Sunday, November 8, 2015

Power-Up Series 0x4 - Conpot (ICS/SCADA Honeypot)

The setup guide below was validated on Ubuntu Server 14.04.3 LTS (x64) and Raspbian GNU/Linux v7. If installing Raspbian on a Raspberry Pi, install and expand the Raspbian file system. This is a good time to change the regional localization settings to "en-US UTF-8".

1. Update repository listings and its packages:
$ sudo apt-get -y update && sudo apt-get -y dist-upgrade

2. Disable CUPS and uninstall Avahi (mDNS); neither is required on Ubuntu Server:
 $ sudo /etc/init.d/avahi-daemon stop
 $ sudo update-rc.d -f cups remove
 $ sudo apt-get remove --auto-remove avahi-daemon

3. Disable IPv6:
 $ sudo vim.tiny /etc/sysctl.conf 
 -----
 # Add the following lines to the bottom of the "/etc/sysctl.conf" file (sans pound sign)
 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
 net.ipv6.conf.lo.disable_ipv6 = 1
 -----
 $ sudo sysctl -p
 $ sudo /etc/init.d/networking restart

4. Install dependencies:
 $ sudo apt-get -y install libsmi2ldbl snmp-mibs-downloader python-dev libevent-dev libxslt1-dev libxml2-dev sqlite sqlite3 python-mysqldb
 $ wget https://bootstrap.pypa.io/ez_setup.py 
 $ sudo python ez_setup.py 

If you receive an "ImportError: No module named pkg_resources" error, execute the following:
$ sudo apt-get install --reinstall python-pkg-resources 

 $ sudo easy_install pip 

Ubuntu Server also requires the following dependencies:
 $ sudo apt-get -y install zlib1g-dev 
 $ sudo pip install 'requests[security]'

5. Download Conpot:
 $ cd /opt/
 $ sudo git clone https://github.com/mushorg/conpot.git
 $ cd conpot/

6. Build and install Conpot. I recommend deleting the "MySQL-python" line from requirements.txt if you are installing on Raspbian:
 $ sudo vim requirements.txt
 $ sudo pip install -r requirements.txt
 $ sudo python setup.py build
 $ sudo python setup.py install

7. Modify the configuration file:
 $ sudo vim.tiny /opt/conpot/conpot/conpot.cfg
 -----
 Under "[fetch_public_ip]", change "enabled = false" to "enabled = true".
 Under the Sqlite section, change "enabled" to "True".
 -----

8. Start Conpot:
 $ cd /opt/conpot/bin
 $ sudo python conpot --template default

The "default" template will configure the following services/ports:
  • Modbus port 502/tcp
  • Siemens S7-200 port 102/tcp
  • Bacnet port 47808/tcp
  • IPMI port 623/tcp
  • SNMP port 161/tcp
  • HTTP webserver port 80/tcp
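The following is an added example (not from the original post) for checking, once Conpot is running, that the honeypot is actually bound on every port the default template advertises. It assumes iproute2's `ss` is available and parses its `ss -ltun` output (TCP and UDP listeners); the `ss` output embedded below is constructed sample data.

```shell
#!/bin/sh
# Added example: compare the ports the default template should serve
# against the sockets actually bound on the host.

# Ports listed for the "default" template above.
CONPOT_PORTS="502 102 47808 623 161 80"

# listening_ports < ss-output : print the local port of every listening
# socket. `ss -ltun` puts the local address in column 5 ("*:502",
# "0.0.0.0:502" or "[::]:502"); the port is whatever follows the last colon.
listening_ports() {
    awk 'NR > 1 { n = split($5, a, ":"); print a[n] }' | sort -un
}

# missing_ports "PORTS" < ss-output : print each expected port that is not
# bound; exit status 1 if anything is missing, 0 if the honeypot is complete.
missing_ports() {
    bound=$(listening_ports)
    rc=0
    for p in $1; do
        if ! printf '%s\n' "$bound" | grep -qx "$p"; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

# Constructed `ss -ltun` output (sample data): a honeypot where IPMI/623
# never came up, plus the host's own sshd.
sample_ss_output() {
    printf 'Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port\n'
    printf 'tcp   LISTEN 0      128    *:502              *:*\n'
    printf 'tcp   LISTEN 0      128    *:102              *:*\n'
    printf 'tcp   LISTEN 0      128    *:80               *:*\n'
    printf 'udp   UNCONN 0      0      *:161              *:*\n'
    printf 'udp   UNCONN 0      0      *:47808            *:*\n'
    printf 'tcp   LISTEN 0      128    *:22               *:*\n'
}

# On the real host: ss -ltun | missing_ports "$CONPOT_PORTS"
sample_ss_output | missing_ports "$CONPOT_PORTS"   # prints 623
```

Run the last line against live `ss -ltun` output instead of the sample to get the list of services that failed to start.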

References:
http://stackoverflow.com/questions/3373995/usr-bin-ld-cannot-find-lz
http://blog.khairulazam.net/category/honeypot/
https://github.com/mushorg/conpot
http://askubuntu.com/questions/309461/how-to-disable-ipv6-permanently
http://www.installion.co.uk/ubuntu/saucy/main/c/cups-daemon/uninstall.html
http://www.linuxquestions.org/questions/linux-networking-3/how-to-disable-mdns-service-356222/

Sunday, November 1, 2015

Power-Up Series 0x3 - Install Bro and Brotop Web GUI

Updated 16 Feb 2016.
In this post, I have listed the steps necessary to configure a single Bro node leveraging the Brotop Web GUI for easier log parsing and reading.

Install dependencies:
$ sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libgeoip-dev libssl-dev python-dev zlib1g-dev libmagic-dev swig libgoogle-perftools-dev

Install Bro:
$ sudo mkdir -p /nsm/bro
$ cd ~
$ wget https://www.bro.org/downloads/release/bro-2.4.1.tar.gz
$ tar -xvzf bro-2.4.1.tar.gz
$ cd bro-2.4.1/
$ ./configure --prefix=/nsm/bro
$ make
$ sudo make install
$ export PATH=/nsm/bro/bin:$PATH

Install Geo-IP Databases:
$ cd ~
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
$ gunzip GeoLiteCity.dat.gz
$ sudo cp GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
$ gunzip GeoLiteCityv6.dat.gz
$ sudo cp GeoLiteCityv6.dat /usr/share/GeoIP/

Modify configuration files:
$ sudo vim /nsm/bro/etc/node.cfg
-----
Ensure that "interface=eth0" is the network interface you are using; otherwise, modify this line.
-----
$ sudo vim /nsm/bro/etc/networks.cfg
-----
Add appropriate RFC1918 address space and Microsoft APIPA in CIDR format
-----
$ sudo vim /nsm/bro/etc/broctl.cfg
-----
Change the MailTo address and the logging config, if desired.
-----
$ sudo /nsm/bro/bin/broctl
[BroControl]> install
[BroControl]> exit

Auto-start Broctl
$ sudo vim /etc/rc.local
-----
Add the following line "/nsm/bro/bin/broctl start"
-----

Monitoring Bro node:
$ sudo /nsm/bro/bin/broctl
[BroControl]> status
[BroControl]> ps.bro
[BroControl]> top

Restart host:
$ sudo shutdown -r now

Setup & Run Brotop Web GUI:
$ cd ~
$ mkdir brotop/
$ cd brotop/
$ wget https://github.com/criticalstack/brotop/releases/download/v0.3.0/brotop-linux-amd64.tar.gz
$ tar -zxvf brotop-linux-amd64.tar.gz
$ cd pkg/linux-amd64/
$ hostname -I  #192.168.1.225
$ ./brotop --path=/nsm/bro/logs/current/
Browse to http://192.168.1.225:8080/

Number of Connections by Service (application protocol):
$ /nsm/bro/bin/bro-cut service < conn.log | sort | uniq -c | sort -n

Top 10 Destination Ports:
$ /nsm/bro/bin/bro-cut id.resp_p < conn.log | sort | uniq -c | sort -rn | head -n 10

Top 10 User-Agents:
$ /nsm/bro/bin/bro-cut user_agent < http.log | sort | uniq -c | sort -rn | head -n 10

Replace "user_agent" with "mime_type" to view HTTP file types.

Visited Websites:
$ /nsm/bro/bin/bro-cut host < http.log | sort | uniq -c | sort -rn
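As an added example (not part of the original post), the same counting pipelines implemented with plain awk instead of bro-cut, for hosts where /nsm/bro/bin is not on PATH. It reads the `#fields` header so any column can be requested by name and skips unset ("-") and "(empty)" values; the conn.log excerpt is constructed sample data.

```shell
#!/bin/sh
# Added example: a bro-cut-style column extractor in awk. Bro logs are
# tab-separated, with a "#fields" header naming each column and "-" or
# "(empty)" where a value is unset.

# bro_field FIELD < log : print one column by name, skipping comment lines
# (#separator, #fields, #types, #close) and rows where the field is unset.
bro_field() {
    awk -v want="$1" -F'\t' '
        /^#fields/ { for (i = 2; i <= NF; i++) if ($i == want) col = i - 1; next }
        /^#/       { next }
        col && $col != "-" && $col != "(empty)" { print $col }
        END { if (!col) { print "field not found: " want > "/dev/stderr"; exit 1 } }
    '
}

# bro_top FIELD [N] < log : top-N values of FIELD with counts, most frequent
# first (the same as bro-cut FIELD | sort | uniq -c | sort -rn | head).
bro_top() {
    bro_field "$1" | sort | uniq -c | sort -rn | head -n "${2:-10}"
}

# Constructed conn.log excerpt (sample data, not real traffic).
sample_conn_log() {
    printf '#separator \\x09\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n'
    printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\n'
    printf '1447000000.1\tC1\t10.0.0.5\t51000\t10.0.0.9\t80\ttcp\thttp\n'
    printf '1447000001.2\tC2\t10.0.0.5\t51001\t10.0.0.9\t443\ttcp\tssl\n'
    printf '1447000002.3\tC3\t10.0.0.6\t51002\t10.0.0.9\t80\ttcp\thttp\n'
    printf '1447000003.4\tC4\t10.0.0.6\t51003\t10.0.0.9\t502\ttcp\t-\n'
    printf '#close\t2015-11-08-00-00-00\n'
}

# On a live sensor: bro_top id.resp_p 10 < /nsm/bro/logs/current/conn.log
sample_conn_log | bro_top id.resp_p 3
```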

Bro maintains a cheat sheet at https://github.com/bro/cheat-sheet/raw/master/bro-cheat-sheet.pdf

Bro Exercises: https://www.google.com/search?q=site:*.bro.org+challenge+%7C%7C+exercise

References:
https://www.bro.org/download/
http://dev.maxmind.com/geoip/legacy/geolite/
http://knowm.org/how-to-install-bro-network-security-monitor-on-ubuntu/
https://github.com/kingtuna/Hybrid-Darknet-Concept
https://github.com/criticalstack/brotop
https://www.bro.org/bro-workshop-2011/solutions/logs/