nmap scan not showing results


Christopher Bruder

Oct 11, 2017, 1:57:53 PM
to Modern Honey Network

I just did a fresh install of MHN.  Then I used the deploy method on two Raspberry Pis.  I plugged them in and did an nmap scan on them both, then I checked the MHN console and it's showing 0 attacks.  Any idea why??
nmap -T4 -A -v xx.xx.xx.xx

Brady Sullivan

Oct 11, 2017, 2:33:47 PM
to Modern Honey Network
Please follow this: https://github.com/threatstream/mhn/wiki/MHN-Troubleshooting-Guide#troubleshooting-the-honeypot-side

Post the results so we have a starting idea of what may be wrong.

Christopher Bruder

Oct 11, 2017, 3:12:13 PM
to Modern Honey Network
This is on the server side:

<removed email>:/var/log/mhn$ mongo hpfeeds
MongoDB shell version v3.4.9
connecting to: mongodb://127.0.0.1:27017/hpfeeds
MongoDB server version: 3.4.9
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
        http://docs.mongodb.org/
Questions? Try the support group
        http://groups.google.com/group/mongodb-user
Server has startup warnings:
2017-10-11T09:58:13.003-0400 I STORAGE  [initandlisten]
2017-10-11T09:58:13.004-0400 I STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2017-10-11T09:58:13.004-0400 I STORAGE  [initandlisten] **          See http://dochub.mongodb.org/core/prodnotes-filesystem
2017-10-11T09:58:13.028-0400 I CONTROL  [initandlisten]
2017-10-11T09:58:13.028-0400 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
2017-10-11T09:58:13.028-0400 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.
2017-10-11T09:58:13.028-0400 I CONTROL  [initandlisten]
2017-10-11T09:58:13.028-0400 I CONTROL  [initandlisten]
2017-10-11T09:58:13.028-0400 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2017-10-11T09:58:13.028-0400 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2017-10-11T09:58:13.028-0400 I CONTROL  [initandlisten]
>


On Wednesday, October 11, 2017 at 2:58:56 PM UTC-4, Christopher Bruder wrote:
pi@so-honeypot04:/opt/dionaea $ sudo netstat -luntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:877             0.0.0.0:*               LISTEN      357/sshd
tcp6       0      0 :::877                  :::*                    LISTEN      357/sshd
udp        0      0 0.0.0.0:38106           0.0.0.0:*                           322/avahi-daemon: r
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           322/avahi-daemon: r
udp        0      0 0.0.0.0:68              0.0.0.0:*                           309/dhcpcd
udp6       0      0 :::5353                 :::*                                322/avahi-daemon: r
udp6       0      0 :::36790                :::*                                322/avahi-daemon: r


pi@so-honeypot04:/opt/dionaea $ sudo supervisorctl status
dionaea                          FATAL     Exited too quickly (process log may have details)


pi@so-honeypot04:/opt/dionaea $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


pi@so-honeypot04:/opt/dionaea $ sudo tcpdump -nnNN tcp port 10000
sudo: tcpdump: command not found

Christopher Bruder

Oct 11, 2017, 3:13:28 PM
to Modern Honey Network
I did, check it out, I'm so lost on what's wrong:

>
> pi@so-honeypot04:/opt/dionaea $ sudo netstat -luntp
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> PID/Program name
> tcp        0      0 0.0.0.0:877             0.0.0.0:*               LISTEN
> 357/sshd
> tcp6       0      0 :::877                  :::*                    LISTEN
> 357/sshd
> udp        0      0 0.0.0.0:38106           0.0.0.0:*
> 322/avahi-daemon: r
> udp        0      0 0.0.0.0:5353            0.0.0.0:*
> 322/avahi-daemon: r
> udp        0      0 0.0.0.0:68              0.0.0.0:*
> 309/dhcpcd
> udp6       0      0 :::5353                 :::*
> 322/avahi-daemon: r
> udp6       0      0 :::36790                :::*
> 322/avahi-daemon: r
> pi@so-honeypot04:/opt/dionaea $ sudo supervisorctl status
> dionaea                          FATAL     Exited too quickly (process log
> may have details)
> pi@so-honeypot04:/opt/dionaea $ ^C
> pi@so-honeypot04:/opt/dionaea $ pi@so-honeypot04:/opt/dionaea $ sudo
> supervisorctl status
> -bash: pi@so-honeypot04:/opt/dionaea: No such file or directory
> pi@so-honeypot04:/opt/dionaea $ dionaea                          FATAL

> Exited too quickly (process log may have details)
> -bash: syntax error near unexpected token `('

> pi@so-honeypot04:/opt/dionaea $ sudo iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> pi@so-honeypot04:/opt/dionaea $ sudo tcpdump -nnNN tcp port 10000
> sudo: tcpdump: command not found
> pi@so-honeypot04:/opt/dionaea $ sudo tcpdump -nnNN tcp port 10000
> sudo: tcpdump: command not found


Christopher Bruder

Oct 12, 2017, 1:26:46 PM
to Modern Honey Network
Something else I noticed was that if I try to run a wget against the honeypot, it just tells me x.x.x.x:80 failed: connection refused.  This was from the troubleshooting guide:

Can you run these commands from your honeypot system and provide the output?

Before running these commands start a script to wget against your honeypot.

$ sudo netstat -luntp
$ sudo supervisorctl status
$ sudo iptables -L
$ sudo tcpdump -nnNN tcp port 10000


On Thursday, October 12, 2017 at 1:19:41 PM UTC-4, Christopher Bruder wrote:
Alright, so based on what you said so far, I changed the website to icanhazip.com, did a reload and then did a status, and it's still showing as fatal:

pi@so-honeypot04:~ $ sudo supervisorctl reload
Restarted supervisord

pi@so-honeypot04:~ $ sudo supervisorctl status

dionaea                          FATAL     Exited too quickly
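The guide's first two honeypot-side checks, turned into a small parser (an added example, not code from the thread or from the MHN project): it reads `supervisorctl status` and `netstat -luntp` output of the shape posted above and reports why the sensor logs nothing. The sample input is constructed from the thread's output, and the expected TCP port 80 (the wget target in the thread) is an assumption.

```python
"""Honeypot-side triage for an MHN sensor that reports 0 attacks: parse the
`supervisorctl status` and `netstat -luntp` checks from the troubleshooting guide."""
import re

# Constructed sample input, shaped like the output posted in the thread.
SUPERVISOR_STATUS = """\
dionaea                          FATAL     Exited too quickly (process log may have details)
"""
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:877             0.0.0.0:*               LISTEN      357/sshd
tcp6       0      0 :::877                  :::*                    LISTEN      357/sshd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           322/avahi-daemon: r
udp        0      0 0.0.0.0:68              0.0.0.0:*                           309/dhcpcd
"""
# One netstat row: proto, queues, local addr:port, foreign addr, optional LISTEN, program.
NETSTAT_ROW = re.compile(
    r"^(tcp|udp)6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+(?:LISTEN\s+)?(\S.*?)\s*$")

def parse_supervisor(text):
    """Map each supervisor program name to its state (RUNNING, FATAL, ...)."""
    states = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            states[parts[0]] = parts[1]
    return states

def parse_listeners(text):
    """Map (proto, port) of every listening socket to the owning PID/program."""
    listeners = {}
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, port, prog = m.groups()
            listeners[(proto, int(port))] = prog
    return listeners

def diagnose(states, listeners, expected_tcp_ports=(80,)):
    """Return findings; the expected port list is an assumption (80 is the wget target)."""
    findings = []
    for prog, state in states.items():
        if state != "RUNNING":
            findings.append(f"{prog} is {state}: honeypot process is down, read its process log")
    for port in expected_tcp_ports:
        if ("tcp", port) not in listeners:
            findings.append(f"nothing listens on tcp/{port}: connections are refused, nothing logged")
    return findings
```

Running `diagnose(parse_supervisor(SUPERVISOR_STATUS), parse_listeners(NETSTAT_OUTPUT))` on the sample yields two findings: dionaea is FATAL, and only sshd is listening, which is exactly why the nmap scan and the wget produce no events.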


