Or Getting - PowerPoint Presentation

Uploaded by cheryl-pisano (@cheryl-pisano) on 2016-08-11




Presentation Transcript

Slide1

Or Getting Worms for < $50

Babby's First Honeypot

Noah Nadeau (NN)

Slide2

Installation Prerequisites

Workstation with SD card reader
  Alternatively, buy a microSD card with the distro pre-installed
Installed Linux distro (native or LiveCD)
  Bootice might also work
Raspbian distro
Hardware
  Raspberry Pi B+ (case optional)
  High-speed 16 GB microSD card (logs can get big)
  1.0 A micro USB power supply
  Cat 5(e) cable
  HDMI cable & USB keyboard (for initial configuration)

Prerequisites / Setup

Slide3

What's Needed

Raspberry Pi Honeypot

Slide4

Raspbian

Download stripped Linux distro (Raspbian)
Image distro to microSD card using dd
Run through raspi-config
Run update/upgrade commands
Final modifications
Install nepenthes / thpot / dionaea
Wait
View logs

Image / Config / Updates / Installation / Follow-Up

Slide5

http://www.raspberrypi.org/downloads/

Download the Raspbian image
Use dd to image to microSD card
  dd if={image location} of={sd card slot in /dev/} bs=512K
Validate the image
Note: (g)parted will have issues viewing the created partitions (particularly the boot sector) prior to system restart

Part 1: Raspbian Installation

Slide6

raspi-config

Connect peripherals (HDMI, keyboard, Cat 5) and power on
Connect to network, find its IP and SSH in
Then run raspi-config
First-time installation notes:
  Expand Filesystem
  Internationalisation Options (thanks Obama)
    Change Locale, Timezone, and Keyboard Layout
  Change Password (do this *after* changing the keyboard)
  Boot to Desktop / Scratch (leave as command line)

Part 2: Raspbian Installation

Slide7

Final Updates

Run your standard update commands
  apt-get update
  apt-get upgrade
  apt-get autoclean
  apt-get autoremove
Optional: remove unused libraries (Scratch, others…)

Part 3: Raspbian Installation

Slide8

Basic Steps

  # mkdir /var/log/hpot
  # chown nobody:nobody /var/log/hpot
  # chmod 700 /var/log/hpot
  # ./iptables.rules
  # cp ./xinetd.d/* /etc/xinetd.d/
  # service portmap restart
  # pmap_set < /usr/local/thp/fakerpc
  # service xinetd restart

Simple, low-configuration honeypot

tinyhoneypot

Slide9

Dependent on portmap and xinetd

On Raspbian the steps differ from the previous slide: the log directory is /var/log/thpot, the group is nogroup rather than nobody, and the RPC service is rpcbind rather than portmap.

  # chown nobody:nogroup /var/log/thpot
  # chmod 700 /var/log/thpot
  # ./iptables.rules
  # cp ./xinetd.d/* /etc/xinetd.d/
  # service rpcbind restart
  # pmap_set < /usr/local/thp/fakerpc
  # service xinetd restart

FFFFFFFFFFFFFFFUUUUUUUUUUUUUUUUUUUUUUU

tinyhoneypot

Slide10

Nepenthes

Replaced by dionaea
Debian install instructions at http://dionaea.carnivore.it///#compiling…

Take 2

Slide11

DEV installation on Kali: works fine

  ./configure --with-lcfg-include=/opt/dionaea/include/ \
    --with-lcfg-lib=/opt/dionaea/lib \
    --with-python=/opt/dionaea/bin/python3.2 \
    --with-cython-dir=/opt/dionaea/bin \
    --with-udns-include=/opt/dionaea/include/ \
    --with-udns-lib=/opt/dionaea/lib \
    --with-emu-include=/opt/dionaea/include/ \
    --with-emu-lib=/opt/dionaea/lib/ \
    --with-gc-include=/usr/include/gc \
    --with-ev-include=/opt/dionaea/include \
    --with-ev-lib=/opt/dionaea/lib \
    --with-nl-include=/usr/include \
    --with-nl-lib=/usr/lib \
    --with-curl-config=/usr/bin/ \
    --with-pcap-include=/opt/dionaea/include \
    --with-pcap-lib=/opt/dionaea/lib/
  make
  make install

Dry Run: Kali

Dionaea

Slide12

Raspbian

Dionaea

Slide13

Kali VM with x86_64 architecture ≠ Raspbian on ARM

Additional packages: libffi-dev, gettext
Glib version must be <= 2.32. Raspbian runs glib v2.40, and the changes break dionaea; Kali runs 2.32 or older.
Glib 2.40 introduced g_info; g_thread_init and g_mutex_new are deprecated.
Even with changes to the source, compiling is broken.

Lessons Learned

Dionaea

Slide14

dionaea ARM packages are available from a different source (thanks Yerry Pi):

  nano /etc/apt/sources.list (add the line:)
  deb http://packages.s7t.de/raspbian wheezy main

  apt-get update
  apt-get install libglib2.0-dev libssl-dev libcurl-openssl-dev libreadline-dev libsqlite3-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev liblcfg libemu libev dionaea-python dionaea-cython lipcap udns dionaea liblcfg

Take 3

Dionaea

Slide15

  cp /opt/dionaea/etc/dionaea.conf.dist /opt/dionaea/etc/dionaea.conf
  chown nobody:nogroup /opt/dionaea/ -R
  dionaea -u nobody -g nogroup -r /opt/dionaea -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid
  /opt/dionaea/bin/dionaea -l all,-debug -L '*' -D
  nano /opt/dionaea/readlogsqltree (change first line:)
  #!/opt/dionaea/bin/python3.2

Configuration

Dionaea

Slide16

The Payoff…

Dionaea

Slide17

Access Attempts

Dionaea

Slide18
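Slide 18 is a screenshot of the access-attempts view. What follows is an added example, not code from the deck or from dionaea: a cut-down version of what readlogsqltree does, run on constructed rows that mimic the timings reported on slide 19. The `connections` and `mssql_commands` column names are an assumption from memory of dionaea's logsql module; confirm them with `.schema` against your own logsql.sqlite before pointing this at real data.

```python
# Added example, not from the deck: a cut-down readlogsqltree for the questions
# slide 19 asks. Column names follow dionaea's logsql as I recall it (assumption).
import sqlite3
from collections import Counter
SCHEMA = """
CREATE TABLE connections (connection INTEGER PRIMARY KEY, connection_type TEXT,
  connection_transport TEXT, connection_protocol TEXT, connection_timestamp INTEGER,
  connection_root INTEGER, connection_parent INTEGER, local_host TEXT,
  local_port INTEGER, remote_host TEXT, remote_hostname TEXT, remote_port INTEGER);
CREATE TABLE mssql_commands (mssql_command INTEGER PRIMARY KEY, connection INTEGER,
  mssql_command_status TEXT, mssql_command_cmd TEXT);
"""
# Constructed sample rows, not real captures: honeypot starts at START, two SMB
# probes from one host arrive after 90 min, an MSSQL session 14 h later.
START = 1400000000
SAMPLE_CONNECTIONS = [
    (1, "accept", "tcp", "smbd", START + 90 * 60, 1, 1, "192.0.2.10", 445, "198.51.100.7", "", 51234),
    (2, "accept", "tcp", "smbd", START + 95 * 60, 2, 2, "192.0.2.10", 445, "198.51.100.7", "", 51240),
    (3, "accept", "tcp", "mssqld", START + 14 * 3600, 3, 3, "192.0.2.10", 1433, "203.0.113.5", "", 40001),
]
SAMPLE_MSSQL = [(1, 3, "ok", "select @@version")]

def load_sample_db():
    """In-memory stand-in for /opt/dionaea/var/dionaea/logsql.sqlite."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO connections VALUES (%s)" % ",".join("?" * 12),
                   SAMPLE_CONNECTIONS)
    db.executemany("INSERT INTO mssql_commands VALUES (?,?,?,?)", SAMPLE_MSSQL)
    return db

def access_attempts(db):
    """Inbound connections per (remote_host, local_port, protocol). Only
    'accept' rows count, so dionaea's own listeners are excluded."""
    return Counter(db.execute(
        "SELECT remote_host, local_port, connection_protocol FROM connections "
        "WHERE connection_type = 'accept'"))

def minutes_to_first_events(db, start_ts):
    """Minutes from start to the first probe, and to the first connection that
    went past a handshake (here: one that issued an MSSQL command)."""
    probe = db.execute("SELECT MIN(connection_timestamp) FROM connections "
                       "WHERE connection_type = 'accept'").fetchone()[0]
    attack = db.execute(
        "SELECT MIN(c.connection_timestamp) FROM connections c "
        "JOIN mssql_commands m ON m.connection = c.connection").fetchone()[0]
    to_min = lambda ts: None if ts is None else (ts - start_ts) / 60
    return to_min(probe), to_min(attack)
```

Against a live deployment, replace load_sample_db() with sqlite3.connect() on the real logsql.sqlite and pass the timestamp at which dionaea was started.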
Slide19

Technical:
  Found 3 rogue systems at work (with the DEV Kali deployment alone): 2 in the LAN, 1 at HQ
  First probe on PROD within 90 minutes of setting up
  First active attack 14 hours later (mssql)
Academic:
  Going the long way around, you'll learn / remember more about C/C++ and makefiles than you wish you could
Social:
  When playing Crash and Compile: 1) do it with your own source code; 2) don't try to beat your old score.

Lessons Learned

Dionaea

Slide20

MSSQL Attack: http://pastebin.com/4dkmukPp

Slide21

Possible Improvements

Install Vagrant / mhn
  Replication and centralized control
Addition of p0f
  Passive remote machine identification
Understanding bistreams
  Locate the pcaps
Extend for HTTP
What to do with this information?

Next Steps

Dionaea

Slide22

References / Additional Reading

Dionaea homepage: http://dionaea.carnivore.it/
Nathan Yee – Deploying Dionaea on a Raspberry Pi: https://github.com/threatstream/mhn/wiki/Deploying-Dionaea-on-a-Raspberry-Pi
Yerry Pi – Dionaea on Raspberry Pi: http://droidtoo.blogspot.com/2013/05/setting-up-dionaea-on-raspberry-pi.html

In ur networks, nabbing ur exploits

Dionaea

Slide23

Questions?
