INetSim as a Basic Honeypot

Published: 2016-05-14. Last Updated: 2016-05-15 00:17:18 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

First, "INetSim is a software suite for simulating common internet services in a lab environment, e.g. for analyzing the network behavior of unknown malware samples."[1] There are several popular honeypot out there (Kippo, Honeyd, etc) but I wanted something simple and lightweight and decided to use INetSim to capture some of the traffic hitting my network on a regular basis.

The first step is to check the requirements for INetSim which might require some Perl packages if your installation doesn't have them already. This list is here. If you are planning to use the feature that support redirecting non native services (port not supported natively with INetSim as a service), your Linux kernel must be less than version 3.5.0 which no longer support the IPTables::IPv4::IPQueue in the current version of the required Perl module.

The tarball is a small package that requires to run setup.sh to set the correct permissions and create a local SSL certificate (which you can replace with a CA signed certificate after) and edit the conf/inetsim.conf file to choose the services you want to run (default is all services are on).

INetSim support several protocols such as DNS, http(s), smtp(s), ftp(s), IRC, etc including all the small services.

Here are a few examples of web GET/POST traffic captured over HTTP/SSL:

GET /script HTTP/1.1
GET /a2billing/ HTTP/1.1
GET /CFIDE/administrator/ HTTP/1.1
GET /phpmyadmin/scripts/setup.php HTTP/1.1
GET /pma/scripts/setup.php HTTP/1.1
GET /myadmin/scripts/setup.php HTTP/1.1
GET /MyAdmin/scripts/setup.php HTTP/1.1
GET /manager/html HTTP/1.1
GET /stssys.htm HTTP/1.0
GET /zabbix/index.php HTTP/1.1
POST /xmlrpc.php HTTP/1.0
POST /index.action HTTP/1.1
POST /login.action HTTP/1.1
GET /YesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScanningForResearchPurposePleaseHaveALookAtTheUserAgentTHXYesThisIsAReallyLongRequestURLbutWeAreDoingItO
nPurposeWeAreScanningForResearchPurposePleaseHaveALookAtTheUserAgentTHXYesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScanningForResearchPurposePleaseHaveAL
ookAtTheUserAgentTHXYesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScanningForResearchPurposePleaseHaveALookAtTheUserAgentTHXYesThisIsAReallyLongRequestURLb
utWeAreDoingItOnPurposeWeAreScanningForResearchPurposePleaseHaveALookAtTheUserAgentTHXYesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScanningForResearchPurp
osePleaseHaveALookAtTheUserAgentTHXYesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScanningForResearchPurposePleaseHaveALookAtTheUserAgentTHXYesThisIsAReally
LongRequestURLbutWeAreDoingItOnPurposeWeAreScanningForResearchPurposePleaseHaveALookAtTheUserAgentTHXYesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScann

Some of the more interesting web User-Agents:

User-Agent: Cloud mapping experiment. Contact research@pdrlabs.net (Seen multiple times)
User-Agent: Telesphoreo
User-Agent: Mozilla/5.0
User-Agent: python-requests/2.9.1
User-Agent: lwp-trivial/1.41
User-Agent: Mozilla/3.0 (compatible; Indy Library)
User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)  (Scanned the web server with Nmap)
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
User-Agent: masscan/1.0 (https://github.com/robertdavidgraham/masscan)
User-Agent: ZmEu
User-Agent: netscan
User-Agent: Go http package
User-Agent: shellshock-scan
User-Agent: CSS Certificate Spider (http://www.css-security.com/certificatespider/)
User-Agent: Netcraft SSL Server Survey - contact info@netcraft.com

[1] http://www.inetsim.org/index.html
[2] http://www.inetsim.org/requirements.html
[3] http://www.inetsim.org/downloads.html
[4] https://github.com/FEDEVEL/imx6rex-linux-3.10.17/blob/master/Documentation/ABI/removed/ip_queue

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

0 comment(s)

Comments


Diary Archives