procfs/bash tricks and detecting Cowrie

Yep, I’m messing with Cowrie again. Just a quick post about another category of post-authentication detection mechanisms I found for Cowrie. These should detect honeypots that the previous hassh trick fails to detect. This time, due to how the “procfs” on Linux works, and some bash fun. There are actually a couple of detection methods …

Using “hassh” to Identify Probable SSH Honeypots.

After my last post on SSH honeypots and some productive chats with some other people interested in honeypots, I decided to go a bit further and see if I could come up with more ways to identify them with minimal actual effort – something that could be trivially integrated into a scanning pipeline. So I …

Detecting SSH Honeypots with non-persistent filesystems.

A lot has been written on the topic of detecting SSH honeypots in the past, usually using their canned responses against them, SSH protocol quirks, them accepting every password, etc. While experimenting with honeypots based on Docker and suchlike, which spin up a new container for each attacker that logs in, which can be a …

Build Log: Micro Marquee from MadLab.

Just another quick image dump of another MadLab build, this time the Micro Marquee from them. This was a very straightforward build, starting with the resistors, followed by the capacitors, then the IC socket and matrix display. Add on the buttons, battery clip, and seat the IC and away you go! “Programming” your messages into …