Verify Status of All Honeypot Deployment Scripts #5

Closed
14 tasks done
wrharding opened this issue Jan 17, 2022 · 21 comments
@wrharding

wrharding commented Jan 17, 2022

List information on the deployment attempts on CentOS 6 and Ubuntu 18/20 for the following honeypots:

  • Amun
  • Conpot
  • Cowrie
  • Dionaea
  • Elastichoney
  • Drupot
  • Glastopf
  • Kippo
  • Magenpot
  • p0f
  • Shockpot
  • Snort
  • Suricata
  • Wordpot
@wrharding wrharding self-assigned this Jan 17, 2022
@wrharding

wrharding commented Jan 18, 2022

Suricata:

Currently fails on any deployment. See #4.

Since Suricata 2.0 is not supported anymore, an update to 5.x or newer is needed. Also of note, MHN utilizes a repo forked from the official Suricata repo with a custom branch that hasn't been updated in almost 8 years: https://github.com/wrharding/suricata/tree/hpfeeds-support

@wrharding

Amun

MHN's fork of Amun hasn't been updated in 8 years. It currently fails to install on Ubuntu because of a file increase attempt. In my Ubuntu testing, this number was already at 9223372036854775807, so perhaps this can be removed from the deployment script. More testing needed.

Pwnlandia has an outdated fork of Amun but the deployment script utilizes http://github.com/zeroq/amun.

@wrharding

More testing needed.

Confirmed on CentOS 6 and Ubuntu 18.04/20.04

Fixed in pwnlandia/pull/838

@wrharding

Noteworthy list of supported honeypots:

https://github.com/pwnlandia/mhn/wiki/List-of-Supported-Sensors

    Amun (Ubuntu 14.04/16.04)
    Cowrie (Ubuntu 16.04)
    Conpot (Ubuntu 14.04/16.04)
    Dionaea (Ubuntu 14.04, Centos 7, Raspberry Pi)
    ElasticHoney (Ubuntu 14.04/16.04)
    Glastopf (Ubuntu 14.04/16.04)
    p0f (Ubuntu 14.04/16.04)
    Shockpot (Ubuntu 14.04/16.04)
    Snort (Ubuntu 14.04/16.04)
    Suricata (Ubuntu 14.04/16.04)
    Wordpot (Ubuntu 14.04/16.04)

@wrharding wrharding moved this from Todo to In Progress in Modern Honey Network v2 Jan 18, 2022
@wrharding

Fixed in pwnlandia/pull/838

Local issue #6 for project tracking

@wrharding

Conpot

Completed on Ubuntu 16.04 and 18.04. No support for CentOS/RHEL.

@wrharding

Conpot currently supports Python 3.6 only:
https://conpot.readthedocs.io/en/latest/installation/install.html

However, MHN is specifically installing the last version that supports Python 2:

pip install -e git+https://github.com/mushorg/conpot.git@Release_0.5.2#egg=conpot-dev

I don't see why MHN can't update to the newest Conpot version (it will have to be referenced by GitHub; the latest release version is years out of date).

@wrharding

Cowrie

Currently installs successfully but cannot be started by supervisorctl.

2023-04-08 20:42:29,396 CRIT Supervisor running as root (no user in config file)
2023-04-08 20:42:29,397 WARN No file matches via include "/etc/supervisor/conf.d/*.conf"
2023-04-08 20:42:29,403 INFO RPC interface 'supervisor' initialized
2023-04-08 20:42:29,403 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2023-04-08 20:42:29,403 INFO supervisord started with pid 3232
2023-04-08 20:42:52,139 INFO spawned: 'cowrie' with pid 8400
2023-04-08 20:42:52,362 INFO exited: cowrie (exit status 0; not expected)
2023-04-08 20:42:53,364 INFO spawned: 'cowrie' with pid 8412
2023-04-08 20:42:53,529 INFO exited: cowrie (exit status 0; not expected)
2023-04-08 20:42:55,532 INFO spawned: 'cowrie' with pid 8418
2023-04-08 20:42:55,701 INFO exited: cowrie (exit status 0; not expected)
2023-04-08 20:42:58,705 INFO spawned: 'cowrie' with pid 8424
2023-04-08 20:42:58,874 INFO exited: cowrie (exit status 0; not expected)
2023-04-08 20:42:59,876 INFO gave up: cowrie entered FATAL state, too many start retries too quickly
2023-04-08 20:47:17,629 INFO spawned: 'cowrie' with pid 8483
2023-04-08 20:47:17,803 INFO exited: cowrie (exit status 0; not expected)
2023-04-08 20:47:18,805 INFO spawned: 'cowrie' with pid 8489
2023-04-08 20:47:18,975 INFO exited: cowrie (exit status 0; not expected)
2023-04-08 20:47:20,983 INFO spawned: 'cowrie' with pid 8495
2023-04-08 20:47:21,152 INFO exited: cowrie (exit status 0; not expected)
2023-04-08 20:47:24,156 INFO spawned: 'cowrie' with pid 8501
2023-04-08 20:47:24,329 INFO exited: cowrie (exit status 0; not expected)
2023-04-08 20:47:25,331 INFO gave up: cowrie entered FATAL state, too many start retries too quickly

Cowrie's only requirements are Python 3.8+ and the python virtual environment, but the script installs the python package, which defaults to python 2.7 in Ubuntu 18.04.

https://github.com/cowrie/cowrie#requirements

However, the install script specifies the following commit: cowrie/cowrie@34f8464

https://github.com/wrharding/mhn/blob/master/scripts/deploy_cowrie.sh#L35

Additionally, most of the requirements specified have not been pinned to a specific version. At this point, it may be easier to update the install script to include the latest version of Cowrie rather than trying to hunt down the compatible versions of the requirements.
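As an added example (not code from the issue or from the MHN project), a small parser that runs over supervisord log lines like the excerpt above and flags programs stuck in a restart loop. The cowrie lines are copied from the excerpt; the p0f lines are constructed for contrast.

```python
import re
from collections import defaultdict

# supervisord event messages, as seen in the excerpt above. The status-0 exits are
# reported as "not expected" because the process died before supervisord's startsecs
# window elapsed, so it never reached RUNNING and supervisord kept retrying.
SPAWNED_RE = re.compile(r"spawned: '(?P<prog>[^']+)' with pid (?P<pid>\d+)")
EXITED_RE = re.compile(r"exited: (?P<prog>\S+) \(exit status (?P<status>\d+); (?P<expected>expected|not expected)\)")
RUNNING_RE = re.compile(r"success: (?P<prog>\S+) entered RUNNING state")
FATAL_RE = re.compile(r"gave up: (?P<prog>\S+) entered FATAL state")

# Cowrie lines copied from the issue's log; the p0f lines are constructed sample data.
SAMPLE_LOG = """\
2023-04-08 20:42:52,139 INFO spawned: 'cowrie' with pid 8400
2023-04-08 20:42:52,362 INFO exited: cowrie (exit status 0; not expected)
2023-04-08 20:42:53,364 INFO spawned: 'cowrie' with pid 8412
2023-04-08 20:42:53,529 INFO exited: cowrie (exit status 0; not expected)
2023-04-08 20:42:55,532 INFO spawned: 'cowrie' with pid 8418
2023-04-08 20:42:55,701 INFO exited: cowrie (exit status 0; not expected)
2023-04-08 20:42:58,705 INFO spawned: 'cowrie' with pid 8424
2023-04-08 20:42:58,874 INFO exited: cowrie (exit status 0; not expected)
2023-04-08 20:42:59,876 INFO gave up: cowrie entered FATAL state, too many start retries too quickly
2023-04-08 20:43:01,000 INFO spawned: 'p0f' with pid 8430
2023-04-08 20:43:02,010 INFO success: p0f entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
"""

def new_stats():
    return {"spawned": 0, "unexpected_exits": 0, "exit_statuses": set(), "running": 0, "fatal": 0}

def summarize_supervisor_log(text):
    """Count spawns, unexpected exits, RUNNING transitions and FATAL give-ups per program."""
    stats = defaultdict(new_stats)
    for line in text.splitlines():
        if m := SPAWNED_RE.search(line):
            stats[m["prog"]]["spawned"] += 1
        elif m := EXITED_RE.search(line):
            stats[m["prog"]]["exit_statuses"].add(int(m["status"]))
            if m["expected"] == "not expected":
                stats[m["prog"]]["unexpected_exits"] += 1
        elif m := RUNNING_RE.search(line):
            stats[m["prog"]]["running"] += 1
        elif m := FATAL_RE.search(line):
            stats[m["prog"]]["fatal"] += 1
    return dict(stats)

def crash_looping(stats, min_unexpected=3):
    """Programs that gave up (FATAL) or died unexpectedly at least min_unexpected times."""
    return sorted(p for p, s in stats.items()
                  if s["fatal"] or s["unexpected_exits"] >= min_unexpected)
```

Run over a real `/var/log/supervisor/supervisord.log`, `crash_looping` gives a quick list of sensors whose deployment script produced a service that never stayed up.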

@wrharding

Cowrie issues tracked in #7

@wrharding

NOTE: Along with the above Cowrie test, all testing from here on out is focused on Ubuntu 18.04

Dionaea

The service was installed successfully and is online and listening on the following ports, all of which are reporting in the MHN console (except for 42, which showed up as 35003 for some reason):

21
23
42
53
80
135
443
445
1433
1723
1883
3306
5060
11211
27017

Note: This script explicitly installs the python3 package.

@wrharding

Dionaea upgrade progress tracked in #8

@wrharding

Elastichoney

Installed successfully, service is running, and full connections to port 9200 are registered in the MHN console. However, simply doing nc <host> 9200 does not yield an attack in the MHN console. This honeypot has not been updated in 8 years. The project T-Pot uses a different Elastic honeypot, which was last updated 2 years ago.

https://gitlab.com/bontchev/elasticpot

Switching to new honeypot is being tracked in #9

@wrharding

Drupot

Installed successfully, service is running, but no attacks are being registered on the MHN console. Reading through the source with my zero Golang experience shows the honeypot is meant to log an attack anytime:

References to an implementation of hpfeeds written in Golang called Agave.

Work on this honeypot issue is being tracked in #10

@wrharding

Glastopf

Multiple issues installing this honeypot.

Tracking fixes and upgrades to Snare/Tanner in #11

@wrharding

Kippo

This honeypot is not in the list of deployable sensors, but the install script still exists in /scripts:

https://github.com/wrharding/mhn/blob/master/scripts/deploy_kippo.sh

This makes sense as it turned into Cowrie. Updates to documentation and removing the install script are probably all that are needed.

Tracking in #12

@wrharding

Magenpot

Installed successfully, process running under supervisorctl and attacks are being sent to the MHN's hpfeeds server, but nothing is populated in the attack overview.

Tracking in #13

@wrharding

p0f

Installs successfully, process runs under supervisorctl and traffic registers on the MHN console.

Tracking updates in #14

@wrharding

Shockpot

Installs successfully, runs under supervisorctl, and sends attacks (or non-attacks if you've set it up that way) to the MHN's hpfeeds and renders them properly. However, dionaea seems to do this as of v0.5.0. I'm unsure if both honeypots need to be supported.

https://dionaea.readthedocs.io/en/latest/changelog.html#id10

Tracking removal in #15

@wrharding

Snort

Installs successfully, runs under supervisorctl and sends/renders attacks to the MHN console. We're about 6 years out of the EOL for the currently used version of Snort.

Upgrades tracked in #16

@wrharding

Wordpot

Installs successfully, runs with supervisorctl, and attacks are recorded in the MHN console. It's slightly out of date from the upstream version.

Tracking upgrades in #17

@wrharding

All currently integrated honeypots (those that exist with install scripts in scripts/) have been audited for install. Additional testing should be performed on all of them as I'm going through the various upgrades and fixes. These were also only tested on Ubuntu 18.04, for the most part.

@github-project-automation github-project-automation bot moved this from In Progress to Done in Modern Honey Network v2 Apr 12, 2023