
Design and development of a honeypot testing system

Andrea Domenico Mourglia


Supervisors: Marco Mellia, Luca Vassio, Idilio Drago. Politecnico di Torino, Master's degree programme in Ict For Smart Societies (Ict Per La Società Del Futuro), 2022

PDF (Tesi_di_laurea) - Tesi
License: Creative Commons Attribution Non-commercial No Derivatives.

Abstract:

The permeation of connected electronic devices in everyday life has increased exponentially since the beginning of this century. Connected devices are constantly exposed to potential threats that could lead to sensitive data leaks. Data is the gold of the twenty-first century, which makes this risk not only a security problem but a critical economic issue. Modern IT systems are equipped with technological solutions that provide detection and protection against security risks. However, these systems do not produce comprehensive raw data about what they inspect. Complete information about the traffic towards a host could be useful to understand how malicious activities are performed. Honeypots can be employed to carry out this task. Honeypots are tools intended to mimic the behavior of a real machine, tricking an attacker into interacting with them and exploiting their apparent vulnerabilities. As honeypots are not real computers, it is important to assess how they respond compared with an actual machine. The fidelity of the response is an important topic, because it contributes to the honeypot's ability to keep an attacker connected to it in pursuit of its goal. The activity of testing systems by probing and attacking them to gather information about their behavior and discover vulnerabilities is known as penetration testing. Penetration testing techniques are composed of different phases that contribute to the assessment of a system's security. In this work, we followed some of the penetration testing phases, such as analysis and gaining and maintaining access, to evaluate the behavior of honeypots with respect to real machines. As a result, we developed a system called T-Hon capable of performing several attacks through the SSH protocol against different victims, managing the data collection and the target selection.
The T-Hon system automates the attack process by controlling Metasploit, a framework for penetration testing activities, and controlling the selection of the victim through a proxy, which is in charge of collecting all the traffic data and correctly forwarding the communication to the right recipient. In order to evaluate T-Hon, we used Cowrie as the test subject. Cowrie is a medium-interaction SSH and Telnet honeypot. The tests consisted of performing several attacks against it and against real systems, then comparing the results to discover potential issues and odd behaviors in the honeypot's responses. Attacks, or exploits, are scripts specifically designed to exploit vulnerabilities in order to gain access to a system. In this case, the chosen attacks aim at gaining access to the victim through the SSH protocol, retrieving a shell and executing specific commands. The analysis and comparison of the data collected by T-Hon during these attacks against both honeypots and actual systems highlighted some important discrepancies. We identified potential issues in Cowrie's implementation of the SSH connection protocol, especially concerning the order in which messages are sent and how shell requests are managed. Thanks to these findings, we demonstrated the value and usefulness of the developed tool.

Supervisors: Marco Mellia, Luca Vassio, Idilio Drago
Academic year: 2022/23
Publication type: Electronic
Number of pages: 88
Subjects:
Degree programme: Master's degree programme in Ict For Smart Societies (Ict Per La Società Del Futuro)
Degree class: New system > Master's degree > LM-27 - Telecommunications Engineering
Partner companies: NOT SPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/25469