Eric Gearhart

Virtual Threat Contributing Writer

In this “Virtual Threat” how-to article, I’ll discuss the ins and outs of setting up a Dionaea honeypot. For those unfamiliar with the term, a honeypot at its core is a “computer system expressly set up to attract and ‘trap’ people who attempt to penetrate other people’s computer systems.”

A boatload of pre-built honeypots have been created over the years, first from the wonderful hacking novel “A Cuckoo’s Egg,” where Clifford Stoll basically allowed a hacker to breeze through the entirety of Berkeley’s network unchecked, to more recently Honeyd, Kippo (which is focused on providing specifically an SSH honeypot), to nepenthes, which Dionaea is meant to be a successor to.

The entire point of honeypots is the discovery of unknown new attack vectors… honeypots such as Kippo can go as far as simulating a real SSH shell for the script kidde attacker, automatically downloading and saving off any code the attacker tries to download (for further analysis by the researcher who is running the honeypot) and logging every single command the attacker runs.

One can only imagine how interesting and informative the detailed logging of an attacker’s sessions could be, and the Dionaea realizes many of the things one can imagine. Dionaea will save binaries that are uploaded to ‘fake’ services it hosts, it will save pcaps of interesting traffic, and complete logging into a sqlite database (accessible via easy to use Python scripts) are all baked-in features. Another nice aspect of Dionaea are traffic graphs that are easily built using scripts that come with Dionaea’s source.:

This particular graph is an analysis of specifically smb data, and indicates that shellcode and file offers have been uploaded to my honeypot. The binaries of each of these transfers were all captured by Dionaea, and I ran the binaries through VirusTotal. Every one of them are a Trojan horse of some kind.

Ordinarily, setting up a honeypot at your own house can be a somewhat laborious task… building a system dedicated to running the honeypot software, getting the OS installed, exposing it to the Internet, leaving the “box” up 24/7 using power from your house and making noise… as one can imagine this is quite a bit of trouble just in the name of some cursory academic interest in watching hackers. Fortunately nowadays with the advent of “cloud computing” (which is really just at its essence a harkening back to the old time shared system days), slinging a Linux box onto the Internet is as easy as pointing and clicking. With some added work and elbow grease, standing up a Honeypot is as easy as following a few steps in a tutorial, at minimal cost. The honeypot I build on Joyent’s servers costs me all of $20 a month. So without further ado, let’s get to it!

For this tutorial I have built from scratch a Joyent VM, in their US East datacenter. I used Joyent’s pre-built VM image of Debian 6.03, which is conveniently named “debian-6.03.”

For the size I simply picked their smallest option, “Extra Small,” which gives you 512 megs of RAM and 15 gigs of hard drive space for $.03 cents an hour… plenty of room for what we’re doing.

After the VM is provisioned, the next step is to ssh out to the VM and do an ‘apt-get update’ and an ‘apt-get upgrade’ so that the VM is completely up to date. Right off the bat I had 60 packages to update:

After a reboot into the new kernel that was just updated we’re good to go, so from here on out we’re basically following the Dionaea installation guide (which is somewhat hairy and detailed, hence this howto). The guide is located here: http://dionaea.carnivore.it/#compiling and I’m essentially following the ‘Ubuntu’ instructions, with some tweaks because of missing packages that Debian does not have by default in it repositories.

So first of all we need to install some packages, for the various dependencies Dionaea has (copy the following text and paste it into an ssh session you’ve established to your Joyent VM):

apt-get –yes install libglib2.0-dev libssl-dev \ libcurl4-openssl-dev \ libreadline-dev libsqlite3-dev python-dev \ libtool automake autoconf build-essential \ subversion git-core flex bison pkg-config gnuplot

If you’ve pasted it in correctly, Debian should go ahead and automatically install a collection of packages. Now let’s get to the Dionaea prerequisites!

The first dependency is liblcfg… for this we’ll make a directory to store the source code for all this stuff (in /opt/dionaea/src) we’ll pull down a bunch of source code and we’ll build all the dependencies needed.

mkdir /opt/dionaea mkdir /opt/dionaea/src cd /opt/dionaea/src

The first thing we’ll install is liblcfg, from carnivore.it (makers of Dionaea):

git clone git://git.carnivore.it/liblcfg.git liblcfg cd liblcfg/code autoreconf -vi ./configure –prefix=/opt/dionaea make install cd ../..

Next up is libemu, also from carnivore.it:

git clone git://git.carnivore.it/libemu.git libemu cd libemu autoreconf –vi ./configure –prefix=/opt/dionaea make install cd ..

Next up to install is libnl (this differs from the carnivore.it instructions, because the git repository in their instructions is apparently broken):

git clone https://github.com/tgraf/libnl.git cd libnl autoreconf -vi export LDFLAGS=-Wl,-rpath,/opt/dionaea/lib ./configure –prefix=/opt/dionaea make make install cd ..

Next is libev:

mkdir libev cd libev wget http://dist.schmorp.de/libev/Attic/libev-4.04.tar.gz tar xfz libev-4.04.tar.gz cd libev-4.04 ./configure –prefix=/opt/dionaea make install cd ../..

We’re basically done with the custom Dionaea dependencies, so now we’re going to “roll our own” build of Python, specifically Python 3.2, for Dionaea to use.

mkdir python-3.2 cd python-3.2 wget http://www.python.org/ftp/python/3.2.2/Python-3.2.2.tgz tar xfz Python-3.2.2.tgz cd Python-3.2.2/ ./configure –enable-shared –prefix=/opt/dionaea \ –with-computed-gotos –enable-ipv6 \ LDFLAGS=”-Wl,-rpath=/opt/dionaea/lib/ -L/usr/lib/x86_64-linux-gnu/” make make install cd ../..

Now per the instructions we need to build Cython:

mkdir cython cd cython wgethttp://cython.org/release/Cython-0.15.tar.gz tar xfz Cython-0.15.tar.gz cd Cython-0.15 /opt/dionaea/bin/python3 setup.py install cd ../..

Almost done, next we’re going to build udns:

mkdir /opt/dionaea/src/udns cd /opt/dionaea/src/udns wget http://www.corpit.ru/mjt/udns/old/udns_0.0.9.tar.gz tar xfz udns_0.0.9.tar.gz cd udns-0.0.9/ ./configure make shared cp udns.h /opt/dionaea/include/ cp *.so* /opt/dionaea/lib/ cd /opt/dionaea/lib ln -s libudns.so.0 libudns.so cd /opt/dionaea/src

Finally, we’re going to build a specific version of libpcap:

mkdir /opt/dionaea/src/libpcap cd /opt/dionaea/src/libpcap wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz tar xfz libpcap-1.1.1.tar.gz cd libpcap-1.1.1 ./configure –prefix=/opt/dionaea make make install cd ../..

OK, so now at this point all the dependencies for Dionaea should be built and installed in the right places. As a final step, we’re going to build and install Dionaea itself:

git clone git://git.carnivore.it/dionaea.git dionaea cd dionaea autoreconf -vi ./configure –with-lcfg-include=/opt/dionaea/include/ \ –with-lcfg-lib=/opt/dionaea/lib/ \ –with-python=/opt/dionaea/bin/python3.2 \ –with-cython-dir=/opt/dionaea/bin \ –with-udns-include=/opt/dionaea/include/ \ –with-udns-lib=/opt/dionaea/lib/ \ –with-emu-include=/opt/dionaea/include/ \ –with-emu-lib=/opt/dionaea/lib/ \ –with-gc-include=/usr/include/gc \ –with-ev-include=/opt/dionaea/include \ –with-ev-lib=/opt/dionaea/lib \ –with-nl-include=/opt/dionaea/include \ –with-nl-lib=/opt/dionaea/lib/ \ –with-curl-config=/usr/bin/ \ –with-pcap-include=/opt/dionaea/include \ –with-pcap-lib=/opt/dionaea/lib/ make make install

If you’ve copied and pasted all these commands and everything has built correctly (which it all should… I tested this entire howto on a clean VM I stood up on Joyent), then congratulations! You now have a Dionaea honeypot set up. The next steps involve starting the Dionaea service and ensuring it’s receiving traffic. I’ll also briefly go over building the traffic charts, and reading from the Dionaea logs.

Starting the Dionaea daemon

Starting Dionaea is quite simple:

cd /opt/dionaea/bin ./dionaea -D

By ‘tailing’ the output of the Dionaea logs, we can see that it started successfully:

tail /opt/dionaea/var/log/dionaea.log

Doing a ‘netstat’ we can see that Dionaea is listening on a number of different ports as well (note all the ports with state “LISTEN” and the PID/Program name of Dionaea):

netstat -plant

Checking Dionaea Logs

Aside from just tailing dionaea.log, there is a utility provided that queries the Dionaea internal sqlite database that allows you to see connections from particular IP addresses. The following command shows connections from the last 24 hours:

/opt/dionaea/bin/python3 /opt/dionaea/bin/readlogsqltree \ -t $(date ‘+%s’)-24*3600 /opt/dionaea/var/dionaea/logsql.sqlite

On my test VM that I just built, there haven’t been any connections yet, but on the Dionaea VM that has been up for 3 months there are 60 connections from the last 24 hours.

Building Dionaea graphs, and viewing the graphs

Before we go ahead and build the graphs, first we need to install the Apache web server and configure it to listen on a non-standard port (because our honeypot is already listening on the common web ports!)

First we need to install the Apache packages (it will fail to start and there will be an error, that’s OK):

apt-get –yes install apache2

Then we need to modify the port Apache listens on and start Apache:

cd /etc/apache2 cp ports.conf ports.conf.original cat ports.conf.original | sed ‘s/Listen 80/Listen 8000/’ > ports.conf mkdir /etc/apache2/htdocs chown www-data /etc/apache2/htdocs /etc/init.d/apache2 start

Next we change over to where the web content is stored, and we’re going to build our graphs. The graphs are by default put into /tmp/dionaea-gnuplot

cd /etc/apache2/htdocs /opt/dionaea/bin/python3 \ /opt/dionaea/src/dionaea/modules/python/util/gnuplotsql.py \ -d /opt/dionaea/var/dionaea/logsql.sqlite \ -p smbd -p epmapper -p mssqld -p httpd -p ftpd

After the command runs, we need to move the content that was created over to the web directory:

mv /tmp/dionaea-gnuplot/* .

At this point, if you do an ‘ifconfig eth0’ on your Joyent VM and note the public IP that was assigned, you should be able to open a web browser and point it at http://<Your VM IP>:8000/ and see graphs from Dionaea

Other Interesting Stuff

There is some interesting stuff under /opt/dionaea/var/dionaea – for example, under /opt/dionaea/var/dionaea/binaries, any binaries that Dionaea ‘captures’ from remote attackers are stored. Running ‘file’ on these binaries usually reveals that these are “PE32 executable for MS Windows (GUI) Intel 80386 32-bit” or “MS-DOS executable, MZ for MS-DOS.” I pulled down the binaries on my honeypot, uploaded them to VirusTotal.com and this revealed that they were all various different types of Trojans. The next step would be to build Windows VMs and attempt running the exes.

Q and A

Q: Can this same VM be implemented on Amazon’s EC2?

A: This is entirely possible, but I wanted to try out Joyent’s services, and there is already talk on the interwebs that honeypots in general are a violation of Amazon’s Terms of Service (see the discussion here for more details: http://www.reddit.com/r/netsec/comments/11yezx/want_to_setup_a_honeypot_for_free_to_log/)

I deliberately chose Joyent because they’re more of an “off beat” cloud provider, so at least if one were to be “busted” by Joyent it wouldn’t jeopardize any Amazon services.