PhoneyC honeyclient

Overview

Let me introduce PhoneyC - pure Python honeyclient implementation.

It is a perspective project and it has a huge potential. All features and advantages are described in a corresponding article. Briefly, PhoneyC is a low interaction, virtual honeyclient that emulates the core functionality of a web client and emulates specific vulnerabilities to pinpoint the attack vector.

It consists of two core components - a simple web crawler (honeywalk.py) and an analysis engine (honeyclient.py) with all required auxiliary modules. Further I'll describe installation and usage procedures.

Installation

As a sample platform I'm using Ubuntu 9.04 Jaunty Jackalope for x84-64 processor. Following the README instructions we have to install python 2.3 and upper, clamav, spidermonkey, vb2py and curl (it is not mentioned in the README file, but it is used internally by the analysis engine):

$ sudo apt-get install clamav spidermonkey-bin

Python is already installed in the system by default. vb2py functionality is not using right now in the project trunk, but I hope that it will be fixed in the near future.

Also symlinks should be created (now all paths are hardcoded in the project). And for correct ClamAV scanning a 'clamd' directory should be created in '/tmp'.

$ sudo mkdir -p /usr/local/bin
$ sudo ln -s /usr/bin/smjs /usr/local/bin/js
$ sudo ln -s /usr/bin/clamscan /usr/local/bin/clamdscan
$ mkdir /tmp/clamd

And of course the project should be checked out:

svn co http://phoneyc.googlecode.com/svn/phoneyc/trunk phoneyc

That is all! I think in near future the process of installation will be reduced and egg-file will be created. But the project is in the heavy development now and there are other features that should be implemented first.

Usage

It is difficult to find a sites in a wild that will be recognized by PhoneyC now. Although it has a good database with vulnerabilities, these vulnerabilities is not using so often now. But I hope that in the future the database will be actual enough for finding infected sites in a wild (actually, it is a one of the goals of the project). So for now let just use a tests that are provided with the project.

All tests are located in the 'tests' directory. First of all, test a HTML-file via file://-locator:

nuald@nuald-laptop:~/workspace/phoneyc/trunk$ python honeywalk.py file://`pwd`/tests/toshiba.html
/home/nuald/workspace/phoneyc/trunk/honeyclient.py:6: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import md5, popen2, os, re, sets
/home/nuald/workspace/phoneyc/trunk/honeyclient.py:6: DeprecationWarning: The popen2 module is deprecated.  Use the subprocess module.
  import md5, popen2, os, re, sets
/home/nuald/workspace/phoneyc/trunk/honeyclient.py:6: DeprecationWarning: the sets module is deprecated
  import md5, popen2, os, re, sets
HoneyWalk started at Fri Jun 19 09:11:23 2009 UTC
===> file:///home/nuald/workspace/phoneyc/trunk/tests/toshiba.html  []
('Toshiba Surveillance oveflow in SetPort()\n', '', 'bf17c0466b197fd26f9203cae6ea2523') {'ClamAV': ('dde847a073d02b06644d6602fc224810', 'OK')}

Please notice that the honeywalk.py script requires a full URI to the file (that's why I used `pwd` command). And ignore deprecation warnings - Ubuntu is shipped with the Python 2.6 and PhoneyC project is not ported to it yet.

Now let's check a web site. Run a simple site with SimpleHTTPServer module:

nuald@nuald-laptop:~/workspace/phoneyc/trunk$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...

And check a HTML page via HTTP:

nuald@nuald-laptop:~/workspace/phoneyc/trunk$ python honeywalk.py http://localhost:8000/tests/xupload.html
/home/nuald/workspace/phoneyc/trunk/honeyclient.py:6: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import md5, popen2, os, re, sets
/home/nuald/workspace/phoneyc/trunk/honeyclient.py:6: DeprecationWarning: The popen2 module is deprecated.  Use the subprocess module.
  import md5, popen2, os, re, sets
/home/nuald/workspace/phoneyc/trunk/honeyclient.py:6: DeprecationWarning: the sets module is deprecated
  import md5, popen2, os, re, sets
HoneyWalk started at Fri Jun 19 09:18:06 2009 UTC
===> http://localhost:8000/tests/xupload.html  []
('XUpload overflow in AddFolder()\n', '', '1d53a3556ec686912fa58bf97d3be7b5') {'ClamAV': ('a1877275c721080a3bb49fbca9282e3e', 'OK')}

That's all for now. I hope that the project will be growning and gain a much popularity.

Comments

Post a Comment

Popular posts from this blog

Web application framework comparison by memory consumption

Memory consumption is slightly specific to my area of software development now, but I did some research recently and maybe these results can be useful for others. Of course, I know that precious comparison is very difficult to carry out, but actually I needed only overall picture. And let me admit that results are pretty interesting and even frustrated (at least for me). As a basis I took so-starving project, and measured initial RSS (Resident Set Size) of the each process (local development webservers). Platform: x86_64 Linux (latest Ubuntu with all updates). As a reference, here is the RSS of the interpreters in interactive console mode: Interpreter Version RSS (kB) stackless python 2.6.4 3916 ruby (via irb) 1.8.7 4664 python 2.7.1 5624 php 5.3.5 6924 v8 (via node.js shell) 2.5.9.9 8796 One more reference - the most simplest WSGI app ( example  in the Python documentation). It's RSS: 7336 Kb , so I assume it's almost impossible to consume l
Read more

Trac Ticket Workflow

Trac is the wiki and issue tracking system that is the most used for my software development projects. Let me share few hints about its ticket workflow, especially about the statuses, the roles of the participants, and let me give an example of the workflow config. But if you are interested in other things like Trac plugins, source browser, customizing, etc, let me know. All the information given below regards the workflow described at the end of the article. The original Trac workflow is missed vital features like the support for ticket verifying, or the required ticket statuses range, so I do not use it in my projects. The description of the main statuses: new - the ticket has been created; in-progress - the developer has began to work with the ticket; fixed - the ticket is fixed (the problem issued in the ticket is solved); verified - the ticket is verified (tester or PM has verified that the ticket is fixed correctly); closed - the ticket is closed (it's not
Read more

Shellcode detection using libemu

Shellcode can be seen as a list of instructions that has been developed in a manner that allows it to be injected in an application during runtime. Each security researcher face the shellcodes during their work, and in this article I'll show how to detect shellcodes using Python (via libemu Python binding). Few words about libemu : libemu is a small library written in C offering basic x86 emulation and shellcode detection using GetPC heuristics. Intended use is within network intrusion/prevention detections and honeypots. The information on the site is not actual in some places, so I'll give direct and clear instruction how to get and install libemu. Clone the git repository: $ git clone git://git.carnivore.it/libemu.git Firstly, configure, make and install libemu itself (without binding): $ autoreconf -v -i $ ./configure --prefix=/opt/libemu $ make $ sudo make install If you set up prefix as shown above, you have to add the library path to /etc/ld.so.conf file
Read more