Blog
An Attacker’s Guide to Evading Honeypots - Part 3
·
Thursday, September 21, 2023

Ghost Threat Research Team
In the first post of this blog series we looked at the JA3 behavior of specific tools as well as their capabilities to mask JA3 analysis. In the second post we explored how to use JA3 randomization to discover and map honeypots deployed in cloud infrastructure. In this third and final post we will detail how to use these same techniques to determine which CVEs the honeypot network can detect. This will give us a sense of the types of vulnerabilities prioritized by threat intelligence organizations as they expand their detection capabilities. A list of all the CVEs we observed is included at the end of this post.
Similar to part 2 of this blog, the information here is a combination of our research and findings from multiple threat intelligence providers and it has been anonymized for security and courtesy. We present the research and findings as if they are for a single hypothetical company named ACME.
Quite a few of the CVEs they can identify have "low" EPSS scores while there's only one with a "low" CVSS score. This could indicate they're not including EPSS scoring in their risk model. The severities for EPSS and CVSS are ranked as follows:
Critical: CVSS ≥ 9.0; EPSS ≥ 0.90
High: CVSS 6.0~9.0; EPSS 0.60~0.89
Medium: CVSS 3.0~6.0, EPSS 0.30~0.59
Low: CVSS 0.0~2.9; EPSS 0.0~0.29
Note: Counts may not all add up due to some CVEs not having an EPSS or CVSS score assigned yet.
We pulled the tags from the nuclei CVE templates and correlated them with the 300 flagged CVEs to see if ACME is focusing on any particular technology or vulnerability type. Below we see that Remote Code Execution (RCE) and Local File Inclusion (LFI) are the primary areas of focus for ACME.
When looking at the distribution of the cve year tag, we see that ACME primarily focuses on those RCE vulnerabilities that are less than six years old, with the oldest being 14 years.
Years of focus for ACME
When looking at the individual technologies, ACME does seem to prioritize specific ones. Namely a blend of SOHO and enterprise networking equipment, Apache, VMware, Wordpress, Confluence/Jira, and Oracle technologies like Weblogic and Coldfusion.
Technologies of observed CVEs by ACME
The full list of technologies is included at the end of the blog.
As a final observation, 41 CVEs observed by ACME were not among the CVEs used in the nuclei scans. This represents only an 86% accuracy in detecting the correct vulnerability being exploited. Upon investigation we found that some of the reported CVEs are part of a CVE series, meaning the CVE number of the nuclei template is part of the same vulnerability chain ACME reported, but with a different CVE number. However, most of these did not have a matching nuclei template. For example: CVE-2020-29390 (ZeroShell RCE) was observed, but there is no correlating nuclei template.
A list of all observed CVEs is included at the end of the blog.
Conclusion
In this blog series we detailed how to evade honeypots using JA3 hash randomization to enumerate and analyze the honeynets of threat intelligence providers. These providers frequently supply their intelligence to different security tools and services. By accurately mapping and excluding their honeynets, scans can be conducted more discreetly, making detection considerably more challenging.
While honeynets are a valuable tool and an important part of threat feed intelligence, it's good to remember that savvy attackers can evade these kinds of routine detection mechanisms and organizations should seek to include security measures that focus on application/API usage and behavior patterns like the Ghost platform.
Additional Resources
Python script for running nuclei scans
Full list of technologies:
To actually generate and send our request, we need to add a "Sender" node too. Let's add that and an Output node to capture and generate some output.
Wiring Up Your First Request
Let's wire it up and send the first request. A "Sender" node needs several inputs:
A trigger event to trigger the request. This can come from the "replacements" or from the "start".
The "request" input is the formatted request to use. In this case, the one we imported.
Then, move the mouse near the output section of "Start" and the circle will be highlighted. Once that has happened, click and hold the left mouse button and drag the wire over to attach it to the "start" of the "Sender" node. Repeat to wire everything up as shown.
Then, click the "Output" node, and in the "Template" section type "Done!"
Now our basic workflow is ready to run! Click the play arrow in the bottom left and it will fire our request off.
Capturing and Displaying Response Data
Now that we have the basics of wiring up a workflow, let's capture and display our IP address returned in the response.
Add another node, this time adding an "Extractor" node. Disconnect our sender's output from the Output node and instead connect the Sender to the "response" of the Extractor and the output of the Extractor to the Output node.
Click the "Extractor" node and select "Entire Body" from the Type menu, and I set the variable I want this captured in to $RESP_BODY$
and then I changed my Output template to the following:
In Reaper, variables are named in between two $ characters and can be accessed in anything from output to request nodes, in the event we want to say, replace a header value.
Then click the play button again, and we should see our IP displayed in the output window!
Basic Fuzzing: Sniper Mode
Next, let's try adding a Fuzzer to show a basic fuzz similar to Burp's Intruder sniper tool.
Click on the Fuzzer to open its menu. Let's change the placeholder variable's name. We will set it to $PLACEHOLDER$
And change our numeric list to run from 0 to 5.
The Fuzzer node will replace anything with that placeholder with the values in its list, during its loop phase. We will need to rewire our workflow to leverage the fuzzer. Anything connected to the right of the fuzzer is "downstream" of the Fuzzer and will be within its loop.
Then we need to take advantage of the fuzzer, so I modified the URL in the request to include the $PLACEHOLDER$
variable. I also changed my output template to:
We wire the fuzzer's "output" to a sender's "replacements" option.
After clicking play, we can see we fired off 5 requests to http://icanhazip.com/0, http://icanhazip.com/1, and so forth.
More Advanced Fuzzing: Pitch Fork
We can accomplish a similar task as intruder's "Pitchfork" attack type. To do this, wire up two Fuzzers to the start node. This will loop through each payload set simultaneously.
Let's add another fuzzer node and a merger node. The merger node will merge two sets of variables together to input them into the "replacements" section of the sender.
I simply set mine to use the CSV: a,b,c,d,e and changed my output to:
You can import this workflow to play with yourself. Download the atk file and click the folder icon in your workflow pane, and select the file to import it.
More Advanced Fuzzing: Cluster Bomb
Another common Intruder attack type is the "Cluster Bomb", which will try all possible combinations of the different payload sets.
In Reaper, you can consider a Fuzzer node like a for loop. Daisy chaining multiple fuzzers together will create the conditions for a "Cluster Bomb" style attack.
I set my Output to:
And Fuzzer A to use a numeric list from 1-5, and Fuzzer B to use a CSV of a,b,c,d,e,f
You can see from the output that it loops over each combination of each fuzzer, like a nested for loop.
I have attached the workflow below so you can import it to your Reaper instance to play around with.
Keep an eye out for more Reaper how-to guides!