
HoneyDrive 0.2 Nectar edition released!

Written By Unknown on Wednesday, 16 January 2013 | 10:04

New release for HoneyDrive (Desktop)!
This is version 0.2 aka Nectar edition, which brings more honeypot and malware related tools on the distro.
You can download it from HoneyDrive's SourceForge page at: http://sourceforge.net/projects/honeydrive/
MD5 Checksum: 8f0d65b4260e963e5639ab4555b3c70f
SHA-1 Checksum: 285775170167cb4d4614ae3955889882b4358fdf
Changes and additions on this version (in no particular order):
  1. Installed Kippo2Wordlist, a tool to create wordlists based on passwords used by attackers against Kippo SSH honeypot.
  2. Installed DionaeaFR, a visualization tool which was recently presented in my previous post.
  3. Added Kojoney SSH honeypot, patched version (updated scripts, new features, etc).
  4. Added Amun malware honeypot, along with useful scripts.
  5. Installed mwcrawler, a script that parses malicious URL lists and downloads malware files (video).
  6. Added Thug, a honeyclient written in Python aimed at mimicking the behavior of a web browser in order to detect and emulate malicious contents.
  7. Added the following tools: Pipal, John the Ripper, IRCD-Hybrid, Origami, dsniff, hping, Scapy, Tcpreplay, tcptrace, sslstrip, libemu, Adminer.
  8. Added the Open Penetration Testing Bookmarks Collection to Firefox.
HoneyDrive is a virtual appliance (OVA) with Xubuntu Desktop 12.04 32-bit edition installed. It contains various honeypot software packages such as Kippo SSH honeypot, Dionaea malware honeypot, Honeyd low-interaction honeypot, Thug honeyclient and more. Additionally it includes useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, and much more. Lastly, many other helpful security, forensics and malware related tools are also present in the distribution.

Features
  • Virtual appliance based on Xubuntu 12.04 Desktop.
  • Distributed as a single OVA file, ready to be imported.
  • Full LAMP stack installed (Apache 2, MySQL 5), plus tools such as phpMyAdmin.
  • Kippo SSH Honeypot, plus Kippo-Graph, Kippo2MySQL and other helpful scripts.
  • Dionaea malware honeypot, plus DionaeaFR and other helpful scripts.
  • Amun malware honeypot, plus helpful scripts.
  • Kojoney SSH honeypot, plus helpful scripts.
  • Honeyd low-interaction honeypot, plus Honeyd2MySQL, Honeyd-Viz and other helpful scripts.
  • LaBrea sticky honeypot, Tiny Honeypot, IIS Emulator, INetSim and SimH.
  • Thug honeyclient for client-side attacks analysis, along with mwcrawler malware collector.
  • A full suite of security, forensics and anti-malware tools for network monitoring, malicious shellcode and PDF analysis, such as ntop, p0f, EtherApe, nmap, DFF, Wireshark, ClamAV, ettercap, Automater, UPX, pdftk, Flasm, pdf-parser, Pyew, dex2jar and more.
  • Firefox plugins pre-installed, plus extra helpful software such as GParted, Terminator, Adminer, VYM, Xpdf and more.
DOWNLOAD:

The latest version (0.2) of HoneyDrive Desktop (Nectar edition), released on January 16, 2012 is hosted at SourceForge.net: http://sourceforge.net/projects/honeydrive/

Download latest, released on 16-01-2013

HoneyDrive 0.1 Santa edition Released on 30-12-2012 
 
MD5 Checksum: 8f0d65b4260e963e5639ab4555b3c70f
SHA-1 Checksum: 285775170167cb4d4614ae3955889882b4358fdf
Please take a look at the README.txt file on SourceForge (also included inside the virtual disk) to see where everything is located.

INSTALLATION:
After downloading the file, you simply have to import the virtual appliance to your virtual machine manager/hypervisor (suggested software: Oracle VM VirtualBox).

FREQUENTLY ASKED QUESTIONS:
  1. Why use HoneyDrive?
    HoneyDrive saves you time! It has all the major honeypot-related software pre-installed and pre-configured to work out of the box (or with some configuration options of your liking). As I have seen many times in comments or support requests I get, setting up a honeypot system is not always something easy. This is especially true for new infosec enthusiasts or sysadmins and “hard” to set up software like Dionaea for example.
  2. What utilities and software are included in HoneyDrive?
    HoneyDrive contains all the major honeypot-related software and many more useful tools. For a complete list you’ll have to take a look at the README.txt file included in the virtual appliance (you’ll find it on the desktop) or online at the downloads section of SourceForge (link above).
  3. Why isn’t [insert-name-here] included in HoneyDrive?
    I’m not a security guru and unfortunately can’t keep track of every different piece of software. But, I’m very open to suggestions about HoneyDrive! If you know a tool that could be of benefit please let me know by leaving a comment on this page and it will be included in the next release of HoneyDrive.
  4. How do I get started? How do I login?
    You just have to download the OVA file from SourceForge (link above) and import it in your virtual machine manager/hypervisor. You can then login using the password “honeydrive” (without the quotes).
  5. What is the password for [insert-name-here]?
    Again, your best bet is reading the README.txt file included in the virtual appliance or found online at the downloads section of SourceForge (link above). Every password you will need is included in its appropriate section.

HoneyDrive Desktop released!

Written By Unknown on Wednesday, 26 December 2012 | 23:39


HoneyDrive is a virtual appliance (OVA) with Xubuntu Desktop 12.04 32-bit edition installed. It contains various honeypot software packages such as Kippo SSH honeypot, Dionaea malware honeypot, Honeyd low-interaction honeypot and more. Additionally it includes useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, and much more. Lastly, many other helpful security, forensics and malware related tools are also present in the distribution.
The latest version (0.1) of HoneyDrive Desktop (Santa Claus edition), which was officially released on December 26, 2012 will be hosted at SourceForge.net. I am uploading the appliance (around 2.7GBs) while writing this post and need a couple of hours. Here is the link where you will find it: http://sourceforge.net/projects/honeydrive/
Please take a look at the README.txt file on SourceForge (also included inside the virtual disk) to learn the specific features and where everything is located.
The installation procedure is pretty straightforward: after downloading the file, you simply have to import the virtual appliance to your virtual machine manager/hypervisor (suggested software: Oracle VM VirtualBox).
Below is a comprehensive list of HoneyDrive's features, ready to be used for promotion purposes :)
  • Virtual appliance based on Xubuntu 12.04 Desktop.
  • Distributed as a single OVA file, ready to be imported.
  • Full LAMP stack installed (Apache 2, MySQL 5), plus tools such as phpMyAdmin.
  • Kippo SSH Honeypot, plus Kippo-Graph, Kippo2MySQL and other helpful scripts.
  • Dionaea malware honeypot, plus phpLiteAdmin and other helpful scripts.
  • Honeyd low-interaction honeypot, plus Honeyd2MySQL, Honeyd-Viz and other helpful scripts.
  • LaBrea sticky honeypot, Tiny Honeypot, IIS Emulator, INetSim and SimH.
  • A full suite of security, forensics and anti-malware tools for network monitoring, malicious shellcode and PDF analysis, such as ntop, p0f, EtherApe, nmap, DFF, Wireshark, ClamAV, ettercap, Automater, UPX, pdftk, Flasm, pdf-parser, Pyew, dex2jar and more.
  • Firefox plugins pre-installed, plus extra helpful software such as GParted, Terminator, VYM, Xpdf and more.
DOWNLOAD:
The latest version (0.1) of HoneyDrive Desktop (Santa Claus edition), released on December 26, 2012 is hosted at SourceForge.net: http://sourceforge.net/projects/honeydrive/
MD5 Checksum: 49e57aab8ca36a02e0114930cb11c09d
SHA-1 Checksum: f644e878527a39f87df515ba7026ae84960b239d
Please take a look at the README.txt file on SourceForge (also included inside the virtual disk) to see where everything is located.
INSTALLATION:
After downloading the file, you simply have to import the virtual appliance to your virtual machine manager/hypervisor (suggested software: Oracle VM VirtualBox).


Kippo-Graph v0.7.3 released!

Written By Unknown on Wednesday, 12 December 2012 | 02:31


Kippo-Graph is a full featured script to visualize statistics from a Kippo SSH honeypot.
It uses “Libchart” PHP chart drawing library by Jean-Marc Trémeaux, “QGoogleVisualizationAPI” PHP Wrapper for Google’s Visualization API by Thomas Schäfer and geoPlugin geolocation technology (geoplugin.com).
Kippo-Graph currently shows 24 charts, including top 10 passwords, top 10 usernames, top 10 username/password combos, success ratio, connections per IP, connections per country, probes per day, probes per week, ssh clients, top 10 overall input, top 10 successful input, top 10 failed input and many more. There are also geolocation data extracted and displayed with Google visualization technology using a Google Map, an Intensity Map, etc. Lastly, input-related data and statistics are also presented giving an overview of the action inside the system.
DOWNLOAD:
Download the latest version (0.7.3) here: kippo-graph-0.7.3
MD5 Checksum: EF27DB0031E3FC2D1F80DD4F83A8A175
SHA-1 Checksum: 0FA03F5FA4BED233731CB4F5F4CD42C1CDF92215
Please also take a look at the README.txt file inside the package.
REQUIREMENTS:
You need to have “php5-gd” and “php5-mysql” packages installed. On Ubuntu/Debian:
apt-get update && apt-get install -y php5-gd php5-mysql
/etc/init.d/apache2 restart
QUICK INSTALLATION:
wget http://bruteforce.gr/wp-content/uploads/kippo-graph-VERSION.tar
mv kippo-graph-VERSION.tar /var/www
cd /var/www
tar xvf kippo-graph-VERSION.tar --no-same-permissions
cd kippo-graph
chmod 777 generated-graphs
vi config.php #enter the appropriate values
Browse to http://your-server/kippo-graph to generate the statistics.
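The DOWNLOAD section publishes a SHA-1 for the release, but the quick installation steps extract the tarball without checking it. The following is an added example, not part of the original post or the Kippo-Graph package, that gates extraction on that checksum; the function names and the demo archive are hypothetical, and the expected value is accepted in upper or lower case or broken across lines, as the checksums appear on this page.

```shell
#!/usr/bin/env bash
# Added example: extract a downloaded release only if its SHA-1 matches the
# published value. Function names and the demo archive are constructed.

# Normalise a published checksum: strip whitespace/line breaks, lower-case it.
normalise_sum() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f'
}

# Return 0 if FILE's SHA-1 equals EXPECTED, 1 on mismatch, 2 on bad input.
verify_sha1() {
    local file=$1 expected actual
    expected=$(normalise_sum "$2")
    # A SHA-1 is exactly 40 hex digits; reject truncated or mistyped values.
    case "$expected" in
        *[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || { echo "expected value is not 40 hex digits" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    actual=$(sha1sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Extract ARCHIVE into DEST only after the checksum check passes.
verified_extract() {
    local archive=$1 expected=$2 dest=$3
    verify_sha1 "$archive" "$expected" || {
        echo "checksum check failed, not extracting $archive" >&2
        return 1
    }
    tar xf "$archive" -C "$dest" --no-same-permissions
}

# Constructed demo: a throwaway tarball stands in for the real download.
demo() {
    local tmp sum
    tmp=$(mktemp -d)
    echo "constructed sample" > "$tmp/README.txt"
    tar cf "$tmp/sample.tar" -C "$tmp" README.txt
    # Upper-case the digest to mimic how the Kippo-Graph checksums are published.
    sum=$(sha1sum "$tmp/sample.tar" | cut -d' ' -f1 | tr 'a-f' 'A-F')
    mkdir "$tmp/out"
    verified_extract "$tmp/sample.tar" "$sum" "$tmp/out" && echo "verified and extracted"
    rm -rf "$tmp"
}
demo
```

A checksum read from the same page that serves the download catches corruption and a tampered mirror, not a compromised publisher.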
PREVIOUS VERSIONS:
You can download version 0.7.2 here: kippo-graph-0.7.2
You can download version 0.7.1 here: kippo-graph-0.7.1
You can download version 0.7 here: kippo-graph-0.7
You can download version 0.6.5 here: kippo-graph-0.6.5
You can download version 0.6.4 here: kippo-graph-0.6.4
You can download version 0.6.3 here: kippo-graph-0.6.3
You can download version 0.6.2 here: kippo-graph-0.6.2
You can download version 0.6.1 here: kippo-graph-0.6.1
You can download version 0.6 here: kippo-graph-0.6
You can download version 0.5.1 here: kippo-graph-0.5.1
You can download version 0.5 here: kippo-graph-0.5
You can download version 0.4 here: kippo-graph-0.4
You can download version 0.3 here: kippo-graph-0.3
You can download version 0.2 here: kippo-graph-0.2
You can download version 0.1 here: kippo-graph-0.1
CHANGES:
Version 0.7.3:
+ Fixed XSS issues in Kippo-Input.
+ Added tables with overall/basic stats in Kippo-Graph and Kippo-Input.
Version 0.7.2:
+ Minor fixes and various changes.

KFSensor - Advanced Windows Honeypot System

Written By Unknown on Wednesday, 21 November 2012 | 03:55


KFSensor is a Windows based honeypot Intrusion Detection System (IDS).

It acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and trojans.
By acting as a decoy server it can divert attacks from critical systems and provide a higher level of information than can be achieved by using firewalls and NIDS alone.
KFSensor is designed for use in a Windows based corporate environment and contains many innovative and unique features such as remote management, a Snort compatible signature engine and emulations of Windows networking protocols.
With its GUI based management console, extensive documentation and low maintenance, KFSensor provides a cost effective way of improving an organization's network security.

KFSensor Benefits

Signature attack identification
KFSensor's rule-based signature engine can identify known attack patterns, which greatly helps in analyzing the nature of an event. Rules can be imported from external sources in Snort format, giving access to a huge amount of security knowledge.
Detects Windows networking attacks
KFSensor contains the world's only Windows networking/ NetBIOS / SMB / CIFS emulation honeypot. This unique feature enables it to detect the nature of attacks on file shares and Windows administrative services, currently the most prevalent and damaging on the Internet.
Firewalls can detect port scans, but not the nature of an attack. NIDS can identify certain attacks but not without the risk of compromising security. Only KFSensor can provide the maximum information on an attack, without risk of compromise.
Extendable architecture
The already comprehensive emulation and reporting features of KFSensor can be further extended by writing your own scripts and database queries.
No false positives
Firewalls and network based IDS are often overwhelmed by the amount of network traffic and often generate false alarms by misinterpreting legitimate network traffic. KFSensor's honeypot model has no legitimate uses, so all connections to them are suspect.
Low overheads
KFSensor lies dormant until attacked, consuming very little processor time or network resources. Sensors can be installed on users’ machines without affecting their normal use, eliminating the need for additional hardware.
Full coverage
All TCP, UDP and ICMP traffic is monitored for all ports.
Remote Administration
Protect different locations in the corporate network with multiple KFSensor installations and manage the process from one location. KFSensor Enterprise Edition provides remote configuration and real time concatenation of events from a single administrator machine using top of the range encryption and authentication.
Simplicity
The concepts behind KFSensor are easy to understand. Its configuration and operation are straightforward, requiring minimal training and maintenance.
Advanced server simulation
KFSensor emulates real servers, such as FTP, SMB, POP3, HTTP, Telnet, SMTP and SOCKS to improve deception and gain more valuable information on a hacker's motives.
Real time detection
Attacks are detected, analyzed and reported immediately allowing response to an attack while still in progress.
Detects unknown threats
Unlike other products KFSensor does not rely on signatures of known attacks and can therefore detect new or 0 day threats, such as new worms, viruses and elite hackers. KFSensor is just as effective at detecting internal threats.
Security in-depth
KFSensor complements other types of security products, such as firewalls, anti-virus and network based IDS systems, to provide an additional layer of protection.
Designed for a corporate environment
KFSensor's secure design and its ability to work both inside a LAN and in front of a firewall make it suitable for organizations that demand the highest security requirements.

16 August 2012
KFSensor version 4.8.0 released
ArcSight CEF Format Support
  • KFSensor can be configured to forward events to ArcSight in CEF format. This streamlines and simplifies the integration of KFSensor with the ArcSight Enterprise Threat and Risk Management (ETRM) platform.
  • The Common Event Format (CEF) is an open log management standard that improves the interoperability of security-related information from different security and network devices and applications. CEF is the first log management standard to support a broad range of device types. CEF enables technology companies and customers to use a common event log format so that data can easily be collected and aggregated for analysis by an enterprise management system.
  • Setting up KFSensor to integrate with ArcSight is simply a matter of opening the SysLog Alerts menu option, entering the ArcSight server IP address and selecting CEF as the alert format.
Visitor Rule Distribution
  • Centrally defined visitor rules can now be distributed to all sensors automatically. This makes it faster and easier to reduce false positive results consistently across all sensors.
  • To make use of this facility define a new rule on the local sensor on the KFSensor administrator machine. The collator service will then distribute this rule to all sensors.
  • The full enterprise configuration must be enabled for this to work.
Common Configuration file
  • To make it easier to set up new sensors with a standard configuration, a new local configuration file is now created that contains the machine-specific information. This allows the main configuration file to be replaced without losing the machine-specific settings.


HoneyBox v0.1 - Honeypots in a box!

Written By Unknown on Sunday, 16 September 2012 | 03:50

A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.


HoneyBox is a virtual hard disk drive (VMDK format) with Ubuntu Server 11.10 32-bit edition installed. It contains various honeypot systems such as Kippo SSH honeypot, Dionaea malware honeypot and Honeyd. Additionally it includes useful scripts and utilities to analyze and visualize the data it captures. Lastly, other helpful tools like tshark (command-line Wireshark), pdftools, etc. are also present.

DOWNLOAD:
The latest version (0.1) contains Kippo SSH honeypot and related scripts (kippo-graph, kippo-stats, kippo-sessions, etc). Everything is pre-configured to work. Due to its size the file is hosted at SourceForge: http://sourceforge.net/projects/honeybox/
Please also take a look at the README.txt file at SourceForge (also included inside the disk) to learn the specific features and where everything is located.
INSTALLATION:
After downloading the file, you must uncompress it and then you simply have to create a new virtual machine (suggested software: Oracle VM VirtualBox) and select the VMDK drive as its hard disk.

Download HoneyBox.7z (508.6 MB) 

Specification -
OS: Ubuntu Server 11.10 32-bit
HDD: VMDK 15GB (2GB split)
Localization: English (UK), UK layout, GMT
Extra: Automatic security updates
Software: OpenSSH (port: 2222) & LAMP server
[System]
Connectivity: DHCP
Hostname: honeybox
User: HoneyBox User
Username/Password: honeybox/honeybox
MySQL root password: honeybox
+ phpMyAdmin
[Kippo]
Path: /home/honeybox/kippo/
Port: 22
MySQL db: kippodb
MySQL user: kippouser
MySQL pass: kippopass
[Kippo-Graph]
Path: /var/www/kippo-graph
[Kippo-Scripts]
Path: /home/honeybox/
+ kippo2mysql.pl
+ kippo-sessions.sh
+ kippo-stats.pl
Kippo2MySQL db: kippo2mysql
Kippo2MySQL user: kippouser
Kippo2MySQL pass: kippopass

Visit Website -
http://bruteforce.gr/honeybox
http://sourceforge.net/projects/honeybox/
