Honeypot Discussions Part-3
In this article, we will end the honeypot trilogy. If you haven’t read yet Part-1 and Part-2, you may take a look at them first. Or we can directly enter a honeynet world where we will be establishing Modern Honey Network setup.
The Modern Honey Network (MHN) which is an open source installation consisting of many honeypot sensors will be explained here as an example based on the definitions made.
Modern Honey Network
The Modern Honey Network is a honeynet system consisting of many honeypot sensors. MHN is characterized by low or high interaction depending on the complexity. High interactive environments can encourage a hacker to spend a lot of time in a fake environment, leaving too many clues and wasting their time. The low interactive honeypot collects only basic information about invasive behavior, but is smaller and uses fewer resources.
MHN collects visitor data through its honeypots, but comparing it to years of traffic data collected from networks around the world makes it more efficient. Because the threat intelligence framework can compare web traffic logs with an ever-growing threat log, much higher quality intelligence is available.
People who run a network must protect their assets for the good of the company. It is also important to protect computers from being used by an outsider to attack others (zombie PC). The network’s ability to process data can also be used by attackers to send spam after it is hacked by others without the agency’s knowledge.
Today, threat intelligence is becoming the cornerstone of security. Therefore, organizations large and small make threat intelligence part of their daily security operations. However, the differences persist and blind spots are pointed out that need to be addressed.
To summarize the MHN and its sensors before installation:
MHN enables the creation of honeynet networks and analysis of data collected through these networks with sensor infrastructure developed as open source software and easily applicable to large networks. MHN saves the information it collects on MongoDB and provides it through a web interface or API (including integration with Logsign, Splunk and Arcsight SIEM tools).
MHN allows many open source honeypot services to be easily installed and distributed to other sensors only by copy/paste method. In this way, it allows data from other absorbers to be tracked from a single screen. In doing so, it communicates through the open source hpfeeds protocol.
Ready-made honeypot sensors that can be installed with MHN are as follows:
- Snort: It is not a honeypot service, but it is an IDS/IPS service that can be very helpful in detecting and preventing attacks. It is software developed by Sourcefire and acquired by Cisco but continues its open source life. Although the ready-made snort deployment sensor houses the old Snort version but you can directly update the rules manually and use it by new rules.
- Suricata: Provides an IDS/IPS service and security monitoring service, although it was not developed as long ago as snort, it has good community support and multithreading and data processing power is very fast.
- Dionaea: A sensor that supports IPv6 and TLS, has a python library installed and features libemu for shellcode detection. Dionaea’s goal is to trap malware that exploits vulnerabilities exposed by services to a network; the ultimate goal is to obtain a copy of the malware.
- Conpot: A sensor that works like fake versions of simple services and protocols for low-interactive Industrial Management Systems (ICS).
- Cowrie: It is a moderately interactive SSH honeypot sensor, it has many beautiful features such as downloading and uploading files.
- Amun: Another low interactive honeypot sensor based on Python.
- Shockpot: A sensor used to detect attackers trying to exploit the CVE-2014–6271 vulnerability.
- P0f: a simple passive operating system detection sensor.
- ElasticHoney: ElasticSearch is a sensor created to capture attackers exploiting remote code execution (RCE) vulnerabilities.
- Wordpot: A sensor created to detect attackers scanning Wordpress setup pages and components such as wordpress plug-ins.
Modern Honey Network (MHN) Installation
The hardware requirements on the MHN wiki page are as follows:
For MHN Server:
- Ubuntu 18.04.6 LTS
- 4 GB RAM
- Dual Core CPU
- 40 GB HDD
For honeypots (sensors):
- Ubuntu 18.04.6 LTS
- 512 MB — 1 GB RAM
- Dual Core CPU
- 20 GB HDD
Some of the honeypots use same ports. In these case there might be manually change these ports. Conpot, wordpot and shockpot honeypot sensors all use 80 ports, Amun and Dionaea Windows ports. In this article, only Cowrie and Worpot honeypot sensors will be installed and if other honeypots are asked to be installed, these issues should be considered.
Git setup:sudo apt install git -yMHN installation:cd /opt/sudo git clone https://github.com/pwnlandia/mhn.gitcd mhn/sudo ./install.sh
The installation phase which is written above, might take time according to the hardware specifications of the server. If the installation is completed without problems, a screen will arrive where mhn configuration settings must be entered. These settings can be entered as desired. The places left empty below were passed by pressing Enter to keep them the same.
===========================================================MHN Configuration===========================================================Do you wish to run in Debug mode?: y/n nSuperuser email: MHNtest@testmail.comSuperuser password:*****Server base url [“http://192.168.0.25"]:Honeymap url [“http:// 192.168.0.25:3000”]:Mail server address [“localhost”]:Mail server port :Use TLS for email?: y/n nUse SSL for email?: y/n nMail server username [“”]:Mail server password [“”]:Mail default sender [“”]:Path for log file [“mhn.log”]:
After completing this stage, it is necessary to wait a while longer. In this process, configurations are in progress and after the configurations were finished, MHN’s working services can be viewed by typing the following command into the terminal. (Figure 1)
sudo supervisorctl status
As in the image above, such an error is expected in Honeymap in the output received and does not interfere with the operation of other sensors.
Since the installation is completed smoothly, it is necessary to enter the interface of the MHN by opening the web browser to proceed to other stages and typing in the URL http://192.168.0.25. By this way we have set for the MHN server during the configuration phase. (Figure 2)
Afterwards, it is necessary to log into the system with the user name and password specified during the configuration phase. This will access the homepage of the MHN. (Figure 3)
By clicking Deploy, all honeypot sensors that can be used by default with MHN can be viewed. Select Script can determine the script required for these honeypot sensors.
However, before this, we need to install OpenSSH both for the operation of some honeypots and for the facilitation of remote management.
sudo apt-get install openssh-server
Let’s continue with an honeypot sensor which called a Cowrie. We need to copy the script in the Deploy Command section displayed in the”Figure 4" for the Cowrie to be installed and paste it into the terminal on a different virtual machine that will act as a sensor.
Since a honeynet simulation consisting of honeypots will be performed, it is enough to paste the command we copied from the server into the terminal on the machine that will be the honeypot sensor.
wget “http://192.168.0.25/api/script/?text=true&script_id=3" -O deploy.sh && sudo bash deploy.sh http://192.168.0.25 f3B5R1fe
This connection will end if the Cowrie honeypot is connected with SSH when the installation is completed smoothly. Because of this honeypot structure will configure the common SSH port from 22 to 2222. By this way it will be rejecting requests to 22 ports and perceiving them as attacks due to sensor duty. On this occasion, it is necessary not to consider the SSH requests to be made to the 22 ports of the honeypot in good faith.
After the installation is completed, it is seen that the new Cowrie honeypot sensor with IP address 192.168.0.26 has been added, as shown in the image above when the page is refreshed by coming to Sensors page. (Figure 5)
As shown in Figure 6 and Figure 7, when attempting to connect to the 192,168.0.26 IP address machine with the Cowrie honeypot sensor for testing purposes with SSH, the connection will fail to default port 22 and the MHN server will be notified that this is an attack.
As can be seen in the image above, 192.168.0.26 Cowrie honeypot sensor is displayed in one attack. In order to get details; By clicking “1” on the value in Attacks, details of the source and target port of this attack can be accessed as in the image below.
When the details of the release are examined, it is seen that SSH connection was attempted from ip address 192.168.0.27 to 22 port of honeypot machine with IP address 192.168.0.26. The SSH connection attempt failed even though the username and password were correct. When the reconnect is tried, but this time trying to connect from 2222 instead of the default SSH port 22, an SSH connection can be provided without error and without sending an attack notification to the honeypot server. (Figure 9)
Wordpot honeypot sensor will be installed to detect attacks on wordpress web applications and plugins.
The command in Deploy Command must be copied and pasted into the terminal on the honeypot machine where the installation will be performed, as in Cowrie. (Figure 10)
wget “http://192.168.0.25/api/script/?text=true&script_id=11" -O deploy.sh && sudo bash deploy.sh http://192.168.0.25 eTw9mCnK
Then, when you return to the interface of the MHN Server, it will be seen that the new Wordpot honeypot sensor with IP address 192.168.0.28 has been added, as shown in the following image in 2nd place.
It is seen that the honeypot sensor raises a wordpress web application by typing the IP address 192.168.0.28 in the URL in the web application on any machine on the same network. (Figure 12)
In order to simulate a more offensive attack than cowrie, an operating system equipped with offensive tools Kali Linux will use here. Because there are some active scan is required using the tools on it. An active scan can be performed using the CMS Scan tool. (Figure 13)
It appears that the attack was detected when the target entered the http://192.168.0.28 and started the scanning process and returned to the interface of the MHN honeypot server while this process was in progress. (Figure 14)
When the details of this attack on the 192.168.0.28 machine with the Wordpot honeypot sensor installed are displayed, it is displayed that the attack came from the 192.168.0.29 IP address machine to the 80 ports of the with the IP address 192.168.0.28 host by using the HTTP connection. (Figure 15)
Thus, a honeynet network was created, configured with the installation of the Modern Honey Network server, Cowrie honeypot sensor and Wordpot honeypot sensor. As a result of the tests, it is seen that there is a smooth installation and the honeypot server and sensors are actively working in accordance with their purpose. As here, the installation and use of many sensors is made possible because it is part of the Modern Honey Network.
In providing this protection, every possible source is benefited and just like in real life, honeypots which are trap systems that only malicious individuals will try to access, reinforce instant protection, as well as obtain the raw data necessary to analyze current threats and the methods used by these threat actors with simultaneous intelligence obtained from them.
In this article, in order to minimize the risk of damage, theft and encryption of digital data, a detailed examination of what honeypots are; details on how it works, how it is used and how it is classified by type are shared. By following the details in this shared document, it is possible for organizations to create a honeynet of honeypots to protect their data or for researchers to examine threats and methods of threat actors.
Honeypots are very important systems for detecting and analyzing attacks on external attack surfaces, as well as the movements of malicious users or infiltrated attackers, despite all security tightening of the systems. I have benefited from many sources on the internet in this article. The details of the use of open source honeypots, which are already widely used are emphasized and exemplified how to set them up. This study will be a useful document for anyone who wants to research attack detection and the methods of attack used, who is curious about the concept of honeypot and how it works, who wants to make a honeynet installation of honeypots.