Sunday, June 10, 2012

Make Dionaea stealthier for fun and no profit

I'm in my "honeypot playing period" and I've tried to scan my Dionaea with Nmap which detect of course lots of port listening but more annoying, last versions of Nmap are able to see that some services are provided by Dionaea ...

So if you want your Honeypot to be stealthier you can apply some tricks. Before to modify Dionaea services behavior, you have to know how Nmap services fingerprint feature works (I will only speak about Nmap, because that's the most used ports scanner, it's up to you to try with others).

In order to be able to discover the name and version of a service, Nmap use Perl Compatible Regular Expressions. All these regexp are stored in /usr/share/nmap/nmap-service-probes (path can change according to OS). If you want to understand nmap-service-probes file's syntax, I recommend you to read this. Below, some probes extracted from this file :

So if we want to hide our Dionaea honeypot from Nmap users, we have to modify Dionaea behavior to unmatch Nmap probes. First, list all Dionaea probes of this file :

[steeve@omega ~]$ cat /usr/share/nmap/nmap-service-probes | grep Dionaea

We can see that Nmap is able to detect "only" 4 services offered by Dionaea : FTP, HTTP, MSSQL and SMB. I will show you how we can deceive Nmap by modifying few files in Dionaea. I won't show you how to tweak MSSQL service because I haven't make deeper and this service looks a bit more complicated ... (If you have a solution, you can send me a mail or share in comments :-) 

First, if we look at the FTP probe, we can see that Nmap only checks the connection banner. So we just have to change it, and Nmap will be lost in its attempt to retrieve service name and version. For sure we can put any banner, but the best thing to do (in my opinion) is to try to act like a real FTP server. Shodan is a great tool to help us to know how to simulate FTP servers, check this link. I have choose to use MS FTP banner : "Microsoft FTP Service".

So we have to edit the Ftp python file located in : /opt/dionaea/lib/dionaea/python/dionaea/ Now you just have to replace "Welcome to the ftp service" by the banner of your choice :

If we check HTTP Nmap probe, we can see that's a static one, no regexp used. This probe is based on HTTP headers and HTML source code. There is at least two simple solutions. We can see that HTTP service lists the directory content, so first we can decide to simply put a file in /opt/dionaea/var/dionaea/wwwroot directory, and HTML source code will be different and won't check probe anymore. The second solution is to modify the HTML code sent by Dionaea in /opt/dionaea/lib/dionaea/python/dionaea/ For example, in list_directory(), we can change DTD, title page ...

SMB probe provided by Nmap is based on the value of two fields of the SMB Negotiate Protocol Response : "OemDomainName" and "ServerName". Nmap expects to receive respectively "WORKGROUP" and "HOMEUSER-XXXXXX" where X represent random data. It seems quite easy to mislead Nmap on SMB service too. We just have to modify those values in  SMB_Negociate_Protocol_Response class of file /opt/dionaea/lib/dionaea/python/dionaea/smb/include/ Let's try with "HINMAP" and "TRYHARDER".

You can see results of our tricks just below. Sure, that's not perfect but it's better than nothing ;-)

In this blog post, I've shown you how to use Nmap probes to "protect" your honeypot, but you can do the opposite adding new probes to get a more powerfull Nmap. In addition, it will be interesting to modify MSSQL behavior and SSL certificates to obtain a no verbose honeypot (look at the first scan for SSL certificates details).

FYI : Markus, Dionaea's creator, won't fix Dionaea regarding to Nmap (or other scanners) possible detection. It's a cat-and-mouse game that he can't win because some protocols are tricky to implement and modify whereas Nmap probes are very easy to add. You can read this mail on Nepenthes mailing list.