Build an easy RDP Honeypot with Raspberry PI 3 and observe the infamous attacks such as (BlueKeep) CVE-2019-0708

alt3kx, Jun 5, 2019

In the last few weeks there has been a lot of activity on networks trying to attack the RDP service: maybe botnets looking for infected "zombies" with RDP exposed, or perhaps the bad guys trying to exploit the new attack called (BlueKeep) CVE-2019-0708? Inspect the traffic and set up your own honeypot with an RP3.

RDP Honeypot Raspberry PI 3

Technical Requirements:

Hardware:

1. Raspberry PI3

Essential Packages:

1. Wireshark

2. tcpdump

3. bro

4. rdpy

5. tcpick

Installation

Step1: Flash your Kali image to your Raspberry PI3. I chose this one: https://images.offensive-security.com/arm-images/kali-linux-2019.2-rpi3-nexmon.img.xz, and I used the Etcher software to flash the SD card from a Windows environment (easy & quick): https://www.balena.io/etcher/?ref=etcher_footer

Flashing SD card with Etcher

Step2: Once flashed, proceed to update/upgrade everything:

# apt-get update && apt-get upgrade && apt-get dist-upgrade

Kali on Raspberry PI 3

Step3: install the python-rdpy packages

# pip install twisted pyopenssl qt4reactor service_identity rsa pyasn1

# pip install rdpy

# apt-get install python-qt4

Step4: Validation. If everything went OK, you should be able to execute the following commands:

# rdpy-rdpcredsspmitm.py

# rdpy-rdpmitm.py

# rdpy-rssplayer.py

# rdpy-vncscreenshot.py

# rdpy-rdpclient.py

# rdpy-rdphoneypot.py

# rdpy-rdpscreenshot.py

# rdpy-vncclient.py

Note: On Kali Linux I received some errors with the Twisted package, which I fixed with the following commands:

# wget -c https://twistedmatrix.com/Releases/Twisted/19.2/Twisted-19.2.0.tar.bz2

# bzip2 -d Twisted-19.2.0.tar.bz2

# tar -xvf Twisted-19.2.0.tar

# cd Twisted-19.2.0

# python setup.py install

Executing rdpy-rdpclient.py & rdpy-rdphoneypot.py

Step5: Create a MiTM attack and record the session (RSS files); the idea is to show intruders a visible screen (a fake Remote Desktop):

# rdpy-rdpmitm.py -o /root/honeypots_arsenal/ 192.168.1.17

Where 192.168.1.17 is the real Windows Server 2008 IP address with the RDP service enabled. Then start an RDP connection to your localhost (127.0.0.1) using xfreerdp:

# xfreerdp --no-nla 127.0.0.1

You should see:

[*] INFO: *******************************************
[*] INFO: * SSL Security selected *
[*] INFO: *******************************************
^C

RDP session recorded (RSS file)

Step6: Replay your recorded session with the rdpy-rssplayer.py command; this is the recording (screen) that intruders will see:

# rdpy-rssplayer.py 20190601025837_127.0.0.1_1.rss

Step7: Time to run your RDP Honeypot; just execute the following command:

# rdpy-rdphoneypot.py 20190601025837_127.0.0.1_1.rss

Executing rdpy-rdphoneypot.py with session recorded (RSS file)

Step8: Check that the RDP service is listening on port 3389 on your Raspberry PI using nmap:

# nmap -F localhost

Running nmap to check that the RDP service is listening locally

Step9: Set up your router to give intruders access to service 3389 (Remote Desktop Protocol), then test that the RDP service is reachable on port 3389 from outside using nmap:

NAT/PAT Setup Orange Router

# nmap -F (your external IP address)

Running nmap to check that the RDP service is listening remotely

Step10: Start tcpdump and capture all the traffic arriving on port 3389:

# tcpdump -i eth0 -vvX -w rdp.pcap tcp port 3389

Capturing traffic on port 3389 with tcpdump

Packet Analysis

Step11: Install tcpick, wireshark and bro, then perform an analysis of the pcap file (rdp.pcap):

# apt-get install tcpick

# apt-get install wireshark

# apt-get install cmake make gcc g++ flex git bison python-dev swig libpcap-dev libssl-dev zlib1g-dev -y

# apt-get install libgeoip-dev -y

# apt-get install libmaxminddb-dev

# apt-get install bro broctl bro-aux -y

Packet analysis with tcpick:

# tcpick -C -yP -r rdp.pcap | more

Voila!

Executing tcpick (Packet Analysis)
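What tcpick prints as raw payload at the start of every RDP session is the client's X.224 Connection Request, and that single PDU is where the cookie (usually the username the client sends as mstshash) and the requested security protocols come from. The following Python script is an added example, not part of the original post and not code from rdpy or bro: it decodes that PDU by hand following the TPKT / X.224 / RDP_NEG_REQ layout documented in MS-RDPBCGR, so you can see exactly which fields the honeypot and bro's rdp.log are reporting. The two sample packets are constructed for the example, not taken from a capture; the PROTOCOL_* flag values are the documented ones.

```python
import struct

# Layout constants from TPKT (RFC 1006), X.224 and MS-RDPBCGR 2.2.1.1 / 2.2.1.1.1.
TPKT_VERSION = 3
X224_CR_CODE = 0xE0            # Connection Request TPDU code (high nibble)
TYPE_RDP_NEG_REQ = 0x01
COOKIE_PREFIX = b"Cookie: mstshash="
PROTOCOL_FLAGS = {
    0x00000001: "PROTOCOL_SSL",
    0x00000002: "PROTOCOL_HYBRID",      # CredSSP / NLA
    0x00000004: "PROTOCOL_RDSTLS",
    0x00000008: "PROTOCOL_HYBRID_EX",
}


def parse_connection_request(data):
    """Decode a client X.224 Connection Request and return the fields a honeypot
    operator cares about: the mstshash cookie, an optional routing token and the
    security protocols the client is willing to use. Raises ValueError on malformed input."""
    if len(data) < 11:
        raise ValueError("too short for TPKT header + X.224 CR fixed part")
    version, _reserved, tpkt_len = struct.unpack("!BBH", data[:4])
    if version != TPKT_VERSION:
        raise ValueError("not TPKT (version %d)" % version)
    if tpkt_len != len(data):
        raise ValueError("TPKT length %d != %d bytes supplied" % (tpkt_len, len(data)))
    li, code = data[4], data[5]
    if code & 0xF0 != X224_CR_CODE:
        raise ValueError("not an X.224 Connection Request (code 0x%02x)" % code)
    # LI counts every byte after itself; TPKT header (4) + LI byte (1) + LI == total length.
    if 5 + li != tpkt_len:
        raise ValueError("X.224 length indicator disagrees with TPKT length")
    body = data[11:]  # skip LI, code, DST-REF(2), SRC-REF(2), CLASS OPTION(1)

    # No RDP_NEG_REQ means the client only speaks standard RDP security.
    info = {"cookie": None, "routing_token": None, "requested_protocols": 0,
            "protocol_names": ["PROTOCOL_RDP"], "trailing_bytes": 0}

    # Optional cookie or routing token: ASCII text terminated by CR LF.
    if body and body[0] != TYPE_RDP_NEG_REQ:
        end = body.find(b"\r\n")
        if end == -1:
            raise ValueError("unterminated cookie/routing token")
        token = body[:end]
        if token.startswith(COOKIE_PREFIX):
            info["cookie"] = token[len(COOKIE_PREFIX):].decode("ascii", "replace")
        else:
            info["routing_token"] = token.decode("ascii", "replace")
        body = body[end + 2:]

    # Optional RDP_NEG_REQ: type(1) flags(1) length(2, LE) requestedProtocols(4, LE).
    if body:
        if len(body) < 8 or body[0] != TYPE_RDP_NEG_REQ:
            raise ValueError("unexpected data after the X.224 header")
        _type, _flags, length, protocols = struct.unpack("<BBHI", body[:8])
        if length != 8:
            raise ValueError("RDP_NEG_REQ length must be 8, got %d" % length)
        info["requested_protocols"] = protocols
        names = [n for bit, n in sorted(PROTOCOL_FLAGS.items()) if protocols & bit]
        info["protocol_names"] = names or ["PROTOCOL_RDP"]
        info["trailing_bytes"] = len(body) - 8  # e.g. rdpCorrelationInfo, not decoded here
    return info


def describe(data):
    """One-line summary suitable for a log line."""
    info = parse_connection_request(data)
    return "cookie=%s protocols=%s" % (info["cookie"], "|".join(info["protocol_names"]))


# Constructed sample (not a real capture): a client announcing username "hello"
# and offering TLS or CredSSP security.
SAMPLE_CR = (
    b"\x03\x00\x00\x2b"                     # TPKT: version 3, reserved, length 43
    b"\x26\xe0\x00\x00\x00\x00\x00"         # X.224 CR: LI 38, code E0, refs 0, class 0
    b"Cookie: mstshash=hello\r\n"
    b"\x01\x00\x08\x00\x03\x00\x00\x00"     # RDP_NEG_REQ: SSL | HYBRID
)

# Constructed sample of a legacy client: no cookie and no negotiation request,
# which means standard RDP security only (the pre-TLS mode).
SAMPLE_LEGACY_CR = b"\x03\x00\x00\x0b\x06\xe0\x00\x00\x00\x00\x00"


if __name__ == "__main__":
    for sample in (SAMPLE_CR, SAMPLE_LEGACY_CR):
        print(describe(sample))
```

Feed it the first TCP payload of each session (from tcpick's output or a small pcap reader) and you get the same cookie and security-protocol view that bro's rdp.log gives you, plus a clear error whenever the PDU is not well-formed, which is itself worth logging on a honeypot.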

Step12: Review in depth with human-readable logs using bro (the following command will create the log files):

# bro -r rdp.pcap -C

Generating human readable logs with bro command

# cat rdp.log | bro-cut id.orig_h id.orig_p id.resp_h id.resp_p cookie result security_protocol keyboard_layout client_build client_name | more

Reading rdp.log file with bro-cut
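The bro-cut one-liner shows one line per connection; once the honeypot has been exposed for a while, what you actually want is a per-source view of who keeps coming back and how many usernames they cycle through. The script below is an added example (not part of the original post, rdpy or bro): it parses the tab-separated rdp.log format using its own #fields and #unset_field headers, groups connections by source address, and flags sources whose volume or username churn looks like a scanner or credential-guessing bot. The embedded log is constructed for the example and trimmed to the columns the bro-cut command selects; the thresholds in flag_noisy_sources are assumptions to tune for your own exposure.

```python
import collections

# Constructed sample rdp.log in Zeek/Bro tab-separated format (not a real capture).
# Columns are the ones selected by the bro-cut command above, plus ts and uid.
SAMPLE_RDP_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\trdp\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tcookie\tresult"
    "\tsecurity_protocol\tkeyboard_layout\tclient_build\tclient_name\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring"
    "\tstring\tstring\tstring\tstring\n"
    "1559357917.10\tC1\t203.0.113.5\t51234\t192.168.1.20\t3389\tadministrator\t-\tRDP\t-\t-\t-\n"
    "1559357918.20\tC2\t203.0.113.5\t51240\t192.168.1.20\t3389\tadmin\t-\tRDP\t-\t-\t-\n"
    "1559357919.30\tC3\t203.0.113.5\t51251\t192.168.1.20\t3389\ttest\t-\tRDP\t-\t-\t-\n"
    "1559357920.40\tC4\t203.0.113.5\t51262\t192.168.1.20\t3389\tuser\t-\tRDP\t-\t-\t-\n"
    "1559357921.50\tC5\t203.0.113.5\t51270\t192.168.1.20\t3389\tguest\t-\tRDP\t-\t-\t-\n"
    "1559357922.60\tC6\t203.0.113.5\t51281\t192.168.1.20\t3389\tadministrator\t-\tRDP\t-\t-\t-\n"
    "1559358000.00\tC7\t198.51.100.7\t40001\t192.168.1.20\t3389\thello\tSuccess\tSSL"
    "\tEnglish - United States\t18362\tDESKTOP-EXAMPLE\n"
    "1559358100.00\tC8\t192.0.2.9\t45000\t192.168.1.20\t3389\t-\t-\tHYBRID\t-\t-\t-\n"
    "#close\t2019-06-01-03-00-00\n"
)


def parse_zeek_log(text):
    """Yield one dict per data row, naming columns from the #fields header and
    translating the #unset_field marker to None."""
    fields, unset = None, "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            parts = line.split("\t")
            if parts[0] == "#fields":
                fields = parts[1:]
            elif parts[0] == "#unset_field" and len(parts) > 1:
                unset = parts[1]
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("row has %d columns, header has %d" % (len(values), len(fields)))
        yield {f: (None if v == unset else v) for f, v in zip(fields, values)}


def summarize_sources(records):
    """Group connections by source address: count, distinct cookies (usernames
    offered), and counters of security protocol and result."""
    summary = {}
    for r in records:
        s = summary.setdefault(r["id.orig_h"], {
            "connections": 0, "cookies": set(),
            "protocols": collections.Counter(), "results": collections.Counter()})
        s["connections"] += 1
        if r["cookie"]:
            s["cookies"].add(r["cookie"])
        s["protocols"][r["security_protocol"] or "unknown"] += 1
        s["results"][r["result"] or "unknown"] += 1
    return summary


def flag_noisy_sources(summary, min_connections=5, min_cookies=3):
    """Sources that hit the honeypot repeatedly or cycle through usernames, the
    pattern of scanners and credential-guessing bots. Thresholds are assumptions."""
    return sorted(ip for ip, s in summary.items()
                  if s["connections"] >= min_connections or len(s["cookies"]) >= min_cookies)


def analyze(text):
    """Parse a whole rdp.log and return (per-source summary, list of noisy sources)."""
    summary = summarize_sources(parse_zeek_log(text))
    return summary, flag_noisy_sources(summary)


if __name__ == "__main__":
    summary, noisy = analyze(SAMPLE_RDP_LOG)
    for ip, s in sorted(summary.items()):
        print(ip, s["connections"], sorted(s["cookies"]), dict(s["protocols"]), dict(s["results"]))
    print("noisy sources:", noisy)
```

To run it on the real file, replace SAMPLE_RDP_LOG with open("rdp.log").read(); the parser keys everything off the #fields header, so the extra columns in a full bro rdp.log are carried along untouched.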

Resources

https://github.com/citronneur/rdpy

https://stackoverflow.com/questions/17476761/importerror-no-module-named-twisted-internet

https://tools.kali.org/reporting-tools/rdpy

https://docs.zeek.org/en/stable/quickstart/#managing-bro-with-brocontrol

https://blog.rapid7.com/2017/06/24/how-to-install-and-configure-bro-on-ubuntu-linux/