Glastopf is a web application honeypot that emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is simple: reply to the attacker with the response the exploited web application would have given.
This article mostly covers installation, setup and usage.
Installation
The installation wiki says to use Debian Squeeze so you could use php5-cgi > 5.4. However, apd will not build against php 5.4.4. Also, Debian Squeeze comes by default with Python 3.1 and 2.6, which would not let me build evnet either. I worked around both issues to get a working installation.
Prerequisites
With a fully up-to-date Debian Squeeze minimal install in a VirtualBox image, I did these steps:
[codesyntax lang=”bash”]
# Add "deb http://mirror.cse.iitk.ac.in/debian/ testing main contrib" to sources.list in order to get python2.7
echo "" >> /etc/apt/sources.list
echo "# temp required for python2.7" >> /etc/apt/sources.list
echo "deb http://mirror.cse.iitk.ac.in/debian/ testing main contrib" >> /etc/apt/sources.list
apt-get update
# this removes php-5.4.4
apt-get remove --purge php-pear php5 php5-dev php5-cli libapache2-mod-php5 php5-common
# this installs php-5.3.3-7
apt-get install php5=5.3.3-7+squeeze13 php5-dev=5.3.3-7+squeeze13 libapache2-mod-php5=5.3.3-7+squeeze13 php5-common=5.3.3-7+squeeze13 php5-cli=5.3.3-7+squeeze13 php-pear=5.3.3-7+squeeze13
# the other dependencies
apt-get install git subversion python2.7 python-openssl python2.7-dev build-essential make python-chardet python-mysqldb
[/codesyntax]
Database Setup
I installed python-mysqldb above, and later I enable the MySQL module in the configuration file. For now we just create the database and the database user:
[codesyntax lang=”bash”]
mysqladmin create glaspot
mysql -uroot -p -e "CREATE USER 'glaspot'@'localhost' IDENTIFIED BY 'mypass';"
mysql -uroot -p -e "grant select,insert,update,delete on glaspot.* to 'glaspot'@'localhost';"
mysql -uroot -p -e "flush privileges;"
[/codesyntax]
Build Directory
I always create a /home/build directory to install anything from source.
[codesyntax lang=”bash”]
mkdir -p /home/build
cd /home/build
[/codesyntax]
Installing evnet
Download evnet using git:
[codesyntax lang=”bash”]
git clone git://github.com/rep/evnet.git
cd evnet
python2.7 setup.py install
cd /home/build
[/codesyntax]
Installing Glastopf
Get the source from the Subversion repository:
[codesyntax lang=”bash”]
svn co svn://glastopf.org:9090/glaspot glaspot
[/codesyntax]
Installing APD
If you follow the installation wiki for apd, you will find that its steps do not work because apd will not compile against php-5.4.x. This is why I forced the install of php-5.3.3 above. Even so, apd also has trouble compiling against php-5.3 (there are numerous bug reports and tickets for each version), so here is what I did to get it to build.
[codesyntax lang=”bash”]
cd /home/build
svn co http://svn.php.net/repository/pecl/apd/trunk apd
cd apd/
phpize
./configure
make
[/codesyntax]
When you run the make command above, you may get a build error. I forgot to log the error message, but it has to do with a change in the php-5.3 zend framework. The fix is this, which I found here:
You ONLY need to do this if you got a build error during the make step above. If you did not get a build error, skip to the next code block below.
Find this line in php_apd.c:
[codesyntax lang=”c”]
int apd_zend_startup(zend_extension *extension)
[/codesyntax]
A few lines below it, comment out the first line shown here (php_apd.c is C, so the comment marker is //, not #) and add the second line after it:
[codesyntax lang=”c”]
// CG(extended_info) = 1; /* XXX: this is ridiculous */
CG(compiler_options) |= ZEND_COMPILE_EXTENDED_INFO;
[/codesyntax]
[codesyntax lang=”bash”]
make install
[/codesyntax]
Next we need to tell PHP to load the APD extension by adding a file under /etc/php5/conf.d:
[codesyntax lang=”bash”]
echo "" > /etc/php5/conf.d/apd
echo "zend_extension = /usr/lib/php5/20090626/apd.so" >> /etc/php5/conf.d/apd
echo "apd.dumpdir = /tmp/apd" >> /etc/php5/conf.d/apd
echo "apd.statement_tracing = 0" >> /etc/php5/conf.d/apd
[/codesyntax]
Building the Sandbox
Go to the sandbox directory and build apd_sandbox.php with make:
[codesyntax lang=”bash”]
cd /home/build/glaspot/trunk/sandbox
make
[/codesyntax]
Configure Glastopf
Set the IP address and port for Glastopf, along with the database name and the database user credentials, in the file /home/build/glaspot/trunk/glastopf.cfg
Create A Script to Run It
[codesyntax lang=”bash”]
echo "cd /home/build/glaspot/trunk/" > /root/glaspot.sh
echo "python2.7 webserver.py" >> /root/glaspot.sh
chmod 700 /root/glaspot.sh
[/codesyntax]
Run the Honeypot:
[codesyntax lang=”bash”]
/root/glaspot.sh
[/codesyntax]
After you start up the honeypot, you should see the following:
[codesyntax lang=”bash”]
Webserver running on: 0.0.0.0:8080 waiting for connections...
INFO:honeypot:Starting Glastopf
[feedcli] Connecting to feed broker...
[feedcli] Connected to hpfeed broker.
INFO:honeypot:HPFeeds started
INFO:honeypot:Glastopf instantiated and privileges dropped
[/codesyntax]
Testing the Honeypot:
Use your web browser to visit your honeypot. You should see the following output on the honeypot's command line:
[codesyntax lang=”bash”]
2012-07-27 11:57:53 192.168.130.98 requested GET / on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /
2012-07-27 11:57:53 192.168.130.98 requested GET /style.css on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /style.css
2012-07-27 11:57:53 192.168.130.98 requested GET /favicon.ico on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /favicon.ico
[/codesyntax]
If you really want to test it, hack away. Out of curiosity about how it would look, I ran websecurify against the server. After 415 issues it crashed with a segfault at the exact same place three different times, so it is a bug in the honeypot.
[codesyntax lang=”bash”]
INFO:honeypot:192.168.130.98 GET /mod*.php?pname='`"iyzZg
2012-07-27 12:07:45 192.168.130.98 requested GET /mod*.php?pname="'<iyzZg> on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /mod*.php?pname="'<iyzZg>
2012-07-27 12:07:45 192.168.130.98 requested GET /mod*.php?pname=javascript:f(iyzZg) on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /mod*.php?pname=javascript:f(iyzZg)
2012-07-27 12:07:45 192.168.130.98 requested GET /mod*.php?pname=" on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /mod*.php?pname="
Exception SystemError: 'null argument to internal routine' in
./start-honeypot.sh: line 2:  2985 Segmentation fault      python2.7 webserver.py
[/codesyntax]
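Once real traffic hits the honeypot, the console output above is the first thing you will want to digest. Here is an added example (my own code for this article, not part of Glastopf) that parses the "requested ... on ..." lines in the format shown above, counts requests per source address, flags request paths that contain characters typical of the probes seen in the websecurify run, and notices the segfault line so a watchdog could restart the process. The sample log lines are constructed from the excerpts above, and the list of flagged characters is an assumption for the example rather than any Glastopf rule.

```python
import re
from collections import Counter, defaultdict

# Pattern for the "requested" lines Glastopf prints on its console; the
# format is taken from the log excerpts in this article.
REQUEST_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) requested "
    r"(?P<method>[A-Z]+) (?P<path>\S+) on (?P<dst>\S+)$"
)

# Assumed list of tokens worth flagging when reviewing honeypot traffic
# (quotes, angle brackets, backticks, javascript: URLs). This is a choice
# made for the example, not a rule from Glastopf.
SUSPICIOUS_TOKENS = ("'", '"', "<", ">", "`", "javascript:")


def parse_line(line):
    """Return a dict for a 'requested' console line, or None for other lines."""
    m = REQUEST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["suspicious"] = any(tok in rec["path"] for tok in SUSPICIOUS_TOKENS)
    return rec


def summarize(lines):
    """Aggregate request counts per source, flagged paths, and crash markers."""
    per_source = Counter()
    suspicious = defaultdict(list)
    crashed = False
    for line in lines:
        # The shell reports a crash of webserver.py on the console too.
        if "Segmentation fault" in line:
            crashed = True
        rec = parse_line(line)
        if rec is None:
            continue
        per_source[rec["src"]] += 1
        if rec["suspicious"]:
            suspicious[rec["src"]].append(rec["path"])
    return {
        "per_source": dict(per_source),
        "suspicious": dict(suspicious),
        "crashed": crashed,
    }


# Constructed sample console output, assembled from the excerpts above.
SAMPLE_LOG = [
    "2012-07-27 11:57:53 192.168.130.98 requested GET / on 192.168.130.100:8080",
    "INFO:honeypot:192.168.130.98 GET /",
    "2012-07-27 11:57:53 192.168.130.98 requested GET /style.css on 192.168.130.100:8080",
    "INFO:honeypot:192.168.130.98 GET /style.css",
    '2012-07-27 12:07:45 192.168.130.98 requested GET /mod*.php?pname="\'<iyzZg> on 192.168.130.100:8080',
    "INFO:honeypot:192.168.130.98 GET /mod*.php?pname=\"'<iyzZg>",
    "2012-07-27 12:07:45 192.168.130.98 requested GET /mod*.php?pname=javascript:f(iyzZg) on 192.168.130.100:8080",
    "./start-honeypot.sh: line 2:  2985 Segmentation fault      python2.7 webserver.py",
]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, count in sorted(report["per_source"].items()):
        print("%s: %d requests, %d flagged" % (src, count, len(report["suspicious"].get(src, []))))
        for path in report["suspicious"].get(src, []):
            print("    flagged: %s" % path)
    if report["crashed"]:
        print("honeypot process crashed; restart it and keep the log for a bug report")
```

Feed it the honeypot's console output (for example `python2.7 webserver.py 2>&1 | tee glastopf.log`, then `summarize(open("glastopf.log"))`) and you get a per-source view of what scanners are throwing at the honeypot plus a simple signal that the process died, which is exactly the failure mode seen in the websecurify run above.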