Dionaea – Low interaction honeypot

After running Glastopf (Glastopf – Web Application Honeypot) for a few days and not getting any hits, I was a bit disappointed. I speculate that maybe you need to give web application honeypots more time to propagate across the Internet and get picked up by search engines to receive any significant hits, or even give the honeypot its own domain name. From my earlier post you will notice that I had tried to get Dionaea to run first.

Markus, the lead developer of Dionaea, got in contact after he read my post and saw that I was having trouble getting it running. It turned out to be a complete fail on my part: after following the instructions on the Dionaea homepage, Dionaea installed perfectly fine; it was just a case of me not knowing how to run it properly.

What is Dionaea?

Dionaea is meant to be a Nepenthes successor, embedding Python as its scripting language, using libemu to detect shellcode, and supporting IPv6 and TLS.

Dionaea's intention is to trap malware exploiting vulnerabilities exposed by services offered to a network; the ultimate goal is obtaining a copy of the malware.

Dionaea offers the following services by default: SMB (the main service offered), HTTP, FTP and TFTP.

Here is an Nmap scan of the honeypot (first 1000 ports):

PORT STATE SERVICE
21/tcp open ftp
|_ ftp-anon: Anonymous FTP login allowed
42/tcp open tcpwrapped
80/tcp open http?
|_ html-title: Directory listing for /
135/tcp open msrpc?
443/tcp open ssl/https?
|_ sslv2: server still supports SSLv2
|_ html-title: Directory listing for /
445/tcp open microsoft-ds?

Statistics:

Dionaea was running for 1 day, 11 hours and 44 minutes.
The first hit took 14 hours, 10 minutes and 16 seconds.
During that time there were 164 total remote hits.
Top 3 ports (in order of hits): 445, 135 and 0.

RPC vulnerabilities exploited (Microsoft Security Bulletin IDs):
MS03-026
MS04-011
MS04-012
MS05-017
MS07-065
MS06-066
MS05-039
MS08-067
MS04-011

Captured Malware:

You can search for the malware associated with the MD5 hashes above here: http://www.virustotal.com/buscaHash.html

Dionaea is excellent; I feel that I have only scratched the surface of its true potential. For now, unfortunately, the honeypot is turned off until I find a more suitable place to store it other than my living room floor. Hopefully I will do more work in the area of honeypots in the near future once I have some more spare time.

Posted on 17 January, 2010 by ethicalhack3r

9 Responses to “Dionaea – Low interaction honeypot”


  1. d0s


    Nice results
    I plan to set up a honeypot in a VM.
    Dionaea looks pretty cool.
    I know malware & rootkits tend to act differently in VMs, but it would be interesting to see the results.

    D


    Comment posted on January 17, 2010 at 19:51:06 GMT

  2. Lukas


    Hi Ryan,

    You are right; to get hits on Glastopf you have to set up a domain (FQDN > subdomains) and wait for a Google crawler.

    Contact me if there are other questions.

    Greetings,
    Lukas


    Comment posted on January 26, 2010 at 16:53:48 GMT

  3. iVictor


    Going to try it this week. Looks like the home page is down(?). Checking out at ohloh (http://www.ohloh.net/p/dionaea).

    Best Regards.


    Comment posted on March 7, 2010 at 12:23:03 GMT

  4. Ambrose


    Hi there,
    Can you tell me please where I can find some forums or email conferences in which problems with installing and compiling not only dionaea but also its dependencies (like libemu…) are discussed…
    Thanks for any response…


    Comment posted on May 4, 2010 at 12:47:42 GMT

  5. Mona


    Hello there,

    I have installed Dionaea properly; however, I am facing some troubles when I try to run it. Please help.

    Thank you,


    Comment posted on May 17, 2010 at 19:43:52 GMT

  6. Andrew


    Hello, I am having great difficulty running dionaea on Ubuntu. I can’t seem to capture anything; I have taken all security features away and taken the firewall down on my router.

    Thanks


    Comment posted on November 16, 2010 at 14:19:12 GMT

  7. Fhrobro


    Catch those hackas! XD


    Comment posted on December 23, 2010 at 23:06:57 GMT

  8. ash


    How do I read the log file of dionaea?


    Comment posted on December 4, 2011 at 19:59:46 GMT

  9. ash


    I want an explanation of this file. Can anyone tell me?

    linux-sqos:/opt/nepenthes/var/log # cat nepenthes.log

    [18032007 02:26:03 info module] 76 4
    [18032007 02:26:03 info module] SMB Session Request 76
    H CKFDENECFDEFFCFGEFFCCACACACACACA
    [18032007 02:26:03 warn module] Unknown NETDDE exploit 76 bytes State 1
    [18032007 02:26:03 module] Stored Hexdump var/hexdumps/850745ec6a9f3cc3d7ce4bdd7294e468.bin (0x0809fa80 , 0x0000004c).
    [18032007 02:26:03 warn module] Unknown SMBName exploit 0 bytes State 1
    [18032007 02:26:03 info handler dia] Unknown DCOM request, dropping
    [18032007 02:26:11 crit sc handler] MATCH linkxor::link matchCount 5 map_items 5
    [18032007 02:26:11 info sc handler] i = 1 map_items 5 , map = size
    [18032007 02:26:11 info sc handler] i = 2 map_items 5 , map = size
    [18032007 02:26:11 info sc handler] i = 3 map_items 5 , map = key
    [18032007 02:26:11 info sc handler] i = 4 map_items 5 , map = post
    [18032007 02:26:11 info sc handler] Found linkbot XOR decoder, key 0x1b, payload is 0x00b2 bytes long.
    [18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330
    [18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330, key 0xaeed1ff8.
    [18032007 02:26:11 info down mgr] Handler link download handler will download link://64.182.172.15:56330/ru0f+A==
    [18032007 02:26:13 info handler dia] Download via linkbot filetransferr done! ( download is 114176 bytes)
    [18032007 02:26:13 info mgr submit] File b6c9254853a642e90756cfb04efd67ea has type PE executable for MS Windows (GUI) Intel 80386 32-bit
    [18032007 02:26:13 warn dia] Unknown ASN1_SMB Shellcode (Buffer 172 bytes) (State 0)
    [18032007 02:26:13 dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1a40 , 0x000000ac).
    [18032007 02:26:13 warn module] Unknown PNP Shellcode (Buffer 172 bytes) (State 0)
    [18032007 02:26:13 module] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1638 , 0x000000ac).
    [18032007 02:26:13 warn module] Unknown LSASS Shellcode (Buffer 172 bytes) (State 0)
    [18032007 02:26:13 module] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a08f0 , 0x000000ac).
    [18032007 02:26:13 warn handler dia] Unknown DCOM Shellcode (Buffer 172 bytes) (State 0)
    [18032007 02:26:13 handler dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x0809fa80 , 0x000000ac).

    linux-sqos:/opt/nepenthes/var/binaries # ls -l b6c9254853a642e90756cfb04efd67ea
    -rw-r--r-- 1 root root 114176 Mar 18 02:26 b6c9254853a642e90756cfb04efd67ea
    linux-sqos:/opt/nepenthes/var/binaries # file b6c9254853a642e90756cfb04efd67ea
    b6c9254853a642e90756cfb04efd67ea: PE executable for MS Windows (GUI) Intel 80386 32-bit
    linux-sqos:/opt/nepenthes/var/binaries # cd /opt/nepenthes/var/hexdumps
    linux-sqos:/opt/nepenthes/var/hexdumps # ls -l 16e9e789e405a1bc1e69a3a7f302416b.bin
    -rw-r--r-- 1 root root 172 Mar 18 02:26 16e9e789e405a1bc1e69a3a7f302416b.bin
    linux-sqos:/opt/nepenthes/var/hexdumps # file 16e9e789e405a1bc1e69a3a7f302416b.bin
    16e9e789e405a1bc1e69a3a7f302416b.bin: data
    linux-sqos:/opt/nepenthes/var/hexdumps # xxd -g 1 -u 16e9e789e405a1bc1e69a3a7f302416b.bin
    0000000: 00 00 00 A8 FF 53 4D 42 72 00 00 00 00 08 01 40 .....SMBr......@
    0000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2C 03 ..............,.
    0000020: 02 08 10 3E 00 85 00 02 50 43 20 4E 45 54 57 4F ...>....PC NETWO
    0000030: 52 4B 20 50 52 4F 47 52 41 4D 20 31 2E 30 00 02 RK PROGRAM 1.0..
    0000040: 4D 49 43 52 4F 53 4F 46 54 20 4E 45 54 57 4F 52 MICROSOFT NETWOR
    0000050: 4B 53 20 31 2E 30 33 00 02 4D 49 43 52 4F 53 4F KS 1.03..MICROSO
    0000060: 46 54 20 4E 45 54 57 4F 52 4B 53 20 33 2E 30 00 FT NETWORKS 3.0.
    0000070: 02 4C 41 4E 4D 41 4E 31 2E 30 00 02 4C 4D 31 2E .LANMAN1.0..LM1.
    0000080: 32 58 30 30 32 00 02 4C 41 4E 4D 41 4E 32 2E 31 2X002..LANMAN2.1
    0000090: 00 02 4E 54 20 4C 41 4E 4D 41 4E 20 31 2E 30 00 ..NT LANMAN 1.0.
    00000a0: 02 4E 54 20 4C 4D 20 30 2E 31 32 00 .NT LM 0.12.
    linux-sqos:/opt/nepenthes/var/hexdumps #


    Comment posted on December 4, 2011 at 20:01:29 GMT
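As an added example (not part of the original post, nor code from the nepenthes or dionaea projects), here is a small Python parser for the 172-byte hexdump quoted in the comment above: decoding the NetBIOS framing and the SMB1 header shows that the buffer every module logged as "Unknown ... Shellcode" is a plain SMB_COM_NEGOTIATE request carrying the dialects the client supports, not shellcode. The sample bytes are re-typed from the xxd output; the field layout is the standard SMB1 header.

```python
import struct

# Constructed sample input: the 172-byte buffer from the xxd output quoted in the
# comment above (var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin), re-typed here.
SAMPLE_HEX = """
00 00 00 A8 FF 53 4D 42 72 00 00 00 00 08 01 40
00 00 00 00 00 00 00 00 00 00 00 00 00 00 2C 03
02 08 10 3E 00 85 00 02 50 43 20 4E 45 54 57 4F
52 4B 20 50 52 4F 47 52 41 4D 20 31 2E 30 00 02
4D 49 43 52 4F 53 4F 46 54 20 4E 45 54 57 4F 52
4B 53 20 31 2E 30 33 00 02 4D 49 43 52 4F 53 4F
46 54 20 4E 45 54 57 4F 52 4B 53 20 33 2E 30 00
02 4C 41 4E 4D 41 4E 31 2E 30 00 02 4C 4D 31 2E
32 58 30 30 32 00 02 4C 41 4E 4D 41 4E 32 2E 31
00 02 4E 54 20 4C 41 4E 4D 41 4E 20 31 2E 30 00
02 4E 54 20 4C 4D 20 30 2E 31 32 00
"""
SAMPLE = bytes.fromhex(SAMPLE_HEX)
SMB_COM_NEGOTIATE = 0x72


def parse_smb_negotiate(buf):
    """Parse a NetBIOS-framed SMB1 message; for SMB_COM_NEGOTIATE also list dialects."""
    if len(buf) < 36 or buf[0] != 0:          # 0x00 = NetBIOS session message
        raise ValueError("not a NetBIOS session message")
    nbt_len = int.from_bytes(buf[1:4], "big")  # 24-bit big-endian payload length
    if nbt_len != len(buf) - 4:
        raise ValueError("NetBIOS length does not match buffer size")
    if buf[4:8] != b"\xffSMB":
        raise ValueError("missing SMB1 magic")
    # SMB1 header after the magic (28 bytes, little-endian): command, status, flags,
    # flags2, pid_high, 8-byte security features, reserved, tid, pid_low, uid, mid
    command, _status, _flags, flags2, _pidh, _sec, _rsv, tid, pid, uid, mid = \
        struct.unpack_from("<BIBHH8sHHHHH", buf, 8)
    info = {"command": command, "flags2": flags2, "tid": tid, "pid": pid,
            "uid": uid, "mid": mid, "nbt_len": nbt_len, "dialects": []}
    if command != SMB_COM_NEGOTIATE:
        return info
    word_count = buf[36]                       # parameter words (0 for Negotiate)
    params_end = 37 + 2 * word_count
    byte_count = struct.unpack_from("<H", buf, params_end)[0]
    data = buf[params_end + 2:params_end + 2 + byte_count]
    info["byte_count"] = byte_count
    # Each dialect entry is 0x02 (BufferFormat) followed by a NUL-terminated string.
    for entry in data.split(b"\x00"):
        if entry.startswith(b"\x02"):
            info["dialects"].append(entry[1:].decode("ascii"))
    return info
```

Running `parse_smb_negotiate(SAMPLE)` yields eight dialects, from "PC NETWORK PROGRAM 1.0" up to "NT LM 0.12", with ByteCount 133 matching the 133 bytes that follow the header.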
