1. Running manuka docker honeypot setup

    I've just got dionaea and kippo running in docker images on to make a quick to set up honeypot. The project is called manuka.

    Here's how to get manuka running on Ubuntu 14.04:

    #install docker (skip if you have docker 1.3+ already)
    [ -e /usr/lib/apt/methods/https ] || {
      sudo apt-get update
      sudo apt-get install apt-transport-https
    }
    
    sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys \
        36A1D7869245C8950F966E92D8576A8BA88D21E9
    
    sudo sh -c "echo deb https://get.docker.com/ubuntu docker main > \
        /etc/apt/sources.list.d/docker.list"
    
    sudo apt-get update
    sudo apt-get -y install lxc-docker
    
    #install docker-compose
    sudo apt-get install -y python-pip
    sudo pip install docker-compose
    
    #run manuka
    curl -q https://raw.githubusercontent.com/andrewmichaelsmith/manuka/master/run.sh > run.sh
    chmod +x run.sh
    sudo ./run.sh
    

    You have just setup dionaea and kippo.

    Let's try out kippo:

    ssh [email protected]
    # > Password: <12345>
    # > [email protected]:~#
    

    And dionaea:

    sudo nmap  -d -p 445 127.0.0.1 --script=smb-vuln-ms10-061
    ls var/dionaea/bistreams
    # > total 4.0K
    # > drwxr-xr-x 2 nobody nogroup 4.0K Mar 16 23:21 2015-03-16
    

    All logs and files will be saved under $PWD/var/.

    Happy to hear any bug reports and feature requests on Github.

    read more

    There are comments.

  2. Docker volume and docker VOLUME

    I've been fiddling with docker lately and it took me a while to come to this realisation. The docker volume command line argument and the docker VOLUME Dockerfile instruction are a bit different.

    The docker volume command line argument:

    docker run -v /var/logs:/var/logs ubuntu echo test
    

    And the docker VOLUME Dockerfile instruction:

    VOLUME /var/logs
    

    The Dockerfile VOLUME instruction doesn't support host directories.

    As discussed in this stackoverflow post it looks like this is intentional because it makes things less portable.

    read more

    There are comments.

  3. Quick and Easy SSH MITM

    A quick intro to using mitmproxy to man-in-the-middle an SSH connection.

    So you want to sniff an SSH connection (that you have access to) but wireshark is giving you junk? Luckily someone has written a tool for that. The mitmproxy by Maximilian Hils allows you to plop a fake server in between your SSH client and the SSH server you're connecting to.

    I wanted to have a nose at the data sent from git to github over SSH. This is what I did.

    # Download mitmproxy
    git clone https://github.com/mitmproxy/mitmproxy.git
    
    #Generate mitm keys (these go to ~/.mitmkeys)
    ./mitmkeys
    

    Now you want to install the SSH key you just generated to the server you want to mitm.

    #Install SSH key
    ssh-copy-id -i ~/.mitmkeys/id_rsa.pub [email protected]
    

    Then run the proxy, pointing it at the victimserver.

    #Run proxy
    ./mitmproxy_ssh -H victimserver
    

    This runs the proxy on localhost:2222

    Now simply connect to the local proxy:

    ssh localhost -p 2222
    

    And ta-da! You should see the raw data sent between client and server in the window you ran mitmproxy_ssh.

    read more

    There are comments.

  4. Raspberry Pi Wi-Fi Honeypot

    I wanted to turn my Raspberry Pi in to a "fake" wireless access point that would accept Wi-Fi connections without a password but sandbox all requests to a local web server, like some hotel Wi-Fi you might encounter.

    It turns out that to achieve this you need a Wi-Fi dongle that supports "AP Mode". I ended up ordering an Edimax EW-7711UAN which has worked perfectly in AP mode with the pi so far.

    For this tutorial I am assuming that your pi is physically connected to your network via a LAN cable (on eth0). We can't set this up over Wi-Fi because the Wi-Fi network is going to be sandboxed.

    Install

    So, beginning with a fresh Raspian install I installed the following:

    sudo apt-get install -y hostapd dnsmasq nginx
    
    • hostapd will allow you to receive connections on your dongle, as if it were a wireless router.

    • Dnsmasq will allow the pi to provide DNS and DHCP services which is the bare minimum we need to get the clients to "work" on the network.

    • Nginx is the web server we'll use to serve the dummy files on our sandboxed network.

    Configuration

    First hostapd:

    sudo touch /etc/hostapd/hostapd.conf
    sudo nano /etc/hostapd/hostapd.conf
    

    And paste the following:

    interface=wlan0
    driver=nl80211
    ssid=NotFreeWifi
    channel=1
    

    We also need to tell hostapd where to find this config file:

    sudo nano /etc/init.d/hostapd
    

    Find the line:

    DAEMON_CONF=
    

    And change it to:

    DAEMON_CONF=/etc/hostapd/hostapd.conf
    

    This will set your pi up to accept unsecured connections. Don't do it if you don't know what you're doing.

    Next up, dnsmasq:

    sudo nano /etc/dnsmasq.conf
    

    And paste the following (at the end of the file):

    log-facility=/var/log/dnsmasq.log
    address=/#/10.0.0.1
    interface=wlan0
    dhcp-range=10.0.0.10,10.0.0.250,12h
    no-resolv
    log-queries
    

    This will set up the DHCP server, resolve all DNS lookups to 10.0.0.1 and log all queries to /var/log/dnsmasq.

    Now, you may have noticed that we used 10.0.0.1 there, the plan is to get the Wi-Fi adaptor listening on 10.0.0.1. This is to segregate the open Wi-Fi connections from the regular network:

    sudo nano /etc/network/interfaces
    

    And replace the contents with:

    auto lo
    
    iface lo inet loopback
    iface eth0 inet dhcp
    
    iface wlan0 inet static
    address 10.0.0.1
    netmask 255.255.255.0
    broadcast 255.0.0.0
    pre-up iptables-restore < /etc/iptables.rules
    

    Then, let's put a message in our www directory:

    sudo echo "<h1>hello!<h1>" > /usr/share/nginx/www/index.html
    

    Finally, we want to lock down our pi so that anyone who gets on the open network can't get up to any funny business:

    sudo iptables -F
    sudo iptables -i wlan0 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -i wlan0 -A INPUT -p tcp --dport 80 -j ACCEPT
    sudo iptables -i wlan0 -A INPUT -p udp --dport 53 -j ACCEPT
    sudo iptables -i wlan0 -A INPUT -p udp --dport 67:68 -j ACCEPT
    sudo iptables -i wlan0 -A INPUT -j DROP
    
    sudo sh -c "iptables-save > /etc/iptables.rules"
    

    Let's set up all these services to start on startup so it will just work each time we turn it on:

    sudo update-rc.d nginx defaults
    sudo update-rc.d hostapd defaults
    sudo update-rc.d dnsmasq defaults
    

    Now make sure this will work on boot by turning it off and on again:

    sudo reboot
    

    Testing

    If you do a Wi-Fi search on your laptop or phone you should now see "NotFreeWifi". If you connect and type in "www.blaargh.com" you should get the message we wrote out earlier.

    Conclusion

    Now if you're a normal human being you've probably just blindly pasted these commands in to your shell. If you'd like to know what you've set up, then read on!

    Using hostapd we've set up our wireless dongle to take unsecured (no passwords) connections using the SSID "NotFreeWifi". This will allow anyone with Wi-Fi on their laptop or phone or whatever to connect to the pi.

    On it's own this won't do much - clients won't be able to do anything once they connect -so we've setup Dnsmasq to give clients I.P. addresses and tell them use 10.0.0.1 (the pi's I.P.) as a gateway.

    We've also used Dnsmasq to provide a DNS server which we've (rather sneakily) set up to give the address 10.0.0.1 to any request. So if someone tries to visit facebook.com, we tell them the address is 10.0.0.1

    Finally we've set up a webserver on the pi - so when users do try and go to facebook.com they actually connect to our pi - where we say hello to them.

    Results

    I've been running this on my pi for a week now and because of it's location I wasn't expecting to get any connections. Which is why I was pretty surprised to see that 5 people who weren't me have connected:

    sudo cat /var/log/dnsmasq.log  | grep provides | awk '{print $9}' | sort | uniq
    
    android-xxxxxxxxxxxx2535
    android-xxxxxxxxxxxx2c93
    android-xxxxxxxxxxxx96cc
    Axxxxx-iphone
    BLACKBERRY-Exxx
    
    read more

    There are comments.

« Page 2 / 6 »

social