"THE STEAMING T-POT"
A PROJECT BY DARNELL MAIDEN
INTRODUCTION
IN CYBERSECURITY, THE DEFENSIVE MEASURES WE BUILD ARE ONLY AS GOOD AS THE INTELLIGENCE THEY ARE BASED ON. THIS PROJECT SHOWCASES THE CAUSE, A FAKE MACHINE THAT DETECTS AND RECORDS ATTACKERS, AND THE EFFECT, ANALYTICAL DATA ON AN ATTACK MAP THAT LETS US PINPOINT PATTERNS AND TRACE DIRECT SOURCES OR CLOSE LEADS. THIS LAB IS A DEEP DIVE INTO THE REALM OF ATTACKERS ALL OVER THE WORLD, FROM INITIAL RECONNAISSANCE TO THE DELIVERY OF MALICIOUS PAYLOADS. LET US TAKE IN THE STEAM OF RAW INTERNET NOISE AND TURN IT INTO A CUP OF SATISFYING DATA THAT WE CAN GET A HOLD OF.
THE PROBLEM:
FIREWALLS AND REACTIVE SECURITY MEASURES OFTEN LEAVE ORGANIZATIONS IN THE DARK. IF WE RELY ON SIGNATURES ALONE, WE WILL MISS ZERO-DAY EXPLOITS AND NOVEL BEHAVIORS. MANY ATTACKS GO UNNOTICED UNTIL A BREACH HAS ALREADY OCCURRED, LEAVING US UNAWARE OF THE METHODS OR ORIGINS OF THE THREAT.
THE SOLUTION:
BY DEPLOYING A HONEYPOT, WE BAIT ATTACKERS INTO REVEALING THEIR TOOLS AND INTENTIONS AGAINST AN ISOLATED MACHINE THAT HOLDS NOTHING OF VALUE. THE RAW ATTACK DATA CAN BE TURNED INTO VISUAL MAPS AND CHARTS THAT PINPOINT ATTACKER GEOLOCATIONS AND IDENTIFY ATTACK VECTORS, WHICH WE CAN USE TO BUILD BETTER DEFENSES.
TECH STACK
DIGITAL OCEAN
UBUNTU IMAGE 24.04
T-POT
LET US BEGIN...
I HEADED TO DIGITAL OCEAN TO CREATE AN ACCOUNT. THIS IS A CLOUD HOSTING PLATFORM THAT PROVIDES THE REMOTE INFRASTRUCTURE WHERE MY HONEYPOT WILL LIVE.

AFTER I CREATED MY ACCOUNT, I CLICKED ON THE DROPLETS SECTION. THIS IS WHERE I WILL MANAGE MY VIRTUAL MACHINES. THINK OF IT AS A CONTROL ROOM AND THE DROPLET AS A BLANK COMPUTER IN THE CLOUD.
ONCE I WAS IN THE DROPLETS SECTION, I SELECTED THE REGION CLOSEST TO ME, MY VM IMAGE (UBUNTU 24.04), MY DROPLET PLAN (CPU, RAM AND STORAGE), AND I ALSO SET UP THE ROOT CREDENTIALS. TWO THINGS WORTH KNOWING AT THIS STEP: T-POT'S README CALLS FOR 8 TO 16 GB OF RAM AND 128 GB OF DISK FOR A STANDARD HIVE, AND A SMALLER DROPLET WILL SWAP OR FALL OVER ONCE ELASTICSEARCH STARTS; AND AN SSH KEY IS THE SAFER CHOICE OVER A PASSWORD ON A BOX THAT IS ABOUT TO BE DELIBERATELY EXPOSED TO THE INTERNET.
OKAY, NOW IT'S TIME TO GET INTO MY VM. I'LL COPY THE DROPLET'S IP ADDRESS, OPEN UP POWERSHELL, AND LOG IN THROUGH SSH WITH THE ROOT CREDENTIALS I CREATED EARLIER.

THEN, AFTER INPUTTING MY PASSWORD, I WAS IN. THE LOGIN BANNER SHOWS THE UBUNTU RELEASE AND HOW MANY PACKAGE UPGRADES CAN AND NEED TO BE APPLIED.
NOW THAT I'M AUTHENTICATED, I'LL TYPE:
apt-get update && apt-get upgrade -y
THIS SYNCHRONIZES THE PACKAGE INDEX WITH THE REPOSITORIES AND BRINGS ALL CURRENTLY INSTALLED SOFTWARE UP TO THE LATEST, PATCHED VERSIONS BEFORE I BEGIN THE T-POT INSTALLATION.
AFTER THAT PROCESS WAS COMPLETE, I ADDED MYSELF AS A REGULAR USER AND PUT THAT USER IN THE SUDO GROUP. THIS MATTERS BECAUSE T-POT'S INSTALLER REFUSES TO RUN DIRECTLY AS ROOT: IT EXPECTS A NON-ROOT USER WITH SUDO PRIVILEGES AND ASKS FOR THAT USER'S PASSWORD WHEN IT NEEDS TO ELEVATE. CLONING THE REPOSITORY ITSELF NEEDS NO SPECIAL PRIVILEGES.

LET'S SWITCH TO THE NEW USER, CHANGE TO ITS HOME DIRECTORY AND CLONE THE T-POT REPOSITORY FROM GITHUB.


ONCE THAT WAS COMPLETE, I TYPED [ ls ] TO MAKE SURE I HAD THE "tpotce" DIRECTORY. I NAVIGATED THERE USING [ cd tpotce/ ] THEN USED [ ls ] TO LIST THE CONTENTS. I FOUND THE INSTALL SCRIPT [ install.sh ] AND BEGAN THE PROCESS BY TYPING [ ./install.sh ]. AFTER TYPING 'y' (YES), I INPUT MY SUDO PASSWORD AND THE INSTALLATION BEGAN.
MY SSH PORT FOR THE HONEYPOT HOST WILL CHANGE TO 64295. THIS IS IMPORTANT: THE INSTALLER MOVES THE REAL SSH DAEMON OFF PORT 22 SO THE COWRIE HONEYPOT CAN TAKE OVER 22 (AND 23), AND I'LL NEED 64295 TO LOG BACK IN LATER.
WHEN I GOT TO THIS SECTION, I CHOSE "H" (HIVE) FOR THE STANDARD INSTALLATION. I DIDN'T NEED ANYTHING TOO FANCY AND THIS LAB WAS A ONE-SHOT, SO SIMPLICITY IS KEY IN THIS SITUATION. AFTER THAT, THE INSTALLER ASKED FOR A WEB USERNAME, A 'y' TO CONFIRM, AND A PASSWORD. THIS IS THE LOGIN FOR THE WEB UI ON PORT 64297, SEPARATE FROM THE SSH ACCOUNT.

AFTER THE INSTALLATION WAS COMPLETE, I REBOOTED THE INSTANCE FROM THE SHELL WITH SUDO AND, FOR GOOD MEASURE, POWER-CYCLED THE DROPLET FROM THE DIGITAL OCEAN CONSOLE AS WELL.
I LOGGED BACK INTO SSH ON THE NEW PORT (NOTE THE LOWERCASE -p: IN ssh, -p IS THE PORT FLAG, WHILE UPPERCASE -P BELONGS TO scp):
[ ssh -p 64295 root@<VM-IP-ADDRESS> ]
TYPED IN MY PASSWORD AND CHECKED THE SERVICE STATUS WITH:
[ systemctl status tpot ]
NOW IF I WANT TO ACCESS THE T-POT WEB UI, I GO TO MY BROWSER AND TYPE:
[ https://<PUBLIC-IP-OF-VM>:64297 ]
THE BROWSER WARNS ABOUT T-POT'S SELF-SIGNED CERTIFICATE, AND THEN I SEE A WEB SIGN-IN PROMPT LIKE THIS. IT TAKES THE WEB USERNAME AND PASSWORD SET DURING THE INSTALL; THIS IS NOT AN SSH LOGIN.
AND BOOM, WE'RE IN
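AS AN ADDED EXAMPLE (NOT CODE FROM THIS WRITE-UP OR FROM THE T-POT PROJECT), HERE IS A SMALL POSIX SHELL SCRIPT THAT VERIFIES THE TWO THINGS THE STEPS ABOVE DEPEND ON: THAT THE HOST'S SSH MOVED TO 64295 AND THE WEB UI LISTENS ON 64297, AND THAT THE ssh COMMAND USES THE LOWERCASE -p PORT FLAG. THE ss -ltn OUTPUT EMBEDDED IN IT IS A CONSTRUCTED SAMPLE SO THE CHECKS RUN OFFLINE; PASSING --live RUNS THEM AGAINST THE REAL DROPLET INSTEAD. THE HONEYPOT PORTS 22 AND 23 IN THE CHECK ASSUME T-POT'S DEFAULT COWRIE PORT MAPPING.

```shell
#!/bin/sh
# Added example (not from the original write-up or the T-Pot project): sanity checks
# for a freshly installed T-Pot host. 64295 (SSH) and 64297 (web UI) are T-Pot's
# documented defaults; 22 and 23 are the ports Cowrie takes over in the default setup.
# SAMPLE_SS is a CONSTRUCTED "ss -ltn" output so the checks can run offline.

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:64295      0.0.0.0:*
LISTEN 0      4096         0.0.0.0:64297      0.0.0.0:*
LISTEN 0      4096         0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096         0.0.0.0:23         0.0.0.0:*
LISTEN 0      128             [::]:64295         [::]:*'

# Print the ssh command for a T-Pot host. The port flag is lowercase -p: uppercase -P
# is the port flag of scp(1), not ssh(1), and is the easiest mistake to make here.
tpot_ssh_command() {
    user="$1"; host="$2"; port="${3:-64295}"
    printf 'ssh -p %s %s@%s\n' "$port" "$user" "$host"
}

# Read "ss -ltn" output on stdin and print each listening TCP port once, sorted.
# Column 4 is "Local Address:Port"; taking the text after the last ':' handles
# 0.0.0.0:PORT, *:PORT and [::]:PORT alike.
listening_ports() {
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Succeed only if every port given as an argument is listening in the stdin output.
ports_present() {
    have=$(listening_ports)
    for want in "$@"; do
        echo "$have" | grep -qx "$want" || { echo "no listener on tcp/$want" >&2; return 1; }
    done
    return 0
}

# The management ports every T-Pot install must expose, plus the Cowrie honeypot ports.
check_tpot_listeners() {
    ports_present 64295 64297 22 23
}

if [ "${1:-}" = "--live" ]; then
    # On the droplet: real socket table plus the systemd unit the install created.
    ss -ltn | check_tpot_listeners && systemctl is-active --quiet tpot && echo "T-Pot is up"
else
    printf '%s\n' "$SAMPLE_SS" | check_tpot_listeners && echo "sample: all expected listeners present"
    tpot_ssh_command root 203.0.113.10
fi
```

RUN IT WITH --live ON THE DROPLET AFTER THE REBOOT. IF A PORT IS MISSING, [ systemctl status tpot ] AND [ docker ps ] ARE THE NEXT STOPS, SINCE EVERY HONEYPOT AND THE WEB UI RUN AS CONTAINERS STARTED BY THAT UNIT.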

LET'S BREAK THIS DOWN...
- THE "ATTACK MAP" IS A LIVE DASHBOARD THAT USES GEOIP DATA TO VISUALIZE THE REAL-TIME ORIGIN, DENSITY, AND FREQUENCY OF THE HITS THE HONEYPOTS RECEIVE. KEEP IN MIND THAT GEOIP PLACES THE SOURCE IP, NOT THE PERSON BEHIND IT; MUCH OF THAT TRAFFIC COMES FROM COMPROMISED HOSTS AND CLOUD PROVIDERS.
- "CYBERCHEF" AND "SPIDERFOOT" ARE BUNDLED FOR DECODING AND DEOBFUSCATING CAPTURED PAYLOADS AND FOR GATHERING OSINT ON ATTACKING IP ADDRESSES.
- ELASTICVUE IS A BROWSER-BASED TOOL THAT GIVES A SIMPLIFIED VIEW OF THE ELASTICSEARCH CLUSTER. IT LETS YOU INSPECT RAW INDICES, CHECK THE HEALTH OF THE DATA NODES, AND RUN MANUAL QUERIES WITHOUT THE COMPLEXITY OF THE FULL KIBANA INTERFACE.
- KIBANA IS THE OPEN WINDOW TO THE DATA WE COLLECT. IT IS THE USER INTERFACE FOR THE ELK STACK, WITH INTERACTIVE CHARTS, GRAPHS, AND PER-HONEYPOT DASHBOARDS (THE LIVE ATTACK MAP IS ITS OWN COMPONENT THAT READS THE SAME DATA). IT TURNS COMPLEX LOGS INTO A VISUAL STORY THAT IS EASY TO PRESENT AND ANALYZE.
AND NOW... FOR THE MAIN EVENT. AFTER LEAVING MY COMPUTER FOR A FEW MINUTES AND LETTING T-POT RUN WHILE I MADE BROWN RICE, I CAME BACK TO THIS MALARKEY...

MY T-POT CAUGHT ATTACKERS RED-HANDED TRYING TO BREAK INTO A FAKE MACHINE WITH NOTHING ON IT. YOU MIGHT AS WELL BREAK INTO AN ATM STOCKED WITH MONOPOLY MONEY. SORRY ATTACKERS, YOU LOSE. ONE CAVEAT: WHAT SHOWS UP IN THE FIRST MINUTES IS ALMOST ENTIRELY AUTOMATED, MASS SCANNERS AND CREDENTIAL-STUFFING BOTS THAT SWEEP EVERY PUBLIC IP, SO THE VALUE IS IN THE PATTERNS (WHICH PORTS, WHICH USERNAME/PASSWORD PAIRS, WHICH COMMANDS AFTER A LOGIN) RATHER THAN IN ANY SINGLE SOURCE ADDRESS.
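THE DASHBOARDS ABOVE ARE AGGREGATIONS OVER THE HONEYPOT LOGS, AND THE SAME QUESTIONS (WHICH SOURCES, WHICH CREDENTIALS, WHICH COMMANDS) CAN BE ANSWERED STRAIGHT FROM COWRIE'S JSON LOG WHEN KIBANA IS DOWN OR YOU WANT TO SCRIPT IT. THE FOLLOWING IS AN ADDED EXAMPLE, NOT CODE FROM THIS WRITE-UP OR FROM THE T-POT OR COWRIE PROJECTS: A POSIX SHELL SCRIPT RUN OVER A CONSTRUCTED SAMPLE OF COWRIE EVENTS (REAL COWRIE EVENT AND FIELD NAMES, RFC 5737 TEST ADDRESSES). THE LOG PATH ~/tpotce/data/cowrie/log/cowrie.json IS AN ASSUMPTION ABOUT A STANDARD T-POT 24.04 HIVE; PASS THE REAL PATH AS THE FIRST ARGUMENT.

```shell
#!/bin/sh
# Added example (not from the original write-up, T-Pot or Cowrie): the same
# "who is knocking, with what, and what did they do" summary the dashboards draw,
# pulled straight from Cowrie's JSON log with POSIX tools. SAMPLE_LOG is CONSTRUCTED
# using Cowrie's real event names and field names (eventid, src_ip, username,
# password, input) and RFC 5737 test addresses. On a T-Pot 24.04 hive the live file
# is assumed to be ~/tpotce/data/cowrie/log/cowrie.json (pass its path as $1).

SAMPLE_LOG='{"eventid":"cowrie.session.connect","src_ip":"203.0.113.5","session":"a1","timestamp":"2024-05-01T10:00:00Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.5","session":"a1","timestamp":"2024-05-01T10:00:01Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","src_ip":"203.0.113.5","session":"a1","timestamp":"2024-05-01T10:00:02Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"b2","timestamp":"2024-05-01T10:00:05Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"198.51.100.7","session":"b2","timestamp":"2024-05-01T10:00:06Z"}
{"eventid":"cowrie.login.success","username":"root","password":"123456","src_ip":"203.0.113.5","session":"a3","timestamp":"2024-05-01T10:01:00Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"203.0.113.5","session":"a3","timestamp":"2024-05-01T10:01:02Z"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.5","session":"a4","timestamp":"2024-05-01T10:02:00Z"}'

# Source of records: the file named in $1, else the constructed sample.
cowrie_input() {
    if [ -n "${1:-}" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# Print the value of one string field from each JSON line on stdin. A regex is
# enough for Cowrie's flat one-line records; it does not handle escaped quotes
# inside values (use jq for that).
json_field() {
    sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"
}

# Count identical lines on stdin and print "value count", busiest first.
rank() {
    sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Events per source IP: the "top attacker" panel.
top_sources() {
    json_field src_ip | rank
}

# username/password pairs tried against the fake SSH service, failed or accepted.
# Splitting on '"' puts each value two fields after its key.
top_credentials() {
    grep -E '"eventid": *"cowrie\.login\.(failed|success)"' \
    | awk -F'"' '{ u = ""; p = "";
                   for (i = 1; i < NF; i++) { if ($i == "username") u = $(i+2); if ($i == "password") p = $(i+2) }
                   print u "/" p }' \
    | rank
}

# Commands typed after Cowrie let a login "succeed": the payload-delivery stage.
commands_run() {
    grep '"eventid": *"cowrie\.command\.input"' | json_field input
}

echo "== events per source =="
cowrie_input "${1:-}" | top_sources
echo "== credentials tried =="
cowrie_input "${1:-}" | top_credentials
echo "== commands run =="
cowrie_input "${1:-}" | commands_run
```

BECAUSE COWRIE ACCEPTS SOME LOGINS ON PURPOSE, THE cowrie.login.success AND cowrie.command.input EVENTS ARE WHERE THE INTERESTING MATERIAL LIVES: THEY SHOW WHAT THE BOT DOES ONCE IT THINKS IT IS IN, WHICH IS USUALLY A ONE-LINER THAT FETCHES A PAYLOAD. THOSE DOWNLOADED FILES ARE WHAT CYBERCHEF IS THERE TO PICK APART.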
CONCLUSION:
ALL OF THIS STARTED FROM A BLANK UBUNTU IMAGE AND TURNED INTO A DIGITAL SNITCH THAT COLLECTS DATA ON EVERY THREAT THAT TOUCHES IT. I USED THE ELK STACK TO MY ADVANTAGE AND GOT ONE UP ON EVERY ATTACKER THAT WENT AFTER THE MACHINE. THAT STEAMING CUP I MENTIONED EARLIER? WELL, WHO KNEW VICTORY WOULD TASTE SO DAMN GOOD. I LAID OUT THE LAB'S COMPONENTS, WALKED THROUGH THE PROCESS, AND BACKED MY CASE WITH EVIDENCE. CASE CLOSED..... NOW HIRE ME SO I CAN QUIT MY PIZZA JOBS.
- S.M.