Customizing your Cowrie honeypot


Creating a pickle filesystem

mkdir -p /tmp/picklefs
# Copy the directories to mimic out of the running container (DOCKER_ID is the
# container's ID); only names, sizes and modes will end up in the pickle.
for i in proc usr sbin sys lib etc bin
do
  docker cp DOCKER_ID:/$i /tmp/picklefs
done
An excerpt of the filesystem I am mimicking on my honeypot
Pickle filesystem as viewed by the attacker. Note that s/he can enter the libubox directory and list its files, and jshn.sh shows a plausible size, but it is all fake: the file cannot actually be read. If you want a file to be readable, you need to use Cowrie's honeyfs feature.
./fsctl ./fs.pickle
fs.pickle:/$ cd ffs
fs.pickle:/ffs$ ls -l
-rw-rw-r-- 1 1 1 0 2020-03-24 15:28 CONFIG.XML
...
fs.pickle:/ffs$ chown 0 CONFIG.XML
former UID: 1. New UID: 0
fs.pickle:/ffs$ chgrp 0 CONFIG.XML
former GID: 1. New GID: 0

Adding custom files attackers can access

The attacker can list /etc and read /etc/passwd
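The two steps above (building the pickle from a staging copy, then making a chosen file really readable through honeyfs) as one added example. This is not Cowrie's own createfs or fsctl code; it assumes the node layout of cowrie/shell/fs.py (one list per node with name, type, uid, gid, size, mode, ctime, contents, target, realfile) and that Cowrie serves a file's bytes from the contents_path (honeyfs) directory when a pickle entry with the same path exists. Directory names, file contents and the honeyfs location are constructed for the demonstration.

```python
import os
import pickle
import stat
import tempfile
import time

# Node layout of Cowrie's pickle filesystem (assumed to match cowrie/shell/fs.py):
# [name, type, uid, gid, size, mode, ctime, contents, target, realfile]
(A_NAME, A_TYPE, A_UID, A_GID, A_SIZE,
 A_MODE, A_CTIME, A_CONTENTS, A_TARGET, A_REALFILE) = range(10)
T_LINK, T_DIR, T_FILE, T_BLK, T_CHR, T_SOCK, T_FIFO = range(7)


def build_node(path, name):
    """Turn one entry of the staging tree into a pickle node, recursing into
    directories. Only metadata is recorded (name, size, mode, owner); the
    bytes stay behind, which is why the attacker can list but not read."""
    st = os.lstat(path)
    node = [name, T_FILE, st.st_uid, st.st_gid, st.st_size, st.st_mode,
            int(st.st_mtime), None, None, None]
    if stat.S_ISLNK(st.st_mode):
        node[A_TYPE], node[A_TARGET] = T_LINK, os.readlink(path)
    elif stat.S_ISDIR(st.st_mode):
        node[A_TYPE] = T_DIR
        node[A_CONTENTS] = [build_node(os.path.join(path, c), c)
                            for c in sorted(os.listdir(path))]
    return node


def build_fs(staging_dir):
    """Root node for a staging copy such as /tmp/picklefs."""
    return build_node(staging_dir, "/")


def lookup(root, path):
    """Walk the tree for an absolute path; None if any component is missing."""
    node = root
    for part in path.strip("/").split("/"):
        if not part:
            continue
        if node[A_TYPE] != T_DIR:
            return None
        node = next((c for c in node[A_CONTENTS] if c[A_NAME] == part), None)
        if node is None:
            return None
    return node


def add_honeyfs_file(root, honeyfs_dir, path, data, uid=0, gid=0, mode=0o644):
    """Make a file the attacker can really read: a pickle entry with the right
    size plus the actual bytes under contents_path (honeyfs) at the same
    relative path. Cowrie serves the honeyfs copy once the pickle entry exists."""
    parent_path, name = os.path.split(path)
    parent = lookup(root, parent_path)
    if parent is None or parent[A_TYPE] != T_DIR:
        raise FileNotFoundError(f"{parent_path} is not a directory in the pickle")
    parent[A_CONTENTS] = [c for c in parent[A_CONTENTS] if c[A_NAME] != name]
    parent[A_CONTENTS].append([name, T_FILE, uid, gid, len(data),
                               stat.S_IFREG | mode, int(time.time()),
                               None, None, None])
    real = os.path.join(honeyfs_dir, path.lstrip("/"))
    os.makedirs(os.path.dirname(real), exist_ok=True)
    with open(real, "wb") as fh:
        fh.write(data)
    return real


def demo():
    """Constructed walk-through: stage a tiny tree, pickle it, add a readable
    /etc/passwd, reload the pickle and report what an attacker would get."""
    work = tempfile.mkdtemp()
    staging = os.path.join(work, "picklefs")
    honeyfs = os.path.join(work, "honeyfs")
    os.makedirs(os.path.join(staging, "etc"))
    os.makedirs(os.path.join(staging, "ffs"))
    with open(os.path.join(staging, "ffs", "CONFIG.XML"), "wb") as fh:
        fh.write(b"<config/>")  # size is recorded, content is not copied
    root = build_fs(staging)
    add_honeyfs_file(root, honeyfs, "/etc/passwd",
                     b"root:x:0:0:root:/root:/bin/ash\n")
    pickle_path = os.path.join(work, "fs.pickle")
    with open(pickle_path, "wb") as fh:
        pickle.dump(root, fh)
    with open(pickle_path, "rb") as fh:
        fs = pickle.load(fh)
    config, passwd = lookup(fs, "/ffs/CONFIG.XML"), lookup(fs, "/etc/passwd")
    return {
        "config_size": config[A_SIZE],  # ls -l shows the size ...
        "config_readable": os.path.exists(os.path.join(honeyfs, "ffs", "CONFIG.XML")),  # ... cat gets nothing
        "passwd_size": passwd[A_SIZE],
        "passwd_readable": os.path.exists(os.path.join(honeyfs, "etc", "passwd")),
        "missing": lookup(fs, "/ffs/nope"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is worth keeping in mind when you populate a honeypot: everything copied into the pickle is visible metadata, so sizes and ownership should look right (the fsctl session above is fixing exactly that), while anything placed in honeyfs is content an attacker will download and inspect, so it must not leak real credentials or hostnames.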

Prompts and banners

# telnet prompt
telnet_username_prompt_regex = (\n|^) login: .*
# SSH banner
ssh_version = OpenSSH_7.9p1, OpenSSL 1.1.1a 20 Nov 2018
version = SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
# Modify the response of '/bin/uname'
# Default (uname -a): Linux <hostname> <kernel_version>
# <kernel_build_string> <hardware_platform> <operating system>
kernel_version = 3.10.27
kernel_build_string = #781 SMP
hardware_platform = armv7l
operating_system = GNU/Linux
prompt = YourPrompt>
Adding the prompt feature to Cowrie: now integrated into Cowrie's repository

Creating a [fake] command

Interface: wl0
SSID:
Identity:
WEP Hex KEY / WPA-PSK Passphrase:
Encryption: none
Authentication: open
EAP: none
Association Status:UNASSOCIATED
Access Point MAC Address:00:00:00:00:00:00
Signal Strength: 0%
Signal Strength: 0dBm (-100dBm Min, -40dBm Max)
Pump Channel: 0
Access Point Channel: 0

Creating simple operational commands

$ ls -al 
drwxr-xr-x 2 axelle axelle 4096 Apr 2 2020 .
drwxrwxr-x 14 axelle axelle 4096 Apr 27 2020 ..
-rwxr-xr-x 1 axelle axelle 372766 Apr 2 2020 ash
-rwxr-xr-x 1 axelle axelle 204 Mar 21 2020 board_detect
-rwxr-xr-x 1 axelle axelle 372766 Mar 21 2020 busybox
-rwxr-xr-x 1 axelle axelle 372766 Apr 2 2020 cat
-rwxr-xr-x 1 axelle axelle 372766 Apr 2 2020 chgrp
-rwxr-xr-x 1 axelle axelle 372766 Apr 2 2020 chmod
-rwxr-xr-x 1 axelle axelle 372766 Apr 2 2020 chown
-rwxr-xr-x 1 axelle axelle 372766 Apr 2 2020 cp

Listing processes

4000> ps
PID TTY TIME COMMAND
7807 pts/0 0:00 -bash
7809 pts/0 0:00 ps
4000> ps aex
PID TTY STAT TIME COMMAND
1 ? Ss 0.48 /lib/systemd/systemd --system --deserialize 20
2 ? S< 0.0 [kthreadd]
...
{
"COMMAND": "/usr/bin/mds --daemon",
"CPU": 0.0,
"MEM": 0.0,
"PID": 28002,
"RSS": 0,
"START": "Apr6",
"STAT": "Ss",
"TIME": 0.0,
"TTY": "?",
"USER": "mds",
"VSZ": 0
}
4000> ps aex
PID TTY STAT TIME COMMAND
1 ? Ss 0.48 /lib/systemd/systemd --system --deserialize 20
[..]
28002 ? Ss 0.0 /usr/bin/mds --daemon
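How a record like the JSON entry above turns into a `ps` line, as an added example that is neither the author's change nor Cowrie's own ps implementation. It assumes that Cowrie's ps command takes its process table from a JSON file (share/cowrie/cmdoutput.json in the versions I have used; check your install) whose records carry the keys shown above, and that the list sits under command/ps in that file (adjust PS_PATH if yours differs). The sample file content is constructed, the rendering of `ps` versus `ps aex` is mine and only approximates Cowrie's.

```python
import json

# Keys and value types of one process record, taken from the entry shown
# above. Booleans are rejected explicitly because bool is a subclass of int.
PS_FIELDS = {
    "USER": str, "PID": int, "CPU": float, "MEM": float, "VSZ": int, "RSS": int,
    "TTY": str, "STAT": str, "START": str, "TIME": float, "COMMAND": str,
}

# Where the process list sits inside the JSON document. This nesting is an
# assumption; check share/cowrie/cmdoutput.json in your install and adjust.
PS_PATH = ("command", "ps")

# Constructed stand-in for the real file, with three records.
SAMPLE_CMDOUTPUT = json.dumps({"command": {"ps": [
    {"USER": "root", "PID": 1, "CPU": 0.0, "MEM": 0.1, "VSZ": 0, "RSS": 0,
     "TTY": "?", "STAT": "Ss", "START": "Apr6", "TIME": 0.48,
     "COMMAND": "/lib/systemd/systemd --system --deserialize 20"},
    {"USER": "root", "PID": 2, "CPU": 0.0, "MEM": 0.0, "VSZ": 0, "RSS": 0,
     "TTY": "?", "STAT": "S<", "START": "Apr6", "TIME": 0.0,
     "COMMAND": "[kthreadd]"},
    {"USER": "axelle", "PID": 7807, "CPU": 0.0, "MEM": 0.0, "VSZ": 0, "RSS": 0,
     "TTY": "pts/0", "STAT": "Ss", "START": "Apr6", "TIME": 0.0,
     "COMMAND": "-bash"},
]}})


def validate_process(entry):
    """Reject records that would break the ps command: missing keys, wrong
    types. Integers are accepted where a float is expected (0 for 0.0)."""
    missing = set(PS_FIELDS) - set(entry)
    if missing:
        raise ValueError(f"missing keys: {sorted(missing)}")
    for key, typ in PS_FIELDS.items():
        val = entry[key]
        if isinstance(val, bool):
            raise TypeError(f"{key}: bool is not a valid value")
        if typ is float and isinstance(val, int):
            continue
        if not isinstance(val, typ):
            raise TypeError(f"{key}: expected {typ.__name__}, got {type(val).__name__}")
    return True


def _table(data):
    for key in PS_PATH:
        data = data[key]
    return data


def add_process(cmdoutput_text, entry):
    """Return the JSON text with `entry` inserted, keeping PIDs unique and the
    list sorted so the fake table reads like a real one."""
    validate_process(entry)
    data = json.loads(cmdoutput_text)
    table = _table(data)
    if any(p["PID"] == entry["PID"] for p in table):
        raise ValueError(f"PID {entry['PID']} already present")
    table.append(dict(entry))
    table.sort(key=lambda p: p["PID"])
    return json.dumps(data, indent=1)


def render_ps(cmdoutput_text, args=""):
    """Approximation of what the attacker sees (my rendering, not Cowrie's):
    plain `ps` lists only processes attached to a terminal, while a/e/x style
    flags show every record with its STAT column. Returns the rows."""
    procs = _table(json.loads(cmdoutput_text))
    if set(args) & {"a", "e", "x"}:
        rows = ["PID TTY STAT TIME COMMAND"]
        rows += [f"{p['PID']} {p['TTY']} {p['STAT']} {p['TIME']} {p['COMMAND']}"
                 for p in procs]
    else:
        rows = ["PID TTY TIME COMMAND"]
        rows += [f"{p['PID']} {p['TTY']} "
                 f"{int(p['TIME']) // 60}:{int(p['TIME']) % 60:02d} {p['COMMAND']}"
                 for p in procs if p["TTY"].startswith("pts")]
    return rows


if __name__ == "__main__":
    mds = {"USER": "mds", "PID": 28002, "CPU": 0.0, "MEM": 0.0, "VSZ": 0, "RSS": 0,
           "TTY": "?", "STAT": "Ss", "START": "Apr6", "TIME": 0.0,
           "COMMAND": "/usr/bin/mds --daemon"}
    print("\n".join(render_ps(add_process(SAMPLE_CMDOUTPUT, mds), "aex")))
```

Two details matter when you add processes by hand: a duplicate PID or a missing key breaks the whole table for every attacker session, and a daemon with TTY "?" only appears with the a/e/x style flags, which is why the page's plain `ps` shows just the shell and `ps aex` shows the new mds entry.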

@cryptax

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.