Cowrie Honeypot - Honeypot
Lab Description
- The lab is provided by TryHackMe. Creator: CoolComputerMan.
- Link to access the lab: here.
Our final goal is to comprehend the Cowrie honeypot and its functionalities.
Introduction to Honeypot
A honeypot is an intentionally vulnerable machine used to attract attackers and record their activities.
Here are some highlights of a honeypot's uses:
- Alert administrators of potential breaches.
- Understand adversaries, i.e. tools and techniques used.
- Distract attackers away from the real infrastructure. This lends us more time to respond to the attack.
Types of Honeypots
Honeypot Interactivity and Classification
1. Low-Interaction
Offer the adversary only a limited set of activities. Basically, the adversary is restricted in any post-exploitation action against the honeypot.
For instance, the SMTP Honeypot by awhitehatter.
2. Medium-Interaction
Emulate a real environment such as vulnerable services and the underlying OS, shell and file system. Yet attackers cannot fully perform post-exploitation procedures.
The Cowrie honeypot is a good example.
3. High-Interaction
Usually a virtual machine with intentional vulnerabilities. It is crucial to manage this honeypot well enough; otherwise, adversaries could abuse it as a foothold to compromise other assets.
Deployment Location
1. Internal honeypots
Deployed inside the LAN. This is typically used to monitor a network and hunt threats from the inside.
2. External honeypots
Deployed outside the LAN. This is typically used to monitor from outside of a network. This deployment gives us more data since it is likely to be targeted at all times.
Cowrie Honeypot
The Cowrie honeypot is a low- to medium-interaction emulated shell. We can try to log in via the SSH service.
$ ssh root@10.10.150.41
root@10.10.150.41's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@acmeweb:~# ls
root@acmeweb:~# ls -al
drwx------ 1 root root 4096 2013-04-05 12:25 .
drwxr-xr-x 1 root root 4096 2013-04-05 12:03 ..
drwx------ 1 root root 4096 2013-04-05 11:58 .aptitude
-rw-r--r-- 1 root root 570 2013-04-05 11:52 .bashrc
-rw-r--r-- 1 root root 140 2013-04-05 11:52 .profile
drwx------ 1 root root 4096 2013-04-05 12:05 .ssh
We can basically execute any command on the target system. Yet there are two noticeable things:
- We can't execute any bash script. This is a limitation of a low- and medium-interaction honeypot.
- If we create a file and then log back in, the file is gone.
Cowrie Logs
Cowrie offers an outstanding ability to log all events, tracking every connection and command handled by the system.
To demonstrate the idea, let us inspect a log file.
$ cat cowrie.json | jq '.message'
"New connection: 10.4.1.61:40342 (10.10.150.41:22) [session: b51c7f5d06d4]"
"Remote SSH version: SSH-2.0-OpenSSH_8.4p1 Debian-6"
"SSH client hassh fingerprint: ae8bd7dd09970555aa4c6ed22adbbf56"
"login attempt [root/] succeeded"
"Terminal Size: 190 46"
"request_env: LANG=en_US.UTF-8"
[]
"CMD: ls"
"CMD: ls -al"
"CMD: cat /etc/passwd"
"CMD: su phil"
"CMD: su phila"
"CMD: ls -al"
"CMD: ls /home"
"CMD: uname -a"
"CMD: bash -c 'whoami'"
"CMD: whoami"
"CMD: vi test.sh"
"CMD: nano test.sh"
"CMD: stty"
"CMD: echo \"whoami\" > test.sh"
"CMD: bash test.sh"
"Saved redir contents with SHA-256 33e7267d8409d63707706f95f3d67ee9be5fd3a2c6ffc60856c9baeca1ae3ed4 to var/lib/cowrie/downloads/33e7267d8409d63707706f95f3d67ee9be5fd3a2c6ffc60856c9baeca1ae3ed4"
"Closing TTY Log: var/lib/cowrie/tty/62b86306def6e51672e9dcfb4ced59089ace9c056c0bc9597a0a49d73ae2a40a after 178 seconds"
"Connection lost after 183 seconds"
"New connection: 10.4.1.61:40344 (10.10.150.41:22) [session: 2eae2e2585fe]"
"Remote SSH version: SSH-2.0-OpenSSH_8.4p1 Debian-6"
"SSH client hassh fingerprint: ae8bd7dd09970555aa4c6ed22adbbf56"
"login attempt [root/] succeeded"
"Terminal Size: 190 44"
"request_env: LANG=en_US.UTF-8"
[]
"CMD: ls"
"CMD: ls -al"
"CMD: "
"Closing TTY Log: var/lib/cowrie/tty/7b69298197ba2c2d62ad31598e0b47682e290c71ff6b87f5e00c3f78c77f3876 after 179 seconds"
"Connection lost after 182 seconds"
As we can see, all the system commands are recorded.
Note: we also notice that with external honeypots it is practically impossible to parse the logs using only the CLI. For a better view, it is recommended to combine Cowrie with a logging platform such as the ELK Stack.
Attacks Against SSH
Normally, attacks against the SSH service are done via a famous tool named hydra. Since Cowrie only leaves one SSH service open, it is relatively easy to mitigate the attack.
Defense:
- Strong password.
- Public key authentication.
- Fail2ban
Those are the most ubiquitous ways to effectively mitigate such attacks.
Typical Post Exploitation Activity
Typically, the bot will perform post-exploitation activities such as:
- Check the target's kernel version using uname or nproc. Besides, they will try to read the contents of files such as /etc/issue or /proc/cpuinfo.
As we notice, Cowrie returns an incorrect Debian version when executing the uname -a command, which does not match what /etc/issue reports.
root@acmeweb:~# cat /etc/issue
Ubuntu 18.04.5 LTS \n \l # -> Real
root@acmeweb:~# uname -a
Linux acmeweb 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u1 x86_64 GNU/Linux
- Install malicious software using wget or curl commands. However, as we mentioned, Cowrie prevents bash execution to reduce the risks that a honeypot might take.
- Delete all logs to prevent forensic activities. Cowrie counters that by logging all activities externally.
Identification Techniques
After the target is compromised, bots will execute a series of commands to enumerate the target.
For instance, if we investigate the BotCommands/Sample3.txt file,
...
cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
a highly identifiable public SSH key from the Outlaw group is written into the target system to maintain access.
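Building on the jq listing in the Cowrie Logs section and on the post-exploitation behaviours described above, here is an added example (not part of the TryHackMe room or of Cowrie itself) that parses Cowrie-style JSON events, groups them by session and tags commands that match those behaviours. The field names follow Cowrie's JSON output as I know it; the sample events are constructed (only the session ids and the download hash are taken from this page).

```python
import json
import re
from collections import defaultdict

# Constructed Cowrie-style JSON events, one object per line. Field names
# (eventid, session, src_ip, input, username, password, shasum, duration)
# follow Cowrie's JSON format as I know it; values are made up for this example.
SAMPLE_LOG = r"""
{"eventid":"cowrie.login.success","session":"b51c7f5d06d4","src_ip":"10.4.1.61","username":"root","password":""}
{"eventid":"cowrie.command.input","session":"b51c7f5d06d4","src_ip":"10.4.1.61","input":"uname -a"}
{"eventid":"cowrie.command.input","session":"b51c7f5d06d4","src_ip":"10.4.1.61","input":"cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3Nz_EXAMPLE_KEY mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh"}
{"eventid":"cowrie.command.input","session":"b51c7f5d06d4","src_ip":"10.4.1.61","input":"bash test.sh"}
{"eventid":"cowrie.session.file_download","session":"b51c7f5d06d4","src_ip":"10.4.1.61","shasum":"33e7267d8409d63707706f95f3d67ee9be5fd3a2c6ffc60856c9baeca1ae3ed4"}
{"eventid":"cowrie.session.closed","session":"b51c7f5d06d4","src_ip":"10.4.1.61","duration":183.0}
{"eventid":"cowrie.login.failed","session":"2eae2e2585fe","src_ip":"10.4.1.61","username":"admin","password":"admin123"}
{"eventid":"cowrie.session.closed","session":"2eae2e2585fe","src_ip":"10.4.1.61","duration":3.0}
"""

# Command patterns for the post-exploitation behaviours described on this page.
INDICATORS = {
    "recon_kernel": re.compile(r"\buname\b|\bnproc\b|/etc/issue|/proc/cpuinfo"),
    "payload_fetch": re.compile(r"\b(wget|curl)\b"),
    "script_exec": re.compile(r"\bbash\b"),
    "ssh_persistence": re.compile(r"authorized_keys"),
}


def summarize_sessions(log_text):
    """Group Cowrie JSON events by session id and tag commands matching INDICATORS."""
    sessions = defaultdict(lambda: {"src_ip": None, "logins": [], "commands": [],
                                    "downloads": [], "tags": set(), "duration": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        s = sessions[ev["session"]]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        eid = ev["eventid"]
        if eid in ("cowrie.login.success", "cowrie.login.failed"):
            s["logins"].append((ev["username"], ev["password"], eid.endswith("success")))
        elif eid == "cowrie.command.input":
            s["commands"].append(ev["input"])
            s["tags"].update(tag for tag, pat in INDICATORS.items() if pat.search(ev["input"]))
        elif eid == "cowrie.session.file_download":
            s["downloads"].append(ev["shasum"])
        elif eid == "cowrie.session.closed":
            s["duration"] = ev.get("duration")
    return dict(sessions)
```

Feeding the real cowrie.json to summarize_sessions gives one record per session, so a session that both fetched a payload and wrote authorized_keys stands out immediately instead of being read line by line.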
SSH Tunnelling
By default, Cowrie will log and drop all the SSH tunnelling traffic to the destination. This data is beneficial to detect web attacks.
If we inspect the Tunnelling/Sample1.txt log, we can see that the attacker targets a WordPress website.
$ cat Sample1.txt
2021-03-17T10:09:51.052837Z [SSHChannel cowrie-discarded-direct-tcpip (62) on SSHService b'ssh-connection' on HoneyPotSSHTransport,118939,0.0.0.0] discarded direct-tcp forward request 62 to <A DOMAIN>:80 with data b'POST /xmlrpc.php HTTP/1.1\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nConnection: keep-alive\r\nContent-Length: 201\r\nContent-Type: application/x-www-form-urlencoded\r\nHost: <A DOMAIN>\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.109 Safari/537.36\r\n\r\n<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>admin</value></param><param><value>password11\r</value></param></params></methodCall>
...
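As an added example (not from the room or from Cowrie), here is a parser for discarded direct-tcpip entries of the shape shown above; it recovers the destination host and port and decodes the forwarded HTTP request, including the XML-RPC method name. The log line is constructed with a made-up host; only its format follows the sample.

```python
import ast
import re

# Constructed log line shaped like Cowrie's "discarded direct-tcpip" entries
# (see Tunnelling/Sample1.txt above). Cowrie stores the forwarded bytes as a
# Python bytes repr, so \r\n appears as literal backslash sequences in the file.
SAMPLE_LINE = (
    "2021-03-17T10:09:51.052837Z [SSHChannel cowrie-discarded-direct-tcpip (62) on "
    "SSHService b'ssh-connection' on HoneyPotSSHTransport,118939,0.0.0.0] discarded "
    "direct-tcp forward request 62 to target.example:80 with data "
    "b'POST /xmlrpc.php HTTP/1.1\\r\\nHost: target.example\\r\\n"
    "Content-Type: application/x-www-form-urlencoded\\r\\n\\r\\n"
    '<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>wp.getUsersBlogs'
    "</methodName><params><param><value>admin</value></param>"
    "<param><value>password11\\r</value></param></params></methodCall>'"
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[SSHChannel cowrie-discarded-direct-tcpip \((?P<chan>\d+)\).*?\] "
    r"discarded direct-tcp forward request \d+ to (?P<host>[^:\s]+):(?P<port>\d+) "
    r"with data (?P<data>b'.*')$"
)


def parse_discarded_forward(line):
    """Return destination and decoded HTTP request for one discarded-forward entry.

    None for lines of another shape; method/path are None if the payload is not HTTP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    payload = ast.literal_eval(m.group("data"))  # repr(bytes) -> real bytes
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.decode("latin-1").split(" ", 2)
    is_http = len(parts) == 3 and parts[2].startswith("HTTP/")
    headers = dict(h.decode("latin-1").split(": ", 1) for h in header_lines if b": " in h)
    xmlrpc = re.search(rb"<methodName>([^<]+)</methodName>", body)
    return {
        "timestamp": m.group("ts"),
        "dst_host": m.group("host"),
        "dst_port": int(m.group("port")),
        "method": parts[0] if is_http else None,
        "path": parts[1] if is_http else None,
        "headers": headers,
        "xmlrpc_method": xmlrpc.group(1).decode("latin-1") if xmlrpc else None,
        "body_bytes": len(body),
    }
```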
Conclusion
To conclude, the Cowrie honeypot is a great example of how attackers' artifacts are collected for digital forensics. Yet we need to be very careful, given the potential risks if it is not properly configured.