iT邦幫忙

2022 iThome 鐵人賽 (Ironman Challenge)

DAY 20
Security

HONEYPOT×TRICK 100%不純保證 series, post 20

Honeypot #13 Installing Cowrie by hand
The joy of the middle-aged is just this unpretentious:
reinstalling, installing, typing commands, enjoying progress bars and the clatter of the keyboard.

https://ithelp.ithome.com.tw/upload/images/20221005/20103688FdBAfzoNdL.png

The Cowrie that comes with T-Pot is so tasty, so why install it by hand at all? Counting Cowrie's origin, kippo, and the Kojoney 0.0.1 Beta that inspired kippo, the lineage goes back to around 2005; none of it is older than honeyd 0.5 from 2003, yet it is still being actively updated. Doesn't that deserve some respect?

The operating systems mentioned in the official documentation are mostly Debian 10, Ubuntu 18 and Ubuntu 20. The environment we test this time is:

  • Debian 11.5.0
  • Cowrie 2.4.0
  • Data output to mysql. If time permits, test Threat Jammer.

Installation in 7 steps

  1. Install the prerequisite packages
sudo apt-get install git python3-virtualenv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind virtualenv
  2. Create the user account cowrie. Skip every information prompt by pressing Enter, then press y at the end to create the account.
sudo adduser --disabled-password cowrie
Adding user `cowrie' ...
Adding new group `cowrie' (1001) ...
Adding new user `cowrie' (1001) with group `cowrie' ...
Creating home directory `/home/cowrie' ...
Copying files from `/etc/skel' ...
Changing the user information for cowrie
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
  3. Switch to the cowrie user just created, then clone cowrie from GitHub
sudo su - cowrie
cowrie@debian:~$ git clone http://github.com/cowrie/cowrie
Cloning into 'cowrie'...
warning: redirecting to https://github.com/cowrie/cowrie/
remote: Enumerating objects: 15911, done.
remote: Counting objects: 100% (230/230), done.
remote: Compressing objects: 100% (159/159), done.
remote: Total 15911 (delta 99), reused 185 (delta 70), pack-reused 15681
Receiving objects: 100% (15911/15911), 9.48 MiB | 15.53 MiB/s, done.
Resolving deltas: 100% (11028/11028), done.
  4. Enter the cowrie directory just cloned, confirm the path, and create the Python virtual environment
cowrie@debian:~$ cd cowrie/
cowrie@debian:~/cowrie$ pwd
/home/cowrie/cowrie
virtualenv --python=python3 cowrie-env
created virtual environment CPython3.9.2.final.0-64 in 335ms
  creator CPython3Posix(dest=/home/cowrie/cowrie/cowrie-env, clear=False, no_vcs_ignore=False, global=False)
  seeder FromAppData(download=False, pip=bundle, setuptools=bundle, wheel=bundle, via=copy, app_data_dir=/home/cowrie/.local/share/virtualenv)
    added seed packages: pip==20.3.4, pkg_resources==0.0.0, setuptools==44.1.1, wheel==0.34.2
  activators BashActivator,CShellActivator,FishActivator,PowerShellActivator,PythonActivator,XonshActivator
source cowrie-env/bin/activate
(cowrie-env) cowrie@debian:~/cowrie$ pip install --upgrade pip
Requirement already satisfied: pip in ./cowrie-env/lib/python3.9/site-packages (20.3.4)
Collecting pip
  Downloading pip-22.2.2-py3-none-any.whl (2.0 MB)
     |████████████████████████████████| 2.0 MB 366 kB/s
Installing collected packages: pip
  Attempting uninstall: pip
    Found existing installation: pip 20.3.4
    Uninstalling pip-20.3.4:
      Successfully uninstalled pip-20.3.4
Successfully installed pip-22.2.2
(cowrie-env) cowrie@debian:~/cowrie$ pip install --upgrade -r requirements.txt
Collecting appdirs==1.4.4
  Downloading appdirs-1.4.4-py2.py3-none-any.whl (9.6 kB)
Collecting attrs==22.1.0
  Downloading attrs-22.1.0-py2.py3-none-any.whl (58 kB)
.
.
.
Requirement already satisfied: setuptools in ./cowrie-env/lib/python3.9/site-packages (from zope.interface>=4.4.2->twisted==22.4.0->-r requirements.txt (line 14)) (44.1.1)
Building wheels for collected packages: tftpy
  Building wheel for tftpy (setup.py) ... done
  Created wheel for tftpy: filename=tftpy-0.8.2-py3-none-any.whl size=29499 sha256=eaa7eb1423c4076e9a5ace57819e4ff051a1d8eb86bc341a5b5c9b9eb21b9756
  Stored in directory: /home/cowrie/.cache/pip/wheels/d2/6f/14/6b5aac54a1559d0a5139d259add06fe0803118ab9fce22a18e
Successfully built tftpy
Installing collected packages: pyasn1, incremental, constantly, appdirs, zope.interface, urllib3, typing-extensions, tftpy, six, pyparsing, pycparser, pyasn1_modules, idna, configparser, charset-normalizer, certifi, bcrypt, attrs, requests, python-dateutil, packaging, hyperlink, cffi, Automat, twisted, cryptography, service_identity, pyopenssl, treq
Successfully installed Automat-20.2.0 appdirs-1.4.4 attrs-22.1.0 bcrypt-4.0.0 certifi-2022.9.24 cffi-1.15.1 charset-normalizer-2.1.1 configparser-5.3.0 constantly-15.1.0 cryptography-37.0.4 hyperlink-21.0.0 idna-3.4 incremental-21.3.0 packaging-21.3 pyasn1-0.4.8 pyasn1_modules-0.2.8 pycparser-2.21 pyopenssl-22.0.0 pyparsing-3.0.9 python-dateutil-2.8.2 requests-2.28.1 service_identity-21.1.0 six-1.16.0 tftpy-0.8.2 treq-22.2.0 twisted-22.4.0 typing-extensions-4.3.0 urllib3-1.26.12 zope.interface-5.4.0
  5. Edit cowrie's configuration so that it also serves telnet.

Here we add a new configuration file instead of touching cowrie.cfg.dist, the configuration file that is read by default.

nano etc/cowrie.cfg

Add the following:

[telnet]
enabled = true
  6. Start Cowrie
bin/cowrie start

Join the Cowrie community at: https://www.cowrie.org/slack/

Using activated Python virtual environment "/home/cowrie/cowrie/cowrie-env"
Starting cowrie: [twistd  --umask=0022 --pidfile=var/run/cowrie.pid --logger cowrie.python.logfile.logger cowrie ]...
/home/cowrie/cowrie/cowrie-env/lib/python3.9/site-packages/twisted/conch/ssh/transport.py:97: CryptographyDeprecationWarning: Blowfish has been deprecated
  b"blowfish-cbc": (algorithms.Blowfish, 16, modes.CBC),
/home/cowrie/cowrie/cowrie-env/lib/python3.9/site-packages/twisted/conch/ssh/transport.py:101: CryptographyDeprecationWarning: CAST5 has been deprecated
  b"cast128-cbc": (algorithms.CAST5, 16, modes.CBC),
/home/cowrie/cowrie/cowrie-env/lib/python3.9/site-packages/twisted/conch/ssh/transport.py:106: CryptographyDeprecationWarning: Blowfish has been deprecated
  b"blowfish-ctr": (algorithms.Blowfish, 16, modes.CTR),
/home/cowrie/cowrie/cowrie-env/lib/python3.9/site-packages/twisted/conch/ssh/transport.py:107: CryptographyDeprecationWarning: CAST5 has been deprecated
  b"cast128-ctr": (algorithms.CAST5, 16, modes.CTR),
  7. (Optional) Set the ports to listen on. Cowrie listens on port 2222 for SSH and port 2223 for Telnet, so here connections to ports 22 and 23 are redirected to 2222 and 2223.

A practical example: for security we move the real SSH port to 40022, so in theory legitimate connections only arrive on 40022, and anything arriving on port 22 can be treated as a suspicious attacker.

exit
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
sudo iptables -t nat -A PREROUTING -p tcp --dport 23 -j REDIRECT --to-port 2223

The exit above leaves the cowrie user that ran the previous commands, so that the sudo commands run correctly.
Also note that these iptables rules are lost after a reboot!

Testing

After connecting to this machine over ssh on port 22 from another host, the connection shows up on the cowrie host:

tail /home/cowrie/cowrie/var/log/cowrie/cowrie.json
{"eventid":"cowrie.login.failed","username":"test","password":"4321","message":"login attempt [test/4321] failed"

Remember to move the real SSH service to another port such as 40022 first. Otherwise nobody can log in on the current default port 22, even with a correct account, because it has already been redirected to port 2222 and handed to Cowrie to monitor.
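A single tail line does not tell you much; to see who is knocking on the honeypot, here is an added Python example (not from the original post or the Cowrie project) that aggregates a stream of cowrie.json events per source IP. The log lines are constructed, and the src_ip, session, protocol and timestamp fields are assumed from Cowrie's usual JSON output rather than shown in the post.

```python
import json
from collections import defaultdict

# Constructed sample in Cowrie's JSON log format (not output from the original
# post). src_ip, session, protocol and timestamp are fields Cowrie writes for
# these events; the post's own tail only shows eventid/username/password/message.
# The last line imitates a line cut off by tail and must not crash the parser.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_port":51522,"dst_port":2222,"session":"a1b2c3d4e5f6","protocol":"ssh","timestamp":"2022-10-05T08:00:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"test","password":"4321","src_ip":"203.0.113.7","session":"a1b2c3d4e5f6","message":"login attempt [test/4321] failed","timestamp":"2022-10-05T08:00:01.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.7","session":"a1b2c3d4e5f6","message":"login attempt [root/123456] failed","timestamp":"2022-10-05T08:00:02.000000Z"}
{"eventid":"cowrie.login.success","username":"root","password":"root","src_ip":"203.0.113.7","session":"a1b2c3d4e5f6","message":"login attempt [root/root] succeeded","timestamp":"2022-10-05T08:00:03.000000Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"203.0.113.7","session":"a1b2c3d4e5f6","timestamp":"2022-10-05T08:00:04.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.9","src_port":40001,"dst_port":2223,"session":"0f0e0d0c0b0a","protocol":"telnet","timestamp":"2022-10-05T08:01:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"198.51.100.9","session":"0f0e0d0c0b0a","message":"login attempt [admin/admin] failed","timestamp":"2022-10-05T08:01:01.000000Z"}
{"eventid":"cowrie.login.failed","username":"guest","password":"guest","src_ip":"198.51.100.9","session":"0f0e0d0c0b0a","message":"login attempt [guest/guest] failed"
"""


def summarize(lines):
    """Per-source-IP view of a cowrie.json stream: protocols seen, failed and
    successful logins, credentials tried, and commands typed after login."""
    stats = defaultdict(lambda: {"protocols": set(), "failed": 0, "success": 0,
                                 "creds": [], "commands": []})
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # blank or truncated line: skip it rather than abort
        ip = ev.get("src_ip")
        if ip is None:
            continue
        s, eid = stats[ip], ev.get("eventid")
        if eid == "cowrie.session.connect":
            s["protocols"].add(ev.get("protocol", "?"))
        elif eid in ("cowrie.login.failed", "cowrie.login.success"):
            s["failed" if eid.endswith("failed") else "success"] += 1
            s["creds"].append((ev.get("username"), ev.get("password")))
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
    return dict(stats)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:15} {sorted(s['protocols'])} failed={s['failed']} "
              f"success={s['success']} commands={s['commands']}")
```

To run it against the real log, pass `open("/home/cowrie/cowrie/var/log/cowrie/cowrie.json")` to summarize() instead of the sample lines.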

Additional notes

Restart cowrie

/home/cowrie/cowrie/bin/cowrie restart

Stop cowrie

/home/cowrie/cowrie/bin/cowrie stop

Log locations

/home/cowrie/cowrie/var/log/cowrie/cowrie.json
/home/cowrie/cowrie/var/log/cowrie/cowrie.log

Configuring the accounts and passwords accepted by Cowrie's fake SSH and telnet

/home/cowrie/cowrie/etc/userdb.example

References

Cowrie official documentation
SSH honeypot cowrie in practice (SSH蜜罐cowrie实战)
Cowrie honeypot deployment (COWRIE蜜罐部署)
