HonSSH - A High Interaction Honeypot Solution


HonSSH is a high interaction Honeypot solution that is inspired and partly based on Kippo.

It will sit between an attacker and a honeypot, creating two separate SSH connections between them.

Features:

  • A text based summary of an attackers session is captured in a text file.
  • Advanced networking feature to spoof attackers IP addresses between HonSSH and the honeypot.
  • All interaction is captured into a TTY log (thanks to Kippo) that can be replayed using the playlog utility included from Kippo.
  • Application hooks to integrate your own output scripts.
  • Can use docker to spin up new honeypots and reuse them on ip basis.
  • Captures all connection attempts to a text file, database or email alerts.
  • Downloads a copy of all files transferred through wget or scp.
  • Saves all modifications made to the docker container by using filesystem watcher.
  • Sessions can be viewed or hijacked in real time (again thanks to Kippo) using the management telnet interface.
  • When an attacker sends a password guess, HonSSH can automatically replace their attempt with the correct password (spoof_login option). This allows them to login with any password but confuses them when they try to sudo with the same password.

How It Works

When HonSSH is first run, it will begin a connection to the honeypot, acquire the SSH server version of the honeypot, store it and then disconnect.

When an attacker connects to HonSSH, HonSSH will set up an SSH connection with the attacker, and a separate connection with the honeypot. Any data transferred after the key exchange is passed from the attacker to the honeypot and vice versa. 

It is intended that the machine hosting HonSSH also provides NAT translation and firewall blocking.

This will not work if private keys are used - it is recommended to disable Public Key Authentication on the honeypot SSH server. 

It is suggested that the HonSSH use the same encryption keys as the honeypot to fool the attacker further.


SETUP AND CONFIGURATION

Setup using single static machine:

Requirements:

  • An Operating System (currently only tested on Ubuntu, Debian, and OpenBSD) 
  • Python 
  • Twisted (python-twisted)

Running

Edit honssh.cfg to your liking and start by running:
./honsshctrl.sh START
honsshctrl.sh is a shell script that runs HonSSH in the background using twistd. Use 'honsshctrl.sh HELP' for more options.

You can also run it manually with more configuration options. For example, to run in the foreground use:
twistd -y honssh.tac -p honssh.pid -n

Setup using Docker:

Requirements:

  • An Operating System (currently only tested on Ubuntu, Debian and OpenBSD)
  • Python 2.7
  • Twisted (python-twisted)
  • Cryptography (python-cryptography)
  • Docker
  • Docker python (docker-py)
  • GeoIP python (python-geoip)
  • service_identity python

Running

  1. Edit honssh.cfg to your liking
  2. Disable HONEYPOT STATIC: enabled = false
  3. Enable HONEYPOT DOCKER: enabled = true
  4. Enable both pre-auth and post-auth
  5. Set image = to a Docker image that has sshd installed and running like rastasheep/ubuntu-sshd:14.04 (Don't forget to pull the image using docker pull <image>) Tips: If you are using the example docker image, don't forget to change launch_cmd to another command because sshd is already running inside the container.
  6. Set honey_port to the port that the Openssh of the docker image is listening to.
  7. Start honssh using:
./honsshctrl.sh START
You can also run it manually with more configuration options. For example, to run in the foreground use:
twistd -y honssh.tac -p honssh.pid -n

Troubleshooting

  • Error: TypeError: generate_private_key() got an unexpected keyword argument 'backed'
Twisted developers made a typo from the 16.0.0 version, you have to replace the word backed to backend at the line 121 of the file /usr/local/lib/python2.7/dist-packages/twisted/conch/scripts/ckeygen.py.

  • Error : No module named honssh after installed the requirements using pip
Try adding the PYTHONPATH to the Linux vars:
export PYTHONPATH="$PYTHONPATH:/folder/to/honssh"

  • The connection hangs and reply with no output
1. Copy the SSH banner using telnet (example: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3):
telnet 127.0.0.1 22
exit
2.  Put it into the config file honssh.cfg at the var ssh_banner =.

  • Error: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Upgrade the requirements using pip:
pip install twisted cryptography --upgrade


ADVANCED NETWORKING

Without Advanced Networking:

Without HonSSH advanced networking functionality enabled the following scenario happens. When an attacker connects from the internet, HonSSH creates another SSH tunnel between the client_addr and the honey_addr.
  1. honey_addr - e.g. 192.168.1.10
  2. client_addr - e.g. 192.168.1.1
                          2)       1)
                            \        \
 /----------\       |--------|       |----------|
 | Internet |-------| HonSSH |-------| HoneyPot |
 \----------/       |--------|       |----------|`
In the example above, the honeypot will always see connections coming from 192.168.1.1 and not the attacker's IP address. This helps give away HonSSH as a honeypot system and is not desired.

With Advanced Networking Enabled:

HonSSH's Advanced Networking allows HonSSH to create fake IP addresses on the HonSSH box (using ip link and ip addr commands) and do NAT (using iptables) to make it look like all packets are coming from the attacker. Thus, this functionality requires privileges to run those commands or to be ran as root.

If HonSSH does not have permission to run any of these commands, it will fall back to using the honey_addr rather than the Advanced Networking functionality.

Walkthrough:
  1. honey_addr - e.g. 192.168.1.10
  2. client_addr - e.g. 192.168.1.1
  3. attacker - e.g. 1.1.1.1
              3)                                  2)       1)
                 \                                   \        \
      |----------|       /----------\       |--------|       |----------|
      | Attacker |-------| Internet |-------| HonSSH |-------| HoneyPot |
      |----------|       \----------/       |--------|       |----------|
When an attacker connects from 1.1.1.1, HonSSH starts by creating a dummy interface called 'honssh'.
ip link add name honssh type dummy
ip link set honssh up

After creating the interface it assigns it a semi-random IP address. HonSSH will bind to this address to create the tunnel between HonSSH and the honey pot.
ip addr add 2.2.2.2/32 dev honssh

Now HonSSH has bound to a semi-random Fake IP address, we need to use some iptables NAT rules to translate between the attacker's IP address and our fake address.

All packets will now appear as if they are coming from the attacker.

When the attacker disconnects, HonSSH will check that they have no other sessions open. If they have no other sessions, HonSSH will remove the Fake IP address and iptables rules.

If there are no other sessions running, HonSSH will also remove the honssh interface.

PASSWORD SPOOFING

As HonSSH is sat between the attacker and the honeypot, HonSSH has the ability to modify SSH packets in transit.

The idea behind password spoofing is to change the wrong password that an attacker gave, into the correct password and allow them to log in.

Password spoofing in HonSSH can now support multiple users and two different password mechanisms - fixed and random.
  • Fixed - you supply a list of passwords that you wish to be allowed.
  • Random - you supply a percentage value and HonSSH will randomly allow certain passwords though.

Configuration

To enable password spoofing:
  1. In honssh.cfg find the section called PASSWORD SPOOFING and set enabled to true
  2. Make sure users_conf is pointing to your users.cfg file
A user can be defined in users.cfg by creating a section with the username:
[root]
Each section must contain the actual password for the account:
[root]
real_password = toor
To provide a list of fake passwords that you wish to spoof:
[root]
real_password = toor
fake_passwords = fakePass1, fakePass2, fakePass3
This will allow anyone to log in as root using the passwords fakePass1, fakePass2 and fakePass3.

Or to have the attackers log in with a random chance use:
[root]
real_password = toor
random_chance = 25
This will allow anyone to log in as root using any password 25% of the time.

When someone logs in using a spoof password, the details are stored in logs/spoof.log by default. If someone else comes along and logs in with that same password we can correlate this IP address with previous IP addresses that have used that password. HonSSH logs this as a potential link between IP addresses in the text logs.



No comments

Powered by Blogger.