Honeysnap

From aldeid
Jump to: navigation, search

Description

The following applies to HoneySnap version 1.0.7.

Honeysnap is a tool used for extracting and analyzing data from pcap files, including IRC communications. It is developed and maintained by Arthur Clune of the UK Chapter.

Installation

Prerequisites

$ sudo apt-get install libpcap0.8 libpcap0.8-dev python-pypcap python-irclib
Info.png
Note
Though python 2.4/2.5 is mentioned as a required dependency in the official documentation, it has been confirmed to work with version 2.7.

Honeysnap

$ cd /data/src/
$ svn checkout https://projects.honeynet.org/svn/honeysnap/trunk honeysnap
$ cd honeysnap
$ sudo python setup.py install

Configuration

Description

Honeysnap can be used with parameters (see the options section) or with a configuration file. The 2 next sections explain the honeynet.cfg configuration file.

IO section

The [IO] section handles IO related options

OUTPUT_DATA_DIRECTORY
Output data directory
Default OUTPUT_DATA_DIRECTORY=analysis
FILENAME
save output to a file instead of sending to the screen?
Default FILENAME=myoutput.txt
WORDFILE
extra words file for IRC matching
If no file if given, honeysnap will use its built in list.
Default WORDFILE=./words
HONEYPOTS
Space separated list of all the honeypots for the data
HONEYPOTS=10.2.1.145 10.2.1.146 10.2.1.147 10.2.1.148

OPTIONS section

The [OPTIONS] Configures which analysis functions of honeysnap will be run

USE_UTC
Print time output in UTC? (Otherwise use local time zone)
Default USE_UTC=NO
RAW_TIME
Print time output just as a raw timestamp? This will override USE_UTC for obvious reasons
Default RAW_TIME=NO
DO_PCAP
Summarise pcap info
Default DO_PCAP=YES
DO_PACKETS
Summarise packet counts for common protocols
Default DO_PACKETS=YES
DO_OUTGOING
Summarise outgoing packets
Default DO_OUTGOING=YES
DO_INCOMING
Summarise incoming packets
Default DO_INCOMING=YES
PRINT_VERBOSE
print that flow info to stdout as well as to a file? Warning - it's a lot of output!
(only valid if either or both of DO_INCOMING or do DO_OUTGOING is YES above)
Default PRINT_VERBOSE=NO
FLOW_COUNT_LIMIT
Only print/write to file flows with more than N packets? 0 = all
Default FLOW_COUNT_LIMIT=0
DO_HTTP
Extract files from HTTP
Default DO_HTTP=YES
PRINT_SERVED
Print files served by the honeypot over http/smtp/ftp?
This option can be informative, but can also generate a lot of spurious output
if the honeypot is scanned etc.
Default PRINT_SERVED=NO
PRINT_HTTP_LOGS
print http requests in logfile format?
Default PRINT_HTTP_LOGS=YES
DO_FTP
Extract files from FTP
Default DO_FTP=YES
DO_SMTP
Extract files from SMTP
Default DO_SMTP=YES
DO_DNS
log DNS traffic?
Default DO_DNS=YES
ALL_FLOWS
Extract all flows?
Default ALL_FLOWS=YES
DO_IRC
Extract/analyse IRC sessions
Default DO_IRC=YES
IRC_PORTS
Ports to always check for IRC regardless and to generate packet counts for IRC_PORTS=6667,6668
Default IRC_PORTS=6667
IRC_LIMIT
Limit IRC summary output to just top N for each category?
Set to 0 to see everything
Default IRC_LIMIT=10
DO_SEBEK
Extract sebek data?
Default DO_SEBEK=YES
SEBEK_PORT
port to look for sebek packets on
Default SEBEK_PORT=1101
SEBEK_EXCLUDES
exclude output from these sebek commands when printing to the screen (full output still stored in the file)
Default SEBEK_EXCLUDES=configure prelink sshd sa2 makewhatis
SEBEK_DATA_EXCLUDES
exclude output with that match these regexs in the 'data' portion of the sebek string (space separated)
regex format is that of the python re module
Default SEBEK_DATA_EXCLUDES=SSH-.*-libssh.*
SEBEK_ALL_DATA
save all sebek data (not just keystroke data) to file?
warning - this generates lots and lots and lots of data and can easily fill up memory!
Default SEBEK_ALL_DATA=NO
DISABLE_DEFAULT_FILTERS
disable default filers?
Default DISABLE_DEFAULT_FILTERS=NO
USER_FILTER_LIST
User filters. If default filters are disabled, this replaces the filters. Otherwise, this is appended to the default filter list.
Each filter should consist of a description and a filter separated by a comma.
The %s representing a the honeypot requires an extra % (i.e. %%s) in order to parse correctly.
Here is an example of a filter that counts all ip and tcp packets.
USER_FILTER_LIST=[Total IPv4 packets:, host %%s and (ip or tcp)] [Total TCP packets:, host %%s and tcp] [Total IPv4 packets:, host %%s and ip]
DO_SOCKS
extract socks 4|5 proxy data
Default DO_SOCKS=YES

Usage

Syntax

Usage: honeysnap [options] <file.pcap>

Options

--version
show program's version number and exit
-h, --help
show this help message and exit
-c CONFIG, --config=CONFIG
Config file
-f FILE, --file=FILE
Write report to FILE
-o DIR, --output=DIR
Write output to DIR, defaults to 'output'
-H HONEYPOTS, --honeypots=HONEYPOTS
Comma delimited list of honeypots
-w FILE, --words=FILE
Pull wordlist from FILE
--use-utc
Times in UTC? (Otherwise use localtime)
--raw-time
Just print raw timestamps? (Overrides --use-utc)
--do-packets
Summarise packet counts
--do-incoming
Summarise incoming traffic flows
--do-outgoing
Summarise outgoing traffic flows
--print-verbose
Print verbose flow counts to screen as well as storing in a file (needs --do-incoming or --do-outgoing)
--flow-count-limit=FLOW_COUNT_LIMIT
Only print/write to file flows with more than N packets? 0 = all
--do-dns
Extract DNS data
--do-http
Extract http data
--print-served
Print extracted files served by the honeypot(s)?
(Requires --do-http, --do-ftp or --do-smtp)
--print-http-logs
Print http requests in log file format? (Requires --do-http)
--do-ftp
Extract FTP data
--do-smtp
Extract smtp data
--do-telnet
Extract Telnet data
--do-irc
Summarize IRC and extract irc detail
--irc-ports=IRC_PORTS
Ports for IRC traffic (default 6667)
--irc-limit=IRC_LIMIT
Limit IRC summary to top N items
--do-sebek
Extract Sebek data
--sebek-port=SEBEK_PORT
Port for sebek traffic (default 1101)
--sebek-excludes=SEBEK_EXCLUDES
Exclude these commands when printing sebek output
--sebek-data-excludes=SEBEK_DATA_EXCLUDES
Exclude these regexes if matched in the data portion when printing sebek output
--sebek-all-data
Extract all sebek data? Warning - produces a very large amount of data (gigabytes)
--all-flows
Extract data from all tcp flows
--disable-default-filters
Disables default bpf filters
--user-filter-list=USER_FILTER_LIST
Appends a user defined bpf filter list. ex: [Total IPv4 packets:, host %s and ip],[Total TCP packets:, host %s and tcp]
--do-socks
Extract Socks proxy data

Example

$ honeysnap \
  -H 192.168.56.101 \
  --do-outgoing \
  --do-irc \
  --do-ftp \
  --do-sebek \
  --do-http \
  --do-outgoing \
  -o /data/tmp/analysis \
  -f /data/tmp/analysis/results.txt \
  /data/tmp/IETab/dd1d4a8dd6f8dc9080e97a29c6a97d7cf3e947bad3c9feb72322f6d817d09a94.pcap

The above command creates following files:

$ tree analysis/
analysis/
├── 192.168.56.101
│   ├── conns
│   │   └── outgoing.txt
│   └── http
│       ├── incoming
│       │   ├── 192.168.56.101.1044-180.71.56.227.80
│       │   ├── 192.168.56.101.1044-180.71.56.227.80.hdr
│       │   ├── 192.168.56.101.1045-180.71.56.227.80
│       │   ├── 192.168.56.101.1045-180.71.56.227.80.hdr
│       │   ├── 192.168.56.101.1050-180.71.56.227.80
│       │   └── 192.168.56.101.1050-180.71.56.227.80.hdr
│       └── outgoing
│           ├── 180.71.56.227.80-192.168.56.101.1044.hdr
│           ├── 180.71.56.227.80-192.168.56.101.1045.hdr
│           ├── 180.71.56.227.80-192.168.56.101.1050.hdr
│           ├── IETab.ini.1
│           ├── install.asp.2
│           └── setting.dat.2
├── pcapinfo.txt
└── results.txt

5 directories, 15 files
$ cat analysis/results.txt


Analysing file: /data/tmp/IETab/dd1d4a8dd6f8dc9080e97a29c6a97d7cf3e947bad3c9feb72322f6d817d09a94.pcap

Pcap file information:
	File name: /data/tmp/IETab/dd1d4a8dd6f8dc9080e97a29c6a97d7cf3e947bad3c9feb72322f6d817d09a94.pcap
 	Number of packets: 68
 	File size: 30427 bytes 
 	Data size: 29315 bytes 
 	Capture duration: 94.7538580894 seconds 
 	Start time: Sat Oct 26 11:24:05 2013 
 	End time: Sat Oct 26 11:25:40 2013 
 	Data rate: 309.380542292 bytes/s 
 	Data rate: 2475.04433834 bits/s 
 	Average packet size: 431.102941176 bytes 
         

Counting outgoing connections for 192.168.56.101

Looking for packets containing PRIVMSG for 192.168.56.101

No matching packets found

Analysing IRC

Honeypot 192.168.56.101, port 6667

	No IRC seen

Extracting from HTTP


HTTP summary for 192.168.56.101


requested_files:

180.71.56.227 -> 192.168.56.101, ietab.sidetab.co.kr/update/IE65/IETab.ini (Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)) at Sat Oct 26 11:24:15 2013
	file: /data/tmp/analysis/192.168.56.101/http/outgoing/IETab.ini.1, filetype: ASCII text, md5 sum: ab1500d553a2b01151d190ce66e17dd6
180.71.56.227 -> 192.168.56.101, ietab.sidetab.co.kr/install.asp (NSISDL/1.2 (Mozilla)) at Sat Oct 26 11:24:15 2013
	file: /data/tmp/analysis/192.168.56.101/http/outgoing/install.asp.1, filetype: ASCII text, md5 sum: 19e4e5ad8959e3f5110e28abe9c4fd9d
180.71.56.227 -> 192.168.56.101, ietab.sidetab.co.kr/install.asp (NSISDL/1.2 (Mozilla)) at Sat Oct 26 11:24:15 2013
	file: /data/tmp/analysis/192.168.56.101/http/outgoing/install.asp.2, filetype: ASCII text, md5 sum: 19e4e5ad8959e3f5110e28abe9c4fd9d
180.71.56.227 -> 192.168.56.101, www.ietab.co.kr/setting.dat (Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)) at Sat Oct 26 11:24:17 2013
	file: /data/tmp/analysis/192.168.56.101/http/outgoing/setting.dat.1, filetype: ASCII text, md5 sum: 4bfa1eb397779cc313e0d2a7bf52a47f
180.71.56.227 -> 192.168.56.101, www.ietab.co.kr/setting.dat (Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)) at Sat Oct 26 11:24:17 2013
	file: /data/tmp/analysis/192.168.56.101/http/outgoing/setting.dat.2, filetype: ASCII text, md5 sum: 4bfa1eb397779cc313e0d2a7bf52a47f

0 requests served by honeypot

Extracting from FTP


FTP summary for 192.168.56.101

	No traffic seen


Extracting Sebek data

Honeypot 192.168.56.101

No sebek data seen

Comments

blog comments powered by Disqus