Unveiling the Sweet Sting: My Homemade Raspberry Pi Honeypot
First Things First
I can only imagine what some of you reading this are thinking right now. "Ok Sam, this technology stuff is cool, but WTF is a Raspberry Pi and what do you mean you made a Honey Pot out of it? I have no idea what a Honey Pot is! Maybe slow it down a bit and explain how pie and honey have anything to do with hacking or cybersecurity. No worries, if you've never heard of either, I'm going to break it down for you. If you have heard of both and are just here for the technical details, go ahead and skip down to a few sections to "Here's to the Sweet Stuff"
Raspberry Pi:
A Raspberry Pi is a tiny, affordable computer that you can hold in your hand. It's like a magical box that can do all sorts of digital tricks. While it's small, don't underestimate it, because it's a versatile and powerful tool.
Imagine it as the brain of your DIY projects. Want to build a robot, create a home weather station, or even make your own video game console? The Raspberry Pi can do it all. It's like the Swiss Army knife of computers, but much smaller and way more fun.
You can connect it to a TV or a monitor, add a keyboard and a mouse, and voila, you have a computer that's perfect for learning how to code, playing games, or even browsing the web. Kids and adults alike use Raspberry Pi to explore the wonders of technology and bring their ideas to life.
Think of it as a little computer that's big on possibilities. Whether you're a tech whiz or just curious about what computers can do, the Raspberry Pi is your ticket to a world of digital adventures. It's like having a tiny computer genie in your pocket, ready to grant your tech wishes!
Honey Pot:
A honeypot is like a digital decoy in the world of computers and cybersecurity. Imagine it as a digital trap, designed to attract hackers and cyber-criminals. Just like a pot of honey attracts bees, a honeypot lures in those who are up to no good in the online world.
But here's the clever part: a honeypot isn't a real computer or system that contains valuable data. Instead, it's a fake, carefully set up to look like something interesting to hackers. It's like a shiny treasure chest, but when someone tries to open it, they discover that it's empty or filled with fake information.
Why use a honeypot? Well, it's a bit like catching a spy. By watching what hackers do when they think they're breaking into something valuable, cybersecurity experts can learn about their tactics and techniques. It's like leaving out breadcrumbs for a naughty squirrel and then studying its behavior.
Honeypots help protect real computer systems by diverting cyber-attacks away from them. They also provide valuable insights into the latest cyber threats, helping cybersecurity professionals stay one step ahead of the bad guys.
So, in the world of computers, a honeypot is like a digital detective tool, enticing cyber-criminals and helping us understand and defend against their tricks. It's like setting a trap to catch a crafty fox in the online wilderness! Now that you are all subject matter experts on what raspberry pi's and honey pots are, let's get to the sweet stuff!
Here's to the Sweet Stuff!
So I took an old rasberry pi that I had lying around... yes, I have random computers and parts "laying around". You never know when you need to build a sweet touch screen music player for your bar you build downstairs, or make a video game console, or just simply want to hack someone and get rid of the evidence with a credit card sized computer...JOKING!. I do not condone anything illegal, which is one of the reasons I wanted to test this project out. So yeah, back to the action. I grabbed my raspberry pi and started using my best friend Google to see what software was already available for me to install. After some searching, I came across this article.
http://medium.com/swlh/installing-dshield-honeypot-on-a-raspberry-pi-e10d967825b2I quite literally followed this entire article step by step. The reason for this, someone's already done it, why re-invent the wheel? I'm sure I could have configured my pi using cowrie to establish a honey pot... but, if I can just download a script that automatically does that for me, I'm going to do it!
(A picture of my SWEET Raspberry Pi and my Hak5 stickers on my laptop. )
Once I got my Pi completely configured and up and running, I went to an online port scanner service to test against my newly made honey pot.
As you can see the honey pot is working. It's showing ssh and telnet open, and filtered ports for other popular services, which would be shown as open on other port scans. This is one of those moments for hackers that, if they see something configured so poorly like this, they have to ask the question, "Is this too good to be true, or is it really some low hanging fruit right now?"
Naturally, they are going to want to find out! And who could really resist this?? These weren't all of the ports that were open on the Pi either.
Not even a minute later, I'm getting pings from my ISP telling me they are blocking attacks to my Pi from blacklisted IP addresses in North Korea!
With this alert, I realized that I needed to turn off the protection my ISP was providing to my Pi, which was in a DMZ. I managed to turn it off for just the Pi and continued my journey in catching hackers!
Within seconds of removing this protection provided by my awesome ISP, I started witnessing connections to outside IP addresses while running netstat -atoc.
If you look closely (even if you've never looked at nestat output) you will see that the raspberry pi IP address (under local address, 192.168.0.173) has an established connection on port 2223 with an outside IP address of 114.239.233.48. I looked up the IP address to at least get a country of origin and somewhat of a location guess.
Come to find out, it was an IP address from China. There were quite literally dozens of other IP addresses trying to connect to port 2223 and port 2222. I read on a few sites that port 2222 was a very common port to try and attack due to it generally being an alternate ssh port. Had these intruders been able to actually login to a service on that port, they could have done some damage. But, luckily for us, the port looked open, but no service was actually running on that port.
The other connections you see, such as "mail2.dshield.org" and the connection to port 12222 is myself ssh'd into the Pi and dshield emailing updates to itself for tracking. Once I ran a continuous scan, I was seeing at least 5 IP addresses every second trying to connect to 2222 and 2223. Every IP that I reverse searched for geolocation resolved to IP's in China. My assumption is that there is a few bots just scanning everything on the internet. Most hackers today aren't really going to do port scans on everything on the internet. They will use things like Shodan.io. If you're not familiar with Shodan.io it is like a super-powered search engine, but it's not searching for websites or articles. Instead, it's on the hunt for internet-connected devices and systems. Think of it as a digital detective that scans the web for computers, cameras, smart devices, and much more. Quite literally it scans the internet.
While traditional search engines like Google help you find information on the internet, Shodan.io helps you find internet-connected things themselves. It's like having a telescope to peer into the digital landscape, revealing devices you didn't even know existed.
Shodan.io can tell you things like:
Which webcams are broadcasting their video feeds online.
What types of industrial control systems are connected to the internet.
How many vulnerable servers or devices are out there, waiting to be secured.
Like I previously mentioned, I'm not going to re-invent the wheel, hackers won't either. They will use information that's already been enumerated. If looking for low hanging fruit, they could be doing simple searches on misconfigured web servers, or Pi's, or whatever they want to hack to grab that low hanging fruit. While the things that seemed to be hitting my Pi were more like scanners. Which highly suggests that it was automated scanners rather than individual or team hackers.
Finally, The Ending!
If you've made it this far, I applaud you. I feel like I go off the deep end sometimes. I tried to obtain the logs from SANS after letting the Pi run for 24 hours, but was unsuccessful as I accidentally opted to not record logs. It was late at night while setting it up and I wasn't thinking. I may go back and redo it sometime, but I was able to gain some valuable information for myself. What did I learn from this? All hackers are from China. Joking. I learned quite a few things.
It's very simple to misconfigure a web server or even a computer that's exposed to the internet.
My ISP protection is actually pretty decent.
Hackers don't necessarily go after things that are immediately popping up on the internet, but there are devices or bots out there scanning all devices.
It is amazing how fast it was for my Pi to hit the internet to getting scanned.
NEVER OPT OUT OF LOGGING! If you want to feel dumb like I did, then by all means, don't log.
I hope you enjoyed this, and if you have any questions, please feel free to leave a comment below. If you want to try this experiment at home, please ensure you understand what the DMZ is on your network, and how it works, and how to open/close and put machines in it.
-Sam
