A honeypot is a system designed to appear vulnerable to attackers. The goal of a honeypot is to log all the attackers’ activities in order to study their behaviour, record their IPs, track their location and collect zero-days. A “honeypot” is nothing but a server that offers any kind of service to the attacker, from SSH to telnet, showing several well known exploitable ports open, like 22, 23, 445, 135, 139 and so on. The server appears to have critical vulnerabilities but it actually rejects connections, so it is not really exploitable. It can happen that a honeypot really is compromised, but that would be the case of a badly configured honeypot, and this topic goes beyond the scope of this article. Keep also in mind that your honeypot can be configured to emulate all possible systems, from Apache servers to Windows XP machines, appearing to run all possible software and services. In this article we will start by implementing a rudimentary honeypot on your Linux machine that logs all unwanted activity performed against your personal computer, and finally create different kinds of honeypot servers with complicated configurations to catch hackers all over the internet. Dealing with such configurations would be a pain for most of us, so we’ll find a workaround to pre-install default configurations.
Pentbox: Your Personal Honeypot
Pentbox is a small piece of software that allows you to open a port on your host and listen for incoming connections from outside (which are logged and then refused).
1 – Download Pentbox:
2 – Unpack
tar -zxvf pentbox-1.8.tar.gz
3 – Change into the Pentbox directory
4 – Run Pentbox
Now you should see an introductory message like this:
Select 2, then you’ll see the subsequent menu:
Select 3 and fast auto configuration:
Then you’ll see “honeypot activated on port 80”. Just open your browser, connect to your VM’s IP and you’ll see an “access denied” message, while in your Pentbox terminal you’ll see that the attack has been logged successfully! You can also choose to open different ports; in that case select the manual configuration and enable port forwarding on your router so that external connections to those ports are redirected to your honeypot.
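To see what a listener like Pentbox does under the hood, here is an added example in Python (not Pentbox’s own code): it accepts a connection, logs the source address and the first bytes received, answers with a 403 page and closes, so nothing is ever served. The port, the banner text and the function names are my choices.

```python
import socket
import threading
from datetime import datetime, timezone

# Reply to every client: a web server refusing the request (text is my choice).
BANNER = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 13\r\n\r\nAccess denied"

def make_log_entry(peer, first_bytes):
    """One log line: UTC time, client IP:port, byte count, escaped preview."""
    preview = first_bytes[:64].decode("ascii", "backslashreplace")
    return f"{datetime.now(timezone.utc).isoformat()} {peer[0]}:{peer[1]} {len(first_bytes)}B {preview!r}"

def handle(conn, peer, log):
    """Read what the client sends, log it, refuse and close; nothing is served."""
    conn.settimeout(3)
    try:
        data = conn.recv(1024)
    except OSError:          # timeout or reset: still log the empty probe
        data = b""
    log.append(make_log_entry(peer, data))
    try:
        conn.sendall(BANNER)
    except OSError:          # client may already be gone
        pass
    conn.close()

def serve(srv, log, max_conns=None):  # stops after max_conns (None = forever)
    handled = 0
    while max_conns is None or handled < max_conns:
        conn, peer = srv.accept()
        handle(conn, peer, log)
        handled += 1
    srv.close()

def start(host="0.0.0.0", port=8080, max_conns=None):
    """Bind and serve in a background thread; returns (bound port, thread, log).
    Port 0 asks the OS for a free port, which is handy for a local check."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    log = []
    t = threading.Thread(target=serve, args=(srv, log, max_conns), daemon=True)
    t.start()
    return srv.getsockname()[1], t, log

def probe(port, payload, host="127.0.0.1"):
    """Connect as a client, send payload, return the honeypot's reply."""
    with socket.create_connection((host, port), timeout=3) as c:
        c.sendall(payload)
        return c.recv(1024)
```

Call start(port=8080) and keep the script alive with thread.join(), then point a browser at that port: you get the 403 page and the log list gains one entry per connection.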
HoneyDrive: The Honeypot Paradise
HoneyDrive is the honeypot paradise. HoneyDrive is a Linux distribution that comes with 15 different honeypots preconfigured for you and a set of more than 30 forensic tools. Exploring the world of honeypots you will see that many varieties exist. Honeyd, Kippo and Dionaea are only a few of them. Installing and configuring each of these servers would be chaotic and would take you a lifetime. HoneyDrive, starting from a Xubuntu Desktop 12.04.4, installs and configures all these honeypots for you, so you only have to become familiar with them without worrying about messing around with incomprehensible “.config” files. Nevertheless, it is highly recommended that you become familiar with this kind of file and how it is built, in order to better understand what you are really doing.
1 – Download HoneyDrive here.
2 – Double click on the .ova file.
3 – Now VirtualBox (yes, I suppose you have it installed) will start and automatically import the new virtual machine, which comes with the guest additions pre-installed.
4 – Once the process is finished, you will have your HoneyDrive up and running! The desktop should look like this:
The first thing you should look at is the readme file, a simple text file that holds the file paths and commands of the various honeypots installed; the portion for Kippo should look like this:
Before starting to play with our new honeypots, keep in mind that you should really spend some time updating your system to a newer Xubuntu release.
Setting Up Kippo
You can find all the subsequent instructions in the readme file, but I will highlight the most important ones:
1 – cd /honeydrive/kippo/
2 – /honeydrive/kippo/start.sh
3 – ifconfig (to find the IP of the virtual honeypot)
4 – load this IP in your browser and you will see this page:
Now that your server works correctly, you can enable port forwarding from your router’s admin page so that incoming traffic is redirected to your honeypot. After that you can go to http://yourip/kippo-graph/ to see some interesting graphs of the passwords and usernames attempted by the attackers, their IPs, and other awesome stuff.
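kippo-graph builds those charts from the “login attempt” lines in Kippo’s log. As an added example (not part of HoneyDrive, Kippo or kippo-graph), the script below parses such lines and produces the same kind of summary: top usernames, passwords, credential pairs and source IPs, plus the IPs whose guess matched the honeypot’s fake password. The sample lines are constructed in the style of kippo.log, not a real capture, and the regular expression is my approximation of that format.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Kippo's kippo.log (not a real capture).
SAMPLE_LOG = """\
2014-03-02 12:34:56+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/123456] failed
2014-03-02 12:34:58+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/password] failed
2014-03-02 12:35:01+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [admin/admin] failed
2014-03-02 12:40:12+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.9] login attempt [root/123456] succeeded
2014-03-02 12:41:30+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.9] login attempt [pi/raspberry] failed
2014-03-02 12:41:35+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.0.2.44:51234 (10.0.0.5:2222) [session: 4]
"""

# Only "login attempt" lines carry credentials; everything else is skipped.
# A password containing "]" would not match this pattern.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,"
    r"(?P<session>\d+),(?P<ip>[^\]]+)\] login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>failed|succeeded)$"
)

def parse_login_attempts(text):
    """Yield one dict (ts, session, ip, user, password, result) per attempt."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.groupdict()

def summarize(text, top=5):
    """The counts kippo-graph charts: top usernames, passwords, user/pass
    pairs and source IPs, plus the IPs whose guess hit the honeypot's password."""
    attempts = list(parse_login_attempts(text))
    return {
        "attempts": len(attempts),
        "usernames": Counter(a["user"] for a in attempts).most_common(top),
        "passwords": Counter(a["password"] for a in attempts).most_common(top),
        "pairs": Counter(a["user"] + "/" + a["password"] for a in attempts).most_common(top),
        "source_ips": Counter(a["ip"] for a in attempts).most_common(top),
        "successes": sorted({a["ip"] for a in attempts if a["result"] == "succeeded"}),
    }

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in summarize(text).items():
        print(f"{key}: {value}")
```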
Setting Up Dionaea
From the developers’ site:
Dionaea “the Nepenthes successor” is a malware capturing honeypot initially developed under The Honeynet Project’s 2009 Google Summer of Code (GSoC). Dionaea aims to trap malware exploiting vulnerabilities exposed by services offered over a network, and ultimately obtain a copy of the malware.
Dionaea features a modular architecture, embedding Python as its scripting language in order to emulate protocols. Much superior to its predecessor (Nepenthes), it is able to detect shellcodes using LibEmu and supports IPv6 and TLS.
1) start Dionaea
2) in another terminal
3) Tell Dionaea to collect data
python manage.py collectstatic
4) python manage.py runserver honeypotip:8000
where honeypotip is the IP of your honeypot, which you can find using ifconfig
Now go to honeypotip:8000 in your browser and you will see this page:
Dionaea has some really awesome features: if you look at the panel, it will show you the IPs of the attackers, their location in the world, the services and ports attacked, the malware samples uploaded and other interesting things.
Now that you have an idea of what a honeypot is and how to install one, take a look at the other honeypots shipped with HoneyDrive, take some time to play with them and try changing the configuration files to assign your servers different features, services and open ports. Playing with honeypots can be very instructive, but pay attention, because it is not actually a game.