Kippos Cousin Cowrie

Published: 2016-04-27
Last Updated: 2016-04-27 02:03:51 UTC
by Tom Webb (Version: 1)
0 comment(s)

We have mentioned Kippo a lot on the site, but a nice fork is a program called cowrie. (hxxps://github.com/micheloosterhof/cowrie). It has some nice new features including built-in support for Dshield! Since the install is the same as Kippo, I’ll skip that and point you to cowrie install guide for the basics (hxxps://github.com/micheloosterhof/cowrie/blob/master/INSTALL.md).

 

Dshield Setup

To setup Dshield logs on Ubuntu, you’ll need one additional python plugin installed.

>sudo apt-get install python-dateutil

 

Then we need to enable the Dshield portion. You need to remove ‘#’ from the part starting with the plugin name. You’ll also need your account info.  Once logged into ISC, go to My Accounts -> My reports.  Select Update info and you’ll see your  auth_key.

 

>vi /home/cowrie/cowrie.cfg

 

[output_dshield]

userid = 0123456789

auth_key = mysuperawesomekeycode

batch_size = 100

 

Once you have this setup, switch to the cowrie user and restart the service.To troubleshoot setup issues, look in /home/cowrie/log/cowrie.log

 

>fgrep dshield /home/cowrie/cowrie.log

 

2016-04-27 00:46:26+0000 [-] Loaded output engine: dshield


 

AppArmor Setup

 

To protect the OS, it's good to put some additional security controls around it.  My honeypot is running on Ubuntu, so I chose apparmor. You can access my cowrie profile on my github at hxxps://goo.gl/6F5FdG.  While I could lock it down a bit more, it seems to work well.

 

Once you downloaded the file, you need to copy it to the AppArmor folder.  (NOTE: If you did not install cowrie in the /home/cowrie folder you must rename the profile to the appropriate folder.)

>sudo cp /home/user/download/home.cowrie.start.sh /etc/apparmor.d/

 

Now place the service into enforcement mode.

>sudo aa-enforce /etc/apparmor.d/home.cowrie.start.sh

 

Now restart the cowrie service. Then check to see if it's being protected.

>aa-status

 

apparmor module is loaded.

5 profiles are loaded.

5 profiles are in enforce mode.

  /home/cowrie/start.sh

  /sbin/dhclient

  /usr/lib/NetworkManager/nm-dhcp-client.action

  /usr/lib/connman/scripts/dhclient-script

  /usr/sbin/tcpdump

0 profiles are in complain mode.

2 processes have profiles defined.

2 processes are in enforce mode.

  /home/cowrie/start.sh (25592)

  /sbin/dhclient (658)

0 processes are in complain mode.

0 processes are unconfined but have a profile defined.

 

To get a better understanding of what the actual profile is allowing check out hxxp://wiki.apparmor.net/index.php/QuickProfileLanguage.



 

Sqlite3 Setup

I run my honeypots on very lean VMs (512mb RAM), so they will not run with MYSQL on them, but to get similar power cowrie has support for sqlite3!

 

Create database

>cd /home/cowrie

>sqlite3 cowrie.db

sqlite>.read /home/cowrie/doc/sql/sqlite3.sql

 

In cowrie.cfg

>vi /home/cowrie/cowrie.cfg

 

[output_sqlite]

db_file = /home/cowrie/cowrie.db

 

Once you have restarted the service, everything should be ready to go. If you are new to SQLite a few useful commands to get you started are below.

 

>sqlite3 .schema

>sqlite3 .tables

>sqlite3 .quit

 

To access the database and get querying.

 

>sqlite3 /home/cowrie/cowrie.db


 

Query to see all connected sessions.

sqlite>select * from sessions;

 

80ec8485|2016-04-21T19:50:00.662184Z|2016-04-21T19:50:52.884641Z|0|1.1.1.1|59x231|1

 

To see what user/password combinations were used.

sqlite> select * from auth;

 

1|80ec8485|1|root|toor|2016-04-21T19:50:05.887822Z


 

To see what commands the attacker ran at the command prompt.

sqlite> select * from input;

 

1|80ec8485|2016-04-21T19:50:10.746605Z||1|ps -ef

2|80ec8485|2016-04-21T19:50:11.807890Z||1|ls

3|80ec8485|2016-04-21T19:50:13.832965Z||1|cat /tmp

4|80ec8485|2016-04-21T19:50:45.056651Z||1|wget https://github.com/micheloosterhof/cowrie/archive/master.zip

5|80ec8485|2016-04-21T19:50:52.558221Z||1|exit


 

I’ve enjoyed using cowrie on my latest setup with sqlite3.  Its been solid over the last week and have not ran into any issues.  

 

--

Tom Webb

 

0 comment(s)
ISC Stormcast For Wednesday, April 27th 2016 http://isc.sans.edu/podcastdetail.html?id=4971

Comments


Diary Archives