Honeypot Detection: SSH Host Keys

In this post I’ll outline a method to detect Cowrie honeypots in both “shell” and “proxy” mode based on SSH host keys, post authentication. The method involved is quite simple. It also works on some other honeypots. Firstly, we grab the host’s SSH public key. This can be easily done by using the ssh-keyscan utility. …
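The excerpt above only gets as far as the first step (grab the host key with ssh-keyscan). As an added illustration that is not code from the original post, the script below parses an ssh-keyscan line, computes the OpenSSH-style `SHA256:` fingerprint of the key blob, and compares it against a key line obtained from another source. The comparison target (a key line read from inside the session after authentication) is an assumption about the follow-on step, not something the excerpt states; the host `203.0.113.10` and the key material are constructed sample data, and `keyscan()` is a thin wrapper around the real `ssh-keyscan` binary for live use.

```python
import base64
import hashlib
import struct
import subprocess

# Key-type tokens that mark the start of a public key in a keyscan / *.pub line.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "constructed") -> str:
    """Build a 'ssh-ed25519 <base64> <comment>' line from a raw 32-byte key.

    Used only to construct offline sample data here; the blob layout
    (string "ssh-ed25519", string key) is the one OpenSSH writes out."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of a public key line.

    Accepts both 'host type b64' (ssh-keyscan output) and 'type b64 comment'
    (/etc/ssh/ssh_host_*_key.pub) layouts; the fingerprint is the base64 of
    SHA-256 over the decoded key blob, with '=' padding stripped."""
    fields = pubkey_line.split()
    for i, tok in enumerate(fields):
        if tok in KEY_TYPES:
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError(f"no SSH public key found in: {pubkey_line!r}")


def keyscan(host: str, port: int = 22, key_type: str = "ed25519") -> str:
    """Run the real ssh-keyscan binary against a live host and return its first key line.

    Not exercised offline; provided so the same fingerprint() can be fed live data."""
    out = subprocess.run(
        ["ssh-keyscan", "-p", str(port), "-t", key_type, host],
        capture_output=True, text=True, check=True,
    ).stdout
    for line in out.splitlines():
        if line and not line.startswith("#"):
            return line
    raise RuntimeError(f"ssh-keyscan returned no {key_type} key for {host}")


def host_key_mismatch(external_line: str, internal_line: str) -> bool:
    """True when the key seen on the wire differs from the key the system reports
    about itself post-authentication. (Assumed follow-on check: a proxying honeypot
    terminates SSH itself, so the backend's own host key need not match.)"""
    return fingerprint(external_line) != fingerprint(internal_line)


# Constructed sample data (not real hosts or keys).
REAL_KEY = bytes(range(32))
OTHER_KEY = bytes(range(32, 64))
SCANNED_LINE = "203.0.113.10 " + make_ed25519_pubkey_line(REAL_KEY)
INTERNAL_SAME = make_ed25519_pubkey_line(REAL_KEY, "root@target")
INTERNAL_DIFFERENT = make_ed25519_pubkey_line(OTHER_KEY, "root@backend")

if __name__ == "__main__":
    print("scanned:", fingerprint(SCANNED_LINE))
    print("mismatch (same key reported inside):", host_key_mismatch(SCANNED_LINE, INTERNAL_SAME))
    print("mismatch (different key inside):    ", host_key_mismatch(SCANNED_LINE, INTERNAL_DIFFERENT))
```

For live use, replace `SCANNED_LINE` with `keyscan("target")` and `INTERNAL_*` with the line you read from the key file inside the session; the fingerprint format matches what `ssh-keygen -lf` prints, so results can be cross-checked by hand.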

Detecting Cowrie in “proxy” Mode

So in “proxy” mode, Cowrie is pretty damn powerful. It proxies you through to a backend pool of live systems or virtual machines. It is god damn awesome. My previous detection methods based on shell stuff don’t work, because you are proxied through to a live system. Also, if you hit the honeypot twice from …

Using “hassh” to Identify Probable SSH Honeypots.

After my last post on SSH honeypots and some productive chats with some other people interested in honeypots, I decided to go a bit further and see if I could come up with more ways to identify them with minimal actual effort – something that could be trivially integrated into a scanning pipeline. So I …

AliumTerm: Reverse Shells over Tor, Part 1. Basics.

Before I begin, this project (which will unfold over a few blog posts) probably has no real application to “authorized intrusion activities” (red teaming, penetration testing, etc), and its release has largely been motivated by a desire to show how various problems were identified and overcome along the way. Kind of a “showing the work”. …