The biggest project that I faced in my university life was the end-of-degree project. For years I had been determined to dedicate myself to security, so my end-of-degree project had to be about security.
It was then that I got in touch with Professor Álvaro Ortigosa, the current director of the Institute of Forensic Sciences and Security, and he gave me a series of tips and articles that would allow me to decide later on the subject of the project. After analyzing them, the honeypots caught my attention.
I researched and it turned out that one of my professors, Francisco de Borja Rodríguez, was offering a dissertation related to honeypots hiding. So I contacted him and ended up with a very interesting project: a tool capable of detecting honeypots. Since I gave the rights of the project to the university, I can not show my tool, but shodan has something similar in the development phase, a tool called honeyscore, which can be used to give us an idea.
However, in this post I will focus on explaining what honeypots are and how to get your own honeynet.
A honeypot is a multidisciplinary computer security resource, whose main function is to be compromised, attacked and invaded by malicious users, deceiving them with the appearance of a real system. Honeypots are a source of information for the computer security researcher since they monitor and analyze these attacks in a system without any sensitive information that could be compromised.
My end-of-degree project consisted of deploying a large set of honeypots on my university’s network, improving and obfuscating them to make them undetectable, and developing a tool capable of detecting whether an IP address contains a honeypot.
Since I wanted to get the widest possible reach, I deployed eleven different honeypots, emulating different services, such as the ConPot honeypot, which simulates an Industrial Control System, the Cowrie honeypot, which imitates an SSH server, the Glastopf honeypot, appearing to be a web server, etc.
To deploy this set of honeypots (honeynet) I used the t-Pot repository, a platform that offers eleven different honeypots (ConPot, Cowrie, Dionaea, ElasticPot, Glastopf, Honeytrap, Mailoney, Rdpy, Suricata, Vnclowpot, and eMobility).
I chose this honeynet for my project because it allowed me to deploy these eleven honeypots in a single virtual machine. Next I’ll show you all the steps to deploy your own honeypots with this platform.
To install the honeynet t-Pot, the first step is to download the t-Pot.iso image from the https://github.com/dtag-dev-sec/t-Potce repository.
Then you must create a new virtual machine in VirtualBox, configuring it so that it has 4096 MB of RAM, and attaching a 64GB dvi disk. In addition, you should change the network mode from “NAT” to “Bridge”. Then you just need to attach the downloaded image and add it to the IDE driver.
Start the virtual machine, and follow the instructions of the installer. In case it is installed on a computer that is on a network with DHCP, just follow the steps of the installer in automatic mode.
If the message “DHCP could not be configured” appears, the network where the host computer is, does not have DHCP, so you must configure the network manually: when prompted, enter the IP where you want to host the honeypot receive attacks, the subnet mask, the Gateway and the DNS.
After the installation is finished, the installation menu will appear again. You must turn off the machine, enter the VirtualBox configuration and delete the t-Pot.iso file you added earlier.
Once the basic installation has been completed, the machine must be restarted. For a complete configuration of the honeypot, choose the option “everything“. It will ask us to enter the password and the user with whom to access in the administration panel to the data of the attacks made to the honeypot.
The user to enter our honeypot is “tsec“. The password, the first that we have put in the previous step.
To be root you must type ‘sudo su‘ and enter the password you previously chose.
To check the status of the honeypots raised in the honeynet, you must type the command
$ ./sh dps.sh
To update each honeypot just execute the commands:
$ cd /opt/t-Pot
$ ./update.sh -y
Next we will be able to access to the information about the attacks received with Kibanna introducing in the navigator the IP address of the honeypot from the port 64297.
We must enter “Advanced” and select the option to add exception, as the browser will detect it as a non-secure site.
After this it will ask us for a username and password. It must be the one we configured previously.
In Kibanna, we choose T-Pot, and we’ll have graphics of all the attacks made.
As you can see, during the time I was with the honeypots up, I collected millions of attacks from almost every country in the world. And the good thing about the interface offered by Kibanna is that we can query the database of the attacks received and understand how the attackers proceed to try to compromise each machine. For example, in the following image we can see a tagcloud with the most tested users and passwords to try to enter the honeypot Cowrie (which pretends to be a ssh server).
This platform has a lot of potential and can provide a lot of useful information for forensic analysis. If you want to investigate more about honeypots, I recommend that you follow these steps and install your own honeypots to learn.