Live Honeypots!

Welcome back my aspiring honeypot hacker enthusiasts! I previously wrote an article on catching malware with Dionaea. That was a great way to get introduced to the world of honeypots. I then had to step up my game and build a real, live honeypot network, and I'll explain it in detail for all my IT brothers reading this. Please note: this takes a lot of time to set up, with plenty of trial and error. You will want to pull your hair out at times, you might even throw your cat across the room, who knows? But after all the frustration, it will be worth it.

Step 1)

We will first need to pick a VPS provider that offers a cheap Windows VPS. I got a $10-per-VPS setup with Windows 7 64-bit. Providers also offer other Windows versions; I chose to run everything on Windows 7 64-bit for starters.

Step 2)

We will be using the following software:

-Microsoft OMS (Operations Management Suite) for log collection and search (https://www.microsoft.com/en-us/cloud-platform/operations-management-suite)
-Microsoft Azure for deploying the OMS workspace (https://azure.microsoft.com)
-PPEE (a PE file inspector)
-Regshot
-VirusTotal uploader
-Malwarebytes (if you want)
-Wireshark
-Process Hacker
-Sysmon (https://technet.microsoft.com/en-us/sysinternals/sysmon)

Step 3)

The Windows 7 images on the VPS sites usually do not have the latest patches installed, so we normally do not need to remove anything. For example, they are missing the MS17-010 SMBv1 patch (KB4013389) that WannaCry exploits. You can go through and add patches if you are only trying to collect certain types of malware or exploits. Also, although it is controversial, I turned the Windows firewall COMPLETELY off. Some people choose to open only certain ports and limit outbound traffic; limiting outbound traffic keeps an infected honeypot from being used to scan or attack third parties, which your VPS provider will notice quickly. If we deploy a lot of honeypots, we can always reimage one after it gets infected anyway.

Step 4)

We are going to set up in Microsoft Azure (https://azure.microsoft.com). After we have made an account there and in OMS (it's free, BTW), we are going to create a workspace. Click the plus button and search for "Log Analytics". Once this resource is created, the workspace exists.



Step 5)

We will then add the Service Map, Security and Audit, and Wire Data 2.0 solutions. These pull the logs from our honeypots into OMS for us. I think of Azure as the deploy point and the OMS workspace as where the log information is stored.



Step 6)

You will have to install the Dependency Agent (InstallDependencyAgent-Windows.exe) and the Microsoft Monitoring Agent (MMASetup-AMD64.exe) on the honeypot servers. I chose to email myself the workspace ID and key from my Protonmail account, as you will need to paste them in during the agent install. It is also easier to send files to yourself while setting up.
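The agent install and a connectivity check as one PowerShell script. This is an added example, not code from the original post; the installer switches follow the Log Analytics and Service Map agent documentation as I know it (confirm them against the current docs), the service name MicrosoftDependencyAgent and the AgentConfigManager COM object are assumptions, and the workspace ID and key are placeholders you replace with your own.

```powershell
# Added example (not from the original post): unattended install of the two OMS agents
# on the honeypot, then a check that they are running and talking to our workspace.
# Run elevated, after the Step 7 download script has placed the installers in C:\.
# Installer switches follow the Log Analytics / Service Map agent docs as I know them;
# confirm against the current documentation before relying on them.

# Workspace ID and primary key from the OMS portal (Settings > Connected Sources > Windows Servers).
# Placeholders; replace with your own, and delete this file from the honeypot afterwards.
$WorkspaceId  = '00000000-0000-0000-0000-000000000000'
$WorkspaceKey = 'REPLACE_WITH_PRIMARY_KEY'

# 1. Microsoft Monitoring Agent: the wrapper extracts the MSI setup (/c = extract only,
#    /t: = target folder), then setup.exe runs quietly with the workspace details.
$mmaDir = 'C:\MMA'
Start-Process -FilePath 'C:\MMASetup-AMD64.exe' -ArgumentList "/c /t:$mmaDir" -Wait
$mmaArgs = '/qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 ' +
           ('OPINSIGHTS_WORKSPACE_ID="{0}" OPINSIGHTS_WORKSPACE_KEY="{1}" AcceptEndUserLicenseAgreement=1' -f $WorkspaceId, $WorkspaceKey)
Start-Process -FilePath "$mmaDir\setup.exe" -ArgumentList $mmaArgs -Wait

# 2. Dependency Agent for Service Map (/S = silent). It needs the Monitoring Agent in place first.
Start-Process -FilePath 'C:\InstallDependencyAgent-Windows.exe' -ArgumentList '/S' -Wait

# 3. Verify: both services exist and run. 'MicrosoftDependencyAgent' is an assumed service name.
foreach ($svc in 'HealthService', 'MicrosoftDependencyAgent') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) { "$svc : $($s.Status)" } else { "$svc : NOT INSTALLED" }
}

# 4. Ask the agent which workspace it is connected to (AgentConfigManager COM object, assumed).
$cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$cfg.GetCloudWorkspaces() | ForEach-Object {
    'workspace {0} : {1}' -f $_.workspaceId, $_.ConnectionStatusText
}
```

Keep in mind that the workspace key is a credential and the honeypot is a box you expect to be owned: whoever takes it over can read the key from the agent's configuration and push whatever they like into your workspace. Use a workspace dedicated to the honeypots, nothing else, and regenerate the key when you tear them down.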


Step 7)

I wrote a PowerShell script to download the software, so I wouldn't have to keep downloading it manually every time I wiped my honeypot. PLEASE NOTE: as far as I know this script only works on PowerShell 2, so if you applied patches and are using another version it might not work. You can also tweak it to your liking, as you can see.

Script

# Downloads each installer to C:\ (falling back to the current directory if the
# target folder does not exist), makes sure SMB1 and SMB2 are switched on, and reboots.
# Written for the stock PowerShell 2.0 on Windows 7.
# Note: under PowerShell 2 the .NET WebClient only speaks TLS 1.0, so any HTTPS site
# below that has since dropped TLS 1.0 will fail with a WebClient exception.

function Get-Installer {
    param([string]$url, [string]$path)
    # If the parent folder does not exist, save next to wherever we are running from
    if (!(Split-Path -parent $path) -or !(Test-Path -pathType Container (Split-Path -parent $path))) {
        $path = Join-Path $pwd (Split-Path -leaf $path)
    }
    "Downloading $url`nSaving at $path"
    $client = New-Object System.Net.WebClient
    $client.DownloadFile($url, $path)
    $path
}

$downloads = @(
    @{ Url = "https://1.eu.dl.wireshark.org/win64/Wireshark-win64-2.2.7.exe"; Path = "C:\Wireshark-win64-2.2.7.exe" },
    @{ Url = "https://data-cdn.mbamupdates.com/web/mb3-setup-consumer/mb3-setup-consumer-3.1.2.1733-1.0.141-1.0.2092.exe"; Path = "C:\mb3-setup-consumer-3.1.2.1733-1.0.141-1.0.2092.exe" },
    @{ Url = "https://github.com/processhacker2/processhacker2/releases/download/v2.39/processhacker-2.39-setup.exe"; Path = "C:\processhacker-2.39-setup.exe" },
    @{ Url = "http://www.rarlab.com/rar/winrar-x64-55b4.exe"; Path = "C:\winrar-x64-55b4.exe" },
    @{ Url = "https://download.microsoft.com/download/5/B/C/5BC5DBB3-652D-4DCE-B14A-475AB85EEF6E/vcredist_x86.exe"; Path = "C:\vcredist_x86.exe" },
    @{ Url = "https://svwh.dl.sourceforge.net/project/regshot/regshot/1.9.0/Regshot-1.9.0.7z"; Path = "C:\Regshot-1.9.0.7z" },
    @{ Url = "http://download.microsoft.com/download/E/D/B/EDB22276-C316-4982-AFED-6367255D0824/InstallDependencyAgent-Windows.exe"; Path = "C:\InstallDependencyAgent-Windows.exe" },
    @{ Url = "https://download.microsoft.com/download/8/4/3/84312DF3-5111-4C13-9192-EBF2DF81B19B/MMASetup-AMD64.exe"; Path = "C:\MMASetup-AMD64.exe" },
    @{ Url = "https://www.virustotal.com/static/bin/vtuploader2.2.exe"; Path = "C:\vtuploader2.2.exe" },
    @{ Url = "https://download.sysinternals.com/files/Sysmon.zip"; Path = "C:\Sysmon.zip" }
)

foreach ($d in $downloads) {
    Get-Installer -url $d.Url -path $d.Path
}

# Server-side SMB1 and SMB2 switches: 1 = enabled, so they can be exploited
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 1 -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB2 -Type DWORD -Value 1 -Force

# State of the SMB1 and SMB2 client redirector drivers
sc.exe query mrxsmb10
sc.exe query mrxsmb20

Restart-Computer

The two Set-ItemProperty lines enable SMB1 and SMB2 on the server side (the LanmanServer service), which is what the exploits talk to. The sc.exe commands ("sc.exe query mrxsmb10" and "sc.exe query mrxsmb20") show whether the SMB1 and SMB2 client redirector drivers are running; that is a quick sanity check that SMB1 has not been ripped out of the box, but it does not by itself prove the server is listening. I added all of this to the script to make sure SMB was on and working correctly after every rebuild.
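A more direct check that the honeypot really exposes the SMB attack surface, as an added PowerShell example that is not part of the original post. It reads the server-side registry switches, confirms the Server service is up and TCP 445 is listening, looks for the MS17-010 packages, and prints the firewall state. KB4013389 is the bulletin number the post uses; KB4012212 (security-only) and KB4012215 (monthly rollup) are the Windows 7 packages that ship the fix, so all three are checked.

```powershell
# Added example (not from the original post): verify the SMB attack surface on the honeypot.
# Run in an elevated PowerShell on the Windows 7 box (PowerShell 2.0 or later).

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Server-side SMB1/SMB2 switches. A missing value means the Windows 7 default, which is enabled.
#    These are the values the exploit traffic hits; mrxsmb10/mrxsmb20 are only the client drivers.
$p = Get-ItemProperty -Path $params
foreach ($name in 'SMB1', 'SMB2') {
    $v = $p.$name
    if ($v -eq $null)  { "$name : not set (default: enabled)" }
    elseif ($v -eq 1)  { "$name : enabled" }
    else               { "$name : DISABLED (value $v) - re-run the Set-ItemProperty lines and reboot" }
}

# 2. The Server service must be running and bound to TCP 445.
$srv = Get-Service -Name LanmanServer
"LanmanServer service : $($srv.Status)"
$listening = netstat -ano | Select-String -Pattern '^\s*TCP\s+\S+:445\s+\S+\s+LISTENING'
if ($listening) { "TCP 445 : LISTENING" } else { "TCP 445 : NOT listening - service or binding problem" }

# 3. MS17-010. If any of these is installed, EternalBlue-style traffic fails and you catch far less.
#    KB4013389 is the bulletin KB the post mentions; KB4012212 / KB4012215 are the Windows 7 packages.
$patched = $false
foreach ($kb in 'KB4013389', 'KB4012212', 'KB4012215') {
    $fix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($fix) { "$kb : INSTALLED on $($fix.InstalledOn)"; $patched = $true }
    else      { "$kb : absent" }
}
if ($patched) { "MS17-010 : this box is PATCHED, it will not catch SMBv1 exploitation" }
else          { "MS17-010 : attack surface exposed" }

# 4. Firewall state, since Step 9 turns it off entirely.
netsh advfirewall show allprofiles state
```

Run this once after the reboot at the end of the download script and again any time you apply a patch, so you know exactly what the honeypot is and is not vulnerable to before you start attributing the traffic you see.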

Step 8 ) Sysmon! (https://technet.microsoft.com/en-us/sysinternals/sysmon) We will extract Sysmon to the C:\ folder and run the following command from an elevated prompt: sysmon -accepteula -i -h md5,sha256 -n -l. This installs the driver and service, hashes every process image with MD5 and SHA256 (-h), logs network connections (-n) and logs image/DLL loads (-l). Finer filtering of what gets logged needs a configuration file; see the Sysmon website to tweak it.

We will be using this to see when processes are created, when files, aka malware, are dropped on the system, when changes are made, and so on.

We can create a custom Sysmon view in Event Viewer. Open Event Viewer, choose "Create Custom View", filter by source and choose "Sysmon". You can then pick which event IDs you want to see (once again, check out the website https://technet.microsoft.com/en-us/sysinternals/sysmon). The log itself lives under Applications and Services Logs as Microsoft-Windows-Sysmon/Operational.
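The same triage the custom view gives you, done from PowerShell so it can be run on every honeypot after a rebuild. This is an added example and not code from the original post. It assumes Sysmon was installed with the -h md5,sha256 -n -l switches above, so Event ID 1 (process create) carries hashes and Event ID 3 (network connect) is enabled; the paths in the known-image list are assumptions about where the OMS agent and Wireshark live on your box.

```powershell
# Added example (not from the original post): quick triage of the honeypot's Sysmon log.
# Assumes Sysmon was installed with "-h md5,sha256 -n -l" as in Step 8.
# PowerShell 2.0 or later, run elevated on the honeypot.

$LogName = 'Microsoft-Windows-Sysmon/Operational'

# Images that are noise on every honeypot in this setup: the OMS agent and Wireshark.
# Paths are assumptions; adjust them to what your own box runs.
$KnownImages = @(
    'C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe',
    'C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe',
    'C:\Program Files\Wireshark\Wireshark.exe',
    'C:\Program Files\Wireshark\dumpcap.exe'
)

# Flatten one Sysmon event's <Data Name="..."> elements into an object with those names as properties
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $fields = @{ Id = $Event.Id; Time = $Event.TimeCreated }
    foreach ($d in $x.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    New-Object PSObject -Property $fields
}

# Pull the last 5000 process-create and network-connect events and drop our own tooling
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1, 3 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-SysmonEvent $_ }
$unknown = $events | Where-Object { $KnownImages -notcontains $_.Image }

"=== Event ID 1: processes started by anything but the known tools, with hashes ==="
$unknown | Where-Object { $_.Id -eq 1 } | Group-Object Image | Sort-Object Count -Descending | ForEach-Object {
    $first = $_.Group[0]
    "{0,4}  {1}`n      hashes : {2}`n      cmdline: {3}" -f $_.Count, $_.Name, $first.Hashes, $first.CommandLine
}

"=== Event ID 3: network connections per image, source and destination ==="
$unknown | Where-Object { $_.Id -eq 3 } |
    ForEach-Object { '{0}  {1}:{2} -> {3}:{4}' -f $_.Image, $_.SourceIp, $_.SourcePort, $_.DestinationIp, $_.DestinationPort } |
    Group-Object | Sort-Object Count -Descending | Select-Object Count, Name -First 25 | Format-Table -AutoSize
```

The Hashes field printed for each new process is exactly what you feed to the VirusTotal uploader, and an image you did not install that shows up talking to an outside address on port 445 is the first sign that the honeypot has been turned into a scanner, which is the case for limiting outbound traffic mentioned in Step 3.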

Step 9 ) Install the software you are going to use before disabling your firewall. Fire up Wireshark, Process Hacker, etc. Make sure that OMS shows your honeypots as connected and is pulling data from them. Then disable the firewall and you're in business!

Step 10) Catch some exploits or malware and have fun! A lot of things can be tweaked here: operating systems, patches, add-ons, Sysmon events. This is just a basic guide to get you started.

Random helpful links

https://www.rsaconference.com/writable/presentations/file_upload/hta-w05-tracking_hackers_on_your_network_with_sysinternals_sysmon.pdf

https://doublepulsar.com/eternalpot-lessons-from-building-a-global-nation-state-smb-exploit-honeypot-infrastructure-3f2a0b064ffe

https://www.splunk.com/blog/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/

https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx

https://aka.ms/dependencyagentwindows

https://docs.microsoft.com/en-us/azure/operations-management-suite/operations-management-suite-service-map-configure

Contact Information

Red_Team611@protonmail.com

Disclaimer

This site is used for information purposes and not intended for anything illegal. Do not test anything or use any tools on networks you do not have permission to. I give credit to anyone I have mentioned or linked their work in my tutorials.