    Jesse Bowling
    @JesseBowling
    Well I’m sorry you all had to spend all that time investigating! I was on vacation last week and missed the message. :)
    On the positive side, I’m guessing you all learned a lot about the honeypot? :D
    d90
    @d90
    I have a general question: how do we generate a deploy key?
    @JesseBowling the honeypots require this but I don't see info on how to generate them.
    Jesse Bowling
    @JesseBowling

    Hi @d90 ! So the easiest way to get the key is to use the webui, and browse to the ‘Deploy’ tab. Select one of the honeypot scripts. The command line displayed will include the deploy key…for example:

    deploy.sh https://stingar.url 8characterdeploykey &&

    You can also run docker-compose exec chnserver grep DEPLOY_KEY /opt/config.py
    And finally, if you want a predictable DEPLOY_KEY, you can set it in chnserver.sysconfig: DEPLOY_KEY=""
    d90
    @d90
    OK. thank you
    Mark Gardner
    @mkgvt_gitlab
    Our CHN honeypots seem to be running just fine. Next step. How do we get the data back? Was it in the documentation and I missed it?
    d90
    @d90
    @JesseBowling I have a concern with cowrie. When I nmap scan it, it clearly announces this is a honeypot. I'm wondering if this could be obfuscated:

    23/tcp open telnet Cowrie Honeypot telnetd
    Mike
    @kraigu
    @mkgvt_gitlab you can look at it GUI-wise on your CHN server system, the default userid is admin@localhost and there's steps in the docs to set a password. Or you can pull things out with an API key + some curl / favourite scripting/scraping language
    or if you've configured it to do so, your CIF server, but I'm assuming you didn't do that
    @mkgvt_gitlab or, based on backscroll, your security office will tell you :D
    Mark Gardner
    @mkgvt_gitlab
    Thanks @kraigu. I'll look into it. As for the ITSO, he is already aware of my activities. :-)
    Mike
    @kraigu
    no worries =]
    Chris O'Donnell
    @chodonne_twitter
    @d90 looks like cowrie fixed the nmap scanning issue with 1.5.3, but the CHN repo currently pulls 1.5.2. https://github.com/cowrie/cowrie/releases
    Jesse Bowling
    @JesseBowling
    @chodonne_twitter thanks for the note about cowrie! We’ll look at updating that.

    @d90 : One (underused) option that may help in this case (unsure since I'm not sure what Nmap is keying on; chodonne's answer may be what's needed) is to use the personalities option for the honeypot:

    https://communityhoneynetwork.readthedocs.io/en/stable/cowrie/#adding-a-custom-cowrie-personality

    Chris O'Donnell
    @chodonne_twitter
    when routing multiple subnets via AnyIP, are there any other configs that need to be tweaked? Like either the docker daemon or cowrie configs?
    Jesse Bowling
    @JesseBowling
    Oof, that’s one for @drewstinnett…I think all we have on that is at https://communityhoneynetwork.readthedocs.io/en/stable/config/#accepting-all-traffic-from-a-default-route
    That said, this works fine for smaller, non-overlapping dark networks. It does NOT work well when using default routes, due to kernel confusion on where to route things. to be more concrete...
    Chris O'Donnell
    @chodonne_twitter
    I saw that and still having issues (possibly something weird on our end). I’ll keep digging
    Jesse Bowling
    @JesseBowling

    Routing 10.0.10.0/24 to an anyip host with a “real/management” interface on 10.0.20.5 is just dandy.

    But if you tried to send a default route of 10.0.0.0/16 at the anyip interface, your management interface traffic will end up sucked into the honeypot as well, which is of course not ideal. :-/

    I think the answer there is multiple routing tables with priority based on interface, but I’ve yet to actually work out exactly how to make that work.
    Chris O'Donnell
    @chodonne_twitter
    ok…we’re working on routing subnets that aren’t on the same one in the main interface.
    Jesse Bowling
    @JesseBowling
    ah, ok
    Chris O'Donnell
    @chodonne_twitter
    Like I said, I’ll play around w/ it, just wanted to verify I wasn’t missing something easy before I went down the rabbit hole
    zapsoda
    @zapsoda
    Can anyone tell me how CHN compares to the MHN? I realize that MHN is developed by a commercial company, but what additions/features does CHN have that MHN does not? Aka why would I use one over the other?
    Jesse Bowling
    @JesseBowling

    Hi @zapsoda ! Great question!

    MHN is where CHN came from; we forked that project about 1.5 years ago and have been working to maintain it since then. In terms of project comparisons, I think the biggest difference is that CHN is based on Docker images for the server and individual honeypots, while MHN used custom scripts to install the software onto the local OS in a traditional manner.

    CHN is being developed towards furthering the STINGAR project (https://stingar.security.duke.edu), but could be used by others who are interested in running honeypot networks and sharing those results via CIF (Collective Intelligence Framework, particularly https://github.com/csirtgadgets/bearded-avenger)
    zapsoda
    @zapsoda
    Awesome! Thank you!
    Jesse Bowling
    @JesseBowling
    At least 1.5 years ago, Threatstream had declared MHN to be a “community supported project” after the primary author, Jason Trost, left Anomali. Perhaps they picked support back up….
    but it’s been a bit since I looked :)
    zapsoda
    @zapsoda
    Hmm, it does seem to be updated but I'm interested in the Docker capabilities of CHN, I'll be playing around with it shortly..
    Jesse Bowling
    @JesseBowling
    Well, looks like someone pushed something to master 27 days ago, so...
    Someone is doing something :)
    Please do! and lodge all your complaints either in https://github.com/CommunityHoneyNetwork/CHN-Server/issues or here. We can’t get better without feedback. :)
    I’ll note that we’ve been targeting Docker as the primary use case, and the way we worked the old MHN stuff into the current model forced some choices that make it not so great for k8s, but should be fine in a Docker-based container environment :)
    zapsoda
    @zapsoda
    Hmm, good to know, thanks!
    Jesse Bowling
    @JesseBowling
    We’ve got a big push for 2.0 version that should be in minimum viable product state by end of year that will address that. However, that’s a long way away (though less so than when we started in March) :D
    zapsoda
    @zapsoda
    For the base URL can it be an IP, or does it need to be a domain? @JesseBowling
    Jesse Bowling
    @JesseBowling
    It can be an IP, but know that it will default to using a self-signed cert for the server (so you’ll have to accept warnings in the browser). Also you’ll need to add a --no-check-certificate to the wget portion of the deployment command
    Do specify the “http” or “https” in the SERVER_BASE_URL though, even if you use an IP
    zapsoda
    @zapsoda
    Cool, I assume I should define the SUPERUSER_EMAIL and PASSWORD variables? What about SECRET_KEY/DEPLOY_KEY? Or should I just not mess with the chnserver.sysconfig much yet? Besides defining the base_url? (I'm just spinning up a PoC deployment to play around with for now)
    zapsoda
    @zapsoda
    I'm getting a refused connection when I try to connect to the management URL (after resetting the admin password and deploying with docker-compose), any suggestions @JesseBowling ?
    zapsoda
    @zapsoda
    I could tell from the log output CERTBOT was failing because I was using an IP rather than a domain. I switched to SELFSIGNED and was still getting an error around generating the cert; when run with sudo the error seems to change/go away, but I'm still unable to browse to it.
    zapsoda
    @zapsoda
    Everything seems to be working now!
    Mark Gardner
    @mkgvt_gitlab
    How do I verify that data from our new honeypot is showing up in the CHN? (Someone I talked to off-line said something about figuring out our participant ID so we could distinguish our data.)
    (I asked a similar question earlier.)
    We have verified the data by looking at the web interface using admin@localhost. I would now like to verify the data is reaching the CHN.