toolsmith: Artillery

Prerequisites
Linux or Windows system with a Python interpreter
Introduction
I was reminded of Dave Kennedy’s Artillery while attending and presenting at DerbyCon 4.0 in September given that Dave is a DerbyCon founder. Artillery has recently benefitted from a major update and formal development support as part of Dave’s Binary Defense Systems (BDS) company. The BDS blogannounced version 1.3 on November 11, which further prompted our discussion here. Artillery first surfaced for me as part of the ADHD project I covered during my C3CM discussion in October 2013’s toolsmith. While Dave’s investments in the security community have grown, Artillery was initially maintained by Dave’s TrustedSec organization then transitioned to BDS, given that group’s “defend, protect, secure” approach to managed security solutions. Artillery is an open source project created to provide early warning indicators for various attacks. Artillery was included in ADHD, the Active Defense Harbinger Distribution, because it spawns multiple ports on a system, a honeypot-like activity that creates “exposures” for attackers to go after. Dave described the fact that it also made blue teaming a bit easier for folks. Additional Artillery features include active file system change monitoring, detection of brute force attacks, and generation of other indicators of compromise. Artillery protects both Linux and Windows systems against attacks and can integrate with threat intelligence feeds allowing correlation and notification when an attacker IP address has previously been identified. Artillery supports multiple configurations, different versions of Linux, and can be deployed across multiple systems with centralized event collection. With a ton of support, and additions coming in from all over the world to make Artillery better, Dave mentioned that plans for Artillery include much better support for Windows, and expansion to allow a server/client model, moving away from purely standalone implementations. BSD’s plan is to continue significant development for Artillery while ensuring it maintains its open source origins allowing continued contribution back to the community Dave so readily embraces.
Laying In Artillery
Artillery installation is well documented on the Binary Defense Systems site and is remarkably straightforward. Note that I only installed and tested Artillery on a Linux system.
On the Linux system you wish to install Artillery, simply execute git clone https://github.com/trustedsec/artillery, change directory to the artillerydirectory just created, run sudo ./setup.py, then edit to the configfile to suit your preferences. I’ll walk you through my configuration as a reference.
1)      I created a directory called holisticinfosec, and added “/holisticinfosec/” to MONITOR_FOLDERS
2)      I enabled HONEYPOT_BAN=ON, you’ll want to consider your implementation before you do this or you may inadvertently block legitimate traffic. You could also use WHITELIST_IP to prevent this issue and allow specific hosts but, as good as they are, whitelists can quickly become arduous to maintain. Bans and IPS-like blocks suffer from ye olde false positive issues when left unchecked.
3)      I used Yahoo for my SMTP settings (USERNAME, PASSWORD, ADDRESS) and set ALERT_USER_EMAILto my holistincinfosec.org address for alert receipt. Caution here as well as you can quickly SPAM yourself or your Security Operations Center (SOC) monitored mail, and even cause an inbox DoS if your Artillery server(s) is busy. You can control frequency with EMAIL_TIMER and EMAIL_FREQUENCY, I suggest default settings initially (email alerts off) until you fine tune and optimize your Artillery implementation.
4)      Brute force attempts monitoring is cool and worthwhile, I enabled both SSH and FTP via SSH_BRUTE_MONITOR and FTP_BRUTE_MONITOR. Experiment with “attempts before you ban” as, again, you may not ban initially.
5)      The THREAT_INTELLIGENCE_FEED and THREAT_FEED allow you to consume the BDS Artillery Threat Intelligence Feed (ATIF). It’s represented as banlist.txt. You can pull from the BDS site or establish your own ATIF server for all you Artillery nodes to pull from. As with any blacklist, again, ensure that you want to block them all as there are more than 86,000 entries in this list. You can also add other lists if you wish as well.
6)      One of the most important settings are for your syslog preferences, you can log locally or write to a remote collector. This speaks to my defender’s sensibilities and we’ll discuss this further later as such.
The South Base Camp blog (@johnjakem) also has a nice writeup on Artillery nuances; it’s a quick read and worth your time.
Indirect Artillery Fire
I conducted basic tests of Artillery functionality with email alerts and banning enabled.
For the folder monitoring feature I wrote a file called test to the /holisticinfosec directory including the sentence “Monkey with me” and restarted Artillery. When I monkeyed with test by adding snarky commentary, I was alerted via email and a log entry in the local syslog file. Figure 1 is the email alert indicating the change to the test file.
Figure 1 – Artillery alert for change to test file
To blast the honeypot functionality, a nice Nmap scan sufficed with nmap -p 1-65535 -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 192.168.220.130.
The result was an alert flood stating that [!] Artillery has detected an attack from the IP Address: 192.168.220.131 with example content as seen in Figure 2.
Figure 2 – Blocked and banned! Artillery stops attack traffic cold
I used Bruter to try and pound the FTP and SSH services but because the Artillery configuration was set to only four attempts before banning, my dictionary attacks were almost immediately kicked to the curb. Darn you, Artillery! For this experiment I enabled SYSLOG_TYPE=FILE in my Artillery configuration, which writes event to /var/artillery/logs/alerts.log instead of syslog.
Remember, if you find yourself unable to connect to your Artillery server on a specific port or aren’t writing test events, check your configuration file as you may have banned yourself. I did so more than once. Instantly solve this problem as follows: sudo ./remove_ban.py 192.168.220.1 where the IP address is that which you want to free from the bonds of iptables purgatory.
Direct Artillery Fire
Artillery represents a golden opportunity to harken back to my C3CM guidance, particularly Part 2, wherein I discussed use of the ELK stack, or Elasticsearch, Logstash, and Kibana. You can quickly set up the ELK stack up using numerous guides found via search engine and customize it for Artillery analysis.
Rather than repeat what I’ve already documented, I took a slightly different tack and utilized my trusty and beloved Security Onion VM. Doug Burks’ (@dougburks) Security Onion includes ELSA (enterprise log search and analysis) which is a “centralized syslogframework built on Syslog-NG, MySQL, and Sphinx full-text search.” I could and should do a toolsmith on ELSA alone, but it’s so well documented by project developers and Doug, you’d do well just to read their content. To make use of ELSA I needed only point Artillery syslog to my Security Onion server by changing the /var/artillery/config file as follows:
1)      Changed SYSLOG_TYPE=LOCAL to SYSLOG_TYPE=REMOTE
2)      Set the IP address for my Security Onion server with SYSLOG_REMOTE_HOST=”192.168.220.131″
3)      Restarted Artillery from /var/artillerywith sudo ./restart_server.py
“That’s it?” you ask. Indeed. I logged into ELSA on my SO server after hammering the Artillery node with varied malfeasance, queried with host=192.168.220.130, you can see the results in Figure 3.
Figure 3 –Artillery events written to a remote Security Onion ELSA instance
ELSA provides you with a number of query options and filters so even if you have multiple Artillery servers you can zoom in on specific instances, dates, or attack types. A query such as host=192.168.220.130 groupby:program led me to program=”unknown” which, in turn, alerted me that I ended up being banned from Yahoo for spamming my account with alerts as seen in Figure 4.
Figure 4 – Artillery alerts me that I am a spammer
It’s always good to check your logs from a variety of perspectives. 🙂
I intend to write some additional scripts for Artillery analysis and parsing, and devise additional means for incorporating threat intelligence to and from my Artillery instance. Let me know via the blog comment or Twitter how you’ve done the same.
In Conclusion
Artillery, on many levels, is the epitome of simplicity, which is part of why I love it. If you possess even the slightest modicum of Python understanding, the Artillery source files should make complete sense to you. Properly tuned, I can’t really think of a reason not to run Artillery on Linux servers for sure, and maybe Windows boxes where you have Python installed. Just remember to practice safe banning, you don’t want to drop production traffic. I’m really glad Dave’s Binary Defense Systems interest has taken over care and feeding for Artillery and can’t wait to see what’s next for this fine little defender’s delight.
It’s that time of year again! Be ready to vote for your favorite tool of 2014, I’ll soon post the survey to my website or blog and Tweet it out by mid-December. We’ll conclude voting by January 15, 2015 and announce a winner soon thereafter. Please vote and tell your friends and coworkers to do the same.
Ping me via email or Twitter if you have questions (russ at holisticinfosec dot org or @holisticinfosec).
Cheers…until next month.
Acknowledgements

Dave Kennedy (@HackingDave), TrustedSec, Binary Defense Systems, and DerbyCon

Continue reading toolsmith: Artillery

toolsmith: HoneyDrive – Honeypots in a Box

Prerequisites
Virtualization platform
Introduction
Late in July, Ioannis Koniaris of BruteForce Lab (Greece) released HoneyDrive 3, the Royal Jelly edition. When Team Cymru’s Steve Santorelli sent out news of same to the Dragon News Bytes list the little light bulb went off in my head. As I prepared to write our ninety-sixth toolsmith for October’s edition I realized I had not once covered any honeypot technology as the primary subject matter for the monthly column. Time to rectify that shortcoming, and thanks to Ioannis (and Steve for the ping on DNB radar screen) we have the perfect muse in HoneyDrive 3.
From HoneyDrive 3’s own description, it’s a honeypot Linux distro released as a virtual appliance (OVA) running Xubuntu Desktop 12.04.4 LTS edition which includes over 10 pre-installed and pre-configured honeypot software packages. These includes the Kippo SSH honeypot, Dionaea and Amun malware honeypots, the Honeyd low-interaction honeypot, Glastopf web honeypot and Wordpot, Conpot SCADA/ICS honeypot, as well as Thug and PhoneyC honeyclients and more. It also includes many useful pre-configured scripts and utilities to analyze, visualize and process the data it captures, such as Kippo-Graph, Honeyd-Viz, DionaeaFR, an ELK stack and much more. Finally, nearly 90 well-known malware analysis, forensics and network monitoring related tools are included with HoneyDrive 3   .
Ioannis let me know he started HoneyDrive mostly out of frustration arising from the difficulty of installing and configuring some of the well-known honeypot systems. At first, he created scripts of his own to automate their installation and deployment but then decided to put them all in a nice package for two reasons:
1.       For newcomers to be able to quickly deploy and try out various honeypot systems,
2.       To connect the honeypot software with all the existing projects built on top of them.
As an example Ioannis developed Kippo-Graph, Honeyd-Viz and various other tools while HoneyDrive makes the integration between the backend (honeypots) and frontend (tools) seamless. Ioannis has strong evidence that HoneyDrive and some of the specific tools he’s created are very popular based on the interactions he’s had online and in-person with various researchers. HoneyDrive is used in many universities, technical research centers, government CERTs, and security companies. Ioannis believes honeypots are more relevant than ever given the current state of global Internet attacks and he hopes HoneyDrive facilitates their deployment. His roadmap includes creating visualization tools for honeypot systems that currently don’t have any visualization features, and attempt to develop a way to automatically setup HoneyDrive sensors in a distributed fashion.
This is a great effort, and it really does not only simplify setup and getting underway, but the visual feedback is rich. It’s like having a full honeypot monitoring console and very easy to imagine HoneyDrive views on big monitors in security operations centers (SOC). Ready to give it a try?
HoneyDrive Prep
Download the HoneyDrive OVA via SourceForge. This is a fully configured 4GB open virtual appliance that you can import into your preferred virtualization platform. I did so on VMWare Workstation 10, which complained a bit initially but gave me the option to bypass its whining and proceed unfettered. There’s a good convert-to-VMWare doc if you need it but I conducted a direct import successfully. Royal Jelly has run like a champ since. If you’re exposing the virtual machine in order to catch some dirty little flies in your honey traps keep in mind that your virtual network settings matter here. Best to bridge the VM directly to the network on which you’re exposing your enticing offerings, NAT won’t work so well, obviously. Apply all the precautions associated with hosting virtual machines that are likely to be hammered. Depending on where you deploy HoneyDrive and the specific honeypots you plan to utilize, recognize that it will be hammered, particularly if Internet facing. Worn out, rode hard and put away wet, flogged…hammered. Feel me? The beauty is that HoneyDrive does such a fabulous job allowing for performance monitoring, you’ll be able to keep an eye on it. With virtualization you can always flush it and restart from your snapshot, just remember to ship off your logs or databases so you don’t lose valuable data you may have been collecting. Let’s play.
I Am Honeydripper, Hear Me Buzz
There is SO much fun to be had here, where to begin? Rhetorical…we begin with carefully reading the comprehensive README.txt file conveniently found on the HoneyDrive desktop. This README describes all available honeypots and their configurations. You’ll also find reference to the front-end visualization offerings such as Ioannis’ Kippo-Graph. Perfect place to get started, Kippo is a favorite.
Kippo
Kippo, like all its counterparts found on HoneyDrive, is available as a standalone offering, but is ready in an instant on HoneyDrive. From a Terminator console, cd /honeydrive/kippo followed by ./start.sh. You should receive Starting kippo in the background…Loading dblog engine: mysql. You’re good to go. If you need to stop Kippo it’s as easy as…wait for it,./stop.sh. From a remote system attempt an SSH connection to your HoneyDrive IP address and you should meet with success. I quickly fired up my Kali VM and pounded the SSH “service” the same way any ol’ script kiddie would: with a loud bruteforcer. My favorite it is Patator using the SSH module and the little John dictionary file from fuzzdb as seen in Figure 1.
Figure 1: Bruteforcing Kippo’s SSH service with Patator
As you can see my very first hit was successful using that particular dictionary. Any knucklehead with 123456 in their password lists would think they’d hit pay dirt and immediately proceed to interact. Here’s where Kippo-Graph really shines. Kippo-Graph includes visual representations of all Kippo activity including Top 10s for passwords, usernames, combos used, and SSH clients, as well as success ratios, successes per day/week, connections per IP, successful logins from same IP, and probes per day/week. Way too many pretty graphs to print them all here, but Kippo-Graph even includes a graph gallery as seen in Figure 2.
Figure 2: Kippo-Graph’s Graph Gallery shines
But wait, there’s more. I mentioned that a bruteforce scanner who believes they are successful will definitely attempt to login and interact with what they believe is a victim system. Can we track that behavior as well? Yah, you betcha. Check out Kippo-Input, you’ll see all commands passed by attackers caught in the honeypot. Kippo-Playlog will actually playback the attacker’s efforts as video and offering DIG and location details on the related attacker IP. Figure 3 represents Kippo-Input results.
Figure 3: Kippo-Input provides the attacker’s commands
Many of these graphs and visualizations also offer CSV output; if you wish to review data in Excel or R it’s extremely useful. HoneyDrive’s Kippo implementation also allows you to store and review results via the ELK (Elasticsearch, Logstash, Kibana) stack, using Kippo2ElasticSearch, that we first introduced in our toolsmith C3CMdiscussions.
Of course, Kippo is not the only honeypot offering on HoneyDrive 3, let’s explore further.
Dionaea
Per the Honeynet Project site, “Dionaea is a low-interaction honeypot that captures attack payloads and malware. Dionaea is meant to be a nepenthes successor, embedding python as scripting language, using libemu to detect shellcodes, supporting ipv6 and tls.”
HoneyDrive includes the DionaeaFR script which provides a web UI for all the mayhem Dionaea will collect.
To start Dionaea, first cd /honeydrive/dionaea-vagrant then run ./runDionaea.sh. Follow this with the following to start DionaeaFR:
cd /honeydrive/DionaeaFR/
python manage.collectstatic
python manage.py runserver 0.0.0.0:8000
Point your browser to http://[your HoneyDrive server]:8000 and you’ll be presented a lovely UI Dionaea.
Even just an NMAP scan will collect results in DionaeaFR but you can also follow Emil Tan’s guidance for testing Dionaea with Metasploit to emulate malware behavior. Figure 4 is a snapshot of the DionaeaFR dashboard.
Figure 4: DionaeaFR dashboard
You can see connection indicators from my NMAP scan as well as SMB and SIP exploits attempts as described in Emil’s Edgis Security blog post.
Wordpot

Wordpot is a WordPress honeypot. No one ever attacks WordPress, right? Want to see how badly WordPress is attacked en masse when exposed to the Internet? Do this:
sudo service apache2 stop (WordPot and Apache will fight for port 80, suggest moving Apache to a different port anyway)
cd /honeydrive/wordpot
sudo python wordpot.py
You’ll find the logs in /honeydrive/Wordpot/logs. My logs, as represented along with my fake WordPress site in Figure 5, are the result of a Burp Suite scan I ran against it. If you expose WordPot to the evil intarwebs, your logs will look ridiculously polluted by comparison.
[Insert wordpot.png]
Figure 5: WordPot site and WordPot logs
A number of HoneyDrive offerings write to SQLite databases. Lucky for you, HoneyDrive includes phpLiteAdmin, a web-based SQLite database admin tool (like phpMyAdmin). Note that is configured to accept traffic only from localhost by default.
In Conclusion
This is such a great distribution, I’m thrilled Ioannis’ HoneyDrive is getting the use and attention it deserves. If you haven’t experimented or deployed honeypots before you quite literally have no excuse at this point.  As always, practice safe honeypotting, no need to actuallysuffer a compromise. Honeypots need to be closely monitored, but that’s exactly what makes HoneyDrive so compelling, great visualization, great logging, and great database management. HoneyDrive is certainly a front runner for toolsmith tool of the year, but that, as always, is up to you, my good reader. Download HoneyDrive ASAP and send me feedback.
Ping me via email if you have questions (russ at holisticinfosec dot org).
Cheers…until next month.
Acknowledgements
Ioannis Koniaris, project lead and developer

Continue reading toolsmith: HoneyDrive – Honeypots in a Box