7MS #574: Annoying Attackers with ADHD

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

Hey friends! Today we're looking at ADHD - Active Defense Harbinger Distribution - a cool VM full of tools designed to annoy/attribute/attack pesky attackers! ADHD gets you up and running with these tools quickly, but the distro hasn't been updated in a while, so I switched to a vanilla Kali system and set up a cowrie SSH honeypot as follows:

Install prerequisites:

sudo apt-get install git python3-virtualenv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind virtualenv

Configure cowrie user

sudo adduser --disabled-password cowrie
sudo su - cowrie
git clone https://github.com/cowrie/cowrie.git ~/cowrie

Install cowrie dependencies (as a sudo user)

cd /home/cowrie/cowrie
pip3 install -r requirements.txt

Set up the Python venv (as cowrie user)

virtualenv cowrie-env
source cowrie-env/bin/activate
cd etc
cp cowrie.cfg.dist cowrie.cfg

Edit cowrie.cfg (as cowrie user)

I recommend editing the hostname value, and setting enabled = true in the [telnet] section so the Telnet honeypot listens as well.

Set up firewall rules to forward 22 and 23 to the honeypot ports (as sudo user)

sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

sudo iptables -t nat -A PREROUTING -p tcp --dport 23 -j REDIRECT --to-port 2223

Run cowrie (as cowrie user)

cd ~/cowrie
bin/cowrie start

# Add files to the honeypot's fake filesystem (commands after the prompt run inside fsctl)
bin/fsctl share/cowrie/fs.pickle
fs.pickle:/$ touch /home/phil/myfile 1024
fs.pickle:/$ chown 1000 /home/phil/myfile

Edit cowrie /etc/passwd (as cowrie user)

nano honeyfs/etc/passwd

Edit the phil user to be joe or whoever

Then rename the home directory in the fake filesystem to match (inside fsctl):

bin/fsctl share/cowrie/fs.pickle
fs.pickle:/$ mv /home/phil /home/joe

Leave fsctl and restart cowrie so the change takes effect:

bin/cowrie restart

Customize login banner or motd (as cowrie user)

nano honeyfs/etc/issue
nano honeyfs/etc/motd

Create user database of valid logins and passwords (as cowrie user)

cd ~/cowrie/etc
cp userdb.example userdb.txt
nano userdb.txt
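As an added example (not from the show notes or from cowrie's own code), here is a small checker that loads a userdb.txt and tells you which logins the honeypot would accept, written from my reading of the rules in cowrie's userdb.example: one user:uid:password line per rule, * matches anything, a leading ! on the password rejects that combination, /.../ is a regex, and the first rule matching both fields wins. The sample userdb in the block is constructed for the demo; check the semantics against the userdb.example shipped with your cowrie version.

```python
# Added example, not from the show notes or cowrie itself: a checker for the
# userdb.txt rules, written from my reading of cowrie's userdb.example.
import re

def _re_or_str(field: str):
    """'/.../' becomes a compiled regex; anything else is a literal string."""
    if len(field) > 1 and field[0] == field[-1] == "/":
        return re.compile(field[1:-1])
    return field

def _matches(rule, value: str) -> bool:
    """Literal '*' matches anything; regex rules use search()."""
    if isinstance(rule, str):
        return rule in ("*", value)
    return rule.search(value) is not None

def load_userdb(text: str) -> list:
    """Parse user:uid:password lines into ordered (user, password, allow) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _uid, password = line.split(":", 2)  # uid column is ignored
        allow = not password.startswith("!")       # leading '!' = reject
        if not allow:
            password = password[1:]
        rules.append((_re_or_str(user), _re_or_str(password), allow))
    return rules

def check_login(rules: list, user: str, password: str) -> bool:
    """First rule matching both fields decides; no matching rule means deny."""
    for rule_user, rule_pass, allow in rules:
        if _matches(rule_user, user) and _matches(rule_pass, password):
            return allow
    return False

# Constructed sample userdb (not the shipped userdb.example): reject the most
# sprayed root passwords first, then fall through to the wildcard.
SAMPLE_USERDB = """
root:x:!root
root:x:!123456
root:x:!/^(password|admin)\\d*$/
root:x:*
joe:x:hunter2
"""
RULES = load_userdb(SAMPLE_USERDB)
```

Point load_userdb at the contents of ~/cowrie/etc/userdb.txt to dry-run your own rules; rule order matters, so put the ! rejections above the * wildcard.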

Watch the logs fly!

tail -f ~/cowrie/var/log/cowrie/cowrie.log