Deploying Honeypots with Honeyd

8 12 2008

Another work of Cryptography, this time on Security in systems information area. Me and Pedro Pereira choose the Honeypot project. The idea is to understand and if possible experiment tools to implement Honeypots.

The Honeynet Project


The Honeynet project began in 1999 by the initiative of Lance Spitzner. It is an international nonprofit project. The idea of this project is to increase security on the Internet without any cost to the public. This is a project with strong bases on OpenSource believes. This project has several years of experience in defense information systems. In his website you can have access to a lot of documentation and software to create Honeynets and Honeypots.

In fact we have started to watch this presentation from HITBSecConf2007 in Dubai by Lance Spitzner. If you feel interested and have 40 minutes I recommend to watch.

Reading about Honeypots

The are 2 kinds of honeypots, client and server. The client surf the web interacting with other computers, and the server wait until someone request a service. And more 2 kind, low and high interaction, that means, if the honeypot is virtual or real (a real machine).

Our work is focused on the study of some solutions to create Honeypots. We start to read some good papers about the subject. After reading Malicious Web Servers, from Know Youy Enemy series, and later the Behind the Scenes of Malicious Web Servers, we start to get involved by the idea of deploying our own Honeypot. So we decide to use Honeyd tool to create them.

In this post I will talk about the process of install and configure a Honepot with the help of Honeyd.

Honeyd

Honeyd is a low interaction honeypot client that create virtual hosts (Honeypots) in a network. These Honeypots can be configured to act like a real operative system, in fact there are approximately 1000 personalities of OS’s that we can chose. At the same time we can configure those operative systems to activate certains services like FTP, HTTP, Telnet, etc.

Honeyd enables a single host to claim multiple addresses – I have tested up to 65536 – on a LAN for network simulation.

The quote is from Niels Provos, the creator of Honeyd.

Installing Honeyd

If you are in debian (like me), the only thing you have to do (and I think you are accustomed to it :P) is:

hydra:~# apt-get install honeyd honeyd-common

The package honeyd-common came with a lot of scripts to emulate the services that we will run in our Honeypot.

If you are running another one download the version I will use, and install it.

Preparing the field for Honeyd

All the system configurations we found was with the intention of running Honeyd in a local network.
And we have a router between us and the Internet. The router do NAT to the internal network, so we only have one IP. So we decide to only implement one honeypot to start testing.

In the router we determined that the computer that has the Honeyd installed (192.168.1.72) can be accessed from outside by ssh throw the port 2222, and HTTP by 8080 (to see the statistics). We also add that our honeypot (192.168.1.50) would be visible from the Internet with a quantity of open ports. This ports we show further on.

In fact we still have a problem, the router don’t know our honeypot (192.168.1.50). To solve this we run in Honeyd computer:

hydra:~# farpd 192.168.1.50 -i eth0

farpd is a program made by Niels Povos. With that program the computer with Honeyd (192.168.1.72) will send is MAC address when a ARP request is made to the network. This ARP request happens because the router don’t know who is 192.168.1.50. After 192.168.1.72 sending his MAC address the router will send the package to Honeyd computer (192.168.1.72), and Honeyd program will take care of them, sending it to the virtual host.

Now we have to configure how Honeyd will run, the file can be found in /etc/defaults/honeyd
Agora temos que configurar como o hd~vai correr, para isso utilizamos o seguinte textit{script}:

# File: /etc/defaults/honeyd
# Defaults for honeyd initscript

# run as a daemon
RUN="yes"
# Network interface where honeyd will listen
INTERFACE="eth0"
# Network under control od honeyd (in my case: just one host)
NETWORK=192.168.1.50
# Options
# -c hostname:port:username:password
OPTIONS="-c localhost:12345:username:password"

The -c flag will collect to us some statistics, that we will put in a pie chart further. This flag receives the hostname, the port, username and password to can access to the statistics.

You may want to configure also the /etc/init.d/honeyd file, here are the first lines of the file:

. . .
PATH=/bin:/usr/bin:/sbin:/usr/sbin
# Daemon locations
DAEMON=/usr/bin/honeyd
# Daemon names
NAME=honeyd
# Pidfiles
PIDFILE=/var/run/honeyd.pid
# Labels
LABEL="Honeyd daemon"
DEFAULT=/etc/default/honeyd
LOGDIR="/var/log/honeypot"
DAEMONLOG="$LOGDIR/daemon.log"
. . .

Note that log files from Honeyd will be written in LOGDIR directory.

honeydstats

With all the statistics being collected by honeyd (with the flag -c activated) the only thing we need is a program to read them, and show them in a human way.
To do that job honeyd came with program honeydstats. To run that command, and start collecting statistics from you honeyd do:

hydra:~# honeydstats --os_report /etc/honeypot/os.honeydstats
      --port_report /etc/honeypot/port.honeydstats
      --spammer_report /etc/honeypot/spam.honeydstats
      --country_report /etc/honeypot/country.honeydstats
      -f /etc/honeypot/honeydstats.conf -l localhost -p 12345

I have choose to write all files in the /etc/honeypot/ directory for convenience. The command above start collecting statistics in port 12345 and host localhost, the –*_report flags indicate the statistics honeydstats collect. The file /etc/honeypot/honeydstats.conf contains the username and the password in the form:

# File: /etc/honeypot/honeydstats.conf
username:password

honeypot Configuration

This is the configuration file for my honeypot (192.168.1.50). I use a default one, with a little changes, you can find a lot of this files in the Internet.

create win2k
set win2k personality "Microsoft Windows 2000 SP2"
set win2k default tcp action reset
set win2k default udp action reset
set win2k default icmp action block
set win2k uptime 3567
set win2k droprate in 13
add win2k tcp port 23 "sh /usr/share/honeyd/scripts/unix/linux/suse8.0/telnetd.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 21 "sh /usr/share/honeyd/scripts/win32/win2k/msftp.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 25 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-smtp.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 80 "sh /usr/share/honeyd/scripts/win32/win2k/iis.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 110 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-pop3.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 143 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-imap.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 389 "sh /usr/share/honeyd/scripts/win32/win2k/ldap.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 5901 "sh /usr/share/honeyd/scripts/win32/win2k/vnc.sh $ipsrc $sport $ipdst $dport"
add win2k udp port 161 "perl /usr/share/honeyd/scripts/unix/general/snmp/fake-snmp.pl public private --config=/usr/share/honeyd/scripts/unix/general/snmp"

# This will redirect incomming windows-filesharing back to the source

add win2k udp port 137 proxy $ipsrc:137
add win2k udp port 138 proxy $ipsrc:138
add win2k udp port 445 proxy $ipsrc:445
add win2k tcp port 137 proxy $ipsrc:137
add win2k tcp port 138 proxy $ipsrc:138
add win2k tcp port 139 proxy $ipsrc:139
add win2k tcp port 445 proxy $ipsrc:445

bind 192.168.1.50 win2k

Here I create a win2k operative system (Microsoft Windows 2000 with SP2) with a lot of open ports {23,21,25,80,110,143,389,5901,137,138,139}TCP and {161,137,138,445}UDP. These port’s must be open in your router, and pointing to the honeypot – 192.168.1.50.

And now we are ready to run honeyd:

hydra:~# /etc/init.d/honeyd start

Generating graphical statistics

Here is the problem of Honeyd, don’t have a graphical interface or a webpage to visualize all the information that are being saved to the .log, just honeydstats…
Well, I’ve found these perl script and these perl system file.

you:/etc/honeypot$ wget http://www.alunos.di.uminho.pt/~a43175/code/perl/customPie.pm -O /etc/honeypot/customPie.pm
you:/etc/honeypot$ wget http://www.alunos.di.uminho.pt/~a43175/code/perl/buildPie.pl -O /etc/honeypot/buildPie.pl

The file buildPie.pl receives files in the form:

#13#           Linux 2.6 .1-7#
#1#          Solaris 10 beta#
#1#            Windows 2000 #
#1#              Windows 98 #
#15#           Windows XP SP1#
#27#                  unknown#

and we have files in the form:

           Linux 2.6 .1-7:       0       1      13
          Solaris 10 beta:       0       0       1
            Windows 2000 :       0       0       1
              Windows 98 :       0       0       1
           Windows XP SP1:       0       0      15
                  unknown:       0       2      26

Now I’m gonna to use the these files generated by honeydstats {os,port,spam,country} to put the files in #n#id# form. Here we need to use the program txt2html, so, better you install it. Now we just have to get out the rust of sed command and we are ready!

# File: /etc/honeypot/generate-stats.sh
#!/bin/sh
#
# Country
cat /etc/honeypot/country | sort -rn | head | awk '{print $4" "$1}'  | sed 's/^/#/g' | sed 's/$/#/g' | sed 's/ /#/g' | sed 's/://g'  | perl /etc/honeypot/buildPie.pl /var/www/img/country
cat /etc/honeypot/country | txt2html > /var/www/img/country.html

# Operative System
cat /etc/honeypot/os | sed 's/(.*):([^0-9]*)([^ ]*)([^0-9]*)([^ ]*)([^0-9]*)([^ ]*).*/#7#1#/g' | perl /etc/honeypot/buildPie.pl /var/www/img/os
cat /etc/honeypot/os | txt2html > /var/www/img/os.html

# Spam
cat /etc/honeypot/spam | sort -rn | head | awk '{print $4" "$1}'  | sed 's/^/#/g' | sed 's/$/#/g' | sed 's/ /#/g' | sed 's/://g' | perl /etc/honeypot/buildPie.pl /var/www/img/spam
cat /etc/honeypot/spam | txt2html > /var/www/img/spam.html

# Ports
cat /etc/honeypot/port | sort -rn | head | awk '{print $4" "$1}'  | sed 's/^/#/g' | sed 's/$/#/g' | sed 's/ /#/g' | sed 's/://g' | perl /etc/honeypot/buildPie.pl /var/www/img/port
cat /etc/honeypot/port | txt2html /var/www/img/port.html

Now get the index.html to put in the /var/www/img directory:

you:/etc/honeypot$ mkdir /var/www/img/
you:/etc/honeypot$ wget http://www.alunos.di.uminho.pt/~a43175/code/html/index.html.txt -O /var/www/img/index.html

Add a cronjob:

you:/etc/honeypot# vi /etc/crontab

And add these line to the end of file:

6  *    * * *   root    /etc/honeypot/generate-stats.sh

And we are done! For now on, you should have these nice graphics in your index.html file:

Future work

Well, the honeypot still running, and more and more statistics are being collected, in fact we already have make a very good discovers, but in a future post I will talk about that.

We are also thinking in use another kind of honeypot, a low interaction client honeypot, maybe HoneyC to identify malicious servers on the web, and maybe experiment by our selfs what we have read about client honeypots.





foldr the magic function

20 11 2007

Recursion

In Haskell we essentially use recursion, this mean defining a function using itself definition.
A recursive function is, for example the factorial:

in haskell we define it like that:

fact 0 = 1
fact n = n * fact (n-1)

As you can see Haskell is authentic mathematic, pure functional language.

My point here is to show you the magic of the function foldr in Haskell, so I will assume that you already know Haskell, and maybe are accustomed to use foldr function.

ok…

Seeing the magic

The definition of the function length could be something like this:

length [] = 0
length (h:t) = 1 + length t

The definition of the function sum could be something like this:

sum [] = 0
sum (h:t) = h + sum t

And the definition of the function mult could be something like this:

mult [] = 1
mult (h:t) = h * mult t

As you can see in all three definitions we have a pattern and we can generalize it:

functionName [] = stopCase
functionName (h:t) = constant operator (functionName t)

We always need the stopping case of the function!

And the same happens in other functions like reverse:

reverse [] = []
reverse (h:t) = reverse t ++ [h]

In this case we have:

functionName [] = stopCase
functionName (h:t) = (functionName t) operator constant

So, we will always use the function applied to the tail of the list!

If we use some of lambda notation we can see one more pattern, the real one:

sum [] = 0
sum (h:t) = (a b -> a + b) h (sum t)

reverse [] = []
reverse (h:t) = (a b -> b ++ [a]) h (reverse t)

Our lambdas functions have arity 2, because those are the parts in which we can see the lists (head + tail).

Now we can generalize even more, considering function have arity 2:

functionName [] = stopCase
functionName (h:t) = function h (functionName t)

well, that’s not right for Haskell. Because it doesn’t know what function represents, that’s because the definition of functionName doesn’t receive that argument. And the same happens with stopCase.

functionName function stopCase [] = stopCase
functionName function stopCase (h:t)
     = function h (functionName function stopCase t)

Et voilá.

In fact the last definition is the true one for foldr. Easy right?

Functions with foldr’s

Well… Now we can redefine previous functions just with foldr’s:

length l = foldr (a b -> 1 + b) 0 l
sum l = foldr (+) 0 l
mult l = foldr (*) 1 l
reverse l = foldr (a b -> b ++ [a]) [] l

And all the functions over list’s…

and l = foldr (&&) True l
or l = foldr (||) False l

More magic

Foldr is more magical than this, it is one catamorphism! A Catamorphism over this data type:

data [a] = [] | a : [a]

Haskell List’s!

That means that foldr functions “knows” the recursive pattern over List’s.

Foldr also allows you to use Pointfree notation, witch I like. Formal explanation.

length = foldr (a b -> 1 + b) 0

More foldr’s

We can also write foldr’s functions to every data type that we create, and “explain” how recursive patterns works for our new data type:

data BTree a where
    Empty :: BTree a
    Node :: a -> BTree a -> BTree a -> BTree a

foldrBTree :: (a -> b -> b -> b) -> b -> BTree a -> b
foldrBTree op k Empty = k
foldrBTree op k (Node a l r) = op a (foldrBTree op k l) (foldrBTree op k r)

Now if we have a Binary Tree and want to know how many nodes it has, we just have to do this:

countNodes = foldrBTree (\a nodesLeft nodesRight ->a+nodesLeft+nodesRight) 0

If we want to know how many Empty’s our tree has:

countEmpty = foldrBTree (\_ nodesLeft nodesRight -> nodesLeft + nodesRight) 1

and so on…

Fold’s are really a genuine help for your code.
Later on I will talk more about catamorphisms…





Configurar eduroam wpa_supplicant

9 11 2007

Como muita gente vem ter aqui ao blog por pesquisar “eduroam linux uminho” ou coisas parecidas, aqui vai o método que eu usei.

Configurações para a rede eduroam na UMinho por wpa_supplicant para Linux, funciona em Ubuntu{7.04, 7.10}, não testei em mais nenhuma distro, mas certamente funciona em qualquer Linux:

Sacar estes 3 ficheiros.

# wget -r --no-parent -R "*.html*"
   http://caos.di.uminho.pt/~ulisses/code/confs_ubuntu/

# cd caos.di.uminho.pt/~ulisses/code/confs_ubuntu/

Copiar o ficheiro cacert-scom.cer, interfaces e wpa_supplicant.conf para os devidos sitios:

# cp cacert-scom.cer /etc/ssl/certs/
# cp interfaces /etc/network/
# cp wpa_supplicant.conf /etc/wpa_supplicant/

No ficheiro wpa_supplicant.conf substitui-se ALUNO pelo número de aluno e PASSWORD pela respectiva.

Está feito! De seguida apenas temos que nos autenticar na rede, desta forma, onde INTERFACE é, na maioria dos casos eth1.

# iwconfig INTERFACE essid eduroam enc open
# wpa_supplicant -Dwext -i INTERFACE -c /etc/wpa_supplicant/wpa_supplicant.conf

depois de receber uma mensagem de sucesso de autenticação apenas temos que pedir um IP;

# dhclient INTERFACE -r
# dhclient INTERFACE

Agora sim… com isto já devemos de ter net na Universidade do Minho.

Ainda existe um outro método, que está comentado no ficheiro interfaces, mas esse método serve-se do acima descrito.

As configurações para Windows estão bem mais facilitadas, neste zip.