WelComeToHoneyPOTWORLD / Investigating low-interaction honeypots

sec-chick
June 30, 2018


4th Honeypotter Technical Exchange Meeting


Transcript

  1. Investigating low-interaction honeypots / WELCOME TO HONEY POT WORLD / 4th Honeypotter Technical Exchange Meeting

  2. Agenda
     1. Self-introduction
     2. What is a honeypot?
     3. The road to becoming a honeypotter
     4. Honeypot survey
     5. Survey results (summary)

  3. Preface
     ▸ This talk reflects my personal opinions and my own investigation.
     ▸ If anything in it is wrong, I would be grateful if you let me know afterwards on Twitter or elsewhere.

  4. Self-introduction
     ▸ Name: sec chick (@one_sec_chick)
     ▸ Work: cybersecurity-related (※ I used to be an analyst in a private SOC)
     ▸ Honeypotter experience: 6 months
     ▸ Honeypot in use: WoWHoneypot

  5. This talk
     ▸ T-Pot's hardware requirements are steep, so for people who want to run a low-interaction honeypot instead, I surveyed what each one is good at.
       ※ Low-interaction: emulates a particular OS or application and monitors what hits it
     ▸ The honeypots surveyed this time: cowrie, dionaea, glastopf, honeytrap, WoW Honeypot
     ▸ My goal for this talk is to produce at least one more honeypotter.

  6. What is a honeypot?
     ▸ A system set up deliberately to be vulnerable so that attackers break in, with the aim of monitoring and analysing their behaviour.
     ▸ Two main kinds exist: low-interaction honeypots, which mostly emulate services, and high-interaction honeypots, which use real applications and operating systems.
     ▸ Reading the logs lets you observe which vulnerabilities attackers exploit and what they are trying to achieve.
  7. What is a honeypot? [diagram] Vulnerable server (Honeypot) ← the attacker launches attacks → the attacks are analysed

  8. The road to becoming a honeypotter ①
     ▸ While browsing a study-group site I came across the word "honeypot".
     ▸ Looking it up: deliberately build a vulnerable environment, let it be attacked, and observe the attack methods. A fascinating idea.
     ▸ It sounded fun, so I decided to become a honeypotter myself.

  9. The road to becoming a honeypotter ②
     ▸ First you have to pick a honeypot, but there are so many kinds that it is hard to know which one.

  10. The road to becoming a honeypotter ③
     ▸ Searching online, a lot of people use T-Pot.
     ▸ T-Pot bundles several honeypots; just installing it lets you observe a wide range of services.

  11. The road to becoming a honeypotter ④
     ▸ I considered building T-Pot at home, but for safety decided to build it on a VPS.
     ▸ Here T-Pot's recommended spec became the bottleneck...
       ※ Even a standard install needs 4 GB of RAM and 64 GB of SSD
     ▸ Below the recommended spec, but for budget reasons I decided to try running it with 2 GB of RAM.
       (Thought bubbles: "Pricing a Sakura VPS at the recommended spec, it is pretty expensive" / "It is not the recommended spec, but will 2 GB of RAM be OK?")

  12. [Reference] Sakura VPS pricing. See: https://vps.sakura.ad.jp/specification/

  13. [Reference] Services on which a honeypot may be set up
     ▸ A fellow honeypotter previously asked each provider whether running a honeypot is permitted; it is allowed in most environments.

     Service | Date of support reply | Allowed? | Notes
     ConoHa | 2017.06.21 | NG | Not a terms-of-service violation, but they are concerned about impact on other customers and ask you to refrain
     Sakura Cloud | 2017.08.10 | OK | Does not fall under the terms of use or the restricted items, so no problem. If it causes trouble for other customers (heavy traffic, the server you use getting listed on external lists of malicious servers, etc.), restrictions may be applied individually
     Sakura VPS | 2017.08.10 | OK | Same as above
     IDCF Cloud | 2017.08.10 | OK | What you run on the cloud is not questioned, so operation is possible. However, if the system is abused by a third party, the terms may apply
     ABLENET VPS | 2017.08.10 | OK | Installing a honeypot is not prohibited, but if it affects other customers' use, usage may be restricted or the contract terminated
     KAGOYA CLOUD/2 | 2017.08.10 | OK | No restriction on running a honeypot, but since the system is expected to be attacked, implement sufficient security measures before operating it
     ServersMan@VPS | 2017.08.10 | OK | No restriction on installed applications, but if judged to fall under Articles 17 or 32 of the terms, restrictions may be applied. Check the prohibited items in the "ServersMan@VPS plan terms of use"
     お名前.com VPS | 2017.08.14 | OK |

     Source: "I checked whether running a honeypot violates the terms of service" (the URL did not survive extraction)

  14. The road to becoming a honeypotter ⑤
     ▸ It ran fine for a few days, but then T-Pot kept stopping with errors.
     ▸ In the end it never ran stably, so I cancelled the contract...
     ▸ Today I run WoWHoneypot, which works on a low-spec machine and lets me monitor HTTP attacks.

  15. Low-interaction HONEYPOT survey
     ▸ Introducing the low-interaction honeypots

  16. GLASTOPF
     ▸ A honeypot specialised in monitoring web attacks
     ▸ Responds to directory traversal and SQL injection with emulated results
  17. GLASTOPF response examples
     ▸ Request example 1
       http://192.168.0.xx/test.php?q=SELECT%20A%20FROM%20B
       Response:
       Invalid query:
       You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SELECT A FROM B' at line 1
     ▸ Request example 2
       http://192.168.0.xx/test.php?a=../../../../../../../etc/passwd
       Response:
       root:x:0:0:root:/root:/bin/bash
       daemon:x:1:1:daemon:/usr/sbin:/bin/sh
       bin:x:2:2:bin:/bin:/bin/sh
       sys:x:3:3:sys:/dev:/bin/sh
       sync:x:4:65534:sync:/bin:/bin/sync
       games:x: ~ (omitted) ~
     ※ Based on the test cases in the GitHub repository:
       https://github.com/mushorg/glastopf/blob/master/glastopf/testing

  18. WOW HONEYPOT
     ▸ A honeypot aimed at monitoring HTTP attacks
     ▸ Replies to the attacker's request with a response that makes the attack look successful
     ▸ Its hunting feature lets you have malware analysed on VirusTotal (samples are not kept)
     ▸ Easy to install (follow the page below)
       https://github.com/morihisa/WOWHoneypot

  19. WOW HONEYPOT [diagram]
     The attacker sends a request to the server → the server's firewall forwards the port (e.g. from one port to another; the port numbers did not survive extraction) → WoWHoneypot decides the response content from the request → the response is returned to the attacker
     Reference: "Introduction to WoWHoneypot, a honeypot for beginners"
       https://speakerdeck.com/morihi_soc/chu-xin-zhe-xiang-kehanihotuto-wowhoneypot-falseshao-jie

  20. WOW HONEYPOT response examples
     ▸ GET /etc/passwd
       Response:
       root:x:0:0:root:/root:/bin/bash
       daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
       ~ (omitted) ~
     ▸ GET /getcfg.php (D-Link)
       Response: DEVICE.ACCOUNT 100 admin 100 adminpass administrators manage
     ▸ POST /wls-wsat/CoordinatorPortType
       Status code: 500
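The request-to-response flow on slides 18 to 20 (keep the whole request, then answer with a canned response that makes the probe look successful) as an added example; this is not WoWHoneypot's own code. The rule table, the canned bodies, the default response and the sample request are constructed for the example; the three paths are the ones shown on slide 20.

```python
"""Request-to-response decision table in the style the WoWHoneypot slides
describe. Added example, not WoWHoneypot's own code: every request is stored
whole, then a first-match rule picks a canned "it worked" response."""
import json
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


# Constructed canned bodies for this example (not taken from any product).
FAKE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
)
FAKE_DLINK_CFG = "DEVICE.ACCOUNT 100 admin 100 adminpass administrators manage\n"

# (method, path regex, status, body); first match wins, checked top to bottom.
RULES = [
    ("GET", r"^/etc/passwd$", 200, FAKE_PASSWD),
    ("GET", r"^/getcfg\.php", 200, FAKE_DLINK_CFG),
    ("POST", r"^/wls-wsat/CoordinatorPortType", 500, "Internal Server Error\n"),
]
# Assumed default: a bland 200 so unrecognised scanners still see a live host.
DEFAULT_RESPONSE = (200, "<html><body>It works!</body></html>\n")


def parse_raw_request(raw: str) -> Request:
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers, body)


def decide_response(req: Request) -> tuple:
    """Pick (status, body) from the first rule whose method and path regex match."""
    for method, pattern, status, body in RULES:
        if req.method == method and re.search(pattern, req.path):
            return status, body
    return DEFAULT_RESPONSE


def handle(raw: str, src_ip: str) -> tuple:
    """Return (JSON log record, response bytes) for one raw request.

    The record keeps the whole request (headers and body), which is what makes
    the log useful later for analysing what the attacker actually sent.
    """
    req = parse_raw_request(raw)
    status, body = decide_response(req)
    record = json.dumps({
        "src": src_ip, "method": req.method, "path": req.path,
        "headers": req.headers, "body": req.body, "status": status,
    }, sort_keys=True)
    reason = "OK" if status == 200 else "Internal Server Error"
    response = (
        f"HTTP/1.1 {status} {reason}\r\n"
        f"Content-Length: {len(body.encode())}\r\n\r\n{body}"
    )
    return record, response.encode()


# Constructed sample request: a probe for the D-Link config path (slide 20).
SAMPLE_REQUEST = (
    "GET /getcfg.php?a=b HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: probe\r\n\r\n"
)

if __name__ == "__main__":
    rec, resp = handle(SAMPLE_REQUEST, "203.0.113.5")
    print(rec)
    print(resp.decode())
```

The design point is the separation: the log record is written from the parsed request before any rule runs, so an unmatched or malformed probe is still captured in full, and the response table stays a small, reviewable list.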
  21. COWRIE
     ▸ A honeypot aimed at monitoring SSH and Telnet
     ▸ Records the commands attackers type and can replay them
     ▸ Saves the files attackers download onto the honeypot

  22. COWRIE
     ▸ Log (/log/cowrie-textlog.log)
       2018-06-21T06:20:11.790706Z login attempt [sec_chick/aaaaaa] failed
       2018-06-21T06:20:15.884342Z login attempt [sec_chick/bbbbb] failed
       2018-06-21T06:20:18.976004Z login attempt [sec_chick/cccccc] succeeded
       2018-06-21T06:20:19.466336Z Terminal Size: 24 80
       2018-06-21T06:20:19.467874Z request_env: LANG=ja_JP.UTF-8
       2018-06-21T06:20:19.470091Z Opening TTY Log: log/tty/20180621-062019-758689600833-0i.log
       2018-06-21T06:20:33.007909Z CMD: ls
       2018-06-21T06:20:33.020759Z Command found: ls
       2018-06-21T06:20:49.834860Z CMD: wget www[.]yahoo.co.jp
       2018-06-21T06:20:49.839532Z Command found: wget www[.]yahoo.co.jp
       2018-06-21T06:20:49.937292Z Downloaded URL (http://www[.]yahoo.co.jp) with SHA-256 bbede94bcf9ab5fbc4469b382335449ebf2499595ffc84b64eb492faa79b35e1 to dl/bbede94bcf9ab5fbc4469b382335449ebf2499595ffc84b64eb492faa79b35e1

  23. COWRIE at login
     ▸ Log at login time
       login attempt [sec_chick/aaaaaa] failed
       login attempt [sec_chick/bbbbb] failed
       login attempt [sec_chick/cccccc] succeeded
     ▸ It deliberately makes the login fail a few times before letting it succeed
       ※ The login succeeded on the 3rd attempt
     ▸ The login phase collects usernames and passwords

  24. COWRIE after login
     ▸ Log after login
       CMD: ls
       Command found: ls
       CMD: wget www.yahoo.co.jp
       Command found: wget www[.]yahoo.co.jp
       Downloaded URL (http://www[.]yahoo.co.jp) with SHA-256 bbede94bcf9ab5fbc4469b382335449ebf ~ (omitted) ~
     ▸ After a successful login you can see which commands the attacker ran
     ▸ Downloaded files are saved, so they can be examined later
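A triage parser for the cowrie text log lines on slides 22 to 24, as an added example that is not cowrie's own code. It extracts login attempts (credentials and outcome), executed commands and downloads with their SHA-256, and counts how many logins failed before the first success, which is the "succeeded on the 3rd attempt" behaviour slide 23 points out. The sample log is the one from slide 22, with the wrapped TTY-log and download paths joined back into single tokens.

```python
"""Triage parser for cowrie's text log. Added example, not cowrie's own code:
pulls out login attempts, executed commands and downloads, and counts how many
logins failed before the first success."""
import re

# Sample lines from slide 22 (two wrapped paths joined back together).
SAMPLE_LOG = """\
2018-06-21T06:20:11.790706Z login attempt [sec_chick/aaaaaa] failed
2018-06-21T06:20:15.884342Z login attempt [sec_chick/bbbbb] failed
2018-06-21T06:20:18.976004Z login attempt [sec_chick/cccccc] succeeded
2018-06-21T06:20:19.466336Z Terminal Size: 24 80
2018-06-21T06:20:19.467874Z request_env: LANG=ja_JP.UTF-8
2018-06-21T06:20:19.470091Z Opening TTY Log: log/tty/20180621-062019-758689600833-0i.log
2018-06-21T06:20:33.007909Z CMD: ls
2018-06-21T06:20:33.020759Z Command found: ls
2018-06-21T06:20:49.834860Z CMD: wget www[.]yahoo.co.jp
2018-06-21T06:20:49.839532Z Command found: wget www[.]yahoo.co.jp
2018-06-21T06:20:49.937292Z Downloaded URL (http://www[.]yahoo.co.jp) with SHA-256 bbede94bcf9ab5fbc4469b382335449ebf2499595ffc84b64eb492faa79b35e1 to dl/bbede94bcf9ab5fbc4469b382335449ebf2499595ffc84b64eb492faa79b35e1
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+Z)"
LOGIN_RE = re.compile(
    TS + r" login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>failed|succeeded)$"
)
CMD_RE = re.compile(TS + r" CMD: (?P<cmd>.*)$")
DOWNLOAD_RE = re.compile(
    TS + r" Downloaded URL \((?P<url>[^)]+)\) with SHA-256 (?P<sha256>[0-9a-f]{64}) to (?P<path>\S+)$"
)


def failed_before_success(logins: list) -> "int | None":
    """Number of failed attempts preceding the first successful login.

    Returns None when the log has no successful login at all.
    """
    failed = 0
    for entry in logins:
        if entry["ok"]:
            return failed
        failed += 1
    return None


def parse_cowrie_log(text: str) -> dict:
    """Walk the text log once and collect logins, commands and downloads."""
    logins, commands, downloads = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := LOGIN_RE.match(line):
            logins.append({"ts": m["ts"], "user": m["user"],
                           "password": m["password"],
                           "ok": m["result"] == "succeeded"})
        elif m := CMD_RE.match(line):
            commands.append(m["cmd"])
        elif m := DOWNLOAD_RE.match(line):
            # The SHA-256 doubles as the file name under dl/, so it is the key
            # to look the saved sample up later.
            downloads.append({"ts": m["ts"], "url": m["url"],
                              "sha256": m["sha256"], "path": m["path"]})
    return {
        "logins": logins,
        "commands": commands,
        "downloads": downloads,
        "failed_before_success": failed_before_success(logins),
    }


if __name__ == "__main__":
    result = parse_cowrie_log(SAMPLE_LOG)
    for login in result["logins"]:
        print("login", login["user"], login["password"], "ok" if login["ok"] else "failed")
    print("commands:", result["commands"])
    print("downloads:", [(d["url"], d["sha256"][:12]) for d in result["downloads"]])
    print("failed before success:", result["failed_before_success"])
```

Because the download record keeps both the URL and the hash, the same parser can feed a lookup of the saved sample under dl/ or a hash check against a threat-intelligence source without re-reading the log.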
  25. DIONAEA
     ▸ A honeypot aimed at capturing malware that targets vulnerabilities in services running on the network
     ▸ Can monitor attacks on a wide range of services (16 kinds) such as FTP, HTTP, MySQL and SMB
     ▸ Captured malware is saved to a directory

  26. DIONAEA
     ▸ The following services can be monitored on dionaea

     Name | Service | Port | Protocol
     Blackhole | telnet | 23 | tcp
     DNS | | 53 | tcp,udp
     NTP | | 123 | udp
     EPMAP | SMB | 135 | tcp
     FTP | FTP | 21 | tcp
     HTTP | HTTP | 80 | tcp
     Memcache | memcache | 11211 | tcp
     mirror | mirror | 42 | tcp
     MongoDB | MongoDB | 27017 | tcp
     mqtt | MQ Telemetry Transport | 1883 | tcp
     MSSQL | MSSQL | 1433 | tcp
     MYSQL | MYSQL | 3306 | tcp
     PPTP | PPTP | 1723 | tcp
     SIP (VoIP) | SIP | 5060 | tcp
     SIP (VoIP) | SIP over TLS | 5061 | tcp
     SIP (VoIP) | SIP | 5060 | udp
     SMB | SMB | 445 | tcp
     TFTP | TFTP | 69 | udp
     UPnP | UPnP | 1900 | udp

  27. DIONAEA display example (HTTP)
     ▸ By default a "Directory listing for" page is shown

  28. DIONAEA display example (FTP)
     ▸ What an FTP connection looks like
       220 FTP server ready.
       USER sec_chick
       331 Password required for sec_chick.
       PASS password
       230 User logged in, proceed
       pwd
       257 "/"
       help
       502 Command 'HELP' not implemented

  29. HONEYTRAP
     ▸ A honeypot that can monitor a wide range of services
     ▸ Logs TCP and UDP traffic
       ※ Packets are handed to NFQUEUE and Honeytrap processes them
     ▸ Can return fixed responses for the major protocols
     ▸ Because it is not limited to particular services, it can observe a wide variety of attacks

  30. HONEYTRAP response examples
     ▸ FTP
       220 Welcome to localhost
     ▸ SMTP
       250 localhost ESMTP Postfix
     ▸ MYSQL
       4.0.24_Debian-10sarge1-logu3;n:u`b,
  31. Summary of each honeypot

     Honeypot | Overview | Information obtainable
     glastopf | ・A honeypot aimed at monitoring attacks over the web ・Returns vulnerable-looking responses to directory traversal and SQL injection ・Captures the body of POST requests | ・Contents of HTTP requests
     WoWHoneypot | ・A honeypot aimed at monitoring HTTP attacks ・Stores the whole HTTP request ・Replies to the attacker's request with a response that makes the attack look successful ・Its hunting feature can hand malware to VirusTotal (samples are not kept) ・Easy to install | ・Contents of HTTP requests ・The URLs malware is fetched from

     ▸ For an HTTP honeypot, glastopf or WoWHoneypot is recommended

  32. Summary of each honeypot

     Honeypot | Overview | Information obtainable
     cowrie | ・A honeypot aimed at monitoring SSH and Telnet ・Records the intruder's commands and can replay them ・Saves the files the intruder downloads onto the honeypot | ・Usernames and passwords used over SSH and Telnet ・Commands entered after login ・Files downloaded with wget or curl
     dionaea | ・A honeypot aimed at capturing malware that targets vulnerabilities in services running on the network ・Covers a wide range of services (16 kinds) such as FTP, HTTP, MySQL and SMB ・Malware planted by the intruder can be examined later | ・Traffic to the running services ・The malware that was dropped
     honeytrap | ・Can monitor a wide range of services (detected traffic on the most ports in this test) ・The actual traffic contents can also be inspected ・Returns simple responses on the major ports | ・Traffic addressed to honeytrap

     ▸ For anything other than HTTP, cowrie, dionaea and honeytrap are recommended

  33. Survey results (summary)
     ▸ I surveyed low-interaction honeypots
     ▸ Low-interaction honeypots come in several kinds, so choose one according to the attacks you want to observe!
     ▸ If you have money to spare, running T-Pot is also an option
     ▸ Besides blogs and books, the Dockerfiles are a useful guide to installing a low-interaction honeypot (they show exactly which commands to run)
     ▸ I would be happy if this talk produces even one more honeypotter!!!

  34. The end
     ▸ Thank you for listening!!!

  35. Reference URLs
     ▸ GitHub
       https://github.com/dtag-dev-sec/tpotce
       https://github.com/micheloosterhof/cowrie
       https://github.com/dinotools/dionaea
       https://github.com/mushorg/glastopf
       https://github.com/armedpot/honeytrap
       https://github.com/morihisa/WOWHoneypot

  36. Reference URLs
     ▸ www.morihi-soc.net
       http://www.morihi-soc.net/
       https://speakerdeck.com/morihi_soc/chu-xin-zhe-xiang-kehanihotuto-wowhoneypot-falseshao-jie
     ▸ HONEYPOT運用日記 (Honeypot operation diary)
       https://blog.n-etupirka.net/
     ▸ サイバーセキュリティはじめました (I started doing cybersecurity)
       https://tk-secu.hateblo.jp/
     ▸ Misc notes
       https://fatsheep.hateblo.jp/
     ▸ nanka iroiro
       http://waaai-tanoshiiiii.hatenablog.com/
     ▸ Many other honeypotters' blogs were also used as references

  37. Reference books
     ▸ 家計にやさしいハニーポット入門 (A budget-friendly introduction to honeypots)
       Author: にほんもんが
       Purchase URL: https://booth.pm/ja/items/663689
     ▸ WOWHoneypotの遊びかた (How to play with WOWHoneypot)
       Author: morihi-soc
       Purchase URL: https://booth.pm/ja/items/824586