Who's that Knocking at the Front Door?

Today we will be talking about good ole honeypots. If you don’t know what honeypots are (no, not Winnie the Pooh’s favorite snack), you can refer to this article. I will also demonstrate how to deploy a personal honeypot.

Honeypots have many advantages including but not limited to:

  • Observing current bad actor behavior
  • Collecting data on bad actors
  • Hiding your real infrastructure
  • Investigation and research to better secure your environment
  • Getting a leg up on people doing bad things

There are many types of honeypots, but the technique is more or less the same: you set up a fake system on the internet or LAN, accept input on some network protocol and interact with whoever connects in a protocol-compliant way. For example, if you deploy an SSH honeypot, it must be able to behave and respond like a real SSH server; otherwise you will give the surprise away too fast, be flagged, and most likely get added to blocklists. You want your honeypot to be as efficient as possible at collecting every bit of data you can.

Here is a list of a few OSS honeypots; you will notice that there is more than one way to build/deploy a honeypot:

Demonstration

So it’s time to build a honeypot! For this tutorial I will be using Kippo to set up an SSH honeypot.

DISCLAIMER: USE HONEYPOTS AT YOUR OWN RISK! Just because your honeypot was designed to be a fake environment, this DOES NOT mean that the honeypot itself is immune to vulnerabilities. Remember, everything is vulnerable, you just have to do your best to avoid getting on the bad side of anyone that is capable of doing damage. For some people, this is impossible due to their line of work. Just be safe and make sure you understand the risks while playing with honeypots. It’s also a very good idea to NOT TRUST the code you’re deploying. I would recommend you spend a little bit of time getting to know the codebase by just giving it a thorough read first.

Assumptions for this tutorial
You have experience with:

  • Basic Linux administration
  • Managing code with Git
  • A little bit of Python and package management via pip

The install guide can be found here:

git clone https://github.com/desaster/kippo
cd kippo
mv kippo.cfg.dist kippo.cfg

Using Python 2.7+:

virtualenv venv
. venv/bin/activate

To build Twisted you need the python development header files.
On Gentoo, portage already comes shipped with the python header files.

On RHEL based distros:

sudo yum install python-devel

On Debian based distros:

sudo apt-get install python-dev

Use an older version of Twisted because the most recent version removes some of the necessary authentication modules.

pip install Twisted==15.1.0
pip install pycrypto
pip install pyasn1

Below is a list of the default settings you may want to tweak (the format is INI style, read by Python’s ConfigParser module). Each option is documented well enough in the config file to explain what it does (if the name doesn’t give it away). There are other options, but you will have to read the config file for yourself.

grep -v '^#' kippo.cfg | sed -e /^$/d
[honeypot]
ssh_port = 2222
hostname = svr03
log_path = log
download_path = dl
contents_path = honeyfs
filesystem_file = fs.pickle
data_path = data
txtcmds_path = txtcmds
rsa_public_key = data/ssh_host_rsa_key.pub
rsa_private_key = data/ssh_host_rsa_key
dsa_public_key = data/ssh_host_dsa_key.pub
dsa_private_key = data/ssh_host_dsa_key
exec_enabled = true
ssh_version_string = SSH-2.0-OpenSSH_5.1p1 Debian-5
interact_enabled = false
interact_port = 5123

Let’s change some of the defaults a bit, because Kippo is a widely known honeypot and detection scripts that look for its stock values are out there. We should give ourselves a fighting chance to go unnoticed.

sed -i \
  -e 's/ssh_port = 2222/ssh_port = 1337/' \
  -e 's/hostname = svr03/hostname = super.secure.black.xbox/' \
  -e 's/ssh_version_string = SSH-2.0-OpenSSH_5.1p1 Debian-5/ssh_version_string = SSH-2.0-OpenSSH_6.1p2 Debian-3+deb7u1/' \
  -e 's/interact_enabled = false/interact_enabled = true/' \
  -e 's/interact_port = 5123/interact_port = 1234/' \
  kippo.cfg
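To make sure none of the stock values survived the edit, here is a small audit script I am adding for this post (it is not code from the post or from the Kippo project). It parses the config the same way Kippo does, with Python's configparser, and flags every option that still carries a default shown in the grep output above. The two sample configs, and the rule that an enabled interact port deserves a warning, are constructed for illustration.

```python
"""Check a Kippo config for values that fingerprint a stock deployment.

Added example written for this post; not code from the post or from Kippo.
The default values are the ones the post's own `grep` of kippo.cfg shows;
the sample configs and helper names are constructed.
"""
import configparser

# Stock kippo.cfg values from the post. Detection scripts key on exactly these,
# so any one of them surviving in a deployed config is a cheap tell.
KIPPO_DEFAULTS = {
    "ssh_port": "2222",
    "hostname": "svr03",
    "ssh_version_string": "SSH-2.0-OpenSSH_5.1p1 Debian-5",
    "interact_port": "5123",
}

# Constructed sample: the relevant lines of the stock config as printed in the post.
STOCK_CONFIG = """\
[honeypot]
ssh_port = 2222
hostname = svr03
log_path = log
ssh_version_string = SSH-2.0-OpenSSH_5.1p1 Debian-5
interact_enabled = false
interact_port = 5123
"""

# Constructed sample: the same config after the post's sed one-liner.
TWEAKED_CONFIG = """\
[honeypot]
ssh_port = 1337
hostname = super.secure.black.xbox
log_path = log
ssh_version_string = SSH-2.0-OpenSSH_6.1p2 Debian-3+deb7u1
interact_enabled = true
interact_port = 1234
"""


def load_honeypot_section(config_text):
    """Parse INI text with configparser and return the [honeypot] options as a dict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    if not parser.has_section("honeypot"):
        raise ValueError("no [honeypot] section found")
    return dict(parser.items("honeypot"))


def find_stock_values(config_text):
    """Return {option: value} for every option still set to its Kippo default."""
    options = load_honeypot_section(config_text)
    return {
        name: options[name]
        for name, default in KIPPO_DEFAULTS.items()
        if options.get(name, "").strip() == default
    }


def audit(config_text):
    """Produce a list of human-readable findings for a config."""
    findings = []
    for name, value in find_stock_values(config_text).items():
        findings.append("%s is still the Kippo default (%s)" % (name, value))
    options = load_honeypot_section(config_text)
    # The interact port is an administrative channel into the honeypot. If you
    # turn it on, make sure it is only reachable from where you administer it.
    if options.get("interact_enabled", "false").lower() == "true":
        findings.append(
            "interact_enabled is true: restrict access to port %s"
            % options.get("interact_port", "?")
        )
    return findings


if __name__ == "__main__":
    for label, text in (("stock", STOCK_CONFIG), ("tweaked", TWEAKED_CONFIG)):
        print("== %s ==" % label)
        for finding in audit(text) or ["no findings"]:
            print(" - " + finding)
```

Run it against your real file by passing `open("kippo.cfg").read()` to `audit()`; the stock sample produces four findings, the tweaked one only the reminder about the interact port.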

Start the honeypot.

./start.sh
twistd (the Twisted daemon) 15.1.0
Copyright (c) 2001-2015 Twisted Matrix Laboratories.
See LICENSE for details.
Starting kippo in the background...
Generating new RSA keypair...
Done.
Generating new DSA keypair...
Done.

You are LIVE and should be able to monitor and interact with anyone that successfully connects to your honeypot.
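Once it is running, the thing you will actually look at is the log. The script below is an added example for this post (not from the post or from Kippo) that summarises login attempts: who is knocking, how often, and which credentials they try. The sample lines are constructed, and the line shape they follow is my assumption about Kippo's "login attempt" messages; compare the regex against a line from your own log directory before relying on it.

```python
"""Summarise login attempts from a Kippo log.

Added example written for this post; not code from the post or from Kippo.
The log line shape below is an ASSUMPTION about Kippo's "login attempt"
messages, and the sample lines are constructed.
"""
import re
from collections import Counter

# Assumed line shape:
#   <date> <time> [SSHService ssh-userauth on HoneyPotTransport,<n>,<ip>] login attempt [<user>/<pass>] <failed|succeeded>
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[^\]]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>failed|succeeded)$"
)

# Constructed sample log (documentation-range IPs, not real sources).
SAMPLE_LOG = """\
2015-03-10 12:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/123456] failed
2015-03-10 12:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/password] failed
2015-03-10 12:00:03+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/123456] succeeded
2015-03-10 12:00:09+0000 [HoneyPotTransport,2,203.0.113.5] connection lost
2015-03-10 12:00:10+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.5] login attempt [admin/admin] failed
"""


def parse_login_attempts(text):
    """Yield one dict per login-attempt line; lines of any other kind are skipped."""
    for line in text.splitlines():
        match = LOGIN_RE.match(line)
        if match:
            yield match.groupdict()


def successful_sources(text):
    """Sorted list of source IPs that got past authentication (sessions worth replaying)."""
    return sorted({a["ip"] for a in parse_login_attempts(text) if a["result"] == "succeeded"})


def summarize(text):
    """Counts of attempts, successes, per-IP volume and the most-tried credential pairs."""
    attempts = list(parse_login_attempts(text))
    return {
        "total": len(attempts),
        "succeeded": sum(1 for a in attempts if a["result"] == "succeeded"),
        "by_ip": Counter(a["ip"] for a in attempts),
        "top_credentials": Counter((a["user"], a["password"]) for a in attempts).most_common(3),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("attempts: %d, succeeded: %d" % (report["total"], report["succeeded"]))
    for ip, count in report["by_ip"].most_common():
        print("  %-16s %d" % (ip, count))
    for (user, password), count in report["top_credentials"]:
        print("  %s/%s tried %d time(s)" % (user, password, count))
    print("sources with a successful login:", successful_sources(SAMPLE_LOG))
```

Feed it the contents of the file Kippo writes under `log_path` instead of `SAMPLE_LOG`; the IPs that reach a successful login are the sessions to watch, since those are the ones that will start typing commands into the fake shell.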