Detecting SSH Honeypots with non-persistent filesystems.

A lot has been written in the past on detecting SSH honeypots, usually by using their canned responses against them, SSH protocol quirks, the fact that they accept every password, and so on.

While experimenting with honeypots based on Docker and suchlike, which spin up a new container for each attacker that logs in and can be a bit harder to detect, I realised there was a really, really simple way to detect them. This technique also works for Kippo, Cowrie, and a few other honeypot platforms.

Basically, you exploit the fact that the filesystem you are dropped into won’t persist across connections, and by simply writing a file and reading it back across a couple of connections, you can quickly check if a box is a honeypot or not.

Bear in mind – this technique is not foolproof, and should be combined with other steps to determine if a host is a honeypot or not. Defence in depth isn’t just for blue teams and defenders; it is also highly important not to be led astray by honeypots/network deception in offensive operations. Nothing feels worse than uploading your very nice, bespoke post-exploitation toolkit to a honeypot and having it burned by some threat intelligence people.

We can break this down into a few steps, and then write a program to check if a host is possibly a honeypot or not using this technique.

Step 1: Decide on a path to write to. Something in /tmp/ is good. Vary this across runs, generate randomly.
Step 2: Decide what content to write to that path. Vary this across runs, generate randomly.
Step 3: Log into the host using the credentials you have.
Step 4: Write the contents you generated to the path you chose, using “echo” or similar.
Step 5: Log out.
Step 6: Log into the host (again) using the credentials you have.
Step 7: Try to read from the path you wrote the file to.
Step 8: Check if the file contents match. If they don’t match, or the file simply doesn’t exist, it is possibly a honeypot. If they do match, it is possibly not a honeypot.

The script I wrote to do this can be found on GitHub. I was going to go over all the bits involved, but then realised I have some posts on using Paramiko in the drafts that need completing, so I will save the in-depth discussion of writing the damn thing for those.

I also noticed that with some honeypots (Cowrie), executing commands via SSH in this fashion caused failures, so I added this as a possible way to flag honeypots.

Some honeypots could try to be clever by creating a semi-persistent FS, say, for every connecting IP or AS or something. Future work could be to connect a few times using different SOCKS proxies or Tor exits and see if there are differences.
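
From the honeypot operator's side, the write-then-read-back check in the steps above leaves a recognisable trace in session logs. The following is an added example, not the author's script: it scans constructed session records (the tuple layout, sample data and function name are assumptions, not any honeypot's real log schema) and flags sources that write a file in one session and try to read the same path in a later one.

```python
import re
from collections import defaultdict

# Constructed sample records in time order: (source_ip, session_id, command).
# This layout is an assumption for the example, not a real honeypot log format.
SESSIONS = [
    ("203.0.113.7", "s1", "echo kq3v9x1a > /tmp/.c4f1"),
    ("203.0.113.7", "s2", "cat /tmp/.c4f1"),
    ("198.51.100.20", "s3", "uname -a"),
    ("198.51.100.20", "s4", "cat /etc/passwd"),
    # Write and read inside one session: not a cross-session persistence check.
    ("192.0.2.55", "s5", "echo hi > /tmp/a; cat /tmp/a"),
]

# Shell redirection writes and common read-back commands.
WRITE_RE = re.compile(r"\b(?:echo|printf)\s+.+?>{1,2}\s*(\S+)")
READ_RE = re.compile(r"\b(?:cat|head|tail|md5sum|sha256sum)\s+(\S+)")


def find_persistence_probes(records):
    """Return (source_ip, path, write_session, read_session) tuples where a path
    written in one session is read back in a later session from the same source."""
    written = defaultdict(dict)  # ip -> {path: session that first wrote it}
    hits = []
    for ip, session, command in records:
        for part in command.split(";"):
            part = part.strip()
            match = WRITE_RE.search(part)
            if match:
                written[ip].setdefault(match.group(1), session)
                continue
            match = READ_RE.search(part)
            if match:
                path = match.group(1)
                origin = written[ip].get(path)
                # Only a read from a *different* session tests persistence.
                if origin is not None and origin != session:
                    hits.append((ip, path, origin, session))
    return hits


if __name__ == "__main__":
    for hit in find_persistence_probes(SESSIONS):
        print("possible honeypot fingerprinting:", hit)
```

Keying on source IP misses a check that reconnects from a different address, which the post raises as future work; matching written paths across all sources covers that case at the cost of more noise.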
