Basic Honeypot: Analysing Payload/Attacks

This is a followup to building a basic honeypot. In this post we analysing attacks that we have collected over one week, eh wait actually over only one day. It so happens that there were around 100,000 payload attack collected in one day and I think this is enough data for now to analyse (manually).

Note that the payloads below are only the first payload sent before the attacks actually begin. Also there were many attacks to discover open ports which I have ignored/not worth documenting.

Microsoft Remote Desktop Vulnerability

The large majority of attacks (a whopping 75%) sustained by the honeypot were attacks to detect vulnerable Microsoft Remote Desktop servers. The payload was as follows:

b'\x03\x00\x00+&\xe0\x00\x00\x00\x00\x00Cookie: mstshash=hello\r\n\x01\x00\x08\x00\x03\x00\x00\x00'

The attacker uses this payload to detect if there are any compromised windows machines accessible. If you are interested you can find more information here: https://medium.com/@bromiley/what-happens-before-hello-ce9f29fa0cef

Windows Authentication Protocol Exploit

This one is likely a SMB Relay attack being conducted to eventually try to gain access to a windows machine by exploiting a design flaw(at that time). The payload looks like the following:

b'\x00\x00\x00T\xffSMBr\x00\x00\x00\x00\x18\x01(\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00/K\x00\x00\xc5^\x001\x00\x02LANMAN1.0\x00\x02LM1.2X002\x00\x02NT LANMAN 1.0\x00\x02NT LM 0.12\x00'

You can read more into it here: https://resources.infosecinstitute.com/topic/exploiting-windows-authentication-protocols-part-01/

Find Accessible /.env files

This was a simple GET request to attempt to access .env file which is a configuration used by frameworks like Docker. This contains information like API keys or even passwords.

'GET /.env HTTP/1.1\r\nHost: 128.199.193.172\r\nUser-Agent: Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36\r\nAccept-Encoding: gzip, deflate\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nConnection: keep-alive\r\nCache-Control: max-age=0\r\nUpgrade-Insecure-Requests: 1\r\nAccept-Language: en-US,en;q=0.9,fr;q=0.8\r\n\r\n'

It has been reported before that botnets scan the internet to find accessible .env files to attempt attacks. I guess this is proved true here around 0.4% of the attacks were .env file discovery attacks. You can read more about it here: https://www.zdnet.com/article/botnets-have-been-silently-mass-scanning-the-internet-for-unsecured-env-files/

Android Debug Bridge Exploit

I am not sure about this but it looks like an attack to ADB and checking for shell access. Payload is as follows:

b'CNXN\x00\x00\x00\x01\x00\x00\x04\x00\x1b\x00\x00\x00M\n\x00\x00\xbc\xb1\xa7\xb1host::features=cmd,shell_v2'

No concrete reference to the payload above but the following shows the seriousness of the issue: https://labs.bitdefender.com/2018/09/hide-and-seek-iot-botnet-learns-new-tricks-uses-adb-over-internet-to-exploit-thousands-of-android-devices/

Exposed Apache Solr Admin Access

Simply an accessible admin page of Apache Solr. This should not be publicly accessible for obvious reasons.

'GET /solr/admin/info/system?wt=json HTTP/1.1\r\nHost: 128.199.193.172:8983\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n' from ('45.155.205.225', 55070)

CVE-2019-7238 RCE vulnerability in Sonatype Nexus Repository Manager

Based on the reference below this is a vulnerability present Sonatype Nexus Repository Manager installations prior to version 3.15.0. The payload attack is as follows:

'POST /service/extdirect HTTP/1.1\r\nHost: 128.199.193.172:8081\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\r\nContent-Length: 293\r\nContent-Type: application/json\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n{"action":"coreui_Component","data":[{"filter":[{"property":"repositoryName","value":"*"},{"property":"expression","value":"1==1"},{"property":"type","value":"jexl"}],"limit":50,"page":1,"sort":[{"direction":"ASC","property":"name"}],"start":0}],"method":"previewAssets","tid":18,"type":"rpc"}'

You can read more about it in this link: https://unit42.paloaltonetworks.com/hide-n-seek-botnet-updates-arsenal-with-exploits-against-nexus-repository-manager-thinkphp/

Vulnerable Ethereum Node

Although I am not sure if this attack was actually to find vulnerable Ethereum nodes, there are Ethereum nodes vulnerable to json-rpc attacks. The payload attack is as follows:

'POST / HTTP/1.0\r\nContent-Length: 51\r\nContent-Type: application/json\r\n\r\n{"id":0,"jsonrpc":"2.0","method":"eth_blockNumber"}'

As I go through the attacks collected I am realising that the list is too long and sadly won’t be able to go through all of them manually. In the coming days I will try to think of a better way to identify and categorise them.

Anyway I hope that this was informative and that this post has motivated you to take the necessary precautions. The web is a scary place!