Division Zero (Div0). Copyright © 2011-2018

All rights reserved.

Honeytrap

 

Honeytrap, written by Tillmann Werner, is a low-interaction malware collection honeypot. Instead of emulating specific services or well-known vulnerabilities, it reacts dynamically to incoming traffic: whatever port an attacker connects to, Honeytrap answers and tricks the attacker into sending its complete payload. This dynamic server concept lets Honeytrap respond to most network traffic and even capture attacks against previously unknown (zero-day) vulnerabilities, because nothing has to be known about the targeted service in advance.

 

Honeytrap offers several connection monitors that implement the dynamic server concept:

  1. A libpcap-based sniffer catches TCP RST packets generated by the local host with a sequence number of zero. That is what the kernel sends back when a SYN arrives on a closed port, so each such packet marks a rejected connection request. Honeytrap reacts by opening a listener on the source port of the RST, so that the next connection attempt to that port is accepted and handled. The first attempt is necessarily lost; only a retry is captured.

  2. A hook on the ip_queue interface of iptables, together with an iptables rule that hands the packets of new connections to Honeytrap in user space. This monitor has the advantage of catching the very first connection attempt, since no packet has to be rejected before Honeytrap learns about the port.

The ip_queue monitor is not as stealthy as the libpcap one: it answers every connection request, so a scanner sees every port respond, whereas the libpcap-based monitor only entertains peers that come back after their first attempt was rejected, i.e. persistent ones.
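To make the first monitor's signal concrete, here is an added example in Python (not Honeytrap's own code) that applies the same test to raw captured frames: it decodes Ethernet/IPv4/TCP headers and reports every local port that answered a SYN with an RST whose sequence number is zero, together with the peers that probed it. The frames it runs on are constructed inline (RFC 5737 documentation addresses, checksums left at zero); the local address, the port numbers and the helper names are assumptions made for the illustration.

```python
"""Find ports that rejected a connection, the way Honeytrap's libpcap monitor does.

Added example, not Honeytrap's code: it only parses frames and computes the
set of ports Honeytrap would bring up; it does not open any listener.
"""
import struct
from collections import namedtuple
from typing import Dict, Iterable, Optional, Set

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

TcpSegment = namedtuple("TcpSegment", "src_ip dst_ip src_port dst_port seq ack flags")


def parse_frame(frame: bytes) -> Optional[TcpSegment]:
    """Decode Ethernet/IPv4/TCP headers; return None for anything else."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ver_ihl = ip[0]
    ihl = (ver_ihl & 0x0F) * 4                      # IPv4 header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl + 20 or ip[9] != IPPROTO_TCP:
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    src_port, dst_port, seq, ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
    return TcpSegment(src_ip, dst_ip, src_port, dst_port, seq, ack, off_flags & 0x01FF)


def rejected_ports(frames: Iterable[bytes], local_ip: str) -> Dict[int, Set[str]]:
    """Map each local port that rejected a SYN to the peers that probed it.

    The signal is the one the libpcap monitor keys on: an RST *sent by the local
    host* with sequence number 0. The kernel emits exactly that (RST|ACK, seq=0,
    ack=peer_seq+1) when a SYN hits a closed port. RSTs that tear down a live
    connection carry the current send sequence, which is practically never 0,
    so they are not counted (a send sequence that happens to wrap to 0 would be
    a rare false positive; Honeytrap accepts that trade-off too).
    """
    hits: Dict[int, Set[str]] = {}
    for frame in frames:
        seg = parse_frame(frame)
        if seg is None or seg.src_ip != local_ip:
            continue                                # not TCP, or not generated here
        if not (seg.flags & TCP_RST) or seg.seq != 0:
            continue                                # not the closed-port reply
        hits.setdefault(seg.src_port, set()).add(seg.dst_ip)
    return hits


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_frame(src_ip, dst_ip, src_port, dst_port, seq, ack, flags) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums left at 0)."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                      (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip + tcp


LOCAL_IP = "192.0.2.10"        # assumed address of the honeypot host (constructed)
SAMPLE_FRAMES = [              # constructed capture, not real traffic
    # probe of closed port 4444: SYN in, kernel answers RST|ACK with seq 0
    build_frame("198.51.100.7", LOCAL_IP, 51000, 4444, 1000, 0, TCP_SYN),
    build_frame(LOCAL_IP, "198.51.100.7", 4444, 51000, 0, 1001, TCP_RST | TCP_ACK),
    # open port 22: SYN|ACK reply, no RST, nothing for Honeytrap to do
    build_frame("198.51.100.7", LOCAL_IP, 51001, 22, 2000, 0, TCP_SYN),
    build_frame(LOCAL_IP, "198.51.100.7", 22, 51001, 777, 2001, TCP_SYN | TCP_ACK),
    # RST tearing down the live session on 22: seq is the send sequence, not 0
    build_frame(LOCAL_IP, "198.51.100.7", 22, 51001, 900, 2050, TCP_RST | TCP_ACK),
    # RST with seq 0 coming *from* the peer: not locally generated, ignored
    build_frame("198.51.100.7", LOCAL_IP, 51002, 4444, 0, 0, TCP_RST),
    # a non-IP frame (ARP ethertype) that the parser must skip
    bytes(12) + struct.pack("!H", 0x0806) + bytes(28),
    # second attacker probing closed port 8080
    build_frame("203.0.113.5", LOCAL_IP, 40000, 8080, 5000, 0, TCP_SYN),
    build_frame(LOCAL_IP, "203.0.113.5", 8080, 40000, 0, 5001, TCP_RST | TCP_ACK),
]

if __name__ == "__main__":
    for port, peers in sorted(rejected_ports(SAMPLE_FRAMES, LOCAL_IP).items()):
        print(f"port {port} rejected {', '.join(sorted(peers))}; "
              f"Honeytrap would now open a dynamic server on {port}")
```

On a live sensor you can watch the same signal with tcpdump and the filter `tcp[13] & 4 != 0 and tcp[4:4] = 0 and src host <local-ip>` (RST flag set, sequence number zero, sent by this host): each line it prints is a port the libpcap monitor would bring up, which is a quick way to confirm that probes are reaching the honeypot before Honeytrap itself is started.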

 

Installation

I installed my Honeytrap (on my virtual machine running CentOS 6.2) using the libpcap-based connection monitor as I favoured it over the ip_queue connection monitor. Nonetheless, I will still show how to install Honeytrap with the ip_queue connection monitor.

 

Firstly, get a copy of the Honeytrap tarball from SourceForge and unpack it.

 

Resolve dependencies:
  • $ sudo yum install ElectricFence
    Electric Fence is a malloc debugging library: it places each heap allocation next to an inaccessible page so that a buffer overrun aborts the process immediately instead of silently corrupting memory. Linking Honeytrap against it (the --with-efence option below) turns a heap bug triggered by a malicious payload into a crash rather than a hijacked honeypot. It is a debugging aid rather than a hardening measure, and it costs a lot of extra memory.

  • $ sudo yum install libpcap-devel
    Needed if you build with the libpcap-based connection monitor.

  • $ sudo yum install iptables-devel
    Needed if you build with the ip_queue connection monitor. You will also need the ip_queue kernel module loaded and an iptables rule that queues new connections to Honeytrap:
    $ sudo iptables -A INPUT -i [monitoring-interface] -p tcp --syn -m state --state NEW -j QUEUE
    Two things to watch: packets sent to the QUEUE target are dropped whenever no user-space process is attached to the queue, so add the rule only once Honeytrap is running; and the rule matches every new TCP connection on that interface, including your own SSH session, so put an ACCEPT rule for your management port in front of it.

 
Install Honeytrap:

$ ./configure --with-stream-mon=[connection-monitor-type] --with-efence

Replace [connection-monitor-type] with the monitor you installed the dependency for; ./configure --help lists the accepted values. Leave out --with-efence if you did not install Electric Fence.

$ make && sudo make install

By default Honeytrap installs under the /usr/local prefix, with its configuration in /usr/local/etc/honeytrap.

 

Configuration

You will have to configure Honeytrap to your liking before running it. The default configuration file is /usr/local/etc/honeytrap/honeytrap.conf.

 

The configuration file sets where Honeytrap writes its log and PID files, and where it stores what it collects:

  • attack_dir stores all data collected about the attacks against your Honeytrap.

  • dlsave_dir stores all malware (downloaded files) collected by your Honeytrap.

It also sets how Honeytrap responds on each port:
  • Normal mode: Honeytrap's basic emulation, which accepts the connection and collects whatever the attacker sends.

  • Mirror mode: everything the attacker sends is reflected back to the attacker.

  • Proxy mode: incoming connections are relayed to a different host or service.

  • Ignore mode: connections to that port are simply ignored.

 

Run your Honeytrap!

$ sudo honeytrap -c /usr/local/etc/honeytrap/honeytrap.conf -u nobody -g nobody -t 5 -D

** Honeytrap has to be started with root privileges so it can capture packets and bind to privileged ports, but for security purposes it must never keep running as root: always pass -u and -g so it drops to an unprivileged user and group right after start-up, and confirm in the process list that the running honeytrap process is not owned by root.

 
