Intrusion Detection Honeypots: Detection through Deception by Sanders Chris

Author: Sanders, Chris [Unknown]
Language: eng
Format: epub
Publisher: Applied Network Defense
Published: 2021-03-01T06:00:00+00:00


Leaving credentials lying around on public file shares likely to be accessed in a compromise.

Utilizing default credentials from common services or devices (cisco:x:cisco). This works best if you also mimic other characteristics of the device.

The changes made to userdb.txt take effect immediately and don’t require restarting Cowrie.

Building a More Legitimate File System

When an attacker logs into the SSH honeypot, Cowrie presents them with what appears to be a functioning file system. They can use the ls command to list the contents of directories, the cd command to change into them, and even use the cat command to read out files. The file system looks and feels real at a basic level, but it’s all fake and made possible through a database of directories and associated files served up by Cowrie. They aren’t actually interacting with a real file system. Any time a user logs in, Cowrie gives them a copy of this file system to manipulate, which gets deleted after they log off.

While the default file system included with Cowrie works for proof of concept, there are a few good reasons to replace it with one of your own creation. First, if you hope to keep an adversary engaged with your honeypot for long, you must give them something interesting to dig through. Second, clever or experienced attackers may easily recognize the vanilla honeypot file system or some of its default attributes. Finally, several of the other changes you’ll likely make to Cowrie should also be reflected in the file system. For example, if you added users to the userdb.txt file, the file system should contain home directories for those users along with entries in /etc/passwd, /etc/shadow, /etc/group, and other related files.

There are two essential components to the Cowrie emulated filesystem. First is the pickle file that contains a database of the file system metadata like the directory structure, file names, permissions, ownership, and so on. Next is the cowrie/honeyfs directory containing the file contents. For an attacker to find and view a file, it must be present both in the pickle file and in the honeyfs directory structure. If it’s in the pickle file but not in honeyfs, they’ll find the file, but it won’t have any contents. If it’s in honeyfs but not in the pickle file, they won’t be able to see it in the directory structure.
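The two failure cases described above can be checked before deployment. The following is an added example, not code from the book or from the Cowrie project: it compares a metadata tree against a honeyfs directory and reports files that would be listed but empty and files that would be invisible. The node layout (field indexes and type codes) is an assumption modeled on Cowrie's file system metadata, and the sample tree, paths and the node() helper are constructed for illustration.

```python
import os
import tempfile

# Assumed metadata layout: each node is a list and these are the field
# indexes and type codes used here (modeled on Cowrie; an assumption).
A_NAME, A_TYPE, A_CONTENTS = 0, 1, 7
T_DIR, T_FILE = 1, 2

def pickle_files(node, prefix=""):
    """Yield the absolute path of every regular file in the metadata tree."""
    for child in node[A_CONTENTS]:
        path = prefix + "/" + child[A_NAME]
        if child[A_TYPE] == T_DIR:
            yield from pickle_files(child, path)
        elif child[A_TYPE] == T_FILE:
            yield path

def honeyfs_files(root):
    """Yield every file stored under the honeyfs directory as an absolute path."""
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        base = "" if rel == "." else "/" + rel.replace(os.sep, "/")
        for name in files:
            yield base + "/" + name

def audit(tree, honeyfs_root):
    """Return (listed but empty, present but invisible) as sorted path lists."""
    meta, content = set(pickle_files(tree)), set(honeyfs_files(honeyfs_root))
    return sorted(meta - content), sorted(content - meta)

def node(name, ntype, contents=None):
    # Hypothetical helper: uid, gid, size, mode, ctime etc. are placeholders.
    return [name, ntype, 0, 0, 0, 0o644, 0, contents or [], None, None]

def demo():
    # Constructed sample: metadata lists /etc/passwd and /etc/shadow, while
    # honeyfs holds /etc/passwd and /home/cisco/notes.txt.
    etc = node("etc", T_DIR, [node("passwd", T_FILE), node("shadow", T_FILE)])
    tree = node("/", T_DIR, [etc])
    with tempfile.TemporaryDirectory() as root:
        for rel in ("etc/passwd", "home/cisco/notes.txt"):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        return audit(tree, root)

if __name__ == "__main__":
    empty, invisible = demo()
    print("listed but empty:", empty, "| invisible:", invisible)
```

Against a real deployment, pass the tree loaded from your own pickle file and the path to your honeyfs directory. Only unpickle files you generated yourself, since loading a pickle can execute code.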

Creating a pickle file is most effectively done by deploying a reference OS that you’ll use as the basis for your fake file system. For example, if you’re mirroring an Ubuntu 18 system, deploy a copy of Ubuntu in a VM and configure that file system as you’d want your attacker to view it. From there, complete the following steps:

On your honeypot, move the existing honeyfs directory into a backup location:

mv honeyfs/ backupfs/


