Conpot is an ICS (Industrial Control System) honeypot designed to collect the attack methods and motivations of adversaries targeting industrial control systems. This article mainly explains the configuration options related to customizing Conpot. (See the original in English: https://github.com/mushorg/conpot/blob/master/docs/source/usage/usage.rst)
Conpot ships with a default configuration file that emulates a Siemens S7-200 PLC with basic expansion modules installed. The attack surface of this default emulation includes Modbus, HTTP, SNMP and S7comm. To avoid confusion: most of the Conpot configuration lives in a single XML file, and the remainder is stored in separate subfolders under the templates folder.
Modbus
The <device_info /> section of the configuration file lets the user define information about the device that is returned by function calls. The <slave /> section lets the user define each slave device; inside its <blocks /> section, binary output blocks (COILS) and binary input blocks (DISCRETE_INPUTS) need only a starting address and a size. ANALOG_INPUTS data is stored in bytes.
<block name="a">
    <!-- COILS/DISCRETE_OUTPUTS aka. binary output, power on/power off
         Here we map Modbus addresses 1 to 127 to S7-200 PLC addresses Q0.0 to Q15.7 -->
    <type>COILS</type>
    <starting_address>1</starting_address>
    <size>128</size>
    <values>
        <value>
            <address>1</address>
            <!-- will be parsed with eval() -->
            <content>[random.randint(0,1) for b in range(0,128)]</content>
        </value>
    </values>
</block>
As shown in the snippet above, the <values /> section lets the user set a start address and a content expression; because the content is evaluated with eval(), the user can set it to random values. Holding registers (HOLDING_REGISTERS) can be thought of as temporary data storage; they are likewise defined by a starting address and a size, and do not need to be assigned initial values.
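The following added example (not code from the page or from Conpot itself) loads block definitions of the kind shown above, expands each <content> expression into the block's initial data, and checks that blocks of the same type do not overlap. The page says Conpot hands the content to eval(); this example (an assumption, not Conpot's behaviour) evaluates it with builtins removed and only a short allow-list of names, so a template cannot reach import or file functions through that expression. The <slave> wrapper and the second block are constructed for illustration.

```python
import random
import xml.etree.ElementTree as ET

# Constructed sample: the <block> shown above plus a holding-register block
# without initial values (assumption: mirrors the template layout).
SAMPLE_SLAVE = """
<slave id="1">
  <blocks>
    <block name="a">
      <type>COILS</type>
      <starting_address>1</starting_address>
      <size>128</size>
      <values>
        <value>
          <address>1</address>
          <content>[random.randint(0,1) for b in range(0,128)]</content>
        </value>
      </values>
    </block>
    <block name="b">
      <type>HOLDING_REGISTERS</type>
      <starting_address>40001</starting_address>
      <size>8</size>
    </block>
  </blocks>
</slave>
"""

# Names a <content> expression may use. They go into the globals dict because
# list comprehensions resolve free names there, not in eval()'s locals.
SAFE_NAMES = {"random": random, "range": range, "len": len}


def evaluate_content(expr: str):
    """Evaluate a <content> expression with no builtins and only SAFE_NAMES.
    This blocks the obvious cases (open, __import__); it is not a full sandbox,
    so templates should still come only from trusted sources."""
    return eval(expr, {"__builtins__": {}, **SAFE_NAMES})


def content_rejected(expr: str) -> bool:
    """True when the restricted evaluator refuses the expression."""
    try:
        evaluate_content(expr)
    except NameError:
        return True
    return False


def load_blocks(xml_text: str) -> dict:
    """{block_name: {"type", "start", "size", "data"}}; data holds the initial
    values, None where the template provides none."""
    blocks = {}
    for block in ET.fromstring(xml_text).iter("block"):
        start = int(block.findtext("starting_address"))
        size = int(block.findtext("size"))
        data = [None] * size
        for value in block.iter("value"):
            addr = int(value.findtext("address"))
            content = evaluate_content(value.findtext("content").strip())
            if not isinstance(content, list):
                content = [content]
            offset = addr - start
            if offset < 0 or offset + len(content) > size:
                raise ValueError(f"{block.get('name')}: values at {addr} exceed the block")
            data[offset:offset + len(content)] = content
        blocks[block.get("name")] = {"type": block.findtext("type"),
                                     "start": start, "size": size, "data": data}
    return blocks


def overlapping_blocks(blocks: dict) -> list:
    """Pairs of block names of the same type whose address ranges overlap
    (Modbus keeps each type in its own address space, so only same-type pairs count)."""
    found, items = [], sorted(blocks.items())
    for i, (n1, b1) in enumerate(items):
        for n2, b2 in items[i + 1:]:
            if b1["type"] != b2["type"]:
                continue
            if b1["start"] < b2["start"] + b2["size"] and b2["start"] < b1["start"] + b1["size"]:
                found.append((n1, n2))
    return found


if __name__ == "__main__":
    loaded = load_blocks(SAMPLE_SLAVE)
    print({name: (b["type"], b["size"]) for name, b in loaded.items()})
    print("overlaps:", overlapping_blocks(loaded))
```

The overlap check matters because two same-type blocks covering the same addresses would make the emulated PLC answer the same register read inconsistently, which is exactly the kind of artefact that gives a honeypot away.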
SNMP
In the <snmp /> section of the configuration file, a <symbol> element with a name attribute defines an entry of a management information base (MIB).
<symbol name="sysDescr">
    <value>Siemens, SIMATIC, S7-200</value>
</symbol>
The process for including a MIB in Conpot is as follows (taking ifNumber from IF-MIB as the example):
1. Download IF-MIB and IANAifType-MIB (a dependency of IF-MIB);
wget http://www.iana.org/assignments/ianaiftype-mib/ianaiftype-mib
wget ftp://ftp.cisco.com/pub/mibs/v2/IF-MIB.my
2. Conpot compiles the MIB files automatically, but the '-a' parameter must be used to specify the folder in which the MIB files are stored;
sudo conpot -t my_custom_template.xml -a /opt/mymibs
3. Add the user-defined SNMP entry for the MIB to the configuration template:
<mib name="IF-MIB">
    <symbol name="ifNumber">
        <value>2</value>
    </symbol>
</mib>
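The three steps above leave one easy mistake: a MIB is referenced in the template but its file, or a file it depends on, is not in the folder passed with '-a'. The following added example (not code from the page or from Conpot) reads the <mib>/<symbol> entries from a constructed <snmp> section and lists the MIB names for which no file is present. The dependency table only contains the relation named on the page (IF-MIB needs IANAifType-MIB), and the file-name matching rule (name without extension, compared case-insensitively) is an assumption of this example.

```python
import os
import xml.etree.ElementTree as ET

# Constructed <snmp> section: the sysDescr symbol shown earlier plus the
# IF-MIB/ifNumber entry produced by the steps above (assumption: the <mibs>
# wrapper mirrors the template layout; this is not Conpot's shipped template).
SAMPLE_SNMP = """
<snmp>
  <mibs>
    <mib name="SNMPv2-MIB">
      <symbol name="sysDescr"><value>Siemens, SIMATIC, S7-200</value></symbol>
    </mib>
    <mib name="IF-MIB">
      <symbol name="ifNumber"><value>2</value></symbol>
    </mib>
  </mibs>
</snmp>
"""

# Dependencies known from the page; extend this table for other MIBs.
MIB_DEPENDENCIES = {"IF-MIB": ["IANAifType-MIB"]}


def snmp_symbols(xml_text: str) -> dict:
    """{(mib_name, symbol_name): value} for every symbol the template overrides."""
    out = {}
    for mib in ET.fromstring(xml_text).iter("mib"):
        for sym in mib.findall("symbol"):
            out[(mib.get("name"), sym.get("name"))] = (sym.findtext("value") or "").strip()
    return out


def required_mibs(xml_text: str) -> list:
    """Sorted MIB names the template needs: those it overrides plus their
    listed dependencies."""
    names = {mib for mib, _ in snmp_symbols(xml_text)}
    for name in list(names):
        names.update(MIB_DEPENDENCIES.get(name, []))
    return sorted(names)


def missing_mibs(xml_text: str, mib_dir_files) -> list:
    """MIB names with no matching file among mib_dir_files (the listing of the
    folder given to conpot -a). Assumption: a file matches when its name minus
    extension equals the MIB name, ignoring case (IF-MIB.my, ianaiftype-mib)."""
    stems = {os.path.splitext(f)[0].lower() for f in mib_dir_files}
    return [m for m in required_mibs(xml_text) if m.lower() not in stems]


if __name__ == "__main__":
    import sys
    # Usage: python check_mibs.py /opt/mymibs  (directory is an assumption)
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    print("missing:", missing_mibs(SAMPLE_SNMP, os.listdir(folder)))
```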
HTTP
In the <http> section of the configuration file, users can configure the features of Conpot's web server and, through the corresponding headers and behaviour settings, control the access characteristics of each page and resource. You can also control how and when error codes and error pages are sent.
Global HTTP configuration:
<global>
    <config>
        <!-- what protocol shall we use by default? -->
        <entity name="protocol_version">HTTP/1.1</entity>
        <!-- if we find any date header to be delivered, should we update it to a real value? -->
        <entity name="update_header_date">true</entity>
        <!-- should we disable the HTTP HEAD method? -->
        <entity name="disable_method_head">false</entity>
        <!-- should we disable the HTTP TRACE method? -->
        <entity name="disable_method_trace">false</entity>
        <!-- should we disable the HTTP OPTIONS method? -->
        <entity name="disable_method_options">false</entity>
        <!-- TARPIT: how much latency should we introduce to all responses by default? -->
        <entity name="tarpit">0</entity>
    </config>

    <!-- these headers are sent with each response -->
    <headers>
        <!-- this date header will be updated, if enabled above -->
        <entity name="Date">Sat, Apr 1984 07:30:00 GMT</entity>
    </headers>
</global>
As shown above, the role of each XML configuration entry can be understood from its comment:
- disable_method_*: disables the HTTP method named in the entry;
- headers: the global headers are sent with every page; a page can override them by defining headers of the same name;
- tarpit: limits the speed at which a page is delivered, to simulate slower devices; the value is given in seconds, with milliseconds as the fractional part;
Aliases add flexibility to the configuration. With an alias, the user can point a node at another, already configured resource, so that Conpot responds for it without all configuration items having to be redefined.
<node name="/index.htm">
    <!-- this node will inherit the payload from the referenced alias node without telling the browser -->
    <alias>/index.html</alias>
</node>
With the configuration above, HTTP requests for '/index.htm' are answered with the content defined for '/index.html' by way of the alias. The browser does not notice this internal translation, because it is done entirely inside Conpot. Note that only a single level of aliasing is processed.
Dynamic pages are usually delivered with chunked transfer encoding; the <chunks> directive enables chunked transfer encoding and sends a large data stream in several parts. The configuration below splits a page into 4 chunks of 130, 15, 30 and 110 bytes respectively. If the total size of the configured chunks is less than the number of bytes to be transferred, Conpot automatically appends a chunk containing all the missing data at the end to complete the request. The chunks are sent sequentially, without any tarpit delay during transmission.
<node name="/some_chunked_file.html">
    <chunks>130,15,30,110</chunks>
</node>
As shown in the configuration below, requests for the configured page are redirected to another web server. Conpot acts like a reverse proxy: it sends the request to that web server and returns the response page to the requesting client on behalf of the server that actually generated it, so the web browser does not notice anything unusual.
<node name="/redirected-page">
    <!-- this page is redirected to another web server -->
    <proxy>10.0.0.100</proxy>
</node>
This proxy feature can also be applied to status codes. For example, if proxy redirection is applied to status code 404, all requests that Conpot itself cannot handle are silently forwarded to another system, which can be a real high-interaction device. If only the 404 status code is configured, all such requests are forwarded to the other web server. Conpot then acts like a terminating honeywall in front of a higher-interaction HTTP system.
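The following added example (not code from the page or from Conpot) models the HTTP node behaviour described in this section: global headers merged with per-node headers of the same name, a single level of alias resolution, chunk splitting with an appended remainder chunk, and proxy selection per node or per status code. The <htdocs> and <statuscodes> wrappers, the page bodies and the decision to treat a second alias level as unresolved are assumptions made for this illustration, not documented Conpot behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed <http> section modelled on the fragments in this section.
SAMPLE_HTTP = """
<http>
  <global>
    <config><entity name="tarpit">0</entity></config>
    <headers>
      <entity name="Date">Mon, 01 Jan 2001 00:00:00 GMT</entity>
      <entity name="Server">Constructed/1.0</entity>
    </headers>
  </global>
  <htdocs>
    <node name="/index.html">
      <headers><entity name="Server">Overridden/2.0</entity></headers>
    </node>
    <node name="/index.htm"><alias>/index.html</alias></node>
    <node name="/old.htm"><alias>/index.htm</alias></node>
    <node name="/some_chunked_file.html"><chunks>130,15,30,110</chunks></node>
    <node name="/redirected-page"><proxy>10.0.0.100</proxy></node>
  </htdocs>
  <statuscodes>
    <status name="404"><proxy>10.0.0.100</proxy></status>
  </statuscodes>
</http>
"""

# Constructed page bodies standing in for files on disk.
PAGES = {
    "/index.html": b"<html><body>S7-200 status page</body></html>",
    "/some_chunked_file.html": b"x" * 300,
}


def entities(parent):
    """<entity name="k">v</entity> children as a dict; empty when parent is None."""
    if parent is None:
        return {}
    return {e.get("name"): (e.text or "").strip() for e in parent.findall("entity")}


def parse_http(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    return {"config": entities(root.find("global/config")),
            "headers": entities(root.find("global/headers")),
            "nodes": {n.get("name"): n for n in root.findall("htdocs/node")},
            "status": {s.get("name"): s for s in root.findall("statuscodes/status")}}


def resolve_node(cfg: dict, path: str):
    """Follow at most one <alias>, since the text says only one level is processed.
    Returns (served_path, node) or (None, None) when the request is unresolved."""
    node = cfg["nodes"].get(path)
    if node is None:
        return None, None
    alias = node.findtext("alias")
    if alias is None:
        return path, node
    target = cfg["nodes"].get(alias.strip())
    if target is None or target.find("alias") is not None:
        return None, None  # missing target, or a second alias level: not followed
    return alias.strip(), target


def chunk_body(body: bytes, sizes: list) -> list:
    """Split body into the configured chunk sizes; whatever is left after the
    last configured chunk becomes one final chunk, as described above."""
    chunks, pos = [], 0
    for n in sizes:
        if pos >= len(body):
            break
        chunks.append(body[pos:pos + n])
        pos += n
    if pos < len(body):
        chunks.append(body[pos:])
    return chunks


def handle_request(cfg: dict, path: str) -> dict:
    """Decide how a request is answered: proxied, served (possibly chunked), or 404."""
    served, node = resolve_node(cfg, path)
    if node is None:
        status = cfg["status"].get("404")
        proxy = status.findtext("proxy") if status is not None else None
        return {"status": 404, "proxy": proxy.strip() if proxy else None,
                "headers": dict(cfg["headers"]), "chunks": []}
    proxy = node.findtext("proxy")
    if proxy:
        return {"status": 200, "proxy": proxy.strip(), "headers": dict(cfg["headers"]), "chunks": []}
    headers = dict(cfg["headers"])
    headers.update(entities(node.find("headers")))  # node headers override global ones
    body = PAGES.get(served, b"")
    chunks_text = node.findtext("chunks")
    chunks = chunk_body(body, [int(s) for s in chunks_text.split(",")]) if chunks_text else [body]
    return {"status": 200, "proxy": None, "headers": headers, "chunks": chunks}


if __name__ == "__main__":
    cfg = parse_http(SAMPLE_HTTP)
    for p in ("/index.htm", "/old.htm", "/some_chunked_file.html", "/redirected-page", "/nope"):
        r = handle_request(cfg, p)
        print(p, r["status"], r["proxy"], [len(c) for c in r["chunks"]])
```

Running the block shows the two detection-relevant edges a honeypot operator should verify in a deployed template: the 404 proxy turns every unknown path into a forwarded request (including '/old.htm', whose alias chain is too deep), and the chunk list 130,15,30,110 against a 300-byte body yields a fifth, 15-byte chunk.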