cheatsheet: deployment of an industrial honeypot - incibe-cert · libedit-dev bison flex libtool...
TRANSCRIPT
Deployment of an industrial honeypot
http FTP
HONEY INSTALLATION
GIT INSTALLATION sudo apt-get install git
HONEYD DOWNLOAD git clone httpsgithubcomDataSoftHoneyd
DEPENDENCIES INSTALLATION sudo apt-get install libevent-dev libdumbnet-dev libpcap-dev libpcre3-devlibedit-dev bison flex libtool automake zlib1g-dev python net-tools
HONEYD COMPILATION AND INSTALLATION cd Honeydautogenshconfiguremake
CREATION OF DIRECTORY FOR CONFIGURATION FILES cd mkdir ltpath_namegt
HONEYPOT CONFIGURATION
SCADA HONEYNET PROJECT DOWNLOAD httpwwwsfnetprojectsscadahoneynet
MOVE SCRIPTS DIRECTORY TO HONEYPOT PATH cd ltdownload_pathgttar -xvzf ltscadahoneynet_filetargtcp -a cernsacadahoneynetfilesscripts ltpath_namegtscripts
This last path will be labeled as ltscripts_pathgt for the following steps
SCRIPT WEB MODIFICATION Edit ltscripts_pathgthoneyd-http-siemenspy
webroot = ldquovarcshoneynetscriptsweb-siemensrdquo -gt webroot = ldquoltscripts_pathgtweb-siemensrdquo
RENAME AND MODIFY TELNET FILE Inside ltscripts_pathgt
cp honeyd-telnet-schneiderpy honeyd-telnet-siemenspy
Modify honeyd-telnet-siemenspy yumlle
logintext = nrVxWorks login -gt logintext = ldquonrSiemens Login rdquo
MODIFY NMAPASSOC FILE cat usrsharehoneydnmap-os-db | grep Siemens Simatic 300
Add the result (without Fingerprint) to the end of the usrsharehoneydnmapassoc list In case it is already there make sure that it does not remain as a comment
CONFIGURATION FILE Create a conyumlguration yumlle (ltyumllenameconfgt) inside the directory ltpath_namegt and including the following conyumlguration lines
create siemens set siemens ethernet ldquo001ff8ccd023rdquo set siemens default tcp action closedset siemens default udp action resetset siemens personality ldquoSiemens Simatic 300 programmable logic controllerrdquoadd siemens tcp port 21 python ltscripts_pathgthoneyd-ftp-siemenspyadd siemens tcp port 23 python ltscripts_pathgthoneyd-telnet-siemenspyadd siemens tcp port 80 python ltscripts_pathgthoneyd-http-siemenspyadd siemens tcp port 102 python ltscripts_pathgthoneyd-s7pyadd siemens udp port 161 python ltscripts_pathgthoneyd-snmp-siemenspyadd siemens tcp port 502 python ltscripts_pathgthoneyd-modbuspyset siemens uptime lttimestamp in secondsgtbind ltip_addressgt siemens
HIGH INTERACTION HONEYPOT
ATTACKER
SERVICES
OPERATING SYSTEM
RUNNING HONEYD
sudo honeyd -d -p nmap-os-db -i ltinterfacegt -l ltlog_nameloggt -f ltfilenameconfgtltIP_address_or_subnetgt -u 0 -g 0 --disable-webserver