Cygwin builds a honeypot instance


 
Author: demonalex [at] dark2s [dot] org
Source: demonalex.nease.net / tiantian community


 


Things have been going badly lately: all three of my servers are down, so I cannot play with a jail. I only wanted to compile a few socket programs, and after installing Cygwin I noticed by accident that its daemon support is quite usable and could serve as a honeypot. It is not as capable as a real jail, but it still gives some "jail-like" hints, and I believe it can satisfy friends who want to play with a jail on Windows NT...
My skill is limited and this is not well written; I hope you will point out the mistakes here. Thank you :)......

 

I always thought Cygwin was only used to compile programs under Windows and to provide a virtual shell environment. Recently I found that it can also provide some honeypot functions. Below are the lab notes I wrote; I believe there are some mistakes, and I hope you will point them out for me :).

 

Objective: on a single host, build a honeypot that is lightweight (uses few system resources), provides normal services, can be "sacrificed", and does not affect the stability of the local host OS or the later analysis.

 

Lab environment:
Hardware environment: CPU C900, 128 MB RAM, 40 GB hard disk
Software environment: host OS Windows 2000 Pro; guest OS CYGWIN_NT 5.0 i686

 

Install Cygwin on the local machine.
Cygwin installer: http://demonalex.nease.net/cygwin_setup.exe

 

The installation process (only the important steps are recorded below; the unimportant ones are left out... :P):

1) Since we do not have a Cygwin release on hand, choose "Install from Internet".
2) Choose the basic Cygwin options.
3) Choose the local directory where the downloaded release will be stored.
4) Choose direct download (PS: of course, if you use a proxy, you need to set it here).
5) Choose a mirror here (the mirror site in China did not have these items)... this step downloads the package list.
6) The list appears. Now pay attention, because this is the focus of the experiment: open the list for the "Net" category and find what we want, namely apache, nfs and proftpd (it is best to install inetd and xinetd too, so you can experiment with them later...). Selection works as follows: look at the "New" column. If it shows "Skip", the package is not selected for installation; click "Skip" to switch it. If it shows "Keep", the package is selected. Watch the version number when switching and try to pick a recent version (PS: actually, pick whatever you like :P).
7) Click "Next". The following steps are simple, mainly waiting through a long online installation... so I will not say more.

Configuration process:

First start Cygwin's default bash. Do you see the familiar shell interface? :P

Then decide which "honeypot service" to implement. Here we use Apache, which serves both the intruder and ordinary users. Edit httpd.conf:

    $ vi /etc/apache/httpd.conf

Change the keywords you need (DocumentRoot and so on); I will not go into detail. (PS: the configuration document can be found at http://fanqiang.chinaunix.net/a6/b1/index.html.) Save with :wq (I was lazy and only changed three or four settings... :P). Then:

    $ cd /usr/sbin
    $ apachectl start

Success... Check it with:

    $ netstat -an | grep "80"

Is it listening?

Aftercare/security issues:
1) "Honeypot service" crash: as in the example above, the httpd service runs under its parent process bash (the main Cygwin process), so you need not worry that an abnormal crash of the service or a deliberate attack on it (an overflow or a denial of service, for instance) will affect the host OS. Even if the other side overflows the httpd running under Cygwin, it only gets a shell under that parent process; even a root shell can only run within Cygwin's own physical path, which really is quite similar to a jail, and it has no effect on the underlying NT system. This is the prerequisite for building a single-host honeypot.

2) Account information leakage: the shell in Cygwin does depend on the host OS (here my NT system) in many places, for example the NIC interface and the account module. This may be its disadvantage, or it may be the reason it takes so few host OS resources. You may worry that the shared account module leaks account information. I checked briefly: there is no /etc/shadow file in bash, and /etc/passwd does not leak much, but it does still reveal the list of host OS account names, so I recommend deleting unnecessary account entries. As for the passwd command, I tested it together with su many times and could not make it work normally... (PS: maybe my level is limited :P). Can you feel reassured?!

3) Service log review: the honeypot's after-the-fact log review is very important; with it we can learn what the hackers actually wanted and what they did. If you did not change the log-related keywords in /etc/apache/httpd.conf, the logs are by default in /var/log/apache/, named access_log and error_log respectively. You only need cat (or add a pipe and grep, etc.) to get the information you want to know...

4) Other considerations: Cygwin is only a virtual shell, so it differs a little from a normal shell, and this may give the hacker some unnecessary hints.
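The log review in point 3, as an added example that is not part of the original article: the cat-and-grep idea turned into a few reusable shell functions over a constructed Apache access_log (the article's default path /var/log/apache/access_log is an assumption when run against a real honeypot). It counts hits per client, counts requests that did not succeed, and flags traversal-style paths that a honeypot typically collects.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes a POSIX shell with
# awk, grep, sort and uniq, which the Cygwin base install provides.
# On a real Cygwin honeypot the log would be /var/log/apache/access_log.

# Write a constructed sample log in Apache Common Log Format to "$1".
write_sample_log() {
  cat > "$1" <<'EOF'
192.0.2.10 - - [12/Mar/2003:10:01:02 +0800] "GET / HTTP/1.0" 200 1234
192.0.2.10 - - [12/Mar/2003:10:01:05 +0800] "GET /cgi-bin/../../etc/passwd HTTP/1.0" 404 210
198.51.100.7 - - [12/Mar/2003:10:02:11 +0800] "HEAD / HTTP/1.0" 200 0
192.0.2.10 - - [12/Mar/2003:10:02:40 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0" 404 210
203.0.113.5 - - [12/Mar/2003:10:03:00 +0800] "GET /index.html HTTP/1.0" 200 4321
EOF
}

# Requests per client address, most active first ("count address" lines).
hits_per_ip() {
  awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn
}

# Number of requests whose status (field 9 in CLF) is not 2xx.
count_errors() {
  awk '$9 !~ /^2/' "$1" | wc -l | tr -d ' '
}

# Number of requests whose path contains a traversal-style sequence
# ("../" or an encoded variant such as "..%").
traversal_attempts() {
  grep -c '\.\.[/%]' "$1"
}

# Stand-alone usage: summarise the constructed log.
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp); write_sample_log "$tmp"
  echo "hits per client:"; hits_per_ip "$tmp"
  echo "failed requests: $(count_errors "$tmp")"
  echo "traversal attempts: $(traversal_attempts "$tmp")"
  rm -f "$tmp"
fi
```

Run with `sh logreview.sh demo` for the sample, or point the functions at the real access_log once the honeypot has been online for a while.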
The above only covers the most commonly used service, Apache. In fact you can also use other services, or use inetd and xinetd to create other "honeypot services". One more point deserves attention. As I said, every daemon running under Cygwin's shell depends on the parent bash process, so if you close the bash process in the host OS, all services running under Cygwin are killed automatically. If you want to keep your "honeypot" online all the time, you had better not close that "cute" shell window.
