Honeypot #10 [Honeyd] 檔案配置

2022 iThome 鐵人賽

DAY 15

Security

HONEYPOT×TRICK 100%不純保證系列第 15 篇

14th鐵人賽

魯大常

2022-09-30 08:55:55

1021 瀏覽

分享至

這一篇總算是有跑出東西了

Honeyd 1.6 至少可以跑後，再來測試官網的[Running]範例。

本範例會模擬出一台帶有 telnet 服務的機器，藉由監測這台主機，補捉從另一台主機連入的封包及輸入的帳密

在下載的檔案中有一個配置的範例檔「config.sample」，

#route entry 10.0.0.1
#route 10.0.0.1 link 10.2.0.0/24
#route 10.0.0.1 add net 10.3.0.0/16 10.3.0.1 latency 8ms bandwidth 10Mbps
#route 10.3.0.1 link 10.3.0.0/24
#route 10.3.0.1 add net 10.3.1.0/24 10.3.1.1 latency 7ms loss 0.5
#route 10.3.1.1 link 10.3.1.0/24

create default
set default default tcp action filtered
set default default udp action filtered
set default default icmp action filtered

# Example of a simple host template and its binding
create windows
set windows personality "OpenBSD 4.0 (x86)"
set windows uptime 1728650
set windows maxfds 35
add windows tcp port 80 "scripts/web.sh"
add windows tcp port 22 "scripts/test.sh"
add windows tcp port 23 "scripts/router-telnet.pl"
add windows udp port 53 open
set windows ethernet "dell"
set windows default tcp action closed

#create router
#set router personality "Cisco 2514 router (IOS 12.1)"
#set router default tcp action closed
#add router tcp port 22 "scripts/test.sh"
#add router tcp port 23 "scripts/router-telnet.pl"

#bind 10.3.0.1 router
#bind 10.3.1.1 router
#bind 10.3.1.12 template
#bind 10.3.1.11 template
bind 192.168.1.137 windows
#set 10.3.1.11 personality "Microsoft Windows NT 4.0 SP3"
#set 10.3.1.10 personality "IBM AIX 4.2"

年久失修，必須先修改以符合環境。

nano  ./config.sample

先將要虛擬的 IP 做一下變更，改為同網段的空 IP。例如本機是 192.168.41.188，這裡就改為 192.168.41.237
將這段

bind 192.168.1.237 windows

改為同網段的空 IP。

bind.192.168.41.237 windows

接著修改模擬的腳本(預設的 scripts 位置有錯)，這裡只修改 telnet 的部份
將

add windows tcp port 23 "scripts/router-telnet.pl"

改為

add windows tcp port 23 "scripts/embedded/router-telnet.pl"

接下來就可以試跑看看 honeyd

 sudo honeyd -d -f config.sample 192.168.41.237
Honeyd V1.6d Copyright (c) 2002-2007 Niels Provos
honeyd[10964]: started with -d -f config.sample 192.168.41.237
honeyd[10964]: listening promiscuously on ens160: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (host 192.168.41.237))) and not ether src 00:50:56:bf:a9:49
honeyd[10964]: Demoting process privileges to uid 65534, gid 65534

不過問題發生了，從別台電腦 telnet 192.168.41.237 ，只會看到 honeyd 會回應

honeyd[10964]: arp reply 192.168.41.237 is-at 00:25:64:f8:a0:9f

無法得到正確的 telent 回應...還好這個問題在前幾篇失敗時就有瞄到關鍵是另一個套件 arpd 沒有裝。

安裝 arpd

根據Honeyd 安裝與設定檔調校指出，如果不安裝 arpd 虛擬出 IP 的話，honeyd 是無法正確補捉訊息，所以才會只有上述的 arp 訊息。

這裡要注意的是 arpd 不能用 apt 直接安裝，需要手動安裝 0.2 的版本。而這個舊版本又需要依賴套件 libdnet、libevent，這兩個也是需要舊版本，都不能 apt 安裝。

apt 安裝的 arpd 直接輸入會出現錯誤「ioctl(SIOCGIFINDEX): No such device」

安裝 aprd 前置套件 libdnet

手動安裝 1.111 版本

wget https://nchc.dl.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz
tar -xvf libdnet-1.11.tar.gz
cd libdnet-1.11
./configure

如果有 C++ 錯誤
configure: error: C++ preprocessor "/lib/cpp" fails sanity check
要先使用「sudo apt install g++」安裝g++

make 
sudo make install

安裝 aprd 前置套件 libevent

手動安裝 libevent 1.4.14b 版本 ~~(誒，不是說好 honeyd 1.6 可以使用 2 版嗎)~~

wget https://github.com/downloads/libevent/libevent/libevent-1.4.14b-stable.tar.gz
tar -xvf libevent-1.4.14b-stable.tar.gz
cd libevent-1.4.14b-stable/
./configure 
make 
sudo make install

安裝本體 aprd

手動安裝 0.2 版本

wget http://www.citi.umich.edu/u/provos/honeyd/arpd-0.2.tar.gz
tar -xvf arpd-0.2.tar.gz
cd arpd
./configure
make
arpd.c: In function 'arpd_expandips':
arpd.c:99:8: warning: implicit declaration of function 'strlcat'; did you mean 'strncat'? [-Wimplicit-function-declaration]
    if (strlcat(filter, " or ", sizeof(filter)) >= sizeof(filter))
        ^~~~~~~
        strncat
arpd.c: In function 'arpd_send':
arpd.c:268:34: error: expected ')' before string constant
   syslog(LOG_DEBUG, __FUNCTION__ ": who-has %s tell %s",
                                  ^~~~~~~~~~~~~~~~~~~~~~
arpd.c: In function 'arpd_lookup':
arpd.c:285:34: error: expected ')' before string constant
   syslog(LOG_DEBUG, __FUNCTION__ ": %s at %s",
                                  ^~~~~~~~~~~~
arpd.c:294:34: error: expected ')' before string constant
   syslog(LOG_DEBUG, __FUNCTION__ ": no entry for %s",
                                  ^~~~~~~~~~~~~~~~~~~
arpd.c:297:34: error: expected ')' before string constant
   syslog(LOG_DEBUG, __FUNCTION__ ": %s at %s",
                                  ^~~~~~~~~~~~
arpd.c: In function 'arpd_recv_cb':
arpd.c:426:35: error: expected ')' before string constant
    syslog(LOG_DEBUG, __FUNCTION__ ": %s at %s",
                                   ^~~~~~~~~~~~
Makefile:195: recipe for target 'arpd.o' failed
make: *** [arpd.o] Error 1

修正錯誤

sudo nano aprd.c

加入以下字串

#define __FUNCTION__ ""

之後就可以安裝完畢

./configure
make
sudo make install

測試 arpd 可正常使用

sudo arpd 192.168.41.137
arpd[19374]: listening on ens160: arp  and not ether src 00:50:56:bf:a9:49

如果發生錯誤 arpd: error while loading shared libraries: libevent-1.4.so.2: cannot open shared object file: No such file or directory 請執行「sudo ldconfig」

測試 honeyd

統整所有軟體無誤後，執行以下指令可以看到

sudo arpd 192.168.41.237
arpd[29542]: listening on ens160: arp and (dst 192.168.41.237) and not ether src 00:50:56:bf:a9:49
sudo honeyd -d -f config.sample 192.168.41.237
Honeyd V1.6d Copyright (c) 2002-2007 Niels Provos
honeyd[29601]: started with -d -f config.sample 192.168.41.237
honeyd[29601]: listening promiscuously on ens160: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (host 192.168.41.237))) and not ether src 00:50:56:bf:a9:49
honeyd[29601]: Demoting process privileges to uid 65534, gid 65534

從另一台 telent 192.168.41.237 時會出現以下訊息，並試著輸入帳密

Users (authorized or unauthorized) have no explicit or
implicit expectation of privacy.  Any or all uses of this
system may be intercepted, monitored, recorded, copied,
audited, inspected, and disclosed to authorized site,
and law enforcement personnel, as well as to authorized
officials of other agencies, both domestic and foreign.
By using this system, the user consents to such
interception, monitoring, recording, copying, auditing,
inspection, and disclosure at the discretion of authorized
site.

Unauthorized or improper use of this system may result in
administrative disciplinary action and civil and criminal
penalties.  By continuing to use this system you indicate
your awareness of and consent to these terms and conditions
 of use.  LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.



User Access Verification

Username: test
Password:
% Access denied

honeyd 主機會出現回應的成功腳本，並且補捉到封包，包含使用者輸入的帳號。

honeyd[5073]: Connection request: tcp (192.168.41.99:49789 - 192.168.41.237:23)
honeyd[5073]: Connection established: tcp (192.168.41.99:49789 - 192.168.41.237:23) <-> scripts/embedded/router-telnet.pl
honeyd[5073]: E(192.168.41.99:49789 - 192.168.41.237:23): Attempted login: test/test

呼，得到這樣的結果應該是真的成功了吧。