Having a Honeypot in your network can help to alert you to malicious traffic. However, installing and maintaining one can be a bit troublesome, particularly if you haven’t done it before. The complexity only increases if you aren’t familiar with Linux operating systems. I have written a previous blog on the results I received from a Honeypot I set up on my home network which was accessible to the Internet. What I didn’t write about was how long it took me to get it going. I used Dionaea and had it set up in its own subnet. I also had a firewall between it and my network, “just in case.” I turned the Honeypot off after a couple of months and got busy with other things. I wanted to get back to it but I didn’t want to go through all the hassle again.
Enter HoneyDrive3 from Ioannis Koniaris at http://bruteforcelab.com. He has built a Linux Distro with honeypots already built and ready to run. I first learned of the tool in the October issue of the ISSA journal written by Russ McRee.
Rather than covering the tool in detail I would like to document the steps I took to get it up and running on a Hyper-V server. Ioannis has it configured to download in an .ova file format which can be imported into VirtualBox. The hard disk itself is in the .vmdk (VMware) format. Hyper-V uses the .vhd format. Converting the file is straightforward but there are a couple of hurdles. (It would be nice if everybody supported a standard format, but I digress.)
There are two blogs that got me headed in the right direction. The first is http://blog.opensecurityresearch.com/2013/05/setting-up-your-hacking-playground.html. Here, they go into a lot of detail about the problems of converting a guest Linux OS from a .vmdk to a .vhd. I won’t say much about it since they give a very detailed description, but the tool they used successfully, StarWind V2V, didn’t work on HoneyDrive3. The second site I won’t point to because, according to my browser, there is a current XSS attack on the page.
A little background on the conversion process of a .vmdk to a .vhd. Hyper-V has built-in tools that will do the conversion very nicely as long as the guest operating system is a Windows machine. I have used it to convert other servers successfully. The StarWind V2V tool is free and I have used it successfully in the past, but when I tried it on HoneyDrive3 I got the following error:
Invalid file format (10) 
D:\HoneyDrive_3_Royal_Jelly\HoneyDrive_3_Royal_Jelly-disk1.vmdk – Invalid format. EOS marker not found
I found the necessary steps on the second website. We will use the VirtualBox command line tools to do the conversion. It is only one command, but there are some prerequisites.
You can download HoneyDrive here: http://sourceforge.net/projects/honeydrive/
Here are the specs of my systems.
Hyper-V Server 2008 R2 running on an HP ProLiant server as the host.
For VirtualBox I have an i7 laptop with 8 GB of memory. I also have a second box running HoneyDrive on an Intel Core 2 Duo machine. The required specs are really low.
You will need to have VirtualBox installed on a separate computer.
- Download the .ova file and import it into VirtualBox. Then start up the machine. As an aside, you can extract files from .ova by changing the file extension to .tar and using 7-zip to extract them.
- The VirtualBox Guest Additions are installed already. They need to be uninstalled before the conversion, since they are built for VirtualBox and not Hyper-V. The following steps are performed inside HoneyDrive.
- Insert the Guest Additions CD by clicking the Devices menu and selecting Insert Guest Additions CD image.
- Open Terminator in HoneyDrive
- Type ls /media to see the version of Guest Additions. My version is 4.3.8_92456.
- Run the uninstaller from the mounted CD (adjust the directory name to match your version): sudo sh /media/VBOXADDITIONS_4.3.8_92456/VBoxLinuxAdditions.run uninstall
- Shut down the machine normally and close VirtualBox manager. I did not have any snapshots on mine.
- You need to have the VirtualBox Manager opened as an administrator. When I tried it the first time I right-clicked it and selected Run as administrator. It didn’t work and it threw an error. I then opened its properties and selected the box to run as administrator. This worked. Go figure.
- Open VirtualBox Manager as Administrator. It must be open when you run the command below.
- Open a command prompt, also as administrator, and navigate to the VirtualBox installation location.
- In my setup, I copied the HoneyDrive .vmdk to the VirtualBox installation directory so I didn’t have to type a path to it.
- Use this command for the conversion (replace the two bracketed names with the source .vmdk and the .vhd you want created): VBoxManage clonehd --format VHD <honeydrive filename.vmdk> <new name.vhd>
- I had errors with this command before I was running as admin.
- The conversion took less than 10 minutes and came out to about 9 GB.
- Copy the file to your Hyper-V server.
- Depending on your network, you might want to order a pizza
- After you are done eating the pizza your file is probably copied
- On the Hyper-V server create a new VM, but when you get to the part where it asks you to create a new hard disk, select the newly converted hard drive instead. I am assuming the reader has a basic knowledge of Hyper-V. If you have questions let me know.
- Finish the wizard and start up the VM.
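The conversion and copy steps above, wrapped in a PowerShell script I am adding here as an example (this is not from the original post, nor from HoneyDrive or VirtualBox). It checks the prerequisites the post ran into (elevation, VBoxManage.exe present, VirtualBox Manager open), runs the clonehd command, and then records the size and a SHA-256 of the .vhd so you can confirm the file arrived intact after the long copy to the Hyper-V host. The source path is the one from the post’s error message; the target path and the VirtualBox install directory are assumptions you should adjust. Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example: script the VBoxManage clonehd conversion described in the post.
# Run from an elevated PowerShell prompt on the machine where VirtualBox is installed.
param(
    # Source .vmdk taken from the post; the target .vhd name is a placeholder.
    [string]$SourceVmdk = 'D:\HoneyDrive_3_Royal_Jelly\HoneyDrive_3_Royal_Jelly-disk1.vmdk',
    [string]$TargetVhd  = 'D:\HoneyDrive_3_Royal_Jelly\HoneyDrive3.vhd',
    # Assumed default VirtualBox install location; change if yours differs.
    [string]$VBoxDir    = "$env:ProgramFiles\Oracle\VirtualBox"
)

$ErrorActionPreference = 'Stop'

# 1. clonehd failed for the post's author until the prompt was elevated, so check that first.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as administrator) PowerShell prompt.'
}

# 2. Locate VBoxManage.exe instead of changing into the install directory.
$vboxManage = Join-Path $VBoxDir 'VBoxManage.exe'
if (-not (Test-Path $vboxManage)) { throw "VBoxManage.exe not found at $vboxManage" }

# 3. The source must exist and the target must not; clonehd will not overwrite an existing file.
if (-not (Test-Path $SourceVmdk)) { throw "Source disk not found: $SourceVmdk" }
if (Test-Path $TargetVhd) { throw "Target already exists, refusing to overwrite: $TargetVhd" }

# 4. The post found that VirtualBox Manager (VirtualBox.exe) had to be open, as administrator,
#    while the command ran. Warn rather than fail, since your setup may differ.
if (-not (Get-Process -Name VirtualBox -ErrorAction SilentlyContinue)) {
    Write-Warning 'VirtualBox Manager is not running; the post needed it open as administrator during clonehd.'
}

# 5. Do the conversion. --format VHD produces the disk type Hyper-V expects.
& $vboxManage clonehd $SourceVmdk $TargetVhd --format VHD
if ($LASTEXITCODE -ne 0) { throw "VBoxManage clonehd exited with code $LASTEXITCODE" }

# 6. Record size and hash. After copying the .vhd to the Hyper-V host, run
#    Get-FileHash there (or certutil -hashfile <file> SHA256) and compare before creating the VM.
$vhd = Get-Item $TargetVhd
'{0}: {1:N1} GB' -f $vhd.FullName, ($vhd.Length / 1GB)
Get-FileHash -Algorithm SHA256 -Path $TargetVhd | Select-Object Algorithm, Hash
```

On the Hyper-V side this post used the New Virtual Machine wizard on Hyper-V Server 2008 R2, which has no Hyper-V PowerShell module; on Windows Server 2012 and later the same step can be scripted with the Hyper-V module’s New-VM cmdlet and its -VHDPath parameter pointing at the copied .vhd. Keep the firewall between the honeypot subnet and the rest of your network that the post mentions regardless of how the VM is created.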
Contrary to previous IT experiences, this worked the first time I tried it.
Now go to http://bruteforcelab.com for some good reading. If you have a subscription to the ISSA Journal you can use the Toolsmith article in the October issue for a great getting started guide.
Happy hunting, or perhaps, trapping.
Nov 19 2014