Or Getting Worms for < $50 Babby’s First Honeypot Noah Nadeau NN

Posted on 21-Dec-2015

219 views

Category:

Documents


3 download

TRANSCRIPT


Installation Prerequisites

Workstation with SD Card Reader

Alternatively, buy a microSD card with distro pre-installed

Installed Linux distro (Native or LiveCD)

Bootice might also work

Raspbian distro

Hardware

Raspberry Pi B+ - case optional

High speed 16 GB microSD card (logs can get big)

1.0A Micro USB Power

Cat 5(e) cable

HDMI cable & USB keyboard (for initial configuration)

Prerequisites

Setup

What’s Needed

Raspberry Pi Honeypot

Raspbian

Download stripped Linux distro (Raspbian)

Image distro to microSD card using dd

Run through raspi-config

Run update/upgrade commands

Final modifications

Install nepenthes thpot dionaea

Wait

View Logs

Image Config

Updates Installation Follow-Up

http://www.raspberrypi.org/downloads/

Download the Raspbian image

Use dd to image to microSD card

dd if={image location} of={sd card slot in /dev/} bs=512K

Validate the image

Note: (g)parted will have issues viewing the created partitions (particularly the boot sector) prior to system restart

Part 1

Raspbian Installation
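The "Validate the image" step above is the one people skip. As an added example (my code, not from the deck or the Raspbian project), here is the dd step done with a checksum gate in front of it and a read-back compare behind it: the image is refused unless its SHA-256 matches the digest published on the download page, and after writing, the card is read back and compared byte for byte so a bad card or a truncated write is caught before first boot. The image path, device path and expected digest are caller-supplied assumptions; the block size mirrors the deck's bs=512K.

```python
"""Added example, not from the deck: checksum-gated image write with read-back.
Assumptions: IMAGE and DEVICE paths and EXPECTED digest come from the caller;
the digest is the SHA-256 published next to the download."""
import hashlib
import os
import sys

CHUNK = 512 * 1024  # same block size as the deck's dd bs=512K


def sha256_of(path, chunk=CHUNK):
    """Stream a file through SHA-256; images are multi-GB, so never read them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_checksum(path, expected_hex):
    """True if the file's SHA-256 equals the digest published with the download."""
    return sha256_of(path) == expected_hex.strip().lower()


def write_image(image, device, chunk=CHUNK):
    """Copy image to device block by block (the dd step), fsync, return bytes written."""
    written = 0
    with open(image, "rb") as src, open(device, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            dst.write(block)
            written += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    return written


def readback_matches(image, device, chunk=CHUNK):
    """Compare the first len(image) bytes of the device with the image, block by block."""
    with open(image, "rb") as src, open(device, "rb") as dst:
        while True:
            a = src.read(chunk)
            if not a:
                return True
            if dst.read(len(a)) != a:
                return False


def flash_verified(image, expected_hex, device):
    """Refuse to write an image whose digest does not match; verify after writing."""
    if not verify_checksum(image, expected_hex):
        return "checksum mismatch: not written"
    write_image(image, device)
    if not readback_matches(image, device):
        return "read-back mismatch: card may be bad"
    return "ok"


if __name__ == "__main__":
    # usage: python flash.py raspbian.img <sha256 from download page> /dev/sdX
    print(flash_verified(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Run it as root against the raw card device, not a partition, exactly as you would point dd's of= at it; the read-back only covers the image's own length, which is what dd wrote.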

raspi-config

Connect peripherals (HDMI, Keyboard, Cat 5) and power on

Connect to network, find its IP and SSH

Then run raspi-config

First-time installation notes:

Expand Filesystem

Internationalisation Options (thanks Obama): Change Locale, Timezone, and Keyboard Layout

Change Password (do this *after* changing the keyboard)

Boot to Desktop / Scratch (leave as command line)

Part 2

Raspbian Installation

Final Updates

Run your standard update commands

apt-get update

apt-get upgrade

apt-get autoclean

apt-get autoremove

Optional: Remove unused libraries

Scratch, others…

Part 3

Raspbian Installation

Basic Steps

# mkdir /var/log/hpot

# chown nobody:nobody /var/log/hpot

# chmod 700 /var/log/hpot

# ./iptables.rules

# cp ./xinetd.d/* /etc/xinetd.d/

# service portmap restart

# pmap_set < /usr/local/thp/fakerpc

# service xinetd restart

Simple, low-configuration honeypot

tinyhoneypot

Dependent on portmap and xinetd

# chown nobody:nogroup /var/log/thpot

# chmod 700 /var/log/thpot

# ./iptables.rules

# cp ./xinetd.d/* /etc/xinetd.d/

# service rpcbind restart

# pmap_set < /usr/local/thp/fakerpc

# service xinetd restart

FFFFFFFFFFFFFFFUUUUUUUUUUUUUUUUUUUUUUU

tinyhoneypot

Nepenthes

Replaced by dionaea

Debian install instructions at http://dionaea.carnivore.it///#compiling

Take 2

DEV installation on Kali works fine.

./configure --with-lcfg-include=/opt/dionaea/include/ --with-lcfg-lib=/opt/dionaea/lib --with-python=/opt/dionaea/bin/python3.2 --with-cython-dir=/opt/dionaea/bin --with-udns-include=/opt/dionaea/include/ --with-udns-lib=/opt/dionaea/lib --with-emu-include=/opt/dionaea/include/ --with-emu-lib=/opt/dionaea/lib/ --with-gc-include=/usr/include/gc --with-ev-include=/opt/dionaea/include --with-ev-lib=/opt/dionaea/lib --with-nl-include=/usr/include --with-nl-lib=/usr/lib --with-curl-config=/usr/bin/ --with-pcap-include=/opt/dionaea/include --with-pcap-lib=/opt/dionaea/lib/

make

make install

Dry Run: Kali

Dionaea

Raspbian

Dionaea

Kali VM with x86_64 architecture ≠ Raspbian on ARM

Additional packages: libffi-dev gettext

Glib version must be <= 2.32.

Raspbian runs glib v2.40. Changes break dionaea

Kali runs 2.32 or older

Glib 2.40 introduced g_info

g_thread_init and g_mutex_new deprecated

Even with changes to source, compiling is broken

Lessons Learned

Dionaea

dionaea ARM packages are available from a different source (thanks yerry pi):

nano /etc/apt/sources.list (add the line:)

deb http://packages.s7t.de/raspbian wheezy main

apt-get update

apt-get install libglib2.0-dev libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev liblcfg libemu libev dionaea-python dionaea-cython libpcap udns dionaea

Take 3

Dionaea

cp /opt/dionaea/etc/dionaea.conf.dist /opt/dionaea/etc/dionaea.conf

chown nobody:nogroup /opt/dionaea/ -R

dionaea -u nobody -g nogroup -r /opt/dionaea -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid

/opt/dionaea/bin/dionaea -l all,-debug -L '*' -D

nano /opt/dionaea/readlogsqltree (change first line:)

#!/opt/dionaea/bin/python3.2

Configuration

Dionaea

The Payoff…

Dionaea

Access Attempts

Dionaea

Technical:

Found 3 rogue systems at work (with DEV Kali deployment alone): 2 in LAN, 1 at HQ

First probe on PROD within 90 minutes of setting up.

First active attack 14 hours later (mssql)

Academic:

Going the long way around, you’ll learn / remember more about C/C++ and makefiles than you wish you could

Social:

When playing Crash and Compile: 1) do it with your own sourcecode; 2) don’t try to beat your old score.

Lessons Learned

Dionaea

MSSQL Attack:

http://pastebin.com/4dkmukPp

Possible Improvements

Install Vagrant / mhn

Replication and centralized control

Addition of p0f

Passive remote machine identification

Understanding bistreams

Locate the pcaps

Extend for HTTP

What to do with this information?

Next Steps

Dionaea
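"What to do with this information?" and the "Access Attempts" numbers above both come out of dionaea's logsql.sqlite. As an added example (my code, not from the deck or from the dionaea project), here is a first triage pass over that database: count inbound connections per remote host and per service, separate RFC 1918 sources (the deck's "rogue systems" on the LAN) from Internet sources, and list captured payload hashes. The two tables below carry only the columns the example uses; their names follow dionaea's logsql layout as I recall it and are an assumption, as are the sample rows, the placeholder md5 and the default database path under the /opt/dionaea prefix.

```python
"""Added example, not part of the deck: first triage of dionaea's logsql.sqlite.
Assumptions: column names match dionaea's logsql schema; rows are constructed."""
import ipaddress
import sqlite3
from collections import Counter

SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY,
    connection_type TEXT, connection_protocol TEXT,
    connection_timestamp INTEGER,
    local_port INTEGER, remote_host TEXT, remote_port INTEGER);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY, connection INTEGER,
    download_url TEXT, download_md5_hash TEXT);
"""

# Constructed sample rows: two LAN hosts, one host on another internal range,
# one Internet scanner (TEST-NET-2 address), and dionaea's own outbound fetch.
SAMPLE_CONNECTIONS = [
    (1, "accept",  "smbd",    1450000000, 445,  "10.0.1.23",     49152),
    (2, "accept",  "smbd",    1450000060, 445,  "10.0.1.23",     49153),
    (3, "accept",  "mssqld",  1450003600, 1433, "10.0.1.77",     51000),
    (4, "accept",  "smbd",    1450007200, 445,  "172.16.5.9",    3333),
    (5, "accept",  "mssqld",  1450050000, 1433, "198.51.100.17", 40001),
    (6, "accept",  "mssqld",  1450050030, 1433, "198.51.100.17", 40002),
    (7, "accept",  "mssqld",  1450050060, 1433, "198.51.100.17", 40003),
    (8, "connect", "ftpctrl", 1450050090, 0,    "198.51.100.17", 21),  # outbound fetch, not an attacker
]
SAMPLE_DOWNLOADS = [
    # md5 of the empty file, used here only as a placeholder hash
    (1, 8, "ftp://198.51.100.17/payload.exe", "d41d8cd98f00b204e9800998ecf8427e"),
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_sample():
    """In-memory stand-in for /opt/dionaea/var/dionaea/logsql.sqlite (path is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?)", SAMPLE_CONNECTIONS)
    db.executemany("INSERT INTO downloads VALUES (?,?,?,?)", SAMPLE_DOWNLOADS)
    return db


def inbound(db):
    """Only 'accept' rows are someone connecting to the honeypot; dionaea also logs
    its own outbound fetches as 'connect', and those must not be counted as attackers."""
    return db.execute(
        "SELECT remote_host, connection_protocol, local_port FROM connections "
        "WHERE connection_type = 'accept'").fetchall()


def hits_by_host(db):
    """Inbound connection count per remote host."""
    return Counter(host for host, _, _ in inbound(db))


def is_lan(host):
    """RFC 1918 check: a hit from here is a machine on your own network."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)


def internal_sources(db):
    """Remote hosts on private ranges, i.e. the deck's 'rogue systems' finding."""
    return sorted(h for h in hits_by_host(db) if is_lan(h))


def services_hit(db):
    """Which emulated services drew traffic, as (protocol, local_port) counts."""
    return Counter((proto, port) for _, proto, port in inbound(db))


def payloads(db):
    """Captured download hashes joined back to the connection that fetched them."""
    rows = db.execute(
        "SELECT d.download_md5_hash, d.download_url, c.remote_host "
        "FROM downloads d JOIN connections c ON c.connection = d.connection").fetchall()
    return [{"md5": m, "url": u, "host": h} for m, u, h in rows]


def report(db):
    return {
        "internal_sources": internal_sources(db),
        "top_hosts": hits_by_host(db).most_common(3),
        "services": services_hit(db).most_common(),
        "payloads": payloads(db),
    }


if __name__ == "__main__":
    # Against a real box: sqlite3.connect("/opt/dionaea/var/dionaea/logsql.sqlite")
    for key, value in report(load_sample()).items():
        print(key, value)
```

The internal_sources list is the one to act on first: an Internet scanner hitting 1433 is background noise, but a host on your own LAN probing SMB or MSSQL is either misconfigured or already compromised, which is how the deck's three rogue systems turned up.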

References / Additional Reading

Dionaea homepage: http://dionaea.carnivore.it/

Nathan Yee – Deploying Dionaea on a Raspberry Pi: https://github.com/threatstream/mhn/wiki/Deploying-Dionaea-on-a-Raspberry-Pi

Yerry Pi – Dionaea on Raspberry Pi: http://droidtoo.blogspot.com/2013/05/setting-up-dionaea-on-raspberry-pi.html

In ur networks, nabbing ur exploits

Dionaea

Questions?