Capture-HPC

From Emre´s Wiki

Revision as of 08:22, 6 June 2009 by 89.247.12.42 (Talk)
(diff) ← Older revision | Current revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Contents

Building the software

The current release of capture-hpc is 2.5.1 is only available for VMWare Server 1.0.6 as precompiled binary.

In my setup however I needed the functionality for VMWare server 2.0 on a 64Bit Debian Etch Linux system.

The following sections explain in detail the process of

  • obtaining the required software for compiling the client and server part
  • configuring the build environment
  • building the software.

Prerequisites

The operating system for the server part is Debian Etch, AMD64 architecture.

To make things a little bit more convenient for me, I compiled the client part of capture-hpc on my local system within an instance of VMWare workstation.

I´ll assume that you have setup the following components:

  • Debian Linux host with working VMWare server 2.0
  • Windows XP SP2 in VMWare workstation with VMWare tools installed (this will be for building the software)
  • Windows XP SP2 in VMWare server with VMWare tools installed (this will be our honeypot)

Downloading software

According to the official capture-hpc documentation, several software packages are required to build both, the client and the server part.

The official documentation is focused on building the client for a VMWare server 1.0.6 environment and some software components are not available anymore (at least not with the exact version), so the list was not completely applicable to my setup.

The components I used were as follows:

Client

  • Windows 2008 WDK (WDK_6001_18001.iso, ca. 650MB), available via http://connect.microsoft.com/. Downloading of this software requires a Microsoft Connect account

Server

  • Capture-Server 2.5.1 available via https://projects.honeynet.org/capture-hpc/wiki
  • Apache Ant available via 'apt-get install ant'
  • Ant Contrib 1.0 was not installed specifically
  • Sun's Java JDK 1.6.XX available via 'apt-get install sun-java6-jdk'
  • VMWare VIX (VMware-vix-1.6.0-122956.x86_64.tar.gz, ca. 21MB) available via https://www.vmware.com/freedownload/p/download.php?product=server20). Please note that the filename is for the 64Bit version of VIX - depending on your setup you might need the 32Bit file.
  • GCC available via 'apt-get install build-essential'
  • Other tools available via 'apt-get install libglib2.0-0'

Creating the client build environment

To create the build environment for the capture-client, the downloaded software will be installed and a couple of other things will be adjusted.

Please note that "Programme" might be "Program files" or something else for your Windows installation.

Capture-Client

Just copy the source code to C:\capture-client.

Windows 2008 WDK

Mount the ISO file and start the installation, keeping all the default settings.

This should make the WDK available at C:\WinDDK\6001.18001.

Windows SDK for Windows Server 2008

Mount the ISO file and start the installation, keeping all the default settings.

This should make the SDK available at C:\Programme\Microsoft SDKs\Windows\v6.1 .

Boost C++ libraries

Run the installer file for the precompiled Boost libraries.

You should now select all components relevant for Visual Studio 9 ("VC9").

The installation takes some time so be patient.

The required files are available at C:\Programme\boost\boost_1_35_0 after the installation is finished.

If someone can tell me what components are actually needed, I will gladly list them on my Wiki so people will not have to download every boost library!

WinPcap 4.0.2 Developer's Pack

Just unzip the contents to C:\WpdPack.

Visual C++ 2008 / Visual Studio 9

Mount the ISO file and start the installation, keeping all the default settings.

This should make the required software available at C:\Programme\Microsoft Visual Studio 9.0.

expatpp XML library

Just unzip the archive to C:\expatpp.

DDK Build

Just unzip the archive to C:\ddkbuild_v72.

NSIS

Just unzip the archive to C:\nsis-2.38.

Java

Just install it, keeping the default settings. The files should be available at C:\Programme\Java\jdk1.6.0_10.

Adding Environment Variables

For the build process, several environment variables have to be set.

To achieve this, open up the dialogue from the following screenshot and make the described modifications:

File:Screenshot evn.png

  • INCLUDE user variable with the following values: C:\Programme\Microsoft Visual Studio 9.0\VC\include;C:\Programme\boost\boost_1_35_0;C:\Programme\Microsoft SDKs\Windows\v6.1\Include;C:\WinDDK\6001.18001\inc\api;c:\expatpp\src_pp;C:\WpdPack\Include;C:\expatpp\expat\lib;C:\WinDDK\6001.18001\inc;C:\Programme\Microsoft Visual Studio 9.0\VC\include;C:\Programme\Microsoft SDKs\Windows\v6.1\Include;C:\WinDDK\6001.18001\inc\api;c:\expatpp\src_pp;C:\WpdPack\Include;C:\expatpp\expat\lib;C:\WinDDK\6001.18001\inc\mfc42
  • LIB user variable with the following values: C:\capture-client;C:\Programme\boost\boost_1_35_0\lib;C:\Programme\Microsoft SDKs\Windows\v6.1\Lib;C:\WinDDK\6001.18001\lib\wxp\i386;C:\expatpp\expat\lib;C:\expatpp\vc_pp\expatpp\ReleaseMT
  • JAVA_HOME user variable with the following value: C:\Programme\Java\jdk1.6.0_10
  • WNETBASE user variable with the following value: C:\WinDDK\6001.18001
  • ANT_HOME user variable with the following value: C:\ant
  • VIX_HOME user variable with the following value: C:\Programme\VMware\VMware VIX

You can also use the registry file below to add all environment variable at once: http://www.emre.de/files/vars.reg

PATH should also contain the following paths: C:\nsis-2.38;C:\ddkbuild_v72;C:\WinDDK\6001.18001\bin;C:\Programme\Java\jdk1.6.0_10\bin

Adjusting capture-client

To make capture-client work, you will have to make some further modifications (thanks to Lasse Borup for this hint):

  • in the connect call in revert.c, the parameter VIX_SERVICEPROVIDER_VMWARE_SERVER should be changed to VIX_SERVICEPROVIDER_VMWARE_VI_SERVER

Building and installing the client

For compiling the capture-client open up a VC9 console (looks similiar to a DOS box) and 'cd' to C:\capture-client.

Due to some odditiy the following steps are necessary for a sucessfull compilation:

  • start the compilation process with the command nmake release-hpc.
  • copy the file Captureglobal.obj into the folders C:\capture-client\ApplicationPlugins\InternetExplorer and C:\capture-client\ApplicationPlugins\InternetExplorerBulk
  • re-run nmake release-hpc

Could someone please tell me the difference between nmake release-hpc and nmake release-bat? Thanks!'

You should now have a file C:\capture-client\CaptureClient-Setup.exe.

Transfer CaptureClient-Setup.exe, the WinPCAP Libraries and the Microsoft Visual C++ 2008 Redistributable Package to your honeypot and install them.

You should reboot your machine, log in and make a snapshot of this state, which will be considered "clean".

Creating the server build environment

Just unpack capture-server to /home/you/capture-server.

Add some environment variables:

  • export VIX_HOME=/usr/lib/vmware-vix
  • export VIX_INCLUDE=/usr/include/vmware-vix
  • export VIX_LIB=/usr/lib/vmware-vix/lib/VIServer-2.0.0/64bit
  • export JAVA_HOME=/usr/lib/jvm/java-6-sun
  • export LD_LIBRARY_PATH=/usr/lib/vmware-vix/lib/VIServer-2.0.0/64bit/

In compile_revert_linux.sh replace the line 'gcc -I $VIX_INCLUDE -o revert revert.c $VIX_LIB/libvmware-vix.so' with gcc -I $VIX_INCLUDE -o revert revert.c /usr/lib/vmware-vix/lib/VIServer-2.0.0/64bit/libvix.so.

Create two symlinks:

  • ln -s /usr/lib/vmware-vix/lib/VIServer-2.0.0/64bit/libgvmomi.so.0 /usr/lib/libgvmomi.so.0
  • ln -s /usr/lib/vmware-vix/lib/VIServer-2.0.0/64bit/libcurl.so.4 /usr/lib/libcurl.so.4

Building and running the server

Now run ant. After sucessfull compilation you should have a folder release. This folder contains your capture-server components.

Configure the software before firing it up (thanks again to Lasse Borup for this hints):

  • in the config.xml instead of writing for example "192.168.1.1" as the address of the vmware server, one has to write "https://192.168.1.1:4443/sdk". The port number in the URL must match the port you have configured for VMWare server for HTTPS connections. The following port number "port=..." is ignored.
  • in the config.xml for the path of the virtual machine, the following style is needed: "[storage1] Client/Client.vmx" where storage1 is the data store containing the machine. Be aware of the space af the data store name. If you do not know the name of your storage, just connect to your VMWare server with the VI client, choose the server in the inventory, choose the tab "Summary". You will find the name in the box named "Datastore".

With a java -Djava.net.preferIPv4Stack=true -jar CaptureServer.jar -s 192.168.1.1:7070 -f input_urls_example.txt you can now start-up everything.

Please note that 192.168.1.1 is the ip of the host machine (do not use 127.0.0.1 as your capture-client is supposed to connect to the host on this ip).

Retrieved from "http://www.emre.de/wiki/index.php/Capture-HPC"