Openstuff Wiki : HowtoHoneypot


Revision [638]

Last edited on 2008-10-16 20:41:18 by StanKju
Additions:
address 192.168.128.3
netmask 255.255.255.0
network 192.168.128.0
broadcast 192.168.128.255
gateway 192.168.128.254
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 212.27.54.252 212.27.53.252
start_raw_sock_hiding();
hide_module();
hide_module();
~- Destination MAC: 00:50:56:06:06:32 (honeywall MAC address)
Snapshot name
Snapshot name
Snapshot name
echo "Starting Honeywall ..."
DISPLAY=:0.0 vmrun start /home/stan/vmware/Honeywall/Honeywall.vmx
echo "Starting Honeypot ..."
vmrun revertToSnapshot /home/stan/vmware/Honeypot/Honeypot.vmx "Snapshot 1"
DISPLAY=:0.0 vmrun start /home/stan/vmware/Honeypot/Honeypot.vmx
echo "Stopping Honeywall ..."
vmrun stop /home/stan/vmware/Honeywall/Honeywall.vmx
echo "Stopping Honeypot ..."
vmrun stop /home/stan/vmware/Honeypot/Honeypot.vmx
Deletions:
address 192.168.128.3
netmask 255.255.255.0
network 192.168.128.0
broadcast 192.168.128.255
gateway 192.168.128.254
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 212.27.54.252 212.27.53.252
start_raw_sock_hiding();
hide_module();
hide_module();
~- Destination MAC: 00:50:56:06:06:32 (honeypot MAC address)
Snapshot name
Snapshot name
Snapshot name
echo "Starting Honeywall ..."
DISPLAY=:0.0 vmrun start /home/stan/vmware/Honeywall/Honeywall.vmx
echo "Starting Honeypot ..."
vmrun revertToSnapshot /home/stan/vmware/Honeypot/Honeypot.vmx "Snapshot 1"
DISPLAY=:0.0 vmrun start /home/stan/vmware/Honeypot/Honeypot.vmx
echo "Stopping Honeywall ..."
vmrun stop /home/stan/vmware/Honeywall/Honeywall.vmx
echo "Stopping Honeypot ..."
vmrun stop /home/stan/vmware/Honeypot/Honeypot.vmx
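Review bot: the only substantive change in this revision is the label on the `Destination MAC` line, which moves from `(honeypot MAC address)` to `(honeywall MAC address)` while the value `00:50:56:06:06:32` stays the same; every other line is listed in both Additions and Deletions unchanged, so the edit should be checked against the MAC the Honeywall guest itself reports on its bridged interface, because a mislabelled address here feeds straight into the interview answers. Two smaller points in the same block: the start sequence runs `vmrun start` for the honeypot immediately after issuing the start for the Honeywall, with no wait for the Honeywall to finish booting, so there is a window in which the honeypot is bridged onto the network before the data-control rules are active; a short wait or a check that the Honeywall answers on its management address before the `vmrun revertToSnapshot` line would close it. And `hide_module();` appears twice without a comment while the three `Snapshot name` lines carry no value, so a reader cannot tell whether either is intentional.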


Revision [362]

Edited on 2007-08-01 19:29:50 by StanKju
Additions:
Configure apt source list. Here is mine:
All your honeywall configuration is in the /hw/conf/ directory. There is an ASCII configuration file /etc/honeywall.conf which contains all of these configuration values.
Deletions:
Configure apt source list. Here is the mine one:
All your honeywall configuration is in the /hw/conf/ directory. There is an ASCII configuration file /etc/honeywall.conf which contains all of these configuration values. This is mine:
{{files}}
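Review bot: this edit drops the `{{files}}` attachment action together with the `This is mine:` lead-in, so the author's actual /etc/honeywall.conf is no longer published on the page; that is the prudent choice for a file that holds the management addresses and the other interview answers, but the sentence that remains still tells the reader the file "contains all of these configuration values" without showing any, so a one-line pointer that these are the values entered during the Honeywall interview would keep the paragraph self-contained.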


Revision [198]

Edited on 2006-11-18 18:13:31 by StanKju
Additions:
First of all, install you preferred distribution. On this article, an Ubuntu has been chosen (Ubuntu 6.06 Server i386). Once installed, proceed with the basic configuration.
Install the latest update:
Now, launch VMware with the ''vmware'' command, and configure a ''New Virtual Machine''. Choose ''Custom virtual machine configuration'', ''New Workstation 5 format'', ''Linux Guest OS'' (Linux 2.6). One processor, 192 MB of RAM. Network connection bridged and LSI adapter. Create new virtual disk (8Go).
When your honeypot is ready to have visitors, change your ISP Box or gateway configuration to NAT all Internet incoming packets to the honeypot (192.168.5.3). Configure also a special port redirect to have a remote access to the VMware box. The SSH daemon must listen on this special port. You can also configure a port knocking to be more furtive.
With this first testing environment, it takes only one hour to have an unauthorised access ... here is what was appended:
Deletions:
First of all, install you prefered distribution. On this article, an Ubuntu has been chosen (Ubuntu 6.06 Server i386). Once installed, proceed with the basic configuration.
Install the lastest update:
Now, launch VMware with the ''vmware'' command, and configure a ''New Virtual Machine''. Choose ''Custom virtual machine configuration'', ''New Workstation 5 format'', ''Linux Guest OS'' (Linux 2.6). One processor, 192 MB of RAM. Network connection bridged and LSI adaptater. Create new virtual disk (8Go).
When your honeypot is ready to have visitors, change your ISP Box or gateway configuration to NAT all Internet incoming packets to the honeypot (192.168.5.3). Configure also a special port redirect to have a remote access to the VMware box. The SSH daemon must listen on this special port. You can also configure a port knocking to improve furtivity.
With this first testing environement, it takes only one hour to have an unauthorised access ... here is what was appended:
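Review bot: in the NAT paragraph the gateway forwards all incoming Internet traffic to the honeypot and, on a "special port", to the SSH daemon on the VMware host; `to be more furtive` reads better as `to be stealthier`, but the more important point is that a non-standard port or port knocking is obscurity only: the management SSH endpoint sits on the host that runs the honeypot and is reachable from the Internet, so key-only authentication and, where the gateway allows it, restricting the forward to the administrator's source address should be stated as the baseline, with port knocking on top. Minor wording in the last line: `here is what was appended` should read `here is what happened`, and `8Go` is the French unit, `8 GB` in English.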


Revision [190]

Edited on 2006-09-16 12:33:47 by StanKju
Additions:
For more information of what is a Honeypot refer to "Know Your Enemy" papers of the [[http://www.honeynet.org honeynet project]].
Finally, here is the VMware view of the network diagram.:
In our configuration, the honeypot must be connected with an Ethernet link and it is not possible to use Wifi. In fact, Wireless LAN cards do not work in a WMware bridged setup. The reason is the following : a wireless adapter cannot send packets that have a different MAC address than its own. With bridged networking, VMware software creates packets from the guest operating system using the guest's MAC address, which is different from the MAC address of the actual network adapter. Thus a wireless adapter will not send
those packets.
First of all, install you prefered distribution. On this article, an Ubuntu has been chosen (Ubuntu 6.06 Server i386). Once installed, proceed with the basic configuration.
# We need to access remotely to the host ... SSH server is a good start !
Now we can restart the virtual OS, and configure it. Log with user ''roo'' and become root. An automatic configuration will begin. Choose ''Honeywall configuration'' and ''Interview'' mode. Here is a sample of my answer :
~- Destination IP: 192.168.128.254 (gateway IP address)
Now we are going to see how to manage our VMware box remotely. All of this is made with a SSH connection from a remote host. For testing all of this, activate the forwarding packet on your ISP Box administration console or on your gateway: all Internet incoming packets have to be NAT to the VMware box (192.168.128.2). At the end, after testing our network, we will change the NAT to point to our honeypot (192.168.128.3).
First of all, VMware required a GUI to start. We need X server up and running automatically on boot. To do that, configure gdm to make an automatic login :
The Web interface named ''Walleye'' helps you for your every day remote Honeywall administration. It also provides data analysis functionality. To use it, launch your favorite browser and go to ""https://ww.xx.yy.zz"" where ww.xx.yy.zz is the IP address of your honeywall management interface (192.168.249.2 for me). In our configuration we can only access it localy on the VMware box.
Deletions:
For more information of what is a Honeypot reffer to "Know Your Enemy" papers of the [[http://www.honeynet.org honeynet project]].
Finaly, here is the VMware view of the network diagram.:
In our configuration, the honeypot must be connected with an Ethernet link and it is not possible to use Wifi. In fact, Wireless LAN cards do not work in a WMware bridged setup: VMware bloks bridged networking on the wireless network card. The reason is the following : a wireless adapter cannot send packets that have a different MAC address than its own. We are exactly in this situation because each VMware virtual network interface have it's own MAC address.
First of all, install you prefered distribution. On this article, an Ubuntu has been chosed (Ubuntu 6.06 Server i386). Once installed, proceed with the basic configuration.
# We need to access remotly to the host ... SSH server is a good start !
Now we can restart the virtual OS, and configure it. Log with user ''roo'' and become root. An automatic configuration will begin automaticaly. Choose ''Honeywall configuration'' and ''Interview'' mode. Here is a sample of my answer :
~- Destination IP: 192.168.128.254 (gateway IP adress)
Now we are going to see how to manage our VMware box remotely. All of this is made with a SSH connection from a remote host. For testing all of this, activate the forwarding packet on your ISP Box adminitration console or on your gateway: all Internet incoming packets have to be NAT to the VMware box (192.168.128.2). At the end, after testing our network, we will change the NAT to point to our honeypot (192.168.128.3).
First of all, VMware required a GUI to start. We need X server up and running automaticaly on boot. To do that, configure gdm to make an automatic login :
The Web interface named ''Walleye'' helps you for your every day remote Honeywall administation. It also provides data analysis functionality. To use it, launch your favorite browser and go to ""https://ww.xx.yy.zz"" where ww.xx.yy.zz is the IP address of your honeywall management interface (192.168.249.2 for me). In our configuration we can only access it localy on the VMware box.
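Review bot: the reworked wireless-bridging sentence now gives the correct mechanism (bridged VMware frames carry the guest's MAC, which a wireless adapter will not transmit), a clear improvement over the earlier "VMware bloks bridged networking" wording. In the remote-management paragraph, the testing phase forwards all incoming Internet packets to the VMware box itself (192.168.128.2) before the NAT is re-pointed at the honeypot (192.168.128.3); while that forward is in place every service listening on the host, not only the SSH daemon from the `# We need to access remotely` snippet, is exposed, so the text should tell the reader to keep that window short and to confirm which ports the host actually listens on before enabling it. Wording: `localy` at the end of the Walleye sentence survives in both versions and should be `locally`.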


Revision [188]

Edited on 2006-09-01 09:23:11 by StanKju
Additions:
Honeynet allows you to capture and analyze suspect activities, like Worms propagation or hackers.
I have two PC, one for the virtual honeypot and another one for my daily tasks. Here is the diagram of my configuration :
My ISP Box acts as a DHCP server. I have a web interface which allows me to assign static IP addresses. In this way, the DHCP server assigns the same IP based on the MAC address of the host. If you are using a Linux gateway configure your DHCP to have this behaviour.
All your honeywall configuration is in the /hw/conf/ directory. There is an ASCII configuration file /etc/honeywall.conf which contains all of these configuration values. This is mine:
Deletions:
Honeynet allow you to capture and analyze suspect activities, like Worms propagation or hackers.
I have two PC, one for the virtual honeypot and one for my daily tasks. Here is the diagram of my configuration :
My ISP Box act as a DHCP server. I have a web interface which allows me to assign static IP addresses. In this way, the DHCP server assigns the same IP based on the MAC address of the host. If you are using a Linux gateway configure your DHCP to have this behaviour.
All your honeywall configuration is in the /hw/conf/ directory. There is an ASCII configuration file /etc/honeywall.conf which contains all of these configuration values. This is mines:
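Review bot: style only, since the edit is grammatical: `like Worms propagation or hackers` would read more naturally as `such as worm propagation or intrusion attempts`, and `I have two PC` as `I have two PCs`. On the DHCP sentence, assigning the static lease by MAC address is consistent with the later `Destination MAC` interview answer, so it is worth stating explicitly that the honeypot's bridged VMware MAC must stay fixed for the lease and that answer to keep agreeing.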


Revision [185]

The oldest known version of this page was created on 2006-08-25 16:28:11 by StanKju