Honeypots: The Other Kind of Tease
Been working a lot lately, so I haven't had much time to devote to this, but I wanted to wait until I had something interesting to show you guys, and the more I've been playing around with malware, the more I've wanted to spread it. Spreading the fun of playing with it, of course, not that I'd... ever... send payloads to pe- what were we talking about again? Malware? Honeypots? Yes, let's dive in. (The article is split into three levels: the first for someone who has little to no infoSec knowledge, the second for someone who'd like to get more practice, and the third for seasoned infoSec people who know what they're doing.)
Malware: A Quick Primer
I don't want to spend too much time on this topic, as I'm sure the InfoSec people reading are champing at the bit about what I'm going to be showing you, or they've already scrolled to the source at the bottom, but for those of you who aren't as versed in security, here's the skinny on the basics of Malware.
"Malware" is, by definition, any code that performs an underhanded, secret, malicious, or inherently "bad" action. You'll often hear the term "virus" conflated with malware, though I prefer to refer to "viruses" as a subsection of malware that is designed to spread, either by its own autonomous action or by socially-engineering the victim into spreading the malware without their knowledge, such as a malicious PDF document that the victim is urged to send to other people in their office, as it contains "important information regarding new office procedures" or somesuch.
Malware comes in many shapes and sizes. It's written for every platform (yes, there is malware for Macs, Linux, Windows, iPhone, Android, and I wouldn't be surprised if there's a malware strain out there that is meant to exploit a flaw in your car's sound system) and for any number of purposes, and for a variety of reasons. Malware these days is generally written for one reason: money. There's little to no point in creating malware that performs malicious actions just for the sake of doing so (though the LulzSec gang taught us that there's no shortage of "lulz" that can be had, so long as you're willing to deal with the jail time), as the amount of money that can be made from malware is quite promising for infoSec people, especially those living in areas of the world where the number of jobs in our field is quite limited.
For-profit malware will often try to steal personal information that can either be sold to interested parties or used by the authors themselves. If it's not your personal information they're after, they'll likely try to gain control of your computer in order to harness its computing power for whatever they have need for: a proxy, another bot in a denial-of-service botnet, maybe even Bitcoin mining; really, the sky's the limit when they have control.
"Where could one obtain such a honeypot?"
The subtitle above is something a friend of mine asked of me, and at first, it got me a little worried. Don't get me wrong, I'm a big fan of people being interested in Information Security, but diving head first into malware analysis can be dangerous and daunting. Even if you don't get accidentally infected, you could attract the notice of the authors; or worse, the authors' customers (read: Russian Mafia, sometimes), so host-based protection and network-based protection are key concepts to follow here.
So, first of all, what is a honeypot? A honeypot is essentially bait for gypsies, tramps, and thieves: it appears to the outside world to be a vulnerable computer running whatever services you specify (web server, FTP, SIP, SQL, SMB, etc.) that is just asking to be attacked. The attacker is intrigued, launches whatever attack they have, and tries to execute malicious code on the machine, but what the honeypot actually does is record all interaction between the attacker and itself, and nab a copy of the malware the attacker tried executing. The attacker doesn't get back the response he expected; that machine is still there, out in the open, but what he sent at it didn't work. He would probably get a bit mad at this point, and embarrassed that he fell for a honeypot. This is why it's important that you don't host the honeypot at home, because the next thing he's probably going to do is hit the honeypot with some manner of denial-of-service attack to try and starve that machine of resources and crash it, not to mention the horrifying bandwidth cost you'd have to deal with, and your ISP asking why 900 computers from Belarus all decided to say "hello" at once.
A Virtual Private Server is the way to go; there are many companies that offer them for as little as $24.99 a year, and depending on their terms of service, many will be fine with you running a honeypot on their infrastructure.
Once you have a VPS, let's talk about my current Honeypot of choice: Dionaea. Dionaea is pretty simple to set up, and when combined with this script can provide some nice report stats on how many connections the honeypot has received, how many malware samples it's pulled in, and information on the last few that have been found. The setup process will differ depending on what kind of distribution you set it up on, I'm an Arch Linux guy myself, so the package in the AUR was my one-stop shop to set it up quickly. The config file can be tweaked to your heart's content, but it can mostly be left alone.
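The kind of report those stats boil down to, as an added example that is neither the linked script nor Dionaea's own code: it runs against a constructed in-memory copy of Dionaea's logsql sqlite tables (the connections and downloads column names are assumed to match Dionaea's logsql module; the hosts, URLs and hashes are made up) and returns the connection count, distinct sample count, a per-protocol breakdown and the most recent captures.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed rows shaped like Dionaea's logsql tables. Column names are
# assumed to match the logsql module; hosts, URLs and hashes are made up.
SAMPLE_CONNECTIONS = [
    # (connection, type, transport, protocol, timestamp, local_port, remote_host)
    (1, "accept", "tcp", "smbd", 1343000000, 445, "198.51.100.7"),
    (2, "accept", "tcp", "ftpd", 1343000100, 21, "203.0.113.5"),
    (3, "accept", "tcp", "smbd", 1343000200, 445, "198.51.100.9"),
    (4, "accept", "tcp", "mysqld", 1343000300, 3306, "192.0.2.44"),
]
SAMPLE_DOWNLOADS = [
    # (download, connection, download_url, download_md5_hash)
    (1, 1, "ftp://198.51.100.7/x.exe", "0" * 32),
    (2, 3, "http://198.51.100.9/bot.exe", "1" * 32),
]

def load_sample_db():
    """Build an in-memory database with the subset of the logsql schema used below."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE connections (connection INTEGER PRIMARY KEY,
            connection_type TEXT, connection_transport TEXT,
            connection_protocol TEXT, connection_timestamp INTEGER,
            local_port INTEGER, remote_host TEXT);
        CREATE TABLE downloads (download INTEGER PRIMARY KEY,
            connection INTEGER, download_url TEXT, download_md5_hash TEXT);
    """)
    db.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?)", SAMPLE_CONNECTIONS)
    db.executemany("INSERT INTO downloads VALUES (?,?,?,?)", SAMPLE_DOWNLOADS)
    return db

def report(db, last_n=5):
    """Connection count, distinct samples, hits per protocol and the newest captures."""
    connections = db.execute("SELECT COUNT(*) FROM connections").fetchone()[0]
    samples = db.execute("SELECT COUNT(DISTINCT download_md5_hash) FROM downloads").fetchone()[0]
    by_protocol = dict(db.execute(
        "SELECT connection_protocol, COUNT(*) FROM connections GROUP BY connection_protocol"))
    recent = db.execute("""
        SELECT d.download_md5_hash, d.download_url, c.remote_host, c.connection_protocol,
               c.connection_timestamp
        FROM downloads d JOIN connections c ON d.connection = c.connection
        ORDER BY c.connection_timestamp DESC LIMIT ?""", (last_n,)).fetchall()
    recent = [(md5, url, host, proto, datetime.fromtimestamp(ts, timezone.utc).isoformat())
              for md5, url, host, proto, ts in recent]
    return {"connections": connections, "samples": samples,
            "by_protocol": by_protocol, "recent": recent}
```

To run it against a real honeypot, open your logsql.sqlite with sqlite3.connect in place of load_sample_db().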
Here's a little systemd file I wrote for Dionaea; it should save you a bit of time:
ExecStart=/opt/dionaea/bin/dionaea -D -u dionaea -g dionaea -r /opt/dionaea/ -w /opt/dionaea/ -p /opt/dionaea/var/dionaea.pid -l message
But, if you're new to the field or you just like it when your stuff "works", there's a decent set-up guide by Andrew Michael Smith for getting it going in Ubuntu, though I don't recommend it, as it is not set up in such a way that you can chroot it easily. Chroot, for the uninitiated, forces the process to treat the specified "chroot directory" as the root directory, meaning that's as high up the directory tree as it can go; it will not be able to read, write, or execute anything above the chroot directory. This is good for malware or a process that you're expecting to be attacked: if something goes wrong, they're locked in there, and won't be able to touch anything outside of it. However, the root user can bypass this, which is why it is imperative that you specify the -u and -g switches to run the honeypot as a user other than root (it will appear that you're running the honeypot twice if you do this, once as root and once as the specified user, but the root process is merely a handler to perform tasks that would require root, like writing to logs and such).
Really, no matter what distro you use, I suggest that, if you have the aptitude, compile and install it yourself, that way you can set it up exactly how you'd like to.
I spy, with my little eye, something that begins with "Fed"
As great as Dionaea is, it's only going to fool the most basic of attackers. Honeypots rely greatly on careless attackers who use automated scripts to attack targets, and unsophisticated scripts at that. As Mikael Keri pointed out, there are a few hardcoded values in Dionaea that make it pretty easy to detect with nmap; if an attacker simply runs his scripts before attacking you, they'll see that you're not a legitimate target and move on to someone else. We don't want that to happen.
Let's break down the three ways that Mikael's scripts detect Dionaea: hardcoded values, timestamps, and the SSL certificate.
Hardcoded values are easy to fix: just run a script that randomizes the "names" that the honeypot reports. You should only have to do this once after install.
Timestamps are a bit trickier. I had a bit of trouble getting timestamps to dynamically update (stupid datetime.datetime.now() not wanting to be represented as a string properly), but by changing the "timestamp" to something other than a timestamp, some attacker scripts will just break and you might not be detected as a honeypot.
The SSL cert is also an unfortunate obstacle, as a self-signed cert would raise a red flag for the attacker. It is better to just remove HTTPS and SIP from Dionaea's configuration, as they don't often pull in as much malware as, say, SMB or FTP (at least in my experience).
And since we're all inherently lazy, here's a python script that should work for any set-up of Dionaea, provided you know where your libraries for Dionaea are (whereis dionaea is a fun command, y'all).
#Author: Andrew "TurnipCannon" Turnsek - http://turnsekurity.com/
#A simple script that randomizes the fixed names included in the default Dionaea
#install, will thwart basic scripts that rely on these values in order to detect a
#Dionaea honeypot, such as those by Mikael Keri at http://blog.prowling.nu/2012/04/detecting-dionaea-honeypot-using-nmap.html
#Features to add: find a way to have SMB report current time in actual real time
import os
import random
import string
import subprocess

def randomName():
    #Build a 5 to 15 character string of random ASCII letters to stand in for one
    #of Dionaea's hardcoded identifiers.
    name = ""
    for i in range(0, random.randint(5, 15)):
        name += random.choice(string.ascii_letters)
    return name

def patchFile(old, new, path):
    #In-place sed substitution. The arguments go to sed as a list, so the generated
    #name and the path are never interpreted by a shell.
    subprocess.call(["sed", "-i", "s/" + old + "/" + new + "/g", path])

directory = input("What directory is Dionaea installed to? (just enter a forward slash if you're unsure): ")
if directory == "/":
    libDir = input("What's the lib directory for Dionaea? (check /lib or /usr/lib, might depend on 32/64-bit): ")
    etcDir = "/etc/"
else:
    libDir = os.path.join(directory, "lib")
    etcDir = os.path.join(directory, "etc")
pyDir = os.path.join(libDir, "dionaea/python/dionaea")

patchFile("Learn SQL!", randomName(), os.path.join(pyDir, "mysql/mysql.py"))
#The SMB name has to agree between rpcservices.py and smbfields.py, so it is generated once.
smbname = randomName()
patchFile("HOMEUSER-3AF6FE", smbname, os.path.join(pyDir, "smb/rpcservices.py"))
patchFile("HOMEUSER-3AF6FE", smbname, os.path.join(pyDir, "smb/include/smbfields.py"))
#Basically mangles the way that some scripts try to detect uptime. Had a script that actually updated this variable dynamically, but all it really did was cause the attacker's script to break. Feel free to find a more elegant solution and publish a fix.
patchFile("datetime.datetime.now()", "\"" + randomName() + "\"", os.path.join(pyDir, "smb/include/smbfields.py"))
patchFile("HOMEUSER-3AF6FE", randomName(), os.path.join(pyDir, "mssql/include/tds.py"))
#Drop the https and sip services from the config, since their self-signed certificate gives the honeypot away.
patchFile("\"https\", ", "", os.path.join(etcDir, "dionaea/dionaea.conf"))
patchFile("\"sip\",", "", os.path.join(etcDir, "dionaea/dionaea.conf"))
print("Dionaea is patched, please restart Dionaea for changes to take effect.")
Have fun, and, as with all things that are fun and potentially filthy, use the proper protection.