Blue Team Project: Building a Honeypot with a Data Dashboard.


You know, there is a ton of Red Team stuff to do, be it TryHackMe/HackTheBox, Bug Bounties or playing in CTFs. You can really dig into the Red Team side of Cybersecurity. This is fantastic and transferable for the most part, but when it comes to getting Blue Team experience without a Blue Team job, the kind that helps with resume building for SOC Analyst or other entry level roles, it feels a bit limited at times. So I really jump on any project that falls more into the defensive category. I was voicing this to a Senior Threat Analyst at a local Cybersecurity meetup the other day and he pitched me this idea (among others, more on that later), but I had never heard of it. I was planning to set up a Honeypot on my own, but little did I know there is a whole project already in place for building a Honeypot and tracking the attacks. On top of that, you contribute to the Defensive Community! This project is the SANS Internet Storm Center project.

About Internet Storm Center

The history and information about the SANS Internet Storm Center can be found in this video, but to give you an idea as to what the project is about, the name says it all: "Storm Center". Like any other storm center, it is an aggregation of data collected from sensors. Rather than getting weather reports, this project collects data from Honeypots set up around the world that send telemetry back to SANS about the types of connections or attacks hitting the Raspberry Pis, VMs or other devices taking part in the project. The Internet Storm Center started back in the late '90s, when Y2K was at the top of everyone's mind. It was self-reported back then and served as a way to monitor vulnerabilities hackers might take advantage of while machines were being updated for Y2K. This grew into what we will be working on in this project. I hope that you decide to take part in the Internet Storm Center and learn as much as I did while working through this.

I have a Raspberry Pi Zero W hanging around, but this project needs an Ethernet port. I jumped on eBay but was outbid and sniped for every single Raspberry Pi due to a shortage at the moment. Rather than throw in the towel or pay entirely too much for one, I sought out an alternative. I won't go into details as to what other System on a Chip (I'm sure there is a SOC joke here but I can't think of one) devices are available and which works best for what; there are plenty of YouTube videos from far more knowledgeable people than I on the subject. I landed on the Libre Computer Le Potato, partially because I like the name, but the price point of $35 new for 2 GB of RAM and a lot of the same bells and whistles as a Raspberry Pi 3 sold me on it.

However! Mine got stuck in a boot loop. I spent a long time thinking this was me, but it's an issue with USB scanning. Click here if you have this issue.

Setting up the Libre Le Potato is really straightforward. I went with the Raspbian OS and used the Raspberry Pi Imager to configure the SD card. Instructions for finding the OS designed for your board can be found on the Libre website, along with how to configure and update your device. I won't go over these steps as this type of walkthrough can be found in a lot of places online, but I will remind you to change the default password: there is a step later on that will not install if you are still using the default username and password. If you have any questions, please feel free to leave a comment.

Now that your Libre or Raspberry Pi is up and running with the basic setup, plug your device into an Ethernet port on your router and update by running the below, then restart.

sudo apt-get update
sudo apt-get upgrade
sudo reboot

You will also need Git installed, so run the below command in the Terminal.

sudo apt install -y git

Also, make sure you enable SSH, either by using the GUI and navigating to Start > Preferences > Raspberry Pi Configuration > Enable SSH, or by launching your Terminal, running the below and navigating to SSH from there.

sudo raspi-config

It's time to get your network configured. The video from SANS has an overview of the type of network setup you may have; you can watch that here, but further on in that video the links no longer work, so I will provide the commands later. Setting up your network could be as simple as finding your router's IP address with ifconfig/ipconfig, navigating to that IP address, signing in with your admin credentials (if they are the default, change them while you are there), finding your Raspberry Pi/Libre, setting Port Forwarding to it (ports 22, 23, 443, 80 and 8000, but that is up to you; this installation will set up alternative ports for these) and reserving its IP address or setting it statically. However, in the world of user friendly devices this may take more doing. I wrote a post describing my adventure in setting up Port Forwarding on an Xfinity router; it was a whole thing. You can check it out here.

Alternatively, you can put it in a DMZ. I wouldn't suggest this as it opens up a much larger hole in your network, but live your life.

Time to clone the repository. We've already installed Git, so all we need to do is pull down the installer.

git clone https://github.com/DShield-ISC/dshield.git

Let's change directory.

cd dshield/bin/

Now that we're in the correct directory, we can install some prerequisites. Ignore any errors you see; this step is optional, so don't sweat it too much.

sudo ./prep.sh

An API key is going to be needed for the next step. If you haven't already, head to the SANS website here and create an account. Log in and navigate to My Account; your API key will be at the top. Please note that this key should remain private. If you do end up exposing it somehow, just reset your key. Keep this key and the email address used with SANS handy for the next part of the setup.

If you have not already, reboot the Raspberry Pi. Now, let's install DShield. Run the below command, accept the defaults, put in your API key and note any errors you get, just in case you need to do some more network configuration.

sudo dshield/bin/install.sh

Let's reboot again, then we can verify the installation. Verifying the install can happen whenever you like; just run the following.

sudo dshield/bin/status.sh

You may get an error for /var/log/dshield.log, but it may just need more time to gather information: wait 5–10 minutes and run the command again. You could also get an error for Webserver Exposed, which means your honeypot is not reachable from the internet, so check your port forwarding. If you get an error for /srv/cowrie/cowrie.cfg, run the installer again.

That's it for the installation! How do we run updates though? Well, it updates on its own and reboots once a day. However, if you want to run an update manually, run the below from inside the cloned dshield directory.

git pull

If you want to clean up the install and run updates at the same time, you can run the below from the dshield/bin directory. It may take a long time depending on your device, but let it run and check in on it.

sudo ./install.sh --update

Where’s all that fun data? Well, it could take 30 minutes to an hour to show up on the SANS website but you will see the updates on the main dashboard when you sign in. What do you do with all that fun data? Look into what they are trying on your Honeypot, use VirusTotal to look into the IP address and write a report to speak about during interviews. I am working on another post to showcase some of my findings but I would love to hear about some of yours!
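As an added example that is not part of this post or the DShield project, here is a small Python script that summarizes the Cowrie JSON log the honeypot writes, so you know which source IPs to look up on VirusTotal first. The field names (eventid, src_ip, username, password) are Cowrie's standard ones; the sample records are constructed, and on a real install you would point it at Cowrie's log file (assumed to live under /srv/cowrie, as the cowrie.cfg path above suggests).

```python
# Added example (not from the post): summarize the Cowrie JSON log written by the
# DShield honeypot, so you know which source IPs to look up on VirusTotal first.
# Field names (eventid, src_ip, username, password) are Cowrie's standard ones.
import json
from collections import Counter

# Constructed sample records in Cowrie's JSON-lines format, not real traffic.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.10", "session": "a1"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "username": "root", "password": "admin"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "pi", "password": "raspberry"}
{"eventid": "cowrie.login.success", "src_ip": "198.51.100.7", "username": "root", "password": "123456"}
{"eventid": "cowrie.command.input", "src_ip": "198.51.100.7", "input": "uname -a"}
this line is not JSON: cowrie may still be writing it, so the parser must skip it
"""


def summarize(lines):
    """Count login attempts per source IP and per credential pair, and collect
    IPs with a successful login; unparseable (partially written) lines are skipped."""
    by_ip, creds, succeeded = Counter(), Counter(), set()
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        eid = ev.get("eventid", "")
        if not eid.startswith("cowrie.login."):
            continue  # connects, commands and downloads are not counted here
        by_ip[ev["src_ip"]] += 1
        creds[(ev.get("username", ""), ev.get("password", ""))] += 1
        if eid == "cowrie.login.success":
            succeeded.add(ev["src_ip"])
    return {"by_ip": by_ip, "creds": creds, "succeeded": succeeded}


def report(summary, top=5):
    """Render the summary as plain text for notes or an interview write-up."""
    out = ["Top sources by login attempts:"]
    out += [f"  {ip:<16} {n}" for ip, n in summary["by_ip"].most_common(top)]
    out.append("Most tried credentials:")
    out += [f"  {u}:{p:<12} {n}" for (u, p), n in summary["creds"].most_common(top)]
    out.append("Sources that logged in (look these up first): "
               + ", ".join(sorted(summary["succeeded"])))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG.splitlines())))
```

To run it against the live log, replace SAMPLE_LOG.splitlines() with the lines of the cowrie.json file; the eventid filter means only login events feed the counts.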
