Hack Like a Pro: Capturing Zero-Day Exploits in the Wild with a Dionaea Honeypot, Part 1

Capturing Zero-Day Exploits in the Wild with a Dionaea Honeypot, Part 1

Hack Like a Pro: Capturing Zero-Day Exploits in the Wild with a Dionaea Honeypot, Part 1

Welcome back, my greenhorn hackers!

The Holy Grail of any hacker is to develop a zero-day exploit—an exploit that has never been seen by antivirus (AV) and other software developers, as well as intrusion detection system (IDS) developers. In that way, you can exploit systems with your newly discovered vulnerability with impunity!

To get a zero-day, you have at least two choices: develop your own or capture someone else's.

Developing your own can be a long and tedious process and requires significant knowledge of assembler, fuzzing, shellcode, etc. The process can take take thousands of man days. Cybercrime gangs and spying governments invest millions of dollars to develop zero-days, but in some rare cases, individuals manage to develop zero-days with little effort, especially for legacy systems. (The zero-day that hacked Target two years ago was developed by a 17-year-old hacker in Russia, but it targeted Windows XP, which Target was still using on their point-of-sale systems).

The other approach is to capture a zero-day that others have developed and reuse it. Remember the Hacking Team exploits that were released when Hacking Team was hacked? This approach has long been used by AV developers, forensic investigators and, in some cases, hackers.

What we want to do in this series is install and configure a honeypot that appears both vulnerable and realistic. Then, we wait for it to lure attackers in and then capture their malware when they have successfully compromised our system.

If we are a forensic investigator, we can then analyze the malware and maybe develop a defense or signature. If we are a hacker, we may be able to reuse the malware on other systems. In some cases, we may need to re-engineer the malware for other purposes, but that is still much faster and more efficient than starting from scratch. The key is to be able to capture the malware first.


Dionaea was developed by Markus Koetter as a low-interaction honeypot. It emulates a vulnerable Windows systems with services often targeted by attackers such as HTTP, FTP, SSH, SMB, etc. It is written in C, but uses Python to emulate various protocols to entice attackers.

Dionaea is named after the genus of plants that includes the carnivorous Venus flytrap. I think the symbolism is apparent.

Probably most important, it uses Libemu to detect shellcode and can alert us of the shellcode and capture it. Dionaea sends real-time notification of attacks via XMPP and then logs the information into a SQLite database.


Libemu is a library used for x86 emulation as well as shellcode detection, which is perfect for our honeypot here. It can pull malware off the wire or inside documents (PDF, RTF, etc.) that we can then use to analyze for malicious behavior using heuristics.

This is a relatively advanced honeypot and should not be attempted by the novice. In addition, I strongly suggest that you NOT use it on a system that will be used for other purposes as we will be installing libraries and other code that may disable other parts of your system.

In addition, Dionaea is meant to be vulnerable. This means if it is compromised, your entire system may be compromised. You should use a clean install, preferably a Debian or Ubuntu system. I will be using a clean install of Ubuntu 14.04.

Step 1: Install Dependencies

Dionaea is a complex piece of software and requires numerous dependencies that are not usually installed on Ubuntu or other Debian distributions. As a result, we will need to install the dependencies before installing and configuring Dionaea. This can be a long and tedious task.

For instance, to begin we need to download the following packages.

ubuntu > apt-get install libudns-dev libglib2.0-dev libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev python-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev sqlite3

Fortunately, Andrew Michael Smith has developed a script that does all the heavy lifting for us. We can download his script from GitHub using wget.

ubuntu > wget -q https://raw.github.com/andrewmichaelsmith/honeypot-setup-script/master/setup.bash -O /tmp/setup.bash && bash /tmp/setup.bash

This script will download and install all of the dependencies (there are many) and applications (p0f, SQLite, and others), then download and install and configure Dionaea.

Be patient here, this can take quite awhile.

Step 2: Choose an Interface

After downloading all of the applications and dependencies, Dionaea will begin to configure itself and ask you to choose the network interface you want the honeypot to listen on. Here, I chose eth0, but yours may be different.

Eventually, the downloading and installing will complete and you will be greeted by a screen like below telling you that p0f and Dionaea have started.

Step 3: Test the Install

Once the above process has been completed, we can check to see whether Dionaea has been properly and completely installed by typing:

ubuntu > dionaea -help

If the help screen seen above appears, you have successfully installed Dionaea. Congratulations!

Configuring Dionaea

Now our honeypot is up and running. In future tutorials in this series, I will show you how to set up Dionaea to alert you in real time of attacks, how to identify the particulars of the attackers (OS, IP, browser, interface), and how to capture and analyze the shellcode of the attack.

Then, we will test our honeypot using Metasploit and other attack tools to see whether it can actually capture malware before placing it live online. So keep coming back, my greenhorn hackers!

Cover images via Shutterstock (1, 2)


Don't want to sound like a noob here,
but what exactly is a "honeypot" in hacking terms?
(I've read the Wikipedia definition, but didn't quite understand)

A honeypot is usually used to divert or study attackers. Here, we are using it to capture their malware.

if the hacker is experienced and has a zero day,i think he would know
a honey pot when he sees one..right?

Don't underestimate the realism of some honeypots.


Excellent tutorial, never thought of setting a Honeypot at my own home, it usually takes too many resources.. but still, very interesting stuff!

Aren't honey pots dangerous when not properly used? I mean they are still running on your PC right?

Yes, there are dangers, but you are emulating a Windows system on a Linux system. The exploits for Windows won't work on Linux.

Master OTW,
thank you for yet another great tutorial.

I have a need to set one up but I'm a little unsure of where to set one up. I read your article twice, along with the one from last year but I still have a few questions:

I understand the corporate need (and how to go about) setting up a honeypot in a corporate network type environment (Like in Mr Robots TV series), but what are other options outside of work?

  • Set one up on my home network, register a domain name and port forward (VPN) to my honeypot in a kickbox disguised as a vulnerable Windows Server?
  • Or maybe just set the honeypot in a kickbox on my home network and with an AP set with WEP, hoping someone in the vicinity will hack it?
  • Or go with hosting services (like godaddy) and have it hosted in the cloud, after buying a domain name?

Yours truly,

Nice article.

I was wondering lately , Are there any techniques, to detect if the target running a honypot ?

should i install it in virtual machine or in a separate pc?

i would imagine you would want a seperate PC but if you're on a budget you can always pick up a raspberry pi for 30 bucks and if you want to be really safe buy a new public IP for it from your isp. even better would be to puchase a vps (virtual private server) from one of the many providers.

Ive had a miserable time trying to install this on clean versions of ubuntu 14. has anything changed since this post that would make the provided script fail to properly install the dependencies?

This article is fairly recent, so I doubt anything has changed significantly.

FYI, the link to Dionaea in the article, dionaea.carnivore.it , has been down for 3 weeks. Is there any other links? Googling for a honey pot software could have it's consequences so I'd rather have it come from a trusted source.

instead of ubuntu can i do it in Kali Linux ?

Share Your Thoughts

  • Hot
  • Latest