Customizing your Cowrie honeypot

  1. The Cowrie config file ./etc/cowrie.cfg. This is the main config file of the honeypot. You can configure path names (so the paths used below may differ on your setup), login options, prompts, architecture etc.
  2. Fake commands in ./share/cowrie/txtcmds. It would take too much time to emulate all commands. Some of them can be emulated very basically by always returning the same text, such as a usage message or an error. This is the directory for such commands.
  3. The honeypot filesystem ./honeyfs. This is where you place a tree of files you want the attacker to see.
  4. The pickle filesystem ./share/cowrie/fs.pickle. This is a virtual filesystem: files in there won't really exist (you can't cat them, for example) but they get listed in the tree of files. This helps make the system look real without copying each file (which would take space).

Creating a pickle filesystem

# Copy the directories to mimic out of a running container (DOCKER_ID is the
# container id or name). Create the destination first: if /tmp/picklefs does not
# exist yet, the first "docker cp" is renamed to /tmp/picklefs itself instead of
# landing inside it, and the following directories end up nested in it.
mkdir -p /tmp/picklefs
for i in proc usr sbin sys lib etc bin
do
    docker cp "DOCKER_ID:/$i" /tmp/picklefs
done
An excerpt of the filesystem I am mimicking on my honeypot
Pickle filesystem viewed by the attacker. See how s/he can go into the libubox directory and list files, and jshn.sh has a valid size, but it's all fake: in reality you cannot read the file. If you want the file to be readable, you need to use Cowrie's honeyfs feature.
./fsctl ./fs.pickle
fs.pickle:/$ cd ffs
fs.pickle:/ffs$ ls -l
-rw-rw-r-- 1 1 1 0 2020-03-24 15:28 CONFIG.XML
...
fs.pickle:/ffs$ chown 0 CONFIG.XML
former UID: 1. New UID: 0
fs.pickle:/ffs$ chgrp 0 CONFIG.XML
former GID: 1. New GID: 0
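To make the pickle format concrete, here is an added example (my own code, not Cowrie's fsctl or createfs.py) that builds an fs.pickle from a directory copied out of a container, such as /tmp/picklefs above, then lists and chowns entries the way the fsctl session shows. It assumes the ten-field entry layout and type codes (A_NAME through A_REALFILE, T_DIR and friends) that Cowrie's src/cowrie/shell/fs.py defines; check them against your Cowrie version before feeding the result to the honeypot. The sample tree it pickles is constructed inside a temporary directory.

```python
import os
import pickle
import stat
import tempfile

# Layout of one fs.pickle entry and the type codes. Assumption: this mirrors the
# A_* / T_* constants in Cowrie's src/cowrie/shell/fs.py; verify for your version.
A_NAME, A_TYPE, A_UID, A_GID, A_SIZE, A_MODE, A_CTIME, A_CONTENTS, A_TARGET, A_REALFILE = range(10)
T_LINK, T_DIR, T_FILE, T_BLK, T_CHR, T_SOCK, T_FIFO = range(7)


def build_entry(path: str, name: str) -> list:
    """Describe path by metadata only: directories recurse, file bodies are dropped."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        ftype, target = T_LINK, os.readlink(path)
    elif stat.S_ISDIR(st.st_mode):
        ftype, target = T_DIR, None
    else:
        ftype, target = T_FILE, None
    children = []
    if ftype == T_DIR:
        for child in sorted(os.listdir(path)):
            children.append(build_entry(os.path.join(path, child), child))
    # A_REALFILE stays None: the entry lists with its real size, but nothing points
    # at a readable copy, so "cat" on it fails unless honeyfs provides the file.
    return [name, ftype, st.st_uid, st.st_gid, st.st_size, st.st_mode,
            int(st.st_mtime), children, target, None]


def create_pickle(root_dir: str, out_path: str) -> None:
    """Serialise the tree rooted at root_dir (e.g. /tmp/picklefs) into an fs.pickle."""
    tree = build_entry(root_dir, "/")
    with open(out_path, "wb") as fh:
        pickle.dump(tree, fh)


def resolve(tree: list, path: str) -> list:
    """Walk an absolute path inside the tree, as fsctl's cd does."""
    node = tree
    for part in [p for p in path.split("/") if p]:
        for child in node[A_CONTENTS]:
            if child[A_NAME] == part:
                node = child
                break
        else:
            raise FileNotFoundError(path)
    return node


def ls_l(tree: list, path: str) -> list[str]:
    """Render a directory like fsctl's 'ls -l': mode, uid, gid, size, name."""
    return [f"{stat.filemode(e[A_MODE])} {e[A_UID]} {e[A_GID]} {e[A_SIZE]:>8} {e[A_NAME]}"
            for e in resolve(tree, path)[A_CONTENTS]]


def chown(tree: list, path: str, uid: int, gid: int) -> tuple[int, int]:
    """Rewrite the owner fields of one entry; returns the former (uid, gid)."""
    node = resolve(tree, path)
    former = (node[A_UID], node[A_GID])
    node[A_UID], node[A_GID] = uid, gid
    return former


def demo() -> dict:
    """Constructed sample tree (/ffs/CONFIG.XML, /lib/libubox/jshn.sh), pickled and reloaded."""
    with tempfile.TemporaryDirectory() as src:
        os.makedirs(os.path.join(src, "ffs"))
        os.makedirs(os.path.join(src, "lib", "libubox"))
        with open(os.path.join(src, "ffs", "CONFIG.XML"), "w") as fh:
            fh.write("<config/>\n")            # 10 bytes
        with open(os.path.join(src, "lib", "libubox", "jshn.sh"), "w") as fh:
            fh.write("#!/bin/sh\n" * 5)         # 50 bytes
        with tempfile.TemporaryDirectory() as out_dir:
            out = os.path.join(out_dir, "fs.pickle")
            create_pickle(src, out)
            with open(out, "rb") as fh:
                tree = pickle.load(fh)
        build_uid = os.getuid()
    # Both temporary directories are gone, yet the tree still lists their files.
    node = resolve(tree, "/ffs/CONFIG.XML")
    former = chown(tree, "/ffs/CONFIG.XML", 0, 0)
    return {
        "listing": ls_l(tree, "/lib/libubox"),
        "size": node[A_SIZE],
        "former": former,
        "build_uid": build_uid,
        "uid_now": node[A_UID],
        "has_real_file": node[A_REALFILE] is not None,
    }


if __name__ == "__main__":
    for line in demo()["listing"]:
        print(line)
```

The size and mode survive while the content does not, which is exactly the behaviour the screenshot describes: jshn.sh shows a plausible size in the listing and still cannot be read.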

Adding custom files attackers can access

The attacker can list /etc and read /etc/passwd
  • honeyfs/etc/hostname
  • honeyfs/proc/cpuinfo: customize this for your system’s architecture (e.g. ARM)
  • honeyfs/proc/mounts: typically customize this if you are imitating an embedded device: they frequently use JFFS2, tmpfs etc.
  • honeyfs/proc/meminfo: customize with a plausible amount of memory for your system.
  • honeyfs/root directory.

Prompts and banners

# telnet prompt
telnet_username_prompt_regex = (\n|^) login: .*
# SSH banner
ssh_version = OpenSSH_7.9p1, OpenSSL 1.1.1a 20 Nov 2018
version = SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
# Modify the response of '/bin/uname'
# Default (uname -a): Linux <hostname> <kernel_version>
# <kernel_build_string> <hardware_platform> <operating system>
kernel_version = 3.10.27
kernel_build_string = #781 SMP
hardware_platform = armv7l
operating_system = GNU/Linux
prompt=YourPrompt>
Adding the prompt feature to Cowrie — now integrated into Cowrie's repository
  • honeyfs/etc/issue
  • honeyfs/etc/issue.net: customize your Telnet banner in here
  • honeyfs/etc/motd: customize your login banner here
  • honeyfs/proc/version: Unix version
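Because uname output comes from cowrie.cfg while /proc/cpuinfo, /proc/version and /etc/hostname come from honeyfs, the two can drift apart, and a visitor who runs both gets an easy tell. The following added check (my own code, not part of Cowrie) reads the [honeypot] section of cowrie.cfg and the honeyfs files listed above and reports disagreements. The section and key names (hostname, hardware_platform, kernel_version under [honeypot]) are assumed from Cowrie's etc/cowrie.cfg.dist; the architecture patterns and the two sample trees are constructed.

```python
import configparser
import os
import re
import tempfile

# Strings /proc/cpuinfo should contain for each architecture family.
# Constructed patterns; extend them for the platforms you imitate.
ARCH_HINTS = {
    "arm": re.compile(r"\b(ARM|Cortex|aarch64)", re.I),
    "mips": re.compile(r"\bMIPS", re.I),
    "x86": re.compile(r"\b(GenuineIntel|AuthenticAMD)\b"),
}


def arch_family(hardware_platform: str) -> str:
    """Map a uname -m style value (armv7l, mips, x86_64 ...) to a family key."""
    hp = hardware_platform.lower()
    if hp.startswith(("arm", "aarch64")):
        return "arm"
    if hp.startswith("mips"):
        return "mips"
    if hp in ("x86_64", "i686", "i586", "i386"):
        return "x86"
    return "unknown"


def check_honeyfs(cfg_path: str, honeyfs: str) -> list[str]:
    """Return findings; an empty list means nothing in honeyfs contradicted cowrie.cfg."""
    cfg = configparser.ConfigParser()
    cfg.read(cfg_path)
    # Assumption: these keys sit in [honeypot], as in Cowrie's etc/cowrie.cfg.dist.
    platform = cfg.get("honeypot", "hardware_platform", fallback="")
    kernel = cfg.get("honeypot", "kernel_version", fallback="")
    hostname = cfg.get("honeypot", "hostname", fallback="")

    def read(rel: str):
        path = os.path.join(honeyfs, rel)
        if not os.path.isfile(path):
            return None
        with open(path) as fh:
            return fh.read()

    findings = []
    cpuinfo = read("proc/cpuinfo")
    fam = arch_family(platform)
    if cpuinfo is None:
        findings.append("proc/cpuinfo is missing")
    elif fam in ARCH_HINTS and not ARCH_HINTS[fam].search(cpuinfo):
        findings.append(f"proc/cpuinfo does not describe a {platform} machine")

    version = read("proc/version")
    if version is None:
        findings.append("proc/version is missing")
    elif kernel and kernel not in version:
        findings.append(f"proc/version does not mention kernel_version {kernel}")

    etc_hostname = read("etc/hostname")
    if etc_hostname is None:
        findings.append("etc/hostname is missing")
    elif hostname and etc_hostname.strip() != hostname:
        findings.append(f"etc/hostname is {etc_hostname.strip()!r} but cowrie.cfg says {hostname!r}")

    meminfo = read("proc/meminfo")
    if meminfo is None or not re.search(r"^MemTotal:\s+\d+ kB", meminfo, re.M):
        findings.append("proc/meminfo is missing or has no MemTotal line")
    return findings


def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo() -> tuple[list[str], list[str]]:
    """Constructed config and honeyfs trees: a consistent ARM router and one that contradicts itself."""
    cfg = "[honeypot]\nhostname = router\nhardware_platform = armv7l\nkernel_version = 3.10.27\n"
    with tempfile.TemporaryDirectory() as tmp:
        _write(tmp, "cowrie.cfg", cfg)
        good = os.path.join(tmp, "good")
        _write(good, "etc/hostname", "router\n")
        _write(good, "proc/cpuinfo", "Processor\t: ARMv7 Processor rev 5 (v7l)\n")
        _write(good, "proc/version", "Linux version 3.10.27 (gcc version 4.8.3) #781 SMP\n")
        _write(good, "proc/meminfo", "MemTotal:         126168 kB\nMemFree:           61180 kB\n")
        bad = os.path.join(tmp, "bad")
        _write(bad, "etc/hostname", "server1\n")
        _write(bad, "proc/cpuinfo", "vendor_id\t: GenuineIntel\nmodel name\t: Intel(R) Xeon(R)\n")
        _write(bad, "proc/version", "Linux version 4.19.0-6-amd64\n")
        # proc/meminfo is deliberately absent from the bad tree
        cfg_path = os.path.join(tmp, "cowrie.cfg")
        return check_honeyfs(cfg_path, good), check_honeyfs(cfg_path, bad)
```

Run it against your real ./etc/cowrie.cfg and ./honeyfs after every edit to either; the bad tree in the demo produces four findings, one per file that disagrees with the configured uname values.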

Creating a [fake] command

Interface: wl0
SSID:
Identity:
WEP Hex KEY / WPA-PSK Passphrase:
Encryption: none
Authentication: open
EAP: none
Association Status:UNASSOCIATED
Access Point MAC Address:00:00:00:00:00:00
Signal Strength: 0%
Signal Strength: 0dBm (-100dBm Min, -40dBm Max)
Pump Channel: 0
Access Point Channel: 0

Creating simple operational commands

$ ls -al 
drwxr-xr-x 2 axelle axelle 4096 Apr 2 2020 .
drwxrwxr-x 14 axelle axelle 4096 Apr 27 2020 ..
-rwxr-xr-x 1 axelle axelle 372766 Apr 2 2020 ash
-rwxr-xr-x 1 axelle axelle 204 Mar 21 2020 board_detect
-rwxr-xr-x 1 axelle axelle 372766 Mar 21 2020 busybox
-rwxr-xr-x 1 axelle axelle 372766 Apr 2 2020 cat
-rwxr-xr-x 1 axelle axelle 372766 Apr 2 2020 chgrp
-rwxr-xr-x 1 axelle axelle 372766 Apr 2 2020 chmod
-rwxr-xr-x 1 axelle axelle 372766 Apr 2 2020 chown
-rwxr-xr-x 1 axelle axelle 372766 Apr 2 2020 cp
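The listing shows that each fake command is just a file named like the real binary. As an added example (my own code, not Cowrie's), the helper below installs one: it writes the canned text under the txtcmds directory and makes the same path exist in fs.pickle, on the assumption that Cowrie looks a command up through the virtual filesystem before reading the txtcmds file, so an entry that exists in only one of the two places will not behave as expected. The entry layout is assumed from src/cowrie/shell/fs.py; the wireless-status text is a shortened, constructed version of the one shown under "Creating a [fake] command".

```python
import os
import pickle
import tempfile
import time

# Entry layout of fs.pickle (assumption: matches Cowrie's src/cowrie/shell/fs.py).
A_NAME, A_TYPE, A_UID, A_GID, A_SIZE, A_MODE, A_CTIME, A_CONTENTS, A_TARGET, A_REALFILE = range(10)
T_LINK, T_DIR, T_FILE = 0, 1, 2


def _ensure_dir(node: list, name: str) -> list:
    """Return the child directory entry called name, creating it when absent."""
    for child in node[A_CONTENTS]:
        if child[A_NAME] == name:
            return child
    new = [name, T_DIR, 0, 0, 4096, 0o40755, int(time.time()), [], None, None]
    node[A_CONTENTS].append(new)
    return new


def install_txtcmd(txtcmds_dir: str, fs_pickle: str, cmd_path: str, output: str) -> bool:
    """Store the canned output under txtcmds and register cmd_path in fs.pickle.
    Returns True when a new fs entry was added, False when the path already existed."""
    parts = [p for p in cmd_path.split("/") if p]
    # 1. the text Cowrie prints when the command runs, e.g. txtcmds/bin/wlanstatus
    target = os.path.join(txtcmds_dir, *parts)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w") as fh:
        fh.write(output)
    # 2. the matching node in the pickle filesystem, so `ls /bin` shows it and the
    #    command lookup can find it (assumption about Cowrie's lookup order, see above)
    with open(fs_pickle, "rb") as fh:
        tree = pickle.load(fh)
    node = tree
    for d in parts[:-1]:
        node = _ensure_dir(node, d)
    added = not any(c[A_NAME] == parts[-1] for c in node[A_CONTENTS])
    if added:
        node[A_CONTENTS].append([parts[-1], T_FILE, 0, 0, len(output.encode()),
                                 0o100755, int(time.time()), [], None, None])
    with open(fs_pickle, "wb") as fh:
        pickle.dump(tree, fh)
    return added


def demo() -> dict:
    """Constructed empty fs.pickle plus a txtcmds directory, then one fake command installed twice."""
    canned = "Interface: wl0\nSSID:\nAssociation Status:UNASSOCIATED\nSignal Strength: 0%\n"
    root = ["/", T_DIR, 0, 0, 4096, 0o40755, int(time.time()), [], None, None]
    with tempfile.TemporaryDirectory() as tmp:
        fs_pickle = os.path.join(tmp, "fs.pickle")
        with open(fs_pickle, "wb") as fh:
            pickle.dump(root, fh)
        txtcmds = os.path.join(tmp, "txtcmds")
        first = install_txtcmd(txtcmds, fs_pickle, "/bin/wlanstatus", canned)
        second = install_txtcmd(txtcmds, fs_pickle, "/bin/wlanstatus", canned)
        with open(os.path.join(txtcmds, "bin", "wlanstatus")) as fh:
            stored = fh.read()
        with open(fs_pickle, "rb") as fh:
            tree = pickle.load(fh)
    bin_dir = next(c for c in tree[A_CONTENTS] if c[A_NAME] == "bin")
    entry = next(c for c in bin_dir[A_CONTENTS] if c[A_NAME] == "wlanstatus")
    return {
        "first": first,
        "second": second,
        "stored_matches": stored == canned,
        "size": entry[A_SIZE],
        "canned_len": len(canned),
        "type": entry[A_TYPE],
        "bin_entries": len(bin_dir[A_CONTENTS]),
    }
```

The size written into the fs entry is the length of the canned text, so a visitor who compares `ls -l /bin/wlanstatus` with the command's output sees numbers that agree; pick a realistic size yourself if the command is meant to look like a compiled binary.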

Listing processes

4000> ps
PID TTY TIME COMMAND
7807 pts/0 0:00 -bash
7809 pts/0 0:00 ps
4000> ps aex
PID TTY STAT TIME COMMAND
1 ? Ss 0.48 /lib/systemd/systemd --system --deserialize 20
2 ? S< 0.0 [kthreadd]
...
{
"COMMAND": "/usr/bin/mds --daemon",
"CPU": 0.0,
"MEM": 0.0,
"PID": 28002,
"RSS": 0,
"START": "Apr6",
"STAT": "Ss",
"TIME": 0.0,
"TTY": "?",
"USER": "mds",
"VSZ": 0
}
4000> ps aex
PID TTY STAT TIME COMMAND
1 ? Ss 0.48 /lib/systemd/systemd --system --deserialize 20
[..]
28002 ? Ss 0.0 /usr/bin/mds --daemon
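The JSON object above is one process entry. As an added example (my own code, not Cowrie's ps implementation), the helpers below add such an entry to a cmdoutput.json-style document and render the `ps aex` columns from it, so you can see which fields end up where. They assume the layout Cowrie's ps reads (a list under command, then ps, in share/cowrie/cmdoutput.json) and the key names shown above; the seed entries are constructed from the transcript.

```python
import json
import os
import tempfile

# Assumption: Cowrie's ps command reads share/cowrie/cmdoutput.json and lists the
# objects found under "command" -> "ps". The two seed entries are constructed.
SEED = {"command": {"ps": [
    {"USER": "root", "PID": 1, "CPU": 0.0, "MEM": 0.0, "VSZ": 0, "RSS": 0, "TTY": "?",
     "STAT": "Ss", "START": "Apr6", "TIME": 0.48,
     "COMMAND": "/lib/systemd/systemd --system --deserialize 20"},
    {"USER": "root", "PID": 2, "CPU": 0.0, "MEM": 0.0, "VSZ": 0, "RSS": 0, "TTY": "?",
     "STAT": "S<", "START": "Apr6", "TIME": 0.0, "COMMAND": "[kthreadd]"},
]}}


def load(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


def save(doc: dict, path: str) -> None:
    with open(path, "w") as fh:
        json.dump(doc, fh, indent=2)


def add_process(doc: dict, user: str, pid: int, command: str,
                tty: str = "?", stat: str = "Ss", start: str = "Apr6") -> dict:
    """Append one entry with the field names Cowrie expects. A duplicate PID is refused:
    two lines sharing a PID is exactly the kind of slip that gives a honeypot away."""
    if any(p["PID"] == pid for p in doc["command"]["ps"]):
        raise ValueError(f"PID {pid} is already listed")
    doc["command"]["ps"].append({
        "USER": user, "PID": pid, "CPU": 0.0, "MEM": 0.0, "VSZ": 0, "RSS": 0,
        "TTY": tty, "STAT": stat, "START": start, "TIME": 0.0, "COMMAND": command,
    })
    return doc


def render_ps_aex(doc: dict) -> list[str]:
    """Columns as in the 'ps aex' transcript above: PID TTY STAT TIME COMMAND, by PID."""
    lines = ["PID TTY STAT TIME COMMAND"]
    for p in sorted(doc["command"]["ps"], key=lambda p: p["PID"]):
        lines.append(f"{p['PID']} {p['TTY']} {p['STAT']} {p['TIME']} {p['COMMAND']}")
    return lines


def demo() -> dict:
    """Write the seed file, add the mds daemon from the post, reload from disk and render."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cmdoutput.json")
        save(SEED, path)
        doc = load(path)
        add_process(doc, "mds", 28002, "/usr/bin/mds --daemon")
        try:
            add_process(doc, "mds", 28002, "/usr/bin/mds --daemon")
            duplicate_rejected = False
        except ValueError:
            duplicate_rejected = True
        save(doc, path)
        lines = render_ps_aex(load(path))
    return {"lines": lines, "duplicate_rejected": duplicate_rejected}


if __name__ == "__main__":
    print("\n".join(demo()["lines"]))
```

Keep the USER, START and TTY values plausible for the platform you imitate (a systemd PID 1 on an embedded BusyBox router is another easy tell), and add the daemons a real device of that kind would run.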

Login

  1. UserDB. The honeypot has a list of valid credentials (./etc/userdb.txt). The attacker is granted access if s/he uses one of those. The list is a little more complicated than plain user/password pairs: you can specify wildcards, for example, or deny particular words.
  2. AuthRandom. Attackers are granted access after a random number of logins (see ./src/cowrie/core/auth.py).
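A worked example of the UserDB rules, added here as my own code (Cowrie's real matcher lives in src/cowrie/core/auth.py and is the reference; treat the rule semantics below as my reading of it): each line is user:uid:password, `*` matches anything, a leading `!` denies, `/re/` (optionally `/re/i`) is a regular expression, and the first matching line decides. The sample userdb is constructed in the shape of the example file Cowrie ships.

```python
import re

# Constructed userdb.txt in the shape of Cowrie's shipped example: deny a few
# specific root passwords (and anything containing "honeypot"), accept the rest.
SAMPLE_USERDB = """\
# user:uid:password
root:x:!root
root:x:!123456
root:x:!/honeypot/i
root:x:*
admin:x:admin
"""


def parse_userdb(text: str) -> list[tuple[str, str, bool]]:
    """Turn userdb lines into (login_rule, password_rule, allow) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        login, _uid, password = line.split(":", 2)   # the password may itself contain ':'
        allow = True
        if password.startswith("!"):
            allow, password = False, password[1:]
        rules.append((login, password, allow))
    return rules


def match_rule(rule: str, value: str) -> bool:
    """'*' matches anything, '/re/' or '/re/i' is a regex search, anything else is literal."""
    if rule == "*":
        return True
    m = re.fullmatch(r"/(.*)/(i?)", rule)
    if m:
        return re.search(m.group(1), value, re.I if m.group(2) else 0) is not None
    return rule == value


def check_login(rules: list[tuple[str, str, bool]], login: str, password: str) -> bool:
    """The first rule whose login and password both match decides; no match means deny."""
    for login_rule, password_rule, allow in rules:
        if match_rule(login_rule, login) and match_rule(password_rule, password):
            return allow
    return False


SAMPLE_RULES = parse_userdb(SAMPLE_USERDB)

if __name__ == "__main__":
    for user, pwd in [("root", "root"), ("root", "hunter2"), ("admin", "admin"), ("pi", "raspberry")]:
        print(user, pwd, "->", "allow" if check_login(SAMPLE_RULES, user, pwd) else "deny")
```

Order matters: the `!` lines must come before the `root:x:*` wildcard, otherwise the wildcard matches first and the denials never apply.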

@cryptax

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.