Tag Archives: honeypot

Dionaea simple analysis

Dionaea exploit analysis

We’ll using python bundled with Dionaea:

It will open a python console. Enter the code below line by line:


It will produce test.bin file in /tmp/ folder.

Now we analyze it and dump the output to another file:

You should see something like this:

As you can see, the malicious URL is hxxp://188.245.32.210:8147/kcfl

https://sourceforge.net/p/nepenthes/mailman/message/26862416/

Installing Conpot on Ubuntu 12.04

Conpot is a low interactive server side Industrial Control Systems (ICS) honeypot with the goal to collect intelligence about the motives and methods of adversaries targeting industrial control systems.

For more info, you can refer at here

First, edit your apt list file and insert this line below:

After that, update your OS:

Then, install required dependencies:

Some of dependencies need to be install via pip:

  • Ensure that you have installed python-pip before you run this command.

Install Modbus-tk (to create modbus app easily with Python):

Install Conpot:

Finish! Next step is to run the conpot:

Conpot is running on these port:

ensure that those port is not occupied or used yet.

Honeypot after 1 week hosted..

So, I spend my holiday installing & configuring honeypot at my new vps.
I managed to installed Dionaea, Kippo, p0f (still has error permission denied T__T) & thug.
And for the interfaces, I install DionaeaFR and Kippo-Graph on my honeypot.

Currently I still on research for smtp honeypot. If you have 1, please do suggest to me. 🙂

 Dionaea. 4 unique URL for malware download. 9 malware binaries captured.

Kippo. Total login attempts : 7478. Distinct source IP addresses : 19

Script to install Thug honeypot on Ubuntu 12.04

Thug is a Python low-interaction honeyclient aimed at mimicking the behaviour of a web browser in order to detect and emulate malicious contents. It based on Python + V8 JS engine. You can go to the website or google to understands more about this awesome application.

So, here I share to you a script that automate the building and compiling Thug honeypot + V8 on Ubuntu machine:

#!/bin/bash

#Install some dependencies for the building process
sudo apt-get install -y autoconf build-essential git-core scons subversion libboost-dev libboost-python-dev libboost-thread-dev libboost-system-dev libtool mongodb python-bs4 python-chardet python-cssutils python-dev python-html5lib python-httplib2 python-zope.interface python-pymongo python-pefile python-setuptools

sudo easy_install beautifulsoup4

#Obtaining libemu via Git
cd /tmp/
git clone git://git.carnivore.it/libemu.git

#Configure and install
cd /tmp/libemu/
autoreconf -v -i
./configure –enable-python-bindings –prefix=/opt/libemu
sudo make install
sudo ldconfig -n /opt/libemu/lib

#Obtaining pylibemu via Git
cd /tmp/
git clone https://github.com/buffer/pylibemu.git

#Build and install
cd /tmp/pylibemu/
sudo sh -c “echo /opt/libemu/lib > /etc/ld.so.conf.d/pylibemu.conf”
python setup.py build
sudo python setup.py install

#Obtain the codes via svn and git
cd ~
git clone https://github.com/buffer/thug.git
cd ~/thug/
svn checkout http://v8.googlecode.com/svn/trunk/ v8

#Apply the Thug’s patch for V8
cp patches/V8-patch* .
patch -p0 < V8-patch1.diff
rm V8-patch*

#Build and compile python wrapper for V8. This process will compile the V8 engine at the same time
cd /tmp/
svn checkout http://pyv8.googlecode.com/svn/trunk/ pyv8
export V8_HOME=$HOME/thug/v8
cd pyv8
python setup.py build
sudo python setup.py install

I really appreciate if you can share with me your experience using this software in production/real-life. 🙂 

Error when installing python2.7-dev on Ubuntu 12.04 (OpenVZ)

As the title above, I think you will encounter the same problem when trying to install software on vps that using OpenVZ

I encounter this problem during my honeypot installation on my new vps when I try to install python2.7-dev onto Ubuntu 12.04.

The error shows something like this;

libc6-dev : Depends: libc6 (= 2.15-0ubuntu10.2) but 2.15-0ubuntu10+openvz0 is to be installed
E: Unable to correct problems, you have held broken packages.

To solve it, modify the file at /etc/apt/preferences.d/99ovz-libc-pin

Replace from this line:

libc-bin libc6

become this line;

libc-bin libc6 libc6-dev libc-dev-bin

Save it, update & enjoy. 🙂