
Dionaea – Low interaction honeypot

After running Glastopf (Glastopf – Web Application Honeypot) for a few days without a single hit, I was a bit disappointed. My guess is that web application honeypots need more time to propagate across the Internet and be picked up by search-engine crawlers before they receive any significant hits, and probably a domain name of their own. From my earlier post you will notice that I had tried to get Dionaea running first.


Markus, the lead developer of Dionaea, got in touch after reading that post and seeing that I was having trouble getting it running. It turned out to be entirely my fault: following the instructions on the Dionaea homepage, Dionaea installed perfectly fine; I simply did not know how to run it properly.


What is Dionaea?

Dionaea is meant to be a nepenthes successor, embedding Python as scripting language, using libemu to detect shellcodes, supporting IPv6 and TLS.

Dionaea's intention is to trap malware exploiting vulnerabilities exposed by services offered to a network; the ultimate goal is gaining a copy of the malware.


Dionaea offers the following services by default: SMB (its main service), HTTP, FTP and TFTP. TFTP runs on UDP port 69, so it does not show up in the TCP scan below; the DCE/RPC endpoint mapper on port 135 and a listener on port 42 do.

Here is an Nmap scan of the honeypot (first 1000 TCP ports). Note how distinctive the fingerprint is: anonymous FTP, a bare directory listing on both 80 and 443, and an HTTPS server that still accepts SSLv2. A human attacker (or a careful scanner) could recognise the box as a honeypot from this alone, although the automated worms this run attracted clearly do not care.

PORT STATE SERVICE
21/tcp open ftp
|_ ftp-anon: Anonymous FTP login allowed
42/tcp open tcpwrapped
80/tcp open http?
|_ html-title: Directory listing for /
135/tcp open msrpc?
443/tcp open ssl/https?
|_ sslv2: server still supports SSLv2
|_ html-title: Directory listing for /
445/tcp open microsoft-ds?


Statistics:


Dionaea was running for 1 day, 11 hours and 44 minutes.
The first hit came after 14 hours, 10 minutes and 16 seconds.
During that time there were 164 remote hits in total.
Top 3 ports by number of hits: 445, 135 and 0.


RPC vulnerabilities exploited (Microsoft security bulletin IDs):
MS03-026
MS04-011
MS04-012
MS05-017
MS05-039
MS06-066
MS07-065
MS08-067


Captured Malware:
14a09a48ad23fe0ea5a180bee8cb750a
31ab688b36e7d8e5ce1082faa95f730e
53fed7473c878ad4b4e57a42c99df38f
69101c9cbc14f5778efa795bbd25e02c
833cda5b5bef5989deb6bf57c557ce30
93094c5ea5a47e5c5f3e020f2c434c35
df51e3310ef609e908a6b487a28ac068
f2d8d3ef1d5623bdfa9a0eebd4fc2266
f8815cdca238ad5ab566f05f5a6335a4


You can look up the malware behind the MD5 hashes above on VirusTotal: http://www.virustotal.com/buscaHash.html
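The statistics above (uptime, time to first hit, total hits, busiest ports) and the de-duplicated list of captured MD5 hashes can all be pulled out of Dionaea's logging with a few queries. The script below is an added example written for this post, not Dionaea's own code: it assumes the layout of Dionaea's logsql sqlite database (a "connections" table with one row per listener, accepted or outbound connection, and a "downloads" table with one row per fetched binary; check the column names against your own logsql.sqlite with ".schema" before trusting it), and it runs against constructed sample rows built in memory so it works offline. The sample timestamps, addresses and URLs are made up; two of the hashes are reused from the list above purely to show the de-duplication.

```python
import sqlite3
from collections import Counter
from datetime import datetime, timezone

# Assumed layout of Dionaea's logsql sqlite database (verify with ".schema").
SCHEMA = """
CREATE TABLE connections (
    connection            INTEGER PRIMARY KEY,
    connection_type       TEXT,     -- 'listen', 'accept', 'connect' or 'reject'
    connection_transport  TEXT,     -- 'tcp' or 'udp'
    connection_protocol   TEXT,     -- 'smbd', 'epmapper', 'httpd', 'ftpctrl', ...
    connection_timestamp  INTEGER,  -- unix time
    connection_root       INTEGER,
    connection_parent     INTEGER,
    local_host            TEXT,
    local_port            INTEGER,
    remote_host           TEXT,
    remote_hostname       TEXT,
    remote_port           INTEGER
);
CREATE TABLE downloads (
    download           INTEGER PRIMARY KEY,
    download_md5_hash  TEXT,
    download_url       TEXT,
    connection         INTEGER
);
"""

# Constructed sample data (not from the original run). Remote addresses come
# from the RFC 5737 documentation ranges; timestamps are offsets from a made-up start.
START_TS = int(datetime(2010, 1, 15, 20, 0, tzinfo=timezone.utc).timestamp())
STOP_TS = START_TS + 128640  # 1 day, 11 hours and 44 minutes later

SAMPLE_CONNECTIONS = [
    # Listeners created at startup: Dionaea's own sockets, not remote hits.
    (1, "listen", "tcp", "smbd",     START_TS,          0, 0, "0.0.0.0",  445, "",             "", 0),
    (2, "listen", "tcp", "epmapper", START_TS,          0, 0, "0.0.0.0",  135, "",             "", 0),
    (3, "listen", "tcp", "httpd",    START_TS,          0, 0, "0.0.0.0",   80, "",             "", 0),
    # Inbound connections from remote hosts: these are the hits.
    (4, "accept", "tcp", "smbd",     START_TS + 51016,  4, 4, "10.0.0.5", 445, "198.51.100.7", "", 2301),
    (5, "accept", "tcp", "smbd",     START_TS + 51020,  5, 5, "10.0.0.5", 445, "198.51.100.7", "", 2302),
    (6, "accept", "tcp", "epmapper", START_TS + 60000,  6, 6, "10.0.0.5", 135, "203.0.113.9",  "", 4410),
    (7, "accept", "tcp", "smbd",     START_TS + 70000,  7, 7, "10.0.0.5", 445, "203.0.113.9",  "", 4411),
    (8, "accept", "tcp", "httpd",    START_TS + 80000,  8, 8, "10.0.0.5",  80, "192.0.2.33",   "", 51234),
    (9, "accept", "tcp", "epmapper", START_TS + 90000,  9, 9, "10.0.0.5", 135, "198.51.100.7", "", 2390),
    (10, "accept", "tcp", "smbd",    START_TS + 100000, 10, 10, "10.0.0.5", 445, "192.0.2.33", "", 51300),
    # Outbound fetch of an offered binary, made by Dionaea itself: also not a hit.
    (11, "connect", "tcp", "ftpctrl", START_TS + 70005, 7, 7, "10.0.0.5",   0, "203.0.113.9",  "", 21),
]

SAMPLE_DOWNLOADS = [
    # Same binary offered twice (HTTP, then FTP) with the hash logged in
    # different case, plus one distinct second sample.
    (1, "14a09a48ad23fe0ea5a180bee8cb750a", "http://203.0.113.9:5656/x", 7),
    (2, "14A09A48AD23FE0EA5A180BEE8CB750A", "ftp://203.0.113.9/x.exe", 9),
    (3, "f2d8d3ef1d5623bdfa9a0eebd4fc2266", "http://192.0.2.33:8080/a.exe", 10),
]


def load_sample_db():
    """Build an in-memory database in the assumed layout holding the sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?,?,?,?,?,?)", SAMPLE_CONNECTIONS)
    db.executemany("INSERT INTO downloads VALUES (?,?,?,?)", SAMPLE_DOWNLOADS)
    return db


def human_duration(seconds):
    """Render seconds the way the post does, e.g. 128640 -> '1 day, 11 hours and 44 minutes'."""
    days, rem = divmod(int(seconds), 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    words = [f"{n} {unit}{'' if n == 1 else 's'}"
             for n, unit in ((days, "day"), (hours, "hour"), (minutes, "minute"), (secs, "second"))
             if n]
    if not words:
        return "0 seconds"
    return words[0] if len(words) == 1 else ", ".join(words[:-1]) + " and " + words[-1]


def report(db, stopped_at):
    """Summarise a run: uptime, time to first hit, hit count, busiest ports,
    distinct attacking hosts and the de-duplicated captured MD5 hashes."""
    # Start of the run = creation of the first listener socket.
    (started_at,) = db.execute(
        "SELECT MIN(connection_timestamp) FROM connections WHERE connection_type = 'listen'"
    ).fetchone()
    # Only accepted inbound connections are hits; 'listen' and 'connect' rows
    # are Dionaea's own activity (the latter is it fetching the offered binary).
    hits = db.execute(
        "SELECT connection_timestamp, local_port, remote_host FROM connections "
        "WHERE connection_type = 'accept' ORDER BY connection_timestamp"
    ).fetchall()
    ports = Counter(port for _, port, _ in hits)
    # Normalise case and de-duplicate: one sample served from several URLs
    # counts once, and anything that is not 32 hex digits is dropped.
    md5s = set()
    for (h,) in db.execute("SELECT download_md5_hash FROM downloads"):
        h = (h or "").strip().lower()
        if len(h) == 32 and all(c in "0123456789abcdef" for c in h):
            md5s.add(h)
    return {
        "uptime": human_duration(stopped_at - started_at),
        "first_hit_after": human_duration(hits[0][0] - started_at) if hits else None,
        "total_hits": len(hits),
        "top_ports": ports.most_common(3),
        "unique_attackers": len({host for _, _, host in hits}),
        "captured_md5": sorted(md5s),
    }


if __name__ == "__main__":
    for key, value in report(load_sample_db(), STOP_TS).items():
        print(f"{key}: {value}")
```

Against a real database, replace load_sample_db() with sqlite3.connect("logsql.sqlite") and pass the time the honeypot was stopped as stopped_at. Counting only 'accept' rows matters: the 'listen' and 'connect' rows Dionaea writes for its own sockets would otherwise inflate the hit count and the port statistics.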


Dionaea is excellent; I feel I have only scratched the surface of what it can do. For now, unfortunately, the honeypot is switched off until I find a more suitable place to keep it than my living-room floor. I hope to do more work with honeypots in the near future once I have some spare time.

Posted on 17 January, 2010 by admin

5 Responses to “Dionaea – Low interaction honeypot”

  1. d0s said...

    Nice results
    I plan to set up a honeypot in a VM.
    Dionaea looks pretty cool.
    I know malware & rootkits tend to act differently in VMs but it would be interesting to see the results.

    D

  2. Lukas said...

    Hi Ryan,

    you are right, to get hits on Glastopf you have to set up a domain (FQDN > subdomains) and wait for a google crawler.

    Contact me if there are other questions.

    Greetings,
    Lukas

  3. iVictor said...

    Going to try it this week. Looks like the home page is down(?). Checking out at ohloh (http://www.ohloh.net/p/dionaea).

    Best Regards.

  4. Ambrose said...

    Hi there,
    Can you tell me please, where I can find some forums or email conferences where any problems with installing and compiling not only dionaea but also its dependencies (like libemu…) are discussed…
    Thanks for any response…

  5. Mona said...

    Hello there,

    I have installed Dionaea properly, however I am facing some troubles when I try to run it. Please help.

    Thank you,
