Honeypot Detection: SSH Host Keys

In this post I’ll outline a method to detect Cowrie honeypots in both “shell” and “proxy” mode based on SSH Host Keys, post authentication. The method involved is quite simple. It also works on some other honeypots.

Firstly, we grab the hosts SSH public key. This can be easily done by using the ssh-keyscan utility. Just provide the target host and optionally specify a target port with “-p”.

Save this somewhere, and then log into the honeypot and run cat /etc/ssh/ssh_host_rsa_key.pub to grab the host key from the box itself.

On Cowrie in “shell” mode, this file doesn’t actually return anything, so you get an interesting error where “ls” tells you it exists, but “cat” cannot get at it:

root@svr04:~# cat /etc/ssh/ssh_host_rsa_key.pub 
cat: /etc/ssh/ssh_host_rsa_key.pub: No such file or directory
root@svr04:~# cd /etc/ssh
root@svr04:/etc/ssh# ls -la
drwxr-xr-x 1 root root   4096 2013-04-05 12:02 .
drwxr-xr-x 1 root root   4096 2013-04-05 12:06 ..
-rw-r--r-- 1 root root 136156 2013-04-05 12:02 moduli
-rw-r--r-- 1 root root   1669 2013-04-05 12:02 ssh_config
-rw------- 1 root root    668 2013-04-05 12:02 ssh_host_dsa_key
-rw-r--r-- 1 root root    599 2013-04-05 12:02 ssh_host_dsa_key.pub
-rw------- 1 root root    227 2013-04-05 12:02 ssh_host_ecdsa_key
-rw-r--r-- 1 root root    171 2013-04-05 12:02 ssh_host_ecdsa_key.pub
-rw------- 1 root root   1675 2013-04-05 12:02 ssh_host_rsa_key
-rw-r--r-- 1 root root    391 2013-04-05 12:02 ssh_host_rsa_key.pub
-rw-r--r-- 1 root root   2489 2013-04-05 12:02 sshd_config
root@svr04:/etc/ssh# 

So we know now its a honeypot, and to abandon that host. This is certainly a bug that Cowrie can fix in the Shell mode I think.

In “Proxy” mode, where the SSH connection is passed along to a real host, we do the same thing, but what we do instead is compare the two values – in Proxy mode, Cowrie proxies the SSH connection along, basically doing a Person in the Middle attack. The host keys won’t match up, so you know something is wrong.

Here is an example using one of my test systems on Digital Ocean.

$ ssh -p 2222 -l root 67.205.157.10 "cat /etc/ssh/ssh_host_rsa_key.pub"
root@67.205.157.10's password: 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCblkCf2peYrL5rApXBEdBVDkkR+sUpJRxb5na+7vcD5CT+oaqVGmzYGJHEPwFvDBFMRUzqXOQgL/tu8H5BVEaB4vI57v5YpRdINDsIcCAe5vqEiRtT21tAoCOijikHVEk6WGf2KDm9DBS0dQR5bXdiOgC251kJfiIlPGmYfpoBYM6IO0aKkHXn9S5Wie8g+mcqY0RpCGzz/bGdkcjleOgVPElmzxB6BmOf/B+ktMQa2qmMbu9UrTFeKjVsPxwkckdd700kIlxDEvhjAtLJD2VmLvavnIFa1fjBNmWAH9ly7Jyrfe9TXktCgS3quLxhiwGxaRQau0hSEXbQtp0EZ8V5 root@ubuntu


$ ssh-keyscan -p 2222 67.205.157.10
# 67.205.157.10:2222 SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
# 67.205.157.10:2222 SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
[67.205.157.10]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+w6yIFaYKw3glGZzgErX75CPKrf6j0SyumhurosNxnx6vgZrmnNtxeL/6W/UcwCpHIzAij5aU3fXklS8dyBnOE51TA8OSP5KR6QTznycKvITF7z+gHPkz1wkk80mPxsqABMRSDjMylWDQntdRSlqprW2fI0dmKKpfuxYdZnQcZ2TOLyBQoTJLX9DulNSLjd/WWNsbMAJC6kO0ZSSy2s66qdRW+F1OJ9SiKxpNj0Yn97L3Ityn/MOpKHEh6bFRB8qRxJu/H0gMVuI4iauYZrx3y9I5ayipNzs1ow8rBRENR/Bs4pOJpIELDGCUsPSJKAzwVU/VQ14OMvbS5JnaPX0T
# 67.205.157.10:2222 SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
$ 

It quickly becomes apparent that something is rotten in the state of Denmark when the keys don’t match, so we leave this host well alone.

Anyways, hopefully someone finds this useful. Hopefully honeypots will improve to get around this trickery? Maybe?

%d bloggers like this: