Another work of Cryptography, this time on Security in systems information area. Me and Pedro Pereira choose the Honeypot project. The idea is to understand and if possible experiment tools to implement Honeypots.
The Honeynet Project
The Honeynet project began in 1999 by the initiative of Lance Spitzner. It is an international nonprofit project. The idea of this project is to increase security on the Internet without any cost to the public. This is a project with strong bases on OpenSource believes. This project has several years of experience in defense information systems. In his website you can have access to a lot of documentation and software to create Honeynets and Honeypots.
In fact we have started to watch this presentation from HITBSecConf2007 in Dubai by Lance Spitzner. If you feel interested and have 40 minutes I recommend to watch.
Reading about Honeypots
The are 2 kinds of honeypots, client and server. The client surf the web interacting with other computers, and the server wait until someone request a service. And more 2 kind, low and high interaction, that means, if the honeypot is virtual or real (a real machine).
Our work is focused on the study of some solutions to create Honeypots. We start to read some good papers about the subject. After reading Malicious Web Servers, from Know Youy Enemy series, and later the Behind the Scenes of Malicious Web Servers, we start to get involved by the idea of deploying our own Honeypot. So we decide to use Honeyd tool to create them.
In this post I will talk about the process of install and configure a Honepot with the help of Honeyd.
Honeyd
Honeyd is a low interaction honeypot client that create virtual hosts (Honeypots) in a network. These Honeypots can be configured to act like a real operative system, in fact there are approximately 1000 personalities of OS’s that we can chose. At the same time we can configure those operative systems to activate certains services like FTP, HTTP, Telnet, etc.
Honeyd enables a single host to claim multiple addresses – I have tested up to 65536 – on a LAN for network simulation.
The quote is from Niels Provos, the creator of Honeyd.
Installing Honeyd
If you are in debian (like me), the only thing you have to do (and I think you are accustomed to it :P) is:
hydra:~# apt-get install honeyd honeyd-common
The package honeyd-common came with a lot of scripts to emulate the services that we will run in our Honeypot.
If you are running another one download the version I will use, and install it.
Preparing the field for Honeyd
All the system configurations we found was with the intention of running Honeyd in a local network.
And we have a router between us and the Internet. The router do NAT to the internal network, so we only have one IP. So we decide to only implement one honeypot to start testing.
In the router we determined that the computer that has the Honeyd installed (192.168.1.72) can be accessed from outside by ssh throw the port 2222, and HTTP by 8080 (to see the statistics). We also add that our honeypot (192.168.1.50) would be visible from the Internet with a quantity of open ports. This ports we show further on.
In fact we still have a problem, the router don’t know our honeypot (192.168.1.50). To solve this we run in Honeyd computer:
hydra:~# farpd 192.168.1.50 -i eth0
farpd is a program made by Niels Povos. With that program the computer with Honeyd (192.168.1.72) will send is MAC address when a ARP request is made to the network. This ARP request happens because the router don’t know who is 192.168.1.50. After 192.168.1.72 sending his MAC address the router will send the package to Honeyd computer (192.168.1.72), and Honeyd program will take care of them, sending it to the virtual host.
Now we have to configure how Honeyd will run, the file can be found in /etc/defaults/honeyd
Agora temos que configurar como o hd~vai correr, para isso utilizamos o seguinte textit{script}:
# File: /etc/defaults/honeyd # Defaults for honeyd initscript # run as a daemon RUN="yes" # Network interface where honeyd will listen INTERFACE="eth0" # Network under control od honeyd (in my case: just one host) NETWORK=192.168.1.50 # Options # -c hostname:port:username:password OPTIONS="-c localhost:12345:username:password"
The -c flag will collect to us some statistics, that we will put in a pie chart further. This flag receives the hostname, the port, username and password to can access to the statistics.
You may want to configure also the /etc/init.d/honeyd file, here are the first lines of the file:
. . . PATH=/bin:/usr/bin:/sbin:/usr/sbin # Daemon locations DAEMON=/usr/bin/honeyd # Daemon names NAME=honeyd # Pidfiles PIDFILE=/var/run/honeyd.pid # Labels LABEL="Honeyd daemon" DEFAULT=/etc/default/honeyd LOGDIR="/var/log/honeypot" DAEMONLOG="$LOGDIR/daemon.log" . . .
Note that log files from Honeyd will be written in LOGDIR directory.
honeydstats
With all the statistics being collected by honeyd (with the flag -c activated) the only thing we need is a program to read them, and show them in a human way.
To do that job honeyd came with program honeydstats. To run that command, and start collecting statistics from you honeyd do:
hydra:~# honeydstats --os_report /etc/honeypot/os.honeydstats
--port_report /etc/honeypot/port.honeydstats
--spammer_report /etc/honeypot/spam.honeydstats
--country_report /etc/honeypot/country.honeydstats
-f /etc/honeypot/honeydstats.conf -l localhost -p 12345
I have choose to write all files in the /etc/honeypot/ directory for convenience. The command above start collecting statistics in port 12345 and host localhost, the –*_report flags indicate the statistics honeydstats collect. The file /etc/honeypot/honeydstats.conf contains the username and the password in the form:
# File: /etc/honeypot/honeydstats.conf username:password
honeypot Configuration
This is the configuration file for my honeypot (192.168.1.50). I use a default one, with a little changes, you can find a lot of this files in the Internet.
create win2k set win2k personality "Microsoft Windows 2000 SP2" set win2k default tcp action reset set win2k default udp action reset set win2k default icmp action block set win2k uptime 3567 set win2k droprate in 13 add win2k tcp port 23 "sh /usr/share/honeyd/scripts/unix/linux/suse8.0/telnetd.sh $ipsrc $sport $ipdst $dport" add win2k tcp port 21 "sh /usr/share/honeyd/scripts/win32/win2k/msftp.sh $ipsrc $sport $ipdst $dport" add win2k tcp port 25 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-smtp.sh $ipsrc $sport $ipdst $dport" add win2k tcp port 80 "sh /usr/share/honeyd/scripts/win32/win2k/iis.sh $ipsrc $sport $ipdst $dport" add win2k tcp port 110 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-pop3.sh $ipsrc $sport $ipdst $dport" add win2k tcp port 143 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-imap.sh $ipsrc $sport $ipdst $dport" add win2k tcp port 389 "sh /usr/share/honeyd/scripts/win32/win2k/ldap.sh $ipsrc $sport $ipdst $dport" add win2k tcp port 5901 "sh /usr/share/honeyd/scripts/win32/win2k/vnc.sh $ipsrc $sport $ipdst $dport" add win2k udp port 161 "perl /usr/share/honeyd/scripts/unix/general/snmp/fake-snmp.pl public private --config=/usr/share/honeyd/scripts/unix/general/snmp" # This will redirect incomming windows-filesharing back to the source add win2k udp port 137 proxy $ipsrc:137 add win2k udp port 138 proxy $ipsrc:138 add win2k udp port 445 proxy $ipsrc:445 add win2k tcp port 137 proxy $ipsrc:137 add win2k tcp port 138 proxy $ipsrc:138 add win2k tcp port 139 proxy $ipsrc:139 add win2k tcp port 445 proxy $ipsrc:445 bind 192.168.1.50 win2k
Here I create a win2k operative system (Microsoft Windows 2000 with SP2) with a lot of open ports {23,21,25,80,110,143,389,5901,137,138,139}TCP and {161,137,138,445}UDP. These port’s must be open in your router, and pointing to the honeypot – 192.168.1.50.
And now we are ready to run honeyd:
hydra:~# /etc/init.d/honeyd start
Generating graphical statistics
Here is the problem of Honeyd, don’t have a graphical interface or a webpage to visualize all the information that are being saved to the .log, just honeydstats…
Well, I’ve found these perl script and these perl system file.
you:/etc/honeypot$ wget http://www.alunos.di.uminho.pt/~a43175/code/perl/customPie.pm -O /etc/honeypot/customPie.pm you:/etc/honeypot$ wget http://www.alunos.di.uminho.pt/~a43175/code/perl/buildPie.pl -O /etc/honeypot/buildPie.pl
The file buildPie.pl receives files in the form:
#13# Linux 2.6 .1-7# #1# Solaris 10 beta# #1# Windows 2000 # #1# Windows 98 # #15# Windows XP SP1# #27# unknown#
and we have files in the form:
Linux 2.6 .1-7: 0 1 13
Solaris 10 beta: 0 0 1
Windows 2000 : 0 0 1
Windows 98 : 0 0 1
Windows XP SP1: 0 0 15
unknown: 0 2 26
Now I’m gonna to use the these files generated by honeydstats {os,port,spam,country} to put the files in #n#id# form. Here we need to use the program txt2html, so, better you install it. Now we just have to get out the rust of sed command and we are ready!
# File: /etc/honeypot/generate-stats.sh
#!/bin/sh
#
# Country
cat /etc/honeypot/country | sort -rn | head | awk '{print $4" "$1}' | sed 's/^/#/g' | sed 's/$/#/g' | sed 's/ /#/g' | sed 's/://g' | perl /etc/honeypot/buildPie.pl /var/www/img/country
cat /etc/honeypot/country | txt2html > /var/www/img/country.html
# Operative System
cat /etc/honeypot/os | sed 's/(.*):([^0-9]*)([^ ]*)([^0-9]*)([^ ]*)([^0-9]*)([^ ]*).*/#7#1#/g' | perl /etc/honeypot/buildPie.pl /var/www/img/os
cat /etc/honeypot/os | txt2html > /var/www/img/os.html
# Spam
cat /etc/honeypot/spam | sort -rn | head | awk '{print $4" "$1}' | sed 's/^/#/g' | sed 's/$/#/g' | sed 's/ /#/g' | sed 's/://g' | perl /etc/honeypot/buildPie.pl /var/www/img/spam
cat /etc/honeypot/spam | txt2html > /var/www/img/spam.html
# Ports
cat /etc/honeypot/port | sort -rn | head | awk '{print $4" "$1}' | sed 's/^/#/g' | sed 's/$/#/g' | sed 's/ /#/g' | sed 's/://g' | perl /etc/honeypot/buildPie.pl /var/www/img/port
cat /etc/honeypot/port | txt2html /var/www/img/port.html
Now get the index.html to put in the /var/www/img directory:
you:/etc/honeypot$ mkdir /var/www/img/ you:/etc/honeypot$ wget http://www.alunos.di.uminho.pt/~a43175/code/html/index.html.txt -O /var/www/img/index.html
Add a cronjob:
you:/etc/honeypot# vi /etc/crontab
And add these line to the end of file:
6 * * * * root /etc/honeypot/generate-stats.sh
And we are done! For now on, you should have these nice graphics in your index.html file:
Future work
Well, the honeypot still running, and more and more statistics are being collected, in fact we already have make a very good discovers, but in a future post I will talk about that.
We are also thinking in use another kind of honeypot, a low interaction client honeypot, maybe HoneyC to identify malicious servers on the web, and maybe experiment by our selfs what we have read about client honeypots.
Ulisses Costa Blog 