As I said in previous posts, I was recently in charge of defending a large network and had to figure out a lot of things to build an effective defense strategy. One of the first things I did was to set up a honeynet on the network and start capturing everything I could, to correlate events and gain a better understanding of the network.
The Dionaea honeypot helped me a lot with that task, as it is very simple to install and work with. Dionaea emulates a lot of services, pretty much everything you would want to study; my main interest was to use it for capturing Windows malware, and modules such as smb or ftp work fine for that.
You can install dionaea from the Honeynet Project PPA using the following:
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:honeynet/nightly
$ sudo apt-get update
$ sudo apt-get install dionaea
Once the program is installed you can edit the configuration in its etc dir: things like the downloads dir, which modules are loaded, and the names of the emulated services and the information they present about themselves.
Each of the services that dionaea emulates is configured by manually editing its own yaml file.
All the common or most used services are available to emulate and are enabled by default.
In each service you can configure things like the root folder for the ftp service, the database names for the mysql server, and so on.
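For the ftp service, for instance, the per-service file only needs to say which directory is presented to the client as the root of the share. The snippet below is an added example, not copied from the post; the key names are as in the upstream services-available/ftp.yaml as I recall it, and the path is an assumption, so compare it against the file shipped with your build before relying on it:

```yaml
# services-available/ftp.yaml
# Key names follow the upstream dionaea file; the root path is an assumption
# for this example, point it at the roots dir of your own install.
- name: ftp
  config:
    root: var/lib/dionaea/roots/ftp
```

Anything an attacker uploads into that root is what the honeypot will hand you later, so keep it on a filesystem mounted noexec and never browse it from a machine you care about.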
Once the services are running, dionaea logs to an sqlite database with the following format:
I left a dionaea honeypot running for a couple of months; the main purpose was to capture a considerable amount of Windows malware files, and after that time I got some.
Almost every piece of malware was sent over smb. I also got other interesting information from other services, such as mssql/mysql.
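The "almost everything came over smb" observation is the kind of question the sqlite log answers directly, but only if you attribute each download to the inbound connection that was exploited rather than to the outbound tftp/http connection that actually fetched the bytes. The script below is an added example, not code from the post or from the dionaea project: it opens a logsql database, joins downloads to their root connection, counts samples per exploited service and produces one record per unique hash ready to push into your own database (the author's custom MySQL dump would start from exactly this kind of query). The table and column subset is taken from the upstream logsql schema as I remember it and is an assumption to check against your installed version; the rows it loads are constructed so that it runs offline.

```python
"""Summarise a Dionaea logsql.sqlite: which emulated service delivered each
sample, how often, and from where.

Added example, not part of the original post or of dionaea itself.  The
schema subset below is assumed from the upstream logsql module (verify it
against your installed version); the sample rows are constructed.
"""
import os
import sqlite3
from typing import Dict, List

# Subset of the logsql schema this example relies on (assumption, see above).
SCHEMA = """
CREATE TABLE connections (
    connection           INTEGER PRIMARY KEY,
    connection_type      TEXT,     -- 'accept' = inbound, 'connect' = outbound
    connection_transport TEXT,
    connection_protocol  TEXT,     -- emulated service, e.g. 'smbd', 'ftpd'
    connection_timestamp INTEGER,
    connection_root      INTEGER,  -- id of the inbound session that started it
    connection_parent    INTEGER,
    local_host           TEXT,
    local_port           INTEGER,
    remote_host          TEXT,
    remote_hostname      TEXT,
    remote_port          INTEGER
);
CREATE TABLE downloads (
    download          INTEGER PRIMARY KEY,
    connection        INTEGER,     -- the connection that fetched the file
    download_url      TEXT,
    download_md5_hash TEXT         -- also the file name in the binaries dir
);
"""

# Constructed sample data (RFC 5737 test addresses, fake hashes).  Connections
# 2 and 4 are the outbound fetches that SMB shellcode asked for; their
# connection_root points back at the inbound smbd session that was exploited.
CONNECTIONS = [
    (1, "accept",  "tcp", "smbd", 1500000000, 1, 1, "10.0.0.5", 445, "203.0.113.10", "", 49152),
    (2, "connect", "tcp", "tftp", 1500000005, 1, 1, "10.0.0.5", 0,   "203.0.113.10", "", 69),
    (3, "accept",  "tcp", "smbd", 1500000100, 3, 3, "10.0.0.5", 445, "198.51.100.7", "", 50000),
    (4, "connect", "tcp", "http", 1500000102, 3, 3, "10.0.0.5", 0,   "198.51.100.7", "", 80),
    (5, "accept",  "tcp", "ftpd", 1500000200, 5, 5, "10.0.0.5", 21,  "192.0.2.33",   "", 40000),
]
DOWNLOADS = [
    (1, 2, "tftp://203.0.113.10/x.exe", "a" * 32),
    (2, 2, "tftp://203.0.113.10/x.exe", "a" * 32),  # same file pushed twice
    (3, 4, "http://198.51.100.7/b.exe", "b" * 32),
    (4, 5, "ftp://192.0.2.33/up/c.exe", "c" * 32),
]


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open logsql.sqlite (pass the real path on a live honeypot)."""
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    return conn


def load_constructed_sample(conn: sqlite3.Connection) -> None:
    """Populate an empty database with the constructed rows above."""
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?,?,?,?,?,?)", CONNECTIONS)
    conn.executemany("INSERT INTO downloads VALUES (?,?,?,?)", DOWNLOADS)
    conn.commit()


# Join every download to the *root* inbound connection, not to the connection
# that fetched the bytes: a sample dropped via SMB shellcode arrives over
# tftp/http, but the service that was exploited is smbd.
_BY_ROOT = """
SELECT d.download_md5_hash    AS md5,
       d.download_url         AS url,
       r.connection_protocol  AS protocol,
       r.remote_host          AS remote_host,
       r.connection_timestamp AS ts
FROM downloads d
JOIN connections c ON c.connection = d.connection
JOIN connections r ON r.connection = c.connection_root
"""


def downloads_by_protocol(conn: sqlite3.Connection) -> Dict[str, int]:
    """Download events per exploited service, e.g. {'smbd': 3, 'ftpd': 1}."""
    rows = conn.execute(
        "SELECT protocol, COUNT(*) AS n FROM (" + _BY_ROOT + ") "
        "GROUP BY protocol ORDER BY n DESC"
    )
    return {row["protocol"]: row["n"] for row in rows}


def samples(conn: sqlite3.Connection) -> List[dict]:
    """One record per unique sample, ready to insert into your own database."""
    rows = conn.execute(
        "SELECT md5, MIN(ts) AS first_seen, COUNT(*) AS hits, "
        "COUNT(DISTINCT remote_host) AS sources, "
        "GROUP_CONCAT(DISTINCT protocol) AS protocols, MIN(url) AS url "
        "FROM (" + _BY_ROOT + ") GROUP BY md5 ORDER BY hits DESC, first_seen ASC"
    )
    return [dict(row) for row in rows]


def sample_path(binaries_dir: str, md5: str) -> str:
    """Captured files are stored under their md5 in the binaries dir
    (assumed layout; adjust to your install)."""
    return os.path.join(binaries_dir, md5)


if __name__ == "__main__":
    db = open_db()
    load_constructed_sample(db)
    print(downloads_by_protocol(db))
    for s in samples(db):
        print(s["md5"], s["protocols"], s["hits"], s["sources"], s["url"])
```

On a real deployment call `open_db("/path/to/logsql.sqlite")` and skip `load_constructed_sample`; the md5 in each record is what you feed to `sample_path` to pick the file up for analysis, and the `sources` column is a quick way to separate a worm that hit you from many hosts from a one-off upload.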
After reviewing some of the pieces of malware found on the server, I saw things like:
A lot of WannaCry samples:
As well as other common banker malware.
I also dumped everything into a MySQL database. At first I tried Elastic + Kibana too, but as I wanted to do something so "custom" I ended up with a custom MySQL database:
You can get full log and malware samples here: