Dionaea – Low interaction honeypot
After running Glastopf (Glastopf – Web Application Honeypot) for a few days without getting any hits, I was a bit disappointed. I speculate that web application honeypots need more time to propagate across the Internet and get picked up by search engines before they receive any significant hits, or perhaps the honeypot needs its own domain name. From my earlier post you will notice that I had tried to get Dionaea running first.
Markus, the lead developer of Dionaea, got in contact after he read my post and saw that I was having trouble getting it running. It turned out to be a complete fail on my part: after following the instructions on the Dionaea homepage, Dionaea had installed perfectly fine; I simply did not know how to run it properly.
What is Dionaea?
Dionaea is meant to be a Nepenthes successor, embedding Python as its scripting language, using libemu to detect shellcode, and supporting IPv6 and TLS.
Dionaea's intention is to trap malware exploiting vulnerabilities exposed by services offered to a network; the ultimate goal is gaining a copy of the malware.
Dionaea offers the following services by default: SMB (the main service offered), HTTP, FTP and TFTP.
Here is an Nmap scan of the honeypot (first 1000 ports):
PORT STATE SERVICE
21/tcp open ftp
|_ ftp-anon: Anonymous FTP login allowed
42/tcp open tcpwrapped
80/tcp open http?
|_ html-title: Directory listing for /
135/tcp open msrpc?
443/tcp open ssl/https?
|_ sslv2: server still supports SSLv2
|_ html-title: Directory listing for /
445/tcp open microsoft-ds?
Statistics:
Dionaea was running for 1 day, 11 hours and 44 minutes.
The first hit took 14 hours, 10 minutes and 16 seconds.
During that time there were 164 total remote hits.
Top 3 ports: 445, 135 and 0 (in order of hits).
RPC Vulnerabilities exploited:
MS03-26
MS04-11
MS04-12
MS05-017
MS07-065
MS06-66
MS05-39
MS08-67
MS04-11
Captured Malware:
You can search for the malware associated with the MD5 hashes above here: http://www.virustotal.com/buscaHash.html
Dionaea is excellent; I feel that I have only scratched the surface of its true potential. Unfortunately, for now the honeypot is turned off until I find a more suitable place to keep it than my living room floor. Hopefully I will do more work in the area of honeypots in the near future once I have some more spare time.
9 Responses to “Dionaea – Low interaction honeypot”
d0s
Nice results
I plan to set up a honeypot in a VM.
Dionaea looks pretty cool.
I know malware & rootkits tend to act differently in VMs, but it would be interesting to see the results.
D
Lukas
Hi Ryan,
You are right: to get hits on Glastopf you have to set up a domain (FQDN > subdomains) and wait for a Google crawler.
Contact me if there are other questions.
Greetings,
Lukas
iVictor
Going to try it this week. Looks like the home page is down(?). Checking out at ohloh (http://www.ohloh.net/p/dionaea).
Best Regards.
Ambrose
Hi there,
Can you tell me, please, where I can find some forums or email conferences where any problems with installing and compiling not only Dionaea but also its dependencies (like libemu…) are discussed…
Thanks for any response…
Mona
Hello there,
I have installed Dionaea properly; however, I am facing some troubles when I try to run it. Please help.
Thank you,
Andrew
Hello, I am having great difficulty running Dionaea on Ubuntu; I can’t seem to capture anything. I have taken all security features away and taken the firewall down on my router.
Thanks
Fhrobro
Catch those hackas! XD
ash
How do I read the log file of Dionaea?
ash
I want an explanation of this file. Can anyone tell me?
linux-sqos:/opt/nepenthes/var/log # cat nepenthes.log
[18032007 02:26:03 info module] 76 4
[18032007 02:26:03 info module] SMB Session Request 76
H CKFDENECFDEFFCFGEFFCCACACACACACA
[18032007 02:26:03 warn module] Unknown NETDDE exploit 76 bytes State 1
[18032007 02:26:03 module] Stored Hexdump var/hexdumps/850745ec6a9f3cc3d7ce4bdd7294e468.bin (0x0809fa80 , 0x0000004c).
[18032007 02:26:03 warn module] Unknown SMBName exploit 0 bytes State 1
[18032007 02:26:03 info handler dia] Unknown DCOM request, dropping
[18032007 02:26:11 crit sc handler] MATCH linkxor::link matchCount 5 map_items 5
[18032007 02:26:11 info sc handler] i = 1 map_items 5 , map = size
[18032007 02:26:11 info sc handler] i = 2 map_items 5 , map = size
[18032007 02:26:11 info sc handler] i = 3 map_items 5 , map = key
[18032007 02:26:11 info sc handler] i = 4 map_items 5 , map = post
[18032007 02:26:11 info sc handler] Found linkbot XOR decoder, key 0x1b, payload is 0x00b2 bytes long.
[18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330
[18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330, key 0xaeed1ff8.
[18032007 02:26:11 info down mgr] Handler link download handler will download link://64.182.172.15:56330/ru0f+A==
[18032007 02:26:13 info handler dia] Download via linkbot filetransferr done! ( download is 114176 bytes)
[18032007 02:26:13 info mgr submit] File b6c9254853a642e90756cfb04efd67ea has type PE executable for MS Windows (GUI) Intel 80386 32-bit
[18032007 02:26:13 warn dia] Unknown ASN1_SMB Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1a40 , 0x000000ac).
[18032007 02:26:13 warn module] Unknown PNP Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 module] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1638 , 0x000000ac).
[18032007 02:26:13 warn module] Unknown LSASS Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 module] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a08f0 , 0x000000ac).
[18032007 02:26:13 warn handler dia] Unknown DCOM Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 handler dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x0809fa80 , 0x000000ac).
linux-sqos:/opt/nepenthes/var/binaries # ls -l b6c9254853a642e90756cfb04efd67ea
-rw-r--r-- 1 root root 114176 Mar 18 02:26 b6c9254853a642e90756cfb04efd67ea
linux-sqos:/opt/nepenthes/var/binaries # file b6c9254853a642e90756cfb04efd67ea
b6c9254853a642e90756cfb04efd67ea: PE executable for MS Windows (GUI) Intel 80386 32-bit
linux-sqos:/opt/nepenthes/var/binaries # cd /opt/nepenthes/var/hexdumps
linux-sqos:/opt/nepenthes/var/hexdumps # ls -l 16e9e789e405a1bc1e69a3a7f302416b.bin
-rw-r--r-- 1 root root 172 Mar 18 02:26 16e9e789e405a1bc1e69a3a7f302416b.bin
linux-sqos:/opt/nepenthes/var/hexdumps # file 16e9e789e405a1bc1e69a3a7f302416b.bin
16e9e789e405a1bc1e69a3a7f302416b.bin: data
linux-sqos:/opt/nepenthes/var/hexdumps # xxd -g 1 -u 16e9e789e405a1bc1e69a3a7f302416b.bin
0000000: 00 00 00 A8 FF 53 4D 42 72 00 00 00 00 08 01 40 .....SMBr......@
0000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2C 03 ..............,.
0000020: 02 08 10 3E 00 85 00 02 50 43 20 4E 45 54 57 4F ...>....PC NETWO
0000030: 52 4B 20 50 52 4F 47 52 41 4D 20 31 2E 30 00 02 RK PROGRAM 1.0..
0000040: 4D 49 43 52 4F 53 4F 46 54 20 4E 45 54 57 4F 52 MICROSOFT NETWOR
0000050: 4B 53 20 31 2E 30 33 00 02 4D 49 43 52 4F 53 4F KS 1.03..MICROSO
0000060: 46 54 20 4E 45 54 57 4F 52 4B 53 20 33 2E 30 00 FT NETWORKS 3.0.
0000070: 02 4C 41 4E 4D 41 4E 31 2E 30 00 02 4C 4D 31 2E .LANMAN1.0..LM1.
0000080: 32 58 30 30 32 00 02 4C 41 4E 4D 41 4E 32 2E 31 2X002..LANMAN2.1
0000090: 00 02 4E 54 20 4C 41 4E 4D 41 4E 20 31 2E 30 00 ..NT LANMAN 1.0.
00000a0: 02 4E 54 20 4C 4D 20 30 2E 31 32 00 .NT LM 0.12.
linux-sqos:/opt/nepenthes/var/hexdumps #
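As an added example (my own code, not from the original post and not part of Nepenthes or Dionaea), the 172-byte hexdump quoted in the comment above decoded in Python: the file the log flagged as unknown ASN1_SMB/PNP/LSASS/DCOM shellcode is a plain SMB_COM_NEGOTIATE request (SMB1 command 0x72) listing eight dialects, which is what any SMB client sends before a session is set up. Byte offsets follow the MS-CIFS layout; the bytes are copied from the xxd output in the comment.

```python
import struct
# Constructed from the xxd dump quoted in the comment above (the 172-byte file
# 16e9e789e405a1bc1e69a3a7f302416b.bin); bytes.fromhex ignores the spaces.
CAPTURE = bytes.fromhex(
    "00 00 00 A8 FF 53 4D 42 72 00 00 00 00 08 01 40 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 2C 03 "
    "02 08 10 3E 00 85 00 02 50 43 20 4E 45 54 57 4F "
    "52 4B 20 50 52 4F 47 52 41 4D 20 31 2E 30 00 02 "
    "4D 49 43 52 4F 53 4F 46 54 20 4E 45 54 57 4F 52 "
    "4B 53 20 31 2E 30 33 00 02 4D 49 43 52 4F 53 4F "
    "46 54 20 4E 45 54 57 4F 52 4B 53 20 33 2E 30 00 "
    "02 4C 41 4E 4D 41 4E 31 2E 30 00 02 4C 4D 31 2E "
    "32 58 30 30 32 00 02 4C 41 4E 4D 41 4E 32 2E 31 "
    "00 02 4E 54 20 4C 41 4E 4D 41 4E 20 31 2E 30 00 "
    "02 4E 54 20 4C 4D 20 30 2E 31 32 00"
)
# SMB1 command codes from MS-CIFS; 0x72 is what this capture carries.
SMB1_COMMANDS = {0x72: "SMB_COM_NEGOTIATE", 0x73: "SMB_COM_SESSION_SETUP_ANDX"}

def parse_smb1_message(data: bytes) -> dict:
    # Decode NetBIOS session header + 32-byte SMB1 header + (for Negotiate) the dialect list.
    if len(data) < 39:
        raise ValueError("shorter than NetBIOS + SMB1 header + WordCount/ByteCount")
    # NetBIOS session service: type byte (0x00 = session message), 3-byte big-endian length
    nb_type, nb_len = data[0], int.from_bytes(data[1:4], "big")
    if nb_type != 0x00 or nb_len != len(data) - 4:
        raise ValueError(f"NetBIOS length {nb_len} != {len(data) - 4} payload bytes")
    hdr = data[4:36]
    if hdr[:4] != b"\xffSMB":
        raise ValueError("missing \\xffSMB magic")
    status, flags, flags2 = struct.unpack_from("<IBH", hdr, 5)   # fields after the command byte
    tid, pid, uid, mid = struct.unpack_from("<HHHH", hdr, 24)     # last 8 header bytes
    word_count = data[36]
    bcc_off = 37 + 2 * word_count                                 # ByteCount follows the words
    byte_count = struct.unpack_from("<H", data, bcc_off)[0]
    buf = data[bcc_off + 2:bcc_off + 2 + byte_count]
    if len(buf) != byte_count:
        raise ValueError("ByteCount runs past the end of the capture")
    info = {"command": hdr[4], "command_name": SMB1_COMMANDS.get(hdr[4], "unknown"),
            "status": status, "flags": flags, "flags2": flags2, "tid": tid, "pid": pid, "uid": uid,
            "mid": mid, "netbios_length": nb_len, "byte_count": byte_count, "dialects": []}
    if hdr[4] == 0x72:  # Negotiate: buffer is 0x02 + NUL-terminated dialect name, repeated
        pos = 0
        while pos < len(buf):
            if buf[pos] != 0x02:
                raise ValueError(f"expected dialect format byte 0x02 at offset {pos}")
            end = buf.index(b"\x00", pos + 1)
            info["dialects"].append(buf[pos + 1:end].decode("ascii"))
            pos = end + 1
    return info
```

Run it with `parse_smb1_message(CAPTURE)`; a truncated file (wrong NetBIOS length or a ByteCount past the end) raises ValueError instead of returning a half-decoded record.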