tnich/honssh

Cannot connect to honeypot (Disconnecting with error, code 10)

ppan5 opened this issue · 9 comments

ppan5 commented

Hello everyone,

I would like to try honssh and set up two VMs in Virtualbox. Both with Ubuntu 16.04 installed and fully updated. Unfortunately, it is not possible for me to connect to the honeypot via honssh.

honssh runs on the first VM, with a NAT and an internal network. All requirements are installed (python2.7, python-twisted, python-mysqldb, python-geoip, python-watchdog). Additionally, /etc/sysctl.conf has been edited to enable net.ipv4.ip_forward=1.
The network configuration:
NAT: 10.0.2.15/24, 10.0.2.2 (Gateway)
Internal Network: 192.168.100.254/24
This VM gets a port forwarding (22 → 2222) from the host.

The second VM is connected to the internal network (192.168.100.4/24). openssh-server is installed and /etc/ssh/sshd_config is edited: Port 22, RSAAuthentication no, PubkeyAuthentication no, PasswordAuthentication yes.

Both VMs can ping each other, the first VM can access the internet. telnet 192.168.100.4 22 shows the banner.

My configuration and the honssh.log are attached.

Maybe you can find my mistake; I already tried a lot with e.g. iptables. Unfortunately, everything was unsuccessful. My setup described above is new with no further modifications.

Thanks
honssh_cfg.txt
honssh_log.txt

tnich commented

Hi,

Does it work with advNet disabled?

ppan5 commented

Hello tnich,

Yes, disabling advNet works. I thought I had tested it yesterday. But the problem with disabling advNet is that now my NAT gateway (10.0.2.2) is logged as the attacker's IP.

Also, I noticed that calling a simple post-auth-script is not working:

#-----------------------#
#   HONEYPOT SCRIPT     #
#-----------------------#
[honeypot-script]
# Documentation to come
enabled = true

# Should HonSSH use this plugin to get the honeypot details (before authentication)
pre-auth = false

# Should HonSSH use this plugin to get the honeypot details (after authentication)
post-auth = true

# ./script IP LOCALIP PORT LOCALPORT
pre-auth-script = 

# ./script IP LOCALIP PORT LOCALPORT USERNAME PASSWORD
post-auth-script = /home/ppan/test.py

This simple script should create a file and write all given arguments (IP LOCALIP PORT LOCALPORT USERNAME PASSWORD) in it. Did I misunderstand the syntax?

tnich commented

Ok, can you now re-enable advNet and also do:
[devmode]
enabled=true

Then re-run it and send me the new log file. Also it might be useful to see your iptables rules.

The honeypot-script is used to decide where HonSSH should forward connections to. For example, if the attacker's IP is, send it to x.x.x.x honeypot, else send it to y.y.y.y honeypot.

If you want a script to be run when someone logs in, look at the [output-app_hooks] section.

ppan5 commented

Hello tnich,

thank you for your fast replies.

I followed your instructions and got this output:

honsshctrl.sh[2467]: Starting honssh in background...
2018-06-02 16:46:08+0200 [-] Log opened.
2018-06-02 16:46:08+0200 [-] [SERVER] - Acquiring SSH Version String from honey_ip:honey_port
2018-06-02 16:46:08+0200 [-] Starting factory <honssh.client.HonsshSlimClientFactory instance at 0x7fb5bd0b0f38>
2018-06-02 16:46:08+0200 [-] HonsshServerFactory starting on 2222
2018-06-02 16:46:08+0200 [-] Starting factory <honssh.server.HonsshServerFactory instance at 0x7fb5bd0b0fc8>
2018-06-02 16:46:09+0200 [HonsshSlimClientTransport,client] [CLIENT] - Got SSH Version String: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
2018-06-02 16:46:09+0200 [HonsshSlimClientTransport,client] Disconnecting with error, code 10
reason: user closed connection
2018-06-02 16:46:09+0200 [HonsshSlimClientTransport,client] connection lost
2018-06-02 16:46:09+0200 [HonsshSlimClientTransport,client] [HONSSH] - HonSSH Boot Sequence Complete - Ready for attacks!
2018-06-02 16:46:09+0200 [-] Stopping factory <honssh.client.HonsshSlimClientFactory instance at 0x7fb5bd0b0f38>
2018-06-02 16:47:07+0200 [-] [PRE_AUTH] - Connecting to Honeypot: honssh-proxy (192.168.100.4:22)
2018-06-02 16:47:07+0200 [-] [ADV-NET] - HonSSH Interface created
2018-06-02 16:47:08+0200 [-] [ADV-NET] - HonSSH FakeIP and iptables rules added
2018-06-02 16:47:08+0200 [-] Starting factory <honssh.client.HonsshClientFactory instance at 0x7fb5bd0b0d40>
2018-06-02 16:47:08+0200 [HonsshServerTransport,0,10.0.2.2] kex alg, key alg: diffie-hellman-group14-sha1 ssh-rsa
2018-06-02 16:47:08+0200 [HonsshServerTransport,0,10.0.2.2] outgoing: aes256-ctr hmac-sha1 none
2018-06-02 16:47:08+0200 [HonsshServerTransport,0,10.0.2.2] incoming: aes256-ctr hmac-sha1 none
2018-06-02 16:47:08+0200 [HonsshServerTransport,0,10.0.2.2] NEW KEYS
2018-06-02 16:47:08+0200 [HonsshServerTransport,0,10.0.2.2] [SERVER] - CONNECTION TO HONEYPOT NOT READY, BUFFERING PACKET
2018-06-02 16:47:18+0200 [-] Stopping factory <honssh.client.HonsshClientFactory instance at 0x7fb5bd0b0d40>
2018-06-02 16:47:18+0200 [-] [PRE_AUTH][ERROR] - COULD NOT CONNECT TO HONEYPOT AFTER 10 SECONDS - DISCONNECTING CLIENT
2018-06-02 16:47:18+0200 [-] Disconnecting with error, code 10
reason: user closed connection
2018-06-02 16:47:18+0200 [HonsshServerTransport,0,10.0.2.2] connection lost

iptables -S:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

iptables -L -v -n
Chain INPUT (policy ACCEPT 88 packets, 13097 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 84 packets, 19481 bytes)
pkts bytes target prot opt in out source destination

Thank you very much for your help.

tnich commented

The honeypot VM (192.168.100.4), that has a default gateway of the HonSSH server (192.168.100.254), right?

And sorry, can you provide the output from iptables-save instead?

ppan5 commented

Hello tnich,

I checked the default gateway on the honeypot VM and found the misconfiguration (sorry for that).
Now I can connect with advNet enabled but still get my gateway as the attacker IP.

Output from iptables-save:

*nat
:PREROUTING ACCEPT [3:270]
:INPUT ACCEPT [3:270]
:OUTPUT ACCEPT [32:3396]
:POSTROUTING ACCEPT [31:3336]
-A PREROUTING -s 192.168.100.4/32 -d 10.0.2.2/32 -p tcp -m tcp --sport 22 -j DNAT --to-destination 11.1.3.3
-A POSTROUTING -s 11.1.3.3/32 -d 192.168.100.4/32 -p tcp -m tcp --dport 22 -j SNAT --to-source 10.0.2.2
COMMIT

tnich commented

Cool, we're getting there!

It should all be working now, those NAT rules look like advNet is doing its job. Looks like they should be source NAT'ting out as the attacker IP 10.0.2.2?

How are you testing it?

ppan5 commented

Hello tnich,

I have another system in the network which connects to the honssh/honeypot host via ssh. The connection is established and everything is logged fine.

But the attacker IP (it should be 192.168.x.x) is logged as 10.0.2.2. I know it is the NAT gateway, but was hoping the external IP (192.168.x.x) was forwarded.

ppan5 commented

Hello tnich,

thank you very much for your time and effort. HonSSH was working correctly, it was Virtualbox. Changed the config and it works great.
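
Added example, not part of the thread and not HonSSH code: a Python 3 check that pairs the advNet DNAT/SNAT rules from an `iptables-save` dump and tests whether the honeypot's replies to the spoofed attacker address would route back through HonSSH, which is the default-gateway question raised above. The function names and the `return_path_ok` parameters are hypothetical; the sample input is constructed from the rules posted in the thread.

```python
import ipaddress
import shlex

# Constructed input: the nat table from the iptables-save output in the thread.
SAMPLE = """*nat
-A PREROUTING -s 192.168.100.4/32 -d 10.0.2.2/32 -p tcp -m tcp --sport 22 -j DNAT --to-destination 11.1.3.3
-A POSTROUTING -s 11.1.3.3/32 -d 192.168.100.4/32 -p tcp -m tcp --dport 22 -j SNAT --to-source 10.0.2.2
COMMIT
"""

def parse_rule(line):
    """Map one '-A CHAIN ...' line to {option: value}, dropping any /mask."""
    tok = shlex.split(line)
    rule = {"chain": tok[1]}
    i = 2
    while i < len(tok) - 1:
        if tok[i].startswith("-"):
            rule[tok[i].lstrip("-")] = tok[i + 1].split("/")[0]
            i += 2
        else:
            i += 1
    return rule

def advnet_pairs(text):
    """Find DNAT/SNAT rules that mirror each other the way the pair above does."""
    rules = [parse_rule(l) for l in text.splitlines() if l.startswith("-A ")]
    pairs = []
    for d in (r for r in rules if r.get("j") == "DNAT"):
        for s in (r for r in rules if r.get("j") == "SNAT"):
            dkey = (d.get("s"), d.get("d"), d.get("to-destination"))
            skey = (s.get("d"), s.get("to-source"), s.get("s"))
            if None not in dkey and dkey == skey:
                pairs.append({"honeypot": dkey[0], "attacker": dkey[1],
                              "fake_ip": dkey[2]})
    return pairs

def return_path_ok(pair, honeypot_net, honeypot_gw, honssh_ip):
    """True if the honeypot's replies to the attacker address reach HonSSH."""
    attacker = ipaddress.ip_address(pair["attacker"])
    if attacker in ipaddress.ip_network(honeypot_net, strict=False):
        return False  # on-link address: replies are not routed through HonSSH
    return honeypot_gw == honssh_ip  # off-link: replies follow the default route

if __name__ == "__main__":
    for p in advnet_pairs(SAMPLE):
        print(p, return_path_ok(p, "192.168.100.0/24",
                                "192.168.100.254", "192.168.100.254"))
```

When `return_path_ok` is false, the honeypot's replies never hit the PREROUTING DNAT rule, which matches the 10-second "COULD NOT CONNECT TO HONEYPOT" timeout in the log above.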