
Dionaea Honeypot Obfuscation

After installing a honeypot, making sure it does not blatantly look like one is critical. Luckily, dionaea honeypot obfuscation is relatively simple. We'll base this on Nmap version-detection results (nmap -sV), since nmap is the de facto standard for service enumeration and the first thing most people run against a host. Here are the initial scan results:

root@kali:/usr/share/nmap# nmap -sV 1.2.3.4
Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-10 09:27 EDT
Nmap scan report for abc.example.com (1.2.3.4)
Host is up (0.0083s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Dionaea honeypot ftpd
22/tcp open ssh (protocol 2.0)
42/tcp open tcpwrapped
80/tcp open http
135/tcp open msrpc?
443/tcp open ssl/https
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Dionaea honeypot MS-SQL server
3306/tcp open mysql MySQL 5.0.54
5060/tcp open sip (SIP end point; Status: 200 OK)
5061/tcp open ssl/sip (SIP end point; Status: 200 OK)
...truncated...

As you can see, FTP and MS-SQL are reported by name as dionaea and need to be obfuscated. First, let's look at how nmap identifies them. Nmap ships a text database of ~12,000 service fingerprints (/usr/share/nmap/nmap-service-probes); each match line pairs a regular expression over the bytes a service sends back with the product name to report. If we look up the lines for dionaea we can see exactly which bytes give it away and simply change how our installation responds. That way the honeypot is no longer identified by a routine version scan.

FTP

FTP is identified by the server's 220 greeting banner, which dionaea sends verbatim. This is a quick change in the service's source. Below is the signature from nmap-service-probes and the sed command to obfuscate dionaea. Keep in mind that any made-up banner is itself a unique string: copying the exact greeting of a real FTP daemon (including the trailing CRLF) is more convincing than inventing one, and the edit has to be repeated after a dionaea upgrade because the package replaces the file.

Signature

m|^220 Welcome to the ftp service\r\n| p/Dionaea honeypot ftpd/

Obfuscation Command

sed 's/Welcome to the ftp service/Welcome to the awesome ftp service/g' -i /usr/lib/dionaea/python/dionaea/ftp.py


MS-SQL

MS-SQL was a bit trickier. I'm no expert in this area, but I was lucky enough to find that someone else had already explored this. The Security Art Work team had performed a deep dive into this one to figure out that the identification was part of the initial MS-SQL handshake: the fixed 43-byte TDS PRELOGIN response that dionaea returns (packet type 0x04, length 0x002b), which nmap matches byte for byte. The details of their findings are available on their blog.

Signature

m|^\x04\x01\x00\x2b\x00\x00\x00\x00\x00\x00\x1a\x00\x06\x01\x00\x20\x00\x01\x02\x00\x21\x00\x01\x03\x00\x22\x00\x00\x04\x00\x22\x00\x01\xff\x08\x00\x02\x10\x00\x00\x02\x00\x00| p/Dionaea honeypot MS-SQL server/

Obfuscation Command

sed 's/r.VersionToken.TokenType = 0x00/r.VersionToken.TokenType = 0xAA/g' -i /usr/lib/dionaea/python/dionaea/mssql/mssql.py

This changes the token type of the VERSION option in the PRELOGIN response from 0x00 to 0xAA, a value the MS-TDS specification does not define. That is enough to break the nmap match, but it also leaves the response slightly malformed, so a client or script that parses the option table (for example Nmap's ms-sql-info NSE script) may behave differently from how it would against a real server. An alternative that keeps the packet valid TDS is to change the advertised version bytes (08 00 02 10 00 00 in the signature above) to a plausible real SQL Server build instead.
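To check an edit before rescanning, the following added example (written for this post; it is not dionaea's or nmap's own code) parses the two match lines quoted in the FTP and MS-SQL sections above the way nmap-service-probes is laid out, rebuilds dionaea's 43-byte PRELOGIN response byte for byte, and shows which changes defeat each signature. The function names, the well-formedness check and the build number 10.50.4000 used for the version-only variant are my own choices, and all sample responses are constructed inline.

```python
import re
import struct

# The two nmap-service-probes lines quoted on this page (Nmap 6.46), in the
# file's own layout: match <service> m<delim>regex<delim>[flags] p/product/ ...
DIONAEA_SIGNATURES = [
    r"match ftp m|^220 Welcome to the ftp service\r\n| p/Dionaea honeypot ftpd/",
    r"match ms-sql-s m|^\x04\x01\x00\x2b\x00\x00\x00\x00\x00\x00\x1a\x00\x06\x01\x00\x20\x00\x01"
    r"\x02\x00\x21\x00\x01\x03\x00\x22\x00\x00\x04\x00\x22\x00\x01\xff\x08\x00\x02\x10\x00\x00"
    r"\x02\x00\x00| p/Dionaea honeypot MS-SQL server/",
]


def parse_match_line(line):
    """Turn one 'match'/'softmatch' line into (compiled byte regex, product string).

    Nmap patterns are Perl-style regexes over the raw bytes a service sent, so
    they are compiled as bytes patterns; the hex and CRLF escapes they use are
    understood by Python's re unchanged.
    """
    if line.startswith(("match ", "softmatch ")):
        line = line.split(None, 2)[2]          # drop the keyword and service name
    if len(line) < 3 or line[0] != "m":
        raise ValueError("not a match pattern: %r" % line)
    delim = line[1]
    end = line.index(delim, 2)
    pattern, rest = line[2:end], line[end + 1:]
    flag_text = re.match(r"[is]*", rest).group(0)   # optional i/s flags follow the delimiter
    flags = (re.IGNORECASE if "i" in flag_text else 0) | (re.DOTALL if "s" in flag_text else 0)
    product = re.search(r"p/([^/]*)/", rest)
    return re.compile(pattern.encode("latin-1"), flags), (product.group(1) if product else "")


def identify(response, signatures=DIONAEA_SIGNATURES):
    """Return the product of the first signature matching the response bytes, else None."""
    for line in signatures:
        regex, product = parse_match_line(line)
        if regex.search(response):
            return product
    return None


def tds_prelogin_response(version=b"\x08\x00\x02\x10\x00\x00", version_token=0x00, encryption=0x02):
    """Build a PRELOGIN response with the same layout dionaea sends.

    8-byte packet header, then one 5-byte (token, offset, length) entry per option,
    the 0xff terminator, then the option payloads. VERSION is major, minor,
    16-bit build and 16-bit sub-build; ENCRYPTION 0x02 means ENCRYPT_NOT_SUP.
    """
    fields = [
        (version_token, version),     # VERSION (0x00 in a real server; 0xAA after the page's sed)
        (0x01, bytes([encryption])),  # ENCRYPTION
        (0x02, b"\x00"),              # INSTOPT: empty instance name
        (0x03, b""),                  # THREADID: not set
        (0x04, b"\x00"),              # MARS: off
    ]
    offset = 5 * len(fields) + 1      # payload starts after the entries and the terminator
    entries, payload = b"", b""
    for token, data in fields:
        entries += struct.pack(">BHH", token, offset, len(data))
        payload += data
        offset += len(data)
    body = entries + b"\xff" + payload
    # type 0x04 (tabular result), status 0x01 (end of message), length, SPID, packet id, window
    return struct.pack(">BBHHBB", 0x04, 0x01, 8 + len(body), 0, 0, 0) + body


def parse_prelogin(packet):
    """Parse a PRELOGIN response into {token: option bytes}.

    Option offsets are relative to the start of the body after the 8-byte header.
    Tokens outside what MS-TDS defines (0x00 to 0x07, plus the 0xff terminator)
    raise, which is what the 0xAA edit produces.
    """
    ptype, _status, length = struct.unpack(">BBH", packet[:4])
    if ptype != 0x04 or length != len(packet):
        raise ValueError("not a well-formed TDS response packet")
    body, options, pos = packet[8:], {}, 0
    while body[pos] != 0xFF:
        token, offset, size = struct.unpack(">BHH", body[pos:pos + 5])
        if token > 0x07:
            raise ValueError("undefined PRELOGIN option token 0x%02x" % token)
        options[token] = body[offset:offset + size]
        pos += 5
    return options


def prelogin_is_well_formed(packet):
    try:
        parse_prelogin(packet)
        return True
    except (ValueError, struct.error, IndexError):
        return False


if __name__ == "__main__":
    # Constructed sample responses: dionaea's defaults, the page's two edits, and a
    # version-only edit (example build 10.50.4000) that keeps the packet valid TDS.
    cases = {
        "ftp default": b"220 Welcome to the ftp service\r\n",
        "ftp edited banner": b"220 Welcome to the awesome ftp service\r\n",
        "mssql default": tds_prelogin_response(),
        "mssql token 0xAA": tds_prelogin_response(version_token=0xAA),
        "mssql version 10.50.4000": tds_prelogin_response(version=b"\x0a\x32\x0f\xa0\x00\x00"),
    }
    for name, resp in cases.items():
        valid = prelogin_is_well_formed(resp) if resp[:1] == b"\x04" else "n/a"
        print("%-26s nmap says: %-32s well-formed TDS: %s" % (name, identify(resp), valid))
```

Run it before and after applying a sed edit: a response that still returns a "Dionaea honeypot" product will be reported by nmap, and a PRELOGIN packet that fails the well-formedness check is one a careful client may notice even though the scanner no longer names it.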

Updated nmap results

root@kali:/usr/share/nmap# nmap -sV 1.2.3.4
Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-10 09:57 EDT
Nmap scan report for abc.example.com (1.2.3.4)
Host is up (0.0082s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh (protocol 2.0)
42/tcp open tcpwrapped
80/tcp open http?
135/tcp open msrpc?
443/tcp open ssl/https?
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s?
3306/tcp open mysql MySQL 5.0.54
5060/tcp open sip (SIP end point; Status: 200 OK)
5061/tcp open ssl/sip (SIP end point; Status: 200 OK)
...truncated...

And there ya have it, a relatively obfuscated installation of dionaea. It will at least avoid immediate identification from a network scan. Bear in mind that this only defeats the two match lines that name dionaea outright: the remaining services still answer exactly as dionaea does, the combination of FTP, MS-SQL, MySQL, SMB and SIP on a single host is itself unusual, and the edits live in files a dionaea upgrade will overwrite, so rescan with nmap -sV after every update.
