Cowrie Honeypot

This was originally a weekend project, but it became a project that I sank some hours into. Originally I was playing around with Terraform in Azure since I wanted to learn about it. And since I had a virtual machine running, why not use it for something interesting? Data was collected from 12:22 29.01.2023 (UTC) to 08:30 04.02.2023 (UTC).

Setup/configuration

Sources used during the setup/configuration:

https://medium.com/threatpunter/how-to-setup-cowrie-an-ssh-honeypot-535a68832e4c

https://cowrie.readthedocs.io/en/latest/INSTALL.html

https://github.com/cowrie/cowrie

First I created a virtual machine in Azure using Terraform. The template can be found at: https://github.com/rhofset/Templates/tree/main/Terraform/Azure/Linux%20Virtual%20Machine

Connect to the created machine

ssh -i C:\Users\<USER>\.ssh\<SSHKEY> <USERNAME>@<IP_ADDRESS>

Change port for SSH

# change to port 9999:
sudo nano /etc/ssh/sshd_config

sudo service ssh restart

# Connect from my local machine using the new port:
ssh -i C:\Users\<USER>\.ssh\<SSHKEY> <USERNAME>@<IP_ADDRESS> -p 9999

Update and install packages

sudo apt update

sudo apt install git python3-virtualenv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind virtualenv

sudo apt install python3.10-venv

sudo apt upgrade

I ran into problems creating the virtual environment later in this write-up, so the python3.10-venv package had to be added.

Add Cowrie user

# Add user:
sudo adduser --disabled-password cowrie

# Change user:
sudo su - cowrie

Clone repository

# Git clone (over HTTPS)
git clone https://github.com/cowrie/cowrie

# Goto folder
cd cowrie

Activate virtual environment

# Create env
python3 -m venv cowrie-env

# Activate env
source cowrie-env/bin/activate

# Install packages:
python3 -m pip install --upgrade pip
python3 -m pip install --upgrade -r requirements.txt

Redirect port 22 to 2222

sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

Another solution here is to get Cowrie to listen on port 22.

Start

./bin/cowrie start

Stop

./bin/cowrie stop

Result

In total there were 8815 login attempts: 5379 failed and 3436 were successful. All of the results below were carved out of the log files using Power BI Desktop. The default username/password DB was used to decide which logins the honeypot accepts.

# Default username/password:
root:x:!root
root:x:!123456
root:x:!/honeypot/i
root:x:*
tomcat:x:*
oracle:x:*
*:x:somepassword
*:x:*

[Charts: top source IP addresses, source countries, and usernames]

I have removed all attempts where an empty username was used (“null”). I have no idea which device or service uses “345gs5662d34” as a username.

[Charts: source countries and top passwords]

For the password results, I have done the same as for the usernames and removed “null” from the list. I also have no idea what the two passwords at the top of the list are used for (3245gs5662d34 and 345gs5662d34). Since there are many attempts to use them, I would think they are default passwords for some service or device. Let me know if anyone knows.
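The figures above were produced in Power BI, but the same numbers can be pulled straight out of Cowrie's JSON log. The script below is an added example, not code from the post or from the Cowrie project; it runs over a constructed sample of cowrie.json lines (the field names eventid, timestamp, src_ip, username, password and shasum are Cowrie's, the values are made up apart from one hash taken from the table further down) and reproduces the total/successful/failed counts, the per-day series, the top usernames and passwords with empty values dropped, and the hashes of captured files.

```python
import json
from collections import Counter

# Constructed sample of Cowrie's cowrie.json output (not data from the post).
# Field names follow Cowrie's JSON log format: eventid, timestamp (ISO 8601, UTC),
# src_ip, username, password, and shasum for files the attacker dropped.
SAMPLE_LOG = """
{"eventid":"cowrie.login.failed","timestamp":"2023-01-29T12:30:05.118Z","src_ip":"198.51.100.7","session":"0001","username":"root","password":"123456"}
{"eventid":"cowrie.login.success","timestamp":"2023-01-29T13:02:41.902Z","src_ip":"198.51.100.7","session":"0002","username":"root","password":"345gs5662d34"}
{"eventid":"cowrie.login.failed","timestamp":"2023-01-30T01:15:00.000Z","src_ip":"203.0.113.9","session":"0003","username":"root","password":"root"}
{"eventid":"cowrie.login.success","timestamp":"2023-01-30T01:15:02.000Z","src_ip":"203.0.113.9","session":"0004","username":"admin","password":"345gs5662d34"}
{"eventid":"cowrie.login.failed","timestamp":"2023-01-30T04:40:12.000Z","src_ip":"192.0.2.44","session":"0005","username":"","password":"3245gs5662d34"}
{"eventid":"cowrie.session.file_download","timestamp":"2023-01-30T01:16:10.000Z","src_ip":"203.0.113.9","session":"0004","shasum":"0815320fe446ceedbc2ad4953d068111a795b087d994d145147452a970dde59d"}
{"eventid":"cowrie.session.connect","timestamp":"2023-01-30T02:00:00.000Z","src_ip":"192.0.2.44","session":"0006"}
"""

LOGIN_EVENTS = ("cowrie.login.success", "cowrie.login.failed")
FILE_EVENTS = ("cowrie.session.file_download", "cowrie.session.file_upload")


def summarize(log_text, top=3):
    """Reproduce the post's headline figures from raw JSON lines."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    logins = [e for e in events if e.get("eventid") in LOGIN_EVENTS]

    # Timestamps are ISO 8601, so the first 10 characters are the UTC date.
    per_day = Counter(e["timestamp"][:10] for e in logins)
    # Empty usernames/passwords are dropped, as the post does with "null".
    usernames = Counter(e["username"] for e in logins if e.get("username"))
    passwords = Counter(e["password"] for e in logins if e.get("password"))
    hashes = {e["shasum"] for e in events
              if e.get("eventid") in FILE_EVENTS and e.get("shasum")}

    return {
        "total": len(logins),
        "success": sum(e["eventid"] == "cowrie.login.success" for e in logins),
        "failed": sum(e["eventid"] == "cowrie.login.failed" for e in logins),
        "per_day": dict(sorted(per_day.items())),
        "top_src_ips": Counter(e["src_ip"] for e in logins).most_common(top),
        "top_usernames": usernames.most_common(top),
        "top_passwords": passwords.most_common(top),
        "file_hashes": sorted(hashes),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Point it at a real var/log/cowrie/cowrie.json by reading the file into log_text; the hashes it returns can then be checked against VirusTotal as in the table below.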

[Charts: source countries; login attempts per day; total, successful and failed login attempts over time]

Files uploaded

Hashes of the files that were uploaded to the honeypot while it was active. I forgot to save and transfer the uploaded files before I shut down and destroyed the virtual machine in Azure. That was stupid, since some of the samples had not been uploaded to VirusTotal.

Hash Size Virustotal detection
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b 1B 0/60
0815320fe446ceedbc2ad4953d068111a795b087d994d145147452a970dde59d 174B 20/60
771229b5b05e22d4f43e728b38c1e6f08fe7157e3c6dcade0e9af065f710f22d 64,91KB 37/63
942641e3997f98bd38ad91561f50910b071a9c495fdff745996cd6c0c2212c18 765B 0/60
a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 389KB 12/59
c5bd2146ebbe575a47a666e07b99eb526d46d74e0d7758bf0bf5cb5b3adaa55a 53,25KB 44/63
cdf16795ec6ea3857851ece799fbe687e0b646a3f555ebd34199a64500b705eb 83,79KB 37/63
e4b85b229c320be8df7fdb02d16a7ebe9aef649c82f2f5750488744a39298f72 ? Not found
ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73 ? Not found
f06d698967cee77e5a7bf9835b0a93394097e7590c156ed0d8c6304345701cfa 3,65MB 34/62

Log files

If anybody wants the log files, let me know.

Lessons learned

If I do this again, I think I will connect a log analysis tool to the honeypot, such as Azure Sentinel, Kibana/Elastic Stack or something similar.