Dionaea - Setting up a Honeypot environment (Part 2)

1. Introduction

In the previous post, we configured an SSH honeypot using Cowrie. In this tutorial, I will go through the installation and configuration process for a honeypot application named Dionaea. While Cowrie is a honeypot designed to record traffic related to SSH and Telnet, Dionaea focuses on capturing malware.
Dionaea does this by emulating a range of services often exposed to the network; an extensive list can be found here.
We could configure Dionaea to listen on all the protocols found in the above-mentioned list, but as we want our honeypot to look realistic, we will only choose the ones that are most likely to generate incidents.

In this walkthrough we will only be emulating the following services:

Service   Port
MySQL     3306
SMB       445
HTTP      80, 443

In my setup, I will be running Dionaea in parallel with Cowrie.

1.3 Prerequisites:

  • In this tutorial, I decided to use Ubuntu Server 16.04; I cannot guarantee that Dionaea will be compatible with newer versions of Ubuntu.
  • It is also recommended to host this honeypot on a public VPS, as this will give you a lot of interesting data. Hosting it locally for testing purposes is fine, though 😉

2. Installation and basic configuration

2.1 Update

Before we begin with the installation, let's update the system.

$ sudo apt-get update

2.2 Compile & install Dionaea 0.8.0

Compared to Cowrie, Dionaea does not come pre-compiled, which means that we need to compile it ourselves.

Start by downloading the source code:

$ cd ~
$ git clone https://github.com/DinoTools/dionaea.git
$ cd dionaea

Then install all the necessary dependencies used by the compiler:

$ sudo apt-get install \
build-essential \
cmake \
check \
cython3 \
libcurl4-openssl-dev \
libemu-dev \
libev-dev \
libglib2.0-dev \
libloudmouth1-dev \
libnetfilter-queue-dev \
libnl-3-dev \
libpcap-dev \
libssl-dev \
libtool \
libudns-dev \
python3 \
python3-dev \
python3-bson \
python3-yaml \
python3-boto3 \
ttf-liberation

When all the dependencies are in place, we will create a build directory and use cmake to set up the build process. The build directory should be owned by the user running cmake and make, so do not create it with sudo:

$ mkdir build
$ cd build
$ cmake -DCMAKE_INSTALL_PREFIX:PATH=/opt/dionaea ..

Now we will use make to build, and make install to install it to our current system:

$ make
$ sudo make install

Dionaea should now be installed and made available under /opt/dionaea 👍

2.3 Configurations

During the configuration process of Dionaea, there are primarily 4 folders (ihandlers-available, ihandlers-enabled, services-available and services-enabled) and one file (dionaea.cfg) we need to consider.

ihandlers (logging)

Whenever we manage to receive a copy of malware sent to our honeypot, we need a way to handle it; ihandler plugins allow us to do this. There are two ihandler folders under "/opt/dionaea/etc/dionaea/", namely "ihandlers-available" and "ihandlers-enabled". ihandlers-available holds the configuration of every plugin we can enable for Dionaea, while ihandlers-enabled contains a set of symbolic links pointing to configuration files in "ihandlers-available". If a symbolic link exists for a plugin, that plugin is enabled.

services

The two service folders work the same way as the ihandlers folders; the difference is that these refer to the actual protocols mimicked by Dionaea. Our honeypot will be configured with HTTP/HTTPS, MySQL and SMB. As stated in the introduction, we limit the number of exposed services so that the honeypot looks realistic.

dionaea.cfg

This is the main configuration file for Dionaea; we will only make a couple of changes in this file.

2.3.1 Remove unwanted protocols

Dionaea will by default listen on a large set of protocols, and as we only want our honeypot to mimic HTTP(S), MySQL and SMB, we can remove the rest.
We do this by simply deleting the symbolic links in the services-enabled folder:

$ cd /opt/dionaea/etc/dionaea/services-enabled
$ sudo rm blackhole.yaml epmap.yaml ftp.yaml memcache.yaml mirror.yaml mongo.yaml mqtt.yaml mssql.yaml pptp.yaml sip.yaml tftp.yaml upnp.yaml

2.3.2 Configure Dionaea as a service

To make the Dionaea process easier to manage, we will run it as a background service using systemd.

We will start by creating a new file in /etc/systemd/system:

$ sudo nano /etc/systemd/system/dionaea.service

and paste the following:

[Unit]
Description=making network connection up
After=network.target

[Service]
ExecStart=/opt/dionaea/bin/dionaea

[Install]
WantedBy=multi-user.target

We should now be able to control Dionaea with the systemctl command:

Start Dionaea                                   $ systemctl start dionaea
Stop Dionaea                                    $ systemctl stop dionaea
Restart Dionaea                                 $ systemctl restart dionaea
Show the current status of the Dionaea service  $ systemctl status dionaea
Enable Dionaea to start at boot                 $ systemctl enable dionaea

Dionaea should now be up and running 😉

Incident logs will be in the following directory: /opt/dionaea/var/log/dionaea

3. Additional configuration

There are some additional settings we can configure to make our setup a little better.

3.1 Automatically upload captured binaries to VirusTotal

By uploading the captured binaries to VirusTotal, we both help the community and get an automatic AV scan of the binaries we captured.

To do this, you first need a VirusTotal account; I will not go through this process as it is documented in many other places. Simply go to VirusTotal and create an account. Then go to "https://www.virustotal.com/en/user/<username>/apikey/" and copy your API key into virustotal.yaml:

$ sudo nano /opt/dionaea/etc/dionaea/ihandlers-available/virustotal.yaml

and paste your API key into this file:

apikey: "<paste your API key here>"

Then enable the ihandler by creating a symbolic link from ihandlers-available to ihandlers-enabled:

$ cd /opt/dionaea/etc/dionaea/ihandlers-available/
$ sudo ln -s ../ihandlers-available/virustotal.yaml ../ihandlers-enabled/virustotal.yaml

Then restart Dionaea.
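
Both the services step in 2.3.1 and the ihandler step in 3.1 rely on the same mechanism: a plugin is enabled exactly when a symlink to its YAML file exists in the matching *-enabled folder. The POSIX shell helpers below are an added example (not from the original post or the Dionaea project) that audit an etc/dionaea directory against the allow-list used in this tutorial and flag dangling links; the sample tree they build is constructed in a temp directory, not a real install.

```shell
# Added example, not from the original post or the Dionaea project. A plugin is
# enabled when <kind>-enabled/ holds a symlink to its YAML in <kind>-available/
# (kind = services or ihandlers); these helpers audit that state.

# $1 = etc/dionaea root, $2 = services|ihandlers; prints enabled plugin names.
enabled_plugins() {
    for f in "$1/$2-enabled"/*.yaml; do
        [ -L "$f" ] && [ -e "$f" ] || continue   # live symlink => enabled
        basename "$f" .yaml
    done
}
# Symlinks whose target is gone (e.g. the *-available file was deleted).
dangling_plugins() {
    for f in "$1/$2-enabled"/*.yaml; do
        [ -L "$f" ] && [ ! -e "$f" ] || continue
        basename "$f" .yaml
    done
}
# $3 = space-separated allow-list; prints offenders, returns 1 if any exist.
unexpected_plugins() {
    rc=0
    for p in $(enabled_plugins "$1" "$2"); do
        case " $3 " in
            *" $p "*) ;;
            *) echo "$p"; rc=1 ;;
        esac
    done
    return $rc
}
# Constructed sample tree (not a real install) laid out like
# /opt/dionaea/etc/dionaea, with one leftover dangling link (tftp).
make_sample_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/services-available" "$root/services-enabled" \
             "$root/ihandlers-available" "$root/ihandlers-enabled"
    for s in http mysql smb ftp; do
        : > "$root/services-available/$s.yaml"
        ln -s "../services-available/$s.yaml" "$root/services-enabled/$s.yaml"
    done
    ln -s ../services-available/tftp.yaml "$root/services-enabled/tftp.yaml"
    : > "$root/ihandlers-available/virustotal.yaml"
    ln -s ../ihandlers-available/virustotal.yaml "$root/ihandlers-enabled/virustotal.yaml"
    echo "$root"
}

ROOT="$(make_sample_tree)"
echo "enabled:    $(enabled_plugins "$ROOT" services | tr '\n' ' ')"
echo "dangling:   $(dangling_plugins "$ROOT" services | tr '\n' ' ')"
echo "unexpected: $(unexpected_plugins "$ROOT" services 'http mysql smb' | tr '\n' ' ')"
rm -rf "$ROOT"
```

Pointed at a real install, `unexpected_plugins /opt/dionaea/etc/dionaea services "http mysql smb"` exits non-zero if any service other than the three chosen in this tutorial has been enabled again, which makes it a cheap check to run after every upgrade or configuration change.
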


Sources

Honeypot part 1: Setting up Cowrie and Dionaea

https://dionaea.readthedocs.io/en/latest/

https://buildmedia.readthedocs.org/media/pdf/dionaea/latest/dionaea.pdf
