Running an SFTP Honeypot

Honeypots are great tools to detect an intrusion in your network. The idea is to set up some fake services that have no other purpose than logging the activity of an attacker.

In this post, we will set up one such tool, the Cowrie SSH honeypot, which can be used not only for SSH but also for SFTP. Setting it up is as simple as:

~ # docker pull cowrie/cowrie:latest
latest: Pulling from cowrie/cowrie
f531499c6b73: Already exists
e8d9a567199d: Already exists
...
...
0bdabdbb5012: Already exists
eecb68a89556: Already exists
4f4fb700ef54: Already exists
Digest: sha256:ca5bdeb93cc53b79b0784cfb59c00626a5dcb393e06d35be0dc7ad13b85e32f2
Status: Downloaded newer image for cowrie/cowrie:latest
docker.io/cowrie/cowrie:latest

followed by:

~ # docker run -p 2222:2222 cowrie/cowrie:latest
...
2024-08-06T06:39:08+0000 [-] Python Version 3.11.2 (main, May 2 2024, 11:59:08) [GCC 12.2.0]
2024-08-06T06:39:08+0000 [-] Twisted Version 24.3.0
2024-08-06T06:39:08+0000 [-] Cowrie Version 2.5.0
2024-08-06T06:39:08+0000 [-] Loaded output engine: jsonlog
2024-08-06T06:39:08+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 24.3.0 (/cowrie/cowrie-env/bin/python3 3.11.2) starting up.
2024-08-06T06:39:08+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
2024-08-06T06:39:08+0000 [-] CowrieSSHFactory starting on 2222
2024-08-06T06:39:08+0000 [cowrie.ssh.factory.CowrieSSHFactory#info] Starting factory <cowrie.ssh.factory.CowrieSSHFactory object at 0x7fdfc0264c10>
2024-08-06T06:39:08+0000 [-] Generating new RSA keypair...
2024-08-06T06:39:08+0000 [-] Generating new ECDSA keypair...
2024-08-06T06:39:08+0000 [-] Generating new ed25519 keypair...
2024-08-06T06:39:08+0000 [-] Ready to accept SSH connections

Now that our honeypot is running, anybody connecting to it with any kind of SFTP client and doing something like this:

~ # sftp -P 2222 root@localhost
root@localhost's password:
Connected to localhost.
sftp>
put virus.bin
Uploading virus.bin to /root/virus.bin
virus.bin 100% 200 133.1KB/s 00:00
sftp>
exit
~ #

will have the entire conversation logged by the honeypot for you to review. In the case above we got:

2024-08-06T06:45:54+0000 [cowrie.ssh.factory.CowrieSSHFactory] No moduli, no diffie-hellman-group-exchange-sha1
2024-08-06T06:45:54+0000 [cowrie.ssh.factory.CowrieSSHFactory] No moduli, no diffie-hellman-group-exchange-sha256
2024-08-06T06:45:54+0000 [cowrie.ssh.factory.CowrieSSHFactory] New connection: 172.17.0.1:47890 (172.17.0.3:2222) [session: e8b0ede018b3]
2024-08-06T06:45:54+0000 [HoneyPotSSHTransport,2,172.17.0.1] Remote SSH version: SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3
2024-08-06T06:45:54+0000 [HoneyPotSSHTransport,2,172.17.0.1] SSH client hassh fingerprint: aae6b9604f6f3356543709a376d7f657
2024-08-06T06:45:54+0000 [cowrie.ssh.transport.HoneyPotSSHTransport#debug] kex alg=b'curve25519-sha256' key alg=b'ssh-ed25519'
2024-08-06T06:45:54+0000 [cowrie.ssh.transport.HoneyPotSSHTransport#debug] outgoing: b'aes128-ctr' b'hmac-sha2-256' b'none'
2024-08-06T06:45:54+0000 [cowrie.ssh.transport.HoneyPotSSHTransport#debug] incoming: b'aes128-ctr' b'hmac-sha2-256' b'none'
2024-08-06T06:45:54+0000 [cowrie.ssh.transport.HoneyPotSSHTransport#debug] NEW KEYS
2024-08-06T06:45:54+0000 [cowrie.ssh.transport.HoneyPotSSHTransport#debug] starting service b'ssh-userauth'
2024-08-06T06:45:54+0000 [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] b'root' trying auth b'none'
2024-08-06T06:45:56+0000 [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] b'root' trying auth b'password'
2024-08-06T06:45:56+0000 [HoneyPotSSHTransport,2,172.17.0.1] Could not read etc/userdb.txt, default database activated
2024-08-06T06:45:56+0000 [HoneyPotSSHTransport,2,172.17.0.1] login attempt [b'root'/b'test'] succeeded
2024-08-06T06:45:56+0000 [HoneyPotSSHTransport,2,172.17.0.1] Initialized emulated server as architecture: linux-x64-lsb
2024-08-06T06:45:56+0000 [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] b'root' authenticated with b'password'
2024-08-06T06:45:56+0000 [cowrie.ssh.transport.HoneyPotSSHTransport#debug] starting service b'ssh-connection'
2024-08-06T06:45:56+0000 [cowrie.ssh.connection.CowrieSSHConnection#debug] got channel b'session' request
2024-08-06T06:45:56+0000 [cowrie.ssh.session.HoneyPotSSHSession#info] channel open
2024-08-06T06:45:56+0000 [cowrie.ssh.connection.CowrieSSHConnection#debug] got global b'no-more-sessions@openssh.com' request
2024-08-06T06:45:56+0000 [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,2,172.17.0.1] request_env: LANG=en_US.UTF-8
2024-08-06T06:45:56+0000 [twisted.conch.ssh.session#info] Asking for subsystem "b'sftp'"
2024-08-06T06:45:56+0000 [cowrie.shell.avatar.CowrieUser#debug] Subsystem lookup: {b'sftp': <class 'twisted.conch.ssh.filetransfer.FileTransferServer'>}
2024-08-06T06:45:56+0000 [twisted.conch.ssh.filetransfer.FileTransferServer#info] dispatching: INIT requestId=3
2024-08-06T06:45:56+0000 [twisted.conch.ssh.filetransfer.FileTransferServer#info] dispatching: REALPATH requestId=1
2024-08-06T06:46:06+0000 [twisted.conch.ssh.filetransfer.FileTransferServer#info] dispatching: OPEN requestId=2
2024-08-06T06:46:06+0000 [HoneyPotSSHTransport,2,172.17.0.1] SFTP openFile: b'/root/virus.bin'
2024-08-06T06:46:06+0000 [twisted.conch.ssh.filetransfer.FileTransferServer#info] dispatching: WRITE requestId=4
2024-08-06T06:46:06+0000 [twisted.conch.ssh.filetransfer.FileTransferServer#info] dispatching: CLOSE requestId=3
2024-08-06T06:46:06+0000 [twisted.conch.ssh.filetransfer.FileTransferServer#info] closing: b'\x00\x00\x00\x03' b'8760330431421'
2024-08-06T06:46:06+0000 [HoneyPotSSHTransport,2,172.17.0.1] SFTP Uploaded file "virus.bin" to var/lib/cowrie/downloads/370e0efc52f7577cbe99b7a8f5229e03fca23a81872be3f4b2d58198a1ed5fcc
2024-08-06T06:47:04+0000 [cowrie.ssh.connection.CowrieSSHConnection#info] sending close 0
2024-08-06T06:47:04+0000 [cowrie.ssh.session.HoneyPotSSHSession#info] remote close
2024-08-06T06:47:04+0000 [HoneyPotSSHTransport,2,172.17.0.1] Got remote error, code 11 reason: b'disconnected by user'
2024-08-06T06:47:04+0000 [HoneyPotSSHTransport,2,172.17.0.1] avatar root logging out
2024-08-06T06:47:04+0000 [cowrie.ssh.transport.HoneyPotSSHTransport#info] connection lost
2024-08-06T06:47:04+0000 [HoneyPotSSHTransport,2,172.17.0.1] Connection lost after 69 seconds

As you can see from the logs, the file transferred by the attacker is made available in the container under var/lib/cowrie/downloads/, so you can apply any kind of forensics you want.
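To turn a log like the one above into something reviewable, here is an added example (not part of the original post and not Cowrie's own code) in Python that groups Cowrie's text log lines into per-session records: source address, session id, client version, hassh fingerprint, credentials tried, SFTP paths opened, files stored and connection duration. It assumes the line layout shown above (timestamp, bracketed source, message) and relies on Cowrie naming a captured file by its SHA-256 digest, which is why the stored path ends in 64 hex characters. The regular expressions, the Session class and the second session in the sample input (203.0.113.7, a failed login) are constructed here; the first session's lines are copied from the log above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# One Cowrie text log line: "<timestamp> [<source>] <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+) \[(?P<src>[^\]]+)\] (?P<msg>.*)$")
# Per-connection transport tag Cowrie puts in the source field.
TRANSPORT_RE = re.compile(r"HoneyPotSSHTransport,(?P<n>\d+),(?P<ip>[\d.]+)")
NEW_CONN_RE = re.compile(r"New connection: (?P<ip>[\d.]+):\d+ \([\d.]+:\d+\) \[session: (?P<sid>\w+)\]")
VERSION_RE = re.compile(r"Remote SSH version: (?P<ver>.+)$")
HASSH_RE = re.compile(r"SSH client hassh fingerprint: (?P<hassh>[0-9a-f]{32})")
LOGIN_RE = re.compile(r"login attempt \[b'(?P<user>[^']*)'/b'(?P<pw>[^']*)'\] (?P<result>succeeded|failed)")
OPEN_RE = re.compile(r"SFTP openFile: b'(?P<path>[^']*)'")
UPLOAD_RE = re.compile(r'SFTP Uploaded file "(?P<name>[^"]+)" to (?P<path>\S+)')
LOST_RE = re.compile(r"Connection lost after (?P<secs>\d+) seconds")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


@dataclass
class Session:
    transport: str
    src_ip: str
    session_id: Optional[str] = None
    client_version: Optional[str] = None
    hassh: Optional[str] = None
    logins: list = field(default_factory=list)   # (user, password, result)
    opened: list = field(default_factory=list)   # remote paths opened over SFTP
    uploads: list = field(default_factory=list)  # (client-side name, stored path)
    duration: Optional[int] = None               # seconds until "Connection lost"


def stored_name_is_sha256(path: str) -> bool:
    """Cowrie stores a captured file under its SHA-256 digest; check the basename has that shape."""
    return bool(SHA256_RE.match(path.rsplit("/", 1)[-1]))


def parse_cowrie_log(lines):
    """Group Cowrie text log lines into Session objects, keyed by transport tag."""
    sessions = {}
    pending = {}  # src ip -> session id announced by the factory before a transport tag exists
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src, msg = m.group("src"), m.group("msg")
        nc = NEW_CONN_RE.search(msg)
        if nc:
            pending[nc.group("ip")] = nc.group("sid")
            continue
        t = TRANSPORT_RE.search(src)
        if not t:
            continue  # debug lines without a transport tag are not needed for the summary
        key = (t.group("n"), t.group("ip"))
        s = sessions.get(key)
        if s is None:
            s = Session(transport=t.group(0), src_ip=t.group("ip"),
                        session_id=pending.pop(t.group("ip"), None))
            sessions[key] = s
        if (v := VERSION_RE.search(msg)):
            s.client_version = v.group("ver")
        elif (h := HASSH_RE.search(msg)):
            s.hassh = h.group("hassh")
        elif (lg := LOGIN_RE.search(msg)):
            s.logins.append((lg.group("user"), lg.group("pw"), lg.group("result")))
        elif (o := OPEN_RE.search(msg)):
            s.opened.append(o.group("path"))
        elif (u := UPLOAD_RE.search(msg)):
            s.uploads.append((u.group("name"), u.group("path")))
        elif (lo := LOST_RE.search(msg)):
            s.duration = int(lo.group("secs"))
    return list(sessions.values())


def sessions_with_uploads(sessions):
    """Sessions worth pulling the stored file for: anything that wrote through SFTP."""
    return [s for s in sessions if s.uploads]


# Sample input: first session copied from the log above, second session constructed.
SAMPLE_LOG = """\
2024-08-06T06:45:54+0000 [cowrie.ssh.factory.CowrieSSHFactory] New connection: 172.17.0.1:47890 (172.17.0.3:2222) [session: e8b0ede018b3]
2024-08-06T06:45:54+0000 [HoneyPotSSHTransport,2,172.17.0.1] Remote SSH version: SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3
2024-08-06T06:45:54+0000 [HoneyPotSSHTransport,2,172.17.0.1] SSH client hassh fingerprint: aae6b9604f6f3356543709a376d7f657
2024-08-06T06:45:56+0000 [HoneyPotSSHTransport,2,172.17.0.1] login attempt [b'root'/b'test'] succeeded
2024-08-06T06:46:06+0000 [HoneyPotSSHTransport,2,172.17.0.1] SFTP openFile: b'/root/virus.bin'
2024-08-06T06:46:06+0000 [HoneyPotSSHTransport,2,172.17.0.1] SFTP Uploaded file "virus.bin" to var/lib/cowrie/downloads/370e0efc52f7577cbe99b7a8f5229e03fca23a81872be3f4b2d58198a1ed5fcc
2024-08-06T06:47:04+0000 [HoneyPotSSHTransport,2,172.17.0.1] Connection lost after 69 seconds
2024-08-06T07:01:10+0000 [cowrie.ssh.factory.CowrieSSHFactory] New connection: 203.0.113.7:51234 (172.17.0.3:2222) [session: 0123456789ab]
2024-08-06T07:01:11+0000 [HoneyPotSSHTransport,3,203.0.113.7] login attempt [b'admin'/b'admin'] failed
2024-08-06T07:01:12+0000 [HoneyPotSSHTransport,3,203.0.113.7] Connection lost after 2 seconds
"""

if __name__ == "__main__":
    for s in sessions_with_uploads(parse_cowrie_log(SAMPLE_LOG.splitlines())):
        print(f"{s.session_id} {s.src_ip} client={s.client_version} hassh={s.hassh} {s.duration}s")
        for name, path in s.uploads:
            print(f"  uploaded {name!r} -> {path} (sha256 name: {stored_name_is_sha256(path)})")
```

Feed it the same lines the container prints (or the cowrie.log file Cowrie writes under var/log/cowrie/ by default); if you mount that directory and var/lib/cowrie/downloads/ out of the container with docker's -v option, both the log and the captured files survive a container restart, and the stored path of each upload is what you hand to your file-analysis tooling.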