Slide1
Or Getting Worms for < $50
Babby’s First Honeypot
Noah Nadeau
NN

Slide2
Installation Prerequisites
Workstation with SD card reader (alternatively, buy a microSD card with the distro pre-installed)
Installed Linux distro (native or LiveCD); Bootice might also work
Raspbian distro
Hardware:
Raspberry Pi B+ (case optional)
High-speed 16 GB microSD card (logs can get big)
1.0 A micro USB power supply
Cat 5(e) cable
HDMI cable & USB keyboard (for initial configuration)
Prerequisites / Setup

Slide3
What’s Needed
Raspberry Pi Honeypot

Slide4
Raspbian
Download stripped Linux distro (Raspbian)
Image distro to microSD card using dd
Run through raspi-config
Run update/upgrade commands
Final modifications
Install nepenthes / thpot / dionaea
Wait
View logs
Image / Config / Updates / Installation / Follow-Up

Slide5
http://www.raspberrypi.org/downloads/
Download the Raspbian image
Use dd to image to microSD card:
dd if={image location} of={sd card slot in /dev/} bs=512K
Validate the image
Note: (g)parted will have issues viewing the created partitions (particularly the boot sector) prior to system restart
Part 1 / Raspbian Installation

Slide6
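The dd step on Slide 5 ends with "validate the image" but does not say how. The script below is an added example (not the deck's own code, and not a Raspberry Pi Foundation tool): it writes an image in the same 512 KiB blocks as the slide's dd command, but first checks the download against a published SHA-256, then fsyncs and reads the written range back to confirm the card holds what the image holds. The demo() function runs the whole thing against a constructed fake image and fake card in a temp directory; on the real Pi you would pass the unmounted card's /dev node (which needs root) and the hash from the download page.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 512 * 1024  # same 512 KiB block size as the dd command on the slide


def sha256_of(path, length=None):
    """SHA-256 of a file, or of its first `length` bytes (a card is larger than the image)."""
    digest = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            want = BLOCK_SIZE if remaining is None else min(BLOCK_SIZE, remaining)
            chunk = f.read(want)
            if not chunk:
                break
            digest.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return digest.hexdigest()


def write_image(image_path, target_path, expected_sha256=None):
    """Write a disk image to target_path (a block device such as /dev/mmcblk0, or a plain file here).

    Three checks that a bare dd does not make:
      1. the downloaded image matches the SHA-256 published next to it (refuse to write otherwise),
      2. the data is fsync'd, so pulling the card early cannot leave a half-written boot sector,
      3. the written range is read back and compared with the image digest.
    Returns True only when the image verified both before and after writing.
    """
    image_digest = sha256_of(image_path)
    if expected_sha256 is not None and image_digest != expected_sha256.lower():
        return False  # corrupted or tampered download: nothing is written
    length = os.path.getsize(image_path)
    with open(image_path, "rb") as src, open(target_path, "r+b") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    return sha256_of(target_path, length) == image_digest


def demo():
    """Constructed sample: a 1 MiB + 123 byte fake image and a 2 MiB fake card, both temp files."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "raspbian-sample.img")
    card = os.path.join(workdir, "fake-mmcblk0")  # stands in for the real /dev node
    with open(image, "wb") as f:
        f.write(os.urandom(1024 * 1024 + 123))
    with open(card, "wb") as f:
        f.write(b"\xff" * (2 * 1024 * 1024))  # whatever was on the card before
    ok = write_image(image, card, expected_sha256=sha256_of(image))
    rejected = write_image(image, card, expected_sha256="00" * 32)  # wrong published hash
    return ok, rejected


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Hashing only the first `length` bytes of the target is deliberate: the card is bigger than the image, so hashing the whole device would never match. The gparted note on the slide still applies; the kernel re-reads the partition table only after a restart, so the verification here is byte-level, not partition-level.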
raspi-config
Connect peripherals (HDMI, keyboard, Cat 5) and power on
Connect to network, find its IP, and SSH in
Then run raspi-config
First-time installation notes:
Expand Filesystem
Internationalisation Options (thanks Obama): change Locale, Timezone, and Keyboard Layout
Change Password (do this *after* changing the keyboard layout)
Boot to Desktop / Scratch (leave as command line)
Part 2 / Raspbian Installation

Slide7
Final Updates
Run your standard update commands:
apt-get update
apt-get upgrade
apt-get autoclean
apt-get autoremove
Optional: remove unused libraries (Scratch, others…)
Part 3 / Raspbian Installation

Slide8
Basic Steps
# mkdir /var/log/hpot
# chown nobody:nobody /var/log/hpot
# chmod 700 /var/log/hpot
# ./iptables.rules
# cp ./xinetd.d/* /etc/xinetd.d/
# service portmap restart
# pmap_set < /usr/local/thp/fakerpc
# service xinetd restart
Simple, low-configuration honeypot
tinyhoneypot

Slide9
Dependent on portmap and xinetd
# chown nobody:nogroup /var/log/thpot
# chmod 700 /var/log/thpot
# ./iptables.rules
# cp ./xinetd.d/* /etc/xinetd.d/
# service rpcbind restart
# pmap_set < /usr/local/thp/fakerpc
# service xinetd restart
FFFFFFFFFFFFFFFUUUUUUUUUUUUUUUUUUUUUUU
tinyhoneypot

Slide10
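Slides 8 and 9 differ in the log directory and its group (nobody:nobody on /var/log/hpot versus nobody:nogroup on /var/log/thpot), which is exactly the kind of mismatch that stops an unprivileged honeypot from writing its logs, or leaves captured traffic readable by every local user. The check below is an added example, not part of the deck or of tinyhoneypot: it stats the directory and reports any deviation from the owner, group and 0700 mode the slides set. demo() exercises it on a constructed temp directory; because chown to nobody needs root, the demo expects the current user as owner, while on the Pi you would call check_log_dir("/var/log/thpot") with the defaults.

```python
import grp
import os
import pwd
import stat
import tempfile


def _user_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def _group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def check_log_dir(path, owner="nobody", group="nogroup", mode=0o700):
    """Return a list of problems with a honeypot log directory; an empty list means it is ready.

    The directory must belong to the unprivileged account the daemon drops to (or it cannot
    write its logs) and must be mode 0700 (or any local user can read the captured traffic).
    """
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist (mkdir it first)"]
    if not stat.S_ISDIR(st.st_mode):
        problems.append(f"{path} is not a directory")
    actual_owner = _user_name(st.st_uid)
    actual_group = _group_name(st.st_gid)
    if actual_owner != owner:
        problems.append(f"owner is {actual_owner}, expected {owner}")
    if actual_group != group:
        problems.append(f"group is {actual_group}, expected {group}")
    actual_mode = stat.S_IMODE(st.st_mode)
    if actual_mode != mode:
        problems.append(f"mode is {actual_mode:04o}, expected {mode:04o}")
    return problems


def demo():
    """Run the check on a constructed temp directory, before and after the chmod 700 step."""
    path = tempfile.mkdtemp()
    me = _user_name(os.getuid())
    # Some filesystems give a new directory its parent's group rather than the process's,
    # so take the expected group from the directory itself; owner and mode are checked for real.
    my_group = _group_name(os.stat(path).st_gid)
    os.chmod(path, 0o755)  # the common mistake: a world-readable log directory
    before = check_log_dir(path, owner=me, group=my_group)
    os.chmod(path, 0o700)  # the chmod 700 step from the slide
    after = check_log_dir(path, owner=me, group=my_group)
    return before, after


if __name__ == "__main__":
    print(demo())  # (['mode is 0755, expected 0700'], [])
```

Run it once after the chown/chmod lines and again after the first restart of xinetd: a daemon that creates its own files will reveal a wrong drop-to user as a freshly created file owned by root.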
Nepenthes
Replaced by dionaea
Debian install instructions at http://dionaea.carnivore.it///#compiling…
Take 2

Slide11
Dry Run: Kali
DEV installation on Kali works fine
./configure --with-lcfg-include=/opt/dionaea/include/ --with-lcfg-lib=/opt/dionaea/lib \
  --with-python=/opt/dionaea/bin/python3.2 --with-cython-dir=/opt/dionaea/bin \
  --with-udns-include=/opt/dionaea/include/ --with-udns-lib=/opt/dionaea/lib \
  --with-emu-include=/opt/dionaea/include/ --with-emu-lib=/opt/dionaea/lib/ \
  --with-gc-include=/usr/include/gc \
  --with-ev-include=/opt/dionaea/include --with-ev-lib=/opt/dionaea/lib \
  --with-nl-include=/usr/include --with-nl-lib=/usr/lib \
  --with-curl-config=/usr/bin/ \
  --with-pcap-include=/opt/dionaea/include --with-pcap-lib=/opt/dionaea/lib/
make
make install
Dionaea

Slide12
Raspbian
Dionaea

Slide13
Lessons Learned
Kali VM with x86_64 architecture ≠ Raspbian on ARM
Additional packages: libffi-dev, gettext
Glib version must be <= 2.32. Raspbian runs glib v2.40; the changes break dionaea. Kali runs 2.32 or older.
Glib 2.40 introduced g_info; g_thread_init and g_mutex_new are deprecated.
Even with changes to the source, compiling is broken.
Dionaea

Slide14
Take 3
dionaea ARM packages are available from a different source (thanks Yerry Pi):
nano /etc/apt/sources.list (add the line:)
deb http://packages.s7t.de/raspbian wheezy main
apt-get update
apt-get install libglib2.0-dev libssl-dev libcurl-openssl-dev libreadline-dev libsqlite3-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev liblcfg libemu libev dionaea-python dionaea-cython libpcap udns dionaea liblcfg
Dionaea

Slide15
Configuration
cp /opt/dionaea/etc/dionaea.conf.dist /opt/dionaea/etc/dionaea.conf
chown nobody:nogroup /opt/dionaea/ -R
dionaea -u nobody -g nogroup -r /opt/dionaea -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid
/opt/dionaea/bin/dionaea -l all,-debug -L '*' -D
nano /opt/dionaea/readlogsqltree (change first line:)
#!/opt/dionaea/bin/python3.2
Dionaea

Slide16
The Payoff…
Dionaea

Slide17
Access Attempts
Dionaea

Slide18

Slide19
Lessons Learned
Technical:
Found 3 rogue systems at work (with the DEV Kali deployment alone): 2 in the LAN, 1 at HQ
First probe on PROD within 90 minutes of setting up
First active attack 14 hours later (mssql)
Academic:
Going the long way around, you'll learn / remember more about C/C++ and makefiles than you wish you could
Social:
When playing Crash and Compile: 1) do it with your own source code; 2) don't try to beat your old score.
Dionaea

Slide20
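The Configuration slide points at readlogsqltree, and the Payoff and Lessons Learned slides are built from what it prints: which sources connected, to which emulated service, how soon after start-up, and what they dropped. The script below is an added example (not the deck's code and not dionaea's own readlogsqltree): it runs those questions as queries against dionaea's logsql.sqlite. The two tables are a subset of dionaea's logsql layout as I recall it from logsql.py, so confirm the column names against your install before pointing it at a real file; the rows are constructed sample data using RFC 5737 documentation addresses, timed to mirror the slide's "first probe at 90 minutes, first MSSQL attack 14 hours later".

```python
import sqlite3

# Subset of dionaea's logsql.sqlite layout (the connections and downloads tables as I recall
# them from logsql.py; confirm the column names against your own install first).
SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY,
    connection_type TEXT,
    connection_transport TEXT,
    connection_protocol TEXT,
    connection_timestamp INTEGER,
    connection_root INTEGER,
    connection_parent INTEGER,
    local_host TEXT,
    local_port INTEGER,
    remote_host TEXT,
    remote_hostname TEXT,
    remote_port INTEGER
);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY,
    connection INTEGER,
    download_url TEXT,
    download_md5_hash TEXT
);
"""

# Constructed sample rows, not real captures. Listeners come up at T0, a first SMB probe
# arrives 90 minutes later and an MSSQL session 14 hours in, mirroring the Lessons Learned slide.
T0 = 1401624000  # constructed epoch timestamp
SAMPLE_CONNECTIONS = [
    # (type, transport, protocol, timestamp, root, parent, local_host, local_port, remote_host, remote_port)
    ("listen", "tcp", "mssqld", T0, 1, None, "0.0.0.0", 1433, "", None),
    ("listen", "tcp", "smbd", T0, 2, None, "0.0.0.0", 445, "", None),
    ("accept", "tcp", "smbd", T0 + 90 * 60, 2, 2, "192.0.2.10", 445, "198.51.100.7", 51324),
    ("accept", "tcp", "smbd", T0 + 95 * 60, 2, 2, "192.0.2.10", 445, "198.51.100.7", 51330),
    ("accept", "tcp", "smbd", T0 + 100 * 60, 2, 2, "192.0.2.10", 445, "198.51.100.7", 51331),
    ("accept", "tcp", "mssqld", T0 + 14 * 3600, 1, 1, "192.0.2.10", 1433, "203.0.113.42", 40211),
    ("accept", "tcp", "mssqld", T0 + 14 * 3600 + 30, 1, 1, "192.0.2.10", 1433, "203.0.113.42", 40212),
]
# One payload fetched during the second MSSQL session (connection id 7); URL and hash are placeholders.
SAMPLE_DOWNLOADS = [(7, "http://203.0.113.42/placeholder.exe", "0" * 32)]


def load_sample():
    """Build an in-memory logsql-shaped database from the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO connections (connection_type, connection_transport, connection_protocol,"
        " connection_timestamp, connection_root, connection_parent, local_host, local_port,"
        " remote_host, remote_port) VALUES (?,?,?,?,?,?,?,?,?,?)",
        SAMPLE_CONNECTIONS,
    )
    db.executemany(
        "INSERT INTO downloads (connection, download_url, download_md5_hash) VALUES (?,?,?)",
        SAMPLE_DOWNLOADS,
    )
    return db


def top_remote_hosts(db, limit=10):
    """Inbound sessions per source address; listen rows are not attacker activity and are excluded."""
    return db.execute(
        "SELECT remote_host, COUNT(*) AS n FROM connections WHERE connection_type = 'accept'"
        " GROUP BY remote_host ORDER BY n DESC, remote_host LIMIT ?",
        (limit,),
    ).fetchall()


def hits_per_service(db):
    """Which emulated services draw the attention: {protocol: accepted connections}."""
    rows = db.execute(
        "SELECT connection_protocol, COUNT(*) FROM connections"
        " WHERE connection_type = 'accept' GROUP BY connection_protocol"
    ).fetchall()
    return dict(rows)


def seconds_to_first_contact(db):
    """Seconds from the listeners coming up to the first accepted session, per protocol."""
    (start,) = db.execute(
        "SELECT MIN(connection_timestamp) FROM connections WHERE connection_type = 'listen'"
    ).fetchone()
    rows = db.execute(
        "SELECT connection_protocol, MIN(connection_timestamp) FROM connections"
        " WHERE connection_type = 'accept' GROUP BY connection_protocol"
    ).fetchall()
    return {proto: first - start for proto, first in rows}


def downloads_with_source(db):
    """Join captured payloads back to the session that delivered them: (source, service, url, md5)."""
    return db.execute(
        "SELECT c.remote_host, c.connection_protocol, d.download_url, d.download_md5_hash"
        " FROM downloads d JOIN connections c ON c.connection = d.connection"
    ).fetchall()


if __name__ == "__main__":
    # On the Pi: sqlite3.connect("/opt/dionaea/var/dionaea/logsql.sqlite"), the default
    # logsql path under a /opt/dionaea prefix (check the logsql section of dionaea.conf).
    db = load_sample()
    print(top_remote_hosts(db))
    print(hits_per_service(db))
    print(seconds_to_first_contact(db))
    print(downloads_with_source(db))
```

The md5 column is what you feed to a hash lookup, and the source/service pairing is what tells you whether the three rogue systems from the Technical lessons were scanning one port or many; readlogsqltree shows the same data as a per-connection tree, which is harder to summarise across days of logs.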
MSSQL Attack: http://pastebin.com/4dkmukPp

Slide21
Next Steps
Possible Improvements
Install Vagrant / mhn: replication and centralized control
Addition of p0f: passive remote machine identification
Understanding bistreams: locate the pcaps
Extend for HTTP
What to do with this information?
Dionaea

Slide22
References / Additional Reading
Dionaea homepage: http://dionaea.carnivore.it/
Nathan Yee, Deploying Dionaea on a Raspberry Pi: https://github.com/threatstream/mhn/wiki/Deploying-Dionaea-on-a-Raspberry-Pi
Yerry Pi, Dionaea on Raspberry Pi: http://droidtoo.blogspot.com/2013/05/setting-up-dionaea-on-raspberry-pi.html
In ur networks, nabbing ur exploits
Dionaea

Slide23
Questions?