Sunday, February 10, 2013

TekTip ep21 - Drive Traffic to your Honeypot


In this episode of TekTip, I am going to show a unique method to drive traffic to your Honeypot. While I use Kippo as the example, this approach will work for any Honeypot.

*If you do not know what Kippo is, shame on you. Watch this, this, and this to get caught up.

Now let's get to it. The first thing we need to do is prep our Kippo instance so that we can measure the results of the approach. Log into your Kippo Honeypot, probably on HoneyDrive. Once logged in, go to your Kippo install directory and navigate to the data folder.

If you are using HoneyDrive it will look something like this:

cd /opt/kippo/data

Now use the cat command to see what you currently have as allowable credentials in your userdb.txt.

cat userdb.txt
root:0:123456
root:0:abc123
root:0:p@ssw0rd

This is what I have. As you can see, I allow 3 of the top 10 most used passwords. Now we want to add credentials that are unique enough that your average attacker should not attempt them; that way a successful login with them can only have come from someone who read the information we are about to publish, which is what lets us measure the result. Open userdb.txt in your favorite text editor and add a new line with the credentials you want to use. I added one for root:0:IamSo1337!. Running "cat userdb.txt" again shows the following:

cat userdb.txt
root:0:123456
root:0:abc123
root:0:p@ssw0rd
root:0:IamSo1337!

That takes care of the prep. If you are doing this with something other than Kippo, those previous steps won't apply. If whatever Honeypot you are using lets attackers authenticate, you will want to set up a unique set of credentials for the experiment. If not, press on.

We will now use social networks against our attackers. To put it simply, we are going to post login information for our Honeypot on a public site like Pastebin, and then alert attackers to the information by posting a link to the paste on social networks like Twitter.

You may want to keep the rest of the activity as anonymous as possible, so fire up Tor Browser or use proxychains to hide your IP address. Once anonymized, go to pastebin.com.

The trick to getting this to work properly is to use keywords that attackers may have PasteLerts set up for. For instance, you will want to include keywords such as ssh, login, username, password, root, and many others. Make sure you use some of these keywords in the title as well. Here is a sample one I put together:

Submit this and get your Pastebin URL. This alone will be enough to bring in a few extra hits from people who are monitoring Pastebin. To get even more people to see it, though, we will need to take it a step further.

While still anonymizing your activity, create a throwaway Twitter account. As many people as there are monitoring Pastebin, there are even more monitoring Twitter (at least I am guessing so). In particular, there are certain Twitter users and lists that people follow to get password dumps as they occur. My favorite of these is @PastebinDorks.

With your new Twitter account, create a tweet that mentions @PastebinDorks or another account like it. Have it say something along the lines of, "Check out this one! http://pastebin.com/qi7wzp8h". Now anyone that follows @PastebinDorks will see your post. You may get lucky enough to have someone retweet it a few times.

Now you can just sit back and wait for the connections to roll in. While I used Twitter and Pastebin in my example, this can be done with any similar tools. The point is to get the data out there in public and then use social networks to increase exposure.

To monitor your Kippo logs and see when attackers use the user/pass combination you specified in userdb.txt, navigate to your Kippo log directory and do the following:


honeydrive@honeydrive:/opt/kippo/log$ cat kippo.log | grep 'login attempt'
2013-02-10 13:04:46+0000 [SSHService ssh-userauth on HoneyPotTransport,9237,193.200.88.100] login attempt [root/abcd1234] failed
2013-02-10 13:04:48+0000 [SSHService ssh-userauth on HoneyPotTransport,9238,193.200.88.100] login attempt [root/1234] failed
2013-02-10 13:04:53+0000 [SSHService ssh-userauth on HoneyPotTransport,9239,193.200.88.100] login attempt [root/redhat] failed
2013-02-10 13:04:59+0000 [SSHService ssh-userauth on HoneyPotTransport,9240,193.200.88.100] login attempt [oracle/oracle] failed
2013-02-10 13:05:02+0000 [SSHService ssh-userauth on HoneyPotTransport,9241,193.200.88.100] login attempt [test/test] failed
2013-02-10 13:05:04+0000 [SSHService ssh-userauth on HoneyPotTransport,9242,193.200.88.100] login attempt [root/1] failed
2013-02-10 13:05:07+0000 [SSHService ssh-userauth on HoneyPotTransport,9243,193.200.88.100] login attempt [root/123] failed
2013-02-10 13:05:09+0000 [SSHService ssh-userauth on HoneyPotTransport,9244,193.200.88.100] login attempt [root/123456789] failed
2013-02-10 13:05:12+0000 [SSHService ssh-userauth on HoneyPotTransport,9245,193.200.88.100] login attempt [root/12345678] failed
2013-02-10 13:05:14+0000 [SSHService ssh-userauth on HoneyPotTransport,9246,193.200.88.100] login attempt [root/1234567] failed
2013-02-10 13:05:17+0000 [SSHService ssh-userauth on HoneyPotTransport,9247,193.200.88.100] login attempt [root/12345] failed
2013-02-10 13:05:20+0000 [SSHService ssh-userauth on HoneyPotTransport,9248,193.200.88.100] login attempt [teamspeak/teamspeak] failed
2013-02-10 13:05:22+0000 [SSHService ssh-userauth on HoneyPotTransport,9249,193.200.88.100] login attempt [teamspeak/ts3] failed
2013-02-10 13:05:25+0000 [SSHService ssh-userauth on HoneyPotTransport,9250,193.200.88.100] login attempt [nagios/nagios] failed
2013-02-10 13:05:28+0000 [SSHService ssh-userauth on HoneyPotTransport,9251,193.200.88.100] login attempt [postgres/postgres] failed
2013-02-10 13:05:30+0000 [SSHService ssh-userauth on HoneyPotTransport,9252,193.200.88.100] login attempt [root/qwe] failed
2013-02-10 13:05:33+0000 [SSHService ssh-userauth on HoneyPotTransport,9253,193.200.88.100] login attempt [root/1q2w3e] failed
2013-02-10 13:05:40+0000 [SSHService ssh-userauth on HoneyPotTransport,9254,193.200.88.100] login attempt [root/1q2w3e4r] failed
2013-02-10 13:05:43+0000 [SSHService ssh-userauth on HoneyPotTransport,9255,193.200.88.100] login attempt [root/qweqwe123] failed
2013-02-10 13:05:45+0000 [SSHService ssh-userauth on HoneyPotTransport,9256,193.200.88.100] login attempt [root/qazwsxedc] failed
2013-02-10 13:05:48+0000 [SSHService ssh-userauth on HoneyPotTransport,9257,193.200.88.100] login attempt [root/1qa2ws3ed] failed
2013-02-10 13:05:57+0000 [SSHService ssh-userauth on HoneyPotTransport,9258,193.200.88.100] login attempt [root/123123] failed
2013-02-10 13:06:00+0000 [SSHService ssh-userauth on HoneyPotTransport,9259,193.200.88.100] login attempt [root/abcd1234] failed
2013-02-10 13:06:03+0000 [SSHService ssh-userauth on HoneyPotTransport,9260,193.200.88.100] login attempt [root/qazwsx123] failed
2013-02-10 13:06:05+0000 [SSHService ssh-userauth on HoneyPotTransport,9261,193.200.88.100] login attempt [root/abc123] succeeded
2013-02-10 13:06:22+0000 [SSHService ssh-userauth on HoneyPotTransport,9262,193.200.88.100] login attempt [root/toor] failed
2013-02-10 13:015:24+0000 [SSHService ssh-userauth on HoneyPotTransport,9263,64.185.229.236] login attempt [root/IamSo1337!] succeeded
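As an added example (not part of the original post), here is a small Python parser that does what the grep above does but also counts attempts per source IP and flags every use of the canary credential. It matches the timestamp loosely on purpose, because a strict HH:MM:SS pattern would drop the malformed "13:015:24" line in the log above, which is exactly the line that proves the credential was used. The sample lines are copied from the post's log plus one constructed non-login line.

```python
import re
from collections import Counter

# The canary credential added to userdb.txt in the post.
CANARY = ("root", "IamSo1337!")

# One Kippo 'login attempt' line. The timestamp is matched loosely on purpose:
# the post's own log has a malformed "13:015:24", and a strict HH:MM:SS pattern
# would silently drop exactly the line that proves the canary was used.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,"
    r"(?P<session>\d+),(?P<ip>[0-9.]+)\] login attempt "
    r"\[(?P<user>[^/\]]+)/(?P<password>[^\]]*)\] (?P<result>succeeded|failed)$"
)

def parse_login(line):
    """Return the fields of a login-attempt line, or None for any other line."""
    m = LOGIN_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, canary=CANARY):
    """Per-IP attempt/success counts plus every use of the canary credential."""
    attempts, successes, canary_hits = Counter(), Counter(), []
    for line in lines:
        rec = parse_login(line)
        if rec is None:          # non-login lines are skipped, not errors
            continue
        attempts[rec["ip"]] += 1
        if rec["result"] == "succeeded":
            successes[rec["ip"]] += 1
        if (rec["user"], rec["password"]) == canary:
            canary_hits.append((rec["ts"], rec["ip"], rec["result"]))
    return {"attempts": attempts, "successes": successes, "canary_hits": canary_hits}

# Sample input: four lines from the post's log plus one constructed non-login line.
SAMPLE_LOG = """\
2013-02-10 13:04:46+0000 [SSHService ssh-userauth on HoneyPotTransport,9237,193.200.88.100] login attempt [root/abcd1234] failed
2013-02-10 13:05:02+0000 [SSHService ssh-userauth on HoneyPotTransport,9241,193.200.88.100] login attempt [test/test] failed
2013-02-10 13:06:05+0000 [SSHService ssh-userauth on HoneyPotTransport,9261,193.200.88.100] login attempt [root/abc123] succeeded
2013-02-10 13:06:10+0000 [HoneyPotTransport,9261,193.200.88.100] connection lost
2013-02-10 13:015:24+0000 [SSHService ssh-userauth on HoneyPotTransport,9263,64.185.229.236] login attempt [root/IamSo1337!] succeeded
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ts, ip, result in report["canary_hits"]:
        print(f"canary credential used from {ip} at {ts} ({result})")
    for ip, n in report["attempts"].most_common():
        print(f"{ip}: {n} attempts, {report['successes'][ip]} succeeded")
```

Point it at the real file with summarize(open("/opt/kippo/log/kippo.log")) on a HoneyDrive box; a canary hit from an IP that never brute-forced anything is the signal that the paste, not a scanner, brought that visitor in.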

If you have any other tips or tricks like this, let me know by leaving a comment or sending me an email at 1aN0rmus@TekDefense.com 
