Amun: Python Honeypot


Writing Amun Vulnerability Modules

There are two ways of writing vulnerability modules for the Amun honeypot. The first is to code the module directly in Python; the second is to use the XML-to-vulnerability function. The second method can be used to build simple vulnerability modules, or to quickly create the basis for a more complex module whose remaining parts are then written directly in Python.
We will take a look at the easy way first: XML to Vulnerability

Switch to the utils directory of your Amun honeypot installation (e.g. /opt/amun/utils/). Here you will find a directory named xml_vuln_creator, which holds the tool that transforms XML files into vulnerability modules (vuln_creator.py) as well as some example XML files.

Let's start with a simple example, the ARCserve Backup Agent vulnerability. The directory already contains an XML file named xml_arc.xml, which contains all the information necessary to create a vulnerability module.
The content of the XML file is as follows:

    <Vulnerability>
        <Init>
            <Name>ARC</Name>
            <Stages>0</Stages>
            <WelcomeMess></WelcomeMess>
            <Ports>
                <Port>6070</Port>
            </Ports>
            <DefaultReply>random</DefaultReply>
        </Init>
    </Vulnerability>

Now for the details. Every vulnerability XML contains the main container <Vulnerability>, which encloses all other attributes and parameters. The first container inside it is named <Init> and defines some necessary parameters: the short name of the vulnerability, in this case ARC, and the number of stages, not counting the last stage, since the last one is always there, in this case zero. The <WelcomeMess> can contain a banner for a service; everything placed here will be displayed to the attacker when connecting to the service. Next is the <Ports> section, where you can define the ports on which the module is listening. This is currently not really used, as one still has to manually add a new vulnerability to the amun.conf file and list the ports there again. A future version will create the amun.conf entry automatically, which is why this option is already included. The <DefaultReply> section can contain, for example, a string or whatever you want your vulnerability module to reply by default. The keyword random sets the default reply to random numbers of 510 bytes length, plus the carriage return and newline at the end.

As our sample does not have any other stages except the one to collect shellcode, there is no need to define anything else except the <Init> section.
To build your new vulnerability module, run the following: ./vuln_creator.py -f xml_arc.xml. The result will be two new files in the same directory, namely arc_modul.py and arc_shellcodes.py. Now switch to the vuln_modules directory and create a new subdirectory named vuln-arc. The directory name must contain the name of the vulnerability just as it was defined in the XML, but in lowercase; otherwise Amun will fail to load the file. Copy the arc_modul.py and arc_shellcodes.py files to the new directory.

Finally, you need to adjust your amun.conf file. Add the directory name to the vuln-modules list and create a new entry at the end of the file named vuln-arc: 6070. This is where you need to define the port(s) for the vulnerability to listen on. If it uses more than one port, separate the ports with commas. As Amun automatically checks the config file for changes, your new vulnerability module should be loaded within the next few minutes.
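
The naming rules above can be checked before anything is copied into place. The following is an added example and not part of Amun or of vuln_creator.py: a hypothetical helper, plan_deployment, that validates the <Init> section and derives the lowercase directory name, the two file names and the amun.conf entry. It assumes the generated file names always follow the arc_modul.py / arc_shellcodes.py pattern and that the short name is alphanumeric.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the xml_arc.xml definition shown above.
SAMPLE_XML = """<Vulnerability>
  <Init>
    <Name>ARC</Name>
    <Stages>0</Stages>
    <WelcomeMess></WelcomeMess>
    <Ports>
      <Port>6070</Port>
    </Ports>
    <DefaultReply>random</DefaultReply>
  </Init>
</Vulnerability>"""


def plan_deployment(xml_text):
    """Validate <Init> and derive the directory, files and amun.conf entry."""
    root = ET.fromstring(xml_text)
    if root.tag != "Vulnerability":
        raise ValueError("root element must be <Vulnerability>")
    init = root.find("Init")
    if init is None:
        raise ValueError("missing <Init> section")
    # Assumption: restrict the short name to alphanumerics so that it is
    # safe to use as part of a directory and file name.
    name = (init.findtext("Name") or "").strip()
    if not name.isalnum():
        raise ValueError("<Name> must be a non-empty alphanumeric short name")
    stages = (init.findtext("Stages") or "").strip()
    if not stages.isdecimal():
        raise ValueError("<Stages> must be a non-negative integer")
    ports = []
    for port in init.findall("Ports/Port"):
        text = (port.text or "").strip()
        if not text.isdecimal() or not 1 <= int(text) <= 65535:
            raise ValueError("invalid <Port>: %r" % text)
        ports.append(int(text))
    if not ports:
        raise ValueError("at least one <Port> is required")
    lower = name.lower()  # the module directory must use the lowercase name
    return {
        "stages": int(stages),
        "directory": "vuln-" + lower,
        # Assumption: file names follow the pattern of the ARC example.
        "files": [lower + "_modul.py", lower + "_shellcodes.py"],
        "conf_entry": "vuln-%s: %s" % (lower, ",".join(map(str, ports))),
    }
```

For the sample definition this yields the directory vuln-arc and the entry vuln-arc: 6070; a definition with several <Port> elements produces a comma-separated port list.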

To be continued with a more complex example...

Amun - "the concealed":

Man with a high feather crown - originally a god of wind, but he was raised to being one of the mightiest gods in Egypt.