HoneyDrive

HoneyDrive is the premier honeypot Linux distro. It is a virtual appliance (OVA) with Xubuntu Desktop 12.04.4 LTS edition installed. It contains over 10 pre-installed and pre-configured honeypot software packages such as Kippo SSH honeypot, Dionaea and Amun malware honeypots, Honeyd low-interaction honeypot, Glastopf web honeypot and Wordpot, Conpot SCADA/ICS honeypot, Thug and PhoneyC honeyclients and more. Additionally it includes many useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, DionaeaFR, an ELK stack and much more. Lastly, almost 90 well-known malware analysis, forensics and network monitoring related tools are also present in the distribution.

DOWNLOAD HoneyDrive:

Important!

The latest version of HoneyDrive Desktop, released on July 2014, is hosted at SourceForge.net: http://sourceforge.net/projects/honeydrive/

Please take a look at the README.txt file on SourceForge (also included inside the virtual disk) to see where everything is located.

INSTALLATION:

After downloading the file, you simply have to import the virtual appliance to your virtual machine manager/hypervisor (suggested software: Oracle VM VirtualBox). If you want to use HoneyDrive in VMware products (Workstation, ESXi, etc) please read this: Setup HoneyDrive on VMware

FEATURES:

  • Virtual appliance based on Xubuntu 12.04.4 LTS Desktop.
  • Distributed as a single OVA file, ready to be imported.
  • Full LAMP stack installed (Apache 2, MySQL 5), plus tools such as phpMyAdmin.
  • Kippo SSH honeypot, plus Kippo-Graph, Kippo-Malware, Kippo2MySQL and other helpful scripts.
  • Dionaea malware honeypot, plus DionaeaFR and other helpful scripts.
  • Amun malware honeypot, plus helpful scripts.
  • Glastopf web honeypot, along with Wordpot WordPress honeypot.
  • Conpot SCADA/ICS honeypot.
  • Honeyd low-interaction honeypot, plus Honeyd2MySQL, Honeyd-Viz and other helpful scripts.
  • LaBrea sticky honeypot, Tiny Honeypot, IIS Emulator and INetSim.
  • Thug and PhoneyC honeyclients for client-side attacks analysis, along with Maltrieve malware collector.
  • ELK stack: ElasticSearch, Logstash, Kibana for log analysis and visualization.
  • A full suite of security, forensics and anti-malware tools for network monitoring, malicious shellcode and PDF analysis, such as ntop, p0f, EtherApe, nmap, DFF, Wireshark, Recon-ng, ClamAV, ettercap, MASTIFF, Automater, UPX, pdftk, Flasm, Yara, Viper, pdf-parser, Pyew, Radare2, dex2jar and more.
  • Firefox add-ons pre-installed, plus extra helpful software such as GParted, Terminator, Adminer, VYM, Xpdf and more.

HoneyDrive 3 RELEASE NOTES:

1) HoneyDrive 3 has been created entirely from scratch. It is based on Xubuntu Desktop 12.04.4 LTS edition and it is distributed as a standalone OVA file that can be easily imported as a virtual machine using virtualization software such as VirtualBox and VMware.

2) All the honeypot programs from the previous version of HoneyDrive are included, while they have also been upgraded to their latest versions and converted almost entirely to cloned git repos for easier maintenance and updating. This latter fact on its own could be considered reason enough to release the new version.

3) Many new honeypot programs have been installed that really make HoneyDrive 3 “complete” in terms of honeypot technology, plus around 50(!) new security related tools in the fields of malware analysis, forensics and network monitoring.

4) The main honeypot software packages and BruteForce Lab’s projects reside in /honeydrive. The rest of the programs reside in /opt. The location of all software can be found inside the README.txt file on the desktop.

5) HoneyDrive 3 doesn’t make itself as known to the outside world as the previous version. There are no descriptive messages and, apart from Kippo-Graph and Honeyd-Viz, no other piece of software is accessible from the outside (unless you configure it otherwise, or even lock down Kippo-Graph and Honeyd-Viz as well).

A note on versioning: previous versions of HoneyDrive started with a zero (0.1 and 0.2) which seemed confusing to some. I didn’t like it either and in the end I decided to “renumber” those as versions 1 and 2, essentially making this new version HoneyDrive 3, i.e. the third official release.

FREQUENTLY ASKED QUESTIONS:

  1. Why use HoneyDrive?
    HoneyDrive saves you time! It has all the major honeypot-related software pre-installed and pre-configured to work out of the box (or with some configuration options of your liking). As I have seen many times in comments or support requests I get, setting up a honeypot system is not always easy. This is especially true for new infosec enthusiasts or sysadmins, and for “hard” to set up software like Dionaea, for example.
  2. What utilities and software are included in HoneyDrive?
    HoneyDrive contains all the major honeypot-related software and a ton more useful tools. For a complete list you’ll have to take a look at the README.txt file included in the virtual appliance (you’ll find it on the desktop) or online at the downloads section of SourceForge (link above).
  3. Why isn’t [insert-name-here] included in HoneyDrive?
    Unfortunately I can’t keep track of every different piece of software. But, I’m very open to suggestions about HoneyDrive! If you know a tool that could be of benefit please let me know by leaving a comment on this page and it will be included in the next release of HoneyDrive.
  4. What is the password for [insert-name-here]?
    Again, your best bet is reading the README.txt file included in the virtual appliance or found online at the downloads section of SourceForge (link above). Every password you will need is included in its appropriate section.

SCREENSHOTS:

CHANGELOG:

HoneyDrive 3

  • Upgraded ALL existing honeypot software to the corresponding latest versions.
  • Converted ALL existing honeypot software to cloned git repos for easier maintenance.
  • Removed distinguishable HoneyDrive artifacts and secured access to web tools.
  • Added Kippo-Malware and Kippo2ElasticSearch.
  • Added Conpot SCADA/ICS honeypot.
  • Added PhoneyC honeyclient.
  • Added maltrieve malware downloader.
  • Added the ELK stack (ElasticSearch, Logstash, Kibana).
  • Added the following security tools: dnstop, MINI DNS Server, dnschef, The Sleuth Kit + Autopsy, TekCollect, hashMonitor, corkscrew, cryptcat, socat, hexdiff, pdfid, disitool, exiftool, Radare2, chaosreader, netexpect, tcpslice, mitmproxy, mitmdump, Yara, Recon-ng, SET (Social-Engineer Toolkit), MASTIFF + MASTIFF2HTML, Viper, Minibis, Nebula, Burp Suite, xxxswf, extract_swf, Java Decompiler (JD-GUI), JSDetox, extractscripts, AnalyzePDF, peepdf, officeparser, DensityScout, YaraGenerator, IOCExtractor, sysdig, Bytehist, PackerID, RATDecoders, androwarn, passivedns, BPF Tools, SpiderFoot, hashdata, LORG.
  • Added the following extra software: 7zip, Sagasu.
  • Added the following Firefox add-ons: Disconnect, Undo Closed Tabs Button, PassiveRecon.
  • Removed the following software: Kojoney, mwcrawler, Vidalia, ircd-hybrid, DNS Query Tool, DNSpenTest, VLC, Parcellite, Open Penetration Testing Bookmarks Collection (Firefox).


  • http://Tekdefense.com 1aNormus

    Thanks for putting this out. Been playing with the distro for the last few hours, and I am impressed with the package. This will be perfect for some honeypot training I plan to put out soon.

    Thank you,
    1aN0rmus

    • http://bruteforce.gr Ion

      Hello Normus, thanks for your comment!

      I plan to include more software to it soon (so be sure to check from time to time) and perhaps create a lightweight desktop version (think Xubuntu/Lubuntu) with some GUI tools as well.

      The current version includes everything that has to do with Kippo SSH honeypot. It’s a good start in the domain of honeypots and you’ll get some interesting results. I’d be happy to see some of them.

      Regards.

      • letrath

        Hello. I tried to contact you via the contact form but it’s not working, I guess? Could you send me your mail address so I can ask a question, please? I wanted you to show it on my private IP if you have time. Thanks.

  • nexus

    Hello, this is very nice. I am very new to this stuff; I downloaded the HoneyBox but now what?
    From the several VMDK drives in the rar, which one must I use? Any info on how to install this in VB?

    I am sorry for my noobiness but I would love some assistance.

    Thank you very much
    Nexus

    • http://bruteforce.gr Ion

      Hello Nexus, it’s quite simple really: you have to extract the files, create a new virtual machine and select the “HoneyBox.vmdk” file as its hard disk drive (ignore the other files but don’t delete them!). You can then start Kippo by executing the “start.sh” script residing inside the /home/honeybox/kippo dir.

      See the README file here: http://sourceforge.net/projects/honeybox/files/HoneyBox%20v0.1%20%5BKippo%20in%20a%20Box!%5D/ for more information.

      Regards.

  • nexus

    Thank you very much Ion, I appreciate your assistance. I will test it ASAP :)

    Regards
    Nexus

  • George

    Hi Ion,

    I am George again!

    I have two questions about Honeybox.

    1) HoneyBox, is its function similar to that of Dionaea? Does it simulate services to catch malware?

    2) Is it necessary to use a virtual machine, or can I install HoneyBox on a physical machine? Do you recommend Debian or Ubuntu?

    Regards.

    • http://bruteforce.gr Ion

      Hello again George.

      1) Not yet. So far only Kippo is installed. Dionaea and other honeypots will be included in future versions.

      2) The format of the drive is VMDK which is used by virtual machines. I don’t fully recommend it but you can convert a virtual drive to a physical one. See this: https://www.vmware.com/support/v2p/index.html. Also, Debian and Ubuntu are both fine, but I tend to go with Ubuntu.

      Regards.

  • J.H. Speed

    Hi Ion!

    Thanks for providing us with an excellent site! :)

    Was really looking forward to trying out this HoneyDrive, but it looks like the download link is broken.
    Hope you are able to remedy this soon.

    Regards.

    • http://bruteforce.gr Ion

      Hello there.

      I have changed the name from HoneyBox to HoneyDrive for copyright/trademark reasons, and SourceForge has not yet completed the changes to the project. But, you can get the latest VMDK file by clicking on this link: http://sourceforge.net/projects/honeybox/files/latest/download

      Regards.

      Edit: Seems like the direct download link above does not work anymore. I guess we should wait some time for SourceForge to complete the changes.

      • J.H. Speed

        Yes, you are correct, looks like sourceforge is experiencing problems with this download.

        Is there any other sites that can be used for download?

  • Black September

    Hi Ion!

    I finally got to download HoneyDrive after the project had to change its name and I’d like to give you some feedback.

    + HoneyDrive is ridiculously easy to set up
    + The built-in Kippo-Graph looks great and is easy to use
    + It’s an excellent tool for gathering statistics and malware analysis
    + It will save hours and hours of my spare time reading through logs (yep, that made the wife happy too :))
    - The NIC would not start during, had to start it manually – not a big deal :)

    Even though I only started scratching the surface, it has already exceeded my expectations – 10/10!

    I have some questions though:

    1 – HoneyDrive is running on an Ubuntu Server 11.10, would you recommend staying with this version or will it survive an update?

    2 – Kippo has a pseudo file system, but there are two real directories as well – /etc and /proc. From your experience, would you add additional files/directories or leave it as it is?

    3 – Do you know of any other ready-to-use Python scripts that can be added to the kippo/kippo/commands directory or will I have to build them myself?

    Again, great stuff, thanks a million!

    • http://bruteforce.gr Ion

      Hello Black September :)

      Thanks very much for the feedback, I appreciate it! It’s nice to hear that it works as it is supposed to :)

      About your questions:
      1) I use 11.10 because it just “works”. You can upgrade it if you like, yes.
      2) You can either leave them as is, or you can add your own files. It’s entirely up to you. You can also modify the existing files to add more bogus info (these are called honeytokens), for example new accounts in the /etc/passwd file.
      3) No sorry, I guess you will have to code any further commands.

      Regards!

      • Black September

        Thanks for your reply Ion.

        Yep, I basically figured that much.

        Already started using createfs.py and editing the current Python scripts to mirror an OpenBSD filesystem and environment.

        Looking forward to 0.2 :)

        //BlackSept.

  • mike

    Excellent project, I might suggest releasing your next version in OVF template format.

    http://en.wikipedia.org/wiki/Open_Virtualization_Format

    Within VMware Workstation there is a simple File -> Export to OVF option, but there is still a packaging issue.

    I much prefer to work with an OVF template, it facilitates the movement onto ESX so much more reliably.

    Keep up the good work!

    • http://bruteforce.gr Ion

      Hello mike :)
      Thanks for your comment and for the suggestion!

      Unfortunately I don’t use VMware but VirtualBox. Although, it has a similar export option that I will use in the future version :)

      Regards.

  • jim

    So I have Kippo started and listening on port 22. However, I cannot SSH to it with PuTTY, I just get connection refused. However, nmap is actually showing it as open.

    • jim

      Nevermind, I realized the problem. For some reason, I am unable to connect directly from the same native machine hosting the VM itself. Weird.

      • http://bruteforce.gr Ion

        Hello jim.
        Glad to hear you have figured this out.
        Let me know how HoneyDrive works for you.
        Regards.

  • Alex

    Hi,

    I’ve been running HoneyDrive for a few hours now, and threw a few attacks at it with Medusa and Hydra, and it does not pick up the automated attacks. However, when I try by hand there are no problems. Any ideas of what could have gone wrong, or is it simply undefined behaviour?

    Alex.

  • Wilhelm-Jan

    @Alex:

    As currently only Kippo is included, I think that’s just normal behaviour.
    I run my own Kippo/Dionaea based honeypots, and for Kippo it’s only SSH that’s being logged.

    So depending on what kind of automatic attack you’re running, it might not be noticed since it might not be on the Kippo port.

    I myself run a Snort inline logging firewall/gateway (basically Honeywall), with behind it a couple of honeypots. Kippo logs everything on port 22 (low interaction part), and the gateway logs everything else (high interaction part).

    • http://bruteforce.gr Ion

      Thanks for stepping in Wilhelm :)
      PS. I had to rewrite your comment by myself after a wordpress hiccup.

  • ziplock

    It doesn’t include Dionaea or Honeyd as advertised in the “update” section of this page. As far as I can see, it only has Kippo. Am I overlooking something? Also, SourceForge says it has Dionaea and Honeyd… ???

    • http://bruteforce.gr Ion

      Hello ziplock, as mentioned here: http://bruteforce.gr/announcing-honeydrive.html, “NOTE: The description is not very accurate for the current state of HoneyDrive. Right now only Kippo SSH honeypot and its related tools are included, but all of the above will be present in future releases.”

      Sorry about that, I guess. I will release a new HoneyDrive version based on Xubuntu (with GUI) including the missing tools plus some other honeypot/malware-related utilities.

      Regards.

    • http://bruteforce.gr Ion

      If you are subscribed to new comments, just to let you know that HoneyDrive Desktop version was released and it includes Kippo, Honeyd, Dionaea and much more! :)

  • Jon

    Anyone have any luck getting this running on ESXi 5?
    When I try to install the OVA via “Deploy OVF Template” I get an error regarding unsupported hardware (Virtualbox). When I extract the OVA into a VMDK, a custom VM creation does not even let me see or select the VMDK file.

  • Ken Pryor

    Hello! I have imported and am successfully running HoneyDrive. However, I am having one problem with Dionaea and I was hoping you could suggest a solution. When I start the program, it is never able to bind port 80. I have put in the specific IP address of the HoneyDrive VM in dionaea.conf instead of going with the default, but it is still unable to bind the port. No other ports are having this problem, only port 80. Do you have any suggestions on how I might fix this?

    Thank you very much for your hard work putting this great VM together!

    Ken

  • Ken Pryor

    Please disregard, I believe I have it figured out. Thanks!
    Ken

    • http://bruteforce.gr Ion

      Hello Ken. Glad you found the solution.
      Did it happen because Apache was previously bound to that port? By the way, Dionaea mostly focuses on port 445 (SMB/CIFS), that’s the mechanism for capturing malware and the like. Ports 80 and 443 are mostly to log connections (if any).
      Regards.

    • shahrooz

      Hi Ken

      I have the same problem with SMB. I got ports 80, 443, 1433 and 3306, but no SMB. How did you solve it?

      Thanks
      Shahrooz

  • Ken Pryor

    Hi! Yes, Apache was the problem. I got it sorted now. So far, I’m getting lots of connections on ports 80, 443, 1433 and 3306, but no SMB unfortunately. Hoping that will change. I have my firewall set to forward all port 445 requests from the Internet to my HoneyDrive, so hope it will eventually get something.

    Ken

  • Ken Pryor

    I went to grc.com from my HoneyDrive and used the Shields Up page to scan my ports and see what’s showing as available. It reports port 445 is “stealth”, meaning it is not reporting itself as being in existence to the scanner. Any idea why the scan might not be able to see 445? This may be why I’m not getting any binaries or 445 connections.

  • Ken Pryor

    Sorry to keep posting, but thought I’d update a little. I ran an nmap scan from the host computer to the HoneyDrive vm and found that port 445 on the HoneyDrive is open. I have it open on my firewall too, so I’m starting to wonder if the port is being blocked by my ISP. The ISP told me they don’t block ports, but I’m starting to wonder.

    • http://bruteforce.gr Ion

      Hello Ken and happy new year. No problem, do keep us updated.

      I was about to suggest the same thing. My (Greek) ISP seemed to have been blocking port 445 as well on my home connection (I didn’t ask them about it though). The reality is, this might be a “good” move by them. I have set up Dionaea on a VPS and the amount of automated exploits by worms on 445 is just enormous! Microsoft themselves advocates filtering specific ports related to SMB/CIFS on public IP addresses. I guess this might be the case here. My advice would be to call your ISP support and speak with the technical office (not the first-line of staff) who will inform you correctly on this matter.

      Regards.

  • Ken Pryor

    I think that must be the case. I made sure 445 was open here locally and then ran the online nmap scan against my public IP. It reported 445 among the ports being filtered. Many of my other ports are open, like 21, 22, 80, 443, so I’m still getting traffic, just not smb traffic. Having a vps would be nice, but can’t do that at the moment.

    • Ken Pryor

      Since 445 seems to be filtered by my ISP, I decided to give Kippo a try. I haven’t received any “real” traffic on it yet, but I have tested it and am sure real traffic can get to it. Looking forward to giving Kippo a long run. Thanks again for HoneyDrive, it sure makes it easy to get started!
      Ken

  • AdrianPas

    Hello Ion,

    Nice job. I want to ask you, is it possible to have an OVF compatible with VMware ESXi 5? I have tried to import it and unfortunately I receive this error:
    “Error: OVF Package is not supported by target:
    – Line 265: Unsupported hardware family ‘virtualbox-2.2’.
    Completed with errors”

    I suppose it is because you have used VirtualBox and there may be a compatibility issue with VMware.

  • Mezzomix

    hey ion,

    I tried INetSim on HoneyDrive and I had some trouble getting it running.

    The DNS port is already in use by the dnsmasq small DNS server which comes with Ubuntu. I had to disable it with sudo gedit /etc/NetworkManager/NetworkManager.conf and #dns=dnsmasq.

    HTTP port 80 is also in use by Apache. sudo apachectl -k stop and sudo service apache2 stop worked for me. The IRC port is used by ircd-hybrid and can be stopped with sudo service ircd-hybrid stop.

    Furthermore I edited /etc/resolv.conf with #nameserver

    Probably not the best way to get INetSim running.
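Both Ken’s Dionaea problem (port 80 already held by Apache) and Mezzomix’s INetSim problems (53 held by dnsmasq, 80 by Apache, 6667 by ircd-hybrid) are the same diagnosis: find out which daemon owns the port before starting the honeypot. The script below is an added example for this thread, not part of HoneyDrive; it parses the output of `ss -ltunp` (run as root so the process column is populated) and reports the clashing daemons. `SAMPLE_SS` is constructed to resemble that output, with made-up PIDs and addresses; `INETSIM_PORTS` and `DIONAEA_PORTS` list only the ports the thread talks about, and `REMEDY` records what the commenters did rather than acting on anything.

```python
"""Report which local daemons already hold the ports a honeypot wants.

Added example (not HoneyDrive code). Parses `ss -ltunp` output; the sample
below is constructed, and the port sets are assumptions limited to the
ports discussed in the thread, not full INetSim/Dionaea service lists.
"""
import re

SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.1:53      0.0.0.0:*         users:(("dnsmasq",pid=1234,fd=4))
tcp   LISTEN 0      128    127.0.0.1:53      0.0.0.0:*         users:(("dnsmasq",pid=1234,fd=5))
tcp   LISTEN 0      128    *:80              *:*               users:(("apache2",pid=2222,fd=4),("apache2",pid=2223,fd=4))
tcp   LISTEN 0      128    [::]:6667         [::]:*            users:(("ircd-hybrid",pid=3333,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=777,fd=3))
"""

# Ports mentioned in the thread for each tool (assumption: not exhaustive).
INETSIM_PORTS = {("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443),
                 ("tcp", 6667), ("tcp", 21), ("tcp", 25)}
DIONAEA_PORTS = {("tcp", 80), ("tcp", 443), ("tcp", 445),
                 ("tcp", 1433), ("tcp", 3306)}

# What the commenters did for each daemon; a lookup table, nothing is executed.
REMEDY = {
    "dnsmasq": "comment out dns=dnsmasq in /etc/NetworkManager/NetworkManager.conf",
    "apache2": "sudo service apache2 stop",
    "ircd-hybrid": "sudo service ircd-hybrid stop",
}

# Matches each ("name",pid=N ...) entry in the ss process column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Yield (proto, port, process_names) for each listening socket."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "udp"):
            continue  # header line or something ss printed that we ignore
        proto, local = parts[0], parts[4]
        # Local address may be 0.0.0.0:80, *:80 or [::]:80; the port is
        # always after the last colon.
        port = int(local.rsplit(":", 1)[1])
        names = sorted({m.group(1) for m in PROC_RE.finditer(line)})
        yield proto, port, names


def conflicts(text, wanted):
    """Map each wanted (proto, port) that is already bound to its holders."""
    held = {}
    for proto, port, names in parse_ss(text):
        if (proto, port) in wanted:
            held.setdefault((proto, port), set()).update(names)
    return {key: sorted(names) for key, names in held.items()}


def report(text, wanted):
    """One line per clash, with the remedy the thread used where known."""
    lines = []
    for (proto, port), names in sorted(conflicts(text, wanted).items()):
        for name in names:
            lines.append("%s/%d held by %s: %s" % (
                proto, port, name, REMEDY.get(name, "stop or reconfigure it first")))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SS, INETSIM_PORTS):
        print(line)
```

On a live HoneyDrive box you would feed it real output (`ss -ltunp > /tmp/ss.txt`, then call `report(open("/tmp/ss.txt").read(), INETSIM_PORTS)`); an empty result means the honeypot can bind everything it wants.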

    • http://bruteforce.gr/ Ion

      Hello Mezzomix, thanks for your comment!

      Yeah, I guess this is not an efficient way and I should change the auto-start program list in the next version, or post your corrections just in case. Let me know of any other problems or comments in general!

      Regards,
      Ion.

      • Mezzomix

        /etc/resolv.conf should not be edited. I was wrong in the post before.

        It seems that the inetsim.conf isn’t read by inetsim itself. Only starting inetsim with sudo inetsim --bind-address= works fine. But starting a DNS query returns the default IP address 127.0.0.1 and not the one I wrote in the inetsim.conf file.

        That’s not a problem in your HoneyDrive, it is the same with a clean Ubuntu 12.04 installation.

      • Mezzomix

        Okay, for uncommenting the statements in the inetsim.conf file I had to delete the #. I didn’t think about it, because everything is written with #.
        I am still learning^^ Now everything is fine.

        P.S.: Cuckoo Sandbox and Volatility are interesting malware analysis tools. Maybe they are suited to your HoneyDrive.

        thx for your work so far

  • mfh17

    Hi … I’m having some installation issues; maybe you can help? When I try to import into VirtualBox, I get issues with the VMDK being corrupt. So, I tried extracting the OVF so I could access the files inside, but half-way through I get a 7-Zip error of “… vmdk: file is broken”.

    Have you seen either issue elsewhere, and what can I do to get past them? I am installing onto Windows 7.

    • http://bruteforce.gr/ Ion

      Hello mfh17 and thanks for trying (to try) out HoneyDrive :)

      Importing the OVA into VirtualBox shouldn’t raise any problems. So I guess that the file might be truly corrupted after all, mostly due to a download error or something. Please try downloading it again and verify that the MD5 value is equal to: “f6aa9d7687eea635e79d42bc342a4563”. You can use a utility like this one: http://www.softoxi.com/md5–sha-1-checksum-utility.html to calculate the MD5.

      Regards,
      Ion.

    • m

      hello,
      HoneyDrive is very helpful, but Honeyd is giving me some problems. I wrote my own Honeyd configuration file; when I start Honeyd it responds, but when I check with nmap to see if the ports specified in the configuration file are open, it shows they are closed. My log file shows logs of these scans. Please, does anyone have an idea of what is wrong? I tried using the default configuration file on Honeyd but that didn’t work either.

  • Drafter

    Hi, I’m having problems with the root account, any help please..

    • http://bruteforce.gr/ Ion

      Hello, what kind of problem do you have? As per the instructions, the default username/password combination is: honeydrive/honeydrive. You can then “sudo” from inside the system. Regards.

      • Togr Lamht R Butarbutar

        Sir, how can I enter the root account?
        When I log in to the honeydrive account, then type su in the terminal
        and use the password honeydrive, the result is authentication failure.
        Thanks

      • http://bruteforce.gr/ Ion

        Hey Togar, try “sudo su” instead.

        Regards, Ion.

  • Krytical

    When I attempt to import the VM, I get a message that I must accept some agreement before I can import… a window comes up but no agreement text… just an agree and disagree button… so I hit agree… the window closes and opens back up… rinse and repeat… any ideas?

  • http://www.facebook.com/ashrafluffy Ashraf Luffy

    Can you give me an example of a topology to do this honeypot?

  • Mara

    I cannot connect to HoneyDrive via ssh.. (putty)
    I get message “Network error: Connection Timed Out”..
    I have installed HoneyDrive on a vm on the cloud… https://okeanos.grnet.gr/home/
    (ova file was transformed to a .raw file and then by this .raw file an image was created.. by which I created a vm…)
    Do you have any idea??

    • http://bruteforce.gr/ Ion

      Hello Mara, not sure why this happens, but in any case HoneyDrive was not designed to be uploaded to the cloud. Okeanos is great by the way :) Regards.

      • Mara

        So, what would you suggest?
        I need to have HoneyDrive running continuously… maybe use OpenVZ??
        My thesis is about honeypots and I would like to include HoneyDrive results…
        your work has been very helpful by the way, thank you!!! :-)
        …(I am waiting for Okeanos’ admin’s answer about why I can’t connect to HoneyDrive)…

      • http://bruteforce.gr/ Ion

        Hm, I don’t know. I suggest you try again one more time before concluding it doesn’t work out of the box. Otherwise, you can always setup your own honeypots on the VPS. Is there a particular honeypot you need to test? (eg Kippo). Regards.

      • Mara

        No, no particular honeypot..
        I have installed Kippo, Dionaea and Glastopf and played a little…
        and HoneyDrive has a lot more so I think it is worth a try… (and my supervisor thinks the same) :-P

        by the way, I think it might work on the cloud… ;-)
        I still have some connection issues but Okeanos’ helpdesk has been very helpful and immediate… :-)
        if it works, I will feedback…

      • http://bruteforce.gr/ Ion

        That is nice! Let me know how it turns out because I want to try uploading it to Okeanos as well when i find some free time. By the way, you can directly contact me through the contact form on the menu with more info on your thesis. I have completed a similar thesis for my undergrad studies and also written two conference papers on the subject and I am always interested :) Regards.

  • klokurdiladem

    Does anybody have a checksum for this HoneyDrive??? It doesn’t make sense that you’d get a corrupt file after downloading it.

    • http://bruteforce.gr/ Ion

      Hello there. Here are the checksums:

      MD5: f6aa9d7687eea635e79d42bc342a4563
      SHA1: 4c8e04a1240c43cf553bafc1462aaa3dea6d275b

      If you get a corrupt file I suggest you download it again from SourceForge, perhaps selecting a different mirror.

      Regards, Ion.

      • klokurdiladem

        Thank you so much

  • plaastik

    Would it be possible to get HoneyDrive as a torrent? My downloading of the VM keeps aborting halfway…

    • http://bruteforce.gr/ Ion

      Hello plaastik.

      Yeah, that would be possible, BUT it needs seeders :/ Some guy actually bothered to create a torrent file here: http://thepiratebay.sx/torrent/8062657/HoneyDrive_v._0.2_%28Nectar_Edition%29_Virtual_Appliance but I don’t think you’ll get anything.

      If your download keeps being aborted it’s a problem with SourceForge. The easiest solution is to select another mirror :) I’ve just downloaded the OVA file a couple of hours ago with no problem. So it would work I guess.

      FYI, these are the checksums of the OVA file (HoneyDrive 2.0):
      MD5: f6aa9d7687eea635e79d42bc342a4563
      SHA1: 4c8e04a1240c43cf553bafc1462aaa3dea6d275b

      Let me know how it goes.

      Regards,
      Ion.
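Ion’s two replies above (to klokurdiladem and to plaastik) both come down to the same check: hash the downloaded OVA and compare it with the published MD5 and SHA1 before importing it. The script below is an added example, not part of HoneyDrive or the blog; it hashes a file in one pass with both algorithms and compares using a constant-time comparison. The expected values are the ones Ion posted for the HoneyDrive 2.0 OVA; `demo()` writes a constructed file so the script runs offline, and that file is of course not the real image, so it must fail against the HoneyDrive sums.

```python
"""Verify a downloaded appliance image against published MD5 and SHA1 sums.

Added example (not HoneyDrive code). The two expected sums are the ones
posted in the comments for the HoneyDrive 2.0 OVA; the file written by
demo() is constructed here and is not a real OVA.
"""
import hashlib
import hmac
import io
import os
import tempfile

HONEYDRIVE_2_MD5 = "f6aa9d7687eea635e79d42bc342a4563"
HONEYDRIVE_2_SHA1 = "4c8e04a1240c43cf553bafc1462aaa3dea6d275b"

CHUNK = 1 << 20  # 1 MiB reads; the OVA is several GB, so never slurp it


def _hash_stream(stream):
    """Feed one read pass into both MD5 and SHA1; returns (md5, sha1) hex."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def digests_of_bytes(data):
    return _hash_stream(io.BytesIO(data))


def digests(path):
    with open(path, "rb") as fh:
        return _hash_stream(fh)


def verify(path, expected_md5, expected_sha1):
    """Compare both digests; the download passes only if both match.

    compare_digest keeps the comparison independent of how many leading
    characters happen to agree, which is the habit to keep for any digest
    check. Published sums are normalised to lower case before comparing.
    """
    md5, sha1 = digests(path)
    md5_ok = hmac.compare_digest(md5, expected_md5.strip().lower())
    sha1_ok = hmac.compare_digest(sha1, expected_sha1.strip().lower())
    return {"md5": md5, "sha1": sha1, "md5_ok": md5_ok,
            "sha1_ok": sha1_ok, "ok": md5_ok and sha1_ok}


def demo():
    """Constructed file checked three ways: against its own sums (passes),
    against the real HoneyDrive sums (fails), and against a SHA1 with one
    digit altered (fails, as a truncated or corrupted download would)."""
    fd, path = tempfile.mkstemp(suffix=".ova")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"constructed sample, not a real OVA\n" * 1000)
        good_md5, good_sha1 = digests(path)
        match = verify(path, good_md5, good_sha1)
        wrong_image = verify(path, HONEYDRIVE_2_MD5, HONEYDRIVE_2_SHA1)
        one_digit_off = verify(path, good_md5, good_sha1[:-1] + "0")
    finally:
        os.unlink(path)
    return match["ok"], wrong_image["ok"], one_digit_off["ok"]


if __name__ == "__main__":
    print(demo())
```

For the real download, call `verify("HoneyDrive_0.2_Nectar_edition.ova", HONEYDRIVE_2_MD5, HONEYDRIVE_2_SHA1)` and only import the appliance when `"ok"` is true; a mismatch after a re-download from a different mirror points at a bad mirror rather than a bad local disk.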

    • Black September

      Hi Plaastik.

      We had a similar issue a while back. I don’t know if you tested it, but using ‘wget’ we were able to get it to download without interruptions.

      Command:
      wget http://surfnet.dl.sourceforge.net/project/honeydrive/HoneyDrive%200.2%20Nectar%20edition/HoneyDrive_0.2_Nectar_edition.ova

      Hope you are able to solve it:)

      //Black September

      • http://bruteforce.gr/ Ion

        Hey Black September, thanks for your input! :)
        And FYI, in Windows I got it using jDownloader (http://jdownloader.org/).

        Regards.

      • plaastik

        Thanks

  • Sahhid Uddin

    Hi, people connect to Kippo and use the password 123456, why can they not get root access?

    • Sahhid Uddin

      They need to use root as username in combination.

  • Sahhid Uddin

    Hi, I used Kippo, it was brilliant, thanks so much, but I was wondering about Honeyd.

    I want to use Honeyd but have no idea where to start. kippo.sh started Kippo for me and logged all activity, it was simple, but Honeyd on this is already set up and configured, so I am wondering how do I start Honeyd? Which file starts it and where is it?

    Is there a guide to Honeyd? Or can you tell me here quickly. Thanks

    • http://bruteforce.gr/ Ion

      Hello Sahhid. Yeah, honeyd is not as easy as Kippo, but there are many guides online as it is one of the oldest and best low interaction honeypots around. Just Google for it and you will find some material.

      Regards,
      Ion

      • Sahhid Uddin

        Very well thank you very much for this awesomeness made my dissertation so much easier.

    • http://bruteforce.gr/ Ion

      Here is a report on Honeyd I stumbled upon while browsing Packet Storm Security: http://packetstorm.foofus.com/papers/general/honeyd_report.pdf

      Enjoy :)

      • varsha

        Hey, I’m working on Honeyd but I’m stuck: ping and nmap to my virtual honeypot work but not telnet… Please reply as soon as possible…

  • Josh

    I’m trying to import the OVA using VMware 9 on Windows 8. I keep getting a License Agreement Nag screen that persists after clicking ‘Accept’.

  • Sahhid Uddin

    I have a question: for my tty logs, how do I view them? Gedit does not work obviously, please respond :)

    • http://bruteforce.gr/ Ion

      Hello. I think it’s working. It’s just that the attacker or whoever logged in the honeypot didn’t type any commands. Try it yourself: login using PuTTY/terminal, type some commands and then play it with playlog. But the thing is, why bother with files? Just enable MySQL logging in the config file and then see the sessions in the database. Regards, Ion.

    • Black September

      Hi Sahhid!

      You will see a lot of “empty” tty logs. When a brute-force attack succeeds it will generate a log from when the password was entered. These logs are all of the same size, 622b if I recall correctly.

      As for using playlog.py

      When standing in /opt/kippo/utils, this is the command I use

      $ python playlog.py -f -m 1 ../logs/tty/.log

      You can see more options about the playlog.py script by executing

      $ python playlog.py
      Usage: playlog.py [-bfhi] [-m secs] [-w file]
      -f keep trying to read the log until it’s closed
      -m maximum delay in seconds, to avoid boredom or fast-forward to the end. (default is 3.0)
      -i show the input stream instead of output
      -b show both input and output streams
      -c colorify the output stream based on what streams are being received
      -h display this help

      Hope this helps you out, if not, let me know.

      I apologise for any of this being incorrect, I don't have a honeypot in front of me right now.

      //BlackSeptember

    • Black September

      Wow… I see the message got a bit f***d up when I pasted it :P

      • http://bruteforce.gr/ Ion

        Great reply nonetheless! :)

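The tty logs discussed in the exchange above are binary, which is why Gedit shows nothing useful and why the "empty" login-only logs all come out the same size. The following is an added example, not code from the thread or from the Kippo project: it reads such a log record by record and reports whether the session contains any typed input. The record header layout (`<iLiiLL`: op, tty, length, direction, sec, usec) is assumed to match Kippo's `kippo/core/ttylog.py`; the two sample logs are constructed in memory, not captured data.

```python
import struct
from typing import Dict, List, Tuple

# Record header: op, tty, length, direction, sec, usec, little-endian, 24 bytes.
# ASSUMPTION: this matches Kippo's kippo/core/ttylog.py; verify against your copy.
HDR = struct.Struct("<iLiiLL")
OP_OPEN, OP_CLOSE, OP_WRITE, OP_EXEC = 1, 2, 3, 4
TYPE_INPUT, TYPE_OUTPUT, TYPE_INTERACT = 1, 2, 3

Record = Tuple[int, int, float, bytes]  # (op, direction, timestamp, data)


def pack_record(op: int, direction: int, stamp: float, data: bytes = b"") -> bytes:
    """Serialise one record the way the logger writes it: header, then payload."""
    sec, usec = int(stamp), int(1_000_000 * (stamp - int(stamp)))
    return HDR.pack(op, 0, len(data), direction, sec, usec) + data


def read_records(blob: bytes) -> List[Record]:
    """Walk a tty log blob record by record; stop cleanly at a truncated tail."""
    records, off = [], 0
    while off + HDR.size <= len(blob):
        op, _tty, length, direction, sec, usec = HDR.unpack_from(blob, off)
        off += HDR.size
        if off + length > len(blob):  # partial write, e.g. a session still open
            break
        records.append((op, direction, sec + usec / 1e6, blob[off:off + length]))
        off += length
    return records


def session_summary(blob: bytes) -> Dict[str, object]:
    """Tell a login-only ("empty") log from one where the intruder typed commands."""
    recs = read_records(blob)
    typed = b"".join(d for op, dirn, _, d in recs if op == OP_WRITE and dirn == TYPE_INPUT)
    shown = b"".join(d for op, dirn, _, d in recs if op == OP_WRITE and dirn == TYPE_OUTPUT)
    stamps = [t for _, _, t, _ in recs]
    return {
        "records": len(recs),
        "closed": any(op == OP_CLOSE for op, _, _, _ in recs),
        "input_bytes": len(typed),
        "output_bytes": len(shown),
        "typed": typed.decode("latin-1"),       # what the intruder keyed in
        "has_commands": bool(typed.strip()),
        "duration_s": round(max(stamps) - min(stamps), 3) if stamps else 0.0,
    }


# Constructed samples (not captured data): a login with no activity at all,
# and a login where "uname -a" was typed and answered.
T0 = 1384882921.0
BANNER = b"Linux honeypot 2.6.32 i686\r\nhoneypot:~# "
EMPTY_LOG = (pack_record(OP_OPEN, 0, T0)
             + pack_record(OP_WRITE, TYPE_OUTPUT, T0 + 0.1, BANNER)
             + pack_record(OP_CLOSE, 0, T0 + 2.0))
ACTIVE_LOG = (pack_record(OP_OPEN, 0, T0)
              + pack_record(OP_WRITE, TYPE_OUTPUT, T0 + 0.1, BANNER)
              + pack_record(OP_WRITE, TYPE_INPUT, T0 + 4.0, b"uname -a\r\n")
              + pack_record(OP_WRITE, TYPE_OUTPUT, T0 + 4.1, BANNER)
              + pack_record(OP_CLOSE, 0, T0 + 9.5))

if __name__ == "__main__":
    for name, log in (("empty", EMPTY_LOG), ("active", ACTIVE_LOG)):
        print(name, session_summary(log))
```

Run over a directory of real tty logs, `has_commands` is the field to filter on: it separates the many brute-force logins that disconnected immediately from the few sessions worth replaying with playlog.py.
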
  • /CS

    I disabled the following services/applications running on boot: ntop, tor, apache2, ircd-hybrid. I think it’s better for the user to decide what he needs. I noticed that the zeitgeist daemon is also included, is it needed somewhere or can it possibly be removed?

    • http://bruteforce.gr/ Ion

      Hello CS, thanks for trying out HoneyDrive! Your feedback is much appreciated, I already had in mind to disable some of these services on startup for the next version :) Regards, Ion

  • JB

    Hi all,

    I am running Kippo (awesome bit of kit). I had a naughty guy try to connect to an FTP server but couldn’t get FTP to work. How do I enable the command so the bad guys can download from an FTP? Any help will be greatly appreciated.

    JB

    • JB

      BTW, the Kippo-Graph issue I had was sorted, I just re-installed a new image :) thanks to Ion for all your help :)

      JB

    • http://bruteforce.gr/ Ion

      Hello JB.

      This is not easy, it has to be done programmatically by the developer of Kippo. Your only option right now is to enable some output for the “ftp” command by adding a file in the “txtcmds” folder. But that won’t help the attacker to actually connect to or interact with an FTP server.

      Regards, Ion.

  • Agli Pançi

    Hello everyone,
    can HoneyDrive be configured to save all the data to a central server (to work as a sensor)? I have many points where I need to have a honeypot for each one, and then I need to collect all the data to a main server for analysing.

    What do you suggest?

  • DiBa

    Hello everybody,

    I’m trying to set up my home honeypot but I’m having problems with my Honeyd installation. No matter what configuration and settings I try, when trying to start Honeyd I get the same error: “aborting dhclient on interface eth0 after 12 tries”.
    Has anybody encountered the same error?

    Any help appreciated.

    DB

    • http://bruteforce.gr/ Ion

      Hello DiBa,

      it seems that Honeyd tries to get an IP from a DHCP server but it’s not working. Please see the comments section here: http://travisaltman.com/honeypot-honeyd-tutorial-part-1-getting-started/ where your error is mentioned by some other people, to see if anybody found a solution. Sorry I can’t offer more help.

      Regards,
      Ion.

      • DiBa

        Thanks for the quick reply.
        The strange thing is that after that Honeyd gets an IP and it starts logging. Though I’m not sure about the quality of the logs.

        DB.

      • http://bruteforce.gr/ Ion

        Hi DiBa, if you want you can paste here a small segment of your log file and I can tell you if it looks normal :) Regards, Ion.

      • DiBa

        Hello Ion, thanks for your help.

        Here is a small sample

        2013-11-19-17:22:01.5238 honeyd log started ------
        2013-11-19-17:22:01.5239 udp(17) - 202.133.58.82 58847 192.168.1.70 51413: 48
        2013-11-19-17:22:01.5303 udp(17) - 95.160.168.208 37149 192.168.1.70 51413: 348
        2013-11-19-17:22:01.5381 tcp(6) - 78.147.189.105 24634 192.168.1.70 55434: 52 FA
        2013-11-19-17:22:01.5382 tcp(6) - 192.168.1.70 55434 78.147.189.105 24634: 52 A
        2013-11-19-17:22:01.5394 udp(17) - 95.160.168.208 37149 192.168.1.70 51413: 348
        2013-11-19-17:22:01.5539 udp(17) - 74.104.206.63 18231 192.168.1.70 51413: 58
        2013-11-19-17:22:01.5540 udp(17) - 192.168.1.70 51413 74.104.206.63 18231: 58
        2013-11-19-17:22:01.5649 udp(17) - 111.68.32.160 45682 192.168.1.70 51413: 1025
        2013-11-19-17:22:01.5650 udp(17) - 192.168.1.70 51413 111.68.32.160 45682: 48
        2013-11-19-17:22:01.5716 tcp(6) - 46.99.22.155 65348 192.168.1.70 29662: 40 A
        2013-11-19-17:22:01.5799 udp(17) - 95.160.168.208 37149 192.168.1.70 51413: 348
        2013-11-19-17:22:01.6055 tcp(6) - 78.101.229.8 51413 192.168.1.70 47084: 353 PA
        2013-11-19-17:22:01.6056 tcp(6) - 192.168.1.70 47084 78.101.229.8 51413: 52 A
        2013-11-19-17:22:01.6130 udp(17) - 130.43.27.43 36424 192.168.1.70 51413: 48
        2013-11-19-17:22:01.6180 udp(17) - 130.43.27.43 36424 192.168.1.70 51413: 48
        2013-11-19-17:22:01.6304 tcp(6) - 2.216.49.100 12831 192.168.1.70 36311: 60 SA
        2013-11-19-17:22:01.6305 tcp(6) - 192.168.1.70 36311 2.216.49.100 12831: 52 A
        2013-11-19-17:22:01.6305 tcp(6) - 192.168.1.70 36311 2.216.49.100 12831: 120 PA
        2013-11-19-17:22:01.6410 udp(17) - 2.80.92.170 61362 192.168.1.70 51413: 48
        2013-11-19-17:22:01.6422 udp(17) - 46.189.28.229 56419 192.168.1.70 51413: 58
        2013-11-19-17:22:01.6423 udp(17) - 192.168.1.70 51413 46.189.28.229 56419: 58
        2013-11-19-17:22:01.6424 udp(17) - 192.168.1.70 51413 46.189.28.229 56419: 48
        2013-11-19-17:22:01.6458 tcp(6) - 79.131.73.130 61992 192.168.1.70 53776: 69 PA
        2013-11-19-17:22:01.6459 tcp(6) - 192.168.1.70 53776 79.131.73.130 61992: 52 A
        2013-11-19-17:22:01.6549 udp(17) - 93.175.96.87 52539 192.168.1.70 51413: 48
        2013-11-19-17:22:01.6612 udp(17) - 192.168.1.70 51413 95.160.168.208 37149: 48
        2013-11-19-17:22:01.6745 udp(17) - 89.180.6.224 7777 192.168.1.70 51413: 48
        2013-11-19-17:22:01.6775 udp(17) - 89.180.6.224 7777 192.168.1.70 51413: 48

      • http://bruteforce.gr/ Ion

        Hi DiBa, it seems fine to me! Why don’t you try Honeyd2MySQL and then Honeyd-Viz to see some stats/graphs from your log? Let us know how it goes. Regards, Ion.

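Before loading a Honeyd log into Honeyd2MySQL, it helps to be able to read it directly. The following is an added example, not code from the thread or from the HoneyDrive project: a parser for packet lines in the format DiBa posted (timestamp, protocol with its number, a flag column, source address and port, destination address and port, then size and TCP flags), plus a summary of the sort Honeyd-Viz would chart. The layout of the line is inferred from the excerpt above; the embedded sample is the header and the first ten packet lines of that excerpt, and the honeypot address 192.168.1.70 is taken from them.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Sample input: header plus the first ten packet lines of the excerpt posted in
# the thread (honeyd "-" single-packet records). Used here as test data only.
SAMPLE_LOG = """\
2013-11-19-17:22:01.5238 honeyd log started ------
2013-11-19-17:22:01.5239 udp(17) - 202.133.58.82 58847 192.168.1.70 51413: 48
2013-11-19-17:22:01.5303 udp(17) - 95.160.168.208 37149 192.168.1.70 51413: 348
2013-11-19-17:22:01.5381 tcp(6) - 78.147.189.105 24634 192.168.1.70 55434: 52 FA
2013-11-19-17:22:01.5382 tcp(6) - 192.168.1.70 55434 78.147.189.105 24634: 52 A
2013-11-19-17:22:01.5394 udp(17) - 95.160.168.208 37149 192.168.1.70 51413: 348
2013-11-19-17:22:01.5539 udp(17) - 74.104.206.63 18231 192.168.1.70 51413: 58
2013-11-19-17:22:01.5540 udp(17) - 192.168.1.70 51413 74.104.206.63 18231: 58
2013-11-19-17:22:01.5649 udp(17) - 111.68.32.160 45682 192.168.1.70 51413: 1025
2013-11-19-17:22:01.5650 udp(17) - 192.168.1.70 51413 111.68.32.160 45682: 48
2013-11-19-17:22:01.5716 tcp(6) - 46.99.22.155 65348 192.168.1.70 29662: 40 A
"""

# Field layout inferred from the excerpt; the flag column is kept generic so
# connection start/end records ("S"/"E") are not rejected.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>[a-z]+)\((?P<pnum>\d+)\) (?P<flag>\S) "
    r"(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+):?(?P<detail>.*)$"
)


@dataclass
class Packet:
    ts: datetime
    proto: str
    flag: str          # "-" single packet, "S" connection start, "E" connection end
    src: str
    sport: int
    dst: str
    dport: int
    size: Optional[int]
    tcp_flags: str


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet for a honeyd packet line, or None for headers and noise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    detail = m.group("detail").split()
    size = int(detail[0]) if detail and detail[0].isdigit() else None
    tcp_flags = detail[1] if size is not None and len(detail) > 1 else ""
    return Packet(
        ts=datetime.strptime(m.group("ts"), "%Y-%m-%d-%H:%M:%S.%f"),
        proto=m.group("proto"), flag=m.group("flag"),
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        size=size, tcp_flags=tcp_flags,
    )


def parse_log(text: str) -> List[Packet]:
    return [p for p in (parse_line(ln) for ln in text.splitlines()) if p]


def summarize(packets: List[Packet], honeypot_ip: str) -> Dict[str, object]:
    """Inbound/outbound split, top talkers and ports, and how many probes got a reply."""
    inbound = [p for p in packets if p.dst == honeypot_ip]
    outbound = [p for p in packets if p.src == honeypot_ip]
    replied = {(p.dst, p.dport, p.src, p.sport) for p in outbound}
    answered = sum(1 for p in inbound if (p.src, p.sport, p.dst, p.dport) in replied)
    return {
        "inbound": len(inbound),
        "outbound": len(outbound),
        "inbound_bytes": sum(p.size or 0 for p in inbound),
        "by_proto": dict(Counter(p.proto for p in packets)),
        "top_sources": Counter(p.src for p in inbound).most_common(5),
        "top_dports": Counter(p.dport for p in inbound).most_common(5),
        "answered": answered,      # inbound packets the honeypot replied to
        "unanswered": len(inbound) - answered,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG), "192.168.1.70").items():
        print(f"{key:14} {value}")
```

The `answered`/`unanswered` split is the quickest sanity check on a fresh install: unanswered inbound packets are traffic to ports that no Honeyd template handles. Port 51413/udp, which dominates the excerpt, is the default port of the Transmission BitTorrent client, so a burst of UDP to it right after the machine obtains a DHCP lease is usually leftover peer-to-peer chatter aimed at the address's previous owner rather than probing of the honeypot itself.
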
  • wysegy66

    Just installed HoneyDrive and it’s telling me there are 400+ updates available. Is it safe to upgrade without breaking anything?

    • http://bruteforce.gr/ Ion

      Hi wysegy66, I am not sure about this, I suggest that you keep a snapshot of the imported VM just in case, upgrade it to see if something breaks and then let us know! :) Regards, Ion.

  • Hawkie

    I am making a VMware-converted version of HoneyDrive. Will post it as a torrent, but expect help seeding it in the long term. Will post the link in a short while.

  • Nick

    Hey. Is there any way to set up the services to run on startup? I’d like to have Kippo, Dionaea and Glastopf start up when I boot the VM.

  • ckaspar

    Is there a LiveCD or bootable ISO for Honeydrive? I am running HD from a VM but I have an empty box that could work as a standalone machine.

    Thanks in advance.

    • http://bruteforce.gr/ Ion

      Hi ckaspar, no unfortunately there is no LiveCD or ISO version of HoneyDrive.

      If your box is good enough, one suggestion is to install a Linux server version, a headless version of VirtualBox with phpVirtualBox [1] as frontend, and then install HoneyDrive there.

      [1] http://sourceforge.net/projects/phpvirtualbox/

      Regards,
      Ion

  • RichM

    I have kippo running fine but I can’t seem to get TinyHoneypot to work. When I run ./thpot I see the process running, but nothing new is listening when I nmap the box. I tried shutting down apache and nmapping again, but I don’t see port 80 open for IIS like I expected (since I have http configured to be IIS in the tinyhoneypot config). I see some articles online about setting up thpot but some of the directories are different from the Honeydrive version of thpot. I feel like I’m missing a step. Can someone help with instructions on how to start tinyhoneypot in Honeydrive specifically?

    • http://bruteforce.gr/ Ion

      Hi RichM, sorry for replying late.

      TinyHoneypot is pretty old I would say. But you can start here if you want to give it a try: http://edgis-security.org/honeypot/tiny-honeypot/. Also, tinyhoneypot has been installed via the package manager AFAIR.

      Regards,
      Ion

  • asda

    How to change passwords?

    • http://bruteforce.gr/ Ion

      Hi, change passwords for what exactly?

  • help

    I’d like to have a little beginners’ guide that says how to start. How to use HoneyDrive for productive purposes: e.g. enable mail notification; what has to be observed manually; what services shall I run?

    Thanks

    • http://bruteforce.gr/ Ion

      Hi,
      this depends on: a) what you are trying to accomplish, b) which specific honeypot software you will use. For example, there is no universal notification system, you’ll have to set up the existing notification system for each honeypot software (if any) to alert you.

      I would start by using Kippo. You can find a number of articles about it in this blog, but it’s ready to be used. Just “./start.sh” and enjoy (details about it can be found in the text file accompanying HoneyDrive). Then you might want to move on to Dionaea.

      Regards, Ion

  • RobW

    Hello Ion, really silly newbie question here. I’m trying to run kippo for the first time on honeydrive 0.2. Running the script I get a ‘no such file or directory’ error. If I type sudo and then run the script opt/kippo/start.sh it returns an unhandled error. I’ve looked in the file system and the path seems to be right, as you might expect. I don’t really know my way around linux at all so this is probably a really stupid question but would you be able to tell me, by any chance, what I’m doing wrong here?

    • http://bruteforce.gr/ Ion

      Hi Rob, can you copy-paste exactly what you type in the console?

      • RobW

        Hi, sure I have: honeydrive@honeydrive:~$ /opt/kippo/start.sh

      • http://bruteforce.gr/ Ion

        Hi RobW, yes, it could be the case. Make sure you put the VM in a Host-only network or a Public network.

      • RobW

        Hi Ion, I just went back to this problem today and it seems all that was wrong was that I was trying to run with root privileges. Boy do I feel like an idiot right now. Anyway it seems to work at least. :)

  • Niels

    Is it possible to run this on the Raspberry Pi? Or to create a separate distro for it? I would like to use Pi’s with HoneyDrive in our corporate network as cheap honeypots for a.o. malware detection.

    • http://bruteforce.gr/ Ion

      Hi,
      it could be the case, if you can run a VirtualBox headless version on the RaspberryPi on a lightweight host distro and then import the OVA. But I don’t know how efficiently this might work. You have to try and give us feedback! If you succeed I can also do a blog post with you about it :)

      Another solution is to set up Kippo directly on the RaspberryPi, like for example: http://bob.k6rtm.net/kippo.html. For Dionaea you can use the “setupDionaea.sh” script from my Dionaea-Vagrant project (you can find the file on GitHub) to automate the setup.

      Anyway, best of luck and keep us updated :)

  • Jonathan

    Is there any way that I can contribute with your project, besides downloading and testing the OS image?

    • http://bruteforce.gr/ Ion

      Hi Jonathan,
      very good question, I think I should even add the following to the FAQ:

      Generally, not to the actual development. I develop HoneyDrive on my own machine, so it doesn’t exist in any remote environment where we can collaborate while building it. And there isn’t any schedule for releases, so even if we enabled remote collaboration, a new release will probably take *some* time before getting planned.

      But, here are all the ways you can help in general:

      1. Actually, testing is of great importance. There are a lot of things going on in HoneyDrive. Installing over 30 tools from source and managing their dependencies (which could be conflicting sometimes) isn’t the best deal. So it’s great if there are testers that can check that all the tools are actually working as they should by trying them out in real scenarios (and learning a lot in the process!).

      2. If you can code, then you can contribute to all the other projects around security visualization, etc. or to the honeypots themselves. From my side, I am very open to this and have already accepted pull requests. If you know PHP and/or Python let me know. The code for all the projects is hosted on GitHub.

      3. Ideas/feedback. Again, this sounds trivial but it’s not. The tools need to be kept current and also become enhanced. Again, I am very open to this and some things like for example the Kippo-IP and Kippo-Playlog components of Kippo-Graph were added by some people who decided to contribute! This is relevant to the point above as well, but even if you can’t code the suggestions and requirements drafting for these are equally important.

      4. Information sharing. If you use it, share the results. Some of the honeypots have integrated a logging system called hpfeeds: http://heipei.github.io/2013/05/11/Using-hpfriends-the-social-data-sharing-platform/. You will find it in their configuration files with an option to enable it or not. Sharing data via hpfeeds helps the developers of the honeypot platforms and organizations like the Honeynet Project to gather much needed data about attacks. Even if you decide not to share via hpfeeds, you can help by letting us know what kind of stuff you capture, if you see any patterns, if from the logs you suspect that attackers found a new way to identify the honeypots etc.

      5. Lastly, there is a small donation button on the right side for people that appreciate this work :)

      Thanks again for your question and the willingness to help.

      Best regards,
      Ion

  • Jonny

    I’m trying to import the OVA but keep receiving the message seen here:
    http://i.imgur.com/UMEtaWd.png
    Any advice?
