A low-interactive honeypot aimed at collecting malware. DinoTools/dionaea
Dockerfile
FROM ubuntu:18.04
ENV DEBIAN_FRONTEND=noninteractive
RUN apt update && \
apt install -y --no-install-recommends \
build-essential \
cmake \
check \
cython3 \
git \
libcurl4-openssl-dev \
libemu-dev \
libev-dev \
libglib2.0-dev \
libloudmouth1-dev \
libnetfilter-queue-dev \
libnl-3-dev \
libpcap-dev \
libssl-dev \
libtool \
libudns-dev \
less \
python3 \
python3-dev \
python3-bson \
python3-yaml \
python3-boto3 \
fonts-liberation && \
apt autoremove -y && \
git clone https://github.com/DinoTools/dionaea.git /opt/dionaea && \
cd /opt/dionaea && \
mkdir build && \
cd build && \
cmake -DCMAKE_INSTALL_PREFIX:PATH=/opt/dionaea .. && \
make && \
make install && \
groupadd --gid 1000 dionaea && \
useradd -m --uid 1000 --gid 1000 dionaea && \
chown -R dionaea:dionaea /opt/dionaea/var && \
apt autoremove -y git
USER dionaea:dionaea
COPY dionaea.cfg /opt/dionaea/etc/dionaea/dionaea.cfg
COPY ftp.py /opt/dionaea/lib/dionaea/python/dionaea/
COPY index.html /opt/dionaea/var/lib/dionaea/http/root
COPY smbfields.py /opt/dionaea/lib/dionaea/python/dionaea/smb/include/
COPY mssql.py /opt/dionaea/lib/dionaea/python/dionaea/mssql/
COPY extras.py /opt/dionaea/lib/dionaea/python/dionaea/smb/
EXPOSE 21 42 69/udp 80 135 443 445 1433 1723 1883 1900/udp 3306 5060 5060/udp 5061 11211
It is based on Ubuntu 18.04 and is installed under /opt/dionaea. The image is published on Docker Hub.
dionaea.cfg
[logging]
default.filename=var/log/dionaea/dionaea.log
default.levels=all,-debug
default.domains=*
errors.filename=var/log/dionaea/dionaea-errors.log
errors.levels=error
errors.domains=*
With the above settings, dionaea.log receives every log level except debug, and dionaea-errors.log receives only errors.
/opt/dionaea/var/lib/dionaea/http/root/ is empty, so create a suitable index.html there.
https://gist.github.com/steeve85/2902618 As the above URL shows, if you run it unmodified, an Nmap port scan will reveal that it is a honeypot. Edit the following files so that it is not detected.
/opt/dionaea/lib/dionaea/python/dionaea/ftp.py (only the changed part is shown)
RESPONSE = {
# -- 100's --
"data_cnx_already_open_start_xfr": "125 Data connection already open, starting transfer",
"file_status_ok_open_data_cnx": "150 File status okay; about to open data connection.",
# -- 200's --
"cmd_ok": "200 Command OK",
"type_set_ok": "200 Type set to {mode}.",
"entering_port_mode": '200 PORT OK',
"sys_status_or_help_reply": '211 System status reply',
"dir_status": '212 %s',
"file_status": '213 {value}',
#"help_msg": '214 help: %s',
"name_sys_type": '215 UNIX Type: L8',
"welcome_msg": "220 Welcome to the ftp service",  # ← change this value
"svc_ready_for_new_user": '220 Service ready',
"goodbye_msg": '221 Goodbye.',
/opt/dionaea/lib/dionaea/python/dionaea/smb/include/smbfields.py (only the changed part is shown)
ConditionalField(UnicodeNullField(
"OemDomainName", "WORKGROUP"), lambda x: not x.Capabilities & CAP_EXTENDED_SECURITY),
ConditionalField(UnicodeNullField(
"ServerName", "HOMEUSER-3AF6FE"), lambda x: not x.Capabilities & CAP_EXTENDED_SECURITY),
Change the values of "OemDomainName" and "ServerName".
/opt/dionaea/lib/dionaea/python/dionaea/smb/extras.py (only the changed part is shown)
self.native_os = "Windows 5.1"
self.native_lan_manager = "Windows 2000 LAN Manager"
self.oem_domain_name = "WORKGROUP"  # ← change this value
self.os_type = 2
self.primary_domain = "WORKGROUP"
self.server_name = "HOMEUSER-3AF6FE"  # ← change this value
self.shares = {}
/opt/dionaea/lib/dionaea/python/dionaea/mssql/mssql.py (only the changed part is shown)
r.VersionToken.TokenType = 0x00  # ← changed from 0x01 to 0x00
docker run -itd --rm -p 21:21 -p 42:42 -p 69:69/udp -p 80:80 -p 135:135 -p 443:443 -p 445:445 -p 1433:1433 -p 1723:1723 -p 1883:1883 -p 1900:1900/udp -p 3306:3306 -p 5060:5060 -p 5060:5060/udp -p 5061:5061 -p 11211:11211 masaomi346/dionaea /opt/dionaea/bin/dionaea -u dionaea -g dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg
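Because the four COPY lines in the Dockerfile silently overwrite the stock modules, it is easy to rebuild the image with one of the default values still in place. The following pre-build check is an added example (not part of dionaea or of the original post): it greps the files about to be copied for exactly the stock values named above and fails if any of them survive. The sample file contents below are constructed for the demonstration, not real dionaea sources.

```python
import re
import sys

# Stock dionaea values quoted in the post; each pattern matches the line as it
# appears in the unpatched file, so a hit means that indicator was not changed.
DEFAULT_FINGERPRINTS = {
    "ftp.py": [
        (r'"welcome_msg"\s*:\s*"220 Welcome to the ftp service"', "FTP welcome_msg"),
    ],
    "smbfields.py": [
        (r'"OemDomainName"\s*,\s*"WORKGROUP"', "SMB OemDomainName"),
        (r'"ServerName"\s*,\s*"HOMEUSER-3AF6FE"', "SMB ServerName"),
    ],
    "extras.py": [
        (r'self\.oem_domain_name\s*=\s*"WORKGROUP"', "SMB oem_domain_name"),
        (r'self\.server_name\s*=\s*"HOMEUSER-3AF6FE"', "SMB server_name"),
    ],
    "mssql.py": [
        (r'r\.VersionToken\.TokenType\s*=\s*0x01\b', "MSSQL TokenType 0x01"),
    ],
}


def find_defaults(filename, source):
    """Return labels of stock values still present in one file's source text."""
    return [label for pattern, label in DEFAULT_FINGERPRINTS.get(filename, [])
            if re.search(pattern, source)]


def lint_files(files):
    """files maps basename -> source text; returns only the files with leftovers."""
    report = {name: find_defaults(name, text) for name, text in files.items()}
    return {name: hits for name, hits in report.items() if hits}


# Constructed samples (not real dionaea files): one stock fragment, one patched.
STOCK_EXTRAS = 'self.oem_domain_name = "WORKGROUP"\nself.server_name = "HOMEUSER-3AF6FE"\n'
PATCHED_EXTRAS = 'self.oem_domain_name = "CORP"\nself.server_name = "FS01"\n'

if __name__ == "__main__":
    # Usage: python lint_dionaea.py ftp.py smbfields.py extras.py mssql.py
    sources = {p.rsplit("/", 1)[-1]: open(p, encoding="utf-8").read() for p in sys.argv[1:]}
    leftovers = lint_files(sources)
    for name, hits in leftovers.items():
        print(f"{name}: still default -> {', '.join(hits)}")
    sys.exit(1 if leftovers else 0)
```

Run it against the files next to the Dockerfile before `docker build`; a non-zero exit means the image would still answer with a stock dionaea value.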