MD-Honeypot-SSH

Gathering Threat Intelligence Data during the SSH Handshake

Abstract

With the number of network-connected devices ever increasing, and many of them running the Secure Shell (SSH) protocol to facilitate remote management, research into SSH attacks is more important than ever. SSH honeypots can pose as vulnerable systems while gathering valuable data on the attacker and their methods. The SSH handshake is currently an undervalued asset in these honeypots, as a great deal of data is already exchanged in this early part of the protocol. In this thesis we propose the MD-Honeypot-SSH framework, which can be used to gather threat intelligence research data on the SSH handshake. We show the design choices made in the development of the framework and consider which data is useful to collect in the SSH handshake for future research. As part of the framework we modify an existing OpenSSH implementation so that we can log any relevant branching decisions made in the server. We then use this logging data to create state machines of the server behaviour while handling a specific connection. We use these state machines to compare different connections and show, as a proof of concept, that we can group these connections based on the client used. The main contribution of this thesis is to provide the MD-Honeypot-SSH framework as a tool for future research, and we give some recommendations for future research directions.
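The abstract describes turning a server's logged branching decisions into a per-connection state machine and grouping connections by that behaviour. The following is an added illustration of that idea, not code from the thesis or its framework; the log format, the branch names and the client identification strings are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample log (the framework's real log format is not shown here).
# One line per logged branching decision: connection id, the client's
# identification string, and the branch the modified server took.
SAMPLE_LOG = """\
conn=1 client=SSH-2.0-ExampleClientA event=kexinit_received
conn=1 client=SSH-2.0-ExampleClientA event=kex_algorithm_first_match
conn=1 client=SSH-2.0-ExampleClientA event=newkeys_sent
conn=2 client=SSH-2.0-ExampleClientA event=kexinit_received
conn=2 client=SSH-2.0-ExampleClientA event=kex_algorithm_first_match
conn=2 client=SSH-2.0-ExampleClientA event=newkeys_sent
conn=3 client=SSH-2.0-ExampleClientB event=kexinit_received
conn=3 client=SSH-2.0-ExampleClientB event=kex_algorithm_later_match
conn=3 client=SSH-2.0-ExampleClientB event=newkeys_sent
conn=4 client=SSH-2.0-ExampleClientB event=kexinit_received
conn=4 client=SSH-2.0-ExampleClientB event=disconnect_before_newkeys
"""


def parse_log(text):
    """Parse key=value log lines into {conn_id: {"client": str, "events": [...]}}."""
    conns = {}
    for line in text.splitlines():
        if line.strip():
            f = dict(tok.split("=", 1) for tok in line.split())
            rec = conns.setdefault(f["conn"], {"client": f["client"], "events": []})
            rec["events"].append(f["event"])
    return conns


def state_machine(events):
    """One connection's server behaviour as the set of observed transitions
    between logged branches, from an implicit START to an implicit END."""
    states = ["START", *events, "END"]
    return frozenset(zip(states, states[1:]))


def similarity(a, b):
    """Jaccard similarity of two state machines (1.0 means identical)."""
    return len(a & b) / len(a | b)


def group_by_behaviour(conns):
    """Cluster connection ids with identical state machines and record the
    client identification strings observed in each cluster."""
    groups = defaultdict(list)
    for cid, rec in conns.items():
        groups[state_machine(rec["events"])].append(cid)
    return [(sorted(ids), sorted({conns[c]["client"] for c in ids}))
            for ids in groups.values()]
```

Connections 1 and 2 fall into one behavioural group, while connection 4 (same client, but it disconnected early) forms its own, which is the kind of case where the similarity score rather than exact equality is useful for comparison.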