dimanche 28 mai 2017

Feedback on how build SMB Honeypot

Hey,

During the painful "Wannacry weekend" I've received a lot of message asking for help to create a SMB Honeypot.
I'll try here to explain how I've create mine.
It's 2017 but it looks like it's useful to remind that Honeypot are really useful.
I've read a lot of papers about Wannacry variants during the wannacry crisis, but I've never saw them in the wild. A lot of trolls has uploaded patched versions of the w0rm in Virustotal and has waited for the first paper about a new variante....

This post will not explain all the steps for building a Honeypot but it will try to give some tips and ideas.

Exposing port 445

So, we need to create a honeypot for monitoring SMB network and catching Wannacry in the more automatical way possible.
First of all let's try to expose port 445. In many countries, it's really complicated to expose SMB over the Internet \o/!

My first try was to install a Windows VM with a shared directory (Windows 7 x64 because it's a very used OS in corporations, and hey we're in 2017, people uses 64bits OSs), and configure NAT rules in my home router:
                                          
+--------+          +----------+          +----------+
|Internet|---445--->|homerouter|---445--->|Windows VM|
+--------+          +----------+          +----------+
I've obviously disable Windows Firewall and Windows Defender but when I've try to nmap the 445 port the port was always filtered:
Host is up.
PORT    STATE    SERVICE      VERSION
445/tcp filtered microsoft-ds
After some tests with Wireshark it apears that my home router allows incomming packets on port 445 but blocks outcomming packets.
I've reproduce this behaviour on French ISPs (SFR, Numericable, Orange), French hoster OVH, UK ISPs and some Digital Ocean VPSs
Due to this, we have to bypass this hard coded Firewall rules. It's realy easy, we just have to forward SMB packets to another port than 445. But for that we need 2 other machine. One for forwarding incomming SMB packets to another port and the other for forwarding outcomming packets:
+--------+         
|Internet|-445-+
+--------+     |  
               |
              +---+         +----------+
              |VPS|--5555-->|homerouter|
              +---+         +----------+
                                |
                                |       +---+        +----------+
                                +-5555->|Rpi|--445-->|Windows VM|
                                        +---+        +----------+
                             
You need a few iptables rules (sorry in advance, I'm not an iptables Jedi \o/).
In the exposed VPS:

iptables -t nat -A PREROUTING -p tcp --dport 445 -j DNAT --to-destination HOME_ROUTER_IP:5555
iptables -A FORWARD -p tcp --dport 445 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward


and for the RaspberryPi config:

iptables -t nat -A PREROUTING -p tcp --dport 5555 -j DNAT --to-destination WINDOWS_VM:445
iptables -A FORWARD -p tcp --dport 5555 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward


By this way, the 445 port of our Windows VM is ready to be pwned.
To accelerate the pwning rate, I use many cheap VPSs around the world (I've used DigitalOcean, 1&1, HostAfrika...)
+--------+         
|Internet|-445-+
+--------+     |  
               |
              +---+         
              |VPS|--5555---------+
              +---+               |
              +---+               |
              |VPS|--5555---------+
              +---+               |
              +---+               |
              |VPS|--5555---------+
              +---+               |
              +---+               |
              |VPS|--5555---------+     
              +---+               |
              +---+               |
              |VPS|--5555---------+
              +---+               |
              +---+               |
              |VPS|--5555---------+
              +---+               |
                                  |
                            +----------+
                            |homerouter|
                            +----------+
                                |
                                |       +---+        +----------+
                                +-5555->|Rpi|--445-->|Windows VM|
                                        +---+        +----------+                           
The big limit of this configuration is when the packet is into our Windows VM, the source IP is losted due to the iptables forwarding.
In my case I capture traffic on VPSs and retrieve pcaps via this trick (thanks to Kafeine :D)

Monitoring the endpoint

Because there is a lot of other malware than Wannacry it's important to monitor our Windows.
For that, you have a lot of tools available; ProcMon is a good candidate, it's easy to run it and collect pmon trace automatially with the command line, for example here, you can launch it and save a pml trace:
pmon.exe /AcceptEula /Backingfile C:\pmon.pml
To stop procmon, run it like:
pmon.exe /Terminate
There is a lot of solution for the behaviour part, you can use etw traces, Event viewer...
The hardest part is to collect files dropped into our Honeypot.
I think that the better way is to use Minifilter, you can intercept writed PE files and save them in a specific location. There is an almost ready to use example in the WDK.
You can also hook WriteFile API in userland but it's easily bypassable.

Just for fun you can even retrive writted files and a lot of cool information without developping tool, just with the very painfull powerfull debugger Windbg \o/.
The idea is to use Windbg as kernel debugger, break on each nt!ntWritefile, and save Buffer parameter :D.
But you can do more! Dumping lsass memory on each attack for example :) Oh, yes, forget about perf here :D it's for fun
You have 2 options: the native diabolic scripting language of Windbg or the awesome python interface pykd
Here I'll use pykd :)
Download VirtualKd and install it into the VM (copy the "target" directory and run vminstall)
Run vmmon before restarting the VM, on the next boot Windbg will pop.


Press f5 and let Windows boots. When Windows is ready, break into Windbg (ctrl+pause).
Now we can do everything we want. For example let's try to dump the memory of lsass (usefull for fileless attack :) ) By dumping lsass memory you can even easily extract the payload binary :).

For that, load pykd extension into Windbg via:
.load pykd
And create your python script as you want.
A dirty example here:
Finally, choose on wich action you want to break on Windbg, here we'll dump lsass each time it try to write a file:
bp nt!ntWriteFile "!py C:\smbhoneypot\dumper.py;g"
Here we go, you are abble to collect a memory dump of lsass eatch time it was exploited to drop someting!

From now you can extract just the buffer of ntWriteFile, you can break on the vulnerability itself and trace execution etc. Plug your brain and be creative !

It's quick to do, it's easy and it allow you to collect a lot of useful data.

Cleaning your honeypot

Another important point is to manipulate Virtual machine. For that you have a lot of tools availaible.
In my case, I use VMWare on Windows. VMWare has a useful tools called vmrun, with it you can power on ,power off,revert snapshot, retrieves files from VM (like a pmon trace), run command in VM, list files... etc
Some command line example:
create snapshot:
vmrun.exe-T ws snapshot c:\VMs\honeypot.vmx snapshot_name
revert snapshot:
vmrun.exe-T ws snapshot revertToSnapshot c:\VMs\honeypot.vmx snapshot_name
run program in guest:
vmrun.exe -gu windows_user -gp windows_pwd runProgramInGuest \
                              c:\VMs\honeypot.vmx -activeWindow \
                                 -interactive -noWait program.exe
get data from guest:
vmrun.exe -gu windows_user -gp windows_pwd copyFileFromGuestToHost \
                              c:\VMs\honeypot.vmx -activeWindow \
                                c:\guest\auto_run.txt c:\host\auto_run.txt
There is similare tools for every hypervizor.

PROFIT

Last point: don't forget store all the data. Store everything you can, even if you don't know yet what to do with these data.
Date, IPs source, memory dump, sample etc These data are gold mine.
You can found a lot of python lib for parsing pcap, you can export windbg output, you can graph your pmon traces with tools like ProcDot, forward your data in Kibana dashbords etc.

Conclusion

This kind of infrastructure cost me around 30€/months for VPSs + 30€ for a RaspberryPi so less than 500€ by year for having a look at what happening in the wild, Having data, making stats, start some investigation etc :)

This kind of project are awesome because you have to deals with network, system, a little bit a dev, databases etc. You can even use this kind of honeypot for learning forensic for example!
I strongly recommand to every people who want to learn malware hunting to build honeypots, on many services and on different countries.
Of course you cannot catch advanced attacks with honeypot, but you can catch interresting malware with RDP or VNC honeypots for example

Links

Some link that can help you:
Tracing API call in Python: Fibratus
Example of how deal with pcap in Python
memdump tools from CCT
File System Filter Driver Tutorial
WinDbg cheat sheet
Using vmrun to Control Virtual Machines
Make ETW Great Again. - Ruxcon 2016
HONEY ? Where is my POS - Botconf