Capturing Attacks on IoT Devices with a Multi-Purpose IoT Honeypot


A thesis submitted in fulfilment of the requirements for the degree of Master of Technology
by Krishnaprasad P
Department of Computer Science and Engineering, Indian Institute of Technology Kanpur
May 2017

Abstract

Name of the student: Krishnaprasad P
Roll No: 15111021
Degree for which submitted: M.Tech.
Department: Computer Science and Engineering
Thesis title: Capturing attacks on IoT devices with a multi-purpose IoT honeypot
Thesis supervisor: Dr. Sandeep Shukla
Month and year of thesis submission: May 2017

The past few years have seen a meteoric rise in the use of IoT (Internet of Things) devices, and malicious attackers are targeting IoT devices more and more. The reluctance of users to change the default credentials of such devices has made attacking them far more effective. A major example is the Mirai botnet attack of October 2016, which targeted a DNS provider and rendered many major websites unavailable. To counter this rapid increase in IoT attacks, we propose a new IoT honeypot that can capture attacks arriving through four common channels: Telnet, SSH, HTTP and CWMP. The captured attacks are then analysed to find common patterns and gain intelligence.

Acknowledgements

I would like to extend my sincere gratitude to Dr. Sandeep Shukla for guiding me in this project. I would also like to thank Rohit Sehgal and Nishit Majithia for their help and co-operation during various phases of the project. I am grateful to my friends for being there for me all the time. I am also thankful to my parents and brother for the love they have given me. Finally, I would like to thank the open-source community for providing me with lots and lots of help.
Contents

Abstract  ii
Acknowledgements  iii
Contents  iv
List of Figures  vii
List of Tables  viii
Abbreviations  ix
1 Introduction  1
  1.1 Honeypots  2
    1.1.1 Classification of honeypots  2
      1.1.1.1 Based on interaction  2
      1.1.1.2 Based on deployment  2
    1.1.2 Honeynets  3
  1.2 Objective  3
  1.3 Organization  3
2 Previous work  5
  2.0.1 Popular honeypots  6
    2.0.1.1 Kippo  6
    2.0.1.2 Cowrie  7
    2.0.1.3 Dionaea  7
    2.0.1.4 Glastopf  7
    2.0.1.5 Thug  7
    2.0.1.6 HonSSH  8
  2.1 IoT Honeypots  8
    2.1.1 Telnet-iot-honeypot  8
    2.1.2 HoneyThing  8
    2.1.3 MTPot  8
    2.1.4 IoTPOT  9
3 Reconnaissance with existing work  10
  3.1 Attack using our honeypot  11
  3.2 Another notable attack  13
  3.3 Conclusion  13
4 Honeypot Concept and Design  14
  4.1 Basic design  14
  4.2 Frontend  15
    4.2.1 Protocols supported  15
      4.2.1.1 Telnet  15
      4.2.1.2 SSH  16
      4.2.1.3 HTTP  16
      4.2.1.4 CWMP  16
    4.2.2 Machine Requirements  17
      4.2.2.1 Twisted  17
      4.2.2.2 Python Libraries used  17
        ConfigParser  18
        geoip2  18
        pyes  18
      4.2.2.3 ELK stack  18
        Elasticsearch  18
        Logstash  19
        Kibana  19
    4.2.3 Code implementation  20
      4.2.3.1 Telnet proxy  20
      4.2.3.2 HTTP proxy  21
      4.2.3.3 CWMP proxy  22
      4.2.3.4 SSH proxy  22
      4.2.3.5 Docker  23
      4.2.3.6 ELK stack  23
  4.3 Backend  24
    4.3.1 OpenWRT  24
    4.3.2 EasyCWMP  26
    4.3.3 HoneyThing  27
5 Advantages over current honeypots  28
6 Analysis and Conclusions  30
  6.1 Analysis  30
  6.2 Telnet attacks  30
    6.2.0.1 Pattern obtained  30
    6.2.1 Some major attacks  32
      6.2.1.1 Attack 1  32
      6.2.1.2 Attack 2  32
      6.2.1.3 Attack 3  34
      6.2.1.4 Attack 4  34
    6.2.2 Conclusions  34
  6.3 HTTP attacks  35
    6.3.1 Some major attacks  35
    6.3.2 Conclusions  36
  6.4 CWMP attacks  38
    6.4.1 Conclusions  40
7 Future Work  41
A Codes used  42
Bibliography  43

List of Figures

1.1 Example of a honeynet [11]  4
2.1 CyberCop Sting [9]  6
2.2 IoTPOT design [33]  9
3.1 Distribution of attacks by country  11
4.1 IoTPOT basic design  14
4.2 CWMP protocol [31]  17
4.3 Frontend design  18
4.4 ELK stack  19
4.5 Telnet proxy  21
4.6 Backend design: Configuration 1  25
4.7 Backend design: Configuration 2  27
6.1 Distribution of attacks per protocol  31
6.2 Geographical map based on the number of Telnet attacks  33
6.3 Country-wise count of HTTP attacks  36
6.4 Geographical map of number of HTTP attacks  37
6.5 Country-wise count of CWMP attacks  38
6.6 Geographical map of number of CWMP attacks  39

List of Tables

3.1 Top 5 countries from which attackers connected  11
6.1 Top 5 countries from which HTTP attacks originated  35
6.2 Top 5 countries from which CWMP attacks originated  38

Abbreviations

IoT   Internet of Things
DNS   Domain Name System
DDoS  Distributed Denial of Service
DTK   Deception Toolkit
HTTP  HyperText Transfer Protocol
CWMP  CPE WAN Management Protocol
SSH   Secure SHell
SCP   Secure Copy
SFTP  Secure File Transfer Protocol
TLS   Transport Layer Security
PHP   PHP: Hypertext Preprocessor
HTML  HyperText Markup Language
MHN   Modern Honey Network
RSH   Remote Shell
CPE   Customer Premises Equipment
ACS   Auto Configuration Server
XML   Extensible Markup Language
SOAP  Simple Object Access Protocol
API   Application Programming Interface
JSON  JavaScript Object Notation
TFTP  Trivial File Transfer Protocol
C&C   Command and Control

Dedicated to my family and friends

Chapter 1 Introduction

The Internet of Things (IoT) [26], in its most basic sense, refers to any physical device connected to the internet. Being connected to a network allows such devices to communicate with each other and share data. Popular examples include thermostats, refrigerators, televisions, health monitoring devices and home automation systems. Even the sensors, actuators and measurement instruments in power grids can be classified as IoT devices. The past few years have seen a rapid increase in the use of IoT devices, and more and more people rely on them in their daily lives.
The increase in popularity of IoT devices has also led to an increase in the number of attacks targeting them. The past year has seen multiple attacks on IoT devices. Most of these are DDoS attacks: the devices are first infected, the infected devices are used to spread the infection further, and the resulting botnet is later used to mount a DDoS attack on a target. The most prominent such attack used Mirai [27], a malware that compromised devices with weak login credentials and then used the infected devices to spread further. On October 21, 2016, a massive DDoS attack [21] mounted with Mirai targeted Dyn, a DNS provider, and affected a large number of internet users in the USA. Mirai was also used to mount attacks in Germany and the UK.

There are many other such malware families used for infecting and attacking systems. They are usually detected only after a large-scale attack. Honeypots are used to capture such files and attacks at a nascent stage.

1.1 Honeypots

A honeypot [14] is a system that acts as a trap to lure and ensnare attackers. Typically it is made attractive by appearing vulnerable: it may seem to hold information of use to a malicious intruder, or it may appear usable as a stepping stone for an attack on another system. In reality, all of the attacker's activity is logged and later analysed to gain intelligence and to prevent further such attacks. Honeypots can be classified according to various parameters.

1.1.1 Classification of honeypots

1.1.1.1 Based on interaction

Low-interaction honeypots usually present an attacker with an emulated set of services with limited functionality. Such honeypots are mainly used to gather data about the source of attacks rather than the methods used in them. High interaction
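A low-interaction honeypot of the kind described above can be demonstrated with a minimal Telnet login emulator. The following is an added example in Python and is not the thesis's own code (the thesis builds its proxies on Twisted): it presents a fake login prompt, strips Telnet option negotiation from the input, records every username/password pair together with the peer address as a JSON line, and hangs up after three pairs, so an attacker never reaches a shell and the honeypot learns only who is connecting and which credentials they try. The banner string, the listening port 2323 and the attempt limit are assumptions made for this example, and the sample inputs exercised in its tests are constructed.

```python
import asyncio
import json
import time

IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}          # WILL, WONT, DO, DONT
# Constructed banner imitating a BusyBox-based router; not copied from any real device.
BANNER = b"\r\nBusyBox v1.22.1 built-in shell (ash)\r\n\r\n"
MAX_ATTEMPTS = 3                              # assumed limit: hang up after this many pairs


def strip_iac(data: bytes) -> bytes:
    """Remove Telnet option negotiation (IAC sequences) so only typed text remains."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:        # escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif i + 1 < len(data) and data[i + 1] in NEGOTIATE:  # IAC <cmd> <option>
            i += 3
        elif i + 1 < len(data) and data[i + 1] == SB:         # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                                 # IAC <cmd>
            i += 2
    return bytes(out)


class TelnetLoginEmulator:
    """Low-interaction login prompt: records every username/password pair,
    never hands out a shell, and closes after MAX_ATTEMPTS pairs."""

    def __init__(self, peer: str):
        self.peer = peer
        self.buf = b""
        self.username = None      # set after the login line, cleared after the password
        self.attempts = []        # one dict per credential pair
        self.closed = False

    def start(self) -> bytes:
        return BANNER + b"login: "

    def feed(self, data: bytes) -> bytes:
        """Consume raw socket bytes; return what the honeypot should write back."""
        self.buf += strip_iac(data)
        reply = b""
        while b"\n" in self.buf and not self.closed:
            line, self.buf = self.buf.split(b"\n", 1)
            text = line.rstrip(b"\r").decode("utf-8", "replace")
            if self.username is None:
                self.username = text
                reply += b"Password: "
                continue
            self.attempts.append({"ts": time.time(), "peer": self.peer,
                                  "username": self.username, "password": text})
            self.username = None
            reply += b"\r\nLogin incorrect\r\n"    # every pair fails; no shell is ever given
            if len(self.attempts) >= MAX_ATTEMPTS:
                self.closed = True
            else:
                reply += b"login: "
        return reply

    def records(self) -> list:
        """JSON lines, one per attempt, suitable for a log shipper such as Logstash."""
        return [json.dumps(a, sort_keys=True) for a in self.attempts]


async def handle(reader, writer):
    peer = writer.get_extra_info("peername")[0]
    emu = TelnetLoginEmulator(peer)
    writer.write(emu.start())
    try:
        while not emu.closed:
            data = await asyncio.wait_for(reader.read(256), timeout=30)
            if not data:
                break
            writer.write(emu.feed(data))
            await writer.drain()
    except asyncio.TimeoutError:
        pass
    for rec in emu.records():
        print(rec)                # stdout; redirect to a file for collection
    writer.close()


async def serve(port: int = 2323):   # assumed unprivileged port; redirect 23 to it
    server = await asyncio.start_server(handle, "0.0.0.0", port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

The protocol state machine is kept apart from the network layer so the same logic can be exercised offline against constructed sessions. Because the emulator always answers "Login incorrect", it reveals nothing about the attacker's post-login behaviour, which is exactly the limitation of low-interaction honeypots that the paragraph above names: source addresses and credential dictionaries are captured, the methods used after a successful login are not.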

Document details: PDF, 56 pages, English.