
Honeypot Cowrie

🎃 kr0m

Honeypots can be very useful in certain environments. For example, we can make attackers waste their time and lose interest in us by keeping them busy with these servers. It is also very entertaining to see which techniques they use and what kinds of attacks they run.

First, we install support for virtualenvs in Python:

emerge -av dev-python/virtualenv

We add the user with which we will run the honeypot:

useradd cowrie

We clone the project code:

We create a virtual env, activate it, and install the requirements:

cd cowrie/
virtualenv --python=python3 cowrie-env
source cowrie-env/bin/activate
pip install --upgrade pip
pip install --upgrade -r requirements.txt

We configure Cowrie to look like a more ordinary system and to save its logs to a text file:

cp etc/cowrie.cfg.dist etc/cowrie.cfg
vi etc/cowrie.cfg

[honeypot]
hostname = RX4

[shell]
kernel_version = 4.2.0-4-kr0m-amd64
kernel_build_string = #1 SMP Gentoo 4.2.0

[ssh]
version = SSH-2.0-OpenSSH_6.0p1 Gentoo-amd64

[output_jsonlog]
enabled = false

[output_textlog]
enabled = true
logfile = ${honeypot:log_path}/audit.log
format = text

We start it just to check that the base installation works:

bin/cowrie start

Cowrie listens on port 2222, so we add the following firewall rule to redirect traffic arriving on port 22 to port 2222:

iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

We connect via ssh:

ssh HONEYPOT -p22

We check that the commands are logged and everything works correctly:

tail var/log/cowrie/audit.log
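Reading the audit log by hand is fine for a first check, but the value of a honeypot comes from summarising what each session did: which credentials got in, which commands ran, and whether any of the planted bait was touched. The following is an added example (not part of the original article and not Cowrie's own code). It assumes the text log has the shape "timestamp session-id message", which is how I understand Cowrie's output_textlog plugin writes it; the log lines in it are constructed, not captured from a real honeypot.

```python
"""Summarise a Cowrie text audit log per session.

Added example, not part of the article or of the Cowrie project.
Assumption: each line is "<timestamp> <session-id> <message>" (output_textlog
format as I understand it). SAMPLE_LOG is constructed, not a real capture.
"""
import re
from collections import defaultdict

# Constructed sample lines, shaped like output_textlog output (assumption).
SAMPLE_LOG = """\
2023-05-01T10:00:01.000000Z a1b2c3d4e5f6 New connection: 203.0.113.5:51234 (10.0.0.2:2222) [session: a1b2c3d4e5f6]
2023-05-01T10:00:02.000000Z a1b2c3d4e5f6 login attempt [root/admin] failed
2023-05-01T10:00:04.000000Z a1b2c3d4e5f6 login attempt [root/123456] succeeded
2023-05-01T10:00:05.000000Z a1b2c3d4e5f6 CMD: uname -a
2023-05-01T10:00:06.000000Z a1b2c3d4e5f6 CMD: cat /etc/shadow
2023-05-01T10:00:07.000000Z a1b2c3d4e5f6 CMD: cat /id_rsa
2023-05-01T10:00:09.000000Z a1b2c3d4e5f6 Connection lost after 8 seconds
2023-05-01T10:05:00.000000Z 0f0f0f0f0f0f New connection: 198.51.100.7:40000 (10.0.0.2:2222) [session: 0f0f0f0f0f0f]
2023-05-01T10:05:01.000000Z 0f0f0f0f0f0f login attempt [admin/admin] failed
2023-05-01T10:05:02.000000Z 0f0f0f0f0f0f Connection lost after 2 seconds
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<session>\S+) (?P<msg>.*)$")
CONN_RE = re.compile(r"^New connection: (?P<ip>[\d.]+):\d+")
LOGIN_RE = re.compile(
    r"^login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)$"
)
CMD_RE = re.compile(r"^CMD: (?P<cmd>.*)$")

# Paths only an intruder would read. Reading one of the "gifts" planted in
# the honeyfs is a strong signal worth alerting on.
BAIT_PATHS = ("/etc/shadow", "/id_rsa", ".ssh/id_rsa")


def parse_line(line):
    """Return (timestamp, session, message) or None for an unparseable line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return m.group("ts"), m.group("session"), m.group("msg")


def summarise(text):
    """Group log lines by session id and extract what an analyst wants to know."""
    sessions = defaultdict(
        lambda: {"src_ip": None, "logins": [], "commands": [], "bait_hits": []}
    )
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # tolerate unexpected lines instead of aborting the report
        _ts, sid, msg = parsed
        s = sessions[sid]
        if (m := CONN_RE.match(msg)):
            s["src_ip"] = m.group("ip")
        elif (m := LOGIN_RE.match(msg)):
            s["logins"].append((m.group("user"), m.group("pw"), m.group("result") == "succeeded"))
        elif (m := CMD_RE.match(msg)):
            cmd = m.group("cmd")
            s["commands"].append(cmd)
            if any(p in cmd for p in BAIT_PATHS):
                s["bait_hits"].append(cmd)
    return dict(sessions)


def successful_credentials(sessions):
    """Credentials that actually got a shell, across all sessions (sorted)."""
    return sorted({(u, p) for s in sessions.values() for u, p, ok in s["logins"] if ok})


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for sid, s in report.items():
        print(sid, s["src_ip"], "commands:", s["commands"], "bait:", s["bait_hits"])
    print("working credentials:", successful_credentials(report))
```

Point it at var/log/cowrie/audit.log instead of SAMPLE_LOG once the honeypot has collected some traffic. The bait list is the useful knob: a session that reads /etc/shadow or a planted id_rsa is the one to look at first.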

We stop Cowrie in order to generate our own filesystem:

bin/cowrie stop

To generate a filesystem we will use the bin/createfs script that ships with Cowrie. It produces a file containing metadata for every file (name, permissions, ownership, size, etc.), but the files themselves have no content: if you cat one of them inside the honeypot it will be empty. To give them content, the real files must be placed under the honeyfs directory.

The simplest way to do this is to take an LXD container (CT), copy its rootfs into honeyfs, and then generate the pickle file from that rootfs:
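To make the metadata/content split concrete, here is an added example (my own code, not Cowrie's bin/createfs) that walks a directory tree, records each entry as a metadata-only record, pickles the result and then resolves paths in it. The record layout (10-element lists indexed A_NAME .. A_REALFILE and the T_LINK .. T_FIFO type codes) follows cowrie/shell/fs.py as I know it; treat that as an assumption and compare it with the fs.py of the Cowrie version you run. The sample tree is constructed in a temporary directory.

```python
"""Build a Cowrie-style fs.pickle from a directory tree and query it.

Added example, not Cowrie's own createfs. Field indices and type codes are
assumed to match cowrie/shell/fs.py; the sample tree is constructed.
"""
import os
import pickle
import stat
import tempfile

# Field indices of each entry and type codes (assumed to match Cowrie's fs.py).
A_NAME, A_TYPE, A_UID, A_GID, A_SIZE, A_MODE, A_CTIME, A_CONTENTS, A_TARGET, A_REALFILE = range(10)
T_LINK, T_DIR, T_FILE, T_BLK, T_CHR, T_SOCK, T_FIFO = range(7)


def _entry_type(st):
    """Map an os.lstat result onto the honeypot's type codes."""
    mode = st.st_mode
    if stat.S_ISLNK(mode):
        return T_LINK
    if stat.S_ISDIR(mode):
        return T_DIR
    if stat.S_ISREG(mode):
        return T_FILE
    if stat.S_ISBLK(mode):
        return T_BLK
    if stat.S_ISCHR(mode):
        return T_CHR
    if stat.S_ISSOCK(mode):
        return T_SOCK
    return T_FIFO


def build_tree(path, name):
    """Describe `path` recursively as a metadata-only entry (no file bodies)."""
    st = os.lstat(path)
    kind = _entry_type(st)
    target = os.readlink(path) if kind == T_LINK else None
    children = []
    if kind == T_DIR:
        for child in sorted(os.listdir(path)):
            children.append(build_tree(os.path.join(path, child), child))
    # Regular-file bodies are deliberately NOT stored: this is why `cat` prints
    # nothing in the honeypot unless the same path also exists under honeyfs/.
    return [name, kind, st.st_uid, st.st_gid, st.st_size, st.st_mode,
            int(st.st_ctime), children, target, None]


def createfs(root_dir, out_pickle):
    """Walk root_dir and write the tree to out_pickle; returns the tree."""
    tree = build_tree(root_dir, "/")
    with open(out_pickle, "wb") as fh:
        pickle.dump(tree, fh)
    return tree


def lookup(tree, path):
    """Walk the tree to the entry at absolute `path`, or None if absent."""
    node = tree
    for part in [p for p in path.split("/") if p]:
        if node[A_TYPE] != T_DIR:
            return None
        node = next((c for c in node[A_CONTENTS] if c[A_NAME] == part), None)
        if node is None:
            return None
    return node


def demo():
    """Construct a tiny tree, pickle it, reload it and resolve a few paths."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "etc"))
        with open(os.path.join(tmp, "etc", "hostname"), "w") as fh:
            fh.write("RX4\n")
        os.symlink("hostname", os.path.join(tmp, "etc", "HOSTNAME"))
        os.makedirs(os.path.join(tmp, "home", "kr0m", ".ssh"))
        out = os.path.join(tmp, "fs.pickle")
        createfs(tmp, out)
        with open(out, "rb") as fh:
            tree = pickle.load(fh)
        hostname = lookup(tree, "/etc/hostname")
        link = lookup(tree, "/etc/HOSTNAME")
        return {
            "hostname_type": hostname[A_TYPE],
            "hostname_size": hostname[A_SIZE],
            "link_target": link[A_TARGET],
            "ssh_dir_is_dir": lookup(tree, "/home/kr0m/.ssh")[A_TYPE] == T_DIR,
            "missing": lookup(tree, "/etc/shadow"),
        }


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the pickle knows /etc/hostname is a 4-byte regular file but never stores the bytes "RX4"; those are served from honeyfs/etc/hostname, which is exactly why the article copies a full rootfs into honeyfs before running createfs.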

ssh LXD
cd /var/lib/lxd/containers/NAME/
tar czvf rootfs.tar.gz rootfs
exit

As root:

scp SERVER:/var/lib/lxd/containers/NAME/rootfs.tar.gz /home/cowrie/
cd /home/cowrie/
tar xvzf rootfs.tar.gz
cp -r rootfs/* cowrie/honeyfs/
chown -R root:root /home/cowrie/cowrie/honeyfs/

We tweak the system a bit:

cd /home/cowrie/cowrie/honeyfs/etc
vi hostname
vi issue
vi motd
vi hosts

NOTE: Changes made to /root are not reflected. I suppose this is some security measure of Cowrie to avoid possible information leaks.

We leave some gifts:

vi shadow

root:!PLAYWITHTHEBESTDIELIKETHEREST:10770:0:::::
vi ../id_rsa
PLAYWITHTHEBESTDIELIKETHEREST
mkdir -p /home/cowrie/cowrie/honeyfs/home/kr0m/.ssh
echo "PLAYWITHTHEBESTDIELIKETHEREST" > /home/cowrie/cowrie/honeyfs/home/kr0m/.ssh/id_rsa
chown -R kr0m:kr0m /home/cowrie/cowrie/honeyfs/home/kr0m/

We move the original filesystem metadata aside and regenerate it from the current honeyfs structure:

mv share/cowrie/fs.pickle share/cowrie/fs.pickle.ori
bin/createfs -l honeyfs -o share/cowrie/fs.pickle

We start cowrie:

bin/cowrie start

We access via ssh and check the changes:

ssh HONEYPOT -p22

Welcome to Gentoo system
root@RX4:~# uname -a
Linux RX4 4.2.0-4-kr0m-amd64 #1 SMP Gentoo 4.2.0 x86_64 GNU/Linux
root@RX4:~# cat /etc/hostname
RX4
root@RX4:~# cat /etc/shadow
root:!PLAYWITHTHEBESTDIELIKETHEREST:10770:0:::::
root@RX4:~# cat /id_rsa
PLAYWITHTHEBESTDIELIKETHEREST

If we need to restore the original filesystem, we can always download it from the git repo:

If the machine restarts, we will have to start Cowrie again after first loading the Python virtual environment:

su cowrie -l
cd cowrie
virtualenv --python=python3 cowrie-env
source cowrie-env/bin/activate
bin/cowrie start

NOTE: On login, a copy of the filesystem is loaded into RAM; this may take a while depending on the hardware Cowrie is running on.

If you liked the article, you can treat me to a RedBull here