"Please Hack My Computer"
24 May 2024
1,011,080 views
jh.live/pwyc || Jump into Pay What You Can training for Active Defense & Cyber Deception -- at whatever cost makes sense for you! jh.live/pwyc
00:00 - Cowrie
02:18 - It's a trap!
05:04 - Results
05:42 - IP Addresses
06:57 - Interaction Count
08:02 - Login Attempts
11:00 - Commands Ran
16:13 - Final Thoughts
Free Cybersecurity Education and Ethical Hacking with John Hammond
📧 JOIN MY NEWSLETTER ➡ jh.live/email
🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎 FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥 KZhead ALGORITHM ➡ Like, Comment, & Subscribe!
Yes I knew it was a honeypot. Which is why I replaced the honeypot that you had with my own honeypot. To make it look real to you, I fabricated a bunch of attack attempts and routed all the legit attempts to my honeypot, giving me all their activity and zero day attacks that were tried. Better luck next time, John.
Pics, or it didn't happen...
@@nordgaren2358 for security all evidence is destroyed sorry ¯\_(ツ)_/¯
@@nordgaren2358 /s
real
True.
A lot of the login attempts are probably bots trying to hack you that don't even know about the challenge. When I got my first Raspberry Pi I had port 22 exposed for a few days and I had thousands of login attempts when I read through the logs.
Those exist?
@@danialrafida fuck Ton of them
Same with my old nextcloud instance, a lot of chinese bots.
@@danialrafid yes, lots of bots just scroll through the web looking for open ports
@@nullpwn are y'all still calling Israel China to avoid getting banned? So boring.
Before you said it was a honeypot I was concerned that some bad actor would just make it their honeypot. Assuming you had good intentions. I learned multiple valuable lessons: 1) don't trust anyone, 2) protect yourself, 3) if it's too easy, it's too easy.
haha this had 69 likes and I made it 70 edit: yes. I am a monster
@@thevalarauka101 no
@@thevalarauka101 you monster 😨
@@thevalarauka101 how dawre you!
The site name made me feel if I clicked on it I would be a failure
1) Sees a malicious URL in the logs of the honeypot 2) Proceeds to copy and open said URL in the browser
John's a cybersecurity researcher, I think he probably understands that there's not a ton of risk in simply opening a webpage.
@@Jofoyo Plus not like he is doing this on his personal computer lol
@@Jofoyo there is, but I think he uses a virtual machine with an antivirus
@@dvxv4016 Even if you download a malicious file you still have to run it, it's not going to get opened by itself or do anything
@@dvxv4016 no reason to run an antivirus on a virtual machine lol
Not a hacker, but the indicator of a honeypot is definitely telling people to try to hack it, lol.
Haha! Also the passwords are dead giveaway. xD
*>Not a hacker* Those skiddies aren't either.
@@Bossanova. Excuse them for not being le master haxxor straight out of the womb like yourself
@@Bossanova. Yeah how many boxes have you rooted, how many vuln reports have you written? calling these guys having some fun on an advertised ctf 'skiddies' is such an obvious self report lmao
@@IsAMank Sure thing, now get back to pretending to be a big cool hacker.
This makes me think of docker containers are more sandboxed than I'd thought? I'd love to see a video exploring the limits of the sandbox security!
“A sandbox is only as sandboxed as the sandbox is sandboxed.” 👍
I 100% agree
Hey where can i find the result file of honeypot
well if you don't have a real shell there's not much you can do
Someone correct me if I'm wrong, but that's essentially the concept. Containerizing: getting access to one doesn't mean you have the whole thing.
Thank you. Not only did you perform the test, but you made the results available to others.
Where?
@Johnhammond is a O.G. 👍
where?
I notice there are many issues with passwords. People forget them, they get hacked, etc. Just don't use them! Easier for everybody.
😂
WRITE THAT DOWN!!! WRITE THAT DOWN!!!!!
yes, you can use auth files instead, just make sure to back them up properly
@@drishalballaney6590 woooosh
@@drishalballaney6590 This. Having an authorized SSH key is genuinely good for security.
It was kinda obvious that it was honeypot
I thought so too...glad to know gut feeling was correct.
@@Innocuils yeah ikr
@@sumukhchitloor6259 With all that dramatic music I was hoping he was about to go into a rant about how everyone DDOS'd him off the net. Well guys couldn't get anything for the video so here are some generic tips for everyone. lol
@@DudeSoWin lmao
Was it him asking you to hack it?
Up to the point I learned it's not hosted by the same person who issued the invite, I thought it was a fun idea. But then I got worried for all the folks who were baited into trying to hack into Digital Ocean's infrastructure.
I love the part where you just dig through the data it's always nice to have you explain the fun and funky stuff going on. Especially the things you didn't expect users to do :D would love to see something like this again ^^
Hey do you know where to find result files of honeypot
@oneyw9391 yes, this would be great XD. I think with a little bit of JS, CSS or whatever, someone could build an amazing animation showing all actions on a timeline, which could be run like a video... maybe use a slider or whatever to progress the data XD
At 6:00 he hides the IPs, but who launches an attack using their real IP address? Don't hackers hide that too?
@@johndank2209 it was a public invitation, some people may have tried it out of curiosity with no understanding of the field and this being their first time ever messing with something like it
I love all of this. You gave an easy target for the lesser experienced such as myself but you also ended up turning it all into a lesson for not only yourself but everyone who tried and failed to notice it was honeypot. I didn’t know about this challenge but I love the concept of all of it. Subbing for future content!
At 6:00 he hides the IPs, but who launches an attack using their real IP address? Don't hackers hide that too?
Since this obviously wasn't a serious attack there's a good chance someone might not have done this. Or they forgot to use one. Safer to hide the IPs
@@johndank2209 You'll realize that most people don't even use IP, especially the good hackers like the ones shown in the vid, because they trust John would not do anything with their data
@@johndank2209 Not always. Besides, better safe than sorry.
Well, I've run more than a few Cowrie instances myself (it was how a colleague and I made the initial discovery of the Hajime worm). For me, the biggest clue that this is a honeypot is the hostname being set to the default "svr04" :)
"why did you give it internet access?" is a valid concern because you're effectively running a tor exit node allowing anyone to use you as a proxy
It would be neat if there was an SSH daemon that once it detected a brute force or other problematic login attempts, placed the user into a honeypot server as opposed to live. But you know, even the web interface would update based on your changes, but only for the individual user. I know it would be complicated, but I also know it would be doable.
Actually, it's an actual technique used by some companies. They set up decoy machines exposed to the internet, or only to the intranet, and they simulate their company network, sometimes even simulating user activity, and if the hacker goes to hack that network and pivots to other machines, the SOC can track their movement and block them out.
@@vwvvvww neat!
You might be (I'm no expert) able to do that with fail2ban and a bunch of tooling.
It needs to take them into an endless sparse tree of honeypots, using AI to create realistic BS all the way down.
@@askhowiknow5527 that is genius. Make them think that they're getting closer and closer to hacking the mainframe when they're in fact in a honeypot 😂
This is so awesome. Such valuable insights to how "bad actors" try and exploit
At 6:00 he hides the IPs, but who launches an attack using their real IP address? Don't hackers hide that too?
@@johndank2209 it's just for the safety of protecting one's identity, since of course you don't want to cause potential harm if it is real.
@@Theultramadman but aren't IP addresses dynamic? So what harm would it do?
@@bikdigdaddy Yes you're correct, most normal IPs are residential or similar and are dynamic, meaning it won't be of much harm. However, some may also be static IPs, or some have yet to change, or are assigned to specific geographical regions or ISPs, or can be logged during the upload of the video, or they are assigned from a limited pool of addresses controlled by the ISP. Either way, releasing IPs is still dangerous as it can be used maliciously or similar during the upload of the video, which this video is not trying to cause.
The payload command you show at 14:50 is a payload for the Mirai Botnet. Pretty standard stuff for compromised machines nowadays
Hey, is he shared the result files of honeypot?
@@oneyw9391 he said so but I couldn't find it
@@oneyw9391 doesn't seem he shared them bruh lol
@@oneyw9391 Looked in the description, can't find the files...
Hahaha, pretty fun to see my honeypot echo being featured. Thanks for the fun time! Edit: I used rockyou and was amused that it worked :)
ehco
I'm not a big social media user so I never saw the tweet or the post on LinkedIn. You should consider posting things like this on the community tab of your page. Great video, as always!
I agree with this post
Yeah, I would've loved to play around with this, but I don't use Twitter at all, anymore.
@@KettLovahr Because now Threads exist, right? :D
@@WarNinGXK Threads is dying too
@@WarNinGXK threads is dead.
I had no idea you were such a prolific youtuber when I first met you at the hacking class you did at the connectwise conference last year. You are a TOTAL badass in my book, and a very nice gentleman. I greeted you later at the hotel's food court to tell you how much I appreciated the course. Long haired blond dude sitting in the back row. Thanks for being a cool guy :]
Very nice to see, been a while since I've done any cyber sec stuff so fun to see the commands run.
Would have been interesting if you set up different honeypots for each site it was posted on to see if the users from different sites had different techniques
People who hacked in were questioning "internet access" as in outgoing internet from the honey pot to the internet. Pwned boxes are a great jump point to hack other computers on the internet, and your honeypot would allow them to do that. Ephemeral filesystems will still let this happen, and even without any write access to the filesystem a user could run python interactively and paste a hacking script.
If they had super user perms, they could do a nice coredump, and even if on a modern machine it is ungodly and unreadable by a human, by patterns you can see that it's not a genuine install, or at least probably. Edit: Or if you can't turn it on, it's also suspicious
Great experiment! I remember seeing this on Twitter a few days ago, great follow up video
I'm pretty early in my journey into cybersecurity and it's been pretty hard, but it's nice to know that I already understood all the commands that people ran to navigate and manipulate your honeypot, even if I had no idea that you could put them together like that. Great video
Thanks for setting this up John! It was fun hacking into it and now I'm inspired to create my own 🎉
Did literally ANYONE think it WASN'T going to be monitored/spoofed/a trap?
Pretty cool exercise. It would be interesting to leave it on for an extended period to collect, document, and publish all interesting attempts to help organizations improve their security posture.
Collect successful and unsuccessful attempts separately and train an ML algorithm on it!
Hey, do you know where to find result files of this honeypot
@@fightme5543 Yes, it would be great.
@@oneyw9391 In the video he mentioned he would post the log files somewhere and I don't see any links so far.
@@SelvanSoft I bet you there's too much sensitive data
Wow what a fun challenge. Following this channel was one of the best decisions i made almost 2 years ago. Never stops giving.
There was that one person who was able to break out of the docker container and redacted the log files. Now it's their machine ;)
He said it is a DigitalOcean VPS, which means they are actually still inside a virtual machine at that point. If they escape the virtual machine then they have hacked a DigitalOcean datacenter.
@@tacokoneko then he's a Keter SCP at that point
How???
I felt something abnormal at hydra so I left at hydra. I found 22, and a different port came open my way. But the other port didn't respond again. No banner either. 😂 Edit: I've put a message at the login attempt, so that you can know that I found you at SSH itself. I suspected you must be logging, as I already said, so I stopped at the SSH login itself.
Patterns and practices. Great video JH!!!
Thanks for Sharing! This was awesome.
Never got into cybersec but what an interesting video. Great idea, instead of imagine scenarios, just let people throw stuff at it and log them.
Great video, would love to see more like this!
This is my favorite video you've ever made, John. Nice work!
Thanks for the video!
4:57: What was the telltale sign for me was that signing in with different shell instances gave different views of the filesystem. Also: too easy.
Damn this was cool and honestly as a noob it helped fill in a lot of blanks for me. Well done
After logging back into the server and seeing the changes we made are gone, I would think people would know something is up
I love line 4133 of the commands "echo this is a honeypot"; someone was onto you XD
I always wanted to set up my own honeypot. Thank you for this inspiration!
Awesome John, same here with some buddies, I'm not so much of a social media user. But all in all this is great
I think the best way to counter your experiment once one noticed it was a honeypot would've been to set up a script to send a constant stream of random strings run as commands in the terminal so that your logs get filled with garbage. I'm not much of a hacker but I really wonder how you would've reacted if someone did that
He would probably just use a script to sift all that garbage data out by only listing valid commands. If they're randomly trying commands, there's probably not a ton that could be done, but they'd probably run out of inputs to try and it'd just stack up.
@@Jofoyo ah yeah, it's true that it'd be easy to just check for valid commands if we just used random garbage, didn't even cross my mind. However, in the case of randomised valid commands it would be easy to run an infinite amount of them without running out. Just imagine if you ran grep with a bunch of random following words (using a mock engine to have words that make sense), poof, that's all grep gone. Then do the same with a bunch of other commands and the poor guy will have a really bad time trying to fix his logs. It might even be possible to automate the whole thing to deduce what type of input a command is expecting and generate random ones that seem likely for all commands in /bin ... could be fun to code
@@sorannmw3500 Thinking about it again, I'm betting the original logs were sorted by computer or connection specific data, before being merged into what he shows in the video, so he could easily clean out garbage users, which again nullifies that unless you're using thousands of proxy computers to bombard shit with, which, I think is probably out of scope.
@@Jofoyo well DDoS is a thing so it's not that much out of scope, but yeah if it can be filtered by user, a DDoS spam attack would be the last valid way. In this case I can only think of one last possibility, which would be to filter out users that have done more than X number of actions. This might cut interesting content but would effectively clean the logs and require the attacker to make sure his bots only do a reasonable number of spam, which then would greatly reduce the amount of spamming in the logs
Very fun video, thanks!
This was entertaining as heck. Very informative. I'm adjacent in the field so I could understand a lot of it but it opened my eyes to a lot. Quick question, since password policy guidelines are enforced pretty much everywhere, would this still be a realistic exercise? Were there any other ways into the environment if password bruteforcing was not feasible?
@John Hammond - Where is the list of commands you said you would post?
That was dope, now I'm gonna jump down a rabbit hole of honeypot videos
very informative thank you
question. what if i search for the course of a ping using traceroute? i can see that it is a honeypot right? is the honeypot necessarily on the same network as the database server?
Love the breakdown
Great video, and use of music. Loved the production on this one.
Great video John. 👍😉
Great video!
Really fun vid, thanks for making it. Did you end up posting all the data online? Would be fun to check out. I couldn't find a link.
I wonder if you could modify Cowrie to give unique filesystems _not_ per login, but persistent per ISP (ASN), to throw off basic detection
8:43 I think I know a few Linux distros that had their root password as “toor”
Did you remove leading spaces from the command prompts or did nobody use leading spaces?
Amazing video!
I've always been kind of curious about setting up a honeypot myself, just cause it'd be fun to see what people get up to on it.
First he lays a hunny pot, now he expects the ones that didn't fall for the honey pot to tell him how they knew? You'd like that wouldn't you lol >.>
Well, if you touch a file, logout, log back in and your file is not there, something is obviously afoot
preeeeeeeeetty cool, i actually learnt a bit!
9:01 what's with line 9? 102 login attempts with "[root/"? Is that all spaces out of the screen or did some character mess up your listing? 🤔
You are a legend john..❤
It is hilarious to me that I would have had an easier time getting in than apparently quite a number of cybersec people, as I would have tried root/toor in the first 5 attempts. Looks like some people should update their pw-lists.
Wow John this was a cool video for sure. Loved seeing some of the commands people were attempting to run. I do wonder how many connection attempts there were when you first spun it up, before announcing it on social media?
Now it would be interesting to see if this honeypot approach could be used selectively. Maybe you really really need to access something remotely but you also want to get the time to shut it down should someone get their nose into it, so you add a honeypot layer. Like maybe one of the users is real and has its commands transmitted to the actual SSH session. Or maybe none of it is real, but if you type your password instead of interacting with the fake session you get in. Maybe put mildly weak passwords on users so they don't notice right away it's a honeypot and that's done. Considering it's constantly surveilled, you could probably keep track of any IP that made an attempt on the "users" and refuse them even if they type the right password. Could save some time too.
Really cool video!
this experiment is awesome wow
The accounting sub-directory in the gibson is working really hard. We've got this IP 108 online and workloads enough for like 10 users. I think we got ourself a hacker!
The number one tell-tale sign that it was a honeypot: You asked people to hack it
I have no idea what any of this is but very epic 👍🏻
Exactly, I didn't think you'd make it that easy so I suspected something. I didn't know it was Cowrie tho. I found another SSH port on 22222, I think, which made me wonder why someone would have SSH open twice.
You could also check the locations of the IP addresses and collect some country data, like X attempts from USA, C from China, etc. pp.
That sorted list of interactions per IP just casually obeying Zipf's law.
aint called a law for nuthin
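The two ideas above, filtering out sessions that ran more than X commands (from the log-flooding thread) and the sorted interactions-per-IP list that someone noted follows Zipf's law, worked through in Python as an added example; this is not the video's own code and not part of Cowrie. It assumes Cowrie's JSON log format (one object per line with eventid, src_ip, session, username, password and input fields); the sample lines are constructed for the example, including one session that floods the log with generated grep commands.

```python
"""Summarise a Cowrie JSON log: connections per IP, credentials tried,
commands run, and a noise filter that drops any session which ran more
than a threshold number of commands."""
import json
from collections import Counter, defaultdict

# Constructed sample lines in the shape of Cowrie's cowrie.json output.
# The eventid / src_ip / session / username / password / input fields are
# assumed from that format; every value below is made up for this example.
SAMPLE_LOG = [
    '{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","session":"s1"}',
    '{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","session":"s1","username":"root","password":"123456"}',
    '{"eventid":"cowrie.login.success","src_ip":"203.0.113.10","session":"s1","username":"root","password":"toor"}',
    '{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","session":"s1","input":"uname -a"}',
    '{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","session":"s1","input":"echo this is a honeypot"}',
    '{"eventid":"cowrie.session.closed","src_ip":"203.0.113.10","session":"s1"}',
    '{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"s2"}',
    '{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","session":"s2","username":"root","password":"toor"}',
    # A session that floods the log with 50 generated grep commands.
    *('{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"s2","input":"grep word%d /etc/passwd"}' % i
      for i in range(50)),
    '{"eventid":"cowrie.session.connect","src_ip":"192.0.2.5","session":"s3"}',
    '{"eventid":"cowrie.login.failed","src_ip":"192.0.2.5","session":"s3","username":"admin","password":"admin"}',
    '{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","session":"s4"}',
    '{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","session":"s4","username":"root","password":"password"}',
    "this line is not JSON and must be skipped",
]


def parse_log(lines):
    """Parse one JSON object per line; skip lines that are not a JSON object."""
    events = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events


def connections_per_ip(events):
    """Distinct sessions per source IP, busiest first (the per-IP list in the video)."""
    sessions = defaultdict(set)
    for ev in events:
        if ev.get("eventid") == "cowrie.session.connect":
            sessions[ev["src_ip"]].add(ev["session"])
    return sorted(((ip, len(s)) for ip, s in sessions.items()),
                  key=lambda pair: (-pair[1], pair[0]))


def login_attempts(events):
    """Counter keyed by (username, password, outcome) over all login events."""
    tally = Counter()
    for ev in events:
        eid = ev.get("eventid", "")
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            outcome = eid.rsplit(".", 1)[1]   # "failed" or "success"
            tally[(ev["username"], ev["password"], outcome)] += 1
    return tally


def commands_by_session(events):
    """Map each session id to the ordered list of commands typed in it."""
    by_session = defaultdict(list)
    for ev in events:
        if ev.get("eventid") == "cowrie.command.input":
            by_session[ev["session"]].append(ev["input"])
    return dict(by_session)


def drop_noisy_sessions(events, max_commands):
    """Drop every event belonging to a session that ran more than
    max_commands commands.  Returns (kept_events, set_of_dropped_sessions)."""
    counts = Counter(ev["session"] for ev in events
                     if ev.get("eventid") == "cowrie.command.input")
    noisy = {sid for sid, n in counts.items() if n > max_commands}
    kept = [ev for ev in events if ev.get("session") not in noisy]
    return kept, noisy


def top_commands(events, n=10):
    """Most frequent commands across the given events."""
    return Counter(ev["input"] for ev in events
                   if ev.get("eventid") == "cowrie.command.input").most_common(n)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    kept, dropped = drop_noisy_sessions(evs, max_commands=20)
    print("connections per IP:", connections_per_ip(evs))
    print("dropped noisy sessions:", sorted(dropped))
    for (user, pw, outcome), n in login_attempts(kept).most_common():
        print(f"  {user}/{pw}: {outcome} x{n}")
    print("top commands after filtering:", top_commands(kept))
```

The filter works per session rather than per IP, so one flooding session does not hide an earlier, quieter session from the same address; the threshold is a judgement call, since a legitimate-looking interactive session can also run dozens of commands, which is the "might cut interesting content" trade-off the thread mentions.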
Dshield is super cool! Have a look at that project too :)
Is there a way to set up Cowrie to get a semi-persistent system, so it might look a bit more difficult to detect that it's not a real system? Because if it's always gone instantly when you relog it might be a good indicator to detect that you're in a honeypot, and if it gets wiped randomly between 2-8 hrs it might look more like someone actually cleaned up the system, so it looks more like an actual system ^^
The world needs more John Hammond. Thank you for being awesome.
@John Hammond I need this on my network! Can't have enough honeypots!
Not sure why this was recommended but this is sick!!!
What music tracks did you use, loved the video and the music!
you need to do more of these
11:28 how can I check if I have a miner installed in my computer? Complete noob just super interested in all of this geek stuff. Great video!
Thank you 😂👌💕
"I'll make this info available to you guys" (never makes it available) that was the real betrayal
Someone's password attempt was 50cents and I find that funny somehow.
That was a real-life experience showcase and damn it was cool and informational to see what "amateurs and middle-class hackers would do". I missed it... I don't use socials, only YouTube and DC, that's it. So if you do such events again please make a Short or a short video of it. BTW I would have fallen for it. Have a nice day / week, see you at your next vid.
I didn't do this, but I bet a telltale sign that it was a honeypot would be that it would just be an empty file system, especially a few days after the link was released.
I’ve got an intermediate level in python and low low beginner level in server dev, and this video opened my eyes to so many fun things in cyber sec!
I realized when you set up a domain, pretty quickly the bots come in and attempt to log in wherever they can. It's weird how it looks for stuff on your site that doesn't exist.
I learnt a new thing today, what a honeypot is. As a beginner I feel I am growing my knowledge day by day 🙂
Yes i was hable to hakk it and i found out it was caw dairy that you used i also removed the honey dog server and I had complete aces of the server and i made all so eficient i only required one atempt and i also added mine cripto minor and a maincrazt server i play with all my frends theyre real i have much frends.
Might be interesting to do a video on honeypots vs deception Technologies with practicals
I've been sitting here going "no way port 22 is the actual SSH port, it's gotta be a trap"
Most of those random user names are probably SSH scanners that aren't related to people trying to do the challenge. Stand up a new server with SSH open and just watch, you'll see junk like that.
We should have more of these
I'm curious why there are no one-time interactions at 7:50? Is it because of some sort of SYN / ACK transmission?
Dionaea + Cowrie. Cowrie is very limited in its features. Don't count on 1 honey service only, unless you have the vCPU and memory to make a T-Pot
COOL VIDEO !!