ED Wiget Dot name

infosec, information secur, digital forensics, hacking, system administration, linux blog


Glastopf is a web application honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: reply to the attacker with the response they expect from a vulnerable web application, so they keep going and the honeypot keeps collecting.

This article mostly covers installation, setup and usage.
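To make that principle concrete, here is a toy web honeypot written for this article (it is not Glastopf's code). It matches each request against a small table of emulated vulnerability classes, answers with the canned response such an application would give, and records the attempt as a structured log entry. The pattern table, the class names and the response bodies are this example's own assumptions, chosen to illustrate the idea rather than copied from the project.

```python
"""Toy web-application honeypot illustrating the principle described above:
recognise which vulnerability class a request is probing for, answer with the
response such an application would give, and record the attempt.  This is an
added example for this article, not Glastopf's code; the pattern table and the
canned responses are this example's own (hypothetical) assumptions."""
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Hypothetical emulation table: (class name, pattern, canned response body).
# Order matters: the first matching entry wins.
EMULATIONS = [
    # remote file inclusion: a query parameter whose value is a URL
    ("rfi", re.compile(r"=(?:https?|ftp)://", re.I),
     "<!-- remote include emulated; nothing was fetched -->\n"),
    # local file inclusion / directory traversal probe
    ("lfi", re.compile(r"(?:\.\./){2,}|/etc/passwd"),
     "root:x:0:0:root:/root:/bin/bash\n"),
    # SQL-injection probe: a quote character inside a parameter value
    ("sqli", re.compile(r"""=[^&]*['"]"""),
     "You have an error in your SQL syntax\n"),
]
NOT_FOUND = "<html><body><h1>Not Found</h1></body></html>\n"


def classify(target):
    """Return (vuln_class, http_status, body) for a raw request target."""
    decoded = unquote(target)          # payloads are usually percent-encoded
    for name, pattern, body in EMULATIONS:
        if pattern.search(decoded):
            return name, 200, body
    return "none", 404, NOT_FOUND


def handle(src, method, target, log):
    """Classify one request, append a structured record to `log` (a list
    standing in for the honeypot's database) and return (status, body)."""
    name, status, body = classify(target)
    log.append({"src": src, "method": method, "target": target,
                "emulated": name, "status": status})
    return status, body


class HoneypotHandler(BaseHTTPRequestHandler):
    log = []                           # shared across requests in this process

    def do_GET(self):
        status, body = handle(self.client_address[0], "GET", self.path, self.log)
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):
        # one JSON line per request instead of the default access-log format
        if self.log:
            print(json.dumps(self.log[-1]))


if __name__ == "__main__":
    # Listen on loopback only for a local trial; the real honeypot's startup
    # banner reports 0.0.0.0:8080.
    HTTPServer(("127.0.0.1", 8080), HoneypotHandler).serve_forever()
```

Run it and point a browser at http://127.0.0.1:8080/ to see the JSON records; anything that is not a recognised probe gets a plain 404, which is what keeps the emulation believable. The important design point is that `classify` is a pure function of the request, so the emulation table can be tested and extended without touching the server code.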

Installation

The installation wiki says to use Debian Squeeze so that you can use php5-cgi > 5.4. However, apd will not build against php 5.4.4. Also, Debian Squeeze ships by default with Python 3.1 and 2.6, which would not let me build evnet either. I overcame these issues in order to get a working installation.

Prerequisites

With a fully up-to-date Debian Squeeze minimal install in a VirtualBox image, I did these steps:

[codesyntax lang=”bash”]

# Add "deb http://mirror.cse.iitk.ac.in/debian/ testing main contrib" to sources.list in order to get python2.7
echo "" >> /etc/apt/sources.list
echo "# temp required for python2.7" >> /etc/apt/sources.list
echo "deb http://mirror.cse.iitk.ac.in/debian/ testing main contrib" >> /etc/apt/sources.list
apt-get update
# this removes php-5.4.4
apt-get remove --purge php-pear php5 php5-dev php5-cli libapache2-mod-php5 php5-common
# this installs php-5.3.3-7
apt-get install php5=5.3.3-7+squeeze13 php5-dev=5.3.3-7+squeeze13 libapache2-mod-php5=5.3.3-7+squeeze13 php5-common=5.3.3-7+squeeze13 php5-cli=5.3.3-7+squeeze13 php-pear=5.3.3-7+squeeze13
# the other dependencies
apt-get install git subversion python2.7 python-openssl python2.7-dev build-essential make python-chardet python-mysqldb

[/codesyntax]

Database Setup

I installed python-mysqldb above and will enable the module in the configuration file later. For now we just create the database and its user:

[codesyntax lang=”bash”]

# authenticate as the MySQL root user, as the commands below do
mysqladmin -uroot -p create glaspot
# replace 'mypass' with a password of your own
mysql -uroot -p -e "CREATE USER 'glaspot'@'localhost' IDENTIFIED BY 'mypass';"
# the honeypot only needs row-level rights on its own database
mysql -uroot -p -e "grant select,insert,update,delete on glaspot.* to 'glaspot'@'localhost';"
mysql -uroot -p -e "flush privileges;"

[/codesyntax]

Build Directory

I always create a /home/build directory to install anything from source.

[codesyntax lang=”bash”]

mkdir -p /home/build
cd /home/build

[/codesyntax]

Installing evnet

Download evnet using git:

[codesyntax lang=”bash”]

git clone git://github.com/rep/evnet.git
cd evnet 
python2.7 setup.py install
cd /home/build

[/codesyntax]

Installing Glastopf

Get the source from the Subversion repository:

[codesyntax lang=”bash”]

svn co svn://glastopf.org:9090/glaspot glaspot

[/codesyntax]

Installing APD

If you follow the installation wiki for apd, you will find that those steps won't work because apd will not compile against php-5.4.x. This is why I forced the install of php-5.3.3 above. Here is what I did to get this to work, because apd also has trouble compiling against php-5.3. There are numerous bug reports and tickets for each version.

[codesyntax lang=”bash”]

cd /home/build
svn co http://svn.php.net/repository/pecl/apd/trunk apd
cd apd/
phpize
./configure
make

[/codesyntax]

When you run the make command above, you may get a build error. I forgot to log the error message, but it has to do with a change in the Zend Engine in php-5.3. The fix is this, which I found here:

You ONLY need to do this if you get a build error during the make step above. If you didn't get a build error, skip to the next code block below.

Find this line in php_apd.c:

[codesyntax lang=”c”]

int apd_zend_startup(zend_extension *extension)

[/codesyntax]

A few lines below it, comment out the first line and add the second one. Use a C comment for this, not a shell-style #, which the C preprocessor would reject:

[codesyntax lang=”c”]

/* CG(extended_info) = 1; */ /* XXX: this is ridiculous */
CG(compiler_options) |= ZEND_COMPILE_EXTENDED_INFO;

[/codesyntax]

[codesyntax lang=”bash”]

make install

[/codesyntax]

Next we need to configure our php.ini:

[codesyntax lang=”bash”]

# PHP only scans conf.d for files ending in .ini, so name the file accordingly
echo "" > /etc/php5/conf.d/apd.ini
echo "zend_extension = /usr/lib/php5/20090626/apd.so" >> /etc/php5/conf.d/apd.ini
echo "apd.dumpdir = /tmp/apd" >> /etc/php5/conf.d/apd.ini
echo "apd.statement_tracing = 0" >> /etc/php5/conf.d/apd.ini
# make sure the dump directory exists
mkdir -p /tmp/apd

[/codesyntax]

Building the Sandbox

Go to the sandbox directory and build apd_sandbox.php with make:

[codesyntax lang=”bash”]

cd /home/build/glaspot/trunk/sandbox
make

[/codesyntax]

Configure Glastopf

Set up the IP address and port for Glastopf, along with the database name and database user credentials, in the file /home/build/glaspot/trunk/glastopf.cfg

Create A Script to Run It

[codesyntax lang=”bash”]

echo "#!/bin/sh" > /root/glaspot.sh
echo "cd /home/build/glaspot/trunk/" >> /root/glaspot.sh
echo "python2.7 webserver.py" >> /root/glaspot.sh
# only root needs to read or run this script
chmod 700 /root/glaspot.sh

[/codesyntax]

Run the Honeypot:

[codesyntax lang=”bash”]

/root/glaspot.sh

[/codesyntax]

After you start up the honeypot, you should see the following:

[codesyntax lang=”bash”]

Webserver running on: 0.0.0.0:8080 waiting for connections...
INFO:honeypot:Starting Glastopf
[feedcli] Connecting to feed broker...
[feedcli] Connected to hpfeed broker.
INFO:honeypot:HPFeeds started
INFO:honeypot:Glastopf instantiated and privileges dropped

[/codesyntax]

Testing the Honeypot:

Use your web browser to visit your honeypot. You should see the following output on your honeypot's command line:

[codesyntax lang=”bash”]

2012-07-27 11:57:53 192.168.130.98 requested GET / on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /
2012-07-27 11:57:53 192.168.130.98 requested GET /style.css on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /style.css
2012-07-27 11:57:53 192.168.130.98 requested GET /favicon.ico on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /favicon.ico

[/codesyntax]

If you really want to test it, hack away. Out of curiosity about how it would look, I ran Websecurify against the server. After 415 issues it crashed with a segfault at the exact same place three different times, so it is a bug in the honeypot.

[codesyntax lang=”bash”]

INFO:honeypot:192.168.130.98 GET /mod*.php?pname='`"iyzZg
2012-07-27 12:07:45 192.168.130.98 requested GET /mod*.php?pname="'<iyzZg> on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /mod*.php?pname="'<iyzZg>
2012-07-27 12:07:45 192.168.130.98 requested GET /mod*.php?pname=javascript:f(iyzZg) on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /mod*.php?pname=javascript:f(iyzZg)
2012-07-27 12:07:45 192.168.130.98 requested GET /mod*.php?pname=" on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /mod*.php?pname="
Exception SystemError: 'null argument to internal routine' in ./start-honeypot.sh: line 2:  2985 Segmentation fault      python2.7 webserver.py

[/codesyntax]
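The console output above is useful raw material, but you will want it in a structured form to see who is probing what and to notice when the process dies, as it did here. The following is an added example written for this article (not Glastopf code): it parses the `requested` lines into records, flags targets that carry injection-style payloads, and reports whether a crash line was seen. The sample lines are copied from the output shown in this article, and the patterns used to mark a request as suspicious are this example's own assumptions.

```python
"""Parse the honeypot's console output (the format shown above) into structured
records, flag requests carrying injection-style payloads, and notice when the
process has died.  Added example for this article, not Glastopf code; the
sample lines are copied from the output shown above and the 'suspicious'
patterns are this example's own assumptions."""
import re
from collections import Counter

REQUEST_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<src>\S+) requested "
    r"(?P<method>[A-Z]+) (?P<target>\S+) on (?P<dst>\S+)$")
# Quote/angle-bracket fuzzing, javascript: URIs, traversal and remote includes.
SUSPICIOUS_RE = re.compile(r"""['"<>]|javascript:|\.\./|=https?://""", re.I)
CRASH_RE = re.compile(r"Segmentation fault|Exception SystemError")

# Constructed sample: lines taken from the console output shown in this article.
SAMPLE_LOG = """\
2012-07-27 11:57:53 192.168.130.98 requested GET / on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /
2012-07-27 11:57:53 192.168.130.98 requested GET /style.css on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /style.css
2012-07-27 12:07:45 192.168.130.98 requested GET /mod*.php?pname="'<iyzZg> on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /mod*.php?pname="'<iyzZg>
2012-07-27 12:07:45 192.168.130.98 requested GET /mod*.php?pname=javascript:f(iyzZg) on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /mod*.php?pname=javascript:f(iyzZg)
2012-07-27 12:07:45 192.168.130.98 requested GET /mod*.php?pname=" on 192.168.130.100:8080
INFO:honeypot:192.168.130.98 GET /mod*.php?pname="
Exception SystemError: 'null argument to internal routine' in ./start-honeypot.sh: line 2:  2985 Segmentation fault      python2.7 webserver.py
"""


def parse_log(text):
    """Return (records, crashed).  Only the 'requested' lines become records;
    the INFO:honeypot lines repeat the same request and are skipped."""
    records, crashed = [], False
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["suspicious"] = bool(SUSPICIOUS_RE.search(rec["target"]))
            records.append(rec)
        elif CRASH_RE.search(line):
            crashed = True
    return records, crashed


def summarize(records):
    """Map each source address to (total requests, suspicious requests)."""
    total = Counter(r["src"] for r in records)
    flagged = Counter(r["src"] for r in records if r["suspicious"])
    return {src: (total[src], flagged.get(src, 0)) for src in total}


if __name__ == "__main__":
    recs, crashed = parse_log(SAMPLE_LOG)
    for src, (n, bad) in summarize(recs).items():
        print(f"{src}: {n} requests, {bad} suspicious")
    if crashed:
        print("honeypot process died; a supervisor should restart it")
```

On the sample above this reports five requests from 192.168.130.98, three of them flagged, and a crash. Feeding the real console output through `parse_log` (for example by redirecting `/root/glaspot.sh` into a file) gives you the same per-source view, and the `crashed` flag is the hook for a watchdog that restarts the honeypot, since an unattended honeypot that has segfaulted collects nothing.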
