Kippo's Cousin Cowrie

Published: 2016-04-27
Last Updated: 2016-04-27 02:03:51 UTC
by Tom Webb (Version: 1)

We have mentioned Kippo a lot on the site, but a nice fork of it is a program called cowrie (hxxps://github.com/micheloosterhof/cowrie). It has some nice new features, including built-in support for Dshield! Since the install is the same as Kippo's, I'll skip that and point you to the cowrie install guide for the basics (hxxps://github.com/micheloosterhof/cowrie/blob/master/INSTALL.md).

 

Dshield Setup

To set up Dshield logging on Ubuntu, you'll need one additional Python package installed.

>sudo apt-get install python-dateutil

 

Then we need to enable the Dshield output plugin. Remove the '#' from the lines of the section starting with the plugin name. You'll also need your account info: once logged into ISC, go to My Account -> My Reports, select Update Info, and you'll see your auth_key.

 

>vi /home/cowrie/cowrie.cfg

 

[output_dshield]

userid = 0123456789

auth_key = mysuperawesomekeycode

batch_size = 100

 

Once you have this set up, switch to the cowrie user and restart the service. To troubleshoot setup issues, look in /home/cowrie/log/cowrie.log:

 

>fgrep dshield /home/cowrie/cowrie.log

 

2016-04-27 00:46:26+0000 [-] Loaded output engine: dshield


 

AppArmor Setup

 

To protect the OS, it's good to put some additional security controls around the honeypot. My honeypot is running on Ubuntu, so I chose AppArmor. You can get my cowrie profile from my GitHub at hxxps://goo.gl/6F5FdG. While I could lock it down a bit more, it seems to work well.

 

Once you have downloaded the file, copy it to the AppArmor directory. (NOTE: if you did not install cowrie in /home/cowrie, you must rename the profile to match the directory you actually used.)

>sudo cp /home/user/download/home.cowrie.start.sh /etc/apparmor.d/

 

Now put the profile into enforce mode.

>sudo aa-enforce /etc/apparmor.d/home.cowrie.start.sh

 

Now restart the cowrie service, then check that it is being confined:

>aa-status

 

apparmor module is loaded.

5 profiles are loaded.

5 profiles are in enforce mode.

  /home/cowrie/start.sh

  /sbin/dhclient

  /usr/lib/NetworkManager/nm-dhcp-client.action

  /usr/lib/connman/scripts/dhclient-script

  /usr/sbin/tcpdump

0 profiles are in complain mode.

2 processes have profiles defined.

2 processes are in enforce mode.

  /home/cowrie/start.sh (25592)

  /sbin/dhclient (658)

0 processes are in complain mode.

0 processes are unconfined but have a profile defined.

 

To get a better understanding of what the actual profile is allowing check out hxxp://wiki.apparmor.net/index.php/QuickProfileLanguage.



 

Sqlite3 Setup

I run my honeypots on very lean VMs (512 MB RAM), so they cannot run MySQL, but to get similar query power cowrie has support for SQLite3!

 

Create database

>cd /home/cowrie

>sqlite3 cowrie.db

sqlite>.read /home/cowrie/doc/sql/sqlite3.sql

 

Then add the following section to cowrie.cfg:

>vi /home/cowrie/cowrie.cfg

 

[output_sqlite]

db_file = /home/cowrie/cowrie.db

 

Once you have restarted the service, everything should be ready to go. If you are new to SQLite, a few useful shell commands to get you started are below (they are typed at the sqlite> prompt, not on the OS command line).

 

sqlite> .schema

sqlite> .tables

sqlite> .quit

 

To open the database and start querying:

 

>sqlite3 /home/cowrie/cowrie.db


 

Query to see all sessions that connected:

sqlite> select * from sessions;

 

80ec8485|2016-04-21T19:50:00.662184Z|2016-04-21T19:50:52.884641Z|0|1.1.1.1|59x231|1

 

To see what user/password combinations were used:

sqlite> select * from auth;

 

1|80ec8485|1|root|toor|2016-04-21T19:50:05.887822Z


 

To see what commands the attacker ran at the command prompt:

sqlite> select * from input;

 

1|80ec8485|2016-04-21T19:50:10.746605Z||1|ps -ef

2|80ec8485|2016-04-21T19:50:11.807890Z||1|ls

3|80ec8485|2016-04-21T19:50:13.832965Z||1|cat /tmp

4|80ec8485|2016-04-21T19:50:45.056651Z||1|wget https://github.com/micheloosterhof/cowrie/archive/master.zip

5|80ec8485|2016-04-21T19:50:52.558221Z||1|exit
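The three queries above each look at one table on its own. The following Python script, an added example that is not from the diary or the cowrie project, joins the tables to rank the credentials that were tried and to tie each typed command back to the source IP and the login that succeeded. It builds an in-memory copy of the three tables from constructed sample rows (the column names are assumptions based on the output rows shown above), so it runs offline; pass `sqlite3.connect("/home/cowrie/cowrie.db")` to the two query functions to run them against the live database instead.

```python
import sqlite3

# Constructed sample data. Column order follows the rows the diary shows for
# sessions, auth and input; the column names themselves are assumptions.
SCHEMA = """
CREATE TABLE sessions (id TEXT PRIMARY KEY, starttime TEXT, endtime TEXT,
                       sensor INTEGER, ip TEXT, termsize TEXT, client INTEGER);
CREATE TABLE auth (id INTEGER PRIMARY KEY, session TEXT, success INTEGER,
                   username TEXT, password TEXT, timestamp TEXT);
CREATE TABLE input (id INTEGER PRIMARY KEY, session TEXT, timestamp TEXT,
                    realm TEXT, success INTEGER, input TEXT);
"""
SAMPLE_SESSIONS = [  # constructed rows; the second IP is a documentation address
    ("80ec8485", "2016-04-21T19:50:00Z", "2016-04-21T19:50:52Z", 0, "1.1.1.1", "59x231", 1),
    ("a1b2c3d4", "2016-04-22T03:10:00Z", "2016-04-22T03:10:09Z", 0, "192.0.2.5", "80x24", 1),
]
SAMPLE_AUTH = [  # success=1 marks the login attempt that let the attacker in
    (1, "80ec8485", 1, "root", "toor", "2016-04-21T19:50:05Z"),
    (2, "a1b2c3d4", 0, "root", "123456", "2016-04-22T03:10:02Z"),
    (3, "a1b2c3d4", 0, "admin", "admin", "2016-04-22T03:10:05Z"),
    (4, "a1b2c3d4", 1, "root", "123456", "2016-04-22T03:10:07Z"),
]
SAMPLE_INPUT = [  # only the first session typed anything before leaving
    (1, "80ec8485", "2016-04-21T19:50:10Z", "", 1, "ps -ef"),
    (2, "80ec8485", "2016-04-21T19:50:45Z", "", 1, "wget https://example.invalid/master.zip"),
]

def load_sample_db(path=":memory:"):
    """Create the three tables and load the sample rows so the queries run offline."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sessions VALUES (?,?,?,?,?,?,?)", SAMPLE_SESSIONS)
    conn.executemany("INSERT INTO auth VALUES (?,?,?,?,?,?)", SAMPLE_AUTH)
    conn.executemany("INSERT INTO input VALUES (?,?,?,?,?,?)", SAMPLE_INPUT)
    return conn

def top_credentials(conn, limit=10):
    """Username/password pairs ranked by how often they were tried, successful or not."""
    return conn.execute(
        "SELECT username, password, COUNT(*) AS n FROM auth "
        "GROUP BY username, password ORDER BY n DESC, username, password LIMIT ?",
        (limit,)).fetchall()

def commands_by_session(conn):
    """Each typed command with the source IP and the credential that got the attacker in."""
    return conn.execute(
        "SELECT s.ip, a.username, a.password, i.input FROM sessions s "
        "JOIN auth a ON a.session = s.id AND a.success = 1 "
        "JOIN input i ON i.session = s.id ORDER BY i.timestamp, i.id").fetchall()
```

Sessions that logged in but never typed a command (the second sample session) drop out of commands_by_session because of the inner join on input, which is usually what you want when looking for hands-on activity.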


 

I've enjoyed using cowrie on my latest setup with sqlite3. It's been solid over the last week and I have not run into any issues.

 

--

Tom Webb

 
