Azure Honeypot


Intro

Welcome! In this post, we will embark on a journey to open up a digital coliseum, where digital gladiators (bots, crawlers and bad actors) vie for supremacy in the art of cyber warfare. Join me as we uncover the thrilling encounters and unexpected lessons from this cyber gladiator showdown all from the safety of our digitized arena.

Objective

  • Set up a honeypot in Azure in order to review the attacks, methods and techniques used by bad actors.

A honeypot is a deceptive system designed to lure hackers and cybercriminals into a controlled environment by mimicking vulnerable systems. It aims to gather insights into attack tactics and methods.

System Requirements

The T-Pot installation needs at least 8-16 GB RAM, 128 GB free disk space as well as a working internet connection.

  • In this guide we will use Azure and T-Pot to create our honeypot.

T-Pot is the all-in-one, optionally distributed, multiarch (amd64, arm64) honeypot platform, supporting 20+ honeypots and countless visualization options using the Elastic Stack, animated live attack maps and lots of security tools to further improve the deception experience.


Setting up Azure VM

  • Navigate to the Azure portal and click on Create Virtual Machine.

  • Name your VM, select a Resource Group, and choose your region.

  • For the image, select Debian 11 "Bullseye" - x64 Gen2.

  • Choose Standard_B4ms for the size of the VM.

  • Fill in the user name and key pair name for SSH authentication.

  • In the OS Disk section, set the size to 128 GB (as per the system requirements for T-Pot). Keep all other defaults.

  • Click on Create to create the VM and download the private key to connect to the VM.

  • Accept the defaults for public inbound port for SSH (22) which will allow us to SSH into our VM.

  • After creating the VM, let's head back to Network settings and restrict SSH so that only My IP is allowed: click on your Virtual Machine > Network Settings > Create Port Rule.


Configuring PuTTy to SSH into VM

I will use PuTTY to SSH into my Azure VM. In order to do so, we will need PuTTY and our Azure VM private key. Since PuTTY doesn't use the same key format as the Azure private key (.pem), we will need to convert the Azure key into PuTTY's .ppk format for use in PuTTY.

  • If you haven't already done so, head over to https://www.putty.org/ and click Download PuTTY.

  • Once downloaded, select puttygen.

  • Click Load

  • Select your Azure VM Private Key (you may need to select "All Files" when browsing to find your .pem key)

  • Once the Key has been loaded, the new key will automatically generate. Click on save private key and save in a suitable location.

  • Open PuTTY

    • We will add our newly generated key to start a new SSH session.

    • Select +Connection > +SSH > +Auth > +Credentials

    • Under private key file: browse to the newly created .ppk key.

  • In PuTTY, scroll back up to Session and type in the IP address of your Azure VM.

    • You will be prompted with "login as"; if you kept the defaults, log in as azureuser. If you set a passphrase in the previous step, enter it here.


Configuring VM & Installing T-Pot

  • Once logged into your Azure VM, run the following commands:

      sudo apt update && sudo apt upgrade -y
      sudo apt install git
      git clone https://github.com/telekom-security/tpotce

  • Once complete, cd into tpotce and start the installer:

      cd tpotce
      ./install.sh --type=user

  • When installing, you will be asked which installation type you'd like to complete; let's go with (h) for Hive, which installs T-Pot Hive: ELK and Tools.

  • When installing, you will be prompted to select username/password to login to Web Console.

  • After completion, we will need to reboot:

      sudo reboot

  • After the reboot is complete, head back to Virtual Machine > Network Settings, edit the SSH rule and add the additional rules below:

  • T-Pot management: SSH port 64295 from My IP

  • T-Pot web management: Port 64297 from My IP

  • Allow all else: 0-64293,64298-65535 from Any
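As an added example that is not part of the original post, the following Python check verifies the property the three rules above are meant to give you: the T-Pot management ports (64295 and 64297) are reachable only from My IP, and the catch-all honeypot rule does not swallow them. The rule records are constructed to mirror the field names of `az network nsg rule list -o json`; the admin IP, rule names and priorities are assumptions.

```python
"""Audit inbound NSG rules of a T-Pot VM: management ports reachable only
from the admin IP, and no other rule may expose them. Rules are constructed
to mirror the field names of `az network nsg rule list -o json`; the values
are invented. Deny rules are ignored, so this is a sanity check only."""

MGMT_PORTS = {64295, 64297}      # T-Pot SSH and web management ports
ADMIN_IP = "203.0.113.10/32"     # constructed "My IP" (TEST-NET-3 range)

def rule(name, prio, src, ports):
    """Build one inbound Allow rule in the az CLI output shape."""
    return {"name": name, "priority": prio, "access": "Allow", "direction": "Inbound",
            "sourceAddressPrefix": src, "destinationPortRange": None, "destinationPortRanges": ports}

# The three rules the walkthrough adds after the reboot.
GOOD_RULES = [
    rule("tpot-ssh", 300, ADMIN_IP, ["64295"]),
    rule("tpot-web", 310, ADMIN_IP, ["64297"]),
    rule("honeypot-any", 320, "*", ["0-64293", "64298-65535"]),
]
# A common slip: the catch-all range also covers the management ports, and the web rule is missing.
BAD_RULES = [
    rule("tpot-ssh", 300, ADMIN_IP, ["64295"]),
    rule("honeypot-any", 320, "*", ["0-65535"]),
]

def port_set(r):
    """Expand a rule's port ranges ("22", "0-64293", "*") into a set of ints."""
    ranges = r.get("destinationPortRanges") or [r.get("destinationPortRange")]
    ports = set()
    for spec in ranges:
        if spec == "*":
            return set(range(65536))
        lo, _, hi = spec.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(rules, admin_ip=ADMIN_IP):
    """Return a list of findings; an empty list means the rule set is sane."""
    findings, reachable_by_admin = [], set()
    for r in rules:
        if r["direction"] != "Inbound" or r["access"] != "Allow":
            continue
        exposed = port_set(r) & MGMT_PORTS
        if exposed and r["sourceAddressPrefix"] == admin_ip:
            reachable_by_admin |= exposed
        elif exposed:
            findings.append(f"{r['name']}: management port(s) {sorted(exposed)} "
                            f"open to {r['sourceAddressPrefix']}")
    for p in sorted(MGMT_PORTS - reachable_by_admin):
        findings.append(f"port {p} is not allowed from {admin_ip}: you would be locked out")
    return findings
```

Feed it the real output of `az network nsg rule list -g <RG> --nsg-name <NSG> -o json` (loaded with `json.load`) and your own IP in place of the constructed values to check a live VM.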


Logging into T-Pot Web Console, Attack Map, Kibana

  • To log in to the T-Pot console, head to your Azure VM and copy the Public IP Address.

  • In your address bar type in the following and replace <PUBLIC_IP> with your Azure VM IP (you will be presented to sign in with your credentials):

      https://<PUBLIC_IP>:64297

  • On the T-Pot Landing Page just click on Attack Map and you will be forwarded to the animated live Attack Map. Attack Map is a live map that shows a visual of the number of attacks by Service, Port, Country and Geo location.

  • Let's head back to the main page and select Kibana.

Kibana

Kibana is an open-source data visualization and exploration platform. It helps to analyze data with custom visualizations, dashboards, and charts to make sense of complex information. We can use it to identify patterns, trends, and anomalies in the obtained data. We can select from a large variety of dashboards.

  • We will be taking a look at the Cowrie and Suricata dashboards:

    Cowrie

    Cowrie is a key component of the honeypot setup, simulating SSH and Telnet servers to mimic genuine systems that attackers might target. When attackers engage with Cowrie, it logs their actions, commands, and behavior, capturing the tools and methods they employ.

    Suricata

    Suricata is an open-source Network Intrusion Detection System (NIDS), Network Intrusion Prevention System (NIPS), and Network Security Monitoring (NSM) tool. It is designed to monitor network traffic in real-time and detect malicious activities, suspicious behavior, and security threats.

  • After leaving the Virtual Machine running for 11 hours and 15 minutes, the following data was aggregated:


Findings

Over the course of the 11 hours and 15 minutes there were over 11,676 SSH and Telnet attacks and over 1.2 million events on the Suricata dashboard. I performed OSINT on two of the files that attackers downloaded onto the honeypot:
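The figures above come from the Kibana dashboards, but the same numbers can be pulled straight from Cowrie's JSON log. The following Python script is an added example (not code from the original post or from the T-Pot/Cowrie projects): it counts login attempts per protocol, ranks the credentials tried and lists the SHA256 of every dropped file for OSINT lookup. The log lines are constructed for this example; the eventids and field names follow Cowrie's log format, the IPs come from documentation ranges, and the download hash is the one analysed as Hash 1 below.

```python
"""Triage Cowrie's JSON log (cowrie.json, one event per line): count SSH and
Telnet login attempts, rank the credentials tried and list the SHA256 of
every file attackers dropped, ready for an OSINT lookup. The log lines are
constructed for this example; eventids and field names follow Cowrie's log
format, IPs come from documentation ranges, and the download hash is the
one analysed as Hash 1 in the post."""
import json
from collections import Counter

SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"a1","protocol":"ssh","timestamp":"2024-01-01T00:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"a1","username":"root","password":"123456","timestamp":"2024-01-01T00:00:02Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"a1","username":"root","password":"admin","timestamp":"2024-01-01T00:00:03Z"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.44","session":"b2","protocol":"telnet","timestamp":"2024-01-01T00:00:04Z"}
{"eventid":"cowrie.login.success","src_ip":"192.0.2.44","session":"b2","username":"root","password":"123456","timestamp":"2024-01-01T00:00:05Z"}
{"eventid":"cowrie.session.file_download","src_ip":"192.0.2.44","session":"b2","url":"http://192.0.2.99/bins.sh","shasum":"d46555af1173d22f07c37ef9c1e0e74fd68db022f2b6fb3ab5388d2c5bc6a98e","timestamp":"2024-01-01T00:00:06Z"}
garbage line: a truncated write must not abort the whole run
"""

def parse_events(text):
    """Yield one dict per valid JSON line, skipping anything unparseable."""
    for line in text.splitlines():
        try:
            yield json.loads(line)
        except ValueError:
            continue

def triage(text):
    """Summarise a Cowrie log into the figures a findings section needs."""
    events = list(parse_events(text))
    # The protocol lives on the connect event; join login events to it by session id.
    proto = {e["session"]: e["protocol"]
             for e in events if e["eventid"] == "cowrie.session.connect"}
    logins = [e for e in events
              if e["eventid"] in ("cowrie.login.failed", "cowrie.login.success")]
    return {
        "attempts_by_protocol": Counter(proto.get(e["session"], "unknown") for e in logins),
        "successes": sum(e["eventid"] == "cowrie.login.success" for e in logins),
        "top_credentials": Counter((e["username"], e["password"]) for e in logins).most_common(3),
        "top_sources": Counter(e["src_ip"] for e in logins).most_common(3),
        # Unique (sha256, url) pairs: hashes go to VirusTotal/OSINT, URLs to blocklists.
        "downloads": sorted({(e["shasum"], e["url"]) for e in events
                             if e["eventid"] == "cowrie.session.file_download"}),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a T-Pot host, replace SAMPLE_LOG with the contents of the Cowrie log file under T-Pot's data directory (the exact path depends on your T-Pot version).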

Hash 1: Shell Script

d46555af1173d22f07c37ef9c1e0e74fd68db022f2b6fb3ab5388d2c5bc6a98e

  • File Characteristics:

    • File Type: Shell Script

    • File Size: 795 bytes

  • Behavioral Flags Detected:

    • Linux Base64 Encoded Pipe to Shell

    • Disable or Stop Services

    • Persistence via Cron Files

    • Experimental TCP Options

    • Data Sent on Stream After TCP Reset Sent

    • Suricata Stream Packet with Invalid Timestamp

    • Detects Debug Environment

    • Self-Deletes

  • Summary: The detected file showcases a range of malicious behaviors typical of an advanced attack toolkit designed to compromise a target system and maintain control over it.

    Impact:

    • Service Disruption: Potentially disables critical services, disrupting operations.

    • Persistence: Establishes persistence through cron jobs, ensuring ongoing access to the compromised system.

    • Network Manipulation: Engages in manipulating network traffic using experimental TCP options.

    • Evasion Tactics: Attempts to evade detection through manipulation of timestamps and detection of debug environments.

    • Cover-up: Self-deletes to erase traces.

This shell script poses significant risks by compromising system integrity, leading to operational disruptions and data security breaches. Immediate isolation and thorough analysis are recommended to mitigate further damage.


Hash 2: Cryptocurrency Miner

ea9f3911ff2884621874c1e98b5dc9139964adeab333b92816eb5c307d73a67f

  • File Characteristics:

    • Type: ELF (Executable and Linkable Format)

    • Size: 1.1 MB

    • Detection: Riskware.Linux.Bitcoin Miner

    • Attributes: ARM architecture, UPX compression, uses shared libraries (.so files)

  • Summary: Likely a cryptocurrency mining tool targeting Linux systems.

  • Impact: Consumes system resources covertly, potentially degrading performance and increasing energy costs.

    This file, flagged as Riskware.Linux.Bitcoin Miner, targets Linux systems and employs ARM architecture and UPX compression. It includes shared libraries for additional functionality. This indicates a likely cryptocurrency mining tool that consumes system resources covertly, impacting performance and increasing costs.


Conclusion

The experience of running this honeypot has been enlightening and eye-opening. It demonstrated the relentless nature of cyber threats and the speed at which attackers can exploit vulnerabilities. During the course of this project I encountered a range of attacks, from SSH brute-force attempts to DDoS attacks. Witnessing the global reach of these attacks gave me a sense of the interconnectedness and vulnerability of the cyber landscape worldwide.

This project has not only provided practical insights into cybersecurity but also reinforced the need for vigilance, proactive defenses, and continuous monitoring in safeguarding your digital systems. As we conclude this journey, I encourage everyone to stay informed and continue exploring ways to obtain first-hand practical experience with the attacks, techniques and methods that attackers employ. Thank you for joining me on this learning adventure, and until next time!