Saturday, July 5, 2008

Let's Try A New Honeypot

A honeypot is a great tool for discovering new attack scenarios, malware propagation, virus infections and so forth. Unfortunately, installing a honeypot can sometimes be very complicated and stressful. For this reason I wanna point out Amun, a very useful honeypot written in Python, and for that reason really fast and easy to use.
If you wanna try it, you need to install Psyco, a lightweight Python library. Get it with apt-get or, if you're using OS X, from port by typing:

sudo port install py25-psyco

After that, edit /config/amun.conf and configure your honeypot!
At a minimum you need to add the external IP address to use and the vulnerabilities to emulate. A new feature in Amun 0.1.2 is auto-submission to Anubis, an online malware sandbox; if you don't like Anubis, remove the entry from the config file as follows.

Save amun.conf, start ./, and here we go. An easy honeypot has been installed on your local machine.

Another great Amun feature is the ability to write a "vulnerability plugin" using an XML file, so no particular Python skills are needed. Under the ./utils/xml_vuln_creator folder you'll find a "Creator":, able to convert an XML file to a vulnerability module. Let me show a very famous example: the VNC vulnerability.

From the source:

typing:

./ -f xml_vnc.xml

You'll build two files to add to the /vuln_modules/ folder:

Again, we've just finished building our own vulnerability module, and our honeypot has a new feature: "The VNC Vulnerability". All thanks to the union of XML and Python. Until now honeypot configuration was very stressful; now it's going to be an easy installation process.

Thanks to RWTH Aachen University for that.
