Jan 25 2012

Πώς να ενεργοποιήσετε το Nessus στο BackTrack 5 R1

Θέλοντας να σκανάρω στα πλαίσια δοκιμής ενός λειτουργικού συστήματος που ήθελα να εγκαταστήσω (σύντομα λεπτομέρειες) έναν υπολογιστή στο δίκτυο μου με το Nessus, ανακάλυψα πως αυτό δεν είναι καν εγκατεστημένο στο BackTrack 5 R1. Στην έκδοση 5 ναι μεν ήταν εγκατεστημένο αλλά όχι λειτουργικό αφού πρώτα ήθελε κάποιες ρυθμίσεις. Δε ξέρω γιατί αλλά στην έκδοση 5 R1 δεν το έχουν βάλει καθόλου (μάλλον λόγω προτίμησης στο open source OpenVAS).

Η εγκατάσταση του πάντως είναι πολύ εύκολη καθώς αρκεί ένα

apt-get install nessus

Κατόπιν πρέπει να γίνουν οι ίδιες ρυθμίσεις όπως και στην έκδοση 5: Πώς να ενεργοποιήσετε το Nessus στο BackTrack 5

Status update

I got a message about Kippo-Geo page displaying a warning, telling you that you need a valid Google Maps API key. This started rather randomly some days ago. There are two solutions: 1) You do nothing. Yes, the Google Map is working as expected, and you can just ignore the warning. 2) Get a Google Maps API key by following the instructions on the warning link. You then need to enter your key into /kippo-graph/include/qgooglevisualapi/QApikeyGoogleGraph.class.php.

Jan 19 2012

Some Kojoney results

I had my Kojoney SSH Honeypot running for about a week or so. The operation was smooth, I didn’t experience any crashes and the logging function keeps enough interesting data. Since I’ll be moving on to other systems/projects soon, I thought I should share some data before ending its operation.

The honeypot.log file has grown to 121.447 lines and 9.0M in size.

Kojoney Statistics:

Total successful logins: 698
Total failed logins: 7818
Total number of different credentials used: 8516
Total logins with null password: 12
Total logins with or without password: 8883
Number of times a remote shell was opened: 687

Total number of distinct IP addresses: 55
Most prominent countries (by number of appearances): China (CN), Russian Federation (RU), Italy (IT), United States (US), Spain (ES).

Some interesting/funny credentials I spotted include: vagelis, slayer, sims, sims2, reebok, lammer, harrypoter, ferrari, counterstrike, adidas.

Interesting commands executed: unset HISTFILE HISTSIZE HISTSAVE
Interesting files downloaded: http://anonym.to/?http://publick11.110mb.com/tomo/gma.tgz

I’m attaching 4 graphs: top 15 successful logins, top 15 failed logins, top 15 IPs (by number of connections) along with their country of origin, top 10 commands executed by attackers.

All in all, I can recommend Kojoney as an alternative to Kippo (which is easier to setup and has better logging capabilities ie MySQL, plus you can use Kippo-Graph of course! :) )

Video

Γκι-Φιλίπ Γκόλντσταιν: πώς οι κυβερνοεπιθέσεις απειλούν την ειρήνη του πραγματικού κόσμου

Jan 10 2012

Kojoney SSH Honeypot, installation (CentOS) and configuration

I decided to give the second well-known SSH honeypot a try, the software that Kippo was inspired by: Kojoney. It is a low interaction honeypot that emulates the SSH service, and it’s written in Python like Kippo.

I’m using a system with CentOS 5 32-bit installed, but the following should work for higher versions as well. Login as root and let’s start…

1. First of all, since we’ll still want to be able to connect to our own machine, we must change the default SSH port 22 to something else:

vi /etc/ssh/sshd_config

You need to uncomment the “#Port 22″ line and change “22” to whatever you want (take note of it), let’s say 2222.

Restart the ssh server for the change to take effect:

/etc/init.d/sshd restart

At this stage you might want to logout of the system and connect again using the new port.

2. Let’s update the system and install required software:

yum update

Kojoney requires the following packages that can be installed through yum:

yum install gcc python python-devel

3. Download Kojoney itself:

cd /tmp
wget http://dfn.dl.sourceforge.net/project/kojoney/kojoney-0.0.4.2.tar.gz
tar -xvf kojoney-0.0.4.2.tar.gz

4. (OPTIONAL) The Iran Honeynet Project has created some updated packages to use with Kojoney making its geolocation feature better and also adding new sections to the report file. It would be good to install them:

cd /tmp
wget http://www.honeynet.ir/software/kojoney-update/TwisteConch-0.6.0.tar.gz
wget http://www.honeynet.ir/software/kojoney-update/IP-Country-2.27.tar.gz
wget http://www.honeynet.ir/software/kojoney-update/Geography-Countries-2009041301.tar.gz
wget http://www.honeynet.ir/software/kojoney-update/kojreport
/bin/cp -vf /tmp/TwisteConch-0.6.0.tar.gz /tmp/kojoney/libs/
/bin/cp -vf /tmp/kojreport /tmp/kojoney/reports/
rm -rfv /tmp/kojoney/reports/ip_country/*
/bin/cp -vf /tmp/IP-Country-2.27.tar.gz /tmp/kojoney/reports/ip_country/
/bin/cp -vf /tmp/Geography-Countries-2009041301.tar.gz /tmp/kojoney/reports/ip_country/

The above files are also stored here for backup purposes: kojoney-update-files

5. Let’s install Kojoney and run it:

cd /tmp/kojoney
sh INSTALL.sh

I got an error here because the script wasn’t able to locate the man directory. Hopefully it asks for it so type the following: /usr/share/man/man1 (“1″ is not a typo) if required.

echo "/etc/init.d/kojoney start" >> /etc/rc.local
/etc/init.d/kojoney start

You can check that everything is working alright by using

ps aux | grep kojoney

where you should see something like:

root  1573  0.0  1.4  14904  7748 ?  S  Jan09  0:33 python /usr/bin/kojoneyd

and also:

netstat -antp

where you should see something like this:

Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp        0      0  0.0.0.0:22     0.0.0.0:*       LISTEN   1573/python

6. Where is what? Kojoney itself is installed at “/usr/share/kojoney/” by default. You can go there to have a look at its source files. The log file it creates is located at “/var/log/honeypot.log“. Kojoney already has a built-in list of common username and password combinations, stored at “/etc/kojoney/fake_users“. If somebody enters a combo found in this file, he’s got access. Finally, the binary is stored at “/usr/bin/kojoneyd“.

7. There is a script distributed with it to make log parsing and statistics display easy. It is called kojreport and you can test it like this:

/usr/share/kojoney/kojreport /var/log/honeypot.log 0 0 1 > /tmp/report.txt
cat /tmp/report.txt

8. Kojoney has some problems like Kippo. The responses for various commands are hardcoded and you might need to change them. You can alter the existing ones or create your own as well.

There are specifically two files you need to pay attention to. Both of them are located at the base directory (/usr/share/kojoney/) and are called coret_fake.py and coret_honey.py.

“coret_fake.py” includes all the responses to various commands. I would suggest changing at least the following: FAKE_SSH_SERVER_VERSION, FAKE_OS (your own or uncomment and edit another one from the list), FAKE_SHELL and FAKE_W.

The second file, “coret_honey.py” is used when you want to add responses for new commands. You first write your response constant variable into “coret_fake.py” and then add it to “coret_honey.py”. For example, if I was to create a response for the “uptime” command:

a) I would write something like:

FAKE_UPTIME = " 02:32:28 up 1 day, 21:20,  1 user,  load average: 0.00, 0.00, 0.06"

into “coret_fake.py” and

b) I would add it to “coret_honey.py” file (lines 6 & 7 below):

if uname_re.match(data):
        transport.write(FAKE_OS)
    elif ls_re.match(data):
        for line in FAKE_LS:
            transport.write(line + '\r\n')
    elif data == "uptime":
        transport.write(FAKE_UPTIME)

And of course we need to restart the Kojoney service for the changes to take effect:

/etc/init.d/kojoney stop
/etc/init.d/kojoney start

9. Trying out Kojoney was not really in my plans (since I have invested time and effort in Kippo) until I found these two excellent resources that inspired me to give it a try: How To Set Up Kojoney SSH Honeypot On CentOS 5.5, Using and Extending Kojoney SSH Honeypot

Sample results will be published soon!

Jan 08 2012

Some Dionaea statistics

I thought I should share some statistics from the Dionaea honeypot, after ~4 days of operation.

My dionaea.log file is around 135MB, the SQLite database is around 68MB, and the system downloaded 45MB of malware. Automatic uploading to VirusTotal did not work for some reason though.

Using Infosanity’s script , here is the output:

python mimic-nepstats.py
Statistics engine written by Andrew Waite - www.infosanity.co.uk
Number of submissions: 21923
Number of unique samples: 205
Number of unique source IPs: 473
First sample seen: 2012-01-04 22:50:12.268572
Last sample seen: 2012-01-08 23:18:50.717549
System Uptime: 4 days, 0:28:38.448977
Average daily submissions: 5480
Most recent submissions:
2012-01-08 23:18:50.717549, 77.253.165.169, http://77.253.165.169:6015/fdqnmrfc, 78c9042bbcefd65beaa0d40386da9f89
2012-01-08 23:18:40.942690, 89.132.115.66, http://89.132.115.66:6028/bfnmzb, 0c059b0d1d5a03f69a21185987c17d5c
2012-01-08 23:18:27.638438, 186.92.211.27, http://186.92.211.27:3229/mxxyknng, 393e2e61ff08a8f7439e3d2cfcb8056f
2012-01-08 23:18:10.518064, 178.151.189.78, http://178.151.189.78:7117/pasxx, 9500da313ac9708847c5f920325027e3
2012-01-08 23:17:23.842580, 77.253.165.169, http://77.253.165.169:6015/fdqnmrfc, 78c9042bbcefd65beaa0d40386da9f89

And here are the results of the gnuplotsql script:

./python3.2 gnuplotsql -d /opt/dionaea/var/dionaea/logsql.sqlite -p smbd -p epmapper -p mssqld -p httpd -p ftpd

Jan 07 2012

Kippo-Graph note

Two quick notes about Kippo-Graph: 1st, even if it doesn’t take any user input etc, I have scanned it with RIPS and Websecurify Scanner and it’s a secure web app to have in your server, just in case someone wondered. 2nd, you don’t actually have to upload it to your remote server. If you set up remote MySQL access you can get the data from your honeypot while having Kippo-Graph installed in your local machine.

Page 25 of 29« First...1020...2324252627...Last »