Running a honeypot (Dionaea) in Docker

Posted 2021-01-15

What is Dionaea

A low-interaction honeypot whose purpose is collecting malware. It emulates vulnerable-looking services (FTP, HTTP, SMB, MSSQL, MySQL, SIP and others), accepts whatever an attacker sends, and stores the payloads it is handed. Because the services are only emulated, the attacker never reaches a real shell, which is what makes it low-interaction.
DinoTools/dionaea

Building the honeypot

Creating the Dockerfile

Dockerfile
FROM ubuntu:18.04

ENV DEBIAN_FRONTEND=noninteractive

# Build dependencies, then build Dionaea from source and install it under /opt/dionaea.
# The clone is unpinned, so every build picks up the current upstream master.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
    build-essential \
    cmake \
    check \
    cython3 \
    git \
    libcurl4-openssl-dev \
    libemu-dev \
    libev-dev \
    libglib2.0-dev \
    libloudmouth1-dev \
    libnetfilter-queue-dev \
    libnl-3-dev \
    libpcap-dev \
    libssl-dev \
    libtool \
    libudns-dev \
    less \
    python3 \
    python3-dev \
    python3-bson \
    python3-yaml \
    python3-boto3 \
    fonts-liberation && \
    git clone https://github.com/DinoTools/dionaea.git /opt/dionaea && \
    cd /opt/dionaea && \
    mkdir build && \
    cd build && \
    cmake -DCMAKE_INSTALL_PREFIX:PATH=/opt/dionaea .. && \
    make && \
    make install && \
    groupadd --gid 1000 dionaea && \
    useradd -m --uid 1000 --gid 1000 dionaea && \
    chown -R dionaea:dionaea /opt/dionaea/var && \
    apt-get remove -y git && \
    apt-get autoremove -y && \
    rm -rf /var/lib/apt/lists/*

# Everything below runs as the unprivileged dionaea user. The writable state
# (logs, captured binaries, the HTTP document root) lives under /opt/dionaea/var,
# which the RUN step above chowned to that user.
USER dionaea:dionaea

# Locally edited copies of the config and of the modules that carry the default
# fingerprints (see the Nmap section below). COPY runs as root regardless of USER,
# so these files are root-owned but readable by dionaea.
COPY dionaea.cfg /opt/dionaea/etc/dionaea/dionaea.cfg
COPY ftp.py /opt/dionaea/lib/dionaea/python/dionaea/
COPY index.html /opt/dionaea/var/lib/dionaea/http/root
COPY smbfields.py /opt/dionaea/lib/dionaea/python/dionaea/smb/include/
COPY mssql.py /opt/dionaea/lib/dionaea/python/dionaea/mssql/
COPY extras.py /opt/dionaea/lib/dionaea/python/dionaea/smb/

# Emulated services; the same ports are published with -p at run time.
EXPOSE 21 42 69/udp 80 135 443 445 1433 1723 1883 1900/udp 3306 5060 5060/udp 5061 11211

The image is based on Ubuntu 18.04 and installs Dionaea under /opt/dionaea. The build clones upstream master without pinning a commit, so two builds on different days can contain different code; pin a tag or commit hash if you need reproducible images, and after every rebuild check that the modules the edits below overwrite still match what upstream ships. The build toolchain stays in the final image; a multi-stage build would slim it down.
The image is published on Docker Hub (masaomi346/dionaea, the name used in the run command further down).

Editing dionaea.cfg (only the [logging] section is shown)

dionaea.cfg
[logging]
default.filename=var/log/dionaea/dionaea.log
default.levels=all,-debug
default.domains=*

errors.filename=var/log/dionaea/dionaea-errors.log
errors.levels=error
errors.domains=*

With these settings, dionaea.log receives every level except debug and dionaea-errors.log receives errors only. The paths are relative and resolve under /opt/dionaea/var/log/dionaea/, which is why the Dockerfile chowns /opt/dionaea/var to the dionaea user before dropping privileges. Keep the error log: it is the first place to look if a service module fails to load after one of the banner edits below.

Creating /opt/dionaea/var/lib/dionaea/http/root/index.html

After installation /opt/dionaea/var/lib/dionaea/http/root/ is empty, so create an index.html there. Any page will do, but an empty document root is itself a giveaway, so serve something that looks like a plausible site rather than a placeholder.

Countermeasures against Nmap

https://gist.github.com/steeve85/2902618
As the gist above shows, if you run Dionaea as installed, an Nmap scan identifies the host as a honeypot: version detection (nmap -sV) gets back the stock FTP welcome banner, the stock SMB server and workgroup names and the stock MSSQL pre-login response, and those are recognisable as Dionaea's defaults. To avoid that, edit the files below before building the image, then rebuild and scan the host with nmap -sV yourself to confirm that none of the default strings is still visible. Changing the strings hides the defaults, not the emulation itself; anyone who interacts with the services for long will still notice the shallow behaviour, so treat this as raising the cost of recognition rather than eliminating it.

/opt/dionaea/lib/dionaea/python/dionaea/ftp.py (only the changed part is shown)
RESPONSE = {
    # -- 100's --
    "data_cnx_already_open_start_xfr":    "125 Data connection already open, starting transfer",
    "file_status_ok_open_data_cnx":       "150 File status okay; about to open data connection.",

    # -- 200's --
    "cmd_ok":                             "200 Command OK",
    "type_set_ok":                        "200 Type set to {mode}.",
    "entering_port_mode":                 '200 PORT OK',
    "sys_status_or_help_reply":           '211 System status reply',
    "dir_status":                         '212 %s',
    "file_status":                        '213 {value}',
    #"help_msg":                           '214 help: %s',
    "name_sys_type":                      '215 UNIX Type: L8',
    "welcome_msg":                        "220 Welcome to the ftp service",  # change this value
    "svc_ready_for_new_user":             '220 Service ready',
    "goodbye_msg":                        '221 Goodbye.',
    # ... remaining entries unchanged ...
}

/opt/dionaea/lib/dionaea/python/dionaea/smb/include/smbfields.py (only the changed part is shown)
ConditionalField(UnicodeNullField(
            "OemDomainName", "WORKGROUP"), lambda x: not x.Capabilities & CAP_EXTENDED_SECURITY),  # change "WORKGROUP"
ConditionalField(UnicodeNullField(
            "ServerName", "HOMEUSER-3AF6FE"), lambda x: not x.Capabilities & CAP_EXTENDED_SECURITY),  # change "HOMEUSER-3AF6FE"

Change the default values of OemDomainName ("WORKGROUP") and ServerName ("HOMEUSER-3AF6FE"). These fields are sent in the Negotiate Protocol response when the client has not negotiated extended security (that is what the lambda checks), and HOMEUSER-3AF6FE in particular is a well-known Dionaea tell.

/opt/dionaea/lib/dionaea/python/dionaea/smb/extras.py (only the changed part is shown)
self.native_os = "Windows 5.1"
self.native_lan_manager = "Windows 2000 LAN Manager"
self.oem_domain_name = "WORKGROUP"  # change this value
self.os_type = 2
self.primary_domain = "WORKGROUP"
self.server_name = "HOMEUSER-3AF6FE"  # change this value
self.shares = {}

Use the same names here as in smbfields.py, so that the SMB responses all advertise the same machine. native_os and native_lan_manager are sent in the same Session Setup response, so keep them consistent with whatever Windows version the chosen server name is supposed to be.

/opt/dionaea/lib/dionaea/python/dionaea/mssql/mssql.py (only the changed part is shown)
r.VersionToken.TokenType = 0x00  # change to 0x01
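The edits above are applied by copying whole patched modules into the image, which silently goes stale when upstream changes those files. As an added example (not from the original post and not part of Dionaea), here is a build-time alternative: a script that rewrites only the default strings quoted in this section and aborts if any of them is not found exactly where expected, so an upstream change fails the build instead of shipping a default banner. The file paths and default strings are the ones listed above; the script name (patch_fingerprints.py), the replacement values, the expected occurrence counts and the extra rewrite of primary_domain are assumptions, and SAMPLE_UPSTREAM is a constructed stand-in for the real files used only for the self-test.

```python
"""patch_fingerprints.py: replace Dionaea's default banners at image build time.

Added example, not part of the original post or of Dionaea. Paths and the
default strings are those quoted in the post; replacement values and the
expected occurrence counts are assumptions to adjust for your deployment.
"""
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# Operator-chosen values (assumptions; pick names that fit the network you deploy on).
FTP_BANNER = "220 FTP server ready."
DOMAIN_NAME = "CORPNET"
SERVER_NAME = "FS-ACCT-02"

# (path relative to the install prefix, default text, replacement, expected occurrences)
RULES: List[Tuple[str, str, str, int]] = [
    ("lib/dionaea/python/dionaea/ftp.py",
     '"220 Welcome to the ftp service"', f'"{FTP_BANNER}"', 1),
    ("lib/dionaea/python/dionaea/smb/include/smbfields.py",
     '"OemDomainName", "WORKGROUP"', f'"OemDomainName", "{DOMAIN_NAME}"', 1),
    ("lib/dionaea/python/dionaea/smb/include/smbfields.py",
     '"ServerName", "HOMEUSER-3AF6FE"', f'"ServerName", "{SERVER_NAME}"', 1),
    ("lib/dionaea/python/dionaea/smb/extras.py",
     'self.oem_domain_name = "WORKGROUP"', f'self.oem_domain_name = "{DOMAIN_NAME}"', 1),
    # primary_domain is not marked in the post; it is rewritten here so the domain
    # name is consistent across the SMB responses (assumption).
    ("lib/dionaea/python/dionaea/smb/extras.py",
     'self.primary_domain = "WORKGROUP"', f'self.primary_domain = "{DOMAIN_NAME}"', 1),
    ("lib/dionaea/python/dionaea/smb/extras.py",
     'self.server_name = "HOMEUSER-3AF6FE"', f'self.server_name = "{SERVER_NAME}"', 1),
    ("lib/dionaea/python/dionaea/mssql/mssql.py",
     "r.VersionToken.TokenType = 0x00", "r.VersionToken.TokenType = 0x01", 1),
]


class PatchError(RuntimeError):
    """A default string was not found exactly as expected: upstream changed, stop the build."""


def patch_text(text: str, old: str, new: str, expected: int = 1) -> str:
    """Replace old with new, insisting on exactly `expected` occurrences."""
    found = text.count(old)
    if found != expected:
        raise PatchError(f"expected {expected} occurrence(s) of {old!r}, found {found}")
    return text.replace(old, new)


def patch_files(files: Dict[str, str], rules=RULES) -> Dict[str, str]:
    """Pure core: apply every rule to an in-memory {relative path: contents} map."""
    out = dict(files)
    for rel, old, new, expected in rules:
        if rel not in out:
            raise PatchError(f"{rel}: file not present")
        out[rel] = patch_text(out[rel], old, new, expected)
    return out


def remaining_defaults(files: Dict[str, str], rules=RULES) -> List[Tuple[str, str]]:
    """Post-check: every default string still present in the given files."""
    return [(rel, old) for rel, old, _new, _n in rules if old in files.get(rel, "")]


def patch_tree(prefix: Path, rules=RULES) -> List[str]:
    """Read the real files under prefix, patch them, write back; returns the paths touched."""
    wanted = sorted({rel for rel, *_ in rules})
    files = {rel: (prefix / rel).read_text(encoding="utf-8") for rel in wanted}
    patched = patch_files(files, rules)
    leftover = remaining_defaults(patched, rules)
    if leftover:
        raise PatchError(f"defaults still present after patching: {leftover}")
    for rel in wanted:
        (prefix / rel).write_text(patched[rel], encoding="utf-8")
    return wanted


# Constructed stand-in for the upstream files (only the lines the post quotes),
# used for the self-test; the real files are much longer.
SAMPLE_UPSTREAM: Dict[str, str] = {
    "lib/dionaea/python/dionaea/ftp.py":
        'RESPONSE = {\n    "welcome_msg": "220 Welcome to the ftp service",\n'
        '    "svc_ready_for_new_user": \'220 Service ready\',\n}\n',
    "lib/dionaea/python/dionaea/smb/include/smbfields.py":
        'ConditionalField(UnicodeNullField(\n'
        '            "OemDomainName", "WORKGROUP"), lambda x: not x.Capabilities & CAP_EXTENDED_SECURITY),\n'
        'ConditionalField(UnicodeNullField(\n'
        '            "ServerName", "HOMEUSER-3AF6FE"), lambda x: not x.Capabilities & CAP_EXTENDED_SECURITY),\n',
    "lib/dionaea/python/dionaea/smb/extras.py":
        'self.oem_domain_name = "WORKGROUP"\nself.os_type = 2\n'
        'self.primary_domain = "WORKGROUP"\nself.server_name = "HOMEUSER-3AF6FE"\n',
    "lib/dionaea/python/dionaea/mssql/mssql.py":
        "r.VersionToken.TokenType = 0x00\n",
}


if __name__ == "__main__":
    prefix = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/opt/dionaea")
    try:
        for rel in patch_tree(prefix):
            print(f"patched {rel}")
    except (PatchError, OSError) as exc:
        sys.exit(f"fingerprint patch failed, refusing to continue the build: {exc}")
```

Run it from the Dockerfile right after make install (for example COPY patch_fingerprints.py /tmp/ followed by RUN python3 /tmp/patch_fingerprints.py /opt/dionaea) in place of the four COPY lines that overwrite whole modules; a non-zero exit stops docker build. The occurrence check is deliberately strict: if upstream moves or renames one of the strings, the build fails and you update the rule after reading the new code, rather than discovering the default banner in an nmap -sV run later.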

Starting the container

docker run -itd --rm \
  -p 21:21 -p 42:42 -p 69:69/udp -p 80:80 -p 135:135 -p 443:443 -p 445:445 \
  -p 1433:1433 -p 1723:1723 -p 1883:1883 -p 1900:1900/udp -p 3306:3306 \
  -p 5060:5060 -p 5060:5060/udp -p 5061:5061 -p 11211:11211 \
  masaomi346/dionaea \
  /opt/dionaea/bin/dionaea -u dionaea -g dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg

-u and -g tell dionaea to run as the dionaea user and group; the image already switches to that user, so they are belt and braces. Two things to watch. First, --rm discards the container's filesystem on exit, including the captured samples and both logs under /opt/dionaea/var, so mount a named volume there (for example -v dionaea-var:/opt/dionaea/var; a named volume is seeded from the image contents on first use, so the directory layout and index.html survive) if the catch is to outlive a restart. Second, because the process starts unprivileged, binding the ports below 1024 relies on Docker 20.10 or later, which sets net.ipv4.ip_unprivileged_port_start=0 inside the container's network namespace; on older engines those listeners fail and the errors show up in dionaea-errors.log.