Want to keep learning?

This content is taken from the Coventry University & Institute of Coding's online course, Security Operations. Join the course to learn more.

Skip to 0 minutes and 11 seconds We’re going to start off with two very simple honeypots. Now, you get various

Skip to 0 minutes and 18 seconds types of honeypot: you can get a complete system which is acting as a lure for people coming into the network and people trying to attack you, however, you can also get much simpler ones which are designed to look like an attractive system but they won’t stand up to close investigation. However, they’re very simple to set up and that’s what we’re looking at today. So the simplest one of these is something called Cowrie. Cowrie actually comes as a docker container so using it is very very simple. We just type in service docker start because we need docker up and running before we can do anything and we just wait for docker to start.

Skip to 1 minute and 6 seconds Depending on your speed of your machine it may take a few minutes. And now good that docker running and it’s very simple.

Skip to 1 minute and 11 seconds Docker run - P 2 2 2 2 : 2 2 2 2 It does help if actually tell it what has got to do that’s what I missed out that time. Cowrie / Cowrie So I’m telling it to download the Cowrie docker image from the Cowrie depository, can’t find it locally so it’s going to go on the net and it’s just gonna suck it all down for you and it’s going to set everything up so you don’t actually need to worry about setting anything up. And that’s it downloaded, it’s got the latest version of Cowrie and it’s just about to start.

Skip to 1 minute and 55 seconds So what Cowrie gives you is an SSH and a telnet interface so it pretends to look a bit like an ordinary machine but it’s not. Let’s see, so let’s try and log into it SSH I need to specify the port now that was the 2 2 2 2 that we said and I’m just going to call local host because I’m just running on my local machine. Oh it’s warning me that docker hasn’t seen this before. Yes of course I want to connect. And it’s asking for the routes password. Now in this case it doesn’t actually matter what you type in, it always succeeds, which might be a bit of a giveaway.

Skip to 2 minutes and 46 seconds N ow if you look here on this left window you can actually see what Cowrie is recording, it’s recording a whole load of things. And if we do LS we can see that command, and there. And if we go to the top directory we actually see what looks a bit like an actual machine. Because that’s the whole point of a honeypot is designed to pretend to be a target that someone might hack, while we’re recording everything that’s going on. So let’s see, I think I want to go into home. Oh I look it’s got Richards information. That doesn’t have anything in there but I can find maybe useful bits of information there.

Skip to 3 minutes and 49 seconds When you investigate a bit further you’ll find that really all Cowrie has is empty files so it’s not going to fool an attacker for very long but it is recording everything and it is giving you useful information. So it can act as a toy honeypot to give you an idea of what’s going on. Well we’ve had a look at Cowrie and as we saw Cowrie’s nice, easy to install, but a bit simple. I want to turn our attention to another package and it’s called OpenCanary.

Skip to 4 minutes and 34 seconds It’s also a honeypot but it’s a bit more complex a honeypot and it needs a bit more setup but it does mean that there are more ways an attacker could potentially attack and interact with it and try and break it and that’s useful for us because it helps us see what they’re up to. So first thing we need to do is install all the packages that we need for it, so. The exact instructions are in the handout to go with this but basically I want to install Python and various Python environments. Now this comes up it’s basically telling you it’s updating open SSL so just press space and then queue. We don’t need to worry about it at this point.

Skip to 5 minutes and 39 seconds Okay that’s the key Cali place and packages installed. I’m also going to install a few more packages, these packages are optional but these packages will help us if we want to play around with our DP that’s the Microsoft Remote Desktop Protocol and if we want to do stuff using that. So it’s a whole load more packages to install and again this command is going to be in the handout. And yes the observance of yours will have realised and that I have tried to install Python - dev twice I could have missed that out. Okay that is the Cali packages installed. Now what we’re going to do now is take advantage of Python’s ability to create virtual environments.

Skip to 6 minutes and 35 seconds Now what these virtual environments are our sand boxes where we can play around with different Python modules without interfering with the main Python install on our computer. So let’s create first of all folder to put things in. I’m going to call it imaginatively OC. Go into that folder and what I’m gonna do is I am going to create a virtual environment and I am just going to enter that virtual environment. Okay so that’s me in my virtual environment, I now just need to install the Python packages. First of all our RDP client it’ll suck everything from the net and now we install OpenCanary itself.

Skip to 7 minutes and 40 seconds If we use this mechanism it means sure that we have an up to date version of OpenCanary and an up to date version of all the libraries it depends on. Okay we’ve now got OpenCanary installed we need to start it. So I just do OpenCanary D minus minus start and if you got OpenCanary setup that will start it but as we’ll see we don’t have it set up. But fortunately it tells us how to do that, so let’s do OpenCanary D minus copy config and it says oh yes I’ve got that and you’ve got a sample config file now ready in your home directory under OpenCanary.comf.

Skip to 8 minutes and 20 seconds If we open that and whatever your favorite editor is and that’s the config file for OpenCanary. Let’s just have a quick look through it, we see it’s got an FTP server and that’s switched on and it’s got a banner. Let’s change that banner slightly. So I’m going to call it Coventry EH FTP server. And it’s got some HTTP. HTTP enabled a set to false that means it’s not going to run, I want to change that, I want to make sure it is running. So let’s change that so it’s true. And as you can see there’s a whole host of things that we can set up here.

Skip to 9 minutes and 17 seconds If you want to look at it so it appears to be a Windows server you can set up Windows File Sharing that’s a bit more involved so we’re not going to cover it today but you can do things like that. You can set up an SSH server, NTP server, a huge range of things. You can set up on telnet server. Well we played around with SSH for Cowrie, let’s change the things around this time and let’s enable the telnet server. And again I am going to change the banner that’s the thing that’s going to be displayed and I am going to call it Winnie the Pooh.

Skip to 10 minutes and 2 seconds That might be giving a little bit of a hint here as to what it actually is. So we’ve got a whole lot of things and I said you’ve got Microsoft SQL servers, MySQL servers, whole host of things. The OpenCanary website has a range of sample configuration files so you can tailor your honeypot to be whatever server you want it to be. So I’m going to quit that, I’m going to save that and now I am just going to do OpenCanary D minus minus start. And that is the OpenCanary server up and running. So let’s try and play around with it. Unlike Cari, we don’t have things appearing here. OpenCanary has a log file it’s in VAR temp OpenCanary dot log.

Skip to 10 minutes and 53 seconds And we can see what’s happening at any time there. So let’s try something, so let’s first of all open up a browser and let’s go to our local machine. Oh and look OpenCanary is giving you something that looks like network-attached storage a nass and indeed if we go back to the log file we can see people are trying to log into it. If you remember our config file that was one of the options we could change.

Skip to 11 minutes and 39 seconds It’s got a number of you might call skins, that’s ID fake identities for the web server, and you can choose whichever one and we’d actually decided that it was going to be a nice log in so it’s pretending to be a network attached storage. We mentioned telnet so let’s try telnetting into it. Oh, and look, it’s telling us it’s the Winnie the Pooh telnet server.

Skip to 12 minutes and 19 seconds And if we FTP into it as well we can see it’s the Coventry EH FTP server. So you can configure it and change it to be whatever you want and at any point you can go in and you can see what’s happening and the log files and you can change it. Now the logging on this is quite complex and normally we would use something like an elk stack. So hopefully that’s given you a slight taster into honeypots.

Setting up a honeypot

As we said in the previous step, this video takes you through the instructions given.

We use honeypots to monitor the network and keep an eye on things when we don’t want to expose real data or real machines to the network but we still want to see what’s going on.

We’ve looked today at some basic honeypots – a very simple one, Cowrie [00:44], and a slightly more complex one, OpenCanary [04:28] – but there are opportunities to do much more complex ones. If you want to, you could set up a honeynet (a collection of honeypots). If we were going to do that then we would probably take the time to install actual machines and seed them with fake data, but in every other respect they would be standard machines.

Share this video:

This video is from the free online course:

Security Operations

Coventry University