Since the launch of Fred Cohens’ Deception Toolkit in 1998 (First publically released Honeypot), Honeypots has been a proven useful method for attack detection and analysis. As these honeypots are complex in installation and require high maintenance, they are yet to get their proper place in enterprise security suits. However, the honeypot technology has been seeing rapid growth, and soon it will be held among various business threat detect security tools. There are two types of Honeypot deployments

1. Internal Honeypots (Behind Firewall)
2. External Honeypots (Outside Firewall)

Both deployment methods have their benefits such as follows

Internal Honeypots: These honeypots run behind the firewall as part of the internal network and work as a low noise IDS. These are very useful in detecting any compromised hosts, malicious users.

External Honeypots: You can deploy these honeypots in two types

Local External Honeypots: They are outside firewall but part of your IP space. This deployment helps your get idea of who is attacking you and assist you in filter attack traffic from legitimate traffic.

Global External Honeypots: They run over public clouds or VPSes and used by the organisations to make threat feeds and reputation engine for IP addresses.

The Low Cost and Low Maintenance Solution: Honeypots are part of natural enterprise security solution because of the hardware cost involved and high maintenance, but in the era of cost-effective open source hardware this problem can be solved easily with Raspberry Pi boards.

The Raspberry Pi is a credit sized single-board computer developed by Raspberry Pi Foundation. With the initial intention of promoting the teaching of basic computer science in school, this ARM Linux box would be one of the suitable candidates for deploying honeypot sensors. Low cost, low power consumption. It could turn into a powerful honeypot or attack detector.

One can easily install honeypots variant of his choice on the raspberry pi boards I will be adding some links in references for the same but if one is not looking forward to putting extra effort, he can directly Honeepi – A Customised Raspbian based honeypot sensor pre-loaded with different honeypots. The fourth release of honeepi comes pre-installed with honeypot packages like Dionaea, Cowrie, Conpot, Glastopf and classic honeypots like honeyd, Amun that run on Raspberry Pi 3 Model B. It also comes loaded with ntop, snort and remote pcap to allow network monitoring and capturing of pcap for further analysis.

Process for Settings up Sensors.

Pre-Requirements:        

1. Raspberry Pi (3 Model B preferred)
2. SD Card (32 GB preferred)
3. SD Card reader
4. Keyboard and Network Connectivity

Downloading Honeepi: You can download honeepi from the URL below.

https://sourceforge.net/projects/honeeepi/

Simple Installation

You should be able to use the Honeeepi image easily. The installation process is similar to the typical raw images (e.g. Raspbian), I am currently using Windows Operating System so I will be following method for same however one can easily search methods for other operating systesm.

1. Insert your microSD card into your card reader and find out its drive letter in Windows Explorer
2. Download SDFormatter (https://www.sdcard.org/downloads/formatter_4/) application and format your memory card with it, Don’t forget to turn on Auto Size Adjustment Option.
3. Unzip the file you downloaded and extract image to a folder
4. Download Win32DiskImager (https://sourceforge.net/projects/win32diskimager/) ,
5. Unzip the downloaded file and run the utility file.
6. Select the image file you downloaded.
7. Choose the drive of your SD card in the ‘Device’ drop-down. Make sure you choose the correct one. Otherwise, you risk damaging the data on your hard drive.
8. Select ‘Write’ and wait for the process to finish. That is it!
9. Now you can plug the SD card into your Raspberry Pi’s slot.

Now power up the board and connect it to a wired network. The honeeepi image is started with ‘DHCP’ and ‘sshd’ as default. Now locate Honeepi Network address in your DHCP list and ssh to it using following credentials.

SSH Port for Honeepi version 2016.10 is TCP/9002 and for the rest versions TCP/22

Default login: pi

Password: honeeepi

Now you can need to sudo raspi-config and expand the file system, post this run apt-get update / apt-get upgrade (Hope you are familiar with this)

Running Honeypots

Now here we will talk about running pre-installed honeypots, some of their description and suggestion on how to run them.

1. Conpot: Conpot is a low interactive server side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend. By providing a range of standard industrial control protocols, it created the basics to build your system, capable of emulating complex infrastructures to convince an adversary that he just found a massive industrial complex. To improve the deceptive capabilities, it also provided the possibility to serve a custom human-machine interface to increase the honeypots attack surface. The response times of the services can be artificially delayed to mimic the behaviour of a system under constant load. Because it is providing complete stacks of the protocols, Conpot can be accessed with productive HMI’s or extended with real hardware. Conpot is developed under the umbrella of the Honeynet Project and on the shoulders of a couple of massive giants.

Starting up conpot

• Login as pi

         cd /honeeepi/conpot

• To start for Siemens S7-200 (start as background)
  sudo conpot –template default &
• start kamstrup_382 (smart meter) (start as background)
  sudo conpot –template kamstrup_382 & (new)
• start ipmi (start as background)
  sudo conpot –template ipmi &
• start proxy (start as background)
  sudo conpot –template proxy &
• tart Guardian AST tank monitoring system
  sudo conpot –template guardian_ast &

2. Dionaea: Dionaeawas developed by Markus Koetter as a low-interaction honeypot is meant to be nepenthes successor. It emulates vulnerable systems with services often targeted by attackers such as HTTP, FTP, SSH, SMB, etc. It is written in C but uses Python to emulate various protocols to entice attackers.  It uses Libemu to detect shellcode and can alert us of the shellcode and capture it. Dionaea sends real-time notification of attacks via XMPP and then logs the information into a SQLite database.

Starting up Dionaea

• Login as pi
• cd /honeeepi/dionaea-honeypot
  • sudo ./start.sh & 
• To start OS fingerprinting (start as background)
  • sudo ./start-p0f.sh &

3. Glastopf: Glastopf is a minimalistic web server emulator written in Python by Lucas Rist a.k.a glaslos. The honeypot tool collects information about web application-based attacks like for example remote file inclusion, SQL injection, and local file inclusion

Starting up Dionaea

• Login as pi
• sudo glastopf-runner &

4. Cowrie: Cowrie is a Kippo based SSH/Telnet honeypot system written by Michel Oosterhof that is designed to not only log brute-force attempts against an ssh server but to “record” the entire shell session of an attacker. It creates a “fake” server that will be used to lure attackers to attempt access. The functionality of Cowrie extends far beyond what is described here  I encourage you to visit the Cowrie repository on Github in the meantime to read about all that it can do.

Setting up Cowrie

• Edit your ssh to different port number
  • sudo vi /etc/ssh/sshd_config
• Edit SSH port to other port of your choice (make sure use different port from honeypot services)
  • Port 22 <—–change port number ensure it does not clashes with other honeypot services
• restart SSH
  • sudo /etc/init.d/ssh restart
  • sudo su cowrie
• cd /honeeepi/cowrie
  • ./start.sh (script start process as background)

Running Network Monitoring:

Ntop (Start as background): ntop is computer software that probes a computer network to show network use in a way similar to what the program top does for processes. In interactive mode, it displays the network status on the user’s terminal. In Web mode, it acts as a web server, creating an HTML dump of the network status. It supports a NetFlow–sFlow emitter-collector, a Hypertext Transfer Protocol (HTTP) based client interface for creating ntop-centric monitoring applications, and RRDtool (RRD) for persistently storing traffic statistics.

• Login as pi
• cd /opt/ntop-5.0.1
• sudo ntop &
• The first-time startup will prompt for admin user password
• go to browser access, http://IPaddress of honeeepi:3000/

Remote Packet Capture (rpcapd): The Remote Capture Protocol (RPCAP) can work in two modes:

Passive Mode (default): the client (e.g. a network sniffer) connects to the remote daemon, it sends them the appropriate commands, and it starts the capture.

Active Mode: the remote daemon try to establish a connection to the client (e.g. the network sniffer); then, the client sends the appropriate commands to the daemon, and it starts the capture. This name is because the daemon becomes active instead of waiting for new connections.

The Active Mode is useful in case the remote daemon is behind a firewall, and it cannot receive connections from the external world. In this case, the daemon can be configured to establish the connection to a given host, which will have been configured to wait for that connection. After establishing the connection, the protocol continues its job in almost the same way in both Active and Passive Mode.

• Login as pi
• sudo passwd root -> set root password
• cd /opt/rpcapd
• sudo start.sh (script start process as background)
• Configure remote capture using Wireshark

Analysing Honeypot Logs: – Once all honeypots are active, they generate massive log files and analysis of these records can be easily done using ELK. All you need to do is get all logs files to your ELK machines and use logstash conf file to push them to ElasticSearch, and You can view them quickly in Kibana.

Logstash.conf:

# Input section

input {

# Conpot

  file {

    path => ["file_path/conpot.json"]

    codec => json

    type => "ConPot"

  }

# Cowrie

  file {

    path => ["file_path/cowrie.json"]

    codec => json

    type => "Cowrie"

  }

# Dionaea

  file {

    path => ["file_path/dionaea.json"]

    codec => json

    type => "Dionaea"

  }

# Glastopf

  file {

    path => file_path/glastopf.log"]

    type => "Glastopf"

  }

}

 

# Filter Section

filter {

# Conpot

  if [type] == "ConPot" {

    date {

      match => [ "timestamp", "ISO8601" ]

    }

  }

# Cowrie

  if [type] == "Cowrie" {

    date {

      match => [ "timestamp", "ISO8601" ]

    }

    mutate {

      rename => {

        "dst_port" => "dest_port"

        "dst_ip" => "dest_ip"

      }

    }

  }

# Dionaea

  if [type] == "Dionaea" {

    date {

      match => [ "timestamp", "ISO8601" ]

    }

    mutate {

      rename => {

        "dst_port" => "dest_port"

        "dst_ip" => "dest_ip"

        "[credentials][password]" => "login"

      }

      remove_field => "[credentials]"

    }

  }

# Glastopf

  if [type] == "Glastopf" {

    grok {

      match => [ "message", "\A%{TIMESTAMP_ISO8601}%{SPACE}%{NOTSPACE}%{SPACE}%{IP:src_ip}%{SPACE}%{WORD}%{SPACE}%{URIPROTO:http_method}%{SPACE}%{NOTSPACE:http_uri}%{SPACE}%{NOTSPACE}%{SPACE}%{HOSTNAME}:%{NUMBER:dest_port:integer}" ]

    }

    date {

      match => [ "timestamp", "ISO8601" ]

    }

  }

 

# Add geo coordinates / ASN info

  if [src_ip]  {

    geoip {

      source => "src_ip"

      target => "geoip"

      database => "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-geoip-2.0.7/vendor/GeoLiteCity-2013-01-18.dat"

      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]

      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]

    }

    mutate {

      convert => [ "[geoip][coordinates]", "float" ]

    }

    geoip {

      source => "src_ip"

      target => "geoip"

      database => "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-geoip-2.0.7/vendor/GeoIPASNum-2014-02-12.dat"

      add_field => [ "[geoip][full]", "%{[geoip][number]} %{[geoip][asn]}" ]

    }

  }

# In some rare conditions dest_port, src_port is indexed as string, forcing integer for now

  if [dest_port] {

    mutate {

        convert => { "dest_port" => "integer" }

    }

  }

  if [src_port] {

    mutate {

        convert => { "src_port" => "integer" }

    }

  }

}

# Output section

output {

  elasticsearch {

    hosts => ["localhost:9200"]

  }

}

 

Resource and References:

– Conpot (http://conpot.org/)
– Dionaea (https://github.com/gento/dionaea, with IoT honeypot feature – Internet of Things)
– Glastopf (http://glastopf.org/)
– Cowrie (https://github.com/micheloosterhof/cowrie)
– Kippo (https://github.com/desaster/kippo)
– Honeyd (https://github.com/DataSoft/Honeyd)
– amun (http://amunhoney.sourceforge.net/)

– Snort (https://www.snort.org/)
– ntop (http://www.ntop.org/)
– Remote packet capture (https://github.com/frgtn/rpcapd-linux)

– HoneyNet Project (https://www.honeynet.org)

– Honeepi Wiki (https://redmine.honeynet.org/projects/honeeepi)

– Indian HoneyNet Project (https://honeynet.org.in)