---
title: Honeypot using Google Console
---
## Weeks 3 Project: Honeypot using Google Console
:::info
☝️ NOTE: An Support documentation for: https://courses.codepath.com/courses/cyb102/unit/9#!project
:::
**Summary:** Setup a honeypot and intercept some attempted attacks in the wild.
### Background
A [honeypot](https://en.wikipedia.org/wiki/Honeypot_(computing)) is a decoy application, server, or other networked resource that intentionally exposes insecure features which, when exploited by an attacker, will reveal information about the methods, tools, and possibly even the identity of that attacker. Honeypots are commonly used by security researchers to understand the threat landscape facing developers and system administrators, collecting data that might include:
- Information about sources of malicious network traffic such as IP addresses, geographic origin, targeted ports, etc.
- Information used to harden resources against email spammers
- Malware samples
- DB vulnerabilities such as SQLI techniques
There are two broad categories of honeypots:
- **Low-interaction honeypots** provide simulations of target resources, typically using emulation or virtualization, to reduce resource consumption, simplify configuration and deployment, and provide solid containment features
- **High-interaction honeypots** expose non-simulated target resources in a way that more closely imitates a production environment to attract more sophisticated attackers and understand more complicated exploitation routes
For example, a low-interaction honeypot might _emulate_ a server capable of accepting SSH connections through a combination of exposed ports and decoy responses, whereas the high-interaction version would feature an _actual_ SSH server possibly misconfigured in some way
that makes it vulnerable. In the low-interaction example, attempted exploitation would quickly lead to a dead end for the attacker, perhaps revealing only an IP address and a few attempted commands to the honeypot's maintainer. In the high-interaction example, the attacker would potentially be able to compromise the server, wasting more time and giving away more information about his or her goals.
### Overview
In this assignment, you will stand up a basic honeypot and demonstrate its effectiveness at detecting and/or collecting data about an attack. Guided instructions for doing this using specific software are provided below, but you are free to take any approach you wish that demonstrates the following basic principles:
- Successful configuration and deployment of a network-accessible honeypot server with two primary features:
- An attack surface that is vulnerable or exposed in some way to network-based attacks
- A network security feature such as an IDS configured to detect and log such attacks
- Illustration of at least one attack against the honeypot that can be detected or logged in a way that captures information about the attack or the attacker
-----
## Walkthrough
Keeping in mind that there are many ways one could fulfill the above requirements, in this section, we will walkthrough a basic honeypot deployment using a well-supported open source honeypot: [Modern Honey Network (MHN)](https://github.com/threatstream/mhn). MHN's architecture is modular and extensible and comes with many options for deploying different types of honey pots. In MHN architecture, there is a single admin VM which is used to deploy, manage and collect information from the honeypots, which are deployed as separate VMs. Thus to run MHN, we'll need to setup _at least two VMs_: the single **Admin VM** and at least one **Honeypot VM**.
### Milestone 0: To the Cloud!
To complete this assignment, you'll need access to a cloud hosting provider to provision the VMs. Many providers offer time-limited free trial accounts with resource limitations, and you should easily be able to complete the requirements for this assignment within these limitations -- though you may need to ensure you cleanup before your trial period expires. The setup we'll walkthrough below has been tested to work with micro-sized VMs with < 1GB memory and < 10GB disk space, so you may often be able to use the smallest possible option when provisioning VMs. All servers in this setup use Ubuntu 14.04 (trusty) -- and most cloud providers offer this as an option. Note that Ubuntu 16.04 and 17.04 will not work.
You can use any cloud provider to which you already have access or that offers a free trial, though you'll need to be familiar with its usage and / or limitations. If you're not sure where to start, we recommend [Google Cloud Platform's Free Tier](https://cloud.google.com/free/), and while we'll provide general guidelines that should work with most cloud providers, the instructions below will also show insets labeled **GCP Users** with commands and settings specific to Google Cloud Platform. If you are confident about working with an alternate cloud provider such as AWS feel free to adapt the below instructions accordingly. If this is your first foray into the world of cloud computing, consider starting a GCP trial so you can follow the more specific instructions below.
So to get started, make sure you have authenticated access to your cloud provider. You can provision the VMs any way you like, but you will need to be able to access the VMs via SSH.
#### GCP Users
- Learning GCP:
https://cloud.google.com/free/
https://www.qwiklabs.com/quests/23
### Initialize Google Cloud Shell
1. Creating project:
* Create a new project: https://console.cloud.google.com/compute/instances?project
* Select “project” from the left top
* Click on new project
* Choose project name
* Then click create.
2. Enable Compute
3. Initialize Cloud Shell Editor
Click on Open in new window to have shell on new window for clear view:
4. Enable billing:
```console
gcloud beta billing accounts list
```
- This will ask for authorization.
### Find your region and zone
```console
gcloud compute regions list
```
```console
gcloud compute zones list
```
### Set region/zone
```console
gcloud config set compute/zone us-central1-f
```
```console
gcloud compute project-info add-metadata \
--metadata google-compute-default-region=us-central1,google-compute-default-zone=us-central1-f
```
### Configure Firewall
```console
gcloud compute firewall-rules list
```
```console
gcloud compute firewall-rules create http \
--allow tcp:80 \
--description="Allow HTTP from Anywhere" \
--direction ingress \
--target-tags="mhn-admin"
gcloud compute firewall-rules create honeymap \
--allow tcp:3000 \
--description="Allow HoneyMap Feature from Anywhere" \
--direction ingress \
--target-tags="mhn-admin"
gcloud compute firewall-rules create hpfeeds \
--allow tcp:10000 \
--description="Allow HPFeeds from Anywhere" \
--direction ingress \
--target-tags="mhn-admin"
gcloud compute firewall-rules create wideopen \
--description="Allow TCP and UDP from Anywhere" \
--direction ingress \
--priority=1000 \
--network=default \
--action=allow \
--rules=tcp,udp \
--source-ranges=0.0.0.0/0 \
--target-tags="honeypot"
```
### Verify Firewall (Linux/MacOS bash)
```console
gcloud compute firewall-rules list --format="table(
name,
network,
direction,
priority,
sourceRanges.list():label=SRC_RANGES,
allowed[].map().firewall_rule().list():label=ALLOW,
targetTags.list():label=TARGET_TAGS,
disabled
)"
```
### Verify Firewall (Windows Google Cloud SDK Shell)
```console
gcloud compute firewall-rules list --format="table(name,network,direction,priority,sourceRanges.list():label=SRC_RANGES,allowed[].map().firewall_rule().list():label=ALLOW,targetTags.list():label=TARGET_TAGS,disabled)"
```
### MHN Admin
MHN is currently only supported on Ubuntu 18.04, 16.04 or CentOS 6.9
```console
gcloud compute images list | grep ubuntu-minimal
```
Create VM
```console
gcloud compute instances create "mhn-admin" \
--machine-type "n1-standard-1" \
--subnet "default" \
--maintenance-policy "MIGRATE" \
--tags "mhn-admin" \
--image-family "ubuntu-minimal-1804-lts" \
--image-project "ubuntu-os-cloud" \
--boot-disk-size "10" \
--boot-disk-type "pd-standard" \
--boot-disk-device-name "mhn-admin"
```
Setup SSH
- You can shh from the VMInstances page:
- https://console.cloud.google.com/compute/instances?cloudshell=true&project=YOUR_Project_ID
or
You will see new instance created with "mhn-admin" - ssh into the mhn admin, this will open up SSH-in-browser for interactions:
### Update, Download and Install MHN-Admin
```console
sudo apt update && sudo apt install git python-magic -y
```
```console
cd /opt/
```
```console
sudo git clone https://github.com/pwnlandia/mhn.git
```
```console
cd mhn/
```
```console
sudo sed -i 's/Flask-SQLAlchemy==2.3.2/Flask-SQLAlchemy==2.5.1/'g server/requirements.txt
```
```consol
sudo ./install.sh
```
### Configure
Take note of the ‘Superuser email’, ‘Superuser password’ and ‘Server base url’. These will be be your credentials for logging in to the MHN Admin webserver.
- Choose a random username and password (do not use anything related to your original email or password)
```console!
===========================================================
MHN Configuration
===========================================================
Do you wish to run in Debug mode?: y/n n
Superuser email: someone@something.somewhere
Superuser password: passwordHidden
Server base url ["http://1.2.3.4"]:
Honeymap url ["http://1.2.3.4:3000"]:
Mail server address ["localhost"]:
Mail server port [25]:
Use TLS for email?: y/n n
Use SSL for email?: y/n n
Mail server username [""]:
Mail server password [""]:
Mail default sender [""]:
Path for log file ["mhn.log"]:
```
#### Confirm successful installation
```conso=
sudo /etc/init.d/nginx status
sudo /etc/init.d/supervisor status
sudo supervisorctl status
```
:::info
Once the above three commands runs without any errors, your setup of MHN is successful.
:::
### Configure Honeypot
Return to the original terminal and enter the following to create the honeypot VM.
:::warning
The Gcloud console use --> `username@cloudshell:~$`
Make sure its not -> `username@mhn-admin:~$`
:::
- Once on cloudshell type below:
```consol
gcloud compute instances create "honeypot-1" \
--machine-type "n1-standard-1" \
--subnet "default" \
--maintenance-policy "MIGRATE" \
--tags "honeypot" \
--image-family "ubuntu-minimal-1804-lts" \
--image-project "ubuntu-os-cloud" \
--boot-disk-size "10" \
--boot-disk-type "pd-standard" \
--boot-disk-device-name "honeypot-1"
```
SSH:
- You can shh from the VMInstances page:
- https://console.cloud.google.com/compute/instances?cloudshell=true&project=YOUR_Project_ID
- You will see new instance created with "honeypot-1" - ssh into the mhn admin, this will open up SSH-in-browser for interactions:
- same as how you sshed in to the mhn-admin)
### Deploy Honeypot Sensors
- Go to Mhn cloudshell terminal
- `username@mhn-admin`
- If you forgot to write down the public IP of the MHN admin site you can use the following command in the MHN Admin’s SSH terminal session:
```console
curl ipinfo.io/ip
```
### Connect to the MHN Admin IP address in your favorite web browser and login.
- http://IPAddress/ui/login/dashboard
use superuser email and password used during setup
### Click Deploy and Select Script.
Copy Deploy Command.
### Enter the command in the honeypot terminal and confirm successful deployment.
#### Attacks:
- Sample attack:
- You can follow Milestone 5: Attack! from course portal:
- https://courses.codepath.com/courses/cyb102/unit/9#!project
```console=
nmap -A -T4 HoneyPot_IP_Address
nmap -sV -sC HoneyPot_IP_Address
```
- You can see ative attacks coming from various locations on map
- usually, attacks are live and immediate.
- http://IP_ADDRESS/ui/honeymap/
Attacks:
## Payloads:
- Wait for 30 minutes, don't leave it open for long, this will make file analysis hard.
### Dump Sensor Database
After you are finished gathering honey you can dump the sensor database from an mhn-admin terminal.
```console
mongoexport --db mnemosyne --collection session > session.json
```
The file may be quite large if the honeynet has been running for several days. You can shrink it down to 5 mebibytes with the following command.
```console
truncate --size="<5M" session.json
```
### Transfer sensor data back to your computer
#### Method 1:
You can also use gcloud’s built-in scp but it won’t handle tildes (~) properly. This means you’ll need to specify the absolute path to the source file. Replace USERNAME with your’s. Note that usernames are case sensitive.
```console
gcloud compute scp mhn-admin:/home/USERNAME/session.json ./session.json
```
#### Method 2:
on the top right corner click on download; give obsolute path to file
## Clean Up:
### Method 1:
When you are done you can delete everything and stop billing by deleting your project.
- Use username@cloudshell:
```console=
gcloud projects list
gcloud projects delete mhn-admin
```
### Method 2:
Select project settings:
Selct and click "DELETE"
----
## Issue 1:
- In case if you can see the attacks on the map but, when you navigate to the Attacks tab, it shows 0 attacks. Its due to python versions
#### Troubleshoot:
- Go to MHN console:
username@mhn-admin:
```con=
username@mhn-admin:
cd /opt/mnemosyne/env/lib/python2.7/site-packages/gevent
sudo vim hub.py
```
You might need to install vim:
`sudo apt install vim`
`sudo vim hub.py`
click "i" to start editing, and comment below five lines
- click "esc" :wq to save and exit file
Restart the mnemosyne,
```con
sudo supervisorctl restart mnemosyne
```
You will see below response:
```
mnemosyne: ERROR (not running)
mnemosyne: started
```
Navigate to Honeymap - you will see attacks immediately, same goes with payloads.
----
### Parent Document:
https://hackmd.io/@nkogkneeto/H1YKtqk9r#Find-your-region-and-zone
Sign in with Wallet
Connect another wallet