OpenCanary on a Raspberry Pi

Nate
10 min read · Dec 20, 2022


Yet another guide on how to set up OpenCanary with a Raspberry Pi

Note: If you see any issues below or if this guide did not work for you please reach out and let me know. I want to keep this as up to date and useful as possible. Thanks!

LAST UPDATED: 7/3/2023

1. GETTING STARTED:

WHY?:

I know, there are plenty of other guides covering this topic. However, I continually ran into issues when following their steps.
This guide is written to be slightly more comprehensive, and work with the latest software updates across the board. Beyond simply getting OpenCanary up and running, I wanted to cover how to evade OS fingerprinting and make the target seem a little more juicy than what comes stock.

Requirements:

  • Computer (duh) — Windows, Linux, macOS, whatever you prefer
  • Raspberry Pi (3 or 4 preferably)
  • Raspberry Pi Imager Software
  • Micro SD Card
  • External Monitor
  • Peripherals — Mouse, Keyboard
  • Other: Ethernet cable (if you don’t want to use wireless), SD Card Reader, HDMI cable or Micro HDMI cable
Source: Thinkst - OpenCanary

2. SETTING UP THE RASPBERRY PI

Follow the setup guide that came with your Pi. Depending on where you purchased your board it may have come with a pre-imaged micro SD card. If this is the case, you will want to re-image it with Raspberry Pi OS LITE (32-bit). This is included in the Raspberry Pi Imager software.

Note: You can set up a wireless network, hostname, and password in the Pi Imager Software and skip doing these with the manual steps below if you prefer.

Once you have everything set up, imaged, and ready to go, create a secure password for your Pi and log in.

  • Connect to a Wireless Network (optional)

While this is entirely optional as you can plug the Pi in via ethernet, I thought I would include this just in case someone needs it.

When you first log in you may see a message that says “Wi-Fi is currently blocked by rfkill”. To fix this, run the following:

sudo raspi-config

Select System Options > Wireless LAN > [Select your country]

It should let you enter your network SSID and password from here.

  • Connect to a hidden Wireless Network (also optional)

If your SSID is hidden, you’ll need to modify the wpa_supplicant file in order to connect.

Enter the following:

sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

Below whatever information is in this file, add the following:

network={
scan_ssid=1
ssid="YourHiddenSSID"
psk="YourPassword"
}

Hit Ctrl + O to save, and then hit Ctrl + X to exit nano

Go ahead and reboot:

sudo reboot

If you’re still not connected, try restarting the wireless interface:

  • Type ifconfig to find the interface.
  • Type sudo ifconfig [interface name] down and then sudo ifconfig [interface name] up to restart it.

  • Fetch and Install the Latest Package Versions

sudo apt-get update && sudo apt-get upgrade -y

  • Change the Hostname

Run the following command to edit the hosts file.

sudo nano /etc/hosts

The hosts file should contain something similar to this:

127.0.0.1    localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.1.1            raspberrypi

Change the last entry, raspberrypi to whatever hostname you prefer (make it a juicy target!).

We will also want to do the same to the hostname file.

sudo nano /etc/hostname

The hostname file should contain one line that also says raspberrypi

Change this line to the same hostname you placed in the hosts file.

After these changes have been made you will need to reboot:

sudo reboot now

3. INSTALLING REQUIRED PACKAGES

#Don't Forget! 

sudo apt-get update && sudo apt-get upgrade

Here are the basic requirements:

  • git
  • python3-virtualenv
  • python3-pip
  • python3-dev
  • libssl-dev
  • libffi-dev

It is entirely possible to run this all as one command, however I like to watch for errors on each install, so I choose to install each one separately.

sudo apt-get install git
sudo apt-get install python3-virtualenv
sudo apt-get install python3-dev
sudo apt-get install libssl-dev
sudo apt-get install libffi-dev

and so on…

(add a -y at the end of each install to avoid having to answer the “Y or N” install question on each one)

You may already have some of these packages installed. For instance, this is what returned for me on python3-pip:

pi@raspberrypi:~ $ sudo apt-get install python3-pip  
Reading package lists... Done
Reading state information... Done
python3-dev is already the newest version
python3-dev set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

4. PYTHON VIRTUAL ENVIRONMENT BUILD

While it isn’t entirely necessary to use a virtual environment, it is recommended (I won’t get deep into this).

Run the following command to create and initiate the virtual environment:

virtualenv env/

Then

. env/bin/activate

Your console should now show an (env) in front of the next line, indicating that you are in the virtual environment.

To exit, simply type deactivate and to re-enter, type . env/bin/activate again.

5. INSTALLING OPENCANARY (Finally)

From within the virtual environment:

pip install opencanary

WooHoo!

Check to see if the install worked:

opencanaryd --help

This should now show the OpenCanary help menu. If so, you have successfully installed OpenCanary on a Raspberry Pi!

CONFIGURING OPENCANARY

From within the Virtual Environment, let’s go ahead and install Python’s scapy and pcapy tools:

pip install scapy  
pip install pcapy

Next we need to copy the standard config file for OpenCanary. We can do this with opencanaryd --copyconfig

You should receive an output similar to this:

[*] A sample config file is ready /etc/opencanaryd/opencanary.conf  
[*] Edit your configuration, then launch with "opencanaryd --start"

Easy enough! Let’s edit it:

sudo nano /etc/opencanaryd/opencanary.conf

Here is a sample of the config file that you should see:

{
    "device.node_id": "opencanary-1",
    "ip.ignorelist": [ ],
    "git.enabled": false,
    "git.port": 9418,
    "ftp.enabled": true,
    "ftp.port": 21,
    "ftp.banner": "FTP server ready",
    "http.banner": "Apache/2.2.22 (Ubuntu)",
    "http.enabled": true,
    "http.port": 80,
    "http.skin": "nasLogin",
    "httpproxy.enabled": false,
    "httpproxy.port": 8080,
    "httpproxy.skin": "squid",
    "logger": {
        "class": "PyLogger",
        "kwargs": {
            "formatters": {
                "plain": {
                    "format": "%(message)s"
                },
                "syslog_rfc": {
                    "format": "opencanaryd[%(process)-5s:%(thread)d]: %(name)s %(levelname)-5s %(message)s"
                }
            },
            "handlers": {
                "console": {
                    "class": "logging.StreamHandler",
                    "stream": "ext://sys.stdout"
                },
                "file": {
                    "class": "logging.FileHandler",
                    "filename": "/var/tmp/opencanary.log"
                }
            }
        }
    },
    "portscan.enabled": true,
    "portscan.logfile": "/var/log/kern.log",
    "portscan.synrate": 5,
    "portscan.nmaposrate": 5,
    "portscan.lorate": 3,
    "smb.auditfile": "/var/log/samba-audit.log",
    "smb.enabled": false,
    "mysql.enabled": false,
    "mysql.port": 3306,
    "mysql.banner": "5.5.43-0ubuntu0.14.04.1",
    "ssh.enabled": false,
    "ssh.port": 22,
    "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",
    "redis.enabled": false,
    "redis.port": 6379,
    "rdp.enabled": true,
    "rdp.port": 3389,
    "sip.enabled": false,
    "sip.port": 5060,
    "snmp.enabled": true,
    "snmp.port": 161,
    "ntp.enabled": true,
    "ntp.port": 123,
    "tftp.enabled": true,
    "tftp.port": 69,
    "tcpbanner.maxnum": 10,
    "tcpbanner.enabled": false,
    "tcpbanner_1.enabled": false,
    "tcpbanner_1.port": 8001,
    "tcpbanner_1.datareceivedbanner": "",
    "tcpbanner_1.initbanner": "",
    "tcpbanner_1.alertstring.enabled": false,
    "tcpbanner_1.alertstring": "",
    "tcpbanner_1.keep_alive.enabled": false,
    "tcpbanner_1.keep_alive_secret": "",
    "tcpbanner_1.keep_alive_probes": 11,
    "tcpbanner_1.keep_alive_interval": 300,
    "tcpbanner_1.keep_alive_idle": 300,
    "telnet.enabled": false,
    "telnet.port": 23,
    "telnet.banner": "",
    "telnet.honeycreds": [
        {
            "username": "admin",
            "password": "..."
        },
        {
            "username": "admin",
            "password": "admin1"
        }
    ],
    "mssql.enabled": false,
    "mssql.version": "2012",
    "mssql.port": 1433,
    "vnc.enabled": true,
    "vnc.port": 5000
}

This is where we can truly configure the OpenCanary to make it look like the device we want.

For this guide, I’m going to use the built-in Synology NAS since there is already an HTML page available for it.

  • The hostname I chose earlier is DB-BACKUPS, so for device.node_id I am going to use the same.
  • For ftp.banner I’m using vsFTPd 2.0.0. Something simple, but looks vulnerable.
  • Let’s use an old Apache Tomcat version for the http.banner — “Apache Tomcat 5.4.0” (Synology can run multiple servers, such as Apache or Nginx).
  • For http.skin I am leaving it the same — “nasLogin”, as this is a typical Synology NAS login page.
  • Skins are located in ‘opencanary/modules/data/http/skin’. Here you can add any static HTML page you would like to emulate.
  • For the other services I’ve set ssh.enabled and vnc.enabled to true.

LOGGING // ALERTING

OpenCanary provides multiple options for logging, such as a generic Syslog, or it can send the logs over email.

Since I’m not sure what log management or SIEM tool you are using, I’ll cover alerts over email.

In the same opencanary.conf file there is a section called “logger”

We need to add SMTP as a handler under this section for the chosen mail relay.

GMAIL

First things first, if you’re using Gmail, I would set up a separate account for these alerts. On that account you will need to enable 2-Factor authentication and then generate a new App Password.

Follow these steps: https://support.google.com/accounts/answer/185833?hl=en

After this is set up, you’ll want to add the following under the “logger > kwargs > handlers” section in the config file:

"SMTP": {
"class": "logging.handlers.SMTPHandler",
"mailhost": ["smtp.gmail.com", 587],
"fromaddr": "youraddress@gmail.com",
"toaddrs" : ["Your Choice of Recipients"],
"subject" : "OpenCanary Alert",
"credentials" : ["youraddress@gmail.com", "your app password"],
"secure" : []
}

EXCHANGE

The easiest way to do this securely in Exchange is to add the IP for the Raspberry Pi as a mail relay in the Exchange server.

Once you have done this, you can add the following under the same “logger > kwargs > handlers” section in the config file:

"SMTP": {
"class": "logging.handlers.SMTPHandler",
"mailhost": ["IP or hostname of your Exchange relay server", 25],
"fromaddr": "canary@yourdomain.com",
"toaddrs" : ["Your Choice of Recipients"],
"subject" : "OpenCanary Alert"
}

The relay port may be different, but is most likely going to be 25. A distribution group is recommended for "toaddrs" if you want multiple recipients. Note that the key is "toaddrs" (plural), exactly as in the Gmail handler: SMTPHandler has no "toaddr" argument, and a misspelt key only surfaces as an error when opencanaryd starts.
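Two mistakes are easy to make at this point: a misspelt key in the SMTP handler (dictConfig only rejects it when opencanaryd starts) and two listeners fighting over one port, including the Pi’s own sshd once ssh.enabled is true (see the community tip at the end of this guide). The checker below is an added example written for this article, not part of OpenCanary; it assumes opencanary.conf is the flat JSON shown above, and the sample config, relay and addresses in it are constructed.

```python
import json
from collections import defaultdict

# Constructed excerpt of /etc/opencanaryd/opencanary.conf with this guide's edits
# applied (DB-BACKUPS node id, old-looking banners, ssh and vnc switched on) and an
# Exchange-style SMTP handler whose recipients key is misspelt as "toaddr".
SAMPLE_CONF = """{
  "device.node_id": "DB-BACKUPS",
  "ftp.enabled": true, "ftp.port": 21, "ftp.banner": "vsFTPd 2.0.0",
  "http.enabled": true, "http.port": 80, "http.banner": "Apache Tomcat 5.4.0",
  "ssh.enabled": true, "ssh.port": 22, "vnc.enabled": true, "vnc.port": 5000,
  "rdp.enabled": true, "rdp.port": 3389, "mysql.enabled": false, "mysql.port": 3306,
  "logger": {"class": "PyLogger", "kwargs": {"handlers": {
    "file": {"class": "logging.FileHandler", "filename": "/var/tmp/opencanary.log"},
    "SMTP": {"class": "logging.handlers.SMTPHandler", "subject": "OpenCanary Alert",
             "mailhost": ["relay.example.invalid", 25], "fromaddr": "canary@example.invalid",
             "toaddr": ["soc@example.invalid"]}}}}
}"""

# Constructor arguments dictConfig hands to logging.handlers.SMTPHandler; "toaddr" is not one
SMTP_REQUIRED = ("mailhost", "fromaddr", "toaddrs", "subject")


def enabled_ports(conf):
    """Map every module with <name>.enabled == true to its <name>.port value."""
    ports = {}
    for key, on in conf.items():
        module = key[:-len(".enabled")] if key.endswith(".enabled") else None
        if module and on is True and module + ".port" in conf:
            ports[module] = conf[module + ".port"]
    return ports


def check_config(conf_text, real_sshd_port=22):
    """Parse opencanary.conf and list problems: two modules on one port, a module on
    the port the Pi's own sshd uses (the community tip), incomplete SMTP handlers."""
    conf, problems, by_port = json.loads(conf_text), [], defaultdict(list)
    for module, port in enabled_ports(conf).items():
        by_port[port].append(module)
    for port, modules in sorted(by_port.items()):
        if len(modules) > 1:
            problems.append(f"port {port} used by {', '.join(modules)}")
        if port == real_sshd_port:
            problems.append(f"{modules[0]} on port {port} clashes with the real sshd")
    handlers = conf.get("logger", {}).get("kwargs", {}).get("handlers", {})
    for name, handler in handlers.items():
        if handler.get("class") == "logging.handlers.SMTPHandler":
            missing = [k for k in SMTP_REQUIRED if k not in handler]
            if missing:
                problems.append(f"handler {name} is missing {', '.join(missing)}")
    return problems
```

Run it against the real file with check_config(open("/etc/opencanaryd/opencanary.conf").read(), real_sshd_port) after moving sshd, and an empty list means the daemon has a clean start.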

AUTOMATION TIME

This will save you a lot of time and headache. Who wants to keep a monitor and keyboard hooked up to their Canary? Not me…

NOTE: This is done outside of the Python virtual environment we built.

Change the MAC Address

Most guides are going to make this the first step. I saved it for this section because it is going to require some scripting. If you do not set it to change on every boot, it will go back to the original MAC address every time the Pi reboots…and the original MAC address kind of gives us away…

First, we’ll need to install macchanger:

sudo apt-get install macchanger

[When it asks to change the MAC automatically, select “no”]

Next, create a file within the /etc/network/if-up.d folder called “macchange”

sudo nano /etc/network/if-up.d/macchange

Add the following to it:

#!/bin/sh
# Runs both from /etc/network/if-up.d (where ifupdown sets $IFACE) and from the
# systemd unit below (where $IFACE is unset); never touch the loopback interface
if [ "$IFACE" = "lo" ]; then
    exit 0
fi
sudo /usr/bin/macchanger -m NEWMACADDRESS wlan0

Replace NEWMACADDRESS with whatever MAC address you want (formatted with colons). Choose a manufacturer that matches the other configurations well or other devices on your network.

Also, keep in mind that your interface may be different than wlan0, so check that with ifconfig

Next, make the script executable:

sudo chmod 755 /etc/network/if-up.d/macchange

Now that we have an executable script, we need to set up a service to run the script at startup. Create the service with the following command:

sudo nano /lib/systemd/system/macchange.service

Then add the following:

[Unit]
Description=MAC Address change
# Only order after the network: a unit that is WantedBy=multi-user.target and also
# After=multi-user.target forms a dependency cycle that systemd has to break
After=network.target
[Service]
# The script runs macchanger once and exits, so it is a oneshot, not a daemon to restart
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/network/if-up.d/macchange
[Install]
WantedBy=multi-user.target

Run these to set permissions on the service, and set it to startup with the boot sequence:

sudo chmod 644 /lib/systemd/system/macchange.service
sudo systemctl daemon-reload
sudo systemctl enable macchange.service

Reboot and the MAC address should be changed when you start back up!

Wake up the Canary

In order to get OpenCanary to start automatically, we’ll need to create a service:

sudo nano /lib/systemd/system/opencanary.service

Then add this:

[Unit]
Description=OpenCanary
# Ordering after multi-user.target while being wanted by it would form a cycle,
# so only wait for the network
After=network.target
[Service]
User=root
# opencanaryd --dev stays in the foreground, so systemd can supervise and restart it
Restart=always
ExecStart=/home/pi/env/bin/opencanaryd --dev
[Install]
WantedBy=multi-user.target

(if you installed OpenCanary by cloning the repository, the “opencanaryd” file may be in a different location such as the “opencanary” folder within your virtual environment. Make sure you set ExecStart to the correct path for this).

After you’ve made this file, follow the same steps from the macchange service:

sudo chmod 644 /lib/systemd/system/opencanary.service
sudo systemctl daemon-reload
sudo systemctl enable opencanary.service

To test the services:

sudo systemctl start opencanary.service  
systemctl status opencanary.service

TIP: If the status output says “failed” the action may have worked and the service has simply stopped running.
Reboot the machine and then see what your output is on an nmap scan!

EVADE OS FINGERPRINTING

While there are more complex ways to accomplish this that can even answer probes with a specific OS fingerprint (check out Honeyd), we will be using a simple script to evade detection. The output at the end will look something like this:

Like always, let’s create a script!

sudo nano /etc/network/if-up.d/fingerprint-change

This is what your script should look like:

#!/bin/sh
# Save the kernel's original values the first time this runs so they can be restored.
# An absolute path is used so the script behaves the same when run by hand and from
# systemd, whose working directory is /
BACKUP_DIR=/var/tmp/tcp_sign
if [ ! -d "$BACKUP_DIR" ]
then
    mkdir -p "$BACKUP_DIR"
    cp /proc/sys/net/ipv4/ip_default_ttl "$BACKUP_DIR/ip_default_ttl_backup"
    cp /proc/sys/net/ipv4/tcp_timestamps "$BACKUP_DIR/tcp_timestamps_backup"
    cp /proc/sys/net/ipv4/ip_no_pmtu_disc "$BACKUP_DIR/ip_no_pmtu_disc_backup"
    cp /proc/sys/net/ipv4/tcp_stdurg "$BACKUP_DIR/tcp_stdurg_backup"
    cp /proc/sys/net/ipv4/tcp_window_scaling "$BACKUP_DIR/tcp_window_scaling_backup"
    cp /proc/sys/net/ipv4/tcp_sack "$BACKUP_DIR/tcp_sack_backup"
    cp /proc/sys/net/ipv4/tcp_mtu_probing "$BACKUP_DIR/tcp_mtu_probing_backup"
fi
# Change the TCP/IP stack parameters that OS fingerprinting looks at (TTL, timestamps,
# PMTU discovery, urgent pointer handling, window scaling, SACK, MTU probing).
# tcp_window_scaling is a boolean sysctl, so any non-zero value simply enables it.
echo "99" > /proc/sys/net/ipv4/ip_default_ttl
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "1" > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo "0" > /proc/sys/net/ipv4/tcp_stdurg
echo "512" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo "57" > /proc/sys/net/ipv4/tcp_mtu_probing

Make the script executable:

sudo chmod 755 /etc/network/if-up.d/fingerprint-change

Test the script to verify that it runs:

sudo /etc/network/if-up.d/fingerprint-change

Next, create a service to load that script when the Raspberry Pi boots!

sudo nano /lib/systemd/system/fingerprint.service

Then add this:

[Unit]
Description=TCP fingerprint change
After=network.target
[Service]
User=root
# The script writes the sysctls once and exits, so run it as a oneshot
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/network/if-up.d/fingerprint-change
[Install]
WantedBy=multi-user.target

Reboot and then it is finally time to test the Canary!

Tips from the community

From Shmiffie:

I just wanted to mention that if you’re having trouble starting the OpenCanary with opencanaryd --start it might be because if you have enabled the honeypot SSH port in the config file, you’ll have to change the SSH port that you’ll use to actually remote in to the Raspberry Pi or they will kind of clash because both the real SSH port that you’re using and the honeypot SSH can’t listen on the same port.

You can do that by running this command:

sudo nano /etc/ssh/sshd_config

Just a few lines down you’ll see where SSH is set to port 22. You’ll change the number from 22 to a different number (I’d recommend a random 5 digit number) and remove the ‘#’ before that or it will remain at port 22. Write out and you’re done!

--- EDIT ---

Don’t forget to restart SSH service for new port number to take effect.

sudo service ssh restart

Nate

Dad | Information Security Analyst | Financial Sector | Hacker