Yes I knew it was a honeypot. Which is why I replaced the honeypot that you had with my own honeypot. To make it look real to you, I fabricated a bunch of attack attempts and routed all the legit attempts to my honeypot, giving me all their activity and zero day attacks that were tried. Better luck next time, John.
A lot of the login attempts are probably bots trying to hack you that don't even know about the challenge. When I got my first Raspberry Pi I had port 22 exposed for a few days and I had thousands of login attempts when I read through the logs.
@Bossanova Yeah, how many boxes have you rooted, how many vuln reports have you written? Calling these guys having some fun on an advertised CTF 'skiddies' is such an obvious self-report lmao
Before you said it was a honeypot I was concerned that some bad actor would just make it their honeypot. Assuming you had good intentions. I learned multiple valuable lessons. 1) Don't trust anyone. 2) Protect yourself. 3) If it's too easy, it's too easy.
@sumukhchitloor6259 With all that dramatic music I was hoping he was about to go into a rant about how everyone DDoS'd him off the net. Well guys, couldn't get anything for the video, so here are some generic tips for everyone. lol
I love all of this. You gave an easy target for the less experienced such as myself, but you also ended up turning it all into a lesson for not only yourself but everyone who tried and failed to notice it was a honeypot. I didn't know about this challenge but I love the concept of all of it. Subbing for future content!
@johndank2209 You'll realize that most people don't even use their IP, especially the good hackers like those shown in the vid, because they trust John would not do anything with their data.
@bikdigdaddy Yes, you're correct, most normal IPs are residential or similar and are dynamic, meaning it won't be of much harm. However, some may also be static IPs, or some have yet to change, or are assigned to specific geographical regions or ISPs, or can be logged during the upload of the video, or they are assigned from a limited pool of addresses controlled by the ISP. Either way, releasing IPs is still dangerous as they can be used maliciously or similar during the upload of the video, which this video is not trying to cause.
I love the part where you just dig through the data. It's always nice to have you explain the fun and funky stuff going on, especially the things you didn't expect users to do :D Would love to see something like this again ^^
@oneyw9391 Yes, this would be great XD I think with a little bit of JS, CSS or else... someone could build an amazing animation showing all actions on a timeline which can be run like a video... maybe use a slider or whatever to progress the data XD
@johndank2209 It was a public invitation, some people may have tried it out of curiosity with no understanding of the field, this being their first time ever messing with something like it.
It would be neat if there was an SSH daemon that once it detected a brute force or other problematic login attempts, placed the user into a honeypot server as opposed to live. But you know, even the web interface would update based on your changes, but only for the individual user. I know it would be complicated, but I also know it would be doable.
Actually, it's an actual technique used by some companies. They set up decoy machines exposed to the internet, or only to the intranet, and they simulate their company network, sometimes even simulating user activity, and if the hacker goes to hack that network and pivots to other machines, the SOC can track their movement and block them out.
Up to the point I learned it's not hosted by the same person who issued the invite I thought it was a fun idea. But then I got worried for all the folks who were baited into trying to hack into Digital Ocean's infrastructure.
I felt something abnormal at hydra so I left at hydra. I found 22, and a different port came open my way. But the other port didn't respond again. No banner either. 😂 Edit: I've put a message at the login attempt, so that you can know that I found you at SSH itself. I suspected you must be logging, as I already said, so I stopped at the SSH login itself.
Well, I've run more than a few Cowrie instances myself (it was how a colleague and I made the initial discovery of the Hajime worm). For me, the biggest clue that this is a honeypot is the hostname being set to the default "svr04" :)
Would have been interesting if you had set up different honeypots for each site it was posted on, to see if the users from different sites had different techniques.
I'm not a big social media user so I never saw the tweet or post on LinkedIn. You should consider posting things like this on the community tab of your page. Great video, as always!
If they had super user perms, they could do a nice coredump and even if on a modern machine it is ungodly and unreadable by a human, by patterns you can see that it's not a genuine install, or at least probably. Edit: Or if you can't turn it on, it's also suspicious.
Yes i was hable to hakk it and i found out it was caw dairy that you used i also removed the honey dog server and I had complete aces of the server and i made all so eficient i only required one atempt and i also added mine cripto minor and a maincrazt server i play with all my frends theyre real i have much frends.
People who hacked in were questioning "internet access" as in outgoing internet from the honey pot to the internet. Pwned boxes are a great jump point to hack other computers on the internet, and your honeypot would allow them to do that. Ephemeral filesystems will still let this happen, and even without any write access to the filesystem a user could run python interactively and paste a hacking script.
I had no idea you were such a prolific youtuber when I first met you at the hacking class you did at the connectwise conference last year. You are a TOTAL badass in my book, and a very nice gentleman. I greeted you later at the hotel's food court to tell you how much I appreciated the course. Long haired blond dude sitting in the back row. Thanks for being a cool guy :]
I think the best way to counter your experiment once one noticed it was a honeypot would've been to set up a script to send a constant stream of random strings run as commands in the terminal, so that your logs get filled with garbage. I'm not much of a hacker but I really wonder how you would've reacted if someone did that.
He would probably just use a script to sift all that garbage data out by only listing valid commands. If they're randomly trying commands, there's probably not a ton that could be done, but they'd probably run out of inputs to try and it'd just stack up.
@Jofoyo Ah yeah, it's true that it'd be easy to just check for valid commands if we just used random garbage, didn't even cross my mind. However, in the case of randomised valid commands it would be easy to run an infinite amount of them without running out. Just imagine if you ran grep with a bunch of random following words (using a mock engine to have words that make sense), poof, that's all grep gone. Then do the same with a bunch of other commands and the poor guy will have a really bad time trying to fix his logs. It might even be possible to automate the whole thing to deduce what type of input a command is expecting and generate random ones that seem likely for all commands in /bin... could be fun to code.
@sorannmw3500 Thinking about it again, I'm betting the original logs were sorted by computer or connection specific data before being merged into what he shows in the video, so he could easily clean out garbage users, which again nullifies that unless you're using thousands of proxy computers to bombard shit with, which, I think, is probably out of scope.
@Jofoyo Well, DDoS is a thing so it's not that much out of scope, but yeah, if it can be filtered by user, a DDoS spam attack would be the last valid way. In this case I can only think of one last possibility, which would be to filter out users that have done more than X number of actions. This might cut interesting content but would effectively clean the logs and require the attacker to make sure his bots only do a reasonable number of spam, which then would greatly reduce the amount of spamming in the logs.
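The filtering idea the thread arrives at (keep only recognised commands, then set aside sources that exceed a per-source action budget), as an added example that is not John's code or the video's data. It assumes Cowrie-style JSON events with eventid/src_ip/session/input fields and uses a constructed sample log.

```python
import json
from collections import defaultdict

# Constructed sample lines in Cowrie's JSON log style (assumption: the
# eventid/src_ip/session/input field names of cowrie.json); not real data.
SAMPLE_LOG = """
{"eventid":"cowrie.login.success","session":"a1","src_ip":"203.0.113.5","username":"root","password":"toor"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"203.0.113.5","input":"uname -a"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"203.0.113.5","input":"cat /etc/passwd"}
{"eventid":"cowrie.command.input","session":"b7","src_ip":"198.51.100.9","input":"xq9vz kk"}
{"eventid":"cowrie.command.input","session":"b7","src_ip":"198.51.100.9","input":"grep lorem ipsum"}
{"eventid":"cowrie.command.input","session":"b7","src_ip":"198.51.100.9","input":"grep dolor sit"}
{"eventid":"cowrie.command.input","session":"b7","src_ip":"198.51.100.9","input":"grep amet foo"}
{"eventid":"cowrie.command.input","session":"b7","src_ip":"198.51.100.9","input":"grep bar baz"}
{"eventid":"cowrie.command.input","session":"c3","src_ip":"192.0.2.77","input":"free -m"}
"""

# Small allowlist of command names an analyst would expect in a shell session.
KNOWN_COMMANDS = {"uname", "cat", "ls", "grep", "free", "wget", "curl", "id"}


def parse_commands(log_text):
    """Yield (src_ip, session, input) for every command-input event."""
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("eventid") == "cowrie.command.input":
            yield ev["src_ip"], ev["session"], ev["input"]


def triage(log_text, max_actions=3):
    """Group commands by source IP, drop random-string garbage, and split
    sources into 'kept' (within budget) and 'noisy' (more than max_actions)."""
    per_src = defaultdict(list)
    for src, _session, cmd in parse_commands(log_text):
        parts = cmd.split()
        first = parts[0] if parts else ""
        if first in KNOWN_COMMANDS:      # random-string spam never passes
            per_src[src].append(cmd)
    kept, noisy = {}, {}
    for src, cmds in per_src.items():
        (noisy if len(cmds) > max_actions else kept)[src] = cmds
    return kept, noisy
```

The noisy bucket is set aside rather than deleted, so a valid-looking flood from one source can still be reviewed separately instead of drowning the interesting sessions.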
He said it is a DigitalOcean VPS, which means they are actually still inside a virtual machine at that point. If they escape the virtual machine then they have hacked a DigitalOcean datacenter.
I'd like to see what you find on, and what happens to, a computer if you put it on the net with no virus protection or a firewall and completely exposed to the net lol. Try Win XP, Win 7, Win 10, Win 11, Ubuntu, Mac.
Pretty cool exercise. It would be interesting to leave it on for an extended period to collect, document, and publish all interesting attempts to help organizations improve their security posture.
It is hilarious to me that I would have had an easier time getting in than apparently quite a number of cybersec people, as I would have tried root/toor in the first 5 attempts. Looks like some people should update their pw-lists.
Exactly, I didn't think you'd make it that easy so I suspected something. I didn't know it was Cowrie tho. I found another SSH port on 22222, I think, which made me wonder why someone would have SSH open twice.
Most of those random user names are probably SSH scanners that aren't related to people trying to do the challenge. Stand up a new server with SSH open and just watch, you'll see junk like that.
I mean, you clearly are well capable in cybersec, so if you ask people to hack something they'd expect it to be a challenge, so if it's as easy as finding an exposed port and bruteforcing your way in, it's pretty obvious that there's something sus going on behind the scenes.
I wonder if you could use that box to masscan or some other bs. Obvious hint it's a honeypot: you set up a permanent reverse shell and it dies as soon as you disconnect.
Now it would be interesting to see if this honeypot approach could be used selectively. Maybe you really really need to access something remotely but you also want the time to shut it down should someone get their nose into it, so you add a honeypot layer. Like maybe one of the users is real and has its commands transmitted to the actual SSH session. Or maybe none of it is real but if you type your password instead of interacting with the fake session you get in. Maybe put mildly weak passwords on users so they don't notice right away it's a honeypot and that's done. Considering it's constantly surveilled, you could probably keep track of any IP that made an attempt on the "users" and refuse them even if they type the right password. Could save some time too.
I'm amused you think those 2200 IPs map to 2200 unique actors, and they aren't mostly just the typical botnets out there hammering literally everything everywhere.
Should have run a crypto miner on it while keeping the connection open so the box doesn't expire. I would have done an *online* port scan, keeping my IP secret for initial discovery. And when there would only be SSH open, I would have bailed before even touching it, knowing of the honey inside.
Can you list real block devices? If so, then what if you concatenate the entire drive along with the boot record, not just a partition? Will that work? And if it doesn't work, what if you concatenate the fake partition you have access to... would that information revealed show it's a honeypot 🍯?
Question. What if I search for the course of a ping using traceroute? I can see that it is a honeypot, right? Is the honeypot necessarily on the same network as the database server?
It was easy to know that was a honeypot when I was bruting it. I was pulling the banners of every server, very obvious, and free -gt gave invalid results for a box.
As a former Cowrie user, I can tell you that some of these commands are definitely not related to this RU-vid channel. Like the [mM]iner stuff, I've personally seen and reverse engineered that attack already on my server 😂
I'm pretty sure there would have been more or less the same number of login attempts on the machine if it was for the video. I once checked ssh logs on my server, and there were THOUSANDS of attempts.
Oh yeah, port 22 is going to get hit a ton, there are plenty of bots out there that routinely scan the entire address space looking for open SSH servers to try and exploit.
The accounting sub-directory in the gibson is working really hard. We've got this IP 108 online and workloads enough for like 10 users. I think we got ourself a hacker!