This post will outline an effective and painless way to deploy a honey net, with the sole purpose of capturing live malware samples. This can be used to aid threat intelligence and gain a greater understanding about the propagation of malware.

It is important to note, that while this guide will aid in the collection of malware samples, the platform provided by the Modern Honey Network has a much greater scope. Additionally, this deployment will be used more as a data ingress point, that will be built upon using tools outside the Modern Honey Network.

Hierarchical overview

As the hierarchical overview shows, the honey net is a collection of nine servers, broken down by the cloud provider they are hosted on.
The operating system version is included because there are discrepancies in the deployment when other versions are used. While this setup would work on other versions, the most efficient path is the one depicted.

Modern Honey Network Server

Using both Linode and Digital Ocean was a conscious choice that came down largely to cost and speed of deployment. While the $5 offerings from both providers are sufficient for the honeypot nodes, the MHN server requires greater resources due to the volume of data it is likely to ingest.

The server used in this example is one of Digital Ocean’s basic $20 offerings, with a specification of 4 GB of memory and 2 CPUs.
This system also runs Ubuntu 18.04. A number of other operating systems are supported, but this guide follows the path found to be most effective.

If the intention is to use MHN for the dashboard it provides, a system with 8 GB+ of memory is recommended.

Installation

cd /opt/
sudo git clone https://github.com/pwnlandia/mhn.git
cd mhn/
sudo ./install.sh

Configuration

During the configuration prompts it is advisable to leave the base URL as the system's IP address. This comes from much trial and error when attempting to connect honeypots to MHN.

Should you wish to have multiple users access MHN, it would be good practice to add an email configuration. A service like MailGun allows SMTP accounts to be set up against a domain of your choosing. However, if the scope of this deployment is a single user, the admin account password can be changed manually through the configuration file.

===========================================================
MHN Configuration
===========================================================
Do you wish to run in Debug mode?: y/n n
Superuser email: [email protected]
Superuser password: 
Server base url ["http://1.2.3.4"]: 
Honeymap url ["http://1.2.3.4:3000"]:
Mail server address ["localhost"]: 
Mail server port [25]: 
Use TLS for email?: y/n n
Use SSL for email?: y/n n
Mail server username [""]: 
Mail server password [""]: 
Mail default sender [""]: 
Path for log file ["mhn.log"]: 

Honey Pot Deployment

As previously mentioned, the infrastructure for this honey net lives in both Digital Ocean and Linode. Some caveats have been encountered while deploying dionaea to both providers, so a few tweaks to the deployment scripts are needed to overcome them.

These can be cloned from GitHub and copied into the MHN deployment section. Fundamentally both scripts are the same; however, the Linode version includes additional steps to disable IPv6. This is required because there are issues connecting dionaea's hpfeeds to MHN while the host has both IPv4 and IPv6 addresses.

There are a few sections of the script that will need you to provide your own information.

HPFeeds

During the deployment of dionaea we want hpfeeds to be configured, as this is how MHN ingests the data from the honeypots. If the server base URL was left as the MHN server IP, this variable can remain as $HPF_SERVER. However, if a custom domain name was used, manually add the MHN server IP in this section, as there have been issues when attempting to use a domain name.

cat > /opt/dionaea/etc/dionaea/ihandlers-enabled/hpfeeds.yaml <<EOF
- name: hpfeeds
  config:
    # fqdn/ip and port of the hpfeeds broker
    server: "YOUR_MHN_SERVER_IP"
    # port: $HPF_PORT
    ident: "$HPF_IDENT"
    secret: "$HPF_SECRET"
    # dynip_resolve: enable to lookup the sensor ip through a webservice
    dynip_resolve: "http://canhazip.com/"
    # Try to reconnect after N seconds if disconnected from hpfeeds broker
    # reconnect_timeout: 10.0
EOF
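The heredoc above uses an unquoted delimiter, so an unset $HPF_IDENT or $HPF_SECRET is silently written out as an empty string and the sensor never authenticates to the broker. The following is an added example (not from the post or the MHN deploy scripts) that validates the values before writing hpfeeds.yaml, enforcing the post's advice to use the MHN server's IPv4 address rather than a domain name; the default port of 10000 is an assumption.

```shell
#!/bin/sh
# Added example: render dionaea's hpfeeds ihandler config only after checking
# the values the MHN deploy script is expected to export (HPF_IDENT, HPF_SECRET).

# is_ipv4 ADDR -> 0 if ADDR is a dotted-quad IPv4 address with octets 0-255
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# write_hpfeeds_config OUTFILE SERVER IDENT SECRET [PORT]
# Writes the YAML, or returns non-zero without touching OUTFILE when the
# inputs would produce a config that cannot connect to MHN.
write_hpfeeds_config() {
    out=$1; server=$2; ident=$3; secret=$4; port=${5:-10000}   # 10000: assumed MHN default
    if ! is_ipv4 "$server"; then
        echo "hpfeeds: server must be the MHN IPv4 address, got '$server'" >&2
        return 1
    fi
    if [ -z "$ident" ] || [ -z "$secret" ]; then
        echo "hpfeeds: HPF_IDENT/HPF_SECRET are empty; run this from the MHN deploy script" >&2
        return 1
    fi
    # printf with explicit arguments: nothing is expanded by accident, unlike an
    # unquoted heredoc, and the value written is exactly what was validated.
    printf '%s\n' \
        '- name: hpfeeds' \
        '  config:' \
        '    # fqdn/ip and port of the hpfeeds broker' \
        "    server: \"$server\"" \
        "    port: $port" \
        "    ident: \"$ident\"" \
        "    secret: \"$secret\"" \
        '    # Try to reconnect after N seconds if disconnected from hpfeeds broker' \
        '    reconnect_timeout: 10.0' > "$out"
}

# Usage from a deploy script:
#   write_hpfeeds_config /opt/dionaea/etc/dionaea/ihandlers-enabled/hpfeeds.yaml \
#       "$HPF_SERVER" "$HPF_IDENT" "$HPF_SECRET" || exit 1
```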

VirusTotal

By default, the VirusTotal connection will not be deployed by the generic script. While not a requirement, it can upload previously unknown samples to VirusTotal for analysis. Bear in mind that uploaded samples are shared with the VirusTotal community, and that the API key is written in plain text to the honeypot host.

cat > /opt/dionaea/etc/dionaea/ihandlers-enabled/virustotal.yaml <<EOF
- name: virustotal
  config:
    # grab it from your virustotal account at My account -> My API Key (https://www.virustotal.com/en/user/<username>/apikey/)
    apikey: "YOUR_VIRUSTOTAL_API"
    file: "var/lib/dionaea/vtcache.sqlite"
    comment: "This sample was captured in the wild and uploaded by the dionaea honeypot.\n#honeypot #malware #networkworm"
EOF

Bistream Management

Dionaea is very heavy in terms of the data it collects, and one of the main issues faced on a low-spec system is running out of storage space. To overcome this, the deployment script adds a clean-up script and schedules it using cron. It is important to note that this script can add a lot of overhead to the system, so running it only at the times listed is advised.

cat > /opt/bistream_script.sh <<EOF
#!/bin/bash
# Compress bistream files older than 6 hours (360 minutes); skip files already gzipped
find /opt/dionaea/var/lib/dionaea/bistreams/* -type f ! -name '*.gz' -mmin +360 -exec gzip {} \;
# Remove bistream files older than 12 hours (720 minutes); gzip keeps the original
# modification time, so compressed files age out on the same clock
find /opt/dionaea/var/lib/dionaea/bistreams/* -type f -mmin +720 -exec rm -rf {} \;
EOF

crontab -l | { cat; echo "0 * * * * /bin/bash /opt/bistream_script.sh"; } | crontab -

Linode IPv6

As previously mentioned, there are issues when trying to run dionaea on a system that has both IPv4 and IPv6 addresses. To mitigate this, the following section of the script disables IPv6 prior to the installation.

# Disable ipv6
# Note: this replaces /etc/sysctl.conf rather than appending to it
cat > /etc/sysctl.conf <<EOF
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF
# Apply the new settings now rather than waiting for a reboot
sudo sysctl -p

# Keep sshd listening on IPv4 only
echo 'AddressFamily inet' | sudo tee -a /etc/ssh/sshd_config

Dionaea Config

This final section also reduces the amount of storage dionaea uses. By default, dionaea’s logs are rather verbose, which fills the disk quickly. To get the system stood up quickly, the config is rewritten to log only errors.

cat > /opt/dionaea/etc/dionaea/dionaea.cfg <<EOF
[dionaea]
download.dir=var/lib/dionaea/binaries/
modules=curl,python,nfq,emu,pcap
processors=filter_streamdumper,filter_emu
listen.mode=getifaddrs
# listen.addresses=127.0.0.1
# listen.interfaces=eth0,tap0
# Use IPv4 mapped IPv6 addresses
# It is not recommended to use this feature, try to use native IPv4 and IPv6 addresses
# Valid values: true|false
# listen.use_ipv4_mapped_ipv6=false
# Country
# ssl.default.c=GB
# Common Name/domain name
# ssl.default.cn=
# Organization
# ssl.default.o=
# Organizational Unit
# ssl.default.ou=
[logging]
default.filename=var/log/dionaea/dionaea.log
default.levels=error
default.domains=*
errors.filename=var/log/dionaea/dionaea-errors.log
errors.levels=error
errors.domains=*
[processor.filter_emu]
name=filter
config.allow.0.protocols=smbd,epmapper,nfqmirrord,mssqld
next=emu
[processor.filter_streamdumper]
name=filter
config.allow.0.types=accept
config.allow.1.types=connect
config.allow.1.protocols=ftpctrl
config.deny.0.protocols=ftpdata,ftpdatacon,xmppclient
next=streamdumper
[processor.streamdumper]
name=streamdumper
config.path=var/lib/dionaea/bistreams/%Y-%m-%d/
[processor.emu]
name=emu
config.limits.files=3
#512 * 1024
config.limits.filesize=524288
config.limits.sockets=3
config.limits.sustain=120
config.limits.idle=30
config.limits.listen=30
config.limits.cpu=120
#// 1024 * 1024 * 1024
config.limits.steps=1073741824
[module.nfq]
queue=2
[module.nl]
# set to yes in case you are interested in the mac address of the remote (only works for lan)
lookup_ethernet_addr=no
[module.python]
imports=dionaea.log,dionaea.services,dionaea.ihandlers
sys_paths=default
service_configs=etc/dionaea/services-enabled/*.yaml
ihandler_configs=etc/dionaea/ihandlers-enabled/*.yaml
[module.pcap]
any.interface=any
EOF

Once the first dionaea instance has been deployed, you should start to see attack data in both the MHN dashboard and your threat map. After an hour or so, attack data will be visible in MHN, showing the source and the payloads received.
We can build upon this with a malware vault: a central store for the samples collected by dionaea. There is also future scope for automated classification of captured samples.
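As an added example (not from the post), a minimal ingest step for such a vault: it takes the files dionaea writes to its download.dir (/opt/dionaea/var/lib/dionaea/binaries/ with the config above), stores each one once under its SHA-256, strips execute permissions, and records which sensor saw it in a manifest so the same sample captured by several honeypots is not duplicated. The directory layout and manifest columns are this example's own choices.

```shell
#!/bin/sh
# Added example: content-addressed ingest of dionaea samples into a vault.

# ingest_samples SRC_DIR VAULT_DIR SENSOR
# Copies each regular file in SRC_DIR to VAULT_DIR/samples/<sha256> unless that
# hash is already present, appends one manifest row per sighting, and prints
# the number of samples that were new to the vault.
ingest_samples() {
    src=$1; vault=$2; sensor=$3
    manifest=$vault/manifest.csv
    mkdir -p "$vault/samples"
    [ -f "$manifest" ] || echo "sha256,sensor,original_name,size_bytes,ingested_utc" > "$manifest"
    new=0
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        name=$(basename "$f")
        dest=$vault/samples/$sum
        if [ ! -f "$dest" ]; then
            cp "$f" "$dest"
            chmod 0400 "$dest"   # read-only and never executable inside the vault
            new=$((new + 1))
        fi
        # Every sighting is recorded, even for a sample already in the vault,
        # so the manifest shows how widely a given payload is being spread.
        printf '%s,%s,%s,%s,%s\n' "$sum" "$sensor" "$name" "$size" \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$manifest"
    done
    echo "$new"
}

# has_sample VAULT_DIR SHA256 -> 0 if that sample is stored in the vault
has_sample() {
    [ -f "$1/samples/$2" ]
}

# Usage on a sensor, e.g. from the same hourly cron job as the bistream clean-up:
#   ingest_samples /opt/dionaea/var/lib/dionaea/binaries /srv/vault "$(hostname)"
```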
