HoneyTrap介绍
HoneyTrap是一个可扩展的开源系统,用于运行、监控和管理蜜罐。
HoneyTrap蜜罐系统通过在网络中部署感应节点,实时感知周边网络环境,并将感应节点的日志进行实时存储和可视化分析,从而实现对网络环境中威胁情况的感知。该系统旨在通过模拟潜在攻击目标,吸引并捕获攻击者的活动,为安全团队提供有关攻击者行为、工具和意图的宝贵信息。
HoneyTrap在FreeBSD ports和pkg系统里面,安装非常方便。最新版本为2021版本。
honeytrap-g20210510_20 Framework for running, monitoring and managing honeypots
官网源码:https://github.com/honeytrap/honeytrap gitcode源码:https://gitcode.com/honeytrap/honeytrap
HoneyTrap手册:FreeBSD下安装 Install HoneyTrap on FreeBSD | HoneyTrap 配置蜜罐服务:Services | HoneyTrap
安装使用
安装
在FreeBSD系统下,直接使用pkg安装即可:
pkg install honeytrap
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
honeytrap: g20210510_20
Number of packages to be installed: 1
The process will require 16 MiB more space.
5 MiB to be downloaded.
Proceed with this action? [y/N]: y
[1/1] Fetching honeytrap-g20210510_20.pkg: 100% 5 MiB 1.3MB/s 00:04
Checking integrity... done (0 conflicting)
[1/1] Installing honeytrap-g20210510_20...
===> Creating groups.
Creating group 'honeytrap' with gid '333'.
===> Creating users
Creating user 'honeytrap' with uid '333'.
[1/1] Extracting honeytrap-g20210510_20: 100%
启动
在root账户下,直接运行命令honeytrap即可
root@fbhost:~ # honeytrap
2024/05/26 08:44:09 Failed to read config file config.toml: open config.toml: no such file or directory
2024/05/26 08:44:09 Failed to read config file /usr/local/etc/honeytrap/honeytrap/config.toml: open /usr/local/etc/honeytrap/honeytrap/config.toml: no such file or directory
2024/05/26 08:44:09 Using config file /usr/local/etc/honeytrap/honeytrap.toml
_ _ _____ 🍯
| | | | ___ _ __ ___ _ |_ _| __ __ _ _ __
| |_| |/ _ \| '_ \ / _ \ | | || || '__/ _' | '_ \
| _ | (_) | | | | __/ |_| || || | | (_| | |_) |
|_| |_|\___/|_| |_|\___|\__, ||_||_| \__,_| .__/
|___/ |_|
Honeytrap starting (cp98bmc56oi085qlqke0)...
Version: 2021-05-10T00:00:00 (110030494f54)
honeytrap > heartbeat > category=heartbeat, date=2024-05-26 08:44:39.90594456 +0800 CST m=+30.037749369, sensor=honeytrap, sequence=0, token=cp98bmc56oi085qlqke0, type=info
honeytrap > heartbeat > category=heartbeat, date=2024-05-26 08:45:09.904327698 +0800 CST m=+60.036132496, sensor=honeytrap, sequence=1, token=cp98bmc56oi085qlqke0, type=info
执行之后应该干什么呢? 当然是连上来了。HoneyTrap启动了8022端口,可以通过ssh登录
ssh登录HoneyTrap服务器
使用命令:
ssh -p 8022 root@192.168.1.5
注意这里要用root账户登录,默认密码是:password
登录进来显示:
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-31-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
524 packages can be updated.
270 updates are security updates.
----------------------------------------------------------------
Ubuntu 16.04.1 LTS built 2016-12-10
----------------------------------------------------------------
last login: Sun Nov 19 19:40:44 2017 from 172.16.84.1
哇,真是一个古老的软件啊!
登录之后发现没有任何shell命令,连ls、pwd等都没有。原来这就是蜜罐啊,这里输入的任何命令,都可以在原来开HoneyTrap服务的控制台看到,比如输入“hello”,
跟踪到的信息为:source-port=54481, ssh.command=hello, ssh.sessionid=cp99ecc56oi08hokkt60, token=cp98bmc56oi085qlqke0, type=ssh-channel
配置其它蜜罐
HoneyTrap默认打开了ssh蜜罐,其它的都要手工去设置,在/usr/local/etc/honeytrap/honeytrap.toml文件里加入配置即可,
配置的格式是
[service.<you_choose_the_nickname_of_the_service>]
type="<official_name_of_the_service>"
# .. arguments
[[port]]
port=["<protocol>/<port>",..]
services=["nickname_of_the_service"]
配置web蜜罐
[service.http01]
type="http"
server="Nginx"
[[port]]
port="tcp/8080"
services=["http01"]
使用curl命令测试:
curl -v GET http://192.168.1.5:8080
* Could not resolve host: GET
* Closing connection
curl: (6) Could not resolve host: GET
* Trying 192.168.1.5:8080...
* Connected to 192.168.1.5 (192.168.1.5) port 8080
> GET / HTTP/1.1
> Host: 192.168.1.5:8080
> User-Agent: curl/8.6.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Nginx
< Content-Length: 0
<
* Connection #1 to host 192.168.1.5 left intact
配置elasticsearch分布式检索蜜罐
elasticsearch是非常流行分布式检索引擎,在人工智能图片和自然语言检索方面应用非常广,我们也可以开一个elasticsearch的蜜罐,配置命令:
[service.elastico]
type="elasticsearch"
name="AW2LChf"
cluster_name="elasticsearch"
cluster_uuid="ay20oRi4SHmlOPAyTrPh6A"
[[port]]
port="tcp/9200"
services=["elastico"]
使用curl命令测试
curl 192.168.1.5:9200
{"cluster_name":"elasticsearch","cluster_uuid":"ay20oRi4SHmlOPAyTrPh6A","name":"AW2LChf","tagline":"You Know, for Search","version":{"build_date":"2017-05-29T16:05:51.443Z","build_hash":"2cfe0df","build_snapshot":false,"lucene_version":"6.5.1","number":"5.4.1"}}
看一个假的elasticsearch服务返回信息就来了。
配置HoneyTrap开机启动服务
在/etc/rc.conf文件中加入honeytrap_enable="YES" 语句,可以使用下面命令:
echo honeytrap_enable="YES" >> /etc/rc.conf
这样就会开机启动服务了。第一次可以手工命令起服务:
service honeytrap start
总结
原来蜜罐系统不是这么遥不可及,它就是一个假的服务罢了。HoneyTrap蜜罐系统体积小巧,在FreeBSD下可以直接pkg 安装,安装快,启动快,配置也不是太复杂,是一个非常好的蜜罐系统。
调试
其它系统HoneyDrive
HoneyDrive是一个运行在linux下的蜜罐系统,在HoneyDrive上具有几十个各种各样的蜜罐程序,如Dionaea、Amun malware honeypots,Wordpot等 ,Kippo是HoneyDrive上比较典型的蜜罐。HoneyDrive就是一个Xubuntu的虚拟机系统,把虚拟机导入到vmware或VMbox中就可以运行了。
首先去下载,国内较慢。
个人账户启动HoneyPort报错
honeytrap
2024/05/26 08:50:01 Failed to read config file config.toml: open config.toml: no such file or directory
2024/05/26 08:50:01 Failed to read config file /usr/local/etc/honeytrap/honeytrap/config.toml: open /usr/local/etc/honeytrap/honeytrap/config.toml: no such file or directory
2024/05/26 08:50:01 Failed to read config file /usr/local/etc/honeytrap/honeytrap.toml: open /usr/local/etc/honeytrap/honeytrap.toml: permission denied
No configuration file found! Check your config (-c).
看来还是要用超级用户启动它。
本地登录8022端口报错
ssh -p 8022 root@127.0.0.1
Unable to negotiate with 127.0.0.1 port 8022: no matching host key type found. Their offer: ssh-rsa
使用-v 选项来看详细的交互信息:
ssh -v -p 8022 root@127.0.0.1
debug1: Authenticating to 127.0.0.1:8022 as 'root'
debug1: Fssh_load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 127.0.0.1 port 8022: no matching host key type found. Their offer: ssh-rsa
怀疑是蜜罐系统跟本地的密钥不匹配。远程是可以登录的。