Glastopf is a web application honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: return the response the attacker expects from the web application being exploited.
This article mostly covers the installation, setup, usage, etc.
The installation wiki says to use Debian Squeeze, so that you can use php5-cgi > 5.4. However, apd will not build against php 5.4.4. Also, Debian Squeeze comes by default with Python 3.1 and 2.6, which would not let me build evnet either. I overcame these issues in order to get a working installation.
With a fully up-to-date Debian Squeeze minimal install in a VirtualBox image, I did these steps:
# Add "deb http://mirror.cse.iitk.ac.in/debian/ testing main contrib" to sources.list in order to get python2.7
echo "" >> /etc/apt/sources.list
echo "# temp required for python2.7" >> /etc/apt/sources.list
echo "deb http://mirror.cse.iitk.ac.in/debian/ testing main contrib" >> /etc/apt/sources.list
apt-get update
# this removes php-5.4.4
apt-get remove --purge php-pear php5 php5-dev php5-cli libapache2-mod-php5 php5-common
# this installs php-5.3.3-7
apt-get install php5=5.3.3-7+squeeze13 php5-dev=5.3.3-7+squeeze13 libapache2-mod-php5=5.3.3-7+squeeze13 php5-common=5.3.3-7+squeeze13 php5-cli=5.3.3-7+squeeze13 php-pear=5.3.3-7+squeeze13
# the other dependencies
apt-get install git subversion python2.7 python-openssl python2.7-dev build-essential make python-chardet python-mysqldb
I enabled python-mysqldb above, and later I enable the module in the configuration file. For now we just create the database and the DB user:
mysqladmin create glaspot
mysql -uroot -p -e "CREATE USER 'glaspot'@'localhost' IDENTIFIED BY 'mypass';"
mysql -uroot -p -e "grant select,insert,update,delete on glaspot.* to 'glaspot'@'localhost';"
mysql -uroot -p -e "flush privileges;"
I always create a /home/build directory to install anything from source.
mkdir -p /home/build
cd /home/build
Download evnet using git:
git clone git://github.com/rep/evnet.git
cd evnet
python2.7 setup.py install
cd /home/build
Get the Glastopf source from the Subversion repository:
svn co svn://glastopf.org:9090/glaspot glaspot
If you follow the installation wiki for apd, you will find that those steps won't work because apd will not compile against php-5.4.x. This is why I forced the install of php-5.3.3 above. Here is what I did to get this to work, because apd also has trouble compiling against php-5.3. There are numerous bug reports and tickets for each version.
cd /home/build
svn co http://svn.php.net/repository/pecl/apd/trunk apd
cd apd/
phpize
./configure
make
When you run the make command above, you may get a build error. I forgot to log the error message, but it has to do with a change in the PHP 5.3 Zend engine. The fix is this, which I found here:
You ONLY need to do this if you get a build error during the make step above. If you didn't get a build error, skip to the next code block below.
Find this line in php_apd.c:
int apd_zend_startup(zend_extension *extension)
Close to right under it, comment out the following line (C comment syntax, not a shell `#`) and add the one after it:
// CG(extended_info) = 1; /* XXX: this is ridiculous */
CG(compiler_options) |= ZEND_COMPILE_EXTENDED_INFO;
Next we need to configure our php.ini:
echo "" > /etc/php5/conf.d/apd
echo "zend_extension = /usr/lib/php5/20090626/apd.so" >> /etc/php5/conf.d/apd
echo "apd.dumpdir = /tmp/apd" >> /etc/php5/conf.d/apd
echo "apd.statement_tracing = 0" >> /etc/php5/conf.d/apd
Building the Sandbox
Go to the sandbox directory and create apd_sandbox.php with:
cd /home/build/glaspot/trunk/sandbox
make
Set up the IP address and port for Glastopf, along with the database name and database user credentials, in the file /home/build/glaspot/trunk/glastopf.cfg.
Create a Script to Run It
echo "cd /home/build/glaspot/trunk/" > /root/glaspot.sh
echo "python2.7 webserver.py" >> /root/glaspot.sh
chmod 700 /root/glaspot.sh
Run the Honeypot:
After you start up the honeypot, you should see the following:
Webserver running on: 0.0.0.0:8080
waiting for connections...
INFO:honeypot:Starting Glastopf
[feedcli] Connecting to feed broker...
[feedcli] Connected to hpfeed broker.
INFO:honeypot:HPFeeds started
INFO:honeypot:Glastopf instantiated and privileges dropped
Testing the Honeypot:
Use your web browser to visit your honeypot. You should see the following output on your honeypot's command line:
2012-07-27 11:57:53 192.168.130.98 requested GET / on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /
2012-07-27 11:57:53 192.168.130.98 requested GET /style.css on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /style.css
2012-07-27 11:57:53 192.168.130.98 requested GET /favicon.ico on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /favicon.ico
If you really want to test it, hack away. Out of curiosity about how it would look, I ran websecurify against the server. After 415 issues it crashed with a segfault at the exact same place three different times, so it is a bug in the honeypot.
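Once the honeypot is running, the console output above is the quickest place to see who is poking at it. As an added example (not part of this post or of Glastopf itself), here is a small Python parser for the "requested ... on ..." access lines in the format shown above; the line format is assumed from that output, and the sample log embedded in the script is constructed for this example, the browser visit from above plus two scanner-style probes from a made-up source address. It aggregates requests per source and flags sources that send more than a single request and touch a path with a query string, traversal or percent-encoding, which is a crude way to separate a curious browser from an automated scanner.

```python
import re
from collections import Counter, defaultdict

# Access record as Glastopf prints it to the console (format taken from the
# output shown in this post; the duplicate "INFO:honeypot:" lines are ignored).
ACCESS_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) requested "
    r"(?P<method>[A-Z]+) (?P<path>\S+) on "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)

# Constructed sample log: the three browser lines from above, plus two probes
# from an invented scanner address (203.0.113.7 is a documentation range).
SAMPLE_LOG = """\
2012-07-27 11:57:53 192.168.130.98 requested GET / on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /
2012-07-27 11:57:53 192.168.130.98 requested GET /style.css on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /style.css
2012-07-27 11:57:53 192.168.130.98 requested GET /favicon.ico on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /favicon.ico
2012-07-27 12:03:10 203.0.113.7 requested GET /index.php?page=../../../../etc/passwd on 192.168.130.100:8080
INFO:honeypot:203.0.113.7 GET /index.php?page=../../../../etc/passwd
2012-07-27 12:03:11 203.0.113.7 requested POST /admin/login.php on 192.168.130.100:8080
INFO:honeypot:203.0.113.7 POST /admin/login.php
this line is not an access record
"""


def parse_access_line(line):
    """Return the fields of one access record, or None for any other line
    (INFO: duplicates, the startup banner, blank or garbled lines)."""
    m = ACCESS_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    """Parse a whole console capture into a list of access records."""
    return [rec for rec in (parse_access_line(l) for l in text.splitlines()) if rec]


def summarize(records):
    """Request count per source IP, and the distinct paths each source
    requested in first-seen order."""
    per_src = Counter(r["src"] for r in records)
    paths = defaultdict(list)
    for r in records:
        if r["path"] not in paths[r["src"]]:
            paths[r["src"]].append(r["path"])
    return per_src, dict(paths)


def flag_sources(records, min_requests=2, markers=("..", "?", "%")):
    """Sources with at least min_requests requests that touched a path
    containing a traversal, query string or percent-encoding. A plain browser
    visit (/, /style.css, /favicon.ico) does not trip this; a scanner does."""
    per_src, paths = summarize(records)
    return sorted(
        src for src, count in per_src.items()
        if count >= min_requests
        and any(any(mk in p for mk in markers) for p in paths[src])
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    counts, seen = summarize(recs)
    for src, n in counts.most_common():
        print("%-16s %d request(s): %s" % (src, n, ", ".join(seen[src])))
    print("flagged:", flag_sources(recs))
```

In practice you would feed it the captured console output (or the log the webserver writes) rather than the embedded sample; the thresholds and markers are deliberately simple and are there to be tuned against what your own instance actually sees.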