{kippo users} Mercury LiveCD


AndrewWaite

Sep 10, 2010, 7:53:49 AM
to kippo users
All,

sure many of you will already be aware from following the Nepenthes
mailing list, but this may be useful information to some.

John Moore has released the first version of Mercury LiveDVD, which is
a Ubuntu distribution containing Nepenthes, Dionaea, Kippo and several
analysis tools in a single live boot offering. I haven't had much
chance to take a look yet but the idea seems promising and should
hopefully reduce deployment and configuration times required for new
honeypot sensors.

New mirrors are popping up at an impressive rate so I won't try to
list them here, find mirrors and follow the conversation on the
Nepenthes mailing list (archives here:
http://sourceforge.net/mailarchive/forum.php?thread_name=AANLkTimFMdgYeO3Miu0R6BnLFobmOCmDmiaXkNeMTQmE%40mail.gmail.com&forum_name=nepenthes-devel).

--Andrew

Leon v/d Eijk

Sep 10, 2010, 8:01:06 AM
to kippo users
Andrew,

I did notice the posting in the mailing list. Great initiative!
Although I'm not sure if it is such a good idea to use Dionaea _and_
Nepenthes on one box at the same time.
Any thoughts on this, guys?

Leon


AndrewWaite

Sep 10, 2010, 8:12:15 AM
to kippo users
Personally I wouldn't run both at once, but primarily because Dionaea
has more updated functionality rather than anything else. I don't see
it causing a problem providing the configuration doesn't have both
systems trying to bind to the same ip/port combinations.

But the ability to run either, or or both (not sure that's a
sentence...) quickly and with minimal setup time definitely appeals.
Not sure it will replace permanent installations, but good for one-off
testing.

--Andrew


mlwrcollect

Sep 10, 2010, 11:52:37 AM
to kippo...@googlegroups.com
Actually, I do run both on the same machine, because I use dionaea mainly
for its SMB implementation. I still run a combination of nepenthes and
amun to cover for the rest of the service simulation. Why is this a bad
idea?

Greetz.
Dave

Jacob Kuehndorf

Sep 10, 2010, 11:55:41 AM
to kippo...@googlegroups.com

It's a bad idea if you have two trying to access the same ip/port. Running it on the same computer is not a bad thing.


Leon v/d Eijk

Sep 10, 2010, 12:40:24 PM
to kippo...@googlegroups.com
Not saying it's a bad idea, just wondering if it isn't a bit "double"
or they won't get in the way of each other. Dionaea is the successor of
nepenthes, so why run both?

Leon


mlwrcollect

Sep 16, 2010, 11:41:37 AM
to kippo...@googlegroups.com
Ah, right. I thought I was doing something really badly wrong here :) I
see your point and actually would love doing the same, using all cool
features from Dionaea. And we probably will in the near future, however,
currently we heavily rely on SurfIDS as framework and NFQUEUE is not
enabled there. As far as I know, but please correct me when I'm wrong,
Dionaea only offers SMB when not using the queuing features (freeze the
syn and open a port)? This has been the main reason for me to combine
honeypots so to have a wide spread of simulated vulnerabilities...

Dave

Markus

Sep 16, 2010, 3:22:01 PM
to kippo...@googlegroups.com
Hi,


dionaea serves

smb - tcp/445
dcerpc - tcp/135
mssql - tcp/1433
http - tcp/80 - more or less useless
https - tcp/443 - as useless as http
ftp - tcp/21 - not as useless as http, you can even upload/download files
tftp - udp/69 - actually not useless, but does not get attacks
sip - udp/5060 - does not play nice with sipvicious yet

If you got numbers which other services you see getting hit, getting
served by amun/nepenthes, please let me know.

And last but not least, there is
any - tcp/* via nfq and mirroring back the attack to the attacker,
running this code is an ethical mess, but sometimes helps in
identifying potential services for the honeypot (we got mssql that
way).


MfG
Markus
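Andrew's caveat earlier in the thread (both sensors must not bind the same ip/port) and Markus's list of what dionaea serves lend themselves to a quick collision check. The script below is an added example, not code from the thread or from dionaea/nepenthes/amun; the nepenthes listener set, the process names and the `ss -lntup` output are constructed for illustration, and a wildcard bind is treated as clashing with any address on that port.

```python
import re
from collections import defaultdict

# Wildcard bind addresses as ss prints them; normalised to "*" below.
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}

# Listener sets as (proto, port, bind address). The dionaea set follows the
# ports Markus lists; the nepenthes set is constructed for illustration.
DIONAEA = {("tcp", 445, "*"), ("tcp", 135, "*"), ("tcp", 1433, "*"),
           ("tcp", 80, "*"), ("tcp", 443, "*"), ("tcp", 21, "*"),
           ("udp", 69, "*"), ("udp", 5060, "*")}
NEPENTHES = {("tcp", 445, "10.0.0.5"), ("tcp", 21, "10.0.0.5"),
             ("tcp", 3372, "*")}

def conflicts(a, b):
    """Return sorted (proto, port) pairs both listener sets would bind.
    A wildcard bind counts as clashing with any address on that port: the
    second listen() fails with EADDRINUSE and that sensor loses the service."""
    out = set()
    for pa, porta, addra in a:
        for pb, portb, addrb in b:
            same_addr = addra == addrb or "*" in (addra, addrb)
            if pa == pb and porta == portb and same_addr:
                out.add((pa, porta))
    return sorted(out)

# Constructed sample of `ss -lntup` output, not captured from a real host.
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:445     0.0.0.0:*  users:(("dionaea",pid=1234,fd=9))
tcp   LISTEN 0      128    10.0.0.5:445    0.0.0.0:*  users:(("nepenthes",pid=2345,fd=5))
tcp   LISTEN 0      128    10.0.0.5:3372   0.0.0.0:*  users:(("nepenthes",pid=2345,fd=7))
udp   UNCONN 0      0      0.0.0.0:69      0.0.0.0:*  users:(("dionaea",pid=1234,fd=12))
"""
SS_LINE = re.compile(
    r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def listeners_by_process(ss_output):
    """Group live sockets from `ss -lntup` text by owning process name."""
    by_proc = defaultdict(set)
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue  # header, or a socket without process info
        proto, addr, port, proc = m.groups()
        addr = "*" if addr in WILDCARDS else addr
        by_proc[proc].add((proto, int(port), addr))
    return dict(by_proc)
```

Run conflicts() on the planned listener sets before deploying, or feed listeners_by_process() the real `ss -lntup` output to confirm on a live box which sensor actually won each port.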

mlwrcollect

Sep 16, 2010, 4:03:54 PM
to kippo...@googlegroups.com
Hi Markus!

On 9/16/10 9:22 PM, Markus wrote:
> sip - udp/5060 - does not play nice with sipvicious yet

Nice! Been playing with artemisa lately, which is nice too, but having
it at some level with Dionaea sounds great!

Greetz,
Dave

Markus

Sep 16, 2010, 4:50:13 PM
to kippo...@googlegroups.com
Hi,

artemisa is something different, it is a voip client, which you
connect to your (asterisk) sip service and wait for incoming calls,
the sip dionaea provides is meant to detect sip scanning (and more),
which is addressed on sip services like asterisk.

Artemisa uses PJSIP, which is not an option for dionaea due to the
lack of control over sockets and the lack of control for the threads
used in the library.
Given the complexity in sip, it is really unlikely dionaea will get a
sip client stack.
Therefore, if you are looking for spit, Artemisa is your choice.


MfG
Markus
