Mercury – Live Honeypot DVD

<UPDATE>Live download mirror: carnivore.it</UPDATE>
Mercury Live DVD was initially (I believe) announced in a post to the Nepenthes Mailing list. It is a remastered Ubuntu distribution with pre-installed honeypot applications and malware analysis tools created by John Moore. From the ReadMe:

This live DVD is a remastered version of Ubuntu 10.0 Beta LTS x86_32. It was designed due to my being disappointed with another reverse engineering malware live CD that was released recently. I have decided to call my creation MERCURY, which is an acronym for Malware Enumeration, Capture, and Reverse Engineering.
The Mercury live DVD contains tools used for digital forensics, data recovery, network monitoring, and spoofing. It should primarily be used as a honeypot or network monitoring platform as well as a laboratory and teaching aid. There are three honeypots installed – honeyd, nepenthes, and dionaea. Four, if you include netcat.

The majority of the additional applications reside in /opt:

  • Dionaea (0.1.0) – Dionaea is a malware collection honeypot focusing primarily on SMB emulation, covered on InfoSanity numerous times before.
  • FFP – Fuzzy Fingerprinting is a util to aid SSH MitM attacks.
  • jsunpack-n – Is a Javascript unpacker, perfect for analysis captured or potentially malicious URLs in more depth.
  • Kippo (svn rev.169) – Kippo is an low-medium interaction SSH honeypot, Also covered
  • mitm-ssh – Unsurprisingly, a utility for aiding man in the middle attacks against SSH connections.
  • Origami & pdftools – Two frameworks for analysing malicious PDF files.
  • Volatility – an excellent memory analysis toolkit
  • Zerowine-vm – A malware behavior analysis platform. I’ve covered ZeroWine here before, and whilst I find it useful for initial analysis I found it a pain to setup and get running. The fact this works out of the box on Mercury is enough reason alone to keep the .iso handy.

Other tools are installed on the system as started, access from standard locations (/etc, /usr/bin, etc.). I won’t try to list them all, but some highlights include:

  • Nepenthes – Dionaea’s predecessor
  • Honeyd – Honeypot system, perfect for emulating multiple different systems from one platform. Covered in more depth here.
  • John – John the Ripper, password cracker
  • ircd-hybrid – irc server daemon, useful for analysis irc-based malware’s interaction with command and control systems.
  • Snort – de-facto intrusion detection system.
  • Wireshark – Packet capture and network analysis tools.

I could go on, but I’m sure you get the idea.
Setting up a honeypot, and analysing the results, has never been easier. And I’m sure the toolkit’s functionality will also be useful in other scenarios; incident response, general network administration or as a safe learning platform. So what are you waiting for?
–Andrew Waite
N.B. there have been several mirror’s and downloads established, the most reliable download source I’ve used is Markus’ mirror at carnivore.it

Join the conversation

23 Comments

  1. Thanks for putting this together. I’ve recently become more interested in malware investigation and this will be a big help. I have it up and running now on an old Pentium 4 and am running Dionaea. I’m new at this, but believe I have it set up correctly. Am I correct in assuming the dionaea.conf does not need any adjustments prior to use? I just let it go with the default.
    Thanks again!

    1. Hi Ken,
      thanks for the feedback, although I should be quick to point out I didn’t create Mercury, that honour is John’s, I just use and like it.
      Dionaea should run out of the box, but I’d recommend that you do tweak a few settings to ensure you get the most out of Dionaea’s (extensive) capabilities. At a bare minimum I’d configure the SQL logging capabilities to get better statistics and set your own email address for the malware submissions to get detailed analysis of the malware captured by your system.
      Hope this helps, good luck

  2. I have a problem when I configured dionaea,it said cannot find Python, but I did install it. And another error is:”configure:error:too old”. Do you have any idea why it happened? I use RHL5.0. Do you think the system may lead to the problem?
    By the way, do you know the differences between nepenthes and dionaea ? Can I use dionaea to find out the malware on my local computer.
    Thank you.

  3. I have a problem when I configured dionaea, it said cannot find Python, but I did install it. Another error is:”configure:error:too old”. Do you have any idea why it happened? I use RHL5.0. Do you think the system may lead to the problem?
    Because I failed to install dionaea, so I wonder can dionaea analysis malware on our local computer, or does it analysis online just like nepenthes?
    Thank you.

    1. I’m guessing that if you’re definitely got Python installed then Dionaea can’t find it. Is Python in your path and/or is Dionaea looking in the right place? Assuming you followed Marcus’ installation docs to the letter, python should be /opt/dionaea/bin/python3.1.
      I don’t use RH myself, but I would be surprised if this was the problem, just ensure that the software versions packaged by your distro meet the pre-requisites, if not compile from source.
      Neither Dionaea or Nepenthes analyse the captured malware, but do have handlers for submitting samples to online analysis frameworks. With the functionality improvements continually being added to Dionaea (like access to the virustotal apis) Dionaea is definitely the way to go.
      Hope this helps, if you’re still struggling I’d ask on the dev mailing list (https://lists.sourceforge.net/lists/listinfo/nepenthes-devel)
      –Andrew

  4. Hi,
    I read your great post and now am interested in using Murcury Live dvd instead of installing Dionaea Honeypot for malware collection purpose. I’m not sure it can give me everything that dionaea directly installed on a system could, as it is a LIVE dvd, and chenges (for example installng a packege to analyze attacks or other customizations) will not remain permanetly. what do U think is better to implement such a malware connection honeypot: a permanent Dionaea with a complicated and boring installation or just downloading a 1.3 GB Murcury live dvd ?
    thanks in advanced.

    1. Hi Setare,
      thanks for the comment, and it’s a question I’ve been asked from a few different people.
      Ultimately you need to use the right tool for the right job. John has done a great job of implementing a quick and easy way to get a honeypot sensor setup, and hopefully lowered the barriers to entry for people knew to honeypot technologies and techniques. One thing you can do bypass the restrictions imposed from a liveCD setup is to install to hard disk to maintain system changes, as Mercury is based on Ubuntu then HDD install is only a few clicks away.
      The downside the Mercury is due to the great pace of development that Markus and others are currently achieving with additional functionality within Dionaea. If you want to play with the bleeding edge then you’ve only really got one choice, installation from source. Although from my experiences the installation of Dionaea is getting simpler and quicker than previously, just make sure you rtfm before asking the mailing list 😉

  5. Project seems dead. Went to sourcforge to download. Seems like no activity other than than the initial upload. When you goto the download link and browse, there’s nothing there.
    That’s unfortunate, it sounded ideal.

  6. The link mentioned in the article doesn’t work anymore and a quick Google search is coming up dry. Could you suggest an alternative manner of downloading?

    1. Hi, didn’t realise the link was dead, thanks for the heads up.
      Searching myself, I can’t find anything either; I’ll ask around for an alternative download location and let you know if I get anything of interest.
      Scratch that, the Carnivore Link at the bottom of the post that Marcus provides appears to still be active.

  7. Hi Andrew,
    I need to capture malware of network of University.
    Does this work for the entire network or for a network segment?
    How do I set it up according to my needs?
    How does the “DVD live Mercury”?
    How I can access the captured malware?
    Where these binaries are stored?
    Regards,
    George

  8. Hi George,
    Mercury is now fairly outdated, if you’re looking to capture malware you’d probably be better off with a standalone Dionaea install, the older version of Dionaea on the live CD should be able to give you a feel for capabilities. However:
    Does this work for the entire network or for a network segment?
    + The HPs are configured to listen on IP(s) as a standard host.
    How I can access the captured malware?
    Where these binaries are stored?
    + Captured binaries will be stored under the Dionaea install path (probably: /opt/dionaea/var/binaries [I think…]).
    Hope this helps get you started, happy honeypotting.

    1. Thanks Andrew,
      Maybe, Do you know any honeypot that currently capture malware successfully?
      Regards.

  9. Hi Andrew,
    I have questions regarding Honeyd and Kippo.
    Honeyd as Kippo both work the same way that Dionaea? Emulate services and capture malware? Where store the malware?
    I have two hosts in different VLANs. I can do work Amun and Honeyd in the same host? and,
    I can do work “Dionaea” and “Kippo” on the other host?
    My main goal is to capture malware.
    Regards.

  10. please can someone upload the dvd on http link instead of ftp ?
    I cannot download it my university blocks ftp connections I need this because I am doing a session about honeypot for a course

Leave a comment

Leave a Reply to suspirosdelalma Cancel reply

Your email address will not be published. Required fields are marked *