What did I say to make you stop talking to me? (Tue, Jan 30th)

We use Cowrie to emulate an SSH and Telnet server for our honeypots. Cowrie is great software maintained by Michel Oosterhof [1]. The honeypot is a reasonable emulation of such a server, easy to maintain, and very feature-rich for even more advanced analysis. We only use it in its simplest form for our DShield sensor.

Attackers are interested in detecting honeypots; over the years, we have seen various ways to do so. But so far, we have not done much to prevent this. We randomize some of the parameters, but overall, we just run a “stock” Cowrie install. There is, however, a relatively easy method to find out what gave the honeypot away after the attacker connected.

Most attackers will immediately disconnect after they realize they have found a honeypot. So, as a simple method, you just find out which command an attacker executed last before disconnecting. I just did this for some of our larger honeypots, investigating about 10 million Cowrie sessions. By far the most common “last command” was:

/bin/busybox cat /proc/self/exe || cat /proc/self/exe

On my “stock” Cowrie honeypot, the output is:

#  /bin/busybox cat /proc/self/exe || cat /proc/self/exe
cat: /proc/self/exe: No such file or directory
cat: /proc/self/exe: No such file or directory

On a normal Linux system, this returns the binary of the current process, which would be bash or whatever shell is running. Either way, the file exists. Luckily, Cowrie’s customizable honeypot filesystem makes this easy to fix.

There are a few other commands that are commonly the “last used” command:

which ls

For the honeypot, this command returns nothing, while on a normal system it returns “/usr/bin/ls”. This is easily fixed by customizing the “which” command of the honeypot.

Another interesting trick that attackers appear to use is running openssl to detect the honeypot. For example:

openssl passwd -1 zwMUEG67

On a normal system, this would return a salted MD5 password hash. But the honeypot does not offer openssl.
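The “last command per session” tally described above, written out as an added example (not code from the diary or from the Cowrie project). It reads Cowrie’s JSON log line by line and assumes the event names cowrie.command.input and cowrie.session.closed and the session and input fields as they appear in that log; the log lines embedded here are constructed.

```python
import json
from collections import Counter

# Constructed sample of Cowrie JSON log lines (cowrie.json); real entries carry more fields.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","session":"s1","src_ip":"192.0.2.10"}
{"eventid":"cowrie.command.input","session":"s1","input":"uname -a"}
{"eventid":"cowrie.command.input","session":"s1","input":"/bin/busybox cat /proc/self/exe || cat /proc/self/exe"}
{"eventid":"cowrie.session.closed","session":"s1"}
{"eventid":"cowrie.command.input","session":"s2","input":"/bin/busybox cat /proc/self/exe || cat /proc/self/exe"}
{"eventid":"cowrie.session.closed","session":"s2"}
{"eventid":"cowrie.command.input","session":"s3","input":"cd /tmp"}
{"eventid":"cowrie.command.input","session":"s3","input":"which ls"}
{"eventid":"cowrie.session.closed","session":"s3"}
{"eventid":"cowrie.command.input","session":"s4","input":"openssl passwd -1 zwMUEG67"}
{"eventid":"cowrie.command.input","session":"s5","input":"which ls"}
{"eventid":"cowrie.session.closed","session":"s5"}
{"eventid":"cowrie.command.input","session":"s6","input":" /bin/busybox cat /proc/self/exe || cat /proc/self/exe "}
{"eventid":"cowrie.session.closed","session":"s6"}
this line is not JSON and is skipped
"""

def last_commands(lines):
    """Map session id -> last command typed, for sessions that have closed.
    Sessions still open at the end of the log are dropped (s4 above)."""
    last, closed = {}, set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line; ignore it
        sid, eid = ev.get("session"), ev.get("eventid")
        if eid == "cowrie.command.input" and sid:
            last[sid] = ev.get("input", "").strip()  # overwritten until the session closes
        elif eid == "cowrie.session.closed" and sid:
            closed.add(sid)
    return {s: cmd for s, cmd in last.items() if s in closed and cmd}

def rank_last_commands(lines, top=10):
    """Most common last commands, i.e. the likely honeypot giveaways."""
    return Counter(last_commands(lines).values()).most_common(top)

if __name__ == "__main__":
    for cmd, n in rank_last_commands(SAMPLE_LOG.splitlines()):
        print(f"{n:>4}  {cmd}")
```

Run it against a real cowrie.json by passing `open("cowrie.json")` instead of the sample lines; sessions that never send a cowrie.session.closed event are left out so an open session is not mistaken for a disconnect.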

I am now working on adjusting our honeypot configuration to emulate some of these commands better. After all, we do want to keep talking :).

[1] https://github.com/cowrie/cowrie


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.