Run the Trap! How to Setup your own Honeypot to collect Malware samples

Introduction

This paper is how to setup your own Honeypot (dionaea). I would say most of us like Reverse Engineering binaries. Many of us have a fascination with malware. Why not combine them and RE some Malware that’s actively being used for exploitation?

My tutorial is how to setup a honeypot on Amazon Web Services (AWS). If you’re unfamiliar with AWS, tldr; they have servers, you can use them. ProTip: If you have 1 micro-instance with an attached hard drive less than 50GB, you can have a free server. You will have to provide your credit card info to AWS, but you are allowed a free server forever, so long as you stay in the “free-tier”. Now, you’re able to spin up n-number of micro-instances, but you only get what is equated to 1 month amount of hours, each month. So if you spin up 2 micro-instances, half way through the money, you will start to be billed, till the end of the month. So be careful.

Author Level: Skiddo

Required Skills

  • General Linux Commands
  • General Understanding of Networks

Requirements

  • Server (AWS works well. Free w/ CC provided)

Disclaimer (Optional)

Some hosting providers don’t like malware.
So like, maybe not collect on their servers if they aren’t cool like you.

(Separate this header from the paper using a horizontal rule)


The paper

AWS setup

I will now begin how to setup your AWS instance.
[If you are not using AWS, skip to the next section.]

  1. Go ahead a click EC2 and Create a new Instance. (EC2 == AWS Servers). After that, you want to select Ubuntu Server 14.04 LTS20%20PM

  2. Next, select the micro-instance type.36%20PM

  3. Great, now for Configure Instance Details, select “Auto-assign Public IP” and set it to “Enable”. (Don’t worry about my IAM role)33%20PM

  4. For storage, just add the default and click Next.

  5. Ignore adding Tags and click Next.

  6. Configuring Security Group is a bit more in depth. AWS by default only allows SSH open for your server. You must change this and all ALL ports open to your server. Yes. This is more insecure, but that’s the point.53%20PM

  7. Launch!
    40%20PM

  8. Alright this part is a bit more complex. To SSH into your box, you have to change the permissions for your private key (something.pem), and then ssh using it. Get your hostname from your instance. It’ll be under Public DNS (IPv4 )
    23%20PM
    Enter these on your local to connect to you AWS Server.

$ sudo chmod 400 /home/user/Downloads/key.pem
$ ssh -i /home/user/Downloads/key.pem [email protected]

Server setup

Let’s do our due diligence like good admins.

$ sudo su
# apt-get update; apt-get upgrade -y; apt-get dist-upgrade;

Grab out dependencies

# apt-get install git -y
# git clone https://github.com/DinoTools/dionaea
# apt-get install build-essential cmake check cython3 libcurl4-openssl-dev libemu-dev libev-dev libglib2.0-dev libloudmouth1-dev libnetfilter-queue-dev libnl-3-dev libpcap-dev libssl-dev libtool libudns-dev python3 python3-dev python3-bson python3-yaml ttf-liberation
# mkdir build
# cd build
# cmake -DCMAKE_INSTALL_PREFIX:PATH=/opt/dionaea …
# make
# make install
# cd /opt/dionaea/

Alright, now this is where you configuration file is. dionaea.cfg
This file specifies where your malware/binaries will get dropped, interface and ports listening. You can leave these default, but remember, the log file WILL get big. I think I had about 1G of malware, and 19G in logs.

29%20AM

So dionaea has many different services that it can allow and thus, making your honeypot open to more types of attacks. You get more malware.
These settings can be toggled in the services-available and services-enabled
directories. By editing each yaml file, you edit the service and how it will appear to a hacker/bot. If you want to accept SMB attacks, like…WannaCry, you’re gonna want to setup your server to accept smb.

# vim services-enabled/smb.yaml

If you want to enable a default Windows 7 setup, just uncomment Win7. Feel free to get creative.
51%20PM

Last but never least…RUN THE TRAP!!!

# /opt/dionaea/bin/dionaea -D

50%20PM

Conclusions

Took me awhile to get this up and running my first time. Second time, it took 16 minutes. If you’re having difficulties, try their docs.


Also just bug me on IRC.
See you on there. <3

29 Likes

I want to set this up with Google cloud with a packer image.

Hopefully we can introduce the magic of DevOps through this @fraq

Anyway, good job dude! Nice article

3 Likes

How does malware discover the server and by what means?

2 Likes

One possibility I can think of is that it scans different IP ranges and then tries automated exploits on them.

4 Likes

In addition to what @anon79434934 suggested, if the server gets indexed in Shodan it could be discovered through Shodan’s API. E.g. see autosploit

1 Like

Github Repo 404. Check it out.

2 Likes

Looks to be a typo in the article for the github link… Try this one here instead.

2 Likes

Thanks! Changed it so it should work now. :slight_smile:

1 Like

These are all correct. This is how one discovers your vuln server.
Scanning IPs, fingerprinting, and then (usually) auto-executing an exploit and dropping malware on your server.

1 Like

Interesting… now what to do if you don’t have a CC (and not for the lack of trying)?

1 Like

CC? Credit card?

Don’t use a VPS then. Portforward it like a maniac.

1 Like

Hey! I guess I’m a unit of measurement. That’s cool.

5 Likes

The BEST unit of measurement.

2 Likes

Could set it up at home, but I’m not sure the safest way of doing this. Much iptable rules.

Would be extremely careful with setting up honeypot on home network. Couple thoughts would be to make sure your honeypot is an isolated vlan on a dd-wrt router. Set it on the home dmz with firewall behind it to allow not traffic into the network from it.

3 Likes

I will look into it… doubt I will come up with much though 'cuz I’m just a scrub. lololol.

This is why you should use a VPS. Much simpler.

Set mine up and it had 23GB of log file within 10 minutes of running…

Restarted with a different log level set

1 Like

i like this post. although i’m not a fan of aws ec2 instances. i apreciate this post. i’m going to give this a try on my linode or digitalocean vps. I’ve alsways wanted to see what i could collect.

I am 100% in agreement with you. For purposes of malware research, a vps is the best. Honeypots internally are not bad defense for companies. I think of it as alarm system on your network. As for home users, I wouldn’t encourage it as much.

1 Like