🍯 Honeypots

• vulnerable security tool designed to attract attackers and record the actions of adversaries
• can be used in a defensive role to alert administrators of potential breaches
• and/or to distract attackers away from real infrastructure
• collects data, tools and techniques

Classification

by Interactivity

• Low-Interaction
  • only capable of simulating the functions that are required to simulate a service and capture attacks against it
  • Adversaries are not able to perform any post-exploitation activity
  • Example:  mailoney,  dionaea.
• Medium Interaction
  • emulating both vulnerable services as well as the underlying OS, shell, and file systems
  • ℹ️ the system presented to adversaries is a simulation,
    • it is usually not possible for to complete full range of post-exploitation activity
  • allows adversaries to complete initial exploits and carry out post-exploitation activity
  • For example: Cowrie
• High-Interaction
  • fully complete systems that are usually Virtual Machines that include deliberate vulnerabilities
  • Adversaries should be able (but not necessarily allowed) to perform any action against the honeypot as it is a complete system
  • ⚠️ Needs to be carefully managed, otherwise they can be used to attack other systems
  • For example Cowrie as an SSH Proxy

by Deployment location

• Internal Honeypots
  • deployed inside LAN
  •  for threats originating from the inside, for example, attacks originating from trusted personnel or attacks that by-parse firewalls like phishing attack
  • ⚠️ should never be compromised
• External Honeypots
  • Deployed on the internet
  • Monitor attacks outside LAN
  • Collects much more data since they are effectively guaranteed to be under attack at all times

Typical behavior of bots

ℹ️ Majority of typical SSH deployemnts are automated. Most of the post-exploitation activity that takes place after a bot gains initial access to the honeypot will follow a broad pattern.

• Perform some reconnaissance using the uname or nproc commands or by reading the contents of files like /etc/issue and /proc/cpuinfo.
  • honeypot can pretend to be a server or even an IoT toaster.
  • 💡 comparing uname -a with the content of /etc/issue file returns to me different values.
• Install malicious software by piping a remote shell script into bash. Often this is performed using wget or curl though, bots will occasionally use FTP
  • Cowrie will download each unique occurrence of a file but prevent the scripts from being executed.
  • Most of the scripts tend to reference cryptocurrency mining in some way.
• A more limited number of bots will then perform some anti-forensics tasks by deleting various logs and disabling bash history. This doesn’t affect Cowrie since all the actions are logged externally.

Bots are not limited to these action, can include some variation in the methods and the goals.

Bot Identifications

• by IP addresses
• Specific order of the commands
• Some identifiable messages in the scripts or commands (but this is uncommon)
• some are highly identifiable by public SSH key
• also possible to identify bots from the scripts that are downloaded by the honeypot, using the same methods that would be used to identify other malware samples.

SSH Tunneling & Attacks

•  not perform any actions directly against honeypot and instead will leverage a compromised SSH deployment itself.
• 💡 SSH tunnels forward network traffic between nodes via an encrypted tunnel.
  • can then add an additional layer of secrecy when attacking other targets as third parties are unable to see the contents of packets that are forwarded through the tunnel.
• Forwarding via SSH tunnels also allows an adversary to hide their true public IP in much the same way a VPN would.
• The IP obfuscation can then be used to facilitate schemes that require the use of multiple different public IP addresses like, SEO boosting and spamming. S
• may also be used to by-parse IP-based rate limiting tools like Fail2Ban as an adversary is able to transfer to a different IP once they have been blocked.
• 💡 most honeypots by default record all of the SSH tunneling request but not forward them to destination, Check documentation!

Brute-force attacks

SSH is wulnerable to bruteforce attacks when the port is exposed to the internet

• Can be mitigiated by not exposing port 22 to the inernet
• 💡 most common tool for bruteforcing SSH is Hydra
• 💡 fail2ban is commonly used to mitigate SSH brute-force attacks?