Glutton 1.0 Release

23 Sep 2023 Lukas Rist honeypot glutton

I’d like to announce the 1.0 release of the server-side, low-interaction honeypot Glutton!

We have built Glutton as a versatile honeypot, capable of receiving any network traffic by accepting connections on any port. Being very easy to adapt and extend, Glutton is a fantastic tool to understand network threats.

GSOC 2020 PROJECT SUMMARY: HosTaGe

29 Sep 2020 Irini Lygerou honeypot mobile mobile-hostage

HosTaGe: a mobile honeypot

Why I chose this project

I am passionate about Network Security, Cybersecurity, and programming, and I wanted to get involved with a project that includes it all.

The HosTaGe project drew my attention because I found the idea really fascinating that any Android device can be turned into a honeypot and transformed into an essential tool for attack detection.

I wanted to work on this project because it allowed me to improve this new generation of mobile honeypots and consequently improve the security of the internet in general.

Dionaea honeypot: from Conficker to WannaCry + SambaCry CVE 2017-7494

30 May 2017 Roberto Tanara dionaea honeypot sambacry wannacry

This is a contribution by Tan Kean Siong; follow him on Twitter @gento_.

The open source honeypot Dionaea has supported SMB for a long time, but it lacked support for the SMB vulnerability exploited by the recent WannaCry ransomware and for the most recent Samba RCE vulnerability CVE 2017-7494, dubbed “SambaCry”, both of which are wormable attacks. With the recent changes, both attack vectors are supported and the respective samples have been caught in the wild.

Dionaea is a low interaction, server side honeypot which emulates a vulnerable system or device. Its ultimate goal is to obtain a copy of the malware. It supports various protocols and network stacks, e.g. SMB, HTTP, FTP, TFTP, MSSQL, MySQL and SIP (VoIP). Recently it also gained support for emulating an IoT device, SmartTV or XBOX with the UPnP and MQTT protocols enabled. Dionaea was created back in the years of the Conficker worm, and yet its solid SMB network stack proved useful in 2017 for the WannaCry worm hunt across the Internet.

Initial analysis of four million login attempts

09 Sep 2016 Johnny Vestergaard analysis heralding honeypot

Introduction

This blog post is a follow-up to an earlier article, where I set out to conceive a system that could deliver the data needed to answer 5 specific questions.

The setup

To provide the data needed for this analysis, my setup consisted of 4 VPS situated respectively at Amazon EC2, Azure, MeeBox and a Danish ISP end-user connection. Even though the same 4 VPS were used throughout the data collection, 6 different IP addresses were used for the honeypots; the reason for this was that one of the honeypots had a dynamically assigned IP address. As mentioned in an earlier article, all honeypots were running Heralding. The technical setup was automated with Ansible.

Heralding - the credentials catching honeypot

23 Mar 2016 Johnny Vestergaard heralding honeypot

Sometimes (actually, most times) you don’t need advanced deception technology, but rather just a simple tool to answer some simple questions. I was recently in that situation, and needed the answers to the following questions:

  • Which protocols does my adversary try to brute-force?

  • Which username and password did he use?

  • At which speed did he brute-force?

  • Where did he proxy from?

  • What time of day did he brute-force?

To answer these questions, I needed a tool that would output something similar to:

Improved logging capabilities of dionaea

14 Dec 2015 Stanislav Barta dionaea frontend honeypot

Hello,

recently I made forks of dionaea and DionaeaFR. The changes I made are related to remote logging to a relational database. The Dionaea honeypot can now log remotely to a PostgreSQL database. In the DionaeaFR frontend I had to make some changes so it could support reading data from PostgreSQL.

Links are github.com/GovCERT-CZ/dionaea and github.com/GovCERT-CZ/DionaeaFR.

I think that someone could use this, so I wrote this post.

Have a nice day,

Stanislav Bárta

GovCERT.CZ (member of the Czech Chapter)

Frontends for shockpot and wordpot

04 Dec 2015 Stanislav Barta frontend honeypot shockpot wordpot

Hello,

recently I published forks of shockpot and wordpot on GitHub.

These new versions include support for logging to a PostgreSQL database. I also created two frontends: one for shockpot, named Shockpot-Frontend, and a second for wordpot, named Wordpot-Frontend. Both frontends are based on the great tool Kippo-Graph. You can also find them on GitHub. Links are github.com/GovCERT-CZ/Shockpot-Frontend and github.com/GovCERT-CZ/Wordpot-Frontend.

These frontends require the honeypot data to be stored in a PostgreSQL database, and that’s why I made forks of those honeypots.

Conpot 0.5.0 released

13 Nov 2015 Lukas Rist conpot honeypot ics scada

The Conpot development team is proud to announce the 0.5.0 release. Highlights of this release are the support for two new protocols and one additional device. Peter Soóky made a major contribution with support for the BACnet protocol, which is used for building automation and control networks, and support for IPMI, which is an interface to a computer subsystem that provides management and monitoring capabilities independently of the host system’s CPU, firmware and operating system (consider the insights you can get from someone exploiting this). As mentioned in an earlier blog post, we also added support to emulate a Guardian AST device. This is based on the research by Kyle Wilhoit and Stephen Hilt.
Another goal of this release was to improve the ease of deployment. Therefore we added a Docker container template. Thanks to our contributors, we also have documentation on how to run Conpot on CentOS.
To avoid some easy fingerprinting, we added the feature to modify the MAC address of the interface Conpot is listening on. So now your hardware address can match the device manufacturer you intend to emulate.
As with every other release, we tried to improve our test coverage and code quality in order to increase the honeypot’s stability.

Gas Tank Monitoring System Honeypot

09 Sep 2015 Lukas Rist conpot honeypot ics

The Conpot team is closely following the latest developments in honeypot research and the methods and technologies used. If you look at the topics presented at security conferences, you might also have noticed an increased interest in ICS security and honeypot technologies in the last two years. One presentation from this year’s Blackhat’15 conference caught my attention, also because I knew the previous research done by Kyle and Stephen: “The little pump gauge that could: Attacks against gas pump monitoring systems” [link]. If you are interested in their findings, I recommend their white paper: “The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems” [link, pdf] by Kyle Wilhoit and Stephen Hilt from Trend Micro’s Forward-Looking Threat Research team.

Get STIX Reports from ICS Honeypot Conpot

06 Aug 2014 Lukas Rist conpot honeypot ics scada stix taxii

The team working on the ICS/SCADA honeypot Conpot just merged more mature support for STIX (Structured Threat Information eXpression) formatted reporting via TAXII (Trusted Automated eXchange of Indicator Information) into the master branch on GitHub.

STIX allows us to represent event sessions captured by the honeypot in a structured format, which eases the integration of Conpot into existing consumer (e.g. SIEM) infrastructures.

By transforming an arbitrary honeypot event into a schema-defined format, we are able to communicate an incident in a language which is also understandable by someone not trained in interpreting industrial protocol messages.