So I wanted to do something which has been done many times before and that was to create an SSH honeypot for some threat intelligence collection purposes. The twist to this is that I want to send the results to MISP and I came across a few hicups along the way. Ive previously blogged about Fail2Ban and it got me thinking, what if I added a secondary action to send the resulting banned ip into MISP.
In my last post I wrote about Installing and Securing NodeRED. The reason behind this was twofold. First, NodeRED is pretty cool and I want to be able to do some more ETL (Extract, Transform, Load) operations for personal projects I want to start on and secondly, I’ve been looking into TheHive webhooks functionality and needed some way to drive it in a way that didn’t require hundreds of lines of bespoke python code.
Warning - Dragons ahead The following post is for educational purposes only. The Lazagne project is a Python based tool that will attempt to extract username and password details from various applications on your Windows, Linux and Mac systems. As such, it would be considered a hacking tool. Portions of this tool have been adapted for use in the Qealler Malware. I decided that i’d run up a test Windows Virtual machine to run this against but can confirm that the tool works equally as well in Linux.
This is the formal end of this series but I wanted to write a quick conclusion peice, so this post is a reflection about this 4 in 1 open source threat and incident response platform and the journey to get there. All the other posts in this series can be found here: Part I - Building TheHive Part II - Setup reverse proxy for TheHive Part III - Building MISP
Fail2Ban is a great piece of software to keep those who would try (and fail) to access your services. It’s easy to setup as well, and can be as complicated as you want. Firstly perform the install by using this command. This will perform the install and create a service so that when you reboot, fail2ban will automatically start. sudo apt install fail2ban The configuration I am going to be performing will be for sshd, however there are stacks of pre-configured jails that can be used, and if it doesn’t have a pre-canned option, if your app has a log file file, then it can be customised accordingly.
Recently I was made aware of a GitHub project by Chris Long named “Detection Lab” which allows blue teams to see what a particular piece of malware does in an environment and conversely allows the red team to see what breadcrumbs their software may leave behind. Its a 4 lab server consisting of: Microsoft Windows AD Server Splunk Logging A Windows Event Forwarding Server Client Win10 machine Based off the back of last weeks CyberGym training and the fact that there are TerraForm templates for this setup, I decided to give this a shot.
Now that I’ve established the blog, I would like to proof of concept a Continuous Integration, Continuous Deployment (CI-CD) pipeline for it. Its something that I know I will be able to utilise in the future and its a valuable skill to be across given that my line of work does include automation and scripting for both personal and professional reasons. Having the code stored in a git repository is the first step to this.