Forum Thread: Catching Exploits/Malware on a Live OS Honeypot!

Welcome back, my aspiring honeypot hacker enthusiasts! I previously wrote an article on catching malware with Dionaea. That was a great way to get introduced to the world of honeypots. I then had to step up my game and create a real live honeypot network. I'll explain this in detail to all my hacker brothers reading this. Please note: this takes a lot of time to set up, with plenty of trial and error; you will want to pull out your hair at times, you might even throw your cat across the room, who knows? But after all the frustration, it will be worth it.

Step 1) We will first need to pick a VPS provider that offers a cheap Windows VPS. I got a setup for about $10 per VPS with Windows 7 64-bit. They also offer other Windows versions. I chose to run everything on Windows 7 64-bit for starters.

Step 2) We will be using the following software:

-Microsoft OMS for log details (https://www.microsoft.com/en-us/cloud-platform/operations-management-suite)
-Microsoft Azure for deploying (https://azure.microsoft.com)
-PPEE
-Regshot
-VirusTotal uploader
-Malwarebytes (if you want)
-Wireshark
-Process Hacker
-Sysmon (https://technet.microsoft.com/en-us/sysinternals/sysmon)

Step 3) The Windows 7 images on the VPS sites usually do not have the latest patches installed, so we usually do not need to remove anything, for example the SMB1 patch (KB4013389) for the vulnerability WannaCry uses. You can go through and add patches if you are trying to collect only certain types of malware or exploits. Also, although it is controversial, I turned the Windows firewall COMPLETELY off. Some people choose to open only certain ports and limit outbound, but…… fuck it, that takes too long when deploying a lot, and we can reformat anyway. (Note: I did try this and didn't catch malware nearly as fast.)

Step 4) We are going to set up in Microsoft Azure (https://azure.microsoft.com). After we have made an account there and in OMS (it's free, BTW), we are going to create a "work-group". Click the plus button and search for "Log Analytics". Once this is created, the work-group is made.

Step 5) We will then add in Service Map, Security and Audit, and Wire Data 2.0. These will pull the logs from our honeypots and put them into OMS for us. I think of Azure as the deploy point and each OMS instance as where the log information is stored.

Step 6) You will have to install the InstallDependencyAgent and the Windows agent (MMASetup-AMD64.exe in the script below) on the honeypot servers. I chose to email these to myself with my Protonmail account, as there are keys you will need to copy. It is also easier to send files to yourself when setting up.

Step 7) I wrote a script in PowerShell to download the software, so I wouldn't have to keep downloading it manually every time I erased my honeypot. PLEASE NOTE: as far as I know, this script only works on PowerShell 2, so if you applied patches and are using another version it might not work. You can also tweak it to your liking, as you can see.

*Start Script*

# Installers to fetch; each one is saved to C:\ under its original file name
$urls = @(
    "https://1.eu.dl.wireshark.org/win64/Wireshark-win64-2.2.7.exe",
    "https://data-cdn.mbamupdates.com/web/mb3-setup-consumer/mb3-setup-consumer-3.1.2.1733-1.0.141-1.0.2092.exe",
    "https://github.com/processhacker2/processhacker2/releases/download/v2.39/processhacker-2.39-setup.exe",
    "http://www.rarlab.com/rar/winrar-x64-55b4.exe",
    "https://download.microsoft.com/download/5/B/C/5BC5DBB3-652D-4DCE-B14A-475AB85EEF6E/vcredist_x86.exe",
    "https://svwh.dl.sourceforge.net/project/regshot/regshot/1.9.0/Regshot-1.9.0.7z",
    "http://download.microsoft.com/download/E/D/B/EDB22276-C316-4982-AFED-6367255D0824/InstallDependencyAgent-Windows.exe",
    "https://download.microsoft.com/download/8/4/3/84312DF3-5111-4C13-9192-EBF2DF81B19B/MMASetup-AMD64.exe",
    "https://www.virustotal.com/static/bin/vtuploader2.2.exe",
    "https://download.sysinternals.com/files/Sysmon.zip"
)

# Download one file to $path; falls back to the current directory if the target folder does not exist
function Get-Installer([string]$url, [string]$path) {
    if (!(Split-Path -Parent $path) -or !(Test-Path -PathType Container (Split-Path -Parent $path))) {
        $path = Join-Path $pwd (Split-Path -Leaf $path)
    }
    "Downloading $url`nSaving at $path"
    $client = New-Object System.Net.WebClient
    $client.DownloadFile($url, $path)
    $path
}

foreach ($url in $urls) {
    $name = $url.Substring($url.LastIndexOf("/") + 1)
    Get-Installer $url (Join-Path "C:\" $name)
}

# Make sure SMB1 and SMB2 are enabled on the server side (this is the honeypot's exposed surface)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 1 -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB2 -Type DWORD -Value 1 -Force

# Show the state of the SMB1 and SMB2 drivers, then reboot so the settings take effect
sc.exe query mrxsmb10
sc.exe query mrxsmb20
Restart-Computer

*End Script*

sc.exe query mrxsmb10
sc.exe query mrxsmb20
^^^^^^^^^^^^^^^^^^^^

These commands show us whether SMB1 and SMB2 are running; the commands above them enable SMB1 and SMB2 so they can be exploited. I added them to the script to make sure they were on and working correctly.

Step 8) Sysmon! (https://technet.microsoft.com/en-us/sysinternals/sysmon)
We will extract Sysmon to the C:\ folder and run the following command:
sysmon -accepteula -i -h md5,sha256 -n -l
This installs Sysmon with MD5/SHA256 hashing of process images (-h), network connection logging (-n) and image-load logging (-l); see the Sysmon website for more information on tweaking it.

We will be using this to see when processes are created, files (i.e. malware) are dropped on the system, changes are made, etc.

We can create a custom Sysmon view in Event Viewer: open Event Viewer, choose "Create Custom View", filter by event source and choose "Sysmon". You can then pick which event IDs you want to sort by. (Once again, check out the website https://technet.microsoft.com/en-us/sysinternals/sysmon.)
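As an added example (not part of the original post), here is a PowerShell function that does in the console what the custom view does in Event Viewer: it pulls recent Sysmon process-create (ID 1), network-connection (ID 3) and file-create (ID 11) events and flattens the fields a honeypot analyst wants to look at first. It assumes Sysmon was installed with the command above and that it runs in an elevated PowerShell session on the honeypot; the function name is my own.

```powershell
# Summarise recent Sysmon events of the kinds this honeypot cares about:
#   1 = process created (carries the MD5/SHA256 hashes enabled by "-h md5,sha256")
#   3 = network connection (enabled by "-n")
#  11 = file created (a dropped payload)
# Assumption: Sysmon is installed as in Step 8 and this runs in an elevated session.
function Get-HoneypotSysmonEvents([int]$Hours = 1) {
    $filter = @{
        LogName   = "Microsoft-Windows-Sysmon/Operational"
        Id        = 1, 3, 11
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Sysmon stores its fields as <Data Name="..."> elements; flatten them into a hashtable
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        $detail = switch ($_.Id) {
            1  { "{0}  sha256={1}" -f $fields["CommandLine"], ($fields["Hashes"] -replace '.*SHA256=([0-9A-F]+).*', '$1') }
            3  { "{0} -> {1}:{2}/{3}" -f $fields["Image"], $fields["DestinationIp"], $fields["DestinationPort"], $fields["Protocol"] }
            11 { "{0} wrote {1}" -f $fields["Image"], $fields["TargetFilename"] }
        }
        New-Object PSObject -Property @{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Detail = $detail
        }
    }
}

# Example: everything from the last 6 hours, newest first, plus a count per event type
$events = Get-HoneypotSysmonEvents -Hours 6
$events | Sort-Object Time -Descending | Format-Table Time, Id, Detail -AutoSize
$events | Group-Object Id | Select-Object Name, Count
```

The SHA256 column is what you would paste into the VirusTotal uploader or search for; a new hash appearing alongside an inbound SMB connection in Wireshark is the usual first sign that something landed.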

Step 9) Install the software you are going to use before disabling your firewall. Fire up Wireshark, Process Hacker, etc. Make sure that OMS shows your honeypots connected and is pulling data back from them. Disable the firewall and you're in business!

Step 10) Catch some exploits or malware, and have fun! A lot of things can be tweaked here: OSes, patches, add-ons, Sysmon events. This is just a basic guide to get you started.

Random helpful links

https://www.rsaconference.com/writable/presentations/file_upload/hta-w05-tracking_hackers_on_your_network_with_sysinternals_sysmon.pdf

https://doublepulsar.com/eternalpot-lessons-from-building-a-global-nation-state-smb-exploit-honeypot-infrastructure-3f2a0b064ffe

https://www.splunk.com/blog/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/

https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx

https://aka.ms/dependencyagentwindows
https://docs.microsoft.com/en-us/azure/operations-management-suite/operations-management-suite-service-map-configure

If you like my writing, check out my site at http://www.ethicalredteam.com

3 Responses

Honeypots have been something that has interested me for a long time.
I remember how much I "suffered" to learn about honeypots, as there weren't many reliable tutorials.
Great job!

As soon as I'm done writing this week I want to try this, I want to start looking at reverse engineering malware.
