How to set up your own Dionaea honeypot to collect malware samples

2025-04-06 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Brief introduction

Many security personnel are keen on reverse engineering of malware. In this article, I will teach you to set up your own Dionaea honeypot to assist in the collection of malware samples.

This article mainly covers the honeypot setup steps on Amazon Web Services (AWS). If you are not familiar with AWS, I suggest you first get a basic understanding of it, which will make the rest easier to follow. Be aware that a micro instance with less than 50 GB of disk space qualifies for a free server, but you must give AWS your credit card details; as long as you stay within the free limit, it stays free. You can also start several micro instances, but note that even then you only get one month's worth of hours in total: if you split them across two micro instances, each gets half, and if you exceed the quota you will be charged. Keep this point in mind!

FB encyclopedia

Dionaea is a low-interaction honeypot and an open source project of the Honeynet Project. It is designed to trap malicious attacks and to capture attack sessions and malware samples. By emulating a variety of common services, it captures the attack traffic sent to those services, records the IP, port, protocol type and other details of the attack source and target together with the complete network session, automatically analyzes any shellcode it detects, including its function calls and download behaviour, and retrieves the malicious programs.

Required skills

Learn about common Linux commands

Have a certain understanding of network knowledge

Server

A server (AWS is highly recommended; with a credit card on file, the free tier costs nothing)

Disclaimer (optional)

Some hosting providers don't like malware. As a result, they may not allow you to collect malware samples on their servers.

AWS Settings

Now let's set up the AWS instance. (if you are not using AWS, skip to the next section)

1. Click EC2 and create a new instance (EC2 == AWS servers). Then select Ubuntu Server 14.04 LTS.

2. Then select the micro instance type (the free-tier size mentioned above).

3. Well, for the Configure Instance Details step, select the "Auto-assign Public IP" item and set it to "Enable".

4. For the storage configuration, simply accept the default values and click "Next".

5. On the tags step, just click "Next".

6. By default, AWS only opens the SSH port. Therefore we must change this setting (the security group) so that the server opens all ports. This is not safe, but it is the key point of this article: the honeypot has to be reachable.

7. Launch the instance.

8. This part might be a little complicated. Connect to your server instance through SSH, after changing the permissions of the private key (something.pem) so that ssh will accept it. Get the hostname from your instance; it is usually listed under "Public DNS (IPv4)".

Enter the following command locally to connect to the AWS server

$ sudo chmod 400 /home/user/Downloads/key.pem
$ ssh -i /home/user/Downloads/key.pem ubuntu@ec2-13-57-45-50.us-west-1.compute.amazonaws.com

Server settings

Let's update the package with the following command:

$ sudo su
# apt-get update; apt-get upgrade -y; apt-get dist-upgrade

Dependency installation:

# apt-get install git -y
# git clone https://github.com/DinoTools/dionaea
# cd dionaea
# apt-get install build-essential cmake check cython3 libcurl4-openssl-dev libemu-dev libev-dev libglib2.0-dev libloudmouth2-dev libnetfilter-queue-dev libnl-3-dev libpcap-dev libssl-dev libtool libudns-dev python3 python3-dev python3-bson python3-yaml ttf-liberation
# mkdir build
# cd build
# cmake -DCMAKE_INSTALL_PREFIX:PATH=/opt/dionaea ..
# make
# make install
# cd /opt/dionaea/

You are now in the install directory, which holds the configuration file dionaea.cfg (under etc/dionaea/).

This file specifies where your captured malware / binaries are stored, as well as the interface and ports to listen on. You can keep the default values, but keep in mind that the log files will grow large. For example, my collected malware is about 1 GB, but the log is 19 GB.

Dionaea offers many different services, each of which exposes your honeypot to more types of attack, so you will collect more malware. These services are switched on and off through the services-available and services-enabled directories (under etc/dionaea/). By editing the individual yaml files you can tune each service and how it presents itself to attackers and bots. For example, if you want to attract SMB attacks such as WannaCry, you need to configure your server to accept SMB:

# vim etc/dionaea/services-enabled/smb.yaml

If you want to enable the default Windows 7 settings, simply uncomment the Win7 block. The other services work the same way, so I won't go into them!

Finally, let's run our honeypot.

# /opt/dionaea/bin/dionaea -D

Summary

To be honest, it took me a long time to set up and run dionaea for the first time. The second attempt took me only 16 minutes. If you encounter some problems that you can't solve by yourself in the process, please try to read their official documentation (https://dionaea.readthedocs.io/en/latest/run.html), or ask questions in the relevant technical forums to find a solution.
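Once the honeypot has been running for a while you will want to triage what it collected and watch the log growth the article mentions. The script below is an added example, not code from the article or the Dionaea project; it assumes the /opt/dionaea prefix used above, with captured binaries in var/lib/dionaea/binaries and logs in var/log/dionaea (both assumed defaults), and constructs its own sample directory for offline testing.

```python
"""Added example: inventory captured samples and flag oversized logs."""
import hashlib
import os
import tempfile

BINARIES_DIR = "/opt/dionaea/var/lib/dionaea/binaries"  # assumed default
LOG_DIR = "/opt/dionaea/var/log/dionaea"                 # assumed default


def sha256_of(path):
    """Stream-hash so large samples are never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(binaries_dir=BINARIES_DIR):
    """One record per unique sample; empty captures and duplicates are skipped."""
    seen, records = set(), []
    for name in sorted(os.listdir(binaries_dir)):
        path = os.path.join(binaries_dir, name)
        if not os.path.isfile(path) or os.path.getsize(path) == 0:
            continue
        digest = sha256_of(path)  # Dionaea names by MD5; sharing platforms key on SHA-256
        if digest in seen:
            continue
        seen.add(digest)
        records.append({"file": name, "sha256": digest,
                        "size": os.path.getsize(path),
                        "first_seen": int(os.path.getmtime(path))})
    return records


def dir_size(path):
    """Total bytes under a directory tree (the article's log grew to 19 GB)."""
    return sum(os.path.getsize(os.path.join(root, f))
               for root, _, files in os.walk(path) for f in files)


def log_warning(log_dir=LOG_DIR, limit_bytes=10 * 1024 ** 3):
    """True when the log tree exceeds the limit and needs rotation or pruning."""
    return os.path.isdir(log_dir) and dir_size(log_dir) > limit_bytes


def make_sample_dir():
    """Constructed stand-in for the binaries directory, for offline testing."""
    d = tempfile.mkdtemp()
    for name, data in [("a", b"MZ sample one"), ("b", b"MZ sample one"),
                       ("c", b""), ("e", b"MZ sample two")]:
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d
```

Run `build_manifest()` against the real binaries directory to get a deduplicated list you can hand to a sandbox, and schedule `log_warning()` from cron to catch the log growth before the disk fills.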

This article is reproduced from: FreeBuf.COM, and the original text is compiled by FB editor secist
