What exactly is HoneyDrive?

After HoneyDrive 3 was released, Freebuf hyped it up in China and it became popular overnight. See 《Linux蜜罐系统HoneyDrive 3版本发布》 (Linux honeypot system HoneyDrive 3 released), http://www.freebuf.com/tools/40865.html.

Still, a well-reheated plate of leftovers is a convenient plate, and people who want to save effort flock to it.

But what exactly is HoneyDrive, and what does it actually contain? Today I am going to go through it piece by piece.

First, it is a virtual appliance in OVA format, which can be imported directly into a server running VirtualBox, Xen, VMware and so on. I imported it onto a server running Xen; because of the format conversion that required, the 80 GB image took more than two hours to convert before it imported successfully.

Building HoneyDrive itself is simple: most of the work is collecting the various Honeynet-related projects. Anyone can put together their own version. Install a clean Ubuntu in a virtual machine, install the open-source software and small tools you need, and once everything is in place export the whole VM; the result is your own SelfDrive.ova.

As for which software is installed in HoneyDrive, you can read HoneyDrive's own README.txt, but I could not resist packaging it and uploading it to a Baidu drive. The projects and tools installed on HoneyDrive are listed at http://pan.baidu.com/s/1o6OCy6I; have a look for yourself.

Next, what each of the honeypot projects is actually for.

Kippo SSH honeypot: emulates an SSH service on the machine and goes a step further by offering a fairly realistic interactive shell. Every password guess and the attacker's source IP address are logged, and once an attacker hits one of the preconfigured username/password pairs, Kippo plays along with a fake interactive shell. Only curl and wget trigger a real action: the attacker's file is actually fetched, so it can be analysed in the next step.

Kippo: an excellent open-source SSH honeypot (PDF): http://pan.baidu.com/s/1i3KcQot
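What Kippo's log looks like, and how to get the credential guesses and source addresses out of it, is easiest to see with a script. The following is an added example, not code from HoneyDrive or the Kippo project: it parses the "login attempt" lines Kippo writes to log/kippo.log and summarises guesses per source IP, the most-tried credentials, and which sources hit a configured password. The log lines are constructed for this example (documentation IP ranges), and the regular expression assumes the stock Kippo log format shown in them.

```python
"""Triage a Kippo log: per-source credential guesses and successful logins."""
import re
from collections import Counter, defaultdict

# Kippo writes one line per login attempt to log/kippo.log in this shape.
# The sample below is CONSTRUCTED for this example (documentation IP ranges).
SAMPLE_LOG = """\
2014-09-20 08:56:21+0000 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/123456] failed
2014-09-20 08:56:23+0000 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/password] failed
2014-09-20 08:56:25+0000 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/123456] succeeded
2014-09-20 09:01:02+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [admin/admin] failed
2014-09-20 09:01:04+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/123456] failed
2014-09-20 09:01:05+0000 [HoneyPotTransport,1,198.51.100.7] connection lost
"""

# Matches the stock "login attempt [user/password] failed|succeeded" line.
# Limitation: a password containing ']' is not handled; Kippo does not escape it.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,"
    r"(?P<session>\d+),(?P<src>[\d.]+)\] login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>succeeded|failed)$"
)


def parse_login_attempts(text):
    """Yield one dict per 'login attempt' line; every other line is skipped."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(text):
    """Aggregate attempts: volume per source, credential popularity, who got in."""
    attempts = list(parse_login_attempts(text))
    per_src = Counter(a["src"] for a in attempts)
    creds = Counter((a["user"], a["password"]) for a in attempts)
    successes = defaultdict(list)
    for a in attempts:
        if a["result"] == "succeeded":
            successes[a["src"]].append((a["user"], a["password"]))
    return {
        "attempts": len(attempts),
        "per_src": per_src,
        "top_creds": creds,
        "successes": dict(successes),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("login attempts:", s["attempts"])
    print("per source:", s["per_src"].most_common())
    print("top credentials:", s["top_creds"].most_common(3))
    print("successful logins:", s["successes"])
```

Point it at a real log with summarize(open("log/kippo.log").read()); the sources in "successes" are the sessions whose shell transcripts (and any wget/curl downloads in dl/) deserve a closer look first.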

 

Dionaea: Dionaea is designed to lure attacks and capture both the attack session and the malware sample. By emulating a range of common services it records attacks against those services: source and destination IP, port and protocol, the complete network session, and it automatically analyses any shellcode the traffic contains, including the function calls it makes and the files it downloads, and retrieves the malware itself.

Unlike high-interaction honeypots, which trap attackers with real systems and services, Dionaea is a low-interaction honeypot: none of the weaknesses and targets it presents belong to a real production system; they are emulations of various systems and the services they offer. The upside is that installation and configuration are very simple and the honeypot carries almost no security risk of its own; the downside is that imperfect emulation limits what can be captured and makes the honeypot easier for an attacker to fingerprint.

Dionaea low-interaction honeypot deployment in detail: http://drops.wooyun.org/tips/640

Introduction to the Dionaea low-interaction honeypot: http://pan.baidu.com/s/1sjGyI7r
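Dionaea's logsql module writes every connection and every captured download into an SQLite database, and the questions you ask it after a few days are always the same: which emulated service got hit, by whom, and what did the shellcode go on to fetch. The following is an added example, not HoneyDrive's or Dionaea's own code: it builds a small in-memory copy of that database and runs those queries against it. The table layout is modelled on Dionaea's logsql schema (connections and downloads tables) and is an assumption of this example; the rows, URLs and hashes are constructed.

```python
"""Triage a Dionaea logsql.sqlite: services hit, attacking hosts, samples fetched."""
import sqlite3

# Table layout modelled on Dionaea's logsql module. ASSUMPTION for this example:
# confirm against your own database with `sqlite3 logsql.sqlite .schema` first.
SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY, connection_type TEXT,
    connection_transport TEXT, connection_protocol TEXT,
    connection_timestamp INTEGER, connection_root INTEGER,
    connection_parent INTEGER, local_host TEXT, local_port INTEGER,
    remote_host TEXT, remote_hostname TEXT, remote_port INTEGER);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY, connection INTEGER,
    download_url TEXT, download_md5_hash TEXT);
"""

# CONSTRUCTED sample data: documentation IP ranges, placeholder URLs and hashes.
CONNECTIONS = [
    (1, "accept", "tcp", "smbd",   1411200000, 1, 1, "10.0.0.5", 445,  "192.0.2.10",   "", 51000),
    (2, "accept", "tcp", "smbd",   1411200060, 2, 2, "10.0.0.5", 445,  "198.51.100.7", "", 51011),
    (3, "accept", "tcp", "httpd",  1411200120, 3, 3, "10.0.0.5", 80,   "192.0.2.10",   "", 51020),
    (4, "accept", "tcp", "mssqld", 1411200180, 4, 4, "10.0.0.5", 1433, "203.0.113.9",  "", 51030),
]
DOWNLOADS = [
    (1, 1, "http://203.0.113.50/x.exe",    "d41d8cd98f00b204e9800998ecf8427e"),
    (2, 2, "http://203.0.113.50/x.exe",    "d41d8cd98f00b204e9800998ecf8427e"),
    (3, 4, "tftp://198.51.100.7/ssms.exe", "0cc175b9c0f1b6a831c399e269772661"),
]


def open_db(path=":memory:", seed=True):
    """Open a logsql database; with seed=True, build the in-memory sample above."""
    db = sqlite3.connect(path)
    if seed:
        db.executescript(SCHEMA)
        db.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?,?,?,?,?,?)", CONNECTIONS)
        db.executemany("INSERT INTO downloads VALUES (?,?,?,?)", DOWNLOADS)
        db.commit()
    return db


def top_services(db, n=5):
    """Emulated services ranked by inbound connections ('accept' = attacker came to us)."""
    return db.execute(
        "SELECT connection_protocol, COUNT(*) AS hits FROM connections "
        "WHERE connection_type = 'accept' "
        "GROUP BY connection_protocol ORDER BY hits DESC, connection_protocol LIMIT ?",
        (n,)).fetchall()


def top_sources(db, n=5):
    """Attacking hosts ranked by inbound connections."""
    return db.execute(
        "SELECT remote_host, COUNT(*) AS hits FROM connections "
        "WHERE connection_type = 'accept' "
        "GROUP BY remote_host ORDER BY hits DESC, remote_host LIMIT ?",
        (n,)).fetchall()


def unique_samples(db):
    """Distinct payloads by MD5: many attackers dropping one sample is the usual picture."""
    return db.execute(
        "SELECT download_md5_hash, COUNT(*) AS hits, MIN(download_url) "
        "FROM downloads GROUP BY download_md5_hash ORDER BY hits DESC").fetchall()


def attacks_with_payload(db):
    """Join each download back to the attacking host and the service it exploited."""
    return db.execute(
        "SELECT c.remote_host, c.connection_protocol, d.download_url, d.download_md5_hash "
        "FROM downloads d JOIN connections c ON c.connection = d.connection "
        "ORDER BY d.download").fetchall()


if __name__ == "__main__":
    db = open_db()
    for title, rows in (("services", top_services(db)), ("sources", top_sources(db)),
                        ("samples", unique_samples(db)), ("attacks", attacks_with_payload(db))):
        print(title)
        for row in rows:
            print("   ", row)
```

Run it against a real capture with open_db("/path/to/logsql.sqlite", seed=False). If your database attaches downloads to a child connection rather than to the inbound one, walk connection_root or connection_parent back to the inbound connection before joining; the MD5 grouping is what tells you how many genuinely distinct samples the binaries/ directory actually holds.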

 

 

Glastopf web honeypot: Glastopf is a honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: reply with the correct response to the attacker exploiting the web application.

Glastopf: analysis of a web application attack trapping tool: http://www.2cto.com/Article/201302/189433.html

 

 

Amun: Through the use of emulated vulnerabilities, Amun aims at capturing malware in an automated fashion. The use of the scripting language Python, a modular design, and the possibility to write vulnerability modules in XML allow the honeypot to be easily maintained and extended to personal needs.

Amun: Automatic Capturing of Malicious Software: http://pan.baidu.com/s/1dDiXrot

 

 

Conpot: Conpot is a low-interaction, server-side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend. By providing a range of common industrial control protocols it gives you the basics to build your own system, capable of emulating complex infrastructures to convince an adversary that he has just found a huge industrial complex. To improve the deceptive capabilities, it can also serve a custom human-machine interface to increase the honeypot's attack surface. The response times of the services can be artificially delayed to mimic the behaviour of a system under constant load. Because complete protocol stacks are provided, Conpot can be accessed with production HMIs or extended with real hardware. Conpot is developed under the umbrella of the Honeynet Project and on the shoulders of a couple of very big giants.

http://conpot.org/

 

 

Honeyd low-interaction honeypot: Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses (its author reports testing up to 65536) on a LAN for network simulation. Honeyd improves cybersecurity by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.

http://www.honeyd.org/index.php

 

LaBrea sticky honeypot: LaBrea is an intrusion detection / "sticky" honeypot technology that uses virtual servers to detect malware. LaBrea takes over unused IP addresses and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet. The program answers connection attempts in a way that leaves the machine at the other end "stuck", sometimes for a very long time.
LaBrea works by watching ARP requests and replies. When the program sees consecutive ARP requests for the same address spaced several seconds apart, without any intervening ARP reply, it assumes that the IP in question is unoccupied. It then "creates" an ARP reply with a bogus MAC address and fires it back at the requester.
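The capture rule above is simple enough to model directly. The following is an added example, not LaBrea's own code: it replays a constructed stream of ARP requests and replies through the rule (consecutive requests for the same IP, several seconds apart, with no reply in between, mean the address is free to claim) and records which addresses it would answer for with a bogus MAC, and which it releases again when a real host shows up. The 3 second threshold, the event layout and the bogus MAC 00:00:0f:ff:ff:ff are assumptions of this example; real LaBrea behaviour is governed by its own timers and command-line options.

```python
"""Model LaBrea's ARP-watching capture rule over a constructed event stream."""
from dataclasses import dataclass, field

# Bogus MAC the tarpit answers with. ASSUMPTION for this example (LaBrea's
# documented default is of this form; check your build's documentation).
BOGUS_MAC = "00:00:0f:ff:ff:ff"


@dataclass
class ArpWatcher:
    """Tracks which IPs look unoccupied and which ones we have taken over."""
    min_gap: float = 3.0  # seconds between unanswered requests before we claim the IP
    last_request: dict = field(default_factory=dict)  # ip -> ts of latest unanswered request
    captured: set = field(default_factory=set)        # IPs we answer for with BOGUS_MAC
    occupied: set = field(default_factory=set)        # IPs a real host has replied for

    def on_request(self, ts, target_ip):
        """Return (target_ip, BOGUS_MAC) if we should answer this request, else None."""
        if target_ip in self.occupied:
            return None                        # a real host lives here: stay out of its way
        if target_ip in self.captured:
            return (target_ip, BOGUS_MAC)      # keep the tarpit answering for IPs we hold
        prev = self.last_request.get(target_ip)
        self.last_request[target_ip] = ts
        if prev is not None and ts - prev >= self.min_gap:
            # Another request, seconds later, still unanswered: nobody owns this IP.
            del self.last_request[target_ip]
            self.captured.add(target_ip)
            return (target_ip, BOGUS_MAC)
        return None                            # first request, or just a retransmit burst

    def on_reply(self, ts, ip, mac):
        """A reply not from us marks the IP occupied, releasing it if we had captured it."""
        if mac == BOGUS_MAC:
            return                             # ignore our own forged replies on the wire
        self.last_request.pop(ip, None)
        self.captured.discard(ip)
        self.occupied.add(ip)


def run(events, min_gap=3.0):
    """Replay ("request", ts, ip) / ("reply", ts, ip, mac) events in time order.

    Returns the watcher state and the list of (ts, ip, mac) replies we would forge."""
    w = ArpWatcher(min_gap=min_gap)
    forged = []
    for ev in events:
        if ev[0] == "request":
            answer = w.on_request(ev[1], ev[2])
            if answer:
                forged.append((ev[1],) + answer)
        elif ev[0] == "reply":
            w.on_reply(ev[1], ev[2], ev[3])
    return w, forged


# CONSTRUCTED event stream (private addresses, locally administered MACs).
EVENTS = [
    ("request", 0.0,  "10.0.0.20"),
    ("reply",   0.1,  "10.0.0.20", "52:54:00:12:34:56"),  # real host answers: occupied
    ("request", 1.0,  "10.0.0.77"),
    ("request", 2.0,  "10.0.0.77"),                       # 1 s later: too soon, a retry
    ("request", 3.0,  "10.0.0.20"),                       # occupied: never answered by us
    ("request", 6.0,  "10.0.0.77"),                       # 4 s later, unanswered: capture
    ("request", 7.0,  "10.0.0.88"),
    ("request", 9.0,  "10.0.0.77"),                       # captured: forged reply again
    ("request", 12.0, "10.0.0.88"),                       # 5 s later, unanswered: capture
    ("reply",   12.5, "10.0.0.88", "52:54:00:aa:bb:cc"),  # a real host appears: release
]

if __name__ == "__main__":
    watcher, forged = run(EVENTS)
    for ts, ip, mac in forged:
        print(f"t={ts:5.1f}  forged ARP reply: {ip} is-at {mac}")
    print("captured:", sorted(watcher.captured), "occupied:", sorted(watcher.occupied))
```

The release path in on_reply is the part worth keeping in mind when deploying LaBrea on a shared segment: a machine that boots late onto an address the tarpit has already claimed will fight it for the ARP entry, so exclude DHCP pools and any address that may legitimately come back. Real LaBrea also expires stale pending entries and has a "hard capture" mode; both are left out here.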

 

PhoneyC: PhoneyC is a low-interaction honeypot for analysing the behaviour of malicious code aimed at clients. It provides a JavaScript engine that executes the JS in a web page and judges from its behaviour whether the page contains malicious JavaScript.

http://www.honeynet.org/project/PhoneyC

 

Thug: A complement to honeypots, a honeyclient is a tool designed to mimic the behavior of a user-driven network client application, such as a web browser, and be exploited by an attacker's content.

Thug is a Python low-interaction honeyclient aimed at mimicking the behavior of a web browser in order to detect and emulate malicious contents.

https://github.com/buffer/thug

 

 

HoneyDrive also carries a number of other honeypot-related projects; their purpose is much the same, although the services they emulate and the way they implement them differ from one honeypot to the next. It also ships an ELK Stack (http://www.elasticsearch.org/overview/) as the log monitoring component.

Finally, it includes a set of handy small tools that may come in useful when analysing malware by hand.


All of the above was gathered and summarised from the vast expanse of the Internet, and it took no small effort. It also serves as a summary for my own benefit.


This article was first published by asnine. It is also my first blog post, so the layout may be a bit rough; bear with it.

