Ok I know I haven’t been posting much lately about packets I have captured but it not like I have built a fan base yet. I have succeeded in one of my goals however, using honeytrap to capture packets for the security community. Recently port 20000 was reported as on the rise by Dshield and SANS had a call for packets. Being that honeytrap is listening on all ports all of the time I was able to filter all my pcap data for that port and submit full packet captures from established sessions. I know it’s not much, but it is a step in the direction I was hoping to take with this project. Hopefully I can continue to keep on top of the SANS postings and keep submitting packets.
Monday, January 22, 2007
Tuesday, January 02, 2007
HONEYTRAP Gotcha!
I decided to install honeytrap on a Linux laptop and open it up to the world via the DMZ option on my D-Link router. I started with Fedora Core 5 running on a 1Ghz Sony Vaio laptop with 256 Mbs of RAM. I started by locking down the host OS.
root@localhost# chkconfig –list | awk ‘/3:on/ {print $1}’
root@localhost# chkconfig service name off ; turn off service for run level 3
root@localhost# service service name stop ; stop the service
This first command will show you a list of services running on the host. To determine which service to turn off, refer to the internet. For all my purposes, I just wanted SSH running on port 2929 so I turned off any service that listens on any other port.
The first thing I did was to download honeytrap from “http://honeytrap.sourceforge.net/start.html” and compile the sources. I decided to compile with the pcap monitoring switch, however after running it and researching on the web, I found out that with the pcap option honeytrap drops the first packet and only establishes a socket with the second packet on that same port. As much of the activity I see on my FIOS connection is one off scanning and probing, this option was surely not for me.
To alleviate this problem I compiled honeytrap with the IPQ option. This uses iptables to send the initial SYN to honeytrap therefore dynamically creating a socket with the first connection attempt. I did this with the following configure switches:
root@localhost# ./configure –with-ipq-mon
I immediately got the error:
checking for libipq.h... no
I attempted to pull down the iptables sources, however these did not include “libipq.h”. After some searching I found on rpmfind, “iptables-devel-1.2.9-10.rpm”. installing this I got a dependency error for “iptables-1.2.9”. Not too discouraged, I downloaded and compiled iptables-1.2.9 and installed the devel RPM with the –nodeps switch. After installing these dependencies, I issued a:
root@localhost# find / -name libipq.h
/usr/include/libipq.h
Halleluiah!!
Now I move back to the honeytrap directory and issue:
root@localhost# ./make clean
root@localhost# ./configure –with-ipq-mon
root@localhost# make
root@localhost# make install
Now to make sure it ignored SSH port 2929, appended:
include = /etc/honeytrap/ports.conf
In the /etc/honeytrap/honeytrap.conf file and created a /etc/honeytrap/ports.conf file with the following:
port=2929,ignore
Load the IPQ module:
root@localhost# modprobe ip_queue
Issue “lsmod” command to ensure that the ip_queue module is loaded
Issue the following command to enable iptables to forward SYN’s to honeytrap:
iptables -A INPUT –i eth0 –p tcp -–syn –m state -–state NEW –j QUEUE
Once in place I envoke honeytrap:
root@localhost# ./honeytrap –u eon –g eon –D
honeytrap v0.6.2 Copyright © 2005-2006 Tillman Werner tillman.Werner@gmx.de
[2006-10-07 21:02:47] ----Trapping attacks via IPQ. ----
AT LAST!!!!!!!
This runs honeytrap with a non-root user and group and the –D flag tells honeytrap not to go into daemon mode.
On another host I have tshark runnig to capture traffic off of a switch span port:
root@localhost# tshark –w log dir -a filesize:50000 –b files:5 –i interface –f filter expression
This allows for 5 rotating 50Mb files in your log directory.
With this I can easily monitor connection attempts and capture the full payload of any inbound connection attempt to my Honeytrap.
Now I sit and wait for the interesting traffic. Being a packet monkey, I will post any interesting findings/packets to this blog.