This project focuses on deploying the Cowrie honeypot to study and mitigate SSH brute-force attacks. Cowrie, a medium-interaction honeypot, simulates SSH services to attract attackers, logs their interactions, and provides insights into their behaviors and tactics. The project also includes testing the honeypot using various tools and analyzing the collected data.
- Review existing research and honeypot solutions.
- Set up and configure Cowrie honeypot on Ubuntu Server.
- Simulate brute-force attacks using tools like Medusa and Metasploit.
- Analyze attacker behaviors, techniques, and tactics.
- Provide recommendations for proactive defense measures.
- Simulates SSH services to attract attackers.
- Logs attacker interactions, including login attempts, executed commands, and file transfers.
- Provides JSON-formatted logs for detailed analysis.
- Lenovo T460s Laptop: Used for hosting virtual environments.
- VirtualBox: Virtualization platform for running isolated Ubuntu Server and Kali Linux environments.
- Ubuntu Server 22.04 LTS: Hosting platform for Cowrie honeypot.
- Kali Linux 2024: Used for penetration testing and launching attacks.
- Putty: Terminal emulator for testing SSH access.
- Nmap: Network scanning tool to detect open ports and services.
- Medusa and Metasploit: Brute-forcing tools for simulating attacks.
Cowrie will be configured to listen for SSH connections on port 22. To avoid conflict with the real SSH service, the real SSH service will be reconfigured to listen on a different port for administrative purposes.
-
Open the SSH configuration file:
sudo nano /etc/ssh/sshd_config
-
Update the listening port for the SSH service to a different port (e.g.,
2244). -
Restart the SSH service to apply changes:
sudo systemctl restart ssh
-
Verify the SSH service status:
sudo systemctl status ssh
-
Test the connection to the new SSH port:
ssh root@<your-server-ip> -p 2244
- Install the required dependencies for Cowrie:
sudo apt-get update && sudo apt-get upgrade sudo apt-get install git python3-virtualenv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind virtualenv
- Create a new user for Cowrie:
sudo adduser --disabled-password cowrie
-
Switch to the Cowrie user:
sudo su - cowrie
-
Navigate to the user's home directory and clone the Cowrie repository:
git clone https://github.com/cowrie/cowrie
-
Navigate to the Cowrie directory:
cd ~/cowrie
-
Create a Python virtual environment:
python3 -m venv cowrie-env
-
Activate the virtual environment:
source cowrie-env/bin/activate -
Install the required Python packages:
python -m pip install --upgrade pip python -m pip install --upgrade -r requirements.txt
-
Copy the default configuration file and rename it:
cp cowrie.cfg.dist cowrie.cfg
-
Edit the configuration file to customize the settings:
nano cowrie.cfg
Modify the hostname and other settings to make the server appear realistic.
Cowrie must listen on port 22 for SSH connections. There are two methods to achieve this:
-
Redirect port 22 to Cowrie's default port (2222):
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
-
Ensure the real SSH service is running on a different port to avoid conflicts.
-
Install Authbind:
sudo apt-get install authbind
-
Allow Cowrie to bind to port 22:
sudo touch /etc/authbind/byport/22 sudo chown cowrie:cowrie /etc/authbind/byport/22 sudo chmod 770 /etc/authbind/byport/22
-
Edit the Cowrie configuration to enable Authbind and update the listening port:
nano cowrie.cfg
Update the
[ssh]section to:[ssh] listen_endpoints = tcp:22:interface=0.0.0.0
- Navigate to the
bindirectory and start Cowrie:cd ~/cowrie/bin ./cowrie start
-
Set up fake services, user credentials, and logging behavior to mimic legitimate services.
-
Create a fake file system using the
cowrie/honeyfsdirectory for attackers to interact with:cowrie/honeyfs/etc/passwd: Simulates user accounts.cowrie/share/cowrie/txtcmds/usr/bin: Contains essential binary executables.cowrie/share/cowrie/txtcmds/usr/sbin: Contains system administration utilities.
-
Ensure all configurations make the honeypot appear realistic to attackers. This concludes the installation and configuration of Cowrie on an Ubuntu server. The honeypot is now ready to capture attacker interactions and provide valuable insights for security analysis.
Nmap is one of the tools that can be used in port scanning. nmap was use to run a port scan on the system, I used following command to scan the system on kali-linux.
Nmap (ipaddr)
In second phase, bruteforce attack was selected which is a hacking method that uses trial and error to crack passwords, login credentials and encryption keys. For this attack, a tool named medusa, which comes built-in in Kali Linux OS.The following command was used to launch the attack
medusa -u root -p pass.txt -h ip-addr
Also the attack was preform on metasploit , which comes built-in in Kali Linux OS. mess the right combination.The following command was used to launch the attack.
RHOSTS, VERBOSE, USERNAME
Testing the system using putty was used to gain accesss into the system and successfully got into the cowrie honeypot as root and using the password from bruteforcing.
Developed a Python-based parsing tool to process Cowrie logs.
The log directory used by the parsing tool is:
`/home/cowrie/cowrie/var/log/cowrie/`Open a terminal and navigate to the directory containing the parsing tool script.
cd /home/cowrie/cowrie/parsinglog.py/
ls /home/cowrie/cowrie/var/log/cowrie/
python3 parsing_tool.py
Observations:
- Several open and filtered ports detected during scanning
Recommendations:
- Disabling unnecessary services and securing exposed ports.
Observations:
- Successful brute-force login achieved using default credentials
Recommendations:
- Include enforcing strong password policies, enabling two-factor authentication, and monitoring for suspicious activities.
Observations:
- Multiple commands were executed by attackers post-login.
- Activities included directory traversal, file operations, and network configuration checks.
- Difficulty in Installing GUI for Ubuntu Server.
- Challenges in developing log analysis tools.
- Enhance Cowrie with cryptographic measures for added security.
- Strengthen authentication using multi-factor authentication (MFA).
- Regularly update system software and enforce strong password policies.
- Integrate advanced log visualization tools like ELK Stack for deeper insights.
- Deploy the honeypot in external network environments to gather more diverse data.
- Expand the scope to include additional attack vectors and protocols.
- Develop automated alert systems based on honeypot logs.
├── src
│ ├── cowrie_config.cfg # Configuration file for Cowrie
│ ├── parse_logs.py # Python script for log parsing
├── logs
│ ├── cowrie.log # Raw logs from Cowrie
│ ├── parsed_logs.json # Parsed logs in JSON format
├── docs
│ ├── report.pdf # Detailed project report
│ ├── analysis_charts.png # Visualization of attacker behaviors
- Rahma Yaqeen
- LinkedIn: https://linkedin.com/in/fameera-yakeen
- Email:[email protected]
For more information or to contribute, feel free to reach out or create a pull request in this repository!