Or Getting Worms for < $50

  1. Or Getting Worms for < $50
     Babby’s First Honeypot
     Noah Nadeau (NN)

  2. Installation Prerequisites
     Prerequisites
     • Workstation with SD Card Reader
       • Alternatively, buy a microSD card with the distro pre-installed
     • Installed Linux distro (Native or LiveCD)
       • Bootice might also work
     • Raspbian distro
     Hardware
     • Raspberry Pi B+ (case optional)
     • High speed 16 GB microSD card (logs can get big)
     • 1.0A Micro USB power
     • Cat 5(e) cable
     • HDMI cable & USB keyboard (for initial configuration)

  3. What’s Needed (Raspberry Pi Honeypot)

  4. Raspbian
     • Image: download the stripped Linux distro (Raspbian); image the distro to the microSD card using dd
     • Config: run through raspi-config
     • Updates: run update/upgrade commands
     • Installation: final modifications; install nepenthes / thpot / dionaea
     • Follow-Up: wait; view logs

  5. Raspbian Installation, Part 1
     • http://www.raspberrypi.org/downloads/
     • Download the Raspbian image
     • Use dd to image to the microSD card:
       dd if={image location} of={sd card slot in /dev/} bs=512K
     • Validate the image
     • Note: (g)parted will have issues viewing the created partitions (particularly the boot sector) prior to system restart
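The imaging and "Validate the image" steps above as a script, added here as an example (not from the deck): it checks the download against the published SHA-256 before writing, writes with the slide's dd block size, then reads the card back and compares it byte for byte. The file paths and the checksum argument are assumptions; pass your own.

```shell
#!/bin/sh
# Added example, not from the deck: image the microSD card and verify it,
# filling in the "Validate the image" step the slide only names.
# Paths are assumptions; pass the real ones, e.g. raspbian.img /dev/mmcblk0.
set -eu

# Compare the downloaded image against the SHA-256 listed on the download page.
verify_checksum() {
    image=$1; expected=$2
    actual=$(sha256sum "$image" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Write the image with the block size the slide uses, then flush caches so
# the data is really on the card before it is pulled.
write_image() {
    image=$1; device=$2
    dd if="$image" of="$device" bs=512K
    sync
}

# Read back exactly the image's length and compare byte for byte: a card that
# silently dropped writes, or the wrong target device, fails here.
verify_written() {
    image=$1; device=$2
    size=$(stat -c %s "$image")
    cmp -n "$size" "$image" "$device"
}

# Usage: ./image-sd.sh raspbian.img /dev/mmcblk0 <sha256 from download page>
if [ $# -eq 3 ]; then
    verify_checksum "$1" "$3" || { echo "checksum mismatch, not writing" >&2; exit 1; }
    write_image "$1" "$2"
    verify_written "$1" "$2"
    echo "image written and verified"
fi
```

The note on the slide still applies: (g)parted will not show the new partitions correctly until the workstation is rebooted, which is why the check reads raw bytes rather than the partition table.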

  6. Raspbian Installation, Part 2: raspi-config
     • Connect peripherals (HDMI, keyboard, Cat 5) and power on
       • Or connect it to the network, find its IP and SSH in
     • Then run raspi-config
     • First-time installation notes:
       • Expand Filesystem
       • Internationalisation Options (thanks Obama)
         • Change Locale, Timezone, and Keyboard Layout
       • Change Password (do this *after* changing the keyboard)
       • Boot to Desktop / Scratch (leave as command line)

  7. Raspbian Installation, Part 3: Final Updates
     • Run your standard update commands:
       apt-get update
       apt-get upgrade
       apt-get autoclean
       apt-get autoremove
     • Optional: remove unused libraries (Scratch, others…)

  8. tinyhoneypot: Basic Steps
     Simple, low-configuration honeypot
       # mkdir /var/log/hpot
       # chown nobody:nobody /var/log/hpot
       # chmod 700 /var/log/hpot
       # ./iptables.rules
       # cp ./xinetd.d/* /etc/xinetd.d/
       # service portmap restart
       # pmap_set < /usr/local/thp/fakerpc
       # service xinetd restart

  9. tinyhoneypot: Dependent on portmap and xinetd
       # chown nobody:nogroup /var/log/thpot
       # chmod 700 /var/log/thpot
       # ./iptables.rules
       # cp ./xinetd.d/* /etc/xinetd.d/
       # service rpcbind restart
       # pmap_set < /usr/local/thp/fakerpc
       # service xinetd restart
     FFFFFFFFFFFFFFFUUUUUUUUUUUUUUUUUUUUUUU

  10. Take 2: Nepenthes
      • Replaced by dionaea
      • Debian install instructions at http://dionaea.carnivore.it///#compiling
      • …

  11. Dionaea, Dry Run: Kali
      • DEV installation on Kali works fine:
        ./configure --with-lcfg-include=/opt/dionaea/include/ --with-lcfg-lib=/opt/dionaea/lib --with-python=/opt/dionaea/bin/python3.2 --with-cython-dir=/opt/dionaea/bin --with-udns-include=/opt/dionaea/include/ --with-udns-lib=/opt/dionaea/lib --with-emu-include=/opt/dionaea/include/ --with-emu-lib=/opt/dionaea/lib/ --with-gc-include=/usr/include/gc --with-ev-include=/opt/dionaea/include --with-ev-lib=/opt/dionaea/lib --with-nl-include=/usr/include --with-nl-lib=/usr/lib --with-curl-config=/usr/bin/ --with-pcap-include=/opt/dionaea/include --with-pcap-lib=/opt/dionaea/lib/
        make
        make install

  12. Dionaea: Raspbian

  13. Dionaea, Lessons Learned
      • Kali VM with x86_64 architecture ≠ Raspbian on ARM
      • Additional packages: libffi-dev, gettext
      • GLib version must be <= 2.32
        • Raspbian runs GLib v2.40; the changes break dionaea
        • Kali runs 2.32 or older
        • GLib 2.40 introduced g_info
        • g_thread_init and g_mutex_new are deprecated
      • Even with changes to the source, compiling is broken
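A pre-flight check for the build host, added here as an example (not from the deck or from dionaea): it encodes the GLib ceiling the slide reports and stops before a doomed source build on a host like the Raspbian 2.40 one. The `version_le` helper, the `check_build_env` function and the use of pkg-config to read the installed GLib version are my assumptions about how to check.

```shell
#!/bin/sh
# Added example, not from the deck: pre-flight check before compiling dionaea
# on the Pi, encoding the lesson from the slide that the source built against
# GLib <= 2.32 while Raspbian shipped 2.40. The cut-off and the pkg-config
# lookup are assumptions about how to check; nothing here is dionaea's own code.
set -eu

MAX_GLIB=2.32   # newest GLib version the slide reports as working

# Return 0 when dotted version $1 <= $2, comparing field by field numerically.
# A Debian revision suffix such as "2.40-1" is ignored.
version_le() {
    a=${1%%-*}; b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Ask pkg-config, which is also what a configure script consults.
glib_version() {
    pkg-config --modversion glib-2.0 2>/dev/null || echo unknown
}

check_build_env() {
    arch=$(uname -m); glib=$(glib_version)
    echo "arch=$arch glib=$glib"
    case $arch in
        arm*) echo "ARM host: binaries built on an x86_64 Kali VM will not run here" ;;
    esac
    if [ "$glib" = unknown ]; then
        echo "no GLib development files found (install libglib2.0-dev)"; return 1
    fi
    if ! version_le "$glib" "$MAX_GLIB"; then
        echo "GLib $glib > $MAX_GLIB: expect g_thread_init/g_mutex_new breakage;" \
             "use prebuilt ARM packages instead of compiling"
        return 1
    fi
    echo "GLib $glib within range; a source build may work"
}

if [ "${1:-}" = check ]; then check_build_env; fi
```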

  14. Dionaea, Take 3
      • dionaea ARM packages are available from a different source (thanks Yerry Pi):
        • nano /etc/apt/sources.list (add the line:)
          deb http://packages.s7t.de/raspbian wheezy main
        • apt-get update
        • apt-get install libglib2.0-dev libssl-dev libcurl-openssl-dev libreadline-dev libsqlite3-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev liblcfg libemu libev dionaea-python dionaea-cython libpcap udns dionaea liblcfg

  15. Dionaea, Configuration
      • cp /opt/dionaea/etc/dionaea.conf.dist /opt/dionaea/etc/dionaea.conf
      • chown nobody:nogroup /opt/dionaea/ -R
      • dionaea -u nobody -g nogroup -r /opt/dionaea -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid
      • /opt/dionaea/bin/dionaea -l all,-debug -L '*' -D
      • nano /opt/dionaea/readlogsqltree (change the first line to:)
        #!/opt/dionaea/bin/python3.2

  16. Dionaea: The Payoff…

  17. Dionaea: Access Attempts

  18. Dionaea, Lessons Learned
      • Technical:
        • Found 3 rogue systems at work (with the DEV Kali deployment alone): 2 in the LAN, 1 at HQ
        • First probe on PROD within 90 minutes of setting up
        • First active attack 14 hours later (mssql)
      • Academic:
        • Going the long way around, you’ll learn / remember more about C/C++ and makefiles than you wish you could
      • Social:
        • When playing Crash and Compile: 1) do it with your own source code; 2) don’t try to beat your old score.

  19. MSSQL Attack:
      • http://pastebin.com/4dkmukPp

  20. Dionaea, Next Steps: Possible Improvements
      • Install Vagrant / mhn
        • Replication and centralized control
      • Addition of p0f
        • Passive remote machine identification
      • Understanding bistreams
        • Locate the pcaps
      • Extend for HTTP
      • What to do with this information?

  21. References / Additional Reading
      • Dionaea homepage: http://dionaea.carnivore.it/
      • Nathan Yee – Deploying Dionaea on a Raspberry Pi: https://github.com/threatstream/mhn/wiki/Deploying-Dionaea-on-a-Raspberry-Pi
      • Yerry Pi – Dionaea on Raspberry Pi: http://droidtoo.blogspot.com/2013/05/setting-up-dionaea-on-raspberry-pi.html
      • In ur networks, nabbing ur exploits

  22. Questions?
