Getting up and running using Vagrant

Jason Trost edited this page Aug 20, 2014 · 9 revisions

Make sure you have Vagrant installed along with a compatible VM provider. Most of us use VirtualBox for this.

From your dev workstation, run these commands:

git clone https://github.com/threatstream/mhn.git
cd mhn
vagrant up

At this point, you should have 2 VMs running and you can access them by using these commands.
Note: you must be in the mhn directory for these commands to work.

vagrant ssh server
vagrant ssh honeypot

Using the included Vagrantfile config, the two machines are deployed together on a private network. Here are the machines' IPs on that private network. They are only needed for communication between these two VMs and will likely not work anywhere else.

MHN Server:   10.254.254.100  <== this is important when configuring MHN below
MHN Honeypot: 10.254.254.101

Now, let's walk through an install of the MHN server and a dionaea honeypot.

# from your "mhn" directory
$ vagrant ssh server

# you should now be logged into the server VM
$ sudo su -
$ apt-get install -y git
$ cd /opt/
$ git clone https://github.com/threatstream/mhn.git
$ cd mhn/scripts
$ ./install_hpfeeds.sh ; ./install_mnemosyne.sh ; ./install_honeymap.sh

# After this, check the supervisor processes to make sure all components were installed
# Your output should look like mine
$ supervisorctl status
geoloc                           RUNNING    pid 29334, uptime 0:02:22
honeymap                         RUNNING    pid 29335, uptime 0:02:22
hpfeeds-broker                   RUNNING    pid 10253, uptime 0:07:33
mnemosyne                        RUNNING    pid 28222, uptime 0:06:09

Now, this is very important. Since this is a private network deployment, you need to change a mnemosyne config option to support this. Edit /opt/mnemosyne/mnemosyne.cfg and change ignore_rfc1918 to False. It defaults to True because MHN is primarily used for public facing deployments.

[normalizer]
ignore_rfc1918 = False

Now restart mnemosyne:

$ supervisorctl restart mnemosyne
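The mnemosyne edit above is easy to get wrong by hand (typo in the key, editing the wrong section, forgetting to restart), so here is an added example, not part of the MHN project, that makes the change repeatable and verifies it before anything is restarted. The path /opt/mnemosyne/mnemosyne.cfg and the `key = value` line form are taken from this page; the function names, the use of GNU `sed -i` (the VMs use apt-get, so GNU sed is expected) and the constructed sample config in `demo` are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the MHN project): set ignore_rfc1918 = False in
# mnemosyne.cfg in a repeatable way and verify the edit before restarting.

# get_cfg_option CFG KEY: print KEY's value (empty if the key is absent).
get_cfg_option() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# set_cfg_option CFG KEY VALUE: rewrite the "KEY = ..." line in place,
# keeping a .bak copy. GNU sed -i is assumed; BSD sed would need -i ''.
set_cfg_option() {
    cp "$1" "$1.bak"
    sed -i "s/^[[:space:]]*$2[[:space:]]*=.*/$2 = $3/" "$1"
}

# enable_private_sources CFG: the private-network fix from the wiki, with a
# check that the edit actually took. Without it mnemosyne keeps dropping
# events from the 10.254.254.0/24 honeypot and the attacks page stays empty.
enable_private_sources() {
    set_cfg_option "$1" ignore_rfc1918 False
    [ "$(get_cfg_option "$1" ignore_rfc1918)" = "False" ] || {
        echo "ignore_rfc1918 was not set in $1; check the [normalizer] section" >&2
        return 1
    }
}

# Real use on the server VM (as root), restarting only if the edit succeeded:
#   enable_private_sources /opt/mnemosyne/mnemosyne.cfg && supervisorctl restart mnemosyne

# demo: run the edit against a constructed config (not the real file) and
# print the resulting value.
demo() {
    tmp=$(mktemp)
    printf '[normalizer]\nignore_rfc1918 = True\n' > "$tmp"
    enable_private_sources "$tmp" >/dev/null
    get_cfg_option "$tmp" ignore_rfc1918
    rm -f "$tmp" "$tmp.bak"
}
```

Running `demo` prints `False`; on the real VM the `&&` chain above means a failed or mistyped edit never reaches the restart.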

Now install MHN Server:

$ ./install_mhnserver.sh

# When you get to the config portion, use the same options (except the email/password)
# Note: use 10.254.254.100 for the server URLs:

===========================================================
  MHN Configuration
===========================================================
Do you wish to run in Debug mode?: y/n n
Superuser email: YOUR-EMAIL@YOUR-SITE.com
Superuser password: 
Superuser password: (again): 
Server base url ["http://1.2.3.5"]: http://10.254.254.100
Honeymap url ["http://1.2.3.5:3000"]: http://10.254.254.100:3000
Mail server address ["localhost"]: 
Mail server port [25]: 
Use TLS for email?: y/n y
Use SSL for email?: y/n y
Mail server username [""]:  
Mail server password [""]: 
Mail default sender [""]: 
Path for log file ["mhn.log"]: 

# Wait for the script to finish.

Now open a web browser and visit http://10.254.254.100, then log in with the credentials created during the MHN configuration above.

Click through the various tabs. Everything should work, but you should have no sensors and no attacks yet.

[screenshot: attacks-0-attacks]

[screenshot: sensors-0-sensors]

So, let's deploy dionaea to the honeypot VM. Visit the deploy page (http://10.254.254.100/ui/manage-deploy/) and select "Ubuntu 12.04 Dionaea" from the drop-down menu.

[screenshot: select-script]

Now copy the deploy command.

[screenshot: deploy-command]

Now, from your dev workstation, in the "mhn" directory, log in to the honeypot VM and become root. Then paste the deploy command. Do not copy my deploy command below; it will not work, since your API key will be different.

$ vagrant ssh honeypot
$ sudo su -
$ wget "http://10.254.254.100/api/script/?text=true&script_id=1" -O deploy.sh && sudo bash deploy.sh http://10.254.254.100 TXDY189p

Wait for the commands to complete. It should take a couple of minutes depending on your network connection. Now run this command to ensure that the install worked. You should see similar output.

$ supervisorctl status
dionaea          RUNNING    pid 4368, uptime 0:00:26
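Both `supervisorctl status` checks on this page (the four server components after the install scripts, and dionaea after the deploy script) are done by eye. The following added example, not part of the MHN project, turns them into a scripted check that fails loudly when a component is missing or in a state other than RUNNING. The component names come from this page; the function, its output format and the constructed sample status text are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the MHN project: confirm that every component
# supervisor is expected to manage reports RUNNING, instead of eyeballing
# the "supervisorctl status" output.

# check_running STATUS_TEXT NAME...: look each NAME up in the status text
# (first column = process name, second column = state). Reports every
# component that is missing or not RUNNING on stderr and returns 1 if any
# is wrong, so it can gate the next step of the install.
check_running() {
    status="$1"; shift
    rc=0
    for name in "$@"; do
        state=$(printf '%s\n' "$status" | awk -v n="$name" '$1 == n { print $2 }')
        if [ "$state" != "RUNNING" ]; then
            echo "component $name: ${state:-not found}" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Live use, after the install scripts on the server VM:
#   check_running "$(supervisorctl status)" geoloc honeymap hpfeeds-broker mnemosyne
# and after the deploy script on the honeypot VM:
#   check_running "$(supervisorctl status)" dionaea

# Constructed sample output (not captured from a real VM): one server
# component that died on start, which the check must flag.
SAMPLE_SERVER_BAD='geoloc                           RUNNING    pid 29334, uptime 0:02:22
honeymap                         FATAL      Exited too quickly (process log may have details)
hpfeeds-broker                   RUNNING    pid 10253, uptime 0:07:33
mnemosyne                        RUNNING    pid 28222, uptime 0:06:09'

# Constructed sample matching a healthy honeypot.
SAMPLE_HONEYPOT_OK='dionaea          RUNNING    pid 4368, uptime 0:00:26'
```

Against `SAMPLE_SERVER_BAD` the function prints `component honeymap: FATAL` and returns 1; against `SAMPLE_HONEYPOT_OK` it is silent and returns 0. Matching on the first column keeps a component whose name happens to appear inside another process's status line from being miscounted.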

Visit http://10.254.254.100/ui/sensors/ and you should now have a new sensor named mhn-honeypot.

[screenshot: sensors-no-attacks]

Let's generate some attack traffic. Log out of the honeypot and log back into the MHN server. For the sake of this demo we are going to generate attack traffic from there; you should be able to use your dev workstation as well.

$ sudo apt-get install -y nmap

# this may take a while, pressing <ENTER> at any time should provide status info
$ nmap -sV -P0 10.254.254.101
Starting Nmap 5.21 ( http://nmap.org ) at 2014-06-27 18:23 UTC
Nmap scan report for 10.254.254.101
Host is up (0.0012s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp
22/tcp   open  ssh           OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0)
42/tcp   open  tcpwrapped
80/tcp   open  http?
111/tcp  open  rpcbind
135/tcp  open  msrpc?
443/tcp  open  ssl/https?
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s?
3306/tcp open  mysql         MySQL 5.0.54
5060/tcp open  sip           (SIP end point; Status: 200 OK)
5061/tcp open  ssl/sip       (SIP end point; Status: 200 OK)
7 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port21-TCP:V=5.21%I=7%D=6/27%Time=53ADB6B5%P=x86_64-unknown-linux-gnu%r
SF:(NULL,20,"220\x20Welcome\x20to\x20the\x20ftp\x20service\r\n")%r(Generic
SF:Lines,20,"220\x20Welcome\x20to\x20the\x20ftp\x20service\r\n")%r(Help,46
SF:,"220\x20Welcome\x20to\x20the\x20ftp\x20service\r\n530\x20Please\x20log
SF:in\x20with\x20USER\x20and\x20PASS\.\r\n")%r(SMBProgNeg,20,"220\x20Welco
SF:me\x20to\x20the\x20ftp\x20service\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=5.21%I=7%D=6/27%Time=53ADB6B5%P=x86_64-unknown-linux-gnu%r
SF:(GetRequest,133,"HTTP/1\.0\x20200\x20OK\r\nContent-type:\x20text/html;\
SF:x20charset=iso8859-1\r\nContent-Length:\x20204\r\nConnection:\x20close\
SF:r\n\r\n<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x203\.2\x20
SF:Final//EN\"><html>\n<title>Directory\x20listing\x20for\x20/</title>\n<b
SF:ody>\n<h2>Directory\x20listing\x20for\x20/</h2>\n<hr>\n<ul>\n<li><a\x20
SF:href=\"\.\./\">\.\./</a>\n</ul>\n<hr>\n</body>\n</html>\n")%r(HTTPOptio
SF:ns,5A,"HTTP/1\.0\x20200\x20OK\r\nAllow:\x20OPTIONS,\x20GET,\x20HEAD,\x2
SF:0POST\r\nContent-Length:\x200\r\nConnection:\x20close\r\n\r\n")%r(RTSPR
SF:equest,5A,"HTTP/1\.0\x20200\x20OK\r\nAllow:\x20OPTIONS,\x20GET,\x20HEAD
SF:,\x20POST\r\nContent-Length:\x200\r\nConnection:\x20close\r\n\r\n")%r(F
SF:ourOhFourRequest,1C6,"HTTP/1\.0\x20404\x20Not\x20Found\r\nContent-type:
SF:\x20text/html;\x20charset=iso8859-1\r\nContent-Length:\x20344\r\nConnec
SF:tion:\x20close\r\n\r\n<\?xml\x20version=\"1\.0\"\x20encoding=\"iso8859-
SF:1\"\?>\n<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\.0\x
SF:20Transitional//EN\"\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\"http://www\
SF:.w3\.org/TR/xhtml1/DTD/xhtml1-transitional\.dtd\">\n<html\x20xmlns=\"ht
SF:tp://www\.w3\.org/1999/xhtml\"\x20xml:lang=\"en\"\x20lang=\"en\">\n\x20
SF:<head>\n\x20\x20<title>404\x20-\x20Not\x20Found</title>\n\x20</head>\n\
SF:x20<body>\n\x20\x20<h1>404\x20-\x20Not\x20Found</h1>\n\x20</body>\n</ht
SF:ml>\n")%r(SIPOptions,5A,"HTTP/1\.0\x20200\x20OK\r\nAllow:\x20OPTIONS,\x
SF:20GET,\x20HEAD,\x20POST\r\nContent-Length:\x200\r\nConnection:\x20close
SF:\r\n\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port443-TCP:V=5.21%T=SSL%I=7%D=6/27%Time=53ADB6BB%P=x86_64-unknown-linux-gnu%r(GetRequest,133,"HTTP/1\.0\x20200\x20OK\r\nContent-type:\x20text/htm
SF:l;\x20charset=iso8859-1\r\nContent-Length:\x20204\r\nConnection:\x20clo
SF:se\r\n\r\n<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x203\.2\
SF:x20Final//EN\"><html>\n<title>Directory\x20listing\x20for\x20/</title>\
SF:n<body>\n<h2>Directory\x20listing\x20for\x20/</h2>\n<hr>\n<ul>\n<li><a\
SF:x20href=\"\.\./\">\.\./</a>\n</ul>\n<hr>\n</body>\n</html>\n")%r(HTTPOp
SF:tions,5A,"HTTP/1\.0\x20200\x20OK\r\nAllow:\x20OPTIONS,\x20GET,\x20HEAD,
SF:\x20POST\r\nContent-Length:\x200\r\nConnection:\x20close\r\n\r\n")%r(RT
SF:SPRequest,5A,"HTTP/1\.0\x20200\x20OK\r\nAllow:\x20OPTIONS,\x20GET,\x20H
SF:EAD,\x20POST\r\nContent-Length:\x200\r\nConnection:\x20close\r\n\r\n")%
SF:r(FourOhFourRequest,1C6,"HTTP/1\.0\x20404\x20Not\x20Found\r\nContent-ty
SF:pe:\x20text/html;\x20charset=iso8859-1\r\nContent-Length:\x20344\r\nCon
SF:nection:\x20close\r\n\r\n<\?xml\x20version=\"1\.0\"\x20encoding=\"iso88
SF:59-1\"\?>\n<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\.
SF:0\x20Transitional//EN\"\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\"http://w
SF:ww\.w3\.org/TR/xhtml1/DTD/xhtml1-transitional\.dtd\">\n<html\x20xmlns=\
SF:"http://www\.w3\.org/1999/xhtml\"\x20xml:lang=\"en\"\x20lang=\"en\">\n\
SF:x20<head>\n\x20\x20<title>404\x20-\x20Not\x20Found</title>\n\x20</head>
SF:\n\x20<body>\n\x20\x20<h1>404\x20-\x20Not\x20Found</h1>\n\x20</body>\n<
SF:/html>\n")%r(SIPOptions,5A,"HTTP/1\.0\x20200\x20OK\r\nAllow:\x20OPTIONS
SF:,\x20GET,\x20HEAD,\x20POST\r\nContent-Length:\x200\r\nConnection:\x20cl
SF:ose\r\n\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port445-TCP:V=5.21%I=7%D=6/27%Time=53ADB6BA%P=x86_64-unknown-linux-gnu%
SF:r(SMBProgNeg,7D,"\0\0\0y\xffSMBr\0\0\0\0\x98\x01@\0\0\0\0\0\0\0\0\0\0\0
SF:\0\xff\xff@\x06\0\0\x01\0\x11\x07\0\x03\x01\0\x01\0\0\x10\0\0\0\0\x01\0
SF:\0\0\0\0\xfd\xe3\0\0\xc1\xc2\xc2>3\x92\xcf\x01\xc4\xff\x004\0W\0O\0R\0K
SF:\0G\0R\0O\0U\0P\0\0\0H\0O\0M\0E\0U\0S\0E\0R\0-\x003\0A\0F\x006\0F\0E\0\
SF:0\0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port1433-TCP:V=5.21%I=7%D=6/27%Time=53ADB6BF%P=x86_64-unknown-linux-gnu
SF:%r(ms-sql-s,2B,"\x04\x01\0\+\0\0\0\0\0\0\x1a\0\x06\x01\0\x20\0\x01\x02\
SF:0!\0\x01\x03\0\"\0\0\x04\0\"\0\x01\xff\x08\0\x02\x10\0\0\x02\0\0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5060-TCP:V=5.21%I=7%D=6/27%Time=53ADB6C1%P=x86_64-unknown-linux-gnu
SF:%r(SIPOptions,10A,"SIP/2\.0\x20200\x20OK\r\nContent-Length:\x200\r\nVia
SF::\x20SIP/2\.0/TCP\x20nm;branch=foo\r\nFrom:\x20sip:nm@nm;tag=root\r\nAc
SF:cept:\x20application/sdp\r\nTo:\x20sip:nm2@nm2\r\nContact:\x20sip:nm2@n
SF:m2\r\nCSeq:\x2042\x20OPTIONS\r\nAllow:\x20REGISTER,\x20OPTIONS,\x20INVI
SF:TE,\x20CANCEL,\x20BYE,\x20ACK\r\nCall-ID:\x2050000\r\nAccept-Language:\
SF:x20en\r\n\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5061-TCP:V=5.21%T=SSL%I=7%D=6/27%Time=53ADB6CF%P=x86_64-unknown-linux-gnu%r(SIPOptions,10A,"SIP/2\.0\x20200\x20OK\r\nContent-Length:\x200\r\nV
SF:ia:\x20SIP/2\.0/TCP\x20nm;branch=foo\r\nFrom:\x20sip:nm@nm;tag=root\r\n
SF:Accept:\x20application/sdp\r\nTo:\x20sip:nm2@nm2\r\nContact:\x20sip:nm2
SF:@nm2\r\nCSeq:\x2042\x20OPTIONS\r\nAllow:\x20REGISTER,\x20OPTIONS,\x20IN
SF:VITE,\x20CANCEL,\x20BYE,\x20ACK\r\nCall-ID:\x2050000\r\nAccept-Language
SF::\x20en\r\n\r\n");
Service Info: Host: the; OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 151.33 seconds

Open your attacks page http://10.254.254.100/ui/attacks/ and you should see the connections from nmap's scans.

[screenshot: attacks-with-attacks]

Viewing the dashboard (http://10.254.254.100/ui/dashboard/) should show some stats on the attacks.

[screenshot: dashboard-with-attacks]

Viewing the sensors page (http://10.254.254.100/ui/sensors/) should show how many attacks your sensor has recorded.

[screenshot: sensors-with-attacks]
