Take you to T-POT: Introduction, installation, use, optimization, update of the Multi-honeypot platform revolution

T-pot 19.03 t-pot 19.03 runs on heavily run Docker (Sid), docker-compose and includes dockerized versions of the following honeypots adbhoney, ciscoasa, conpot, cowrie, dionaea, elasticpot, glastopf, glutton, heralding, honeypy, honeytrap, mailoney, medpot, rdpy, snare, tanner Furthermore we use the following tools Cockpit for a lightweight, webui for…

T-Pot:Multi-Honeypot-Platform-Revolution

Take you to the T-POT platform revolution: brief, install, use, optimize, update

0 x00 briefly

1. Project Introduction

DTAG Community honeypot project, official profile, project address

2. System architecture

T-pot Mumulti-Honeypot platform-Revolution system architecture diagram

3. Situation overview

Collect statistics on attack behaviors in real time, clear statistics on various reports, and accurately locate the attack source IP address and real geographical location.

4. Technical concepts

T-pot Is a Linux-based network installer. The honeypot daemon and other supporting components in use have been containerized using Docker. This allows us to run multiple honeypot daemons on the same network interface, while keeping the footprint small and limiting each honeypot to its own environment.

(1) Dockerized Honeypots

The t-pot contains the following types of Dockerized Honeypots

  • Adbhoney low interaction industrial control honeypot provides a range of generic industrial control protocols that can simulate complex industrial control infrastructure.

  • Ciscoasa is based on the interactive SSH honeypot modified by Kippo, which can record the violent attacks on accounts and passwords, provide a forged file system environment to record the hacking operations, and save the files downloaded through wget/curl and the files uploaded through SFTP and SCP.

  • Conpot low interaction industrial control honeypot, providing a range of generic industrial control protocols, capable of simulating complex industrial control infrastructure.

  • Based on the interactive SSH honeypot changed by Kippo, Cowrie can record the violent attacks on accounts and passwords, provide a forged file system environment to record the hacking operations, and save the files downloaded through wget/curl and the files uploaded through SFTP and SCP.

  • Dionaea Dionaea is an application running on Linux. It runs in the network environment. It opens the default port of common Internet services, simulates the normal service to give feedback when there is an external connection, and records the incoming and outgoing network data flow. The network data is processed according to categories after being detected by the detection module. If shellcode is present, simulation is carried out. The program will automatically download the malicious files specified in Shellcode or the following attack command.

  • Elasticpot simulates the neck-pot of elastcisearch RCE vulnerabilities by using a fake function to respond to requests from /,/_search, / _Nodes for vulnerable ES instances in JSON format.

  • Glastopf Honeypot for low interaction Web applications. Glastopf Honeypot is capable of simulating thousands of Web vulnerabilities, responding to different attack methods, and collecting data from the attack process on the target Web application. Its goal is to achieve low interaction for automated vulnerability scanning/exploitation tools by categorizing vulnerability exploitation modes and returning reasonable results for a certain type of exploitation mode.

  • Glutton all eat honey pot, can feed the honey pot.

  • Heralding a document to capture a honey pot.

  • Honeypy a low interaction honeypot with stronger media interaction. HoneyPy is written in Python for ease of use: deploy, extend functionality with plug-ins, and apply custom configurations. The level of interaction is determined by the functionality of the plug-in. Plug-ins can be created to simulate UDP-based or TCP-based services to provide more interaction. By default, all activity is logged to a file, but publishing honeypot activity to Twitter or a Web service endpoint is fine.

  • Honeytrap observes attacks on TCP or UDP services, emulates well-known services as a daemon, and is able to analyze attack strings and execute instructions to download files accordingly.

  • Mailoney SMTP honeypot, open relay, reputation collector written through Python.

  • medpot

  • Rdpy is an RDP and VNC protocol implemented in Python. Rdpy can be used as both a server and a client. Rdpy also provides a honeypot for recording RDP processes

  • Snare SNARE /Tanner is the successor to Glastopf, the Web honeypot. A SNARE is a Web application honeypot sensor that can attract all kinds of malware from the Internet.

  • Tanner Snare/Tanner is the successor to The Web honeypot Glastopf. TANNER is a remote data analysis and classification service used to evaluate HTTP requests and compose responses to SNARE event services.

(2) Further Tools

The following tools are installed on the host

  • Cockpit for a lightweight, webui for docker, os, Real-time Performance Monitoring and Web Terminal.Cockpit makes It easy for Linux system administrators, system maintainers, and developers to manage their servers and perform simple tasks. Such as managing storage, detecting logs, starting or stopping services, and a few other tasks. Its reporting interface adds some nice features that make it easy to switch between the terminal and the Web interface. In addition, it not only makes it easy to manage a single server, but more importantly, multiple servers connected over the network can be managed simultaneously in one place with a single click.
  • Cyberchef a web app for encryption, encoding, compression and data analysis. British intelligence agency GCHQ has released a new open source Web tool that could help security researchers better analyze and decrypt data. The tool is called CyberChef, and it has been described by GCHQ as the Online Swiss Army Knife. CyberChef is a very simple and intuitive Web application that allows users to perform a wide variety of Web operations in a Web browser. These operations include creating hexdumps, doing simple encodings like XOR or Base64, performing complex encryption processes like AES, DES, and Blowfish, compressing or decompressing data, calculating hashes and checksums, and parsing IPv6 and X.509 data.”
  • ELK stack to beautifully visualize all the events captured by T-Pot. Gracefully visualize attack events captured by t-pot
  • Elasticsearch Head a web front end for browsing and interacting with an Elastic Search cluster. A Web front end to browse and operate the ElasticSearch cluster.
  • Spiderfoot an Open source Intelligence Automation tool. Spiderfoot is a free, open source web information collection tool written in Python. Suitable for Linux, *BSD and Windows systems. In addition, it provides users with an easy-to-use GUI interface. In terms of functionality, SpiderFoot is also very considerate for us. Through SpiderFoot, we can obtain all kinds of information about the target, such as website subdomains, email addresses, Web server versions, and so on. SpiderFoot’s simple Web-based interface enables you to start scanning immediately after installation – simply set up the target domain name to scan and enable the appropriate scan module.
  • Suricata a Network Security Monitoring engine. Open source network security threat detection engine.

0 x01 installation

1. Environment preparation

  • The Debian version 9.7 or later is recommended. The Debian version is debian-9.9.0-AMd64-xFCE. The Debian version is Debian Release.

  • 6-8 GB RAM (less RAM is possible but might introduce swapping)

  • 128 GB SSD (smaller is possible but limits the capacity of storing events)

  • Network via DHCP

  • A working, non-proxied, internet connection

2. Project download

git clone https://github.com/dtag-dev-sec/tpotce
Copy the code

3. Install the script

cd tpotce/iso/installer/
su root
Copy the code
  • 3.1 Method 1: Manual configuration
./install.sh --type=user
Copy the code
  • 3.2 Method 2: Automatic configuration
Cp tpot.conf.dist tpot.conf. /install.sh --type=auto --conf=tpot.conf Password w3b $ecretCopy the code

The installation process takes a long time because the files to be downloaded are mostly from foreign sources. After the installation is complete, the system will automatically restart.

3. First run

  • SSH and Web Access

    Browser and access the Admin UI: https://<your.ip>:64294

    SSH to access the command line: ssh -l username -p 64295 <your.ip>

user: [tsec or user] you chose during one of the post Debian install methods

pass: [password] you chose during the Debian installation

  • Kibana Dashboard

    Browser and access the Web UI: https://<your.ip>:64297

User: [user] you chose during the installation, according to tpot.conf pass: [password] you chose during the installation, according to tpot.conf user name webuser, w3b$ecret

0 x02 use

1. Server management: Web Access

(1) System

Cockpit Overview

(2) Container

Cockpit Containers

The login user needs to be added to the Docker user group.

$sudo usermod -ag docker $USERCopy the code

(3) Terminal

Cockpit Terminal

2.Tools

(1) Cyberchef

(2) ES Head Plugin

(3) the Spiderfoot

Honeypot visualization: Kibana Dashboard

Involves a lot of Kibana visual configuration,

0 x03 optimization

Updates

For the ones of you who want to live on the bleeding edge of T-Pot development we introduced an update feature which will allow you to update all T-Pot relevant files to be up to date with the T-Pot master branch. If you made any relevant changes to the T-Pot relevant config files make sure to create a backup first.

  • The Update script will
  • merciless overwrite local changes to be in sync with the T-Pot master branch
  • upgrade the system to the packages available in Debian (Sid)
  • update all resources to be in-sync with the T-Pot master branch
  • ensure all T-Pot relevant system files will be patched / copied into the original T-Pot state

You simply run the update script:

cd /opt/tpot/
./update.sh -y
Copy the code

0x04 Update log

20 Aug 2020

T – Pot released Version 20.06

20 Aug 2020 On June, We finally released T-pot 20.06 after an extensive period of testing to ensure the update process (which is) Still in beta) is not likely to break things. With T-pot 20.06 released we are proud to see that T-pot is now growing Faster than before. t-pot 20.06 comes with new honeypots, such as Dicompot, A new Elasticpot and HoneySAP. All of which have Kibana dashboards available to get you covered…

The Upgrade from 19.03 x

If you are running T-pot 19.x you can upgrade to T-pot 20.06.0 by running /opt/tpot/update.sh. Please be aware of upgrades can break things, so please backup all of your data or take snapshot of your machine before you run the update procedure. To protect possible changes of your Kibana objects you need to manually export (backup) your objects and manually import (overwrite) the provided T-Pot Kibana Objects after upgrading.

Changelog

  • Release T – Pot 20.06.0

After 4 months of public testing with the NextGen edition T-Pot 20.06 can finally be released.

  • Debian Buster

With the release of Debian Buster T-Pot now has access to all packages required right out of the box.

  • Add new honeypots

①Dicompot by @nsmfoo is a low interaction honeypot for the Dicom protocol which is the international standard to process medical imaging information. Together with Medpot which supports the HL7 protocol T-Pot is now offering a Medical Honeysap by SecureAuthCorp is a low interaction honeypot for the SAP services, In case of T-pot configured for the SAP router. ③Elasticpot by Vesselin Bontchev replaces ElasticpotPY as a low interaction honeypot for Elasticsearch with more features, plugins and scripted responses.

  • Rebuild Images

All docker images were rebuilt based on the latest (and stable running) versions of the tools and honeypots. Mostly the Images now run on Alpine 3.12 / Debian Buster. However some honeypots/tools still reuire Alpine 3.11/3.10 to run properly.

  • Install Types

All docker-compose files (/opt/tpot/etc/compose) were remixed and most of the NextGen honeypots are now available in Standard. There is now a Medical Installation Type with Dicompot and Medpot which will be of most interest for medical institutions to get started with T-Pot.

  • Update Tools

Connecting to T-Pot via https://:64297 brings you to the T-Pot Landing Page now which is based on Heimdall and the Latest NGINX enforcing TLS 1.3. The ELK stack was updated to 7.8.0 and stripped down to The necessary core functions (where possible) for T-Pot while keeping ELK RAM requirements to a minimum (8GB of RAM is recommended now). The number of index pattern fields was reduced to 697 which increases performance significantly. There are 22 Kibana Dashboards, 397 Kibana Visualizations and 24 Kibana Searches readily available to cover all your needs to get started and familiar Cyberchef was updated to 9.21.0. Elasticsearch Head was updated to the latest version available on GitHub. Spiderfoot was updated to latest 3.1 dev.

  • Landing Page

After logging into T-Pot via web you are now greeted with a beautifully designed landing page. Countless Tweaks and improvements Under the hood lots of tiny tweaks, improvements and a few bugfixes will increase your overall experience with T-Pot.