def test_automated_extension(self): """Objective: Test if the dork database extends on new requests to the honeypot. Input: A test request with URL: http://localhost:8080/test.php?c=test Expected Results: An entry in the 'inurl' db table containing '/test.php'. Notes: The test adds the '/test.php' entry to the database.""" attack_event = attack.AttackEvent() attack_event.matched_pattern = "internal_test" attack_event.parsed_request = util.HTTPRequest() attack_event.parsed_request.url = "/thiswillNeVeRHaPPend.php?c=test" print "Attack event prepared." pages_dir = tempfile.mkdtemp() try: (db, engine, dork_generator) = self.dork_generator_chain('sql', pages_dir) dork_generator.regular_generate_dork(0) dork_generator.collect_dork(attack_event) print "Done collecting the path from the event and writing to the database." sql = "SELECT * FROM inurl WHERE content = :x" result = engine.connect().execute(sql, x='/thiswillNeVeRHaPPend.php').fetchall() print "Done fetching the entries matching the request URL" self.assertTrue(len(result) > 0) print "Number of entries in the database matching our URL:", print len(result), print "which equates our expectation." finally: if os.path.isdir(pages_dir): shutil.rmtree(pages_dir)
def test_unknown_emulator(self): """Objective: Emulator testing for non-malicious requests. Input: http://localhost:8080/ Expected Result: One of the generated attack surfaces. Notes:""" tmp_file = os.path.join(self.data_dir, 'dork_pages', format(str(uuid.uuid4()))) with open(tmp_file, 'w+') as f: f.write("tmpfile") print "Starting 'unknown' request emulation module" event = attack.AttackEvent() event.http_request = HTTPHandler('', None) event.matched_pattern = "unknown" event.http_request.path = "/" event.source_addr = ("127.0.0.1", "8080") request_handler = RequestHandler(self.data_dir) emulator = request_handler.get_handler(event.matched_pattern) print "Sending request:", "http://localhost:8080/" emulator.handle(event) remote_hash = hashlib.md5( event.http_request.get_response_body()).hexdigest() local_hash = hashlib.md5(emulator.template).hexdigest() print "Hash of the local 'response' file:", local_hash self.assertEqual(remote_hash, local_hash) print "Return value:", remote_hash print "matched a generated attack surface item."
def test_hpfeeds_event_with_file(self): """Objective: Testing if a event containing a file can be transmitted using hpfriends.""" config_file = tempfile.mkstemp()[1] with open(config_file, 'w') as f: f.writelines(helpers.gen_config('')) #create dummy file file_name = 'dummy_file' with open(os.path.join(self.files_dir, file_name), 'w') as f: f.write('test_test_test_test_test') logger = HPFeedsLogger(self.tmpdir, config=config_file, reconnect=False) event = attack.AttackEvent() event.http_request = HTTPHandler('', None) event.raw_request = "GET /honeypot_test HTTP/1.1\r\nHost: honeypot\r\n\r\n" event.file_name = file_name logger.insert(event) gevent.sleep(2) # if None we did not connect self.assertIsNotNone(logger.hpc.wait) error_message = logger.hpc.wait(2) self.assertIsNone(error_message)
def setUp(self): self.event = attack.AttackEvent() self.event.parsed_request = util.HTTPRequest() self.event.parsed_request.url = "/test.php" self.event.parsed_request.parameters_dict = { "q": "SELECT A FROM B", } self.data_dir = tempfile.mkdtemp()
def setUp(self): self.event = attack.AttackEvent() self.event.parsed_request = util.HTTPRequest() self.work_dir = tempfile.mkdtemp() self.data_dir = os.path.join(self.work_dir, 'data/') package_directory = os.path.dirname( os.path.abspath(inspect.getfile(RequestHandler))) #original data as stored with new glatopf installations self.original_data_dir = os.path.join(package_directory, 'emulators/data/') #copy the data to a isolated data directory shutil.copytree(self.original_data_dir, self.data_dir)
def test_phpcgi_source_code_disclosure_emulator(self): """Objective: Emulator testing for PHP CGI source code disclosure CVE-2012-1823 Input: http://localhost:8080/index.php?-s Expected Result: Source code disclosure Notes:""" event = attack.AttackEvent() event.http_request = HTTPHandler('GET /index.php?-s HTTP/1.0', None) event.matched_pattern = "php_cgi_rce" request_handler = RequestHandler(self.data_dir) emulator = request_handler.get_handler(event.matched_pattern) emulator.handle(event) self.assertEquals(event.http_request.get_response(), """<code><span style="color: #000000"> <span style="color: #0000BB"><?php<br />page </span><span style="color: #007700">= </span><span style="color: #0000BB">$_GET</span><span style="color: #007700">[</span><span style="color: #DD0000">'page'</span><span style="color: #007700">];<br />include(</span><span style="color: #0000BB">page</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">?><br /></span> </span>""")
def test_mongodb_insert(self): conn_string = helpers.create_mongo_database(fill=False) db_name = uri_parser.parse_uri(conn_string)['database'] try: maindb = log_mongodb.Database(conn_string) #prepare attack event attack_event = attack.AttackEvent() attack_event.event_time = self.event_time = datetime.now( ).strftime("%Y-%m-%d %H:%M:%S") attack_event.matched_pattern = "test_test" attack_event.source_addr = ("192.168.1.201", 12345) attack_event.parsed_request = util.HTTPRequest() attack_event.parsed_request.url = "/breadandbytter.php?a=b" attack_event.parsed_request.method = "GET" attack_event.parsed_request.header = { 'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.3', 'Connection': 'keep-alive' } attack_event.parsed_request.body = "some stuff" maindb.insert(attack_event) with warnings.catch_warnings(record=True): collection = MongoClient(conn_string)[db_name]['events'] results = list(collection.find()) #Check if database returned the correct amount self.assertEqual(len(list(results)), 1) entry = results[0] self.assertEqual(entry["pattern"], "test_test") self.assertEqual(entry["request"]["body"], "some stuff") self.assertEqual(entry["request"]["parameters"], "") self.assertEqual(entry["request"]["url"], "/breadandbytter.php?a=b") self.assertEqual(entry["request"]["header"]['Accept-Charset'], "ISO-8859-1,utf-8;q=0.7,*;q=0.3") self.assertEqual(entry["request"]["header"]['Connection'], "keep-alive") self.assertEqual(entry["request"]["method"], "GET") self.assertEqual(entry["source"][0], "192.168.1.201") self.assertEqual(entry["source"][1], 12345) finally: helpers.delete_mongo_testdata(conn_string)
def test_phpinfo_emulator(self): """Objective: Emulator testing for phpinfo.php requests Input: http://localhost/phpinfo.php Expected Result: Result of the phpinfo() function Notes:""" event = attack.AttackEvent() event.http_request = HTTPHandler('GET /info.php?param1 HTTP/1.0', None) event.matched_pattern = "phpinfo" #self.event.http_request.method = 'GET' #self.event.http_request.url = "/info.php?param1" event.matched_pattern = "phpinfo" request_handler = RequestHandler(self.data_dir) emulator = request_handler.get_handler(event.matched_pattern) emulator.handle(event) self.assertTrue("PHP Version " in event.http_request.get_response()) self.assertTrue("Zend Extension" in event.http_request.get_response())
def test_put_method(self): """Objective: Test handling of a PUT requests Input: curl -XPUT http://localhost/ Expected Result: request verb is PUT, matcher pattern is put Notes:""" event = attack.AttackEvent() event.http_request = HTTPHandler('PUT / HTTP/1.0', None) self.assertTrue(event.http_request.request_verb == "PUT") method_handlers = method_handler.HTTPMethods(self.data_dir) event.matched_pattern = getattr( method_handlers, event.http_request.command, method_handlers.GET)(event.http_request) self.assertTrue(event.matched_pattern == 'put') request_handler = RequestHandler(self.data_dir) emulator = request_handler.get_handler(event.matched_pattern) emulator.handle(event) self.assertTrue('Created' in event.http_request.get_response())
def test_phpcgi_rce_emulator(self): """Objective: Emulator testing for PHP CGI remote code execution CVE-2012-1823 Input: http://localhost/-d+allow_url_include=on+-d+safe_mode=off+-d+open_basedir=off-d+auto_prepend_file=php://input POST: <?php echo("rce attempt"); ?> Expected Result: Remote command execution of a echo command Notes:""" GlastopfHoneypot.prepare_sandbox(self.work_dir) os.mkdir(os.path.join(self.data_dir, 'files/')) request = "POST /index.php?-d+allow_url_include=on+-d+safe_mode=off+-d+open_basedir=off-d+auto_prepend_file=php://input HTTP/1.0\r\n\r\n" \ '<?php echo "testing"; ?>' event = attack.AttackEvent() event.http_request = HTTPHandler(request, None) event.matched_pattern = "php_cgi_rce" request_handler = RequestHandler(self.data_dir) emulator = request_handler.get_handler(event.matched_pattern) emulator.handle(event) print "Return value:", event.http_request.get_response() self.assertTrue("""testing""" == event.http_request.get_response())
def test_hpfeeds_event(self): """Objective: Testing if a basic event can be transmitted using hpfriends.""" config_file = tempfile.mkstemp()[1] with open(config_file, 'w') as f: f.writelines(helpers.gen_config('')) logger = HPFeedsLogger(self.tmpdir, os.getcwd(), config=config_file, reconnect=False) event = attack.AttackEvent() event.http_request = HTTPHandler('', None) event.raw_request = "GET /honeypot_test HTTP/1.1\r\nHost: honeypot\r\n\r\n" logger.insert(event) gevent.sleep(2) # if None we did not connect self.assertIsNotNone(logger.hpc.wait) error_message = logger.hpc.wait(2) self.assertIsNone(error_message)
def test_dummy_emulator(self): """Objective: Tests the dummy emulator added to prove extensibility. Input: http://localhost:8080/ Expected Results: Returns a short message for verification. Notes: The dummy emulator fulfills minimal emulator requirements.""" print "Starting Dummy emulator module test" event = attack.AttackEvent() event.http_request = HTTPHandler('', None) event.matched_pattern = "dummy" print "Loading module" request_handler = RequestHandler(self.data_dir) emulator = request_handler.get_handler(event.matched_pattern) print "Trying to handle an event with the dummy module" emulator.handle(event) self.assertEqual(event.http_request.get_response_body(), "dummy response") print "Return value: '" + event.http_request.get_response_body() + "'", print "equates our expectation."
def test_sqla_insert(self): #in-memory sqlite database sqla_engine = create_engine("sqlite:///") maindb = log_sql.Database(sqla_engine) #prepare attack event attack_event = attack.AttackEvent() attack_event.event_time = self.event_time = datetime.now().strftime( "%Y-%m-%d %H:%M:%S") attack_event.matched_pattern = "test_test" attack_event.source_addr = ("192.168.1.201", 12345) attack_event.parsed_request = util.HTTPRequest() attack_event.parsed_request.url = "/breadandbytter.php?a=b" attack_event.parsed_request.method = "GET" attack_event.parsed_request.header = { 'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.3', 'Connection': 'keep-alive' } attack_event.parsed_request.body = "some stuff" #insert attack event maindb.insert(attack_event) #try to extract event from the database sql = "SELECT * FROM events" results = sqla_engine.connect().execute(sql).fetchall() #Check if database returned the correct amount self.assertEqual(len(list(results)), 1) entry = results[0] #check basic attributes #source self.assertEqual(entry[2], "192.168.1.201:12345") #method self.assertEqual(entry[3], "GET") #request_url self.assertEqual(entry[4], "/breadandbytter.php?a=b") #resuest_header self.assertEqual( entry[7], '{"Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.3", "Connection": "keep-alive"}' ) #request_body self.assertEqual(entry[8], "some stuff") #pattern self.assertEqual(entry[9], "test_test")
def test_rfi_emulator_with_malformed_uri(self): # TODO: Handle return value from sandbox """Objective: Remote File Injection test with malformed uri Input: http://localhost:8080/test.php?p="http://google.com/index.html Expected Result: The return value from the PHP sandbox. Notes: Injected file contains <?php echo("test successful"); ?>""" GlastopfHoneypot.prepare_sandbox(self.work_dir) print "Starting remote file inclusion test" event = attack.AttackEvent() event.http_request = HTTPHandler('GET /test.php?p=http://1durch0.de/test_file.txt HTTP/1.0', None) event.matched_pattern = "rfi" helpers.create_sandbox(self.data_dir) request_handler = RequestHandler(self.data_dir) emulator = request_handler.get_handler(event.matched_pattern) print "Sending request:", "http://localhost:8080" + event.http_request.path emulator.handle(event) self.assertEqual(event.http_request.get_response(), "test successful") print "Return value 'test successful', matching our expectation."
def test_lfi_emulator(self): """Objective: Local File Inclusion module testing. Input: http://localhost:8080/test.php?p=../../../../../etc/passwd Expected Result: The passwd file from the virtual file system. Notes:""" print "Starting local file inclusion test" event = attack.AttackEvent() event.matched_pattern = "lfi" event.http_request = HTTPHandler('', None) event.http_request.request_path = "/test.php?p=../../../../../etc/passwd" print "Sending request:", "http://localhost:8080" + event.http_request.path print "Loading the emulator and handling the request." request_handler = RequestHandler(self.data_dir) emulator = request_handler.get_handler(event.matched_pattern) emulator.handle(event) #TODO: Check it contains user names... response = event.http_request.get_response() self.assertIn('root:x:0:0:root:/root:/bin/bash', response) self.assertIn('daemon:x:1:1:daemon:/usr/sbin:/bin/sh', response)
def test_rfi_emulator_with_malformed_uri(self): # TODO: Handle return value from sandbox """Objective: Remote File Injection test with malformed uri Input: http://localhost:8080/test.php?p="http://google.com/index.html Expected Result: The return value from the PHP sandbox. Notes: Injected file contains <?php echo("test successful"); ?>""" GlastopfHoneypot.prepare_sandbox(self.work_dir) print "Starting remote file inclusion test" event = attack.AttackEvent() url = "https://gist.githubusercontent.com/glaslos/02c4c4be39fb03b3bbee5c862cd304c6/raw/adf146469e8eeee4498874164ecd80c70ffb4e7a/test_file.txt" event.http_request = HTTPHandler( 'GET /test.php?p={} HTTP/1.0'.format(url), None) event.matched_pattern = "rfi" helpers.create_sandbox(self.data_dir) request_handler = RequestHandler(self.data_dir) emulator = request_handler.get_handler(event.matched_pattern) print "Sending request:", "http://localhost:8080" + event.http_request.path emulator.handle(event) self.assertEqual(event.http_request.get_response(), "test successful") print "Return value 'test successful', matching our expectation."
def test_pma_emulator(self): """Objective: Testing an emulator for PHPMyAdmin specific attacks. Input: http://localhost:8080/phpmyadmin Expected Result: The PHPMyAdmin set-up page. Notes: This module is for a specific attack against PHPMyAdmin""" with open(os.path.join(self.data_dir, 'phpmyadmin/script_setup.php'), 'r') as setup_php: page = setup_php.read() local_hash = hashlib.md5(page).hexdigest() print "Hash of the local 'script' file:", local_hash event = attack.AttackEvent() event.matched_pattern = "phpmyadmin" event.http_request = HTTPHandler('', None) request_handler = RequestHandler(self.data_dir) emulator = request_handler.get_handler(event.matched_pattern) print "Sending request:", "http://localhost:8080/phpmyadmin/setup.php" emulator.handle(event) remote_hash = hashlib.md5(emulator.page).hexdigest() self.assertEqual(remote_hash, local_hash) print "Return value:", remote_hash print "matched the hash of the local file."
def test_robots_emulator(self): """Objective: Test the robots.txt emulator. Input: http://localhost:8080/robots.txt Expected Response: The robots.txt page. Notes: The robots.txt is provided by the honeypot""" print "Starting robot.txt request handling module" with open(os.path.join(self.data_dir, 'robots/robots.txt'), 'r') as robots_file: robots = robots_file.read() local_hash = hashlib.md5(robots).hexdigest() print "Hash of the local 'robots' file:", local_hash event = attack.AttackEvent() event.http_request = HTTPHandler('GET /robots.txt HTTP/1.0', None) event.matched_pattern = "robots" request_handler = RequestHandler(self.data_dir) emulator = request_handler.get_handler(event.matched_pattern) print "Sending request:", "http://localhost:8080/robots.txt" emulator.handle(event) remote_hash = hashlib.md5(event.http_request.get_response()).hexdigest() self.assertEqual(remote_hash, local_hash) print "Return value:", remote_hash print "matched content of robots.txt."
def test_style_css_emulator(self): """Objective: Test the style.css emulator. Input: http://localhost:8080/styles.css Expected Result: The styles.css file. Notes: Definitions used for the attacks surface style parameters.""" print "Starting style.css emulator test" with open(os.path.join(self.data_dir, 'style/style.css'), 'r') as style_file: style = style_file.read() local_hash = hashlib.md5(style).hexdigest() print "Hash of the local 'style' file:", local_hash event = attack.AttackEvent() event.http_request = HTTPHandler('', None) event.matched_pattern = "style_css" request_handler = RequestHandler(self.data_dir) emulator = request_handler.get_handler(event.matched_pattern) print "Sending request:", "http://localhost:8080/style.css" emulator.handle(event) remote_hash = hashlib.md5(event.http_request.get_response_body()).hexdigest() self.assertEqual(remote_hash, local_hash) print "Return value:", remote_hash print "matched content of style.css."
def test_mongodb_insert(self): conn_string = helpers.create_mongo_database(fill=False) db_name = uri_parser.parse_uri(conn_string)["database"] try: maindb = log_mongodb.Database(conn_string) attack_event = attack.AttackEvent() attack_event.event_time = self.event_time = datetime.now( ).strftime("%Y-%m-%d %H:%M:%S") attack_event.matched_pattern = "test_test" attack_event.source_addr = ("192.168.1.201", 12345) request = ("GET /breadandbytter.php?a=b HTTP/1.0\r\n" "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n" "ISO-8859-1,utf-8;q=0.7,*;q=0.3r\n" "Connection: keep-alive\r\n\r\n" "some stuff") attack_event.http_request = HTTPHandler(request, None) maindb.insert(attack_event) with warnings.catch_warnings(record=True): collection = MongoClient(conn_string)[db_name]["events"] results = list(collection.find()) #Check if database returned the correct amount self.assertEqual(len(list(results)), 1) entry = results[0] self.assertEqual(entry["source"][0], "192.168.1.201") self.assertEqual(entry["source"][1], 12345) self.assertEqual(entry["pattern"], "test_test") self.assertEqual(entry["request_raw"], request) self.assertEqual(entry["request_url"], "/breadandbytter.php?a=b") finally: helpers.delete_mongo_testdata(conn_string)
def test_sqla_insert(self): #in-memory sqlite database sqla_engine = create_engine("sqlite:///") maindb = log_sql.Database(sqla_engine) #prepare attack event attack_event = attack.AttackEvent() timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S") attack_event.event_time = timestamp attack_event.matched_pattern = "test_test" attack_event.source_addr = ("192.168.1.201", 12345) request = ('GET /breadandbytter.php?a=b HTTP/1.0\r\n' 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n' 'ISO-8859-1,utf-8;q=0.7,*;q=0.3r\n' 'Connection: keep-alive\r\n\r\n' 'some stuff') attack_event.http_request = HTTPHandler(request, None) #insert attack event maindb.insert(attack_event) #try to extract event from the database sql = "SELECT * FROM events" results = sqla_engine.connect().execute(sql).fetchall() #Check if database returned the correct amount self.assertEqual(len(list(results)), 1) print results[0] entry = results[0] #check basic attributes #time self.assertEqual(entry[1], timestamp) #source self.assertEqual(entry[2], "192.168.1.201:12345") #request_url self.assertEqual(entry[3], "/breadandbytter.php?a=b") #request_body self.assertEqual(entry[4], request) #pattern self.assertEqual(entry[5], "test_test")
def test_automated_extension(self): """Objective: Test if the dork database extends on new requests to the honeypot. Input: A test request with URL: http://localhost:8080/test.php?c=test Expected Results: An entry in the 'inurl' db table containing '/test.php'. Notes: The test adds the '/test.php' entry to the database.""" attack_event = attack.AttackEvent() attack_event.matched_pattern = "internal_test" attack_event.http_request = HTTPHandler( 'GET /thiswillNeVeRHaPPend.php?c=test', None) print("Attack event prepared.") (db, engine, dork_generator) = self.dork_generator_chain('sql') dork_generator.regular_generate_dork(0) dork_generator.collect_dork(attack_event) print( "Done collecting the path from the event and writing to the database." ) sql = "SELECT * FROM inurl WHERE content = :x" result = engine.connect().execute( sql, x='/thiswillNeVeRHaPPend.php').fetchall() print("Done fetching the entries matching the request URL") self.assertTrue(len(result) > 0) print("Number of entries in the database matching our URL:") print(len(result)) print("which equates our expectation.")
def setUp(self): self.event = attack.AttackEvent() self.event.http_request = HTTPHandler( 'GET /test.php?q=SELECT%20A%20FROM%20B', None) self.data_dir = tempfile.mkdtemp()