• Legal Crap
◇ Don't perform this stuff on a target you don't have explicit written legal permission for. If you choose to do so anyway, you're on your own in taking that risk. Best to do this stuff with Azcwr or in your own lab environment.
• Topic Discussion
◇ T-Pot Honeypot Program
◇ Some way to host or install the program, be it on a bare-metal box, a virtual machine, or a VPS. Be sure to read the requirements on the GitHub links above.
◇ I chose to host it on my own virtual server.
▪ VM Specs:
- 2x CPUs
- 8GB RAM
- 100GB Storage
◇ I was looking for something like a Swiss Army knife for honeypots so that I could visualize what all these hits on my firewall are actually doing.
◇ My main requirement was that I didn't want to run a bunch of physical boxes, or virtual machines for that matter, each running one or a few honeypots.
◇ That also means keeping track of all the firewall rules I'd have to point at each type of honeypot. Crazy in my mind.
◇ And it had to be open source. Sure, there are packages out there that you can pay for; I don't feel like paying $$$.
◇ In my searching I came across this T-Pot program.
◇ Here's a quick graphic showing what T-Pot does: which honeypots are included, and how information is gathered, stored, accessed, and visualized. (Warning: busy graphic below.)
▪ Full size graphic link: https://github.com/dtag-dev-sec/tpotce/blob/master/doc/architecture.png
◇ The biggest thing that led me to install and try this out is that it bundles all of those honeypots in one simple package.
◇ Below are the current honeypots being used by T-Pot as of this article
◇ Below are the tools used to access the data stored by the honeypots
• Setup & Execution
◇ Setup of T-Pot was really straightforward. I chose to install it on a Debian 10 (Buster) image on my VPS.
◇ During the install I chose the NextGen install type.
◇ Once the installer finished, the system rebooted, and access was verified via a web browser.
◇ Then it was as simple as forwarding all the honeypot ports from my firewall to the T-Pot VM and letting it run overnight to capture what happens in the virtual Wild West.
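Added example for the port-forwarding step above; this is not code from the original post or from the T-Pot project. It prints the iptables DNAT and FORWARD rules that send a list of honeypot ports from the firewall's WAN interface to the T-Pot VM, and it refuses to forward T-Pot's own management ports (per T-Pot's documented defaults: 64294 Cockpit, 64295 SSH, 64297 web UI) so Kibana never ends up exposed to the attackers you are trying to watch. The interface name `eth0`, the VM address `10.0.0.5`, and the port list are assumptions for illustration, not T-Pot's complete port map.

```shell
#!/bin/sh
# Added example: generate the iptables rules that forward honeypot ports
# from the firewall's WAN interface to the T-Pot VM. It only prints the
# rules so you can review them; run the output as root on the firewall
# to apply. Interface, VM address and port list below are assumptions
# for illustration, not T-Pot's full port map: check `docker ps` on the
# T-Pot host for the ports your chosen install type actually exposes.

WAN_IF="${WAN_IF:-eth0}"          # assumed WAN interface on the firewall
TPOT_IP="${TPOT_IP:-10.0.0.5}"    # assumed LAN address of the T-Pot VM
# Illustrative subset of ports the bundled honeypots listen on (22/23 Cowrie,
# 21/445/1433/3306 Dionaea, 80/443 web honeypots, and so on).
HONEYPOT_PORTS="${HONEYPOT_PORTS:-21 22 23 25 80 110 143 443 445 1433 3306 5900 8080}"

# tpot_check_ports PORT...
# Refuse to forward T-Pot's own management ports (SSH is moved to 64295,
# the web UI lives on 64297, Cockpit on 64294) so the admin interfaces are
# never exposed to the internet by accident. Also rejects non-numeric
# input. Returns 1 on any hit, 0 if every port is safe to forward.
tpot_check_ports() {
  for p in "$@"; do
    case "$p" in
      64294|64295|64297)
        echo "refusing to forward T-Pot management port $p" >&2
        return 1 ;;
      *[!0-9]*|'')
        echo "not a port number: '$p'" >&2
        return 1 ;;
    esac
  done
  return 0
}

# tpot_dnat_rules WAN_IF TPOT_IP PORT...
# Emit, per port, a PREROUTING DNAT rule (rewrite the destination to the
# VM) and a FORWARD rule that lets only new inbound connections to that
# port through. Replies are covered by the ESTABLISHED,RELATED rule below.
tpot_dnat_rules() {
  wan="$1"; dst="$2"; shift 2
  for p in "$@"; do
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
      "$wan" "$p" "$dst" "$p"
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
      "$wan" "$dst" "$p"
  done
}

# Needed once so the honeypot's replies make it back out to the attacker.
tpot_established_rule() {
  printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# Print the full rule set; word splitting of HONEYPOT_PORTS is intentional.
if tpot_check_ports $HONEYPOT_PORTS; then
  tpot_established_rule
  tpot_dnat_rules "$WAN_IF" "$TPOT_IP" $HONEYPOT_PORTS
fi
```

Run it on the firewall, read the printed rules, then pipe them into `sh` as root (with IP forwarding enabled). Reach 64295 and 64297 only from your admin network; the whole point of the exercise is that attackers hit the honeypots, not Kibana.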
◇ From the Kibana link you will see the main T-Pot dashboard along with all the other dashboards set up for each individual honeypot.
◇ Think of T-Pot as the top-level dashboard. Information comes in and is displayed there.
◇ If you need to dig deeper, locate which honeypot the data is coming in at and then select that honeypot's dashboard.
◇ Below are images from the main T-Pot dashboard. It looks like drinking from a firehose; however, once you get a handle on how the data comes in, it's easy to navigate.
◇ Below is an image of the Cowrie honeypot dashboard showing what's been attempted against it.
• Issues I Had & Explanation
◇ One of the biggest issues I had was trying to install it on a no-frills Ubuntu 16 or 18 LTS virtual machine. T-Pot has a makeiso function that I didn't go very far down the rabbit hole to figure out.
◇ With that, I decided to pull a Debian 10 ISO and install it on a blank virtual machine. This was the easiest route. Your mileage may vary.
◇ All in all, it's a pretty cool system for seeing what's going on at a deeper level, instead of a firewall log showing connections being dropped or forwarded.
◇ Huge thanks go to XXXTheInternXXX.
◇ Once the system was set up he graciously volunteered to put it through some small paces to verify functionality,
◇ along with trying a few things up his sleeve on the VM.