Setup a honeypot and intercept some attacks in the wild using Modern Honey Network (MHN)
15 hours
The OS I used to build all this was through Ubuntu 16.04 Xenial.
We will be building an Admin VM and Honeypot VMs using the Modern Honey Network and Google Cloud Platform (GCP).
The first thing to do is to create a free account on GCP's Free Tier.
The VMs will be running Ubuntu 14.04 Trusty.
- Create an environment variable for the correct distro
export CLOUD_SDK_REPO="cloud-sdk-$(lsb_release -c -s)"
- Add the Cloud SDK URL distro to sources.list
echo "deb http://packages.cloud.google.com/apt $CLOUD_SDK_REPO main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
- Import Google Cloud public key
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
- Update and install the SDK
sudo apt-get update && sudo apt-get install google-cloud-sdk
- Start GCloud
gcloud init
- Set Respective Zone and Region
gcloud config set compute/region us-central1gcloud config set compute/zone us-central1-c
- Verify GCloud config with the following command:
gcloud config list
- Full documentation here
Details:
- Create the MHN Admin VM on Google Cloud Platform
- SSH into the MNH Admin VM, update it, install git, and clone the Modern Honey Network (MHN) from RedolentSun.
- Edit scripts/install_hpfeeds.sh file within repo
- Instead of using HurricaneLabs, use couozu repo
- From
pip install -e git+https://github.com/HurricaneLabs/pyev.git#egg=pyevto:pip install -e git+https://github.com/couozu/pyev.git#egg=pyev
- Run install scripts
Demonstration:
Steps:
- Conduct an update on the OS
sudo apt-get update
- Download git
sudo apt-get install git -y
- cd into /opt/ and clone MHN repo
cd /opt/; sudo git clone https://github.com/RedolentSun/mhn.git
- Edit scripts/install_hpfeeds.sh within repo
- From
pip install -e git+https://github.com/HurricaneLabs/pyev.git#egg=pyevto:pip install -e git+https://github.com/couozu/pyev.git#egg=pyev
- From
- Install using script
sudo ./install.sh
- Make sure to verify supervisorctl status, that all services are running, per the following:
-
Issues:
- Admin console did not come up, suspected firewall issues
- To fix, create a firewall rule to open http as demonstrated next
- Once rule is complete, make sure MHN VM has port 80 open (UFW/iptables)
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
The honeypot VMs are easily deployable, and will be shown below on how exactly to deploy/use them. We will be using the following:
- Ubuntu - Dionaea with HTTP - Documentation
- Ubuntu - Snort - Documentation
- Ubuntu - p0f - Documentation
- Ubuntu - Glastopf - Installation and Documentation
- Ubuntu - Suricata - Documentation
- Ubuntu - Conpot - Documentation and Conpot GitHub
- Ubuntu - Kippo as vulnerable Juniper Netscreen - Kippo GitHub
Details:
- Create the Dionaea Honeypot on Google Cloud Platform
- SSH into the Dionaea Honeypot and deploy script
- Verify on MHN Admin Console
- NOTE: These details will be the same for all the other honeypots following this
Demonstration:
Steps:
- First, create firewall rule to allow incomign traffic on all ports
gcloud beta compute firewall-rules create mhn-allow-honeypot --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=all --source-ranges=0.0.0.0/0 --target-tags=mhn-honeypot
- Next, create the VM for the honeypot, we'll call it mhn-honeypot-1
gcloud compute instances create "mhn-honeypot-1" --machine-type "f1-micro" --subnet "default" --maintenance-policy "MIGRATE" --scopes "https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring.write","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append" --tags "mhn-honeypot","http-server" --image "ubuntu-1404-trusty-v20171010" --image-project "ubuntu-os-cloud" --boot-disk-size "10" --boot-disk-type "pd-standard" --boot-disk-device-name "mhn-honeypot-1"
- On the admin console, go to the Deploy tab and select "Ubuntu - Dionaea with HTTP"
- Use the script to on the Honeypot VM to deploy it and it'll add to the list of sensors on the admin console (shown above on the gif)
Demonstration:
Secondary Attack using Sn1per
- The report from the recon scan is here
- The gif of the attack is here
- A brief summary of the report above:
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-19 03:55 CST
Nmap scan report for 200.222.226.35.bc.googleusercontent.com (35.226.222.200)
Host is up (1.2s latency).
Not shown: 258 closed ports, 204 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
42/tcp open nameserver
53/tcp open domain
80/tcp open http
135/tcp open msrpc
443/tcp open https
1433/tcp open ms-sql-s
1723/tcp open pptp
3306/tcp open mysql
5060/tcp open sip
11211/tcp open memcache
27017/tcp open mongod
[+] URL's Discovered:
/usr/share/blackwidow/35.226.222.200_80/35.226.222.200_80-urls-sorted.txt
__________________________________________________________________________________________________
[+] Dynamic URL's Discovered:
/usr/share/blackwidow/35.226.222.200_80/35.226.222.200_80-dynamic-sorted.txt
__________________________________________________________________________________________________
[+] Form URL's Discovered:
/usr/share/blackwidow/35.226.222.200_80/35.226.222.200_80-forms-sorted.txt
__________________________________________________________________________________________________
[+] Unique Dynamic Parameters Discovered:
/usr/share/blackwidow/35.226.222.200_80/35.226.222.200_80-dynamic-unique.txt
__________________________________________________________________________________________________
[+] Sub-domains Discovered:
/usr/share/blackwidow/35.226.222.200_80/35.226.222.200_80-subdomains-sorted.txt
__________________________________________________________________________________________________
[+] Emails Discovered:
/usr/share/blackwidow/35.226.222.200_80/35.226.222.200_80-emails-sorted.txt
__________________________________________________________________________________________________
[+] Phones Discovered:
/usr/share/blackwidow/35.226.222.200_80/35.226.222.200_80-phones-sorted.txt
__________________________________________________________________________________________________
[+] Loot Saved To:
/usr/share/blackwidow/35.226.222.200_80/
Issues:
- Payloads were not registered on the MHN Admin Console
- Decided to look on the backend and look at sql logs and came up with some good data and captures
- SQLITE file was easy readable using SQLITE3, more logs attached in the Summary below
Demonstration:
Demonstration:
Demonstration:
Demonstration:
After doing analysis and an assessment on the honeypot VMs, pulling a log for the purposes of reviewing and reporting is relatively simple
- Log into the Admin VM
- Run the following command to generate a json file of all activities per each Honeypot VM
mongoexport --db mnemosyne --collection session > session.json
- Retrieve the file from your personal PC using the following command
gcloud compute scp mhn-admin:~/session.json ./session.json
- NOTE: The above command "gcloud compute scp" is useful to getting into the Honeypot VMs in case you need to retrieve files specifically from them
| Number | Hostname | IP | Honeypot | UUID | Attacks |
|---|---|---|---|---|---|
| 1 | mhn-honeypot-1 | 35.226.222.200 | dionaea | 4a3e4a5e-ea40-11e8-9599-42010a800002 | 10517 |
| 2 | mhn-honeypot-2 | 35.202.198.20 | snort | cd43e14c-ea4b-11e8-9599-42010a800002 | 2134 |
| 3 | mhn-honeypot-3 | 35.192.2.246 | p0f | 9784f9b8-eb92-11e8-9599-42010a800002 | 961 |
| 4 | mhn-honeypot-4 | 35.225.72.209 | glastopf | 5286be14-ea52-11e8-9599-42010a800002 | 0 (reported) |
| 5 | mhn-honeypot-5 | 35.184.249.204 | suricata | 4c91dbd6-ea54-11e8-9599-42010a800002 | 7193 |
| 6 | mhn-honeypot-6 | 35.238.38.58 | conpot | 903087dc-ea97-11e8-9599-42010a800002 | 300+ |
| 7 | mhn-honeypot-7 | 35.238.9.117 | kippo | e0ddd6ee-ea56-11e8-9599-42010a800002 | 301 |
NOTE:
- Each specific log is listed above in the chart under "Attacks" per honeypot.
- Also, the glastopf VM didn't seem to be completely working, although it did have a page standing, which does log if any attempts are made against it, this was the front page.
- It should be known that payloads had to be dug up for the Dionaea machine, as I had noted above. The logs for dionaea will show the payloads logged into a sqlite
- It should also be known that conpot has 0 on my attack chart on my MHN Admin Console, but looking at the auth.log in /var/log on the VM determined that there were numerous hits of attackers trying to get in and succeeding. The charts above also support this claim.
- I lost access to kippo within hours, I was not able to pull any logs from the VM itself, but the admin console did capture traffic going through ssh (port 22), the charts also support this claim.
In my findings, I pulled out logs from each VM to get a better idea what specific transactions were taken place per honeypot. A more broader summary of data collected from the honeypots are listed here: session.json.
Standing up these honeypots indicate one thing, that the cyber world of exploitation and attacking is very real and alive. My data was collected for the course of 3 days, and the amount of attacks were staggering. With over 20,000 attacks, with close to 7,000 attacks committed per day, it's hard not to phathom a world without strong security practices. These honeypots prove that the existence of vulnerabilities whether having real threat surfaces or not, in our case in honeypot snares, that nobody is absolutely safe. This is why cyber security must be taken seriously in every field, in every industry, and coming up with solutions based off data collected in instances like this help us understand our enemies better.