Catching Flies with Honeypots

    

By: Jason Alvarez,
Follow me on twitter @0xBanana


An exploration into running a T-Pot honeypot service for fun and intellectual profit!

A large focus in my career has been threat hunting and incident response. I’ve spent a lot of time using proprietary tools to chase bad guys and analyze TONS of log data.

Today I wanted to share with you a project that I not only think is REALLY FREAKIN COOL but also very valuable for anyone looking to learn about

  • Threat Intelligence
  • Threat hunting
  • Log analysis
  • “The global threat landscape”

It’s called T-Pot and it is a Honeypot.


I touched briefly on the topic of this tool in my previous posts in setting a digital forensics lab in the cloud, part 1, part 2, part 3 - go check them out!


What is a honeypot

A honeypot is a system or service designed to detect, deflect, or otherwise counteract attempts at unauthorized access or use of computer systems.

In other words, it’s a fake service, designed to look like a real service, to trick attackers and other bad actors looking to compromise systems. Attackers will perform scans, attempt exploits, and even upload malicious files to these honeypots in attempt to exploit them to gain access to underlying systems*.

*Hint: They’re not exploitable and the underlying system is safe.

Why would you want to use one

There are many reasons someone would want to run their own honeypot tool or infrastructure, the big one that I can see is the insight gained from attacker data. Enterprise and company networks can use this data to enrich their own threat intelligence program, or even use it to start their own. Researchers can use the data to shed light on unseen internet activity and build a database of malicious intent.

More data isn’t always better, but some data is better than no data.

What we’re using - T-pot

T-Pot is a “low-interaction” honeypot - Once it’s set up there is minimal engineering/administrative need. It works right out of the box and requires no application configuration. It is very much a set it and forget it type of appliance. As long as it has the needed internet connectivity it will collect events and store them for later analysis.

What is in the box? And how does it work?

This honeypot system provides you 19 different honeypots, 7 tools to aid in analysis, including a fully configured ELK stack with a beautiful Kibana dashboard for high level visualization and understanding.

T-pot is a container based system and relies completely on docker and the configuration files that power it. This means it’s easy to add, remove, and upgrade containers (honeypots and system tools) but also that any mistake in edits can render the entire system inoperable; so make changes with care and maybe some testing on a t-pot instance that isn’t in a production environment.

Once the system is booted and services are running there will be honeypots listening on dozens of ports, waiting for attackers to scan, connect, and action on them. The logs are collected, normalized (using logstash), and inserted into the elasticsearch database to be visualized using Kibana.

The system diagram below shows the composition of the system, network data flows as well as retention, port access and system requirements. It’s very dense but extremely informative graphic!

How do I get one

The setup on a fresh compute instance is very a straight forward two (2) part process.

Step 1 Perform installation

T-Pot is no small service, it requires some decent specs so be sure to provision the correct cloud hardware or have a dedicated machine for it.

System requirements from documentation suggest

  • 8 GB RAM
  • 128 GB SSD

I run my instance in Google Cloud Platform and use a n1-standard-2 machine with no issues, based on your system specification, your milage may vary.

Here is a small bash script that will work for that; but also please review the documentation as there are other installation methods that might work better for you!

#!/bin/bash
sudo su - 

# Install required packages
apt-get update 
apt-get install git docker-compose apt-transport-https ca-certificates curl gnupg-agent software-properties-common python3-pip -y 

# Install docker
$(curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -)
apt-key fingerprint 0EBFCD88 
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" 
apt-get update -y 
apt-get install docker-ce docker-ce-cli containerd.io -y 

# Clone the t-pot repo & install
git clone https://github.com/telekom-security/tpotce 
cd tpotce/iso/installer/
cp tpot.conf.dist tpot.conf
./install.sh --type=auto --conf=tpot.conf
reboot -n

Step 2 - Configure network access

In order to t-pot to collect the data it does, it needs an unfiltered internet connection; meaning, you do not want a firewall between it and the public internet. I set up my instances in the cloud; if you’re setting yours up at home you will need to place the machine in a DMZ or otherwise allow all port access to it from the internet.

Post installation administrative services have have been shifted to high port numbers:

  • SSH has moved from port 22 to port 64295
  • HTTPS administrative interface running on 64297

Both services are password* protected and therefore these ports can be left unfiltered, however if the option exists in your network to restrict access to specific IP addresses or ranges, I would enable this option to protect these services two from attack.

*Note: SSH users/configuration should not have changed and the web service access credentials are defined during installation in tpot.conf.

Sit back and watch the dashboard

If your installation and firewall configuration were successful all you have to do now is wait. In my experiments a fully stood up system will start seeing attacks within the first 15 minutes of it being exposed to the public internet. Once attacks start to come in your dashboard will fill out with rich detail that you can click (pivot) into for a deeper look.

After a week of scans and attacks coming my way I collected over 1 million events with over 3 million atomic indicators to dig into. These indicators can then be used to build out or augment your threat intelligence capabilities.


In this post we covered how to deploy a T-Pot honeypot and the use cases of why someone would want to use this tool on their own network.

In the next post I’ll be covering how to deploy a T-Pot using Terraform on Google Cloud Platform, don’t miss it!

Subscribe to the cloud.weekly newsletter!

I write a weekly-ish newsletter on cloud, devops, and privacy called cloud.weekly!
It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.