My next class:
Network Monitoring and Threat Detection In-Depth, Singapore, Nov 18th - Nov 23rd 2024

What did I say to make you stop talking to me?

Published: 2024-01-30. Last Updated: 2024-01-30 15:37:38 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

We use Cowrie to emulate an SSH and Telnet server for our honeypots. Cowrie is great software maintained by Michel Oosterhof [1]. The honeypot is a reasonable emulation of such a server, easy to maintain, and very feature-rich for even more advanced analysis. We only use it in its simplest form for our DShield sensor.

Attackers are interested in detecting honeypots, and over the years we have seen various ways to do so. So far, we have not done much to prevent this: we randomize some of the parameters, but overall we just run a "stock" Cowrie install. There is, however, a relatively easy method to find out what gave the honeypot away after the attacker connected.

Most attackers will disconnect immediately after they realize they have found a honeypot. So, as a simple method, you just find out what the last command was that an attacker executed before disconnecting. I just did this for some of our larger honeypots, investigating about 10 million Cowrie sessions. By far the most common "last command" was:

/bin/busybox cat /proc/self/exe || cat /proc/self/exe

On my "stock" Cowrie honeypot, the output is:

#  /bin/busybox cat /proc/self/exe || cat /proc/self/exe
cat: /proc/self/exe: No such file or directory
cat: /proc/self/exe: No such file or directory

On a normal Linux system, by contrast, this returns the binary of the current process, which would be bash or whatever shell is running. The detail that matters here is that the file exists at all. Luckily, Cowrie's customizable honeypot filesystem makes this easy to fix.
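To show how the "last command per session" tally above can be produced, here is an added example (not code from the original diary or from the Cowrie project). It reads Cowrie's JSON log (cowrie.json), keeps the last cowrie.command.input per session, and ranks those commands; the event and field names (eventid, session, input) are taken from Cowrie's JSON output as I know it, and the sample log lines are constructed for the example. Sessions that were never closed are excluded by default, since their "last" command may not be the last one yet.

```python
import json
from collections import Counter

# Constructed sample of Cowrie JSON log lines. Field names follow Cowrie's
# JSON output as assumed here (eventid, session, input, timestamp); the
# session ids, IPs and timestamps are made up. Session d4 never closes.
SAMPLE_LOG = """
{"eventid":"cowrie.command.input","session":"a1","src_ip":"198.51.100.7","input":"uname -a","timestamp":"2024-01-30T10:00:01Z"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"198.51.100.7","input":"/bin/busybox cat /proc/self/exe || cat /proc/self/exe","timestamp":"2024-01-30T10:00:02Z"}
{"eventid":"cowrie.session.closed","session":"a1","src_ip":"198.51.100.7","timestamp":"2024-01-30T10:00:03Z"}
{"eventid":"cowrie.command.input","session":"b2","src_ip":"203.0.113.9","input":"which ls","timestamp":"2024-01-30T10:05:01Z"}
{"eventid":"cowrie.session.closed","session":"b2","src_ip":"203.0.113.9","timestamp":"2024-01-30T10:05:02Z"}
{"eventid":"cowrie.command.input","session":"c3","src_ip":"198.51.100.7","input":"cd /tmp","timestamp":"2024-01-30T10:09:01Z"}
{"eventid":"cowrie.command.input","session":"c3","src_ip":"198.51.100.7","input":"/bin/busybox cat /proc/self/exe || cat /proc/self/exe","timestamp":"2024-01-30T10:09:02Z"}
{"eventid":"cowrie.session.closed","session":"c3","src_ip":"198.51.100.7","timestamp":"2024-01-30T10:09:03Z"}
{"eventid":"cowrie.command.input","session":"d4","src_ip":"192.0.2.5","input":"openssl passwd -1 zwMUEG67","timestamp":"2024-01-30T10:12:01Z"}
"""


def last_commands(lines, closed_only=True):
    """Map each session id to the last command typed in it.

    Only cowrie.command.input events count; with closed_only, sessions that
    never logged cowrie.session.closed are dropped (their last command is
    not final yet, and a disconnect is the signal we are looking for).
    """
    last, closed = {}, set()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or corrupt line: skip it
        sid = ev.get("session")
        if ev.get("eventid") == "cowrie.command.input" and sid:
            last[sid] = ev.get("input", "").strip()
        elif ev.get("eventid") == "cowrie.session.closed" and sid:
            closed.add(sid)
    if closed_only:
        last = {s: c for s, c in last.items() if s in closed}
    return last


def rank_last_commands(lines, closed_only=True, top=10):
    """Return the most common last commands as (command, count) pairs."""
    return Counter(last_commands(lines, closed_only).values()).most_common(top)


if __name__ == "__main__":
    for cmd, n in rank_last_commands(SAMPLE_LOG.splitlines()):
        print(f"{n:6d}  {cmd}")
```

On a real sensor, feed it the lines of cowrie.json (or several rotated files concatenated) instead of SAMPLE_LOG; the ranking is what points at the command that gave the honeypot away.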

There are a few other commands that are commonly the "last used" command:

which ls

On the honeypot, this command returns nothing, while on a normal system it returns "/usr/bin/ls". This is easily fixed by customizing the "which" command of the honeypot.

Another interesting trick attackers appear to use is running openssl to detect the honeypot. For example:

openssl passwd -1 zwMUEG67

On a normal system, this returns a salted MD5-based password hash. The honeypot, however, does not offer openssl at all.

I am now working on adjusting our honeypot configuration to emulate some of these commands better. After all, we do want to keep talking :).

[1] https://github.com/cowrie/cowrie

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

Keywords: cowrie honeypot

Comments

Once you have finished your analysis, have you considered submitting a pull request to the Cowrie project to make their default honeyfs have some of these? Maybe they could have an examples/ folder with configuration scripts. One labelled "sans_honeypot_commands_analysis" would be convenient to have as part of the default installation.
Yes. I do consider a pull request once I have it all working well.
