Linux Honeypots

Welcome back my honeypot masters in training! Today we will be installing the Modern Honeypot Network (MHN). This is a cool tool that lets us deploy multiple honeypots from one server and provides a map of live connections/attacks. Below you will find the honeypots and sensors MHN can deploy.

Snort: Snort is not a honeypot per se but an IDS/IPS that is very helpful for detecting attacks on your network. Sourcefire (the creator of Snort) was acquired by Cisco, but Snort remains open source.
Suricata: Suricata is also an IDS/IPS; it has not been around as long as Snort but has a great community and is fast.
Dionaea: Dionaea is a low-interaction honeypot that exposes services like MSSQL, SIP, HTTP, FTP, TFTP, etc.
Conpot: Conpot is a low-interaction Industrial Control Systems honeypot that emulates some protocols used in industrial environments.
Kippo: Kippo is a medium-interaction SSH honeypot that supports file upload and download and other nice features.
Amun: Amun is another low-interaction honeypot, but it is not actively maintained; there have been no updates since 2012.
Glastopf: Glastopf is a very popular honeypot that can emulate thousands of web vulnerabilities; it is actively maintained.
Wordpot: Wordpot is a WordPress emulator honeypot; it is still maintained and can be extended with plugins.
ShockPot: ShockPot is a web app honeypot that exposes the vulnerability CVE-2014-6271 (Shellshock).
p0f: p0f is a tool that uses passive fingerprinting to identify the OS behind a TCP connection.

We will focus more on Dionaea for catching malware, but you can install anything you want. We will be installing these on a DigitalOcean VPS.

First, we will run the following commands on the server. Make sure the DigitalOcean VPS is running Ubuntu 14.04 64-bit (the $5 droplet with 512 MB RAM / 1 gig will work).

cd /opt/
sudo apt-get install git -y
sudo git clone https://github.com/threatstream/mhn.git
cd mhn/
sudo ./install.sh

Once this process is done you will be taken to a command-line prompt to pick your settings. If you want to integrate Splunk, select yes at the prompt.


Once you have entered all your settings and the install is complete, you can browse to your server's IP address and log in with the email and password you created.


Once you are on the main page, you can deploy honeypots under the Deploy section. Note that the Dionaea MHN installs is not the most up-to-date version: it will not catch SMB exploits like WannaCry. If you would like to catch WannaCry in the wild, use the script below. You will have to deploy this script on each honeypot you have (for example: run "nano install.sh", paste the script, save it, and run it with "bash install.sh").


#! /usr/bin/env bash
# Deploy this script on each honeypot node (run with: bash install.sh)
# Update the system
sudo apt-get -y update
sudo apt-get -y upgrade
# Get Dionaea v1.0 from your MHN server. Replace youripaddresshere with the
# MHN server's IP; the script_id and deploy key come from your MHN Deploy page.
wget "http://youripaddresshere/api/script/?text=true&script_id=2" -O deploy.sh && sudo bash deploy.sh http://youripaddresshere QViGmo2N
# Update curl (Dionaea needs curl 7.50 or it will not fetch binaries correctly)
# Install any build dependencies needed for curl
sudo apt-get -y build-dep curl
# Get latest (as of Feb 25, 2016) libcurl
mkdir -p ~/curl
cd ~/curl || exit 1
wget http://curl.haxx.se/download/curl-7.50.2.tar.bz2
tar -xvjf curl-7.50.2.tar.bz2
cd curl-7.50.2 || exit 1
# The usual steps for building an app from source: ./configure, make, sudo make install
./configure --prefix=/usr
make
sudo make install
# Refresh the shared library cache so the new libcurl is picked up
sudo ldconfig
# Replace the SMB module files with the patched versions from the gento/dionaea
# fork so the honeypot can log WannaCry-style SMB attacks (needs root, hence sudo)
sudo rm /usr/lib/dionaea/python/dionaea/smb/smb.py
sudo rm /usr/lib/dionaea/python/dionaea/smb/include/smbfields.py
sudo rm /usr/lib/dionaea/python/dionaea/util.py
sudo wget -O /usr/lib/dionaea/python/dionaea/util.py https://raw.githubusercontent.com/gento/dionaea/17da8e1590f0318f66de47c10e7ed8b43548cadb/modules/python/scripts/util.py
sudo wget -O /usr/lib/dionaea/python/dionaea/smb/smb.py https://raw.githubusercontent.com/gento/dionaea/17da8e1590f0318f66de47c10e7ed8b43548cadb/modules/python/scripts/smb/smb.py
sudo wget -O /usr/lib/dionaea/python/dionaea/smb/include/smbfields.py https://raw.githubusercontent.com/gento/dionaea/d17ebf359f71b8e53c42a943dccba1e623a9e278/modules/python/scripts/smb/include/smbfields.py
# Confirm the curl upgrade took effect
curl -V
echo "Make sure curl says 7.50!"
echo "Script is done! Rebooting"
sudo ufw disable
# Change the time zone to Eastern
sudo timedatectl set-timezone America/New_York
sudo supervisorctl status
sudo reboot

Once the script finishes it will reboot the system; once it is back online your honeypot should be up and running. You can look at the live attack map by going to http://yourip:3000


Helpful commands/folders

*Make sure you have curl 7.50 installed or the honeypot won't catch binaries correctly

/var/dionaea/binaries – binaries folder (the captured samples)
dionaea.log – Dionaea's text-based log file
dionaea.sqlite – Dionaea's SQLite log file
cd /var/log/dionaea && tail -f dionaea.log
sudo supervisorctl start all
sudo supervisorctl status
sudo supervisorctl restart all
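Once a node has been running for a while, the SQLite log and the binaries folder above are where the useful data ends up. The following script is an added example (not part of this tutorial, MHN, or Dionaea) showing how to triage a node: which source addresses hit you most, which emulated services drew the traffic, and whether every download logged in the database is actually present and intact on disk. It assumes the `connections` and `downloads` tables follow Dionaea's logsql schema (column names as written in SCHEMA below) and that captured files are named by their MD5 hash; the sample database and sample files are constructed in a temporary directory so it runs offline. Point `top_sources`, `ports_hit` and `verify_binaries` at the real `/var/log/dionaea/dionaea.sqlite` and `/var/dionaea/binaries` on a node to use it for real.

```python
#!/usr/bin/env python3
"""Triage a Dionaea node: summarise dionaea.sqlite and check captured binaries.

Added example, not code from the tutorial, MHN or Dionaea. Assumed: Dionaea's
logsql schema (SCHEMA below) and binaries named by MD5 hash.
"""
import hashlib
import os
import sqlite3
import tempfile
from collections import Counter

# Assumption: this mirrors the connections/downloads tables Dionaea's logsql module creates.
SCHEMA = """
CREATE TABLE connections (
  connection INTEGER PRIMARY KEY, connection_type TEXT, connection_transport TEXT,
  connection_protocol TEXT, connection_timestamp INTEGER, connection_root INTEGER,
  connection_parent INTEGER, local_host TEXT, local_port INTEGER,
  remote_host TEXT, remote_hostname TEXT, remote_port INTEGER);
CREATE TABLE downloads (
  download INTEGER PRIMARY KEY, connection INTEGER, download_url TEXT,
  download_md5_hash TEXT);
"""


def top_sources(db_path, limit=5):
    """Return [(remote_host, count)] for inbound ('accept') connections, busiest first."""
    con = sqlite3.connect(db_path)
    rows = con.execute(
        "SELECT remote_host, COUNT(*) FROM connections WHERE connection_type = 'accept' "
        "GROUP BY remote_host ORDER BY COUNT(*) DESC, remote_host LIMIT ?", (limit,)).fetchall()
    con.close()
    return rows


def ports_hit(db_path):
    """Return {local_port: count} so you can see which emulated services draw fire."""
    con = sqlite3.connect(db_path)
    counts = Counter(p for (p,) in con.execute(
        "SELECT local_port FROM connections WHERE connection_type = 'accept'"))
    con.close()
    return dict(counts)


def verify_binaries(db_path, binaries_dir):
    """For every logged download, check the file exists and its content still matches
    the MD5 it was stored under. Returns {md5: 'ok' | 'missing' | 'hash-mismatch'}."""
    con = sqlite3.connect(db_path)
    md5s = [h for (h,) in con.execute("SELECT DISTINCT download_md5_hash FROM downloads")]
    con.close()
    result = {}
    for h in md5s:
        path = os.path.join(binaries_dir, h)
        if not os.path.isfile(path):
            result[h] = "missing"  # logged but never written (curl too old?) or deleted
            continue
        with open(path, "rb") as f:
            data = f.read()
        result[h] = "ok" if hashlib.md5(data).hexdigest() == h else "hash-mismatch"
    return result


def build_sample():
    """Construct a sample dionaea.sqlite and binaries folder (constructed data, not a capture)."""
    root = tempfile.mkdtemp(prefix="dionaea-sample-")
    db_path = os.path.join(root, "dionaea.sqlite")
    bin_dir = os.path.join(root, "binaries")
    os.mkdir(bin_dir)
    con = sqlite3.connect(db_path)
    con.executescript(SCHEMA)
    conns = [  # (type, transport, protocol, timestamp, local_port, remote_host, remote_port)
        ("accept", "tcp", "smbd", 1500000000, 445, "198.51.100.7", 51234),
        ("accept", "tcp", "smbd", 1500000060, 445, "198.51.100.7", 51235),
        ("accept", "tcp", "smbd", 1500000120, 445, "198.51.100.7", 51236),
        ("accept", "tcp", "mssqld", 1500000200, 1433, "203.0.113.9", 40000),
        ("accept", "tcp", "httpd", 1500000300, 80, "203.0.113.9", 40001),
        ("listen", "tcp", "smbd", 1499999000, 445, "", 0),  # our own listener, not an attacker
    ]
    for i, (t, tr, pr, ts, lp, rh, rp) in enumerate(conns, start=1):
        con.execute("INSERT INTO connections VALUES (?,?,?,?,?,?,?,?,?,?,?,?)",
                    (i, t, tr, pr, ts, i, i, "10.0.0.5", lp, rh, "", rp))
    good = b"MZ\x90\x00constructed-sample-not-real-malware"
    good_md5 = hashlib.md5(good).hexdigest()
    with open(os.path.join(bin_dir, good_md5), "wb") as f:
        f.write(good)
    tampered_md5 = hashlib.md5(b"original-content").hexdigest()
    with open(os.path.join(bin_dir, tampered_md5), "wb") as f:
        f.write(b"modified-on-disk")  # name no longer matches content
    missing_md5 = "0" * 32  # logged download whose file never made it to disk
    for j, (cid, url, h) in enumerate([(1, "http://198.51.100.7/a.exe", good_md5),
                                       (2, "http://198.51.100.7/b.exe", tampered_md5),
                                       (4, "tftp://203.0.113.9/c.exe", missing_md5)], start=1):
        con.execute("INSERT INTO downloads VALUES (?,?,?,?)", (j, cid, url, h))
    con.commit()
    con.close()
    return db_path, bin_dir


if __name__ == "__main__":
    db, bins = build_sample()
    print("top sources:", top_sources(db))
    print("ports hit:", ports_hit(db))
    print("binaries:", verify_binaries(db, bins))
```

A "missing" result for a download the database says it fetched is exactly the symptom of the curl problem mentioned above, so this check is a quick way to confirm the node is really capturing samples rather than just logging URLs.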

Contact Information

Red_Team611@protonmail.com

Disclaimer

This site is used for information purposes and not intended for anything illegal. Do not test anything or use any tools on networks you do not have permission to. I give credit to anyone I have mentioned or linked their work in my tutorials.