Building a stealthy SSH & Web Honeypot

Supervisor(s): Fabian Franzen
Status: finished
Topic: Others
Author: Adrian Pesch
Submission: 2024-04-15
Type of Thesis: Master's thesis

Description

Honeypots are systems which are usually vulnerable on purpose in order to attract attackers and analyze their behavior. Different classes of honeypots exist: low and medium interaction honeypots emulate a system, while high interaction honeypots let the attacker control a real system.

Related work presents fingerprinting techniques that attackers can use to identify honeypots. Implementations of high interaction honeypots exist, but they have not been compared with other honeypots in real deployments. We deploy Cowrie and evaluate it against our own proposed stealthy high interaction SSH honeypot, a patched version of OpenSSH running inside a Docker container. Since the combination of Secure Shell (SSH) and web servers is common on the internet, we also evaluate the effect of the presence of an additionally proposed web honeypot with Structured Query Language (SQL) injection and Cross Site Scripting (XSS) vulnerabilities. We deploy commercial software running the latest as well as outdated, vulnerable versions and observe whether attackers exploit them. In total, 14 combinations of honeypots are deployed for four weeks under four different domains.

Because our proposed stealthy SSH honeypot is a patched OpenSSH, it behaves identically to the original software on the protocol level and cannot be distinguished that way, unlike Cowrie, which can be identified by the different set of algorithms it advertises. However, by executing commands, users can still realize that the systems might be honeypots in both cases. While Remote Code Execution (RCE) is observed against an outdated version of Confluence, attackers mostly scan our custom vulnerable web honeypots for known software instead. In one exceptional case we observe advertisements being posted via the XSS-vulnerable comment form. We observe that malicious connections are more often established using the same protocol on different servers than using different protocols on the same server. Some attackers fingerprint the SSH honeypots and only download droppers and execute code if the system appears legitimate. As a result we observe a botnet downloading and executing its cryptocurrency miners only on our proposed SSH honeypot, while a minority downloads and executes software only on Cowrie.
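The protocol-level distinguishability mentioned above comes down to the algorithm name-lists a server advertises in its SSH_MSG_KEXINIT message. The following Python is an added example, not code from the thesis, OpenSSH or Cowrie: it parses two KEXINIT payloads according to RFC 4253 and reports which name-lists differ, so a honeypot operator can check that the honeypot's advertisement matches a reference server's. The sample payloads are constructed, and the short field names are this example's own.

```python
import struct

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
KEXINIT_FIELDS = (
    "kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
)
SSH_MSG_KEXINIT = 20

def build_kexinit(lists, cookie=b"\x00" * 16):
    """Serialise {field: [name, ...]} into a KEXINIT payload (used here only to
    construct sample input; a real capture is the payload after the version exchange)."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [name, ...]}, rejecting truncation."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 1 + 16, {}  # skip the message id and the 16-byte random cookie
    for field in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list")
        lists[field] = payload[pos:pos + length].decode("ascii").split(",") if length else []
        pos += length
    return lists

def kexinit_diff(reference, candidate):
    """Name-lists in which the candidate advertises something other than the
    reference; an empty dict means this check cannot tell the two apart."""
    ref, cand = parse_kexinit(reference), parse_kexinit(candidate)
    return {f: (ref[f], cand[f]) for f in KEXINIT_FIELDS if ref[f] != cand[f]}

# Constructed sample advertisements, not captured from any real server; the
# candidate copies the reference except for its key-exchange list.
REFERENCE = build_kexinit({
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256"],
    "host_key": ["ssh-ed25519", "rsa-sha2-512"],
    "enc_c2s": ["chacha20-poly1305@openssh.com"], "enc_s2c": ["chacha20-poly1305@openssh.com"],
    "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})
CANDIDATE = build_kexinit({**parse_kexinit(REFERENCE), "kex": ["diffie-hellman-group14-sha1"]})
```

Run against real captures, the reference payload should come from an unmodified OpenSSH of the same version and configuration as the honeypot claims to be; any non-empty diff is a fingerprint an attacker could use.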

Additionally, we discovered flaws in web crawlers, search indexing or caching of Amazon, Google, Microsoft and others.