Hacking the honeypot

Now that I got a basic handle on dionaea’s configuration, running exploits on it is next.

I learned from various readings that dionaea is good with CIFS/SMB attacks, so I started there.

Loaded Metasploit up and exploited…

[*] Started reverse handler on XXX.XXX.XXX.XXX:4444 
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[-] Exploit failed: Rex::Proto::SMB::Exceptions::NoReply The SMB server did not reply to our request

As expected, the exploit didn’t run, but I did get copious amounts of feedback on the honeypot. Here’s a clip.

[29112012 19:25:40] rpcservices dionaea/smb/rpcservices.py:76-info: Calling SRVSVC NetPathCanonicalize (1f) maybe MS08-67 exploit?

[29112012 19:25:40] rpcservices dionaea/smb/rpcservices.py:3453-debug: ref 0xb5f742c3 server_unc b'P\x00E\x00T\x00C\x00U\x00N\x00\x00\x00' path b'\\\x00fywVqBYtwRowYwSoZJrhCkuIjHhVhuJluLLyzsttTNgEtMHPmBFayICEHlaQDqupARoNZMsemWPoOpcHPzeaZbhAYpCzNaKaPNWk\'\x05\x9bF\xe0\x08\xd6\x90\xb2\xa8<g-\x98\x99$,IA"\xe1+\xf5\x93f\x92O\xba\xeb\x04\xfd\xa9q \xfc\xf9\xb5=\xbeC7\xb6J?\xb3\xb4KH\xb7\x14\x9f\xbf\x97B)\xf8\xd4%\xb15\x1d\x8d\xb9G4\x1c\x91\xfc\xbb\xca\x8b\x1aW\xeb\x0c^V1\x1e\xad\x01\xc3\x85\xc0u\xf7\xc3\xe8\xef\xff\xff\xffKON

Clearly, the honeypot had a clue that the MS08-067 exploit was being used. It may not have recognized any payload, but that’s ok.
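As an added example (not code from this post or from the dionaea project), here is a small Python parser that reads dionaea log lines in the layout shown above and flags two MS08-067 indicators on the defender's side: the SRVSVC NetPathCanonicalize info message, and a debug line whose logged path argument is far longer than any legitimate UNC path. The line layout regex, the 64-byte path threshold and the sample log lines are assumptions constructed for the example.

```python
"""Flag probable MS08-067 (NetPathCanonicalize) attempts in dionaea log lines.

Added example; assumes the 2012-era dionaea log layout seen in the post:
"[DDMMYYYY HH:MM:SS] <module> <file>:<line>-<level>: <message>"
"""
import ast
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{8} \d{2}:\d{2}:\d{2})\] "
    r"(?P<module>\S+) (?P<src>[^:]+):(?P<lineno>\d+)-(?P<level>\w+): (?P<msg>.*)$"
)
# The debug line ends with "path b'...'" (a Python bytes repr); capture that literal.
PATH_RE = re.compile(r" path (?P<lit>b'.*')$")
# Assumed threshold: real UNC paths are short, MS08-067 triggers send long ones.
SUSPICIOUS_PATH_LEN = 64


@dataclass
class Event:
    ts: datetime
    module: str
    src: str
    lineno: int
    level: str
    msg: str


def parse_line(line: str) -> Optional[Event]:
    """Split one dionaea log line into its fields; None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return Event(
        ts=datetime.strptime(m["ts"], "%d%m%Y %H:%M:%S"),
        module=m["module"], src=m["src"], lineno=int(m["lineno"]),
        level=m["level"], msg=m["msg"],
    )


def path_length(event: Event) -> Optional[int]:
    """Byte length of the logged path argument, or None if the line has none."""
    m = PATH_RE.search(event.msg)
    if not m:
        return None
    try:
        raw = ast.literal_eval(m["lit"])  # decode the bytes repr safely
    except (ValueError, SyntaxError):
        return None
    return len(raw) if isinstance(raw, bytes) else None


def classify(event: Event) -> Optional[str]:
    """Return an indicator tag for the event, or None if it looks benign."""
    if "NetPathCanonicalize" in event.msg:
        return "ms08-067-probe"
    n = path_length(event)
    if n is not None and n > SUSPICIOUS_PATH_LEN:
        return "ms08-067-long-path"
    return None


def scan(lines: Iterable[str]) -> List[dict]:
    """Run the classifier over log lines and collect the hits."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        tag = classify(ev)
        if tag:
            hits.append({"ts": ev.ts.isoformat(), "tag": tag,
                         "src": f"{ev.src}:{ev.lineno}"})
    return hits


# Constructed sample lines: the info line from the post, a debug line with an
# oversized path (120 filler bytes), a benign debug line, and a non-matching line.
SAMPLE_LINES = [
    "[29112012 19:25:40] rpcservices dionaea/smb/rpcservices.py:76-info: "
    "Calling SRVSVC NetPathCanonicalize (1f) maybe MS08-67 exploit?",
    "[29112012 19:25:40] rpcservices dionaea/smb/rpcservices.py:3453-debug: "
    "ref 0xb5f742c3 server_unc b'P\\x00E\\x00T\\x00C\\x00U\\x00N\\x00\\x00\\x00' "
    "path b'\\\\\\x00" + "A" * 120 + "\\xff\\xff\\xff\\xffKON'",
    "[29112012 19:30:02] rpcservices dionaea/smb/rpcservices.py:3453-debug: "
    "ref 0x0000beef server_unc b'H\\x00O\\x00S\\x00T\\x00\\x00\\x00' "
    "path b'\\\\\\x00s\\x00h\\x00a\\x00r\\x00e\\x00\\x00\\x00'",
    "not a dionaea line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```

Feeding a real dionaea log through `scan()` gives a compact timeline of SMB probes without reading the raw dump; the path-length check catches attempts even when the info-level message is filtered out, at the cost of an assumed threshold that you should tune against your own benign traffic.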

Success!

Honeypots – The OWASP presentation

I just verbally committed to do a talk on the honeypot research I’ve been doing at OWASP – LA. In this talk I aim to…

  1. Not have expert level material
  2. Demonstrate observations
  3. Promote awareness of the changes
  4. Influence possibility for security operations

Abstract

Honeypots have been an important part of the cyber-security arsenal for over a decade, predominantly in the open source arena. Over time, their use brings benefit to individual security researchers performing malware analysis and reverse engineering. At the community scale, honeynet projects and emerging vendors work to develop a network of honeypots, delivering IP Reputation lists, a relatively untapped resource. Security vendors who have identified opportunity in this area aim to provide valuable security solutions so that customers can quickly and reliably perform remediations for more efficient and secure operations.

Dionaea – configuration

If there’s an expert out there that knows how to configure this HP, holla my way. This isn’t easy and appears to be finicky. Last night I ran the HP and managed to fill a log file to be 43G. Useless. Anyhow, more trial and error is needed.

A good resource is here. It appears that surfnetIDS is a group that uses open source honeypots to create a distributed IDS/IPS.

They have completed a lot of the legwork on 3 honeypots (Dionaea, Kippo, and Nepenthes).

As expected Dionaea lacks functionality, notably for http/https. I guess I’ll have to rely on Nepenthes for HTTP activity. Kippo is for SSH. I’ll take a peek at it later.

dionaea – 1st crack

I got dionaea running and its first connect samples. I’ll get some screenshot/log clips later, but it’s clear the network I was on blocked all incoming TCP traffic and most UDP traffic. All I got were some connects on the fake SIP service running from some fairly nasty IPs in other countries.

Honeypots – Project Honeypot and Dionaea

Project Honeypot is a virtual community that allows you to contribute by providing information back to a network that tracks malicious behavior. It appears that only spam and harvesting activities are forwarded over. No malware capturing seems to be performed.

Dionaea is a honeypot that you can deploy to capture various traffic and attacks. It will capture malware for you. Here is a good link to get started if you run Ubuntu. Its strength is in SMB. Handling HTTP and SSH type attacks seems to be less than desirable, but I’m not 100% certain at this point.

Kippo <- SSH honeypot.

Glastopf, Jsunpack-n <- Webapp honeypots