Andy Smith's Blog

  • Announcing Bluepot: a Bluetooth Honeypot

    • Bluetooth
    • Honeypots

    I have finally got around to putting my Bluetooth Honeypot 'Bluepot' online and it is available (source and binaries) here: http://code.google.com/p/bluepot/

    Bluepot is a Bluetooth Honeypot created for a third year university project that attempts to mirror the functionality of internet based honeypots such as Dionaea, but in the world of Bluetooth. It is written in Java and is being released under the GNU General Public License v3.

    It is very much still a work in progress but has a good deal of functionality, including a graphical user interface, support for multiple Bluetooth devices, the ability to 'fake' the device type and support for multiple vulnerabilities. The main support for malware collection is support for the OBEX Push protocol, enabling a computer to automatically download all files sent to it whilst under the guise of a smart phone or printer.

    Bluepot looks like this:

    Bluepot currently only runs on Linux, mainly because Windows only supports one Bluetooth device and support for multiple Bluetooth devices was considered to be a major feature of the project. Adding Windows support should be relatively trivial and is a definite possibility for future development.

    Looking back at Bluepot, 7 months after completing development, there are a number of changes I would like to make and features I would like to add. The code isn't perfect but isn't that awful either; all constructive criticism is welcome.

    More about Bluepot: http://code.google.com/p/bluepot/


  • Kippo Customisations

    • Honeypots
    • SSH

    Having run Kippo for a while now I am beginning to suspect that people are recognising the Kippo install and moving on. This isn't too difficult as there are some fairly static pieces of data that Kippo will provide you with should you request them. Fortunately it's very easy to change these as we see fit, so we will!

    NOTE: Don't just do this. This is not exactly best security practice. I personally am using information about a computer that is not running Kippo and putting it on to a different server. If you just run the below commands on a computer running Kippo then an attacker is going to know all sorts of information about your computer that may give them the upper hand in an actual attack. At the very least edit the passwd file to replace usernames.

    The following commands are to illustrate what I have done. Copying and pasting may not be the best of ideas.

    Update honeyfs:

    cat /proc/cpuinfo > kippo/honeyfs/proc/cpuinfo
    cat /etc/issue > kippo/honeyfs/etc/issue
    cat /etc/passwd > kippo/honeyfs/etc/passwd
    

    Update txtcmds:

    dmesg > kippo/txtcmds/bin/dmesg
    mount > kippo/txtcmds/bin/mount
    # definitely change the I.P. addresses within this file
    ifconfig > kippo/txtcmds/sbin/ifconfig


    Next up I am going to add some more 'programs'

    php -v > kippo/txtcmds/bin/php
    # Python 2 prints its version to stderr, so redirect that as well or the file ends up empty
    python --version > kippo/txtcmds/bin/python 2>&1


    Arguably these two may alert the attacker, as they will be expecting to be able to type php and python rather than just get the version output, but my hope is that it will fool them into thinking that they are installed and encourage them to wget some of their tools.

    So now hopefully our honeypot will look more legitimate to the attacker, or at least one that has gotten used to stock Kippo installs. Only time will tell!
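    The steps above, gathered into one small POSIX shell script as an added example (this is not part of the original post, nor code from Kippo itself). It collects the same files, but pipes the ones that leak real addresses and account names through two sanitising filters before they are written into the honeyfs and txtcmds trees, which is the "definitely change the I.P. addresses" and "replace usernames" advice done mechanically. The function names (sanitize_ips, sanitize_passwd, build_kippo_files, demo), the 192.0.2.x replacement range and the sample ifconfig and passwd lines are all my own constructed choices.

```shell
#!/bin/sh
# Added example (not from the original post or from Kippo): populate Kippo's
# honeyfs and txtcmds trees from a donor machine while scrubbing real IPs and
# usernames. Function names, the 192.0.2.0/24 replacement range (RFC 5737
# TEST-NET-1) and the sample data below are constructed for this example.

# Rewrite every dotted-quad IPv4 address to 192.0.2.<last octet>, keeping the
# last octet so the fake output still looks internally consistent. Quads that
# start with 255 (netmasks) or 127 (loopback) are left alone. The match is
# crude: a four-part version string such as 2.6.32.1 is rewritten too, so
# still review the result by hand as the post recommends.
sanitize_ips() {
  sed -E 's/(^|[^0-9.])([0-9]|[0-9][0-9]|1[01][0-9]|12[0-68-9]|1[3-9][0-9]|2[0-4][0-9]|25[0-4])(\.[0-9]{1,3}){2}\.([0-9]{1,3})($|[^0-9.])/\1192.0.2.\4\5/g'
}

# Replace the name, GECOS field and home directory of every human account
# (uid >= 1000, excluding nobody) with a numbered placeholder; system
# accounts are kept so the file still looks like a real passwd.
sanitize_passwd() {
  awk -F: -v OFS=: '
    $3 >= 1000 && $1 != "nobody" {
      n++
      $1 = "user" n; $5 = "User " n; $6 = "/home/user" n
    }
    { print }'
}

# Collect the same files the post does, filtered, into DEST (e.g. ./kippo).
# This runs real system commands, so it is only ever called explicitly.
build_kippo_files() {
  dest=$1
  mkdir -p "$dest/honeyfs/proc" "$dest/honeyfs/etc" \
           "$dest/txtcmds/bin" "$dest/txtcmds/sbin"
  cat /proc/cpuinfo                   > "$dest/honeyfs/proc/cpuinfo"
  cat /etc/issue                      > "$dest/honeyfs/etc/issue"
  sanitize_passwd < /etc/passwd       > "$dest/honeyfs/etc/passwd"
  dmesg 2>/dev/null | sanitize_ips    > "$dest/txtcmds/bin/dmesg"
  mount | sanitize_ips                > "$dest/txtcmds/bin/mount"
  ifconfig 2>/dev/null | sanitize_ips > "$dest/txtcmds/sbin/ifconfig"
  php -v           > "$dest/txtcmds/bin/php"    2>&1
  python --version > "$dest/txtcmds/bin/python" 2>&1   # Python 2 writes this to stderr
}

# Constructed sample input, in the net-tools ifconfig and passwd formats of the day.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.42  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh'

# Show what the filters do to the samples without touching the real system.
demo() {
  printf '%s\n' "$SAMPLE_IFCONFIG" | sanitize_ips
  printf '%s\n' "$SAMPLE_PASSWD"   | sanitize_passwd
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

    Run it as `sh script.sh demo` to see the filters applied to the constructed samples; the address line comes out as `inet addr:192.0.2.42  Bcast:192.0.2.255  Mask:255.255.255.0` and the human account becomes `user1`. Calling `build_kippo_files ./kippo` on a donor machine produces the same tree of files the post's commands do, minus the real addresses and names.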


  • Running GlastopfNG

    • Honeypots
    • Web

    I decided to try out GlastopfNG recently; I don't know too much about it other than that it is a web application honeypot and the successor to Glastopf. I decided that the best way to learn about it would be to try it out.

    This was on an Ubuntu 10.04 LTS. At first I set out to compile from source, but as the binaries are provided and compiling from source turned out to be a little tricky, I took the easier option.

    wget http://dev.glastopf.org/attachments/17/GlastopfNG.zip
    unzip GlastopfNG.zip
    cd GlastopfNG/
    

    As this is not the latest version there is a NullPointerException bug in this binary; we have to move a .log file to work around it:

    mv ./modules/report/cleanLog/cleanLog.log ./modules/report/cleanLogXXX.log
    

    (This needs to be run each time before you start GlastopfNG)

    Then we can start!

    java -jar GlastopfNG.jar
    

    Now to experiment, results to follow!


  • Honeypot Hosting

    • Honeypots

    As I am just a honeypot hobbyist and not affiliated with any university or the security department of any organisation I have to host my honeypots myself.

    Currently I rent a VPS to do this, a low spec server with two IP addresses. This is perfectly acceptable for my needs (after all, this is just a hobby) but with my lease expiring soon I decided to hunt for the perfect "honeypot host".

    There's little information on the internet regarding honeypot hosting and posts I have made in the past on forums have turned up nothing so I decided to contact the hosts directly.

    Results

    I contacted just over ten ISPs, specifically those that specialise in VPS hosting (because I'm cheap); here is what I asked them and what they said:

    Q: Can I run a honeypot on your servers?

    • A (best): Yes
    • A (worst): No

    I didn't ask this question directly, although it was discussed in the content of my email to explain my IP address greed. I was surprised to find many hosts completely unwelcoming to the idea of having a honeypot on their servers. One response from those that weren't interested was that running one would "put a target on everyone within the core infrastructure of that facility", and this was not uncommon. Attempts to explain that I wasn't exactly planning on sticking an unpatched Windows XP install on their systems fell on deaf ears.

    Q: How many IP addresses can I get?

    • A (most): 5
    • A (least): 0

    Obviously quite important for the purposes of running a honeypot, this was the main piece of information I was after. Unfortunately, the maximum offer I received was 8 (with 5 usable). Further enquiries led me to find that RIPE are (understandably) quite particular about what they give IP addresses out for and who to: after allocating a block to an ISP they will perform an audit, and if the ISP aren't using the addresses as RIPE see fit they won't give them any more. I contacted RIPE about this; they weren't particularly informative and were mostly eager to get me to sign up as a member.

    Q: Can you guarantee a good dispersion of the addresses?

    • A (best): Probably not
    • A (worst): No

    Generally the answer was that this was not possible, as ISPs dish out IPs as they get them and are themselves generally allocated addresses in blocks. Either way, there was no way for any host contacted to guarantee such a service.

    The Hosts

    Those hosts that responded and were happy to host honeypots are as follows:

    Conclusion

    All in all, fairly disappointing results, possibly hardly worth the blog post, except in the vain hope that I've missed some super host that can offer me all I need. This is by no means an extensive study, but the responses are fairly bleak for those of us with limited resources; regardless, I hope this may save someone the time I expended.

    Follow Up - 3 months on

    This is a quick note I'm adding to the bottom of this article for anyone who finds it and wants to know what I did. I went with tagadab in the end, as they had the best value and the most IPs on offer. Furthermore their support not only knew what a honeypot was but were welcoming towards the idea of hosting them. I got 5 IPs; they were unvaried (as I had been warned): basically x.x.x.x, x.x.x.x+1, ..., x.x.x.x+4.

    The experience has been fine, the server stable and speedy and no bother for hosting honeypots. Exactly what I wanted.

    For those in the position I was in 3 months ago I would give a piece of advice that I would like to have tried. From the get-go I chose '5 IPs', the maximum; I realised that perhaps my impatience had caused me to miss a trick. What I should have done is request 1 IP, then a week later another, then a week later another and so on until I had hit my maximum. This would have almost certainly resulted in a more varied selection of IPs.

    If you try this let me know how it works!
