Introduction
This paper explains how to set up your own honeypot (dionaea). I would say most of us like reverse engineering binaries. Many of us have a fascination with malware. Why not combine them and RE some malware that’s actively being used for exploitation?
My tutorial covers how to set up a honeypot on Amazon Web Services (AWS). If you’re unfamiliar with AWS, tldr; they have servers, you can use them. ProTip: If you have 1 micro-instance with an attached hard drive less than 50GB, you can have a free server. You will have to provide your credit card info to AWS, but you are allowed a free server forever, so long as you stay in the “free-tier”. Now, you’re able to spin up n-number of micro-instances, but you only get the equivalent of 1 month’s worth of hours each month. So if you spin up 2 micro-instances, halfway through the month you will start to be billed, till the end of the month. So be careful.
Author Level: Skiddo
Required Skills
- General Linux Commands
- General Understanding of Networks
Requirements
- Server (AWS works well. Free w/ CC provided)
Disclaimer (Optional)
Some hosting providers don’t like malware.
So like, maybe not collect on their servers if they aren’t cool like you.
The paper
AWS setup
I will now walk through how to set up your AWS instance.
[If you are not using AWS, skip to the next section.]
- Go ahead and click EC2 and Create a new Instance (EC2 == AWS Servers). After that, select Ubuntu Server 14.04 LTS.
- Next, select the micro-instance type.
- Great, now for Configure Instance Details, select “Auto-assign Public IP” and set it to “Enable”. (Don’t worry about my IAM role)
- For storage, just add the default and click Next.
- Ignore adding Tags and click Next.
- Configuring Security Group is a bit more in depth. AWS by default only allows SSH open for your server. You must change this and allow ALL ports open to your server. Yes, this is more insecure, but that’s the point.
- Launch!
- Alright, this part is a bit more complex. To SSH into your box, you have to change the permissions for your private key (something.pem), and then ssh using it. Get your hostname from your instance. It’ll be under Public DNS (IPv4).
Enter these on your local machine to connect to your AWS server (replace the placeholder with the login user and the Public DNS hostname from your instance).
$ sudo chmod 400 /home/user/Downloads/key.pem
$ ssh -i /home/user/Downloads/key.pem <user>@<public-dns-hostname>
Server setup
Let’s do our due diligence like good admins.
$ sudo su
# apt-get update; apt-get upgrade -y; apt-get dist-upgrade;
Grab our dependencies.
# apt-get install git -y
# git clone https://github.com/DinoTools/dionaea.git
# apt-get install build-essential cmake check cython3 libcurl4-openssl-dev libemu-dev libev-dev libglib2.0-dev libloudmouth1-dev libnetfilter-queue-dev libnl-3-dev libpcap-dev libssl-dev libtool libudns-dev python3 python3-dev python3-bson python3-yaml ttf-liberation
# cd dionaea
# mkdir build
# cd build
# cmake -DCMAKE_INSTALL_PREFIX:PATH=/opt/dionaea ..
# make
# make install
# cd /opt/dionaea/
Alright, now this is where your configuration file lives: dionaea.cfg
This file specifies where your malware/binaries will get dropped, and which interface and ports dionaea listens on. You can leave these at their defaults, but remember, the log file WILL get big. I think I had about 1G of malware, and 19G in logs.
dionaea can emulate many different services, and each one you enable opens your honeypot to more types of attacks. You get more malware.
These services can be toggled in the services-available and services-enabled directories. By editing each yaml file, you edit the service and how it will appear to a hacker/bot. If you want to accept SMB attacks, like…WannaCry, you’re gonna want to set up your server to accept smb.
# vim services-enabled/smb.yaml
If you want to enable a default Windows 7 setup, just uncomment Win7. Feel free to get creative.
Last but never least…RUN THE TRAP!!!
# /opt/dionaea/bin/dionaea -D
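Once the trap is running, it is worth confirming that the services you enabled are actually exposed and keeping an eye on how fast samples and logs eat the free-tier disk. The script below is an added example, not part of this paper or of the dionaea project; the sample and log paths, the expected port (445 for the SMB service enabled above) and the 10 GiB warning threshold are assumptions, so adjust them to your dionaea.cfg.

```shell
#!/bin/sh
# Post-launch checks for a dionaea host (added example, not dionaea's own tooling).
# Assumed paths: /opt/dionaea/var/dionaea/binaries (captured samples) and
# /opt/dionaea/var/log/dionaea (logs). Assumed expected port: 445 (SMB).

# Print sorted, unique listening TCP ports from `ss -ltn` output read on stdin.
# Handles the 0.0.0.0:445, [::]:445 and *:445 local-address forms.
listening_ports() {
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -n | uniq |
        tr '\n' ' ' | sed 's/ $//'
}

# Print the expected ports (args after the first) that are absent from the
# space-separated port list in $1; return 1 if any are missing.
missing_ports() {
    have=" $1 "; shift; missing=""
    for p in "$@"; do
        case "$have" in
            *" $p "*) ;;
            *) missing="$missing$p " ;;
        esac
    done
    printf '%s' "${missing% }"
    [ -z "$missing" ]
}

# Print the size of a directory in MiB (0 if it does not exist).
dir_usage_mb() {
    [ -d "$1" ] || { echo 0; return; }
    du -sm "$1" | cut -f1
}

# Live check on the honeypot host: is SMB really exposed, and are samples/logs
# growing toward the free-tier disk limit? Threshold of 10 GiB is a chosen value.
main() {
    ports=$(ss -ltn | listening_ports)
    echo "listening: $ports"
    if ! m=$(missing_ports "$ports" 445); then
        echo "WARN: expected honeypot ports not listening: $m"
    fi
    for d in /opt/dionaea/var/dionaea/binaries /opt/dionaea/var/log/dionaea; do
        mb=$(dir_usage_mb "$d")
        echo "$d: ${mb} MiB"
        if [ "$mb" -gt 10240 ]; then echo "WARN: $d is large, rotate or archive"; fi
    done
}

# Run the live checks only when invoked as: sh honeypot-check.sh check
case "${1:-}" in check) main ;; esac
```

Running it with `check` on the honeypot host prints the listening ports and directory sizes; a WARN line means either the SMB service never came up or the disk is filling.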
Conclusions
It took me a while to get this up and running my first time. The second time, it took 16 minutes. If you’re having difficulties, try their docs.
https://dionaea.readthedocs.io/en/latest/run.html
Also just bug me on IRC.
See you on there. <3