Introduction To Honeypots
What are honeypots?
A honeypot is a deliberately vulnerable security tool designed to attract attackers and record the actions of adversaries. Honeypots can be used in a defensive role to alert administrators of potential breaches and to distract attackers away from real infrastructure. Honeypots are also used to collect data on the tools and techniques of adversaries and assist with generating effective defensive measures.
This room will demonstrate the Cowrie honeypot from the perspectives of an adversary and security researcher. This room will also highlight the data collected by a Cowrie honeypot deployment, some analysis methodologies, and what the gathered data tell us about typical botnet activity.
Types of Honeypots
Honeypot Interactivity and Classification
A wide variety of honeypots exist so it is helpful to classify them by the level of interactivity provided to adversaries, with most honeypots falling into one of the below categories: Introduction To Honeypots
Low-Interaction honeypots offer little interactivity to the adversary and are only capable of simulating the functions that are required to simulate a service and capture attacks against it. Adversaries are not able to perform any post-exploitation activity against these honeypots as they are unable to fully exploit the simulated service. Examples of low-interaction honeypots include mailoney and dionaea.
Medium-Interaction honeypots collect data by emulating both vulnerable services as well as the underlying OS, shell, and file systems. This allows adversaries to complete initial exploits and carry out post-exploitation activity. Note, that unlike, High-Interaction honeypots (see below), the system presented to adversaries is a simulation. As a result, it is usually not possible for adversaries to complete their full range of post-exploitation activity as the simulation will be unable to function completely or accurately. We will be taking a look at the medium-interaction SSH honeypot, Cowrie in this demo.
High-Interaction honeypots are fully complete systems that are usually Virtual Machines that include deliberate vulnerabilities. Adversaries should be able (but not necessarily allowed) to perform any action against the honeypot as it is a complete system. It is important that high-interaction honeypots are carefully managed, otherwise, there is a risk that an adversary could use the honeypot as a foothold to attack other resources. Cowrie can also operate as an SSH proxy and management system for high-interaction honeypots.
Deployment Location
Once deployed, honeypots can then be further categorized by the exact location of their deployment:
Internal honeypots are deployed inside a LAN. This type can act as a way to monitor a network for threats originating from the inside, for example, attacks originating from trusted personnel or attacks that by-parse firewalls like phishing attacks. Ideally, these honeypots should never be compromised as this would indicate a significant breach.
External honeypots are deployed on the open internet and are used to monitor attacks from outside of the LAN. These honeypots are able to collect much more data on attacks since they are effectively guaranteed to be under attack at all times.
The Cowrie SSH Honeypot
The Cowrie honeypot can work both as an SSH proxy or as a simulated shell. The demo machine is running the simulated shell. You can log in using the following credentials:
IP - 10.10.81.52
User - root
Password - <ANY>
As you can see the emulated shell is pretty convincing and could catch an unprepared adversary off guard. Most of the commands work like how you'd expect, and the contents of the file system match what would be present on an empty Ubuntu 18.04 installation. However, there are ways to identify this type of Cowrie deployment. For example, it's not possible to execute bash scripts as this is a limitation of low and medium interaction honeypots. It's also possible to identify the default installation as it will mirror a Debian 5 Installation and features a user account named Phil. The default file system also references an outdated CPU.
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ ssh root@10.10.81.52
The authenticity of host '10.10.81.52 (10.10.81.52)' can't be established.
RSA key fingerprint is SHA256:tag6Ip0SU0wDGK1/QLA7FVFRhGHsHtMUqktyMyNOs3E.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.81.52' (RSA) to the list of known hosts.
Ubuntu 18.04.5 LTS
root@10.10.81.52's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@acmeweb:~# whoami
root
root@acmeweb:~# #www.kumaratuljaiswal.in
Cowrie Logs
Cowrie Event Logging
The honeypot wouldn't be of much use without the ability to collect data on the attacks that it's subjected to. Fortunately, Cowrie uses an extensive logging system that tracks every connection and command handled by the system. You can access the real SSH port for this demo machine using the following options:
IP - 10.10.81.52
Port - 1400
User - demo
Password - demo
Cowrie can log to a variety of different local formats and log parsing suites. In this case, the installation is just using the JSON and text logs. I've installed the JSON parser jq on the demo machine to simplify log parsing.
Note: You may need to delete the demo machine's identity from .ssh/known_hosts as it will differ from the one used in the honeypot. You will also need to specify a port adding -p 1400 to the SSH command. The logs will also be found at /home/cowrie/honeypot/var/log/cowrie
Log Aggregation
The amount of data collected by honeypots, especially external deployments can quickly exceed the point where it's no longer practical to parse manually. As a result, it's often worth deploying Honeypots alongside a logging platform like the ELK stack. Log aggregation platforms can also provide live monitoring capabilities and alerts. This is particularly beneficial when deploying Honeypots, with the intent to respond to attacks rather than to collect data.
>
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ ssh demo@10.10.81.52 -p 1400
The authenticity of host '[10.10.81.52]:1400 ([10.10.81.52]:1400)' can't be established.
ECDSA key fingerprint is SHA256:0CHR6APzGaV/dM1GonCR0T7wJ3nJpPQ7jym2/1E33HY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.81.52]:1400' (ECDSA) to the list of known hosts.
demo@10.10.81.52's password:
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-158-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon Oct 11 04:04:00 UTC 2021
System load: 0.18 Processes: 91
Usage of /: 27.3% of 8.79GB Users logged in: 0
Memory usage: 41% IP address for eth0: 10.10.81.52
Swap usage: 0%
0 updates can be applied immediately.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
demo@acmeweb:~$ whoami
demo
demo@acmeweb:~$ #www.hackingtruth.in
demo@acmeweb:~$
Note: You may need to delete the demo machine's identity from .ssh/known_hosts as it will differ from the one used in the honeypot. You will also need to specify a port adding -p 1400 to the SSH command. The logs will also be found at /home/cowrie/honeypot/var/log/cowrie
demo@acmeweb:~$ ls
BotCommands Top200Creds.txt Tunnelling
demo@acmeweb:~$ cat Top200Creds.txt
/root/1234/
/root/gm8182/
/root/Admin123/
/root/cisco/
/pi/raspberry/
/user/user/
/root/abc123/
/pi/raspberryraspberry993311/
/user/1234/
/root/test/
/root/elite/
/ftpadmin/ftpadmin/
/default//
/admin/11/
demo@acmeweb:~$
demo@acmeweb:~$ cd /home/cowrie/honeypot/var/log/cowrie
demo@acmeweb:/home/cowrie/honeypot/var/log/cowrie$ ls
audit.log cowrie.json cowrie.json.2021-09-23
demo@acmeweb:/home/cowrie/honeypot/var/log/cowrie$
Attacks Against SSH
SSH and Brute-Force Attacks
By default, Cowrie will only expose SSH. This means adversaries will only be able to compromise the honeypot by attacking the SSH service. The attack surface presented by a typical SSH installation is limited so most attacks against the service will take the form of brute-force attacks. Defending against these attacks is relatively simple in most cases as they can be defeated by only allowing public-key authentication or by using strong passwords. These attacks should not be completely ignored, as there are simply so many of them that you are pretty much guaranteed to be attacked at some point.
A collection of the 200 most common credentials used against old Cowrie deployments has been left on the demo machine and can be used to answer the questions below. As you can see, most of the passwords are extremely weak. Notable entries include the default credentials used for some devices like Raspberry PIs and the Volumio Jukebox. Various combinations of '1234' and rows of keys are also commonplace.
1) How many passwords include the word "password" or some other variation of it e.g "p@ssw0rd"
HINT - This regular expression works "p.*ss.*". You can also count lines by piping to wc -l
Ans - 15
demo@acmeweb:~$
demo@acmeweb:~$ ls
BotCommands Top200Creds.txt Tunnelling
demo@acmeweb:~$
demo@acmeweb:~$ grep "p.*ss" Top200Creds.txt
/admin/password/
/root/password1/
/root/password/
/user1/password/
/MikroTik/password/
/default/password/
/admin1/password/
/profile1/password/
/user/password/
/admin/passw0rd/
/admin1/passw0rd/
/user1/passw0rd/
/profile1/passw0rd/
/MikroTik/passw0rd/
/default/passw0rd/
demo@acmeweb:~$
demo@acmeweb:~$
demo@acmeweb:~$ ls
BotCommands Top200Creds.txt Tunnelling
demo@acmeweb:~$
demo@acmeweb:~$ grep "p.*ss" Top200Creds.txt | wc -l
15
demo@acmeweb:~$
2) What is arguably the most common tool for brute-forcing SSH?
Ans - hydra
3) What intrusion prevention software framework is commonly used to mitigate SSH brute-force attacks?
Ans -
Typical Bot Activity
Typical Post Exploitation Activity
The majority of attacks against typical SSH deployments are automated in some way. As a result, most of the post-exploitation activity that takes place after a bot gains initial access to the honeypot will follow a broad pattern. In general, most bots will perform a combination of the following:
Perform some reconnaissance using the uname or nproc commands or by reading the contents of files like /etc/issue and /proc/cpuinfo. It's possible to change the contents of all these files so the honeypot can pretend to be a server or even an IoT toaster.
Install malicious software by piping a remote shell script into bash. Often this is performed using wget or curl though, bots will occasionally use FTP. Cowrie will download each unique occurrence of a file but prevent the scripts from being executed. Most of the scripts tend to reference cryptocurrency mining in some way.
A more limited number of bots will then perform some anti-forensics tasks by deleting various logs and disabling bash history. This doesn't affect Cowrie since all the actions are logged externally.
Bots are not limited to these actions in any way and there is still some variation in the methods and goals of bots. Run through the questions below to further understand how adversaries typically perform reconnaissance against Linux systems.
1) What CPU does the honeypot "use"?
Ans -
2) Does the honeypot return the correct values when uname -a is run? (Yay/Nay)
Ans -
3) What flag must be set to pipe wget output into bash?
Ans -
4) How would you disable bash history using unset?
Ans -
Identification Techniques
Bot Identification
It is possible to use the data recorded by Cowrie to identify individual bots. The factors that can identify traffic from individual botnets are not always the same. However, some artifacts tend to be consistent across bots including, the IP addresses requested by bots and the specific order of commands. Identifiable messages may also be present in scripts or commands though this is uncommon. Some bots may also use highly identifiable public SSH keys to maintain persistence.
It's also possible to identify bots from the scripts that are downloaded by the honeypot, using the same methods that would be used to identify other malware samples.
Take a look at the samples included with the demo machine and answer the below questions.
Note: Don't run any of the commands found in the samples as you may end up compromising whatever machine that runs them!
1) What brand of device is the bot in the first sample searching for? (BotCommands/Sample1.txt)
Ans -
2) What are the commands in the second sample changing? (BotCommands/Sample2.txt)
Ans -
3) What is the name of the group that runs the botnet in the third sample? (BotCommands/Sample3.txt)
Ans -
SSH Tunnelling
Attacks Performed Using SSH Tunnelling
Some bots will not perform any actions directly against honeypot and instead will leverage a compromised SSH deployment itself. This is accomplished with the use of SSH tunnels. In short, SSH tunnels forward network traffic between nodes via an encrypted tunnel. SSH tunnels can then add an additional layer of secrecy when attacking other targets as third parties are unable to see the contents of packets that are forwarded through the tunnel. Forwarding via SSH tunnels also allows an adversary to hide their true public IP in much the same way a VPN would.
The IP obfuscation can then be used to facilitate schemes that require the use of multiple different public IP addresses like, SEO boosting and spamming. SSH tunnelling may also be used to by-parse IP-based rate limiting tools like Fail2Ban as an adversary is able to transfer to a different IP once they have been blocked.
SSH Tunnelling Data in Cowrie
By default, Cowrie will record all of the SSH tunnelling requests received by the honeypot but, will not forward them on to their destination. This data is of particular importance as it allows for the monitoring and discovery of web attacks, that may not have been found by another honeypot. I've included a couple of samples sort of data that can be recorded from SSH tunnels.
Note: Some elements have been redacted from the samples to protect vulnerable servers.
1) What application is being targetted in the first sample? (Tunnelling/Sample1.txt)
Ans -
2) Is the URL in the second sample malicious? (Tunnelling/Sample2.txt) (Yay/Nay)
Ans -
Recap and Extra Resources
Recap
I hope this room has demonstrated how interesting honeypots can be and how the data that we can collect from them can be used to gain insight into the operations of botnets and other malicious actors.
Extra Resources
I've included some extra resources to assist in learning more about honeypots below:
Awesome Honeypots - A curated list of honeypots
Cowrie - The SSH honeypot used in the demo
Sending Cowrie Output to ELK - A good example of how to implement live log monitoring
I would also recommend that you deploy a honeypot yourself as it's a great way to learn. Deploying a honeypot is also a great way to understand how to work with cloud providers since external honeypots are best when deployed to the cloud. Deploying and managing multiple honeypots is also an interesting challenge and a good way to gain practical experience with tools like Ansible.
Disclaimer
All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.
- Hacking Truth by Kumar Atul Jaiswal