Build an easy RDP Honeypot with Raspberry PI 3 and observe infamous attacks such as BlueKeep (CVE-2019-0708)

alt3kx
Jun 5, 2019

Over the last weeks there has been a lot of activity on networks trying to attack the RDP service. Maybe botnets looking for infected "zombies" with RDP exposed, or perhaps the bad guys trying to exploit the new attack called BlueKeep (CVE-2019-0708)? Inspect the traffic and set up your own honeypot with a RP3.

RDP Honeypot Raspberry PI 3

Technical Requirements:

Hardware:
1. Raspberry PI3

Essential Packages:
1. Wireshark
2. tcpdump
3. bro
4. rdpy
5. tcpick

Installation

Step1: Flash your Kali image to your Raspberry PI3. I chose this one: https://images.offensive-security.com/arm-images/kali-linux-2019.2-rpi3-nexmon.img.xz, and I used the Etcher software to flash the SD card from a Windows environment (easy & quick): https://www.balena.io/etcher/?ref=etcher_footer

Flashing SD card with Etcher

Step2: Once flashed proceed to update/upgrade everything:

# apt-get update && apt-get upgrade && apt-get dist-upgrade
Kali on Raspberry PI 3

Step3: Install the rdpy Python packages:

# pip install twisted pyopenssl qt4reactor service_identity rsa pyasn1
# pip install rdpy
# apt-get install python-qt4

Step4: Validation. If everything went OK, the following commands should be available:

# rdpy-rdpcredsspmitm.py
# rdpy-rdpmitm.py
# rdpy-rssplayer.py
# rdpy-vncscreenshot.py
# rdpy-rdpclient.py
# rdpy-rdphoneypot.py
# rdpy-rdpscreenshot.py
# rdpy-vncclient.py
Note: On Kali Linux I received some errors with the Twisted packages, which I fixed with the following commands:
# wget -c https://twistedmatrix.com/Releases/Twisted/19.2/Twisted-19.2.0.tar.bz2
# bzip2 -d Twisted-19.2.0.tar.bz2
# tar -xvf Twisted-19.2.0.tar
# cd Twisted-19.2.0
# python setup.py install
Executing rdpy-rdpclient.py & rdpy-rdphoneypot.py

Step5: Run a MiTM and record the session (RSS file). The idea is to have a realistic screen to show intruders (a fake Remote Desktop):

# rdpy-rdpmitm.py -o /root/honeypots_arsenal/ 192.168.1.17

Where 192.168.1.17 is the real Windows Server 2008 IP address with the RDP service enabled. Start an RDP connection to your localhost (127.0.0.1) using xfreerdp:

# xfreerdp --no-nla 127.0.0.1

To see:

[*] INFO: *******************************************
[*] INFO: * SSL Security selected *
[*] INFO: *******************************************
^C
RDP session recorded (RSS file)

Step6: Replay the recorded session with the rdpy-rssplayer.py command; this is the recording (screen) that intruders will see:

# rdpy-rssplayer.py 20190601025837_127.0.0.1_1.rss

Step7: Time to run your RDP Honeypot, just execute the following command:

# rdpy-rdphoneypot.py 20190601025837_127.0.0.1_1.rss
Executing rdpy-rdphoneypot.py with session recorded (RSS file)

Step8: Check that the RDP honeypot is listening on port 3389 on your Raspberry PI using nmap:

# nmap -F localhost
Running nmap to check that the RDP service is listening locally

Step9: Set up your router to forward port 3389 (Remote Desktop Protocol) to the Raspberry PI so intruders can reach it, and test from outside that the service is listening on port 3389 using nmap:

NAT/PAT Setup Orange Router
# nmap -F <your external IP address>
Running nmap to check that the RDP service is listening remotely

Step10: Start tcpdump and capture all the traffic arriving on port 3389:

# tcpdump -i eth0 -vvX -w rdp.pcap tcp port 3389
Capturing traffic on port 3389 with tcpdump

Packet Analysis

Step11: Install tcpick, wireshark and bro, and perform an analysis of the pcap file (rdp.pcap):

# apt-get install tcpick
# apt-get install wireshark
# apt-get install cmake make gcc g++ flex git bison python-dev swig libpcap-dev libssl-dev zlib1g-dev -y
# apt-get install libgeoip-dev -y
# apt-get install libmaxminddb-dev
# apt-get install bro broctl bro-aux -y
Packet analysis with tcpick
# tcpick -C -yP -r rdp.pcap | more
Voila!
Executing tcpick (Packet Analysis)

Step12: Review in depth with human readable logs using bro (the following command will create log files):

# bro -r rdp.pcap -C
Generating human readable logs with bro command
# cat rdp.log | bro-cut id.orig_h id.orig_p id.resp_h id.resp_p cookie result security_protocol keyboard_layout client_build client_name | more 
Reading rdp.log file with bro-cut
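Once bro-cut has pulled those columns out, the same rdp.log is easy to aggregate per attacking source. The following Python is an added example, not part of this post, rdpy or Bro: the log content is constructed sample data laid out like a Bro TSV log, and the "same cookie repeated" heuristic in noisy_sources is my own assumption, not a Bro rule.

```python
"""Summarise the rdp.log written by 'bro -r rdp.pcap -C' (Zeek/Bro tab-separated log)."""
from collections import Counter, defaultdict

# Constructed sample (not real capture data), trimmed to the columns bro-cut selects above.
SAMPLE_RDP_LOG = """#separator \\x09
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tcookie\tresult\tsecurity_protocol\tkeyboard_layout\tclient_build\tclient_name
1559357000.1\tC1\t203.0.113.5\t51000\t192.168.1.20\t3389\tAdministrator\tSuccess\tRDP\t-\t-\t-
1559357001.2\tC2\t203.0.113.5\t51002\t192.168.1.20\t3389\tAdministrator\tSuccess\tRDP\t-\t-\t-
1559357002.3\tC3\t203.0.113.5\t51004\t192.168.1.20\t3389\tAdministrator\tSuccess\tRDP\t-\t-\t-
1559357010.0\tC4\t198.51.100.9\t40000\t192.168.1.20\t3389\thello\tSuccess\tHYBRID\tEnglish - United States\tRDP 8.1\tWIN7-PC
1559357012.0\tC5\t198.51.100.9\t40002\t192.168.1.20\t3389\t-\t-\t-\t-\t-\t-
#close\t2019-06-01-03-00-00
"""

def parse_zeek_log(text):
    """Yield one dict per record; names come from #fields, the unset marker ('-') becomes None."""
    fields, unset = None, "-"
    for line in filter(None, text.splitlines()):
        if line.startswith("#"):  # header/footer line: tab-separated key and value
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("record before #fields header or column count mismatch")
        yield {k: None if v == unset else v for k, v in zip(fields, values)}

def summarise(records):
    """Per source IP: connection count, cookies (the username the client announces in
    its X.224 connection request), negotiated security protocols and client names."""
    per_src = defaultdict(lambda: {"count": 0, "cookies": Counter(),
                                   "protocols": Counter(), "clients": set()})
    for r in records:
        s = per_src[r["id.orig_h"]]
        s["count"] += 1
        for key, bucket in (("cookie", "cookies"), ("security_protocol", "protocols")):
            if r[key]:
                s[bucket][r[key]] += 1
        if r["client_name"]:
            s["clients"].add(r["client_name"])
    return dict(per_src)

def noisy_sources(summary, threshold=3):
    """Sources with >= threshold connections all carrying one cookie: retry/scan pattern (assumed heuristic)."""
    return sorted(ip for ip, s in summary.items()
                  if s["count"] >= threshold and len(s["cookies"]) == 1)
```

Against the real file, call summarise(parse_zeek_log(open("rdp.log").read())) in the directory where Step12 wrote its logs.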

Resources

https://github.com/citronneur/rdpy
https://stackoverflow.com/questions/17476761/importerror-no-module-named-twisted-internet
https://tools.kali.org/reporting-tools/rdpy
https://docs.zeek.org/en/stable/quickstart/#managing-bro-with-brocontrol
https://blog.rapid7.com/2017/06/24/how-to-install-and-configure-bro-on-ubuntu-linux/
