Installing and Setting Up Honeeepi


In a security sense, the term honeypot is used to describe an intentionally vulnerable system with no legitimate use, possibly open to the internet, which is set up for the purpose of both monitoring and detecting potential attacks on the network it is attached to. Keep an eye out for future blog posts where I will show you some of the more interesting logs collected whilst running my honeypots. 

Honeypots are generally divided into three groups based on the level of interaction they offer an attacker. These groups are as follows:

Low Interaction - Honeypots in this category generally offer an open port and a login screen, but will reply to the attacker with random data rather than trying to imitate any interface. They will automatically log any attempted connection. A few honeypots in this category are honeyd, glastopf and thug.

Medium Interaction - Most of the honeypots discussed today will fall into this category, which, as you may imagine, falls somewhere between low and high/full interaction. They will likely offer a simulated interface, such as SSH, with support for a few commands and a virtual file system to offer the attacker a more genuine experience. Examples: cowrie and hornet

High/Full Interaction - A full interaction honeypot is a fully fledged, vulnerable system exposed to the internet. If an attacker were to exploit it they would have a full OS at their disposal, filled with genuine-looking data. It is the ideal way to watch an attacker in their element, with little suspicion that they are being watched or that the system is a fake. However, it could easily be turned against you: if the attacker uses the exploited system to perform illegal acts, the responsibility could fall on you for leaving it intentionally vulnerable.

A good honeypot can be an invaluable tool for both large corporations and home 'hobbyists', giving real insight into what attacks may be occurring and the techniques attackers use, as well as their potential geographic location. It must also be noted that a honeypot can draw attention to an otherwise uninteresting network, so it is always advisable to ensure that all legitimate devices on your network are kept well updated and secured. Placing your honeypot on its own subnet is also a good idea.

In this post I will be discussing how to set up Honeeepi on a Raspberry Pi 3 Model B relatively simply, the post-installation setup, and the actual use of the various honeypots included in the Honeeepi image.

The Honeeepi project is part of Honeynet, and debuted in October 2013 with an image for the original Raspberry Pi Model B; the team have been great at releasing newer images as the Pi has progressed. You can find their wiki here, and the image downloads are hosted on SourceForge here.


Instructions Begin

There are a few prerequisites for this project, listed below:

- A Raspberry Pi (I will be using the Pi 3; the instructions are similar for each model though)
- A micro SD card (Class 10, min. 8 GB, 16 GB+ recommended)
- Some way to power the Pi and connect it to the internet
- A computer to image the SD card (I will be using Linux, however you can use win32diskimager)

You can also use a monitor and keyboard during setup, however it is just as simple to use SSH.

PART 1: PREPARING SD CARD

Step 1: Download the correct Honeeepi image for your Pi. For the Pi 3 I need the 2016.10 version. 

Step 2: Partition the SD card. I will use fdisk. 

- Open a terminal and type

lsblk 

This will list your disks and partitions and allow you to find the ID of your SD card. Mine was 'mmcblk0'.

- Type

sudo fdisk /dev/mmcblk0

Replacing mmcblk0 with your ID from the last step. You may have to enter your password. If you don't, stop running as root :p 

- AFTER COMPLETING THESE COMMANDS ALL DATA ON YOUR SD CARD WILL BE LOST.  Type "d" and press enter, here you can delete any partitions you may have on your SD card. I had two, so I had to type: "1" enter "d" enter "2" enter. 

- Type "n" and hit enter. This is the menu where you will create the correct partition table for Honeeepi. Press "p" then enter to make a primary partition. Then press "1" and hit enter to make it the first partition. You will image the disk later so you can just accept the defaults for the first and last sector, making one large partition. 

Step 3: Decompress the downloaded image file. Type

7z e honeeepi-201610.img.7z

Step 4: Write the image to your SD card. Type

sudo dd bs=2M if=honeeepi-201610.img of=/dev/mmcblk0 

and hit enter. It may take a few minutes to write the image. During this time you will just see a blinking cursor. When you see a prompt appear again the process is finished. 

Step 5: Unmount the SD card with

sudo umount /dev/mmcblk0

remove the SD card and insert it into your Pi, then power it on and connect your ethernet cable.
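The Part 1 steps above, gathered into one script as an added example that is not part of the original post or the Honeeepi project. It adds the checks worth having before pointing dd at a block device: the target must be a block device, must not hold the root filesystem and must not have mounted partitions (where the post unmounts afterwards, this script refuses to write to a mounted card), and the downloaded image is verified against its SHA-256 sum first. The checksum value is a placeholder to be replaced with the one published alongside the download; `status=progress` and `conv=fsync` assume GNU dd, which a Linux desktop will have.

```shell
#!/bin/sh
# Added example, not from the Honeeepi project: the Part 1 imaging steps with
# guards in front of dd. Usage: sh write-honeeepi.sh honeeepi-201610.img /dev/mmcblk0
# Assumes GNU dd (status=progress, conv=fsync) and a Linux /proc/mounts.
set -e

# Placeholder: replace with the SHA-256 published alongside the image download.
IMAGE_SHA256=${IMAGE_SHA256:-REPLACE_WITH_PUBLISHED_SHA256}

# is_mounted DEV [MOUNTS]: true if DEV or one of its partitions is mounted.
# MOUNTS defaults to /proc/mounts; a file can be passed in to exercise the logic.
is_mounted() {
    grep -q "^$1" "${2:-/proc/mounts}"
}

# holds_root DEV [MOUNTS]: true if the root filesystem lives on DEV.
# (A root mounted via an overlay or /dev/root is not detected; check lsblk too.)
holds_root() {
    awk -v dev="$1" '$2 == "/" && index($1, dev) == 1 { found = 1 }
                     END { exit !found }' "${2:-/proc/mounts}"
}

# build_dd_cmd IMAGE DEV: the exact write command, printed for review first.
build_dd_cmd() {
    printf 'dd bs=2M if=%s of=%s conv=fsync status=progress' "$1" "$2"
}

# check_target DEV [MOUNTS]: refuse anything that is not an unmounted, non-root block device.
check_target() {
    dev=$1 mounts=${2:-/proc/mounts}
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if holds_root "$dev" "$mounts"; then echo "$dev holds the root filesystem" >&2; return 1; fi
    if is_mounted "$dev" "$mounts"; then echo "$dev has mounted partitions, unmount them first" >&2; return 1; fi
}

# write_image IMAGE DEV: verify the download, confirm, then write and flush.
write_image() {
    img=$1 dev=$2
    [ -f "$img" ] || { echo "image $img not found (extract the .7z first)" >&2; return 1; }
    echo "$IMAGE_SHA256  $img" | sha256sum -c -    # abort on a corrupt download
    check_target "$dev"
    echo "About to run: $(build_dd_cmd "$img" "$dev")"
    printf 'ALL DATA ON %s WILL BE LOST. Type yes to continue: ' "$dev"
    read -r answer
    [ "$answer" = "yes" ] || { echo "aborted" >&2; return 1; }
    sudo sh -c "$(build_dd_cmd "$img" "$dev")"
    sync                                            # flush before pulling the card
    echo "done, the card can be removed"
}

if [ "$#" -eq 2 ]; then
    write_image "$1" "$2"
fi
```

Run it with the image path and the device name you found with lsblk; with no arguments it only defines the functions, which is also how the mount checks can be exercised against a saved copy of /proc/mounts.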

PART 2: SETUP PI

Step 0/Protip: You can connect using Wi-Fi at this stage if you can either use a monitor and keyboard with the Pi, or let the Pi complete its initial boot, then power it off, remove the SD card and reinsert it into your PC.

You will need to edit the wpa_supplicant configuration file. Open a terminal and type

sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

Then you will need to paste the following into the file, under everything else.

network={
    ssid="Replace_with"
    psk="Your_credentials"
}

Then you can press "Ctrl+O" then enter to save the file and "Ctrl+X" to exit. 

Your Pi may notice the change automatically and try to connect. If it doesn't, you can manually restart the network interface with

sudo ifdown wlan0

and

sudo ifup wlan0

This would also be a good time to run 

ifconfig

and find your IP for the next step.

Step 1: Go to your router control panel or use a network scanning tool to find the IP address of your Pi. Honeeepi boots with SSH running on port 9002 for version 2016.10, or port 22 on any other version.

There are various SSH clients available; I recommend PuTTY or JuiceSSH. The method is similar for all: you enter the IP address, port and login details, then click connect. With some clients you enter the login details after clicking connect instead. You can log in to your Pi with the default credentials:

Login: pi

Password: honeeepi

Step 2: You should now be presented with a remote terminal session on your Pi. The first thing you should do is type

passwd

This will allow you to change the default password for the 'pi' account. Then you should update the Pi. 

sudo apt-get update && sudo apt-get -y upgrade 

This may take a while, depending on your connection speed, but it is very important to ensure that your honeypot is secure. 

PART 3: STARTING & CONFIGURING HONEYPOTS

COWRIE

Cowrie is a medium interaction honeypot which emulates an open SSH port. It has a basic virtual file system which can be altered by the attacker, as well as the capability to capture anything downloaded to the system for later analysis. It also keeps detailed logs of each connection attempt which can be replayed in real time with an included Python script.

Step 0: If you are using any version of Honeeepi except 2016.10, you will need to change the default SSH port to allow cowrie to host its virtual environment on port 22. 

sudo nano /etc/ssh/sshd_config

There will be a line which says

#Port 22

Uncomment the line and replace the port number with your desired SSH control port. (NOTE: this is the port for you to use when connecting to your Pi later, make sure you remember it). Then you can press "Ctrl+O" then enter to save the file and "Ctrl+X" to exit. Now you need to restart SSH.

sudo /etc/init.d/ssh restart
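Step 0 done as a script, as an added example that is not part of Honeeepi, cowrie or the original post. The edit above works once; this version also copes with the line already being uncommented (so re-running it does not leave two Port lines), rejects nonsense port numbers, and runs `sshd -t` so that a broken config is caught before the restart locks you out.

```shell
#!/bin/sh
# Added example, not part of Honeeepi or cowrie: move sshd to a different port
# (Step 0 above) in a way that is safe to re-run, then validate before restarting.
# Usage: sudo sh ssh-port.sh 9002
set -e

# get_ssh_port CONFIG: print the port sshd will actually use
# (first active "Port N" line, or 22 if every Port line is commented out).
get_ssh_port() {
    awk '/^[[:space:]]*Port[[:space:]]+[0-9]+/ { print $2; found = 1; exit }
         END { if (!found) print 22 }' "$1"
}

# set_ssh_port CONFIG PORT: turn the first "Port N" / "#Port N" line into
# "Port PORT", or append one if the file has none. Re-running it is harmless.
set_ssh_port() {
    cfg=$1 port=$2
    case $port in
        ''|*[!0-9]*) echo "port must be a number" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port $port is out of range" >&2; return 1
    fi
    awk -v port="$port" '
        !done && /^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+/ { print "Port " port; done = 1; next }
        { print }
        END { if (!done) print "Port " port }
    ' "$cfg" > "$cfg.tmp"
    cat "$cfg.tmp" > "$cfg"          # keep the original file's owner and mode
    rm -f "$cfg.tmp"
}

# apply_ssh_port PORT: edit the live config, check it parses, restart sshd.
apply_ssh_port() {
    set_ssh_port /etc/ssh/sshd_config "$1"
    sshd -t                          # refuse to restart on a broken config
    /etc/init.d/ssh restart
    echo "sshd now listens on port $(get_ssh_port /etc/ssh/sshd_config); reconnect on that port"
}

if [ "$#" -eq 1 ]; then
    apply_ssh_port "$1"
fi
```

Keep the current SSH session open until you have confirmed a second connection on the new port works; `get_ssh_port` tells you which port the file will actually produce.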

Step 1: Log in as the user 'cowrie'

sudo su cowrie

and navigate to the cowrie directory on your SD card

cd /honeeepi/cowrie

This is the working directory for cowrie, containing config files, the logs which will be created when you run it, a utility to customise the generated virtual filesystem, etc. I will give a brief overview of the most interesting ones:

nano data/userdb.txt

Editing this file will allow you to control the username and password combinations allowed to log into the honeypot. The default file looks like this (the comments after # are my explanation, not part of the file):

root:x:!root         # the exclamation mark blocks a login with this password
root:x:!123456
root:x:*             # the asterisk allows a login with any password,
richard:x:*          # except one blocked by an exclamation mark
richard:x:fout       # this allows a login with a specific combination

It is a good idea to play around with this file until you are comfortable with it, as leaving the defaults will likely make it easier to fingerprint cowrie and disregard the honeypot. 
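To make those rules concrete, here is an added example (not part of cowrie, Honeeepi or the original post) that replays the same matching against a constructed copy of the default userdb.txt and lists which accounts accept any password at all. It assumes rules are checked top to bottom and the first one that applies decides, which is what the stock file's ordering (the '!' lines before the '*' line) relies on.

```shell
#!/bin/sh
# Added example, not part of cowrie or Honeeepi: replay cowrie's userdb.txt
# rules (username:uid:password, '*' = any password, leading '!' = refuse that
# password) against a constructed copy of the default file.
# Assumption: lines are checked top to bottom and the first applicable rule wins.
set -e

# write_default_userdb PATH: constructed copy of the stock file shown above.
write_default_userdb() {
    cat > "$1" <<'EOF'
root:x:!root
root:x:!123456
root:x:*
richard:x:*
richard:x:fout
EOF
}

# userdb_allows FILE USER PASS: exit 0 if the honeypot would accept the login.
userdb_allows() {
    while IFS=: read -r login _uid dbpass || [ -n "$login" ]; do
        case $login in ''|\#*) continue ;; esac         # blank or comment line
        [ "$login" = "$2" ] || continue
        if [ "$dbpass" = "!$3" ]; then return 1; fi      # explicit refusal
        if [ "$dbpass" = "*" ] || [ "$dbpass" = "$3" ]; then return 0; fi
    done < "$1"
    return 1                                            # no rule matched
}

# userdb_wildcard_users FILE: print each account that accepts any password,
# the entries most worth changing before exposing the honeypot.
userdb_wildcard_users() {
    while IFS=: read -r login _uid dbpass || [ -n "$login" ]; do
        if [ "$dbpass" = "*" ]; then printf '%s\n' "$login"; fi
    done < "$1"
}

# Demo on the constructed file.
tmp=$(mktemp -d)
write_default_userdb "$tmp/userdb.txt"
for cred in root:root root:123456 root:toor richard:fout richard:anything pi:honeeepi; do
    if userdb_allows "$tmp/userdb.txt" "${cred%%:*}" "${cred#*:}"; then
        echo "ACCEPT $cred"
    else
        echo "REJECT $cred"
    fi
done
echo "accounts accepting any password: $(userdb_wildcard_users "$tmp/userdb.txt" | tr '\n' ' ')"
rm -rf "$tmp"
```

Running it shows why the defaults are easy to fingerprint: root is refused only for "root" and "123456" and accepted for everything else, and richard is accepted for anything. Point `userdb_allows` at your edited file to check a new rule set before starting cowrie.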


About TSSec

We are Digger and Odskee, a small information security research team based in the UK. We love breaking and fixing things and enjoy getting our hands dirty in the field of infosec.

Odskee tends to focus on the theoretical, software-based aspects while Digger finds himself at home with the raw electronics. We both have a number of years of experience within a number of similar roles and think these work best as a team.

©2018 TSSec