Thursday, September 15, 2016

Anatomy of a Real Linux Intrusion Part I: Running a MiTM SSH honeypot

During the coming 4 or 5 post I'm going to write about some interesting Linux attacks and intrusions I've been recently investigating.  I will share some of the tools I've analysed, including several Trojanized tools, scanners, Rootkits, etc.

I've been running Linux Honeypots for a while. Around 7 years ago I did some research using Sebek which works at kernel level, hooking the system call. Based on this research, I did a talk / presentation to the students of the Master in Security and Forensics at Dublin City University.

A few years ago I started using Kippo honeypot running in several Raspberry Pi spread across different ISP providers and countries.

Recently,  I migrated some of my honeypots to a new Raspberry Pi 3 model B. This new Raspberry has WiFi integrated which it is very cool.  Instead of continue using Kippo, I decided to install honssh (a fork from Kippo), which permits to do a SSH MiTM. The main advantage of this high interaction honeypot setup is that attackers are accessing a real system.

The setup is as follow:

  • 2 Raspberry pi running Raspbian: Raspberry Pi 3 with Wifi and Eth0, and Raspberry Pi 2 with only eth0
  • The Raspberry Pi 3 connects though WiFi to the router. 
  • The Interface eth0 of the Raspberry Pi 3 connects to the eth0 or Raspberry Pi 2. With this setup the traffic from/to Raspberry Pi 2 goes always through Rasperry Pi 3.
  • Proper NAT and firewall rules are setup in Raspberry Pi 3
  • Port 22 is NAT on the router to Raspberry Pi 3
  • HonSSH runs on Raspberry Pi 3 which does SSH MiTM. Any incoming SSH connection is redirected to Raspberry 2, which runs a real Debian system

On the Raspberry Pi 3 host, I run iptables to have control on the traffic. Basically, from the Raspberry Pi 2, which is the ones that will be compromised,  I only accept outgoing HTTP, NTP and DNS and Incoming SSH. The rest is blocked. The iptables script I created is as follow:

/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT ACCEPT
/sbin/iptables --policy FORWARD DROP

/sbin/iptables -A INPUT  -i wlan0 -p 6 --dport 22222 -j ACCEPT
/sbin/iptables -A INPUT  -i wlan0 -p 6 --dport 2222 -j ACCEPT

/sbin/iptables -A INPUT -i wlan0  -p tcp --dport ftp -j ACCEPT
/sbin/iptables -A INPUT -i wlan0   -p tcp --dport ftp-data -j ACCEPT
/sbin/iptables -A INPUT -p ALL -i wlan0 -m state --state  ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p ALL -i eth0 -m state --state  ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p icmp -i wlan0  -j ACCEPT

/sbin/iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
/sbin/iptables -A INPUT  -i eth0  -j DROP 

/sbin/iptables -A FORWARD -p ALL -m state --state  ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD  -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A FORWARD  -p udp --dport 53 -j ACCEPT
/sbin/iptables -A FORWARD  -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A FORWARD   -p tcp  --dport 123 -j ACCEPT
/sbin/iptables -A FORWARD   -p udp  --dport 123 -j ACCEPT

/sbin/iptables -A FORWARD   --dst  -j DROP
/sbin/iptables -A INPUT -i eth0   --dst  -j DROP
/sbin/iptables -A FORWARD  -p icmp -j ACCEPT

In the Honssh Wiki you can find some documentation to set it up. I did a couple of additional things:
  • In Raspberry Pi 2 I created several accounts easy to brute force
  • The sshd keys from the SSHD in Raspberry Pi 2 were copied to the HonSSH, hence the keys are the same. This makes more difficult to spot the MiTM SSH through SSH finger printing
  • The default openssh-server in Raspbian 8, is 6.7. This version doesn't support SSH legacy protocols. I included manually some of them to be compatible with some of the attacks. Hence, I included this line in /etc/ssh/sshd_config
  • Advanced networking is enabled on HonSSH to fool the attacker

There is a bug in HonSSH, so from time to time the HonSSH process crashes. I created a cron script which runs every 5 minutes, in order to check if the process is running, if not, the process is relaunched. The script is as follow


process=`ps auxw | grep  /usr/bin/twistd | grep -v grep | awk '{print $2}'`
if [ $process > 1 ]
 echo $process
 cd /home/admin/honssh-master/
 ./ stop; rm; ./ stop;  ./ start &


Now the fun begins :)