Sunday, November 8, 2015

Power-Up Series 0x4 - Conpot (ICS/SCADA Honeypot)

The setup guide below was validated on Ubuntu Server 14.04.3 LTS (x64) and Raspbian GNU/Linux 7. If installing Raspbian on a Raspberry Pi, install it and expand the Raspbian file system first. This is also a good time to change the regional localization settings to "en-US UTF-8".

1. Update repository listings and its packages:
$ sudo apt-get -y update && sudo apt-get -y dist-upgrade

2. Disable CUPS and remove the Avahi mDNS daemon (neither is required on Ubuntu Server):
 $ sudo /etc/init.d/avahi-daemon stop
 $ sudo update-rc.d -f cups remove
 $ sudo apt-get remove --auto-remove avahi-daemon

3. Disable IPv6:
 $ sudo vim.tiny /etc/sysctl.conf 
 -----
 # Add the following lines to the bottom of the "/etc/sysctl.conf" file (sans pound sign)
 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
 net.ipv6.conf.lo.disable_ipv6 = 1
 -----
 $ sudo sysctl -p
 $ sudo /etc/init.d/networking restart

4. Install dependencies:
 $ sudo apt-get -y install libsmi2ldbl snmp-mibs-downloader python-dev libevent-dev libxslt1-dev libxml2-dev sqlite sqlite3 python-mysqldb
 $ wget https://bootstrap.pypa.io/ez_setup.py 
 $ sudo python ez_setup.py 

If you receive an "ImportError: No module named pkg_resources" error, execute the following:
$ sudo apt-get install --reinstall python-pkg-resources 

 $ sudo easy_install pip 

Ubuntu server also required the following dependencies:
 $ sudo apt-get -y install zlib1g-dev 
 $ sudo pip install 'requests[security]'

5. Install Conpot (clone the project repository listed under References into /opt):
 $ cd /opt/
 $ sudo git clone https://github.com/mushorg/conpot.git
 $ cd conpot/

I recommend deleting the "MySQL-python" line if you are installing on Raspbian:
 $ sudo vim requirements.txt

 $ sudo pip install -r requirements.txt
 $ sudo python setup.py build
 $ sudo python setup.py install

6. Modify the configuration file:
 $ sudo vim.tiny /opt/conpot/conpot/conpot.cfg
 -----
 Under "[fetch_public_ip]", change "enabled = false" to "enabled = true".
 Under the sqlite logger section, change "enabled" to "True".
 -----

7. Start Conpot:
 $ cd /opt/conpot/bin
 $ sudo python conpot --template default

The "default" template will configure the following services/ports:
  • Modbus port 502/tcp
  • Siemens S7-200 port 102/tcp
  • BACnet port 47808/tcp
  • IPMI port 623/tcp
  • SNMP port 161/tcp
  • HTTP webserver port 80/tcp
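After starting Conpot it is worth confirming that every listener the template advertises is actually bound; a failed service or a stray firewall rule otherwise leaves a silent gap in what the honeypot records. The following shell script is an added example, not part of the original post or the Conpot project: it reads an ss/netstat-style socket listing on stdin, checks it against the port list above, and returns the number of expected ports that are missing. The sample listing embedded in it is constructed so the script can be exercised offline; on a live host pipe real output in with `ss -lntu | check_conpot_ports`.

```shell
#!/bin/sh
# Added example, not part of the original post or the Conpot project.
# Verifies that the listeners advertised by the "default" template are bound.
# On a live host pipe real output in:   ss -lntu | check_conpot_ports
# (or: netstat -lntu | check_conpot_ports on systems without ss)

# Ports from the template list in the post. No tcp/udp distinction is made so
# the same check works for both socket types in the listing.
EXPECTED_PORTS="502 102 47808 623 161 80"

# check_conpot_ports: reads a socket listing on stdin, prints the state of
# each expected port, and returns the count of expected ports NOT found
# (0 means every listener is up).
check_conpot_ports() {
    listing=$(cat)
    missing=0
    for port in $EXPECTED_PORTS; do
        # Anchor on ":PORT" followed by whitespace or end of line, so that
        # 80 does not match 8080 and 502 does not match 5020.
        if printf '%s\n' "$listing" | grep -Eq ":${port}([[:space:]]|\$)"; then
            echo "port $port: listening"
        else
            echo "port $port: MISSING"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample listing (ss-style) with two of the six ports absent
# (47808 and 623), used here so the script can be run offline.
SAMPLE_LISTING='tcp   LISTEN 0 128   0.0.0.0:502     0.0.0.0:*
tcp   LISTEN 0 128   0.0.0.0:102     0.0.0.0:*
udp   UNCONN 0 0     0.0.0.0:161     0.0.0.0:*
tcp   LISTEN 0 128   0.0.0.0:80      0.0.0.0:*'

# run_sample: feeds the constructed listing through the check and echoes the
# number of missing ports (the function's return code) for callers to inspect.
run_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | check_conpot_ports >/dev/null && rc=0 || rc=$?
    echo "$rc"
}
```

A non-zero exit status from `check_conpot_ports` is convenient for cron or a monitoring wrapper: the honeypot is only useful while every advertised service is reachable, so treat any missing port as an alert rather than a warning.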

References:
http://stackoverflow.com/questions/3373995/usr-bin-ld-cannot-find-lz
http://blog.khairulazam.net/category/honeypot/
https://github.com/mushorg/conpot
http://askubuntu.com/questions/309461/how-to-disable-ipv6-permanently
http://www.installion.co.uk/ubuntu/saucy/main/c/cups-daemon/uninstall.html
http://www.linuxquestions.org/questions/linux-networking-3/how-to-disable-mdns-service-356222/
