Project Honeypot API and Powershell

This week I decided to do some work with the Project Honey Pot http:BL API. I have been using this mostly as part of other scripts used to gather information from logs. This API was rather interesting, as it is a DNS query rather than the normal URL/HTTP methods I have been working with.

“Project Honey Pot is a web-based honeypot network, which uses software embedded in web sites to collect information about IP addresses used when harvesting e-mail addresses for spam or other similar purposes such as bulk mailing and e-mail fraud. The project also solicits the donation of unused MX entries from domain owners.” -Wikipedia

I would suggest reading the Terms of Service if you plan on using this API for any production systems, or any kind of dynamic blocking:

The code can be found on Pastebin here

Or on my Github here

# https://www.projecthoneypot.org/faq.php
function Get-projecthoneypot() {
    # https://www.projecthoneypot.org/terms_of_service_use.php
    Param(
        [Parameter(Mandatory = $true)][string]$ip,
        [AllowEmptyString()]$api_key = "<YOUR API KEY HERE>"
    )
    # http:BL expects the IPv4 address reversed, one octet per DNS label
    $ip_arr = $ip.split(".")
    [array]::Reverse($ip_arr)
    $ip = $ip_arr -join "."
    $query = $api_key + "." + $ip + ".dnsbl.httpbl.org"
    try {
        $response = [System.Net.Dns]::GetHostAddresses($query) | select -expandproperty IPAddressToString
    } catch {
        # NXDOMAIN (the IP is not listed) and genuine lookup failures both land here
        return $false
    }
    $decode = $response.split(".")
    # A well-formed answer always starts with 127
    if ($decode[0] -eq "127") {
        $days_since_last_seen = $decode[1]
        $threat_score = $decode[2]
        switch ($decode[3]) {
            0 { $meaning = "Search Engine" }
            1 { $meaning = "Suspicious" }
            2 { $meaning = "Harvester" }
            3 { $meaning = "Suspicious & Harvester" }
            4 { $meaning = "Comment Spammer" }
            5 { $meaning = "Suspicious & Comment Spammer" }
            6 { $meaning = "Harvester & Comment Spammer" }
            7 { $meaning = "Suspicious & Harvester & Comment Spammer" }
            default { $meaning = "Unknown" }
        }
        $return_obj = [PSCustomObject] @{
            last_seen = $days_since_last_seen
            threat_score = $threat_score
            meaning = $meaning
        }
        return $return_obj
    } else {
        return "Illegal response"
    }
}

Breaking the function down to its interesting tidbits, first there is the DNS query:

# reverse the octets, then build <key>.<reversed ip>.dnsbl.httpbl.org
$ip_arr = $ip.split(".")
[array]::Reverse($ip_arr)
$ip = $ip_arr -join "."
$query = $api_key + "." + $ip + ".dnsbl.httpbl.org"
try {
    $response = [System.Net.Dns]::GetHostAddresses($query) | select -expandproperty IPAddressToString
} catch {
    return $false
}

The API wants each piece of information as its own DNS label. First I split the IPv4 address into an array and reverse the order, so 192.168.0.1 becomes 1.0.168.192.
We then prepend the API key to the query: if your API key is 123456abcdef, the query becomes 123456abcdef.1.0.168.192. Finally, to reach the right DNS servers, we append the zone, giving the FQDN 123456abcdef.1.0.168.192.dnsbl.httpbl.org; the DNS server will then respond with an IP address.

The response from the honeypot API DNS servers takes the form of an IP address. It always starts with 127, which confirms the query was well-formed; the remaining octets are then decoded:

$decode = $response.split(".")
if ($decode[0] -eq "127") {
    $days_since_last_seen = $decode[1]
    $threat_score = $decode[2]
    switch ($decode[3]) {
        0 { $meaning = "Search Engine" }
        1 { $meaning = "Suspicious" }
        2 { $meaning = "Harvester" }
        3 { $meaning = "Suspicious & Harvester" }
        4 { $meaning = "Comment Spammer" }
        5 { $meaning = "Suspicious & Comment Spammer" }
        6 { $meaning = "Harvester & Comment Spammer" }
        7 { $meaning = "Suspicious & Harvester & Comment Spammer" }
        default { $meaning = "Unknown" }
    }

The second octet is the number of days since the last qualifying incident that caused the IP to be logged.
The third octet is the threat score the system assigns to the IP, from 0 to 255, with 255 being the highest threat; the project derives the score from a variety of signals.
The final octet is the type of behaviour the project observed from the IP.
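As an added example (not code from the original post), here is a decoder for the answer string alone, which can be exercised without a live DNS query. It generalizes the switch table above by reading the fourth octet as a bit field, and it adds a blocking decision whose threshold and age window are assumed policy values, not anything the API defines:

```powershell
# Added example (not from the original post): decode an http:BL answer
# string without a live DNS query. The fourth octet is treated as a bit
# field (1 = suspicious, 2 = harvester, 4 = comment spammer), which is
# the rule behind the eight-entry switch table in the post.
function ConvertFrom-HttpBLResponse {
    Param(
        [Parameter(Mandatory = $true)][string]$Response,
        [int]$BlockThreshold = 25,   # assumed policy values, not from the API;
        [int]$MaxAgeDays = 30        # tune to the ToS and your own risk appetite
    )
    $octets = $Response -split '\.'
    # Every genuine answer is 127.x.y.z; anything else means the query was malformed
    if ($octets.Count -ne 4 -or $octets[0] -ne '127') {
        throw "Not an http:BL answer: '$Response'"
    }
    $days  = [int]$octets[1]
    $score = [int]$octets[2]
    $type  = [int]$octets[3]

    $flags = @()
    if ($type -band 1) { $flags += 'Suspicious' }
    if ($type -band 2) { $flags += 'Harvester' }
    if ($type -band 4) { $flags += 'Comment Spammer' }
    if ($type -gt 7)   { $flags += "Unknown bits ($($type -band (-bnot 7)))" }

    if ($type -eq 0) {
        # Type 0 is a search engine; the http:BL docs use the third octet as
        # an engine identifier here, so it must not be read as a threat score
        $meaning = 'Search Engine'
        $score   = $null
    } else {
        $meaning = $flags -join ' & '
    }

    [PSCustomObject]@{
        Response     = $Response
        LastSeenDays = $days
        ThreatScore  = $score
        Meaning      = $meaning
        # Act only on a non-search-engine with a recent, high enough score
        ShouldBlock  = ($type -ne 0) -and ($score -ge $BlockThreshold) -and ($days -le $MaxAgeDays)
    }
}

# Constructed sample answers (not real lookups): a harvester + comment spammer
# seen 3 days ago with score 60, a search engine, and a stale low-score entry
'127.3.60.6', '127.0.5.0', '127.120.10.1' | ForEach-Object { ConvertFrom-HttpBLResponse $_ }
```

The `$false` returned by Get-projecthoneypot on a failed lookup covers both "not listed" and "DNS broken", so a caller that blocks on a result should treat `$false` as "no information" rather than "clean".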

That is all for this week. Thanks for reading.

Using Malwaredomains.com DNS Black hole list with Windows 2012 DNS and Powershell

Malwaredomains.com is a project that is constantly adding known malware domains to a giant list.
They have directions for adding their zone files to a Windows server, but even they describe it as a bit of a workaround, and they link to a PowerShell script that uses WMI. I hadn't worked with the Windows 2012 PowerShell DNS commands, so I threw together a quick little script that links to the malwaredomains.com list using the native Windows 2012 cmdlets.

The script pulls and parses the full .txt file that www.malwaredomains.com keeps. Each primary zone is created as a non-Active-Directory-integrated zone, which keeps the entries out of Active Directory and its replication. If you choose to use this script, I would recommend placing it only on the domain controllers your users are likely to query for DNS. For example, if you have two domain controllers handling an office's DNS and two holding the FSMO roles and serving the datacenter, the script should run on the office domain controllers.

This script can be found on pastebin
And all three of these scripts can be found on my github.
Customize the top variables for your environment, the rest of the script should be self handling:

$tmp_file_holder = "current_list.bk"

# The roll-back list records every zone this script creates; the previous
# list is kept alongside it with a date suffix before a new run starts
$rollback_path = "C:\scripts\current_roll_back.list"
$rollback_date = get-date -format "M_dd_yyyy"
$rollback_backup_file = $rollback_path + "rollback_" + $rollback_date + ".bat"

if (Test-Path $rollback_path) {
    move-item $rollback_path $rollback_backup_file -force
}

# Feed records are tab separated with the domain in the first field; tabs
# become ";" and doubled separators are removed so the domain ends up first
$domain_list = invoke-webrequest http://mirror1.malwaredomains.com/files/domains.txt | select -expandproperty content
$domain_list -replace "`t", ";" -replace ";;" > $tmp_file_holder
$domain_content = get-content $tmp_file_holder

# Only non-AD-integrated zones are compared, so blackhole entries never enter AD replication
$zone_list = get-dnsserverzone | where {$_.IsDsIntegrated -eq $false} | select -expandproperty Zonename

foreach ($line in $domain_content) {
    if (-not ($line | select-string "##")) {    # skip "##" header/comment lines
        $line_tmp = $line -split ";"
        $line = $line_tmp[0]
        if ($zone_list -notcontains $line) {
            Add-DnsServerPrimaryZone "$line" -DynamicUpdate "none" -ZoneFile "$line.dns"
            # record the new zone so the roll-back script can remove it later
            echo "$line" | Out-File -FilePath $rollback_path -Encoding ascii -append
            sleep 1
        }
    }
}

The Malwaredomains.com team often removes sites from the list that were added temporarily or wrongly, so I created a roll-back script.
This script can be found on pastebin
And all three of these scripts can be found on my github.
Make sure to modify the top variable to fit your environment and match the original script:

$rollback_path = "C:\scripts\current_roll_back.list"

# remove every zone the sync script recorded in its roll-back list
$domain_content = get-content $rollback_path
$zone_list = get-dnsserverzone | where {$_.IsDsIntegrated -eq $false} | select -expandproperty Zonename

foreach ($line in $domain_content) {
    if ($zone_list -contains $line) {
        Remove-DnsServerZone "$line"
        sleep 1
    }
}
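As an added example covering both the sync script and the roll-back script (not code from the original post), the following parses the feed into validated domain names and works out what a run would add and what a roll-back could remove, without touching the DNS server. It assumes the feed layout the scripts above rely on ("##" header lines, then tab-separated records with the domain first) and narrows removal to previously added zones that have since dropped off the feed, which is stricter than the roll-back script above:

```powershell
# Added example (not part of the original post): parse the malwaredomains.com
# feed into validated names and compute what a sync would add and what a
# roll-back would remove, without touching the DNS server. Assumed feed
# layout (as the post's scripts treat it): "##" header lines, then
# tab-separated records whose first field is the domain.
function Get-MalwareDomainSet {
    Param([Parameter(Mandatory = $true)][string]$FeedText)
    # Conservative hostname check: dotted labels of letters, digits and
    # hyphens, no leading or trailing hyphen. Anything else is dropped so a
    # malformed or hostile feed line can never become a DNS zone name.
    $hostRe = '^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$'
    $seen = @{}
    foreach ($line in $FeedText -split "`r?`n") {
        if ($line -match '^\s*(##|$)') { continue }        # header or blank line
        $domain = ($line.Trim() -split "`t")[0].Trim().ToLower()
        if ($domain -match $hostRe) { $seen[$domain] = $true }   # also de-duplicates
    }
    return @($seen.Keys | Sort-Object)
}

function Get-ZoneDelta {
    Param(
        [string[]]$FeedDomains,     # output of Get-MalwareDomainSet
        [string[]]$ExistingZones,   # Get-DnsServerZone | where {-not $_.IsDsIntegrated}
        [string[]]$PreviouslyAdded  # contents of the roll-back list the sync script writes
    )
    $toAdd = @($FeedDomains | Where-Object { $ExistingZones -notcontains $_ })
    # Only zones this process created are ever removal candidates, and only
    # once the feed has dropped them; built-in non-AD zones such as
    # TrustAnchors or the in-addr.arpa zones are never on that list.
    $toRemove = @($PreviouslyAdded | Where-Object {
        ($ExistingZones -contains $_) -and ($FeedDomains -notcontains $_) })
    [PSCustomObject]@{ ToAdd = $toAdd; ToRemove = $toRemove }
}

# Constructed sample feed and zone state (not real data). The third record
# is rejected for its embedded space, the fourth as a case-only duplicate.
$sampleFeed = "## Malware Domain List`n## domain`tcategory`treference`n" +
              "`t`tevil-example.test`tphishing`tsrc`n" +
              "`t`tbad host.test`tmalware`tsrc`n" +
              "`t`tEvil-Example.test`tdupe`tsrc`n"
$feed  = Get-MalwareDomainSet -FeedText $sampleFeed
$delta = Get-ZoneDelta -FeedDomains $feed `
    -ExistingZones @('TrustAnchors', 'old-bad.test') -PreviouslyAdded @('old-bad.test')
$delta    # review both sets before handing them to Add-/Remove-DnsServerZone
```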

I would suggest setting up two scheduled tasks.
One runs weekly, adding new domains and keeping the list up to date.
The second runs the roll-back, clearing out wrongly marked domains and so on. How you choose to manage it is up to you.

Since I was messing around with the files anyway, I also made a hosts file generator. Hosts files are not really a preferable method, as there have been reports of large hosts files slowing down browsing and the like. That said, I do use a version of this script on my personal computers and haven't seen an issue. Malwaredomains.com doesn't offer hosts files, but they offer a list of some great hosts files. That limits the use of the script below, but I do like adding my own hosts file entries to the top of the script and running it as a scheduled task once a week.
This can be found on pastebin
And all of the code can be found on my github

Change the variables at the top to fit your needs. I even made it easy to set up a reroute IP pointing at a branded warning page for businesses. I would point out that this doesn't protect against subdomains and the like.


$host_file_path = "C:\windows\system32\drivers\etc\hosts_tmp"
$final_loc = "C:\windows\system32\drivers\etc\hosts"
$tmp_file_holder = ".\current_list.bk"
$reroute = "127.0.0.1"    # where blocked names resolve; point at a warning page for a branded block

# Standard Windows hosts header, kept so the generated file looks familiar
$Host_File_header = @'
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
'@

# Write as ASCII: ">" redirection in Windows PowerShell produces UTF-16,
# which the hosts file parser does not read
$Host_File_header | Out-File -FilePath $host_file_path -Encoding ascii

$domain_list = invoke-webrequest http://mirror1.malwaredomains.com/files/domains.txt | select -expandproperty content
$domain_list -replace "`t", ";" -replace ";;" > $tmp_file_holder
$domain_content = get-content $tmp_file_holder
$entries = foreach ($line in $domain_content) {
    if (-not ($line | select-string "##")) {    # skip "##" header/comment lines
        $line_tmp = $line -split ";"
        "$reroute $($line_tmp[0])"
    }
}
# one append for the whole list instead of one per domain
$entries | Out-File -FilePath $host_file_path -Encoding ascii -Append

move-item $host_file_path $final_loc -force

All the code can be found on my GitHub.

Thanks for reading.