By ro0ted | January 12, 2015 - 01:13 | Posted in /b/ | 9 Comments
#ro0ted #OpNewblood What the Blackhats don’t want you to know: Honeydrive the honeypot distro

Today we will be using a Linux honeypot distro, Honeydrive. This wasn’t the honeypot I had in store for you, but the fact is most machines wouldn’t be able to run that one smoothly. In the next tutorials in What the Blackhats don’t want you to know, we will be covering honeypots. This is how we target blackhats. It’s like fishing. Ever gone fishing? Just doesn’t take as long. – https://twitter.com/ro0ted/


(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as Malwr.com

Introduction to Honeydrive: A Brief Walk Through +


Tools Needed:

Virtual Box
Honeydrive


In order to run Honeydrive you MUST have a virtual machine.

First what’s a honeypot?

A honey pot is a computer system on the Internet that is expressly set up to attract and “trap” people who attempt to penetrate other people’s computer systems.

Okay what’s honeydrive?

From Sourceforge:

Description

HoneyDrive is the premier honeypot Linux distro. It is a virtual appliance (OVA) with Xubuntu Desktop 12.04.4 LTS edition installed. It contains over 10 pre-installed and pre-configured honeypot software packages such as Kippo SSH honeypot, Dionaea and Amun malware honeypots, Honeyd low-interaction honeypot, Glastopf web honeypot and Wordpot, Conpot SCADA/ICS honeypot, Thug and PhoneyC honeyclients and more. Additionally it includes many useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, DionaeaFR, an ELK stack and much more. Lastly, almost 90 well-known malware analysis, forensics and network monitoring related tools are also present in the distribution.

In my words: Honeydrive is a virtual machine that runs an Ubuntu environment and ships with a beginner’s all-in-one kit of honeypots that are already built and wired together. Which is great, because explaining how to set up a honeypot on your own is a real pain in the ass!

Okay, download VirtualBox for your machine. I’m doing this off Windows 7 as my Debian system is too slow to run the distro.

After that, download Honeydrive. Make sure VirtualBox is completely installed before opening the Honeydrive OVA file. Now double click the OVA and VirtualBox will automatically import it.

[screenshot]


You should have a screen like this:

[screenshot]

First things first, let’s update our machine. Open up Terminator and refresh the package lists (update first so the lists are fresh, then upgrade):

sudo apt-get update

[screenshot]

After that type:

sudo apt-get upgrade


To get a good idea what’s on this machine read the readme file on the desktop or read it here:

https://cyberguerrilla.org/paste/?a9a1c128734a7b91#s01MKHHAbMFkqbAGdIGz/TsfNTlY5Npe3shYmk9fn0U=

Let’s take a lil walk through what we see in the Readme. What do some of these programs do?

Let’s start here:

[Kippo]
Location:        /honeydrive/kippo/
Start script:         /honeydrive/kippo/start.sh
Stop script:        /honeydrive/kippo/stop.sh
Downloads:         /honeydrive/kippo/dl/
TTY logs:         /honeydrive/kippo/log/tty/
Credentials:         /honeydrive/kippo/data/userdb.txt
MySQL database:     kippo
MySQL user/password:     root/honeydrive

[Kippo-Graph]
Location:         /var/www/kippo-graph/
Configuration:         /var/www/kippo-graph/config.php
URL:             http://local-or-remote-address/kippo-graph/
MySQL database:     kippo
MySQL user/password:     root/honeydrive

[Kippo-Malware]
Location:        /honeydrive/kippo-malware/

[Kippo2MySQL]
Location:         /honeydrive/kippo2mysql/
MySQL database:     kippo2mysql
MySQL user/password:     root/honeydrive

[Kippo2ElasticSearch]
Location:        /honeydrive/kippo2elasticsearch/
MySQL database:        kippo
MySQL user/password:    root/honeydrive
ElasticSearch index:    kippo
ElasticSearch type:    auth
Kibana dashboard:    http://localhost/kibana/#/dashboard/elasticsearch/Kippo2ElasticSearch

[Kippo-Scripts]
Location:         /honeydrive/kippo-scripts/
Scripts:        + kippo-sessions
            + kippo-stats
            + kippo2wordlist

Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.

https://github.com/desaster/kippo
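To show what you can already pull out of those Kippo logs and the credentials file before Kippo-Graph draws it for you, here is a small Python script I’m adding to this walkthrough. It is not part of the original post and not Kippo’s own code: the shape of the “login attempt” lines and the username:uid:password layout of userdb.txt are assumptions from my own kippo.log, and the sample lines are constructed, not a real capture.

```python
# Added example (not from the original post or the Kippo project): summarise a
# Kippo-style log and cross-check attempted credentials against the honeypot's
# userdb.txt.  The log line shape and the userdb.txt layout below are
# assumptions; compare them with your own /honeydrive/kippo/log/kippo.log and
# /honeydrive/kippo/data/userdb.txt and adjust the regex if they differ.
import re
from collections import Counter

# Constructed sample lines (not a real capture).
SAMPLE_LOG = """\
2015-01-12 01:13:05+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.0.2.10:51234 (10.0.2.15:2222) [session: 1]
2015-01-12 01:13:06+0000 [SSHService ssh-userauth on HoneyPotTransport,1,192.0.2.10] login attempt [root/123456] failed
2015-01-12 01:13:07+0000 [SSHService ssh-userauth on HoneyPotTransport,1,192.0.2.10] login attempt [root/password] failed
2015-01-12 01:13:08+0000 [SSHService ssh-userauth on HoneyPotTransport,1,192.0.2.10] login attempt [root/toor] succeeded
2015-01-12 01:14:00+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.7:40001 (10.0.2.15:2222) [session: 2]
2015-01-12 01:14:01+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [admin/admin] failed
2015-01-12 01:14:02+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [root/123456] failed
"""

# Constructed userdb.txt in the username:uid:password layout (assumption).
SAMPLE_USERDB = """\
root:0:toor
richard:1000:secret
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,"
    r"(?P<session>\d+),(?P<ip>[\d.]+)\] login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)$"
)


def parse_login_attempts(log_text):
    """Return one dict per 'login attempt' line; other lines are ignored."""
    attempts = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            attempts.append(m.groupdict())
    return attempts


def load_userdb(userdb_text):
    """Parse userdb.txt into the set of (user, password) pairs the honeypot accepts."""
    creds = set()
    for line in userdb_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _uid, pw = line.split(":", 2)
        creds.add((user, pw))
    return creds


def summarise(attempts, accepted):
    """Per-IP attempt counts, most tried credentials, and the attempts that hit userdb entries."""
    per_ip = Counter(a["ip"] for a in attempts)
    top_creds = Counter((a["user"], a["pw"]) for a in attempts)
    hits = [a for a in attempts if (a["user"], a["pw"]) in accepted]
    succeeded = [a for a in attempts if a["result"] == "succeeded"]
    return {
        "per_ip": dict(per_ip),
        "top_creds": top_creds.most_common(3),
        "userdb_hits": hits,
        "succeeded": succeeded,
    }


if __name__ == "__main__":
    report = summarise(parse_login_attempts(SAMPLE_LOG), load_userdb(SAMPLE_USERDB))
    for ip, n in sorted(report["per_ip"].items(), key=lambda kv: -kv[1]):
        print(f"{ip:<16} {n} attempts")
    print("most tried credentials:", report["top_creds"])
    for a in report["succeeded"]:
        print(f"session {a['session']} from {a['ip']} got a shell with {a['user']}/{a['pw']}")
```

Point parse_login_attempts at the contents of /honeydrive/kippo/log/kippo.log and load_userdb at /honeydrive/kippo/data/userdb.txt and you get the per-IP, top-credential and “who actually got a shell” view; the sessions listed under succeeded are the ones whose TTY logs in /honeydrive/kippo/log/tty/ are worth replaying first.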


[Dionaea]
Location:         /opt/dionaea/
Start script:        /honeydrive/dionaea-vagrant/runDionaea.sh
Binary:         /opt/dionaea/bin/dionaea
Configuration:         /opt/dionaea/etc/dionaea/dionaea.conf
Logs:             /opt/dionaea/var/log/
SQLite database:     /opt/dionaea/var/dionaea/logsql.sqlite
Malware samples:     /opt/dionaea/var/dionaea/binaries/
Log rotation:        enabled
phpLiteAdmin:         /var/www/phpliteadmin/
+ password:         honeydrive
+ allow only localhost:    enabled
+ URL:             http://localhost/phpliteadmin/phpliteadmin.php

[DionaeaFR]
Location:         /honeydrive/DionaeaFR/
Script:         /honeydrive/DionaeaFR/manage.py

[Dionaea-Scripts]
Location:         /honeydrive/dionaea-scripts/
Scripts:        + mimic-nepstats
            + dionaea-sqlquery

Dionaea is a low-interaction honeypot that captures attack payloads and malware.

http://dionaea.carnivore.it/
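Dionaea logs every connection and every captured binary into that logsql.sqlite file, and phpLiteAdmin is fine for poking at it, but a few queries get you to the useful part faster. The script below is an added example, not from the original post and not Dionaea’s own code; the two tables are a cut-down version of Dionaea’s logsql schema as I remember it, so the column names are an assumption to check with .schema in sqlite3 against your own database, and all rows and MD5 values are constructed placeholders.

```python
# Added example (not from the original post or the Dionaea project): triage
# queries over the logsql.sqlite database Dionaea writes.  The table layout is
# an assumption based on Dionaea's logsql schema; confirm the column names on
# your own /opt/dionaea/var/dionaea/logsql.sqlite before running this on it.
import sqlite3

# Constructed rows (not a real capture).  MD5 values are placeholders.
SAMPLE_CONNECTIONS = [
    # connection, type, transport, protocol, timestamp, local_host, local_port, remote_host, remote_port
    (1, "accept", "tcp", "smbd",   1421024000, "10.0.2.15", 445,  "192.0.2.10",   51000),
    (2, "accept", "tcp", "smbd",   1421024100, "10.0.2.15", 445,  "192.0.2.10",   51001),
    (3, "accept", "tcp", "httpd",  1421024200, "10.0.2.15", 80,   "198.51.100.7", 40000),
    (4, "accept", "tcp", "mssqld", 1421024300, "10.0.2.15", 1433, "203.0.113.5",  33000),
]
SAMPLE_DOWNLOADS = [
    # download, connection, download_url, download_md5_hash
    (1, 1, "http://198.51.100.7/x.exe", "md5-placeholder-1"),
    (2, 2, "http://198.51.100.7/x.exe", "md5-placeholder-1"),
    (3, 4, "ftp://203.0.113.5/y.exe",   "md5-placeholder-2"),
]


def build_sample_db():
    """Build an in-memory stand-in for logsql.sqlite from the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE connections (
            connection INTEGER PRIMARY KEY,
            connection_type TEXT, connection_transport TEXT, connection_protocol TEXT,
            connection_timestamp INTEGER,
            local_host TEXT, local_port INTEGER,
            remote_host TEXT, remote_port INTEGER
        );
        CREATE TABLE downloads (
            download INTEGER PRIMARY KEY,
            connection INTEGER, download_url TEXT, download_md5_hash TEXT
        );
    """)
    db.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_CONNECTIONS)
    db.executemany("INSERT INTO downloads VALUES (?,?,?,?)", SAMPLE_DOWNLOADS)
    return db


def top_talkers(db, limit=3):
    """Remote hosts ordered by how many connections they made, busiest first."""
    return db.execute(
        "SELECT remote_host, COUNT(*) AS n FROM connections "
        "GROUP BY remote_host ORDER BY n DESC, remote_host LIMIT ?", (limit,)
    ).fetchall()


def services_hit(db):
    """Which emulated services (protocol, local port) drew connections, busiest first."""
    return db.execute(
        "SELECT connection_protocol, local_port, COUNT(*) AS n FROM connections "
        "GROUP BY connection_protocol, local_port ORDER BY n DESC, local_port"
    ).fetchall()


def unique_samples(db):
    """Distinct captured binaries: md5 -> times seen, source URLs, hosts that delivered it."""
    rows = db.execute(
        "SELECT d.download_md5_hash, d.download_url, c.remote_host "
        "FROM downloads d JOIN connections c ON d.connection = c.connection"
    )
    samples = {}
    for md5, url, host in rows:
        entry = samples.setdefault(md5, {"seen": 0, "urls": set(), "hosts": set()})
        entry["seen"] += 1
        entry["urls"].add(url)
        entry["hosts"].add(host)
    return samples


if __name__ == "__main__":
    db = build_sample_db()  # swap for sqlite3.connect("/opt/dionaea/var/dionaea/logsql.sqlite")
    print("top talkers:", top_talkers(db))
    print("services hit:", services_hit(db))
    for md5, info in unique_samples(db).items():
        print(md5, "seen", info["seen"], "from", sorted(info["hosts"]), "via", sorted(info["urls"]))
```

The unique_samples view is the one to start with: the same MD5 turning up from several hosts means one sample in /opt/dionaea/var/dionaea/binaries/ to analyse, not several, and the attached URLs tell you where the droppers are being served from.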


[Honeyd]
Binaries:         + /usr/bin/honeyd
            + /usr/bin/honeydstats
Init file:         /etc/default/honeyd
Configuration:         /etc/honeypot/honeyd.conf
Scripts:         /usr/share/honeyd/scripts/
Logs:             /var/log/honeypot/honeyd.log

[Honeyd2MySQL]
Location:         /honeydrive/honeyd2mysql/
MySQL database:     honeyd2mysql
MySQL user/password:     root/honeydrive

[Honeyd-Viz]
Location:         /var/www/honeyd-viz/
Configuration:         /var/www/honeyd-viz/config.php
URL:             http://local-or-remote-address/honeyd-viz/
MySQL database:     honeyd2mysql
MySQL user/password:     root/honeydrive

[Honeyd-Scripts]
Location:         /honeydrive/honeyd-scripts/
Scripts:        + honeyd-geoip
            + honeyd-geoip-cymru

Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems.

http://www.honeyd.org/


[Amun]
Location:         /honeydrive/amun/
Start script:         /honeydrive/amun/amun_server.py
Configuration:         /honeydrive/amun/conf/amun.conf
Malware samples:     /honeydrive/amun/malware/
Logs:             /honeydrive/amun/logs/
MySQL database:     amun_db
MySQL root/password:     root/honeydrive

[Amun-Scripts]
Location:         /honeydrive/amun-scripts/
            + amun_statistics

Amun is a Python honeypot.

http://amunhoney.sourceforge.net/


[Glastopf]
Location:         /honeydrive/glastopf/
Honeypot location:    /honeydrive/glastopf-honeypot/
Configuration:         /honeydrive/glastopf-honeypot/glastopf.cfg
Start script:         /usr/local/bin/glastopf-runner
Logs:             /honeydrive/glastopf-honeypot/log/glastopf.log
SQLite database:    /honeydrive/glastopf-honeypot/db/glastopf.db
phpLiteAdmin:         /var/www/phpliteadmin/
+ password:         honeydrive
+ allow only localhost:    enabled
+ URL:             http://localhost/phpliteadmin/phpliteadmin.php

Glastopf is a small Python webserver which emulates thousands of web application vulnerabilities.

https://github.com/glastopf/glastopf


[Conpot]
Location:        /honeydrive/conpot/
Configuration:        /honeydrive/conpot/conpot/conpot.cfg
Start script:        /honeydrive/conpot/bin/conpot
Logs:            /honeydrive/conpot/conpot.log
SQLite database:    /honeydrive/conpot/logs/conpot.db
phpLiteAdmin:        /var/www/phpliteadmin/
+ password:        honeydrive
+ allow only localhost:    enabled
+ URL:            http://localhost/phpliteadmin/phpliteadmin.php

Conpot is an ICS honeypot with the goal of collecting intelligence about the motives and methods of adversaries targeting industrial control systems.

https://github.com/glastopf/conpot


[Wordpot]
Location:         /honeydrive/wordpot/
Configuration:         /honeydrive/wordpot/wordpot.conf
Start script:         /honeydrive/wordpot/wordpot.py
Logs:             /honeydrive/wordpot/logs/

Wordpot is a WordPress honeypot.

https://github.com/gbrindisi/wordpot


[Thug]
Location:         /honeydrive/thug/
Start script:         /honeydrive/thug/src/thug.py
Logs:             /honeydrive/thug/logs/
Malware samples:    /honeydrive/thug/samples/

Thug is a Python low-interaction honeyclient aimed at mimicking the behavior of a web browser in order to detect and emulate malicious contents.

https://github.com/buffer/thug


[PhoneyC]
Location:        /honeydrive/phoneyc
Start script:        /honeydrive/phoneyc/phoneyc.py
Logs:            /honeydrive/phoneyc/log/
Downloads:        /honeydrive/phoneyc/log/downloads/
Malware samples:    /honeydrive/phoneyc/samples/

PhoneyC is a virtual client honeypot, meaning it is not a real application but rather an emulated client. By using dynamic analysis, PhoneyC is able to remove the obfuscation from many malicious pages. Furthermore, PhoneyC emulates specific vulnerabilities to pinpoint the attack vector. PhoneyC is a modular framework that enables the study of malicious HTTP pages and understands modern vulnerabilities and attacker techniques.

https://code.google.com/p/phoneyc/


[LaBrea]
Binary:         /usr/sbin/labrea
Configuration:         /etc/labrea/labrea.conf

A program that creates a tarpit or, as some have called it, a “sticky honeypot”. LaBrea takes over unused IP addresses and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet. The program answers connection attempts in such a way that the machine at the other end gets “stuck”, sometimes for a very long time.

http://labrea.sourceforge.net/labrea-info.html


[Tiny Honeypot]
Location:        /usr/share/thpot/
Binary:         /usr/sbin/thpot
Configuration:         /etc/thpot/thp.conf
Examples:         /usr/share/doc/tinyhoneypot/examples/
Logs:             /var/log/thpot/

Tiny Honeypot (thp) is a simple honey pot program based on iptables redirects and an xinetd listener. It listens on every TCP port not currently in use, logging all activity and providing some feedback to the attacker. The responders are entirely written in Perl, and provide just enough interaction to fool most automated attack tools, as well as quite a few humans, at least for a little while. With appropriate limits (default), thp can reside on production hosts with negligible impact on performance.

http://freecode.com/projects/thp


[INetSim]
Location:        /usr/share/inetsim/
Binary:            /usr/bin/inetsim
Configuration:         /etc/inetsim/inetsim.conf
Logs:             /var/log/inetsim/

INetSim is a software suite for simulating common internet services in a lab environment, e.g. for analyzing the network behaviour of unknown malware samples.

http://www.inetsim.org/


[Maltrieve]
Location:         /opt/maltrieve/
Script:         /opt/maltrieve/maltrieve.py
Configuration:        /opt/maltrieve/maltrieve.cfg
Logs:            /opt/maltrieve/maltrieve.log
Malware samples:    /opt/maltrieve/archive/
Malware categorizer:    /opt/maltrieve/maltrievecategorizer.sh

VirusTotal uses this tool. The tool retrieves malware directly from the source for security researchers.

https://github.com/technoskald/maltrieve


In the next tut we will use one of these bad boys.


ro0ted



9 Responses to #ro0ted #OpNewblood What the Blackhats don’t want you to know: Honeydrive the honeypot distro

  1. I love you so much! I want learn everything about hacking if i had the time. PEACE!

  2. I’m only starting to learn and am currently taking Networking course at a college.

  3. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats dont want u to know | Packing & Crypting, there’s a difference

    […] Introduction to Honeydrive: A Brief Walk Through […]

  4. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats dont want you to know: ASM Injecting Part 4

    […] Introduction to Honeydrive: A Brief Walk Through […]

  5. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats dont want you to know: Reversing your mobile device

    […] Introduction to Honeydrive: A Brief Walk Through […]

  6. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats dont want you to know BE: think ur drive is really wiped?

    […] Introduction to Honeydrive: A Brief Walk Through […]

  7. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats dont want you to know: Infected Machine? Create a memory dump

    […] Introduction to Honeydrive: A Brief Walk Through […]

  8. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the Blackhats don’t want you to know series

    […] Introduction to Honeydrive: A Brief Walk Through […]

  9. Pingback: Tutoriales sobre ingeniería inversa | Cyberhades

    […] Introduction to Honeydrive: A Brief Walk Through […]