Time for some more fun with uClinux, this time I decided to take a look at the dual modem/router ARM based board
from Actiontec. This board is sold retail for about $60 as an external modem/router and runs uClinux.
If you want to pick one of these up and are extremely lazy click here:
http://froogle.google.com/froogle?q=actiontec+dual+modem+router&btnG=Search+Froogle
- Arm940sid(wb) 83.76 bogomips processor (32 bit, little endian)
- 2 MB FLASH
- 8MB SDRAM
- 2 RJ45 100MB Ethernet
- Modem
Special thanks go to the actionhackers on the actionhack mailing list, especially Bruce Lightner and Patrick McNamara. Bruce amazed everyone with his home-grown daughter board, which enabled non-Actiontec people to talk to the board over a serial interface, and Patrick's USB hack saved me on more than one occasion :)
Kudos also go to the people at Actiontec who provided the GPL sources for the modem, allowing us to compile our own kernel for the board (and to Bruce for spending the time to get it to work right).
Here are some relevant links to the Actiontec board and the actionhack group who have been hacking away at it:
- Closeup of the board + daughter board
- Actiontec Sources
- Actiontec Wiki
Originally I was having some stability problems with my Linksys DSL/router, so I decided that this board would serve as an excellent substitute. Compiling the rp-pppoe client for uClinux was pretty easy and soon I had this thing running as a mini firewall. One major problem was that there wasn't a way to write to the flash without creating a new ROM filesystem. Unfortunately this was a tad too cumbersome for my firewall needs, so I abandoned the idea. I'll probably go back to the firewall if somebody figures out how to do this. The modem comes with a proprietary CGI program that handles flash access for the modem/router settings. Great for the modem, but not so great for those who want to write their own custom firewall software.
After shelving the board for a while I got around to it again and thought that it would make a good honeypot for the bots and hackers out there who occasionally come across my home network. My first idea was to port honeyd to the board, but I abandoned that after realizing that I probably do not have enough space for the binaries. Most of the open source slimmed-down honeypot software out there uses Perl or some other interpreted scripting language. Again, my 1.5 MB space constraint prevented me from using Perl or any other interpreter.
Long story short, I decided to write something myself for my ARM based honeypot idea. Not terribly inventive, but I thought it would be cool to have something that looked like a Windows box from the outside; throw in some attractive shares and maybe I could trap some of these open-share-looking people.
Instead of doing something sensible (like borrowing from the existing Samba code base) I thought it would be fun to write this program from scratch. I've never had to reverse engineer a protocol; thankfully Ethereal does an excellent job of interpreting the SMB protocol and doing most (if not all) of the reverse engineering for me. Using a Linux box running Samba I captured a minimal amount of data and used it as canned simulation data for the SMB queries. Pretty simple in theory... it ended up being slightly more complicated than I originally imagined.
Before writing any code for this thing I really wanted to mount the board in something cool. I did some searching on eBay and found a ceramic honeypot lamp. 5 bucks! Rock'n. A great excuse to buy a RotoZip and do some ceramic cutting in my small apartment. Really the most fun was cutting this thing with a RotoZip. I highly recommend ceramic cutting to those who need to take out frustration. I also highly recommend RotoZip over Dremel. I tried to do this with a Dremel first; it wasn't happening. After about three tries the motor on the Dremel seized and I had to return it. Anyway, shortly after getting the RotoZip I realized how foolish I was not to get the roto first. RotoZip rocks. Enough said.
Here is what it looked like after I finished the cut. Surprisingly it wasn't too difficult to get the board inside the pot. After a few tries I decided to cut off a corner of the board so it would sit flush with the slot. This cut on the Actiontec board can be seen in the picture at the top of the page. Luckily there was only an empty socket in the piece I needed to cut off.
After monitoring traffic on my network for a few hours (something I rarely do) I saw that there were a lot of requests coming in on the SMB ports. For this reason I thought it would be interesting to make a program attractive to these bots, worms and whatnot. Anyway, what this does is fake out the SMB protocol. Basically a mini-Samba with no practical use. I call it FakeSMB.
The source code for the honeypot "fakeSMB" program is pretty simple.
Download - fakesmb.tar.gz
Below is the main loop from fakesmb.c:
```c
#include <stdio.h>
#include <stdlib.h>
/* SMBManager and the SMBManager_* functions live in smbmanager.c */

int main()
{
    SMBManager *pSMBManager;

    pSMBManager = (SMBManager *) malloc(sizeof(SMBManager));
    if (pSMBManager == NULL)                  /* added: don't dereference a failed malloc */
        return 1;
    SMBManager_Construct(pSMBManager);
    SMBManager_CreateShareMsg(pSMBManager);   /* build the canned share-list message */
    SMBManager_ListenSocket(pSMBManager);     /* bind to TCP port 139 and listen */

    while (1) { // main accept() loop
        SMBManager_Accept(pSMBManager);
        while (pSMBManager->smb_status == GOT_CONNECTION) {
            SMBManager_ReadNBHeader(pSMBManager);   /* 4-byte NetBIOS session header */
            switch (pSMBManager->pdu_nbheader.type) {
            case 0x81: // nb session request
                SMBManager_ProcessNBRequest(pSMBManager);
                break;
            case 0x00: // smb request
                SMBManager_ReadSMBHeader(pSMBManager);
                SMBManager_ProcessSMBRequest(pSMBManager);
                break;
            default:
#ifdef DEBUG
                printf("WARNING: Unknown NMB protocol type!\n");
#endif
                SMBManager_Disconnect(pSMBManager);
                break;
            }
        }
    }

    SMBManager_Destruct(pSMBManager);
    free(pSMBManager);
    return 0;
}
```
Here I am binding to port 139 and listening for incoming connect requests. The SMBManager methods hide the standard Unix socket calls. Once I get a connection I start reading packets off the socket. If I am able to decode the NB header I process the packet for a handful of different types of SMB requests. For the most part I return canned SMB data. The major exceptions are the messages that describe the share names and the computer information (name, description, etc). The majority of the messages are SMB requests, handled in SMBManager_ProcessSMBRequest in smbmanager.c. All of the canned SMB data is defined in the fakedata.h header file.
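As an added example (not fakesmb's own code), here is the NetBIOS session header decode that the main loop above switches on, written so the 17-bit length is taken from the wire correctly and a peer-supplied length bigger than the receive buffer drops the connection instead of being trusted. The struct and enum names are my assumptions, not fakesmb's.

```c
#include <stdint.h>
#include <stdio.h>
/* Added example (not fakesmb's own code): decode the 4-byte NetBIOS
 * session service header (RFC 1002) that fakesmb's main loop switches
 * on, dispatch it the same way, and sanity-check the peer's length.
 * The struct and enum names are assumptions, not fakesmb's. */
#define NB_SESSION_MESSAGE 0x00   /* payload is an SMB */
#define NB_SESSION_REQUEST 0x81   /* called/calling NetBIOS names */
enum nb_action { NB_NEED_MORE, NB_DO_SESSION_REQUEST, NB_DO_SMB_REQUEST, NB_DO_DISCONNECT };

struct nb_header {
    uint8_t  type;
    uint8_t  flags;
    uint32_t length;  /* 17-bit payload length; flags bit 0 is bit 16 */
};
/* Returns 1 when a full header was decoded from buf, 0 if len < 4. */
int nb_header_parse(const uint8_t *buf, size_t len, struct nb_header *out)
{
    if (len < 4) return 0;
    out->type   = buf[0];
    out->flags  = buf[1];
    out->length = ((uint32_t)(buf[1] & 0x01) << 16) | ((uint32_t)buf[2] << 8) | buf[3];
    return 1;
}

/* Same switch as fakesmb's main loop, but a peer-supplied length larger
 * than the receive buffer disconnects instead of being trusted. */
enum nb_action nb_dispatch(const uint8_t *buf, size_t len, size_t max_payload)
{
    struct nb_header h;
    if (!nb_header_parse(buf, len, &h)) return NB_NEED_MORE;
    if (h.length > max_payload)         return NB_DO_DISCONNECT;
    switch (h.type) {
    case NB_SESSION_REQUEST: return NB_DO_SESSION_REQUEST;
    case NB_SESSION_MESSAGE: return NB_DO_SMB_REQUEST;
    default:                 return NB_DO_DISCONNECT;  /* 0x82-0x85 or junk */
    }
}

int main(void)
{
    /* constructed sample: a session request announcing a 68-byte payload */
    static const uint8_t req[4] = { 0x81, 0x00, 0x00, 0x44 };
    struct nb_header h;
    if (nb_header_parse(req, sizeof req, &h))
        printf("type=0x%02x length=%u action=%d\n", h.type, h.length,
               (int)nb_dispatch(req, sizeof req, 65535));
    return 0;
}
```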
I've only tested it with WinXP and Win2K clients against Linux-x86 and ARM. Feel free to download the source and give it a shot. Keep in mind that this should not be run on a machine exposed to the outside world that you care about. There could be security problems with the software. Obviously I'm not too worried if somebody finds a way to remotely execute arbitrary code on my ARM board, but on a real box it could be problematic :)
There is a very simple /etc/fakesmb.dat file that contains the configuration data. The first line is the computer comment and the subsequent lines are share names. So three shares and a computer comment of "100-Acre-Woods" would look something like:
    100-Acre-Woods
    movies
    mp3s
    fun-stuff
Below are some requisite screenshots of the honeypot in action. Here the honeypot has the IP address '192.168.1.50'.
Unfortunately I do not have anything here that will simulate fake files inside the shares. That was my original intention, but the implementation ended up being too complicated. I felt as though I was re-inventing the wheel enough as it was. Basically you get an ambiguous error if you try to map any of these shares to a network drive. Don't try to click, especially not in Win2K, or you run a good chance of crashing explorer.exe >:) WinXP tends to hang, crash explorer or give an error.
A few outstanding things left to do:
- Daemonize the process
- Make logging work (doesn't seem like busybox-syslogd will compile for MMUless ARM)
- Accept multiple concurrent connections
- Run some of the LEDs out to the front or make them light up more
- Figure out what to do with the modem and the second ethernet port
I'm trying to think of some more cool honeypot-like apps I can write for my table lamp; if you have any ideas please feel free to send them to me.