ethicalhack3r - Part 2

Latest posts

January 17th 2010

Dionaea – Low interaction honeypot

After running Glastopf (Glastopf – Web Application Honeypot) for a few days and not getting any hits, I was a bit disappointed. I speculate that maybe you need to give web application honeypots more time to propagate across the Internet and get picked up by search engines to receive any significant hits, or even give the honeypot its own domain name. From my earlier post you will notice that I had tried to get Dionaea to run first.


Markus, the lead developer of Dionaea, got in contact after he read my post and saw that I was having trouble getting it running. It turned out to be a complete fail on my part: after following the instructions on the Dionaea homepage, Dionaea installed perfectly fine; it was just a case of me not knowing how to run it properly.


What is Dionaea?

Dionaea is meant to be a nepenthes successor, embedding Python as its scripting language, using libemu to detect shellcodes, and supporting IPv6 and TLS.

Dionaea's intention is to trap malware exploiting vulnerabilities exposed by services offered to a network; the ultimate goal is gaining a copy of the malware.


Dionaea offers the following services by default: SMB (the main service offered), HTTP, FTP and TFTP.

Here is an Nmap scan of the honeypot (first 1000 ports):

PORT STATE SERVICE
21/tcp open ftp
|_ ftp-anon: Anonymous FTP login allowed
42/tcp open tcpwrapped
80/tcp open http?
|_ html-title: Directory listing for /
135/tcp open msrpc?
443/tcp open ssl/https?
|_ sslv2: server still supports SSLv2
|_ html-title: Directory listing for /
445/tcp open microsoft-ds?


Statistics:


Dionaea was running for 1 day, 11 hours and 44 minutes.
The first hit took 14 hours, 10 minutes and 16 seconds.
During that time there were 164 total remote hits.
Top 3 ports (in order of hits): 445, 135 and 0.


RPC Vulnerabilities exploited:
MS03-26
MS04-11
MS04-12
MS05-017
MS07-065
MS06-66
MS05-39
MS08-67
MS04-11


Captured Malware (nine samples, identified by MD5 hash):


You can search for the malware associated with the MD5 hashes above here: http://www.virustotal.com/buscaHash.html
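The statistics above (uptime, time to first hit, total hits, top ports and the exploits seen) are the kind of figures a honeypot operator derives from the connection log. As an added example that is not part of the original post, here is a small Python summariser run over constructed records; the line format is invented for the example and is not Dionaea's own log format.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records (format invented for this example, not Dionaea's own
# log format): the run's start and stop, and one line per remote hit with the
# source address, local port and the exploit identified, or "-" if none.
SAMPLE_LOG = """\
2010-01-15T20:00:00 start
2010-01-16T10:10:16 hit 203.0.113.5 445 MS08-67
2010-01-16T10:10:20 hit 203.0.113.5 445 MS08-67
2010-01-16T11:02:03 hit 198.51.100.9 135 MS04-11
2010-01-16T11:02:04 hit 198.51.100.9 445 -
2010-01-16T12:30:00 hit 192.0.2.77 0 -
2010-01-17T07:44:00 stop
"""

def describe(delta):
    """Render a duration the way the post does: '1 day, 11 hours and 44 minutes'."""
    days, rest = divmod(int(delta.total_seconds()), 86400)
    hours, rest = divmod(rest, 3600)
    minutes, seconds = divmod(rest, 60)
    units = [(days, "day"), (hours, "hour"), (minutes, "minute"), (seconds, "second")]
    words = [f"{n} {name}{'s' if n != 1 else ''}" for n, name in units if n]
    if len(words) > 1:
        return ", ".join(words[:-1]) + " and " + words[-1]
    return words[0] if words else "0 seconds"

def summarise(log, top_n=3):
    """Uptime, time to first hit, hit count, busiest ports and exploit tally."""
    start = stop = first_hit = None
    ports, exploits = Counter(), Counter()
    for line in log.splitlines():
        fields = line.split()
        stamp = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%S")
        if fields[1] == "start":
            start = stamp
        elif fields[1] == "stop":
            stop = stamp
        else:  # a remote hit; the first one seen fixes the time-to-first-hit
            first_hit = first_hit or stamp
            ports[int(fields[3])] += 1
            if fields[4] != "-":
                exploits[fields[4]] += 1
    return {
        "uptime": describe(stop - start),
        "first_hit_after": describe(first_hit - start),
        "total_hits": sum(ports.values()),
        "top_ports": [port for port, _ in ports.most_common(top_n)],  # by hit count
        "exploits": dict(exploits),
    }
```

Port 0 shows up in the sample as it does in the post's top-three list; a real feed would carry whatever the sensor records for connections it could not attribute to a listener.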


Dionaea is excellent; I feel that I have only scratched the surface of its true potential. For now, unfortunately, the honeypot is turned off until I find a more suitable place to store it other than my living room floor. Hopefully I will do more work in the area of honeypots in the near future once I have some more spare time.



January 10th 2010

Glastopf – Web Application Honeypot


I bought an old battered PC over the weekend with the goal of installing a honeypot. I had never installed a honeypot before so wasn’t quite sure what to expect. At first I decided on Dionaea, the successor to Nepenthes; I had heard great things about Nepenthes from a friend of mine (Infosanity). After going through the installation process, I couldn’t get Dionaea to ‘make’ with the right Python version detected (> 3.0), so after about an hour of playing around I decided to give Glastopf a try.


Glastopf is a honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: reply with the correct response to the attacker exploiting the web application. The project was kicked off by Lukas Rist around one year ago, and the results we got during this time are very promising and an incentive to put even more effort into the development of this unique tool.


Glastopf was very easy to install and configure: I simply downloaded the subversion trunk and ran it with “sudo python webserver.py”. Glastopf was up and running, however not configured. Glastopf gives you the option to save the honeypot logs to a MySQL database; for this all you have to do is install MySQL and python-mysql, set up the database/tables and add the ‘mysql.py’ plugin to the configuration file. Glastopf provides you with the table structure already set out in the ‘/structure/log.sql’ file. To import the file I used ‘mysql-navigator’ (sudo apt-get install mysql-navigator), a GUI client for MySQL; you can however just use the MySQL command line client.


All I had to do now was forward port 80 on my router to the machine with Glastopf running on it. I will now leave the machine running for a few days and hopefully come back with some statistics, which I will of course be posting and making pretty little graphs out of. :) If the initial statistics and hits are positive I will try to keep the honeypot running indefinitely and somehow link the stats to the blog.



January 2nd 2010

I got ha ha hacked

I had a security breach on the blog over the Christmas period. To cut a long story short, two black hats named HcJ and cyb3r-1st compromised another site on the shared hosting server, and they decided to deface my blogs for a short period of time while they were at it. After talking to both of them regarding the breach it turns out they are nice guys (a bit misguided); they told me how they breached the server so that I could pass the information on to the hosting provider for them to patch it.





At first I thought it may have been a WordPress 0day that they used to compromise my blogs, so I set about hardening my WordPress installation: changed all passwords, deleted all files and reinstated them from backup, installed security plugins, revised file permissions, etc.


Security plugins installed:
Chap Secure Login
Log User Access
WordPress Firewall
WP Security Scan


Here’s a great article by WordPress on how to harden your installation:
http://codex.wordpress.org/Hardening_WordPress


The zone-h defacement mirror:
http://www.zone-h.org/mirror/id/10039957


In this instance there is very little I can do to protect the server as it is not owned by me; the best I can do is change or pressure the hosting provider and secure my web applications.



January 1st 2010

Free software in a Windowed world

I recently upgraded to Windows 7 from Vista. I had planned to migrate fully to Ubuntu 9.10 Karmic; however, after nearly £100 of investment in wireless equipment and none of the hardware working under Ubuntu, I bit the bullet. I will now be running Ubuntu and other Linux distributions as virtual machines.


Here is a list (in no particular order) of essential (to me) Open Source and Free (as in beer) software (non-security) I installed on my shiny new Windows 7:


FileZilla FTP client – http://filezilla-project.org/ (Open Source)
Mozilla Thunderbird – http://www.mozillamessaging.com (Open Source)
Inkscape – http://www.inkscape.org/ (Open Source)
BitTorrent – http://www.bittorrent.com/ (Open Source)
Wireshark – http://www.wireshark.org/ (Open Source)
7-Zip – http://www.7-zip.org/ (Open Source)
Notepad++ – http://notepad-plus.sourceforge.net/ (Open Source)
Mozilla Firefox – http://www.mozilla.com/firefox/ (Open Source)
OpenOffice – http://www.openoffice.org/ (Open Source)
Sun VirtualBox – http://www.virtualbox.org/ (Open Source)
Tortoise SVN – http://tortoisesvn.tigris.org/ (Open Source)
VLC – http://www.videolan.org/vlc/ (Open Source)
TrueCrypt – http://www.truecrypt.org/ (Open Source)
XAMPP – http://www.apachefriends.org/en/xampp.html (Open Source)
Zattoo – http://zattoo.com/ (Free)
Spotify – http://www.spotify.com/ (Free)
Skype – http://www.skype.com/ (Free)


It should be easier than ever to pwn my box now that you all know what software and OS I’m running. ;) What Open Source/Free software can you not live without?


P.S. HAPPY NEW YEEAARRR!!!



December 14th 2009

RandomStorm acquire DVWA

RandomStorm have acquired Damn Vulnerable Web App (DVWA) :)


RandomStorm showed their interest in DVWA and wanted to help the project grow. After some weeks of talks we have settled on an agreement which I believe will benefit the DVWA project immensely.


What do RandomStorm do?

RandomStorm was formed in 2007 to provide a proactive vulnerability management service for companies and organisations that take network security seriously and need to demonstrate maximum due diligence in protecting personal and corporate information.


Without going into too much detail, RandomStorm will help develop DVWA further, help with marketing, help with direction and overall make the project as good as it can be. DVWA will now be part of the RandomStorm Open Source Project and will be hosted with them in the near future. I will still play a strong role in the development and general overseeing of the project. The acquisition of DVWA has nothing but positives: the project will still be as great as, or even greater than, it is; I still get to work on my baby; DVWA will still be open source; and the project has the backing of a great company, RandomStorm.


Andrew Mason, Chief Technologist at RandomStorm says:

I see that combining efforts on this will really add value to this great tool and take it to the next step.


RandomStorm will be releasing an official press release in the near future. I would really like to hear everyone's feedback, so please comment.


In the meantime you can follow RandomStorm on Twitter: @RandomStorm