Honeypots

Overview

A honeypot is a network-attached system set up as a decoy to lure cyber attackers and detect, deflect, and study hacking attempts to gain unauthorized access to information systems. The function of a honeypot is to represent itself on the internet as a potential target for attackers, usually, a server or other high-value asset, and then gather information and notify defenders of any attempts to access the honeypot by unauthorized users.

The honeypot mimics a real computer system, with applications and data, fooling cybercriminals into thinking that it is a legitimate target. For example, it can look like a company's customer billing system, which is a frequent target for attack by criminals who want to find credit card numbers. Once the hackers are in, they can be tracked, and their behavior assessed for clues on how to make the real network more secure.

Honeypots attract attackers by building in deliberate security vulnerabilities. For instance, a honeypot may have ports that respond to a port scan or weak passwords. Ports are left open to entice attackers into the honeypot environment, rather than the more secure live network.

A honeypot isn't set up to address a specific problem, like a firewall or anti-virus. Instead, it's an information tool that can help you understand existing threats to your business and spot the emergence of new threats. With the intelligence obtained from a honeypot, security efforts can be prioritized and focused.

Accedian provides a honeypot solution that can run inside your network, track the attacker’s activity, and display these attacks in the form of alerts on the Interceptor UI.

Running Honeypot Instances

First, you need a roadrunner. Roadrunner is a communication module between agents such as honeypots and the Skylight platform. Create the roadrunner connector config from UI, download, and start the roadrunner.

Reference (https://docs.accedian.io/docs/analytics-setting-up-roadrunner)

To create a roadrunner configuration:

1. Login to the UI.
2. Navigate to Session ► Connectors
3. Create the roadrunner configuration, as shown below.

4. Once the configuration is created, download it as shown below.

5. Once the config is downloaded, un-tar the solution.
   The following files should be displayed:

6. Open the run.sh
   Make sure that below line has only ${CURRENT_DIR} in use.

Example:

docker run -d -v "${CURRENT_DIR}/":"/tmp/config":z -v "${CURRENT_DIR}":"/tmp/files":z -v "${CURRENT_DIR} 

7. Run the following run.sh shell script:

bash [run.sh](http://run.sh) 

Roadrunner container will start running as shown below.

Now it is time to start the honeypot itself. The honeypot is available as a docker image.

Different types of honeypot can be run by the automated script honeytrap_run.sh. The script honeytrap_run.sh registers the honeypot agent and retrieves the authentication secret from sensor agent orchestrate.

Once the secret is retrieved, it will start the stipulated Honeypot type as a docker container.

The command below shows the input parameters for the script:

honeytrap_run.sh <TENANT> <ADMIN_USER> <ADMIN_PASSWORD> <AGENT_ID> <AGENT_DATA_BROKER> <AGENT_DATA_BROKER_PORT> <AGENT_FLAVOUR> <HONEYTRAP_VERSION>

• < TENANT> - URL of the tenant

• <ADMIN_USER> - Admin username (It can be default deployment admin - admin@datahub.com or any other user with admin access)

• <ADMIN_PASSWORD> - Admin password

• <AGENT_ID> - UUID of the format 4a0e1250-d6e0-44e9-acb9-5a93172a24fb. You can generate one from https://www.uuidtools.com/v4 and use it. This ID should be unique for every honeypot agent for a particular tenant.

• <AGENT_DATA_BROKER> - IP of the system where roadrunner is running. If it is running on the same system where honeypot needs to run, keep it “rr”.

• <AGENT_DATA_BROKER_PORT> - 55888

• <AGENT_FLAVOUR> - Type of the honeypot you would like to run. For example ssh, ftp, or ldap.

• <HONEYTRAP_VERSION> - optional field. If not provided, the latest image of honeytrap is pulled.

bash honeytrap_run.sh https://darth-maul.dev.cyber.npav.accedian.net admin@datahub.com <password> 4a0e1250-d6e0-44e9-acb9-5a93172a24fb rr 55888 ssh

To run the Honeytrap docker container

1. Ensure that the below ports are not occupied on the machine intended to run the docker image. Otherwise, “Ports are not available” error will be displayed and the docker image will not be able to run.

2. Download the script as shown below (use run2308.sh for v.23.08, honeytrap_run.sh for the previous version):

honeytrap_run.sh

run_23_08.sh

3. Run the shell script honeytrap_run.sh with the correct parameters (as explained above).

You will now be asked if you want to set up honeypot in a multi-zone environment. If the answer is yes, it will ask for zone_id and this needs to be entered as per the requirement. If the answer is no the honeypot agent will be started.

Example Alerts Generated by an SSH honeypot and LDAP honeypot

To create alerts for different honeypots

Alerts can be generated for testing with below commands.

SSH type

ssh -p 22 root@ < IP address>

LDAP type

ldapsearch -x -b "dc=example,dc=com" -H ldap://< IP address >

FTP type

ftp < IP address >

SMB Share

As of release 23.08, interceptor has added a new flavour: SMB Share. This feature covers common use cases, such as Windows share, MacOS share, Linux share.

23.11 Features

These features were introduced in release 23.11:

Raspberry Pi Support

Honeypots now support the linux/arm64/v8 (Rasberry Pi) architecture. The process to run honeypots remains the same. The appropriate image for the host platform would be automatically downloaded by honeytrap_run.sh shell script.

Note: The roadrunner does not support Rasberry Pi , it must run on a machine that can connect to the honeypot running on the Rasberry PI.

A sample command is shown below. Note that 10.0.0.1 is the IP where the roadrunner connector is running.

bash honeytrap_run.sh https://trailfinders.dev1.cyber.npav.accedian.net admin@datahub.com <password> 0cfc306c-436c-47f5-bf32-253b6a7a7a71 10.0.0.1 55888 elasticsearch

Custom MAC Address

Honeypots can be run with a custom MAC address. The latest honeytrap_run.sh script provides an option to enter a custom MAC address (or skip by pressing Enter).

Note: Limitations when assigning a MAC address include:

• MAC Address Filtering: Some networks or security setups might have MAC address filtering in place, where only specific MAC addresses are allowed to connect to the network.
• Reserved MAC Addresses: Some MAC address ranges are reserved for specific purposes or manufacturers. Using certain MAC addresses might trigger errors in certain contexts.
• Docker or System Limitations: Certain software or virtualization platforms might have limitations on the MAC addresses that can be assigned.