Honeypot Analysis

John Olson
5 min read · May 27, 2022


Introduction to my Honeypot project

A honeypot is an intentionally exposed, deliberately weak computer system that is usually deployed alongside functional production systems within the network, and it is designed to attract cyber attacks. After gaining a baseline knowledge of cyber security I wanted to take a step away from the books and learning videos for a time to gain some real-life experience with cyber attacks. Once I set up my personal honeypot, I allowed it to stay online for 72 hours to see what kind of attackers I could lure in, and this blog is going to be used to explain the process and the experience of this project.

The Set Up

In order to monitor and later analyze a honeypot, I used Amazon Web Services (AWS) to spin up an instance in Stockholm that hosted Tpotce, provided by Telekom-Security. T-Pot is a multi-honeypot platform that is easy to deploy and requires little maintenance, with numerous and easily digestible visualization options through the Elastic Stack and animated live attack maps. T-Pot also includes SpiderFoot, an open-source intelligence (OSINT) automation tool that integrates just about every data source available and uses a range of data-analysis methods, making the data easy to navigate.

Focus

For my analysis, I will be focusing on the 72-hour period during which my honeypot was active and reviewing the data that was gathered from the web attackers, including the source IP address, where the attack came from, which port they attempted to enter through, the types of attacks used, and more.

Attack Input

In that 72-hour period, my system was attacked 19,518 times by 122 unique source IPs. Of those 19,518 attacks, 96% came from China, and 94% of all the attacks were aimed at SSH while 6% were aimed at Telnet.

Source IP

By reviewing the source IPs, I found that most of the attempted entries originated from the same IP address, which shows evidence of the attacker trying to enter through a Denial-of-Service (DDoS) attack.

Brute Force Attack

The list of usernames and passwords is evidence of a brute force attack. Brute force is a popular hacking method used to gain unauthorized access to a system or network. It is a trial-and-error method for cracking passwords, login credentials, and encryption keys: the attacker uses a computer to test a wide range of username and password combinations until the correct login information is found. These common passwords can be found in a word list like “rockyou.txt”. Most attackers will do some reconnaissance to gather information on the users of the network before attempting this attack, and some systems like WordPress usually have default users such as “admin”.

Below are just some examples of the usernames the attackers used in their attempts to gain access:

Command Line Input

As expected, once the attackers gained access to the system, many of them used simple Linux commands to learn more about it. The aim or goal of each attacker may have been different, but they all used a similar methodology and similar commands once a foothold was established.

  • The command “uname -a” is a request to print all system information such as the processor type and kernel name.
  • The command “top” runs a program that provides a dynamic, real-time view of a running system. It shows system summary information as well as a list of the processes currently being managed by the Linux kernel.
  • The command “crontab -l” shows the scheduled tasks/processes that are running on the system. This can prove useful when establishing persistence.

Even after gaining an initial foothold, recon is still required to find the best and most effective means of escalating privileges, or of getting to the actual target if this machine was not the final intended target.
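As an added example (not code from this post or from the T-Pot project), the following Python reproduces the two kinds of analysis described above over a constructed set of Cowrie-style JSON events (Cowrie is the SSH/Telnet honeypot that T-Pot ships): it counts login attempts, unique source IPs and the SSH/Telnet split from the "Attack Input" section, and it flags sessions that ran the recon commands listed under "Command Line Input". The field names follow Cowrie's log conventions, but the values and the sample lines are made up for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample events in Cowrie's JSON-lines style; the IPs are
# documentation addresses and the sessions are invented for this example.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","dst_port":22,"session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"123456","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"admin","password":"admin","session":"a1"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","dst_port":22,"session":"a2"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.10","username":"root","password":"password","session":"a2"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","input":"uname -a","session":"a2"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","input":"crontab -l","session":"a2"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","dst_port":23,"session":"b1"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"admin","password":"1234","session":"b1"}
"""

# The post-compromise recon commands the post lists.
RECON_COMMANDS = {"uname -a", "top", "crontab -l"}


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def attack_summary(events):
    """Login attempts, unique sources, percentage per destination port, top source."""
    logins = [e for e in events if e["eventid"].startswith("cowrie.login.")]
    # Map each session to the port it connected on (22 = SSH, 23 = Telnet).
    port_by_session = {e["session"]: e["dst_port"]
                       for e in events if e["eventid"] == "cowrie.session.connect"}
    port_counts = Counter(port_by_session[e["session"]] for e in logins)
    src_counts = Counter(e["src_ip"] for e in logins)
    total = len(logins)
    return {
        "attempts": total,
        "unique_sources": len(src_counts),
        "pct_by_port": {p: round(100 * c / total) for p, c in port_counts.items()},
        "top_source": src_counts.most_common(1)[0],
    }


def sessions_with_recon(events):
    """Sessions whose post-login input contains any of the recon commands."""
    cmds = defaultdict(set)
    for e in events:
        if e["eventid"] == "cowrie.command.input":
            cmds[e["session"]].add(e["input"].strip())
    return {s: sorted(c & RECON_COMMANDS) for s, c in cmds.items() if c & RECON_COMMANDS}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(attack_summary(evs))
    print(sessions_with_recon(evs))
```

Pointing `parse_events` at a real Cowrie `cowrie.json` gives the same per-port and per-source breakdown the T-Pot dashboards show, and the recon check is a simple way to separate credential-stuffing noise from sessions where someone actually looked around.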

Debrief

After analyzing the data that I received from my honeypot, I have gained a deeper understanding of just how dangerous a place the internet is. To have such a large number of attempted attacks within a 24-hour span is mind-boggling and further proves how important cyber security is, not only for huge corporations, but for small businesses and individuals as well.

Brute force login attempts on SSH can be prevented by disabling SSH services that are not business critical. Firewall rules could also be implemented that block unauthorized access to port 22. Telnet is an unencrypted protocol, and if it is not business critical it should also be disabled so as not to give the attacker an easy vulnerability to exploit. Following security best practices is the best way to protect your system from malicious actors.

In this project of creating my honeypot, I was able to apply a multitude of skills that I have gained throughout my years working in IT with the US Air Force, along with the foundational cyber security tools that my cohort with Fullstack Academy has equipped me with. It felt great to apply all of those experiences and lessons in one project, and it was extremely satisfying to see it all come together.
