParted, Terminator, Adminer, VYM, Xpdf and more.

FREQUENTLY ASKED QUESTIONS:

  1. Why use HoneyDrive?
    HoneyDrive saves you time! It has all the major honeypot-related software pre-installed and pre-configured to work out of the box (or with whatever configuration options you prefer). As I have seen many times in comments and support requests, setting up a honeypot system is not always easy. This is especially true for new infosec enthusiasts or sysadmins, and for “hard” to set up software like Dionaea.
  2. What utilities and software are included in HoneyDrive?
    HoneyDrive contains all the major honeypot-related software and many more useful tools. For a complete list you’ll have to take a look at the README.txt file included in the virtual appliance (you’ll find it on the desktop) or online at the downloads section of SourceForge (link above).
  3. Why isn’t [insert-name-here] included in HoneyDrive?
    I’m not a security guru and unfortunately can’t keep track of every different piece of software. But I’m very open to suggestions about HoneyDrive! If you know a tool that could be of benefit please let me know by leaving a comment on this page and it will be included in the next release of HoneyDrive.
  4. How do I get started? How do I login?
    You just have to download the OVA file from SourceForge (link above) and import it into your virtual machine manager/hypervisor. You can then log in with the username “honeydrive” and the password “honeydrive” (without the quotes). Change this default password before the VM is reachable from any network you do not control: the honeypots inside are meant to be attacked, the appliance itself is not.
  5. What is the password for [insert-name-here]?
    Again, your best bet is reading the README.txt file included in the virtual appliance or found online at the downloads section of SourceForge (link above). Every password you will need is included in its appropriate section.

COMMENTS:

  • http://Tekdefense.com 1aNormus

    Thanks for putting this out. Been playing with the distro for the last few hours, and I am impressed with the package. This will be perfect for some honeypot training I plan to put out soon.

    Thank you,
    1aN0rmus

    • http://bruteforce.gr Ion

      Hello Normus, thanks for your comment!

      I plan to include more software to it soon (so be sure to check from time to time) and perhaps create a lightweight desktop version (think Xubuntu/Lubuntu) with some GUI tools as well.

      The current version includes everything that has to do with Kippo SSH honeypot. It’s a good start in the domain of honeypots and you’ll get some interesting results. I’d be happy to see some of them.

      Regards.

      • letrath

        Hello. I tried to contact you via the contact form but it’s not working, I guess? Could you send me your mail address to ask a question, please? I wanted you to show it on my private IP if you have time. Thanks.

  • nexus

    Hello, this is very nice. I am very new to this stuff. I downloaded the HoneyBox but now what?
    From the several VMDK drives in the RAR, which one must I use? Any info on how to install this in VB?

    I am sorry for my noobiness but I would love some assistance.

    Thank you very much
    Nexus

    • http://bruteforce.gr Ion

      Hello Nexus, it’s quite simple really: you have to extract the files, create a new virtual machine and select the “HoneyBox.vmdk” file as its hard disk drive (ignore the other files but don’t delete them!). You can then start Kippo by executing the “start.sh” script residing inside the /home/honeybox/kippo dir.

      See the README file here: http://sourceforge.net/projects/honeybox/files/HoneyBox%20v0.1%20%5BKippo%20in%20a%20Box!%5D/ for more information.

      Regards.

  • nexus

    Thank you very much Ion, I appreciate your assistance. I will test it ASAP :)

    Regards
    Nexus

  • George

    Hi Ion,

    I am George again!

    I have two questions about Honeybox.

    1) HoneyBox, is its function similar to that of Dionaea? Does it simulate services to catch malware?

    2) Is it necessary to use a virtual machine, or can I install HoneyBox on a physical machine? Do you recommend Debian or Ubuntu?

    Regards.

    • http://bruteforce.gr Ion

      Hello again George.

      1) Not yet. So far only Kippo is installed. Dionaea and other honeypots will be included in future versions.

      2) The format of the drive is VMDK, which is used by virtual machines. I don’t fully recommend it, but you can convert a virtual drive to a physical one. See this: https://www.vmware.com/support/v2p/index.html. Also, Debian and Ubuntu are both fine, but I tend to go with Ubuntu.

      Regards.

  • J.H. Speed

    Hi Ion!

    Thanks for providing us with an excellent site! :)

    Was really looking forward to trying out this HoneyDrive, but it looks like the download link is broken.
    Hope you are able to remedy this soon.

    Regards.

    • http://bruteforce.gr Ion

      Hello there.

      I have changed the name from HoneyBox to HoneyDrive for copyright/trademark reasons, and SourceForge has not yet completed the changes to the project. But, you can get the latest VMDK file by clicking on this link: http://sourceforge.net/projects/honeybox/files/latest/download

      Regards.

      Edit: Seems like the direct download link above does not work anymore. I guess we should wait some time for SourceForge to complete the changes.

      • J.H. Speed

        Yes, you are correct, it looks like SourceForge is experiencing problems with this download.

        Are there any other sites that can be used for download?

  • Black September

    Hi Ion!

    I finally got to download HoneyDrive after the project had to change its name and I’d like to give you some feedback.

    + Honeydrive is ridiculously easy to set up
    + The builtin Kippo-Graph looks great and is easy to use
    + Its an excellent tool for gathering statistics and malware analysis
    + It will save hours and hours of my spare time reading through logs (yep, that made the wife happy too :) )
    - The NIC would not start; I had to start it manually – not a big deal :)

    Even though I only started scratching the surface, it has already exceeded my expectations – 10/10!

    I have some questions though:

    1 – HoneyDrive is running on an Ubuntu Server 11.10; would you recommend staying with this version, or will it survive an update?

    2 – Kippo has a pseudo file system, but there are two real directories as well – /etc and /proc. From your experience, would you add additional files/directories or leave it as it is?

    3 – Do you know of any other ready-to-use python scripts that can be added to the kippo/kippo/commands directory or will i have to build them myself?

    Again, great stuff, thanks a million!

    • http://bruteforce.gr Ion

      Hello Black September :)

      Thanks very much for the feedback, I appreciate it! It’s nice to hear that it works as it is supposed to :)

      About your questions:
      1) I use 11.10 because it just “works”. You can upgrade it if you like, yes.
      2) You can either leave them as is, or you can add your own files. It’s entirely up to you. You can also modify the existing files to add more bogus info (these are called honeytokens), for example new accounts in the /etc/passwd file.
      3) No sorry, I guess you will have to code any further commands.

      Regards!

      • Black September

        Thanks for your reply Ion.

        Yep, I basically figured that much.

        Already started using createfs.py and editing the current Python scripts to mirror an OpenBSD filesystem and environment.

        Looking forward to 0.2 :)

        //BlackSept.
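
Ion’s answer above suggests adding bogus accounts to Kippo’s fake /etc/passwd as honeytokens. The script below is an added example (not part of HoneyDrive or Kippo) of doing that safely: it validates the 7-field passwd layout, refuses duplicate usernames or UIDs, and reports which names are decoys so later attacker commands that touch them can be spotted. The honeyfs path and the sample passwd text are assumptions, not taken from the page.

```python
"""Add honeytoken accounts to Kippo's emulated /etc/passwd.

Added example, not code from HoneyDrive or Kippo. It assumes Kippo's
fake filesystem files live under honeyfs/ in the Kippo directory (the
HONEYFS_PASSWD path below is an assumption) and that the file uses the
standard 7-field passwd layout.
"""
import re
from typing import List

HONEYFS_PASSWD = "/home/honeydrive/kippo/honeyfs/etc/passwd"  # assumed path
PASSWD_FIELDS = 7
# Conservative POSIX-style username check: lowercase start, 1-32 chars.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Constructed sample in the shape of a minimal fake /etc/passwd.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
    "nobody:x:65534:65534:nobody:/nonexistent:/bin/sh\n"
)


def parse_passwd(text: str) -> List[List[str]]:
    """Split passwd text into field lists, rejecting malformed lines."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != PASSWD_FIELDS:
            raise ValueError(f"line {lineno}: expected {PASSWD_FIELDS} fields, got {len(fields)}")
        rows.append(fields)
    return rows


def conflicts(text: str, name: str, uid: int) -> List[str]:
    """Problems that would make the new honeytoken entry inconsistent."""
    problems = []
    if not USERNAME_RE.match(name):
        problems.append(f"invalid username {name!r}")
    for fields in parse_passwd(text):
        if fields[0] == name:
            problems.append(f"username {name} already exists")
        if int(fields[2]) == uid:
            problems.append(f"uid {uid} already used by {fields[0]}")
    return problems


def add_honeytoken(text: str, name: str, uid: int, gid: int, gecos: str,
                   home: str, shell: str = "/bin/bash") -> str:
    """Return passwd text with one extra, plausible-looking account appended."""
    problems = conflicts(text, name, uid)
    for value in (gecos, home, shell):
        if ":" in value or "\n" in value:
            problems.append(f"field {value!r} contains a separator")
    if problems:
        raise ValueError("; ".join(problems))
    entry = ":".join([name, "x", str(uid), str(gid), gecos, home, shell])
    return text.rstrip("\n") + "\n" + entry + "\n"


def honeytoken_names(text: str, original: str) -> List[str]:
    """Usernames present in text but not in the original file: the decoy
    accounts whose appearance in attacker commands is a strong signal."""
    before = {f[0] for f in parse_passwd(original)}
    return [f[0] for f in parse_passwd(text) if f[0] not in before]


if __name__ == "__main__":
    updated = add_honeytoken(SAMPLE_PASSWD, "backup", 1001, 1001,
                             "Backup Operator", "/home/backup")
    updated = add_honeytoken(updated, "oracle", 1002, 1002,
                             "Oracle Database", "/opt/oracle")
    print(updated)
    print("honeytokens:", honeytoken_names(updated, SAMPLE_PASSWD))
    # To apply to a live Kippo, write `updated` to HONEYFS_PASSWD after
    # backing up the original file.
```

Pick decoy names an intruder would find tempting (backup, oracle, a service account) and keep the list from honeytoken_names alongside the log: a Kippo session that runs su, cat /etc/shadow or ssh with one of those names is almost certainly a human looking around rather than a scanner.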

  • mike

    Excellent project. I might suggest releasing your next version in OVF template format.

    http://en.wikipedia.org/wiki/Open_Virtualization_Format

    Within VMware Workstation there is a simple File -> Export to OVF option; there is still a packaging issue.

    I much prefer to work with an OVF template; it facilitates the movement onto ESX so much more reliably.

    keep up the good work!

    • http://bruteforce.gr Ion

      Hello mike :)
      Thanks for your comment and for the suggestion!

      Unfortunately I don’t use VMware but VirtualBox. However, it has a similar export option that I will use in the future version :)

      Regards.

  • jim

    So I have Kippo started and listening on port 22. However, I cannot SSH to it with PuTTY; I just get connection refused. However, an nmap scan is actually showing it open.

    • jim

      Never mind. I realized the problem. For some reason, I am unable to connect directly from the same native machine hosting the VM itself. Weird.

      • http://bruteforce.gr Ion

        Hello jim.
        Glad to hear you have figured this out.
        Let me know how HoneyDrive works for you.
        Regards.

  • Alex

    Hi,

    I’ve been running HoneyDrive for a few hours now and threw a few attacks at it with Medusa and Hydra, and it does not pick up the automated attacks. However, when I try by hand there are no problems. Any ideas of what could have gone wrong, or is it simply undefined behaviour?

    Alex.

  • Wilhelm-Jan

    @Alex:

    As currently only Kippo is included, I think that’s just normal behaviour.
    I run my own Kippo/Dionaea based honeypots, and for Kippo it’s only SSH that’s being logged.

    So depending on what kind of automatic attack you’re running, it might not be noticed since it might not be on the Kippo port.

    I myself run a Snort inline logging firewall/gateway (basically Honeywall), with a couple of honeypots behind it. Kippo logs everything on port 22 (low interaction part), and the gateway logs everything else (high interaction part).

    • http://bruteforce.gr Ion

      Thanks for stepping in Wilhelm :)
      PS. I had to rewrite your comment by myself after a wordpress hiccup.
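
The exchange above turns on what Kippo actually records: only SSH login attempts and session commands, per source IP. The script below is an added example (not part of HoneyDrive, Kippo or Kippo-Graph) that parses log lines of that shape, summarises them per attacker IP and flags sources that hammer the honeypot inside a short window, which is the quickest way to check whether a Hydra or Medusa run against port 22 was seen at all. The sample lines are constructed in the layout Kippo 0.x writes to kippo.log; the exact format is assumed from memory and may differ between versions.

```python
"""Summarise what a Kippo log records, per source IP.

Added example, not part of HoneyDrive or Kippo. SAMPLE_LOG is constructed
in the shape Kippo writes to kippo.log (timestamp, Twisted logger
context in brackets, message); the format is assumed and may vary.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4}) "
    r"\[SSHService ssh-userauth on HoneyPotTransport,(?P<session>\d+),(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/]*)/(?P<password>.*)\] (?P<result>failed|succeeded)$"
)
CMD_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[HoneyPotProtocol,(?P<session>\d+),(?P<ip>[\d.]+)\] CMD: (?P<cmd>.*)$"
)

SAMPLE_LOG = """\
2013-01-16 10:21:05+0000 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 203.0.113.7:51234 (10.0.0.5:2222) [session: 12]
2013-01-16 10:21:06+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.7] login attempt [root/123456] failed
2013-01-16 10:21:07+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.7] login attempt [root/password] failed
2013-01-16 10:21:08+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.7] login attempt [root/toor] succeeded
2013-01-16 10:21:15+0000 [HoneyPotProtocol,12,203.0.113.7] CMD: uname -a
2013-01-16 10:40:00+0000 [SSHService ssh-userauth on HoneyPotTransport,13,198.51.100.9] login attempt [admin/admin] failed
"""


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S%z")


def parse_logins(lines) -> List[dict]:
    """Login-attempt events with parsed timestamps; other lines are skipped."""
    events = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = parse_ts(event["ts"])
            events.append(event)
    return events


def summarize(lines) -> Dict[str, dict]:
    """Per-IP counts of failed/successful logins, usernames tried, commands run."""
    per_ip: Dict[str, dict] = defaultdict(
        lambda: {"failed": 0, "succeeded": 0, "usernames": set(), "commands": []})
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            entry = per_ip[m["ip"]]
            entry[m["result"]] += 1
            entry["usernames"].add(m["user"])
            continue
        m = CMD_RE.match(line)
        if m:
            per_ip[m["ip"]]["commands"].append(m["cmd"])
    return dict(per_ip)


def flag_bruteforce(events: List[dict], threshold: int = 10,
                    window_seconds: int = 60) -> List[str]:
    """IPs that made at least `threshold` attempts inside any sliding window."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, info in summarize(lines).items():
        print(ip, info)
    print("brute-force sources:", flag_bruteforce(parse_logins(lines), threshold=3))
```

If a tool run from the host never shows up in summarize(), the traffic did not reach Kippo’s listener at all (wrong port, NAT, or the host-to-guest path jim describes above), which is a network problem rather than a logging one.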

  • ziplock

    It doesn’t include Dionaea or Honeyd as advertised in the “update” section of this page. As far as I can see, it only has Kippo. Am I overlooking something? Also, SourceForge says it has Dionaea and Honeyd… ???

    • http://bruteforce.gr Ion

      Hello ziplock, as mentioned here: http://bruteforce.gr/announcing-honeydrive.html, “NOTE: The description is not very accurate for the current state of HoneyDrive. Right now only Kippo SSH honeypot and its related tools are included, but all of the above will be present in future releases.”

      Sorry about that, I guess. I will release a new HoneyDrive version based on Xubuntu (with GUI) including the missing tools plus some other honeypot/malware-related utilities.

      Regards.

    • http://bruteforce.gr Ion

      If you are subscribed to new comments, just to let you know that HoneyDrive Desktop version was released and it includes Kippo, Honeyd, Dionaea and much more! :)

  • Jon

    Anyone have any luck getting this running on ESXi 5?
    When I try to install the OVA via “Deploy OVF Template” I get an error regarding unsupported hardware (VirtualBox). When I extract the OVA into a VMDK, a custom VM creation does not even let me see or select the VMDK file.

  • Ken Pryor

    Hello! I have imported and am successfully running HoneyDrive. However, I am having one problem with Dionaea and I was hoping you could suggest a solution. When I start the program, it is never able to bind port 80. I have put in the specific IP address of the HoneyDrive VM in dionaea.conf instead of going with the default, but it is still unable to bind the port. No other ports are having this problem, only port 80. Do you have any suggestions on how I might fix this?

    Thank you very much for your hard work putting this great VM together!

    Ken

  • Ken Pryor

    Please disregard, I believe I have it figured out. Thanks!
    Ken

    • http://bruteforce.gr Ion

      Hello Ken. Glad you found the solution.
      Did it happen because Apache was already bound to that port? By the way, Dionaea mostly focuses on port 445 (SMB/CIFS); that’s the mechanism for capturing malware and the like. Ports 80 and 443 are mostly there to log connections (if any).
      Regards.

  • Ken Pryor

    Hi! Yes, Apache was the problem. I got it sorted now. So far, I’m getting lots of connections on ports 80, 443, 1433 and 3306, but no SMB unfortunately. Hoping that will change. I have my firewall set to forward all port 445 requests from the Internet to my HoneyDrive, so hope it will eventually get something.

    Ken

  • Ken Pryor

    I went to grc.com from my HoneyDrive and used the Shields Up page to scan my ports and see what’s showing as available. It reports port 445 is “stealth”, meaning it is not reporting itself as being in existence to the scanner. Any idea why the scan might not be able to see 445? This may be why I’m not getting any binaries or 445 connections.

  • Ken Pryor

    Sorry to keep posting, but thought I’d update a little. I ran an nmap scan from the host computer to the HoneyDrive vm and found that port 445 on the HoneyDrive is open. I have it open on my firewall too, so I’m starting to wonder if the port is being blocked by my ISP. The ISP told me they don’t block ports, but I’m starting to wonder.

    • http://bruteforce.gr Ion

      Hello Ken and happy new year. No problem, do keep us updated.

      I was about to suggest the same thing. My (Greek) ISP seemed to be blocking port 445 as well on my home connection (I didn’t ask them about it though). The reality is, this might be a “good” move by them. I have set up Dionaea on a VPS and the amount of automated exploits by worms on 445 is just enormous! Microsoft itself advocates filtering specific ports related to SMB/CIFS on public IP addresses. I guess this might be the case here. My advice would be to call your ISP support and speak with the technical office (not the first line of staff), who will inform you correctly on this matter.

      Regards.

  • Ken Pryor

    I think that must be the case. I made sure 445 was open here locally and then ran the online nmap scan against my public IP. It reported 445 among the ports being filtered. Many of my other ports are open, like 21, 22, 80, 443, so I’m still getting traffic, just not SMB traffic. Having a VPS would be nice, but can’t do that at the moment.

    • Ken Pryor

      Since 445 seems to be filtered by my ISP, I decided to give Kippo a try. I haven’t received any “real” traffic on it yet, but I have tested it and am sure real traffic can get to it. Looking forward to giving Kippo a long run. Thanks again for HoneyDrive, it sure makes it easy to get started!
      Ken

  • AdrianPas

    Hello Ion,

    Nice job. I want to ask you, is it possible to have an OVF compatible with VMware ESXi 5? I have tried to import it and unfortunately I receive this error:
    “Error: OVF Package is not supported by target:
    – Line 265: Unsupported hardware family ‘virtualbox-2.2’.
    Completed with errors”

    I suppose it is because you have used VirtualBox and there may be a compatibility issue with Vmware.
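
Jon and AdrianPas both hit the same wall: the OVA is exported by VirtualBox, and VMware’s deployer refuses the `virtualbox-2.2` hardware family. The script below is an added example, not HoneyDrive’s own VMware instructions, of the usual workaround, which is assumed here rather than taken from the page: rewrite the OVF descriptor’s VirtualSystemType to a VMware family (vmx-07 is assumed; use whatever your ESXi version accepts) and regenerate the SHA1 manifest so the deployer’s checksum step still passes. The OVF text and the disk bytes are constructed; a real OVA carries multi-GB disks, so a production version should stream them rather than read everything into memory as this example does.

```python
"""Repack a VirtualBox-exported OVA so VMware's OVF deployer accepts it.

Added example, not HoneyDrive's own instructions. The workaround assumed
here: rewrite VirtualSystemType to a VMware family and regenerate the
SHA1 manifest. SAMPLE_OVF and SAMPLE_DISK are constructed stand-ins.
"""
import hashlib
import io
import re
import tarfile
from typing import Dict, Tuple

TARGET_FAMILY = "vmx-07"  # assumed; pick the family your ESXi accepts
TYPE_RE = re.compile(r"(<vssd:VirtualSystemType>)([^<]*)(</vssd:VirtualSystemType>)")

SAMPLE_OVF = """<?xml version="1.0"?>
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
  xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData">
  <VirtualSystem>
    <VirtualHardwareSection>
      <System>
        <vssd:VirtualSystemType>virtualbox-2.2</vssd:VirtualSystemType>
      </System>
    </VirtualHardwareSection>
  </VirtualSystem>
</Envelope>
"""
SAMPLE_DISK = b"KDMV\x01\x00\x00\x00 constructed stand-in for HoneyDrive-disk1.vmdk"


def rewrite_family(ovf_text: str, family: str = TARGET_FAMILY) -> Tuple[str, int]:
    """Replace every VirtualSystemType value; returns (new text, count)."""
    return TYPE_RE.subn(lambda m: m.group(1) + family + m.group(3), ovf_text)


def manifest_for(files: Dict[str, bytes]) -> str:
    """OVF manifest text: one 'SHA1(name)= hex' line per file."""
    return "".join(f"SHA1({name})= {hashlib.sha1(data).hexdigest()}\n"
                   for name, data in files.items())


def manifest_ok(mf_text: str, files: Dict[str, bytes]) -> bool:
    """True when every manifest line matches the corresponding file."""
    for line in mf_text.splitlines():
        m = re.match(r"SHA1\((.+)\)= ([0-9a-f]{40})$", line)
        if not m or m.group(1) not in files:
            return False
        if hashlib.sha1(files[m.group(1)]).hexdigest() != m.group(2):
            return False
    return True


def unpack_ova(ova: bytes) -> Dict[str, bytes]:
    with tarfile.open(fileobj=io.BytesIO(ova)) as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}


def pack_ova(files: Dict[str, bytes]) -> bytes:
    """Uncompressed tar with the .ovf first and .mf second, per the OVF spec."""
    order = sorted(files, key=lambda n: (not n.endswith(".ovf"), not n.endswith(".mf"), n))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in order:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def convert_ova(ova: bytes, family: str = TARGET_FAMILY) -> bytes:
    files = unpack_ova(ova)
    ovf_name = next(n for n in files if n.endswith(".ovf"))
    mf_name = next((n for n in files if n.endswith(".mf")), None)
    text, count = rewrite_family(files[ovf_name].decode(), family)
    if count == 0:
        raise ValueError("no VirtualSystemType element found in " + ovf_name)
    files[ovf_name] = text.encode()
    if mf_name:  # a stale manifest fails the deployer's checksum step
        files[mf_name] = manifest_for({n: d for n, d in files.items() if n != mf_name}).encode()
    return pack_ova(files)


def family_of(ova: bytes) -> str:
    files = unpack_ova(ova)
    ovf = next(d for n, d in files.items() if n.endswith(".ovf")).decode()
    return TYPE_RE.search(ovf).group(2)


def build_sample_ova() -> bytes:
    """A constructed OVA in the shape VirtualBox exports (ovf, mf, disk)."""
    files = {"HoneyDrive.ovf": SAMPLE_OVF.encode(), "HoneyDrive-disk1.vmdk": SAMPLE_DISK}
    files["HoneyDrive.mf"] = manifest_for(files).encode()
    return pack_ova(files)


if __name__ == "__main__":
    converted = convert_ova(build_sample_ova())
    print("family now:", family_of(converted))
    # Real file: convert_ova(open("HoneyDrive.ova", "rb").read()) -> write to a new .ova
```

The manifest step matters as much as the type rewrite: the deployer verifies each file against the SHA1 in the .mf, so editing the descriptor without refreshing the manifest swaps one import error for another.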

  • Mezzomix

    hey ion,

    I tried INetSim on HoneyDrive and I had some trouble getting it running.

    The DNS port is already in use by the dnsmasq small DNS server which comes with Ubuntu. I have to disable it with sudo gedit /etc/NetworkManager/NetworkManager.conf and #dns=dnsmasq.

    HTTP port 80 is also in use by Apache. sudo apachectl -k stop and sudo service apache2 stop worked for me. The IRC port is used by ircd-hybrid and can be stopped with sudo service ircd-hybrid stop.

    Furthermore I edited /etc/resolv.conf with #nameserver

    Probably not the best way to get INetSim running.

    • http://bruteforce.gr/ Ion

      Hello Mezzomix, thanks for your comment!

      Yeah, I guess this is not an efficient way and I should change the auto-start program list in the next version, or post your corrections just in case. Let me know of any other problems or comments in general!

      Regards,
      Ion.

      • Mezzomix

        /etc/resolv.conf should not be edited. I was wrong in the post before.

        It seems that inetsim.conf isn’t read by INetSim itself. Only starting INetSim with sudo inetsim --bind-address= works fine. But a DNS query returns the default IP address 127.0.0.1 and not the one I wrote in the inetsim.conf file.

        That’s not a problem in your HoneyDrive; it is the same with a clean Ubuntu 12.04 installation.

      • Mezzomix

        Okay, for uncommenting the statements in the inetsim.conf file I had to delete the #. I didn’t think about it, because everything is written with #.
        I am still learning^^ Now everything is fine.

        P.S.: Cuckoo Sandbox and Volatility are interesting malware analysis tools. Maybe they would suit your HoneyDrive.

        Thanks for your work so far.
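
Ken Pryor’s Dionaea could not bind port 80 because Apache held it, and Mezzomix found dnsmasq, Apache and ircd-hybrid sitting on the ports INetSim wants. The script below is an added example (not part of HoneyDrive) of checking for exactly that before starting a honeypot: it parses `ss -ltnp` output, matches listening ports against the ports the honeypots need, and prints the holder plus the fix reported in the comments. The port-to-honeypot map and the remedies are assumptions drawn from this page, and the sample `ss` text is constructed (both the older `"apache2",1410,4` and the newer `pid=1533,fd=6` user formats are handled).

```python
"""Find which local services already hold the ports a honeypot wants.

Added example, not part of HoneyDrive. SAMPLE_SS is constructed to look
like `ss -ltnp` output; HONEYPOT_PORTS and REMEDY are assumptions taken
from the comments on this page.
"""
import re
import subprocess
from typing import Dict, List, Optional

# port -> honeypot service that wants to bind it (assumed from the page)
HONEYPOT_PORTS: Dict[int, str] = {
    22: "Kippo SSH",
    53: "INetSim DNS",
    80: "Dionaea / INetSim HTTP",
    443: "Dionaea HTTPS",
    445: "Dionaea SMB",
    6667: "INetSim IRC",
}
# Fixes reported by Mezzomix in the comments above.
REMEDY: Dict[str, str] = {
    "apache2": "sudo service apache2 stop",
    "ircd-hybrid": "sudo service ircd-hybrid stop",
    "dnsmasq": "comment out dns=dnsmasq in /etc/NetworkManager/NetworkManager.conf",
}

SS_LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+"
    r"(?:\s+users:\(\(\"(?P<proc>[^\"]+)\",(?:pid=)?(?P<pid>\d+))?"
)

SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port     Peer Address:Port
LISTEN     0      5      127.0.0.1:53           *:*      users:(("dnsmasq",1207,5))
LISTEN     0      128    *:80                   *:*      users:(("apache2",1410,4),("apache2",1409,4))
LISTEN     0      128    *:3306                 *:*      users:(("mysqld",1102,10))
LISTEN     0      128    :::6667                :::*     users:(("ircd-hybrid",pid=1533,fd=6))
LISTEN     0      128    *:2222                 *:*
"""


def parse_ss(output: str) -> List[dict]:
    """Listening sockets as {addr, port, proc, pid}; proc is None without -p/root."""
    listeners = []
    for line in output.splitlines():
        m = SS_LINE_RE.match(line.strip())
        if not m:
            continue
        addr, port = m["local"].rsplit(":", 1)
        listeners.append({
            "addr": addr,
            "port": int(port),
            "proc": m["proc"],
            "pid": int(m["pid"]) if m["pid"] else None,
        })
    return listeners


def find_conflicts(listeners: List[dict], wanted: Dict[int, str]) -> List[dict]:
    """Ports in `wanted` that are already bound, with the holder and a remedy."""
    conflicts = []
    for sock in listeners:
        if sock["port"] in wanted:
            conflicts.append({
                "port": sock["port"],
                "wanted_by": wanted[sock["port"]],
                "held_by": sock["proc"] or "unknown",
                "pid": sock["pid"],
                "remedy": REMEDY.get(sock["proc"], "stop or reconfigure the holder"),
            })
    return sorted(conflicts, key=lambda c: c["port"])


def live_listeners() -> Optional[List[dict]]:
    """Run ss on this host; needs root to see process names."""
    try:
        out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_ss(out)


if __name__ == "__main__":
    listeners = live_listeners() or parse_ss(SAMPLE_SS)
    for c in find_conflicts(listeners, HONEYPOT_PORTS):
        print(f"port {c['port']} ({c['wanted_by']}) held by {c['held_by']} "
              f"pid={c['pid']}: {c['remedy']}")
```

Run it as root before starting Dionaea or INetSim; a port that shows no holder at all but still fails to bind is usually the ISP or firewall filtering case Ken ran into on 445, which this check cannot see.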

  • mfh17

    Hi … I’m having some installation issues; maybe you can help? When I try to import into VirtualBox, I get issues with the VMDK being corrupt. So, I tried extracting the OVF so I could access the files inside, but half-way through I get a 7-Zip error of “… vmdk: file is broken”.

    Have you seen either issue elsewhere, and what can I do to get past them? I am installing onto Windows 7.

    • http://bruteforce.gr/ Ion

      Hello mfh17 and thanks for trying (to try) out HoneyDrive :)

      Importing the OVA into VirtualBox shouldn’t raise any problems. So I guess that the file might be truly corrupted after all, mostly due to a download error or something. Please try downloading it again and verify that the MD5 value is equal to: “f6aa9d7687eea635e79d42bc342a4563”. You can use a utility like this one: http://www.softoxi.com/md5–sha-1-checksum-utility.html to calculate the MD5.

      Regards,
      Ion.

  • Drafter

    Hi, I’m having problems with the root account, any help please..

    • http://bruteforce.gr/ Ion

      Hello, what kind of problem do you have? As per the instructions, the default username/password combination is: honeydrive/honeydrive. You can then “sudo” from inside the system. Regards.

  • Krytical

    When I attempt to import the VM, I get a message that I must accept some agreement before I can import… a window comes up but no agreement text… just an agree and disagree button… so I hit agree… the window closes and opens back up… rinse and repeat… any ideas?

  • http://www.facebook.com/ashrafluffy Ashraf Luffy

    Can you give me an example of a topology to do this honeypot?

  • Mara

    I cannot connect to HoneyDrive via SSH (PuTTY).
    I get the message “Network error: Connection Timed Out”.
    I have installed HoneyDrive on a VM in the cloud: https://okeanos.grnet.gr/home/
    (the OVA file was transformed to a .raw file, then from this .raw file an image was created, from which I created a VM).
    Do you have any idea?

    • http://bruteforce.gr/ Ion

      Hello Mara, not sure why this happens, but in any case HoneyDrive was not designed to be uploaded to the cloud. Okeanos is great by the way :) Regards.

      • Mara

        So, what would you suggest?
        I need to have HoneyDrive running continuously… maybe use OpenVZ??
        My thesis is about honeypots and I would like to include HoneyDrive results…
        your work has been very helpful by the way, thank you!!! :-)
        …(I am waiting for Okeanos’ admin’s answer about why I can’t connect to HoneyDrive)…

      • http://bruteforce.gr/ Ion

        Hm, I don’t know. I suggest you try again one more time before concluding it doesn’t work out of the box. Otherwise, you can always set up your own honeypots on the VPS. Is there a particular honeypot you need to test (e.g. Kippo)? Regards.

      • Mara

        No, no particular honeypot.
        I have installed Kippo, Dionaea and Glastopf and played a little…
        and HoneyDrive has a lot more, so I think it is worth a try (and my supervisor thinks the same) :-P

        By the way, I think it might work on the cloud… ;-)
        I still have some connection issues but Okeanos’ helpdesk has been very helpful and immediate… :-)
        If it works, I will give feedback…

      • http://bruteforce.gr/ Ion

        That is nice! Let me know how it turns out because I want to try uploading it to Okeanos as well when I find some free time. By the way, you can directly contact me through the contact form on the menu with more info on your thesis. I have completed a similar thesis for my undergrad studies and also written two conference papers on the subject and I am always interested :) Regards.
