Deploy a Honeypot in Cowrie

Introduction

In this lab, you will learn how to deploy Cowrie, a medium-interaction SSH honeypot that captures and analyzes attacker behavior. You'll set up Cowrie in a Python virtual environment and configure it to mimic a real SSH service while enabling comprehensive logging.

Through this hands-on exercise, you'll test the honeypot by simulating attacks and analyzing the generated logs. This practical experience will help you understand how honeypots function as cybersecurity tools for threat detection and analysis.

Install Cowrie

In this step, you will install Cowrie, a medium-interaction SSH honeypot designed to log brute force attacks and shell interaction performed by attackers. Cowrie is implemented in Python and can be easily installed using pip. A honeypot is a security mechanism that mimics real systems to attract and study malicious activity, helping security professionals understand attack patterns.

1. First, ensure you are in the default working directory. This is where we'll keep all project files organized:

   cd ~/project

2. Install required system dependencies for Cowrie. These packages provide essential components needed for Cowrie to run properly, including Python development tools and cryptographic libraries:

   sudo apt-get update && sudo apt-get install -y python3-venv python3-dev libssl-dev libffi-dev build-essential

3. Create a Python virtual environment for Cowrie. Virtual environments keep project dependencies isolated from your system Python installation, preventing potential conflicts:

   python3 -m venv cowrie-env

4. Activate the virtual environment. When activated, any Python packages you install will go into this isolated environment rather than your system-wide Python:

   source cowrie-env/bin/activate

5. Install Cowrie using pip. Pip is Python's package manager that will download and install Cowrie along with its dependencies:

   pip install cowrie

6. Verify the installation by checking the Cowrie version. This confirms the package was installed correctly and shows which version you're running:

   cowrie --version

   You should see output similar to:

   cowrie 2.1.0

7. Deactivate the virtual environment when done. This returns you to your system's default Python environment:

   deactivate

Configure Honeypot Settings

In this step, you will configure the Cowrie honeypot settings to customize its behavior and logging capabilities. The configuration files act as the brain of your honeypot, determining how it interacts with potential attackers and what data gets recorded for analysis.

1. First, activate the Python virtual environment created in the previous step. This isolates Cowrie's dependencies from your system Python:

   cd ~/project
   source cowrie-env/bin/activate

2. Generate the default configuration files. These templates contain all available settings with their default values:

   cowrie-gen-config

   This will create configuration files in ~/project/cowrie-env/etc/cowrie/

3. Edit the main configuration file using nano, a beginner-friendly text editor:

   nano cowrie-env/etc/cowrie/cowrie.cfg

4. Modify these key settings (use arrow keys to navigate, Ctrl+O to save, Ctrl+X to exit):

   • Change listen_port = 2222 to listen_port = 22 - this makes the honeypot appear as a standard SSH server
   • Set enabled = true under [output_json] section - enables structured logging for easier analysis
   • Set enabled = true under [output_textlog] section - provides human-readable logs

5. Create a dedicated directory for log files. Keeping logs separate helps with organization and analysis:

   mkdir -p ~/project/cowrie-logs

6. Update the logging path in the configuration to point to your new directory:

   nano cowrie-env/etc/cowrie/cowrie.cfg

   Find the log_path setting and change it to:

   log_path = /home/labex/project/cowrie-logs

7. Verify your configuration changes by checking the modified settings:

   grep -E 'listen_port|enabled|log_path' cowrie-env/etc/cowrie/cowrie.cfg

   You should see output reflecting your changes, confirming the configuration was saved correctly.

Start the SSH Service

In this step, you will start the Cowrie honeypot SSH service that will listen for incoming connections. Since we're running in a Docker container without systemd, we'll use direct process execution. This approach is simpler than traditional service management and better suited for containerized environments.

1. First, ensure you're in the correct directory and activate the virtual environment. The virtual environment contains all the necessary Python dependencies isolated from your system:

   cd ~/project
   source cowrie-env/bin/activate

2. Start the Cowrie service in the background. The -n flag makes it run in non-daemon mode (showing output directly in terminal), while & puts the process in the background so you can continue using the terminal:

   cowrie start -n &

3. Verify the service is running by checking the process list. This command filters all running processes to show only those containing "cowrie":

   ps aux | grep cowrie

   You should see output similar to:

   labex   12345  0.0  0.5  12345  6789 ?        S    12:34   0:00 python cowrie start -n

4. Check if the service is listening on port 22. This is crucial because SSH connections will come to this port. The command shows all network services and their listening ports:

   sudo netstat -tulnp | grep 22

   You should see output indicating Python is listening on port 22.

5. To make the service persistent across terminal sessions, create a simple keep-alive script. This ensures the honeypot stays running even if you close your terminal:

   nano cowrie-keepalive.sh

   Add the following content:

   #!/bin/bash
   source ~/project/cowrie-env/bin/activate
   cowrie start -n

6. Make the script executable so it can be run directly:

   chmod +x cowrie-keepalive.sh

7. You can now run the honeypot by executing this script. It will activate the environment and start Cowrie in one step:

   ./cowrie-keepalive.sh

Simulate an Attack

In this step, you will simulate an SSH brute force attack against your Cowrie honeypot to verify its logging capabilities. This simulation helps demonstrate how real-world attackers might try to gain unauthorized access, and how the honeypot records these attempts for analysis.

1. First, ensure your Cowrie honeypot is running (from previous step):

   ps aux | grep cowrie

   This command checks if the Cowrie process is active. You should see 'cowrie' in the output list.

2. Install the SSH client if not already available:

   sudo apt-get install -y openssh-client

   The openssh-client package provides the ssh command we'll use to connect to our honeypot. The '-y' flag automatically confirms any prompts.

3. Simulate a brute force attack by attempting multiple SSH connections with common username/password combinations:

   for i in {1..5}; do
     sshpass -p 'password' ssh -o StrictHostKeyChecking=no -p 22 labex@localhost
     sshpass -p 'admin' ssh -o StrictHostKeyChecking=no -p 22 admin@localhost
     sshpass -p 'root' ssh -o StrictHostKeyChecking=no -p 22 root@localhost
   done

   This script tries common username/password pairs (like root/password) five times each. The '-o StrictHostKeyChecking=no' prevents SSH from asking about unknown hosts, making automation easier.

4. Simulate a more sophisticated attack using hydra (pre-installed in LabEx VM):

   hydra -L /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt -t 4 -vV localhost ssh

   Hydra is a powerful brute-forcing tool. Here it tries combinations from provided wordlists (-L for usernames, -P for passwords). The '-t 4' limits to 4 parallel attempts, and '-vV' shows detailed output.

5. Verify the attacks were logged by checking the Cowrie logs:

   ls -l ~/project/cowrie-logs/

   After running attacks, this command shows new log files containing details of all connection attempts. These logs are what security analysts would examine in a real deployment.

Check Attack Logs

In this step, you will analyze the attack logs generated by Cowrie to understand the simulated attacks from the previous step. The logs contain valuable security information about the attack attempts. Cowrie automatically records all interaction attempts in two formats: a simple text log for quick reading and a structured JSON log for detailed analysis.

1. First, navigate to the log directory where Cowrie stores all its log files:

   cd ~/project/cowrie-logs

2. View the text-based log file (most recent first). The ls -lt command shows files sorted by modification time, while tail displays the last 20 lines of the most recent log:

   ls -lt cowrie.log*
   tail -n 20 cowrie.log

   You should see entries showing failed login attempts with timestamps, usernames, and IP addresses.

3. Examine the JSON log file for structured data. The jq tool helps parse JSON, and less allows scrolling through long output:

   jq '.' cowrie.json | less

   Look for entries with "eventid": "cowrie.login.failed" which indicate unsuccessful authentication attempts.

4. Search for specific attack patterns targeting common admin accounts. The grep command searches for text patterns in files:

   grep -a "root" cowrie.log
   grep -a "admin" cowrie.log

5. Generate a summary of attack attempts. These commands extract and count the most frequently attempted usernames and passwords from the JSON logs:

   echo "Top usernames attempted:"
   jq -r 'select(.eventid=="cowrie.login.failed") | .username' cowrie.json | sort | uniq -c | sort -nr
   
   echo -e "\nTop passwords attempted:"
   jq -r 'select(.eventid=="cowrie.login.failed") | .password' cowrie.json | sort | uniq -c | sort -nr

6. View source IP information (will show localhost in this simulation). This extracts the IP addresses of connecting clients:

   jq -r 'select(.eventid=="cowrie.session.connect") | .src_ip' cowrie.json

Summary

In this lab, you have learned how to deploy a Cowrie SSH honeypot to monitor and analyze cyber attacks. The process included setting up a Python virtual environment, configuring SSH ports, and enabling JSON logging for detailed attack data collection.

You also gained practical experience in starting the honeypot service, simulating attacks, and analyzing logged data. This hands-on exercise demonstrated how security tools can mimic real systems to detect and study malicious activities effectively.