Detecting Cowrie in “proxy” Mode

In “proxy” mode, Cowrie is pretty damn powerful: it proxies you through to a backend pool of live systems or virtual machines, and it is god damn awesome. My previous detection methods, which relied on quirks of the emulated shell, don't work here, because you are proxied through to a real system. Also, if you hit the honeypot twice from …

procfs/bash tricks and detecting Cowrie

Yep, I'm messing with Cowrie again. Just a quick post about another category of post-authentication detection mechanisms I found for Cowrie. These should catch honeypots that the previous hassh trick fails to detect, this time by relying on how procfs on Linux works, plus some bash fun. There are actually a couple of detection methods …

Using “hassh” to Identify Probable SSH Honeypots.

After my last post on SSH honeypots and some productive chats with some other people interested in honeypots, I decided to go a bit further and see if I could come up with more ways to identify them with minimal actual effort - something that could be trivially integrated into a scanning pipeline. So I …
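The hassh fingerprint mentioned above is the MD5 of the algorithm name-lists an SSH peer advertises in its SSH_MSG_KEXINIT: kex;encryption;MAC;compression, using the client-to-server lists for a client (hassh) and the server-to-client lists for a server (hasshServer). The following is an added example, not code from the original post or from the hassh project, showing how to parse a KEXINIT payload and compute both values for a scanning pipeline. The sample server KEXINIT and its algorithm lists are constructed for the example and are not Cowrie's real fingerprint; the lookup table is a placeholder you would fill from fingerprints you have collected yourself.

```python
# Added example: parse an SSH_MSG_KEXINIT payload and compute hassh / hasshServer.
# Sample data below is constructed and hypothetical, not taken from any real honeypot.
import hashlib
import struct

SSH_MSG_KEXINIT = 20  # RFC 4253 section 7.1

# The ten name-lists of KEXINIT, in wire order.
NAMELISTS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
             "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _read_namelist(buf, off):
    """Read one SSH name-list: uint32 length followed by comma-separated ASCII names."""
    if off + 4 > len(buf):
        raise ValueError("truncated KEXINIT: missing name-list length")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated KEXINIT: name-list runs past end of payload")
    return buf[off:off + n].decode("ascii"), off + n


def parse_kexinit(payload):
    """Parse an (unencrypted) KEXINIT payload into a dict of its fields."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message number + 16-byte random cookie
    fields = {}
    for name in NAMELISTS:
        fields[name], off = _read_namelist(payload, off)
    if off + 5 > len(payload):
        raise ValueError("truncated KEXINIT: missing trailer")
    fields["first_kex_packet_follows"] = bool(payload[off])
    # Four reserved bytes follow the boolean; they are not part of the fingerprint.
    return fields


def hassh_string(fields, side):
    """Join the four lists that hassh hashes: kex;enc;mac;comp.
    side='client' uses the client-to-server lists (hassh),
    side='server' uses the server-to-client lists (hasshServer)."""
    d = "c2s" if side == "client" else "s2c"
    return ";".join([fields["kex"], fields["enc_" + d],
                     fields["mac_" + d], fields["comp_" + d]])


def hassh(payload, side):
    """Return the hex MD5 fingerprint of a KEXINIT payload for the given side."""
    s = hassh_string(parse_kexinit(payload), side)
    return hashlib.md5(s.encode("ascii")).hexdigest()


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload from a dict of name-lists (helper for constructing samples)."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in NAMELISTS:
        v = lists.get(name, "").encode("ascii")
        out += struct.pack(">I", len(v)) + v
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows + reserved


# Constructed sample: the lists a hypothetical SSH server might advertise.
# These values are made up for this example; they are not Cowrie's.
SAMPLE_SERVER_LISTS = {
    "kex": "curve25519-sha256,diffie-hellman-group14-sha256",
    "hostkey": "ssh-ed25519,rsa-sha2-512",
    "enc_c2s": "aes128-ctr,aes256-ctr",
    "enc_s2c": "aes128-ctr,aes256-ctr",
    "mac_c2s": "hmac-sha2-256",
    "mac_s2c": "hmac-sha2-256",
    "comp_c2s": "none",
    "comp_s2c": "none",
}
SAMPLE_SERVER_KEXINIT = build_kexinit(SAMPLE_SERVER_LISTS)


def classify(fingerprint, known):
    """Look up a hasshServer value in a caller-supplied table of labelled fingerprints."""
    return known.get(fingerprint, "unknown")


if __name__ == "__main__":
    fp = hassh(SAMPLE_SERVER_KEXINIT, "server")
    # Placeholder table: populate it from fingerprints you have collected yourself.
    known = {fp: "example-profile"}
    print(fp, classify(fp, known))
```

To use this against a live target, capture the server's KEXINIT payload from the first unencrypted packets of the handshake (after the version exchange, before NEWKEYS) and feed it to `hassh(payload, "server")`. The value only identifies the SSH implementation and its configured algorithm lists, so a match against a honeypot profile is a strong hint rather than proof, which is why the later posts above add post-authentication checks.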

Detecting SSH Honeypots with non-persistent filesystems.

A lot has been written on the topic of detecting SSH honeypots in the past, usually using their canned responses against them, SSH protocol quirks, the fact that they accept every password, etc. While experimenting with honeypots based on Docker and suchlike, which spin up a new container for each attacker who logs in, which can be a …