HoldMyBeer

 

Kippo is typically the go to application for information security researchers looking to set up an SSH honeypot. Likewise the Cowire honeypot is forked from the Kippo project. I personally believe that Cowire is better than Kippo and has fixed some common issues within Kippo. Below I go through a simple instillation of Cowire on Ubuntu 14.04. Within the coming posts I will show some of the common ways attackers detect a Cowire/Kippo instance, and its short comings. Please keep in mind that I mean no disrespect to the developers of the Kippo honeypot! They have provided the most used honeypot on the internet today and have truly done a remarkable job.

Cowire vs Kippo SSH Honeypot

Metasploit Module

The Metasploit Framework within Kali Linux has an auxiliary module for detecting Kippo honeypots. Fortunately for us Cowire isn’t easily detected as a honeypot by this metasploit module. Below I deminstrate the use of the  metasploit module “auxilliary/scanner/ssh/detect_kippo” to detect Kippo and show Cowire is undetected.

Kippo

Cowire

 

Default credentials

Most SSH scanners will look for honeypots accepting root as a username and 123456 as a password. That combination is the default username and password combination for Kippo. Bots built with some intelligence should ignore boxes that allow this combination because it’s likely a honeypot. Cowire accepts everything but 123456 for a password.

 

Cowire is impressively smart on how it handles authentication, at least in my opinion. First, it has your basic text file(database) with username and password combinations like Kippo. The user/pass database has the ability to use *(all) and !(not). Down below I have an example of how to use the user/pass database effectively. Please keep in mind Cowire will use combinations from the top down. The user/pass database has a structure for combinations the follows “<usernname>:<user ID>:<password>”. The first entry will deny any authentication attempt using root as the username and root as the password. The third entry will accept any authentication attempt using testuser as the username, password123 as the password, and login the user with the user ID of 500. The fourth entry will accept any authentication attempt using root as the username and a password not denied by the first two entries.

But what if don’t want to predefine username and password combinations? Cowire comes built-in with the ability to allow authentication after a certain number of attempts. Within the the cowire.cfg file you can set a range like from 2 to 10 and then Cowire will pick a random number. After that random number of login attempts Cowire will accept any username and password combination. This can be really effective when you are more interested in collecting username and password combinations.

 

Shell Session

Some issues with Kippo is how it handles established sessions made to the honeypot. For example when you exit the Kippo honeypot you are left in a trapped shell. Reason being is Kippo doesn’t send the client an exit status so the client is effectively trapped in a shell that is unusable. As of the writing of this blog post on September 12th 2016 this is still an issue in Kippo. Cowire has taken the liberty of sending the client an exit code of 0 which means a successful disconnect. Please keep in mind if there is an error Cowire will still send an exit code of 0.

 

Not honeypot is perfect

In the security industry we always saying how time is never on our side. The hackers may not an entry point into a system but with enough time and resources they will find a way in or around your defenses. This same principle applies to honeypots and how attackers will detect honeypots. Honeypots emulate a system or service so there is always a tell to show it’s not the real thing. The most important part of honeypot is to keep your attacker in the honeypot as long as you can. The longer your attacker is in your honeypot the more you learn about their tactics or what they want.

 

Install/Setup Cowire

Setup OpenSSH

1. sudo apt-get update
2. sudo apt-get install git
3. sudo vim /etc/ssh/sshd_config
   1. Set “Port 22” to “Port <x>”
   2. save,exit
4. sudo service ssh restart

 

Install Cowire

1. sudo apt-get -y install python-twisted python-crypto python-pyasn1 python-gmpy2 python-zope.interface python-dev openssl python-openssl git python-pip
2. sudo useradd -d /home/cowrie -s /bin/bash -m cowrie -g users
3. cd /opt
4. git clone https://github.com/micheloosterhof/cowrie.git cowrie
5. cd cowrie
6. pip install -r requirements.txt
7. chown -R cowrie:users /opt/cowrie/

 

Install/Setup Authbind

1. sudo apt-get install authbind
2. touch /etc/authbind/byport/22
3. chown cowire /etc/authbind/byport/22
4. chmod 777 /etc/authbind/byport/22

 

Install/Setup supervisor

1. sudo apt-get install supervisor
2. sudo vim /etc/supervisor/conf.d/cowrie.conf
   1. add:
      [program:cowrie]
command=authbind --deep twistd -l log/cowrie.log --umask 0077 --pidfile cowrie.pid --nodaemon cowrie
directory=/opt/cowrie
stdout_logfile=/opt/cowrie/log/cowrie.out
stderr_logfile=/opt/cowrie/log/cowrie.err
autostart=true
autorestart=true
stopasgroup=true
killasgroup=true
user=cowrie

   2. save,exit
3. supervisorctl update

 

Cowire Features

Quick list of features

• Supports SFTP and SCP uploads.
• Provides support for TCP/IP tunneling.
• SSH fingerprint logging
• JSON logging
• ELK stack integration
• Better support for common linux commands
  • “ls” lists all entries in alphabetical order.
  • “wget” can download data using ports other than 80.

• Supports SFTP and SCP uploads.
• Provides support for TCP/IP tunneling.
• SSH fingerprint logging
• JSON logging
• ELK stack integration
• Better support for common linux commands
  • “ls” lists all entries in alphabetical order.
  • “wget” can download data using ports other than 80.

Downloads Folder

The dl(downloads) folder located at /opt/cowire/dl shows all files that are downloaded by attackers. An attacker will often use the  wget or curl command to pull download their malicious script or binary. The download folder will also save uploads by SCP or SFTP.

 

TTY logs

This is actually really fun to watch and play. Each session initiated by an attacker is logged to a TTY log file. These TTY log files are located at opt/cowire/log/ttyt. Using this command “./opt/cowire/bin/playlog  /opt/cowire/log/tty/<tty log>” you can “watch” the attacker interact with your honeypot in real time. It’s really funny when the attacker doesn’t know they are in a honeypot and they pull down a private key to log into another box via SSH. Yes, I have caught someone doing this on my server :).

 

Textcmds

This folder contains terminal commands that print information about the system. For instance an example is “df”. The first photo is showing me cating the output of the command df. The second photo is me “running” the command df, as you can see the text is that same. The text in df can be changed to reflect the current system or a system you choose.

 

honeyfs

Honeyfs actually emulates sections of a linux filesystem. Specifically it emulates the /etc and /proc directories on linux. The /etc for configuration files and /proc for the process directory on linux. Files can be added to these directories to show up in a honeypot session to an attacker.

 

cowire.cfg

This is the configuration file for settings on a Cowire honeypot. The followings settings can be set such as hostname, log file location, download location(wget, curl, etc), honeyfs to use, SSH Version, enabling telnet, mysql database to send data to, and VirusTotal integration.