Dec 26 2012

HoneyDrive Desktop released!

Hello! Merry X-Mas to all :)

I am very happy to be in the position to announce the newest addition to my projects: HoneyDrive (Desktop).

What is it? Here is a brief but informative description:

HoneyDrive is a virtual appliance (OVA) with Xubuntu Desktop 12.04 32-bit edition installed. It contains various honeypot software packages such as the Kippo SSH honeypot, the Dionaea malware honeypot, the Honeyd low-interaction honeypot and more. Additionally, it includes useful pre-configured scripts and utilities to analyze, visualize and process the data these honeypots capture, such as Kippo-Graph, Honeyd-Viz and much more. Lastly, many other helpful security, forensics and malware-related tools are also present in the distribution.

The latest version (0.1) of HoneyDrive Desktop (aka Santa edition), which was officially released on December 26, 2012, will be hosted at SourceForge.net. The appliance (around 2.7 GB in size) has been uploaded and you can get it from the project page: http://sourceforge.net/projects/honeydrive/

The installation procedure is pretty straightforward: after downloading the file, you simply have to import the virtual appliance into your virtual machine manager/hypervisor (suggested software: Oracle VM VirtualBox). Please take a look at the README.txt file on SourceForge (also included inside the virtual disk) to see where everything is located.

Below is a comprehensive list of HoneyDrive’s features, ready to be used for promotional purposes :)

  • Virtual appliance based on Xubuntu 12.04 Desktop.
  • Distributed as a single OVA file, ready to be imported.
  • Full LAMP stack installed (Apache 2, MySQL 5), plus tools such as phpMyAdmin.
  • Kippo SSH Honeypot, plus Kippo-Graph, Kippo2MySQL and other helpful scripts.
  • Dionaea malware honeypot, plus phpLiteAdmin and other helpful scripts.
  • Honeyd low-interaction honeypot, plus Honeyd2MySQL, Honeyd-Viz and other helpful scripts.
  • LaBrea sticky honeypot, Tiny Honeypot, IIS Emulator, INetSim and SimH.
  • A full suite of security, forensics and anti-malware tools for network monitoring, malicious shellcode and PDF analysis, such as ntop, p0f, EtherApe, nmap, DFF, Wireshark, ClamAV, ettercap, Automater, UPX, pdftk, Flasm, pdf-parser, Pyew, dex2jar and more.
  • Firefox plugins pre-installed, plus extra helpful software such as GParted, Terminator, VYM, Xpdf and more.

Finally, here are three screenshots from the appliance; I hope you will find them pretty!

For comments, suggestions, fixes, please use the HoneyDrive page: http://bruteforce.gr/honeydrive

  • BlackSeptember

    Hey Ion!

    Looks very interesting, thanks!

    Merry xmas!

    • Ion

      Thanks BlackSeptember :)
      Waiting for your review and suggestions.
      Regards.

      • BlackSeptember

        Just started the download now (…I hate when my professional life interferes with my geek life…), read through the README.txt and watched the “TekTip ep18 - HoneyDrive”.

        Looks like you've been very busy since the last release; if the TekTip video and the README.txt hold true, I'd say this is pretty damn solid work - kudos!

        I'll be taking a closer look and promise to give you my response of course :)

        There are a couple of questions I'd like to ask, my apologies for being off topic here.

        - The honeypots included here are either low- or medium-interaction.
        Have you ever thought about creating any high-interaction ones that's Linux based?

        - I had some high-interaction honeynets a couple of years back to study attacks on the Windows platform.
        Those honeynets were built using Honeywall (https://projects.honeynet.org/honeywall/) as the data control/collection entity and the Sebek client (https://projects.honeynet.org/sebek/) to capture the activity on the Windows servers/clients.

        I've seen threads about using Sebek on Linux, most of them ending in problems, but never tried it myself.
        Do you have any experience/suggestions about this?

        Sorry for asking questions that don’t concern the actual HoneyDrive.

      • Ion

        Hello again Black September.

        Thanks for your interest in HoneyDrive and your kind words. I’ll be waiting for your review :)

        Now, about the other questions:

        I chose low and medium interaction honeypots for the fact that an easy to use deployment distro/utility like Honeywall does not exist for them, let alone a bundle of honeypot related tools ready to be used. Most honeypots are not very easy to setup for the beginner infosec enthusiast or the new sysadmin and many times the process ends in frustration. HoneyDrive’s purpose is to save time and make this task successful. On the other hand, in my opinion the best tool for high interaction honeypot deployments is Honeywall and I didn’t want to “compete” or replace it since I think it does a good job. My aim was to fill the void in the low and medium interaction space. Unfortunately, my high interaction honeypot deployments were done using Honeywall so I don’t have any experience running Sebek standalone. Is there a particular reason you don’t want to use Honeywall again?

        By the way, there are a lot more to come to HoneyDrive. In this first version I’ve just included the major stuff. There are other things in my TODO list, such as web honeypots, honeyclients, malware collectors, IDSes, etc. So, practice with and review v0.1 so we can be sure that the next version can be safely be built on it :)

        Regards.

      • BlackSeptember

        Hi

        I know that HI honeypots can be a bit daunting for someone new to infosec. Your HoneyDrive project is perfect for these people, but it's also fantastic to use for someone that's used to honeypots - as you say, they are easy to deploy and maintain. This is what makes HoneyDrive so popular - and I believe it will keep gaining popularity.

        Some clarification:
        I used the Honeywall in conjunction with Sebek - not as a stand alone.

        There is no reason why I'm not going to use Honeywall again; in fact this is what I'm planning to do :)
        Since you know a lot about honeypots/nets I just wanted to know if you had any experience with using
        Honeywall + Sebek on Linux distros.

        Anyways…Will get back to you about your new release.

        Happy New Year!

      • BlackSeptember

        After logging in on a new system/distro I always check what services are running.
        I noticed that there are three persistent outbound connections from the HoneyDrive
        to these addresses:

        privacy.is:9001
        vpn-service.biz:9001
        tor-proxy.carl.kau:9001

        Any idea/explanation to these connections and why the HoneyDrive initiates them?

      • Ion

        Hello BlackSeptember, these connections (and others using the same port) are initiated from Tor/Vidalia which is installed on HoneyDrive.
        Regards.

      • BlackSeptember

        Hey, thanks for the quick reply.
        Okay good to know, since you are the mind behind it; will it cause any issues if they are disabled?

      • Ion

        Hello, no, you can disable them if you don’t want Tor running. I have included it just in case it might be needed, they are not really necessary. Regards.

  • Leon van der Eijk

    Great work mate! Can't wait to give it a spin. Maybe it's a good idea to incorporate the thug honeyclient in future releases? Just an idea…

    • Ion

      Hello Leon. Thanks as always :)

      I have various other honeypots/honeyclients in mind. In this release, being the first one, I thought I should include the major ones and then build from there. I also want to include network monitoring tools, intrusion detection systems, etc. Time will tell when a new version will be available.

      Regards :)

  • McB

    Ion,
    HoneyDrive is fantastic!
    Took a little tweaking between iptables and vbox nat to get kippo on port 22, but the distro is clean and preconfigured to perfection…
    Thank you for a great X-Mas gift!

    • Ion

      Hello McB. Thanks for your positive comment!
      Happy holidays and happy hunting with HoneyDrive 😉
      Let me know if you have any suggestions, comments, etc. I’d appreciate it a lot.
      Regards.

  • Rob

    For those who want to open this in VMware, you may need to use VMware's ovftool (can be downloaded from here)

    run the tool CLI and use

    ovftool -lax -st=ova PATH_TO_SOURCE\HoneyDrive_0.1_Santa_edition.ova PATH_TO_DEST\HoneyDrive.vmx

    hope this helps anyone stuck

    • Ion

      Hello Rob. Thanks for your comment!
      Is this the only way to make it work in VMware or does it work out of the box as well?
      A reader was stuck trying to import HoneyDrive in ESXi, perhaps your comment can help him out.
      Regards.

      • Rob

        Hello Ion,

        I tried running it natively in Workstation 9 but it was having some issues and wasn't loading the EULA properly, so it could not be run from there on. I found this fix and it seems to have worked.

        There are different switches within ovftool that can be used for ESXi but basically the same principle, so it should work :)

        I haven't had a chance to have a proper play with this yet, but it looks very good! Thank you for your work! :)

        have a happy new year!

  • Richard Bejtlich

    I also ran into issues when trying to open the .ova with VMware Workstation 8. I ended up extracting the .ova using 7-Zip. Then I used ovftool.exe from VMware to create a new .vmx using the syntax mentioned elsewhere:

    C:\Program Files (x86)\VMware\VMware Workstation\OVFTool>ovftool.exe -lax -st=ova c:\Users\richard\Downloads\HoneyDrive_0.2_Nectar_edition.ova c:\Users\richard\Downloads\HoneyDrive_0.2_Nectar_edition.vmx

    When I tried to open the new VM, I got the EULA license error mentioned previously, but I was able to see that the VM had 1 CPU, 768 MB RAM, 16 GB HDD, etc.

    So, I deleted the .vmx and created a new VM, but used the existing .vmdk. After that I was able to start the VM in Workstation.

    • Ion

      Hello Mr Bejtlich! I am very happy to see that you took an interest in trying out HoneyDrive. Surely you must be pretty busy, so thanks!

      Yes, VMware products had some difficulties with the OVA file. I suppose I should make the source .vdi/.vmdk file available as well and let users create a virtual machine manually. I’ll make sure to upload it tomorrow.

      Bear in mind that Ubuntu keeps a record of the MAC addresses for each NIC, so since you created a new VM from scratch I think that the virtual NIC inside HoneyDrive might have changed its name to eth1 from eth0 (on the contrary, importing the OVA retains the generated MAC). This shouldn't be a problem (as far as I remember defining a specific interface is not required in any of the honeypot software), although it can be fixed very easily by editing udev rules (see: http://www.kkoncepts.net/node/107) for “normalization” reasons.

      If you have any suggestions, ideas or other criticism I’d appreciate if you share it with us.

      PS. Good luck on your new book endeavour! Tao of NSM is considered a classic as I’ve seen and I am very much inclined to get a copy myself :) I’m pretty interested in the monitoring and detecting side of things, hence my involvement with honeypots.
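      The udev normalization Ion mentions, as an added example that is not part of the original post or of the HoneyDrive project: on Ubuntu 12.04 the persistent-net rules live in /etc/udev/rules.d/70-persistent-net.rules and bind each recorded MAC to a NAME. When a VM is rebuilt around the existing .vmdk, the old MAC stays recorded as eth0 and the new adapter gets eth1. The function below rewrites the rules so that the eth0 rule carries the new MAC and stale eth* rules are dropped; the sample rules file and both MAC addresses are constructed for the demo, and the output goes to stdout so nothing is overwritten until you copy it into place.

```shell
#!/bin/sh
# Added example, not code from the HoneyDrive project: rebuild Ubuntu 12.04's
# persistent-net udev rules so the NIC of a freshly created VM is eth0 again.
# The rules file path is Ubuntu's; the sample MAC addresses are constructed.

RULES_FILE=/etc/udev/rules.d/70-persistent-net.rules

# mac_of_iface IFACE: MAC of a live interface from sysfs (empty if absent).
mac_of_iface() {
    cat "/sys/class/net/$1/address" 2>/dev/null
}

# normalize_net_rules FILE NEW_MAC
# Prints FILE with the eth0 rule re-bound to NEW_MAC and every other eth*
# rule (stale adapters from the old VM) removed, together with the comment
# lines that introduced them. Unrelated rules pass through untouched.
normalize_net_rules() {
    awk -v mac="$2" '
        /^#/ { pending = pending $0 "\n"; next }
        /NAME="eth0"/ {
            sub(/ATTR.address.=="[^"]*"/, "ATTR{address}==\"" mac "\"")
            printf "%s", pending; pending = ""; print; next
        }
        /NAME="eth[0-9]+"/ { pending = ""; next }
        { printf "%s", pending; pending = ""; print }
        END { printf "%s", pending }
    ' "$1"
}

# sample_rules_file: writes a constructed rules file with two adapters, the
# stale eth0 recorded from the imported OVA and the eth1 the new VM received,
# and prints its path.
sample_rules_file() {
    f=$(mktemp)
    printf '%s\n' \
        '# PCI device 0x8086:0x100e (e1000)' \
        'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="08:00:27:aa:bb:cc", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"' \
        '# PCI device 0x8086:0x100e (e1000)' \
        'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="08:00:27:dd:ee:ff", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"' \
        > "$f"
    printf '%s\n' "$f"
}

# Demo on the constructed sample: the rewritten rules are printed to stdout.
# On a real HoneyDrive VM you would run, as root, something like:
#   normalize_net_rules "$RULES_FILE" "$(mac_of_iface eth1)" > /tmp/new.rules \
#     && cp /tmp/new.rules "$RULES_FILE" && reboot
sample=$(sample_rules_file)
normalize_net_rules "$sample" 08:00:27:dd:ee:ff
rm -f "$sample"
```

The rewrite keeps the rule structure udev expects and only swaps the MAC, so the Kippo/Dionaea/Honeyd configuration that happened to mention eth0 keeps working; if the file has no eth0 rule at all, the function emits no eth* rule and udev regenerates the file on the next boot.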

  • Pingback: Setup HoneyDrive on VMware (Workstation, ESXi, etc) - BruteForce Lab's Blog

  • asd

    Snort and also the Argos honeypot, as a high-interaction and 0-day vulnerability detector, can be a good improvement; it will be more effective for collecting data if it contains a high-interaction honeypot,
    and I hope a copy working on VMware 9 is uploaded.

  • Can0beans

    Can you post the md5 or sha1 of the file?

    • Ion

      SHA1: 4c8e04a1240c43cf553bafc1462aaa3dea6d275b
      MD5: f6aa9d7687eea635e79d42bc342a4563
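      Putting the checksums and the import step from the post together, as an added example that is not part of the original post or of the HoneyDrive project: the script below verifies a downloaded OVA against a published SHA1 and MD5 before handing it to VBoxManage. The hash values are the ones Ion posted in this reply; which release they belong to is not stated here, so substitute the values shown on the SourceForge page for the file you actually downloaded. The OVA filename is the one from Rob's comment above, and the VM name "HoneyDrive" is an assumption.

```shell
#!/bin/sh
# Added example, not code from the HoneyDrive project: verify the downloaded
# OVA against published SHA1/MD5 values, then import it into VirtualBox.
# Hashes: from Ion's reply above (confirm them against the SourceForge page).
# OVA filename: from Rob's comment above. VM name: an assumption.

OVA=HoneyDrive_0.1_Santa_edition.ova
EXPECTED_SHA1=4c8e04a1240c43cf553bafc1462aaa3dea6d275b
EXPECTED_MD5=f6aa9d7687eea635e79d42bc342a4563

# lower STRING: hash digests compare case-insensitively.
lower() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# verify_file FILE EXPECTED_SHA1 EXPECTED_MD5
# Returns 0 only if FILE exists and both digests match; on a mismatch it
# reports the digest that was actually computed on stderr and returns 1.
verify_file() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    actual_sha1=$(sha1sum "$1" | cut -d' ' -f1)
    actual_md5=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual_sha1" = "$(lower "$2")" ] || { echo "SHA1 mismatch: got $actual_sha1" >&2; return 1; }
    [ "$actual_md5" = "$(lower "$3")" ] || { echo "MD5 mismatch: got $actual_md5" >&2; return 1; }
    return 0
}

# import_ova FILE VMNAME: import the appliance with VirtualBox's CLI
# (same operation as File > Import Appliance in the GUI).
import_ova() {
    VBoxManage import "$1" --vsys 0 --vmname "$2"
}

# Only touch the hypervisor after the download has been verified.
if [ -f "$OVA" ]; then
    verify_file "$OVA" "$EXPECTED_SHA1" "$EXPECTED_MD5" && import_ova "$OVA" HoneyDrive
else
    echo "$OVA not found in the current directory; download it from the SourceForge project first" >&2
fi
```

Checking both digests costs one extra pass over a 2.7 GB file and rules out a truncated or tampered download before it ever becomes a running VM; the same verify_file function works for the .vdi/.vmdk Ion mentions uploading separately.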

  • Pwchange

    How to change all passwords for security reasons? e.g. root password/user password/service passwords

    • Ion

      Hi,
      every service/component has its own way of changing passwords. HoneyDrive is a typical Ubuntu-based distro, running commonly used services like MySQL.

      The way to change the passwords if you need to, is no different than what you would have done in any other case, like ‘passwd’, etc.

      Regards, Ion
