Honeypots - Experiments with honeyd

Page 1

On Honeypot Technology Using Honeyd to emulate network services By Daniel de Jager

Page 1 of 51


TABLE OF CONTENTS

TABLE OF CONTENTS (p. 2)
Background - A Lesson from the Ghost Army (p. 3)
Introduction - A honeyd installation on Ubuntu (p. 4)
  What is HoneyD? (p. 5)
  Classification of Honeypots (p. 5)
  Installing Honeyd (p. 6)
Configuring HoneyD (p. 7)
  Honeyd Architecture (p. 8)
  Operating System Fingerprinting (p. 13)
Experiment 1 - Setup a Simple DHCP based Windows XP Host (p. 14)
Experiment 2 - A Single Vulnerable Cisco Router (p. 17)
Experiment 3 - Enumerating Vulnerabilities on the Single Cisco Router (p. 21)
Experiment 4 - Configuring a Vulnerable Linux Honeypot (p. 30)
A Perl Script to Integrate Data into MySQL (p. 38)
Commands used for Honeyd Networking (p. 41)
  ROUTE ENTRY (p. 41)
  LINK (p. 41)
  ADD NET (p. 42)
Experiment 1 - One router and two hosts (p. 43)
Experiment 2 - Two Routers and Two Hosts (p. 45)
Experiment 3 - A Large Class A Network (p. 47)
References (p. 51)

Background - A Lesson from the Ghost Army

Deception is at the core of warfare and can mean the difference between victory and defeat. One of the more fascinating stories of World War 2 (WW2) was the establishment of a Ghost Army by the Allied Forces, whose sole responsibility was to deceive the Axis.

The deception was both physical and logical: the Allied Forces used dummy tanks and aircraft as well as fake radio signals, which the Axis intercepted, to create a belief about a certain fact.

In the same light, honeypots can be used to deceive attackers into thinking that vulnerable services exist on a corporate network. In fact, one can strategically deploy a framework for deception in order to protect business operations. It is well known that major business events result in increased reconnaissance activity on a network; log collectors will normally process more recon-like event data around these business events.

In such a scenario, organisations should look to deploy a honeynet, create false Internet network traffic (analogous to signal processing) and deploy fake and vulnerable network services, while in parallel deploying secure services, in order to lure attackers away from the protected environment.

Below are some memories from WW2 and the Ghost Army.

Figure 1 Ghost Army Images (Murphy)

Introduction - A honeyd installation on Ubuntu

I have decided to explore the installation, configuration and use of honeyd, a honeypot solution based on Linux. The platform that I've opted to use is Ubuntu version 12.

The aim of the project is then to use Honeyd, to configure different services and to discover means for data science applications. This will be a crucial exercise, since it will assist in threat analysis and threat sharing exercises for future projects.

This introduction is to assist the reader to become familiarised with the concept of a honeypot and to quickly install honeyd on their respective Linux distribution.

What is HoneyD?

Honeyd is a framework used to emulate certain network services such as HTTP, SSH, Telnet etc. There is no need to install actual web, SSH or Telnet servers: all these services are emulated using scripts written in Python, Perl and shell.

Honeyd runs as a daemon on Linux and is easy to install, but needs some insight to configure appropriately. Honeyd is therefore classified as a low-interaction honeypot, providing only network-based services to an attacker.

Honeypots are classified based on their use, the interaction level, the hardware deployment type and then lastly the role of the honeypot. Let's quickly discuss the different classifications of honeypots.

Classification of Honeypots

The following classification scheme is presented by Joshi & Sardana (2011):

1. Production Honeypots - Mostly used to protect an organisation's IT infrastructure.
2. Research Honeypots - Used to collect the techniques and processes used by blackhats, to gain an understanding of the threats.
3. Low Interaction Honeypots - Safe to use, since attackers can only take down the emulated services provided by the honeypot.
4. Medium Interaction Honeypots - Mostly used for forensic analysis of threats such as malware.
5. High Interaction Honeypots - Provide a real operating system to attack, but expose the system to major risk. A high interaction honeypot is more valuable for threat assessments and is mostly used in the research arena.

Installing Honeyd

Honeyd can be installed using Ubuntu's built-in Software Center; however, we will install honeyd from a terminal with the apt-get command. First, open a terminal window and type the following command:

sudo apt-get install honeyd

You will notice that Linux prompts you to continue; type "Y" to continue. After installing honeyd, you can start the honeyd daemon with the following command:

sudo service honeyd start

Check out this video tutorial (https://www.youtube.com/watch?v=Fp7T3FMc6LE) on installation and starting of the service.

Honeyd is now running. In the next few sections, we will start configuring honeyd to emulate common services.

Stopping the service is just as easy. Use the following command to stop the honeyd daemon:

sudo service honeyd stop

NOTE:

You do not necessarily have to start honeyd as a background process as above. Use the following command to run honeyd in the foreground, output debug logs to STDOUT, and write the connection log and the service log to files:

honeyd -d -f honeyd.conf -i eth0 -l /var/log/honeypot/logfile.log -s /var/log/honeypot/service.log

The parameters have the following meaning:

-d Do not run honeyd as a background process; output debug logs to STDOUT.

-f Indicates which file to use as the configuration file.

-i Indicates which network interface to intercept traffic from (note that you can add specific IP addresses as well).

-l Indicates the location of the log file (remember permissions).

-s Indicates the service log file location (remember permissions).

Configuring HoneyD

As stated in the introduction, honeyd is a low interaction honeypot only providing emulated network services to an attacker. To fully comprehend the configuration of a honeyd instance, it is necessary to gain a fundamental understanding of the design of honeyd.

Honeyd Architecture

Honeyd's main components are a Configuration Database, a Personality Engine and a Packet Dispatcher. The Packet Dispatcher receives IP packets from the network and classifies them as TCP, UDP or ICMP, after which different services are created to handle the traffic. Packets are then sent back to the network by the Personality Engine, which manipulates them to match the personality or characteristics of the emulated network service (Lui, Peng, Li, 2011).

Important Directories

The following directories are of importance to honeyd:


/etc/honeypot/ (contains the nmap.prints and honeyd configuration file)

/var/log/honeypot/ (contains the log files, debug and syslog)

/usr/share/honeypot/ (contains all the scripts required for services)

Basic Configuration

The honeyd.conf file is normally located in the /etc/honeypot/ directory. This is the default honeyd configuration file when honeyd is installed. Log files are normally kept in the /var/log/honeypot/ directory and can be named when honeyd is executed. Honeyd runs as the nobody user, so it is crucial that the correct permissions are assigned to the log files, otherwise honeyd cannot write to them.

A video has been provided to highlight the key configuration steps required, using a cisco router as an example: https://www.youtube.com/watch?v=enXRU_YHlDk&feature=youtu.be

The configuration file is used to set default behaviour as well as create templates. Templates are used to create the emulated personalities such as Microsoft Windows, Linux or Cisco. These personalities are located in the nmap.prints file located under /etc/honeypot.

The following steps are required to create a personality using the configuration file:

1. Create a default template. If any misconfiguration occurs, this is the template that honeyd will fall back to.
2. Create the personality that you want to emulate.
3. Set the default TCP, UDP and ICMP actions for the personality.
4. Add any open ports and indicate the protocol. In some cases you want to point the protocol and port to a shell script or Perl script.
5. Set uptime/drop rates if required.
6. Bind an available IP address, or a DHCP-requested IP address, to the interface that is to be monitored.

The following configuration was demonstrated in the above video:

create default
set default default tcp action block
set default default udp action block
set default default icmp action block
create cisco
set cisco personality "Cisco router running IOS 12.2(8)T"
set cisco default tcp action block
set cisco default udp action block
set cisco default icmp action block
add cisco tcp port 80 open
add cisco tcp port 23 "/usr/bin/perl /usr/share/honeyd/scripts/routertelnet.pl"
set cisco ethernet "00:42:68:00:42:68"
dhcp cisco on eth0
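Hand-written template files are where most honeyd trouble starts: a misspelled keyword, an add line without a protocol or an interface name typed wrongly costs a full scan cycle to find. The following Python script is an added example written for this report (it is not part of honeyd) that checks a honeyd.conf against the subset of the grammar used in these steps: create, set ... personality, set ... default ... action, add ... port, set ... ethernet, dhcp ... on and bind. The two configurations embedded in it are constructed for the demonstration.

```python
"""Lint a honeyd.conf template file before starting the daemon.

Added example written for this report; it is not part of honeyd. It covers the
subset of the honeyd configuration grammar used here (create, set ... personality,
set ... default <proto> action, add ... <proto> port, set ... ethernet, dhcp ... on
and bind <ip> <template>) and reports the slips that are easy to make by hand:
a template referenced before it is created, a misspelled 'set' keyword, an 'add'
line without a protocol, a malformed default action or an interface name that
does not look like one. The sample configurations at the bottom are constructed.
"""
import re
import shlex

PORT_PROTOCOLS = {"tcp", "udp"}
DEFAULT_PROTOCOLS = {"tcp", "udp", "icmp"}
ACTIONS = {"block", "reset", "open"}
SET_KEYWORDS = {"personality", "ethernet", "uptime", "droprate"}
IFACE = re.compile(r"[a-z]+[0-9][a-z0-9]*")   # eth0, ens3, enp0s3, wlan0


def _check_template(name, created, lineno, problems):
    """set/add/dhcp/bind must name a template that an earlier 'create' defined."""
    if name not in created:
        problems.append((lineno, f"template '{name}' is used before 'create {name}'"))


def lint_honeyd_conf(text):
    """Return a sorted list of (line_number, message) for every problem found."""
    problems = []
    created = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # honeyd.conf comments start with '#'
        if not line:
            continue
        try:
            tok = shlex.split(line)              # keeps quoted personalities and script paths whole
        except ValueError as exc:
            problems.append((lineno, f"unbalanced quotes ({exc})"))
            continue
        cmd = tok[0]
        if cmd == "create" and len(tok) == 2:
            created.add(tok[1])
        elif cmd == "set" and len(tok) >= 3:
            _check_template(tok[1], created, lineno, problems)
            if tok[2] == "default":
                ok = (len(tok) == 6 and tok[3] in DEFAULT_PROTOCOLS
                      and tok[4] == "action" and tok[5] in ACTIONS)
                if not ok:
                    problems.append((lineno, "expected: set <template> default "
                                             "<tcp|udp|icmp> action <block|reset|open>"))
            elif tok[2] not in SET_KEYWORDS:
                problems.append((lineno, f"unknown 'set' keyword '{tok[2]}'"))
        elif cmd == "add" and len(tok) >= 2:
            _check_template(tok[1], created, lineno, problems)
            ok = (len(tok) == 6 and tok[2] in PORT_PROTOCOLS
                  and tok[3] == "port" and tok[4].isdigit())
            if not ok:
                problems.append((lineno, "expected: add <template> <tcp|udp> port "
                                         "<number> <open|block|reset|\"script\">"))
        elif cmd == "dhcp" and len(tok) == 4 and tok[2] == "on":
            _check_template(tok[1], created, lineno, problems)
            if not IFACE.fullmatch(tok[3]):
                problems.append((lineno, f"'{tok[3]}' does not look like an interface name"))
        elif cmd == "bind" and len(tok) == 3:
            _check_template(tok[2], created, lineno, problems)
        else:
            problems.append((lineno, f"unrecognised directive: {line}"))
    if "default" not in created:
        problems.append((0, "no 'create default' template to fall back to"))
    return sorted(problems)


# Constructed sample: a Cisco template with three slips (misspelled keyword,
# missing protocol, mistyped interface), and the same template written cleanly.
BROKEN_CONF = """\
create default
set default default tcp action block
set default default udp action block
set default default icmp action block
create cisco
set cisco peronality "Cisco Router running IOS 12.2(8)T"
set cisco default tcp action reset
add cisco tcp port 22 open
add cisco port 23 open
set cisco ethernet "00:42:68:00:42:68"
dhcp cisco on etho
"""

CLEAN_CONF = (BROKEN_CONF.replace("peronality", "personality")
                         .replace("add cisco port 23", "add cisco tcp port 23")
                         .replace("on etho", "on eth0"))

if __name__ == "__main__":
    for lineno, msg in lint_honeyd_conf(BROKEN_CONF):
        print(f"line {lineno}: {msg}")
```

Run against BROKEN_CONF the linter reports lines 6, 9 and 11; the cleaned copy passes. The check is deliberately structural (token counts and keyword sets) rather than a full honeyd grammar, so an unfamiliar but valid directive shows up as "unrecognised" and should be reviewed rather than treated as an error.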

To start honeyd we use the following instruction on the terminal:

sudo honeyd -d -f /etc/honeypot/honeyd.conf -l /var/log/honeypot/honeyd.conf -s /var/log/honeypot/service.log

The above is explained as follows:

1. honeyd is started using sudo.
2. -d means that we do not want honeyd to run as a background process. We want to see the output from honeyd as connections are made.
3. -f indicates the configuration file that is to be used.
4. -l points honeyd to write log data to a file we specify.
5. -s points honeyd to write service events to a file we specify.

Testing the configuration against a Nessus Scan (all plugins selected) we see the following results:

One Medium vulnerability was detected, being an unencrypted Telnet server. The following output is presented by Nessus:

Description
The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an unencrypted channel is not recommended as logins, passwords, and commands are transferred in cleartext. This allows a remote, man-in-the-middle attacker to eavesdrop on a Telnet session to obtain credentials or other sensitive information and to modify traffic exchanged between a client and server. SSH is preferred over Telnet since it protects credentials from eavesdropping and can tunnel additional data streams such as an X11 session.

Solution
Disable the Telnet service and use SSH instead.

Output
Nessus collected the following banner from the remote Telnet server :
------------------------------ snip ------------------------------
Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized site, and law enforcement personnel, as well as to authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of authorized site. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.

User Access Verification
Username:
------------------------------ snip ------------------------------

Operating System Fingerprinting

Every operating system has a unique TCP/IP fingerprint, which forms the basis for remote operating system detection technologies such as Nessus or Nmap. The mechanism used for testing a remote host's operating system involves sending specially crafted packets in a sequence and observing the results. The results obtained form the basis for remote operating system identification. This process is called fingerprinting (Valli, 2003).

The following sequence of packets is sent to a remote host:

1. Tseq : a TCP sequence predictability test
2. T1 : a SYN packet with TCP options set
3. T2 : a NULL packet w/options to an open port
4. T3 : a SYN/FIN/URG/PSH packet w/options to an open port
5. T4 : an ACK packet to an open port
6. T5 : a SYN packet sent to a closed port
7. T6 : an ACK packet to a closed port
8. T7 : a FIN/PSH/URG packet to a closed port
9. PU : a UDP packet to a closed port

Honeyd has a built-in OS fingerprinting database, a file called nmap.prints. This file contains the TCP/IP fingerprints required for OS detection.
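Personality names must match an entry in nmap.prints exactly, and the same file records which of the probes above a personality answers. The following Python helper is an added example written for this report, not code from honeyd or nmap; it parses the first-generation nmap fingerprint format the file uses and searches it. The two entries embedded in it are constructed to show the format; their field values are not copied from the real file.

```python
"""Parse the nmap.prints personality database that honeyd ships (added example).

honeyd's personalities are nmap first-generation fingerprints: an entry starts
with 'Fingerprint <name>' and lists the responses to the probes named in the
text (TSeq, T1..T7, PU), one per line as Name(key=value%key=value...). This
helper is written for this report, not taken from honeyd or nmap; it lets you
search the database for an exact personality string to put in
'set <template> personality "..."' and shows which probes the personality will
answer (Resp=N marks a probe that the real OS ignores). The two entries in
SAMPLE_PRINTS are constructed to illustrate the format; their field values are
not copied from the real nmap.prints.
"""
import re

TEST_ORDER = ["TSeq", "T1", "T2", "T3", "T4", "T5", "T6", "T7", "PU"]
_TEST_LINE = re.compile(r"^(\w+)\((.*)\)$")


def parse_prints(text):
    """Return {personality: {test_name: {field: value}}} for a fingerprint file."""
    db = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Fingerprint "):
            current = line[len("Fingerprint "):].strip()
            db[current] = {}
        elif line.startswith("Class "):
            continue   # vendor | family | generation | type; not needed for matching
        else:
            m = _TEST_LINE.match(line)
            if m and current is not None:
                name, body = m.groups()
                fields = dict(part.split("=", 1) for part in body.split("%") if "=" in part)
                db[current][name] = fields
    return db


def find_personalities(db, needle):
    """Case-insensitive substring search over personality names, e.g. 'cisco'."""
    needle = needle.lower()
    return sorted(name for name in db if needle in name.lower())


def probes_answered(db, name):
    """Probes, in scan order, that the personality responds to (Resp=N means silence)."""
    entry = db[name]
    return [t for t in TEST_ORDER
            if t in entry and entry[t].get("Resp", "Y") != "N"]


# Constructed sample in nmap first-generation fingerprint format.
SAMPLE_PRINTS = """\
# constructed sample, not the real nmap.prints
Fingerprint Cisco router running IOS 12.2(8)T
Class Cisco | IOS | 12.X | router
TSeq(Class=RI%gcd=<6%SI=<1FFFFF%IPID=I%TS=U)
T1(DF=N%W=1020%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=N%W=1020%ACK=S++%Flags=AS%Ops=M)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Fingerprint Microsoft Windows XP Professional SP1
Class Microsoft | Windows | NT/2K/XP | general purpose
TSeq(Class=TR%IPID=I%TS=0)
T1(DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
"""

if __name__ == "__main__":
    db = parse_prints(SAMPLE_PRINTS)
    for name in find_personalities(db, "cisco"):
        print(name, "answers", probes_answered(db, name))
```

Pointing parse_prints at the real /etc/honeypot/nmap.prints and searching for "IOS" gives the exact strings to paste into a template. A personality whose entry lacks a probe, or marks it Resp=N, will stay silent to that probe, which is why a scanner can sometimes compute fingerprints but fail to name the system.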

It might be worthwhile looking into evasion techniques for OS fingerprinting, not really to implement as a security control, since many legitimate in-house tools/scanners have a legitimate purpose in identifying remote operating systems. I have looked into a few techniques to evade OS fingerprinting.

In Linux, OS Fingerprint Evasion can be achieved on the Kernel level, which would require, in some cases, a kernel rebuild to take place. Since this topic is out of scope for the purposes of this project, we refer readers to view the following article located at https://nmap.org/misc/defeat-nmap-osdetect.html.

Experiment 1 - Setup a Simple DHCP based Windows XP Host

For our first experiment, we are setting up a Microsoft Windows XP host running Service Pack 1. All ports are down, with the exception of 135, 139 and 445. These ports represent the services msrpc, netbios-ssn and microsoft-ds respectively.

We configure honeyd as follows:

create default
set default default tcp action block
set default default udp action block
set default default icmp action block
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
set windows ethernet "00:00:24:ab:8c:12"
dhcp windows on eth0

Starting honeyd with the following parameters:

sudo honeyd -d -f honeyd.conf -i eth0

gives the following output:

Analysis

Port Scan

Nessus has successfully completed a SYN scan, which attempts to enumerate services based on the ports that are available. The SYN scan attempts to complete a TCP handshake. Based on the output of the Nessus SYN scan plugin, it successfully connected to the ports that we made available.

Ethernet Card Manufacturer Detection

Note that in the configuration wiki, we explain the configuration of Ethernet MAC addresses. Nessus has determined that the remote host's Ethernet manufacturer is “Connect AS”.

OS Identification

Nessus failed to determine the host Operating System. Although one or more fingerprints from the remote system were computed, Nessus does not know how to use them to identify the overall system. Refer to the Configuration Wiki to learn more about supported personalities.

Output from Nessus OS Identification

Experiment 2 - A Single Vulnerable Cisco Router

For experiment 2, we are trying to emulate a Cisco router running IOS 12.0 in order to fool a Nessus scanner. First and foremost, it is imperative that the following Nessus plugins are enabled in the scan policy in order to detect the corresponding honeyd configuration:

Plugin ID: 11936 - OS Identification

Plugin ID: 35716 - Ethernet Card Manufacturer

Plugin ID: 45590 - Common Platform Enumeration (CPE)


Our experiment is to emulate a Cisco router in such a way that Nessus enumerates vulnerabilities. For Phase 1, we are only interested in the correct basic configuration to detect the operating system and to use the correct Ethernet MAC address.

Phase 2 is concerned with providing Nessus with a telnet response on an unprotected port 23. We want Nessus to perform a banner grab in order to populate the underlying scripts with more information to kick off enumeration scripts.

Phase 1

Using the IEEE Public Listing for IEEE Standards Registration Authority (IEEE.org, 2016), we select a listed entry for Cisco Systems Incorporated (IEEE, 2016). The file nmap.prints provides a list of Cisco routers with IOS versions. More details about these two resources can be found in the configuration wiki.

Honeyd.conf configuration:

create default
set default default tcp action block
set default default udp action block
set default default icmp action block
create cisco
set cisco personality "Cisco Router running IOS 12.2(8)T"
set cisco default tcp action reset
add cisco tcp port 22 open
add cisco tcp port 23 open
set cisco ethernet "00:42:68:00:42:68"
dhcp cisco on eth0

Nessus Scan Output

The following results are observed from Nessus, which confirm that our honeyd configuration is correct.

In the next phase we consider how to configure scripts to respond to telnet and ssh requests.


See this video on the process (https://www.youtube.com/watch?v=236DUOdnzls&feature=youtu.be)

Experiment 3 - Enumerating Vulnerabilities on the Single Cisco Router

For this experiment we are interested in capturing credentials over telnet, using a brute-force tool against the honeypot and using honeyd as an analysis data source.

The following configuration has been set in honeyd.conf:

create default
set default default tcp action block
set default default udp action block
set default default icmp action block
create cisco
set cisco personality "Cisco router running IOS 12.2(8)T"
set cisco default tcp action block
set cisco default udp action block
set cisco default icmp action block
add cisco tcp port 23 "/usr/bin/perl /usr/share/honeyd/scripts/routertelnet.pl"
set cisco ethernet "00:42:68:00:42:68"
dhcp cisco on eth0

Running a Nessus Scan, we see that there is an unencrypted telnet port open. Nessus provides the following output:

You will notice on the honeyd official website (http://www.honeyd.org/contrib.php) that there are existing scripts that can be downloaded such as the below:

Just a note: since these scripts were developed back in 2003, there is a possibility that they will not function 100% correctly on your Linux distribution today.

Many permission errors will come up when you try to either compile the scripts or test the service scripts from a remote machine. It is important that the router-telnet.pl script captures and saves the username/password combinations so that we can query the data. The Perl code of router-telnet.pl is below, and a video explanation is provided here: (https://www.youtube.com/watch?v=xNomKqtAkSk&feature=youtu.be)

#!/usr/bin/perl
# Copyright 2002 Niels Provos <provos@citi.umich.edu>
# All rights reserved.
#
# For the license refer to the main source code of Honeyd.
#
# Telnet option negotiation sent before the banner:
# Don't Echo, Will Echo, Will Suppress Go Ahead
$return = pack('ccccccccc', 255, 254, 1, 255, 251, 1, 255, 251, 3);
syswrite STDOUT, $return, 9;

# Login banner of the emulated router (each line ends in CR LF on the wire).
$string = "Users (authorized or unauthorized) have no explicit or\r
implicit expectation of privacy. Any or all uses of this\r
system may be intercepted, monitored, recorded, copied,\r
audited, inspected, and disclosed to authorized site,\r
and law enforcement personnel, as well as to authorized\r
officials of other agencies, both domestic and foreign.\r
By using this system, the user consents to such\r
interception, monitoring, recording, copying, auditing,\r
inspection, and disclosure at the discretion of authorized\r
site.\r
\r
Unauthorized or improper use of this system may result in\r
administrative disciplinary action and civil and criminal\r
penalties. By continuing to use this system you indicate\r
your awareness of and consent to these terms and conditions\r
of use. LOG OFF IMMEDIATELY if you do not agree to the\r
conditions stated in this warning.\r
\r
\r
\r
User Access Verification\r
";
syswrite STDOUT, $string;

# Allow three login attempts; every attempt with a non-empty password is
# written to STDERR, which honeyd routes to the service log (-s).
$count = 0;
while ($count < 3) {
    do {
        $count++;
        syswrite STDOUT, "\r\n";
        $word = read_word("Username: ", 1);
    } while (!$word && $count < 3);
    if ($count >= 3 && !$word) {
        exit;
    }
    $password = read_word("Password: ", 0);
    if (!$password) {
        syswrite STDOUT, "% Login invalid\r\n";
    } else {
        syswrite STDERR, "Attempted login: $word/$password\n";
        syswrite STDOUT, "% Access denied\r\n";
    }
}
exit;

# Read one line from the client; $echo controls whether typed characters are
# echoed back (on for the username, off for the password).
sub read_word {
    my $prompt = shift;
    my $echo = shift;
    my $word;

    syswrite STDOUT, "$prompt";

    $word = "";
    $alarmed = 0;
    eval {
        local $SIG{ALRM} = sub { $alarmed = 1; die; };
        alarm 30;
        $finished = 0;
        do {
            $nread = sysread STDIN, $buffer, 1;
            die unless $nread;
            if (ord($buffer) == 0) {
                ; # ignore NUL padding
            } elsif (ord($buffer) == 255) {
                # IAC: skip the two bytes of the client's option negotiation
                sysread STDIN, $buffer, 2;
            } elsif (ord($buffer) == 13 || ord($buffer) == 10) {
                syswrite STDOUT, "\r\n" if $echo;
                $finished = 1;
            } else {
                syswrite STDOUT, $buffer, 1 if $echo;
                $word = $word.$buffer;
            }
        } while (!$finished);
        alarm 0;
    };
    syswrite STDOUT, "\r\n" if $alarmed || ! $echo;
    if ($alarmed) {
        syswrite STDOUT, "% $prompt timeout expired!\r\n";
        return (0);
    }
    return ($word);
}
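The nine bytes the script packs before the banner, and the byte-by-byte filtering in read_word, are Telnet protocol details worth seeing in isolation. The following Python code is an added example written for this report, not part of honeyd: it names the three negotiation commands the script sends and reproduces the read_word input filter on a byte string instead of STDIN. The client byte strings it uses are constructed, and the option names beyond ECHO and SUPPRESS-GO-AHEAD are only there to decode client replies.

```python
"""Decode the Telnet option negotiation that router-telnet.pl sends (added example).

The Perl script opens every session with nine raw bytes,
pack('ccccccccc', 255, 254, 1, 255, 251, 1, 255, 251, 3): three Telnet
commands of the form IAC <verb> <option> (RFC 854), namely IAC DONT ECHO,
IAC WILL ECHO and IAC WILL SUPPRESS-GO-AHEAD. Together they make the client
stop echoing locally, so the honeypot decides what appears on screen and the
password prompt stays blind. The helpers below are written for this report
(not code from honeyd): decode_negotiation() names such sequences, and
read_word() mirrors the filtering loop of the Perl read_word (drop NUL, skip
IAC and its two argument bytes, stop at CR or LF) on a byte string instead
of STDIN. One deliberate difference: CR LF and CR NUL are treated as a single
line end, which the byte-at-a-time Perl loop does not do. Client byte strings
used below are constructed.
"""

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
VERBS = {DONT: "DONT", DO: "DO", WONT: "WONT", WILL: "WILL"}
OPTIONS = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE", 31: "NAWS"}

# The exact bytes the Perl script writes before the banner.
HANDSHAKE = bytes([255, 254, 1, 255, 251, 1, 255, 251, 3])


def decode_negotiation(data):
    """Return a human-readable name for each IAC <verb> <option> triple in data."""
    names = []
    for i in range(0, len(data), 3):
        triple = data[i:i + 3]
        if len(triple) != 3 or triple[0] != IAC:
            raise ValueError(f"not an IAC triple at offset {i}: {triple!r}")
        verb, option = triple[1], triple[2]
        names.append(f"IAC {VERBS.get(verb, verb)} {OPTIONS.get(option, option)}")
    return names


def read_word(stream):
    """Consume one line of client input, returning (word, remaining_bytes)."""
    word = bytearray()
    i = 0
    while i < len(stream):
        b = stream[i]
        if b == 0:
            i += 1                       # NUL padding, ignored like the Perl does
        elif b == IAC:
            i += 3                       # client negotiation: skip verb and option
        elif b in (13, 10):
            i += 1
            if b == 13 and i < len(stream) and stream[i] in (10, 0):
                i += 1                   # swallow the LF/NUL that follows CR
            return word.decode("latin-1"), stream[i:]
        else:
            word.append(b)
            i += 1
    return word.decode("latin-1"), b""   # client closed without a line end


def capture_login(stream):
    """Run the username and password reads of one attempt and return the record
    the Perl script writes to stderr, or None when either field is empty."""
    user, rest = read_word(stream)
    password, _ = read_word(rest)
    if not user or not password:
        return None
    return f"Attempted login: {user}/{password}"


if __name__ == "__main__":
    print(decode_negotiation(HANDSHAKE))
    # Constructed client input: the client answers our negotiation, then sends
    # the username (CR LF) and password (CR NUL, as some Telnet clients do).
    client = b"\xff\xfd\x01\xff\xfb\x18admin\r\ncisco\r\x00"
    print(capture_login(client))
```

Running the module prints the three decoded commands and the log record "Attempted login: admin/cisco". The CR handling matters for analysis: with the Perl loop, a client that ends lines with CR LF leaves the LF behind, so the next prompt is answered by an empty line, which is worth remembering when an expected credential pair is missing from the service log.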

The objective of this experiment is to understand the concept of username and password capturing on the honeypot. This information can be used to obtain a username and password database of those used by attackers for attempted logins.

To carry out the objective, we configured Nmap on 192.168.1.4 to run the telnet-brute script, supplying it with a usernames.txt file and a passwords.txt file. The Nmap instruction is:

nmap -sS --script telnet-brute --script-args "userdb=c:\\datafiles\\usernames.txt, passdb=c:\\datafiles\\passwords.txt" 192.168.1.9

Note that the (-s) parameter is used for the service log and logs the output from the service scripts, whereas the (-l) parameter logs connection-oriented information such as source IP, source port, destination IP and destination port.

Opening the service log file for this experiment we can clearly see the attempted logins from Nmap.

Based on the above data, we can start analyzing for intelligence purposes:
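The service log is a text file, so the first aggregation an analyst wants (attempts per source, most-tried usernames, passwords and pairs, and which sources are brute-forcing) is a short script. The following Python is an added example written for this report, not part of honeyd; the prefix it expects in front of each "Attempted login:" entry (timestamp, protocol, addresses and ports) is an assumption modelled on the -l connection log format, and the log lines embedded in it are constructed.

```python
"""Summarise the credentials router-telnet.pl captured in the honeyd service log.

Added example written for this report, not part of honeyd. Each failed login
the Perl script sees is written to its stderr as 'Attempted login: <user>/<pass>'
and honeyd appends it to the file named with -s. The prefix honeyd puts in front
of that text (timestamp, protocol, source address and port, destination address
and port) is an assumption here, modelled on honeyd's -l connection log; the
parser relies only on a timestamp at the start of the line, the first IPv4
address after it, and the 'Attempted login:' marker. SAMPLE_SERVICE_LOG is
constructed. brute_force_sources() flags a source that makes at least a
threshold of attempts inside a sliding time window, which is how a dictionary
run such as the Nmap telnet-brute scan in this experiment shows up.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_SERVICE_LOG = """\
2016-03-01-10:22:33.1043 tcp(6) 192.168.1.4 41234 192.168.1.9 23: Attempted login: admin/admin
2016-03-01-10:22:34.2201 tcp(6) 192.168.1.4 41235 192.168.1.9 23: Attempted login: admin/cisco
2016-03-01-10:22:35.3390 tcp(6) 192.168.1.4 41236 192.168.1.9 23: Attempted login: cisco/cisco
2016-03-01-10:22:36.4412 tcp(6) 192.168.1.4 41237 192.168.1.9 23: Attempted login: root/toor
2016-03-01-10:23:01.0001 tcp(6) 192.168.1.4 41238 192.168.1.9 23: Attempted login: admin/admin
2016-03-01-10:23:02.0002 tcp(6) 192.168.1.4 41239 192.168.1.9 23: Attempted login: admin/password
2016-03-01-10:30:00.0000 tcp(6) 192.168.1.4 41240 192.168.1.9 23: connection closed
2016-03-01-10:41:10.5120 tcp(6) 10.0.0.7 51000 192.168.1.9 23: Attempted login: root/root
"""

_ATTEMPT = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\S+\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}).*?Attempted login:\s*(?P<user>[^/]*)/(?P<pw>.*)$"
)


def parse_attempts(text):
    """Return (timestamp, source_ip, username, password) for every captured login."""
    attempts = []
    for line in text.splitlines():
        m = _ATTEMPT.match(line)
        if not m:
            continue                    # other service output, not a credential
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d-%H:%M:%S.%f")
        attempts.append((ts, m.group("src"), m.group("user"), m.group("pw").rstrip()))
    return attempts


def summarise(attempts, top=5):
    """Volume per source, top usernames, top passwords and top pairs."""
    return {
        "attempts": len(attempts),
        "sources": Counter(src for _, src, _, _ in attempts),
        "users": Counter(u for _, _, u, _ in attempts).most_common(top),
        "passwords": Counter(p for _, _, _, p in attempts).most_common(top),
        "pairs": Counter((u, p) for _, _, u, p in attempts).most_common(top),
    }


def brute_force_sources(attempts, threshold=5, window_seconds=60):
    """Sources with at least `threshold` attempts inside any `window_seconds` span."""
    by_src = defaultdict(list)
    for ts, src, _, _ in attempts:
        by_src[src].append(ts)
    flagged = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1              # slide the window forward
            if end - start + 1 >= threshold:
                flagged.append(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    found = parse_attempts(SAMPLE_SERVICE_LOG)
    report = summarise(found)
    print(f"{report['attempts']} attempts from {len(report['sources'])} sources")
    print("top pairs:", report["pairs"])
    print("brute-force sources:", brute_force_sources(found))
```

On the constructed sample, 192.168.1.4 makes six attempts within 29 seconds and is flagged, while the single attempt from 10.0.0.7 is not. The pair counts are the part worth keeping over time: they are the attacker's dictionary, and comparing them against the organisation's own password policy is the direct defensive use of this data.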

Experiment 4 - Configuring a Vulnerable Linux Honeypot

In this experiment, I build upon the knowledge gained from the ISWWW course, where I performed a whitebox code review of ProFTPD version 1.3.2c, which was vulnerable to remote code execution due to a buffer overflow flaw. The vulnerability is listed formally as CVE-2010-4221 (https://www.cvedetails.com/cve/CVE-2010-4221/).

I wrote a custom NASL script to test for the potential vulnerability of a host, listed here:

if(description)
{
  script_id(900098);
  script_version("$Revision: 1.00 $");
  script_cve_id("CVE-1999-0001");
  script_name(english:"Proof of Concept NASL to check proFTPD 1.3.3a");
  script_description(english:"This script establishes a connection to the remote host on port 21 and extracts the banner");
  script_summary(english:"retrieves the remote HTTP banner");
  script_category(ACT_GATHER_INFO);
  script_family(english:"FTP");
  script_copyright(english:"(C) 2016 Dimension Data");
  exit(0);
}

display("This is a remote check for CVE-2010-4221 - ProFTPD 1.3.2rc3 1.3.3b Telnet IAC Buffer Overflow (Linux)\n");

soc = open_sock_tcp(21);
if (!soc)
{
  security_note(port:21, data:"\nThe remote FTP Port is closed");
  exit(0);
}
banner = recv_line(socket:soc, length:4096);
display("\nThe remote FTP banner is : " + banner);
close(soc);

# Compare the start of the banner with each affected version string. The strings
# differ in length, so each one is matched against a prefix of its own length
# (a fixed 18-character prefix would never match "220 ProFTPD 1.3.2rc3").
versions = make_list("220 ProFTPD 1.3.3a", "220 ProFTPD 1.3.2rc3", "220 ProFTPD 1.3.3b");
vulnerable = 0;
foreach v (versions)
{
  if (substr(banner, 0, strlen(v) - 1) == v) vulnerable = 1;
}

if (vulnerable)
{
  display("\nPotential Vulnerable Version of ProFTPD Found\n");
}
else
{
  display("\nRemote Target is not ProFTPD version 1.3.3a");
  exit(0);
}

soc = open_sock_tcp(22);
if (!soc)
{
  security_note(port:22, data:"SSH port is closed");
  exit(0);
}
close(soc);

The output from the scripts reads:

…and configured the honeypot to emulate a Linux operating system as follows:

create default
set default default tcp action block
set default default udp action block
set default default icmp action block
create linux
set linux personality "Linux Kernel 2.4.20"
set linux default tcp action block
set linux default udp action block
set linux default icmp action block
add linux tcp port 21 "sh /usr/share/honeyd/scripts/unix/linux/suse8.0/proftpd.$
set linux ethernet "dell"
dhcp linux on eth0

The proftpd script (bash) reads as follows:

#!/bin/bash
#
# FTP (WU-FTPD) Honeypot-Script intended for use with
# Honeyd from Niels Provos
# -> http://www.citi.umich.edu/u/provos/honeyd/
#
# Author: Maik Ellinger
# Last modified: 13/06/2002
# Version: 0.0.8
#
# Changelog:
# 0.0.8: some ftp commands implemented: PWD, TYPE, MODE, PORT (by Fabian Bieker)
#
# 0.0.7: pseudo filesystem added (by Fabian Bieker)
#
# 0.0.6: some ftp commands implemented (MKD)
#
# 0.0.4: some ftp commands implemented (CWD)
#
# 0.0.3: some bugfixes/new commands implemented
#
# 0.0.1: initial release
#

# base.sh provides LOG, DATE, DOMAIN and the my_start/my_stop helpers
. /usr/share/honeyd/scripts/misc/base.sh

# honeyd passes the connection endpoints as arguments
SRCIP=$1
SRCPORT=$2
DSTIP=$3
DSTPORT=$4

SERVICE="pro-ftpd/FTP"
HOST="bps-pc10"
AUTH="no"
PASS="no"
DATFILES="/usr/share/honeyd/scripts/suse8.0/dat/proftpd.files"
pwd="/"
passive=0
#dataport=1234
dataport=$((SRCPORT+1))
type="A"
mode="S"

my_start

echo -e "220 ProFTPD 1.3.3b Server (SuSE) [$HOST.$DOMAIN] ready.\r"

while read incmd parm1 parm2 parm3 parm4 parm5
do
    # remove control-characters
    incmd=`echo $incmd | sed s/[[:cntrl:]]//g`
    parm1=`echo $parm1 | sed s/[[:cntrl:]]//g`
    parm2=`echo $parm2 | sed s/[[:cntrl:]]//g`
    parm3=`echo $parm3 | sed s/[[:cntrl:]]//g`
    parm4=`echo $parm4 | sed s/[[:cntrl:]]//g`
    parm5=`echo $parm5 | sed s/[[:cntrl:]]//g`

    # convert to upper-case
    incmd_nocase=`echo $incmd | gawk '{print toupper($0);}'`
    #echo $incmd_nocase

    # log user input
    echo "$incmd $parm1 $parm2 $parm3 $parm4 $parm5" >> $LOG

    # check for login
    if [ "$AUTH" == "no" ]
    then
        if [ "$incmd_nocase" != "USER" ]
        then
            if [ "$incmd_nocase" != "QUIT" ]
            then
                echo -e "530 Please login with USER and PASS.\r"
                continue
            fi
        fi
    fi

    # parse cmds
    case $incmd_nocase in
        QUIT* )
            echo -e "221 Goodbye.\r"
            my_stop
        ;;
        SYST* )
            echo -e "215 UNIX Type: L8\r"
        ;;
        HELP* )
            echo -e "214-The following commands are recognized (* =>'s unimplemented).\r"
            echo -e "   USER    PORT    STOR    MSAM*   RNTO    NLST    MKD     CDUP\r"
            echo -e "   PASS    PASV    APPE    MRSQ*   ABOR    SITE    XMKD    XCUP\r"
            echo -e "   ACCT*   TYPE    MLFL*   MRCP*   DELE    SYST    RMD     STOU\r"
            echo -e "   SMNT*   STRU    MAIL*   ALLO    CWD     STAT    XRMD    SIZE\r"
            echo -e "   REIN*   MODE    MSND*   REST    XCWD    HELP    PWD     MDTM\r"
            echo -e "   QUIT    RETR    MSOM*   RNFR    LIST    NOOP    XPWD\r"
            echo -e "214 Direct comments to ftp@$DOMAIN.\r"
        ;;
        USER* )
            parm1_nocase=`echo $parm1 | gawk '{print toupper($0);}'`
            if [ "$parm1_nocase" == "ANONYMOUS" ]; then
                echo -e "331 Guest login ok, send your complete e-mail address as a password.\r"
                AUTH="ANONYMOUS"
            else
                echo -e "331 Password required for $parm1\r"
                AUTH=$parm1
            fi
        ;;
        PASS* )
            PASS=$parm1
            if [ "$AUTH" == "ANONYMOUS" ]; then
                rand=`head -c 4 /dev/urandom | hexdump | sed -e 's/[0 a-z]//g' | head -c 2`
                echo -e "230-Hello User at $SRCIP,\r"
                echo -e "230-we have $rand users (max 100) logged in in your class at the moment.\r"
                echo -e "230-Local time is: $DATE\r"
                echo -e "230-All transfers are logged. If you don't like this, disconnect now.\r"
                echo -e "230-\r"
                echo -e "230-tar-on-the-fly and gzip-on-the-fly are implemented; to get a whole\r"
                echo -e "230-directory \"foo\", \"get foo.tar\" or \"get foo.tar.gz\" may be used.\r"
                echo -e "230-Please use gzip-on-the-fly only if you need it; most files already\r"
                echo -e "230-are compressed, and I will kill your processes if you waste my\r"
                echo -e "230-resources.\r"
                echo -e "230-\r"
                echo -e "230-The command \"site exec locate pattern\" will create a list of all\r"
                echo -e "230-path names containing \"pattern\".\r"
                echo -e "230-\r"
                echo -e "230 Guest login ok, access restrictions apply.\r"
            else
                echo -e "530 Login incorrect.\r"
            fi
        ;;
        MKD* )
            # pseudo filesystem: entries in $DATFILES carry their permissions in [...]
            if [ `echo "$parm1" | grep ^/ 2>&1 >/dev/null && echo 1` ]; then
                if [ `cat $DATFILES | sed -e 's!/.*/$!/!' | grep "$parm1.*\[.*w.*\]" 2>&1 >/dev/null && echo 1` ]; then
                    echo -e "257 \"$parm1\" new directory created.\r"
                    echo -e "$parm1/\t[drwx]" | sed 's!//*!/!g' >> $DATFILES
                else
                    echo -e "550 $parm1: Permission denied.\r"
                fi
            else
                if [ `grep "$pwd.*\[.*w.*\]" $DATFILES 2>&1 >/dev/null && echo 1` ]; then
                    echo -e "257 \"$pwd/$parm1\" new directory created.\r"
                    echo -e "$pwd/$parm1/\t[drwx]" | sed 's!//*!/!g' >> $DATFILES
                else
                    echo -e "550 $parm1: Permission denied.\r"
                fi
            fi
        ;;
        RMD* )
            if [ `echo "$parm1" | grep ^/ >/dev/null && echo 1` ]; then
                if [ `cat $DATFILES | sed -e 's!/.*/$!/!' | grep "$parm1.*\[.*w.*\]" 2>&1 >/dev/null && echo 1` ]; then
                    echo -e "257 \"$parm1\" directory deleted.\r"
                    #echo -e "$parm1/\t[drwx]" | sed 's!//*!/!g' >> $DATFILES
                else
                    echo -e "550 $parm1: Permission denied.\r"
                fi
            else
                if [ `grep "$pwd.*\[.*w.*\]" $DATFILES 2>&1 >/dev/null && echo 1` ]; then
                    echo -e "257 \"$pwd/$parm1\" directory deleted.\r"
                    #echo -e "$pwd/$parm1/\t[drwx]" | sed 's!//*!/!g' >> $DATFILES
                else
                    echo -e "550 $parm1: Permission denied.\r"
                fi
            fi
        ;;
        CWD* )
            oldpwd=$pwd
            if [ `echo $parm1 | grep ^/` ]; then
                pwd=`echo $parm1 | sed -e 's!//*!/!g' | sed -e 's!/[^/][^/]*/\.\.!!g'`
            else
                pwd=`echo $pwd/$parm1 | sed -e 's!//*!/!g' | sed -e 's!/[^/][^/]*/\.\.!!g'`
            fi
            if [ `grep "$pwd" $DATFILES 2>&1 >/dev/null && echo 1` ]; then
                if [ `grep "$pwd.*\[.*[dx].*[dx].*\]" $DATFILES 2>&1 >/dev/null && echo 1` ]; then
                    echo -e "250 CWD command successful.\r"
                else
                    echo -e "550 $parm1: Permission denied.\r"
                fi
            else
                echo -e "550 $parm1: No such file or directory\r"
                pwd=$oldpwd
            fi
        ;;
        PWD* )
            echo -e "257 \"$pwd\" is current directory.\r"
        ;;
        LIST* )
            if [ `grep "$parm1" $DATFILES 2>&1 >/dev/null && echo 1` ]; then
                if [ `grep "$pwd/$parm1.*\[.*r.*\]" $DATFILES 2>&1 >/dev/null && echo 1` ]; then
                    if [ $passive -eq 1 ]; then
                        #echo -e "hallo\r" | nc -w 1 -l -p $dataport
                        sleep 6
                        echo -e "425 Can't build data connection: Connection Timeout\r"
                    else
                        #grep -E "`echo "^$pwd/$parm1/" | sed -e 's!//*!/!g'`[^/][^/]*/[^/]*$" $DATFILES | \
                        #sed -e 's!/.*/\(.*\)/!\1!' | sed -e 's!//*!!g' | \
                        #sed -e 's/\[\(.*\)d\(.*\)\]/\1\2/' | \
                        #awk '{printf "drwx%s%s\t8\tftp\tftp\t4096\tFeb 28 22:11 %s\r\n", $2, $2, $1}' #| \
                        #echo -e "nc -w 1 -s 172.16.1.100 -p 20 172.16.1.5 $dataport\r"
                        #echo -e "hallo\r\n\r\n" | nc -w 1 -s 172.16.1.100 -p 20 172.16.1.5 $dataport
                        #nc -w 1 -s $DSTIP -p 20 localhost $dataport
                        #echo -e "150 Opening ASCII mode data connection for file list.\r"
                        #echo -e "226 Transfer complete.\r"
                        #echo -e "226 Quotas off\r"
                        echo -e "425 Can't build data connection: Connection refused\r"
                    fi
                else
                    echo -e "550 $parm1: Permission denied.\r"
                fi
            else
                echo -e "550 $parm1: No such file or directory\r"
            fi
        ;;
        RETR* )
            if [ `grep "$parm1" $DATFILES 2>&1 >/dev/null && echo 1` ]; then
                if [ $passive -eq 1 ]; then
                    sleep 6
                    echo -e "425 Can't build data connection: Connection Timeout\r"
                else
                    echo -e "425 Can't build data connection: Connection refused\r"
                fi
            else
                echo -e "550 $parm1: No such file or directory\r"
            fi
        ;;
        STOR* )
            echo -e "550 $parm1: No such file or directory\r"
        ;;
        NOOP* )
            echo -e "200 NOOP command successful.\r"
        ;;
        PASV* )
            echo -e "227 Entering Passive Mode (192,168,1,2,165,53)\r"
            passive=1
            dataport=42293
        ;;
        PORT* )
            #echo -e "500 Illegal PORT command.\r"
            echo -e "200 PORT command successful.\r"
            #echo "parm1: $parm1"
            #dataport=$parm1
        ;;
        ALLO* )
            echo -e "202 No storage allocation necessary.\r"
        ;;
        TYPE* )
            echo -e "200 Type set to $parm1.\r"
            type=$parm1
        ;;
        MODE* )
            echo -e "200 Mode set to $parm1.\r"
            mode=$parm1
        ;;
        # default branch and the end of the case statement and read loop,
        # completing the listing (not shown on the original page)
        * )
            echo -e "500 '$incmd': command not understood.\r"
        ;;
    esac
done

Page 37 of 51


;; ACCT* ) echo -e "502 $incmd command not implemented.\r" ;; SMNT* ) echo -e "502 $incmd command not implemented.\r" ;; REIN* ) echo -e "502 $incmd command not implemented.\r" ;; MLFL* ) echo -e "502 $incmd command not implemented.\r" ;; MAIL* ) echo -e "502 $incmd command not implemented.\r" ;; MSND* ) echo -e "502 $incmd command not implemented.\r" ;; MSON* ) echo -e "502 $incmd command not implemented.\r" ;; MSAM* ) echo -e "502 $incmd command not implemented.\r" ;; MRSQ* ) echo -e "502 $incmd command not implemented.\r" ;; MRCP* ) echo -e "502 $incmd command not implemented.\r" ;; MLFL* ) echo -e "502 $incmd command not implemented.\r" ;; * ) echo -e "500 '$incmd': command not understood.\r" ;; esac done my_stop

A Perl Script to Integrate Data into MySQL

Some background on the location of the script, including analysis and explanation of how it works: https://www.youtube.com/watch?v=tE32bEPtUCU&feature=youtu.be

See this video to view the structure and actual integration of log data into MySQL: https://www.youtube.com/watch?v=zZokPfL3Vn8&feature=youtu.be

#!/usr/bin/perl -w
#
# Honeyd2MySQL v0.3
#
# A simple script to populate a MySQL database
# with data extracted from honeyd honeypot's log.
#
# A web interface for the results will be published soon
# on the website mentioned below.
#
# Please leave feedback at: bruteforce.gr/honeyd2mysql
#
# This file is a modified version of "honeyd_importer" perl script originally
# written by Joshua Gimer and shared through "honeypots" mailing list.
#
# This file is distributed under the terms of GPLv3.
#

use strict;
use warnings;
use DBI;

#The path to honeyd's log file - change accordingly!
my $logfile = '/var/log/honeypot/honeyd.log';

#MySQL server values - change accordingly!
my $sql_user     = 'root';
my $sql_password = 'dc10xh!';
my $database     = 'honeyd';
my $hostname     = 'localhost';

open(FILE, "$logfile") or die "Cannot open $logfile: $!";

#Connect to the MySQL database
my $dbh = DBI->connect("dbi:mysql:database=$database;host=$hostname;port=3306", $sql_user, $sql_password)
    or die "Cannot connect to MySQL: $DBI::errstr";

#Create the required database table
my $SQL = "create table connections(id integer primary key auto_increment not null, date_time datetime not null, proto varchar(4) not null, source_ip varchar(15) not null,"
        . "source_port integer not null, dest_ip varchar(15) not null, dest_port integer not null)";
my $CreateTable = $dbh->do($SQL);

print "\n\tHoneyd2MySQL: a simple script to populate a MySQL database with data from honeyd log files.\n";
print "\n\tDepending on the size of your logfile this operation might take some minutes,\n\tseat back and relax, don't worry if your terminal seems idle for a long time.\n\n";
sleep(3);

#Start parsing honeyd logfile...
while (<FILE>) {
    print "\nChecking logfile line: $_";
    if (!($_ =~ /honeyd log started/)) {
        print "Check passed - OK\n";
        my ($date_time, $proto, $start_end, $src_ip, $src_port, $dest_ip, $dest_port);
        if ( (/icmp/) || (/dsr/) || (/gre/) ) {
            #Protocols without ports: the field after the destination is "type(code):"
            ($date_time, $proto, $start_end, $src_ip, $dest_ip, $dest_port) = split(/ /, "$_");
            $dest_port =~ s/\(\d+\):?//;
            $src_port = '00';
        } else {
            ($date_time, $proto, $start_end, $src_ip, $src_port, $dest_ip, $dest_port) = split(/ /, "$_");
        }
        #"2016-04-01-13:45:01.1234" becomes "2016-04-01 13:45:01" (a MySQL datetime)
        $date_time =~ s/-(\d\d):/ $1:/;
        $date_time =~ s/\.\d.*$//;
        #"tcp(6)" becomes "tcp"; the trailing ':' of end records is removed from the port
        $proto =~ s/\(\d\)//;
        $proto =~ s/\s/udp/;
        $proto =~ s/\(\d+\)//;
        $dest_port =~ s/://;
        unless ($start_end eq "E") {
            print "Inserting Values:\nDate-Time: $date_time\nProtocol: $proto\nSource IP and Port: $src_ip:$src_port\nDestination IP and Port: $dest_ip:$dest_port\n";
            #Bound parameters: fields taken from the log are never interpolated into the SQL text
            $dbh->do("INSERT INTO connections (date_time, proto, source_ip, source_port, dest_ip, dest_port) VALUES (?, ?, ?, ?, ?, ?)",
                     undef, $date_time, $proto, $src_ip, $src_port, $dest_ip, $dest_port);
        }
    } #if
} #while

#Fix protocol column (if any) and remove trailing ':' from dest_ip for icmp connections
$dbh->do("UPDATE connections set proto = 'udp' where proto='';");
$dbh->do("UPDATE connections set dest_ip = substring(dest_ip, 1, length(dest_ip)-1) where proto='icmp';");
close(FILE);
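The importer above splits each honeyd log line on spaces and treats icmp, gre and dsr records (which carry no ports) differently from tcp and udp records, skipping tcp end ("E") records. The following Python version is an added example, not part of this page or of the Honeyd2MySQL script: it applies the same field handling, but stores the records in SQLite with bound parameters, so that text the honeypot copied from an attacker's traffic (such as the bracketed fingerprint) can never alter the SQL. The log lines are constructed in the layout the Perl parsing assumes.

```python
import re
import sqlite3

# Constructed sample in the layout the Perl importer splits on:
# "<date>-<time>.<frac> <proto>(<num>) <S|E|-> <src> [<sport>] <dst> <dport>[:] ..."
SAMPLE_LOG = """\
honeyd log started ------
2016-04-01-13:45:01.1234 tcp(6) S 192.168.1.5 49152 192.168.1.34 21 [Windows XP SP1]
2016-04-01-13:45:09.0001 tcp(6) E 192.168.1.5 49152 192.168.1.34 21: 120 0
2016-04-01-13:46:10.5000 icmp(1) - 192.168.1.5 192.168.1.12: 8(0): 84
2016-04-01-13:47:00.0000 udp(17) S 192.168.1.5 137 192.168.1.35 137: 50
2016-04-01-13:48:00.0000 tcp(6) S 192.168.1.5 49153 192.168.1.34 21 [Linux 2.4.x O'Neil]
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+"
    r"(?P<proto>[a-z]+)\(\d+\)\s+(?P<flag>[SE-])\s+(?P<rest>.*)$")

def parse_line(line):
    """Return one connection record, or None for the header line, tcp end ('E')
    records and anything that does not match the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("flag") == "E":
        return None
    proto, fields = m.group("proto"), m.group("rest").split()
    if proto in ("icmp", "gre", "dsr"):
        # no ports: "src dst: type(code): size"; the Perl stores port 00 here
        src_ip, dst_ip = fields[0], fields[1].rstrip(":")
        src_port, dst_port = 0, int(re.sub(r"\(\d+\):?", "", fields[2]))
    else:
        src_ip, src_port = fields[0], int(fields[1])
        dst_ip, dst_port = fields[2], int(fields[3].rstrip(":"))
    return {"date_time": f"{m.group('date')} {m.group('time')}", "proto": proto,
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port}

def import_log(text, db=":memory:"):
    """Insert every start record with bound parameters, so a quote or bracketed
    fingerprint text inside a log line can never change the SQL statement."""
    conn = sqlite3.connect(db)
    conn.execute("CREATE TABLE IF NOT EXISTS connections (id INTEGER PRIMARY KEY,"
                 " date_time TEXT, proto TEXT, source_ip TEXT, source_port INTEGER,"
                 " dest_ip TEXT, dest_port INTEGER)")
    rows = [r for r in map(parse_line, text.splitlines()) if r]
    conn.executemany("INSERT INTO connections (date_time, proto, source_ip,"
                     " source_port, dest_ip, dest_port) VALUES (:date_time, :proto,"
                     " :src_ip, :src_port, :dst_ip, :dst_port)", rows)
    conn.commit()
    return conn

def top_targets(conn, limit=5):
    """Most-contacted (dest_ip, dest_port) pairs: the first view an analyst wants."""
    return conn.execute("SELECT dest_ip, dest_port, COUNT(*) FROM connections"
                        " GROUP BY dest_ip, dest_port ORDER BY 3 DESC, 1, 2 LIMIT ?",
                        (limit,)).fetchall()
```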

Commands used for Honeyd Networking

Before we begin with networking experiments, it is important that we understand the commands used in the honeyd configuration file to specify the routing requirements we have for our network.

ROUTE ENTRY

The route entry command is used to specify which "router" must be accessible at the entry point of the network.

The route entry command format is shown below. The first parameter indicates the IP address of the router. The second parameter indicates the network that is reachable from that IP address.

route entry <ip of router> <reachable network>

Example:

route entry 172.12.0.1 172.20.0.0/16
route entry 10.0.0.1 10.5.1.0/24

In the above example we define two routers, 172.12.0.1 and 10.0.0.1. The ranges up to 172.20.255.254 and 10.5.1.254 are reachable from 172.12.0.1 and 10.0.0.1 respectively. Note that 10.5.1.0/24 is not reachable from 172.12.0.1, and 172.20.0.0/16 is not reachable from 10.0.0.1.

LINK

The link command is used to tell which network is DIRECTLY ACCESSIBLE from a router. It takes both the route command and the link command to establish a directly attached network, as follows:


ROUTE <IP of ROUTER> LINK <NETWORK DIRECTLY ACCESSIBLE>

Example:

route 172.20.0.1 link 172.20.0.0/24

ADD NET

The add net command is used to link one router with another. It is preceded by the route command and takes three parameters in the configuration. The first, <ip of router>, is the existing router on the network, and <ip of new router> is the IP address of the newly added router connected to the existing one. <reachable network> indicates which network is served by the new router.

route <ip of router> add net <reachable network> <ip of new router>

Example:

route 10.0.0.500 add net 10.10.0.0/16 10.0.10.400
route 10.0.1.100 add net 10.1.1.0/24 10.1.0.100 latency 50ms loss 0.1 bandwidth 1Mbps

In the first example above, we add a new router, 10.0.10.400, directly next to 10.0.0.500. The network that the new router 10.0.10.400 serves is 10.10.0.0/16. Normally we must use the link command afterwards to make 10.10.0.0/16 directly accessible from 10.0.10.400.

In the second example above, note that we add network characteristics to the new router. We can indicate the latency that must be experienced in milliseconds, the packet loss as a ratio, and the bandwidth in Mbps.

Using the above commands, ROUTE ENTRY, LINK and ADD NET (each introduced by ROUTE), we can create almost any type of network.

Experiment 1 - One router and two hosts

For this specific experiment, we want to segment our network into four areas and, on a per-experiment basis, start adding networks to the honeyd configuration. For our first experiment, we are only interested in adding the 192.168.1.33/27 network with one router. The subnet calculations are shown below:

We then present the following network diagram:

Honeyd is then configured in this way:

route entry 192.168.1.12 network 192.168.1.32/27
route 192.168.1.12 link 192.168.1.32/27

create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create cisco1
set cisco1 personality "Cisco router running IOS 12.2(8)T"
set cisco1 default tcp action block
set cisco1 default udp action block
set cisco1 default icmp action block
add cisco1 tcp port 80 open
add cisco1 tcp port 23 "/usr/bin/perl /usr/share/honeyd/scripts/routertelnet.p$
set cisco1 ethernet "00:42:68:00:42:68"
bind 192.168.1.12 cisco1

create linux1
set linux1 personality "Linux Kernel 2.4.20"
set linux1 default tcp action block
set linux1 default udp action block
set linux1 default icmp action block
add linux1 tcp port 21 "sh /usr/share/honeyd/scripts/unix/linux/suse8.0/proftpd$
set linux1 ethernet "dell"
bind 192.168.1.34 linux1
bind 192.168.1.35 linux1

Experiment 2 - Two Routers and Two Hosts

Our goal for this experiment is to simulate two networks, 172.16.0.0/16 and 172.20.0.0/16, both class B networks with a CIDR prefix length of 16. The network diagram for this experiment is as follows:

In order for the Windows 7 host to be able to reach the 172.16.0.0/16 and 172.20.0.0/16 networks, routes must be added to its routing table. This can be achieved with the ROUTE ADD command. The following commands were executed in the Windows command prompt:

ROUTE ADD 172.16.0.0/16 192.168.1.8
ROUTE ADD 172.20.0.0/16 192.168.1.8

Both commands add 192.168.1.8, the honeyd host, as the gateway to the 172.16.0.0/16 and 172.20.0.0/16 networks. Use the ROUTE PRINT command to view the routing table of the Windows host.

For the pings shown above to work, we use the following honeyd configuration:

route entry 192.168.1.8 network 172.16.0.0/24
route 192.168.1.8 link 192.168.1.128/25
route 192.168.1.8 add net 172.16.0.0/24 172.16.0.1 latency 10ms loss 0.1
route 192.168.1.8 add net 172.20.0.0/24 172.20.0.1 latency 10ms loss 0.1
route 172.16.0.1 link 172.16.0.0/24
route 172.16.0.1 add net 172.20.0.0/24 172.20.0.1 latency 10ms loss 0.1
route 172.20.0.1 link 172.20.0.0/24

create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create r1
set r1 personality "Cisco router running IOS 12.2(8)T"
set r1 default tcp action block
set r1 default udp action block
add r1 tcp port 80 open
add r1 tcp port 23 "/usr/bin/perl /usr/share/honeyd/scripts/router-telnet.pl"

create l1
set l1 personality "Linux Kernel 2.4.20"
set l1 default tcp action block
set l1 default udp action block
add l1 tcp port 21 "sh /usr/share/honeyd/scripts/unix/linux/suse8.0/proftpd.sh $

clone l2 l1
clone r2 r1

bind 172.16.0.1 r1
bind 172.16.0.2 l1
bind 172.20.0.1 r2
bind 172.20.0.2 l2

Experiment 3 - A Large Class A Network

It is crucial that a network is planned up front, before anything is configured. Ensure that you do not have any overlapping IP addresses, or routes that will not function. The network diagram is presented below.

It consists of two entry routers, router 1 (10.0.0.100) and router 2 (10.0.0.200). These two routers act as the entry points into the rest of the network.

10.0.0.100 only links to another router, 10.0.1.100, which in turn links to 10.1.0.100. 10.0.0.100 does not have any hosts configured; 10.1.0.100, however, has three honeypots, H5 to H7, configured.

Router 2, 10.0.0.200, has its own hosts, namely h1 and h2, and router 4 also has two honeypots, h3 and h4.

For the purposes of simplicity, we will configure the same honeypots in each subnet. Note the following steps to configure this network:

Step 1: Define the router configuration

create r1
set r1 personality "Cisco router running IOS 12.2(8)T"
set r1 default tcp action block
set r1 default udp action block
add r1 tcp port 80 open
add r1 tcp port 23 "/usr/bin/perl /usr/share/honeyd/scripts/router-telnet.pl"

Step 2: Add an entry route for Router 1 and Router 2. Note that the network keyword indicates which network is reachable through the router. Why /16? We want to limit the networks that go into the honeynet. 10.0.0.0/16 gives us IP addresses from 10.0.0.1 to 10.0.255.254, and 10.2.0.0/16 gives us IP addresses from 10.2.0.1 to 10.2.255.254.

route entry 10.0.0.200 network 10.2.0.0/16
route entry 10.0.0.100 network 10.0.0.0/16

Step 3: Routers need to be linked to each other. We achieve this with the add net keyword, which adds a router to an existing router, followed by the network range that can be reached through the new router and the IP address of the new router.

route 10.0.0.100 add net 10.1.0.0/16 10.0.1.100
route 10.0.1.100 add net 10.1.1.0/24 10.1.0.100 latency 10ms loss 0.4 bandwidth$
route 10.0.0.200 add net 10.2.1.0/24 10.2.0.100

Step 4: Indicate which subnets are directly accessible from each router. The link keyword links the specific subnets to the routers. We use /24 because we are only using 255 IP addresses per "network" or subnet.

route 10.0.1.100 link 10.1.0.0/16   #Router 3
route 10.1.0.100 link 10.1.1.0/24   #Router 5
route 10.0.0.200 link 10.2.0.0/16   #Router 2
route 10.2.0.100 link 10.2.1.0/24   #Router 4

Step 5: Bind the IP addresses of the routers. To bind the IP addresses of the routers, or to assign IP addresses to the routers, use the bind command followed by the personality name (note: you can also use the clone keyword).

bind 10.0.0.100 r1
bind 10.0.0.200 r1
bind 10.2.0.100 r1
bind 10.0.1.100 r1
bind 10.1.0.100 r1

Step 6: Define the hosts that are the honeypots. Note that I have used the Linux host that I have used throughout the wiki for this experiment.

create l1
set l1 personality "Linux Kernel 2.4.20"
set l1 default tcp action block
set l1 default udp action block
add l1 tcp port 21 "sh /usr/share/honeyd/scripts/unix/linux/suse8.0/proftpd.sh $

Step 7: Bind IP addresses to the Linux hosts

bind 10.2.0.51 l1
bind 10.2.0.52 l1
bind 10.2.1.51 l1
bind 10.2.1.52 l1
bind 10.1.1.51 l1
bind 10.1.1.52 l1
bind 10.1.1.52 l1
bind 10.0.1.52 l1
bind 10.0.1.53 l1

Lastly, a route must be added to our Windows 7 host. We use the route add command as follows:

Route add 10.0.0.0/8 192.168.1.8
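The rules laid out in the command reference above (every router is bound to a template, and the network given to add net gets its own link on the new router) and the warning at the start of this experiment about overlapping addresses can be checked mechanically before honeyd is started. The following Python script is an added example, not part of this page or of honeyd: it parses the route entry, link, add net and bind lines of a honeyd configuration and reports duplicate binds, syntactically invalid IPv4 addresses, routers that are never bound, and add net networks without a matching link. The embedded configuration is an abridged copy of this page's Experiment 3 lines; run over it, the checks report the double bind of 10.1.1.52 in Step 7.

```python
import ipaddress
from collections import Counter

# Constructed sample: an abridged copy of the Experiment 3 routing and bind
# lines from this page (the truncated bandwidth option is left out).
EXPERIMENT3_CFG = """\
route entry 10.0.0.200 network 10.2.0.0/16
route entry 10.0.0.100 network 10.0.0.0/16
route 10.0.0.100 add net 10.1.0.0/16 10.0.1.100
route 10.0.1.100 add net 10.1.1.0/24 10.1.0.100 latency 10ms loss 0.4
route 10.0.0.200 add net 10.2.1.0/24 10.2.0.100
route 10.0.1.100 link 10.1.0.0/16   #Router 3
route 10.1.0.100 link 10.1.1.0/24   #Router 5
route 10.0.0.200 link 10.2.0.0/16   #Router 2
route 10.2.0.100 link 10.2.1.0/24   #Router 4
bind 10.0.0.100 r1
bind 10.0.0.200 r1
bind 10.2.0.100 r1
bind 10.0.1.100 r1
bind 10.1.0.100 r1
bind 10.2.0.51 l1
bind 10.1.1.51 l1
bind 10.1.1.52 l1
bind 10.1.1.52 l1
"""

def parse_topology(cfg):
    """Collect the routing statements of a honeyd config; other lines are ignored."""
    topo = {"routers": set(), "link": {}, "addnet": [], "bind": []}
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()  # drop trailing comments
        if words[:2] == ["route", "entry"]:
            topo["routers"].add(words[2])
        elif words[:1] == ["route"] and words[2:3] == ["link"]:
            topo["routers"].add(words[1])
            topo["link"].setdefault(words[1], []).append(words[3])
        elif words[:1] == ["route"] and words[2:4] == ["add", "net"]:
            topo["routers"].update((words[1], words[5]))
            topo["addnet"].append((words[1], words[4], words[5]))
        elif words[:1] == ["bind"]:
            topo["bind"].append(words[1])
    return topo

def check_topology(topo):
    """Return sorted problem strings; an empty list means every check passed."""
    problems = set()
    for ip, n in Counter(topo["bind"]).items():
        if n > 1:
            problems.add(f"duplicate bind: {ip}")
    for ip in set(topo["bind"]) | topo["routers"]:
        try:
            ipaddress.IPv4Address(ip)  # rejects octets above 255 such as 10.0.0.500
        except ValueError:
            problems.add(f"invalid IPv4 address: {ip}")
    for router in topo["routers"] - set(topo["bind"]):
        problems.add(f"router {router} is never bound to a template")
    for router, net, new_router in topo["addnet"]:
        if net not in topo["link"].get(new_router, []):
            problems.add(f"{new_router} (add net {net} from {router}) has no link for {net}")
    return sorted(problems)
```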

Results: All hosts are pingable, except for the entry routers. At this point in time I am still troubleshooting the reasons. However, all the Linux hosts and routers on the network are pingable, since ICMP traffic is allowed as per the template we have provided.
