If you want to observe live, real threat activity, the best way is probably to deploy a honeypot.
Here are step by step instructions that are fully working at the time of writing and should have you gathering data in 30 minutes.
Disclaimer: As of May 2019 there are already many tools that automate this whole process (the Modern Honey Network is a famous one), but most of them are no longer maintained and their setup scripts don’t work anymore (dependencies, Python 3, and all that black magic), hence the step by step process (plus you get to understand how the tools work).
0. What are we going to deploy:
Two devices on the cloud:
Device 1: Runs the Cowrie honeypot, records everything attackers do, then ships its logs.
Device 2: Runs Splunk Free, collects logs, and prints out cool graphs.
These devices will be deployed in DigitalOcean cloud because:
- There’s a free $100 credit! (if you’re considering running this experiment use my referral link 🙂)
- I am not setting a honeypot anywhere near any of my networks.
*Note: Google Cloud also provides free credit at this time.
1. Installing and tweaking Cowrie:
Start by deploying a basic $5 a month Droplet (1 GB of RAM / 1 CPU) on DigitalOcean; I found Ubuntu 18.10 x64 worked well:
You will receive an email with the user/password to SSH into it immediately.
-Remember to change your terminal settings to the Matrix colour scheme for extra hacking skills-
I will follow the steps detailed in the Cowrie project’s GitHub page but here’s some easy copy pasting assistance:
sudo apt-get update
sudo apt-get install git python-virtualenv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind
Then add a cowrie user and switch to it. We can’t (and really don’t want to) run Cowrie as root:
sudo adduser --disabled-password cowrie
sudo su - cowrie
Download Cowrie’s code:
git clone https://github.com/cowrie/cowrie
Set up the Python virtual environment Cowrie runs in (this holds Cowrie’s Python dependencies; it is not the fake OS the attackers will see):
cd cowrie
virtualenv --python=python3 cowrie-env
source cowrie-env/bin/activate
(cowrie-env) $ pip install --upgrade pip
(cowrie-env) $ pip install --upgrade -r requirements.txt
Copy cowrie.cfg.dist to cowrie.cfg in the same directory; cowrie.cfg is the file we will edit (Cowrie reads the defaults from the .dist file and overrides them with whatever is in cowrie.cfg):
cp /home/cowrie/cowrie/etc/cowrie.cfg.dist /home/cowrie/cowrie/etc/cowrie.cfg
This is Cowrie’s configuration file: enabling Telnet, changing the hostname (so it does not look like the generic Cowrie honeypot), and so on, all happens here.
For example, let’s change the hostname: it is the hostname line in the [honeypot] section. Most fields are self-explanatory; change that line to look like this:
hostname = UbuntuServer4
To have the honeypot listen on port 22 (by default it listens on 2222, which would make us miss most of the traffic) we have to make a few changes.
In the [ssh] section of cowrie.cfg:
listen_endpoints = tcp:22:interface=0.0.0.0
Note: Cowrie needs a restart every time you make changes in the config file.
Then run these commands so a non-root user can bind port 22 (ports below 1024 are reserved for root by default, and we can’t run Cowrie as root, so this is necessary; authbind was already installed above, so the first line is a no-op). Also make sure authbind is switched on in bin/cowrie (the AUTHBIND_ENABLED setting), as the Cowrie install docs describe:
sudo apt-get install authbind
sudo touch /etc/authbind/byport/22
sudo chown cowrie:cowrie /etc/authbind/byport/22
sudo chmod 770 /etc/authbind/byport/22
Then edit /etc/ssh/sshd_config and change the Port line so the honeypot’s real SSH listens on some random high port (don’t pick 2222, come on!). Do this before starting Cowrie, otherwise the two fight over port 22. Keep your current session open and test the edited file with sshd -t before restarting, so a typo doesn’t lock you out:
vim /etc/ssh/sshd_config   # uncomment the Port line and change the number
service ssh restart
Finally: set up Cowrie under supervisord so it is daemonized and restarted if it dies. Exit back to your root/sudo shell first (supervisord is installed and configured as root). The paths below match where we cloned Cowrie (/home/cowrie/cowrie); the Cowrie install docs also say to set DAEMONIZE="-n" in bin/cowrie so Cowrie stays in the foreground for supervisord:
apt install supervisor
cat > /etc/supervisor/conf.d/cowrie.conf <<EOF
[program:cowrie]
command=/home/cowrie/cowrie/bin/cowrie start
directory=/home/cowrie/cowrie
stdout_logfile=/home/cowrie/cowrie/var/log/cowrie/cowrie.out
stderr_logfile=/home/cowrie/cowrie/var/log/cowrie/cowrie.err
autostart=true
autorestart=true
stopasgroup=true
killasgroup=true
user=cowrie
EOF
supervisorctl update
Check that supervisord picked it up and that it is running:
supervisorctl status
cowrie RUNNING pid 1007, uptime 0:16:44
Also check netstat to verify that the right process is listening on every port:
root@Cowrie:~# netstat -tanpl
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:32328           0.0.0.0:*               LISTEN      922/sshd
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      639/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1007/python3
The python3 process on port 22 is the fake system (Cowrie); sshd on 32328 is our real SSH (you can always use the DigitalOcean console if you lock yourself out).
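Added example (mine, not from the original post or the Cowrie project): a small shell check that does the netstat verification above for you, so you can re-run it after every reboot or config change. It expects the output of netstat -tanpl run as root (the PID/Program column is empty otherwise). The listing embedded in it is a constructed sample mirroring the one above so the functions can be tried offline.

```sh
# Verify the port layout: python3 (Cowrie) must own port 22, the real sshd must sit on
# some other port, and that port must not be 22 or 2222.

# Constructed sample that mirrors the listing above; used only for the offline demo.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:32328           0.0.0.0:*               LISTEN      922/sshd
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      639/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1007/python3'

# Print "<port> <program>" for every LISTEN row on stdin. The port is the last ":"-separated
# piece of the local address, so IPv6 rows like ":::22" work too.
listeners() {
    awk '$6 == "LISTEN" { n = split($4, a, ":"); split($7, p, "/"); print a[n], p[2] }'
}

# Read a netstat listing on stdin. Exit 0 and print the real sshd port when the layout is
# right; exit 1 with a reason on stderr otherwise.
check_listeners() {
    list=$(listeners)
    on22=$(printf '%s\n' "$list" | awk '$1 == 22 { print $2 }' | sort -u)
    sshd_port=$(printf '%s\n' "$list" | awk '$2 == "sshd" { print $1 }' | sort -u)
    if [ "$on22" != "python3" ]; then
        echo "port 22 is held by '${on22:-nobody}', not by Cowrie (python3)" >&2
        return 1
    fi
    case "$sshd_port" in
        ""|22|2222)
            echo "real sshd port '${sshd_port:-none}' is missing or a bad choice" >&2
            return 1 ;;
    esac
    echo "OK: Cowrie on 22, real sshd on $sshd_port"
}

# On the honeypot:   sudo netstat -tanpl | check_listeners
# Offline demo:      printf '%s\n' "$SAMPLE_NETSTAT" | check_listeners
```

Run it once after the sshd restart and once after supervisorctl update: the first run should complain that nothing (or sshd) holds port 22, the second should print the OK line.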
Took a lot of copy pasting to get here but think about all the… L E A R N I N G
1.1 Edit the users that can log in to the honeypot:
First copy userdb.example to userdb.txt so we can edit it (Cowrie uses userdb.txt if it exists and its built-in defaults otherwise):
cp /home/cowrie/cowrie/etc/userdb.example /home/cowrie/cowrie/etc/userdb.txt
Then edit the file following the comments in it.
Protip: Make the honeypot look more real to attackers by limiting which logins succeed.
Protip 2: Allow everything if you want to study botnet campaigns.
1.2 Integration with VirusTotal:
Go to VirusTotal and create a free account; you will get an API key.
In cowrie.cfg, uncomment the [output_virustotal] section and fill it in:
enabled = true
api_key = ***paste here your API KEY***
upload = True
debug = False
scan_file = True
scan_url = True
Caveat: upload = True sends every binary attackers drop on the honeypot to VirusTotal, where other VirusTotal users can see it; set it to false if you only want hash lookups for files VirusTotal already knows.
It is a great idea to take a snapshot of the Droplet now ($0.05 per GB a month): it beats repeating all of the above :)
2. Deploying Splunk:
To deploy Splunk we’re going to need a new Droplet (you could do everything in a single Droplet, but a separate one scales better, i.e. you can deploy more honeypots later and point them all at the same Splunk).
In this case I use a slightly bigger Droplet:
Create an account on Splunk and download the Free version (free up to 500 MB a day of indexed data, which hopefully you won’t hit yet!).
Download the Linux version as a .tgz; the download page also shows a command-line option to fetch it with wget:
wget -O splunk-7.2..
tar -zxvf splunk-7.2...
Start Splunk from the extracted directory (on first start it asks you to accept the license and set the admin user/password), then open the GUI at http://WhateverYourSplunkIpIs:8000. That port is now reachable from the whole internet, so put a firewall in front of it (a DigitalOcean Cloud Firewall or ufw) that only allows your own IP.
3. Connect Cowrie to Splunk
To connect Cowrie the blog from Splunk explains it pretty well here. In summary:
Go to Splunk, on the top menu click on:
Settings> Add Data
Create an HTTP Event Collector under Monitor, leave everything as automatic, and copy the token you obtain.
In the honeypot Droplet, go to your cowrie.cfg file and uncomment the [output_splunk] section:
enabled = true
url = https://localhost:8088/services/collector/event
token = xxxxxxxxxxxxxx
index = cowrie
sourcetype = cowrie
source = cowrie
Then fill in url and token with the information from Splunk: the url is the public IP of the second Droplet, keeping https and the :8088/services/collector/event part, and the token is the one you copied when creating the HTTP Event Collector (Settings > Add Data > Monitor > HTTP Event Collector, everything left as automatic).
Before restarting Cowrie, create the index it will write to: inside Splunk go to Settings > Data > Indexes, create a new index and just change the name to “cowrie” (HEC rejects events that name an index which doesn’t exist).
Then under Settings > Data > Data inputs edit the HTTP Event Collector so everything is sent to the index “cowrie” (if you restrict the token’s allowed indexes, “cowrie” must be among them).
Now restart Cowrie and it will start sending logs.
Go back to Settings > Data > Indexes and verify that Cowrie is sending events: the index “cowrie” should show a recent “latest event” time.
If it doesn’t, well, shit.
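When the cowrie index stays empty, test the HEC path by hand from the honeypot Droplet with the exact URL, token and index that cowrie.cfg uses, before blaming Cowrie. This is an added example of mine, not from the original post, Cowrie or Splunk; the Splunk IP and token in it are placeholders you replace, and the reply codes quoted in the comments are Splunk’s documented HEC reply codes.

```sh
# Send one hand-made event to Splunk's HTTP Event Collector and check the reply.
SPLUNK_IP="${SPLUNK_IP:-203.0.113.10}"                          # placeholder: the Splunk Droplet's public IP
HEC_TOKEN="${HEC_TOKEN:-00000000-0000-0000-0000-000000000000}"  # placeholder: token from the HTTP Event Collector

# One HEC event with the same index/sourcetype/source as the [output_splunk] section of cowrie.cfg.
hec_event_json() {
    printf '{"event":{"eventid":"cowrie.test","message":"%s"},"index":"cowrie","sourcetype":"cowrie","source":"cowrie"}' "$1"
}

# POST it. -k is needed because Splunk serves 8088 with a self-signed certificate by default.
hec_send() {
    curl -sk "https://${SPLUNK_IP}:8088/services/collector/event" \
        -H "Authorization: Splunk ${HEC_TOKEN}" \
        -d "$(hec_event_json "$1")"
}

# Splunk replies {"text":"Success","code":0} when the event was accepted. The two errors you will
# actually hit with this guide are code 4 "Invalid token" (typo when pasting it) and
# code 7 "Incorrect index" (the "cowrie" index does not exist yet, or the token may not write to it).
hec_ok() {
    case "$1" in
        *'"code":0'*) return 0 ;;
        *)            return 1 ;;
    esac
}

# e.g.  resp=$(hec_send "hello from the honeypot"); hec_ok "$resp" && echo "HEC OK" || echo "HEC broken: $resp"
#
# Both Droplets sit on public IPs, so do not leave 8088 and 8000 open to the whole internet.
# On the Splunk Droplet (or the same rules in a DigitalOcean Cloud Firewall):
#   sudo ufw allow from <honeypot-ip> to any port 8088 proto tcp   # only the honeypot may post events
#   sudo ufw allow from <your-ip> to any port 8000 proto tcp       # only you may reach the web UI
# Allow your own SSH port as well before running `sudo ufw enable`.
```

If hec_send gets "Success" but the index still shows nothing after a Cowrie restart, the problem is on the Cowrie side (wrong url or token in cowrie.cfg; check var/log/cowrie/cowrie.log); if it fails here, the problem is the collector, token or index in Splunk.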
4. Start looking at the fancy graphs:
Go to the top left of Splunk and click on Apps>Manage Apps
Then select Install app from file and install the Manuka Honeypot:
This is a Splunk App that I created specifically for Cowrie.
There are many Apps out there (MHN, Tango, EngagedThreat…) but as of 2019 all are mostly outdated due to what I mentioned on the first disclaimer.
Leave the honeypot running for a few hours (or minutes to be fair) and you will start seeing results.
Now this is the cool part. Splunk is kind of Excel on steroids when it comes to graphs.
Some of the dashboards you will see are:
5. Replay CLI recordings:
Terminal recordings are stored under var/lib/cowrie/tty inside the Cowrie install (on the honeypot machine!).
Go to the TTY directory and see if there are any recordings:
cd /home/cowrie/cowrie/var/lib/cowrie/tty
/home/cowrie/cowrie/var/lib/cowrie/tty# ls -la
drwxrwxr-x 2 cowrie cowrie 4096 May 8 06:35 .
drwxrwxr-x 4 cowrie cowrie 4096 May 7 04:28 ..
-rw-rw-r-- 1 cowrie cowrie 2 May 7 03:38 .gitignore
-rw-r--r-- 1 cowrie cowrie 4750 May 8 05:52 22cd32d7e0061023a685158d46903d35c8369d9f1c158daadddc0ca2b3129ba3
-rw-r--r-- 1 cowrie cowrie 432 May 7 05:02 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-rw-r--r-- 1 cowrie cowrie 2222 May 8 05:45 f4518faf335e77750bc7a61d3e9c0df3c0740c62540259417fec9c067bd2f070
There’s a few!
Then go to the bin directory and run playlog with the full path of one of the files in the TTY directory:
There is also a dashboard that lists all recently captured TTY activity and makes things a bit easier:
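Added example, not from the original post or from Cowrie: replay every recording newest first without typing 64-character filenames. It assumes the install path used throughout this guide (/home/cowrie/cowrie) and is run as the cowrie user.

```sh
# Replay all TTY recordings, newest first, through Cowrie's own bin/playlog.
COWRIE_HOME="${COWRIE_HOME:-/home/cowrie/cowrie}"   # assumed install path from this guide

# List recordings in a tty directory, newest first, as full paths. Recording names are 64 hex
# characters, so .gitignore and any stray files are skipped.
tty_recordings() {
    ls -t "$1" | grep -E '^[0-9a-f]{64}$' | sed "s|^|$1/|"
}

# Replay each one; a banner with the name and size separates the sessions. Paths contain no
# whitespace, so the plain for loop over the listing is safe here.
replay_all() {
    for f in $(tty_recordings "$COWRIE_HOME/var/lib/cowrie/tty"); do
        printf '\n==== %s (%s bytes) ====\n' "$(basename "$f")" "$(wc -c < "$f")"
        "$COWRIE_HOME/bin/playlog" "$f"
    done
}

# Usage:  replay_all            (Ctrl-C skips to the next recording if one is boring)
```

Short files like the 432-byte one in the listing above are usually a login followed by an immediate disconnect (a scanner checking credentials); the larger ones are where the interactive sessions and the interesting commands are.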
Try a few things; for example, modify userdb.txt so it allows a lot more passwords.
You allow all passwords for a user by configuring it like this:
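Added example, mine and not from the original post or the Cowrie project, for the userdb.txt editing in step 1.1 and the “allow all passwords” setting just above: a complete rule set you can drop into etc/userdb.txt, plus a small checker that tells you which username/password pairs the rules would let in, so you can test a rule set before restarting Cowrie. Rules are user:x:password lines; * matches anything, a leading ! refuses that exact password, and Cowrie stops at the first matching line. The checker is my approximation of that first-match logic (it does not implement the /regex/ form that userdb.example mentions), so check anything surprising against the comments in userdb.example.

```sh
# Constructed rule set: root gets in with anything except the two most-guessed passwords,
# any username gets in with "somepassword", everything else is refused.
SAMPLE_USERDB='# user:x:password
root:x:!root
root:x:!123456
root:x:*
tomcat:x:*
*:x:somepassword'
# Install it with:  printf "%s\n" "$SAMPLE_USERDB" > /home/cowrie/cowrie/etc/userdb.txt   (then restart Cowrie)

# Usage: printf '%s\n' "$rules" | userdb_check USER PASSWORD   -> prints "allow" or "deny"
userdb_check() {
    awk -F: -v u="$1" -v p="$2" '
        /^#/ || NF < 3              { next }                      # comments and junk lines
        $1 == u && $3 == ("!" p)    { r = "deny";  exit }         # explicit refusal; first match wins
        ($1 == u || $1 == "*") && ($3 == p || $3 == "*") { r = "allow"; exit }
        END { print (r == "" ? "deny" : r) }                      # no rule matched: refused
    '
}

# Order matters: the "!" lines must come before "root:x:*", otherwise the wildcard matches first
# and root:root gets in. "root:x:*" itself is the "allow all passwords for this user" setting.
```

A quick way to use it: pipe your edited userdb.txt into userdb_check with the top few passwords from the Splunk login dashboard and confirm the answers are what you intended before you restart Cowrie.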
If you followed every instruction step by step, and the Ubuntu images on DigitalOcean and the Cowrie project haven’t changed too much since May 2019, this should work flawlessly.
Happy hunting and looking forward to any feedback on this!