PhoneyC honeyclient

Overview

Let me introduce PhoneyC - pure Python honeyclient implementation.

It is a perspective project and it has a huge potential. All features and advantages are described in a corresponding article. Briefly, PhoneyC is a low interaction, virtual honeyclient that emulates the core functionality of a web client and emulates specific vulnerabilities to pinpoint the attack vector.

It consists of two core components - a simple web crawler (honeywalk.py) and an analysis engine (honeyclient.py) with all required auxiliary modules. Further I'll describe installation and usage procedures.

Installation

As a sample platform I'm using Ubuntu 9.04 Jaunty Jackalope for x84-64 processor. Following the README instructions we have to install python 2.3 and upper, clamav, spidermonkey, vb2py and curl (it is not mentioned in the README file, but it is used internally by the analysis engine):

$ sudo apt-get install clamav spidermonkey-bin

Python is already installed in the system by default. vb2py functionality is not using right now in the project trunk, but I hope that it will be fixed in the near future.

Also symlinks should be created (now all paths are hardcoded in the project). And for correct ClamAV scanning a 'clamd' directory should be created in '/tmp'.

$ sudo mkdir -p /usr/local/bin
$ sudo ln -s /usr/bin/smjs /usr/local/bin/js
$ sudo ln -s /usr/bin/clamscan /usr/local/bin/clamdscan
$ mkdir /tmp/clamd

And of course the project should be checked out:

svn co http://phoneyc.googlecode.com/svn/phoneyc/trunk phoneyc

That is all! I think in near future the process of installation will be reduced and egg-file will be created. But the project is in the heavy development now and there are other features that should be implemented first.

Usage

It is difficult to find a sites in a wild that will be recognized by PhoneyC now. Although it has a good database with vulnerabilities, these vulnerabilities is not using so often now. But I hope that in the future the database will be actual enough for finding infected sites in a wild (actually, it is a one of the goals of the project). So for now let just use a tests that are provided with the project.

All tests are located in the 'tests' directory. First of all, test a HTML-file via file://-locator:

nuald@nuald-laptop:~/workspace/phoneyc/trunk$ python honeywalk.py file://`pwd`/tests/toshiba.html
/home/nuald/workspace/phoneyc/trunk/honeyclient.py:6: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import md5, popen2, os, re, sets
/home/nuald/workspace/phoneyc/trunk/honeyclient.py:6: DeprecationWarning: The popen2 module is deprecated.  Use the subprocess module.
  import md5, popen2, os, re, sets
/home/nuald/workspace/phoneyc/trunk/honeyclient.py:6: DeprecationWarning: the sets module is deprecated
  import md5, popen2, os, re, sets
HoneyWalk started at Fri Jun 19 09:11:23 2009 UTC
===> file:///home/nuald/workspace/phoneyc/trunk/tests/toshiba.html  []
('Toshiba Surveillance oveflow in SetPort()\n', '', 'bf17c0466b197fd26f9203cae6ea2523') {'ClamAV': ('dde847a073d02b06644d6602fc224810', 'OK')}

Please notice that the honeywalk.py script requires a full URI to the file (that's why I used `pwd` command). And ignore deprecation warnings - Ubuntu is shipped with the Python 2.6 and PhoneyC project is not ported to it yet.

Now let's check a web site. Run a simple site with SimpleHTTPServer module:

nuald@nuald-laptop:~/workspace/phoneyc/trunk$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...

And check a HTML page via HTTP:

nuald@nuald-laptop:~/workspace/phoneyc/trunk$ python honeywalk.py http://localhost:8000/tests/xupload.html
/home/nuald/workspace/phoneyc/trunk/honeyclient.py:6: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import md5, popen2, os, re, sets
/home/nuald/workspace/phoneyc/trunk/honeyclient.py:6: DeprecationWarning: The popen2 module is deprecated.  Use the subprocess module.
  import md5, popen2, os, re, sets
/home/nuald/workspace/phoneyc/trunk/honeyclient.py:6: DeprecationWarning: the sets module is deprecated
  import md5, popen2, os, re, sets
HoneyWalk started at Fri Jun 19 09:18:06 2009 UTC
===> http://localhost:8000/tests/xupload.html  []
('XUpload overflow in AddFolder()\n', '', '1d53a3556ec686912fa58bf97d3be7b5') {'ClamAV': ('a1877275c721080a3bb49fbca9282e3e', 'OK')}

That's all for now. I hope that the project will be growning and gain a much popularity.

Comments

Popular posts from this blog

DIY: Business cards in LaTeX

Python vs JS vs PHP for embedded systems

Web application framework comparison by memory consumption