Updated to support latest repos and opencanary

colbyprior · May 7, 2021 · 4b63838 · 4b63838
1 parent 2f2e7c4
commit 4b63838
Show file tree

Hide file tree

Showing 6 changed files with 138 additions and 9 deletions.
diff --git a/cowrie.md b/cowrie.md
@@ -21,7 +21,7 @@ If you want to stop the running container you will need to press `ctrl+c` to can
 ## 1.2 Configuring Cowrie
 There are some default config files we can copy into our docker mount. Note we may need sudo permissions to view this folder.
 
-If you are having permissions problems then run `sudo chown -R ubuntu /var/lib/docker/volumes`. This isn't good practice but it's just a workshop.
+If you are having permissions problems then run `sudo chown -R ubuntu /var/lib/docker/volumes` This isn't good practice but it's just a workshop.
 
 ```
 cp ~/volumes/cowrie_cowrie-etc/_data/cowrie.cfg.dist ~/volumes/cowrie_cowrie-etc/_data/cowrie.cfg
@@ -42,7 +42,7 @@ sudo ls -l ~/volumes/cowrie_cowrie-var/_data/lib/cowrie/downloads/
 
 ## 2.3 Make your honeypot "sweeter"
 - Try configuring a non-default hostname, kernel version, ssh version for the honeypot.
-- Also change the usernames and passwords that the honeypot accepts in the `userdb.txt`.
+- Also change the usernames and passwords that the honeypot accepts in `~/volumes/cowrie_cowrie-etc/_data/userdb.txt` 
 
 # 3 Elasticsearch and Kibana
 Elasticsearch and Kibana have already been insalled using apt.
@@ -55,6 +55,12 @@ sudo systemctl start kibana
 Note: Kibana can take a minute to start up.
 You should now be able to access kibana via `http://<Public_IP>:5601`.
 
+To find the URL kibana should be availalbe on, run the following
+
+```sh
+echo http://$(curl -fsq http://169.254.169.254/latest/meta-data/public-ipv4/):5601/
+```
+
 ## 3.1 Configure Filebeat
 We need to put config in filebeat so that it will watch for events in the Cowrie report log and send the json events to Elasticsearch.
 `sudo vim /etc/filebeat/filebeat.yml`
@@ -99,12 +105,12 @@ Try creating a data table or pie graph showing top attacker addresses, username,
 If you get an attacker connect please be careful with dropped files. Look up their filehashes in VirusTotal.
 
 # 4 Enable telnet
-In the `cowrie.cfg` look for the setting to enable telnet. Enable it and restart the docker container.
+In the `~/volumes/cowrie_cowrie-etc/_data/cowrie.cfg` look for the setting to enable telnet. Enable it and restart the docker container.
 
 Connect to your server using telnet on port 23.
 
 # 5 Submittting malware samples to MISP
-- Uncomment the output_misp module in `cowrie.cfg`.
+- Uncomment the output_misp module in `~/volumes/cowrie_cowrie-etc/_data/cowrie.cfg`
 - Replace the base_url and api_key with the ones provided.
 - For the purposes of this tutorial only, disable verify_cert.
 - Restart the docker container.

diff --git a/filebeat.yml b/filebeat.yml
@@ -20,6 +20,24 @@ filebeat.inputs:
   paths:
     - /home/ubuntu/tanner/docker/log/tanner_report.json
   json.keys_under_root: true
+- type: log
+  enabled: true
+  paths:
+    - /var/tmp/opencanary.log
+  json.keys_under_root: true
+  processors:
+    - decode_json_fields:
+        fields: ["inner"]
+    - rename:
+        fields:
+        - from: "src_host"
+          to: "src_ip"
+        - from: "logdata.PASSWORD"
+          to: "password"
+        - from: "logdata.USERNAME"
+          to: "username"
+        ignore_missing: true
+        fail_on_error: false
 
 setup.template.settings:
   index.number_of_shards: 1

diff --git a/opencanary.md b/opencanary.md
@@ -0,0 +1,99 @@
+# 1.0 Opencanary Guide
+
+## 1.1 Initial setup
+
+
+OpenCanary is started by running:
+
+```
+source ~/env/bin/activate
+cd ~/opencanary
+```
+
+On the first run, create an opencanary config
+```
+opencanaryd --copyconfig
+```
+
+This will create a folder and config file in `/etc/opencanaryd/opencanary.conf`
+
+
+# 2.0 Exercises
+
+## 2.1 Configure opencanary
+
+You must now edit the config file to determine which services and logging options you would like to enable.
+
+`sudo vim /etc/opencanaryd/opencanary.conf`
+
+Play around and try enable the following services:
+- SMB
+- MSSQL
+- MYSQL
+- VNC
+
+
+## 2.2 Run open canary
+This will run opencanary in dev mode which will allow you to see the live output from opencanary
+```
+opencanaryd --start
+```
+
+
+## 2.3 Fake an attack
+```sh
+ftp SERVER_IP
+Connected to SERVER_IP.
+220 FTP server ready
+
+Name (SERVER_IP:ubuntu): honeypot
+
+331 Password required for honeypot.
+Password: FAKE_PASSWORD
+530 Sorry, Authentication failed.
+Login failed.
+
+ftp> exit
+221 Goodbye.
+
+```
+
+## 2.4 Check your logs
+
+Check that opencanary is picking up your failed ftp authentication logs
+`less /var/tmp/opencanary.log`
+
+
+## 2.5 Elasticsearch and Kibana setup
+Add the following log config to the `filebeat.inputs:` section in `/etc/filebeat/filebeat.yml`.
+```
+- type: log
+  enabled: true
+  paths:
+    - /var/tmp/opencanary.log
+  json.keys_under_root: true
+  processors:
+    - decode_json_fields:
+        fields: ["inner"]
+    - rename:
+        fields:
+        - from: "src_host"
+          to: "src_ip"
+        - from: "logdata.PASSWORD"
+          to: "password"
+        - from: "logdata.USERNAME"
+          to: "username"
+        ignore_missing: true
+        fail_on_error: false
+```
+
+
+## 2.6 Refresh the index
+Now we need to make sure the index is refreshed so we can properly search over our new data types.
+1. Restart filebeat `systemctl restart filebeat`
+2. Visit Kibana and go in to Management
+3. Select index management
+4. Select your filebeat index
+5. Click the refresh icon to refresh the index.
+
+
diff --git a/setup/install.sh b/setup/install.sh
@@ -2,7 +2,7 @@
 
 # install
 sudo apt update
-sudo apt install -y docker.io docker-compose jq git nano sqlite3
+sudo apt install -y docker.io docker-compose jq git nano sqlite3 python3-dev python3-pip python3-virtualenv python3-venv python3-scapy samba libpcap-dev
 
 # clone repos
 git clone https://github.com/cowrie/docker-cowrie
@@ -25,3 +25,8 @@ sudo apt-get install elasticsearch kibana -y
 # docker permissions
 sudo usermod -aG docker ${USER}
 newgrp docker
+
+# install opencanary
+virtualenv env/
+. env/bin/activate
+pip install opencanary scapy pcapy
diff --git a/setup/preload.sh b/setup/preload.sh
@@ -6,6 +6,7 @@ docker-compose build
 
 # thug pre-build
 cd ~/thug/docker/
+cp -r ~/thug/tests/samples/ ~/thug/
 # add to dockerfile apt installs:
 #    vim \
 #    jq \

diff --git a/thug.md b/thug.md
@@ -6,7 +6,7 @@ Run the docker container with an interactive shell.
 
 ```
 cd thug
-docker run -it -v ~/thug/samples:/samples thug:demo /bin/bash
+docker run -it -v ~/thug/tests/samples:/samples thug:demo /bin/bash
 ```
 
 # 2 Running Thug
@@ -31,16 +31,16 @@ After running the analysis there will be a output letting you know where the out
 
 ```
 # Thug analysis logs saved at /tmp/thug/logs/01a14e6f7f3630a8378b3c24698b32ed/20200727044545
-less /tmp/thug/logs/01a14e6f7f3630a8378b3c24698b32ed/20200727044545/analysis/json/analysis.json
-cat /tmp/thug/logs/01a14e6f7f3630a8378b3c24698b32ed/20200727044545/analysis/json/analysis.json | jq ."exploits"
+less /tmp/thug/logs/aa785aa5193ee38511e4a485c0a7bd0d/20200727044545/analysis/json/analysis.json
+cat /tmp/thug/logs/aa785aa5193ee38511e4a485c0a7bd0d/20200727044545/analysis/json/analysis.json | jq ."exploits"
 ```
 
 # 3 Exercises
 For each of the follwing samples:
 1. `domino.html`
 2. `ssreader_0day.html`
 3. `blackhole.html`
-The samples are also available for reading via github: https://github.com/buffer/thug/tree/master/samples/exploits
+The samples are also available for reading via github: https://github.com/buffer/thug/tree/master/tests/samples/exploits
 
 For each sample try to find out the following:
 - Look at the raw sample. Can you tell what its trying to do?