Northern Kentucky University



CIT 480: Securing Computer Systems
Lab #14: Honeypots
Name: _____________________

1: Introduction

In this lab, we will configure a honeypot using the open source Cowrie ssh honeypot, and use it to detect and observe attacks launched from an online password guessing tool, Hydra. We will use the following two VMs:

Client: Kali Linux
Server: Metasploitable2

We will run both Hydra and Kippo on the Kali VM, and we will attempt password guessing with Hydra against both VMs.

References

Kippo home page, home page, diary,

2: Password Guessing with Hydra

Hydra is an online password guessing tool. Given a list of usernames and a list of passwords, Hydra tries each possible combination in an attempt to log in to a network service. Therefore, if you give Hydra a list of 10 usernames and a list of 100 passwords, it will make 1000 attempts to log in to the designated service. Hydra is capable of guessing login credentials on a wide variety of systems, including ssh, web applications, mail servers, database servers, and more.

We will run Hydra on the Kali VM. Run hydra to see which options you will need to use:

$ hydra -h

Create two files, one containing a list of usernames, and the other containing a list of passwords. The list of usernames should be stored in a file named users and contain the following strings:

msfadmin
root
student

The list of passwords should be stored in a file named passwords and contain the following:

password
password1
nku2014
msfadmin
toor
123456

2.1: Use Hydra to attempt to find ssh credentials on the Metasploitable2 VM. Include the output of Hydra below, bolding the line where Hydra found the correct login credentials (that line will also be partially bolded on the screen). We use the -t 1 option to use only a single thread, because some ssh servers will refuse to work with too many threads.

$ hydra -t 1 -L users -P passwords SERVER_IP ssh -V

2.2: Repeat the attack against your Kali VM. Did it work or not?
Include the output of Hydra below.

$ hydra -t 1 -L users -P passwords 127.0.0.1 ssh -V

2.3: Let's examine the logs on the Metasploitable VM to see if we can detect the password guessing attack. Authentication logs are stored in /var/log/auth.log, which is only accessible by root for security. Include one of the log entries in the box below. Bold the IP address from which the attack was launched.

$ sudo grep ssh /var/log/auth.log | less

2.4: How many different valid usernames were attacked? How many invalid ones?

$ sudo grep ssh /var/log/auth.log | less

2.5: How many unsuccessful attacks do you find in the log? How many successful ones? Use a combination of the grep and wc commands to compute these two numbers. Write both your answers and the commands that generated them in the box below.

3: Installing the Cowrie Honeypot

On the Kali VM, install the packages that Cowrie depends on and create a cowrie user.

# apt-get update
# apt-get install apache2 python-twisted
# adduser --disabled-password cowrie

Download Cowrie and copy the example configuration file.

# su - cowrie
$ git clone
$ cd cowrie
$ cp cowrie.cfg.dist cowrie.cfg

Finally, start Cowrie as the kippo user.

$ ./start.sh

It will take a minute for Cowrie to start in the background. By default, Cowrie runs on port 2222, which is handy in this lab as we already have an ssh server running on the default port 22. For a production honeypot, we would want to change Cowrie to run on the default port, but for this lab, we'll keep it on port 2222.

3.1: Attempt a password guessing attack against Cowrie. Which username and password pair(s) were correct?

$ hydra -s 2222 -t 1 -L users -P passwords 127.0.0.1 ssh -V

3.2: Open a new terminal window and use ssh to log into Cowrie with the credentials guessed via Hydra above. Replace USERNAME with the one found above.
What prompt do you see?

$ ssh -l USERNAME -p 2222 127.0.0.1

3.3: In your terminal window on Kali (not on the honeypot), can you find the successful ssh login in the honeypot's log file? Write the log entries for the successful login in the box below.

$ cd ~cowrie/cowrie/log
$ less cowrie.log

3.4: In your Kali terminal window, watch the honeypot log entries using the tail -f command. This command will print anything new that is added to a file. In the other terminal, inside your ssh session to Cowrie, run commands to identify the OS and hardware of the "server" that you have logged into. Do any of the commands show output that you would not expect from a legitimate Linux server? What are the usernames of all accounts with passwords?

# id
# uname -a
# cat /proc/cpuinfo
# cat /proc/meminfo
# cat /etc/passwd
# cat /etc/shadow

3.5: Install Hydra inside the honeypot, then run it. What happens when you attempt to run it?

# apt-get install hydra
# hydra

3.6: Download a file inside Cowrie. Does it appear to work?

# wget
# cat index.html

3.7: In your terminal window on Kali (not on the honeypot), check for the index.html file. Cowrie saves these files in the dl directory. Is there a file in dl that is identical to the index.html file downloaded above?

$ cd ~cowrie/cowrie/dl
$ ls -l

3.8: What happens when you use ssh from the honeypot?

# ssh root@kosh.nku.edu

3.9: Find at least one command that demonstrates that Cowrie is not a valid Linux server, because the results of the command do not make sense and cannot be explained by a missing or broken software package (as the failure of the hydra command could be explained, since it is not installed on most systems).
Write the command line in the box below, along with the output that demonstrates that the command is behaving in a way that could not be explained by the command not being installed or being of the wrong version.

4: Submitting the Lab

Bring a printed copy with your name on it to the next class period after the one in which this lab was given. Online students turn in via Blackboard.
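
The log review in questions 2.3 to 2.5 can be generalized from grep and wc counts into a per-source summary that also flags a successful login following a run of failures. This is an added example, not part of the original lab handout; the log lines are constructed, and the syslog line layout, the function names and the default threshold of 5 are assumptions.

```shell
#!/bin/sh
# Added example; assumes traditional syslog lines such as
#   Mon DD HH:MM:SS host sshd[PID]: Failed password for USER from IP port N ssh2

# summarize_ssh_auth [THRESHOLD]: read auth.log lines on stdin and print, per
# source address: IP failed=N accepted=N valid_users=N invalid_users=N verdict=V
summarize_ssh_auth() {
    awk -v threshold="${1:-5}" '
    $5 ~ /^sshd\[[0-9]+\]:$/ && ($6 == "Failed" || $6 == "Accepted") &&
    $7 == "password" && $8 == "for" && $(NF-4) == "from" && $(NF-2) == "port" {
        # The username is remote input and may contain spaces, so take the
        # source address by position from the end of the line.
        ip = $(NF-3)
        invalid = ($9 == "invalid" && $10 == "user" && NF >= 16)
        first = invalid ? 11 : 9
        user = $first
        for (i = first + 1; i <= NF - 5; i++) user = user " " $i
        kind = invalid ? "invalid" : "valid"
        if (!((ip, kind, user) in users)) { users[ip, kind, user] = 1; nusers[ip, kind]++ }
        seen[ip] = 1
        if ($6 == "Failed") failed[ip]++; else accepted[ip]++
    }
    END {
        for (ip in seen) {
            f = failed[ip] + 0; a = accepted[ip] + 0
            verdict = (f < threshold) ? "ok" : (a > 0 ? "guessing-then-login" : "guessing")
            printf "%s failed=%d accepted=%d valid_users=%d invalid_users=%d verdict=%s\n",
                ip, f, a, nusers[ip, "valid"] + 0, nusers[ip, "invalid"] + 0, verdict
        }
    }' | LC_ALL=C sort
}

# Constructed sample lines (not real log data).
sample_auth_log() {
    cat <<'EOF'
Dec  1 10:00:01 metasploitable sshd[4301]: Failed password for msfadmin from 192.168.56.101 port 40101 ssh2
Dec  1 10:00:03 metasploitable sshd[4302]: Failed password for msfadmin from 192.168.56.101 port 40102 ssh2
Dec  1 10:00:05 metasploitable sshd[4303]: Failed password for root from 192.168.56.101 port 40103 ssh2
Dec  1 10:00:07 metasploitable sshd[4304]: Failed password for root from 192.168.56.101 port 40104 ssh2
Dec  1 10:00:09 metasploitable sshd[4305]: Invalid user student from 192.168.56.101
Dec  1 10:00:09 metasploitable sshd[4305]: Failed password for invalid user student from 192.168.56.101 port 40105 ssh2
Dec  1 10:00:11 metasploitable sshd[4306]: Failed password for invalid user student from 192.168.56.101 port 40106 ssh2
Dec  1 10:00:13 metasploitable sshd[4307]: Accepted password for msfadmin from 192.168.56.101 port 40107 ssh2
Dec  1 11:30:00 metasploitable sshd[4400]: Accepted password for msfadmin from 192.168.56.1 port 51000 ssh2
EOF
}

sample_auth_log | summarize_ssh_auth 5
```

On the real server, feed it the log directly with sudo cat /var/log/auth.log | summarize_ssh_auth; a source reported as guessing-then-login is the one to investigate first.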