2025-03-29 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Introduction
This article explains how to build your own honeypot (dionaea). Most of us like reverse engineering binaries, and many of us are fascinated by malware. So why not combine the two by collecting malware that is still under active development?
What I'm going to cover is how to build a honeypot on Amazon Web Services (AWS). If you're not familiar with AWS, it doesn't matter; all you need to know is that they provide a lot of servers and you can use them. Note that if you need less than 50GB of disk space, you can create a free server. You must give AWS your credit card information, but as long as you stay within the limits of the "free package", you can use these servers for free forever. You can start n micro-instances, but you only get a total of one month's worth of free hours per month. So if you run two micro-instances, they share the free hours, and once those are used up you are charged until the end of the month. So, please be careful.
Required skills
- Basic Linux commands
- Basic understanding of networking
Required resources
Server (AWS is fine, and it is free with a credit card on file)
Disclaimer (optional)
Some managed service providers do not like malware.
So, if they're not as cool as you, they may not like you to collect malware samples on their servers.
Configure AWS
I'll now show you how to configure your AWS instance.
[if you are not using AWS, please skip to the next section.]
1. Click EC2 and create a new instance (EC2 == AWS servers). Then choose Ubuntu Server 14.04 LTS.
2. Next, select the micro instance type.
3. Now configure the details: find "Auto-assign Public IP" and set it to "Enable".
4. For storage, keep the default values and click Next.
5. Ignore tagging, and then click Next.
6. Configuring the security group needs a closer look. By default, AWS only opens SSH to your server, so you must change this setting to open all ports on the server. Yes, it's not safe, but that's what we need.
7. Activate the instance.
8. Okay, this part is a little complicated. To connect to your server instance over SSH, you must change the permissions of the private key (something.pem) and then pass it to ssh together with the instance's hostname, which is usually listed under Public DNS (IPv4).
Enter the following command locally to connect to the AWS server.
$ sudo chmod 400 /home/user/Downloads/key.pem
$ ssh -i /home/user/Downloads/key.pem ubuntu@ec2-13-57-45-50.us-west-1.compute.amazonaws.com
Configure the server
Next, let's configure the server like an administrator. First, run the following command:
$ sudo su
# apt-get update; apt-get upgrade -y; apt-get dist-upgrade
Then, install the dependencies.
# apt-get install git -y
# git clone https://github.com/DinoTools/dionaea
# cd dionaea
# apt-get install build-essential cmake check cython3 libcurl4-openssl-dev libemu-dev libev-dev libglib2.0-dev libloudmouth2-dev libnetfilter-queue-dev libnl-3-dev libpcap-dev libssl-dev libtool libudns-dev python3 python3-dev python3-bson python3-yaml ttf-liberation
# mkdir build
# cd build
# cmake -DCMAKE_INSTALL_PREFIX:PATH=/opt/dionaea ..
# make
# make install
# cd /opt/dionaea/
OK, now let's set the locations in the configuration file dionaea.cfg.
This file specifies where malware / binaries will be stored and which interfaces and ports to listen on. You can keep the default values, but keep in mind that the log files can become very large. I have about 1G of malware, and the log files total 19G. dionaea also provides many different services that open your honeypot to more types of attacks, so you will receive more malware.
We can switch these services on and off in the services-available and services-enabled directories. By editing each yaml file, you can change the service and how it presents itself to the hacker / bot. If you want to receive SMB-based attacks, such as WannaCry, you need to set up the server to accept SMB.
# vim services-enabled/smb.yaml
If you want to enable the default Windows 7 settings, simply uncomment the Win7 section. For the rest, feel free to be creative.
Last but not least, get the honeypot running.
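Once the honeypot is running, the captured binaries and the log files mentioned above need watching. The following is an added example, not part of the original article or of dionaea: it inventories the capture directory by SHA-256 (collapsing duplicate captures) and checks the log directory against a size budget, without ever executing a sample. The two paths are assumptions based on the /opt/dionaea prefix used here; use whatever your dionaea.cfg actually sets.

```python
#!/usr/bin/env python3
"""Inventory a dionaea capture directory without executing anything in it."""
import hashlib
from pathlib import Path

# Assumed layout for the /opt/dionaea install prefix; adjust to the paths
# configured in your dionaea.cfg.
BINARIES = Path("/opt/dionaea/var/lib/dionaea/binaries")
LOGS = Path("/opt/dionaea/var/log/dionaea")

# Leading magic bytes, for a rough first-pass file type only.
MAGIC = [(b"MZ", "pe"), (b"\x7fELF", "elf"), (b"PK\x03\x04", "zip")]


def dir_size(path):
    """Total bytes of all regular files under path."""
    return sum(f.stat().st_size for f in Path(path).rglob("*") if f.is_file())


def inventory(binaries_dir):
    """Map SHA-256 -> {type, size, names}; identical captures share an entry."""
    samples = {}
    for f in sorted(Path(binaries_dir).iterdir()):
        if f.is_symlink() or not f.is_file():
            continue  # never follow links out of the capture directory
        digest = hashlib.sha256()
        with f.open("rb") as fh:
            head = fh.read(8)
            digest.update(head)
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        kind = next((k for m, k in MAGIC if head.startswith(m)), "unknown")
        entry = samples.setdefault(
            digest.hexdigest(),
            {"type": kind, "size": f.stat().st_size, "names": []})
        entry["names"].append(f.name)
    return samples


def over_budget(log_dir, budget_bytes):
    """True when the log directory has grown past budget_bytes."""
    return dir_size(log_dir) > budget_bytes


if __name__ == "__main__":
    if BINARIES.is_dir() and LOGS.is_dir():
        for sha256, s in inventory(BINARIES).items():
            print(sha256, s["type"], s["size"], len(s["names"]))
        print("logs over 10 GiB:", over_budget(LOGS, 10 * 2**30))
```

Run it from cron on the honeypot and alert on the budget check before the disk fills up.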
Conclusion
It took me a long time to build the honeypot before the first successful run, but the second time, it only took me 16 minutes. If you are confused, please refer to this document: https://dionaea.readthedocs.io/en/latest/run.html.
This article is reprinted to "Security guest", original editor: edge