Honeypot Fun

1 minute read

At the Legal Informatics and Forensic Science Institute, we are preparing to do some research on IoT smart homes. Part of that is setting up a slightly-less-secure system. I run some honeypots on my home networks, but I was interested to see what is coming in to the known University IP range.

I had an extra Raspberry Pi laying around, and decided to run cowrie (kippo) SSH honeypot. Mostly because it is very fast to set up, gives you an idea of where attacks are coming from, and also gives a list of usernames and passwords that people are trying. More on the setup of cowrie later.

After putting cowrie online, it took 28 minutes before the first connection. This is actually longer than I expected. Possibly because the IP was up before, but port 22 was not open.

After 12 hours, login attempts from the following addresses:

Login Attempts IP Address Country
1 146.66.163.107Russia
3 185.103.252.14Russia
9 195.154.58.76France
18 159.122.123.183Germany
40 117.102.109.18Indonesia
41 193.201.227.200Ukraine
91 94.79.5.102Russia
126 193.201.227.86Ukraine
336 202.83.25.95 India

Remember that the country doesn't actually mean anything. These could be proxies, tor, hacked servers, etc.

The top usernames and passwords are not very surprising.

Tries Username / Password
21 [root/123456]
19 [root/default]
18 [admin/support]
18 [admin/default]
18 [admin/123123]
8 [root/admin]
6 [admin/admin]
5 [test/test]
5 [support/support]
5 [root/qwerty]

Probably the most interesting thing is that the first attack was that the first attack was trying some sort of buffer-overflow. Although they were connecting to SSH and sending (weird) user/pass combinations, after the connection was rejected they were sending really long strings. I suspect it is some sort of honeypot detection, or it exploits certain versions of SSH? Not sure.

Anyway, for a 1 hour project it is easy and interesting. Definitely something that students could do in an afternoon.

Leave a Comment