Loading
1. NEW AND IMPROVED
1.1. Customization of Points settings
This release has become an impetus for further development in expanding the number of parameters for customizing the Points that will be created and launched as part of the Generate process.
Among other things, we added functionality that includes but is not limited to, a list:
1. Selecting host names: you can set a static value or use the Hostname wordlist;
2. The ability to specify lists of MAC Organization Unit Identifier, the 3-byte part of the MAC address that identifies the equipment vendor, based on which MAC addresses for Points will be generated;
3. The ability to change the ports on which the service or services will "listen" (if provided by a specific Point Type);
4. Set a static list of users and the respective passwords that will be created in Points itself or select them from Usernames and Passwords wordlists;
5. If the Point Type provides several services, deactivating or activating some of them is possible. For example, disable SNMP and HTTP and leave only the S7comm service for Siemens Simatic S7-1200 Point Type;
6. Set the ports on which web services run, attach your TLS certificates, etc.
Despite the updated functionality, deploying and configuring Labyrinth has remained almost unchanged.
1.1.1. Setting up new Point types
The settings of personalized bait types are presented as text in YAML format.
To add a new lure type, go to the Points -> Types submenu and click the add button:
A dialog box appears where you need to set the configuration parameters:
The required parameters are described in the table below:
Each Point Type Base has its own set of parameters, which are described in the configuration itself in the form of comments. An example of the default configuration:
As a result, we receive a Point Type that can be used in the configuration of existing or creating new Honeynets:
1.1.2. Modifications to the Universal Web Point setup process
The main feature of Universal Web Point is the ability to emulate Web interfaces available in the real infrastructure specified in the configuration.
The updated process for setting up this type of decoy is as follows:
1. Among the Point Type Base options, select Universal Web Point;
2. In the "Point config" section, a configuration with supporting comments appears, in which you need to make one single change - set the "upstream_url" parameter.
3. If you need to use a domain name instead of an IP address in the HTTP Host header, you should also specify the "server_name" parameter.
After that, a new Point Type will appear in the list of available decoy types in the Honeynet configuration.
1.1.3. Migrate existing Honeynet configurations
During the upgrade, the Points that are already running will continue to work as usual. At the same time, Labyrinth can be re-generated at any time according to the standard procedure.
The configuration of existing Honeynets will be migrated automatically, except in the following cases:
- Universal Web Point
Since the URL settings of the web service with which the Points of this type work must be explicitly specified in the created configuration, the Points of this type will be removed from the Honeynet configuration.
A superficial description of the Universal Web Point migration is described above, more detailed instructions are available in the new version of the system User Guide.
- Windows 10 Host
If this type of Point uses RDP proxying, you must create the appropriate Point Types and change the Honeynet settings similarly to Universal Web Point.
1.2. New Point Type: ClientOS
The new Point Type simulates a client's actions and detects attempted MITM attacks and the activities of tools such as Responder.
The main task of this type is to deliberately create "noise" in the network, which increases the likelihood of attracting an attacker.
To accomplish this goal, this Point Type makes the following types of requests at regular intervals:
1. Hostname and domain name resolutions via DNS, mDNS, LLMNR, and NetBIOS;
2. HTTP requests to specific web resources specified in the list in the configuration;
3. Requests for a list of file resources via the SMB (Windows File Share) protocol.
This Point Type can also optionally respond to NetBIOS name resolution requests in Windows networks.
Additionally, it has mechanisms for detecting attempts or execution of MITM attacks, namely detection:
- ARP spoofing;
- NBT/LLMNR/mDNS resolve poisoning;
- HTTPS requests interception.
Each of the defined functions can be customized, and some of them can be disabled if necessary.
1.3. Removing outdated functionality
1.3.1. Honeynet Network Scan deprecation
With the addition of the ability to configure Points more flexibly, the Network Scan option in Honeynets needs to be updated and therefore has been removed from the settings.
1.3.2. vsftpd-backdoor deprecation vs new FTP Point Type
The vsftpd-backdoor has been replaced by a new Point Type - FTP Server (ftpd).
vsftpd backdoor is a vulnerability that existed in vsFTPd 2.3.4, which allowed an attacker to get into the server by setting a password according to a certain pattern. This vulnerability dates back to 2011 and therefore is neither relevant nor interesting from a security perspective.
Instead, FTP Server Point can be flexibly customized to meet specific needs and objectives. For example:
1. Setting the port on which the FTP server will "listen";
2. Enabling or disabling the active ftp mode of operation;
3. Changing the service banner that will be displayed during client connections;
4. Allow or deny access for an anonymous user;
5. Restricting allowed or prohibited FTP commands, etc.
2. FIXES
2.1. Username input field validation
The restrictions for characters used in usernames have been enhanced. An issue, which previously allowed usernames to consist solely of space characters, has been resolved in this latest update.
2.2. Fixed a bug when starting the Generate process from Map
There was an error when generating all Honeynets from Map, which was fixed in this release.
Now you can generate Honeynets (i.e. automatically create Points) individually for each Honeynet from the Honeynets list or all together from Map.
2.3. Loader Multitenancy
An issue that occurred when loading a list of tenants was fixed: the Multitenancy page was missing a loader. Under certain conditions, this did not allow the user to understand whether the list was being loaded or whether the list was already complete.
