Using “hassh” to Identify Probable SSH Honeypots.

After my last post on SSH honeypots and some productive chats with some other people interested in honeypots, I decided to go a bit further and see if I could come up with more ways to identify them with minimal actual effort – something that could be trivially integrated into a scanning pipeline.

So I chose Cowrie, the successor to Kippo, as my target for this. Cowrie is really nice, I actually use it myself. They also seemed to care enough to open a bug in order to fix the observed issue where Paramiko errors were allowing one to fingerprint honeypots.

I also decided that in-scope would be the last few release versions of Cowrie, and only in their default, “as per docs” configuration. This is partially down to time constraints on my end, and partly down to the fact that this is a user problem, and if the end user does some config work, this fingerprinting method fails.

Due to some issues getting pre-2.0.0 releases to work, I stopped there. Though I suspect fingerprinting older (pre-2.x) ones will be a lot easier, as the 1.6 release was when functionality was added to allow customising the SSH crypto parameters. I’ll revisit this sometime.

I also decided that I didn’t particularly mind if the detection method was a bit noisy or prone to false positives. For an attacker, a method of filtering out honeypots that also results in a loss of a few not-honeypots isn’t a big deal – the internet is fucking huge and full of trivially compromised systems. The value of not showing up in someones “threat intelligence” feed is probably higher than the value of the systems one “loses out on”.

So I decided to generate a few hassh fingerprints, and search on Shodan and BinaryEdge to see what I could find. At some point I would like to set up an instance of “Passive SSH” to gather my own data on SSH servers on the internet, but that is a future project.

To generate the fingerprints I used this nmap script.

In the table below, I present my results.

Cowrie VersionHassh FingerprintShodanBinaryEdge
2.2.0955c30f421cf76aa1c82d3f5b0d7768b1,7593,583 
2.1.0955c30f421cf76aa1c82d3f5b0d7768b1,7593,583 
2.0.2a3266857eb3a0039f98e93cb345afd8b1,6582,149
2.0.1a3266857eb3a0039f98e93cb345afd8b1,6582,149
2.0.0a3266857eb3a0039f98e93cb345afd8b1,6582,149

I picked a few hosts at random from the Shodan and BinaryEdge results and looked at them, and they smelled sus – Eau de Honeypot.

So what did we learn, exactly?

Well, it turns out there are probably a few thousand default Cowrie honeypots out there, at least, in their default configuration which can be readily fingerprinted using hassh and filtered out of ones SSH scanning before launching some kind of attack.

Honeypot operators would be rather wise to customise their setups to blend in better, so that they don’t get flagged quite as easily. This includes myself.

Anyway, I might revisit this later, hopefully its been somewhat interesting for you!

%d bloggers like this: