This is a tutorial to quickly set up and deploy a honeypot. It is useful if you are a student or researcher who wants to quickly throw up a honeypot without setting up Proxmox. I'm posting this to document this interesting creation, as I haven't seen a honeypot or most networks done like this (for a good reason).
VLANS should be configured to work beforehand.
The 'fun' part of this is the fact that it gives a live attacker full control, immediately and without any restrictions, of the computer you hand them inside your network. Too many honeypots are way too safe. There is no fun in that; let the attacker thrive and give you more content. This setup also lets you place more VMs on the vulnerable VLAN to see whether the attack on the honeypot spreads.
Now, honestly, if you have Proxmox this is much easier. While this configuration works, Proxmox is much easier to set up, and I would recommend it over this setup.
I used this honeypot to open RDP and SMB publicly on a Windows 7 computer to see how quickly it was attacked (10 minutes).
You will want to tag your host computer on two VLANs: the VLAN where you want to host the vulnerable machine, and the VLAN where Splunk (or another monitoring tool) is configured.
An alternative network config is available at the bottom, and can be used if you want to quickly set this up.
Topology
Host computer (with Splunk)
Windows is hosted on a macvlan interface, so it can talk to the rest of the computers on the vulnerable VLAN without restriction.
Macvlan requires a separate bridge interface for the container to 'talk' to the host machine.
Setup
First, set up the macvlan network on the VLAN sub-interface. Replace the IPs and the interface name with your own.
docker network create \
-d macvlan \
--subnet=10.7.7.0/24 \
--gateway=10.7.7.1 \
-o parent=enp3s0.20 \
windows_macvlan
Now, let's set up Docker Compose to get Windows running locally.
services:
  windows:
    image: dockurr/windows
    container_name: windows_vuln
    environment:
      VERSION: "7u"
    devices:
      - /dev/kvm
      - /dev/net/tun
    cap_add:
      - NET_ADMIN
    ports:
      - 8006:8006
      - 3388:3389
    volumes:
      - ./windows:/storage
    restart: always
    stop_grace_period: 2m
    networks:
      windows_macvlan:
        ipv4_address: 10.7.7.5
networks:
  windows_macvlan:
    external: true
The ports section is not needed, since the container gets its own address on the external macvlan network.
Now, create the macvlan bridge interface on the host so the host can reach the container.
sudo ip link add macvlan_host link enp3s0.20 type macvlan mode bridge
sudo ip addr add 10.7.7.254/24 dev macvlan_host
sudo ip link set macvlan_host up
Now, let's use iptables on the bridge interface so that only RDP from the host to the honeypot and Splunk forwarding on port 9997 are allowed; everything else on macvlan_host is dropped. Run the ACCEPT rules before the DROP rules so the DROPs stay at the end of the chains.
# Allow RDP (3389) from the host to the honeypot
sudo iptables -A OUTPUT -o macvlan_host -p tcp -d 10.7.7.5 --dport 3389 -j ACCEPT
sudo iptables -A INPUT -i macvlan_host -p tcp -s 10.7.7.5 --sport 3389 -j ACCEPT
# Allow Splunk forwarder traffic (9997) between the honeypot (10.7.7.5) and the indexer (10.7.7.4)
sudo iptables -I OUTPUT -o macvlan_host -s 10.7.7.5 -d 10.7.7.4 -p tcp --dport 9997 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -I INPUT -i macvlan_host -s 10.7.7.4 -d 10.7.7.5 -p tcp --sport 9997 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Drop everything else on macvlan_host
sudo iptables -A OUTPUT -o macvlan_host -j DROP
sudo iptables -A INPUT -i macvlan_host -j DROP
You will likely want to change some of these rules; if you do, it is very easy to break Docker and other important processes. Here is a script to reset everything you can break with bad iptables blocking rules.
# Stop Docker
sudo systemctl stop docker
# Remove Docker network state
sudo rm -rf /var/lib/docker/network
sudo rm -rf /var/run/docker
sudo rm -rf /var/run/docker.sock
# Delete the docker0 interface
sudo ip link delete docker0 2>/dev/null
# Optionally disable conflicting network services temporarily
sudo systemctl stop NetworkManager
sudo systemctl stop systemd-networkd
sudo systemctl stop firewalld
# Start Docker
sudo systemctl daemon-reexec
sudo systemctl start docker
# Check status
sudo systemctl status docker
docker run hello-world
sudo systemctl start NetworkManager
sudo systemctl start systemd-networkd
sudo systemctl start firewalld
I used this more than I should have.
Now, the only thing left to do is grab the memory of the Windows guest (the honeypot VM). Do that by connecting to the QEMU monitor inside the container:
docker exec -it windows_vuln nc localhost 7100
Then, enter:
dump-guest-memory windows.mem
Copy it to your host machine.
docker cp windows_vuln:/windows.mem ./windows.mem
This allows analysis with Volatility.
You can also mount the guest's disk image (data.img in the ./windows storage directory) read-only with the command below; create the winmnt directory first. The offset of 105906176 bytes (101 MiB) is where the main NTFS partition starts on a default Windows 7 disk, after the 1 MiB alignment gap and the 100 MB System Reserved partition; adjust it if your image has a different layout.
sudo mount -o loop,ro,offset=105906176 data.img winmnt
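Rather than hard-coding 105906176, the byte offset for the mount command can be read from the image's MBR partition table. The following script is an added example, not part of the original post; it parses the four primary MBR entries, reports each partition's byte offset, and picks the largest NTFS partition as the Windows volume. It assumes a 512-byte sector MBR image (GPT images need a different parser), and the sample MBR it builds is constructed to mimic a default Windows 7 layout rather than read from a real data.img.

```python
import struct
import sys

SECTOR = 512                   # logical sector size assumed for the image
PART_TABLE_OFFSET = 446        # start of the MBR partition table
ENTRY_FMT = "<BBBBBBBBII"      # boot flag, CHS start(3), type, CHS end(3), start LBA, sector count
NTFS_TYPE = 0x07               # partition type id used for NTFS

def mbr_partitions(image_head):
    """Parse the four primary entries from the first 512 bytes of a raw MBR disk image."""
    if len(image_head) < 512 or image_head[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR disk: missing 0x55AA signature")
    parts = []
    for i in range(4):
        fields = struct.unpack_from(ENTRY_FMT, image_head, PART_TABLE_OFFSET + i * 16)
        boot, ptype, start_lba, count = fields[0], fields[4], fields[8], fields[9]
        if ptype == 0 or count == 0:       # empty slot
            continue
        parts.append({"index": i, "type": ptype, "bootable": boot == 0x80,
                      "start_lba": start_lba, "sectors": count,
                      "byte_offset": start_lba * SECTOR, "size_bytes": count * SECTOR})
    return parts

def windows_volume_offset(image_head):
    """Byte offset of the largest NTFS partition, i.e. the Windows system volume."""
    ntfs = [p for p in mbr_partitions(image_head) if p["type"] == NTFS_TYPE]
    if not ntfs:
        raise ValueError("no NTFS partition found")
    return max(ntfs, key=lambda p: p["sectors"])["byte_offset"]

def build_sample_mbr():
    """Constructed MBR mimicking a default Windows 7 layout (hypothetical, not a real image)."""
    mbr = bytearray(512)
    def entry(boot, ptype, start, count):
        return struct.pack(ENTRY_FMT, boot, 0, 0, 0, ptype, 0, 0, 0, start, count)
    # System Reserved: 100 MiB at LBA 2048 (1 MiB); Windows volume: ~40 GiB at LBA 206848 (101 MiB)
    mbr[446:462] = entry(0x80, NTFS_TYPE, 2048, 204800)
    mbr[462:478] = entry(0x00, NTFS_TYPE, 206848, 83677184)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    # Usage: python3 mbr_offset.py ./windows/data.img  (falls back to the constructed sample)
    head = open(sys.argv[1], "rb").read(512) if len(sys.argv) > 1 else build_sample_mbr()
    for p in mbr_partitions(head):
        print("part %d type 0x%02x start_lba=%d size=%d MiB offset=%d" %
              (p["index"], p["type"], p["start_lba"], p["size_bytes"] // 2**20, p["byte_offset"]))
    print("sudo mount -o loop,ro,offset=%d data.img winmnt" % windows_volume_offset(head))
```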
Here is a simple inputs.conf for the Splunk forwarder on the Windows guest.
[WinEventLog://Security]
disabled = 0
index = sysmon
sourcetype = WinEventLog:Security
[WinEventLog://System]
disabled = 0
index = sysmon
sourcetype = WinEventLog:System
[WinEventLog://Application]
disabled = 0
index = sysmon
sourcetype = WinEventLog:Application
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
index = sys
sourcetype = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Alternative Networking
If that networking looked bad and confusing, that is because it sort of is. It's much easier to use a Docker bridge. Here is how I did that when I set this up again.
First, create a routing table for the Docker bridge. This ensures that everything from the bridge leaves on the correct VLAN:
echo "200 docker20" | sudo tee -a /etc/iproute2/rt_tables
sudo ip route add default via 10.7.7.1 dev enp3s0.20 table docker20
# Look up the container's address on the Docker bridge and use it in place of 172.19.0.2 below
docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' windows_vuln
sudo ip rule add from 172.19.0.2 table docker20
Mark the container's traffic so it is routed through that table instead of the source-based rule.
sudo ip rule del from 172.19.0.2 table docker20
sudo iptables -t mangle -A PREROUTING -s 172.19.0.2 -j MARK --set-mark 20
sudo ip rule add fwmark 20 table docker20 priority 100
sudo ip route del default via 10.7.7.1 dev enp3s0.20
Prevent NetworkManager from overriding that route.
sudo nmcli connection modify eth0.20 ipv4.never-default yes
sudo nmcli connection down eth0.20 && sudo nmcli connection up eth0.20
Block traffic from the container to the main VLAN.
sudo iptables -I FORWARD -s 172.19.0.2 -d 10.6.6.0/24 -j DROP
sudo iptables -I OUTPUT -s 172.19.0.2 -d 10.6.6.0/24 -j DROP
sudo iptables -I INPUT -s 172.19.0.2 -d 10.6.6.0/24 -j DROP
Finally, remove the external network from the Docker Compose file. This is much easier! But boring. Lesson from this: just use Proxmox or another VM manager for creating a honeypot; do not do what I did.