Building a Honeypot to Capture Zero-Day Exploits, Part 1

The Holy Grail of any hacker is to develop a zero-day exploit—an exploit that has never been seen by antivirus (AV) or intrusion detection systems (IDS) developers. In that way, the hacker can exploit systems with their newly discovered vulnerability without detection!

To get a zero-day, you have at least two choices: (1) develop your own or (2) capture someone else's.

Developing your own can be a long and tedious process and requires significant knowledge of assembler, fuzzing, shellcode, etc. The process can take take thousands of man days. Cybercrime gangs and government intelligence agencies invest millions of dollars to develop zero-days, but in some rare cases, individuals manage to develop zero-days with little effort, especially for legacy systems. (The zero-day that hacked Target several years ago was developed by a 17-year-old hacker in Russia, but it targeted Windows XP, which Target was still using on their point-of-sale systems(POS)).

The other approach is to capture a zero-day that others have developed and reuse it. Remember the Hacking Team exploits that were released when Hacking Team was hacked? This approach has long been used by AV developers, forensic investigators and, in some cases, hackers. In fact, the recent Vault 7 release showed that the CIA was capturing zero-day malware and reverse engineering it for their purposes.

What we want to do in this series is install and configure a honeypot that appears both vulnerable and realistic. Then, we wait for it to lure attackers in and then capture their malware when they have successfully compromised our system.

If we are a forensic investigator, we can then analyze the malware and maybe develop a defense or signature. If we are a hacker, we may be able to reuse the malware on other systems. In some cases, we may need to re-engineer the malware for other purposes, but that is still much faster and more efficient than starting from scratch. The key is to be able to capture the malware first.

Dionaea

Dionaea was developed by Markus Koetter as a low-interaction honeypot. It emulates a vulnerable Windows systems with services often targeted by attackers such as HTTP, FTP, SSH, SMB, etc. It is written in C, but uses Python to emulate various protocols to entice attackers.

Dionaea is named after the genus of plants that includes the carnivorous Venus flytrap. I think the symbolism is apparent. Probably most important, it uses Libemu to detect shellcode and can alert us of the shellcode and capture it. Dionaea sends real-time notification of attacks via XMPP and then logs the information into a SQLite database.

Libemu

Libemu is a library used for x86 emulation as well as shellcode detection, which is perfect for our honeypot here. It can pull malware off the wire or inside documents (PDF, RTF, etc.) that we can then use to analyze for malicious behavior using heuristics.

This is a relatively advanced honeypot and should not be attempted by the novice. In addition, I strongly suggest that you NOT use it on a system that will be used for other purposes as we will be installing libraries and other code that may disable other parts of your system.

In addition, Dionaea is meant to be vulnerable. This means if it is compromised, your entire system may be compromised. You should use a clean install, preferably a Debian or Ubuntu system. I will be using a clean install of Ubuntu 14.04.

Step 1: Install Dependencies

Dionaea is a complex piece of software and requires numerous dependencies that are not usually installed on Ubuntu or other Debian distributions. As a result, we will need to install the dependencies before installing and configuring Dionaea. This can be a long and tedious task.

For instance, to begin we need to download the following packages.

ubuntu > apt-get install libudns-dev libglib2.0-dev libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev python-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev sqlite3

Fortunately, Andrew Michael Smith has developed a script that does all the heavy lifting for us. We can download his script from GitHub using wget.

ubuntu > wget -q https://raw.github.com/andrewmichaelsmith/honeypot-setup-script/master/setup.bash -O /tmp/setup.bash && bash /tmp/setup.bash

 

This script will download and install all of the dependencies (there are many) and applications (p0f, SQLite, and others), then download and install and configure Dionaea.

 

Be patient here, this can take quite awhile.

Step 2: Choose an Interface

After downloading all of the applications and dependencies, Dionaea will begin to configure itself and ask you to choose the network interface you want the honeypot to listen on. Here, I chose eth0, but yours may be different.

 

Eventually, the downloading and installing will complete and you will be greeted by a screen  telling you that p0f and Dionaea have started.

 

Step 3: Test the Install

Once the above process has been completed, we can check to see whether Dionaea has been properly and completely installed by typing:

ubuntu > dionaea -help

 

 

 

 

 

If the help screen seen above appears, you have successfully installed Dionaea. Congratulations!

Configuring Dionaea

Now our honeypot is up and running. In future tutorials in this series, I will show you how to set up Dionaea to alert you in real time of attacks, how to identify the particulars of the attackers (OS, IP, browser, interface), and how to capture and analyze the shellcode of the attack.