Ad-Honeypot-Autodeploy – Deploy A Small, Intentionally Insecure, Vulnerable Windows Domain For RDP Honeypot Fully Automatically
Deploy a small, intentionally insecure, vulnerable Windows Domain for RDP Honeypot fully automatically.
Runs on self-hosted
The images should be ready in a reasonable time (~20-30 mins, depending on your host's hardware).
Terraform
Now the infrastructure can be deployed using Terraform.
Get Terraform (>=0.13) if you do not have it (look at the install methods at Packer, above).
After a short time (~2-3 mins), the network and virtual machines are up and running.
WARNING: You should take care of protecting your private network. The terraform config (main.tf) provided here just contains a custom firewall rule for my own testing environment (blocking 192.168.0.0/16 destination traffic from the 192.168.3.0/24 honeypot network).
Next is the configuration phase.
Ansible
Get into the ansible folder:
cd ../ansible
The recommended installation method is the latest Ansible plus the required additional dependencies in a Python venv:
python3 -m venv venv
. ./venv/bin/activate
pip install ansible pywinrm faker
For later use, just activate the venv by:
. ./venv/bin/activate
And when it is not needed anymore in your current session, just deactivate it:
deactivate
You should put an SSH public key with filename id.pub into the ansible folder for accessing the Ubuntu Graylog machine with the ubuntu user (ansible will add it to ~ubuntu/.ssh/authorized_keys).
The wordlist.txt file contains some (intentionally weak) passwords for the populated domain users; it can be customized.
Run the configuration phase:
ansible-playbook -i hosts setup-domain.yml -v
After 20-25 mins everything is ready.
The deployed system
hostname | ip address | operating system | role |
---|---|---|---|
dc1 | 192.168.3.100 | Windows Server 2016 | Domain Controller |
desktop12 | 192.168.3.112 | Windows 10 (version 2004) | Domain Member Workstation |
graylog | 192.168.3.191 | Ubuntu 18.04 LTS | Graylog Server |
Because of the libvirt network configuration (NAT), the hosts can access the public internet (if your host system allows it).
The hosts are reachable through the host system. In practice, an SSH SOCKS tunnel plus proxychains is a comfortable way to get RDP or WinRM access.
For example, if your libvirt host IP is 192.168.0.10, create a SOCKS tunnel listening on localhost:5000 by:
ssh 192.168.0.10 -D5000 -NTv
And access the Windows 10 desktop (using an appropriate /etc/proxychains.conf configured for the :5000 tunnel):
proxychains xfreerdp /v:192.168.3.112 /u:administrator
Or, access the Graylog web interface listening on :9000 locally on the Graylog Ubuntu server via SSH ProxyJump and a local forward tunnel:
ssh -J 192.168.0.10 ubuntu@192.168.3.191 -NTv -L9000:127.0.0.1:9000
Then open the URL http://localhost:9000 and you reach the Graylog web interface.
For activating the RDP honeypot, just allow public access to 192.168.3.112:3389 (for example with a port forwarding configuration on your router and iptables rules on the host machine; my helper script is rdp_public.sh) and keep watching Graylog. 😉
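To make "keep watching Graylog" concrete, here is an added example (not part of the Ad-Honeypot-Autodeploy project) that summarises RDP logon activity from messages exported from Graylog as JSON lines: failed logons per source address, the usernames each source tried, and any successful RDP logon from an address that had failed before. It assumes the forwarded Windows Security events expose the fields EventID, IpAddress, TargetUserName and LogonType under those names (an assumption; adjust them to your log shipper's field names). The sample messages embedded in the script are constructed, not real honeypot data.

```python
"""Summarise RDP logon activity from messages exported from Graylog.

Added example, not part of the Ad-Honeypot-Autodeploy project. Field names
(EventID, IpAddress, TargetUserName, LogonType) are an assumption about how
the Windows Security events arrive in Graylog; adjust to your shipper.
"""
import json
from collections import Counter, defaultdict

# Constructed sample of Graylog-exported messages (not real honeypot data).
# The last line is deliberately malformed to show that junk is skipped.
SAMPLE_EXPORT = """
{"timestamp":"2021-01-10T08:00:01Z","EventID":4625,"IpAddress":"203.0.113.7","TargetUserName":"administrator","LogonType":10}
{"timestamp":"2021-01-10T08:00:03Z","EventID":4625,"IpAddress":"203.0.113.7","TargetUserName":"admin","LogonType":10}
{"timestamp":"2021-01-10T08:00:05Z","EventID":4625,"IpAddress":"203.0.113.7","TargetUserName":"user","LogonType":10}
{"timestamp":"2021-01-10T08:00:09Z","EventID":4625,"IpAddress":"203.0.113.7","TargetUserName":"test","LogonType":10}
{"timestamp":"2021-01-10T08:01:00Z","EventID":4625,"IpAddress":"198.51.100.23","TargetUserName":"administrator","LogonType":10}
{"timestamp":"2021-01-10T08:02:00Z","EventID":4624,"IpAddress":"198.51.100.23","TargetUserName":"jsmith","LogonType":10}
{"timestamp":"2021-01-10T08:03:00Z","EventID":4624,"IpAddress":"192.168.3.100","TargetUserName":"dc1$","LogonType":3}
not json at all
"""

FAILED_LOGON = 4625        # Windows Security: an account failed to log on
SUCCESSFUL_LOGON = 4624    # Windows Security: an account was successfully logged on
REMOTE_INTERACTIVE = 10    # LogonType 10 = RDP (RemoteInteractive)


def parse_messages(text):
    """Yield a dict for each well-formed JSON line, silently skipping junk."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(msg, dict):
            yield msg


def summarise_rdp(text, fail_threshold=3):
    """Return per-source RDP statistics and the sources worth a closer look.

    Only LogonType 10 events are counted, so domain-internal network logons
    (e.g. the DC's own LogonType 3 events) do not pollute the honeypot view.
    """
    failures = Counter()
    usernames = defaultdict(set)
    successes = []
    for msg in parse_messages(text):
        if msg.get("LogonType") != REMOTE_INTERACTIVE:
            continue
        ip = msg.get("IpAddress", "-")
        user = msg.get("TargetUserName", "")
        event = msg.get("EventID")
        if event == FAILED_LOGON:
            failures[ip] += 1
            usernames[ip].add(user)
        elif event == SUCCESSFUL_LOGON:
            successes.append((ip, user))
    brute_force = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    # A success from an address that failed earlier is the most interesting case:
    # on an intentionally weak domain it usually means a password guess landed.
    success_after_failure = sorted({ip for ip, _ in successes if failures[ip] > 0})
    return {
        "failures": dict(failures),
        "usernames": {ip: sorted(users) for ip, users in usernames.items()},
        "successes": successes,
        "brute_force_sources": brute_force,
        "success_after_failure": success_after_failure,
    }


if __name__ == "__main__":
    report = summarise_rdp(SAMPLE_EXPORT)
    for ip in report["brute_force_sources"]:
        print(f"{ip}: {report['failures'][ip]} failed RDP logons, "
              f"users tried: {report['usernames'][ip]}")
    for ip in report["success_after_failure"]:
        print(f"{ip}: successful RDP logon after earlier failures")
```

Feed it a file exported from a Graylog search (one JSON message per line) instead of SAMPLE_EXPORT; the threshold of three failures is a starting point for a honeypot, where any volume of guessing is noteworthy, and can be raised for noisier environments.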