2 weeks ago

How to Use the Cowrie SSH Honeypot to Catch Attackers on Your Network « Null Byte :: WonderHowTo

The internet is actually constantly under siege by bots searching for vulnerabilities to attack along with exploit. While conventional wisdom is actually to prevent these attacks, there are ways to deliberately lure hackers into a trap in order to spy on them, study their behavior, along with capture samples of malware. In This particular tutorial, we’ll be creating a Cowrie honeypot, an alluring target to attract along with trap hackers.

A honeypot is actually a network or internet-attached device designed to be attacked along with given a specific set of vulnerabilities. Honeypots usually intend to impersonate the sort of devices of which attackers have an interest in, such as web servers.

While these devices can appear similar, or even identical, to authentic servers during passive scanning, there are numerous substantial differences between a deliberately-created honeypot along having a vulnerable server.

These adjustments attempt to make the honeypot indistinguishable coming from a production server to any potential hacker who is actually scanning for open SSH ports to attack, while limiting the actual danger of an insecure server by creating one in a sandboxed environment. This particular creates something which looks real along with appears vulnerable to hackers however does not create the same dangers to a server administrator as a truly vulnerable server could.

Cowrie is actually a honeypot which attempts to impersonate an SSH server, specifically one with weak along with easily cracked login credentials. Once an attacker is actually logged in, they’ll have access to a fake Linux shell where they can run commands along with receive realistic looking responses, however the attacker will never be able to actually execute these real commands outside of the sandbox honeypot environment. of which’s because This particular Cowrie “shell” is actually in fact not a Linux shell at all. The command-line environment is actually implemented entirely in Python.

Like different honeypots, while fooling the attacker into thinking they’re in a server, Cowrie will also log or analyze the attacks which are made against the idea. This particular allows for the honeypot administrator to gain an idea of what sort of attacks are being attempted, their general success or failure rate, as well as the geographical location of the IP coming from which a given attack originates. Cowrie is actually also capable of attempting to capture information about a specific attacker rather than just the metadata of their attack, such as accidentally exposed SSH fingerprints.

Honeypots Help to Understand How Malicious Hackers Work

The video below demonstrates a real-world attack which was captured along with replayed. The hacker attempts to utilize numerous Linux utilities, presumably in order to download along with run malware on the server, only to discover of which while these commands return many generally normal responses, attempts to actually run malware or steal data seem to fail.

Perhaps with or without realizing they are on a honeypot, the attacker eventually becomes frustrated along with attempt to delete every file on the system with rm, a command which, of course, also fails due to the protected nature of the honeypot.

Honeypots Protect Against & Help Identify Breaches

The presence of a honeypot may also distract some malicious attackers coming from real targets, along with in wasting their time, potentially serve to protect a larger network with real production machines in use. They can also assist in identifying a local network breach, in of which if another machine on a LAN is actually compromised, the evidence may be revealed when the attacker attempts to pivot to the honeypot. If a user on a large network unknowingly is actually infected by malware, the idea may be detected after a honeypot receives a login attempt originating coming from of which infected device, along having a network administrator then may be able to identify along with resolve the issue.

A honeypot will never be shared having a real server, nor connected to a real network. Use caution when creating a honeypot, as if the idea is actually misconfigured the idea may create real vulnerabilities. Cowrie is actually not known to be vulnerable itself, however, bringing attention to a machine as a honeypot leads to a higher possibility of attacks on different services which may have security flaws. With This particular in mind, you should ensure of which wherever you choose to install your honeypot is actually not being used as a live machine for any different services.

Step 1: Choosing Where to Install Cowrie

Cowrie itself doesn’t require substantial technical specifications to run. The honeypot can be installed on practically anything having a Linux shell along having a network connection, including on a Raspberry Pi.

In order to draw attacks over the internet, your honeypot will need to be connected to the internet along with available to be port scanned. This particular port scanning may require adjustments to your router or firewall configurations on your network. One such adjustment may be router-focused port-forwarding to deliberately expose certain ports to the internet.

Don’t Miss: Use SSH Local Port Forwarding to Pivot into Restricted Networks

Rather than draw attention to a local network along with adjust the network configuration, one can also use a virtual private server (VPS), a virtual machine instance provided by a hosting provider. Unlike traditional online server spaces, which generally only provide FTP access for hosting websites or files, a VPS provides direct operating system shell access, ideal for installing a honeypot.

Image by Image by SADMIN/Null Byte

If you choose to use a Raspberry Pi, the idea serves a relatively Great platform for a honeypot, as its low cost makes the otherwise impractical application of resources to a honeypot easier to justify. Considering of which a real server should never be used as both a functioning server along having a honeypot at the same time, applying a tiny circuit board computer is actually a Great solution. The Raspberry Pi 3 is actually an ideal platform as the idea has the highest specifications of any Pi available. the idea is actually available as just the single-board computer or having a convenient starter kit.

Don’t Miss: Set Up a Headless Raspberry Pi Hacking Platform Running Kali Linux

In This particular tutorial, Cowrie is actually installed on a VPS running Debian. VPS providers generally allow the choice of operating system as well as the amount of memory along with CPU cores provided. For running Cowrie, any Linux server-specific distribution will work on even most low-specification server options. Desktop distributions are also functional, although some special-purposed distributions such as Kali Linux may not be ideal due to use of non-standard firewall rules along with account privilege configurations.

In This particular tutorial, we’re using Debian, a desktop along with server Linux distribution known for stability along with security. different Debian-based distros like Ubuntu or Raspbian are also effective choices.

The exposure of a honeypot depends on its network connection. On a VPS, you’re setting up the honeypot on the vulnerable port 22, which is actually exposed to the entire internet, as is actually true of any different device connected to the internet directly. If, instead, you’re looking to detect breached along with pivot attempts within of which local network, set you honeypot up within a LAN.

Step 2: Preparing for Cowrie Installation

The first step to preparing your server is actually to make sure the idea is actually updated. While the honeypot will deliberately limit the actual exposure of the system, the idea’s Great to make sure of which the variation of Linux in use on the machine you intend to install the honeypot on is actually up to date along with secure.

On Debian or Debian-based distros such as Ubuntu, the system can be updated using apt-get, as shown within the string below. This particular can be entered into the system command line or over SSH if you’re connecting to the system remotely.

sudo apt-get update && sudo apt-get upgrade

Don’t Miss: How to Use the Chrome Browser Secure Shell App to SSH into Remote Devices

Once you’re up to date, we can install some of the Cowrie-specific dependencies by running the command below.

sudo apt-get install git python-virtualenv libssl-dev libffi-dev build-essential libpython-dev python2.7-minimal authbind

Once the prerequisites are installed, the next step is actually to move the actual SSH service to a different port. While the honeypot will impersonate an SSH server on port 22, we’ll want to be able to still administrate the system over SSH on a different port. We can specify This particular within the SSH daemon configuration file. We can edit This particular file within the Nano text editor, included in most Linux distros, by running the command below in a terminal.

sudo nano /etc/ssh/sshd_config

Change the number after “Port” coming from 22 to whatever number you choose, along with make sure to remove the “#” symbol coming from the beginning of the line if the idea was previously commented out. In This particular example, I changed the port to “9022.” This particular port number represents the port where we will actually administrate the honeypot, while the vulnerable honeypot service will run on port 22 like a conventional SSH service. the idea can be set to any number, as long as the idea is actually not port 22.

After the changed are made to the file, they can be saved within Nano by pressing Ctrl + O along with then exiting Nano with Ctrl + X. After the SSH configuration is actually changed, the service can be restarted with systemd by using the command below in a terminal.

sudo systemctl restart ssh

If you installed on a VPS or wish to connect to your honeypot machine remotely, when using SSH, use the -p option to specify This particular brand-new port. To connect over SSH to the port 9022, the command below could be used, followed by the address of the server.

ssh -p 9022

currently, we’re ready to begin the initial configuration of Cowrie.

Step 3: Installing Cowrie

The first step of the installation process is actually to create a brand-new user account specifically for Cowrie. We can do This particular with the adduser command by running the string below.

sudo adduser –disabled-password cowrie

This particular creates a brand-new user account with no password along having a username of “cowrie.” We can log into This particular brand-new user account using sudo suas within the command shown below.

sudo su – cowrie

Next, we can clone the Cowrie source code into This particular brand-new user account’s home folder using Git, as shown within the command below.

git clone https://github.com/micheloosterhof/cowrie

currently, we can move into the cowrie folder with cd.

cd cowrie

Within This particular directory, we can create a brand-new virtual environment for the tool by running the command below.

virtualenv cowrie-env

We can then activate This particular brand-new virtual environment:

source cowrie-env/bin/activate

coming from here, we can use Pip to install additional requirements. First, update Pip with the following command.

pip install –upgrade pip

currently, install the requirements with the string shown below. The requirements.txt file included with Cowrie is actually used as a reference for the Python dependencies for Pip to install.

pip install –upgrade -r requirements.txt

The configuration for Cowrie is actually defined in two files, cowrie.cfg.dist along with cowrie.cfg. By default, only cowrie.cfg.dist is actually included when the tool is actually downloaded, however any settings which are set in cowrie.cfg will be assigned priority. To make the idea slightly more simple to configure, we can create a copy of cowrie.cfg.dist along with use the idea to create cowrie.cfg, such of which there is actually a backup of the original file. We can do This particular using the cp command, as shown within the string below.

cp cowrie.cfg.dist cowrie.cfg

We can edit This particular configuration file in Nano by running nano cowrie.cfg coming from the command line. The first setting which may be worth changing is actually the hostname of the honeypot. While This particular isn’t necessary, the default “svr04” may be an indicator of which This particular is actually a honeypot to an attacker.

Next, “listen_port” should be set to “22” rather than “2222,” such of which attempted connections at the standard SSH port are allowed.

We can currently make any different adjustments to the file, save them with Ctrl + O, along with exit Nano with Ctrl + X. After the file is actually saved, we can also update the port routing configuration for the system by tunning the command below.

iptables -t nat -A PREROUTING -p tcp –dport 22 -j REDIRECT –to-port 2222

We can currently launch Cowrie by running the string below coming from the Cowrie folder.

bin/cowrie start

If This particular succeeds, the honeypot is actually currently running! You can also stop the idea at any time by running bin/cowrie stop.

Don’t Miss: Capturing Zero-Day Exploits within the Wild having a Dionaea Honeypot

Step 4: Monitoring & Attacking the Honeypot

If we do a network scan like Nmap against our server, we’ll see of which all three of the SSH ports we configured are active. Port 2222 is actually visible, where Cowrie is actually running, as well as port 22, the standard SSH port being forwarded by the iptables configuration defined earlier. Lastly, port 9022 is actually also filtered, the actual SSH administration port in use.

If we attempt to connect to port 22 or 2222, we can directly “attack” our own honeypot. The honeypot will accept practically any attempted login credentials, as well as present something which looks like a Linux shell.

After logging in to the honeypot on port 22 along with attempting to run commands on the idea, we can review what we did by logging back in on port 9022 to check the logs. These logs are recorded in a format which can be replayed in real-time using the integrated log replay tool. This particular script can be run followed by the specific log file as an argument in order to replay the idea in real time.

To call the script, use ./bin/playlog coming from the Cowrie directory followed by the name of the log you wish to replay. Logs are located within the /log/tty/ directory within Cowrie’s root directory, along with each is actually titled procedurally, with the date along with time automatically set as the filename. To view the available logs, use ls by running ls log/tty coming from the Cowrie directory. Once you’ve selected a log to view, use the idea as the argument for the playlog script, as shown within the example command below.

./bin/playlog /home/cowrie/cowrie/log/tty/20171214-154755-fe93f2240ae-0i.log

If your honeypot is actually connected to the internet, you can just wait until the inevitable probes attempt to log in along with drop malware on the machine. Cowrie is actually open-source along with very configurable, along with could absolutely be expanded along with combined to have further functions to be suitable for a wide variety of honeypot projects. With very minimal setup, the idea’s still very powerful, along having a fascinating way to understand the attack landscape of the internet.

I expect of which you enjoyed This particular tutorial on the Cowrie honeypot! If you have any questions about This particular tutorial or Cowrie usage, feel free to leave a comment or reach me on Twitter @tahkion.

Cover image along with screenshots by TAKHION/Null Byte

Leave a Comment

Your email address will not be published. Required fields are marked *

ten − seven =