
1. NEW AND IMPROVED
1.1. Customization of Points settings

This release expands the set of parameters for customizing the Points that are created and launched as part of the Generate process.

Among other things, the added functionality includes, but is not limited to, the following:
1. Selecting host names: you can set a static value or use the Hostname wordlist;
2. The ability to specify lists of MAC Organizationally Unique Identifiers (the 3-byte part of the MAC address that identifies the equipment vendor), from which the MAC addresses of the Points will be generated;
3. The ability to change the ports on which the service or services will "listen" (if provided by a specific Point Type);
4. Setting a static list of users and their respective passwords that will be created on the Points themselves, or selecting them from the Usernames and Passwords wordlists;
5. If the Point Type provides several services, some of them can be deactivated or activated. For example, disable SNMP and HTTP and leave only the S7comm service for the Siemens Simatic S7-1200 Point Type;
6. Setting the ports on which web services run, attaching your own TLS certificates, etc.

Despite the updated functionality, deploying and configuring Labyrinth has remained almost unchanged.


The updated Honeynet setup process is described in the System User Guide v2.0.52.


Notably, this release is the initial stage in Labyrinth's development in this direction.

Future improvements will include, but are not limited to, the following:

- the ability to upload third-party files to Point;  

- increasing the number of Universal Web Point settings;

- the ability to upload data that will be used to populate decoys, namely PostgreSQL, MySQL, Universal Web Point, etc.

1.1.1. Setting up new Point types
The settings of custom Point Types are presented as text in YAML format.

To add a new Point Type, go to the Points -> Types submenu and click the add button:

A dialog box appears where you need to set the configuration parameters:

The required parameters are described in the table below:

Title | Overview
ID | Symbolic identifier of this configuration / Point Type.
Name | The configuration name.
Description | Configuration description.
Point Type Base | The type of decoy that is used as a basis. For example, SSH Daemon, Universal Web, FTP Server, etc.
Hostnames / usernames / passwords wordlists | An optional field that allows you to specify lists of host names, usernames, and their corresponding passwords. If left unselected, the same lists from the Honeynet configuration will be used if necessary.
Tags | Tags by which Point Type lists are filtered.

Each Point Type Base has its own set of parameters, which are described in the configuration itself in the form of comments. An example of the default configuration:

An example of an already customized configuration:

As a result, we get a Point Type that can be used when configuring existing Honeynets or creating new ones:

When creating a custom Point Type and selecting the Point Type Base on which the new Point Type is built, the user is offered a configuration that, in most cases, works without modification.

Each configuration is documented with detailed comments that explain the settings and purpose of each parameter.

1.1.2. Modifications to the Universal Web Point setup process

The main feature of Universal Web Point is the ability to emulate Web interfaces available in the real infrastructure specified in the configuration.

The updated process for setting up this type of decoy is as follows:
1. Among the Point Type Base options, select Universal Web Point;
2. In the "Point config" section, a configuration with supporting comments appears, in which you need to make one single change - set the "upstream_url" parameter.
3. If you need to use a domain name instead of an IP address in the HTTP Host header, you should also specify the "server_name" parameter.


After that, a new Point Type will appear in the list of available decoy types in the Honeynet configuration.

1.1.3. Migrate existing Honeynet configurations

During the upgrade, the Points that are already running will continue to work as usual. At the same time, Labyrinth can be re-generated at any time according to the standard procedure.

The configuration of existing Honeynets will be migrated automatically, except in the following cases:

- Universal Web Point
Since the URL of the web service that Points of this type proxy must be explicitly specified in the newly created configuration, Points of this type will be removed from the Honeynet configuration.
A brief description of the Universal Web Point migration is given above; more detailed instructions are available in the new version of the System User Guide.

- Windows 10 Host
If this type of Point uses RDP proxying, you must create the appropriate Point Types and change the Honeynet settings similarly to Universal Web Point.

1.2. New Point Type: ClientOS

The new Point Type simulates a client's actions and detects attempted MITM attacks and the activities of tools such as Responder. 

The main task of this type is to deliberately create "noise" in the network, which increases the likelihood of attracting an attacker.

To accomplish this goal, this Point Type makes the following types of requests at regular intervals:
1. Hostname and domain name resolutions via DNS, mDNS, LLMNR, and NetBIOS;
2. HTTP requests to specific web resources specified in the list in the configuration;
3. Requests for a list of file resources via the SMB (Windows File Share) protocol.

This Point Type can also optionally respond to NetBIOS name resolution requests in Windows networks.

Additionally, it has mechanisms for detecting attempted or ongoing MITM attacks, namely detection of:

- ARP spoofing;
- NBT/LLMNR/mDNS name resolution poisoning;
- HTTPS request interception.

Each of the defined functions can be customized, and some of them can be disabled if necessary.
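As an added illustration (not Labyrinth's own code, and not part of this release note), the following sketches two of the ClientOS-style detections in the simplest defensive form: an ARP cache poisoning check that flags an IP whose announced MAC changes, and a name-poisoning check that treats any LLMNR/NBT-NS/mDNS answer for a deliberately non-existent "canary" name as a poisoner. All names, addresses and sample events are constructed.

```python
"""Added example, not Labyrinth's own code: two small detectors in the spirit of
the ClientOS Point's MITM checks, run over constructed sample events."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str


def detect_arp_spoof(replies):
    """Flag an IP whose announced MAC changes between ARP replies.
    Legitimate hosts rarely change MAC; a second MAC claiming the gateway's
    IP is the classic ARP cache poisoning signature."""
    first_seen = {}
    alerts = []
    for r in replies:
        known = first_seen.setdefault(r.sender_ip, r.sender_mac)
        if known != r.sender_mac:
            alerts.append((r.sender_ip, known, r.sender_mac))
    return alerts


def detect_name_poisoning(canary_names, responses):
    """A ClientOS-style Point resolves names that do not exist in the network.
    Any LLMNR/NBT-NS/mDNS answer for such a canary name can only come from a
    poisoner (e.g. Responder), so report (protocol, responder IP) pairs.
    responses: iterable of (protocol, queried name, responder IP)."""
    canaries = {n.lower() for n in canary_names}
    return sorted({(proto, src) for proto, name, src in responses
                   if name.lower() in canaries})


# Constructed sample events (not captured traffic).
SAMPLE_ARP = [
    ArpReply("10.0.0.1", "aa:bb:cc:00:00:01"),
    ArpReply("10.0.0.1", "aa:bb:cc:00:00:01"),
    ArpReply("10.0.0.1", "de:ad:be:ef:00:99"),   # gateway IP claimed by a new MAC
    ArpReply("10.0.0.5", "aa:bb:cc:00:00:05"),
]
SAMPLE_RESPONSES = [
    ("LLMNR", "FILESRV-CANARY", "10.0.0.77"),   # answer for a name that does not exist
    ("NBNS", "filesrv-canary", "10.0.0.77"),
    ("LLMNR", "printsrv", "10.0.0.5"),          # real host answering for a real name
]

if __name__ == "__main__":
    print(detect_arp_spoof(SAMPLE_ARP))
    print(detect_name_poisoning(["FILESRV-CANARY"], SAMPLE_RESPONSES))
```

In a real deployment the ARP check should also be keyed on the interface and tolerate planned MAC changes (e.g. VRRP failover) through an allowlist, which the sample omits.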

1.3. Removing outdated functionality

1.3.1. Honeynet Network Scan deprecation
With the addition of the ability to configure Points more flexibly, the Network Scan option in Honeynets needs to be updated and therefore has been removed from the settings.
1.3.2. vsftpd-backdoor deprecation vs new FTP Point Type
The vsftpd-backdoor has been replaced by a new Point Type - FTP Server (ftpd). 

The vsftpd backdoor is a vulnerability that existed in vsFTPd 2.3.4 and allowed an attacker to get into the server by supplying a password matching a certain pattern. This vulnerability dates back to 2011 and therefore is neither relevant nor interesting from a security perspective.

Instead, FTP Server Point can be flexibly customized to meet specific needs and objectives. For example:
1. Setting the port on which the FTP server will "listen";
2. Enabling or disabling the active FTP mode of operation;
3. Changing the service banner that will be displayed during client connections;
4. Allowing or denying access for an anonymous user;
5. Restricting allowed or prohibited FTP commands, etc.

1.3.3. Sambacry vs new Samba File Server Point Type
Similarly to vsftpd-backdoor, an updated Samba File Server Point Type was added to replace the SambaCry Point Type.

2. FIXES

2.1. Username input field validation 
The restrictions on characters used in usernames have been tightened. An issue that previously allowed usernames to consist solely of space characters has been resolved in this update.
2.2. Fixed a bug when starting the Generate process from Map

There was an error when generating all Honeynets from Map, which was fixed in this release. 

Now you can generate Honeynets (i.e. automatically create Points) individually for each Honeynet from the Honeynets list, or all together from Map.
2.3. Loader Multitenancy
An issue that occurred when loading the list of tenants was fixed: the Multitenancy page was missing a loader. Under certain conditions, this did not allow the user to tell whether the list was still being loaded or was already complete.
