First, I copied an introduction (without translating it).
Capture-HPC (https://projects.honeynet.org/capture-hpc) is a client-side honeypot, heavily based on the functionality of VMware.
A client software is installed on a virtual VMware guest system (Windows XP), and a server-side part of the software contacts the client using a VMware proprietary protocol and instructs it to open a URL that presumably contains malicious content.
File changes, registry changes and network activity are recorded for analysis while a URL is being accessed. After a configurable timeout, the virtual machine is automatically reset to a snapshot of the system marked as clean, and the process starts from the beginning with another URL.
Capture-HPC can be installed on Linux and Windows platforms (the virtual machine is Windows XP SP2). I use Windows XP.
First install VMware Server (not VMware Workstation, but it is similar); download the hypervisor from VMware and register it.
After installation, create a new virtual machine and install Windows XP SP2, as recommended in the Capture-HPC instruction document. I do not know about other systems.
After the operating system is installed, copy Capture-HPC's client installer captureclient-setup.exe to the virtual machine and install it. I use capture-client-2.5.1-389.zip. After installation, you can set a whitelist of files, processes and registry operations in FileMonitor.exl, ProcessMonitor.exl and RegistryMonitor.exl. To capture network traffic, install WinPcap.
Configure the virtual machine's network so that it has normal Internet access; both NAT and bridged mode (an IP address needs to be configured) work. Then use the Snapshot > Take Snapshot menu to save a clean system snapshot.
Here I use a machine with a recovery card. The IP address of the host is 192.168.2.215 and the IP address of the virtual machine is 192.168.2.216. After the host restarted, I found that the IP address of the host's NIC was 0.0.0.0 and the virtual machine's IP address had become 192.168.2.215. After a long time I discovered that the recovery card had configured the IP address. Simply disable the virtual NICs (VMware Network Adapter VMnet1 and VMnet8) in Network Connections, then reset the IP address of the host NIC. After starting the virtual machine, you will find that it can still access the Internet with the two virtual NICs disabled ~~
--------------------------------------------------
Then install capture-server on the local machine. Before installation, install Sun's Java JRE 1.6.0 update 7 (it should be 1.6.x). Then download capture-server and decompress it, and configure config.xml. Below I paste the configuration instructions from the README; skip this part if you don't want a closer look.
- client_inactivity_timeout: The Capture client indicates that it is still alive by responding to a ping from the server. This happens every 10 seconds. If no pong is received from the client for the duration of the client_inactivity_timeout, the client inactivity error is thrown and the VM reverted. An example of when this could happen is when a malicious site causes a blue screen.
- revert_timeout: The VIX code that the revert function makes use of at times hangs, but functions properly if restarted. If the revert has not completed within the revert_timeout duration, the revert timeout error is thrown and the revert of the VM is attempted once again.
- vm_stalled_after_revert_timeout: Identical to revert_timeout, but the start criterion is not communicated by the VIX API but rather by the Capture client sending a visit command.
- vm_stalled_during_operation_timeout: When the client (e.g. Internet Explorer) locks up, the Capture client is still able to respond to pings but doesn't progress visitation of URLs. vm_stalled_during_operation_timeout sets how often the Capture server should at least expect a visitation event (this is highly dependent on the speed of the network and how many URLs are being visited). If no visitation event is received during the timeout period, the VM stalled error is thrown and the VM is reverted.
- same_vm_revert_delay: The VIX library and VMware Server have a difficult time reverting VMs at the same time. The code already prevents the same VM from reverting at the same time. The delay specified by this variable is automatically applied when reverting the same VM.
- different_vm_revert_delay: The VIX library and VMware Server have a difficult time reverting VMs at the same time. The delay specified by this variable is automatically applied when reverting a different VM. This delay is larger because theoretically it would be possible to delay two VMs at the same time.
* The global option group_size determines how many instances of the client application are opened at the same time. A value of 1 will cause only 1 instance to be opened (just like Capture-HPC v2.01 and prior). Note that only certain client plug-ins support visiting groups of sizes larger than one:
- internetexplorer (applies divide-and-conquer algorithm): full support (max group size of 80)
- internetexplorerbulk (applies bulk algorithm): full support (max group size of 54)
- firefox (applies divide-and-conquer algorithm): full support; however, Firefox needs to be configured to open a blank page and not restore previous sessions. In addition, because Firefox does not have a callback that notifies the server when a page has successfully been retrieved, client-default-visit-time needs to be increased to accommodate loading x Firefox instances and retrieving the web pages. Some testing might be required to determine the appropriate value.
- other: only group sizes of 1 are supported at this point
* Add the local exclusion lists that would be pushed to the clients if that option is enabled
* Add VMware servers
Specify the IP address, port, username and password of the VMware Server that hosts Capture clients.
* For each VMware Server, add the virtual machines that run a Capture client.
Specify the path to the virtual machine's .vmx file as well as the Administrator account and password and the path where the Capture BAT file exists (it needs to be a BAT file).
Although the configuration document is not annotated, it is easy to understand. Below is an example of mine.
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="config.xsd">
    <!-- version 2.5 -->
    <global collect-modified-files="false"
            client-default="iexplorebulk"
            client-default-visit-time="20"
            capture-network-packets-malicious="false"
            capture-network-packets-benign="false"
            send-exclusion-lists="false"
            terminate="true"
            group_size="20"
            vm_stalled_after_revert_timeout="120"
            revert_timeout="120"
            client_inactivity_timeout="60"
            vm_stalled_during_operation_timeout="300"
            same_vm_revert_delay="6"
            different_vm_revert_delay="24" />
    <exclusion-list monitor="file" file="FileMonitor.exl" />
    <exclusion-list monitor="process" file="ProcessMonitor.exl" />
    <exclusion-list monitor="registry" file="RegistryMonitor.exl" />
    <!--preprocessor classname="example">
        <![CDATA[ <example-config attribute1="1.0" attribute2="40" attribute2="log/output.log"/> ]]>
    </preprocessor-->
    <virtual-machine-server type="vmware-server" address="127.0.0.1" port="902" username="administrator" password="voodoo">
        <virtual-machine vm-path="D:\Virtual Machines\Windows XP Professional\Windows XP Professional.vmx"
                         client-path="C:\Progra~1\capture\CaptureClient.bat"
                         username="Administrator"
                         password="voodoo"/>
    </virtual-machine-server>
</config>
client-default refers to the browser type, which can be iexplore, iexplorebulk, firefox, etc. For details, see the README.
<virtual-machine-server type="vmware-server" address="127.0.0.1" port="902"
username="administrator" password="voodoo">
The address above is the address of the host where the VM runs, username and password are the host's login username and password, and port is the port used by VMware Server (the default is 902).
<virtual-machine vm-path="D:\Virtual Machines\Windows XP Professional\Windows XP Professional.vmx"
client-path="C:\Progra~1\capture\CaptureClient.bat"
username="Administrator"
password="voodoo"/>
The vm-path above is the path of the VM file (*.vmx), and client-path is the installation path of CaptureClient inside the VM (do not change Progra~1 to Program Files, that causes an error ~). username and password are the login username and password of the VM.
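As an added example (not part of Capture-HPC), a small linter that reads a config.xml like the one above and checks it against the README rules quoted earlier: the per-plug-in group_size caps, the 10 s ping interval, the two revert delays, and the Progra~1 note. The sample config is constructed and deliberately violates four checks.

```python
"""Lint a Capture-HPC config.xml against the README rules quoted on this page.
Added example, not part of Capture-HPC. The sample XML is constructed from the page's
config; the checks follow the README limits above and the author's Progra~1 note."""
import xml.etree.ElementTree as ET

# Largest group_size each client-default value supports (README above); None = no stated cap.
MAX_GROUP_SIZE = {"iexplore": 80, "iexplorebulk": 54, "firefox": None}
PING_INTERVAL = 10  # seconds between server pings, per the README

# Constructed config that deliberately violates four of the checks below.
SAMPLE_CONFIG = """<config>
  <global client-default="iexplorebulk" client-default-visit-time="20" group_size="60"
          client_inactivity_timeout="8" revert_timeout="120"
          vm_stalled_after_revert_timeout="120" vm_stalled_during_operation_timeout="300"
          same_vm_revert_delay="24" different_vm_revert_delay="6" />
  <virtual-machine-server type="vmware-server" address="127.0.0.1" port="902"
                          username="administrator" password="voodoo">
    <virtual-machine vm-path="D:\\VMs\\xp.vmx"
                     client-path="C:\\Program Files\\capture\\CaptureClient.bat"
                     username="Administrator" password="voodoo"/>
  </virtual-machine-server>
</config>"""


def lint_config(xml_text):
    """Return a list of findings; an empty list means the config passes every check."""
    findings = []
    root = ET.fromstring(xml_text)
    g = root.find("global")
    num = lambda name, default: int(g.get(name, default))  # XML attributes are strings
    client = g.get("client-default", "")
    group, cap = num("group_size", "1"), MAX_GROUP_SIZE.get(client, 1)  # unknown plug-ins: size 1 only
    if cap is not None and group > cap:
        findings.append(f"group_size {group} exceeds the {cap} supported by client-default={client}")
    if num("client_inactivity_timeout", "60") <= PING_INTERVAL:
        findings.append("client_inactivity_timeout must be longer than the 10 s ping interval")
    if num("vm_stalled_during_operation_timeout", "300") <= num("client-default-visit-time", "20"):
        findings.append("vm_stalled_during_operation_timeout is not longer than one visit")
    if num("different_vm_revert_delay", "24") <= num("same_vm_revert_delay", "6"):
        findings.append("different_vm_revert_delay should be larger than same_vm_revert_delay")
    for vm in root.iter("virtual-machine"):
        path = vm.get("client-path", "")
        if " " in path:  # the page notes that 'Program Files' (with a space) breaks the client start
            findings.append(f"client-path contains a space, use the 8.3 form instead: {path}")
        if not path.lower().endswith(".bat"):
            findings.append(f"client-path must point to a .bat file: {path}")
    return findings
```

Run `lint_config(SAMPLE_CONFIG)` to see the four warnings; the same call on the page's own config.xml returns an empty list.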
--------------------------------------------------
After configuration, create a new urls.txt file in the capture-server directory and enter the domain names to be tested, for example:
www.google.com
www.baidu.com
www.hao123.com
Create a new batch file runhpc.bat to start Capture-HPC. The format is as follows:
java -Djava.net.preferIPv4Stack=true -jar CaptureServer.jar -s <IP listening address>:<IP listening port> -f urls.txt
The IP listening address is the local address, the IP listening port is generally 7070, and urls.txt is the file containing the list of web pages. For example:
java -Djava.net.preferIPv4Stack=true -jar CaptureServer.jar -s 192.168.2.215:7070 -f urls.txt
Double-click the batch file to run the task.
If you open VMware Server while it is running, you can watch the current virtual machine's network access directly.
--------------------------------------------------
Originally I thought Capture-HPC had a crawler function that could automatically extract the links on a web page to crawl the net, but later I found that after the URLs listed in urls.txt have been visited, it stops and does not crawl to other sites. Either the program itself does not have this function or my configuration is incorrect (if you have other insights, please email me at zhao.sh@live.cn to exchange ideas).
Later I found a method. During DNS crawling I had previously stored a host table of domain names in the database (currently there are 0.1 million records); this table can be exported to Capture-HPC to expand its probe range.
Importing the database query results into a text file can be written this way (in a sqlplus environment):
-- pagesize 0, heading off and feedback off keep column headers, page breaks
-- and the "N rows selected" footer out of urls.txt; trimspool removes padding
set pagesize 0
set heading off
set feedback off
set trimspool on
spool d:\urls.txt
select * from dnshost;
spool off
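As an added example (not part of Capture-HPC or the author's setup), a filter that turns a raw SQL*Plus spool file into a urls.txt Capture-HPC can read even when the column header, the dashed underline and the "N rows selected." footer were not suppressed: it drops that noise, lower-cases and deduplicates the host names and keeps only syntactically valid ones. The spool text and the table column name are constructed.

```python
"""Clean SQL*Plus spool output into a Capture-HPC urls.txt.
Added example, not part of Capture-HPC. SPOOL_OUTPUT is constructed to look like
`select * from dnshost` with heading and feedback still switched on."""
import re

# Constructed spool file: header, underline, duplicates, a bad row and the footer.
SPOOL_OUTPUT = """\
HOSTNAME
--------------------------------------------------------------------------------
www.google.com
www.baidu.com
WWW.Baidu.com
www.hao123.com

not a host name!
www.google.com

4 rows selected.
"""

# Labels of 1-63 alphanumerics/hyphens, no leading/trailing hyphen, at least one dot, 253 chars max.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def spool_to_urls(spool_text):
    """Return unique, lower-cased host names in first-seen order, skipping SQL*Plus noise."""
    seen, urls = set(), []
    for line in spool_text.splitlines():
        host = line.strip().lower()
        # Blank lines, the dashed underline, the footer and anything that is not a host name go.
        if not host or host.startswith("-") or host.endswith("rows selected.") \
                or not HOSTNAME_RE.match(host):
            continue
        if host not in seen:
            seen.add(host)
            urls.append(host)
    return urls


def write_urls(spool_text, path="urls.txt"):
    """Write the cleaned list one host per line (the format Capture-HPC expects) and return the count."""
    urls = spool_to_urls(spool_text)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(urls) + "\n")
    return len(urls)
```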