Mining Deep Cyber Space Intelligence by Deploying Your Own Honeypots
What is this article about?
This article aims to give you a general understanding of honeypots.
I will also guide you through installing and deploying your own honeypot using Cowrie, and give you ideas and examples of how to collect the malicious activity that your honeypots pick up.
Most importantly, enjoy and appreciate the fun things that are being collected by your honeypots.
What is a honeypot?
According to Wikipedia:
Let's ignore that and let me try to explain that to you in simple words:
A honeypot is basically a "fake" service pretending to be a "normal" service, placed so that it lures attackers into targeting it.
What can a honeypot simulate?
- Fake Server (e.g. Web Server, TOR Node)
- Fake Service (e.g. SSH, RDP, FTP)
- Fake ID (e.g. Email Address, Online Accounts)
- And Much More...
A honeypot can also be a real system running as it is, for example a real server. The advantage is that it fully reproduces the real functionality. The disadvantage is that you must make sure the attacker cannot escape your control: there is always a chance the attacker breaks out and, in the worst case, traces the activity back to you.
Why You Need One
As your honeypots sit on the front line of the cyber battlefield, you will be able to capture some of the world's most advanced malicious activity and have the opportunity to analyze it.
Or, if you have many honeypots set up in different regions of the world, you can potentially turn yourself into a mini ZoomEye or NORSE Live Attack Map, where you visualize this data or create a cyber threat map to analyze the influence of new threats as they come out.
Do you want to make your own brute force dictionaries by collecting what your honeypot received?
Yeah mate, you got my idea
I've hosted a nice SSH honeypot called Cowrie (I will show you how to install it in the next part).
Many of its collected results were very interesting.
Such as some attackers' personal "ammunition garage" and the weapons they sell.
In the old days, some malicious attackers were using my honeypot to try to communicate with Pokemon Go's servers.
Or you can also visualize the malicious attacks like I did:
The main purposes of honeypots are to collect threat intelligence and, when placed inside an enterprise network, to consume attackers' time and effort.
Both of these have their potential payoffs. I will leave them to you to think about, and I will also add this one:
- What if the honeypot has the ability to counter-attack? (e.g. via a JS payload).
You are more than welcome to post thoughts/ideas in the comment section below
Here comes the practical part!
Let's install Cowrie on your honeypot server:
Step 1: Install Dependencies
$ sudo apt-get install git virtualenv libmpfr-dev libssl-dev libmpc-dev libffi-dev build-essential libpython-dev -y
Step 2: Create Cowrie User Account
$ sudo adduser --disabled-password cowrie
Adding user `cowrie' ...
Adding new group `cowrie' (1002) ...
Adding new user `cowrie' (1002) with group `cowrie' ...
Changing the user information for cowrie
Enter the new value, or press ENTER for the default
	Full Name :
	Room Number :
	Work Phone :
	Home Phone :
	Other :
Is the information correct? [Y/n]
$ sudo su - cowrie
Step 3: Download Cowrie Repo
$ git clone http://github.com/micheloosterhof/cowrie
Cloning into 'cowrie'...
remote: Counting objects: 2965, done.
remote: Compressing objects: 100% (1025/1025), done.
remote: Total 2965 (delta 1908), reused 2962 (delta 1905), pack-reused 0
Receiving objects: 100% (2965/2965), 3.41 MiB | 2.57 MiB/s, done.
Resolving deltas: 100% (1908/1908), done.
Checking connectivity... done.
$ cd cowrie
Step 4: Create Virtual Environment
$ pwd
/home/cowrie/cowrie
$ virtualenv cowrie-env
New python executable in ./cowrie/cowrie-env/bin/python
Installing setuptools, pip, wheel...done.
$ source cowrie-env/bin/activate
(cowrie-env) $ pip install --upgrade -r requirements.txt
$ cd bin/
$ ./cowrie start
Starting cowrie in the background...
Step 5: Change SSH port
We need to move the real SSH daemon off the default port (22) to something else, so that port 22 is free to hand over to Cowrie in the next step.
$ sudo vim /etc/ssh/sshd_config
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 65432
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Step 6: Change Cowrie's SSH port
As Cowrie listens on port 2222 by default, we redirect incoming traffic on port 22 to port 2222 with an iptables NAT rule:
$ sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
Step 7: Restart Cowrie
$ bin/cowrie restart
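Steps 5 to 7 are the part of the setup that can lock you out of your own server: if the real sshd is still bound to port 22 when the REDIRECT rule is added, your admin logins land in Cowrie instead. The checker below is an added example (not from the original post or from the Cowrie project) that parses the text of sshd_config and the output of `iptables -t nat -S PREROUTING` and reports the layout problems a practitioner would want to catch before applying the rule. The sample config and rule listings are constructed; `COWRIE_PORT`, `check_deployment` and the other names are my own.

```python
"""Pre-flight checks for the Cowrie port layout described in Steps 5-7.

Added example, not part of the original post or of Cowrie itself. It parses
the text of /etc/ssh/sshd_config and the output of
`iptables -t nat -S PREROUTING` and reports the misconfigurations that bite
most often: the real sshd still on port 22 (the redirect would then hijack
your own admin access), sshd colliding with Cowrie's port, and a missing or
wrong REDIRECT rule. Sample inputs below are constructed, not captured.
"""
import re
from typing import List, Tuple

COWRIE_PORT = 2222  # Cowrie's default listener, as used in the post

# An active (uncommented) Port directive, e.g. "Port 65432".
_PORT_RE = re.compile(r"^\s*Port\s+(\d+)\s*$", re.IGNORECASE | re.MULTILINE)

# A tcp REDIRECT in nat PREROUTING as printed by `iptables -t nat -S`;
# iptables prints --to-ports even when the rule was added with --to-port.
_REDIRECT_RE = re.compile(
    r"^-A PREROUTING .*?-p tcp .*?--dport (\d+) .*?-j REDIRECT --to-ports? (\d+)",
    re.MULTILINE,
)


def sshd_listen_ports(sshd_config: str) -> List[int]:
    """Return the ports the real sshd will bind; OpenSSH defaults to 22."""
    ports = [int(p) for p in _PORT_RE.findall(sshd_config)]
    return ports or [22]


def redirect_rules(nat_listing: str) -> List[Tuple[int, int]]:
    """Return (dport, to_port) pairs for every tcp REDIRECT in PREROUTING."""
    return [(int(d), int(t)) for d, t in _REDIRECT_RE.findall(nat_listing)]


def check_deployment(sshd_config: str, nat_listing: str,
                     cowrie_port: int = COWRIE_PORT) -> List[str]:
    """Return a list of problems; an empty list means the layout is sane."""
    problems = []
    ports = sshd_listen_ports(sshd_config)
    rules = redirect_rules(nat_listing)

    if 22 in ports:
        problems.append("real sshd still listens on 22: redirecting 22 would "
                        "cut off your own admin access, move it first")
    if cowrie_port in ports:
        problems.append(f"real sshd listens on {cowrie_port}, which collides "
                        f"with Cowrie's listener")
    if (22, cowrie_port) not in rules:
        problems.append(f"no PREROUTING rule redirecting tcp/22 to "
                        f"{cowrie_port}; Cowrie will not see port-22 traffic")
    # Any rule that sends 22 somewhere other than Cowrie is a stray rule.
    for dport, to_port in rules:
        if dport == 22 and to_port != cowrie_port:
            problems.append(f"tcp/22 is redirected to {to_port}, not {cowrie_port}")
    return problems


# Constructed sample inputs mirroring the post's Step 5 and Step 6 results.
SAMPLE_SSHD_CONFIG = """\
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.
#Port 22
Port 65432
#AddressFamily any
"""

SAMPLE_NAT_OK = """\
-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
"""

SAMPLE_NAT_EMPTY = "-P PREROUTING ACCEPT\n"

if __name__ == "__main__":
    for label, cfg, nat in [("good", SAMPLE_SSHD_CONFIG, SAMPLE_NAT_OK),
                            ("no-redirect", SAMPLE_SSHD_CONFIG, SAMPLE_NAT_EMPTY),
                            ("sshd-on-22", "#Port 22\n", SAMPLE_NAT_OK)]:
        print(label, "->", check_deployment(cfg, nat) or ["OK"])
```

On a live host, feed it `sudo cat /etc/ssh/sshd_config` and `sudo iptables -t nat -S PREROUTING`. The safe order is: edit sshd_config, validate it with `sudo sshd -t`, restart sshd while keeping your current session open, confirm a fresh login on the new port works, and only then add the REDIRECT rule.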
Let's log into our honeypot using the username "root" with the password "admin":
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@svr04:~# whoami
root
root@svr04:~# ping google.com
PING google.com (184.108.40.206) 56(84) bytes of data.
64 bytes from google.com (220.127.116.11): icmp_seq=1 ttl=50 time=44.4 ms
64 bytes from google.com (18.104.22.168): icmp_seq=2 ttl=50 time=42.5 ms
64 bytes from google.com (22.214.171.124): icmp_seq=3 ttl=50 time=40.5 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 907ms
rtt min/avg/max/mdev = 48.264/50.352/52.441/2.100 ms
root@svr04:~# uname -a
Linux svr04 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u1 x86_64 GNU/Linux
root@svr04:~# apt install python
bash: apt: command not found
root@svr04:~# yum install python
bash: yum: command not found
root@svr04:~# wget google.com
--2018-04-05 05:43:22--  http://google.com
Connecting to google.com:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html; charset=ISO-8859-1]
Saving to: `/root/index.html'

100%[======================================>] 0 100K/s eta 0s

2018-04-05 05:43:22 (100 KB/s) - `/root/index.html' saved [10593/0]
root@svr04:~# ls
index.html
root@svr04:~# cat index.html
<!doctype html><html itemscope="" ite.............(and more...)
On the honeypot's side, the attacker's actions are logged under
For demonstration purposes, I've removed extra information such as timestamps, networking logs, and my own IPs.
New connection: XXX.XXX.XXX.XXX:34252 (XXX.XXX.XXX.XXX:2222)
Remote SSH version: SSH-2.0-OpenSSH_7.5p1 Ubuntu-10ubuntu0.1
...
login attempt [root/admin] succeeded
Initialized emulated server as architecture: linux-x64-lsb
...
pty request: 'xterm-256color' (51, 181, 1270, 769)
Terminal Size: 51 181
request_env: LANG=en_US.UTF-8
getting shell
Opening TTY Log: log/tty/20180405-054249-c9f804dbd74c-0i.log
CMD: whoami
Command found: whoami
CMD: ping google.com
Command found: ping google.com
CMD: uname -a
Command found: uname -a
CMD: apt install python
Command not found: apt install python
CMD: yum install python
Command not found: yum install python
CMD: wget google.com
Command found: wget google.com
Starting factory <HTTPProgressDownloader: http://google.com>
...
CMD: ls
Command found: ls
CMD: cat index.html
Command found: cat /root/index.html
connection lost
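The log excerpt above already contains the three things most worth collecting from a Cowrie deployment: the credentials attackers try (the "brute force dictionary" idea from earlier, useful for checking your own password policy against what is actually being guessed), the commands they run and which of them Cowrie could not emulate (the "Command not found" lines tell you where the emulation gives itself away), and the URLs the session tried to fetch (candidate indicators for blocklists). The parser below is an added example, not part of the original post or of the Cowrie project. It works on the stripped line format shown above and tolerates the timestamp prefixes a real log carries, because every pattern is searched within the line rather than anchored. The sample log is constructed to mirror the excerpt, with documentation-range IPs in place of the masked ones; `SessionSummary`, `parse_cowrie_log` and `credential_counts` are my own names.

```python
"""Summarise a Cowrie text log like the excerpt above.

Added example, not from the original post or from the Cowrie project. Walks
the log once and collects credentials, commands, unsupported commands and
fetch URLs. The sample log below is constructed; its IPs come from the
documentation ranges, not from a real attacker.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Tuple

# Patterns are searched, not anchored, so a leading timestamp/prefix is fine.
_CONN_RE = re.compile(r"New connection: (\S+?):(\d+) \((\S+?):(\d+)\)")
_LOGIN_RE = re.compile(r"login attempt \[([^/\]]*)/([^\]]*)\] (succeeded|failed)")
_CMD_RE = re.compile(r"\bCMD: (.*)$")
_FOUND_RE = re.compile(r"\bCommand (found|not found): (.*)$")
_URL_RE = re.compile(r"Starting factory <HTTPProgressDownloader: (\S+?)>")


@dataclass
class SessionSummary:
    source: str = ""                                       # attacker IP as logged
    logins: List[Tuple[str, str, bool]] = field(default_factory=list)  # user, pw, ok
    commands: List[str] = field(default_factory=list)      # everything typed
    unsupported: List[str] = field(default_factory=list)   # "Command not found"
    urls: List[str] = field(default_factory=list)          # attempted downloads


def parse_cowrie_log(text: str) -> SessionSummary:
    """Walk the log once and collect credentials, commands and fetch URLs."""
    s = SessionSummary()
    for line in text.splitlines():
        if m := _CONN_RE.search(line):
            s.source = m.group(1)
        elif m := _LOGIN_RE.search(line):
            s.logins.append((m.group(1), m.group(2), m.group(3) == "succeeded"))
        elif m := _CMD_RE.search(line):
            s.commands.append(m.group(1).strip())
        elif m := _FOUND_RE.search(line):
            if m.group(1) == "not found":
                s.unsupported.append(m.group(2).strip())
        elif m := _URL_RE.search(line):
            s.urls.append(m.group(1))
    return s


def credential_counts(summaries: List[SessionSummary]) -> Counter:
    """Count (user, password) pairs across sessions, most common first when
    printed; this is the raw material for the dictionary the post mentions."""
    return Counter((u, p) for s in summaries for u, p, _ in s.logins)


# Constructed sample log mirroring the post's excerpt (timestamps removed).
SAMPLE_LOG = """\
New connection: 203.0.113.7:34252 (198.51.100.2:2222)
Remote SSH version: SSH-2.0-OpenSSH_7.5p1 Ubuntu-10ubuntu0.1
login attempt [root/123456] failed
login attempt [root/admin] succeeded
Initialized emulated server as architecture: linux-x64-lsb
CMD: whoami
Command found: whoami
CMD: uname -a
Command found: uname -a
CMD: apt install python
Command not found: apt install python
CMD: wget google.com
Command found: wget google.com
Starting factory <HTTPProgressDownloader: http://google.com>
CMD: cat index.html
Command found: cat /root/index.html
connection lost
"""

if __name__ == "__main__":
    summary = parse_cowrie_log(SAMPLE_LOG)
    print("source:     ", summary.source)
    print("logins:     ", summary.logins)
    print("commands:   ", summary.commands)
    print("unsupported:", summary.unsupported)
    print("urls:       ", summary.urls)
    print("top creds:  ", credential_counts([summary]).most_common(3))
```

Run it over the real log directory by reading each file into `parse_cowrie_log` and feeding the resulting summaries to `credential_counts`; the `unsupported` list across many sessions is a good to-do list for extending Cowrie's emulated command set.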
You can also add new username:password combinations in Cowrie by modifying
My attack map image above was made in Splunk, simply by combining a geolocation database lookup with a heatmap.
However, feel free to create your own visualizations of the malicious data using D3.js or other visualization tools.
PS. You will probably find this helpful too: Send Cowrie Output to a MySQL Database.
I hope this article gave you a fresh perspective on honeypots. If you have any questions or thoughts, you're welcome to comment below.