SSH Honeypots (Ab)used as Proxy

Published: 2016-03-13
Last Updated: 2016-03-14 08:23:10 UTC
by Xavier Mertens (Version: 1)
10 comment(s)

I’m operating a small group of SSH honeypots (located in Belgium, Canada & France) and I’m of course keeping an eye on them every day. Collected data are sent to DShield and to my Splunk instance. A small reminder: if you’ve a spare Raspberry Pi lying around, why not deploy a honeypot and help us collect more data? Johannes posted a script to automate the setup and is looking for beta testers!
Cowrie is a wonderful honeypot. Not only does it track login attempts but, once the attacker has successfully logged in, it also simulates a real server with a fake file system and commands. It can also simulate "Direct-TCP" requests. This is a nice feature offered by SSH servers that allows a user to create TCP sessions inside the SSH tunnel. This feature is called "Port Forwarding". It is used by many people who need to access a service not directly reachable from their current location. Example: you have a web interface to manage an appliance that is not reachable, but you have an SSH server in the same subnet. Just do this: (The appliance is, the SSH server is
$ ssh -L 8443: user@
Then point your browser to
More interesting: To surf the web anonymously, you can use dynamic port forwarding with the '-D' flag:
$ ssh -D 8080 user@
Then, configure your browser to use as a SOCKS proxy and you will surf the web with a source IP address of
Note: This feature is enabled by default in OpenSSH and can be disabled by adding 'AllowTcpForwarding No' to your sshd_config. With SSHv2, you can also restrict this feature to specific users or groups.
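As an added example (not from the diary and not OpenSSH's own code), here is a small Python checker that resolves which AllowTcpForwarding value applies to a given user, first for a config that leaves the default in place and then for a hardened one that denies forwarding globally and re-enables it only for members of a group named 'sshtunnel' (a hypothetical name) through a Match block. It models OpenSSH's keyword rule in simplified form: the first satisfied Match block that sets the keyword wins, otherwise the first global setting, otherwise the compiled-in default of yes; only the User and Group criteria are handled.

```python
import fnmatch

# Constructed sample configs (not taken from the diary). The first one never
# sets AllowTcpForwarding, so OpenSSH's default (yes) applies to everyone.
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin no
# AllowTcpForwarding is not set, so the default (yes) applies
"""

# Hardened: forwarding is denied globally and re-enabled only for one group.
# 'sshtunnel' is a hypothetical group name chosen for this example.
HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin no
AllowTcpForwarding no

Match Group sshtunnel
    AllowTcpForwarding yes
"""


def _parse(config_text):
    """Split sshd_config into the global section and an ordered list of Match blocks."""
    global_kv = []     # (keyword, value) pairs in file order, before any Match
    match_blocks = []  # (criteria dict, [(keyword, value), ...]) in file order
    current = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            # "Match Group a,b User c" -> {"group": ["a", "b"], "user": ["c"]}
            tokens = value.split()
            criteria = {tokens[i].lower(): tokens[i + 1].split(",")
                        for i in range(0, len(tokens) - 1, 2)}
            current = (criteria, [])
            match_blocks.append(current)
        elif current is None:
            global_kv.append((keyword, value))
        else:
            current[1].append((keyword, value))
    return global_kv, match_blocks


def _satisfied(criteria, user, groups):
    """True when every criterion of a Match block holds for this user (User/Group only)."""
    for crit, patterns in criteria.items():
        if crit == "user":
            if not any(fnmatch.fnmatchcase(user, p) for p in patterns):
                return False
        elif crit == "group":
            if not any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns):
                return False
        else:
            return False  # Address, Host, LocalPort etc. are not modelled here
    return True


def effective_tcp_forwarding(config_text, user, groups=()):
    """Return the AllowTcpForwarding value that applies to `user` (a member of `groups`).

    Simplified OpenSSH rule: the keyword from the first satisfied Match block that
    sets it wins; otherwise the first global occurrence; otherwise the default 'yes'.
    """
    global_kv, match_blocks = _parse(config_text)
    for criteria, kv in match_blocks:
        if _satisfied(criteria, user, groups):
            for k, v in kv:
                if k == "allowtcpforwarding":
                    return v.lower()
    for k, v in global_kv:
        if k == "allowtcpforwarding":
            return v.lower()
    return "yes"


def forwarding_allowed(config_text, user, groups=()):
    """False only when the effective value is 'no' (yes/all/local/remote all permit something)."""
    return effective_tcp_forwarding(config_text, user, groups) != "no"


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, "alice(users):", effective_tcp_forwarding(cfg, "alice", ("users",)))
        print(name, "bob(sshtunnel):", effective_tcp_forwarding(cfg, "bob", ("users", "sshtunnel")))
```

Running it prints yes for both users under the weak config and no/yes under the hardened one. The checker is a reading aid, not a substitute for `sshd -T -C user=alice`, which asks the real daemon for the effective settings.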
If it's so easy and useful for good people, you can imagine that it's even more interesting for attackers, who can use it to hide their IP address. A few days ago, I detected an unusual amount of events generated by some of my honeypots. Looking at my honeypots, there was a huge increase of “Direct-TCP” requests over the past 7 days:
Event                      Hits
(event name not recovered) 24242
(event name not recovered) 22967
(event name not recovered) 15130
cowrie.log.closed          14679
cowrie.session.connect     13882
cowrie.session.closed      13877
cowrie.command.success     11563
cowrie.client.version       9019
cowrie.login.success        8652
cowrie.command.failed       3948
A closer look at the "Direct-TCP" requests shows a clear peak of activity over the last days:
The most affected honeypots are the ones located in France (Paris) and Canada (Ontario). The top attackers were located in the following countries:
Country         Hits
Germany        22405
Russia          1295
United States    267
Argentina         76
France            51
Switzerland       35
Netherlands       26
Ukraine           20
India             16
Iran              16
Germany came in first place with just two distinct IP addresses. And what about the destinations? Here is the top-10:
The attackers tried to use the honeypot mainly for mail and web traffic, based on this top-10 destination ports:
TCP Port   Hits
80        31431
25         1428
587         383
443         271
465         160
110          30
143          13
1101          4
1102          4
89            1
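The event counts and the destination-port table above come from the honeypot logs. As an added example (not the diary's own tooling, nor part of Cowrie), the Python below aggregates direct-TCP requests from Cowrie-style JSON log lines: requests per source IP, per destination port and per sensor, the destinations reached from more than one source (the pattern the relation graph further down shows), and the sources that exceed a request threshold. The log lines are constructed for this example, and the event name cowrie.direct-tcpip.request and the field names src_ip, dst_ip, dst_port and sensor are assumed from Cowrie's JSON output rather than taken from the diary.

```python
import json
from collections import Counter, defaultdict

# Constructed sample lines in the shape of Cowrie's JSON log (field names assumed).
# Addresses are from the RFC 5737 documentation ranges; one line is deliberately
# malformed to show that the parser skips it instead of aborting.
SAMPLE_COWRIE_LOG = """
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.10", "session": "s1", "sensor": "hp-paris", "timestamp": "2016-03-10T08:00:01Z"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.10", "username": "root", "session": "s1", "sensor": "hp-paris", "timestamp": "2016-03-10T08:00:03Z"}
{"eventid": "cowrie.direct-tcpip.request", "src_ip": "203.0.113.10", "dst_ip": "198.51.100.20", "dst_port": 80, "session": "s1", "sensor": "hp-paris", "timestamp": "2016-03-10T08:00:04Z"}
{"eventid": "cowrie.direct-tcpip.request", "src_ip": "203.0.113.10", "dst_ip": "198.51.100.30", "dst_port": 25, "session": "s1", "sensor": "hp-paris", "timestamp": "2016-03-10T08:00:05Z"}
{"eventid": "cowrie.direct-tcpip.request", "src_ip": "203.0.113.10", "dst_ip": "198.51.100.20", "dst_port": 80, "session": "s1", "sensor": "hp-paris", "timestamp": "2016-03-10T08:00:06Z"}
{"eventid": "cowrie.session.closed", "src_ip": "203.0.113.10", "session": "s1", "sensor": "hp-paris", "timestamp": "2016-03-10T08:00:07Z"}
{"eventid": "cowrie.direct-tcpip.request", "src_ip": "203.0.113.11", "dst_ip": "198.51.100.20", "dst_port": 80, "session": "s2", "sensor": "hp-ontario", "timestamp": "2016-03-10T08:01:00Z"}
{"eventid": "cowrie.direct-tcpip.request", "src_ip": "203.0.113.11", "dst_ip": "198.51.100.40", "dst_port": 587, "session": "s2", "sensor": "hp-ontario", "timestamp": "2016-03-10T08:01:02Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.12", "username": "admin", "session": "s3", "sensor": "hp-brussels", "timestamp": "2016-03-10T08:02:00Z"}
this line is not JSON and is skipped
"""

DIRECT_TCP_EVENT = "cowrie.direct-tcpip.request"   # assumed Cowrie event id


def parse_cowrie_events(text):
    """Yield one parsed event per JSON line, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarize_direct_tcp(text):
    """Aggregate forwarding requests by source, destination port, sensor and destination."""
    by_src = Counter()
    by_port = Counter()
    by_sensor = Counter()
    sources_per_dst = defaultdict(set)
    for ev in parse_cowrie_events(text):
        if ev.get("eventid") != DIRECT_TCP_EVENT:
            continue
        src, dst, port = ev.get("src_ip"), ev.get("dst_ip"), ev.get("dst_port")
        by_src[src] += 1
        by_port[port] += 1
        by_sensor[ev.get("sensor")] += 1
        sources_per_dst[dst].add(src)
    return {
        "by_src": by_src,
        "by_port": by_port,
        "by_sensor": by_sensor,
        # destinations that several distinct attackers tried to reach through the honeypots
        "multi_source_destinations": sorted(
            d for d, srcs in sources_per_dst.items() if len(srcs) > 1),
    }


def flag_proxy_abuse(summary, threshold=3):
    """Sources that issued at least `threshold` forwarding requests, most active first."""
    return [src for src, n in summary["by_src"].most_common() if n >= threshold]


if __name__ == "__main__":
    summary = summarize_direct_tcp(SAMPLE_COWRIE_LOG)
    print("requests per destination port:", summary["by_port"].most_common())
    print("requests per sensor:", summary["by_sensor"].most_common())
    print("destinations reached from several sources:", summary["multi_source_destinations"])
    print("sources to investigate:", flag_proxy_abuse(summary))
```

Pointed at a real Cowrie JSON log (one event per line), the same three functions produce the per-port and per-source breakdowns shown in the tables above; the threshold is deliberately a parameter, since a legitimate user tunnelling to one host and an attacker proxying thousands of web requests sit at very different counts.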

If we analyze the relations between the honeypots, sources and destinations, we see that some destinations (blue) were targeted by more than one attacker (green) connected on different honeypots (red):

About the web traffic, the top destinations were:
  • (an ads tag management system)

Some people trying to abuse those services? Feel free to share your findings if you also detected such kind of activity!

To conclude: attackers are not only scanning the Internet to find vulnerable hosts and turn them into bots. They are also looking for ways to hide themselves in order to perform (maybe) more complex or dangerous attacks.

And keep in mind that if you allow users to SSH to systems that can access the Internet, they can be used as a solution to bypass classic controls in place!

Xavier Mertens
ISC Handler - Freelance Security Consultant


A Look at the Mandiant M-Trends 2016 Report

Published: 2016-03-13
Last Updated: 2016-03-13 18:28:03 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

Mandiant released their 2016 threat report last month and highlighted some interesting trends: more breaches were made public, and the location and motive of attackers were more diversified. Handlers have posted diaries over the past week on various threats: attempts to exploit MacOS [2], phishing campaigns [3] and exploit kits [4], to name a few, none of which is really anything new. The attacks are now more "in your face", going after mainstream applications and mobile devices and encrypting files for money.

The report also contains some interesting statistics: "The median number of days an organization was compromised in 2015 before the organization discovered the breach (or was notified about the breach) was 146."[1] That is a long time, almost 5 months before a breach is discovered. One of the new trends has been an increase in users held to ransom with critical files encrypted by Cryptolocker [5], loss of personal information, or the exploitation of network gear [6].

The report ends on an upbeat tone, highlighting the fact that security teams are getting better at detecting and combating attacks by malicious actors. The median time to detect a system compromise has been steadily declining; however, there is still a lot of work to do to detect and remediate attacks much sooner. What do you think a reasonable time should be? Hours, days, or less than a month?


Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
