Jul 27 2012

Glastopf is a web application honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: reply to the attacker with the response they would expect from the vulnerable web application they are trying to exploit.

This article mostly covers the installation, setup, usage, etc.

Installation

The installation wiki says to use Debian Squeeze so you could use php5-cgi > 5.4. However, apd will not build against php 5.4.4. Also, Debian Squeeze comes by default with Python 3.1 and 2.6, neither of which would let me build evnet. I worked around these issues in order to get a working installation.

Prerequisites

With a fully up to date Debian Squeeze minimal install in a VirtualBox image, I did these steps:

# Add "deb http://mirror.cse.iitk.ac.in/debian/ testing main contrib" to sources.list in order to get python2.7
echo "" >> /etc/apt/sources.list
echo "# temp required for python2.7" >> /etc/apt/sources.list
echo "deb http://mirror.cse.iitk.ac.in/debian/ testing main contrib" >> /etc/apt/sources.list
apt-get update
# this removes php-5.4.4
apt-get remove --purge php-pear php5 php5-dev php5-cli libapache2-mod-php5 php5-common
# this installs php-5.3.3-7
apt-get install php5=5.3.3-7+squeeze13 php5-dev=5.3.3-7+squeeze13 libapache2-mod-php5=5.3.3-7+squeeze13 php5-common=5.3.3-7+squeeze13 php5-cli=5.3.3-7+squeeze13 php-pear=5.3.3-7+squeeze13
# the other dependencies
apt-get install git subversion python2.7 python-openssl python2.7-dev build-essential make python-chardet python-mysqldb

Database Setup

I installed python-mysqldb above, and later I enable the module in the configuration file. For now we just create the database and the database user:

mysqladmin create glaspot
mysql -uroot -p -e "CREATE USER 'glaspot'@'localhost' IDENTIFIED BY 'mypass';"
mysql -uroot -p -e "grant select,insert,update,delete on glaspot.* to 'glaspot'@'localhost';"
mysql -uroot -p -e "flush privileges;"

Build Directory

I always create a /home/build directory to install anything from source.

mkdir -p /home/build
cd /home/build

Installing evnet

Download evnet using git:

git clone git://github.com/rep/evnet.git
cd evnet 
python2.7 setup.py install
cd /home/build

Installing Glastopf

Get the source from the Subversion repository:

svn co svn://glastopf.org:9090/glaspot glaspot

Installing APD

If you follow the installation wiki for apd, you will find that those steps won’t work because apd will not compile against php-5.4.x. This is why I forced the install of php-5.3.3 above. Here is what I did to get this to work, because apd also has trouble compiling against php-5.3. There are numerous bug reports and tickets for each version.

cd /home/build
svn co http://svn.php.net/repository/pecl/apd/trunk apd
cd apd/
phpize
./configure
make

When you run the make command above, you may get a build error. I forgot to log the error message, but it has to do with a change in the php-5.3 Zend code. The fix, which I found here, is this:

You ONLY need to do this if you get a build error above during the make step.  If you didn’t get a build error, skip to the next code block below.

Find this line in php_apd.c:
int apd_zend_startup(zend_extension *extension)

A few lines below it, comment out the first line shown here and add the second one after it (C does not treat "#" as a comment, so use a C comment):
// CG(extended_info) = 1; /* XXX: this is ridiculous */
CG(compiler_options) |= ZEND_COMPILE_EXTENDED_INFO;

make install

Next we need to configure our php.ini:

echo "" > /etc/php5/conf.d/apd
echo "zend_extension = /usr/lib/php5/20090626/apd.so" >> /etc/php5/conf.d/apd
echo "apd.dumpdir = /tmp/apd" >> /etc/php5/conf.d/apd
echo "apd.statement_tracing = 0" >> /etc/php5/conf.d/apd

Building the Sandbox

Go to the sandbox directory and create apd_sandbox.php by running make:

cd /home/build/glaspot/trunk/sandbox
make

Configure Glastopf

Set up the IP address and port for Glastopf, along with the database and database user credentials, in the file /home/build/glaspot/trunk/glastopf.cfg.

Create A Script to Run It

echo "#!/bin/sh" > /root/glaspot.sh
echo "cd /home/build/glaspot/trunk/" >> /root/glaspot.sh
echo "python2.7 webserver.py" >> /root/glaspot.sh
chmod 700 /root/glaspot.sh

Run the Honeypot:

/root/glaspot.sh

After you start up the honeypot, you should see the following:

Webserver running on: 0.0.0.0:8080 waiting for connections...
INFO:honeypot:Starting Glastopf
[feedcli] Connecting to feed broker...
[feedcli] Connected to hpfeed broker.
INFO:honeypot:HPFeeds started
INFO:honeypot:Glastopf instantiated and privileges dropped

Testing the Honeypot:

Use your web browser to visit your honeypot. You should see the following output on your honeypot's command line:

2012-07-27 11:57:53 192.168.130.98 requested GET / on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /
2012-07-27 11:57:53 192.168.130.98 requested GET /style.css on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /style.css
2012-07-27 11:57:53 192.168.130.98 requested GET /favicon.ico on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /favicon.ico

If you really want to test it, hack away. Out of curiosity about how it would look, I ran websecurify against the server. After 415 issues it crashed with a segfault at the exact same place three different times... so it is a bug in the honeypot.

INFO:honeypot:192.168.130.98 GET /mod*.php?pname='`"iyzZg
2012-07-27 12:07:45 192.168.130.98 requested GET /mod*.php?pname="'<iyzZg> on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /mod*.php?pname="'<iyzZg>
2012-07-27 12:07:45 192.168.130.98 requested GET /mod*.php?pname=javascript:f(iyzZg) on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /mod*.php?pname=javascript:f(iyzZg)
2012-07-27 12:07:45 192.168.130.98 requested GET /mod*.php?pname=" on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /mod*.php?pname="
Exception SystemError: 'null argument to internal routine' in ./start-honeypot.sh: line 2:  2985 Segmentation fault      python2.7 webserver.py
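Once the honeypot is running, the console lines above are the data you actually want to keep. The following parser is an added example (not part of Glastopf or this post) that reads the "requested" lines in the exact format printed above, counts requests per source address, and tags requests whose query string carries the quote, angle-bracket or javascript: tokens seen in the scanner run. The SAMPLE_LOG lines are constructed from the output shown on this page, and the SUSPICIOUS token list is my own assumption, not a Glastopf setting.

```python
import re
from collections import Counter

# Constructed sample of Glastopf console output, mirroring the two line shapes
# shown above: a "requested" line followed by an INFO:honeypot line.
SAMPLE_LOG = """\
2012-07-27 11:57:53 192.168.130.98 requested GET / on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /
2012-07-27 11:57:53 192.168.130.98 requested GET /style.css on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /style.css
2012-07-27 12:07:45 192.168.130.98 requested GET /mod*.php?pname=javascript:f(iyzZg) on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /mod*.php?pname=javascript:f(iyzZg)
2012-07-27 12:07:45 192.168.130.98 requested GET /mod*.php?pname=" on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /mod*.php?pname="
"""

# Matches only the "requested" lines; the INFO:honeypot lines repeat the same
# information and are skipped so each request is counted once.
REQUEST_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) requested "
    r"(?P<method>[A-Z]+) (?P<path>\S+) on (?P<dst>\S+)$"
)

# Assumed tokens that a benign request to this honeypot never carries; they
# only tag a record for review, they do not block anything.
SUSPICIOUS = ("'", '"', "<", ">", "`", "javascript:")


def parse_line(line):
    """Return a dict for a 'requested' line, or None for any other line."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["suspicious"] = any(tok in rec["path"] for tok in SUSPICIOUS)
    return rec


def summarize(text):
    """Count requests and tagged requests per source address."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    per_src = Counter(r["src"] for r in recs)
    tagged = Counter(r["src"] for r in recs if r["suspicious"])
    return {"requests": len(recs),
            "per_source": dict(per_src),
            "suspicious_per_source": dict(tagged)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```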