Construct a honeypot system under Windows

xiaoxiao2021-03-06  40

Earlier, at the Zhengzhou University Network Safety Park (http://secu.zzu.edu.cn), we built a honeynet based on *NIX systems, which takes a fair amount of multi-system administration and network security knowledge. The threshold for building a honeypot on a Windows system (hereinafter WinPot) is relatively low; for most friends it is mostly SELECT & CLICK :). So today we try to build a honeypot system under Windows. Because Win and *NIX systems differ, it is very hard for us to find effective tools that track an intruder's behaviour completely: Win has many kinds of remote management software (VNC, Remote-Anything), most anti-virus software does not flag most of them, and there is nothing with the power of LIDS to restrict the Administrator's privileges. Relatively speaking, WinPot's risk is a little higher and it takes more time and energy to watch it. There is no way around that: the threshold is low, so the risk is naturally higher.

OK, let's introduce the software we need:

VPC (Virtual PC): virtual operating system software. Of course you can also choose VMware.
ActivePerl-5.8.0.805-mswin32-x86.msi: the Perl interpreter for Windows.
evtsys_exe.zip: a program that forwards the system event logs to a log server.
comlog101.zip: a cmd.exe logger written in Perl; it does not show up in the process list, and what the intruder goes for is, after all, cmd.exe :).
Kiwi_syslog_daemon_7: a very professional log server.
Norton AntiVirus Enterprise Client: the anti-virus software I like; it supports Win2k Server. Of course, if you think another one suits you better, that is your choice.
Ethereal-setup-0.9.8.exe: the Windows version of Ethereal, a very famous sniffer under *NIX. If you already have a sniffer deployed in your honeynet, this is not necessary, but this article is mainly aimed at the DVLDR worm, Ethereal's decoding is very strong, and using it to pull out the IRC messages works very well.
WinPcap_3_0_beta.exe: required by Ethereal.
MD5SUM.EXE: MD5 checksum verification tool for Windows.
Green Alert firewall.
Windows 2000 Professional ISO image: for installing the virtual operating system in VPC; this article uses the Windows 2000 Professional ISO.

All programs can be downloaded from the Zhengzhou University Network Safety Park at http://secu.zzu.edu.cn.

DVLDR worm: a worm that exploits weak passwords on Windows 2000/NT. It brute-forces randomly generated IP addresses with a dictionary; if it succeeds, the machine is infected, a modified VNC is implanted, the worm reports to an IRC channel that the host has been infected, and it continues on to other machines. You can visit the Zhengzhou University Network Safety Park for more detailed information about it.

Step 1: Install Win2k Pro in VPC (the installation details are omitted) and apply all patches, leaving only one vulnerability: the empty Administrator password that the DVLDR worm needs.

Step 2: Install Norton AntiVirus Enterprise Client, update to the latest virus definitions, and turn on real-time monitoring.

Step 3: Replace the system's cmd.exe with cmdlog. Extract comlog101.zip; it contains five files: cmd.exe, com101.pl, comlog.txt, md5.txt and readme.txt. comlog.txt and readme.txt are the documentation, and md5.txt holds the MD5 checksums of these files, so we can use the md5sum.exe tool to check whether they have been modified:

D:\comlog101> md5sum.exe *
md5sum.exe: .: Permission denied
md5sum.exe: ..: Permission denied
f86ba5ffaa8800a2efa9093d2f11ae6f * cmd.exe
484c4708c17b5a120cb08e40498fea5f * com101.pl
001a6f9ca5f6cf01a23076bad9c6261a * comlog.txt
121bf60bc53999c90c6405440567064b * md5.txt
eb574b236133e60c989c6f472f07827b * MD5SUM.EXE
42605ECFA6FE0F446C915A41396A7266 * Readme.txt

Compare these numbers with the ones in md5.txt; if any of them differ, the program has been modified: do not use it, and let me know. Once the check passes, we start replacing the system's cmd.exe. First open Explorer -> Tools -> Folder Options -> View, uncheck "Hide protected operating system files" and select "Show all files and folders" -> OK. Then go to the C:\winnt\system32\dllcache directory, find cmd.exe and rename it to cm_.exe, then copy cmd.exe and com101.pl from the comlog101 directory there. Next rename cmd.exe under C:\winnt\system32 to cm_.exe and likewise copy cmd.exe and com101.pl from the comlog101 directory there. During this, the system will warn that a system file has been modified and ask whether to repair it; choose Cancel. Then create a "tutor" directory under C:\winnt\help; this is where cmd.exe's command log goes. Of course, you can also edit com101.pl to choose the log location. If we run cmd.exe now, the window only flashes and disappears, because we have not installed the Perl interpreter yet. Run ActivePerl-5.8.0.805-mswin32-x86.msi and click OK all the way through.

Now run cmd.exe again and our lovely CMD window comes up. Type a few commands, then go to the C:\winnt\help\tutor directory and you can see the record. To avoid recording our own cmd.exe sessions, we can rename the original cmd.exe to another name and use that ourselves.

Step 4: Install the log server. We choose Kiwi's Syslog Daemon 7 because it is professional and has many statistics and supporting products. Click through the installation and start the service.
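The checksum comparison in step 3 is easy to get wrong by eye, so here is an added example (not from the original post, and not part of the comlog101 tool) that parses md5sum-style output and an md5.txt manifest and reports which files match, which are missing and which have been modified. The file names and contents in the sample are constructed for the example; the page's real hashes are not used.

```python
# Added example (not part of the original post, not the comlog101 tool):
# parse md5sum-style lines and check files against an md5.txt manifest.
import hashlib
import re

# md5sum prints "<hash> *<file>" in binary mode and "<hash>  <file>" in text mode;
# tolerate both, plus the spaced "<hash> * <file>" form shown in the post.
MD5_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?\s*(.+?)\s*$")


def parse_manifest(text):
    """Map filename -> lowercase hash; lines such as
    'md5sum.exe: .: Permission denied' do not match and are skipped."""
    entries = {}
    for line in text.splitlines():
        m = MD5_LINE.match(line.strip())
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def md5_of(data):
    """MD5 hex digest of in-memory file contents (what md5sum would print)."""
    return hashlib.md5(data).hexdigest()


def verify(files, manifest):
    """files: {name: bytes}. Returns (ok, missing, mismatched) name lists, sorted."""
    ok, missing, mismatched = [], [], []
    for name, expected in manifest.items():
        if name not in files:
            missing.append(name)
        elif md5_of(files[name]) == expected:
            ok.append(name)
        else:
            mismatched.append(name)
    return sorted(ok), sorted(missing), sorted(mismatched)


# Constructed sample: an md5.txt for three fake files, then one file tampered
# with and one file removed, as a modified download would look.
SAMPLE_FILES = {"tool.exe": b"hello", "tool.pl": b"print 1;\n", "readme.txt": b""}
SAMPLE_MD5_TXT = "\n".join("%s *%s" % (md5_of(d), n) for n, d in SAMPLE_FILES.items())
TAMPERED_FILES = dict(SAMPLE_FILES, **{"tool.pl": b"print 2;\n"})
del TAMPERED_FILES["readme.txt"]

if __name__ == "__main__":
    ok, missing, bad = verify(TAMPERED_FILES, parse_manifest(SAMPLE_MD5_TXT))
    print("ok:", ok, "missing:", missing, "MODIFIED:", bad)
```

Only files whose hash matches the manifest should be copied over the system's cmd.exe; anything in the "modified" list is exactly the case the post tells you to reject.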

"netstat -an" now shows the service listening on UDP port 514:

  UDP    0.0.0.0:514    *:*

Step 5: Install evtsys_exe. Extract the two programs evtsys.exe and evtsys.dll and check them with md5sum.exe:

D:\evtsys_exe> md5sum.exe *
md5sum.exe: .: Permission denied
md5sum.exe: ..: Permission denied
f5ba9453e12dc030b5e19f75c079fec2 * evtsys.dll
dcc02e429fbb769ea5d94a2ff0a14067 * evtsys.exe
eb574b236133e60c989c6f472f07827b * md5sum.exe

If everything is fine, run evtsys.exe /? to see the usage:

D:\evtsys_exe> evtsys.exe /?
usage: evtsys.exe -i|-u|-d [-h host] [-p port] [-d]
  -i        install service
  -u        uninstall service
  -d        debug: run as console program
  -h host   name of log host
  -p port   port number of syslogd
  -q char   quote messages with character
Default port: 514

We run "evtsys.exe -h <log server IP> -i" to install the service. From now on the system's application log, system log and security log are sent to the log server, so we can understand what is happening on the system more realistically.
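To show what the log server on the other end of step 5 actually receives, here is an added example (not from the original post, and not the code of Kiwi Syslog Daemon or evtsys): a minimal UDP syslog receiver in Python that decodes the BSD-syslog priority header of each datagram, appends a line per message to a file, and counts messages per sending host and severity. The datagram texts are constructed for the example and are not real evtsys output; port 514 needs administrator rights, so the usage line at the bottom uses a high port.

```python
# Added example (not part of the original post, not Kiwi's or evtsys's code):
# a minimal UDP syslog receiver of the kind evtsys forwards Windows event logs to.
import re
import socket
from collections import Counter

# BSD syslog (RFC 3164) facility and severity names, indexed by number.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_syslog(datagram, source):
    """Decode one datagram of the form '<PRI>message', PRI = facility*8 + severity.
    Datagrams without a valid header are kept verbatim so nothing is lost."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    record = {"source": source, "facility": None, "severity": None, "message": text}
    m = PRI_RE.match(text)
    if m and int(m.group(1)) <= 191:          # 23*8 + 7 is the largest legal PRI
        facility, severity = divmod(int(m.group(1)), 8)
        record.update(facility=FACILITIES[facility], severity=SEVERITIES[severity],
                      message=m.group(2))
    return record


def format_record(record):
    """One line per message, ready to append to the log file."""
    return "%s %s.%s %s" % (record["source"], record["facility"] or "-",
                            record["severity"] or "-", record["message"])


def summarize(records):
    """Count messages per (source, severity): a quick view of which host is noisy."""
    return Counter((r["source"], r["severity"]) for r in records)


def serve(bind_addr="0.0.0.0", port=514, log_path="honeypot-syslog.txt", max_datagrams=None):
    """Receive datagrams and append them to log_path until max_datagrams arrive
    (forever if None). Binding port 514 needs admin rights; use a high port to try it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    received = []
    with open(log_path, "a", encoding="utf-8") as log:
        while max_datagrams is None or len(received) < max_datagrams:
            data, (host, _) = sock.recvfrom(8192)
            record = parse_syslog(data, host)
            received.append(record)
            log.write(format_record(record) + "\n")
            log.flush()
    sock.close()
    return received


# Constructed sample datagrams: wording and addresses are made up, not real evtsys output.
SAMPLE_DATAGRAMS = [
    (b"<13>Mar 06 10:00:01 WINPOT constructed: Application log entry", "192.0.2.10"),
    (b"<12>Mar 06 10:00:02 WINPOT constructed: System log warning", "192.0.2.10"),
    (b"<110>Mar 06 10:00:03 WINPOT constructed: Security log entry", "192.0.2.10"),
    (b"no priority header at all", "192.0.2.11"),
]

if __name__ == "__main__":
    records = [parse_syslog(data, src) for data, src in SAMPLE_DATAGRAMS]
    for r in records:
        print(format_record(r))
    print(summarize(records))
    # serve(port=5514, max_datagrams=10)   # run live on a high port and point evtsys -p 5514 at it
```

The receiver deliberately keeps datagrams that carry no priority header: on a honeypot the odd malformed message is itself worth looking at, and dropping it silently would hide it.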

Step 6: Install WinPcap_3_0_beta.exe and Ethereal-setup-0.9.8.exe; the installation itself is straightforward and is omitted. In Ethereal choose Capture -> Start. Do not select "Capture packets in promiscuous mode", because we only need this host's own traffic; there is no need to run in promiscuous mode. In the filter field enter:

ip host <your IP> and tcp port 6667

There can be only one filter rule, but you can combine conditions with logical operators: negation (`!` or `not`), conjunction (`&&` or `and`) and disjunction (`||` or `or`); there are also ==, >=, <=, & and more. For more detailed settings see Ethereal's manual. Test for yourself whether the sniffer works by talking on IRC: we can see some captured records; select one and press "Follow TCP Stream" to view the IRC chat content.

Step 7: Install the Green Alert firewall. Turn off "incoming request notification", enable sharing, change all intrusion-detection countermeasures from "Intercept" to "Warn", and set the warning level to "Record"; we mainly want to know the approximate attack situation. Then delete the software we downloaded, the temporary files, the history and your documents, turn on Ethereal, and all that is left now is to wait for the worm to infect ................

It is really a pity; a non-computer-science person doing computer work is sad ... I don't know things like IDA or Win32DASM ~~~~

Addendum: after everything is installed, taking a snapshot with RegSnap would be better.
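As an added example that is not from the original post and is not Ethereal's own code, the Python below does by hand what the capture filter and "Follow TCP Stream" do in step 6: it keeps only the packets matching "ip host X and tcp port 6667", reassembles each direction of the TCP connection in sequence-number order (discarding retransmitted bytes), and splits the result into IRC commands so the channel join and the report message stand out. The packets, addresses, nick and channel name are all constructed for the example.

```python
# Added example (not from the original post, not Ethereal's code): filter captured
# packets for the honeypot's IRC traffic, reassemble the TCP stream, decode IRC lines.
from collections import defaultdict


def capture_filter(pkt, host, port):
    """Equivalent of the capture filter 'ip host <host> and tcp port <port>':
    either endpoint may be the host, either side may use the port."""
    return (pkt["proto"] == "tcp"
            and host in (pkt["src"], pkt["dst"])
            and port in (pkt["sport"], pkt["dport"]))


def follow_tcp_streams(packets):
    """Reassemble payloads per direction, keyed (src, sport, dst, dport).
    Packets are ordered by sequence number; bytes already seen (retransmissions,
    overlaps) are dropped. A packet missing from the capture simply leaves a gap."""
    by_dir = defaultdict(list)
    for p in packets:
        by_dir[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)
    streams = {}
    for key, pkts in by_dir.items():
        data = bytearray()
        next_seq = None
        for p in sorted(pkts, key=lambda q: q["seq"]):
            seq, payload = p["seq"], p["payload"]
            if next_seq is not None and seq < next_seq:      # retransmitted/overlapping bytes
                payload = payload[next_seq - seq:]
            data += payload
            end = seq + len(p["payload"])
            next_seq = end if next_seq is None else max(next_seq, end)
        streams[key] = bytes(data)
    return streams


def parse_irc_line(line):
    """Split one IRC line into (prefix, COMMAND, params) per RFC 1459 framing:
    optional ':prefix', a command, middle params, and an optional ' :trailing' param."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return None
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, parts[0].upper(), params


def extract_irc(stream):
    """IRC messages from one reassembled direction (CRLF-delimited lines)."""
    messages = []
    for raw in stream.decode("utf-8", errors="replace").split("\r\n"):
        parsed = parse_irc_line(raw.strip())
        if parsed:
            messages.append(parsed)
    return messages


def irc_report(packets, host, port):
    """Filter -> reassemble -> decode. Returns [(direction_key, prefix, command, params)]."""
    kept = [p for p in packets if capture_filter(p, host, port)]
    rows = []
    for key, stream in follow_tcp_streams(kept).items():
        for prefix, command, params in extract_irc(stream):
            rows.append((key, prefix, command, params))
    return rows


def _pkt(src, sport, dst, dport, seq, payload, proto="tcp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "seq": seq, "payload": payload, "proto": proto}


# Constructed capture: out-of-order client packets, one retransmission, one reply
# from the server, and one unrelated HTTP packet that the filter must drop.
HONEYPOT, IRC_SERVER, WEB = "192.0.2.10", "198.51.100.7", "203.0.113.9"
SAMPLE_PACKETS = [
    _pkt(HONEYPOT, 1045, IRC_SERVER, 6667, 39, b"PRIVMSG #constructed :infected host report\r\n"),
    _pkt(HONEYPOT, 1045, IRC_SERVER, 6667, 1, b"NICK honeypot-bot\r\n"),
    _pkt(IRC_SERVER, 6667, HONEYPOT, 1045, 1, b":irc.example PRIVMSG #constructed :hello\r\n"),
    _pkt(HONEYPOT, 1045, IRC_SERVER, 6667, 20, b"JOIN #constructed\r\n"),
    _pkt(HONEYPOT, 1045, IRC_SERVER, 6667, 20, b"JOIN #constructed\r\n"),   # retransmission
    _pkt(HONEYPOT, 1046, WEB, 80, 1, b"GET / HTTP/1.0\r\n"),                # not IRC
]

if __name__ == "__main__":
    for key, prefix, command, params in irc_report(SAMPLE_PACKETS, HONEYPOT, 6667):
        print("%s:%d -> %s:%d  %s %s" % (key[0], key[1], key[2], key[3], command, params))
```

On a real capture the packet dictionaries would come from a pcap reader; the reassembly and IRC decoding stay the same, and the NICK/JOIN/PRIVMSG sequence from the honeypot is the sign that the infection has phoned home.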

Please credit the original source when reposting: https://www.9cbs.com/read-86139.html
