A quickstart with honeyPy – All things in moderation

Following on from The fundamentals of honeypots and honeynets, in this post I'll cover in detail how to install and use honeyPy as a honeypot.

INSTALLING HONEYPY

There are two ways to install honeyPy.
* First, you can clone the repository or download the latest version of honeyPy as a zip from https://github.com/foospidy/HoneyPy

Next, you need to install the Python dependencies. In my case I'm using Ubuntu. Make sure you run the commands as root.

apt-get install -y python-requests python-twisted python-pip
pip install twitter dnslib  
* The second way is to use Docker. You can see how to install it here

RUNNING HONEYPY

First, run honeyPy with its “out-of-the-box” configuration:

python Honey.py  

You will see the honeyPy console:

In console mode, services do not start automatically; use the start command. Type the help command for a list of command options.

Note: You can lose your honeyPy session if you terminate the terminal session. There are two ways to prevent that from happening. The first is to use the terminal utility screen. Alternatively, you can run honeyPy in daemon mode using:

python Honey.py -d &

The problem now is we need to deal with running honeyPy services on low ports.

Your service configuration suggests that you want to run on at least one low port!
To enable port redirection run the following ipt-kit (https://github.com/foospidy/ipt-kit) commands as root:

./ipt_set_tcp 7 10007
./ipt_set_udp 7 10007
./ipt_set_tcp 8 10008
./ipt_set_udp 8 10008
./ipt_set_tcp 23 10009
./ipt_set_tcp 24 1001  

This tells us that honeyPy is configured to listen on low ports (ports below 1024). A process needs root privileges to open and listen on low ports; however, honeyPy should be run as a non-root user. Since there are many low-port services you might want to run (e.g. telnet, ftp, ssh, dns), the solution is to use iptables to forward each low port to a high port that honeyPy can use.

Modifying iptables is quite complex if you are new to it. Fortunately, the author of honeyPy created scripts to make things easier.

Below are the steps for using ipt-kit to configure iptables for honeyPy.
For detailed instructions you can read more here. In this post I focus only on the commands to run.

Note: The default image on Docker Hub is not the latest version, so if you are using it you have to build a honeyPy image yourself. If you are not using Docker, never mind.

Build the honeyPy image

git clone https://github.com/foospidy/HoneyPy-Docker.git  
cd HoneyPy-Docker  
make build-debian  
sudo docker run --privileged -u 0 -it foospidy/honeypy:latest

Configure honeyPy to run on low ports

python Honey.py -ipt  
wget https://github.com/foospidy/ipt-kit/archive/v1.1.tar.gz  
tar -xzf v1.1.tar.gz  
cd ipt-kit-1.1/  
cp /tmp/honeypy-ipt.sh .  
./honeypy-ipt.sh  
./ipt_survive_reboot  
y 


The result after running the commands above

CONFIGURING HONEYPY

By default, events are logged to the default log file. The default log file is not the nicest file to read, which is why honeyPy has more useful “loggers” that can be enabled (honey.cfg).
These include:
* Twitter – Tweet events on Twitter
* Logstash – Post events to Logstash
* Elasticsearch – Post events directly to Elasticsearch
* Slack – Post events to a Slack channel
* HoneyDB – Post events to HoneyDB

Configuring loggers is very easy, so I won’t cover it in detail here.

CONFIGURING HONEYPY SERVICES

The service configuration file is located at dir/etc/services/cfg. This is the file that tells honeyPy which services to run and which ports to run them on. Here is an example:

[Echo]
plugin = Echo
low_port = tcp:7
port = tcp:10007
description = Echo back data received via tcp.
enabled = Yes  

[Echo]: this specifies the name of the service.

plugin: tells honeyPy which plugin to load and use for service emulation.

low_port: the low port, set if the service is meant to listen on a low port.

port: this is the port honeyPy will actually listen on.

description: a description of the service.

enabled: this tells honeyPy whether this service should be enabled or disabled at startup.

Another example looks like this:

[EgDNS]
plugin = Echo
low_port = udp:53
port = udp:10053
description = A very simple fake DNS listener that echoes back data from DNS queries.
enabled = Yes

If we wanted a more interactive DNS service, there is a DnsUdp plugin in the plugins folder. Its configuration entry would look like this:

[BetterDNS]
plugin = DnsUdp
low_port = udp:53
port = udp:10053
description = A low interaction DNS listener that responds to DNS queries.
enabled = Yes
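
A small lint for the service file format shown above, as an added example (Python 3, not part of honeyPy or the original post): it lists the ipt-kit redirect each enabled service needs and flags two enabled services sharing a listen port, as EgDNS and BetterDNS would if both entries were kept, or a listen port below 1024. The function name lint_services and the sample text are constructed for illustration.

```python
import configparser

# Constructed sample in the services file format shown above (descriptions omitted).
SAMPLE = """
[Echo]
plugin = Echo
low_port = tcp:7
port = tcp:10007
enabled = Yes

[EgDNS]
plugin = Echo
low_port = udp:53
port = udp:10053
enabled = Yes

[BetterDNS]
plugin = DnsUdp
low_port = udp:53
port = udp:10053
enabled = Yes
"""

def lint_services(text):
    """Return (redirects, problems) for the enabled services in `text`."""
    cfg = configparser.ConfigParser(delimiters=("=",))
    cfg.read_string(text)
    redirects, problems, owner = [], [], {}
    for name in cfg.sections():
        if not cfg.getboolean(name, "enabled", fallback=False):
            continue  # disabled services bind nothing
        proto, port = cfg[name]["port"].split(":")
        if int(port) < 1024:
            problems.append(f"{name}: listen port {port} is below 1024 (needs root)")
        if (proto, port) in owner:
            # Two enabled services cannot bind the same protocol and port.
            problems.append(f"{name}: {proto}:{port} already used by {owner[proto, port]}")
            continue
        owner[proto, port] = name
        low = cfg[name].get("low_port")
        if low:
            low_proto, low_port = low.split(":")
            # Same form as the ipt-kit commands in honeyPy's low-port message.
            redirects.append(f"./ipt_set_{low_proto} {low_port} {port}")
    return redirects, problems

if __name__ == "__main__":
    redirects, problems = lint_services(SAMPLE)
    print("\n".join(redirects + problems))
```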

CONCLUSION

I hope this post serves as a quickstart for you if you want to try using honeyPy as a honeypot for the first time.
For details, you can read more on GitHub.

