0x01 Foreword

Honeypots are an important product for detecting threats in online red-team/blue-team attack and defense exercises. Defenders often use honeypots to analyze attack behavior, capture vulnerabilities, and even counterattack. Attackers, in turn, can find and avoid honeypots using honeypot identification techniques. It is therefore necessary to study how honeypots are identified from the red team's attacking perspective.

0x02 Introduction

A honeypot is a security threat detection technique. In essence, it lures and deceives attackers, and derives its value from recording their attack logs. By analyzing a honeypot's attack records, security staff can infer the attacker's intent and methods.

According to their interaction characteristics, honeypots can be divided into low-interaction and high-interaction honeypots. The latter provide a real, easily attacked system, so that the attacker believes they are attacking a genuine target. In some real-world honeypot deployments, the defending organization (Party A) has also proposed building the honeypot system from real service components. Low-interaction honeypots are less complicated. They provide an incomplete interactive system, and some only simulate a single response. Most low-interaction honeypots on the Internet are open source. Because they are open, their features can be recognized and avoided.

In this analysis, the detection targets are open-source honeypots running with their default configuration. We investigated 19 open-source honeypots as well as honeypots with fuzz-testing features. The purpose of the analysis is to find the features of open-source honeypots from the attacker's perspective and, at the same time, to map the distribution of each kind of open-source honeypot across the Internet. The honeypots covered by this analysis are listed in Table 2-1.

Table 2-1: Honeypots analyzed in this study

0x03 Feature-based honeypot detection

3.1 Protocol response features of open-source honeypots

When some open-source honeypots emulate a protocol, their responses contain obvious features that can be used to detect the honeypot.

Take Dionaea's Memcached protocol as an example. In its Memcached implementation, Dionaea randomizes many of the parameters, but some, such as version, libevent and rusage_user, are fixed.

The honeypot can be confirmed by querying for the combination of these fixed parameters. The protocol features of other honeypots are shown in Table 3-1.

Table 3-1: Honeypots with protocol response features


3.2 Defects in protocol implementation

The protocol emulation in some open-source honeypots is imperfect. We can judge whether a service is a honeypot by sending some special request packets and examining the response.

3.2.1 SSH

SSH (Secure Shell) is an encrypted network transport protocol, most often used for remote login. An SSH server establishes a connection with a client in five steps:

1. Version number negotiation
2. Key negotiation
3. Authentication
4. Session request
5. Interaction

An SSH honeypot also has to implement these five steps when emulating the protocol. Kippo is a classic SSH honeypot that is no longer updated. It uses Twisted to emulate SSH, and the latest version of Kippo still uses the old Twisted 15.1 release. This version has an obvious feature. During the version number exchange, the client's SSH version string must take the form SSH-<major version>-<minor version>. When the version is not supported, for example SSH-1.9-OpenSSH_5.9p1, the server reports the error "bad version 1.9" and closes the connection. According to Kippo's configuration, it supports only two major versions, SSH-2.0-X and SSH-1.99-X. Any other major version produces an error.

3.2.2 MySQL protocol

Some MySQL honeypots set up a malicious MySQL server. The attacker connects to the malicious MySQL server and sends a query request, and the malicious MySQL server then reads the specified file from the attacker's machine.

https://github.com/Gifts/Rogue-MySql-Server can be used to fake a malicious MySQL server. When a MySQL client connects to it, the malicious MySQL server successfully reads the contents of the client's /etc/passwd.

Detecting this kind of honeypot can be divided into the following steps:

1. Fake a client connection to the honeypot's MySQL service.
2. Send a MySQL query request.
3. Receive the MySQL server's response.

Analysis of the packet with which the fake MySQL server asks the client to read a file shows the following structure: the length of the file name + 1, \x00\x00\x01\xfb, and the file name.

We can use a socket to build the corresponding exchange, identify the fake MySQL server and capture the name of the file it tries to read.
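The packet layout described above, parsed in Python as an added example (not code from the original article or from Rogue-MySql-Server). The sample bytes are constructed and the function names are illustrative; the header layout assumed is the standard MySQL one, a 3-byte little-endian payload length followed by a 1-byte sequence id.

```python
LOCAL_INFILE = 0xFB  # first payload byte of a "send me this file" request

def parse_mysql_packet(data: bytes):
    """Split one MySQL wire packet into (sequence_id, payload)."""
    if len(data) < 4:
        raise ValueError("truncated header")
    length = int.from_bytes(data[:3], "little")  # payload length
    seq = data[3]                                # sequence id
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return seq, payload

def local_infile_request(data: bytes):
    """Return the requested file name if the server's reply to a query
    is a LOCAL INFILE request, otherwise None."""
    _seq, payload = parse_mysql_packet(data)
    if not payload or payload[0] != LOCAL_INFILE:
        return None
    return payload[1:].decode("utf-8", errors="replace")

# Constructed samples.
# File-read request: (len("/etc/passwd") + 1) \x00\x00 \x01 \xfb file name
SAMPLE_REQUEST = b"\x0c\x00\x00\x01\xfb/etc/passwd"
# Ordinary OK packet, as an honest server would send after a simple statement
SAMPLE_OK = b"\x07\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00"

if __name__ == "__main__":
    for name, pkt in (("request", SAMPLE_REQUEST), ("ok", SAMPLE_OK)):
        print(name, "->", local_infile_request(pkt))
```

A client that never issued LOAD DATA LOCAL INFILE has no reason to receive this packet, so a client library can close the connection when it sees one; the mysql command-line client also has a --local-infile=0 option that disables the feature.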

3.2.3 Telnet

The HFish honeypot implements Telnet, which listens on port 23. By default the emulated protocol requires no authentication, and it answers each command from a response template. When the command is empty or is just a line break, it responds with the default template, whose content is test. This feature can therefore be used to detect the honeypot on its telnet service.

3.3 Obvious web features

Some open-source honeypots provide web services. These web services often have obvious features that can be used to detect the honeypot, such as a specific JS file, a build_hash or a version number.

Take HFish as an example. By default, HFish serves a WordPress login page on port 8080. The page includes a JavaScript file named x.js, which records the usernames and passwords tried in brute-force login attempts. The honeypot can be identified directly by checking for the x.js file on the WordPress login page.

Then there is the Glastopf honeypot, which obviously makes no attempt to disguise itself. It can be identified by the blog comment input box at the bottom of the page.

The web features of other open-source honeypots are shown in the following table.

Table 3-2: Honeypots with obvious web features

3.4 Context features

Some open-source honeypots have identifiable features in the context of command execution. This section takes Cowrie and HFish as examples.

In June 2020, researchers found that Aisuru, a new variant of Mirai, could detect the open-source Cowrie honeypot from the context of command execution. When the following three conditions are met, Aisuru identifies the host as a honeypot:

1. The device name is localhost.
2. All processes on the device were started on June 22 or June 23.
3. The user name is Richard.

Checking the Cowrie source code shows that, by default, the process start times returned by the ps command are either June 22 or June 23. In the latest version of Cowrie, however, Richard has been replaced by Phil, and the hostname has changed from localhost to svr04.

Inspired by Aisuru, a honeypot can be detected from some specific context. For example, the latest version of Cowrie returns fixed results for some commands: the output of cat /proc/meminfo does not change no matter how many times it is executed, which is impossible on a real system.
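An added example, not from the original article or the Cowrie project: a self-audit that a honeypot operator can run over text captured from their own deployment to see which of the default context indicators named above are still present. The sample captures and all function names are constructed for illustration.

```python
import re

# Defaults named in the text above, for older and newer Cowrie releases.
DEFAULT_HOSTNAMES = {"localhost", "svr04"}
DEFAULT_USERS = {"richard", "phil"}
DEFAULT_START_DATES = {"Jun22", "Jun23"}
MONTH_DAY = re.compile(
    r"\b(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ?(\d{1,2})\b")

def ps_start_dates(ps_output):
    """Return the set of 'MonDD' start dates found in ps-style output."""
    return {f"{m}{int(d):02d}" for m, d in MONTH_DAY.findall(ps_output)}

def audit_session(hostname, username, ps_output, meminfo_reads):
    """List the default context indicators still visible in captured output."""
    findings = []
    if hostname.lower() in DEFAULT_HOSTNAMES:
        findings.append("hostname")
    if username.lower() in DEFAULT_USERS:
        findings.append("username")
    dates = ps_start_dates(ps_output)
    if dates and dates <= DEFAULT_START_DATES:
        findings.append("process-start-dates")
    # A live kernel changes MemFree and similar fields between reads.
    if len(meminfo_reads) > 1 and len(set(meminfo_reads)) == 1:
        findings.append("static-meminfo")
    return findings

def meets_three_conditions(findings):
    """True when hostname, start dates and username all match, as in the text."""
    return {"hostname", "username", "process-start-dates"} <= set(findings)

# Constructed sample captures (not real Cowrie output).
DEFAULT_PS = """USER PID STAT START TIME COMMAND
root   1 Ss   Jun22 0:00 init [2]
root   2 S<   Jun22 0:00 [kthreadd]
root 745 Ss   Jun23 0:00 /usr/sbin/sshd"""
TUNED_PS = """USER PID STAT START TIME COMMAND
root   1 Ss   Mar03 0:04 /sbin/init
root 812 Ss   09:14 0:00 /usr/sbin/sshd"""
MEMINFO_A = "MemTotal: 4054744 kB\nMemFree: 1064316 kB"
MEMINFO_B = "MemTotal: 4054744 kB\nMemFree: 1063980 kB"

if __name__ == "__main__":
    print(audit_session("svr04", "phil", DEFAULT_PS, [MEMINFO_A, MEMINFO_A]))
    print(audit_session("db02", "ops", TUNED_PS, [MEMINFO_A, MEMINFO_B]))
```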

As for the HFish honeypot, HFish also implements SSH, which listens on port 22 by default. The honeypot's SSH service can likewise be identified easily from context. As with its Telnet service, the SSH service responds with the default template content, test, when it receives a bare carriage return or line break.

3.5 Fuzz testing features

Fuzz testing is a security testing method in which random data is fed into the system under test and the system's response or state is checked, in order to discover potential security vulnerabilities. Some honeypots use the idea of fuzz testing to build the honeypot system. From the introduction "Discover the unknown malicious software threat through the Anglerfish honeypot" by zom3y3 of NetLab, we know that fuzz-testing honeypots have the following features:

1. They respond to TCP SYN packets on any port.
2. They always return a correct response that matches the characteristics of the protocol.
3. They return a set of pre-defined or random payload features.

This kind of honeypot is easy to identify by hand. Its purpose is to simulate fuzzing features and to interfere with scanners through a large number of pre-defined keywords. This type of honeypot can be identified by cross-service features, for example an HTTP service that also responds to UPnP, or by the length or number of server entries. Because the service behind such a honeypot cannot be determined, Quake marks it as an unknown honeypot. It can be found by searching app:"Unknown honey jar".

0x04 Usage of open-source honeypots

4.1 Distribution of honeypots

After confirming the features of some open-source honeypots, we used those features to match across the whole Internet and found 369161 service records and 72948 independent IPs. The distribution of honeypots around the world and throughout the country is shown in the map.

It can be seen that, among these open-source honeypots, China has the largest number. Within China, Taiwan accounts for 1/3 and ranks first. Moreover, in the global ranking by province, Taiwan is number one.

Looking at the ASN distribution and the global top 5 ASNs, we found that most open-source honeypots are deployed in cloud advertising companies or education networks.

4.2 Life span

Combining the honeypots' service assets with the annual distribution of the top 5 ASNs, the number of honeypots had three peaks during the year, in April, June and December.

When discussing fuzz-testing honeypots earlier, we found that their responses contain many service-related keywords, which are used to disrupt scanners' service identification. Honeypots with the keyword Weblogic in the service response began to surge in November. We know that in October the WebLogic unauthorized-access vulnerability CVE-2020-14882 was disclosed. From this it can be seen that this kind of honeypot can be flexibly configured according to trending vulnerabilities in order to capture its targets.

0x05 Conclusion

In this article, we analyzed 19 common open-source honeypots through their protocol response features, defects in protocol implementation, obvious web features and fuzz-testing features. Our research found more than 369161 honeypots on the Internet. These honeypots can be detected with the simplest of features, because they are exposed on the Internet in their default configuration, which is essentially a state of self-exposure.

According to the global distribution, there are a large number of honeypots in Taiwan. In the global ASN distribution, honeypots are mainly found in cloud advertising companies and education networks. There were also three peaks in the total number of honeypots, in April, June and December. And judging from the response keywords of some honeypots, the number of honeypots may increase as trending vulnerabilities are disclosed.

Finally, all the honeypots covered in this article can be searched in Quake. We provide three channels:

1. Search for a specific honeypot directly. The search queries are in the attached file (available to all users).
2. Use type:"Honey jar" to obtain all honeypot devices on the Internet (available to senior members and lifetime members).
3. View them directly in the Quake topic column. The topic address is as follows:

