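def loginSuccessful(self, username, password):
    """Record a successful SSH login and open the session in every enabled output.

    Args:
        username: account name presented by the remote client (attacker-supplied).
        password: password presented by the remote client (attacker-supplied).

    Marks the connection as authenticated, creates the session folder, then
    fans out to the text log, e-mail, MySQL and hpfeeds sinks according to
    the configuration, and finally fires the ``login_successful`` app hook
    if one is configured.
    """
    try:
        from shlex import quote as shquote  # Python 3.3+
    except ImportError:
        from pipes import quote as shquote  # Python 2

    self.passwordTried = True
    self.loginSuccess = True
    # One clock reading for both the hook timestamp and the daily auth-log
    # name, so the two cannot disagree across a midnight boundary.
    now = datetime.datetime.now()
    dt = now.strftime("%Y%m%d_%H%M%S")
    self.makeSessionFolder()

    if self.cfg.get('txtlog', 'enabled') == 'true':
        authLogPath = self.cfg.get('folders', 'log_path') + "/" + now.strftime("%Y%m%d")
        txtlog.authLog(authLogPath, self.endIP, username, password, True)
        txtlog.log(self.txtlog_file, self.connectionString)
        txtlog.log(self.txtlog_file, '[SSH ] Login Successful: ' + username + ':' + password)

    if self.cfg.get('email', 'login') == 'true':
        threads.deferToThread(self.email, 'HonSSH - Login Successful', self.txtlog_file)

    if self.cfg.get('database_mysql', 'enabled') == 'true':
        self.dbLog.handleLoginSucceeded(username, password)
        self.dbLog.createSession(self.sessionID, self.endIP, self.endPort,
                                 self.cfg.get('honeypot', 'ssh_addr'),
                                 self.cfg.get('honeypot', 'ssh_port'))
        self.dbLog.handleClientVersion(self.sessionID, self.version)

    if self.cfg.get('hpfeeds', 'enabled') == 'true':
        self.hpLog.handleLoginSucceeded(username, password)
        self.hpLog.createSession(self.sessionID, self.endIP, self.endPort,
                                 self.cfg.get('honeypot', 'ssh_addr'),
                                 self.cfg.get('honeypot', 'ssh_port'))
        self.hpLog.handleClientVersion(self.version)

    if self.cfg.has_option('app_hooks', 'login_successful'):
        hook = self.cfg.get('app_hooks', 'login_successful')
        if hook != '':
            # username and password are attacker-supplied: shell-quote them so
            # metacharacters cannot alter the hook command line. This assumes
            # runCommand hands the string to a shell or shlex-style parser
            # (runCommand is not visible here -- confirm).
            cmdString = " ".join([hook, "LOGIN_SUCCESSFUL", dt, self.endIP,
                                  shquote(username), shquote(password)])
            threads.deferToThread(self.runCommand, cmdString)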
def connectionLost(self):
    """Finalize the session when the remote client disconnects.

    Writes a failed-auth record when no password was ever tried; when the
    login had succeeded, closes the session in the text, MySQL and hpfeeds
    outputs and optionally mails the attack log with its TTY recordings.
    Fires the ``connection_lost`` app hook if configured, then removes the
    connection from the tracker.
    """
    dt = self.getDateTime()
    log.msg("[OUTPUT] Lost Connection with the attacker: %s" % self.endIP)

    if not self.passwordTried:
        if self.cfg.get('txtlog', 'enabled') == 'true':
            dayStamp = datetime.datetime.now().strftime("%Y%m%d")
            authLogPath = self.cfg.get('folders', 'log_path') + "/" + dayStamp
            txtlog.authLog(dt, authLogPath, self.endIP, '', '', False)

    if self.loginSuccess:
        if self.cfg.get('txtlog', 'enabled') == 'true' and os.path.exists(self.txtlog_file):
            txtlog.log(dt, self.txtlog_file, '[SSH ] Lost Connection with ' + self.endIP)
        if self.cfg.get('database_mysql', 'enabled') == 'true':
            self.dbLog.handleConnectionLost(dt, self.sessionID)
        if self.cfg.get('hpfeeds', 'enabled') == 'true':
            self.hpLog.handleConnectionLost(dt)
        if self.cfg.get('email', 'attack') == 'true':
            subject = self.sensorName + ' - Attack logged'
            threads.deferToThread(self.email, subject, self.txtlog_file, self.ttyFiles)

    if self.cfg.has_option('app_hooks', 'connection_lost'):
        hook = self.cfg.get('app_hooks', 'connection_lost')
        if hook != '':
            cmdString = hook + " CONNECTION_LOST " + dt + " " + self.endIP
            threads.deferToThread(self.runCommand, cmdString)

    self.connections.delConn(self.sensorName, self.endIP, self.endPort)
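def loginSuccessful(self, username, password):
    """Record a successful SSH login and open the session in every enabled output.

    Args:
        username: account name presented by the remote client (attacker-supplied).
        password: password presented by the remote client (attacker-supplied).

    Marks the connection as authenticated, creates the session folder, then
    fans out to the text log, e-mail, MySQL and hpfeeds sinks according to
    the configuration (sessions are tagged with this sensor's honeypot
    address/port and name), and finally fires the ``login_successful`` app
    hook if one is configured.
    """
    try:
        from shlex import quote as shquote  # Python 3.3+
    except ImportError:
        from pipes import quote as shquote  # Python 2

    self.passwordTried = True
    self.loginSuccess = True
    # One clock reading for both the hook timestamp and the daily auth-log
    # name, so the two cannot disagree across a midnight boundary.
    now = datetime.datetime.now()
    dt = now.strftime("%Y%m%d_%H%M%S")
    self.makeSessionFolder()

    if self.cfg.get('txtlog', 'enabled') == 'true':
        authLogPath = self.cfg.get('folders', 'log_path') + "/" + now.strftime("%Y%m%d")
        txtlog.authLog(authLogPath, self.endIP, username, password, True)
        txtlog.log(self.txtlog_file, self.connectionString)
        txtlog.log(self.txtlog_file, '[SSH ] Login Successful: ' + username + ':' + password)

    if self.cfg.get('email', 'login') == 'true':
        threads.deferToThread(self.email, self.sensorName + ' - Login Successful', self.txtlog_file)

    if self.cfg.get('database_mysql', 'enabled') == 'true':
        self.dbLog.handleLoginSucceeded(username, password)
        self.dbLog.createSession(self.sessionID, self.endIP, self.endPort,
                                 self.honeyIP, self.honeyPort, self.sensorName)
        self.dbLog.handleClientVersion(self.sessionID, self.version)

    if self.cfg.get('hpfeeds', 'enabled') == 'true':
        self.hpLog.handleLoginSucceeded(username, password)
        self.hpLog.createSession(self.sessionID, self.endIP, self.endPort,
                                 self.honeyIP, self.honeyPort)
        self.hpLog.handleClientVersion(self.version)

    if self.cfg.has_option('app_hooks', 'login_successful'):
        hook = self.cfg.get('app_hooks', 'login_successful')
        if hook != '':
            # username and password are attacker-supplied: shell-quote them so
            # metacharacters cannot alter the hook command line. This assumes
            # runCommand hands the string to a shell or shlex-style parser
            # (runCommand is not visible here -- confirm).
            cmdString = " ".join([hook, "LOGIN_SUCCESSFUL", dt, self.endIP,
                                  shquote(username), shquote(password)])
            threads.deferToThread(self.runCommand, cmdString)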
def channelOpened(self, uuid, channelName):
    """Record a newly opened SSH channel in each enabled output.

    Args:
        uuid: identifier assigned to the channel.
        channelName: human-readable channel label, used as the text-log prefix.
    """
    cfg = self.cfg
    if cfg.get('txtlog', 'enabled') == 'true':
        entry = channelName + ' Opened Channel'
        txtlog.log(self.txtlog_file, entry)
    if cfg.get('database_mysql', 'enabled') == 'true':
        self.dbLog.channelOpened(self.sessionID, uuid, channelName)
    if cfg.get('hpfeeds', 'enabled') == 'true':
        self.hpLog.channelOpened(uuid, channelName)
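def channelClosed(self, channel):
    """Record the closing of an SSH channel in every enabled output.

    Args:
        channel: the closed channel object; its ``name``, ``uuid`` and
            ``ttylog_file`` attributes are read here.

    A TTY log file, when the channel produced one, is queued on
    ``self.ttyFiles`` (connectionLost hands that list to the attack e-mail).
    """
    if self.cfg.get('txtlog', 'enabled') == 'true':
        txtlog.log(self.txtlog_file, channel.name + ' Closed Channel')
    if self.cfg.get('database_mysql', 'enabled') == 'true':
        self.dbLog.channelClosed(channel.uuid, channel.ttylog_file)
    if self.cfg.get('hpfeeds', 'enabled') == 'true':
        self.hpLog.channelClosed(channel.uuid, channel.ttylog_file)
    # Identity test: None is a singleton; ``!= None`` would defer to the
    # value's own __ne__.
    if channel.ttylog_file is not None:
        self.ttyFiles.append(channel.ttylog_file)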
def channelOpened(self, uuid, channelName):
    """Record a newly opened SSH channel in each enabled output and in the connection tracker.

    Args:
        uuid: identifier assigned to the channel.
        channelName: human-readable channel label, used as the text-log prefix.
    """
    dt = self.getDateTime()
    cfg = self.cfg
    if cfg.get('txtlog', 'enabled') == 'true':
        entry = channelName + ' Opened Channel'
        txtlog.log(dt, self.txtlog_file, entry)
    if cfg.get('database_mysql', 'enabled') == 'true':
        self.dbLog.channelOpened(dt, self.sessionID, uuid, channelName)
    if cfg.get('hpfeeds', 'enabled') == 'true':
        self.hpLog.channelOpened(dt, uuid, channelName)
    # Tracker registration happens regardless of which log sinks are enabled.
    self.connections.addChannel(self.sensorName, self.endIP, self.endPort, channelName, dt, uuid)
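def generateMD5(self, channelName, dt, logPath, theIP, link, outFile):
    """Hash a downloaded file and write the download record to the text logs.

    Args:
        channelName: label of the channel that performed the download.
        dt: timestamp string written into the download log entry.
        logPath: path of the downloads log handed to txtlog.downloadLog.
        theIP: remote client address recorded with the download.
        link: URL that was fetched.
        outFile: local path of the saved file to hash.

    The MD5 appears to serve as a catalogue key for the captured sample, not
    as an integrity check -- MD5 collisions are practical, so equal digests
    should not be taken as proof of identical content.
    """
    digest = hashlib.md5()
    # Read in 1 MiB chunks so large samples never have to fit in memory; the
    # context manager closes the handle even if a read fails (the original
    # used the Python-2-only file() builtin and leaked the handle on error).
    with open(outFile, 'rb') as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b''):
            digest.update(chunk)
    theMD5 = digest.hexdigest()
    theSize = os.path.getsize(outFile)
    txtlog.log(self.txtlog_file,
               channelName + ' Downloaded: ' + link + ' - Saved: ' + outFile +
               ' - Size: ' + str(theSize) + ' - MD5: ' + str(theMD5))
    txtlog.downloadLog(dt, logPath, theIP, link, outFile, theSize, theMD5)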
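def generateSHA256(self, channelName, dt, logPath, theIP, link, outFile):
    """Hash a downloaded file with SHA-256 and write the download record to the text logs.

    Args:
        channelName: label of the channel that performed the download.
        dt: timestamp string written into both log entries.
        logPath: path of the downloads log handed to txtlog.downloadLog.
        theIP: remote client address recorded with the download.
        link: URL that was fetched.
        outFile: local path of the saved file to hash.
    """
    digest = hashlib.sha256()
    # Read in 1 MiB chunks so large samples never have to fit in memory; the
    # context manager closes the handle even if a read fails (the original
    # used the Python-2-only file() builtin and leaked the handle on error).
    with open(outFile, 'rb') as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b''):
            digest.update(chunk)
    theSHA256 = digest.hexdigest()
    theSize = os.path.getsize(outFile)
    txtlog.log(dt, self.txtlog_file,
               channelName + ' Downloaded: ' + link + ' - Saved: ' + outFile +
               ' - Size: ' + str(theSize) + ' - SHA256: ' + str(theSHA256))
    txtlog.downloadLog(dt, logPath, theIP, link, outFile, theSize, theSHA256)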
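def portForwardLog(self, channelName, connDetails):
    """Log the source and destination endpoints of a port-forward request.

    Args:
        channelName: label of the forwarding channel, used as the log prefix.
        connDetails: mapping with 'srcIP', 'srcPort', 'dstIP' and 'dstPort' keys.

    Each address is annotated with its reverse-DNS name when a PTR record
    resolves; a failed lookup leaves the annotation empty.
    """
    dt = self.getDateTime()

    def reverseName(address):
        # gethostbyaddr blocks; if this runs on the reactor thread it stalls
        # for the resolver timeout on unanswered lookups (calling context not
        # visible here -- confirm). Only resolver failures are swallowed; the
        # original bare except also hid programming errors. Note that dstIP is
        # chosen by the remote client, so this lookup makes the sensor's
        # resolver emit a PTR query for an address of the attacker's choosing.
        try:
            return ' (' + socket.gethostbyaddr(address)[0] + ')'
        except (socket.error, UnicodeError):
            return ''

    txtlog.log(dt, self.txtlog_file,
               channelName + ' Source: ' + connDetails['srcIP'] + ':' +
               str(connDetails['srcPort']) + reverseName(connDetails['srcIP']))
    txtlog.log(dt, self.txtlog_file,
               channelName + ' Destination: ' + connDetails['dstIP'] + ':' +
               str(connDetails['dstPort']) + reverseName(connDetails['dstIP']))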
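def channelClosed(self, channel):
    """Record the closing of an SSH channel in every enabled output and the connection tracker.

    Args:
        channel: the closed channel object; its ``name``, ``uuid`` and
            ``ttylog_file`` attributes are read here.

    A TTY log file, when the channel produced one, is queued on
    ``self.ttyFiles`` (connectionLost hands that list to the attack e-mail).
    """
    dt = self.getDateTime()
    if self.cfg.get('txtlog', 'enabled') == 'true':
        txtlog.log(dt, self.txtlog_file, channel.name + ' Closed Channel')
    if self.cfg.get('database_mysql', 'enabled') == 'true':
        self.dbLog.channelClosed(dt, channel.uuid, channel.ttylog_file)
    if self.cfg.get('hpfeeds', 'enabled') == 'true':
        self.hpLog.channelClosed(dt, channel.uuid, channel.ttylog_file)
    # Identity test: None is a singleton; ``!= None`` would defer to the
    # value's own __ne__.
    if channel.ttylog_file is not None:
        self.ttyFiles.append(channel.ttylog_file)
    self.connections.delChannel(self.sensorName, self.endIP, self.endPort, channel.uuid)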
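def fileDownloaded(self, input):
    """Callback for a finished download attempt: log the outcome in each enabled output.

    Args:
        input: 6-tuple ``(channelName, uuid, success, link, file, error)`` as
            produced by the download machinery (not visible here).

    On success the saved file is hashed in a worker thread (generateSHA256),
    recorded in MySQL when enabled, and the ``download_finished`` app hook
    fires if configured. On failure the error goes to the Twisted log and
    the session text log.
    """
    try:
        from shlex import quote as shquote  # Python 3.3+
    except ImportError:
        from pipes import quote as shquote  # Python 2

    dt = self.getDateTime()
    # 'savedFile' rather than 'file' so the builtin is not shadowed.
    channelName, uuid, success, link, savedFile, error = input

    if not success:
        # %s formatting tolerates a non-string error object where '+' would raise.
        log.msg('[OUTPUT][DOWNLOAD][ERR]%s' % (error,))
        txtlog.log(self.getDateTime(), self.txtlog_file,
                   channelName + ' [DOWNLOAD] - Cannot download URL: ' + link)
        return

    if self.cfg.get('txtlog', 'enabled') == 'true':
        downloadsLog = self.cfg.get('folders', 'log_path') + '/downloads.log'
        threads.deferToThread(self.generateSHA256, channelName, dt, downloadsLog,
                              self.endIP, link, savedFile)
    if self.cfg.get('database_mysql', 'enabled') == 'true':
        self.dbLog.handleFileDownload(dt, uuid, link, savedFile)
    if self.cfg.has_option('app_hooks', 'download_finished'):
        hook = self.cfg.get('app_hooks', 'download_finished')
        if hook != '':
            # The URL is attacker-supplied: shell-quote it (and the saved path)
            # so metacharacters cannot alter the hook command line. Assumes
            # runCommand hands the string to a shell or shlex-style parser
            # (runCommand is not visible here -- confirm).
            cmdString = " ".join([hook, "DOWNLOAD_FINISHED", dt, self.endIP,
                                  shquote(link), shquote(savedFile)])
            threads.deferToThread(self.runCommand, cmdString)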
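def commandEntered(self, uuid, channelName, theCommand):
    """Record a command typed by the remote client and act on any wget in it.

    Args:
        uuid: identifier of the channel the command arrived on.
        channelName: label of that channel, used as the text-log prefix.
        theCommand: raw command line(s) as typed (attacker-supplied; may span
            several lines and shell separators).

    The full text goes to the text, MySQL and hpfeeds outputs. It is then
    split on shell separators (quoted strings kept whole) and newlines into
    single commands; each fires the ``command_entered`` app hook if one is
    configured, and, when download capture is active, any ``wget`` command
    is parsed with wget's option table so its URLs and credentials can be
    fetched through activeDownload.
    """
    try:
        from shlex import quote as shquote  # Python 3.3+
    except ImportError:
        from pipes import quote as shquote  # Python 2

    # wget's option table, so credentials and URLs can be told apart.
    wgetShortOpts = 'VhbdqvFcNS46xErkKmpHLnp:e:o:a:i:B:t:O:T:w:Q:P:U:l:A:R:D:I:X:'
    wgetLongOpts = [
        'version', 'help', 'background', 'execute=', 'output-file=', 'append-output=',
        'debug', 'quiet', 'verbose', 'report-speed=', 'input-file=', 'force-html',
        'base=', 'config=', 'bind-address=', 'tries=', 'output-document=',
        'backups=', 'continue', 'progress=', 'timestamping', 'no-use-server-timestamps',
        'server-response', 'spider', 'timeout=', 'dns-timeout=', 'connect-timeout=',
        'read-timeout=', 'limit-rate=', 'wait=', 'waitretry=',
        'random-wait', 'no-proxy', 'quota=', 'no-dns-cache', 'restrict-file-names=',
        'inet4-only', 'inet6-only', 'prefer-family=', 'retry-connrefused',
        'user=', 'password=', 'ask-password', 'no-iri', 'local-encoding=',
        'remote-encoding=', 'unlink', 'force-directories', 'protocol-directories',
        'cut-dirs=', 'directory-prefix=', 'default-page=', 'adjust-extension',
        'http-user=', 'http-password=', 'no-http-keep-alive', 'no-cache', 'no-cookies',
        'load-cookies=', 'save-cookies=', 'keep-session-cookies', 'ignore-length',
        'header=', 'max-redirect=', 'proxy-user=', 'proxy-password=', 'referer=',
        'save-headers', 'user-agent=', 'post-data=', 'post-file=', 'method=',
        'body-data=', 'body-file=', 'content-disposition', 'content-on-error',
        'trust-server-names', 'auth-no-challenge', 'secure-protocol=', 'https-only',
        'no-check-certificate', 'certificate=', 'certificate-type=', 'private-key=',
        'private-key-type=', 'ca-certificate=', 'ca-directory=', 'random-file=',
        'egd-file=', 'warc-file=', 'warc-header=', 'warc-max-size=', 'warc-cdx',
        'warc-dedup=', 'no-warc-compression', 'no-warc-digests', 'no-warc-keep-log',
        'warc-tempdir=', 'ftp-user=', 'ftp-password=', 'no-remove-listing', 'no-glob',
        'no-passive-ftp', 'preserve-permissions', 'retr-symlinks', 'recursive',
        'level=', 'delete-after', 'convert-links', 'backup-converted', 'mirror',
        'page-requisites', 'strict-comments', 'accept=', 'reject=', 'accept-regex=',
        'reject-regex=', 'regex-type=', 'domains=', 'exclude-domains=', 'follow-ftp',
        'follow-tags=', 'ignore-tags=', 'ignore-case', 'span-hosts', 'relative',
        'include-directories=', 'exclude-directories=', 'no-verbose', 'no-clobber',
        'no-directories', 'no-host-directories', 'no-parent',
    ]

    if self.cfg.get('txtlog', 'enabled') == 'true':
        theCMD = theCommand.replace('\n', '\\n')
        txtlog.log(self.txtlog_file, channelName + " Command Executed: %s" % (theCMD))
    if self.cfg.get('database_mysql', 'enabled') == 'true':
        self.dbLog.handleCommand(uuid, theCommand)
    if self.cfg.get('hpfeeds', 'enabled') == 'true':
        self.hpLog.handleCommand(uuid, theCommand)

    # Split on ; & | < > outside quotes, then on newlines: one command per item.
    separated = re.findall(r'(?:[^;&|<>"\']|["\'](?:\\.|[^"\'])*[\'"])+', theCommand)
    theCMDs = [part for piece in separated for part in piece.split('\n')]

    dt = datetime.datetime.now().strftime("%Y%m%d_%H%M%S")
    hook = ''
    if self.cfg.has_option('app_hooks', 'command_entered'):
        hook = self.cfg.get('app_hooks', 'command_entered')
    captureDownloads = self.cfg.get('download', 'active') == 'true'

    for command in theCMDs:
        command = command.strip()

        if hook != '':
            # The original wrapped the command in bare single quotes, which a
            # single quote inside the attacker's text breaks out of; shell-quote
            # it instead. Assumes runCommand hands the string to a shell or
            # shlex-style parser (runCommand is not visible here -- confirm).
            cmdString = " ".join([hook, "COMMAND_ENTERED", dt, self.endIP, shquote(command)])
            threads.deferToThread(self.runCommand, cmdString)

        if not (captureDownloads and command.startswith('wget ')):
            continue

        # Tokenise like a shell (double-quoted groups stay whole). gnu_getopt
        # rather than getopt because wget accepts options after the URL
        # ("wget URL -O out"); plain getopt stops at the URL and would hand
        # "-O" and "out" to activeDownload as links.
        commandArgs = re.findall(r'(?:[^\s"]|"(?:\\.|[^"])*")+', command[4:])
        try:
            opts, links = getopt.gnu_getopt(commandArgs, wgetShortOpts, wgetLongOpts)
        except getopt.GetoptError as err:
            # Unknown/malformed options are attacker-controlled input, not a
            # program error: record and move on instead of aborting the handler.
            log.msg('[OUTPUT][DOWNLOAD][ERR] Cannot parse wget command: %s' % (err,))
            continue

        username = ''
        password = ''
        for opt, value in opts:
            # getopt returns the option with its leading dashes ('--user'); the
            # original compared against 'user' and so never captured credentials.
            if opt in ('--user', '--http-user', '--ftp-user'):
                username = value
            elif opt in ('--password', '--http-password', '--ftp-password'):
                password = value
        for l in links:
            self.activeDownload(channelName, uuid, l, username, password)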
def connectionLost(self):
    """Finalize the session when the remote client disconnects.

    Writes a failed-auth record when no password was ever tried; when the
    login had succeeded, closes the session in the text, MySQL and hpfeeds
    outputs and optionally mails the attack log with its TTY recordings.
    Finally fires the ``connection_lost`` app hook if one is configured.
    """
    log.msg("[OUTPUT] Lost Connection with the attacker: %s" % self.endIP)

    if not self.passwordTried:
        if self.cfg.get('txtlog', 'enabled') == 'true':
            dayStamp = datetime.datetime.now().strftime("%Y%m%d")
            authLogPath = self.cfg.get('folders', 'log_path') + "/" + dayStamp
            txtlog.authLog(authLogPath, self.endIP, '', '', False)

    if self.loginSuccess:
        if self.cfg.get('txtlog', 'enabled') == 'true' and os.path.exists(self.txtlog_file):
            txtlog.log(self.txtlog_file, '[SSH ] Lost Connection with ' + self.endIP)
        if self.cfg.get('database_mysql', 'enabled') == 'true':
            self.dbLog.handleConnectionLost(self.sessionID)
        if self.cfg.get('hpfeeds', 'enabled') == 'true':
            self.hpLog.handleConnectionLost()
        if self.cfg.get('email', 'attack') == 'true':
            threads.deferToThread(self.email, 'HonSSH - Attack logged', self.txtlog_file, self.ttyFiles)

    dt = datetime.datetime.now().strftime("%Y%m%d_%H%M%S")
    if self.cfg.has_option('app_hooks', 'connection_lost'):
        hook = self.cfg.get('app_hooks', 'connection_lost')
        if hook != '':
            cmdString = hook + " CONNECTION_LOST " + dt + " " + self.endIP
            threads.deferToThread(self.runCommand, cmdString)
def errLog(self, message):
    """Append *message* to the session's ``-err`` side log.

    The session folder is created first. Unlike genericLog, the txtlog
    'enabled' switch is not consulted here.
    """
    stamp = self.getDateTime()
    self.makeSessionFolder()
    errFile = self.txtlog_file + "-err"
    txtlog.log(stamp, errFile, message)
def advancedLog(self, message):
    """Append *message* to the session's ``-adv`` side log.

    The session folder is created first. Unlike genericLog, the txtlog
    'enabled' switch is not consulted here.
    """
    self.makeSessionFolder()
    advFile = self.txtlog_file + "-adv"
    txtlog.log(advFile, message)
def errLog(self, message):
    """Append *message* to the session's ``-err`` side log.

    The session folder is created first. Unlike genericLog, the txtlog
    'enabled' switch is not consulted here.
    """
    self.makeSessionFolder()
    errFile = self.txtlog_file + "-err"
    txtlog.log(errFile, message)
def genericLog(self, message):
    """Append *message* to the session text log when text logging is enabled.

    The session folder is created even when the log line is then skipped.
    """
    self.makeSessionFolder()
    textLoggingOn = self.cfg.get('txtlog', 'enabled') == 'true'
    if textLoggingOn:
        txtlog.log(self.txtlog_file, message)
def advancedLog(self, message):
    """Append *message* to the session's ``-adv`` side log.

    The session folder is created first. Unlike genericLog, the txtlog
    'enabled' switch is not consulted here.
    """
    stamp = self.getDateTime()
    self.makeSessionFolder()
    advFile = self.txtlog_file + "-adv"
    txtlog.log(stamp, advFile, message)
def genericLog(self, message):
    """Append *message* to the session text log when text logging is enabled.

    The session folder is created even when the log line is then skipped.
    """
    stamp = self.getDateTime()
    self.makeSessionFolder()
    textLoggingOn = self.cfg.get('txtlog', 'enabled') == 'true'
    if textLoggingOn:
        txtlog.log(stamp, self.txtlog_file, message)