Introduction and simple test of HFish honeypot (2)

Table of contents

1. Instructions for use of HFish

1.1. Deployment model

1.2. Add/delete nodes

default node

new node

delete node

1.3. Add/delete honeypots

Modify the honeypot service directly

Create a template and apply it to multiple nodes 

1.4. View attacks

2. Uninstall

2.1. Uninstall the Linux management terminal

2.2. Uninstall the Windows management terminal

2.3. Uninstall the Linux node

2.4. Uninstall the Windows node


1. Instructions for use of HFish

1.1. Deployment model

Basic structure of HFish

HFish consists of a management terminal (server) and node terminals (clients). The management terminal generates and manages the nodes, and receives, analyses and displays the data they report back. A node is controlled by the management terminal and is responsible for running the honeypot services.

HFish module relationship diagram

Converged in the enterprise network

1.2. Add/delete nodes

default node

After the HFish management terminal is installed, a node is created by default on the same machine as the management terminal, named "built-in node".

This node opens a set of services by default: FTP, SSH, Telnet, a Zabbix monitoring system honeypot, an Nginx honeypot, a MySQL honeypot, a Redis honeypot, an HTTP proxy honeypot, an ElasticSearch honeypot and general TCP port monitoring.

Note: this node cannot be deleted, but it can be paused.

new node

Open the [Node Management] page and click [Add Node].

Select the installation package and connection address that match the device type of the node.

Run the generated command, or the installation package, on the node machine to deploy the node.

Nodes can be added in two ways: command-line installation, where a command is run on the target node to install it online, and account/password installation, where the credentials of the target node are handed to the management terminal so that it installs the node remotely. This time the command-line method is used on a Windows node.

On Windows, an installation package is generated and downloaded to the target node. Double-clicking the installer pops up a dialog reporting that the installation succeeded, after which the corresponding scheduled task is added to the system.

The installation log and running log can be checked in setup.log and the hfishclient log files. Normally, refreshing Node Management on the management page now shows the new node.

After the node reboots, the client process starts automatically, but an error shows up in client.log:

2023-03-22 11:02:32.603 [WARN] scan.go:44: find all device err: couldn't load wpcap.dll

The official docs explain:

Note: scan awareness on Windows nodes depends on WinPcap, which has to be downloaded and installed manually!

WinPcap official link: https://www.winpcap.org/install/bin/WinPcap_4_1_3.exe

In my own test I used Npcap instead. A reboot is required after the installation, and scan awareness only starts working after that restart. (WinPcap 4.1.3 is no longer maintained; when Npcap is installed in its WinPcap API-compatible mode it provides the wpcap.dll that programs written against WinPcap look for.)

Scan awareness:

Shows full port-scan detection for HFish honeypot nodes over three protocols: TCP, UDP and ICMP.

HFish records scanning behaviour even against ports the node does not have open. It also records outbound connections made by the node host itself.
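The script below is an added example (my own code, not HFish's) for the two points above. The first function reads client.log and reports whether packet capture loaded at all: a Windows node without WinPcap/Npcap stays "online" and keeps reporting, but silently records no scans, so this is the check to run before trusting scan-awareness data. The other two functions summarise connection records the way a scan-awareness view would, flagging sources that touch many distinct destination ports (closed ones included) and listing connections initiated by the node host itself. The CSV record format (epoch,src_ip,dst_ip,dst_port,proto) and all sample data are constructed assumptions, not an HFish export format.

```shell
#!/usr/bin/env bash
# Added example, not HFish code. Checks that the node's packet capture
# actually loaded, then summarises connection records as a scan-awareness
# view would. Record format (epoch,src_ip,dst_ip,dst_port,proto) and the
# sample data are assumptions, not an HFish export.
set -u

# capture_loaded LOG: returns 1 if client.log shows the wpcap.dll load
# failure seen in the post; the node is still "online" in that state but
# records no scans, so check this before trusting scan-awareness data.
capture_loaded() {
  if grep -q "couldn't load wpcap.dll" "$1"; then
    return 1
  fi
  return 0
}

# flag_scanners RECORDS THRESHOLD: print "src_ip n" for every source that
# touched at least THRESHOLD distinct destination ports (closed ports count
# too, which is the point of scan awareness), highest count first.
flag_scanners() {
  awk -F, -v thr="$2" '
    /^[0-9]/ {
      key = $2 SUBSEP $4
      if (!(key in seen)) { seen[key] = 1; ports[$2]++ }
    }
    END { for (ip in ports) if (ports[ip] >= thr) print ip, ports[ip] }
  ' "$1" | sort -k2,2nr -k1,1
}

# outbound NODE_IP RECORDS: connections initiated by the node host itself.
# HFish records these as well; a honeypot node calling out is a red flag.
outbound() {
  awk -F, -v me="$1" '$2 == me { print $3 ":" $4 "/" $5 }' "$2" | sort -u
}

write_samples() {  # constructed data standing in for client.log and a capture
  cat > "$1/bad.log" <<'EOF'
2023-03-22 11:02:31.100 [INFO] main.go:80: client started
2023-03-22 11:02:32.603 [WARN] scan.go:44: find all device err: couldn't load wpcap.dll
EOF
  cat > "$1/good.log" <<'EOF'
2023-03-22 11:20:05.412 [INFO] main.go:80: client started
EOF
  cat > "$1/conn.csv" <<'EOF'
1679454152,10.0.0.9,10.0.0.5,22,tcp
1679454153,10.0.0.9,10.0.0.5,23,tcp
1679454154,10.0.0.9,10.0.0.5,80,tcp
1679454155,10.0.0.9,10.0.0.5,3306,tcp
1679454156,10.0.0.9,10.0.0.5,6379,tcp
1679454157,10.0.0.9,10.0.0.5,22,tcp
1679454160,10.0.0.7,10.0.0.5,22,tcp
1679454161,10.0.0.5,203.0.113.10,443,tcp
EOF
}

demo() {
  local tmp; tmp=$(mktemp -d)
  write_samples "$tmp"
  for log in bad.log good.log; do
    if capture_loaded "$tmp/$log"; then
      echo "$log: capture loaded, scan data is usable"
    else
      echo "$log: wpcap.dll not loaded, scan awareness is blind"
    fi
  done
  echo "-- sources touching >= 5 distinct ports --"
  flag_scanners "$tmp/conn.csv" 5
  echo "-- outbound connections from node 10.0.0.5 --"
  outbound 10.0.0.5 "$tmp/conn.csv"
  rm -rf "$tmp"
}
demo
```

Point capture_loaded at the real client.log on the node after every reboot; a node that answers the management terminal but logs the wpcap warning looks healthy in the UI while its scan-awareness page stays empty.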

          

delete node

Open the [Node Management] page, find the node to be deleted in the node list and click [Delete] on its right. HFish asks you to confirm your administrator identity a second time; after you enter the admin password the node is deleted.

After the node is deleted:

  • The node-side process exits automatically, but the program files remain in their original path and must be deleted manually.
  • No attack data is lost; it can still be viewed under All Data.

1.3. Add/delete honeypots

After adding a node, you can configure the node to deploy various honeypot services. HFish provides two ways to configure node services.

Modify the honeypot service directly

This method quickly modifies the honeypot services on a single node:

Click a single node to add and delete services on it directly (you can also apply or modify a built-in template).


Create a template and apply it to multiple nodes 

Honeypot templates let you manage many nodes at once and change honeypot services in batches, that is, apply one set of services to multiple nodes. The steps are as follows:

Open the [Template Management] page, click [New Template], enter the template name, select the honeypot services, fill in the description and click [OK] to save.

Open the [Node Management] page, expand the specific node and select the honeypot template created above.

Wait for the honeypot service status to change to [Enabled] after the template is applied. Note: at this point the honeypot has not actually been deployed yet.

Once the node has finished loading the template, the service status should be [Online]. If it shows [Offline], the honeypot service did not start properly; hover over the question mark to see the hint, or refer to the later [Troubleshooting] section.

1.4. View attacks

HFish currently provides four pages for viewing attack information: attack list, scan awareness, attack source and account assets.

The four functions cover four different attack-data scenarios:

Function | What it collects | How it works
---|---|---
attack list | All attacks on honeypots | After a node deploys a honeypot, every attacker interaction with that honeypot is recorded in the attack list.
scan awareness | All connection information on the node machine's network cards | After the node is generated, HFish records connections to all of the node's network cards, including the visiting IP, the connected IP and the port.
attack source | IP information of everything that connected to or attacked a node | Every IP that attempted to connect to or attack a node is recorded under attack source; if honeypot tracing and countermeasures succeed, that information is recorded here too.
account assets | All account/password pairs attackers used to crack honeypots | HFish extracts the account and password used to log in to SSH and all Web honeypots and displays them in one place. Users can also define a monitoring vocabulary (employee names, company names, etc.); when an attacker's account matches a term, it is highlighted and an alert is raised.
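An added example (my own script, not HFish code) of the monitoring-vocabulary idea from the account-assets row: credentials captured by honeypots are matched case-insensitively against a watchlist of internal names, which is the signal that an attacker has done homework on the organisation rather than spraying a generic list, and password reuse across honeypots is counted to tell credential-stuffing lists from targeted guesses. The CSV export format (time,src_ip,honeypot,username,password), the sample credentials and the watchlist terms are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not HFish code: the "monitoring vocabulary" idea from the
# account-assets view, applied offline to a constructed credential export.
# Input format (assumed): time,src_ip,honeypot,username,password
# Watchlist: one term per line (employee names, company names, ...).
set -u

# match_watchlist CREDS WATCHLIST: print "src_ip honeypot user pass term"
# for every credential whose username or password contains a watchlist
# term (case-insensitive). Output is sorted so it is stable for diffing.
match_watchlist() {
  awk -F, -v wl="$2" '
    BEGIN {
      while ((getline term < wl) > 0) {
        if (term != "") terms[tolower(term)] = term
      }
      close(wl)
    }
    /^[0-9]/ {
      u = tolower($4); p = tolower($5)
      for (t in terms) {
        if (index(u, t) > 0 || index(p, t) > 0) print $2, $3, $4, $5, terms[t]
      }
    }
  ' "$1" | sort
}

# top_passwords CREDS N: the N most-reused passwords across all honeypots.
top_passwords() {
  awk -F, '/^[0-9]/ { c[$5]++ } END { for (p in c) print c[p], p }' "$1" \
    | sort -k1,1nr -k2,2 | head -n "$2"
}

write_samples() {  # constructed data, not real captures
  cat > "$1/creds.csv" <<'EOF'
1679454200,198.51.100.4,ssh,root,123456
1679454201,198.51.100.4,ssh,root,admin
1679454202,198.51.100.4,ssh,admin,123456
1679454203,203.0.113.8,web,zhangsan,Acme2023!
1679454204,203.0.113.8,ssh,root,acme
1679454205,203.0.113.9,mysql,root,123456
EOF
  cat > "$1/watch.txt" <<'EOF'
acme
zhangsan
EOF
}

demo() {
  local tmp; tmp=$(mktemp -d)
  write_samples "$tmp"
  echo "-- watchlist hits (attacker is using internal names) --"
  match_watchlist "$tmp/creds.csv" "$tmp/watch.txt"
  echo "-- most reused passwords --"
  top_passwords "$tmp/creds.csv" 3
  rm -rf "$tmp"
}
demo
```

Substring matching is deliberate: "Acme2023!" should trip a watchlist entry of "acme". The cost is that very short terms produce noise, so keep the watchlist to names that are unlikely to appear in public wordlists.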

The screenshots in the official documentation are from the old version; the new version adds features, for example the big-screen dashboard:

Click Big Screen to open it and press F11 for full screen; this view can be put on a large display for monitoring.

Click Settings in the upper right corner to change the title of the big screen.

2. Uninstall

2.1. Uninstall the Linux management terminal

1. Delete the scheduled task

Note: how the scheduled task is removed differs between Linux distributions; check the method for your own system.

2. End the management processes

# End the hfish and hfish-server processes
root@HFish:~# ps ax | grep ./hfish | grep -v grep
8435 ?        Sl    97:59 ./hfish
8436 ?        Sl    97:59 ./hfish-server


root@HFish:~# kill -9 8435
root@HFish:~# kill -9 8436

3. Delete the folder

# HFish installed with install.sh is deployed to /opt/hfish; delete the whole directory
root@HFish:~# rm -rf /opt/hfish

4. Clean up all configuration (if you intend to reinstall later, keep it; otherwise everything has to be reconfigured next time)

# HFish installed with install.sh keeps its global settings under /usr/share/hfish
root@HFish:~# rm -rf /usr/share/hfish

5. Delete the MySQL database (skip this if SQLite is used)

# Delete the HFish database
root@HFish:~# mysql -h127.0.0.1 -uroot -p
Enter password:*******(the default password is in the config.ini file)
mysql> DROP DATABASE hfish;

# Stop the MySQL service
root@HFish:~# systemctl stop mysqld
root@HFish:~# systemctl disable mysqld

6. Optionally restore the SSH and firewall configuration

# Remove the source-address restriction from the SSH config
root@HFish:~# vi /etc/ssh/sshd_config
Comment out the lines beginning with AllowUsers root@

# Restart the SSH service
root@HFish:~# systemctl restart sshd

# Remove the firewall rules (delete according to your actual situation!)
root@HFish:~# firewall-cmd --permanent --list-all | grep ports | head -n 1 | \
cut -d: -f2 | tr ' ' '\n' | xargs -I {} firewall-cmd --permanent --remove-port={}

# Restart the firewall service
root@HFish:~# systemctl restart firewalld

2.2. Uninstall the Windows management terminal

1. Delete the HFish management terminal scheduled task

2. End the hfish processes

In Task Manager, end the hfish and hfish-server processes.

3. Delete the management terminal folder

2.3. Uninstall the Linux node

1. Delete the scheduled task

# Open the crontab and delete the lines containing hfish
root@HFish:~# crontab -e

2. End the client process

# End the client process
root@HFish:~# ps ax | grep ./client | grep -v grep
8435 ?        Sl    97:59 ./client

root@HFish:~# kill -9 8435

3. Delete the client folder

The folder path depends on your own installation path; there is no global configuration on the node side, so just delete the installation folder.
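The Linux uninstall steps from 2.1 and 2.3 collected into one reusable script, added here as an example (my own code, not HFish's installer or uninstaller). The text-processing functions work on whatever file they are given, so they can be tried on copies of the crontab, sshd_config and saved firewall-cmd output before touching the live ones; the destructive steps only run when DRY_RUN=0. Processes get SIGTERM first and SIGKILL only if they survive, and the firewall port list is parsed without the empty entry that the tr-based pipeline in the text can produce. All sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example, not HFish's installer: the manual uninstall steps for the
# Linux management terminal (2.1) and Linux node (2.3) as functions.
# Text-processing functions take a file argument so you can try them on
# copies; destructive ones only act when DRY_RUN=0 (default: 1).
set -u
DRY_RUN="${DRY_RUN:-1}"

# strip_cron_entries FILE: drop crontab lines mentioning hfish (step 1) and
# print the rest; feed the result back with `crontab -`.
strip_cron_entries() {
  grep -v -i 'hfish' "$1" || true
}

# restore_sshd FILE: comment out the "AllowUsers root@..." lines the
# installer added (step 6) so SSH is no longer limited to the management host.
restore_sshd() {
  sed -E 's/^([[:space:]]*AllowUsers[[:space:]]+root@.*)$/#\1/' "$1"
}

# firewall_ports FILE: extract the "ports:" list from saved
# `firewall-cmd --permanent --list-all` output, one entry per line and no
# empty entries (source-ports/forward-ports lines are not matched).
firewall_ports() {
  awk '/^[[:space:]]*ports:/ { for (i = 2; i <= NF; i++) print $i; exit }' "$1"
}

# stop_procs PATTERN: SIGTERM first, SIGKILL only for survivors (step 2);
# kill -9 straight away denies the process its own cleanup.
stop_procs() {
  local pids p
  pids=$(pgrep -f "$1" || true)
  [ -z "$pids" ] && return 0
  if [ "$DRY_RUN" != 0 ]; then echo "would stop: $pids"; return 0; fi
  kill $pids 2>/dev/null || true
  sleep 2
  for p in $pids; do kill -0 "$p" 2>/dev/null && kill -9 "$p"; done
  return 0
}

# remove_dirs DIR...: steps 3 and 4. Keep /usr/share/hfish if you plan to
# reinstall; it holds the global configuration.
remove_dirs() {
  local d
  for d in "$@"; do
    if [ "$DRY_RUN" != 0 ]; then echo "would remove: $d"; else rm -rf -- "$d"; fi
  done
}

write_samples() {  # constructed inputs standing in for the real files
  cat > "$1/crontab" <<'EOF'
@reboot cd /opt/hfish && ./hfish >/dev/null 2>&1
*/5 * * * * /usr/local/bin/backup.sh
* * * * * cd /opt/hfish && ./hfish-server
EOF
  cat > "$1/sshd_config" <<'EOF'
Port 22
AllowUsers root@10.0.0.1
PasswordAuthentication yes
EOF
  cat > "$1/fw.txt" <<'EOF'
public (active)
  target: default
  ports: 4433/tcp 21/tcp 22/tcp
  source-ports:
  forward-ports:
EOF
}

demo() {
  local tmp; tmp=$(mktemp -d)
  write_samples "$tmp"
  echo "-- crontab after cleanup --";       strip_cron_entries "$tmp/crontab"
  echo "-- sshd_config after restore --";   restore_sshd "$tmp/sshd_config"
  echo "-- firewall ports to remove --";    firewall_ports "$tmp/fw.txt"
  stop_procs './hfish'      # management terminal: hfish and hfish-server
  stop_procs './client'     # node
  remove_dirs /opt/hfish    # add /usr/share/hfish to wipe the config too
  rm -rf "$tmp"
}
demo
```

On a real host, pipe `firewall_ports` into `xargs -I {} firewall-cmd --permanent --remove-port={}` only after reading the list; the installer's ports are mixed in with any the machine needed before HFish.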

2.4. Uninstall the Windows node

1. Remove the HFishClient scheduled task

2. End the client process

In Task Manager, end the hfish and client processes.

3. Delete the client folder

The folder path depends on your own installation path; there is no global configuration on the node side, so just delete the installation folder.


Origin blog.csdn.net/imtech/article/details/129689330