As I wrote in The fundamentals of honeypots and honeynets, in this post I'll cover in detail how to install and use HoneyPy as a honeypot.
There are two ways to install honeypy.
* First, you can clone the repository or download the latest version of HoneyPy as a zip from https://github.com/foospidy/HoneyPy
Next, you need to install the Python dependencies. In my case I'm using Ubuntu; make sure you run the commands as root.
    apt-get install -y python-requests python-twisted python-pip
    pip install twitter dnslib
* The second way is to use Docker. You can see how to install it here
First, run honeyPy with its “out-of-the-box” configuration:
You will see the honeyPy console:
In console mode services do not start automatically; use the start command. Type the help command for a list of command options.
Note: You can lose your HoneyPy session if you terminate the terminal session. There are two ways to prevent that from happening. The first is to use the terminal utility screen. Alternatively, you can run HoneyPy in daemon mode using:
    python Honey.py -d &
The problem now is we need to deal with running honeyPy services on low ports.
    Your service configuration suggests that you want to run on at least one low port!
    To enable port redirection run the following ipt-kit (https://github.com/foospidy/ipt-kit) commands as root:

    ./ipt_set_tcp 7 10007
    ./ipt_set_udp 7 10007
    ./ipt_set_tcp 8 10008
    ./ipt_set_udp 8 10008
    ./ipt_set_tcp 23 10009
    ./ipt_set_tcp 24 1001
This tells us that HoneyPy is configured to listen on low ports (ports below 1024). A process needs root privileges to open and listen on low ports; however, HoneyPy should be run as a non-root user. Since there are many low-port services you might want to run (e.g. telnet, ftp, ssh, dns), the solution is to use iptables to forward each low port to a high port that HoneyPy can use.
Modifying iptables is quite complex if you are new to it. Fortunately, the author of HoneyPy created scripts to make things easier.
Below are the steps on how to use ipt-kit to configure iptables for honeyPy.
For detailed instructions you can read more here. In this post I focus only on the commands to run.
Note: If you are using Docker, the default image on Docker Hub is not the latest version, so you have to build a HoneyPy image yourself. If you are not, never mind.
Build the HoneyPy image
    git clone https://github.com/foospidy/HoneyPy-Docker.git
    cd HoneyPy-Docker
    make build-debian
    sudo docker run --privileged -u 0 -it foospidy/honeypy:latest
Configure HoneyPy to run on low ports
    python Honey.py -ipt
    wget https://github.com/foospidy/ipt-kit/archive/v1.1.tar.gz
    tar -xzf v1.1.tar.gz
    cd ipt-kit-1.1/
    cp /tmp/honeypy-ipt.sh .
    ./honeypy-ipt.sh
    ./ipt_survive_reboot y
The result after running the commands above:
By default, events are logged to the default log file. The default log file is not the nicest file to read, which is why HoneyPy has more useful "loggers" that can be enabled (in honey.cfg):
* Twitter – Tweet events on Twitter
* Logstash – Post events to Logstash
* Elasticsearch – Post events directly to Elasticsearch
* Slack – Post events to a Slack channel
* HoneyDB – Post events to HoneyDB
It's very easy to configure the loggers. I won't cover it in detail here.
CONFIGURING HONEYPY SERVICES
The configuration file is located at dir/etc/services/cfg. This is the file that tells HoneyPy what services to run, and what ports to run them on. Here is an example:
    [Echo]
    plugin = Echo
    low_port = tcp:7
    port = tcp:10007
    description = Echo back data received via tcp.
    enabled = Yes
* [Echo]: specifies the name of the service.
* plugin: tells HoneyPy which plugin to load and use for service emulation.
* low_port: the low port, if the service is going to listen on one.
* port: the port HoneyPy will actually listen on.
* enabled: tells HoneyPy whether this service should be enabled or disabled at startup.
Another example looks like this:
    [EgDNS]
    plugin = Echo
    low_port = udp:53
    port = udp:10053
    description = A very simple fake DNS listener that echoes back data from DNS queries.
    enabled = Yes
If we wanted a more interactive DNS service, there is the DnsUdp plugin in the plugins folder. The configuration entry would look like this:
    [BetterDNS]
    plugin = DnsUdp
    low_port = udp:53
    port = udp:10053
    description = A low interaction DNS listener that responds to DNS queries.
    enabled = Yes
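The two DNS entries above use the same low port and the same listening port, so only one of them can be enabled at a time. The following check is an added example, not part of HoneyPy or of the original post: it reads a services file in the format shown above, lists the ipt-kit commands in the form quoted in the low-port warning, and reports enabled services that collide or that would need root to bind. The names `audit_services`, `parse_port` and `SAMPLE` are hypothetical, and the sample input is constructed.

```python
import configparser

# Constructed sample in the format shown above, with both DNS entries enabled.
SAMPLE = """\
[Echo]
plugin = Echo
low_port = tcp:7
port = tcp:10007
enabled = Yes
[EgDNS]
plugin = Echo
low_port = udp:53
port = udp:10053
enabled = Yes
[BetterDNS]
plugin = DnsUdp
low_port = udp:53
port = udp:10053
enabled = Yes
"""

def parse_port(value):  # 'tcp:7' -> ('tcp', 7); ValueError if malformed
    proto, _, number = value.strip().lower().partition(":")
    if proto not in ("tcp", "udp") or not 0 < int(number) < 65536:
        raise ValueError("expected tcp:N or udp:N, got %r" % value)
    return proto, int(number)

def audit_services(cfg_text):
    """Return (ipt-kit redirect commands, problems) for enabled services."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    commands, problems, owners = [], [], {}
    for name in cfg.sections():
        svc = cfg[name]
        if svc.get("enabled", "").strip().lower() != "yes":
            continue  # disabled services open no listener
        try:
            listen = parse_port(svc["port"])
            low = parse_port(svc["low_port"]) if "low_port" in svc else None
        except (KeyError, ValueError) as exc:
            problems.append("%s: bad port setting (%s)" % (name, exc))
            continue
        if listen[1] < 1024:  # HoneyPy runs as non-root and cannot bind here
            problems.append("%s: %s:%d needs root to bind" % (name, *listen))
        if owners.setdefault(listen, name) != name:
            problems.append("%s: %s:%d already used by %s" % (name, *listen, owners[listen]))
            continue
        if low and low[1] < 1024 <= listen[1] and low[0] == listen[0]:
            commands.append("./ipt_set_%s %d %d" % (low[0], low[1], listen[1]))
    return commands, problems
```

Calling `audit_services(SAMPLE)` reports BetterDNS as colliding with EgDNS on udp:10053; setting `enabled = No` on one of the two clears the report.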
I hope this post serves as a quick start for you if you want to try using HoneyPy as a honeypot for the first time.
For details, you can read more on GitHub.