"Please Hack My Computer"

  • Published 21 Sep 2024

Comments • 750

  • @xScopeLess · a year ago · +6842

    Yes I knew it was a honeypot. Which is why I replaced the honeypot that you had with my own honeypot. To make it look real to you, I fabricated a bunch of attack attempts and routed all the legit attempts to my honeypot, giving me all their activity and zero day attacks that were tried. Better luck next time, John.

    • @nordgaren2358 · a year ago · +387

      Pics, or it didn't happen...

    • @xScopeLess · a year ago · +1

      @nordgaren2358 for security all evidence is destroyed, sorry ¯\_(ツ)_/¯

    • @Jofoyo · a year ago · +1

      @nordgaren2358 /s

    • @senzubeats · a year ago · +105

      real

    • @jorenminer8817 · a year ago · +751

      It's true, I was there. I was the pot.

  • @LucasOe · a year ago · +5039

    A lot of the login attempts are probably bots trying to hack you that don't even know about the challenge. When I got my first Raspberry Pi I had port 22 exposed for a few days and I had thousands of login attempts when I read through the logs.

    • @drm.himself · a year ago · +155

      Those exist?

    • @lucabhrle · a year ago

      @drm.himself a fuck ton of them

    • @nullpwn · a year ago · +320

      Same with my old Nextcloud instance, a lot of Chinese bots.

    • @mattr8128 · a year ago · +651

      @drm.himself yes, lots of bots just scroll through the web looking for open ports

    • @beepboop-o5s · a year ago · +219

      @nullpwn are y'all still calling Israel China to avoid getting banned? So boring.

  • @monabuu · a year ago · +1215

    1) Sees a malicious URL in the logs of the honeypot
    2) Proceeds to copy and open said URL in the browser

    • @Jofoyo · a year ago · +219

      John's a cybersecurity researcher; I think he probably understands that there's not a ton of risk in simply opening a webpage.

    • @egillthor · 9 months ago · +89

      @Jofoyo Plus it's not like he is doing this on his personal computer lol

    • @dvxv4016 · 9 months ago · +77

      @Jofoyo there is, but I think he uses a virtual machine with an antivirus

    • @collegepark301 · 8 months ago

      @dvxv4016 Even if you download a malicious file you still have to run it, it's not going to get opened by itself or do anything

    • @dancom6030 · 8 months ago

      @dvxv4016 no reason to run an antivirus on a virtual machine lol

  • @anthonyrose8921 · a year ago · +3753

    Before you said it was a honeypot I was concerned that some bad actor would just make it their honeypot. Assuming you had good intentions. I learned multiple valuable lessons.
    1) don't trust anyone.
    2) protect yourself
    3) if it's too easy it's too easy

    • @thevalarauka101 · a year ago · +45

      haha this had 69 likes and I made it 70
      edit: yes. I am a monster

    • @thecircutandgameguy1018 · a year ago · +22

      @thevalarauka101 no

    • @khodok9636 · a year ago · +21

      @thevalarauka101 you monster 😨

    • @KeiranR · a year ago · +7

      @thevalarauka101 how dawre you!

    • @Armoire68 · a year ago · +6

      The site name made me feel if I clicked on it I would be a failure

  • @Le0pwn · a year ago · +3556

    Not a hacker, but the indicator of a honeypot is definitely telling people to try to hack it, lol.

    • @dawndrescher6485 · a year ago · +103

      Haha! Also the passwords are a dead giveaway. xD

    • @Bossanova. · a year ago · +45

      *>Not a hacker*
      Those skiddies aren’t either.

    • @cool_bug_facts · a year ago · +1

      @Bossanova. Excuse them for not being le master haxxor straight out of the womb like yourself

    • @IsAMank · a year ago · +190

      @Bossanova. Yeah, how many boxes have you rooted, how many vuln reports have you written? Calling these guys having some fun on an advertised CTF 'skiddies' is such an obvious self-report lmao

    • @Bossanova. · a year ago · +10

      @IsAMank Sure thing, now get back to pretending to be a big cool hacker.

  • @anakimluke · a year ago · +1450

    This makes me think Docker containers are more sandboxed than I'd thought? I'd love to see a video exploring the limits of the sandbox security!

    • @anonymousalexander6005 · a year ago · +246

      “A sandbox is only as sandboxed as the sandbox is sandboxed.” 👍

    • @kickeddroid · a year ago · +5

      I 100% agree

    • @oneyw9391 · a year ago · +9

      Hey, where can I find the result file of the honeypot?

    • @emil.steiner · a year ago · +12

      Well, if you don't have a real shell there's not much you can do

    • @johnsheikh3831 · a year ago · +7

      Someone correct me if I’m wrong but that’s essentially the concept. Containerizing: you getting access to one doesn't mean you have the whole thing.

  • @JBiggs32 · a year ago · +931

    Thank you. Not only did you perform the test, but you made the results available to others.

  • @jhbonarius · a year ago · +618

    I notice there are many issues with passwords. People forget them, they get hacked, etc. Just don't use them! Easier for everybody.

    • @ferd1775 · a year ago · +13

      😂

    • @stopper0203 · a year ago · +52

      WRITE THAT DOWN!!! WRITE THAT DOWN!!!!!

    • @drishalballaney6590 · a year ago · +19

      yess you can use auth files instead, just make sure to back them up properly

    • @jhbonarius · a year ago

      @drishalballaney6590 woooosh

    • @sly-shot · a year ago · +16

      @drishalballaney6590 This. Having an authorized SSH key is genuinely good for security

  • @sumukhchitloor6259 · a year ago · +2056

    It was kinda obvious that it was a honeypot

    • @Innocuils · a year ago · +134

      I thought so too... glad to know my gut feeling was correct.

    • @sumukhchitloor6259 · a year ago · +31

      @Innocuils yeah ikr

    • @DudeSoWin · a year ago · +156

      @sumukhchitloor6259 With all that dramatic music I was hoping he was about to go into a rant about how everyone DDoS'd him off the net. Well guys, couldn't get anything for the video, so here are some generic tips for everyone. lol

    • @sumukhchitloor6259 · a year ago · +5

      @DudeSoWin lmao

    • @hubertlenningrad2252 · a year ago · +14

      Was it him asking you to hack it?

  • @jeremyholland4527 · a year ago · +255

    I love all of this. You gave an easy target for the lesser experienced such as myself, but you also ended up turning it all into a lesson for not only yourself but everyone who tried and failed to notice it was a honeypot. I didn’t know about this challenge but I love the concept of all of it. Subbing for future content!

    • @johndank2209 · a year ago · +5

      At 6:00 he hides the IPs, but who launches an attack using their real IP address? Don't hackers hide that too?

    • @arcticfox037 · a year ago

      Since this obviously wasn't a serious attack there's a good chance someone might not have done this. Or they forgot to use one. Safer to hide the IPs

    • @zuberkariye2299 · a year ago · +10

      @johndank2209 You'll realize that most people don't even use IP, especially the good hackers like those shown in the vid, because they trust John would not do anything with their data

    • @Jofoyo · a year ago · +2

      @johndank2209 Not always. Besides, better safe than sorry.

  • @thomasselvig1212 · a year ago · +130

    "Why did you give it internet access?" is a valid concern because you're effectively running a Tor exit node, allowing anyone to use you as a proxy

  • @Rebouz · a year ago · +433

    I love the part where you just dig through the data
    it's always nice to have you explain the fun and funky stuff going on. Especially the things you didn't expect users to do :D
    would love to see something like this again ^^

    • @oneyw9391 · a year ago · +3

      Hey, do you know where to find the result files of the honeypot?

    • @NullUndefined1337 · a year ago

      @oneyw9391 yes this would be great XD I think with a little bit of JS, CSS or else... someone could build an amazing animation showing all actions on a timeline which can be run like a video... maybe use a slider or whatever to progress the data XD

    • @johndank2209 · a year ago

      At 6:00 he hides the IPs, but who launches an attack using their real IP address? Don't hackers hide that too?

    • @Kairi5431 · a year ago · +3

      @johndank2209 it was a public invitation, some people may have tried it out of curiosity with no understanding of the field and this being their first time ever messing with something like it

  • @Vixus · a year ago · +122

    Hahaha, pretty fun to see my honeypot echo being featured. Thanks for the fun time!
    Edit: I used rockyou and was amused that it worked :)

    • @1e1001 · a year ago · +1

      ehco

  • @simdimdim · a year ago · +381

    Up to the point I learned it's not hosted by the same person who issued the invite I thought it was a fun idea. But then I got worried for all the folks who were baited into trying to hack into DigitalOcean's infrastructure.

  • @johnclaset144 · a year ago · +50

    I had no idea you were such a prolific YouTuber when I first met you at the hacking class you did at the ConnectWise conference last year. You are a TOTAL badass in my book, and a very nice gentleman. I greeted you later at the hotel's food court to tell you how much I appreciated the course. Long-haired blond dude sitting in the back row. Thanks for being a cool guy :]

  • @f1nal_c4ll75 · a year ago · +194

    I'm not a big social media user so I never saw the tweet or post on LinkedIn. You should consider posting things like this on the community tab of your page. Great video, as always!

    • @funnymemes2440 · a year ago · +6

      I agree with this post

    • @KettLovahr · a year ago · +2

      Yeah, I would've loved to play around with this, but I don't use Twitter at all, anymore.

    • @WarNinGXK · a year ago · +1

      @KettLovahr Because now Threads exists, right? :D

    • @elllieeeeeeeeeeeeeeeeeeeeeeeee · a year ago · +6

      @WarNinGXK Threads is dying too

    • @Axodus · a year ago · +6

      @WarNinGXK Threads is dead.

  • @gUm_bY745 · a year ago · +779

    This is so awesome. Such valuable insights into how "bad actors" try and exploit

    • @johndank2209 · a year ago · +14

      At 6:00 he hides the IPs, but who launches an attack using their real IP address? Don't hackers hide that too?

    • @Theultramadman · a year ago · +44

      @johndank2209 It's just for the safety of protecting one's identity, since of course you don't want to cause potential harm if it is real.

    • @bikdigdaddy · a year ago

      @Theultramadman but aren't IP addresses dynamic? So what harm would it do?

    • @Theultramadman · a year ago · +6

      @bikdigdaddy Yes, you're correct, most normal IPs are residential or similar and are dynamic, meaning it won't be of much harm.
      However, some may also be static IPs, or some have yet to change, or are assigned to specific geographical regions or ISPs, or can be logged during the upload of the video, or they are assigned from a limited pool of addresses controlled by the ISP.
      Either way, releasing IPs is still dangerous as they can be used maliciously or similar during the upload of the video, which this video is not trying to cause.

  • @onemoreguyonline7878 · a year ago · +292

    It would be neat if there was an SSH daemon that once it detected a brute force or other problematic login attempts, placed the user into a honeypot server as opposed to live. But you know, even the web interface would update based on your changes, but only for the individual user. I know it would be complicated, but I also know it would be doable.

    • @vwvvvww · a year ago · +127

      Actually, it's an actual technique used by some companies. They set up decoy machines exposed to the internet, or only to the intranet, and they simulate their company network, sometimes even simulating user activity, and if the hacker goes to hack that network and pivots to other machines, the SOC can track their movement and block them out.

    • @onemoreguyonline7878 · a year ago · +6

      @vwvvvww neat!

    • @logiciananimal · a year ago · +11

      You might be (I'm no expert) able to do that with fail2ban and a bunch of tooling.

    • @askhowiknow5527 · a year ago · +36

      It needs to take them into an endless sparse tree of honeypots
      Using AI to create realistic BS all the way down

    • @Chriss4123 · a year ago · +17

      @askhowiknow5527 that is genius. Make them think that they’re getting closer and closer to hacking the mainframe when they’re in fact in a honeypot 😂
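
The thread above asks for an SSH daemon that notices brute forcing and diverts the attacker, and one reply points at fail2ban. The detection half of that is a sliding-window count of failed logins per source address. The following is an added example written for this page, not code from the video, from fail2ban or from Cowrie: it parses constructed OpenSSH `auth.log` lines and flags a source once it reaches `maxretry` failures inside a `findtime`-second window, the same two knobs fail2ban's sshd jail exposes. The addresses are RFC 5737 documentation ranges, the log year is pinned to 2024 because syslog omits it, and the hostname `svr04` is just the name the comments mention.

```python
"""Fail2ban-style brute-force detection over OpenSSH auth log lines.

Added example (not the video's data, not fail2ban's or Cowrie's code).
Sample lines are constructed; 203.0.113.5, 198.51.100.7 and 192.0.2.9 are
RFC 5737 placeholder addresses.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the syslog layout OpenSSH writes to auth.log.
# One fast brute forcer, one legitimate user who typoed once, one slow-and-low source.
SAMPLE_AUTH_LOG = """\
Sep 21 10:00:01 svr04 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Sep 21 10:00:03 svr04 sshd[1201]: Failed password for root from 203.0.113.5 port 51236 ssh2
Sep 21 10:00:04 svr04 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Sep 21 10:00:06 svr04 sshd[1205]: Failed password for invalid user pi from 203.0.113.5 port 51244 ssh2
Sep 21 10:00:07 svr04 sshd[1207]: Failed password for invalid user ubnt from 203.0.113.5 port 51250 ssh2
Sep 21 10:00:09 svr04 sshd[1209]: Failed password for root from 203.0.113.5 port 51252 ssh2
Sep 21 10:05:00 svr04 sshd[1301]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Sep 21 10:05:30 svr04 sshd[1303]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2: ED25519 SHA256:EXAMPLEKEYFINGERPRINT
Sep 21 11:00:00 svr04 sshd[1401]: Failed password for root from 192.0.2.9 port 3000 ssh2
Sep 21 11:30:00 svr04 sshd[1403]: Failed password for root from 192.0.2.9 port 3001 ssh2
Sep 21 12:00:00 svr04 sshd[1405]: Failed password for root from 192.0.2.9 port 3002 ssh2
Sep 21 12:30:00 svr04 sshd[1407]: Failed password for root from 192.0.2.9 port 3003 ssh2
Sep 21 13:00:00 svr04 sshd[1409]: Failed password for root from 192.0.2.9 port 3004 ssh2
"""

# Syslog line -> timestamp, outcome, user, source address. This layout carries no year.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
LOG_YEAR = 2024  # assumption for the constructed sample, since syslog omits the year


def parse_auth_log(lines):
    """Return one event dict per line that records an sshd login result."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog noise is skipped, not treated as an error
        stamp = " ".join(m["ts"].split())  # collapse the double space in "Sep  1"
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append({
            "ts": ts,
            "outcome": "failed" if m["outcome"].startswith("Failed") else "accepted",
            "user": m["user"],
            "src_ip": m["ip"],
        })
    return events


def detect_brute_force(lines, maxretry=5, findtime=600):
    """Sliding-window check in the spirit of fail2ban's sshd jail.

    A source is flagged the moment it has `maxretry` failed logins inside a
    `findtime`-second window. Returns {src_ip: timestamp of the failure that tripped it}.
    """
    recent = defaultdict(deque)  # src_ip -> failure timestamps still inside the window
    flagged = {}
    for ev in parse_auth_log(lines):
        if ev["outcome"] != "failed":
            continue
        window = recent[ev["src_ip"]]
        window.append(ev["ts"])
        # Age out failures older than findtime relative to this one.
        while (ev["ts"] - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and ev["src_ip"] not in flagged:
            flagged[ev["src_ip"]] = ev["ts"]
    return flagged


def failures_by_source(lines):
    """Total failed logins per source, busiest first: the 'who is hammering me' view."""
    counts = defaultdict(int)
    for ev in parse_auth_log(lines):
        if ev["outcome"] == "failed":
            counts[ev["src_ip"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    for ip, when in detect_brute_force(lines).items():
        print(f"flag {ip} at {when:%H:%M:%S}")
    for ip, n in failures_by_source(lines):
        print(f"{n:4d} failures from {ip}")
```

With the defaults only 203.0.113.5 is flagged, at its fifth failure. The slow source 192.0.2.9 never has five failures inside ten minutes, so it is invisible to the window check even though it tops out at five total failures; widening `findtime` to a few hours catches it, at the cost of more false positives from users who forget a password over a working day. That trade-off is why a per-source total (the second function) is worth looking at alongside the window check.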

  • @CFSworks · a year ago · +106

    Well, I've run more than a few Cowrie instances myself (it was how a colleague and I made the initial discovery of the Hajime worm). For me, the biggest clue that this is a honeypot is the hostname being set to the default "svr04" :)

  • @madthroaty · a year ago · +115

    The payload command you show at 14:50 is a payload for the Mirai botnet. Pretty standard stuff for compromised machines nowadays.

    • @oneyw9391 · a year ago · +3

      Hey, has he shared the result files of the honeypot?

    • @vetuform5780 · a year ago · +2

      @oneyw9391 he said so but I couldn't find it

    • @Roki_100 · a year ago · +1

      @oneyw9391 doesn't seem he shared them bruh lol

    • @Alfred-Neuman · a year ago · +1

      @oneyw9391 Looked in the description, can't find the files...

  • @wardrich · a year ago · +81

    Would have been interesting if you set up different honeypots for each site it was posted on to see if the users from different sites had different techniques

  • @milokiss8276 · a year ago · +15

    Did literally ANYONE think it WASN'T going to be monitored/spoofed/a trap?

  • @SelvanSoft · a year ago · +126

    Pretty cool exercise. It would be interesting to leave it on for an extended period to collect, document, and publish all interesting attempts to help organizations improve their security posture.

    • @fightme5543 · a year ago · +9

      Collect successful and unsuccessful attempts separately and train an ML algorithm on it!

    • @oneyw9391 · a year ago

      Hey, do you know where to find the result files of this honeypot?

    • @SelvanSoft · a year ago · +2

      @fightme5543 Yes, it would be great.

    • @SelvanSoft · a year ago · +1

      @oneyw9391 In the video he mentioned he would post the log files somewhere and I don't see any links so far.

    • @fightme5543 · a year ago · +5

      @SelvanSoft I bet you there's too much sensitive data

  • @adrasx6999 · a year ago · +98

    There was that one person who was able to break out of the Docker container and redacted the log files. Now it's their machine ;)

    • @tacokoneko · a year ago · +78

      He said it is a DigitalOcean VPS, which means they are actually still inside a virtual machine at that point. If they escape the virtual machine then they have hacked a DigitalOcean datacenter.

    • @wonderbread6100 · a year ago · +15

      @tacokoneko then he's a Keter SCP at that point

    • @jaideepshekhar4621 · a year ago

      How???

  • @andrewjknott · a year ago · +35

    People who hacked in were questioning "internet access" as in outgoing internet from the honeypot to the internet. Pwned boxes are a great jump point to hack other computers on the internet, and your honeypot would allow them to do that. Ephemeral filesystems will still let this happen, and even without any write access to the filesystem a user could run Python interactively and paste a hacking script.

  • @DukeofAthens · 8 months ago · +4

    Literally understood about 9% of this video

  • @attilavs2 · a year ago · +45

    If they had superuser perms, they could do a nice core dump, and even if on a modern machine it is ungodly and unreadable by a human, by patterns you can see that it's not a genuine install, or at least probably.
    Edit: Or if you can't turn it on, it's also suspicious

  • @PR1V4TE · a year ago · +43

    I felt something abnormal at Hydra so I left at Hydra. I found 22, and a different port came open my way. But the other port didn't respond again. No banner either. 😂
    Edit: I've put a message in a login attempt, so that you can know that I found you at SSH itself. I suspected you must be logging, as I already said, so I stopped at the SSH login itself.

  • @Proprogrammer001 · a year ago · +3

    Wow, what a fun challenge. Following this channel was one of the best decisions I made almost 2 years ago. Never stops giving.

  • @sellers737 · 6 months ago · +1

    "I'll make this info available to you guys"
    (never makes it available)
    that was the real betrayal

  • @xTerrene · 7 months ago · +3

    I love line 4133 of the commands "echo this is a honeypot"; someone was onto you XD

  • @ph7947 · a year ago · +24

    After logging back in to the server and seeing the changes we made are gone, I would think people would know something is up

  • @sorannmw3500 · a year ago · +36

    I think the best way to counter your experiment once one noticed it was a honeypot would've been to set up a script to send a constant stream of random strings run as commands in the terminal so that your logs get filled with garbage. I'm not much of a hacker but I really wonder how you would've reacted if someone did that

    • @Jofoyo · a year ago · +1

      He would probably just use a script to sift all that garbage data out by only listing valid commands. If they're randomly trying commands, there's probably not a ton that could be done, but they'd probably run out of inputs to try and it'd just stack up.

    • @sorannmw3500 · a year ago · +8

      @Jofoyo ah yeah, it's true that it'd be easy to just check for valid commands if we just used random garbage, didn't even cross my mind. However, in the case of randomised valid commands it would be easy to run an infinite amount of them without running out.
      Just imagine if you ran grep with a bunch of random following words (using a mock engine to have words that make sense), poof, that's all grep gone. Then do the same with a bunch of other commands and the poor guy will have a really bad time trying to fix his logs.
      It might even be possible to automate the whole thing to deduce what type of input a command is expecting and generate random ones that seem likely for all commands in /bin... could be fun to code

    • @Jofoyo · a year ago · +2

      @sorannmw3500 Thinking about it again, I'm betting the original logs were sorted by computer- or connection-specific data before being merged into what he shows in the video, so he could easily clean out garbage users, which again nullifies that unless you're using thousands of proxy computers to bombard shit with, which I think is probably out of scope.

    • @sorannmw3500 · a year ago

      @Jofoyo well, DDoS is a thing so it's not that much out of scope, but yeah, if it can be filtered by user, a DDoS spam attack would be the last valid way.
      In this case I can only think of one last possibility, which would be to filter out users that have done more than X number of actions. This might cut interesting content but would effectively clean the logs and require the attacker to make sure his bots only do a reasonable amount of spam, which then would greatly reduce the amount of spamming in the logs.

  • @grrvaes · a year ago · +8

    Never got into cybersec but what an interesting video. Great idea, instead of imagining scenarios, just let people throw stuff at it and log them.

  • @brunoais · a year ago · +10

    4:57: What was the telltale sign for me was that signing in with different shell instances gave different views of the filesystem.
    Also: Too easy

  • @jasonturley · a year ago · +7

    Thanks for setting this up John! It was fun hacking into it and now I’m inspired to create my own 🎉

  • @HeroofTime55 · a year ago · +6

    That sorted list of interactions per IP just casually obeying Zipf's law.

    • @dimm__ · a year ago · +1

      aint called a law for nuthin

  • @streetguy01 · 6 months ago

    I’m pretty early in my journey into cybersecurity and it’s been pretty hard, but it’s nice to know that I already understood all the commands that people ran to navigate and manipulate your honeypot, even if I had no idea that you could put them together like that. Great video

  • @alinayossimouse · a year ago · +4

    The number one tell-tale sign that it was a honeypot: You asked people to hack it

  • @user-mn8lz7gf6d · a year ago · +6

    It is hilarious to me that I would have had an easier time getting in than apparently quite a number of cybersec people, as I would have tried root/toor in the first 5 attempts.
    Looks like some people should update their pw-lists.

  • @comosaycomosah · a year ago · +11

    Damn this was cool and honestly as a noob it helped fill in a lot of blanks for me. Well done

  • @zeScenzo · a year ago · +4

    Someone's password attempt was 50cents and I find that funny somehow.

  • @FourOneNineOneFourOne · 7 months ago · +1

    I was fully expecting someone to break out of the Cowrie sandbox image and actually gain control of the machine.

  • @ETtheOG · a year ago · +64

    First he lays a hunny pot, now he expects the ones that didn't fall for the honey pot to tell him how they knew? You'd like that wouldn't you lol >.>

    • @paaao · a year ago · +16

      Well, if you touch a file, logout, log back in and your file is not there, something is obviously afoot

  • @Crysal · a year ago · +2

    Very nice to see, been a while since I've done any cybersec stuff, so it's fun to see the commands run.

  • @anonp2958 · a year ago · +4

    @John Hammond - Where is the list of commands you said you would post?

  • @BenjaminEdwards-v6z · 9 months ago · +2

    You know he's talking too fast when you set playback speed to 0.75 and it sounds like a normal person talking lol

  • @Sullifly · a year ago · +1

    That was dope, now I'm gonna jump down a rabbit hole of honeypot videos

  • @sonicunleashedfan124 · 8 months ago · +6

    8:43 I think I know a few Linux distros that had their root password as “toor”

  • @StereoMadnessss · a year ago · +5

    That IP address that contacted the server 150k times was probably a DoS attack

  • @VRWarLab · a year ago · +4

    Yes i was hable to hakk it and i found out it was caw dairy that you used i also removed the honey dog server and I had complete aces of the server and i made all so eficient i only required one atempt and i also added mine cripto minor and a maincrazt server i play with all my frends theyre real i have much frends.

  • @BinaryAdventure · a year ago · +2

    This is my favorite video you've ever made, John. Nice work!

  • @Ufphen · a year ago · +1

    The accounting sub-directory in the Gibson is working really hard. We've got this IP 108 online and workloads enough for like 10 users. I think we got ourselves a hacker!

  • @IndieJosh · a year ago · +1

    Great experiment! I remember seeing this on Twitter a few days ago, great follow-up video

  • @JackofTradeApps · a year ago · +4

    Patterns and practices. Great video JH!!!

  • @jd-raymaker · a year ago · +2

    I always wanted to set up my own honeypot. Thank you for this inspiration!

  • @ewerybody · a year ago · +3

    9:01 what's with line 9? 102 login attempts with "[root/"? Is that all spaces out of the screen or did some character mess up your listing? 🤔

  • @cybersploit7378 · a year ago · +6

    Exactly, I didn't think you'd make it that easy so I suspected something. I didn't know it was Cowrie tho. I found another SSH port on 22222, I think, which made me wonder why someone would have SSH open twice.

  • @AwesomeNickGaming · 3 months ago

    As soon as you said the server's hostname was srv04 I knew it was a Cowrie honeypot, since I run one myself as well and that's the default hostname

  • @saulgallagher5668 · 6 months ago

    Wait, you're telling me the guy who asked me to hack him wanted me to hack him?!?!?! Crazy

  • @yeetskeet691 · a year ago · +2

    I've been sitting here going "no way port 22 is the actual SSH port, it's gotta be a trap"

  • @codegeek98 · 8 months ago · +2

    I wonder if you could modify Cowrie to give unique filesystems _not_ per login, but persistent per ISP (ASN), to throw off basic detection

  • @turbojax07 · a year ago · +1

    I didn't do this, but I bet a telltale sign that it was a honeypot would be that it would just be an empty file system, especially a few days after the link was released.

  • @user-xg8sd9fl3e · a year ago · +4

    Most of those random usernames are probably SSH scanners that aren't related to people trying to do the challenge. Stand up a new server with SSH open and just watch, you'll see junk like that.

  • @RedBigz · several months ago

    ifconfig apparently beats up the stealthiness of Cowrie

  • @unixtreme · 7 months ago

    I'm surprised by the lack of uname runs. The first thing I would hypothetically want to know is the distribution I'm on.

  • @elishmuel1976 · 8 months ago · +2

    11:28 how can I check if I have a miner installed in my computer? Complete noob just super interested in all of this geek stuff. Great video!

  • @aaroniscoding · a year ago · +1

    Thanks for Sharing! This was awesome.

  • @Exilum · a year ago · +4

    Now it would be interesting to see if this honeypot approach could be used selectively. Maybe you really really need to access something remotely but you also want to get the time to shut it down should someone get their nose into it, so you add a honeypot layer. Like maybe one of the users is real and has its commands transmitted to the actual SSH session. Or maybe none of it is real but if you type your password instead of interacting with the fake session you get in. Maybe put mildly weak passwords on users so they don't notice right away it's a honeypot and that's done.
    Considering it's constantly surveilled, you could probably keep track of any IP that made an attempt on the "users" and refuse them even if they type the right password. Could save some time too.

  • @Luftbubblan · a year ago · +3

    Not sure I'd call it a honeypot when you are invited to access it. Fun to see the results tho!

  • @GerbyWorrior · a year ago · +3

    I said "maybe his social media account was hacked and this is some sort of watering hole attack" hahaha

  • @vladislavkaras491 · 8 months ago · +1

    Thanks for the video!

  • @doz3r943 · a year ago · +4

    As soon as you posted a link and said to attack it I knew it was a trap

  • @SamTheEnglishTeacher · 6 months ago

    I thought 'half hundred' was a slip of the tongue in the moment, but then you said it again. The word is fifty.

  • @laserray01 · a year ago · +2

    Surprised none of them attempted to improve the security

  • @florianclaaen7535 · a year ago · +2

    Having nothing to do with the scene, this is such an interesting experiment from an outsider's perspective.

  • @Those_Weirdos · a year ago · +1

    I'm amused you think those 2200 IPs map to 2200 unique actors, and they aren't mostly just the typical botnets out there hammering literally everything everywhere.

  • @miso-ge1gz · a year ago · +1

    Surprised no one got into the actual server

  • @Т1000-м1и · 6 months ago · +1

    I have not even a guess what 60% of those words mean but I don't feel like I missed out on the ultimate meaning, which is interesting

  • @ThisIsJustADrillBit · a year ago · +6

    The world needs more John Hammond. Thank you for being awesome.

  • @joefawcett2191 · a year ago · +8

    Couldn't this have gotten people in trouble if they actually managed to escape Docker?

    • @hjf3022 · a year ago

      Now they are in a VM

    • @joefawcett2191 · a year ago

      @hjf3022 it was a DigitalOcean node afaik

    • @joefawcett2191 · a year ago · +4

      I wouldn't be surprised if he told them about this and this was a free large-scale pentest he got paid for

  • @aaronag7876 · a year ago · +9

    I'd like to see what you find on, and what happens to, a computer if you put it on the net with no virus protection or a firewall and completely exposed to the net lol
    Try a Win XP, Win 7, Win 10, Win 11, Ubuntu, Mac

    • @flobuilds · a year ago · +1

      Probably formatted in seconds

  • @AC-hg4fr · 10 months ago · +6

    This was entertaining as heck. Very informative. I'm adjacent in the field so I could understand a lot of it but it opened my eyes to a lot. Quick question, since password policy guidelines are enforced pretty much everywhere, would this still be a realistic exercise? Were there any other ways into the environment if password bruteforcing was not feasible?

  • @AbandonedVoid · a year ago · +3

    As soon as I saw the only service was an insecure SSH channel, knowing who asked to hack the system, I suspected it was a honeypot. It's just such a clear railroading for an entry point. To make a honeypot more effective, you have to obscure it a little more and make access seem more like someone at least tried to prevent entry.

  • @satibel · a year ago · +3

    I wonder if you could use that box to masscan or some other bs.
    Obvious hint it's a honeypot: you set up a permanent reverse shell and it dies as soon as you disconnect

  • @Powerlax · a year ago

    I could tell it was a honeypot after 2 minutes of logging in, and immediately got off. Did not know it was Cowrie.

  • @megan00b8 · a year ago · +7

    I mean, you clearly are well capable in cybersec, so if you ask people to hack something they'd expect it to be a challenge, so if it's as easy as finding an exposed port and bruteforcing your way in, it's pretty obvious that there's something sus going on behind the scenes.

  • @Karl2Peter · 7 months ago

    this experiment is awesome wow

  • @KryptoKn8 · 7 months ago

    I think a really nice defense idea would be not just blocking access, but immediately retracing it

  • @sinos_karan9515 · a year ago · +3

    You are a legend John..❤

  • @arpita1shrivas · a year ago · +3

    All fun and games until you realise this man could technically make a case against all the people attempting to hack his site 💀

  • @starlightpastel279 · 7 months ago

    Was not there at the time but I can tell you if I was I'm 100% sure I'd know it was a honeypot, for the simple reason that I would have gotten in and not seen an absolute disaster of a file system. I'm a novice at this, and if I was the first one to crack a challenge, that on its own is insanely suspicious because I'd expect others to have long before me, in which case I'd see evidence of that. It's like someone issuing a challenge to thousands of people with a reward for the first winner, and when you get there after many others before you the challenge is just 15 + 10 and you win the prize; that would be insanely suspicious.

  • @filipegabriel4408 · a year ago · +3

    Question. What if I search for the course of a ping using traceroute? I can see that it is a honeypot, right? Is the honeypot necessarily on the same network as the database server?

  • @DJChesley · a year ago · +1

    Great video, would love to see more like this!

  • @Kinyanjui_765 · a year ago

    How can I get into cybersecurity???.. Should I go to a school or is YouTube enough???

  • @blinking_dodo · a year ago · +9

    Should have run a crypto miner on it while keeping the connection open so the box doesn't expire.
    I would have done an *online* port scan, keeping my IP secret for initial discovery.
    And when there would only be SSH open, I would have bailed before even touching it, knowing of the honey inside.

    • @kiiturii · a year ago

      Curious why that's a clear sign of it being a honeypot

    • @mollthecoder · a year ago

      @kiiturii In the real world there are usually many ports open, only having port 22 is suspicious

    • @kiiturii · a year ago

      @mollthecoder sure, but he specifically asked for it to be hacked so I at least would assume it was just some CTF type of thing

    • @mollthecoder · a year ago

      @kiiturii That's fair enough

  • @privateaccount4460 · 8 months ago · +1

    Wow, this video gave adblocker a real challenge, thanks for that I guess

  • @essigautomat · a year ago

    You could also check the locations of the IP addresses and collect some country data, like X attempts from USA, C from China, etc. pp.

  • @SohelPratap · a year ago · +1

    I learnt a new thing today, what a honeypot is. As a beginner I feel I am growing my knowledge day by day 🙂

  • @M0NK-P2P · 7 months ago

    I knew it was a honeypot and removed all the honey. Good try, Pooh Bear!