\n\nThis page has been machine-translated from the original page.
\n
The other day I wrote an article about setting up a honeypot on Azure, and this is a continuation of that.
\nAs I begin actual honeypot operations, I decided to review the modules and honeypots that T-Pot runs, which I installed last time.
\nThere were 25 types of honeypots built into T-Pot, so it took quite a while lol
\nThe content of this article is not intended to encourage acts that violate social order.
\nPlease be aware that attempting attacks on environments other than your own or those you have permission to access may violate the “Act on Prohibition of Unauthorized Computer Access (Unauthorized Access Prohibition Act)“.
\nAll statements are attributed to me personally, not to any organization I belong to.
\n\nAs seen at the end of the previous article, the T-Pot console after login looks like this.
\nThis time I’ll look at each console.
\n“Cockpit” is a web console application that can monitor Linux system containers, storage, networks, services, logs, etc.
\nReference: cockpit-project/cockpit: There’s code a goin’ on
\nAs shown in the image above, it visualizes system resource usage in real time.
\nConvenient.
\nA local version of Cyberchef is available for use within the T-Pot machine.
\nA web console for viewing and operating Elastic Search Clusters.
\nReference: ElasticSearch Head
\nReference: Free and Open Search: The Creators of Elasticsearch, ELK & Kibana | Elastic
\nElastic Search is a distributed search and analytics engine.
\nIn other words, it’s a tool for efficiently extracting necessary information from large amounts of information.
\nIt seems Elasticsearch can be used for various purposes.
\nReference: Elasticsearch: The Official Distributed Search & Analytics Engine | Elastic
\nI don’t fully understand it yet, but it seems Elasticsearch is composed of Clusters consisting of multiple Elasticsearch Server Nodes to increase search traffic and distribute data and writes.
\nI think Elasticsearch Head is probably a tool that can operate this Cluster.
\nI’ll write about detailed usage in another article sometime.
\nKibana is a tool for visualizing data in conjunction with Elasticsearch.
\nYou can perform data analysis and graphical visualization in Kibana using data stored in Elasticsearch.
\nIn T-Pot, dashboards for visualizing information collected by each honeypot were created by default.
\nSpiderfoot is an OSS OSINT tool.
\nReference: Home - SpiderFoot
\nIt seems you can automate intelligent information gathering.
\nFor example, it seems you could automate intelligent analysis such as associating information like IP addresses collected by honeypots, email addresses, URLs, etc. with specific attack campaigns.
\nSince I haven’t opened T-Pot to the internet yet and no data has been collected, I’ll try this once I start actual operation.
\nT-Pot’s GitHub repository is linked.
\nReference: GitHub - telekom-security/tpotce: T-Pot - The All In One Honeypot Platform
\nIt’s quite detailed, but the overall picture of T-Pot looks like this.
\nReference image: tpotce/architecture.png at master · telekom-security/tpotce
\nThe aforementioned tools and honeypots are each launched as containers managed by docker-compose.
\nThis image shows only 18 honeypots, but as of this article’s writing (2022/02/14), T-Pot has a total of 25 honeypots.
\nAmazing.
\nSince we’re here, let’s roughly look at what each honeypot is.
\n“ADBHoney” is a honeypot for Android Debug Bridge (ADB) over TCP/IP.
Reference: huuck/ADBHoney: Low interaction honeypot designed for Android Debug Bridge over TCP/IP
\nAndroid Debug Bridge (ADB) is a command-line tool that enables communication with Android devices.
You can perform debugging by connecting from an ADB client to a daemon (adbd) running on an Android device.
Reference: Android Debug Bridge (adb) | Android Developers
\nNormally, ADB on devices is only done through protected communication, but if the ADB service port is exposed unprotected to the internet, the device accepts arbitrary code execution from malicious attackers over the internet.
\n“ADBHoney” is a honeypot aimed at catching attacks targeting this open port 5555 with the purpose of downloading malware.
“Cisco ASA honeypot” is a honeypot that can detect attacks against CVE-2018-0101, which causes DoS and RCE.
It’s a vulnerability rated 10.0 in CVSSv3, and seems to be an exploitation of double-free.
\nSo there are also honeypots aimed only at collecting attacks against specific vulnerabilities.
\nReference: CVE - CVE-2018-0101
\nReference: JVNDB-2018-001897 - JVN iPedia - Vulnerability Countermeasure Information Database
\n“Honepot for CVE-2019-19781 (Citrix ADC)” is also a honeypot targeting a specific vulnerability.
\nIt catches attacks aimed at exploiting CVE-2019-19781.
Reference: MalwareTech/CitrixHoneypot: Detect and log CVE-2019-19781 scan and exploitation attempts.
\nThis vulnerability also allows RCE through exploitation.
\nIt’s rated 9.8 in CVSSv3, and is a path traversal vulnerability.
\nReference: Alert Regarding Vulnerabilities in Multiple Citrix Products (CVE-2019-19781)
\nReference: JVNDB-2019-013490 - JVN iPedia - Vulnerability Countermeasure Information Database
\n“CONPOT” is a honeypot for catching attacks against industrial facilities.
\nIt emulates complex infrastructure environments using common industrial control protocols.
\nI don’t really understand how it’s done specifically, but it seems it can also intentionally delay responses to simulate an environment under certain load.
\nReference: Conpot
\n“Cowrie” seems to be able to monitor brute force attacks against SSH and Telnet, as well as attacker behavior after system intrusion.
\nReference: cowrie/cowrie: Cowrie SSH/Telnet Honeypot https://cowrie.readthedocs.io
\n“Cowrie” can change what behavior it catches depending on the operation mode, but looking at T-Pot’s default configuration file, it seems SSH, Telnet, JSON format logging, etc. are all enabled.
\nReference: tpotce/cowrie.cfg at master · telekom-security/tpotce
\n“DDoSPot” is a honeypot for catching UDP-based DDoS attacks.
\nIt supports the following services:
\nReference: aelth/ddospot: NTP, DNS, SSDP, Chargen and generic UDP-based amplification DDoS honeypot
\n“Dicompot” is a honeypot targeting A Digital Imaging and Communications in Medicine (DICOM).
Reference: nsmfoo/dicompot: DICOM Honeypot
\nDICOM seems to refer to the format of medical images taken with CT, MRI, CR, etc., and the communication protocol standards between medical imaging equipment that handles them.
\nReference: DICOM - Wikipedia
\nI heard about this standard for the first time, but port 104 is known as a common communication port, and attacks targeting this port have also been observed.
\n“Dionaea” means Venus flytrap in Japanese, and is a honeypot aimed at collecting malware.
\nReference: DinoTools/dionaea: Home of the dionaea honeypot
\nMalware acquired by “Dionaea” seems to be saved in the binaries directory.
Reference: Collecting Malware with Honeypot Dionaea, Scanning with API, and Visualizing the Results - Qiita
\n“ElasticPot” is a honeypot that emulates a vulnerable Elasticsearch server and captures attacks against Elasticsearch.
\nReference: Vesselin Bontchev / ElasticPot · GitLab
\n“Endlessh” is an SSH tarpit.
\nReference: skeeto/endlessh: SSH tarpit that slowly sends an endless banner
\nWhat is a “tarpit”, you ask? It’s a system aimed at wasting attackers’ time and resources by intentionally delaying server-side responses.
\nReference: Tarpit | Cybersecurity Information Bureau
\n“Endlessh” is an SSH tarpit that hangs attackers’ SSH clients and wastes up to several days of time.
\nReference: Endlessh: an SSH Tarpit
\n“Glutton” is a honeypot that functions as a proxy between attackers and other honeypots, and can capture and record attacker traffic using methods similar to MITM.
\nReference: mushorg/glutton: Generic Low Interaction Honeypot
\nReference: An analysis of Glutton — All Eating honeypot | by Muhammad Tayyab Sheikh (CS Tayyab) | Medium
\n“Heralding” is a honeypot for capturing traffic and credentials when attackers attempt authentication.
\nReference: johnnykv/heralding: Credentials catching honeypot
\nUsing “Heralding”, you can capture authentication information used by attackers.
\nReference: Heralding - Credentials catching honeypot - SecTechno
\n“HellPot” is a honeypot based on Heffalump that sends unlimited streams to malicious attackers, overflowing their memory and storage.
\nReference: yunginnanet/HellPot: HellPot is a portal to endless suffering meant to punish unruly HTTP bots.
\nIt’s a different approach from SSH tarpit, but there are quite a few honeypots like this that are counter-traps against attackers.
\n“Honeypots” is a honeypot that can monitor network traffic, BOT activity, and credential information used by attackers.
\n“Honeypots” incorporates 23 different simple honeypots.
\n\nThis is the first pattern I’ve seen where multiple honeypots are embedded within a honeypot that’s part of T-Pot.
\n“HoneyPy” is a honeypot that can emulate TCP and UDP services and capture attacker activity.
\nReference: foospidy/HoneyPy: A low to medium interaction honeypot.
\nReference: Home - HoneyPy Docs
\nBy adding services in units called plugins, it seems you can capture attacks against TCP/UDP services such as DNS and Telnet.
\nReference: Plugins - HoneyPy Docs
\n“HoneySAP” is a honeypot for capturing attacks against SAP systems.
\nReference: SecureAuthCorp/HoneySAP: HoneySAP: SAP Low-interaction research honeypot
\nThe documentation specifically states it can capture the purposes and techniques of attackers targeting SAP services.
\nReference: HoneySAP: SAP Low-interaction honeypot — HoneySAP 0.1.2 documentation
\n“Honeytrap” emulates TCP and UDP services and captures attacker network traffic.
\n\n“IPP Honey” is an Internet Printing Protocol Honeypot.
Reference: Vesselin Bontchev / IPP Honey · GitLab
\nIt emulates printers exposed to the internet and can capture attacks against printers.
\n“Log4Pot” is a honeypot targeting the Log4Shell vulnerability “CVE-2021-44228”, which is currently having a major impact worldwide.
\nReference: thomaspatzke/Log4Pot: A honeypot for the Log4Shell vulnerability (CVE-2021-44228).
\nThis honeypot captures behavior related to Log4Shell exploitation.
\n“Mailoney” is an SMTP honeypot.
\nReference: phin3has/mailoney: An SMTP Honeypot
\nIt can capture attacks against SMTP ports.
\n“medpot” seems to be an HL7/FHIR honeypot.
Reference: schmalle/medpot: HL7 / FHIR honeypot
\nI wondered what HL7/FHIR was, but it seems to be a communication protocol being standardized for medical information exchange.
Reference: Research on HL7 FHIR
\nAs expected, the medical field is quite targeted.
\n“RDPY” is a honeypot that implements Microsoft RDP in Python.
\nReference: citronneur/rdpy: Remote Desktop Protocol in Twisted Python
\n“RedisHoneyPot” is a honeypot targeting the Redis protocol.
\nReference: cypwnpwnsocute/RedisHoneyPot: High Interaction Honeypot Solution for Redis protocol
\nWritten in Golang.
\n“SNARE” and “TANNER” are web application honeypot sensors.
\nReference: MushMush
\n“TANNER” seems to be a module that evaluates events captured by “SNARE” and determines how “SNARE” should respond to attackers.
\nFor now, I’ve reviewed all the components of the latest version of T-Pot (as of 2022/02/15).
\nI want to start actual operation soon, but there still seems to be a lot to do.
","fields":{"slug":"/honeypot-tpot-modules-en","tagSlugs":["/tag/security-en/","/tag/honey-pot-en/","/tag/azure-en/","/tag/備忘録/","/tag/english/"]},"frontmatter":{"date":"2022-02-16","description":"","tags":["Security (en)","HoneyPot (en)","Azure (en)","備忘録","English"],"title":"Continuing Adventures of a Novice Honeypotter Playing Safely with T-Pot [Investigating All T-Pot Modules]","socialImage":{"publicURL":"/static/c401b2f18052c899f8cdbf1869ca44e3/honeypot-tpot-modules.png"}}}},"pageContext":{"slug":"/honeypot-tpot-modules-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}