Posts
Cowrie: Designing SSH and Telnet Proxies (and Dabbling with Qemu)
These past months I’ve been working in the Google Summer of Code program with The Honeynet Project, in a project called Cowrie, about which I’ve talked in a previous post. Cowrie, in turn, is maintained by Michel Oosterhof, with whom I really had the pleasure of working these past months.
Whew, that was a mouthful of links, but I’ve got my references done with for now… I have talked about the experience in the official report, so this post will focus a bit more on the technical challenges I faced and my main takeaways, as well as serving to showcase the new features that have been added.
Cowrie Honeypot
Since summer 2014 I’ve been working on extensions and contributions to the well-known Kippo honeypot developed by desaster.
I noticed that some SSH attacks against my systems were not logged in full detail, so I started to work on additional logging. From there I’ve added ‘ssh exec commands’ support, SFTP support, SCP support, direct-tcpip (proxying) support and many other features.
To distinguish this from the original software, I have now renamed the system to "Cowrie".
Interesting Perl scripts through stdin
This came in recently on one of my honeypots, from the same IP address that had attempted to download SSH brute-forcing scripts before, but this latest attempt shows a new method of operation. In the log below you can see they attempt to run ‘perl’. Kippo accepts the perl command, but we don’t see what’s executed.
2015-02-17 08:13:56+0000 [kippo.core.ssh.HoneyPotSSHFactory] New connection: AAA.BBB.CCC.DDD:40346 (127.0.0.1:2222) [session: 491]
2015-02-17 08:13:57+0000 [HoneyPotTransport,491,AAA.BBB.CCC.DDD] KEXINIT: client supported key exchange: ['diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1']
2015-02-17 08:13:57+0000 [HoneyPotTransport,491,AAA.