7MS #574: Annoying Attackers with ADHD
SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!
Hey friends! Today we're looking at ADHD - Active Defense Harbinger Distribution - a cool VM full of tools designed to annoy/attribute/attack pesky attackers! ADHD gets you up and running with these tools quickly, but the distro hasn't been updated in a while, so I switched to a vanilla Kali system and set up a cowrie SSH honeypot as follows:
Install prerequisites:
sudo apt-get install git python3-virtualenv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind virtualenv
Configure cowrie user
sudo adduser --disabled-password cowrie
sudo su - cowrie
git clone https://github.com/cowrie/cowrie.git ~/cowrie
Install cowrie dependencies (as a sudo user)
cd /home/cowrie/cowrie
pip3 install -r requirements.txt
Set up Python venv (as cowrie user)
virtualenv cowrie-env
source cowrie-env/bin/activate
cd etc
cp cowrie.cfg.dist cowrie.cfg
Edit cowrie.cfg (as cowrie user)
I recommend editing the hostname value, and setting the enabled value in the [telnet] section to true.
Set up firewall rules to forward 22 and 23 to honeypot ports (as sudo user)
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
sudo iptables -t nat -A PREROUTING -p tcp --dport 23 -j REDIRECT --to-port 2223
Run cowrie (as cowrie user)
bin/cowrie start
# Add files to file system
bin/fsctl share/cowrie/fs.pickle
fs.pickle:/$ touch /home/phil/myfile 1024
fs.pickle:/$ chown 1000 /home/phil/myfile
Edit cowrie /etc/passwd (as cowrie user)
nano honeyfs/etc/passwd
Edit the phil user to be joe or whoever
Then rename the home directory inside fsctl, exit fsctl, and restart cowrie:
bin/fsctl share/cowrie/fs.pickle
fs.pickle:/$ mv /home/phil /home/joe
bin/cowrie restart
Customize login banner or motd (as cowrie user)
nano honeyfs/etc/issue
nano honeyfs/etc/motd
Create user database of valid logins and passwords (as cowrie user)
cd ~/cowrie/etc
cp userdb.example userdb.txt
nano userdb.txt
Watch the logs fly!
tail -f ~/cowrie/var/log/cowrie/cowrie.log
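cowrie.log is the human-readable log; cowrie can also write one JSON record per event to var/log/cowrie/cowrie.json (the [output_jsonlog] section of cowrie.cfg). As an added example that is not from the show or from the cowrie project, here is a small Python script that tallies that JSON log: failed and successful logins per source IP, the credentials tried, and the commands each session ran, flagging any session that touched the planted /home/joe/myfile. The log lines below are constructed samples, not real captures.

```python
import json
from collections import Counter

# Constructed sample records in cowrie's JSON log format (not captured data).
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.5","session":"a1","timestamp":"2021-01-01T10:00:01Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","src_ip":"203.0.113.5","session":"a1","timestamp":"2021-01-01T10:00:02Z"}
{"eventid":"cowrie.login.success","username":"joe","password":"password","src_ip":"198.51.100.7","session":"b2","timestamp":"2021-01-01T10:05:00Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"198.51.100.7","session":"b2","timestamp":"2021-01-01T10:05:03Z"}
{"eventid":"cowrie.command.input","input":"cat /home/joe/myfile","src_ip":"198.51.100.7","session":"b2","timestamp":"2021-01-01T10:05:10Z"}
not json at all
"""

def summarize(lines):
    """Tally login outcomes per source, credentials tried, and commands per session."""
    stats = {"failed": Counter(), "success": Counter(), "creds": Counter(),
             "commands": {}, "bad_lines": 0}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            stats["bad_lines"] += 1  # log rotation or truncation can leave junk lines
            continue
        eid = ev.get("eventid", "")
        if eid == "cowrie.login.failed":
            stats["failed"][ev["src_ip"]] += 1
            stats["creds"][(ev["username"], ev["password"])] += 1
        elif eid == "cowrie.login.success":
            stats["success"][ev["src_ip"]] += 1
            stats["creds"][(ev["username"], ev["password"])] += 1
        elif eid == "cowrie.command.input":
            stats["commands"].setdefault(ev["session"], []).append(ev["input"])
    return stats

def honeyfile_touched(stats, path="/home/joe/myfile"):
    """Sessions whose commands reference the planted file: a high-signal alert."""
    return sorted(s for s, cmds in stats["commands"].items()
                  if any(path in c for c in cmds))

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("failed logins by source:", dict(s["failed"]))
    print("successful logins by source:", dict(s["success"]))
    print("top credentials:", s["creds"].most_common(3))
    print("sessions touching the honeyfile:", honeyfile_touched(s))
```

To run it against a live honeypot, replace SAMPLE_LOG.splitlines() with the lines of ~/cowrie/var/log/cowrie/cowrie.json.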