Operate a honeypot (Dionaea) with Docker

What is Dionaea

A low-interaction honeypot aimed at capturing malware samples. Source: DinoTools/dionaea

Honeypot construction

Dockerfile creation

Dockerfile


FROM ubuntu:18.04

ENV DEBIAN_FRONTEND=noninteractive

RUN apt update && \
    apt install -y --no-install-recommends \
    build-essential \
    cmake \
    check \
    cython3 \
    git \
    libcurl4-openssl-dev \
    libemu-dev \
    libev-dev \
    libglib2.0-dev \
    libloudmouth1-dev \
    libnetfilter-queue-dev \
    libnl-3-dev \
    libpcap-dev \
    libssl-dev \
    libtool \
    libudns-dev \
    less \
    python3 \
    python3-dev \
    python3-bson \
    python3-yaml \
    python3-boto3 \
    fonts-liberation && \
    apt autoremove -y && \
    git clone https://github.com/DinoTools/dionaea.git /opt/dionaea && \
    cd  /opt/dionaea && \
    mkdir build && \
    cd build && \
    cmake -DCMAKE_INSTALL_PREFIX:PATH=/opt/dionaea .. && \
    make && \
    make install && \
    groupadd --gid 1000 dionaea && \
    useradd -m --uid 1000 --gid 1000 dionaea && \
    chown -R dionaea:dionaea /opt/dionaea/var && \
    apt autoremove -y git

USER dionaea:dionaea

COPY dionaea.cfg /opt/dionaea/etc/dionaea/dionaea.cfg
COPY ftp.py /opt/dionaea/lib/dionaea/python/dionaea/
COPY index.html /opt/dionaea/var/lib/dionaea/http/root
COPY smbfields.py /opt/dionaea/lib/dionaea/python/dionaea/smb/include/
COPY mssql.py /opt/dionaea/lib/dionaea/python/dionaea/mssql/
COPY extras.py /opt/dionaea/lib/dionaea/python/dionaea/smb/

EXPOSE 21 42 69/udp 80 135 443 445 1433 1723 1883 1900/udp 3306 5060 5060/udp 5061 11211

The image is based on Ubuntu 18.04, and Dionaea is built from source and installed under /opt/dionaea. The image is published on Docker Hub as masaomi346/dionaea.

Editing dionaea.cfg (only the logging part is described)

dionaea.cfg


[logging]
default.filename=var/log/dionaea/dionaea.log
default.levels=all,-debug
default.domains=*

errors.filename=var/log/dionaea/dionaea-errors.log
errors.levels=error
errors.domains=*

With these settings, dionaea.log receives every log level except debug, while dionaea-errors.log receives only error-level messages.

Creating /opt/dionaea/var/lib/dionaea/http/root/index.html

/opt/dionaea/var/lib/dionaea/http/root/ is empty by default, so create an index.html there with whatever content you want the HTTP service to serve.

Nmap measures

As the gist at https://gist.github.com/steeve85/2902618 shows, if you run Dionaea with its default settings, an Nmap port scan reveals that it is a honeypot. Edit the following files so that the honeypot is not given away.

/opt/dionaea/lib/dionaea/python/dionaea/ftp.py (only the changed part is shown)


RESPONSE = {
    # -- 100's --
    "data_cnx_already_open_start_xfr":    "125 Data connection already open, starting transfer",
    "file_status_ok_open_data_cnx":       "150 File status okay; about to open data connection.",

    # -- 200's --
    "cmd_ok":                             "200 Command OK",
    "type_set_ok":                        "200 Type set to {mode}.",
    "entering_port_mode":                 '200 PORT OK',
    "sys_status_or_help_reply":           '211 System status reply',
    "dir_status":                         '212 %s',
    "file_status":                        '213 {value}',
    #"help_msg":                           '214 help: %s',
    "name_sys_type":                      '215 UNIX Type: L8',
    "welcome_msg":                        "220 Welcome to the ftp service",  # <- change this value
    "svc_ready_for_new_user":             '220 Service ready',
    "goodbye_msg":                        '221 Goodbye.',

/opt/dionaea/lib/dionaea/python/dionaea/smb/include/smbfields.py (only the changed part is shown)


ConditionalField(UnicodeNullField(
            "OemDomainName", "WORKGROUP"), lambda x: not x.Capabilities & CAP_EXTENDED_SECURITY),
ConditionalField(UnicodeNullField(
            "ServerName", "HOMEUSER-3AF6FE"), lambda x: not x.Capabilities & CAP_EXTENDED_SECURITY),

Change the values of "OemDomainName" and "ServerName".

/opt/dionaea/lib/dionaea/python/dionaea/smb/extras.py (only the changed part is shown)


self.native_os = "Windows 5.1"
self.native_lan_manager = "Windows 2000 LAN Manager"
self.oem_domain_name = "WORKGROUP"  # <- change this value
self.os_type = 2
self.primary_domain = "WORKGROUP"
self.server_name = "HOMEUSER-3AF6FE"  # <- change this value
self.shares = {}

/opt/dionaea/lib/dionaea/python/dionaea/mssql/mssql.py (only the changed part is shown)


r.VersionToken.TokenType = 0x00  # <- changed from 0x01 to 0x00
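As an added example that is not part of this post or of the dionaea project, a pre-build check that scans the four edited files in the Docker build context and flags any line still carrying the upstream default values listed above (the file names and default values come from this post; the sample extras.py content is constructed):

```python
"""Pre-build lint for the Dionaea fingerprint edits described above.

Added example (not code from the article or the dionaea project): scans
the four files the Dockerfile COPYs into the image and reports any line
that still carries an upstream default value an Nmap scan can recognise.
"""
import re
import sys
from pathlib import Path

# File name -> regexes for the default values the article says to change.
DEFAULT_FINGERPRINTS = {
    "ftp.py": [r'"welcome_msg":\s*"220 Welcome to the ftp service"'],
    "smbfields.py": [r'"OemDomainName",\s*"WORKGROUP"',
                     r'"ServerName",\s*"HOMEUSER-3AF6FE"'],
    "extras.py": [r'self\.oem_domain_name\s*=\s*"WORKGROUP"',
                  r'self\.server_name\s*=\s*"HOMEUSER-3AF6FE"'],
    "mssql.py": [r'r\.VersionToken\.TokenType\s*=\s*0x01\b'],
}


def find_defaults(name, text):
    """Return [(line_no, stripped_line)] for lines of `text` that still
    match a default pattern registered for file `name`."""
    patterns = [re.compile(p) for p in DEFAULT_FINGERPRINTS.get(name, [])]
    return [(n, line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if any(p.search(line) for p in patterns)]


def check_build_context(directory):
    """Scan the build context directory; return {file: hits} for files
    that still contain defaults. Missing files are skipped."""
    report = {}
    for name in DEFAULT_FINGERPRINTS:
        path = Path(directory) / name
        if path.is_file():
            hits = find_defaults(name, path.read_text(encoding="utf-8"))
            if hits:
                report[name] = hits
    return report


# Constructed sample: an extras.py where server_name was changed but
# oem_domain_name was forgotten.
SAMPLE_EXTRAS = '''self.native_os = "Windows 5.1"
self.oem_domain_name = "WORKGROUP"
self.server_name = "FILESRV01"
'''

if __name__ == "__main__":
    report = check_build_context(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, hits in report.items():
        for line_no, line in hits:
            print(f"{name}:{line_no}: still default -> {line}")
    sys.exit(1 if report else 0)
```

Run it against the directory holding the files the Dockerfile COPYs before `docker build`; a non-zero exit means at least one default value is still in place.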

Container startup

docker run -itd --rm -p 21:21 -p 42:42 -p 69:69/udp -p 80:80 -p 135:135 -p 443:443 -p 445:445 -p 1433:1433 -p 1723:1723 -p 1883:1883 -p 1900:1900/udp -p 3306:3306 -p 5060:5060 -p 5060:5060/udp -p 5061:5061 -p 11211:11211 masaomi346/dionaea /opt/dionaea/bin/dionaea -u dionaea -g dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg
