Honeypot Workshop
From 25C3 Public Wiki
Content
This Honeypot Workshop is a hands-on event where people will set up and run their own low-interaction nepenthes and honeytrap honeypots to collect malware and exploits. You will learn the fundamentals of honeypot-based network attack analysis, i.e. how to investigate the recorded honeypot data and the corresponding traffic dumps. A second part will provide a brief introduction to blackbox malware analysis.
When and where
The workshop will take place on 2008-12-29, 20:00-23:00. Location: Workshop room A03
Requirements
Attendees must bring their own laptop with a recent Linux operating system (we recommend Ubuntu) and a Windows XP virtual machine (we suggest VirtualBox, bridged to the host's physical network). Be aware that you are responsible for your own working environment, as we won't have time to do configuration work on-site. However, you may send questions via mail and we'll try to help you as well as we can.
How to attend
This workshop addresses people who would like to gain first insights into honeypots and their use for attack analysis. The instructor team will be working closely with the attendees, so we will offer no more than 10 places. If you would like to attend, send us an application with some information about yourself and why you deserve a place.
Command Log
* nepenthes install
# svn co https://svn.mwcollect.org/nepenthes/trunk/ nepenthes
# cd nepenthes
# autoreconf -v -i --force
# ./configure --prefix=/opt/nepenthes
# make
# make install (as root)
# !! edit /opt/nepenthes/etc/nepenthes/nepenthes.conf to your needs
# /opt/nepenthes/bin/nepenthes -h (look at options ;) )
# /opt/nepenthes/bin/nepenthes -u nobody -g nogroup
* honeytrap install
# aptitude install libnetfilter-queue-dev
# svn co https://svn.mwcollect.org/honeytrap/trunk/ honeytrap-svn
# cd honeytrap-svn
# autoreconf -i
# ./configure --prefix=/opt/honeytrap/ --with-stream-mon=nfq
# make
# make install (as root)
# iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW -j NFQUEUE (replace eth0 with your interface)
# cd /opt/honeytrap/
# ./sbin/honeytrap -h (look at options ;) )
# ./sbin/honeytrap -Dt 5 -C etc/honeytrap/honeytrap.conf
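The iptables step above queues every new inbound TCP connection on the interface to honeytrap; if honeytrap is not running, the kernel drops queued packets, and running the command twice leaves a duplicate rule. The script below is an added example, not part of the workshop page or of honeytrap itself: it wraps the same rule so it is validated, added only once, optionally keeps one admin port (e.g. SSH) out of the queue, and can be removed again. It assumes an iptables with the `-C` (check) option.

```shell
#!/bin/sh
# Added example for the honeytrap NFQUEUE setup from the command log above.
# Assumes iptables >= 1.4.11 (for "-C") and honeytrap built with --with-stream-mon=nfq.

# Accept only plausible Linux interface names (letters, digits, . _ -), at most 15 chars.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Print the rule spec (everything after -A/-C/-D) for interface $1.
# If $2 is given, that TCP port is excluded so an admin service (e.g. SSH) is
# never queued: with no honeytrap process consuming the queue, the kernel drops
# NFQUEUE packets, which would lock you out of the box.
nfq_rule_spec() {
    iface="$1"; keep_port="$2"
    spec="INPUT -i $iface -p tcp --syn"
    if [ -n "$keep_port" ]; then
        spec="$spec ! --dport $keep_port"
    fi
    printf '%s -m state --state NEW -j NFQUEUE\n' "$spec"
}

# Add the rule unless an identical one is already present ("-C" exits 0 on a match).
# Run as root before starting honeytrap.
apply_nfq_rule() {
    valid_iface "$1" || { echo "bad interface name: $1" >&2; return 2; }
    spec=$(nfq_rule_spec "$1" "$2")
    # word-splitting of $spec into separate iptables arguments is intended
    if iptables -C $spec 2>/dev/null; then
        echo "rule already present, not adding a duplicate"
    else
        iptables -A $spec
    fi
}

# Remove the exact rule again (use the same arguments as for apply_nfq_rule).
remove_nfq_rule() {
    valid_iface "$1" || { echo "bad interface name: $1" >&2; return 2; }
    spec=$(nfq_rule_spec "$1" "$2")
    iptables -D $spec
}

# Usage: apply_nfq_rule eth0 22    # before ./sbin/honeytrap ...
#        remove_nfq_rule eth0 22   # after stopping honeytrap
```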