
Getting Started With HoneyPy ― Part 1

[Category: Systems (Linux) | Posted by 店小二05 | 2016 | Author: 红领巾]

In my last post, Introduction to HoneyPy & HoneyDB , I covered the basics of honeypots and provided a brief introduction to HoneyPy. In this post, I’ll walk through getting up and running with HoneyPy.

Why Run A Honeypot?

As a reminder, I'd like to quickly touch on why you should even think about running a honeypot in the first place. In short: you ought to be running honeypots if you are a researcher, a "blue team" practitioner monitoring and defending a network, or a cyber security hobbyist.

As a researcher, the more data you have on malicious activity happening in the wild, the more informed you will be, and you may discover something new.

As a defender, making your network as bumpy as possible increases your chances of tripping up malicious actors attempting to traverse it. This raises the risk and cost for attackers, which in turn may cause them to spend their resources elsewhere, e.g. on someone else's network.

As a hobbyist, it's just interesting and fun! It can be compared to walking along the beach with a metal detector: you never know what you're going to find.

Whichever of these scenarios you fit into, HoneyPy is a good way to get started.

Installing HoneyPy

Ok, let's get into it. The first thing you will need is a running instance of Linux. I test and run HoneyPy on Debian Linux, but since HoneyPy is written in Python there is no reason why you can't run it on other Linux distributions as well. I also recommend creating a dedicated, unprivileged user account for HoneyPy, both to keep things neat and to limit what a compromised honeypot process could reach. One important note: do not run HoneyPy as the root user!

Download the latest release from https://github.com/foospidy/HoneyPy/releases/latest . As of this blog post the latest release is v0.4.8, so the command to download HoneyPy is:

wget https://github.com/foospidy/HoneyPy/archive/0.4.8.tar.gz

Extract the archive with the command tar -xzf 0.4.8.tar.gz ; this will create the folder HoneyPy-0.4.8 . The directory can be renamed and moved wherever you like. If you created a dedicated user account for HoneyPy, that user's $HOME directory will work just fine.

[asciinema recording: Downloading HoneyPy (recorded by foospidy)]

Next, you need to address the Python dependencies. You need Python installed, and you will need pip as well. (The package names below are the Python 2 packages Debian shipped at the time of writing.) To ensure you have everything, on Debian run the following commands as root (or using sudo):

apt-get install -y python-requests python-twisted python-pip
pip install twitter dnslib

[asciinema recording: Installing HoneyPy Dependencies (recorded by foospidy)]

For more information on HoneyPy dependencies, see the README file.

That’s it, HoneyPy is installed!

Running HoneyPy

Running HoneyPy is simple; getting everything configured properly involves a few steps, so bear with me.

First, run HoneyPy with its “out-of-the-box” configuration:

python Honey.py

You will now see the HoneyPy console:

[Screenshot: HoneyPy Console]

Next, at the HoneyPy console prompt type start and hit enter, and you are now running a HoneyPy honeypot!

[Screenshot: Starting HoneyPy]

[asciinema recording: Starting and Stopping HoneyPy (recorded by foospidy)]

Note: When running HoneyPy in console mode you may lose your terminal session, and when the terminal session terminates so will HoneyPy. There are two ways to prevent this. The first is to run HoneyPy inside the terminal multiplexer screen ; to install screen on Debian run apt-get install screen . Alternatively, you can run HoneyPy in daemon mode using:

python Honey.py -d

The default setup is limited, so some configuration is needed. But before we dive into HoneyPy configuration we need to deal with running HoneyPy services on low ports. Notice the initial output above the HoneyPy banner:

Your service configuration suggests that you want to run on at least one low port!
To enable port redirection run the following ipt-kit (https://github.com/foospidy/ipt-kit) commands as root:
./ipt_set_tcp 7 10007
./ipt_set_udp 7 10007
./ipt_set_tcp 8 10008
./ipt_set_udp 8 10008
./ipt_set_tcp 23 10009
./ipt_set_tcp 24 1001

This is telling us that HoneyPy is configured to listen on low ports (ports below 1024). Binding a listener to a low port requires root privileges (strictly, the CAP_NET_BIND_SERVICE capability), but HoneyPy should run as a non-root user. Since there are many low-port services you might like to emulate, e.g. telnet, FTP, SSH, we need a way for HoneyPy to receive the connections arriving on those ports. This is done with iptables NAT rules that redirect traffic arriving on a low port to a high port that the unprivileged HoneyPy process can bind.

iptables can be complex to work with, so I've published a utility called ipt-kit to make this easier. In fact, the output noted above is exactly the set of ipt-kit commands needed to configure iptables for the current HoneyPy configuration.
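To make the low-port to high-port mapping concrete, here is an added shell example (mine, not HoneyPy's or ipt-kit's code) that turns lines in the format HoneyPy printed above into the iptables NAT rules they stand for, and rejects any mapping that does not go from a privileged port to an unprivileged one. It only prints the rules and never touches the firewall, so it is safe to run as a normal user. The exact rule form (a REDIRECT in the nat PREROUTING chain) is my assumption about what the ipt_set_tcp and ipt_set_udp helpers wrap; read those scripts before relying on it. The sample input lines are constructed from the output shown above.

```sh
#!/bin/sh
# Added example: translate ipt-kit style "ipt_set_tcp LOW HIGH" lines into
# the iptables NAT REDIRECT rules they stand for. Prints only; the running
# firewall is not modified, so this needs no root privilege.

# Constructed sample input, copied from the lines HoneyPy printed above its banner.
IPT_KIT_LINES='./ipt_set_tcp 7 10007
./ipt_set_udp 7 10007
./ipt_set_tcp 23 10009'

# redirect_rule PROTO LOW HIGH
# Print the iptables rule that redirects inbound PROTO traffic on LOW to HIGH.
# Returns 1 (and prints nothing) unless LOW is a privileged port (<1024) and
# HIGH is an unprivileged port that a non-root HoneyPy process can bind.
redirect_rule() {
    proto="$1"; low="$2"; high="$3"
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    [ "$low" -ge 1 ] 2>/dev/null && [ "$low" -lt 1024 ] || return 1
    [ "$high" -ge 1024 ] 2>/dev/null && [ "$high" -le 65535 ] || return 1
    # Assumed rule form: nat PREROUTING REDIRECT (what I expect ipt_set_tcp/udp wrap).
    printf 'iptables -t nat -A PREROUTING -p %s --dport %s -j REDIRECT --to-ports %s\n' \
        "$proto" "$low" "$high"
}

# translate_ipt_kit
# Read ipt_set_tcp / ipt_set_udp lines on stdin and emit one rule per line.
# Unknown commands and rejected port pairs are reported on stderr and skipped.
translate_ipt_kit() {
    while read -r cmd low high; do
        case "$cmd" in
            '') ;;                                   # blank line
            */ipt_set_tcp|ipt_set_tcp) redirect_rule tcp "$low" "$high" \
                || printf 'rejected: %s %s %s\n' "$cmd" "$low" "$high" >&2 ;;
            */ipt_set_udp|ipt_set_udp) redirect_rule udp "$low" "$high" \
                || printf 'rejected: %s %s %s\n' "$cmd" "$low" "$high" >&2 ;;
            *) printf 'skipping unrecognised line: %s\n' "$cmd" >&2 ;;
        esac
    done
}

# Stand-alone usage: show the rules for the sample above.
printf '%s\n' "$IPT_KIT_LINES" | translate_ipt_kit
```

One caveat when you apply the real rules: a REDIRECT in the PREROUTING chain only rewrites packets that arrive from the network, so a test connection from the honeypot host to its own port 23 will not be redirected. Test from another machine (or add a matching rule in the nat OUTPUT chain for local testing), and confirm the rules are in place with iptables -t nat -L PREROUTING -n .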

Below are the steps for using ipt-kit to configure iptables for HoneyPy. Note that modifying iptables does require root privilege, so you will need to run the ipt-kit commands as root.

1. Instead of copying and pasting the ipt-kit commands from the output noted above, HoneyPy can generate a script file for us. If you are still in the HoneyPy console, type quit to exit. Next run:

python Honey.py -ipt

This generates the file /tmp/honeypy-ipt.sh .

2. Download ipt-kit from https://github.com/foospidy/ipt-kit/archive/v1.1.tar.gz .

3. Extract ipt-kit to a directory of your choosing: tar -xzf v1.1.tar.gz .

4. Change directory to ipt-kit-v1.1 and copy honeypy-ipt.sh into the current directory: cp /tmp/honeypy-ipt.sh .

5. Run the script: ./honeypy-ipt.sh (this needs to be run with root privilege, so either run it as the root user or use sudo).

Now that we've updated iptables, we want the changes to persist even if the system is rebooted; run: ./ipt-survive-rebo

Page link: http://www.codesec.net/view/481619.html