Blue Team Basics - Honeynets

Blue Team Basics - Honeynets

Creating a honeynet

"All warfare is based on deception....when we are near, we must make the enemy believe we are far away" Sun Tzu, The Art of War

Introduction

A honeypot or numerous honeypot's (a honeynet) purpose is to gather threat intelligence (TTPs), divert attack efforts and fundamentally detect attacks. A honeypot is a controlled vulnerable system created to lure attackers.

There are 3 types of honeypots; low, medium and high interaction. Each provide varying levels of intelligence depending on how complicated they are to set up. Low interaction being the easiest but providing the least intelligence.

Honeypots can be used as an early warning system.

This guide will get you up to speed with the basic honeypots as well as providing you with a secure deployment of a honeynet system.

Modern Honey Network (MHN) by Anomali (previously ThreatStream) is a honeypot management system. It utilises the HPfeeds protocol to centralise the data into a mongodb instance for analysis.

Design

MHN consists of a management server and one or many honeypots.

Management Server - Secure it down as much as possible by running it behind an IPS/IDS, I opted to host it internally using a DMZ behind a WAF. This way I could virtualise the server and keep it for reuse. The honeypots can be rapidly deployed plus most the configuration is done on the management server.

The management server was built with an Ubuntu 14.04 LTS server 2 vCPU, 4 GB RAM, 30Gb SSD.

Finally, I highly recommend using Cloudflare to manage DNS as well as providing a global CDN, DDoS protection and firewall capabilities. Tip: enable 2FA when creating your account. Also, CF now supports web sockets for non-business customers! (which is handy for the MHN Honey Map).

pots.sneakymonkey.net Design

Honeypots - I used Digital Ocean generated VPSs (other providers; UK2/Linode/EC2/OVH). Another bonus is that they provide pre-built distributions for quick deployment, ideal for honeypots/throw-away servers. Fancy Digital Ocean? then use my referral code to start you off with $10 credit.

MHN’s main advantage is the simplicity of deployment. Here is a quick breakdown of each supported honeypot;

  • Snort: Snort is not a honeypot per se but an IDS/IPS very helpful to detect attacks on your network, Sourcefire (the creator of Snort) was a acquired by Cisco but the product Snort remains OpenSource.

  • Suricata: Suricata is also an IDS/IPS, it has not been as longer as Snort but has a great community and is fast.

  • Dionaea: Dionaea is a low interaction honeypot it exposes services like SMB, MSSQL, SIP, HTTP, FTP, TFTP.

  • Glastopf: Glastopf is a very popular Honeypot that has the ability to emulate thousands of web vulnerabilities, it is actively maintained.

  • Kippo: Kippo is a medium interaction ssh honeypot, has the ability to upload and download files and other nice features

  • Cowrie: Fork of Kippo. Added ‘ssh exec commands’ support, SFTP support, SCP support, direct-tcpip (proxying) support and many other features

  • p0f: p0f is a tool that that uses passive fingerprinting to identify the OS behind a TCP connection

  • Conpot: Conpot is a low interaction Industrial Control Systems honeypot and basically emulates some protocols used in industrial environments.

  • Wordpot: Wordpot is a WordPress emulator honeypot it is still maintained and could be expanded using plugins

  • ShockPot: ShockPot is a webapp honeypot that expose the vulnerability CVE-2014-6271

  • Elastic Honey: A simple honeypot designed to mimic a vulnerable Elasticsearch (ES) instance. CVE-2015-1427

  • Thug: is a client-side honeypot (honeyclient) that emulates a web browser. It is designed to automatically interact with the malicious website to explore its exploits and malicious artifacts, often in the form of JavaScript.

Management Server Installation

Before we deploy any honeypots we need a management server.

  1. Spin up a Ubuntu server (12.04/14.04 for best support)

  2. Install NGINX webserver

apt-get update
apt-get install nginx -y
  1. Install MHN
mkdir /opt && cd /opt/
apt-get install git -y
git clone https://github.com/threatstream/mhn.git
cd mhn/
./install.sh

Give it ~5 minutes (it should import 19,000+ IDS rules from Emerging Threats), complete the config wizard to finish up.

  1. Check all services are started
supervisorctl status
geoloc                           RUNNING
honeymap                         RUNNING
hpfeeds-broker                   RUNNING
hpfeeds-logger-splunk            RUNNING
mhn-celery-beat                  RUNNING
mhn-celery-worker                RUNNING
mhn-collector                    RUNNING
mhn-uwsgi                        RUNNING
mnemosyne                        RUNNING 
  1. BUG Fix permissions for mhn-celery-beat service if it crashed.
chown www-data /var/log/mhn/mhn.log  
chmod 600 /var/log/mhn/mhn.log 
  1. Restart the crashed service
supervisorctl start mhn-celery-beat
  1. After the installation wizard has finished, you can still manually change the config if needed;
vim /opt/mhn/server/config.py
  1. Now its started connect to the web front end http://yourdomain.com

Your basic HTTP honeypot management server is now setup.

Enable MHN SSL under Nginx.

  1. Generate a stronger DHE parameter (needed for HSTS):
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096
  1. Create these under /etc/nginx/sites-available/
vim /etc/nginx/sites-available/mhn-http
server {  
    listen       80;
    server_name  yourdomain.com;

    location / { 
        try_files $uri @mhnserver; 
    }

    root /opt/mhn/server;

    location @mhnserver {
      include uwsgi_params;
      uwsgi_pass unix:/tmp/uwsgi.sock;
    }

    location  /static {
      alias /opt/mhn/server/mhn/static;
    }
}
vim /etc/nginx/sites-available/mhn-https
server {
    listen              443 ssl spdy;
    server_name         yourdomain.com;

    ssl_certificate     /etc/ssl/private/1_yourdomain.com_bundle.crt;
    ssl_certificate_key /etc/ssl/private/1_yourdomain.com_bundle.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=31536000";
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    if ($ssl_protocol = "") {
        rewrite ^ https://$host$request_uri? permanent;
    }

    location / {
        try_files $uri @mhnserver;
    }

    root /opt/www;

    location @mhnserver {
      include uwsgi_params;
      uwsgi_pass unix:/tmp/uwsgi.sock;
    }

    location  /static {
      alias /opt/mhn/server/mhn/static;
    }
}

vim /etc/nginx/sites-available/honeymap-https
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen   8443 ssl spdy ;
    ssl_certificate /etc/ssl/private/1_yourdomain.com_bundle.crt;
    ssl_certificate_key /etc/ssl/private/1_yourdomain.com_bundle.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=31536000";
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    root /opt/honeymap/client;
    index index.html index.htm;

    server_name yourdomain.com;

    location / {
        try_files $uri $uri/ /index.html;
    }

    location /data/ {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
  1. Run the follow the enable the sites
ln -fs /etc/nginx/sites-available/mhn-https /etc/nginx/sites-enabled/mhn-https
ln -fs /etc/nginx/sites-available/honeymap-https /etc/nginx/sites-enabled/honeymap-https

Change MHN to support SSL

vim /opt/mhn/server/config.py
SERVER_BASE_URL = 'https://yourdomain.com'
HONEYMAP_URL = 'https://yourdomain.com:8443'

Restart Services & NGINX

supervisorctl status
supervisorctl restart all
service nginx restart

Check your SSL enabled site against SSLLabs and SecurityHeaders.io. Continue to configure HSTS, certificate pinning and harden as your desire.

Check MHN Services

OPTIONAL Stop MHN connecting back to ThreatStream (part of their Optic product/service - nothing is free!)

/opt/mhn/scripts/disable_collector.sh

Finally, just check core MHN services are still running

supervisorctl status
geoloc                           RUNNING
honeymap                         RUNNING
hpfeeds-broker                   RUNNING
hpfeeds-logger-splunk            RUNNING
mhn-celery-beat                  RUNNING
mhn-celery-worker                RUNNING
mhn-collector                    STOPPED
mhn-uwsgi                        RUNNING
mnemosyne                        RUNNING 

What each process is doing;

  • geoloc - Provides geolocation data (Maxmind GeoLite databases) for the honeymap.
  • honeymap – Real-time websocket stream of GPS events on a fancy SVG world map.
  • hpfeeds-broker – Honeynet Project generic authenticated datafeed protocol.
  • hpfeeds-logger-splunk – Small App for reading from MHN's hpfeeds broker and writing splunk logs.
  • mhn-celery-beat - handles asynchronous scheduled tasks (like regenerating the snort signatures).
  • mhn-celery-worker - handles asynchronous tasks.
  • mhn-collector - Sending data back to ThreatStream for their Optic product.
  • mhn-uwsgi – MHN web front end.
  • Mnemosyne - Normalizer for honeypot data.

Deploying Honeypots

From here you can log in and start deploying honeypots.

  1. https://yourdomain.com/ui/manage-deploy/
  2. Select Script > Honeypot
  3. Copy the Deploy Command and run that on your honeypot server.
  4. Check Sensors > View to see your registered honeypot.
  5. Done.

I'd recommend you play with Cowrie, p0f and Snort at first. Log in to your Cowrie honeypot on the normal port 22 to generate 'attack' traffic to test alerting (log back in on port 2222 for a 'normal' session to administer).

On each of the honeypots I statically set the DNS to not route through Cloudflare. You might not need to do this.

vim /etc/hosts
x.x.x.x yourdomain.com

OPTIONAL Changing the HPFEED port. Needed if you want to route through Cloudflare;

/opt/hpfeeds/broker/feedbroker.py
/opt/hpfeeds/geoloc.json
/opt/hpfeeds/examples/geoloc/geoloc.py
/opt/mnemosyne/mnemosyne.cfg
/opt/mhn/server/collector_v2.py
/opt/honeymap/server/config.json
/opt/mhn/server/mhn/static/registration.txt
find /opt/ -type f -exec grep -H 'HPF_PORT=10000' {} \;

Basic Maintenance

Starting individual services

supervisorctl start <service>                           
<service>: started

Restart all services.

supervisorctl restart all                           

Check MongoDB is running

service mongod status

Upgrading MHN Management Server

sudo su -
cd /opt/mhn
git fetch
git stash
git merge origin/master
git stash pop
supervisorctl restart mhn-uwsgi

Check all logs for any errors

tail -n0 -F /var/log/mhn/*

Fixing permission for mhn-celery-worker (if it fails to start)

sudo chown www-data /var/log/mhn/mhn.log
sudo chmod 600 /var/log/mhn/mhn.log

Capture HPFEED data, either on the honeypot or server for troubleshooting.

tcpdump -nnNN tcp port 10000

Check https://github.com/threatstream/mhn/wiki/MHN-Troubleshooting-Guide for further assistance.

Dashboard Results

To give you an idea, here's some of the data I collected over 1 month. These are the Splunk MHN dashboards available here Splunk MHN App

SplunkDash1

SplunkDash2

Further Research

Legal Note

Things change for everyone if a compromised honeypot or honeynet becomes a springboard to launch additional system attacks. It can also be argued that the establishment of a 'vulnerable' system contributed to the problem and could constitute 'gross negligence'. Monitor your honeynet vigorously and don't turn on and forget.

Resources
DigitalOcean Referral Badge