Tips for an Information Security Analyst/Pentester career - Ep. 55: Deception (Honeypots)
In the last three posts we've dealt with detection of a Meterpreter payload.
Let's now see how we can use deception to fool our attackers, by developing a honeypot (if you don't know what I'm talking about, check the link for a definition of this term).
For the purposes of this tutorial, I'm going to use a custom Linux distribution based on Xubuntu, called Honeydrive, which includes several honeypots already pre-installed and configured.
I'm going to analyze a very popular honeypot, called Dionaea.
Once you've downloaded the OVA file, you can run the VM it contains through VirtualBox or VMware.
Once the VM has booted up, all its configurations are explained in the README.txt file, located on the desktop.
After starting the honeypot by running its start script, I performed an Nmap scan from Kali Linux to see what would be detected on the other end.
Problem
Sadly, the default configuration for Dionaea isn't stealthy enough, and Nmap detected it immediately.
Its creator doesn't have the time or resources to play this cat-and-mouse game between Dionaea and software like Nmap, which constantly updates its signatures.
Solution
The first thing we want to do is change the MAC address of the network adapter, so our honeypot isn't immediately recognizable as a VM.
For this purpose, we need to go to Settings/Network Adapter/Advanced Settings (it's pretty much the same both in VMware and VirtualBox).
We want to change the first three octets of the MAC address, so that they match the organizationally unique identifier (OUI) of a specific manufacturer, as shown here.
We might also want to change the default username and password (honeydrive:honeydrive), as they're too revealing.
Nmap signatures and detection
The problem with Dionaea can be solved by understanding how Nmap detects a specific service and performing some changes to the honeypot configuration files.
First of all, we need to stop the honeypot by killing its related processes (use ps -ef | grep -i dionaea | grep -v grep to find their PIDs, then stop them with the kill command).
We can see how Nmap fingerprints the services running on the target machine with the command cat /usr/share/nmap/nmap-service-probes | grep -i Dionaea, which produces the following output:
Deception through tweaking
a) FTP
Going to /opt/dionaea/lib/dionaea/python/dionaea/ftp.py, we can change the settings related to the FTP server.
Nmap raises a red flag when it detects the "Welcome to the FTP service" string, so we can change it to something different. I changed it here to VSFTPD 3.0.3.
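As an added example (not from the original post or the Dionaea project), here is a small Python checker that parses match lines written in nmap-service-probes syntax and tests candidate FTP banners against them, showing why the default "Welcome to the FTP service" greeting gets fingerprinted as a honeypot while a vsFTPd-style greeting does not. The probe excerpt and the exact vsFTPd banner format are constructed for the example; compare against the real lines in your own /usr/share/nmap/nmap-service-probes.

```python
import re

# Excerpt in nmap-service-probes syntax, constructed for this example (not the real file).
# The first match line mimics the kind of banner check that flags Dionaea's default FTP greeting.
SAMPLE_PROBES = r"""
Probe TCP NULL q||
match ftp m|^220 Welcome to the FTP service\r\n| p/Dionaea honeypot ftpd/
match ftp m|^220 \(vsFTPd (\d[\d.]+)\)\r\n| p/vsftpd/ v/$1/
"""

# match/softmatch <service> m<delim>regex<delim>[flags] <fields...>
MATCH_RE = re.compile(r"^(soft)?match\s+(\S+)\s+m(.)(.*?)\3([is]*)(.*)$")
PRODUCT_RE = re.compile(r"\bp/([^/]*)/")  # p/.../ is the product name field

def parse_probes(text):
    """Return a list of (service, compiled_regex, product) from match lines."""
    sigs = []
    for line in text.splitlines():
        m = MATCH_RE.match(line.strip())
        if not m:
            continue  # Probe, ports, comments: not needed here
        _soft, service, _delim, pattern, flags, rest = m.groups()
        re_flags = (re.IGNORECASE if "i" in flags else 0) | (re.DOTALL if "s" in flags else 0)
        prod = PRODUCT_RE.search(rest)
        # Banners are raw bytes on the wire, so compile the pattern as bytes.
        sigs.append((service, re.compile(pattern.encode(), re_flags), prod.group(1) if prod else ""))
    return sigs

def identify(banner, sigs):
    """Return (service, product) for the first signature the banner matches, or None."""
    for service, rx, product in sigs:
        if rx.search(banner):
            return service, product
    return None

def flags_honeypot(banner, sigs):
    """True if the banner is fingerprinted as a product whose name contains 'honeypot'."""
    hit = identify(banner, sigs)
    return hit is not None and "honeypot" in hit[1].lower()

# Dionaea's default greeting (from the post) and a vsFTPd-style replacement
# (the exact vsFTPd banner format is an assumption).
DEFAULT_FTP = b"220 Welcome to the FTP service\r\n"
TWEAKED_FTP = b"220 (vsFTPd 3.0.3)\r\n"

if __name__ == "__main__":
    sigs = parse_probes(SAMPLE_PROBES)
    for banner in (DEFAULT_FTP, TWEAKED_FTP):
        verdict = "HONEYPOT FLAGGED" if flags_honeypot(banner, sigs) else "looks like a normal service"
        print(banner, "->", identify(banner, sigs), verdict)
```

Feeding the real nmap-service-probes file into parse_probes is a quick way to verify every banner your honeypot emits before exposing it.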
b) MS SQL
Going to /opt/dionaea/lib/dionaea/python/dionaea/mssql/mssql.py, we need to change the highlighted string from 0x00 to something else.
c) SMB:
Going to /opt/dionaea/lib/dionaea/python/dionaea/smb/include/smbfields.py, we need to change two strings to something different: "WORKGROUP", under OemDomainName, and "HOMEUSER-3AF6FE", under ServerName.
d) HTTP
I created a default HTML page using source code taken from an existing website.
I copied said source code to /opt/dionaea/var/dionaea/wwwroot/index.html.
Final result
We can now restart our honeypot and perform a new Nmap scan with Kali Linux.
This time around, no service is detected as a Dionaea honeypot any longer.
We're now ready to use our honeypot in order to deceive and study any potential attackers.