In this post I’ll outline a method to detect Cowrie honeypots in both “shell” and “proxy” mode based on SSH host keys, once you have authenticated. The method involved is quite simple. It also works on some other honeypots.
First, grab the host’s SSH public key. This is easily done with the ssh-keyscan utility: give it the target host and, optionally, the port with “-p”.
Save this somewhere, then log into the honeypot and run cat /etc/ssh/ssh_host_rsa_key.pub to grab the host key from the box itself.
On Cowrie in “shell” mode the file has a directory entry in the emulated filesystem but no contents behind it, so you get an interesting inconsistency: “ls” tells you it exists, but “cat” reports that it does not:
root@svr04:~# cat /etc/ssh/ssh_host_rsa_key.pub
cat: /etc/ssh/ssh_host_rsa_key.pub: No such file or directory
root@svr04:~# cd /etc/ssh
root@svr04:/etc/ssh# ls -la
drwxr-xr-x 1 root root 4096 2013-04-05 12:02 .
drwxr-xr-x 1 root root 4096 2013-04-05 12:06 ..
-rw-r--r-- 1 root root 136156 2013-04-05 12:02 moduli
-rw-r--r-- 1 root root 1669 2013-04-05 12:02 ssh_config
-rw------- 1 root root 668 2013-04-05 12:02 ssh_host_dsa_key
-rw-r--r-- 1 root root 599 2013-04-05 12:02 ssh_host_dsa_key.pub
-rw------- 1 root root 227 2013-04-05 12:02 ssh_host_ecdsa_key
-rw-r--r-- 1 root root 171 2013-04-05 12:02 ssh_host_ecdsa_key.pub
-rw------- 1 root root 1675 2013-04-05 12:02 ssh_host_rsa_key
-rw-r--r-- 1 root root 391 2013-04-05 12:02 ssh_host_rsa_key.pub
-rw-r--r-- 1 root root 2489 2013-04-05 12:02 sshd_config
root@svr04:/etc/ssh#
So we know now it’s a honeypot, and we abandon that host. This is certainly a bug that Cowrie could fix in shell mode, I think.
In “proxy” mode, where the SSH connection is passed along to a real host, we do the same thing, but this time we compare the two values. In proxy mode Cowrie sits between you and the backend, essentially doing a person-in-the-middle attack: it terminates your SSH session with its own host key and opens a second session to the real host. The key ssh-keyscan shows you therefore won’t match the one in /etc/ssh on the backend, so you know something is wrong. (Any legitimate SSH bastion or load balancer that re-terminates the session produces the same mismatch, so on its own the mismatch tells you that you are not talking to the box directly, not necessarily that it is a honeypot.)
Here is an example using one of my test systems on Digital Ocean.
$ ssh -p 2222 -l root 67.205.157.10 "cat /etc/ssh/ssh_host_rsa_key.pub"
root@67.205.157.10's password:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCblkCf2peYrL5rApXBEdBVDkkR+sUpJRxb5na+7vcD5CT+oaqVGmzYGJHEPwFvDBFMRUzqXOQgL/tu8H5BVEaB4vI57v5YpRdINDsIcCAe5vqEiRtT21tAoCOijikHVEk6WGf2KDm9DBS0dQR5bXdiOgC251kJfiIlPGmYfpoBYM6IO0aKkHXn9S5Wie8g+mcqY0RpCGzz/bGdkcjleOgVPElmzxB6BmOf/B+ktMQa2qmMbu9UrTFeKjVsPxwkckdd700kIlxDEvhjAtLJD2VmLvavnIFa1fjBNmWAH9ly7Jyrfe9TXktCgS3quLxhiwGxaRQau0hSEXbQtp0EZ8V5 root@ubuntu
$ ssh-keyscan -p 2222 67.205.157.10
# 67.205.157.10:2222 SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
# 67.205.157.10:2222 SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
[67.205.157.10]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+w6yIFaYKw3glGZzgErX75CPKrf6j0SyumhurosNxnx6vgZrmnNtxeL/6W/UcwCpHIzAij5aU3fXklS8dyBnOE51TA8OSP5KR6QTznycKvITF7z+gHPkz1wkk80mPxsqABMRSDjMylWDQntdRSlqprW2fI0dmKKpfuxYdZnQcZ2TOLyBQoTJLX9DulNSLjd/WWNsbMAJC6kO0ZSSy2s66qdRW+F1OJ9SiKxpNj0Yn97L3Ityn/MOpKHEh6bFRB8qRxJu/H0gMVuI4iauYZrx3y9I5ayipNzs1ow8rBRENR/Bs4pOJpIELDGCUsPSJKAzwVU/VQ14OMvbS5JnaPX0T
# 67.205.157.10:2222 SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
$
It quickly becomes apparent that something is rotten in the state of Denmark when the keys don’t match, so we leave this host well alone.
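To automate both checks, here is a small POSIX sh helper. This is an added example, not code from the original post or from the Cowrie project; the function names (normalize_key, compare_keys, classify_cat_output, check_host) are my own, and the host, port and key blobs in the usage comment at the bottom are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from Cowrie.
# Compares the host key presented on the wire (ssh-keyscan) with the key the
# box claims to own (/etc/ssh/ssh_host_rsa_key.pub), and recognises the
# "cat says No such file" behaviour of Cowrie shell mode.

# Reduce one key line to "<type> <base64-blob>".
# ssh-keyscan prints "[host]:port <type> <blob>"; a .pub file holds
# "<type> <blob> <comment>". Only the type and blob should be compared.
normalize_key() {
    printf '%s\n' "$1" | awk '{
        if ($1 ~ /^(ssh-|ecdsa-|sk-)/) print $1, $2; else print $2, $3
    }'
}

# Compare a key seen on the wire with the key the box claims to own.
# Prints "match" or "MISMATCH"; exit status 0 only on a match.
compare_keys() {
    lhs=$(normalize_key "$1")
    rhs=$(normalize_key "$2")
    if [ "$lhs" = "$rhs" ]; then
        echo match
        return 0
    fi
    echo MISMATCH
    return 1
}

# Classify what "cat /etc/ssh/ssh_host_rsa_key.pub" gave back on the box.
# Prints one of: shell-honeypot, key, empty. Cowrie shell mode answers
# "No such file or directory" even though ls lists the file.
classify_cat_output() {
    case "$1" in
        *"No such file or directory"*) echo shell-honeypot ;;
        ssh-*|ecdsa-*|sk-*)            echo key ;;
        *)                             echo empty ;;
    esac
}

# Network part: run against host $1, port $2 (default 22), user $3 (default root).
# Exit 0 = keys agree, 1 = keys differ (something is proxying the session),
# 2 = the box did not hand back a key at all.
check_host() {
    host=$1; port=${2:-22}; user=${3:-root}
    wire=$(ssh-keyscan -t rsa -p "$port" "$host" 2>/dev/null | grep -v '^#')
    claimed=$(ssh -p "$port" -l "$user" "$host" 'cat /etc/ssh/ssh_host_rsa_key.pub' 2>&1)
    case "$(classify_cat_output "$claimed")" in
        shell-honeypot) echo "ls lists the file but cat cannot read it: looks like Cowrie shell mode"; return 2 ;;
        empty)          echo "no key returned from the box"; return 2 ;;
    esac
    compare_keys "$wire" "$claimed"
}

# Usage against a real target (hypothetical host and port):
# check_host 192.0.2.10 2222 root
```

compare_keys deliberately ignores the “[host]:port” prefix that ssh-keyscan adds and the trailing comment (“root@ubuntu”) in the .pub file; a naive diff of the two raw lines would always disagree on those. If you prefer to compare fingerprints rather than eyeball base64 blobs, write the normalized lines to a file and run ssh-keygen -lf on it.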
Anyway, hopefully someone finds this useful. Hopefully honeypots will improve to get around this trickery? Maybe?