Tag Archives: VirusTotal

Monitoring Honeypot Output

Last week I posted in Hacking about installing a Honeypot to record SSH traffic. Since it was installed, I’ve been working on easily monitoring of the output. Michel Oosterhof, the creator of Cowrie, has done a lot of development work to create some awesome logging output from the honeypot. There are a lot of different options and you can even store output in a mySql database. I found instructions for that on a wordpress blog. Feel free to checkout the current page at greenjam94.me/honeypot.html

First Attempt

After setting up my mySQL, I wrote a page of php functions to run about 8 different queries to get back information I thought was relevant. At first, the page was as simple as possible, the same page with all those functions also displayed the front end. It was a late night rushed kind of job, but you could see some pretty cool stats, in the first 24 hours of the site, we had over 500 attempts to establish a SSH connection to the honeypot. I linked the php page to my website and was happy for the night.

Second Attempt

After looking at the page for a while, the load page took forever, it also didn’t look that good. For one thing, the code was horrible. I had so many php echo statements where there were paragraphs of unformatted HTML. The front end web page was a clear reflection of that. My goal of my second attempt was to make the webpage load fast, even on mobile devices. To accomplish that, I moved all the html to an actual html file and used Javascript and AJAX to bounce requests to the old PHP page.

AJAX

It’s not anything new, but the site loads immediately and info fills if possible. If for some reason the PHP fails, the site doesn’t break, the page simply doesn’t display that part of the content. With the page being more formatted it was easier to make design changes. The site is slightly more responsive and mobile friendly thanks to better implementation of the Bootstrap framework.

IP Info

The website also uses ipinfo.io to get more information about where an IP address is located, right now the page is only displaying Country Codes, but the idea is to display the IP addresses over a map. Wouldn’t that look really cool? I want to use something like d3 but I haven’t had any experience with it so it may take a while. It’d be nice if it could look like this cesium example.

VirusTotal

Our honeypot is monitoring traffic and we see results, but we aren’t doing anything with them. Files and uploads are saved so it’s possible to analyze things further. VirusTotal is a website with a public API to review IP addresses and files for viruses and malicious code. One of my future goals is to set up a connection to the API to turn in anything that gets uploaded through the honeypot. The only issue I see is that filenames get changed, and VirusTotal doesn’t like that. The name is changed to a hash of information about the session that uploaded the file.

Future Plans

Better use of IpInfo and VirusTotal are the next steps to improve the site. After that I’ll work on improving the site in other ways. Right now, the honeypot is logging through regular log files, JSON, and mySQL. In the five days it’s been running, we’ve had over 1,000 sessions and logging those in triplicate might get expensive on the hard drive. It’d be more efficient to write the PHP backend to pull from the JSON logs instead of needing the SQL database.

Cowrie Honeypot Installation

Who likes honey? I know I do. Unfortunately Cowrie isn’t the like of honeypot you might imagine. Instead of thinking source of deliciousness, think something yWinnie the poohou will get your hand stuck in. In security terms a Honeypot is where a system is set up to record everything that’s going on. In those terms, cowrie is a SSH monitor that tracks everything that happens over an ssh connection.

This is a project that I started with @Taco_Pirate. He had a digital ocean VM that he wasn’t using and we decided to turn that into a honeypot of some sort. At first we were going to use Kippo, but after reading though some of the wiki we found that Cowrie is just  newer and more updated flavor of Kippo.

So what did we end up doing to get everything set up? Well first we started with a basic linux installation on the VM. From there we followed the instructions on Kippo to install any necessary services.

sudo apt-get install build-essential python-dev libmysqlclient-dev python-virtualenv python-pip

It’s probably also a good idea to run apt-get update first as well. From there we followed the instruction’s on cowrie’s INSTALL.md. First we created a user, cloned the directory from the github repo, and then copied the configuration. By default, the honeypot listens to port 2222, so we set up an IP table config rule to port any traffic from port 22 to go there. That rule is:

sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

For admin reasons we also opened another port for Taco_Pirate and I to connect to. All it takes to start the honeypot is a single command from the directory that Cowrie is installed to which is “./start.sh” \, stopping is as simple as running “./stop.sh”. It was a pretty easy set up, so this post is short compared to my last few but that’s good. If you’re interested in learning about how people or robots (scripts that do malicious things) interact with servers over SSH or what people use to try and guess accounts or passwords, I would suggest you make a honeypot for yourself.

The author of Cowrie started with kippo and made some really cool additions, you can read them all on his website. Some of them that I really like are the SFTP support and improved logging. There are a lot of options in the config file for different uses of the logs. For example you can add attempts to a MySQL database or send files to VirusTotal in order to see if things are malicious.  Integrating with VirusTotal was something I requested from the creator of Cowrie and he set it up really quickly. If you have a similar idea, you can create an issue on Github.

Thanks for reading this, if you have any questions about how I implemented Cowrie then please comment below. If you want to view the statistics of the people getting caught then feel free to look here.