Virtual Threat Contributing Writer
In this “Virtual Threat” how-to article, I’ll discuss the ins and outs of setting up a Dionaea honeypot. For those unfamiliar with the term, a honeypot at its core is a “computer system expressly set up to attract and ‘trap’ people who attempt to penetrate other people’s computer systems.”
A boatload of pre-built honeypots have been created over the years, first from the wonderful hacking novel “A Cuckoo’s Egg,” where Clifford Stoll basically allowed a hacker to breeze through the entirety of Berkeley’s network unchecked, to more recently Honeyd, Kippo (which is focused on providing specifically an SSH honeypot), to nepenthes, which Dionaea is meant to be a successor to.
The entire point of honeypots is the discovery of unknown new attack vectors… honeypots such as Kippo can go as far as simulating a real SSH shell for the script kidde attacker, automatically downloading and saving off any code the attacker tries to download (for further analysis by the researcher who is running the honeypot) and logging every single command the attacker runs.
One can only imagine how interesting and informative the detailed logging of an attacker’s sessions could be, and the Dionaea realizes many of the things one can imagine. Dionaea will save binaries that are uploaded to ‘fake’ services it hosts, it will save pcaps of interesting traffic, and complete logging into a sqlite database (accessible via easy to use Python scripts) are all baked-in features. Another nice aspect of Dionaea are traffic graphs that are easily built using scripts that come with Dionaea’s source.:
This particular graph is an analysis of specifically smb data, and indicates that shellcode and file offers have been uploaded to my honeypot. The binaries of each of these transfers were all captured by Dionaea, and I ran the binaries through VirusTotal. Every one of them are a Trojan horse of some kind.
Ordinarily, setting up a honeypot at your own house can be a somewhat laborious task… building a system dedicated to running the honeypot software, getting the OS installed, exposing it to the Internet, leaving the “box” up 24/7 using power from your house and making noise… as one can imagine this is quite a bit of trouble just in the name of some cursory academic interest in watching hackers. Fortunately nowadays with the advent of “cloud computing” (which is really just at its essence a harkening back to the old time shared system days), slinging a Linux box onto the Internet is as easy as pointing and clicking. With some added work and elbow grease, standing up a Honeypot is as easy as following a few steps in a tutorial, at minimal cost. The honeypot I build on Joyent’s servers costs me all of $20 a month. So without further ado, let’s get to it!
For this tutorial I have built from scratch a Joyent VM, in their US East datacenter. I used Joyent’s pre-built VM image of Debian 6.03, which is conveniently named “debian-6.03.”
For the size I simply picked their smallest option, “Extra Small,” which gives you 512 megs of RAM and 15 gigs of hard drive space for $.03 cents an hour… plenty of room for what we’re doing.
After the VM is provisioned, the next step is to ssh out to the VM and do an ‘apt-get update’ and an ‘apt-get upgrade’ so that the VM is completely up to date. Right off the bat I had 60 packages to update:
After a reboot into the new kernel that was just updated we’re good to go, so from here on out we’re basically following the Dionaea installation guide (which is somewhat hairy and detailed, hence this howto). The guide is located here: http://dionaea.carnivore.it/#compiling and I’m essentially following the ‘Ubuntu’ instructions, with some tweaks because of missing packages that Debian does not have by default in it repositories.
So first of all we need to install some packages, for the various dependencies Dionaea has (copy the following text and paste it into an ssh session you’ve established to your Joyent VM):
apt-get –yes install libglib2.0-dev libssl-dev \
libreadline-dev libsqlite3-dev python-dev \
libtool automake autoconf build-essential \
subversion git-core flex bison pkg-config gnuplot
If you’ve pasted it in correctly, Debian should go ahead and automatically install a collection of packages. Now let’s get to the Dionaea prerequisites!
The first dependency is liblcfg… for this we’ll make a directory to store the source code for all this stuff (in /opt/dionaea/src) we’ll pull down a bunch of source code and we’ll build all the dependencies needed.
The first thing we’ll install is liblcfg, from carnivore.it (makers of Dionaea):
git clone git://git.carnivore.it/liblcfg.git liblcfg
Next up is libemu, also from carnivore.it:
git clone git://git.carnivore.it/libemu.git libemu
Next up to install is libnl (this differs from the carnivore.it instructions, because the git repository in their instructions is apparently broken):
git clone https://github.com/tgraf/libnl.git
Next is libev:
tar xfz libev-4.04.tar.gz
We’re basically done with the custom Dionaea dependencies, so now we’re going to “roll our own” build of Python, specifically Python 3.2, for Dionaea to use.
tar xfz Python-3.2.2.tgz
./configure –enable-shared –prefix=/opt/dionaea \
–with-computed-gotos –enable-ipv6 \
Now per the instructions we need to build Cython:
tar xfz Cython-0.15.tar.gz
/opt/dionaea/bin/python3 setup.py install
Almost done, next we’re going to build udns:
tar xfz udns_0.0.9.tar.gz
cp udns.h /opt/dionaea/include/
cp *.so* /opt/dionaea/lib/
ln -s libudns.so.0 libudns.so
Finally, we’re going to build a specific version of libpcap:
tar xfz libpcap-1.1.1.tar.gz
OK, so now at this point all the dependencies for Dionaea should be built and installed in the right places. As a final step, we’re going to build and install Dionaea itself:
git clone git://git.carnivore.it/dionaea.git dionaea
./configure –with-lcfg-include=/opt/dionaea/include/ \
If you’ve copied and pasted all these commands and everything has built correctly (which it all should… I tested this entire howto on a clean VM I stood up on Joyent), then congratulations! You now have a Dionaea honeypot set up. The next steps involve starting the Dionaea service and ensuring it’s receiving traffic. I’ll also briefly go over building the traffic charts, and reading from the Dionaea logs.
Starting the Dionaea daemon
Starting Dionaea is quite simple:
By ‘tailing’ the output of the Dionaea logs, we can see that it started successfully:
Doing a ‘netstat’ we can see that Dionaea is listening on a number of different ports as well (note all the ports with state “LISTEN” and the PID/Program name of Dionaea):
Checking Dionaea Logs
Aside from just tailing dionaea.log, there is a utility provided that queries the Dionaea internal sqlite database that allows you to see connections from particular IP addresses. The following command shows connections from the last 24 hours:
/opt/dionaea/bin/python3 /opt/dionaea/bin/readlogsqltree \
-t $(date ‘+%s’)-24*3600 /opt/dionaea/var/dionaea/logsql.sqlite
On my test VM that I just built, there haven’t been any connections yet, but on the Dionaea VM that has been up for 3 months there are 60 connections from the last 24 hours.
Building Dionaea graphs, and viewing the graphs
Before we go ahead and build the graphs, first we need to install the Apache web server and configure it to listen on a non-standard port (because our honeypot is already listening on the common web ports!)
First we need to install the Apache packages (it will fail to start and there will be an error, that’s OK):
apt-get –yes install apache2
Then we need to modify the port Apache listens on and start Apache:
cp ports.conf ports.conf.original
cat ports.conf.original | sed ‘s/Listen 80/Listen 8000/’ > ports.conf
chown www-data /etc/apache2/htdocs
Next we change over to where the web content is stored, and we’re going to build our graphs. The graphs are by default put into /tmp/dionaea-gnuplot
-d /opt/dionaea/var/dionaea/logsql.sqlite \
-p smbd -p epmapper -p mssqld -p httpd -p ftpd
After the command runs, we need to move the content that was created over to the web directory:
mv /tmp/dionaea-gnuplot/* .
At this point, if you do an ‘ifconfig eth0’ on your Joyent VM and note the public IP that was assigned, you should be able to open a web browser and point it at http://<Your VM IP>:8000/ and see graphs from Dionaea
Other Interesting Stuff
There is some interesting stuff under /opt/dionaea/var/dionaea – for example, under /opt/dionaea/var/dionaea/binaries, any binaries that Dionaea ‘captures’ from remote attackers are stored. Running ‘file’ on these binaries usually reveals that these are “PE32 executable for MS Windows (GUI) Intel 80386 32-bit” or “MS-DOS executable, MZ for MS-DOS.” I pulled down the binaries on my honeypot, uploaded them to VirusTotal.com and this revealed that they were all various different types of Trojans. The next step would be to build Windows VMs and attempt running the exes.
Q and A
Q: Can this same VM be implemented on Amazon’s EC2?
A: This is entirely possible, but I wanted to try out Joyent’s services, and there is already talk on the interwebs that honeypots in general are a violation of Amazon’s Terms of Service (see the discussion here for more details: http://www.reddit.com/r/netsec/comments/11yezx/want_to_setup_a_honeypot_for_free_to_log/)
I deliberately chose Joyent because they’re more of an “off beat” cloud provider, so at least if one were to be “busted” by Joyent it wouldn’t jeopardize any Amazon services.