def __init__(self, username, server):
avatar.ConchUser.__init__(self)
self.username = username.decode('utf-8')
self.server = server
self.channelLookup[b'session'] = sshsession.HoneyPotSSHSession
try:
pwentry = pwd.Passwd().getpwnam(self.username)
self.uid = pwentry['pw_uid']
self.gid = pwentry['pw_gid']
self.home = pwentry['pw_dir']
except:
self.uid = 1001
self.gid = 1001
self.home = '/home'
# SFTP support enabled only when option is explicitly set
try:
if CONFIG.getboolean('ssh', 'sftp_enabled') == True:
self.subsystemLookup[b'sftp'] = conchfiletransfer.FileTransferServer
except ValueError as e:
pass
# SSH forwarding disabled only when option is explicitly set
self.channelLookup[b'direct-tcpip'] = forwarding.cowrieOpenConnectForwardingClient
try:
if CONFIG.getboolean('ssh', 'forwarding') == False:
del self.channelLookup[b'direct-tcpip']
except:
pass
def __init__(self):
self.host = CONFIG.get(self.RETHINK_DB_SEGMENT, 'host')
self.port = CONFIG.getint(self.RETHINK_DB_SEGMENT, 'port')
self.db = CONFIG.get(self.RETHINK_DB_SEGMENT, 'db')
self.table = CONFIG.get(self.RETHINK_DB_SEGMENT, 'table')
self.password = CONFIG.get(self.RETHINK_DB_SEGMENT, 'password', raw=True)
cowrie.core.output.Output.__init__(self)
def checkUserPass(self, theusername, thepassword, ip):
# UserDB is the default auth_class
authname = auth.UserDB
# Is the auth_class defined in the config file?
if CONFIG.has_option('honeypot', 'auth_class'):
authclass = CONFIG.get('honeypot', 'auth_class')
authmodule = "cowrie.core.auth"
# Check if authclass exists in this module
if hasattr(modules[authmodule], authclass):
authname = getattr(modules[authmodule], authclass)
else:
log.msg('auth_class: %s not found in %s' % (authclass, authmodule))
theauth = authname()
if theauth.checklogin(theusername, thepassword, ip):
log.msg(eventid='cowrie.login.success',
format='login attempt [%(username)s/%(password)s] succeeded',
username=theusername,
password=thepassword)
return True
else:
log.msg(eventid='cowrie.login.failed',
format='login attempt [%(username)s/%(password)s] failed',
username=theusername,
password=thepassword)
return False
def start(self):
"""
"""
log.msg("WARNING: Beta version of new hpfeeds enabled. This will become hpfeeds in a future release.")
if CONFIG.has_option('output_hpfeeds', 'channel'):
self.channel = CONFIG.get('output_hpfeeds', 'channel')
if CONFIG.has_option('output_hpfeeds', 'endpoint'):
endpoint = CONFIG.get('output_hpfeeds', 'endpoint')
else:
server = CONFIG.get('output_hpfeeds', 'server')
port = CONFIG.getint('output_hpfeeds', 'port')
if CONFIG.has_option('output_hpfeeds', 'tlscert'):
with open(CONFIG.get('output_hpfeeds', 'tlscert')) as fp:
authority = ssl.Certificate.loadPEM(fp.read())
options = ssl.optionsForClientTLS(server, authority)
endpoint = endpoints.SSL4ClientEndpoint(reactor, server, port, options)
else:
endpoint = endpoints.HostnameEndpoint(reactor, server, port)
ident = CONFIG.get('output_hpfeeds', 'identifier')
secret = CONFIG.get('output_hpfeeds', 'secret')
self.meta = {}
self.client = ClientSessionService(endpoint, ident, secret)
self.client.startService()
def download(self, url, fakeoutfile, outputfile, *args, **kwargs):
try:
parsed = compat.urllib_parse.urlparse(url)
scheme = parsed.scheme
host = parsed.hostname.decode('utf8')
port = parsed.port or (443 if scheme == 'https' else 80)
if scheme != b'http' and scheme != b'https':
raise NotImplementedError
except Exception:
self.errorWrite('curl: (1) Protocol "{}" not supported or disabled in libcurl\n'.format(scheme))
self.exit()
return None
factory = HTTPProgressDownloader(
self, fakeoutfile, url, outputfile, *args, **kwargs)
out_addr = None
if CONFIG.has_option('honeypot', 'out_addr'):
out_addr = (CONFIG.get('honeypot', 'out_addr'), 0)
if scheme == 'https':
contextFactory = ssl.ClientContextFactory()
contextFactory.method = SSL.SSLv23_METHOD
reactor.connectSSL(host, port, factory, contextFactory, bindAddress=out_addr)
else: # Can only be http
self.connection = reactor.connectTCP(
host, port, factory, bindAddress=out_addr)
return factory.deferred
def __init__(self):
self.sessions = {}
self.ttylogs = {}
# FIXME figure out what needs to be done here regarding
self.re_sessionlog = re.compile(
r'.*HoneyPotSSHTransport,([0-9]+),[:a-f0-9.]+$')
# cowrie.session.connect is special since it kicks off new logging session,
# and is not handled here
self.events = {
'cowrie.login.success': self.handleLoginSucceeded,
'cowrie.login.failed': self.handleLoginFailed,
'cowrie.log.open': self.handleTTYLogOpened,
'cowrie.command.success': self.handleCommand,
'cowrie.command.failed': self.handleUnknownCommand,
'cowrie.session.file_download': self.handleFileDownload,
'cowrie.command.input': self.handleInput,
'cowrie.client.version': self.handleClientVersion,
'cowrie.client.size': self.handleTerminalSize,
'cowrie.session.closed': self._connectionLost,
'cowrie.log.closed': self.handleTTYLogClosed,
}
self.reported_ssh_port = None
if CONFIG.has_option('honeypot', 'reported_ssh_port'):
self.reported_ssh_port = CONFIG.getint('honeypot', 'reported_ssh_port')
self.report_public_ip = False
if CONFIG.has_option('honeypot', 'report_public_ip'):
if CONFIG.getboolean('honeypot', 'report_public_ip') == True:
self.report_public_ip = True
import urllib
self.public_ip = urllib.urlopen('http://myip.threatstream.com').readline()
self.start()
def __init__(self):
addr = CONFIG.get('output_socketlog', 'address')
self.host = addr.split(':')[0]
self.port = int(addr.split(':')[1])
self.timeout = CONFIG.getint('output_socketlog', 'timeout')
cowrie.core.output.Output.__init__(self)
def __init__(self):
cowrie.core.output.Output.__init__(self)
fn = CONFIG.get('output_jsonlog', 'logfile')
self.epoch_timestamp = CONFIG.getboolean('output_jsonlog', 'epoch_timestamp', fallback=False)
dirs = os.path.dirname(fn)
base = os.path.basename(fn)
self.outfile = cowrie.python.logfile.CowrieDailyLogFile(base, dirs, defaultMode=0o664)
def connectionMade(self):
pt = self.getProtoTransport()
self.realClientIP = pt.transport.getPeer().host
self.realClientPort = pt.transport.getPeer().port
self.logintime = time.time()
log.msg(eventid='cowrie.session.params', arch=self.user.server.arch)
try:
timeout = CONFIG.getint('honeypot', 'interactive_timeout')
except Exception:
timeout = 180
self.setTimeout(timeout)
# Source IP of client in user visible reports (can be fake or real)
try:
self.clientIP = CONFIG.get('honeypot', 'fake_addr')
except Exception:
self.clientIP = self.realClientIP
# Source IP of server in user visible reports (can be fake or real)
if CONFIG.has_option('honeypot', 'internet_facing_ip'):
self.kippoIP = CONFIG.get('honeypot', 'internet_facing_ip')
else:
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(("8.8.8.8", 80))
self.kippoIP = s.getsockname()[0]
except Exception:
self.kippoIP = '192.168.0.1'
finally:
s.close()
def __init__(self, username, server):
avatar.ConchUser.__init__(self)
self.username = username.decode('utf-8')
self.server = server
self.channelLookup[b'session'] = sshsession.HoneyPotSSHSession
try:
pwentry = pwd.Passwd().getpwnam(self.username)
self.temporary = False
except KeyError:
pwentry = pwd.Passwd().setpwentry(self.username)
self.temporary = True
self.uid = pwentry['pw_uid']
self.gid = pwentry['pw_gid']
self.home = pwentry['pw_dir']
# SFTP support enabled only when option is explicitly set
if CONFIG.getboolean('ssh', 'sftp_enabled', fallback=False):
self.subsystemLookup[b'sftp'] = conchfiletransfer.FileTransferServer
# SSH forwarding disabled only when option is explicitly set
if CONFIG.getboolean('ssh', 'forwarding', fallback=True):
self.channelLookup[b'direct-tcpip'] = forwarding.cowrieOpenConnectForwardingClient
def __init__(self):
"""
"""
facilityString = CONFIG.get('output_localsyslog', 'facility')
self.format = CONFIG.get('output_localsyslog', 'format')
self.facility = vars(syslog)['LOG_' + facilityString]
self.syslog = twisted.python.syslog.SyslogObserver(prefix='cowrie', facility=self.facility)
cowrie.core.output.Output.__init__(self)
def start(self):
server = CONFIG.get('output_hpfeeds', 'server')
port = CONFIG.getint('output_hpfeeds', 'port')
ident = CONFIG.get('output_hpfeeds', 'identifier')
secret = CONFIG.get('output_hpfeeds', 'secret')
debug = CONFIG.getboolean('output_hpfeeds', 'debug')
self.client = hpclient(server, port, ident, secret, debug)
self.meta = {}
def __init__(self):
"""
"""
self.host = CONFIG.get('output_elasticsearch', 'host')
self.port = CONFIG.get('output_elasticsearch', 'port')
self.index = CONFIG.get('output_elasticsearch', 'index')
self.type = CONFIG.get('output_elasticsearch', 'type')
self.pipeline = CONFIG.get('output_elasticsearch', 'pipeline')
cowrie.core.output.Output.__init__(self)
def cowrieOpenConnectForwardingClient(remoteWindow, remoteMaxPacket, data, avatar):
"""
This function will redirect an SSH forward request to another address
or will log the request and do nothing
"""
remoteHP, origHP = forwarding.unpackOpen_direct_tcpip(data)
log.msg(eventid='cowrie.direct-tcpip.request',
format='direct-tcp connection request to %(dst_ip)s:%(dst_port)s from %(src_ip)s:%(src_port)s',
dst_ip=remoteHP[0], dst_port=remoteHP[1],
src_ip=origHP[0], src_port=origHP[1])
# Forward redirect
redirectEnabled = CONFIG.getboolean('ssh', 'forward_redirect', fallback=False)
if redirectEnabled:
redirects = {}
items = CONFIG.items('ssh')
for i in items:
if i[0].startswith('forward_redirect_'):
destPort = i[0].split('_')[-1]
redirectHP = i[1].split(':')
redirects[int(destPort)] = (redirectHP[0], int(redirectHP[1]))
if remoteHP[1] in redirects:
remoteHPNew = redirects[remoteHP[1]]
log.msg(eventid='cowrie.direct-tcpip.redirect',
format='redirected direct-tcp connection request from %(src_ip)s:%(src_port)' +
'd to %(dst_ip)s:%(dst_port)d to %(new_ip)s:%(new_port)d',
new_ip=remoteHPNew[0], new_port=remoteHPNew[1],
dst_ip=remoteHP[0], dst_port=remoteHP[1],
src_ip=origHP[0], src_port=origHP[1])
return SSHConnectForwardingChannel(remoteHPNew, remoteWindow=remoteWindow, remoteMaxPacket=remoteMaxPacket)
# TCP tunnel
tunnelEnabled = CONFIG.getboolean('ssh', 'forward_tunnel', fallback=False)
if tunnelEnabled:
tunnels = {}
items = CONFIG.items('ssh')
for i in items:
if i[0].startswith('forward_tunnel_'):
destPort = i[0].split('_')[-1]
tunnelHP = i[1].split(':')
tunnels[int(destPort)] = (tunnelHP[0], int(tunnelHP[1]))
if remoteHP[1] in tunnels:
remoteHPNew = tunnels[remoteHP[1]]
log.msg(eventid='cowrie.direct-tcpip.tunnel',
format='tunneled direct-tcp connection request %(src_ip)s:%(src_port)' +
'd->%(dst_ip)s:%(dst_port)d to %(new_ip)s:%(new_port)d',
new_ip=remoteHPNew[0], new_port=remoteHPNew[1],
dst_ip=remoteHP[0], dst_port=remoteHP[1],
src_ip=origHP[0], src_port=origHP[1])
return TCPTunnelForwardingChannel(remoteHPNew,
remoteHP,
remoteWindow=remoteWindow,
remoteMaxPacket=remoteMaxPacket)
return FakeForwardingChannel(remoteHP, remoteWindow=remoteWindow, remoteMaxPacket=remoteMaxPacket)
def start(self):
server = CONFIG.get('output_xmpp', 'server')
user = CONFIG.get('output_xmpp', 'user')
password = CONFIG.get('output_xmpp', 'password')
muc = CONFIG.get('output_xmpp', 'muc')
resource = ''.join([choice(string.ascii_letters)
for i in range(8)])
jid = user + '/' + resource
application = service.Application('honeypot')
self.run(application, jid, password, JID(None, [muc, server, None]), server)
def __init__(self):
"""
Initializing the class
"""
self.index = CONFIG.get('output_splunklegacy', 'index')
self.username = CONFIG.get('output_splunklegacy', 'username')
self.password = CONFIG.get('output_splunklegacy', 'password', raw=True)
self.host = CONFIG.get('output_splunklegacy', 'host')
self.port = CONFIG.getint('output_splunklegacy', 'port')
cowrie.core.output.Output.__init__(self)
def __init__(self, *args, **kw):
"""
Initialize logging
"""
self.ttylogPath = CONFIG.get('honeypot', 'log_path')
self.downloadPath = CONFIG.get('honeypot', 'download_path')
self.ttylogEnabled = CONFIG.getboolean('honeypot', 'ttylog', fallback=True)
self.bytesReceivedLimit = CONFIG.getint('honeypot', 'download_limit_size', fallback=0)
channel.SSHChannel.__init__(self, *args, **kw)
def __init__(self):
self.auth_key = CONFIG.get('output_dshield', 'auth_key')
self.userid = CONFIG.get('output_dshield', 'userid')
self.batch_size = CONFIG.getint('output_dshield', 'batch_size')
try:
self.debug = CONFIG.getboolean('output_dshield', 'debug')
except:
self.debug = False
cowrie.core.output.Output.__init__(self)
def __init__(self, realm):
self.hostname = CONFIG.get('honeypot', 'hostname')
try:
self.arch = random.choice(CONFIG.get('shell', 'arch').split(','))
# TODO trim whitespace
except NoOptionError:
self.arch = 'linux-x64-lsb'
log.msg("Initialized emulated server as architecture: {}".format(self.arch))
def __init__(self, realm):
self.hostname = CONFIG.get('honeypot', 'hostname')
try:
arches = [arch.strip() for arch in CONFIG.get('shell', 'arch').split(',')]
self.arch = random.choice(arches)
except NoOptionError:
self.arch = 'linux-x64-lsb'
log.msg("Initialized emulated server as architecture: {}".format(self.arch))
def __init__(self):
self.user = CONFIG.get('output_csirtg', 'username') or USERNAME
self.feed = CONFIG.get('output_csirtg', 'feed') or FEED
self.token = CONFIG.get('output_csirtg', 'token') or TOKEN
try:
self.description = CONFIG.get('output_csirtg', 'description')
except Exception:
self.description = DESCRIPTION
self.context = {}
self.client = Client(token=self.token)
cowrie.core.output.Output.__init__(self)
def run(self, application, jidstr, password, muc, server):
self.xmppclient = XMPPClient(JID(jidstr), password)
if CONFIG.has_option('output_xmpp', 'debug') and \
CONFIG.getboolean('output_xmpp', 'debug') is True:
self.xmppclient.logTraffic = True # DEBUG HERE
(user, host, resource) = jid.parse(jidstr)
self.muc = XMPPLoggerProtocol(
muc, server, user + '-' + resource)
self.muc.setHandlerParent(self.xmppclient)
self.xmppclient.setServiceParent(application)
self.anonymous = True
self.xmppclient.startService()
def makeTftpRetrieval(self):
"""
"""
progresshook = Progress(self).progresshook
if CONFIG.has_option('honeypot', 'download_limit_size'):
self.limit_size = CONFIG.getint('honeypot', 'download_limit_size')
self.artifactFile = Artifact(self.file_to_get)
tclient = None
url = ''
try:
tclient = tftpy.TftpClient(self.hostname, int(self.port))
# tftpy can't handle unicode string as filename
# so we have to convert unicode type to str type
tclient.download(str(self.file_to_get), self.artifactFile, progresshook)
url = 'tftp://%s/%s' % (self.hostname, self.file_to_get.strip('/'))
self.file_to_get = self.fs.resolve_path(self.file_to_get, self.protocol.cwd)
if hasattr(tclient.context, 'metrics'):
self.fs.mkfile(self.file_to_get, 0, 0, tclient.context.metrics.bytes, 33188)
else:
self.fs.mkfile(self.file_to_get, 0, 0, 0, 33188)
except tftpy.TftpException:
if tclient and tclient.context and not tclient.context.fileobj.closed:
tclient.context.fileobj.close()
if url:
# log to cowrie.log
log.msg(format='Downloaded URL (%(url)s) with SHA-256 %(shasum)s to %(outfile)s',
url=url,
outfile=self.artifactFile.shasumFilename,
shasum=self.artifactFile.shasum)
self.protocol.logDispatch(eventid='cowrie.session.file_download',
format='Downloaded URL (%(url)s) with SHA-256 %(shasum)s to %(outfile)s',
url=url,
outfile=self.artifactFile.shasumFilename,
shasum=self.artifactFile.shasum,
destfile=self.file_to_get)
# Update the honeyfs to point to downloaded file
self.fs.update_realfile(self.fs.getfile(self.file_to_get), self.artifactFile.shasumFilename)
self.fs.chown(self.file_to_get, self.protocol.user.uid, self.protocol.user.gid)
def __init__(self, sftpserver, filename, flags, attrs):
self.sftpserver = sftpserver
self.filename = filename
self.transfer_completed = 0
self.bytesReceived = 0
self.bytesReceivedLimit = CONFIG.getint('honeypot', 'download_limit_size', fallback=0)
openFlags = 0
if flags & FXF_READ == FXF_READ and flags & FXF_WRITE == 0:
openFlags = os.O_RDONLY
if flags & FXF_WRITE == FXF_WRITE and flags & FXF_READ == 0:
openFlags = os.O_WRONLY
if flags & FXF_WRITE == FXF_WRITE and flags & FXF_READ == FXF_READ:
openFlags = os.O_RDWR
if flags & FXF_APPEND == FXF_APPEND:
openFlags |= os.O_APPEND
if flags & FXF_CREAT == FXF_CREAT:
openFlags |= os.O_CREAT
if flags & FXF_TRUNC == FXF_TRUNC:
openFlags |= os.O_TRUNC
if flags & FXF_EXCL == FXF_EXCL:
openFlags |= os.O_EXCL
if "permissions" in attrs:
filemode = attrs["permissions"]
del attrs["permissions"]
else:
filemode = 0o777
fd = sftpserver.fs.open(filename, openFlags, filemode)
if attrs:
self.sftpserver.setAttrs(filename, attrs)
self.fd = fd
# Cache a copy of file in memory to read from in readChunk
if flags & FXF_READ == FXF_READ:
self.contents = self.sftpserver.fs.file_contents(self.filename)
def getCommand(self, cmd, paths):
if not len(cmd.strip()):
return None
path = None
if cmd in self.commands:
return self.commands[cmd]
if cmd[0] in ('.', '/'):
path = self.fs.resolve_path(cmd, self.cwd)
if not self.fs.exists(path):
return None
else:
for i in [
'%s/%s' % (self.fs.resolve_path(x, self.cwd), cmd)
for x in paths
]:
if self.fs.exists(i):
path = i
break
txt = os.path.normpath('{}/txtcmds/{}'.format(CONFIG.get('honeypot', 'share_path'), path))
if os.path.exists(txt) and os.path.isfile(txt):
return self.txtcmd(txt)
if path in self.commands:
return self.commands[path]
log.msg("Can't find command {}".format(path))
return None
def connectionMade(self):
"""
Called when the connection is made from the other side.
We send our version, but wait with sending KEXINIT
"""
self.transportId = uuid.uuid4().hex[:12]
src_ip = self.transport.getPeer().host
ipv4_search = self.ipv4rex.search(src_ip)
if ipv4_search is not None:
src_ip = ipv4_search.group(1)
log.msg(
eventid='cowrie.session.connect',
format="New connection: %(src_ip)s:%(src_port)s (%(dst_ip)s:%(dst_port)s) [session: %(session)s]",
src_ip=src_ip,
src_port=self.transport.getPeer().port,
dst_ip=self.transport.getHost().host,
dst_port=self.transport.getHost().port,
session=self.transportId,
sessionno='S{0}'.format(self.transport.sessionno),
protocol='ssh'
)
self.transport.write('{0}\r\n'.format(self.ourVersionString).encode('ascii'))
self.currentEncryptions = transport.SSHCiphers(b'none', b'none', b'none', b'none')
self.currentEncryptions.setKeys(b'', b'', b'', b'', b'', b'')
self.startTime = time.time()
self.setTimeout(CONFIG.getint('honeypot', 'authentication_timeout', fallback=120))
def operating_system():
"""
"""
try:
return CONFIG.get('shell', 'operating_system')
except NoOptionError:
return 'GNU/Linux'
def kernel_build_string():
"""
"""
try:
return CONFIG.get('shell', 'kernel_build_string')
except NoOptionError:
return '#1 SMP Debian 3.2.68-1+deb7u1'
def kernel_name():
"""
"""
try:
return CONFIG.get('shell', 'kernel_name')
except NoOptionError:
return 'Linux'
def kernel_version():
"""
"""
try:
return CONFIG.get('shell', 'kernel_version')
except NoOptionError:
return '3.2.0-4-amd64'
def __init__(self):
self.slack_channel = CONFIG.get('output_slack', 'channel')
self.slack_token = CONFIG.get('output_slack', 'token')
cowrie.core.output.Output.__init__(self)
def __init__(self):
self.url_base = CONFIG.get('output_cuckoo', 'url_base').encode('utf-8')
self.api_user = CONFIG.get('output_cuckoo', 'user')
self.api_passwd = CONFIG.get('output_cuckoo', 'passwd', raw=True)
self.cuckoo_force = int(CONFIG.getboolean('output_cuckoo', 'force'))
cowrie.core.output.Output.__init__(self)
class CowrieSSHChannel(channel.SSHChannel):
"""
This is an SSH channel with built-in logging
"""
ttylogEnabled = True
ttylogFile = ""
bytesReceived = 0
bytesReceivedLimit = 0
bytesWritten = 0
name = b'cowrie-ssh-channel'
startTime = None
ttylogPath = CONFIG.get('honeypot', 'log_path')
downloadPath = CONFIG.get('honeypot', 'download_path')
ttylogEnabled = CONFIG.getboolean('honeypot', 'ttylog', fallback=True)
bytesReceivedLimit = CONFIG.getint('honeypot',
'download_limit_size',
fallback=0)
def __repr__(self):
"""
Return a pretty representation of this object.
@return Pretty representation of this object as a string
@rtype: L{str}
"""
return "Cowrie SSH Channel {}".format(self.name)
def __init__(self, *args, **kw):
"""
Initialize logging
"""
channel.SSHChannel.__init__(self, *args, **kw)
def channelOpen(self, specificData):
self.startTime = time.time()
self.ttylogFile = '%s/tty/%s-%s-%s.log' % (
self.ttylogPath, time.strftime('%Y%m%d-%H%M%S'),
self.conn.transport.transportId, self.id)
log.msg(eventid='cowrie.log.open',
ttylog=self.ttylogFile,
format="Opening TTY Log: %(ttylog)s")
ttylog.ttylog_open(self.ttylogFile, time.time())
channel.SSHChannel.channelOpen(self, specificData)
def closed(self):
log.msg(
eventid='cowrie.log.closed',
format="Closing TTY Log: %(ttylog)s after %(duration)d seconds",
ttylog=self.ttylogFile,
size=self.bytesReceived + self.bytesWritten,
duration=time.time() - self.startTime)
ttylog.ttylog_close(self.ttylogFile, time.time())
channel.SSHChannel.closed(self)
def dataReceived(self, data):
"""
Called when we receive data from the user
@type data: L{bytes}
@param data: Data sent to the server from the client
"""
self.bytesReceived += len(data)
if self.bytesReceivedLimit and self.bytesReceived > self.bytesReceivedLimit:
log.msg("Data upload limit reached for channel {}".format(self.id))
self.eofReceived()
return
if self.ttylogEnabled:
ttylog.ttylog_write(self.ttylogFile, len(data), ttylog.TYPE_INPUT,
time.time(), data)
channel.SSHChannel.dataReceived(self, data)
def write(self, data):
"""
Called when we send data to the user
@type data: L{bytes}
@param data: Data sent to the client from the server
"""
if self.ttylogEnabled:
ttylog.ttylog_write(self.ttylogFile, len(data), ttylog.TYPE_OUTPUT,
time.time(), data)
self.bytesWritten += len(data)
channel.SSHChannel.write(self, data)
def start(self):
try:
optlist, args = getopt.getopt(self.args, 'cqO:P:', 'header=')
except getopt.GetoptError as err:
self.errorWrite('Unrecognized option\n')
self.exit()
return
if len(args):
url = args[0].strip()
else:
self.errorWrite('wget: missing URL\n')
self.errorWrite('Usage: wget [OPTION]... [URL]...\n\n')
self.errorWrite('Try `wget --help\' for more options.\n')
self.exit()
return
outfile = None
self.quiet = False
for opt in optlist:
if opt[0] == '-O':
outfile = opt[1]
if opt[0] == '-q':
self.quiet = True
# for some reason getopt doesn't recognize "-O -"
# use try..except for the case if passed command is malformed
try:
if not outfile:
if '-O' in args:
outfile = args[args.index('-O') + 1]
except:
pass
if '://' not in url:
url = 'http://%s' % url
urldata = compat.urllib_parse.urlparse(url)
url = url.encode('utf8')
if outfile is None:
outfile = urldata.path.split('/')[-1]
if not len(outfile.strip()) or not urldata.path.count('/'):
outfile = 'index.html'
if outfile != '-':
outfile = self.fs.resolve_path(outfile, self.protocol.cwd)
path = os.path.dirname(outfile)
if not path or not self.fs.exists(path) or not self.fs.isdir(path):
self.errorWrite(
'wget: %s: Cannot open: No such file or directory\n' %
outfile)
self.exit()
return
self.url = url
self.limit_size = 0
if CONFIG.has_option('honeypot', 'download_limit_size'):
self.limit_size = CONFIG.getint('honeypot', 'download_limit_size')
self.downloadPath = CONFIG.get('honeypot', 'download_path')
self.artifactFile = Artifact(outfile)
# HTTPDownloader will close() the file object so need to preserve the name
d = self.download(url, outfile, self.artifactFile)
if d:
d.addCallback(self.success, outfile)
d.addErrback(self.error, url)
else:
self.exit()
def start(self):
"""
"""
try:
host = CONFIG.get('output_influx', 'host')
except:
host = ''
try:
port = CONFIG.getint('output_influx', 'port')
except:
port = 8086
self.client = None
try:
self.client = InfluxDBClient(host=host, port=port)
except InfluxDBClientError as e:
log.err("output_influx: I/O error({0}): '{1}'".format(
e.errno, e.strerror))
return
if self.client is None:
log.err("output_influx: cannot instantiate client!")
return
if (CONFIG.has_option('output_influx', 'username')
and CONFIG.has_option('output_influx', 'password')):
username = CONFIG.get('output_influx', 'username')
password = CONFIG.get('output_influx', 'password')
self.client.switch_user(username, password)
try:
dbname = CONFIG.get('output_influx', 'database_name')
except:
dbname = 'cowrie'
retention_policy_duration_default = '12w'
retention_policy_name = dbname + "_retention_policy"
if CONFIG.has_option('output_influx', 'retention_policy_duration'):
retention_policy_duration = CONFIG.get(
'output_influx', 'retention_policy_duration')
match = re.search('^\d+[dhmw]{1}$', retention_policy_duration)
if not match:
log.err(
("output_influx: invalid retention policy."
"Using default '{}'..").format(retention_policy_duration))
retention_policy_duration = retention_policy_duration_default
else:
retention_policy_duration = retention_policy_duration_default
database_list = self.client.get_list_database()
dblist = [str(elem['name']) for elem in database_list]
if dbname not in dblist:
self.client.create_database(dbname)
self.client.create_retention_policy(retention_policy_name,
retention_policy_duration,
1,
database=dbname,
default=True)
else:
retention_policies_list = self.client.get_list_retention_policies(
database=dbname)
rplist = [str(elem['name']) for elem in retention_policies_list]
if retention_policy_name not in rplist:
self.client.create_retention_policy(retention_policy_name,
retention_policy_duration,
1,
database=dbname,
default=True)
else:
self.client.alter_retention_policy(
retention_policy_name,
database=dbname,
duration=retention_policy_duration,
replication=1,
default=True)
self.client.switch_database(dbname)
except:
import pickle
import os
import time
import fnmatch
import hashlib
import re
import stat
import errno
from twisted.python import log
from cowrie.core.config import CONFIG
PICKLE = pickle.load(open(CONFIG.get('shell', 'filesystem'), 'rb'))
A_NAME, \
A_TYPE, \
A_UID, \
A_GID, \
A_SIZE, \
A_MODE, \
A_CTIME, \
A_CONTENTS, \
A_TARGET, \
A_REALFILE = list(range(0, 10))
T_LINK, \
T_DIR, \
T_FILE, \
T_BLK, \
def makeService(self, options):
"""
Construct a TCPServer from a factory defined in Cowrie.
"""
if options["help"] is True:
print("""Usage: twistd [options] cowrie [-h]
Options:
-h, --help print this help message.
Makes a Cowrie SSH/Telnet honeypot.
""")
sys.exit(1)
if os.name == 'posix' and os.getuid() == 0:
print('ERROR: You must not run cowrie as root!')
sys.exit(1)
log.msg("Python Version {}".format(str(sys.version).replace('\n', '')))
log.msg("Twisted Version {}.{}.{}".format(__version__.major, __version__.minor, __version__.micro))
# ssh is enabled by default
try:
enableSSH = CONFIG.getboolean('ssh', 'enabled')
except (configparser.NoSectionError, configparser.NoOptionError):
enableSSH = True
# telnet is disabled by default
try:
enableTelnet = CONFIG.getboolean('telnet', 'enabled')
except (configparser.NoSectionError, configparser.NoOptionError):
enableTelnet = False
if enableTelnet is False and enableSSH is False:
print('ERROR: You must at least enable SSH or Telnet')
sys.exit(1)
# Load db loggers
self.dbloggers = []
for x in CONFIG.sections():
if not x.startswith('database_'):
continue
engine = x.split('_')[1]
try:
dblogger = __import__('cowrie.dblog.{}'.format(engine),
globals(), locals(), ['dblog']).DBLogger()
log.addObserver(dblogger.emit)
self.dbloggers.append(dblogger)
log.msg("Loaded dblog engine: {}".format(engine))
except:
log.err()
log.msg("Failed to load dblog engine: {}".format(engine))
# Load output modules
self.output_plugins = []
for x in CONFIG.sections():
if not x.startswith('output_'):
continue
if CONFIG.getboolean(x, 'enabled') is False:
continue
engine = x.split('_')[1]
try:
output = __import__('cowrie.output.{}'.format(engine),
globals(), locals(), ['output']).Output()
log.addObserver(output.emit)
self.output_plugins.append(output)
log.msg("Loaded output engine: {}".format(engine))
except ImportError as e:
log.err("Failed to load output engine: {} due to ImportError: {}".format(engine, e))
log.msg("Please install the dependencies for {} listed in requirements-output.txt".format(engine))
except Exception:
log.err()
log.msg("Failed to load output engine: {}".format(engine))
topService = service.MultiService()
application = service.Application('cowrie')
topService.setServiceParent(application)
if enableSSH:
factory = cowrie.ssh.factory.CowrieSSHFactory()
factory.tac = self
factory.portal = portal.Portal(core.realm.HoneyPotRealm())
factory.portal.registerChecker(
core.checkers.HoneypotPublicKeyChecker())
factory.portal.registerChecker(
core.checkers.HoneypotPasswordChecker())
if CONFIG.has_option('honeypot', 'auth_none_enabled') and \
CONFIG.getboolean('honeypot', 'auth_none_enabled') is True:
factory.portal.registerChecker(
core.checkers.HoneypotNoneChecker())
if CONFIG.has_section('ssh'):
listen_endpoints = get_endpoints_from_section(CONFIG, 'ssh', 2222)
else:
listen_endpoints = get_endpoints_from_section(CONFIG, 'honeypot', 2222)
create_endpoint_services(reactor, topService, listen_endpoints, factory)
if enableTelnet:
f = cowrie.telnet.transport.HoneyPotTelnetFactory()
f.tac = self
f.portal = portal.Portal(core.realm.HoneyPotRealm())
f.portal.registerChecker(core.checkers.HoneypotPasswordChecker())
listen_endpoints = get_endpoints_from_section(CONFIG, 'telnet', 2223)
create_endpoint_services(reactor, topService, listen_endpoints, f)
return topService
def __init__(self):
self.userdb = []
self.userdb_file = '%s/userdb.txt' % CONFIG.get('honeypot', 'data_path')
self.load()
