Openstuff Wiki : HowtoHoneypot


How to install a virtual honeypot in a private environment


The goal of this document is to explain how to install a virtual honeynet with a single computer and a single public IP address, all of it in a private environment. To do this, we use the Honeywall for data capture and VMware for virtualization.

A very short introduction


A honeynet lets you capture and analyze suspicious activity, such as worm propagation or intruders.
For more information on what a honeypot is, refer to the "Know Your Enemy" papers of the Honeynet Project.

Overview


I have an ADSL connection with only one public IP address. My ISP gave me a "magic box", a sort of modem which connects me to the Internet. This box has one Ethernet (RJ45) connector and one PCMCIA wireless (Wi-Fi) card, with routing capabilities. This device can be replaced by a GNU/Linux gateway.

I have two PCs, one for the virtual honeypot and another one for my daily tasks. Here is the diagram of my configuration:
[Image: Simple configuration diagram]

We are going to install two virtual OSes on the VMware box (the Honeywall and the honeypot):

The network diagram looks like this one:
[Image: Complete configuration diagram]
The ISP modem must NAT all incoming packets (destination: public IP address) to the private honeypot address (192.168.128.3). Do NOT do this now! The NAT must only be set up after all the installations, configurations and tests!

Finally, here is the VMware view of the network diagram:
[Image: Complete configuration diagram]
The Honeywall is connected to the vmnet0 interface, which is bridged to the eth0 device, and to the vmnet1 interface, as is the honeypot. This configuration gives a completely independent network between the two virtual OSes (it is not directly reachable from the outside). vmnet2, like vmnet1, is a host-only interface; it is used for the Honeywall administration.

In our configuration, the honeypot must be connected with an Ethernet link; it is not possible to use Wi-Fi. Wireless LAN cards do not work in a VMware bridged setup, for the following reason: a wireless adapter cannot send packets that carry a MAC address different from its own. With bridged networking, VMware creates packets from the guest operating system using the guest's MAC address, which is different from the MAC address of the physical network adapter, so a wireless adapter will not send those packets.

VMware Box install


1. Gnu/Linux install


First of all, install your preferred distribution. In this article, Ubuntu has been chosen (Ubuntu 6.06 Server i386). Once installed, proceed with the basic configuration.

Network Configuration


My ISP box acts as a DHCP server, and its web interface lets me assign static IP addresses: the DHCP server then always hands out the same IP address based on the MAC address of the host. If you are using a Linux gateway, configure your DHCP server to behave this way.

Here are the MAC address and the network configuration:
$ ifconfig
eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
$ cat /etc/network/interfaces
[...]
auto eth0
iface eth0 inet dhcp


Basic services


Configure apt source list. Here is mine:
$ cat /etc/apt/sources.list

deb http://fr.archive.ubuntu.com/ubuntu/ dapper main restricted
deb-src http://fr.archive.ubuntu.com/ubuntu/ dapper main restricted

deb http://fr.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
deb-src http://fr.archive.ubuntu.com/ubuntu/ dapper-updates main restricted

deb http://security.ubuntu.com/ubuntu dapper-security main restricted
deb-src http://security.ubuntu.com/ubuntu dapper-security main restricted


Install the latest updates:
$ sudo apt-get update
$ sudo apt-get dist-upgrade


Finish with all the required packages:
# We need remote access to the host ... an SSH server is a good start!
$ sudo apt-get install openssh-server
# French locales please!
$ sudo locale-gen fr_FR
$ export LANG=fr_FR
# The VMware GUI needs an X server ...
$ sudo apt-get install xubuntu-desktop


2. VMware install


Out of the box, your system probably has neither a C compiler nor the kernel headers. To install these packages on an apt-based system (the headers must match the running kernel):
$ sudo apt-get install gcc make autoconf automake linux-headers-$(uname -r) libc6-dev


VMware install:
$ tar zxvf VMware-workstation-5.5.1-19175.tar.gz
$ cd vmware-distrib/
$ sudo ./vmware-install.pl


Configuration is done by running the command 'vmware-config.pl'. Here is the network part:
Do you want networking for your virtual machines? (yes/no/help) [yes]

Configuring a bridged network for vmnet0.

The following bridged networks have been defined:

. vmnet0 is bridged to eth0

All your ethernet interfaces are already bridged.

Do you want to be able to use NAT networking in your virtual machines? (yes/no) [yes]

Configuring a NAT network for vmnet8.

Do you want this program to probe for an unused private subnet? (yes/no/help) [yes]

Probing for an unused private subnet (this can take some time)...

The subnet 172.16.100.0/255.255.255.0 appears to be unused.

The following NAT networks have been defined:

. vmnet8 is a NAT network on private subnet 172.16.100.0.

Do you wish to configure another NAT network? (yes/no) [no]

Do you want to be able to use host-only networking in your virtual machines? [yes]

Configuring a host-only network for vmnet1.

Do you want this program to probe for an unused private subnet? (yes/no/help) [yes]

Probing for an unused private subnet (this can take some time)...

The subnet 192.168.54.0/255.255.255.0 appears to be unused.

The following host-only networks have been defined:

. vmnet1 is a host-only network on private subnet 192.168.54.0.

Do you wish to configure another host-only network? (yes/no) [no] yes

Configuring a host-only network for vmnet2.

Do you want this program to probe for an unused private subnet? (yes/no/help) [yes] 

Probing for an unused private subnet (this can take some time)...

The subnet 192.168.249.0/255.255.255.0 appears to be unused.

The following host-only networks have been defined:

. vmnet1 is a host-only network on private subnet 192.168.54.0.
. vmnet2 is a host-only network on private subnet 192.168.249.0.

Do you wish to configure another host-only network? (yes/no) [no] 

[...]
Starting VMware services:
   Virtual machine monitor                                             done
   Virtual ethernet                                                    done
   Bridged networking on /dev/vmnet0                                   done
   Host-only networking on /dev/vmnet1 (background)                    done
   Host-only networking on /dev/vmnet2 (background)                    done
   Host-only networking on /dev/vmnet8 (background)                    done
   NAT service on /dev/vmnet8                                          done

Run ifconfig. You should see at least five network interfaces (lo, eth0, vmnet1, vmnet2 and vmnet8); vmnet0, the bridged network, does not appear as an interface. If the vmnet interfaces do not show up immediately, wait a minute and run the command again. These interfaces should have different IP addresses on separate subnets.


3. VMware Configuration


The Honeywall needs to put its two virtual network interfaces into promiscuous mode. On GNU/Linux, a standard user is not allowed to switch a VMware virtual Ethernet adapter into promiscuous mode, and running VMware as root is bad for the honeypot's security, so we modify the startup script instead. To grant standard users read and write access to the vmnet0 and vmnet1 devices, enter the following commands:
chgrp <usergroup> /dev/vmnet0
chgrp <usergroup> /dev/vmnet1
chmod g+rw /dev/vmnet0
chmod g+rw /dev/vmnet1

To have this done automatically at boot, edit the VMware startup script (/etc/init.d/vmware) and add the previous lines at the end of the start section.

4.1 VMware guest OS #1 - Honeywall


Now launch VMware with the vmware command and create a new virtual machine. Choose Custom virtual machine configuration, New Workstation 5 format, Linux guest OS (Linux 2.6), one processor, 192 MB of RAM, a bridged network connection and the LSI adapter. Create a new virtual disk (8 GB).
Once created, edit the virtual machine settings and add two more network adapters to obtain the following configuration:

Get the Honeywall ISO here. Once downloaded, mount it on the VMware virtual CD-ROM and proceed with the roo install. When done, log in with user roo and the default password honey. You can get root access with
$ su -

The root password is the same as for the roo user. Type halt to stop the machine.

We need static MAC addresses for the ethernet0 and ethernet1 cards. To do this, edit the vmx file:
vi ~/vmware/Honeywall/Honeywall.vmx


Replace addressType = "generated" with addressType = "static", comment out generatedAddress and generatedAddressOffset, and add an address directive. You should end up with something like this:
#ethernet0.addressType = "generated"
#ethernet1.addressType = "generated"
ethernet0.addressType = "static"
ethernet1.addressType = "static"
ethernet2.addressType = "generated"
[...]
#ethernet0.generatedAddress = "00:0c:29:8e:06:28"
#ethernet0.generatedAddressOffset = "0"
ethernet0.address = "00:50:56:06:06:28"
#ethernet1.generatedAddress = "00:0c:29:8e:06:32"
#ethernet1.generatedAddressOffset = "10"
ethernet1.address = "00:50:56:06:06:32"
ethernet2.generatedAddress = "00:0c:29:8e:06:3c"
ethernet2.generatedAddressOffset = "20"
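As an added example (not part of the original page), here is a small POSIX shell script that performs the vmx edit above automatically and refuses MAC addresses outside the range VMware accepts for manual assignment (00:50:56:00:00:00 to 00:50:56:3F:FF:FF). The .vmx fragment it writes is constructed from the adapter lines shown above.

```shell
#!/bin/sh
# Added example, not from the original page: switch ethernet0/ethernet1 of a
# VMware .vmx to static MAC addresses, as the manual edit above does.
# VMware only accepts manually assigned MACs in 00:50:56:00:00:00-00:50:56:3F:FF:FF.

# vmx_static_mac_ok MAC -> returns 0 if MAC lies in the VMware static range
vmx_static_mac_ok() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        00:50:56:[0-3][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# vmx_set_static_mac FILE ETHN MAC: comment out the generated* lines of adapter
# ETHN (e.g. ethernet0) and append addressType = "static" plus the address.
vmx_set_static_mac() {
    file=$1; eth=$2; mac=$3
    vmx_static_mac_ok "$mac" || {
        echo "$mac is outside the VMware static MAC range" >&2; return 1; }
    sed -e "s/^\($eth\.addressType *= *\"generated\"\)/#\1/" \
        -e "s/^\($eth\.generatedAddress.*\)/#\1/" "$file" > "$file.tmp"
    printf '%s.addressType = "static"\n%s.address = "%s"\n' \
        "$eth" "$eth" "$mac" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# vmx_get_address FILE ETHN -> prints the static address configured for ETHN
vmx_get_address() {
    sed -n "s/^$2\.address = \"\(.*\)\"/\1/p" "$1"
}

# Constructed sample .vmx fragment with the adapter lines shown above.
make_sample_vmx() {
    cat > "$1" <<'EOF'
ethernet0.addressType = "generated"
ethernet1.addressType = "generated"
ethernet2.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:8e:06:28"
ethernet0.generatedAddressOffset = "0"
ethernet1.generatedAddress = "00:0c:29:8e:06:32"
ethernet1.generatedAddressOffset = "10"
ethernet2.generatedAddress = "00:0c:29:8e:06:3c"
ethernet2.generatedAddressOffset = "20"
EOF
}

# Demo: ./vmx-static-mac.sh demo  (writes and edits a temporary file)
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp) && make_sample_vmx "$f"
    vmx_set_static_mac "$f" ethernet0 00:50:56:06:06:28
    vmx_set_static_mac "$f" ethernet1 00:50:56:06:06:32
    cat "$f"; rm -f "$f"
fi
```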


We also need to disable the VMware DHCP server on the vmnet1 device. vmnet0 is a bridged device and needs no modification (there is no virtual DHCP server for it).
vi /etc/vmware/vmnet1/dhcpd/dhcpd.conf


Comment out all lines:
#allow unknown-clients;
#default-lease-time 1800;               # 30 minutes
#max-lease-time 7200;                   # 2 hours
#
#subnet 172.16.3.0 netmask 255.255.255.0 {
#    range 172.16.3.128 172.16.3.254;
#    option broadcast-address 172.16.3.255;
#    option domain-name-servers 172.16.3.1;
#    option domain-name "localdomain";
#
#}


Now we can restart the virtual OS and configure it. Log in as roo and become root; an automatic configuration will begin. Choose Honeywall configuration and Interview mode. Here is a sample of my answers:

Verify that you can reach the management interface from the VMware box. It is not reachable from the outside: you must first connect to your VMware box before you can reach the Honeywall. If you want to modify the configuration later, use the menu command. Do not forget to change the default roo and root passwords!

All your Honeywall configuration lives in the /hw/conf/ directory. There is also an ASCII configuration file, /etc/honeywall.conf, which contains all of these configuration values.

The Honeywall management interface is attached to a VMware host-only interface, so the Honeywall has no access to the Internet. This is a big problem, because it means no mail alerts! To correct this, we have to enable packet forwarding and add an iptables rule on the VMware box that masquerades the packets coming from the Honeywall management interface so they can reach the outside. This must be done at boot, so add this to your firewall rules:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -s 192.168.249.2 -o eth0 -j MASQUERADE

Verify that it works: DNS resolution with host, ping and time synchronization with ntpdate are a good start.

4.2 VMware guest OS #2 - Honeypot


Here you can install a GNU/Linux, Solaris, Windows or *BSD system; just make your choice (Sebek is not available for other platforms). This howto continues with an Ubuntu system.

The VMware configuration is the same. The network configuration is simple: Ethernet 1 on the host-only network (vmnet1). The Honeywall is then connected to the honeypot. This network is independent and separated from the outside network: packets must pass through the bridge.

As for the Honeywall, mount the distribution ISO and proceed with the installation.

This is my network configuration:
$ cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
		address 192.168.128.3
		netmask 255.255.255.0
		network 192.168.128.0
		broadcast 192.168.128.255
		gateway 192.168.128.254
		# dns-* options are implemented by the resolvconf package, if installed
		dns-nameservers 212.27.54.252 212.27.53.252


4.2.1 Sebek client install


Sebek is a kernel-based data capture tool. It is open source and built on a client-server architecture. The Sebek client uses techniques similar to kernel-based rootkits to gather and capture information; the data is then exported to the Sebek server. For more information see http://www.honeynet.org/papers/sebek.pdf


So we are going to compile Sebek on the real host and then install it on the honeypot guest OS.

Download the Sebek Linux client and uncompress it:
$ tar zxvf sebek-lin26-3.1.2b.tar.gz
$ cd sebek-lin26-3.1.2b/


We have only one honeypot, so we can disable the raw socket replacement (--disable-raw-socket-replacement); see the BUILD file for more information. With the raw socket replacement disabled, Sebek no longer hides itself, which seems to be a small bug. To force the Sebek module to hide anyway (otherwise you will see an "sbk" module), edit the main source file src/sebek.c. In the sebek_init(void) function, replace:
 if(!BLOCK[TESTING_OFFSET] & 0x00000001){
        start_raw_sock_hiding();
        hide_module();
  }

by:
 //if(!BLOCK[TESTING_OFFSET] & 0x00000001){
  //      start_raw_sock_hiding();
        hide_module();
  //}


Now edit the file sbk_install.sh and configure these values:
Leave all other values unchanged.

Then continue the compilation process:
$ ./configure --disable-raw-socket-replacement
$ make


Make a VMware snapshot of your initial honeypot install. If something goes wrong, you can revert to this snapshot.

Copy the sebek-lin26-3.1.2b-bin.tar.gz archive to your honeypot:
$ scp sebek-lin26-3.1.2b-bin.tar.gz admin@192.168.128.3:~


Then connect to your honeypot and install it:
$ tar zxvf sebek-lin26-3.1.2b-bin.tar.gz
$ cd sebek-lin26-3.1.2b-bin/
$ sudo ./sbk_install.sh


Make a new VMware snapshot. If your honeypot is compromised, you will be able to restore the initial system from before the intrusion. Do not forget to clean your bash_history.

4.2.2 Sebek test


The Sebek server is already installed with the Honeywall, so let's verify that it works.

On the honeypot:
$ ls -al
[...]
$ date
samedi 29 juillet 2006, 15:19:31 (UTC+0200)
$ id
uid=1000(admin) gid=1000(admin) [...]


On the honeywall:
# /usr/sbin/sbk_extract -i eth1 -p 1101 2>/dev/null | /usr/sbin/sbk_ks_log.pl
[2006-07-29 13:19:30 Host:192.168.128.3 UID:1000 PID:3897 FD:0 INO:2 COM:bash ]#ls -al
[2006-07-29 13:19:31 Host:192.168.128.3 UID:1000 PID:3897 FD:0 INO:2 COM:bash ]#date
[2006-07-29 13:19:39 Host:192.168.128.3 UID:1000 PID:3897 FD:0 INO:2 COM:bash ]#id
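As an added example (not from the original page), here is a small POSIX shell/awk script that parses lines in the sbk_ks_log.pl format shown above, summarises keystrokes per shell session (Host, UID, PID) and pulls out anything typed as UID 0. The sample log is constructed: the three lines captured above plus an invented follow-up in which the session obtains a root shell.

```shell
#!/bin/sh
# Added example, not from the original page: summarise sbk_ks_log.pl output.
# Each input line looks like
# [2006-07-29 13:19:30 Host:192.168.128.3 UID:1000 PID:3897 FD:0 INO:2 COM:bash ]#ls -al

# sbk_parse FILE -> TAB-separated records: timestamp host uid pid com keystrokes
sbk_parse() {
    awk '
    /^\[/ {
        i = index($0, "]#")              # "]#" separates the header from the keys
        cmd = substr($0, i + 2)
        n = split(substr($0, 2, i - 2), f, " ")
        host = uid = pid = com = ""
        for (k = 3; k <= n; k++) {       # f[1] and f[2] are the date and time
            split(f[k], kv, ":")
            if (kv[1] == "Host") host = kv[2]
            else if (kv[1] == "UID") uid = kv[2]
            else if (kv[1] == "PID") pid = kv[2]
            else if (kv[1] == "COM") com = kv[2]
        }
        printf "%s %s\t%s\t%s\t%s\t%s\t%s\n", f[1], f[2], host, uid, pid, com, cmd
    }' "$1"
}

# sbk_sessions FILE -> "host uid pid keystrokes" per shell session, busiest first
sbk_sessions() {
    sbk_parse "$1" | awk -F'\t' '{ n[$2 " " $3 " " $4]++ }
        END { for (s in n) print s, n[s] }' | sort -k4,4nr
}

# sbk_root_cmds FILE -> "timestamp keystrokes" typed as UID 0.  Nobody logs in
# as root on a honeypot legitimately, so any output here means an escalation.
sbk_root_cmds() {
    sbk_parse "$1" | awk -F'\t' '$3 == "0" { print $1 " " $6 }'
}

# Constructed sample: the three lines captured above plus an invented
# follow-up in which the same session obtains a root shell.
sbk_sample() {
    cat <<'EOF'
[2006-07-29 13:19:30 Host:192.168.128.3 UID:1000 PID:3897 FD:0 INO:2 COM:bash ]#ls -al
[2006-07-29 13:19:31 Host:192.168.128.3 UID:1000 PID:3897 FD:0 INO:2 COM:bash ]#date
[2006-07-29 13:19:39 Host:192.168.128.3 UID:1000 PID:3897 FD:0 INO:2 COM:bash ]#id
[2006-07-29 13:21:02 Host:192.168.128.3 UID:1000 PID:3897 FD:0 INO:2 COM:bash ]#su -
[2006-07-29 13:21:10 Host:192.168.128.3 UID:0 PID:3950 FD:0 INO:2 COM:bash ]#id
[2006-07-29 13:21:15 Host:192.168.128.3 UID:0 PID:3950 FD:0 INO:2 COM:bash ]#w
EOF
}

# Demo: ./sbk-summary.sh demo
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp) && sbk_sample > "$f"
    echo "sessions:"; sbk_sessions "$f"
    echo "root keystrokes:"; sbk_root_cmds "$f"
    rm -f "$f"
fi
```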


5. Remote Operation


Now we are going to see how to manage our VMware box remotely. All of this is done over an SSH connection from a remote host. To test it, activate port forwarding on your ISP box administration console or on your gateway: all incoming Internet packets have to be NATed to the VMware box (192.168.128.2). At the end, after testing our network, we will change the NAT to point to our honeypot (192.168.128.3).

5.1 Automated boot


First of all, VMware requires a GUI to start, so we need the X server up and running automatically at boot. To do that, configure gdm for automatic login:
$ gdmsetup

This shows a dialog box. In the Security tab, activate Enable Timed Login.

5.2 Enhanced VMware command line interface


VMware needs a GUI to start, but we do not need access to it; we just need SSH access. So let's see how to start VMware without any X11 forwarding or VNC.

VMware provides the vmrun command for managing virtual machines and snapshots. You can create, delete, list and revert to specific snapshots.
$ vmrun      
vmrun version 5.5.1 build-19175

Usage: vmrun COMMAND [PARAMETERS]

COMMAND          PARAMETERS                  DESCRIPTION
list                                         List all running VMs
start            Path to vmx or vmtm file    Start a VM or Team
stop             Path to vmx or vmtm file    Stop a VM or Team
reset            Path to vmx or vmtm file    Reset a VM or Team
suspend          Path to vmx or vmtm file    Suspend a VM or Team
upgradevm        Path to vmx file            Upgrade VM file format, virtual hw
installtools     Path to vmx file            Install Tools in Guest OS
listSnapshots    Path to vmx file            List all snapshots in a VM
snapshot         Path to vmx file            Create a snapshot of a VM
				 Snapshot name
deleteSnapshot   Path to vmx file            Remove a snapshot from a VM
				 Snapshot name
revertToSnapshot Path to vmx file            Set VM state to a snapshot
				 Snapshot name


An example of use, once the X server is started on the VMware box:
$ vmrun listSnapshots /home/stan/vmware/Honeypot/Honeypot.vmx
Total snapshots: 1
Snapshot 1
$ vmrun revertToSnapshot /home/stan/vmware/Honeypot/Honeypot.vmx "Snapshot 1"
$ DISPLAY=:0.0 vmrun start /home/stan/vmware/Honeypot/Honeypot.vmx


DISPLAY=:0.0 makes vmrun use the X server already running on the VMware box. :0.0 is the default for the primary X server; it may be different on your system.


Here is my control script for launching the Honeywall and the honeypot snapshot:
$ cat ./vmctrl.sh
#!/bin/sh
# Start or stop the two virtual machines.  DISPLAY=:0.0 points vmrun at the
# X server already running on the VMware box (see 5.1).
HW=/home/stan/vmware/Honeywall/Honeywall.vmx
HP=/home/stan/vmware/Honeypot/Honeypot.vmx

# POSIX sh compares strings with "=", not "=="
if [ "$1" = "start" ]
then
        echo "Starting Honeywall ..."
        DISPLAY=:0.0 vmrun start "$HW"
        echo "Starting Honeypot ..."
        # always boot the honeypot from the clean snapshot
        vmrun revertToSnapshot "$HP" "Snapshot 1"
        DISPLAY=:0.0 vmrun start "$HP"
fi

if [ "$1" = "stop" ]
then
        echo "Stopping Honeywall ..."
        vmrun stop "$HW"
        echo "Stopping Honeypot ..."
        vmrun stop "$HP"
fi

echo
vmrun list


5.3 Web Interface


The web interface, named Walleye, helps with your everyday remote Honeywall administration; it also provides data analysis functionality. To use it, launch your favorite browser and go to https://ww.xx.yy.zz, where ww.xx.yy.zz is the IP address of your Honeywall management interface (192.168.249.2 for me). In our configuration it is only reachable locally, from the VMware box.

If you want to reach it from your remote computer, you need to add a few iptables rules on the VMware box (add them to your firewall rules). Be aware that this DNAT rule forwards every HTTPS connection arriving on eth0 to Walleye, so once the ISP box NATs Internet traffic to the VMware box, Walleye is exposed to the Internet; the SSH tunnel below avoids that:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport https -j DNAT --to 192.168.249.2


For remote access to Walleye, let's use our SSH connection to forward the Honeywall HTTPS port to our local port 1234:
$ sudo ssh stan@vmwarebox -L 1234:192.168.249.2:443

Then point your browser to https://127.0.0.1:1234/.

5.4 Tests


Test your architecture!


5.5 Start having fun


Once you have tested your configuration, snapshot your VMware virtual hosts. Now you can start having fun :)

For my first test I decided to create dumb login/password system accounts like admin/admin or mysql/mysql. These accounts can be accessed remotely via SSH. You can also run an unsecured PHP site, like an old phpBB forum... Everything is possible!

When your honeypot is ready to receive visitors, change your ISP box or gateway configuration to NAT all incoming Internet packets to the honeypot (192.168.128.3). Also configure a special port redirect to keep remote access to the VMware box; the SSH daemon must listen on this special port. You can also configure port knocking to be more stealthy.

With this first test environment, it took only one hour to get an unauthorised access ... here is what happened:
All of this was done in a few seconds. Then a real person came ... and installed an IRC bot, connecting the honeypot to a botnet.

Security issues


There are a lot of documents on the SecurityFocus web site about security and best practices. Here are some links: