This is a basic guide to installing and running Cowrie.
Start Cowrie with the following commands:
cd ~/cowrie/docker/
docker-compose up
To stop the running container, press Ctrl+C.
Logs can be viewed via:
tail ~/cowrie/docker/cowrie-var/log/cowrie/cowrie.json
The default config can be viewed here: https://github.com/cowrie/cowrie/blob/master/etc/cowrie.cfg.dist
The Cowrie config file is under ~/cowrie/docker/cowrie-etc/. Try changing the default hostname:
hostname = svr04
- SSH to the server using credentials in the default userdb. Try pulling down a file from the internet using wget and exit the shell.
- The default userdb is here: https://github.com/cowrie/cowrie/blob/master/etc/userdb.example
- Connect to the honeypot and download a file using wget. The log will output the filehash of the file.
- Get the file from the honeypot artifacts.
sudo cat ~/cowrie/docker/cowrie-var/lib/cowrie/downloads/<filehash>
- Try configuring a non-default hostname, kernel version and SSH version for the honeypot.
- Modify the default userdb.
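For the wget exercise above, this added example (not part of the original guide or of Cowrie itself) reads cowrie.json lines, pairs each file download with the login used in that session, and returns the artifact path under the downloads directory. The event and field names follow Cowrie's JSON log output; the sample events, session id and hash are constructed.

```python
import json
import re
from pathlib import Path

# Artifact directory used in this guide.
DOWNLOADS = Path("~/cowrie/docker/cowrie-var/lib/cowrie/downloads").expanduser()
SHA256_RE = re.compile(r"[0-9a-f]{64}")

def parse_downloads(lines):
    """Return one record per file download, joined to that session's login."""
    logins, downloads = {}, []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or half-written line (the log is appended live)
        if not isinstance(event, dict):
            continue
        eventid, session = event.get("eventid"), event.get("session")
        if eventid == "cowrie.login.success":
            logins[session] = (event.get("username"), event.get("password"))
        elif eventid == "cowrie.session.file_download":
            shasum = str(event.get("shasum", ""))
            # Only a well-formed hash may become part of a filesystem path.
            if not SHA256_RE.fullmatch(shasum):
                continue
            downloads.append({
                "src_ip": event.get("src_ip"),
                "login": logins.get(session),
                "url": event.get("url"),
                "shasum": shasum,
                "artifact": DOWNLOADS / shasum,
            })
    return downloads

# Constructed sample events (all values made up), plus one truncated line.
FAKE_HASH = "ab" * 32
_BASE = {"session": "0123456789ab", "src_ip": "192.0.2.10"}
SAMPLE = [
    json.dumps({**_BASE, "eventid": "cowrie.login.success",
                "username": "root", "password": "example-password"}),
    json.dumps({**_BASE, "eventid": "cowrie.session.file_download",
                "url": "http://example.com/file.bin", "shasum": FAKE_HASH}),
    '{"eventid": "cowrie.session.file_dow',
]

if __name__ == "__main__":
    for rec in parse_downloads(SAMPLE):
        print(rec["src_ip"], rec["login"], rec["url"], rec["artifact"])
```

Against a live honeypot, pass the open log file instead of SAMPLE. Files under downloads/ are whatever the remote party fetched, so inspect them as untrusted data rather than executing them.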
Run Cowrie with the extra port mapping and the telnet option enabled:
[telnet]
# Enable Telnet support, disabled by default
enabled = true
Connect to your server using telnet on port 23.
- Uncomment the output_misp module in ~/cowrie/docker/cowrie-etc/cowrie.cfg.dst
- Replace the base_url and api_key with the ones provided.
- For the purposes of this tutorial only, disable verify_cert.
- Restart the docker container.
- Connect to the honeypot and pull down a file via wget. The file should be pushed to a MISP event.