Babby’s first honeypot, or getting worms for < $50 (Noah Nadeau, nn)
TRANSCRIPT
Installation Prerequisites
Workstation with SD card reader
Alternatively, buy a microSD card with the distro pre-installed
Installed Linux distro (native or LiveCD)
Bootice might also work
Raspbian distro
Hardware
Raspberry Pi B+ - case optional
High speed 16 GB microSD card (logs can get big)
1.0 A micro USB power supply
Cat 5(e) cable
HDMI cable & USB keyboard (for initial configuration)
Prerequisites
Setup
Raspbian
Download stripped Linux distro (Raspbian)
Image distro to microSD card using dd
Run through raspi-config
Run update/upgrade commands
Final modifications
Install nepenthes / thpot / dionaea
Wait
View Logs
Image | Config | Updates | Installation | Follow-Up
http://www.raspberrypi.org/downloads/
Download the Raspbian image
Use dd to image to microSD card
dd if={image location} of={sd card slot in /dev/} bs=512K
Validate the image
Note: (g)parted will have issues viewing the created partitions (particularly the boot sector) prior to system restart
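Checking the download before dd writes it, as an added Python example (mine, not from the slides or the Raspberry Pi project). It streams the image through hashlib in 1 MiB chunks and compares the result against the digest printed on the downloads page; pass whichever algorithm that page lists. `digest_file`, `verify_image` and `selfcheck` are my names, and the self-check hashes a constructed 3 MiB file rather than a real image.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash 1 MiB at a time; a Raspbian image is far too big to read whole


def digest_file(path, algo="sha256"):
    """Stream the file through the chosen hash and return its hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, expected_hex, algo="sha256"):
    """True only if the digest matches the one published with the download.

    expected_hex is whatever the download page lists; pass the matching algo
    name. compare_digest keeps the comparison itself constant-time.
    """
    actual = digest_file(path, algo)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def selfcheck():
    """Constructed demonstration: a fake 3 MiB image verifies against its own
    digest, and the same file with one flipped byte in the middle does not."""
    data = bytearray(os.urandom(3 * CHUNK))
    expected = hashlib.sha256(data).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "fake-raspbian.img")  # constructed, not a real image
        with open(path, "wb") as f:
            f.write(data)
        good = verify_image(path, expected)
        data[CHUNK + 17] ^= 0x01  # corrupt a single byte
        with open(path, "wb") as f:
            f.write(data)
        bad = verify_image(path, expected)
    return good, bad


if __name__ == "__main__":
    print("self-check (good, tampered):", selfcheck())
```

Only after `verify_image` returns True for the real image should the dd line above be run; a truncated or tampered download fails here rather than on a half-booted Pi.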
Part 1
Raspbian Installation
raspi-config
Connect peripherals (HDMI, Keyboard, Cat 5) and power on
Connect to network, find its IP and SSH
Then run raspi-config
First-time installation notes:
Expand Filesystem
Internationalisation Options (thanks Obama): change Locale, Timezone, and Keyboard Layout
Change Password (do this *after* changing the keyboard)
Boot to Desktop / Scratch (leave as command line)
Part 2
Raspbian Installation
Final Updates
Run your standard update commands
apt-get update
apt-get upgrade
apt-get autoclean
apt-get autoremove
Optional: Remove unused libraries
Scratch, others…
Part 3
Raspbian Installation
Basic Steps
# mkdir /var/log/hpot
# chown nobody:nobody /var/log/hpot
# chmod 700 /var/log/hpot
# ./iptables.rules
# cp ./xinetd.d/* /etc/xinetd.d/
# service portmap restart
# pmap_set < /usr/local/thp/fakerpc
# service xinetd restart
Simple, low-configuration honeypot
tinyhoneypot
Dependent on portmap and xinetd
# chown nobody:nogroup /var/log/thpot
# chmod 700 /var/log/thpot
# ./iptables.rules
# cp ./xinetd.d/* /etc/xinetd.d/
# service rpcbind restart
# pmap_set < /usr/local/thp/fakerpc
# service xinetd restart
FFFFFFFFFFFFFFFUUUUUUUUUUUUUUUUUUUUUUU
tinyhoneypot
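What a thpot-style trap actually does, as an added Python example (mine, not tinyhoneypot's code): listen on one TCP port, never answer, and record who connected plus the first 256 bytes they sent as one JSON line, the same job xinetd and thpot split between them above. `TrapListener`, `capture` and `probe_self` are my names; bind address, port and logfile are parameters you choose. Run it as nobody on a high port and redirect the real service port to it in iptables (the slides' iptables.rules is not reproduced here, so those rules are yours to write). The self-probe connects to a loopback port with a constructed HTTP request.

```python
import datetime
import json
import socket
import threading

BANNER_MAX = 256    # keep only the first bytes of whatever the client sends
READ_TIMEOUT = 2.0  # seconds to wait on a client that connects but stays silent


def capture(conn, peer, local_port):
    """Drain up to BANNER_MAX bytes from an accepted connection, then close it.

    Nothing is ever sent back: the only thing a scanner learns is that the
    port is open, while we learn its address and what it tried first.
    """
    conn.settimeout(READ_TIMEOUT)
    data = b""
    try:
        while len(data) < BANNER_MAX:
            part = conn.recv(BANNER_MAX - len(data))
            if not part:
                break
            data += part
    except socket.timeout:
        pass
    finally:
        conn.close()
    return {
        "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "src": peer[0],
        "sport": peer[1],
        "dport": local_port,
        "len": len(data),
        "payload_hex": data.hex(),  # hex keeps binary probes log-safe
    }


class TrapListener:
    """One TCP port, one JSON line per connection (to logfile if given, else in memory)."""

    def __init__(self, host="0.0.0.0", port=0, logfile=None):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.logfile = logfile
        self.records = []

    def serve_one(self):
        conn, peer = self.sock.accept()
        rec = capture(conn, peer, self.port)
        self.records.append(rec)
        if self.logfile:
            with open(self.logfile, "a") as f:
                f.write(json.dumps(rec) + "\n")
        return rec

    def close(self):
        self.sock.close()


def probe_self(payload):
    """Constructed end-to-end check: start a trap on a loopback port, connect to it
    from this process, send payload, and return the record the trap logged."""
    trap = TrapListener("127.0.0.1", 0)
    got = []
    worker = threading.Thread(target=lambda: got.append(trap.serve_one()))
    worker.start()
    client = socket.create_connection(("127.0.0.1", trap.port))
    client.sendall(payload)
    client.close()
    worker.join(timeout=10)
    trap.close()
    return got[0]


if __name__ == "__main__":
    print(json.dumps(probe_self(b"GET / HTTP/1.0\r\n\r\n"), indent=2))
```

For a real deployment loop `serve_one()` forever with a logfile under a directory owned by the unprivileged user, as the `chown`/`chmod 700` lines above do for /var/log/thpot.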
Nepenthes
Replaced by dionaea
Debian install instructions at http://dionaea.carnivore.it///#compiling
…
Take 2
DEV installation on Kali works fine.
./configure --with-lcfg-include=/opt/dionaea/include/ --with-lcfg-lib=/opt/dionaea/lib --with-python=/opt/dionaea/bin/python3.2 --with-cython-dir=/opt/dionaea/bin --with-udns-include=/opt/dionaea/include/ --with-udns-lib=/opt/dionaea/lib --with-emu-include=/opt/dionaea/include/ --with-emu-lib=/opt/dionaea/lib/ --with-gc-include=/usr/include/gc --with-ev-include=/opt/dionaea/include --with-ev-lib=/opt/dionaea/lib --with-nl-include=/usr/include --with-nl-lib=/usr/lib --with-curl-config=/usr/bin/ --with-pcap-include=/opt/dionaea/include --with-pcap-lib=/opt/dionaea/lib/
make
make install
Dry Run: Kali
Dionaea
Kali VM with x86_64 architecture ≠ Raspbian on ARM
Additional packages: libffi-dev gettext
Glib version must be <= 2.32.
Raspbian runs glib v2.40. Changes break dionaea
Kali runs 2.32 or older
Glib 2.40 introduced g_info
g_thread_init and g_mutex_new deprecated
Even with changes to source, compiling is broken
Lessons Learned
Dionaea
dionaea ARM packages are available from a different source (thanks Yerry Pi):
nano /etc/apt/sources.list (add the line:)
deb http://packages.s7t.de/raspbian wheezy main
apt-get update
apt-get install libglib2.0-dev libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev liblcfg libemu libev dionaea-python dionaea-cython libpcap udns dionaea
Take 3
Dionaea
cp /opt/dionaea/etc/dionaea.conf.dist /opt/dionaea/etc/dionaea.conf
chown nobody:nogroup /opt/dionaea/ -R
dionaea -u nobody -g nogroup -r /opt/dionaea -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid
/opt/dionaea/bin/dionaea -l all,-debug -L '*' -D
nano /opt/dionaea/readlogsqltree (change first line:)
#!/opt/dionaea/bin/python3.2
Configuration
Dionaea
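Reading the logs once dionaea is up (the "View Logs" step), as an added Python example (mine, not dionaea's readlogsqltree). dionaea's logsql module writes a `connections` table into an SQLite file; the default path at the time was /opt/dionaea/var/dionaea/logsql.sqlite as far as I recall, so check your dionaea.conf. The schema below is my reconstruction of that table and every row is constructed, so diff it against `.schema connections` on your own database before pointing `summarize` at it. `summarize` returns count and time-to-first-hit per protocol, the numbers behind "first probe within 90 minutes, first mssql attack 14 hours later"; `top_sources` ranks remote addresses. The `listen` row for dionaea's own socket is there to show why you filter on `connection_type = 'accept'`.

```python
import sqlite3

# Subset of dionaea's logsql "connections" table. Column names follow the
# logsql module as I remember it: an assumption, verify against your own file.
SCHEMA = """
CREATE TABLE connections (
    connection           INTEGER PRIMARY KEY,
    connection_type      TEXT,     -- listen / accept / connect / reject
    connection_transport TEXT,     -- tcp / udp / tls
    connection_protocol  TEXT,     -- httpd, smbd, mssqld, ...
    connection_timestamp INTEGER,  -- unix epoch seconds
    connection_root      INTEGER,
    connection_parent    INTEGER,
    local_host           TEXT,
    local_port           INTEGER,
    remote_host          TEXT,
    remote_hostname      TEXT,
    remote_port          INTEGER
);
"""

STARTED_AT = 1400000000  # constructed: epoch second the honeypot came up

# Constructed rows using RFC 5737 documentation addresses. The first row is the
# listener dionaea registers for itself and must not be counted as a visitor.
SAMPLE_ROWS = [
    # type,     transport, protocol, timestamp,          local_host,   lport, remote_host,    rport
    ("listen", "tcp", "httpd",  STARTED_AT,         "192.0.2.10", 80,   "",             0),
    ("accept", "tcp", "httpd",  STARTED_AT + 5400,  "192.0.2.10", 80,   "198.51.100.7", 51234),
    ("accept", "tcp", "httpd",  STARTED_AT + 7200,  "192.0.2.10", 80,   "203.0.113.5",  40022),
    ("accept", "tcp", "mssqld", STARTED_AT + 50400, "192.0.2.10", 1433, "203.0.113.5",  40100),
    ("accept", "tcp", "smbd",   STARTED_AT + 50460, "192.0.2.10", 445,  "203.0.113.5",  40101),
]


def open_sample_db():
    """In-memory database populated with the constructed rows above."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO connections (connection_type, connection_transport, connection_protocol,"
        " connection_timestamp, local_host, local_port, remote_host, remote_port)"
        " VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    db.commit()
    return db


def summarize(db, started_at):
    """Per protocol: inbound connection count and seconds from start-up to the first one."""
    rows = db.execute(
        "SELECT connection_protocol, COUNT(*), MIN(connection_timestamp)"
        " FROM connections WHERE connection_type = 'accept'"
        " GROUP BY connection_protocol"
    )
    return {proto: {"count": n, "first_seen_s": first - started_at} for proto, n, first in rows}


def top_sources(db, limit=5):
    """Remote addresses ranked by number of inbound connections."""
    rows = db.execute(
        "SELECT remote_host, COUNT(*) AS n FROM connections"
        " WHERE connection_type = 'accept'"
        " GROUP BY remote_host ORDER BY n DESC, remote_host LIMIT ?",
        (limit,),
    )
    return [(host, n) for host, n in rows]


if __name__ == "__main__":
    db = open_sample_db()
    for proto, info in sorted(summarize(db, STARTED_AT).items()):
        hours = info["first_seen_s"] / 3600
        print(f"{proto:8s} {info['count']:3d} connections, first after {hours:.1f} h")
    print("top sources:", top_sources(db))
```

Against a real file replace `open_sample_db()` with `sqlite3.connect(path)` and pass the epoch second you started dionaea; the same two queries then answer "who is knocking, on which service, and how soon after exposure" for a PROD sensor.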
Technical:
Found 3 rogue systems at work (with DEV Kali deployment alone): 2 in LAN, 1 at HQ
First probe on PROD within 90 minutes of setting up.
First active attack 14 hours later (mssql)
Academic:
Going the long way around, you’ll learn / remember more about C/C++ and makefiles than you wish you could
Social:
When playing Crash and Compile: 1) do it with your own sourcecode; 2) don’t try to beat your old score.
Lessons Learned
Dionaea
Possible Improvements
Install Vagrant / mhn
Replication and centralized control
Addition of p0f
Passive remote machine identification
Understanding bistreams
Locate the pcaps
Extend for HTTP
What to do with this information?
Next Steps
Dionaea
References / Additional Reading
Dionaea homepage: http://dionaea.carnivore.it/
Nathan Yee – Deploying Dionaea on a Raspberry Pi: https://github.com/threatstream/mhn/wiki/Deploying-Dionaea-on-a-Raspberry-Pi
Yerry Pi – Dionaea on Raspberry Pi: http://droidtoo.blogspot.com/2013/05/setting-up-dionaea-on-raspberry-pi.html
In ur networks, nabbing ur exploits
Dionaea