Monday, January 19, 2015

HOME Router Honeypot

HOME Router Honeypot

I like to recommend the “China ELF” blog series from Malware Must Die.

One of the malwares are targeting embedded architectures as mention in one of their posts.

then the Linux/AES.DDoS that is aiming for the router & embedded architecture (ARM, MIPS, PPC)

Investigating about this kind of malware I found this excellent post Analyzing Malware for Embedded Devices: TheMoon Worm. It shows how to use qemu to analyze malware in MIPS architectures and with different firmwares (OpenWRT, Linksys, …)

This gives me the idea for my weekend project:

SSH OpenWRT honeypot

Let’s consider that only the ssh port are exposed to internet. Feel free to use whatever IP you want for the VM.

We need qemu to run the OpenWRT VM, but latest qemu versions have problems emulating mips architectures so I had to compile qemu from sources. You can do the same or install an older qemu version.

# We can use an OpenWRT precompiled version 
# And test that all works fine
sudo qemu -m 32 -kernel vin/malta/openwrt-malta-le-vmlinux-initramfs.elf -nographic

That runs nice but we need to tweak the image to suit our needs (acquire WAN IP, NAT, …) , then we need to compile from openwrt sources and modify the files as explained here OpenWrt Buildroot – Usage

# Clone openwrt repository
cd /opt
git clone git://
cd openwrt
# Create custom files
mkdir -p files/etc/config
# eth0 will be the LAN interface and eth1 the WAN
cat > files/etc/config/network << EOF
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr ''
        option netmask ''

config interface 'lan'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr ''
        option netmask ''

config interface 'wan'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr ''
        option netmask ''
        option gateway ''
        option dns ''

# Create a root password
cat >  files/etc/shadow << EOF
# Permit SSH from WAN
cat >  files/etc/rc.local << EOF
/usr/sbin/iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
# Select Malta architecture
make menuconfig
# Compile
make -j 2 
#After a successful build, the freshly built image(s) can be found in the newly created <buildroot_dir>/bin directory
cp bin/malta/openwrt-malta-le-vmlinux-initramfs.elf ~/

We can launch now the VM and use honeyd to simulate some attached devices. The lan-ifup and wan wan-ifup scripts are used to assign IPs to interfaces and to bring them up.

# Launch OpenwWRT VM
qemu-system-mipsel -m 32 -M malta \
      -kernel openwrt-malta-le-vmlinux-initramfs.elf \
      -net nic,macaddr=C0:4A:00:2C:EC:61 \
      -net tap,ifname=lan0,script=lan-ifup,downscript=lan-ifdown \
      -net nic,macaddr=C0:4A:00:2C:EC:62 \
      -net tap,ifname=wan0,script=wan-ifup,downscript=wan-ifdown \
# Simulate attached hosts to the LAN
honeyd -i lan0 -d -f config.honeyd -t /tmp/dhcp.honey 
# Give internet access
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Now that eveything is set up we want to capture all traffic so we are going to install mitmproxy_ssh to act as a ssh proxy for incoming connections.

mitmproxy_ssh -H -P 22 -p 22 -s -o /tmp/ssh.log

When the victim disconnects the mitmproxy_ssh stops and we can inspect the log with

mitmlogview -f /tmp/ssh.log

If we want to keep the ssh proxy alive we can execute this scripts and store every session in a different log file.

while true
        mitmproxy_ssh -H -P 22 -p 22 -s -o /tmp/ssh.log
        DATE=$(date +"%Y%m%d%H%M")
        mv /tmp/ssh.log /var/log/hpot/ssh$DATE.log
        sleep 1

Take into account that every time you reboot the VM it resets to default settings because it hasn’t a filesystem device.