Brief introduction
T-Pot is a community honeypot project run by Deutsche Telekom. It is a Docker-container-based system that integrates many honeypot programs for different applications. At the time of writing, the latest release is T-Pot 17.10, released on November 7, 2017; according to the project, a new version is released every year.
Project address: https://github.com/dtag-dev-sec/tpotce
(figure: overview of the components in the latest T-Pot release)
The figure above shows part of the latest T-Pot release. T-Pot can be understood as an integration of all of these systems.
Here is a brief introduction to each component.
Elasticsearch
- Project address: https://www.elastic.co/products/elasticsearch
- Listening port: 64298 (local; also reachable through the web service on port 64297)
Elasticsearch is a very powerful full-text search engine that can query massive amounts of data quickly.
In T-Pot, the logs generated by every honeypot are imported into Elasticsearch, so it can be used to search the logs, and to query and export data under all sorts of complex conditions.
Logstash
- Project address: https://www.elastic.co/products/logstash
- Listening port: N/A
Logstash receives the logs delivered by the honeypots, filters and formats the data, and then submits it to Elasticsearch for storage and indexing.
Kibana
- Project address: https://www.elastic.co/products/kibana
- Listening port: 64296 (local; also reachable through the web service on port 64297)
Kibana is used for visual querying of the data. It supports various charts such as histograms, line charts, pie charts and sunburst charts, and can also analyze the trend of a particular honeypot log feature over time.
Head
- Project address: https://mobz.github.io/elasticsearch-head/
- Listening port: 64302 (local; also reachable through the web service on port 64297)
Head is a web front-end mainly used to interact with an Elasticsearch cluster.
Unlike Kibana, it offers little in the way of visualization, but it makes it easier to operate on the data directly, much like phpMyAdmin does for MySQL.
Conpot
- Project address: http://conpot.org/
- Listening ports: 1025, 50100
Conpot is a low-interaction industrial control system (ICS) honeypot. It has a series of common industrial control protocols built in and is easy to modify and extend. It tries to deceive the attacker for as long as possible in order to learn the attacker's ultimate goal.
Cowrie
- Project address: http://www.micheloosterhof.com/cowrie/
- Listening ports: 2222, 2223
Cowrie is a medium-interaction SSH/Telnet honeypot designed to record brute-force login attempts and the shell activity after a login.
Its main functions are:
- It provides a fake file system (resembling Debian 5.0) in which files can be added and deleted
- Some files are given fake contents so that attackers can cat them, for example /etc/passwd
- It writes session logs in a UML-compatible format that can be used to replay a session
- Files downloaded with wget or curl are saved for later analysis
Dionaea
- Project address: https://github.com/dinotools/dionaea
- Listening ports: 21, 42, 69/UDP, 8081, 135, 443, 445, 1433, 1723, 1883, 1900/UDP, 3306, 5060/UDP, 5061/UDP
Dionaea is a honeypot written in Python that uses libemu to detect and analyze shellcode. It supports a variety of protocols, listed below:
- Blackhole
- EPMAP
- FTP
- HTTP
- Memcache
- Mirror
- MQTT
- MSSQL
- MySQL
- PPTP
- SIP
- SMB
- TFTP
- UPnP
ElasticPot
- Project address: https://github.com/schmale/elasticpotpy
- Listening port: 9200
ElasticPot is an Elasticsearch honeypot.
EMobility
- Project address: https://github.com/dtag-dev-sec/mobility
- Listening port: 8080
EMobility is a high-interaction honeypot for next-generation transportation infrastructure (charging point systems), built to collect the motives and methods of attackers.
The system mainly consists of a central charging system, charging points and simulated user transactions.
Glastopf
- Project address: https://github.com/mushorg/glastopf
- Listening port: 80
Glastopf is a web application honeypot written in Python that emulates a range of web vulnerability types.
HoneyTrap
- Project address: https://github.com/armedpot/honeytrap
- Listening port: nfqueue
Honeytrap is a low-interaction honeypot. By receiving packets from the kernel's nfqueue in user space, it effectively listens on every port not already used by another service.
Its main purpose is to observe attacker behavior; it can also parse download URLs out of the attack payload and fetch and save the corresponding files.
Mailoney
- Project address: https://github.com/awhitehatter/mailoney
- Listening port: 25
Mailoney is an SMTP honeypot.
Rdpy
- Project address: https://github.com/citroneur/rdpy
- Listening port: 3389
RDPY is an implementation of the RDP and VNC protocols in Python. It can act as both a server and a client, and also provides an RDP honeypot that records RDP sessions.
Vnclowpot
- Project address: https://github.com/magicerquis/vnclowpot
- Listening port: 5900
Vnclowpot is a low-interaction VNC honeypot, mainly used to record the VNC authentication process.
Suricata
- Project address: https://github.com/oisf/suricata
Suricata is a network IDS, IPS and NSM engine; in T-Pot it mainly analyzes the traffic and records useful information about each connection.
P0f
- Project address: http://lcamtuf.coredump.cx/p0f3/
p0f uses a set of sophisticated passive traffic fingerprinting techniques to identify information about the remote side of a TCP/IP connection, such as its operating system and uptime.
Install
ISO image installation
https://github.com/dtag-dev-sec/tpotce/releases/download/17.10/tpot.iso
Install on an existing system
Currently only a fresh Ubuntu 16.04 (64-bit) system is supported.
https://github.com/dtag-dev-sec/t-pot-autoinstall
Interface
The T-Pot interface is essentially the web interfaces of Kibana, ES Head and the other components.
Kibana's view of the honeypots over the last 7 days (August 15, 2018 to August 22, 2018) is shown below for reference.
(attack map)
(total amount and trend of attacks)
(attack area distribution)
(username and password of SSH honeypot record)
Logs
Basically, the logs of every honeypot are imported into Elasticsearch, so the logs we want can be found quickly among the huge volume. However, I am not familiar with Elasticsearch query syntax, so I am recording a few commonly used query structures here for future use.
Where to use them: ES Head -> Compound query
Query logs from an IP
{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "src_ip.keyword": "127.6.6.6"
          }
        }
      ]
    }
  },
  "from": 0,
  "size": 50
}
Query logs from an IP, sorted by date in reverse order (newest first)
{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "src_ip.keyword": "127.6.6.6"
          }
        }
      ]
    }
  },
  "from": 0,
  "size": 50,
  "sort": [
    {
      "@timestamp": "desc"
    }
  ]
}
List the most frequently used user names from the Cowrie honeypot
{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "type.keyword": "Cowrie"
          }
        }
      ]
    }
  },
  "aggs": {
    "genres": {
      "terms": {
        "field": "username.keyword",
        "size": 10
      }
    }
  },
  "size": 0
}
Results as of 2018.08.21:
root - 19660
admin - 7267
(empty) - 2626
enable - 876
shell - 870
user - 596
Administrator - 571
super - 515
superuser - 514
tech - 375
I also listed the top 20 passwords; just change the query parameters (the aggregation field and size).
(empty) - 5255
1234 - 1024
system - 876
admin - 862
sh - 846
password - 833
123456 - 802
12345 - 623
ibmdb2 - 514
user - 434
pass - 421
1111 - 415
7ujMko0admin - 414
666666 - 413
888888 - 412
54321 - 410
changeme - 384
cat1029 - 380
alpine - 377
manager - 363
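The username and password rankings above come from a terms aggregation. The following is an added example, not code from the post or from the T-Pot project: it builds that query body, sends it to the local Elasticsearch port the post lists, flattens the aggregation result into the same "value - count" list, and also computes the same ranking offline from raw Cowrie JSON log lines. The index pattern "logstash-*" and the sample log lines are assumptions/constructed.

```python
import json
import urllib.request
from collections import Counter

ES_URL = "http://127.0.0.1:64298"  # T-Pot's local Elasticsearch port (from the post)

def cowrie_top_terms_query(field="username.keyword", top_n=10):
    """The post's query: Cowrie events only, terms aggregation on one keyword field."""
    return {
        "query": {"bool": {"must": [{"term": {"type.keyword": "Cowrie"}}]}},
        "aggs": {"top": {"terms": {"field": field, "size": top_n}}},
        "size": 0,
    }

def run_query(body, index="logstash-*", url=ES_URL):
    """POST the body to Elasticsearch; the index pattern is an assumption."""
    req = urllib.request.Request(
        f"{url}/{index}/_search", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def top_terms(agg_response, agg_name="top", empty_label="(empty)"):
    """Flatten the aggregation into (value, count) pairs; a bucket whose key is ""
    is a blank username/password, so label it instead of dropping it."""
    buckets = agg_response["aggregations"][agg_name]["buckets"]
    return [(b["key"] if b["key"] != "" else empty_label, b["doc_count"])
            for b in buckets]

def top_terms_offline(log_lines, field="username", top_n=10, empty_label="(empty)"):
    """Same ranking computed locally from raw Cowrie JSON log lines (one event per
    line), for when Elasticsearch is unavailable; only login events carry the field."""
    counts = Counter()
    for line in log_lines:
        event = json.loads(line)
        if event.get("eventid", "").startswith("cowrie.login.") and field in event:
            counts[event[field] or empty_label] += 1
    return counts.most_common(top_n)

# Constructed sample events (not real captures) to exercise the offline path.
SAMPLE_LOG = [
    '{"eventid": "cowrie.login.failed", "username": "root", "password": "123456"}',
    '{"eventid": "cowrie.login.failed", "username": "root", "password": ""}',
    '{"eventid": "cowrie.login.failed", "username": "admin", "password": "admin"}',
    '{"eventid": "cowrie.login.failed", "username": "", "password": "1234"}',
    '{"eventid": "cowrie.login.success", "username": "root", "password": "alpine"}',
    '{"eventid": "cowrie.session.connect", "src_ip": "127.6.6.6"}',
]
# Usage: top_terms(run_query(cowrie_top_terms_query("password.keyword", 20)))
```

Against a live T-Pot, `top_terms(run_query(cowrie_top_terms_query()))` returns the same list the post shows; `top_terms_offline(SAMPLE_LOG, field="password")` gives the password ranking from the raw log instead.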
List Suricata logs with destination port 80 and a user agent starting with python-request
{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "type.keyword": "Suricata"
          }
        },
        {
          "term": {
            "dest_port": "80"
          }
        },
        {
          "wildcard": {
            "http.http_user_agent.keyword": "python-request*"
          }
        }
      ],
      "must_not": [],
      "should": []
    }
  },
  "size": 50
}