Introduction to HoneyTrap
HoneyTrap is an extensible open-source system for running, monitoring and managing honeypots.
The HoneyTrap honeypot system deploys sensor nodes in the network to observe the surrounding network environment in real time, and stores and visually analyses the sensor nodes' logs as they arrive, giving awareness of the threat situation in the network. By emulating potential attack targets, the system aims to attract and capture attacker activity, providing security teams with valuable information about attackers' behaviour, tools and intent.
HoneyTrap is in the FreeBSD ports and pkg systems, so installation is very convenient. The latest version is the 2021 build:
honeytrap-g20210510_20        Framework for running, monitoring and managing honeypots
Official source: https://github.com/honeytrap/honeytrap ; GitCode mirror: https://gitcode.com/honeytrap/honeytrap
HoneyTrap manual: installing on FreeBSD: Install HoneyTrap on FreeBSD | HoneyTrap ; configuring honeypot services: Services | HoneyTrap
Installation and use
Installation
On FreeBSD, install directly with pkg:
pkg install honeytrap
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
	honeytrap: g20210510_20
Number of packages to be installed: 1
The process will require 16 MiB more space.
5 MiB to be downloaded.
Proceed with this action? [y/N]: y
[1/1] Fetching honeytrap-g20210510_20.pkg: 100%    5 MiB   1.3MB/s    00:04
Checking integrity... done (0 conflicting)
[1/1] Installing honeytrap-g20210510_20...
===> Creating groups.
Creating group 'honeytrap' with gid '333'.
===> Creating users
Creating user 'honeytrap' with uid '333'.
[1/1] Extracting honeytrap-g20210510_20: 100%
Starting
As the root account, simply run the command honeytrap:
root@fbhost:~ # honeytrap
2024/05/26 08:44:09 Failed to read config file config.toml: open config.toml: no such file or directory
2024/05/26 08:44:09 Failed to read config file /usr/local/etc/honeytrap/honeytrap/config.toml: open /usr/local/etc/honeytrap/honeytrap/config.toml: no such file or directory
2024/05/26 08:44:09 Using config file /usr/local/etc/honeytrap/honeytrap.toml
 _   _                       _____                🍯
| | | | ___  _ __   ___ _   |_   _| __ __ _ _ __
| |_| |/ _ \| '_ \ / _ \ | | || || '__/ _' | '_ \
|  _  | (_) | | | |  __/ |_| || || | | (_| | |_) |
|_| |_|\___/|_| |_|\___|\__, ||_||_|  \__,_| .__/
                        |___/              |_|
Honeytrap starting (cp98bmc56oi085qlqke0)...
Version: 2021-05-10T00:00:00 (110030494f54)
honeytrap > heartbeat > category=heartbeat, date=2024-05-26 08:44:39.90594456 +0800 CST m=+30.037749369, sensor=honeytrap, sequence=0, token=cp98bmc56oi085qlqke0, type=info
honeytrap > heartbeat > category=heartbeat, date=2024-05-26 08:45:09.904327698 +0800 CST m=+60.036132496, sensor=honeytrap, sequence=1, token=cp98bmc56oi085qlqke0, type=info

What do you do after running it? Connect to it, of course. HoneyTrap has opened port 8022, which you can log in to over ssh.
Logging in to the HoneyTrap server over ssh
Use the command:
ssh -p 8022 root@192.168.1.5
Note that you must log in as the root account here; the default password is: password
After logging in, it shows:
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-31-generic x86_64)
* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage
524 packages can be updated.
270 updates are security updates.
----------------------------------------------------------------
Ubuntu 16.04.1 LTS                          built 2016-12-10
----------------------------------------------------------------
last login: Sun Nov 19 19:40:44 2017 from 172.16.84.1

Wow, what an ancient piece of software!
After logging in, there are no shell commands at all, not even ls or pwd. So this is what a honeypot is: whatever command you type here can be seen on the console where the HoneyTrap service was started. For example, typing "hello",
the tracked information is: source-port=54481, ssh.command=hello, ssh.sessionid=cp99ecc56oi08hokkt60, token=cp98bmc56oi085qlqke0, type=ssh-channel
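To make those console events usable for review, here is an added Python example (not part of HoneyTrap, and not the author's code) that parses lines in the console format shown above, the comma-separated key=value pairs behind the "honeytrap > <service> >" prefix, and groups ssh-channel events by session so that the commands each connecting client typed can be read together, in order. The sample lines are constructed for this example; the source-ip field and the "ssh" service label are assumptions modelled on the output above, not quoted from the page.

```python
"""Parse HoneyTrap console event lines and summarise ssh honeypot sessions.

Added example, not HoneyTrap's own code. It assumes the console format shown
on this page: an optional 'honeytrap > <service> > ' prefix followed by
comma-separated key=value pairs. Sample lines are constructed; the
'source-ip' key and the 'ssh' service label are assumptions.
"""
import re
from collections import Counter

# Constructed sample console output (modelled on the heartbeat and ssh-channel
# lines shown above; session ids, addresses and commands are made up).
SAMPLE_LOG = """\
honeytrap > heartbeat > category=heartbeat, date=2024-05-26 08:44:39.90594456 +0800 CST m=+30.037749369, sensor=honeytrap, sequence=0, token=cp98bmc56oi085qlqke0, type=info
honeytrap > ssh > source-ip=192.168.1.20, source-port=54481, ssh.command=hello, ssh.sessionid=cp99ecc56oi08hokkt60, token=cp98bmc56oi085qlqke0, type=ssh-channel
honeytrap > ssh > source-ip=192.168.1.20, source-port=54481, ssh.command=ls -la, ssh.sessionid=cp99ecc56oi08hokkt60, token=cp98bmc56oi085qlqke0, type=ssh-channel
honeytrap > ssh > source-ip=10.0.0.7, source-port=40112, ssh.command=echo hi, there, ssh.sessionid=cp99f0456oi08hokkt70, token=cp98bmc56oi085qlqke0, type=ssh-channel
"""

# Optional service prefix; the rest of the line is the key=value body.
PREFIX_RE = re.compile(r"^(?:honeytrap > (?P<service>[\w-]+) > )?(?P<body>.*)$")
# Split only on ', ' that is immediately followed by another key=, so a value
# that itself contains ', ' (e.g. a typed command) is not torn apart.
PAIR_SPLIT_RE = re.compile(r", (?=[\w.-]+=)")


def parse_event(line):
    """Turn one console line into a dict of its fields."""
    match = PREFIX_RE.match(line.strip())
    event = {}
    if match.group("service"):
        event["service"] = match.group("service")
    for pair in PAIR_SPLIT_RE.split(match.group("body")):
        key, sep, value = pair.partition("=")
        if sep:  # skip fragments that do not have a key=value shape
            event[key] = value
    return event


def parse_log(text):
    """Parse every non-empty line of a console capture."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def count_by_type(events):
    """How many events of each type (heartbeat 'info', 'ssh-channel', ...) were seen."""
    return dict(Counter(ev.get("type", "unknown") for ev in events))


def ssh_sessions(events):
    """Group ssh-channel events by ssh.sessionid.

    Returns {sessionid: {"source": "ip:port", "commands": [...]}} so an
    analyst can replay what each connecting client typed, in order.
    """
    sessions = {}
    for ev in events:
        if ev.get("type") != "ssh-channel":
            continue
        sid = ev.get("ssh.sessionid", "unknown")
        session = sessions.setdefault(sid, {
            "source": f"{ev.get('source-ip', '?')}:{ev.get('source-port', '?')}",
            "commands": [],
        })
        if "ssh.command" in ev:
            session["commands"].append(ev["ssh.command"])
    return sessions


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(count_by_type(events))
    for sid, info in ssh_sessions(events).items():
        print(sid, info["source"], info["commands"])
```

Because the split only happens before the next key=, a command containing a comma (the third constructed session) is kept whole; the heartbeat's date value, which contains spaces and an embedded "m=+30..." token, is likewise kept as one field.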
Configuring other honeypots
HoneyTrap enables the ssh honeypot by default; everything else has to be set up by hand, by adding configuration to the file /usr/local/etc/honeytrap/honeytrap.toml.
The configuration format is
[service.<you_choose_the_nickname_of_the_service>]
type="<official_name_of_the_service>"
# .. arguments

[[port]]
port=["<protocol>/<port>",..]
services=["nickname_of_the_service"]
Configuring a web honeypot
[service.http01]
type="http"
server="Nginx"

[[port]]
port="tcp/8080"
services=["http01"]
Test with the curl command:
curl -v GET http://192.168.1.5:8080
* Could not resolve host: GET
* Closing connection
curl: (6) Could not resolve host: GET
*   Trying 192.168.1.5:8080...
* Connected to 192.168.1.5 (192.168.1.5) port 8080
> GET / HTTP/1.1
> Host: 192.168.1.5:8080
> User-Agent: curl/8.6.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Nginx
< Content-Length: 0
<
* Connection #1 to host 192.168.1.5 left intact

Configuring an elasticsearch distributed search honeypot
elasticsearch is a very popular distributed search engine, widely used in AI image search and natural-language retrieval; we can open an elasticsearch honeypot too, with this configuration:
[service.elastico]
type="elasticsearch"
name="AW2LChf"
cluster_name="elasticsearch"
cluster_uuid="ay20oRi4SHmlOPAyTrPh6A"

[[port]]
port="tcp/9200"
services=["elastico"]
Test with the curl command:
curl 192.168.1.5:9200
{"cluster_name":"elasticsearch","cluster_uuid":"ay20oRi4SHmlOPAyTrPh6A","name":"AW2LChf","tagline":"You Know, for Search","version":{"build_date":"2017-05-29T16:05:51.443Z","build_hash":"2cfe0df","build_snapshot":false,"lucene_version":"6.5.1","number":"5.4.1"}}
See, the response from a fake elasticsearch service comes right back.
Configuring HoneyTrap to start at boot
Add the line honeytrap_enable="YES" to the /etc/rc.conf file; you can use the following command:
echo honeytrap_enable="YES" >> /etc/rc.conf
The service will then start at boot. The first time, you can start the service manually:
service honeytrap start
Summary
So honeypot systems are not so out of reach after all: a honeypot is just a fake service. The HoneyTrap honeypot system is compact, can be installed directly with pkg on FreeBSD, installs fast, starts fast and is not too complicated to configure; it is a very good honeypot system.
Troubleshooting
Other systems: HoneyDrive
HoneyDrive is a honeypot system that runs on Linux and comes with dozens of honeypot programs of all kinds, such as Dionaea, the Amun malware honeypot, Wordpot and so on; Kippo is a fairly typical honeypot on HoneyDrive. HoneyDrive is simply a Xubuntu virtual machine: import the VM into VMware or VirtualBox and it runs.
First go and download it; it is rather slow from within China.
Error starting HoneyTrap from a personal account
honeytrap
2024/05/26 08:50:01 Failed to read config file config.toml: open config.toml: no such file or directory
2024/05/26 08:50:01 Failed to read config file /usr/local/etc/honeytrap/honeytrap/config.toml: open /usr/local/etc/honeytrap/honeytrap/config.toml: no such file or directory
2024/05/26 08:50:01 Failed to read config file /usr/local/etc/honeytrap/honeytrap.toml: open /usr/local/etc/honeytrap/honeytrap.toml: permission denied
No configuration file found! Check your config (-c).

It seems it still has to be started as the superuser.
Error logging in to port 8022 locally
ssh -p 8022 root@127.0.0.1
Unable to negotiate with 127.0.0.1 port 8022: no matching host key type found. Their offer: ssh-rsa
Use the -v option to see the detailed exchange:
ssh -v -p 8022 root@127.0.0.1
debug1: Authenticating to 127.0.0.1:8022 as 'root'
debug1: Fssh_load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 127.0.0.1 port 8022: no matching host key type found. Their offer: ssh-rsa
I suspect the honeypot system's key does not match the local one. Logging in remotely works.