Maximum PC - UK (2019-09)

Set Up a Secure Shell Honeypot

WHETHER THEY'RE OPPORTUNISTIC "SCRIPT KIDDIES," actual paid hackers on some Chinese payroll, or zombie computers compromised by malware, there's a huge number of forces trying to sniff around your network. A quick browse of your router's firewall logs (or those of Windows' own second-line-of-defense firewall) will likely make for worrying reading: Your ports are probably being scanned, probed, and poked to within an inch of their lives. There's little you can do, save for sleuthing out the snoopers and stopping them in real life (something we don't endorse). Instead, how about taking the path of least resistance, and just letting them in? Crazy talk, right? Not so much. Setting up a honeypot, an isolated and disposable corner of your network which appears from the outside to be a juicy server worthy of exploitation, is an interesting idea with a nefarious side effect: Hackers can poke around and ideally feel as if they have accomplished something, thus thoroughly and fruitlessly wasting their time. If that doesn't make you feel good, your heart needs hacking. –ALEX COX

YOU'LL NEED THIS

A RASPBERRY PI
Version 2 or better.

RASPBIAN BUSTER
The latest spin on the Pi OS.

COWRIE
A great honeypot (see https://github.com/cowrie).

1 READY YOUR BOX
You may be familiar with Docker, particularly if you've read the tutorial on page 54. We're going to use it here to manage our honeypot, because it makes restoring a destroyed system as simple as a single command. And given that we're actively trying to make something disposable, destructible, and dedicated, the ideal platform is a Raspberry Pi; we tried the Pi Zero, but a combination of its ARMv6 processor, low power, and the staunch refusal of the latest Raspbian Buster to play nice drove us toward a RPi 3 Model B. Don't let that stop you trying, but be aware that you may be in for some heartache. You may, if you don't want to draw attention to the rest of your network, run your honeypot on someone else's hardware: A VPS, or virtual private server, is generally cheap to rent, and grants you access to a full Linux shell. We're going to take the risk, but that's definitely an option. Whichever you pick, treat the honeypot host as hostile from day one: give it its own network segment or guest Wi-Fi if your router offers one, and never reuse a password from elsewhere on it.

2 INSTALL A HOST OS
First up, prepare your RPi. Grab a microSD card, head to http://www.raspberrypi.org, download Raspbian Lite (where we're going, we don't need desktops), then install it on the card [Image A]. Just for a change, use the excellent Balena Etcher (www.balena.io/etcher) this time. But don't pop the card in your RPi quite yet: ignore Windows' protestations about the card needing formatting, and open up the drive volume marked "boot." Create a blank text document in the root folder. We're going to use this file to preload your Wi-Fi credentials, so you can boot the Pi headless; Raspbian moves it off the boot partition into /etc/wpa_supplicant on first boot, and the container your honeypot will run in never sees the host's filesystem anyway. Skip this step if you're attached by Ethernet. Open the file, and insert the following (replacing <name> and <password> with your SSID and network key, and US with your own two-letter country code):

country=US
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
    ssid="<name>"
    psk="<password>"
    key_mgmt=WPA-PSK
}

>> Save it with the name wpa_supplicant.conf. Bear in mind that the boot volume is a plain FAT partition, so anyone who picks up the card can read that passphrase; wpa_supplicant also accepts the derived 64-hex-character PSK (the value wpa_passphrase prints) unquoted on the psk= line, which keeps the plain-text key off the card. Then create a second empty file (Ethernet users, you'll need to do this, too) called simply ssh, which tells Raspbian you want SSH (Secure Shell) switched on. Put the card in your Pi, power it up, and boot up your headless system.
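The two boot-partition files from step 2, produced by a script rather than by hand. This is an added example, not code from the Maximum PC article or from the Cowrie project: it writes wpa_supplicant.conf and the empty ssh marker into whatever directory the boot volume is mounted at, but derives the WPA2 PSK itself (PBKDF2-HMAC-SHA1, 4096 rounds, salted with the SSID, exactly what wpa_passphrase prints) so the plain-text Wi-Fi passphrase never lands on the world-readable FAT partition. It also switches to wpa_supplicant's hex SSID form when the network name contains quotes, backslashes or non-ASCII characters, which the quoted form cannot express. The mount path, the GB default country code and the command-line usage are assumptions for the example; the PSK derivation and the config syntax are standard. Change the Pi's default password as soon as you first log in, since SSH is enabled before you have touched it.

```python
"""Prepare a Raspbian boot partition for a headless honeypot host.

Added example (not from the article): writes wpa_supplicant.conf with a
hashed PSK plus the empty `ssh` marker. The boot mount path is assumed and
passed on the command line.
"""
import getpass
import hashlib
import os
import re
import sys

PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11i for WPA/WPA2 passphrases
PSK_LENGTH = 32           # 256-bit pairwise master key


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Derive the WPA/WPA2 PSK as 64 hex characters.

    Same derivation as wpa_passphrase(8): PBKDF2-HMAC-SHA1 over the
    passphrase, salted with the SSID, 4096 rounds, 32 bytes of output.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), PBKDF2_ITERATIONS, PSK_LENGTH
    ).hex()


def ssid_field(ssid: str) -> str:
    """Return the value for the ssid= line.

    wpa_supplicant takes a double-quoted string for plain printable ASCII
    SSIDs, and an unquoted hex string for anything else (quotes, backslashes,
    non-ASCII), so we pick the form that can represent the name exactly.
    """
    if re.fullmatch(r"[ -~]+", ssid) and '"' not in ssid and "\\" not in ssid:
        return f'"{ssid}"'
    return ssid.encode().hex()


def render_wpa_supplicant(ssid: str, passphrase: str, country: str = "GB") -> str:
    """Build wpa_supplicant.conf with a hashed PSK instead of the passphrase."""
    if not re.fullmatch(r"[A-Z]{2}", country):
        raise ValueError("country must be an ISO 3166-1 alpha-2 code, e.g. GB or US")
    return (
        f"country={country}\n"
        "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev\n"
        "update_config=1\n"
        "\n"
        "network={\n"
        f"    ssid={ssid_field(ssid)}\n"
        f"    psk={wpa_psk(ssid, passphrase)}\n"  # unquoted: hex PSK, not passphrase
        "    key_mgmt=WPA-PSK\n"
        "}\n"
    )


def prepare_boot(boot_dir: str, ssid: str, passphrase: str, country: str = "GB") -> list:
    """Write wpa_supplicant.conf and the empty ssh marker; return the paths written."""
    if not os.path.isdir(boot_dir):
        raise FileNotFoundError(f"boot partition not mounted at {boot_dir}")
    conf = os.path.join(boot_dir, "wpa_supplicant.conf")
    with open(conf, "w", newline="\n") as f:  # Raspbian expects Unix line endings
        f.write(render_wpa_supplicant(ssid, passphrase, country))
    marker = os.path.join(boot_dir, "ssh")
    open(marker, "w").close()  # its presence is the signal; an empty file is conventional
    return [conf, marker]


if __name__ == "__main__":
    # Usage: python prepare_boot.py BOOT_DIR SSID [COUNTRY]
    # The passphrase is prompted for rather than taken from argv, so it stays
    # out of shell history and process listings.
    if len(sys.argv) < 3:
        sys.exit("usage: prepare_boot.py BOOT_DIR SSID [COUNTRY]")
    cc = sys.argv[3] if len(sys.argv) > 3 else "GB"
    for path in prepare_boot(sys.argv[1], sys.argv[2], getpass.getpass("Wi-Fi passphrase: "), cc):
        print("wrote", path)
```

On Windows the boot volume is the drive letter Etcher leaves mounted (for example E:\); on Linux or macOS it is wherever the FAT partition labelled boot was auto-mounted. The resulting psk= line still lets anyone holding the card join your Wi-Fi, so it is a reduction of exposure (no reusable passphrase on disk), not a substitute for keeping the card out of other hands.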

3 FIND IT
You need to find the IP address of your Pi in order to connect; try using your router's web interface to see what's connected. You'll need this interface later, so now is a good time to get connected. Log in to your Pi via SSH using PuTTY (www.putty.org) with the username
