What happens over five days of emulating the most common and most exploited vulnerable services known today? You get interesting insights into the attacks hitting our critical infrastructure, or any public IPs for that matter, attacks that would in a lot of cases remain invisible. I’ll go over all the HoneyPots that actually captured data and do a quick dive into the sorts of attacks that were captured.
If you haven’t read about the setup of this HoneyPot system, head over to this article for some more context: Getting Started with HoneyPots
Suricata is an independent open source threat detection engine. By combining intrusion detection (IDS), intrusion prevention (IPS), network security monitoring (NSM) and PCAP processing, Suricata can quickly identify, stop, and assess even the most sophisticated attacks.
It essentially acts as a software firewall and gives a quick overview of all the traffic your firewall should also be able to spot. Very handy for getting an idea of where most of the traffic is coming from.
One big takeaway from the data below is the number of CVE-2020-11899 hits in this one week.
Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. As we can see, attempts to exploit SSH are much more common. Location-based data may not be too relevant, given that most of these attacks won’t come from the IP of the actual attacker. Some downloads were made and we can see a number of commands used once the attackers found themselves inside the HoneyPot.
The Cowrie SSH HoneyPot was the most exploited out of all the different HoneyPots. This is not my first time using the T-Pot HoneyPot, and every time, SSH is the most attacked service. In recent years it has even overtaken the dreaded SMB protocol, which by now is far less common.
- Use key-pairs where possible
- Change the default SSH port
- Do not use weak or breached passwords
- Limit SSH access with a firewall where possible
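The first three recommendations above can be checked against a server's sshd_config before it goes anywhere near a public IP. The following is an added example, not code from the original article or from T-Pot or Cowrie: a small audit that parses an sshd_config text and reports where it still matches what the brute-forcers are hoping for. The sample configs are constructed; the defaults table assumes OpenSSH's documented defaults and the firewall recommendation is a runtime matter this check does not cover.

```python
# Added example, not part of the original article or of T-Pot/Cowrie: a small
# audit of an sshd_config text against the recommendations listed above.
import re

# Values sshd uses when a keyword is absent (OpenSSH defaults).
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text):
    """Return {lower-cased keyword: value}. sshd honours the FIRST occurrence
    of a keyword, so later duplicates are ignored. Match blocks are not modelled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Port 22" or "Port=22"
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the four checks pass."""
    cfg = parse_sshd_config(text)

    def value(key):
        return cfg.get(key, DEFAULTS[key]).lower()

    findings = []
    if value("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is on: prefer key pairs and set it to no")
    if value("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is off: key-pair logins are impossible")
    if value("port") == "22":
        findings.append("Port 22 is the default and draws the bulk of scanner noise")
    if value("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root is open to password brute force")
    return findings


# Constructed samples: a config close to what the brute-forcers above hope for,
# and one that follows the recommendations.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""

HARDENED_CONFIG = """\
# Moved off the default port; keys only; no root login
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text) or ["ok"])
```

Note that an empty config is not safe: with nothing set, sshd falls back to port 22 with password authentication on, so the audit reports two findings for it. Moving the port only reduces noise; the key-pair and root-login settings are what actually stop the attacks Cowrie records.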
Dionaea is a low-interaction honeypot that captures attack payloads and malware. Dionaea is meant to be a nepenthes successor, embedding Python as its scripting language, using libemu to detect shellcode, and supporting IPv6 and TLS.
In our five-day experiment, almost every attack hitting our server was aimed at port 445, running the SMB protocol. With 485 currently listed vulnerabilities, many of them with a high severity score, it’s no surprise this protocol gets a lot of attention.
When filtering out the SMB noise, we are left with mostly SQL databases being targeted with default and weak passwords.
- SMB is insanity
- Do not use default passwords, or weak passwords
- Consider changing default ports for databases if exposed to the internet
- Use a firewall to limit access to your database management
Honeytrap is a low-interaction honeypot and network security tool written to catch attacks against TCP and UDP services. It was developed by Tillmann Werner of the Giraffe Chapter. In its default configuration, it runs as a daemon and starts server processes on demand when a connection attempt to a port is made.
What this gives us is a good understanding of which ports receive the most activity. Of course, if ports are already mapped to other HoneyPots, the traffic will show up there instead. For example, this setup doesn’t have a dedicated RDP HoneyPot, so we see the traffic going to port 3389 catching a lot of attention in HoneyTrap. Using a different installation of T-Pot, we could capture and interact with the RDP traffic as well.
It is a great way to at least log all the incoming traffic by port number, so we get an idea of which services we might want to leave out, or which ones to add in future HoneyPot setups. This makes this HoneyPot a good option for a “catch all” on the noise you would otherwise miss.
- Adjust your HoneyPot deployment to the services you want to protect/investigate
- Use catch-all HoneyPots to catch any blind spots
DDoSPot is a honeypot “platform” for tracking and monitoring UDP-based Distributed Denial of Service (DDoS) attacks. The platform currently supports the following honeypot services/servers in the form of relatively simple plugins called pots:
- DNS server
- NTP server
- SSDP server
- CHARGEN server
- Random/mock UDP server
This recent addition to the T-Pot framework gives us the ability to see DDoS attacks happening live. During this five-day test, no noticeably large traffic was observed, with only a slight peak coming from several Brazil-based IP addresses.
- DDoS Honeypots are excellent for catching attacks early
- Can be used to identify attacks and build mitigation for future attacks
- Train analysts to spot a DDoS attack
- Sinking traffic with your HoneyPot is a bit over-ambitious, but using services like Akamai and CloudFlare to mitigate DDoS attacks is a good idea
From the creator: “Sometimes you just want a simple honeypot that collects credentials, nothing more. Heralding is that honeypot. Currently the following protocols are supported: ftp, telnet, ssh, http, https, pop3, pop3s, imap, imaps, smtp, vnc, postgresql and socks5.”
An interesting catch in this HoneyPot: for a while there was absolutely nothing happening, until one IP address made about 6000+ attempts at entering a password. Judging by the port (5900) and the simplicity and similarity of the passwords, this seems to be a word-list made from default and common passwords, trying to gain access via VNC, which, just like RDP, is a protocol to remotely access and interact with a computer system, mostly servers.
- Do not use default passwords
- Move the default port
- Use a firewall to limit access to these types of services
A low interaction honeypot designed for Android Debug Bridge (ADB) over TCP/IP. ADB allows developers to make a connection to devices for troubleshooting or debugging. The honeypot allows for the following interactions:
- adb shell <shell command> – allows a developer to run all kinds of commands on the connected device, such as ls, wget and many others.
- adb push <local file> <remote destination> – allows a developer to upload binaries from their own machine to the connected Android device.
We see in our five days of capture a variety of locations trying a mix of commands. Several malware samples were caught and we can see exactly what types of commands are being used.
Grabbing a random sample from this, we see that the command “pm path com.ufo.miner” is used. Looking into that UFO Miner, we find that this is Android malware installing a crypto miner.
- Catching mobile malware is interesting and fun
- Can create awareness about getting Mobile Device Management policies in place
- Demonstrate the importance of security updates and 3rd party security software for mobile devices
Tanner & Snare
SNARE is a web application honeypot sensor attracting all sorts of maliciousness from the Internet.
TANNER is a remote data analysis and classification service that evaluates HTTP requests and composes the response then served by SNARE. TANNER uses multiple application vulnerability type emulation techniques when providing responses for SNARE. In addition, TANNER provides Dorks for SNARE, powering its luring capabilities.
As seen below, the bulk of these attacks come from systems that expect a certain reply. They send a GET request for information, which our HoneyPot recognizes and answers with an appropriate reply. This gives a clear overview of the types of content commonly requested from web servers, which you can in turn use to prioritize the hardening of your own systems. Certain websites might give away valuable information through a simple GET request.
An interesting example from personal experience is a customer who had their KeePass database “in the cloud”. Running wget from Linux was enough to download the entire password database.
- Least privilege and properly securing all files on anything connected to a network is vitally important
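The KeePass story above is the kind of request a web server's own access log already records; the problem is that nobody looks for it. The following is an added example, not code from the original article or from SNARE/TANNER: it parses access-log lines in the combined format Apache and nginx write (an assumption; adjust the regex for other formats), flags requests for sensitive artifacts such as a .kdbx database, and separates the ones that were actually served (2xx) from the ones that were merely probed. The log lines are constructed.

```python
# Added example, not from the original article or from SNARE/TANNER: scan web
# server access-log lines for requests that fetch sensitive files (the KeePass
# database above being the cautionary case) and report which ones were served.
import re
from collections import Counter

# Combined/common log format as written by Apache or nginx (assumption: that
# format; adapt the regex if your server logs differently).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Path patterns that should never be fetchable from a public web root.
SENSITIVE = [
    (re.compile(r"\.kdbx$", re.I), "KeePass password database"),
    (re.compile(r"(^|/)\.env$"), "dotenv secrets file"),
    (re.compile(r"(^|/)\.git(/|$)"), "git repository metadata"),
    (re.compile(r"\.(bak|old|orig|sql|zip|tar\.gz)$", re.I), "backup or archive"),
]


def parse_log_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_path(path):
    """Return a label for a sensitive path, or None. The query string is ignored."""
    path = path.split("?", 1)[0]
    for pattern, label in SENSITIVE:
        if pattern.search(path):
            return label
    return None


def sensitive_requests(lines):
    """One finding per request for a sensitive path; 'served' marks a 2xx answer."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if not rec:
            continue
        label = classify_path(rec["path"])
        if label:
            findings.append({
                "ip": rec["ip"],
                "path": rec["path"].split("?", 1)[0],
                "label": label,
                "status": int(rec["status"]),
                "served": rec["status"].startswith("2"),   # 2xx = the file went out
            })
    return findings


def served_by_source(findings):
    """How many sensitive files each client actually received."""
    return Counter(f["ip"] for f in findings if f["served"])


# Constructed sample log: one client downloads a KeePass database with wget and
# then probes for .env; another fetches a normal page and probes .git/config.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [10/May/2022:08:15:03 +0000] "GET /backup/passwords.kdbx HTTP/1.1" 200 48213 "-" "Wget/1.21"
198.51.100.7 - - [10/May/2022:08:15:09 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Wget/1.21"
203.0.113.44 - - [10/May/2022:08:16:41 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.44 - - [10/May/2022:08:16:45 +0000] "GET /.git/config HTTP/1.1" 403 153 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = sensitive_requests(SAMPLE_ACCESS_LOG.splitlines())
    for f in found:
        print(f"{f['ip']} {f['status']} {f['path']} ({f['label']})")
    print("served:", dict(served_by_source(found)))
```

A 404 or 403 on these paths is reconnaissance noise worth counting; a 200 on a .kdbx or .env path is an incident, which is why the two are kept apart. The fix on the server side is the least-privilege point above: such files should not sit under the document root at all, and the web server should deny dotfiles and backup extensions regardless.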
Redis is an in-memory data structure store, used as a distributed, in-memory key–value database, cache and message broker, with optional durability. Redis supports different kinds of abstract data structures, such as strings, lists, maps, sets, sorted sets, HyperLogLogs, bitmaps, streams, and spatial indices.
What we catch in our HoneyPot is an overview of the commands given to Redis, painting a picture of the types of data attackers try to obtain.
For example, the command “slaveof 22.214.171.124 8886” means the attacker tries to change the replication address for this Redis server, so that their server receives a copy of all the data as well.
- When using a caching system, ensure it is properly secured to prevent large portions of data from being replicated to attackers
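The slaveof command above is visible to the Redis operator too: MONITOR (or a proxy in front of Redis) shows every command together with the client address. The following is an added example, not code from the original article or from Redis or T-Pot: it parses MONITOR output lines and flags replication- and persistence-changing commands that arrive from a non-local client. The sample lines are constructed; the slaveof target address is the one quoted in the article, the client address is made up, and the treatment of unix-socket clients is an assumption about how MONITOR prints them.

```python
# Added example, not from the original article or from Redis/T-Pot: parse
# Redis MONITOR output and flag replication- or persistence-changing commands
# issued by non-local clients, the behaviour the slaveof command above shows.
import ipaddress
import re

# MONITOR line layout: <unix time> [<db> <client addr>] "cmd" "arg" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Commands that redirect data to another host or change what is written where.
HIGH_RISK = {"slaveof", "replicaof", "config", "debug", "flushall", "flushdb"}


def parse_monitor_line(line):
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    client = m.group("client")
    # "host:port" for TCP clients; assumption: unix-socket clients appear as "unix:/path"
    host = client if client.startswith("unix:") else client.rsplit(":", 1)[0].strip("[]")
    return {
        "ts": float(m.group("ts")),
        "db": int(m.group("db")),
        "client": host,
        "args": ARG_RE.findall(m.group("args")),
    }


def is_local_client(host):
    if host.startswith("unix:"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def flag_risky_commands(lines):
    """Return one finding per high-risk command coming from a non-local client."""
    findings = []
    for line in lines:
        rec = parse_monitor_line(line)
        if not rec or not rec["args"]:
            continue
        if rec["args"][0].lower() in HIGH_RISK and not is_local_client(rec["client"]):
            findings.append({"client": rec["client"], "command": " ".join(rec["args"])})
    return findings


# Constructed sample: a normal local read, the replication change seen in the
# honeypot (target address taken from the article), a remote flush, a local config read.
SAMPLE_MONITOR = """\
1652169603.107412 [0 127.0.0.1:60866] "get" "session:42"
1652169605.221830 [0 198.51.100.77:51522] "slaveof" "22.214.171.124" "8886"
1652169606.004011 [0 198.51.100.77:51522] "flushall"
1652169607.110000 [0 127.0.0.1:60870] "config" "get" "maxmemory"
"""

if __name__ == "__main__":
    for f in flag_risky_commands(SAMPLE_MONITOR.splitlines()):
        print(f"{f['client']} -> {f['command']}")
```

The detection only makes sense alongside prevention: a cache that is bound to a private interface, keeps protected-mode on and requires authentication never shows a remote slaveof in the first place, and any that does appear is then a real alert rather than background noise.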
A low interaction honeypot for the Cisco ASA component capable of detecting CVE-2018-0101, a DoS and remote code execution vulnerability.
Running this HoneyPot a few years ago would have seen a lot more hits. Nevertheless, seeing a 2018 vulnerability in a device people specifically deploy to increase security still getting this much attention is worrying, to say the least. Crime and other behaviour revolving around money usually stops when there is no more money to be gained. This means that exploiting these devices with a four-year-old vulnerability is still profitable to this day.
Mailoney is an SMTP HoneyPot, allowing you to capture the malicious use of SMTP servers. For example, we can see the command inputs and the addresses used to send or receive email. This data can be helpful to detect spam campaigns, determine the addresses used by spammers, or better configure existing email servers.
From the samples in our HoneyPot we can see that even basic email security, such as strict SPF records and strong authentication for SMTP servers, can save a lot of headaches.
- Use SPF at least, DKIM and DMARC where possible
- Strong authentication for SMTP servers
- Religiously tight patch-management for SMTP servers is advised
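Whether SPF, DKIM and DMARC are actually in place for a domain comes down to a few DNS TXT records, and the common mistakes (an SPF record ending in +all, a DMARC policy left at p=none, no reporting address) are visible in the record text itself. The following is an added example, not code from the original article or from Mailoney: it parses SPF and DMARC records and reports the gaps behind the recommendations above. The records are constructed strings, no DNS lookup is made, and whether DKIM is published is passed in as a list of selector names rather than resolved.

```python
# Added example, not from the original article or from Mailoney: parse SPF and
# DMARC TXT records (constructed values; no DNS lookups) and report the gaps
# behind the three recommendations above.
import re

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    spf = {"all": None, "lookups": 0, "mechanisms": []}
    for term in terms[1:]:
        qualifier = "+"                     # implicit qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name == "all":
            spf["all"] = qualifier          # -all fail, ~all softfail, ?all/+all no protection
        else:
            spf["mechanisms"].append((qualifier, term))
            if name in SPF_LOOKUP_TERMS:
                spf["lookups"] += 1
    return spf


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_email_auth(spf_record, dmarc_record=None, dkim_selectors=()):
    """Return findings for a domain; empty means SPF, DKIM and DMARC look sound."""
    findings = []
    spf = parse_spf(spf_record)
    if spf["all"] in (None, "+", "?"):
        findings.append("SPF does not reject unlisted senders: end it with -all (or ~all while testing)")
    if spf["lookups"] > 10:
        findings.append(f"SPF needs {spf['lookups']} DNS lookups, over the limit of 10: receivers return permerror")
    if not dkim_selectors:
        findings.append("no DKIM selector published: signatures cannot be verified")
    if dmarc_record is None:
        findings.append("no DMARC record: SPF/DKIM failures are neither acted on nor reported")
    else:
        dmarc = parse_dmarc(dmarc_record)
        if dmarc.get("p", "none").lower() == "none":
            findings.append("DMARC p=none only monitors: move to quarantine, then reject")
        if "rua" not in dmarc:
            findings.append("no rua= address: you will not see aggregate reports")
    return findings


# Constructed records: a domain that lets anyone send as it, and one that follows
# the recommendations above.
WEAK_SPF = "v=spf1 a mx +all"
GOOD_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.net"

if __name__ == "__main__":
    print("weak:", assess_email_auth(WEAK_SPF))
    print("good:", assess_email_auth(GOOD_SPF, GOOD_DMARC, dkim_selectors=("s1",)))
```

The +all case is the one that matters for the spam Mailoney records: it tells receivers to accept mail from any host as legitimate for the domain, so the record exists but protects nothing. The lookup count is included because an SPF record that is strict but exceeds ten lookups fails with a permerror, which in practice is the same as having none.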
Not a HoneyPot but a nice visualization offered in T-Pot, displaying the most common passwords caught in all of the HoneyPots. The query run to generate this visualization:
type.keyword:"Cowrie" OR type.keyword:"Dionaea" OR type.keyword:"Heralding" OR type.keyword:"RDPY"
No surprises there, as these have been the most popular passwords for years now. It just goes to show that good password hygiene, next to patch management and least privilege, remains the low-hanging fruit of cybersecurity.
While there is a lot more information to be gained, analyzed and reported from these HoneyPots, a quick dive into the data from just the dashboards alone paints a clear picture of the types of attacks happening. This is data that can be used to quickly identify where the biggest gains in security posture can be made, and to communicate clearly the invisible traffic, a lot of which would otherwise remain unseen by the C-level or customers.
This also did not cover all the HoneyPots available, just the ones that actually caught data. Running different configurations and operating in different IP blocks around the world will certainly change the data you catch.
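The password panel above, the Cowrie brute-force logs and the 6000-attempt VNC burst in Heralding are all the same analysis: group login events by source and count what was tried. The following is an added example, not code from the original article or from T-Pot, Cowrie or Heralding, that runs that analysis over Cowrie-style JSON events without a dashboard: it lists sources that crossed a failure threshold, the most tried passwords, and, the case that matters on a real server rather than a honeypot, sources that eventually succeeded after failing. The log lines are constructed; the field names (eventid, src_ip, username, password, timestamp) follow Cowrie's JSON output as I understand it and should be checked against your own deployment.

```python
# Added example, not from the original article or from T-Pot/Cowrie/Heralding:
# brute-force and password statistics over Cowrie-style JSON login events.
import json
from collections import Counter, defaultdict

LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")


def parse_events(text):
    """One JSON object per line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def login_events(events):
    return [e for e in events if e.get("eventid") in LOGIN_EVENTS]


def brute_force_sources(events, threshold=5):
    """Sources with at least `threshold` failed logins, with their counts."""
    fails = Counter(e["src_ip"] for e in login_events(events)
                    if e["eventid"] == "cowrie.login.failed")
    return {ip: n for ip, n in fails.items() if n >= threshold}


def top_passwords(events, n=5):
    """The dashboard panel above, computed directly: most tried passwords."""
    return Counter(e["password"] for e in login_events(events)).most_common(n)


def success_after_failures(events):
    """Sources that logged in after failing: on a honeypot that is the norm,
    on a production host it is the alert that matters. Returns
    {src_ip: (failures before success, username, password)}."""
    failed = defaultdict(int)
    hits = {}
    for e in sorted(login_events(events), key=lambda e: e["timestamp"]):
        ip = e["src_ip"]
        if e["eventid"] == "cowrie.login.failed":
            failed[ip] += 1
        elif failed[ip] > 0 and ip not in hits:
            hits[ip] = (failed[ip], e["username"], e["password"])
    return hits


# Constructed sample in Cowrie's JSON event style (assumption: these field
# names match Cowrie's jsonlog output; verify against your own logs).
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.23","timestamp":"2022-05-10T08:00:01Z","session":"a1"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","src_ip":"198.51.100.23","timestamp":"2022-05-10T08:00:02Z","session":"a1"}
{"eventid":"cowrie.login.failed","username":"root","password":"password","src_ip":"198.51.100.23","timestamp":"2022-05-10T08:00:03Z","session":"a1"}
{"eventid":"cowrie.login.failed","username":"admin","password":"123456","src_ip":"198.51.100.23","timestamp":"2022-05-10T08:00:04Z","session":"a2"}
{"eventid":"cowrie.login.failed","username":"admin","password":"root","src_ip":"198.51.100.23","timestamp":"2022-05-10T08:00:05Z","session":"a2"}
{"eventid":"cowrie.login.success","username":"admin","password":"admin","src_ip":"198.51.100.23","timestamp":"2022-05-10T08:00:06Z","session":"a2"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.9","timestamp":"2022-05-10T09:12:40Z","session":"b1"}
{"eventid":"cowrie.login.failed","username":"pi","password":"123456","src_ip":"203.0.113.9","timestamp":"2022-05-10T09:12:44Z","session":"b1"}
not json at all
"""

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("brute force:", brute_force_sources(events))
    print("top passwords:", top_passwords(events, 3))
    print("succeeded after failing:", success_after_failures(events))
```

The threshold is deliberately a parameter: on a honeypot five failures from one source is routine, on a production SSH or VNC service it is already the point at which the firewall rule from the recommendations above should kick in. The password counter reproduces the Kibana panel for the same data, which is useful when you want the numbers in a report without screenshotting a dashboard.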