这篇博文记录HoneyDrive_3_Royal_Jelly(1)系统应用整体的简介和(2)初期准备或相关具体功能的介绍说明,和(3)HoneyDrive_3的基本使用或基础理论。
参考:HoneyDrive (全局性介绍HoneyDrive的文章,不偏不倚) https://bruteforce.gr/honeydrive
一、系统应用整体的简介
参考: http://bruteforce.gr/honeydrive-3-royal-jelly-edition.html
HoneyDrive is the premier honeypot Linux distro. It is a virtual appliance (OVA) with Xubuntu Desktop 12.04.4 LTS edition installed. It contains over 10 pre-installed and pre-configured honeypot software packages such as Kippo SSH honeypot, Dionaea and Amun malware honeypots, Honeyd low-interaction honeypot, Glastopf web honeypot and Wordpot, Conpot SCADA/ICS honeypot, Thug and PhoneyC honeyclients and more. Additionally it includes many useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, DionaeaFR, an ELK stack and much more. Lastly, almost 90 well-known malware analysis, forensics and network monitoring related tools are also present in the distribution. 20161219 11:10——12:39
What you need to know (PLEASE READ):
1) HoneyDrive 3 has been created entirely from scratch. It is based on Xubuntu Desktop 12.04.4 LTS edition and it is distributed as a standalone OVA file that can be easily imported as a virtual machine using virtualization software such as VirtualBox and VMware.
2) All the honeypot programs from the previous version of HoneyDrive are included, while they have also been upgraded to their latest versions and converted almost entirely to cloned git repos for easier maintenance and updating. This latter fact on its own could be considered reason enough to release the new version.
3) Many new honeypot programs have been installed that really make HoneyDrive 3 “complete” in terms of honeypot technology, plus around 50(!) new security related tools in the fields of malware analysis, forensics and network monitoring.
4) The main honeypot software packages and BruteForce Lab’s projects reside in /honeydrive. The rest of the programs reside in /opt. The location of all software can be found inside the README.txt file on the desktop.
5) HoneyDrive 3 doesn’t make itself as known to the outside world as the previous version. There are no descriptive messages and apart from Kippo-Graph and Honeyd-Viz every other piece of software is not accessible from the outside (unless if you configure them otherwise, or even lock down Kippo-Graph and Honeyd-Viz as well).
A note on versioning: previous versions of HoneyDrive started with a zero (0.1 and 0.2) which seemed confusing to some. I didn’t like it either and in the end I decided to “renumber” those as versions 1 and 2, essentially making this new version HoneyDrive 3, .i.e the third official release.
二、HoneyDrive使用前的初期准备或相关具体功能的介绍说明
参考:HoneyDrive 3 VMware guide https://bruteforce.gr/honeydrive-3-vmware-guide.html
Here is a step by step guide for converting the HoneyDrive 3 OVA file to a VMware-compatible virtual machine. The procedure should be the same for all the other VMware products as well (Workstation, ESXi, etc). Instructions:
2.1 HoneyDrive_3在VMware中使用的前期准备工序:
(1).下载OVF Tool (:Download OVF Tool 3.5.2 (needs a free account registration)from: https://my.vmware.com/web/vmware/details?downloadGroup=OVFTOOL352&productId=352
(2). 安装、运行OVF Tool,将OVA格式文件转换为VMX格式,(Convert HoneyDrive OVA to VMX)
(3).将VMX格式文件(Honey)导入到vmware中,通过双击.vmx文件的方式(Import/open the new virtual machine by double clicking the .vmx file.)。
(4).在HoneyDrive virtual machine中的终端界面里卸载VirtualBox Guest Additions(Inside the HoneyDrive virtual machine, open Terminator (on the desktop) and type the following to uninstall the VirtualBox Guest Additions):
$ sudo aptitude purge -P virtualbox-guest-dkms virtualbox-guest-utils virtualbox-guest-x11
$ sudo reboot
备注:这里卸载VirtualBox Guest Addition时需要提供用户密码,密码信息可以在桌面上名为“README”的文件中[System]里找到。
(5).安装VMware Tools(认为这一步骤是可选的),
Once HoneyDrive is running again, click on “Virtual Machine” –> “Install VMware Tools” from the menu. This will mount a virtual disk with VMware Tools. Open Terminator again and type:
$ cp /media/VMware Tools/VMwareTools-<version>.tar.gz ~/ $ tar zxvf VMwareTools-<version>.tar.gz $ cd vmware-tools-distrib $ sudo ./vmware-install.pl -d $ sudo reboot
执行上述操作完成安装后,执行命令的终端出现如下界面 提示:
VMware Tools
安装完毕并重启系统后,可以实现跨越真实主机zh直接传递数据到虚拟主机当中,即是实现直接从真实主机复制信息或文件到虚拟主机中(宿主主机或其他主机,比如下面是从宿主主机server2012直接粘贴信息到虚拟主机,还有从远程登录连接到宿主主机的主机win7中直接复制信息到虚拟主机中),见下图:
That’s it, enjoy HoneyDrive in VMware!
2.2 工序中,关于在windows中OVF Tool的使用
关于详尽的ovf的信息,参考:https://www.vmware.com/support/developer/ovf/
本次实践中,是在windows的dos终端界面使用的ovf tool。用法如下:
(1)快捷键win R打开“运行”交互界面输入“cmd”进入dos界面
(2)命令行中输入 D:softwarevm-convert-toolovftool.exe --lax -st=ova D:tmpHoneyDrive_3_Royal_Jelly.ova D:tmp2HoneyDrive_3_Royal_Jelly.vmx,直接回车,即进入格式转换模式。如下图:
备注:(0)之所以尝试dos命令行,是因为在图形界面中安装完毕ovftool之后既没有启动快捷图标也没有可用于有效启动该工具的exe文件(1)关于命令中选项和参数的含义可以通过执行命令 D:softwarevm-convert-toolovftool.exe --help来了解。(2)命令中,D:softwarevm-convert-tool 是ovftool的安装路径,D:tmp是存放HoneyDrive_3_Royal_Jelly.ova的路径, D:tmp2是新建的空的用于存放转换vmx格式文件的路径。(3)上述命令行之所以要使用绝对路径,是因为该应用没有加入windows的全局环境配置,或说没有加入成功,关于win7中全局环境变量的配置参考如下链接(本次实践中没有配置成功):
OVFTool 4.1 vmdk格式换成OVF格式
http://blog.csdn.net/hanzheng260561728/article/details/51345481
Adding the OVF Tool to your Path Environment Variable The following instructions are for Windows 7, but the steps are similar on other Windows systems : Right-click My Computer. Select Properties. Select Advanced system settings. Select Environment Variables. Highlight (select) the Path variable from the System variable (lower) pane. Click the Edit button and then type the path to the folder where you installed the OVF Tool (at the end of the existing path).
2.3 工序中,将VMX格式文件导入到vmware中的操作
通过双击HoneyDrive_3_Royal的“.vmx”文件的方式,将HoneyDrive
的系统名HoneyDrive_3_Royal导入到vmware的虚拟机列表中,然后在vmware的虚拟机列表中选中该系统名称,单机菜单栏下方的“开启此客户机操作系统”绿色按钮就可以开启该操作系统。即是说,HoneyDrive_3应用套件是预安装在ubuntu操作系统中的,HoneyDrive_3_Royal_Jelly.ova文件是现成的组装好后生成的虚拟机文件(而不是需要先安装ubuntu系统而后手工将套件安装放置到ubuntu中),直接可以使用,只是为了在Vmware中使用所以要将其格式转换为vmx。
20161219 16:17——17:51
三、HoneyDrive_3的基本使用或基础理论
参考:Getting started with honeyd
https://bruteforce.gr/getting-started-honeyd.html
3.1 ubuntu操作系统的基础配置和常用管理命令
参考:Ubuntu12.04 系统初始化
blog.csdn.net/yangfanabc1993/article/details/23677285
安装过ubuntu 12.04 后需要做的几件事
http://blog.163.com/likaifeng@126/blog/static/320973102012620550682/
(0.1)更新源数据,更新所有的软件和安全补丁 。
sudo apt-get update 或者使用更新管理器更新软件。
(0.2)安装ssh服务端,sudo apt-get install openssh-server
(1)查看ssh服务端进程,ps -ef|grep sshd; sudo service ssh status
(2)开启、终止sshd进程,sudo service ssh start
20161219 20:16——22:56
(3)网卡配置文件、主机名的配置、本地主机名&IP(域名解析)的hosts绑定配置
参考:Ubuntu通过修改配置文件进行网络配置
http://blog.chinaunix.net/uid-22117508-id-157758.html
配置网卡,sudo vim /etc/network/interfaces,内容如下:
#======defualt settings====================
#auto lo #本部分是网卡文件中的自有的默认配置信息
#iface lo inet loopback
#======dhcp pattern========================
#auto eth0 #本部分是手工添加,自动获取IP模式的eth0
#iface eth0 inet dhcp
#======static ip =========================
auto eth0 #本部分是手工添加,静态IP模式的eth0,未注释,生效
iface eth0 inet static
address 192.168.0.16
netmask 255.255.255.0
gateway 192.168.0.1
#pre-up ifconfig eth0 hw ether xx:xx:xx:xx:xx:xx(修改MAC)
重启网卡eth0,ifdown eth0;ifup eth0
重启网络服务,sudo /etc/init.d/networking restart
添加域名解析服务器,sudo /etc/resolv.conf
主机名的配置,sudo vim /etc/hostname
本地域名解析绑定配置,sudo vim /etc/hosts
(4)防火墙进程的开启与关闭以及配置
参考:
IptablesHowTo
https://help.ubuntu.com/community/IptablesHowTo
ubuntu下iptables的用法
http://blog.sina.com.cn/s/blog_537517170102vkpy.html
Ubuntu Server 12.04 配置防火墙iptables
http://blog.csdn.net/supercrsky/article/details/17553289
iptables:
ufw:sudo ufw enable;sudo ufw disable;sudo ufw status
官网描述:When you install Ubuntu, iptables is there, but it allows all traffic by default. Ubuntu 8.04 Comes with
ufw
- a program for managing the iptables firewall easily.——所以鉴于iptables配置策略的理论盘根错节和并不影响当前实践,故先将本部分理论基础搁置,从长计议。
(5)修改对应于centos中yum源的“Download from”的源
这里多见于图形界面中处理。
(6)操作系统信息查看
查看操作系统的位数,getconf LONG_BIT
查看当前Ubuntu系统的版本,<1> cat /proc/version # proc目录下记录的当前系统运行的各种数据,version记录的版本信息可以直接通过cat查看到,还可以看到gcc版本,但这里不是普通的发行版本号。<2>uname -a #显示自己的内核版本 <3>lsb_release -a #显示版本描述和正规的发行版本号 <4> cat /etc/issue #只显示发行版本号
查看CPU信息,cat /proc/cpuinfo
(7)ubuntu软件包管理工具的使用
参考:Ubuntu Equivalent of Yum's WhatProvides
http://stackoverflow.com/questions/4471327/ubuntu-equivalent-of-yums-whatprovides
SwitchingToUbuntu/FromLinux/RedHatEnterpriseLinuxAndFedora
https://help.ubuntu.com/community/SwitchingToUbuntu/FromLinux/ RedHatEnterpriseLinuxAndFedora
关于Ubuntu下apt的一些用法及和yum的比较
http://blog.sina.com.cn/s/blog_49b1f7210102vepr.html
<1>apt-file search ssh 与yum whatprovides */ssh
备注:yum反向查询命令或文件所属软件包的命令其实已经由参数“whatprovides”改为了“provides”,这点可以通过“yum --help”查证,但是前者还是可以使用的。相应地,ubuntu/debian系列的linux操作系统中使用的是apt-file来实现等效的反向查询。
apt-file search ssh的使用:首先,如果apt-file不存在,使用apt-get install apt-file进行安装;而后,新装的apt-file需要先执行apt-file update;最后才能使用apt-file search|find ssh
注意:apt-file search XYZ的使用与等效的yum provides XYZ使用格式不同,前者不用使用“*/”