Introduction to HoneyTrap
HoneyTrap is an extensible open-source system for running, monitoring and managing honeypots.
The HoneyTrap honeypot system deploys sensor nodes in the network that sense the surrounding network environment in real time; the sensor nodes' logs are stored and visualised in real time, giving a picture of the threat situation in the network. The system imitates potential attack targets to attract and capture attacker activity, giving security teams valuable information about attackers' behaviour, tools and intent.
HoneyTrap is in the FreeBSD ports tree and pkg repository, so installation is very easy. The latest version is the 2021 build:
honeytrap-g20210510_20 Framework for running, monitoring and managing honeypots
Official source: https://github.com/honeytrap/honeytrap  Source on gitcode: https://gitcode.com/honeytrap/honeytrap
HoneyTrap manual: installing on FreeBSD, "Install HoneyTrap on FreeBSD | HoneyTrap"; configuring honeypot services, "Services | HoneyTrap".

Installation and usage
Installation
On FreeBSD, simply install it with pkg:
pkg install honeytrap
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
	honeytrap: g20210510_20
Number of packages to be installed: 1
The process will require 16 MiB more space.
5 MiB to be downloaded.
Proceed with this action? [y/N]: y
[1/1] Fetching honeytrap-g20210510_20.pkg: 100%    5 MiB   1.3MB/s    00:04
Checking integrity... done (0 conflicting)
[1/1] Installing honeytrap-g20210510_20...
===> Creating groups.
Creating group 'honeytrap' with gid '333'.
===> Creating users
Creating user 'honeytrap' with uid '333'.
[1/1] Extracting honeytrap-g20210510_20: 100%
Starting
As the root user, just run the command honeytrap:
root@fbhost:~ # honeytrap
2024/05/26 08:44:09 Failed to read config file config.toml: open config.toml: no such file or directory
2024/05/26 08:44:09 Failed to read config file /usr/local/etc/honeytrap/honeytrap/config.toml: open /usr/local/etc/honeytrap/honeytrap/config.toml: no such file or directory
2024/05/26 08:44:09 Using config file /usr/local/etc/honeytrap/honeytrap.toml
 _   _                       _____                🍯
| | | | ___  _ __   ___ _   |_   _| __ __ _ _ __
| |_| |/ _ \| '_ \ / _ \ | | || || '__/ _' | '_ \
|  _  | (_) | | | |  __/ |_| || || | | (_| | |_) |
|_| |_|\___/|_| |_|\___|\__, ||_||_|  \__,_| .__/
                        |___/              |_|
Honeytrap starting (cp98bmc56oi085qlqke0)...
Version: 2021-05-10T00:00:00 (110030494f54)
honeytrap > heartbeat > category=heartbeat, date=2024-05-26 08:44:39.90594456 +0800 CST m=+30.037749369, sensor=honeytrap, sequence=0, token=cp98bmc56oi085qlqke0, type=info
honeytrap > heartbeat > category=heartbeat, date=2024-05-26 08:45:09.904327698 +0800 CST m=+60.036132496, sensor=honeytrap, sequence=1, token=cp98bmc56oi085qlqke0, type=info
What should you do once it is running? Connect to it, of course. HoneyTrap has opened port 8022, and you can log in to it over SSH.
Logging in to the HoneyTrap server over SSH
Use the command:
ssh -p 8022 root@192.168.1.5
Note that you log in as root here; the default password is: password
Once logged in you see:
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-31-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
524 packages can be updated.
270 updates are security updates.
----------------------------------------------------------------
Ubuntu 16.04.1 LTS                          built 2016-12-10
----------------------------------------------------------------
last login: Sun Nov 19 19:40:44 2017 from 172.16.84.1
Wow, what an ancient piece of software!
Once logged in, there are no shell commands at all, not even ls or pwd. So this is what a honeypot is: any command typed here can be seen on the console where the HoneyTrap service was started. For example, typing "hello"
produces this tracked event: source-port=54481, ssh.command=hello, ssh.sessionid=cp99ecc56oi08hokkt60, token=cp98bmc56oi085qlqke0, type=ssh-channel
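HoneyTrap prints both the heartbeat lines seen in the startup output and the ssh-channel events as one-line key=value lists on the console. The following Python script is an added example, not code from the original post or from the HoneyTrap project: it parses those lines into dictionaries, groups the commands typed in each SSH session, and flags sessions whose commands match a small watch-list. The sample log embedded in it is constructed from the lines on the page; the "honeytrap > ssh >" prefix on the ssh lines, the second session and the extra commands are assumptions, and the watch-list is a hypothetical one.

```python
import re
from collections import defaultdict

# Constructed sample of HoneyTrap console output, modelled on the heartbeat
# and ssh-channel lines quoted in the post. The "honeytrap > ssh >" prefix on
# the ssh lines, the second session and the extra commands are assumptions.
SAMPLE_LOG = """\
honeytrap > heartbeat > category=heartbeat, date=2024-05-26 08:44:39.90594456 +0800 CST m=+30.037749369, sensor=honeytrap, sequence=0, token=cp98bmc56oi085qlqke0, type=info
honeytrap > ssh > source-port=54481, ssh.command=hello, ssh.sessionid=cp99ecc56oi08hokkt60, token=cp98bmc56oi085qlqke0, type=ssh-channel
honeytrap > ssh > source-port=54481, ssh.command=cat /etc/passwd, ssh.sessionid=cp99ecc56oi08hokkt60, token=cp98bmc56oi085qlqke0, type=ssh-channel
honeytrap > ssh > source-port=54490, ssh.command=uname -a, ssh.sessionid=cp99fsample0000000000, token=cp98bmc56oi085qlqke0, type=ssh-channel
honeytrap > heartbeat > category=heartbeat, date=2024-05-26 08:45:09.904327698 +0800 CST m=+60.036132496, sensor=honeytrap, sequence=1, token=cp98bmc56oi085qlqke0, type=info
"""

# Hypothetical watch-list: substrings in a typed command that should make a
# session stand out when reviewing the honeypot's log.
WATCH = ("/etc/passwd", "/etc/shadow", "wget ", "curl ")

KEY_RE = re.compile(r"[\w.\-]+")


def parse_event(line):
    """Parse one console line into a dict, or return None if it is not an event.

    The line is 'sensor > source > k=v, k=v, ...'; a bare 'k=v, ...' body (as
    the post quotes it) is accepted too. Fields are split on ', ', and a
    fragment with no 'key=' in front is glued back onto the previous value so
    a command containing a comma survives. A comma followed by text that looks
    like 'key=' stays ambiguous; that is a limit of the line format itself.
    """
    line = line.strip()
    parts = line.split(" > ", 2)
    if len(parts) == 3:
        sensor, source, body = parts
    else:
        sensor, source, body = None, None, line
    if "=" not in body:
        return None
    event = {"_sensor": sensor, "_source": source}
    last_key = None
    for chunk in body.split(", "):
        key, eq, value = chunk.partition("=")
        if eq and KEY_RE.fullmatch(key):
            event[key] = value
            last_key = key
        elif last_key is not None:
            event[last_key] += ", " + chunk
    return event


def parse_log(text):
    """Parse every line of console output, skipping banner and non-event lines."""
    events = (parse_event(l) for l in text.splitlines())
    return [e for e in events if e is not None]


def ssh_sessions(events):
    """Map each SSH session id to the list of commands typed in it, in order."""
    sessions = defaultdict(list)
    for e in events:
        if e.get("type") == "ssh-channel" and "ssh.command" in e:
            sessions[e.get("ssh.sessionid", "?")].append(e["ssh.command"])
    return dict(sessions)


def flagged_sessions(events, watch=WATCH):
    """Return {session id: [matching commands]} for sessions that ran at least
    one command containing a watch-list substring."""
    flagged = {}
    for sid, commands in ssh_sessions(events).items():
        hits = [c for c in commands if any(w in c for w in watch)]
        if hits:
            flagged[sid] = hits
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    heartbeats = sum(e.get("type") == "info" for e in evs)
    print(f"{len(evs)} events, {heartbeats} heartbeats")
    for sid, cmds in ssh_sessions(evs).items():
        print(sid, "->", cmds)
    print("flagged:", flagged_sessions(evs))
```

In practice you would feed it the console output redirected to a file (or the service's log under rc.d), and the heartbeat sequence numbers double as a liveness check: a gap in `sequence` means the sensor stopped reporting.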
Configuring other honeypots
HoneyTrap enables the SSH honeypot by default; everything else has to be set up by hand by adding configuration to /usr/local/etc/honeytrap/honeytrap.toml.
The configuration format is:
[service.<you_choose_the_nickname_of_the_service>]
type="<official_name_of_the_service>"
# .. arguments
[[port]]
port=["<protocol>/<port>",..]
services=["nickname_of_the_service"]
Configuring a web honeypot
[service.http01]
type="http"
server="Nginx"
[[port]]
port="tcp/8080"
services=["http01"]
Test it with curl (curl treats the stray GET argument as a second URL, which is why the output starts with "Could not resolve host: GET"; the request to port 8080 still goes through):
curl -v GET http://192.168.1.5:8080
* Could not resolve host: GET
* Closing connection
curl: (6) Could not resolve host: GET
*   Trying 192.168.1.5:8080...
* Connected to 192.168.1.5 (192.168.1.5) port 8080
> GET / HTTP/1.1
> Host: 192.168.1.5:8080
> User-Agent: curl/8.6.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Nginx
< Content-Length: 0
<
* Connection #1 to host 192.168.1.5 left intact
Configuring an Elasticsearch honeypot
Elasticsearch is a very popular distributed search engine, widely used for AI image search and natural-language retrieval, so we can run an Elasticsearch honeypot too. The configuration is:
[service.elastico]
type="elasticsearch"
name="AW2LChf"
cluster_name="elasticsearch"
cluster_uuid="ay20oRi4SHmlOPAyTrPh6A"
[[port]]
port="tcp/9200"
services=["elastico"]
Test it with curl:
curl 192.168.1.5:9200
{"cluster_name":"elasticsearch","cluster_uuid":"ay20oRi4SHmlOPAyTrPh6A","name":"AW2LChf","tagline":"You Know, for Search","version":{"build_date":"2017-05-29T16:05:51.443Z","build_hash":"2cfe0df","build_snapshot":false,"lucene_version":"6.5.1","number":"5.4.1"}}
And there it is: a fake Elasticsearch service returning its banner.
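The service/port format introduced above, and the http and Elasticsearch blocks written in it, are easy to get subtly wrong: a [[port]] table can name a nickname that was never defined under [service.*], or two tables can claim the same port. The following Python script is an added example, not part of the original post or of the HoneyTrap project. It reads only the subset of TOML these blocks use, with a small hand-written reader so it runs without tomllib, and reports such mistakes. The embedded sample configuration reuses the post's http01 and elastico values and adds a deliberately broken third [[port]] table; the checks are this example's own sanity rules, not HoneyTrap's own validation.

```python
import re

# Constructed honeytrap.toml fragment: the http01 and elastico blocks reuse the
# values from the post; the third [[port]] table is deliberately broken (it
# re-binds tcp/8080 and names a service, ssh01, that is never defined).
SAMPLE_TOML = """\
# web honeypot
[service.http01]
type="http"
server="Nginx"

[service.elastico]
type="elasticsearch"
name="AW2LChf"
cluster_name="elasticsearch"
cluster_uuid="ay20oRi4SHmlOPAyTrPh6A"

[[port]]
port="tcp/8080"
services=["http01"]

[[port]]
port="tcp/9200"
services=["elastico"]

[[port]]
port=["tcp/8080", "tcp/8081"]
services=["ssh01"]
"""

SERVICE_HEADER = re.compile(r"\[service\.([\w\-]+)\]")
ASSIGNMENT = re.compile(r"([\w\-]+)\s*=\s*(.+)")
PORT_SPEC = re.compile(r"(tcp|udp)/(\d{1,5})")


def parse_honeytrap_toml(text):
    """Read only the TOML subset the service/port blocks use.

    Supports [service.<nick>] tables, [[port]] array tables, "string" values,
    arrays of strings and '#' comments. It is a deliberately small reader,
    not a TOML parser; anything else raises ValueError. Returns (services,
    ports): a dict nick -> fields and a list of port tables in file order.
    """
    services, ports = {}, []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # a '#' inside a string is not handled
        if not line:
            continue
        if line == "[[port]]":
            current = {}
            ports.append(current)
            continue
        m = SERVICE_HEADER.fullmatch(line)
        if m:
            current = {}
            services[m.group(1)] = current
            continue
        m = ASSIGNMENT.fullmatch(line)
        if m is None or current is None:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if value.startswith("[") and value.endswith("]"):
            current[key] = re.findall(r'"([^"]*)"', value)
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            current[key] = value[1:-1]
        else:
            raise ValueError(f"line {lineno}: unsupported value {value!r}")
    return services, ports


def validate(services, ports):
    """Return a list of human-readable problems; an empty list means clean.

    These are this example's own sanity rules, not HoneyTrap's validation.
    """
    problems = []
    bound_by = {}
    for i, table in enumerate(ports):
        spec = table.get("port")
        if spec is None or "services" not in table:
            problems.append(f"port table #{i} lacks 'port' or 'services'")
            continue
        for s in ([spec] if isinstance(spec, str) else spec):
            m = PORT_SPEC.fullmatch(s)
            if m is None or int(m.group(2)) > 65535:
                problems.append(f"port table #{i}: bad port spec {s!r}")
            elif s in bound_by:
                problems.append(f"{s} is bound by port tables #{bound_by[s]} and #{i}")
            else:
                bound_by[s] = i
        for nick in table["services"]:
            if nick not in services:
                problems.append(f"port table #{i} references undefined service {nick!r}")
    for nick, fields in services.items():
        if "type" not in fields:
            problems.append(f"service {nick!r} has no type")
        if not any(nick in t.get("services", []) for t in ports):
            problems.append(f"service {nick!r} is defined but bound to no port")
    return problems


if __name__ == "__main__":
    for line in validate(*parse_honeytrap_toml(SAMPLE_TOML)) or ["config looks clean"]:
        print(line)
```

Run it against the real file with `parse_honeytrap_toml(open("/usr/local/etc/honeytrap/honeytrap.toml").read())` before restarting the service; a reference to an undefined nickname or a doubly bound port is far easier to spot here than in the daemon's startup messages.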
Configuring HoneyTrap to start at boot
Add the line honeytrap_enable="YES" to /etc/rc.conf, which you can do with the following command:
echo honeytrap_enable="YES" >> /etc/rc.conf
The service will then start at boot. The first time, you can start it manually:
service honeytrap start
Summary
It turns out honeypot systems are not so out of reach after all: a honeypot is just a fake service. HoneyTrap is compact, installs directly via pkg on FreeBSD, installs and starts quickly, and its configuration is not too complex; it is a very good honeypot system.
Troubleshooting
Other systems: HoneyDrive
HoneyDrive is a honeypot system that runs on Linux and ships with dozens of honeypot programs of all kinds, such as Dionaea, the Amun malware honeypot and Wordpot; Kippo is a typical honeypot on HoneyDrive. HoneyDrive is simply an Xubuntu virtual machine: import it into VMware or VirtualBox and it runs.
Download it first; downloads are slow from inside China.
Error starting HoneyTrap from a personal account
honeytrap
2024/05/26 08:50:01 Failed to read config file config.toml: open config.toml: no such file or directory
2024/05/26 08:50:01 Failed to read config file /usr/local/etc/honeytrap/honeytrap/config.toml: open /usr/local/etc/honeytrap/honeytrap/config.toml: no such file or directory
2024/05/26 08:50:01 Failed to read config file /usr/local/etc/honeytrap/honeytrap.toml: open /usr/local/etc/honeytrap/honeytrap.toml: permission denied
No configuration file found! Check your config (-c).
So it still has to be started as the superuser.
Error logging in to port 8022 locally
ssh -p 8022 root@127.0.0.1
Unable to negotiate with 127.0.0.1 port 8022: no matching host key type found. Their offer: ssh-rsa
Use the -v option to see the detailed exchange:
ssh -v -p 8022 root@127.0.0.1
debug1: Authenticating to 127.0.0.1:8022 as 'root'
debug1: Fssh_load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 127.0.0.1 port 8022: no matching host key type found. Their offer: ssh-rsa
I suspect the honeypot's keys don't match the local ones. Logging in remotely works.