Honeypots: A Means of Sensitizing Awareness of Cybersecurity Concerns - Ilirjana Zymberi

Ilirjana Zymberi

Honeypots: A Means of Sensitizing Awareness of Cybersecurity Concerns

Metropolia University of Applied Sciences
Bachelor of Engineering
Information and Communication Technology
Bachelor’s Thesis
1 May 2021
Abstract

Author:                   Ilirjana Zymberi
Title:                    Honeypots: A Means of Sensitizing Awareness of
                          Cybersecurity Concerns
Number of Pages:          39 pages
Date:                     1 May 2021

Degree:                   Bachelor of Engineering
Degree Programme:         Information and Communication Technology
Professional Major:       Internet of Things and Cloud Computing
Instructors:              Erik Pätynen, Senior Lecturer

The cybersecurity landscape is constantly evolving, meaning threat actors continually
find and develop novel ways to cause disruptions across networks, systems, and
devices. To counter these disruptions, there is a need to find new ways of detecting
and defending.

The objective of this thesis was to gain an understanding of current threats facing
cybersecurity and to identify the usefulness of honeypot systems in a network. The
goal was to set up two honeypots: the first, the DShield honeypot system,
installed on a Raspberry Pi, ran for five days; the second, T-Pot, installed
on a dedicated laptop, ran for six days. These honeypot systems were deployed
on a private network for research purposes to gather data on threat actors,
such as source IP addresses, country of origin and the exploits used.

Using this data, an analysis of the results was conducted, providing an insight and
understanding into cybersecurity threats facing a network. In conclusion, the study
has given understanding of how honeypots can work as a valuable resource in
securing networks.

Keywords:                 cybersecurity, honeypot, intrusion detection system
Abstract (Finnish summary, translated)

Author:                     Ilirjana Zymberi
Title:                      Honeypots: A Means of Raising Awareness of
                            Cybersecurity Concerns
Number of Pages:            39 pages
Date:                       1 May 2021

Degree:                     Bachelor of Engineering (Insinööri (AMK))
Degree Programme:           Information and Communication Technology
Professional Major:         IoT and Cloud Services
Instructors:                Erik Pätynen, Senior Lecturer

Cybersecurity evolves constantly, and so do the threats associated with it.
Cybercriminals continually devise ways to cause disruption in the networks of
organizations and individuals and in the devices belonging to them. To fight
these threats, means of overcoming them must be developed.

The purpose of this work is to understand the significance of cybersecurity in
today’s world and the role of honeypots in it.

The goal was to build two honeypots, the first of which is the DShield
honeypot system, installed on a Raspberry Pi device. The second honeypot
system is T-Pot, which was installed on a laptop dedicated to this task. The
DShield honeypot ran for five days and the T-Pot system for six days. During
these days the honeypot systems collected many kinds of data, such as
attackers’ IP addresses, attacker location information and the methods used
in the attack attempts.

Analysing the collected data and results helped to get a grasp of the threats
that the systems face. As a result, the significance of honeypots as a
resource for improving cybersecurity was understood.

Keywords: information security, honeypot
Contents

List of Abbreviations

1   Introduction

2   Technical background

    2.1 Cybersecurity history
    2.2 Current state of Cybersecurity
         2.2.1 Current Cybersecurity Threats
    2.3 Honeypots
         2.3.1 Definition of Honeypots
         2.3.2 Different Honeypot technologies
         2.3.3 Honeypots that will be used
         2.3.4 Selecting network deployment location for Honeypots
         2.3.5 Disadvantages of Honeypots

3   Methodology

    3.1 DShield installation
    3.2 T-Pot Installation
    3.3 Threat Actor Demonstration

4   Results and Analysis

    4.1 DShield Data
    4.2 T-Pot Data

5   Discussion

    5.1 Comparison
    5.2 Limitations
    5.3 Future research considerations

6   Conclusion

References
List of Abbreviations

OS:      Operating System

IDS:     Intrusion Detection System

NIDS:    Network Intrusion Detection System

1 Introduction

Currently, the rise of cybercrime has driven threat actors to find novel ways of
targeting and disrupting networks. Despite all implemented security measures
on a network, threat actors still find the means to gain access into systems and
acquire valuable data. There are multiple ways to defend a network from an
attack; regardless, there is no system that is fully safe in today’s world.
Cybercriminals have a variety of tools in their arsenal to conduct attacks. Over
the years, new types of attacks have been seen where individuals and
organizations have been victims of malicious exploitation.

This thesis will attempt to answer the following question: “How is it possible to
gain more knowledge of threats that are related to our networks?” This is not an
easy question to answer due to the broad and complex topic of cybersecurity as
one must consider multiple factors that affect it. Furthermore, this thesis will
discuss important facts and features of honeypots and their role in
cybersecurity.

Firstly, this paper will examine cybersecurity in general, which is followed by
what honeypots are, their differences and disadvantages. Secondly, the
methodology section will describe how two honeypots were chosen for the
project to collect data based on the needed criteria. In addition, the section
deals with the threat actors’ view. Thirdly, a comparison of the data collected
will be analysed, which is followed by a discussion of the limitations of the study
and future development possibilities.

Lastly, the conclusion will provide a summary of the main findings of this thesis.
The honeypots were chosen based on the needed criteria and set up on dedicated
devices in a home network environment for testing purposes. The aim of this
testing is to collect as much data as possible on external threats and to use
this information to analyse and improve the security of the network and its
systems in the future.

2 Technical background

This section will discuss the technical aspects of the thesis, beginning with a
history of cybersecurity, pointing out key historical events which led to the
development of cybersecurity. Subsequently, this is followed by a description of
the current state and the latest threats in cybersecurity.

An in-depth analysis of honeypots, their role in cybersecurity, and their
advantages and disadvantages will be covered. It is relevant to know the
various types of honeypots available and their function. It is also useful to know
how demanding different honeypots are and how much monitoring they require.
Moreover, this thesis will look at the two honeypots chosen for this work in
detail, providing reasons why they were selected.

2.1 Cybersecurity history

Presently, it is easy for people to forget what it is like not to use technology on
an everyday basis. Cybersecurity was not a main concern in people’s lives
before the first use of interconnected devices. [1.] To understand cybersecurity
today and how it might develop in the future, it is important to be aware of
crucial historical events relating to cybersecurity.

Computer historians regard the first documented computer password breach, in
the 1960s, as the first cybersecurity-related threat. The breach involved a
Massachusetts Institute of Technology (MIT) researcher working on a mainframe
whose use was restricted to four hours by MIT’s time-sharing system. To get
around the limit, he printed out the usernames and passwords, which were stored
in plain text, and used them to give himself more than the allocated time. [2.]

The Advanced Research Projects Agency Network (ARPANET) was formed in
1967 and it set in motion the basis for cybersecurity. [3.] ARPANET was the
network that provided the foundation for the Internet to be built upon. [4.]
Figure 1 illustrates the first logical map of an interconnected network, from
the year 1973.

Figure 1. The Logical Map of ARPANET. Copied from [5].

The 1970s brought a significant development in cybersecurity, when the first
computer worm was created. Worms are a type of malicious software (malware)
that replicates itself from one computer to another. Created by Bob Thomas,
the first worm travelled between ARPANET computers and displayed the text
“I’m the creeper, catch me if you can.” on victims’ screens. [5.] Figure 2
below shows a printout of the worm’s output. Although the worm was harmless,
it demonstrated that a network could be used to cause problems in a malicious
way.

Figure 2. ‟I’m the creeper: Catch me if you can”. Copied from [6].

The 1980s saw an expansion of network usage and connections across
universities, industry, the military and governments. The decade also
witnessed the first government-funded cyberattack, in which the Soviet Union
hired the German hacker Markus Hess to break into 400 military computers and
steal military secrets of the United States. Even though the hack was
unsuccessful, it marked the beginning of cyberwarfare. [5.]

1987 is said to be the year cybersecurity was born, as the first commercial
products designed to defend systems against viruses appeared that year. One
example was McAfee Associates, founded by John McAfee, whose VirusScan
software was among these early antivirus products. [3.]

During the 1990s, researchers at NASA developed the first program that would
come to be known as a firewall. The program was created after their California
site was hit by a virus, which made securing their data a priority. [5.]

2.2 Current state of Cybersecurity

The concept of cybersecurity has been around for the past five decades. As
time has passed, cybersecurity has taken a more important role in organizations
and people’s lives. Damaging reputation, wealth, health, and even losing ones’
life are a few examples of the consequences of cybercrimes. [7.]

The state of cybersecurity has changed considerably over the past thirty
years: because technology is constantly evolving, threat actors keep developing
new ways to attack. [3; 7.] Nowadays, using hacking tools is easier because all
the needed tooling can be downloaded online. Using these tools is not
challenging, and anyone can attempt hacking without the technical knowledge
that was needed in the past. [8.]

2.2.1 Current Cybersecurity Threats

Social engineering is still seen as the biggest threat today, as exploiting
human psychology is seen as the easiest way into many systems. Every third
cyberattack conducted in 2020 included social engineering. [9.] There are
many types of social engineering attack, such as phishing emails, scareware
and baiting. Quid pro quo attacks, however, have become a prevalent form of
social engineering. This type of attack tries to deceive the intended victim
into installing malware or handing over sensitive information by following
instructions from a threat actor who pretends to be a legitimate party. For
example, the threat actor may phone the victim, pose as an IT support manager,
and get them to install malware disguised as a legitimate service. [7.]

Another common threat is ransomware, a type of malware which encrypts the
victim’s data and demands payment for decrypting it. [9.] The most common
method of spreading ransomware is via email, as this method is cost-effective
and lets the threat actor use botnets, networks of compromised devices, to
spread ransomware through large-scale phishing campaigns. [10.]

As different threats have developed over the years, so too have security
measures and tools needed to counter these threats and defend systems. The
following sub-section will introduce one of the many tools available, honeypots,
which is the focus of this thesis.

2.3 Honeypots

The purpose of this sub-section is to explain what honeypots are, the way they
can build threat awareness of a network, and how they can be utilized to
enhance a system’s security. Furthermore, a description of different honeypots
and the variety of purposes they can be applied to is provided. Finally, the
disadvantages of honeypots will be discussed.

A honeypot is a security tool that is intended to be probed and attacked by a
threat actor. There is a multitude of reasons why one would want to use a tool
like this. An important reason to have a honeypot is to study the patterns of
threat actors to develop a variety of defense mechanisms against attacks. [11.]

2.3.1 Definition of Honeypots

There is a range of definitions for honeypots, which has caused some confusion
of how they should be defined. Some see honeypots as a way to deceive threat
actors into thinking that they have managed to infiltrate a valuable system.
Whilst others see honeypots as a means of buying time when a threat actor is
attacking the honeypot instead of their systems. In addition, some view
honeypots as a basic Intrusion Detection System (IDS). [12.] Lance Spitzner
formally defined a honeypot in the following way: “A honeypot is a security
resource the value of which lies in being probed, attacked, or compromised”.
[8.]

Unlike IDSs or Network Intrusion Detection Systems (NIDS), the value of
honeypots lies in their capability to gather data about threat actors, for
example by recording the keystrokes of the interaction between the threat
actor and the honeypot. [13.] Honeypots can also capture zero-day attacks,
i.e. exploits that have not been seen before and are not yet understood by
the cybersecurity community. Moreover, since no legitimate user has any
reason to reach the services a honeypot runs, any attempt to do so is
suspicious by definition. As a result, the data honeypots gather is much more
likely to represent a true positive. [12.]

Another important characteristic of a honeypot is that it can run on any OS
and on a variety of devices, and it can run any number of services. These
services define the avenues through which a threat actor can probe or
compromise the system. [13.]

2.3.2 Different Honeypot technologies

The deployment type or build of a honeypot will depend on its purpose. For
example, if searching for a specific type of attack, one will need to configure the
honeypot to emulate the service to match the said attack. A honeypots’
customizability is a true advantage, as one can decide on the level of interaction
between the threat actor and the honeypot. This allows the honeypot deployer
to determine the type of data which will be collected. [8.]

Honeypots can be classified by their interaction level, service emulated or
generated fake data. The rest of this sub-section will define five categories of
honeypots. [14.]

High-interaction honeypots commonly emulate actual systems, and their purpose
is to gather data on the threat actor’s moves, sometimes in real time.
Emulating a real system can turn the honeypot into a threat in itself: once
the threat actor has rooted the system, they can use the honeypot as a
foothold to further their attack on the network the honeypot is on. [14.] In
addition to this risk, high-interaction honeypots require more time and effort
to set up and are more complex to monitor [15].

Low-interaction honeypots are technically uncomplicated to implement. This
type of honeypot emulates one or a few services that a threat actor can
interact with. These emulations are restricted: when simulating, for example,
a Telnet service, not all commands may work. [14] The threat actor has limited
possibilities to interact with the honeypot, especially since these honeypots
do not expose a real OS. The main task of a low-interaction honeypot is to
detect suspicious attempts and to collect the login credentials tried by
threat actors or their port scans of the honeypot system. [12.] DShield is an
example of a low-interaction honeypot, as it emulates SSH, Telnet and HTTP
services and, if configured separately, also collects the honeypot’s firewall
logs. [16.]

A medium-interaction honeypot is a blend of high- and low-interaction
honeypots. They do not contain the same risks as the high-interaction
honeypots and are not as simple as a low-interaction honeypot. In other words,
these honeypots in a way combine the best features of both honeypot systems.
Medium-interaction systems do not simulate a full OS, but they virtualize
application layer services and enable all the responses and payloads a threat
actor would expect during an exploitation. [12.]

The purpose of a Honeyclient system is not to gather data by waiting for an
attack on the system, but by trying to find vulnerabilities and exploitations on its
own. [17.] These Honeypots are configured as client applications and aim to
find systems that have been compromised or contain malware. One type of a
Honeyclient is a web-based application, where its purpose is to find suspicious
websites. [14.]

A honeytoken is not a conventional honeypot technology. Its task is to lure a
threat actor with falsely generated data of any form, such as a file. This
file could contain usernames or passwords and be named so that the threat
actor recognizes its contents. The goal of the lure is to deceive the threat
actor into opening the file and using the credentials, which triggers an
alarm in the organization’s Security Information and Event Management (SIEM)
system and so tells defenders that there is suspicious activity on the
network. There are open-source tools for creating honeytokens; one example
can be found at canarytokens.org. [14.]
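As an added example of the honeytoken technique described above (not code from this thesis, from canarytokens.org or from any SIEM product), the following Python script mints a decoy credential with a random, unique username, writes it into a lure file, and then scans authentication log lines for that username. The OpenSSH-style log format and the sample log lines are constructed for the example; the `svc-backup` username prefix and the lure file name are assumptions.

```python
"""Honeytoken credentials: mint a decoy username/password, plant it in a
lure file, and alert when the decoy username appears in an auth log.

Added example; not code from the thesis, canarytokens.org or any SIEM.
The sshd-style log format below is an assumption and the sample lines
are constructed."""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable


@dataclass(frozen=True)
class Honeytoken:
    username: str
    password: str
    label: str  # where the lure was planted, so an alert says which file leaked


def mint_honeytoken(label: str, prefix: str = "svc-backup") -> Honeytoken:
    # A random suffix makes the decoy username unique: no real account has it,
    # so any appearance in a log is a true positive, not a coincidence.
    username = f"{prefix}-{secrets.token_hex(4)}"
    password = secrets.token_urlsafe(16)
    return Honeytoken(username, password, label)


def write_lure_file(token: Honeytoken, path: Path) -> None:
    # Name and contents are meant to look like a forgotten credentials note.
    path.write_text(
        "# backup server credentials\n"
        f"host=10.0.0.5\nuser={token.username}\npassword={token.password}\n"
    )


# Matches "Failed/Accepted password for [invalid user] <user> from <ip>" (assumed sshd format).
_AUTH_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def detect_honeytoken_use(tokens: Iterable[Honeytoken], log_lines: Iterable[str]) -> list[dict]:
    """Return one alert per log line in which a honeytoken username is tried.

    Any hit is suspicious by definition: no legitimate process knows these
    credentials, so a login attempt means the lure file was read."""
    by_user = {t.username: t for t in tokens}
    alerts = []
    for line in log_lines:
        m = _AUTH_RE.search(line)
        if m and m.group("user") in by_user:
            alerts.append({
                "username": m.group("user"),
                "src_ip": m.group("ip"),
                "result": m.group("result"),
                "lure": by_user[m.group("user")].label,
                "raw": line.strip(),
            })
    return alerts


def demo() -> list[dict]:
    # Fixed token so the run is reproducible; the label says where it was planted.
    tok = Honeytoken("svc-backup-7f3a91c2", "N0tARealPassw0rd",
                     "fileserver:/shares/it/passwords.txt")
    # Constructed sample log lines; only the middle one uses the honeytoken.
    sample_log = [
        "Apr 28 09:12:01 host sshd[2211]: Failed password for root from 203.0.113.9 port 51022 ssh2",
        "Apr 28 09:12:05 host sshd[2215]: Failed password for invalid user svc-backup-7f3a91c2 from 203.0.113.9 port 51030 ssh2",
        "Apr 28 09:13:40 host sshd[2230]: Accepted password for alice from 192.0.2.20 port 40100 ssh2",
    ]
    return detect_honeytoken_use([tok], sample_log)


if __name__ == "__main__":
    for alert in demo():
        print(f"ALERT: honeytoken '{alert['username']}' planted in {alert['lure']} "
              f"was tried from {alert['src_ip']} ({alert['result']})")
```

Because the username is random, it matches no real account and produces no false positives; the alert also carries the lure's label, so the defender immediately knows which planted file was read and roughly where the intruder has been.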

2.3.3 Honeypots that will be used

The first honeypot described in this thesis is a low-interaction honeypot
developed by the Internet Storm Center (ISC). It can run on a Raspberry Pi, a
small and affordable computer used for many purposes, including hobby and
educational projects [18]. The Raspberry Pi was selected for this honeypot
because it is easy to use and, due to its low price, easy to replace if
things go wrong.

The purpose of DShield is to gather as much data as possible on the activity
of malicious hackers on the Internet [19]. The DShield honeypot runs three
services: SSH, Telnet and HTTP. DShield collects SSH and Telnet data with the
Cowrie service, which records the usernames and passwords that attackers try
when guessing login credentials. The HTTP part collects HTTP requests, and
DShield also collects firewall logs. [20.]

The second system used, T-Pot, is not a single honeypot but a honeypot
platform that combines eighteen different dockerized honeypot services. These
dockerized services are combined with tools such as Cockpit, CyberChef and the
ELK Stack to provide a web user interface with real-time performance
monitoring, data analysis and visualization. Furthermore, T-Pot makes use of
Suricata, an open-source threat detection engine, which can flag traffic that
matches known Common Vulnerabilities and Exposures (CVE) signatures. [21.]

Table 1. Services running on T-Pot.

 Honeypot name    Service role
 Adbhoney         Emulates devices that expose the Android Debug Bridge (ADB)
                  protocol, such as phones, TVs and DVRs [21].
 Citrixhoneypot   Serves a fake HTTPS login page that emulates a Citrix
                  gateway, i.e. a false website [22].
 Cowrie           Medium- to high-interaction SSH and Telnet honeypot; it logs
                  brute-force attempts and the shell interaction performed by
                  the threat actor [23].
 Dionaea          Emulates vulnerable network services in order to capture
                  copies of malware for research purposes [24].
 Heralding        Credentials-catching honeypot that collects only the
                  credentials tried against it [25].
 Honeysap         Low-interaction honeypot whose only goal is to collect data
                  on attacks against SAP enterprise software services [26].
 Mailoney         Honeypot focusing on Simple Mail Transfer Protocol (SMTP)
                  traffic [27].
 Rdpy             Python implementation of the Microsoft Remote Desktop
                  Protocol (RDP), used as an RDP honeypot [28].
 Snare            Web application honeypot that turns cloned web pages into an
                  attack surface for threat actors [29].

2.3.4 Selecting network deployment location for Honeypots

To ensure a honeypot is working properly and collecting the wanted data, it is
important to consider the network location of the honeypot. A honeypot used for
research purposes will be located differently from a honeypot used for
production purposes. Figure 3 below illustrates various locations in a network
topology where honeypots can be deployed. [8.]

Figure 3. Locations for Honeypots in the Network. Copied from [8].

As the figure shows, there are four possible locations, but a honeypot is not
limited to these. Honeypots can be used singly, or several honeypots can be
placed at various points in the network. Honeypot A in the figure is placed
outside the network, where a threat actor scanning the network will find it and
interact with it. Such successful interaction draws more attackers and so yields
more knowledge of the types of attack aimed at the network.

Honeypots B and C seen in Figure 3 are used for deceit, drawing the attacker to
them rather than the other devices on the network. These two honeypots are
examples of production honeypots, which are used mainly by organisations to
collect data such as source IP addresses.

On the other hand, honeypot D is an example of a research honeypot, which
focuses more on the methods the threat actors use to break into a system.
Being close to the firewall and on its own independent network segment, this
honeypot poses little risk, because the firewall blocks all traffic it
originates, so a threat actor cannot use the honeypot to attack other systems
on the network. [8.]

2.3.5 Disadvantages of Honeypots

A disadvantage of honeypots is that if they are misconfigured they can become a
severe security threat to the system, allowing an attacker to reach sensitive
data through the honeypot. This is the opposite of what the honeypot is for.
[31.]

Developments in tools such as machine learning and artificial intelligence have
enabled threat actors not only to recognize honeypots but also to seek ways to
exploit them further [31]. A honeypot can become useless very quickly once a
threat actor realizes that it is not a genuine system. There are several ways
for a hacker to detect a honeypot, and the methods differ for low- and
high-interaction honeypots. A related risk is that a threat actor who notices
that the system they are in is a honeypot will stop interacting with it and
avoid it from then on. [32.]

A disadvantage of low-interaction honeypots is that they do not provide a
real OS, which can reveal to the threat actor right away that they have not
attacked a genuine system. Such honeypots may not provide a sufficiently
complex or realistic-looking service. [13]

3 Methodology

The following section provides a detailed method for installing and running the
two selected honeypot systems and is divided into three parts. The first part
describes how the first honeypot system, DShield, was installed and set up on a
Raspberry Pi (RPi). The second part provides the installation and setup
instructions for the second honeypot system, T-Pot. The last part of this
section demonstrates how these honeypots appear to threat actors. Section four
of the thesis, Results and Analysis, analyses the data collected from the
above-mentioned honeypot systems.

3.1 DShield installation

This sub-section provides step-by-step instructions for installing and running
the DShield honeypot system on an RPi. The instructions are adapted from Linux
Format magazine [19].

1. The first step of the installation was to create a bootable Secure Digital
   (SD) card using balenaEtcher, an open-source utility for writing disk images
   (such as ISO files) to SD cards and USB drives. The Raspberry Pi Foundation’s
   own Debian-based operating system, Raspberry Pi OS, was used, which is ideal
   for the RPi 3B+ device in use. The version with a Graphical User Interface
   (GUI) was chosen rather than the recommended Lite version without a GUI,
   because with the Lite version one has to SSH into the device every time
   access is needed. It is easier to use the GUI version and attach a monitor,
   keyboard, mouse and Ethernet cable to the device.

2. When the OS installation is done, open a terminal on the RPi and type the
   following commands:

         $ sudo apt update
         $ sudo apt upgrade
         $ sudo apt install git
         $ sudo reboot
   These commands make sure that the device is up to date, and one of them
   installs git, which is essential for the DShield Pi honeypot installation to
   succeed.

3. Next, clone the repository with the following command:

         $ git clone https://github.com/DShield-ISC/dshield.git

4. After cloning the DShield repository, running the installation script as root
   (the Linux superuser) installs DShield on the RPi:

         $ cd dshield/bin
         $ sudo ./install.sh

   Once the installation finishes, the DShield honeypot is up and running.

   However, for the honeypot to receive attack data it must be exposed to the
   Internet. This was done by opening the router’s management page
   (192.168.1.1) and adding port forwarding rules directed at the DShield
   honeypot’s IP address for the SSH port (22), the Telnet port (23) and the
   HTTP port (80). Not all routers are the same, so the way port forwarding is
   configured, or the honeypot is placed in the router’s DMZ, varies with the
   router’s management page. Note that the forwarded ports are then reachable
   from the whole Internet while the honeypot still sits on the same home LAN
   as other devices; the low-interaction design limits what an attacker can do
   with it, but placing it on a separate network segment, as section 2.3.4
   recommends for research honeypots, reduces the risk further.

   After port forwarding is set up, connection attempts can be viewed in real
   time with the following command in the terminal:

         $ tail -f /var/log/dshield.log

   The next command shows the login attempts made over Telnet and SSH:

         $ tail -f /srv/cowrie/var/log/cowrie/cowrie.log

   This data can also be viewed as graphs and reports. After logging in to
   https://dshield.org/, the data can be viewed in a more readable form than
   in the command line interface.
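The two tail commands above only show raw events scrolling past. As an added example (not part of the thesis, of DShield or of Cowrie), the following Python script summarizes Cowrie's structured JSON log, which Cowrie writes alongside cowrie.log when its JSON output is enabled: the most-tried username/password pairs, the busiest source IPs, which of them logged in successfully, and the commands typed after login. The event names follow Cowrie's JSON output (cowrie.login.failed, cowrie.login.success, cowrie.command.input); the sample events are constructed, and the default log path is an assumption about the DShield Pi layout.

```python
"""Summarize Cowrie's JSON event log: top credential pairs, top source IPs,
successful logins per IP and the commands typed after login.

Added example; not code from DShield, Cowrie or the thesis. Event names
follow Cowrie's JSON output; sample events are constructed and the
default log path is an assumption."""
from __future__ import annotations

import json
from collections import Counter
from pathlib import Path
from typing import Iterable

DEFAULT_LOG = Path("/srv/cowrie/var/log/cowrie/cowrie.json")  # assumed location on a DShield Pi


def parse_events(lines: Iterable[str]) -> list[dict]:
    """One JSON object per line; skip blank or truncated lines instead of aborting."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partially written last line of a log that is still being appended to
    return events


def summarize(events: list[dict], top: int = 5) -> dict:
    """Aggregate login and command events into the numbers an analyst looks at first."""
    creds: Counter = Counter()      # (username, password) -> attempts
    sources: Counter = Counter()    # src_ip -> login attempts
    successes: Counter = Counter()  # src_ip -> successful logins
    commands: Counter = Counter()   # command line -> times typed
    for ev in events:
        eid = ev.get("eventid", "")
        ip = ev.get("src_ip", "?")
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            creds[(ev.get("username", ""), ev.get("password", ""))] += 1
            sources[ip] += 1
            if eid == "cowrie.login.success":
                successes[ip] += 1
        elif eid == "cowrie.command.input":
            commands[ev.get("input", "")] += 1
    return {
        "login_attempts": sum(creds.values()),
        "top_credentials": creds.most_common(top),
        "top_sources": sources.most_common(top),
        "successful_logins_by_ip": dict(successes),
        "top_commands": commands.most_common(top),
    }


SAMPLE_EVENTS = [  # constructed events in Cowrie's JSON shape
    {"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "198.51.100.7", "session": "a1"},
    {"eventid": "cowrie.login.failed", "username": "admin", "password": "admin", "src_ip": "198.51.100.7", "session": "a1"},
    {"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "203.0.113.44", "session": "b2"},
    {"eventid": "cowrie.login.success", "username": "root", "password": "root", "src_ip": "203.0.113.44", "session": "b2"},
    {"eventid": "cowrie.command.input", "input": "uname -a", "src_ip": "203.0.113.44", "session": "b2"},
    {"eventid": "cowrie.command.input", "input": "cat /proc/cpuinfo", "src_ip": "203.0.113.44", "session": "b2"},
]


def demo() -> dict:
    # The trailing fragment imitates a line still being written when the file is read.
    lines = [json.dumps(e) for e in SAMPLE_EVENTS] + ['{"eventid": "cowrie.login.fa']
    return summarize(parse_events(lines))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        report = summarize(parse_events(Path(sys.argv[1]).read_text().splitlines()))
    elif DEFAULT_LOG.exists():
        report = summarize(parse_events(DEFAULT_LOG.read_text().splitlines()))
    else:
        report = demo()
    print(json.dumps(report, indent=2, default=str))
```

Run it with a log path as the first argument; with no argument it uses the assumed DShield path if present and otherwise the embedded sample. Keying the credential counter on the (username, password) pair rather than on each field separately shows which exact combinations attackers are spraying, and counting successes per IP separates the mass brute-forcers from the few sessions that got a shell and started typing commands.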

3.2 T-Pot Installation

This sub-section provides step-by-step instructions for installing the T-Pot
honeypot system and getting it running. The instructions are based on the
README.md file found on the following GitHub page:

           https://github.com/telekom-security/tpotce/blob/master/README.md

Before installation and setup, it was important to check the hardware
requirements for the device intended to run the T-Pot honeypot system. These
were as follows:

                    •   8 GB of RAM
                    •   A Solid-State Drive (SSD) of at least 128 GB
                    •   DHCP-enabled network with an Internet connection

For the T-Pot honeypot system, a laptop that met all the criteria was used.

1. The first step of the installation process was to clone the T-Pot repository.
   A separate computer running Ubuntu 20.04 Long-Term Support (LTS) was used to
   clone the repository and build the T-Pot ISO. The following commands clone
   the repository into the home directory and enter the newly created tpotce
   directory:

         $ git clone https://github.com/telekom-security/tpotce
         $ cd tpotce

2. The T-Pot ISO image can then be built with the following script:

         $ sudo ./makeiso.sh

3. After the ISO is built, the new tpot.iso file can be found in the directory.
   Using the Rufus utility, a program for formatting and creating bootable USB
   installation media, seen in Figure 4, the newly created T-Pot ISO is written
   to a USB flash drive.

   Figure 4. Rufus utility.

4. The next step is to boot the T-Pot ISO from the USB installation media. It
   is important to verify the boot order of the computer used for the
   installation; this can be checked and changed, if needed, in the BIOS
   settings.

5. When the computer is turned on with the USB installation media plugged in,
   the “Debian GNU/Linux installer boot menu” appears. Select the “Advanced
   options” entry.

6. After selecting “Advanced options”, a prompt with several installation
   options appears, the first being “Select your location”, as seen in Figure 5
   below:

   Figure 5. Location selections in installation process.

7. The next several prompts continue the base installation. Due to the length
   limitation of this thesis, images of each prompt are not provided; the
   prompts appear in the following order:

   - Select a language
   - Configure the keyboard
   - Choose a mirror of the Debian archive

8. After completing these prompts, installation of the base system begins. The
   installation progress is shown in Figures 6 to 8 below:

   Figure 6. Installing the base system.

   Figure 7. Configuring apt.

   Figure 8. Finishing the installation.

9. Once the base system has been installed, a prompt with the T-Pot-Installer will
   appear. The installer begins the installation of the T-Pot honeypot system on top
   of the Debian base system. Firstly, you need to choose the type, or edition, of
   the T-Pot you would like to use. As seen in Figure 9 below, there are five editions
   to choose from. For this thesis, the Standard edition of T-Pot was chosen, as it
   suited the research needs.

   Figure 9. T-Pot installer: Honeypot type.

10. After selecting the edition, a prompt to set the password for console and SSH
   access appears, as illustrated in Figure 10 below; tsec is the default user. It is
   followed by a password repetition prompt.

   Figure 10. T-Pot installer: Password prompt.

11. Subsequently, one will need to create a username and password for the T-Pot
   honeypot system’s web-based Dashboard. Figures 11 and 12 below show the
   two prompts.

   Figure 11. T-Pot installer: Web user creation prompt.

   Figure 12. T-Pot installer: Web user password prompt.

12. This completes the T-Pot honeypot system installation. It is followed by an
   automatically executed installation script, in which the various T-Pot services
   are installed via Docker. Figure 13 below shows the beginning of the installation
   script.

Figure 13. Beginning of T-Pot installation script.

There are a few ways to verify that the system is up and running. Firstly, one can
access the Admin User Interface (UI) by entering the following into the chosen
browser, where <T-Pot IP address> stands for the address of the T-Pot computer:

     https://<T-Pot IP address>:64294

Here 64294 is the Admin UI access port. One will be prompted for the tsec user
and the password set during the installation; after signing in, the web page
shown in Figure 14 below appears:

Figure 14. Admin UI interface on port 64294.

The Admin UI provides technical information, such as CPU, RAM, Hard drive
and network usage, and the current state of the computer running the T-Pot
system. Furthermore, one can edit users, view services, check on docker
containers, apply updates, and access the terminal.

The second way to confirm successful installation is to access the T-Pot
honeypot system’s Dashboard, which is reached through port 64297.

The following should be entered into the browser:

     https://<T-Pot IP address>:64297

A sign-in prompt will appear and here the web user and password created
during installation will allow access to the Dashboard, which is illustrated in
Figure 15. Section 4 of this paper will go into further detail of the dashboard and
perform an analysis on the results.

Figure 15. T-Pot web-based dashboard.

The last option for verifying a successful installation is to access the computer
directly, logging in as the default user, tsec, with the password set during
installation. Alternatively, one can use SSH to access the terminal of the T-Pot
computer by issuing the following command in the terminal:

     $ ssh -l tsec -p 64295 <T-Pot IP address>

Here 64295 is the SSH port for the system, as we should not use the default
port, 22. One can also use PuTTY, an SSH and telnet client for Windows
systems, as seen in Figure 16.

Figure 16. PuTTY SSH connection window.

Once signed in via SSH, one can verify which Docker containers and their
related honeypot services are running. By navigating to the /opt/tpot/bin
directory, one can view the status of the services by running the dps.sh script
as superuser:

     $ cd /opt/tpot/bin
     $ sudo ./dps.sh

Figure 17 below shows the output of the command. In the figure, the names of
the services, their status and running time, as well as the ports associated with
the services, can be viewed.

Figure 17. Picture of the output: sudo ./dps.sh

As with DShield, port forwarding must be applied on the router so that the
honeypot services are exposed to attacks. Table 2 below shows which ports
were opened and the protocols and services associated with them.

Table 2. Services running on T-Pot with associated ports and protocols.

 Honeypot Service   Ports      Protocol
 Dionaea            TCP 20     File Transfer Protocol (FTP) data transfer
                    TCP 21     File Transfer Protocol (FTP) control
                    TCP 445    Microsoft-DS (Directory Services)
 Cowrie             TCP 22     Secure Shell (SSH) - secure logins
                    TCP 23     Telnet - unencrypted text communication
 Mailoney           TCP 25     Simple Mail Transfer Protocol (SMTP)
 Snare              TCP 80     Hypertext Transfer Protocol (HTTP)
 Heralding          TCP 110    Post Office Protocol, version 3 (POP3)
                    TCP 143    Internet Message Access Protocol (IMAP)
                    TCP 993    Internet Message Access Protocol over TLS/SSL (IMAPS)
                    TCP 995    Post Office Protocol 3 over TLS/SSL (POP3S)
 Citrixhoneypot     TCP 443    Hypertext Transfer Protocol Secure (HTTPS)
 Honeysap           TCP 3299   Session Announcement Protocol (SAP)
 Rdpy               TCP 3389   Remote Desktop Protocol (RDP)
 Adbhoney           TCP 5555   Android Debug Bridge (ADB)
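
Because the router forwards exactly the ports in Table 2 while the management
ports named above (64294 for the Admin UI, 64295 for SSH and 64297 for the
Dashboard) must stay reachable only from the private network, a practitioner
would want a check that the forwarding table matches that intent. The script
below is an added example and not code from this thesis or from the T-Pot
project; the router forwarding table it audits is constructed for illustration,
and the honeypot's private address 192.168.1.50 is an assumption.

```python
"""Audit a router port-forwarding table against the T-Pot exposure plan.

Added example; not part of the thesis or of T-Pot. The forwarding table below
is constructed for illustration, as is the honeypot's private IP address.
"""

# TCP ports and services from Table 2 of the thesis.
HONEYPOT_PORTS = {
    20: "Dionaea (FTP data)",
    21: "Dionaea (FTP control)",
    445: "Dionaea (Microsoft-DS)",
    22: "Cowrie (SSH)",
    23: "Cowrie (Telnet)",
    25: "Mailoney (SMTP)",
    80: "Snare (HTTP)",
    110: "Heralding (POP3)",
    143: "Heralding (IMAP)",
    993: "Heralding (IMAPS)",
    995: "Heralding (POP3S)",
    443: "Citrixhoneypot (HTTPS)",
    3299: "Honeysap (SAP)",
    3389: "Rdpy (RDP)",
    5555: "Adbhoney (ADB)",
}

# T-Pot management ports named in the text. Forwarding any of these would hand
# an attacker the real admin UI, the real SSH login or the dashboard.
MANAGEMENT_PORTS = {64294: "Admin UI", 64295: "SSH", 64297: "Dashboard"}

# Constructed forwarding table: (protocol, external port, internal IP, internal port).
# It contains two mistakes on purpose: the dashboard port is forwarded and the
# ADB honeypot is forwarded as UDP instead of TCP.
HONEYPOT_IP = "192.168.1.50"
CONSTRUCTED_FORWARDS = [
    ("TCP", p, HONEYPOT_IP, p)
    for p in (20, 21, 445, 22, 23, 25, 80, 110, 143, 993, 995, 443, 3299, 3389)
] + [
    ("TCP", 64297, HONEYPOT_IP, 64297),  # mistake: management port exposed
    ("UDP", 5555, HONEYPOT_IP, 5555),    # mistake: wrong protocol for Adbhoney
]


def audit_forwards(forwards, honeypot_ip):
    """Classify every forwarding rule that targets the honeypot.

    Returns a dict with the expected honeypot ports that are present, the Table 2
    ports that are missing, any management port that is exposed, and any rule
    that matches neither list (wrong protocol, port translation, unknown port).
    """
    expected = set()
    management = []
    unexpected = []
    for proto, ext_port, int_ip, int_port in forwards:
        if int_ip != honeypot_ip:
            continue  # rule targets another host; out of scope for this audit
        if int_port in MANAGEMENT_PORTS:
            management.append((proto, ext_port, int_port))
        elif proto == "TCP" and int_port in HONEYPOT_PORTS and ext_port == int_port:
            expected.add(int_port)
        else:
            unexpected.append((proto, ext_port, int_port))
    return {
        "expected": sorted(expected),
        "missing": sorted(set(HONEYPOT_PORTS) - expected),
        "management_exposed": management,
        "unexpected": unexpected,
    }


def main():
    """Print a human-readable report for the constructed forwarding table."""
    report = audit_forwards(CONSTRUCTED_FORWARDS, HONEYPOT_IP)
    print(f"{len(report['expected'])} of {len(HONEYPOT_PORTS)} honeypot ports forwarded")
    for port in report["missing"]:
        print(f"MISSING    TCP {port:<5} {HONEYPOT_PORTS[port]}")
    for proto, ext, internal in report["management_exposed"]:
        print(f"DANGER     {proto} {ext} -> {internal} exposes {MANAGEMENT_PORTS[internal]}")
    for proto, ext, internal in report["unexpected"]:
        print(f"UNEXPECTED {proto} {ext} -> {internal}")


if __name__ == "__main__":
    main()
```

Run against the constructed table, the audit reports port 5555 as missing (the
UDP rule does not count), flags the forwarded dashboard port 64297, and lists
the UDP rule as unexpected. Rules pointing at hosts other than the honeypot are
ignored so that the check can be run on a full home-router table.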

3.3 Threat Actor Demonstration

The first step, as a threat actor, would be reconnaissance, where one would find
the public IP address of the victim. The second step would be to perform
scanning of the victim, in this case using an online Nmap tool,
https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap#.
Figure 18 below illustrates the results of the port scan.

Figure 18. Results of the online port scanning tool.

The next step would be to gain access to the victim’s system. As we can see,
ports 80 and 443 are open. These are web servers running on T-Pot. As the
ports are public, anyone can access them. Figures 19 and 20 below show the
web servers running on DShield and T-Pot.

Figure 19. DShield HTTP web server.

Figure 20. T-Pot HTTP web server.

As a threat actor, we can access the system via SSH or Telnet. By using SSH
we can see how DShield and T-Pot simulate operating systems. DShield
emulates a Debian OS, as seen in Figure 21 after gaining access to the
honeypot.

Figure 21. SSH connection into DShield.

T-Pot, on the other hand, emulates Ubuntu when SSH access into it is gained,
as can be seen in Figure 22.

Figure 22. SSH connection into T-Pot.

In T-Pot it was also possible for the threat actor to access the emulated
shadow file, which contains all the hashed passwords, as can be seen in
Figure 23 below. This gives the threat actor more interaction with the
system.

Figure 23. T-Pot Shadow File.

4 Results and Analysis

This section will provide the collected results of the DShield and T-Pot honeypot
systems. A brief analysis of the results will highlight the most useful data
collected, explain the most common vulnerabilities, and provide the reader with
an understanding of threats towards networks.

4.1 DShield Data

The data collected from the DShield honeypot was straightforward. As
mentioned earlier, DShield emulates three services, SSH, Telnet, and HTTP, so
the data collected was limited to the traffic involving these services.

Figure 24. Percentage data of how many of the attacks are attempted on which
port.

Figure 24 above provides the percentage of the attacks targeted towards
individual ports. It can be seen from the graph that most attacks were aimed at
port 22, which is known to be the port for SSH connections. Based on this, it
can be concluded that attacks made through SSH connections are the most
popular, accounting for 93 percent of attacks.

Figure 25. Data sorted by the source IP address from which the attacks
occurred.

Figure 25 illustrates the source IP addresses from which the attacks came.
It can be seen that three of the threat actors’ IP addresses were seen more than
once in the data, and 85 percent of the attacks came from different
IP addresses. Over the course of five days of running DShield, the total number
of attacks recorded was 17,235.

4.2 T-Pot Data

After running for six days, the T-Pot system had collected a large amount of
data from various sources and different attack vectors. This data was
accessible through the T-Pot Dashboard, which includes a general dashboard
that shows a summary of all the honeypot services. It also includes a list of
individual services, which can be viewed independently, as shown in Figure 26.

Figure 26. T-Pot Dashboard service list.

For this thesis, the focus will be on the summarized T-Pot dashboard. The
dashboard provides insight into various types of data, such as the top ten
honeypot attacks, destination ports, attacks by country, source IP of the
attackers, top usernames and passwords used and many more.

These attack vectors were focused on the open ports, which were discussed in
section three. Firstly, the number of attacks that took place over the six days
that T-Pot was running will be discussed. As we can see from Figure 27, the
Cowrie service was attacked over 150,000 times. This is not surprising as
Cowrie emulates Telnet and SSH connections which are the most popular
amongst threat actors and unsafe to use publicly, especially Telnet.

Figure 27. T-Pot Top 10 Honeypot attacks.

P0f is a passive TCP/IP stack fingerprinting tool, which helps identify the
systems running on the machines threat actors use, such as the operating
system (OS). As can be discerned from the left-hand side of Figure 28 below,
various operating systems were used to conduct attacks, most of them from an
unknown source, followed by Windows 7 or 8 and Linux 2.2.x-3.x OSs.

Figure 28. P0f OS Distribution and Attacks by Country.

The graph on the right in Figure 28 displays the number of attacks based on
country, where most of the attacks originated from Ireland.

An interesting discovery was that the general dashboard includes the top
usernames and passwords used to break into the T-Pot services, as shown in
Figure 29.

Figure 29. Most popular usernames and passwords.

The username “admin” was the most frequently used, the reason being that this
username comes as a default in many systems, and is generally not changed
by unmindful users, making it an optimal guess for threat actors. “123456” is the
most common password with over 15,000 counts. One way to explain this is
users not wanting to set a complicated password for the fear of forgetting it.

Another valuable tool in the T-Pot dashboard is the Suricata CVE data. As
mentioned earlier, Suricata is a threat detection engine, which provides CVE
identification. In Figure 30 below, the vulnerability CVE-2001-0540 was the most
frequently exploited vulnerability. This exploit takes advantage of a memory
leak in terminal servers running on Windows NT and 2000 systems, enabling
threat actors to cause denial-of-service attacks.

Figure 30. Most common Suricata CVE and alert signature.

There is an abundance of data available through the T-Pot dashboard, allowing
users to become more aware of the threats facing their networks and systems.
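
The statistics that Sections 4.1 and 4.2 read off the DShield graphs and the
T-Pot dashboard (share of attacks per port in Figure 24, source IPs seen more
than once in Figure 25, and the most tried usernames and passwords in Figure
29) can be reproduced directly from the honeypots' raw event logs, which is
useful when the dashboard is unavailable or when one wants the numbers in a
report. The script below is an added example and not code from the thesis,
from T-Pot or from Cowrie. Its log lines are constructed for illustration in
the style of Cowrie's newline-delimited JSON event log; the field names it
relies on (eventid, src_ip, dst_port, username, password) are an assumption
about that format.

```python
"""Derive honeypot dashboard statistics from raw JSON event lines.

Added example; not code from the thesis, T-Pot or Cowrie. The log below is
constructed in the style of Cowrie's JSON event log; its field names are an
assumption about that format.
"""
import json
from collections import Counter

CONNECT = "cowrie.session.connect"
LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")

# Constructed sample: five sessions from four source IPs, one attacker returning.
CONSTRUCTED_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","dst_port":22,"session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"admin","password":"123456","session":"a1"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","dst_port":22,"session":"a2"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"123456","session":"a2"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.9","dst_port":23,"session":"b1"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","username":"admin","password":"admin","session":"b1"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.44","dst_port":22,"session":"c1"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.44","username":"admin","password":"123456","session":"c1"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.200","dst_port":22,"session":"d1"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.200","username":"pi","password":"raspberry","session":"d1"}
"""


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or truncated lines so that a
    half-written last line does not abort the whole analysis."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def _connects(events):
    return [e for e in events if e.get("eventid") == CONNECT]


def attacks_per_port(events):
    """Percentage of connection attempts per destination port (Figure 24)."""
    counts = Counter(e["dst_port"] for e in _connects(events))
    total = sum(counts.values())
    return {port: round(100 * n / total, 1) for port, n in counts.items()} if total else {}


def repeat_sources(events):
    """Source IPs that opened more than one session (Figure 25)."""
    counts = Counter(e["src_ip"] for e in _connects(events))
    return {ip: n for ip, n in counts.items() if n > 1}


def single_source_share(events):
    """Percentage of sessions from IPs seen only once (the thesis reports 85
    percent for DShield)."""
    counts = Counter(e["src_ip"] for e in _connects(events))
    total = sum(counts.values())
    if not total:
        return 0.0
    return round(100 * sum(n for n in counts.values() if n == 1) / total, 1)


def top_credentials(events, n=3):
    """Most tried usernames and passwords across all login attempts (Figure 29)."""
    logins = [e for e in events if e.get("eventid") in LOGIN_EVENTS]
    users = Counter(e["username"] for e in logins).most_common(n)
    passwords = Counter(e["password"] for e in logins).most_common(n)
    return users, passwords


def main():
    events = parse_events(CONSTRUCTED_LOG)
    print("attacks per port:", attacks_per_port(events))
    print("repeat sources:", repeat_sources(events))
    print("share from single-seen IPs:", single_source_share(events))
    users, passwords = top_credentials(events)
    print("top usernames:", users)
    print("top passwords:", passwords)


if __name__ == "__main__":
    main()
```

On the constructed sample this yields 80 percent of sessions on port 22 and 20
percent on port 23, one returning source (198.51.100.7, two sessions), 60
percent of sessions from addresses seen only once, and "admin" / "123456" as
the top username and password, mirroring the pattern the thesis observed at a
much larger scale. Successful logins are counted together with failed ones
because a honeypot accepts credentials on purpose; for a real log, replace
CONSTRUCTED_LOG with the contents of the honeypot's JSON log file.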

5 Discussion

The purpose of this section is to compare the two honeypot systems used in
this work and analyse their limitations. Furthermore, future research
considerations will be proposed.

5.1 Comparison

Based on the amount of data collected from the two honeypot systems, it can
be stated that the T-Pot honeypot system produced a greater amount of data
compared to the DShield honeypot system for various reasons. Firstly, T-Pot
had fifteen ports open with nine services running, whilst DShield was limited to
three ports and three services. Naturally, having more services running enables
one to gather a higher volume of data.

Secondly, there was a difference in the visualization of the data collected. The
graphs provided by DShield were plain, lacked versatility, and could have
exhibited more data. T-Pot, on the other hand, not only displayed data, such as
source IP addresses, country of origin or passwords, used during attacks
occurring on the various honeypot services, but provided tables and allowed for
further inspection and analysis of the data.

Lastly, comparing the installation needs of the two honeypot systems, DShield
required rudimentary hardware and fewer installation steps, whereas the T-Pot
honeypot system needed a complex setup to get the range of services running
and had larger hardware requirements.

5.2 Limitations

There were a few factors that limited this thesis. Time was one of the limitations,
as the honeypots could have been running for a longer period. This may have
provided a wider variety of collected data and drawn more threat actors.

Another limitation was that more ports could have been opened for the T-Pot
system to monitor. If all the ports had been opened, the length of the thesis
would have been too extensive and would have exceeded the limited page
count. However, having these ports open would possibly have provided
different kinds of data.

Moreover, finding current documentation for the honeypot systems was
challenging due to deprecation and lack of maintenance of these honeypot
systems, making them insecure, unavailable, or impossible to set up.

5.3 Future research considerations

As for the future, I would firstly experiment with other types of honeypots or
honeypot systems, to gain a broader picture of what data can be collected.
Secondly, I would take into consideration different placements of honeypots in a
network; this would allow insight into the behaviour of threat actors in different
environments.

Thirdly, testing honeypots using virtual machines on a network rather than
running them on dedicated hardware could be one future research
consideration, as this could limit costs and possibly reduce set up and build
needs. Lastly, by using virtual machines the deployment of a Honeynet, a
network of honeypots, would become effortless.

6 Conclusion

The purpose of this thesis was to use honeypots as a means of sensitizing
awareness of cybersecurity concerns over a network. Firstly, reviewing
cybersecurity history and its current state provided insight into the importance of
securing networks, systems, and devices. By understanding the dangers of
cyber threats, tools can be used and developed to prevent and counter them. A
honeypot is an example of a valuable tool to detect and understand cyber
threats.

Honeypot systems are a very efficient and informative tool for not only collecting
threat actor data and attack tactics, but also acting as an intrusion detection
system. The versatile nature of honeypots makes them customizable for
different uses, purposes, and environments. However, there are certain
disadvantages with honeypots which should be taken into consideration when
they are deployed.

Secondly, this thesis provides a methodology on how the two different honeypot
systems used in this work were installed, set up, and deployed. These two
honeypot systems were DShield, a low-interaction honeypot, and T-Pot, a
system of honeypot services that have varying degrees of interaction.
Furthermore, a demonstration of how a threat actor would approach these
systems was provided.

Thirdly, an analysis of the results collected by the two honeypot systems was
conducted. Viewing the various data types gave insight into the kinds of threats
targeted towards a network. Lastly, a comparison of these two honeypot
systems, limitations of this work, and future research suggestions were
discussed. It was seen that the T-Pot honeypot system provided more valuable
data in comparison to the DShield system.

This thesis shows how honeypots can be easily deployed into any network and
how they can provide valuable data that builds awareness of cybersecurity
threats facing private and organizational networks.
