Intro
Welcome! In this post, we will embark on a journey to open up a digital coliseum, where digital gladiators (bots, crawlers and bad actors) vie for supremacy in the art of cyber warfare. Join me as we uncover the thrilling encounters and unexpected lessons from this cyber gladiator showdown, all from the safety of our digitized arena.
Objective
- Set up a honeypot in Azure in order to review the attacks, methods and techniques used by bad actors.
A honeypot is a deceptive system designed to lure hackers and cybercriminals into a controlled environment by mimicking vulnerable systems. It aims to gather insights into attack tactics and methods.
System Requirements
The T-Pot installation needs at least 8-16 GB RAM, 128 GB of free disk space, as well as a working internet connection.
- In this guide we will utilize Azure and T-Pot to create our honeypot.
T-Pot is the all-in-one, optionally distributed, multiarch (amd64, arm64) honeypot platform, supporting 20+ honeypots and countless visualization options using the Elastic Stack, animated live attack maps and lots of security tools to further improve the deception experience.
Setting up Azure VM
- Navigate to the Azure portal and click on Create Virtual Machine. Name your VM, select a Resource Group, and choose your region.
- For the image, select Debian 11 "Bullseye" - x64 Gen2. Choose Standard_B4ms for the size of the VM. Fill in the user name and key pair name for SSH authentication.
- In the OS Disk section, set the size to 128 GB (as per the system requirements for T-Pot). Keep all other defaults.
- Click on Create to create the VM, then download the private key that you will use to connect to the VM.
- Accept the defaults for the public inbound port for SSH (22), which will allow us to SSH into our VM.
- After creating the VM, let's head back to Network settings and change the SSH rule to only allow My IP: click on your Virtual Machine > Network Settings > Create Port Rule.
Configuring PuTTY to SSH into the VM
I will utilize PuTTY to SSH into my Azure VM. In order to do so, we will require PuTTY and our Azure VM private key. Since PuTTY does not use the same key format as the Azure VM private key, we will need to convert the Azure private key into PuTTY's .ppk format before we can use it in PuTTY.
If you haven't already done so, head over to https://www.putty.org/ and click Download PuTTY.
Once downloaded, open PuTTYgen.
Click Load.
Select your Azure VM private key (you may need to select "All Files" when browsing to find your .pem key).
Once the key has been loaded, the new key will be generated automatically. Click on Save private key and save it in a suitable location.
Open PuTTY.
We will add our newly generated key to start a new SSH session.
Select +Connection > +SSH > +Auth > +Credentials.
Under Private key file: browse to the newly created .ppk key.
In PuTTY, scroll back up to Session and type in the IP address of your Azure VM.
- You will be prompted with "login as"; if you've kept the defaults, log in as azureuser. If you set a passphrase in the previous step, enter it here.
Configuring VM & Installing T-Pot
- Once logged into your Azure VM, run the following commands:
sudo apt update && sudo apt upgrade -y
sudo apt install git
git clone https://github.com/telekom-security/tpotce
- Once complete, cd into tpotce and run the installer:
cd tpotce
./install.sh --type=user
During installation you will be asked which installation type you'd like to complete; let's go with (h) for Hive, which installs T-Pot Hive: ELK and Tools.
You will also be prompted to choose a username and password for logging in to the web console.
After completion, we will need to reboot:
sudo reboot
After the reboot is complete, T-Pot listens for SSH on port 64295 instead of 22, so we will need to head back to our Virtual Machine > Network Settings, edit our SSH rule and add the additional rules below:
T-Pot management: SSH port 64295 from My IP
T-Pot web management: port 64297 from My IP
Allow all else: 0-64293,64298-65535 from Any
Logging into T-Pot Web Console, Attack Map, Kibana
To log in to the T-Pot console, head to your Azure VM and copy the public IP address.
In your address bar type in the following, replacing <PUBLIC_IP> with your Azure VM IP (you will be prompted to sign in with your credentials):
https://<PUBLIC_IP>:64297
- On the T-Pot landing page, click on Attack Map and you will be forwarded to the animated live Attack Map. The Attack Map is a live map that visualises the number of attacks by service, port, country and geolocation.
- Let's head back to the main page and select Kibana.
Kibana
Kibana is an open-source data visualization and exploration platform. It helps to analyze data with custom visualizations, dashboards, and charts to make sense of complex information. We can use it to identify patterns, trends, and anomalies in the obtained data. We can select from a large variety of dashboards.
We will be taking a look at the Cowrie and Suricata dashboards:
Cowrie
Cowrie is a key component of the honeypot setup, simulating SSH and Telnet servers to mimic genuine systems that attackers might target. When attackers engage with Cowrie, it logs their actions, commands, and behavior, capturing the tools and methods they employ.
Suricata
Suricata is an open-source Network Intrusion Detection System (NIDS), Network Intrusion Prevention System (NIPS), and Network Security Monitoring (NSM) tool. It is designed to monitor network traffic in real-time and detect malicious activities, suspicious behavior, and security threats.
- After leaving the virtual machine running for 11 hours and 15 minutes, the following data was aggregated:
Findings
Over the course of the 11 hours and 15 minutes there were over 11,676 SSH and Telnet attacks and over 1.2 million events on the Suricata dashboard. I have performed OSINT on two of the files that attackers downloaded onto the honeypot:
Hash 1: Shell Script
d46555af1173d22f07c37ef9c1e0e74fd68db022f2b6fb3ab5388d2c5bc6a98e
File Characteristics:
- File Type: Shell Script
- File Size: 795 bytes
Behavioral Flags Detected:
- Linux Base64 Encoded Pipe to Shell
- Disable or Stop Services
- Persistence via Cron Files
- Experimental TCP Options
- Data Sent on Stream After TCP Reset Sent
- Suricata Stream Packet with Invalid Timestamp
- Detects Debug Environment
- Self-Deletes
Summary: The detected file exhibits a range of malicious behaviors typical of an advanced attack toolkit designed to compromise and maintain control over a targeted system.
Impact:
- Service Disruption: Potentially disables critical services, disrupting operations.
- Persistence: Establishes persistence through cron jobs, ensuring ongoing access to the compromised system.
- Network Manipulation: Engages in manipulating network traffic using experimental TCP options.
- Evasion Tactics: Attempts to evade detection through manipulation of timestamps and detection of debug environments.
- Cover-up: Self-deletes to erase traces.
This shell script poses significant risks by compromising system integrity, leading to operational disruptions and data security breaches. Immediate isolation and thorough analysis are recommended to mitigate further damage.
Hash 2: Cryptocurrency Miner
ea9f3911ff2884621874c1e98b5dc9139964adeab333b92816eb5c307d73a67f
File Characteristics:
- Type: ELF (Executable and Linkable Format)
- Size: 1.1 MB
- Detection: Riskware.Linux.Bitcoin Miner
- Attributes: ARM architecture, UPX compression, uses shared libraries (.so files)
Summary: Likely a cryptocurrency mining tool targeting Linux systems.
Impact: Consumes system resources covertly, potentially degrading performance and increasing energy costs.
This file, flagged as Riskware.Linux.Bitcoin Miner, targets Linux systems, is built for the ARM architecture and is UPX-compressed. It links shared libraries for additional functionality. This indicates a likely cryptocurrency mining tool that consumes system resources covertly, impacting performance and increasing costs.
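The Cowrie and Suricata dashboards above are built from JSON-lines logs (Cowrie's cowrie.json and Suricata's eve.json). The following added Python example, which is not part of this post or of T-Pot, shows how to pull the same kind of numbers out of those raw logs yourself: login attempts by source, credentials tried, sessions by emulated protocol, Suricata alert signatures, and captured downloads whose SHA-256 matches the two hashes analysed above. The sample log lines, IPs and the alert signature text are constructed for the example; the field names follow the two log formats.

```python
import json
from collections import Counter

# SHA-256 hashes of the two files analysed in this post, used as IoCs to match on.
KNOWN_BAD_SHA256 = {
    "d46555af1173d22f07c37ef9c1e0e74fd68db022f2b6fb3ab5388d2c5bc6a98e": "shell script dropper",
    "ea9f3911ff2884621874c1e98b5dc9139964adeab333b92816eb5c307d73a67f": "ARM cryptominer",
}
# Constructed sample lines in the shape of cowrie.json and eve.json (IPs, session ids and the
# Suricata signature text are made up for this example).
SAMPLE_LOG = """
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","protocol":"ssh","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"123456","session":"a1"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","username":"root","password":"admin","session":"a1"}
{"eventid":"cowrie.session.file_download","src_ip":"198.51.100.7","url":"http://example.invalid/x.sh","shasum":"d46555af1173d22f07c37ef9c1e0e74fd68db022f2b6fb3ab5388d2c5bc6a98e","session":"a1"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.9","protocol":"telnet","session":"b2"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","username":"admin","password":"admin","session":"b2"}
{"event_type":"alert","src_ip":"203.0.113.9","dest_port":23,"alert":{"signature":"CONSTRUCTED telnet probe","severity":2}}
this line is not JSON and must be skipped, not crash the run
"""

def summarise(lines):
    """Aggregate honeypot events from an iterable of JSON-lines log records."""
    stats = {"logins_by_ip": Counter(), "credentials": Counter(), "protocols": Counter(),
             "suricata_signatures": Counter(), "ioc_hits": []}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # truncated or corrupt line: skip it rather than abort the whole run
        eid = ev.get("eventid", "")
        if eid == "cowrie.session.connect":
            # Cowrie tags each new session with the service it emulated (ssh or telnet)
            stats["protocols"][ev.get("protocol", "unknown")] += 1
        elif eid in ("cowrie.login.failed", "cowrie.login.success"):
            stats["logins_by_ip"][ev["src_ip"]] += 1
            stats["credentials"][(ev.get("username"), ev.get("password"))] += 1
        elif eid == "cowrie.session.file_download":
            # Cowrie records the SHA-256 of every captured file; compare it with the known hashes
            sha = ev.get("shasum", "")
            if sha in KNOWN_BAD_SHA256:
                stats["ioc_hits"].append((ev["src_ip"], sha, KNOWN_BAD_SHA256[sha]))
        elif ev.get("event_type") == "alert":
            stats["suricata_signatures"][ev["alert"]["signature"]] += 1
    return stats
```

Point `summarise()` at `open("cowrie.json")` or `open("eve.json")` on the T-Pot host to run it over real logs; the counters' `most_common()` gives the same top-N views the Kibana dashboards show.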
Conclusion
The experience of running this honeypot has been enlightening and eye-opening. It demonstrated the relentless nature of cyber threats and the speed at which attackers can exploit vulnerabilities. During the course of this project I've encountered a range of attacks, from SSH brute-force attempts to DDoS attacks. Witnessing the global reach of these attacks gave me a sense of the interconnectedness and vulnerability of the cyber landscape worldwide.
This project has not only provided practical insights into cybersecurity but also reinforced the need for vigilance, proactive defenses, and continuous monitoring in safeguarding your digital systems. As we conclude this journey, I encourage everyone to stay informed and continue exploring ways to obtain first-hand practical experience with the attacks, techniques and methods that attackers employ. Thank you for joining me on this learning adventure, and until next time!