def connectionMade(self):
"""
Called when the connection is made from the other side.
We send our version, but wait with sending KEXINIT
"""
self.transportId = uuid.uuid4().hex[:12]
src_ip = self.transport.getPeer().host
ipv4_search = self.ipv4rex.search(src_ip)
if ipv4_search is not None:
src_ip = ipv4_search.group(1)
log.msg(
eventid='cowrie.session.connect',
format="New connection: %(src_ip)s:%(src_port)s (%(dst_ip)s:%(dst_port)s) [session: %(session)s]",
src_ip=src_ip,
src_port=self.transport.getPeer().port,
dst_ip=self.transport.getHost().host,
dst_port=self.transport.getHost().port,
session=self.transportId,
sessionno='S{0}'.format(self.transport.sessionno),
protocol='ssh'
)
self.transport.write('{0}\r\n'.format(self.ourVersionString).encode('ascii'))
self.currentEncryptions = transport.SSHCiphers(b'none', b'none', b'none', b'none')
self.currentEncryptions.setKeys(b'', b'', b'', b'', b'', b'')
self.startTime = time.time()
self.setTimeout(CONFIG.getint('honeypot', 'authentication_timeout', fallback=120))
def start(self):
"""
"""
try:
host = CONFIG.get('output_influx', 'host')
except:
host = ''
try:
port = CONFIG.getint('output_influx', 'port')
except:
port = 8086
self.client = None
try:
self.client = InfluxDBClient(host=host, port=port)
except InfluxDBClientError as e:
log.err("output_influx: I/O error({0}): '{1}'".format(
e.errno, e.strerror))
return
if self.client is None:
log.err("output_influx: cannot instantiate client!")
return
if (CONFIG.has_option('output_influx', 'username') and
CONFIG.has_option('output_influx', 'password')):
username = CONFIG.get('output_influx', 'username')
password = CONFIG.get('output_influx', 'password')
self.client.switch_user(username, password)
try:
dbname = CONIFG.get('output_influx', 'database_name')
else:
def connectionMade(self):
"""
"""
pt = self.getProtoTransport()
self.realClientIP = pt.transport.getPeer().host
self.realClientPort = pt.transport.getPeer().port
self.clientVersion = self.getClientVersion()
self.logintime = time.time()
try:
timeout = CONFIG.getint('honeypot', 'interactive_timeout')
except:
timeout = 180
self.setTimeout(timeout)
# Source IP of client in user visible reports (can be fake or real)
try:
self.clientIP = CONFIG.get('honeypot', 'fake_addr')
except:
self.clientIP = self.realClientIP
if CONFIG.has_option('honeypot', 'internet_facing_ip'):
self.kippoIP = CONFIG.get('honeypot', 'internet_facing_ip')
else:
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(("8.8.8.8", 80))
self.kippoIP = s.getsockname()[0]
except:
self.kippoIP = '192.168.0.1'
finally:
s.close()
def __init__(self):
self.sessions = {}
self.ttylogs = {}
# FIXME figure out what needs to be done here regarding
self.re_sessionlog = re.compile(
r'.*HoneyPotSSHTransport,([0-9]+),[:a-f0-9.]+$')
# cowrie.session.connect is special since it kicks off new logging session,
# and is not handled here
self.events = {
'cowrie.login.success': self.handleLoginSucceeded,
'cowrie.login.failed': self.handleLoginFailed,
'cowrie.log.open': self.handleTTYLogOpened,
'cowrie.command.success': self.handleCommand,
'cowrie.command.failed': self.handleUnknownCommand,
'cowrie.session.file_download': self.handleFileDownload,
'cowrie.command.input': self.handleInput,
'cowrie.client.version': self.handleClientVersion,
'cowrie.client.size': self.handleTerminalSize,
'cowrie.session.closed': self._connectionLost,
'cowrie.log.closed': self.handleTTYLogClosed,
}
self.reported_ssh_port = None
if CONFIG.has_option('honeypot', 'reported_ssh_port'):
self.reported_ssh_port = CONFIG.getint('honeypot', 'reported_ssh_port')
self.report_public_ip = False
if CONFIG.has_option('honeypot', 'report_public_ip'):
if CONFIG.getboolean('honeypot', 'report_public_ip') == True:
self.report_public_ip = True
import urllib
self.public_ip = urllib.urlopen('http://myip.threatstream.com').readline()
self.start()
def __init__(self, *args, **kw):
channel.CowrieSSHChannel.__init__(self, *args, **kw)
#self.__dict__['*****@*****.**'] = self.request_agent
try:
keyPath = CONFIG.get('proxy', 'private_key')
self.keys.append(keys.Key.fromFile(keyPath))
except:
self.keys = None
knownHostsPath = CONFIG.get('proxy', 'known_hosts')
self.knownHosts = KnownHostsFile.fromPath(knownHostsPath)
log.msg("knownHosts = " + repr(self.knownHosts))
self.host = CONFIG.get('proxy', 'host')
self.port = CONFIG.getint('proxy', 'port')
self.user = CONFIG.get('proxy', 'user')
try:
self.password = CONFIG.get('proxy', 'password')
except:
self.password = None
log.msg("host = " + self.host)
log.msg("port = " + str(self.port))
log.msg("user = " + self.user)
self.client = ProxyClient(self)
def __init__(self):
addr = CONFIG.get('output_socketlog', 'address')
self.host = addr.split(':')[0]
self.port = int(addr.split(':')[1])
self.timeout = CONFIG.getint('output_socketlog', 'timeout')
cowrie.core.output.Output.__init__(self)
def connectionMade(self):
"""
"""
self.transportId = uuid.uuid4().hex[:12]
sessionno = self.transport.sessionno
self.startTime = time.time()
try:
self.setTimeout(CONFIG.getint('honeypot',
'authentication_timeout'))
except NoOptionError:
self.setTimeout(120)
log.msg(
eventid='cowrie.session.connect',
format=
'New connection: %(src_ip)s:%(src_port)s (%(dst_ip)s:%(dst_port)s) [session: %(session)s]',
src_ip=self.transport.getPeer().host,
src_port=self.transport.getPeer().port,
dst_ip=self.transport.getHost().host,
dst_port=self.transport.getHost().port,
session=self.transportId,
sessionno='T{0}'.format(str(sessionno)),
protocol='telnet')
TelnetTransport.connectionMade(self)
def __init__(self):
self.sessions = {}
self.ttylogs = {}
# FIXME figure out what needs to be done here regarding
self.re_sessionlog = re.compile(
r'.*HoneyPotSSHTransport,([0-9]+),[:a-f0-9.]+$')
# cowrie.session.connect is special since it kicks off new logging session,
# and is not handled here
self.events = {
'cowrie.login.success': self.handleLoginSucceeded,
'cowrie.login.failed': self.handleLoginFailed,
'cowrie.command.success': self.handleCommand,
'cowrie.command.failed': self.handleUnknownCommand,
'cowrie.session.file_download': self.handleFileDownload,
'cowrie.command.input': self.handleInput,
'cowrie.client.version': self.handleClientVersion,
'cowrie.client.size': self.handleTerminalSize,
'cowrie.session.closed': self._connectionLost,
'cowrie.log.closed': self.handleTTYLogClosed,
}
self.reported_ssh_port = None
if CONFIG.has_option('honeypot', 'reported_ssh_port'):
self.reported_ssh_port = CONFIG.getint('honeypot', 'reported_ssh_port')
self.report_public_ip = False
if CONFIG.has_option('honeypot', 'report_public_ip'):
if CONFIG.getboolean('honeypot', 'report_public_ip') == True:
self.report_public_ip = True
import urllib
self.public_ip = urllib.urlopen('http://myip.threatstream.com').readline()
self.start()
def start(self):
log.msg("WARNING: Beta version of new hpfeeds enabled. This will become hpfeeds in a future release.")
if CONFIG.has_option('output_hpfeeds', 'channel'):
self.channel = CONFIG.get('output_hpfeeds', 'channel')
if CONFIG.has_option('output_hpfeeds', 'endpoint'):
endpoint = CONFIG.get('output_hpfeeds', 'endpoint')
else:
server = CONFIG.get('output_hpfeeds', 'server')
port = CONFIG.getint('output_hpfeeds', 'port')
if CONFIG.has_option('output_hpfeeds', 'tlscert'):
with open(CONFIG.get('output_hpfeeds', 'tlscert')) as fp:
authority = ssl.Certificate.loadPEM(fp.read())
options = ssl.optionsForClientTLS(server, authority)
endpoint = endpoints.SSL4ClientEndpoint(reactor, server, port, options)
else:
endpoint = endpoints.HostnameEndpoint(reactor, server, port)
ident = CONFIG.get('output_hpfeeds', 'identifier')
secret = CONFIG.get('output_hpfeeds', 'secret')
self.meta = {}
self.client = ClientSessionService(endpoint, ident, secret)
self.client.startService()
def connectionMade(self):
"""
Called when the connection is made from the other side.
We send our version, but wait with sending KEXINIT
"""
self.transportId = uuid.uuid4().hex[:12]
src_ip = self.transport.getPeer().host
ipv4rex = re.compile(r'^::ffff:(\d+\.\d+\.\d+\.\d+)$')
ipv4_search = ipv4rex.search(src_ip)
if ipv4_search is not None:
src_ip = ipv4_search.group(1)
log.msg(
eventid='cowrie.session.connect',
format="New connection: %(src_ip)s:%(src_port)s (%(dst_ip)s:%(dst_port)s) [session: %(session)s]",
src_ip=src_ip,
src_port=self.transport.getPeer().port,
dst_ip=self.transport.getHost().host,
dst_port=self.transport.getHost().port,
session=self.transportId,
sessionno='S{0}'.format(self.transport.sessionno),
protocol='ssh'
)
self.transport.write('{0}\r\n'.format(self.ourVersionString).encode('ascii'))
self.currentEncryptions = transport.SSHCiphers(b'none', b'none', b'none', b'none')
self.currentEncryptions.setKeys(b'', b'', b'', b'', b'', b'')
self.startTime = time.time()
try:
self.setTimeout(CONFIG.getint('honeypot', 'authentication_timeout'))
except NoOptionError:
self.setTimeout(120)
def __init__(self, sftpserver, filename, flags, attrs):
self.sftpserver = sftpserver
self.filename = filename
self.transfer_completed = 0
self.bytesReceived = 0
self.bytesReceivedLimit = CONFIG.getint('honeypot', 'download_limit_size', fallback=0)
openFlags = 0
if flags & FXF_READ == FXF_READ and flags & FXF_WRITE == 0:
openFlags = os.O_RDONLY
if flags & FXF_WRITE == FXF_WRITE and flags & FXF_READ == 0:
openFlags = os.O_WRONLY
if flags & FXF_WRITE == FXF_WRITE and flags & FXF_READ == FXF_READ:
openFlags = os.O_RDWR
if flags & FXF_APPEND == FXF_APPEND:
openFlags |= os.O_APPEND
if flags & FXF_CREAT == FXF_CREAT:
openFlags |= os.O_CREAT
if flags & FXF_TRUNC == FXF_TRUNC:
openFlags |= os.O_TRUNC
if flags & FXF_EXCL == FXF_EXCL:
openFlags |= os.O_EXCL
if "permissions" in attrs:
filemode = attrs["permissions"]
del attrs["permissions"]
else:
filemode = 0o777
fd = sftpserver.fs.open(filename, openFlags, filemode)
if attrs:
self.sftpserver.setAttrs(filename, attrs)
self.fd = fd
# Cache a copy of file in memory to read from in readChunk
if flags & FXF_READ == FXF_READ:
self.contents = self.sftpserver.fs.file_contents(self.filename)
def __init__(self, *args, **kw):
channel.CowrieSSHChannel.__init__(self, *args, **kw)
keyPath = CONFIG.get('proxy', 'private_key')
self.keys.append(keys.Key.fromFile(keyPath))
try:
keyPath = CONFIG.get('proxy', 'private_key')
self.keys.append(keys.Key.fromFile(keyPath))
except NoOptionError:
self.keys = None
knownHostsPath = CONFIG.get('proxy', 'known_hosts')
self.knownHosts = KnownHostsFile.fromPath(knownHostsPath)
self.host = CONFIG.get('proxy', 'host')
self.port = CONFIG.getint('proxy', 'port')
self.user = CONFIG.get('proxy', 'user')
try:
self.password = CONFIG.get('proxy', 'password')
except NoOptionError:
self.password = None
log.msg("knownHosts = {0}".format(repr(self.knownHosts)))
log.msg("host = {0}".format(self.host))
log.msg("port = {0}".format(self.port))
log.msg("user = {0}".format(self.user))
self.client = ProxyClient(self)
def __init__(self, *args, **kw):
channel.CowrieSSHChannel.__init__(self, *args, **kw)
keyPath = CONFIG.get('proxy', 'private_key')
self.keys.append(keys.Key.fromFile(keyPath))
try:
keyPath = CONFIG.get('proxy', 'private_key')
self.keys.append(keys.Key.fromFile(keyPath))
except NoOptionError:
self.keys = None
knownHostsPath = CONFIG.get('proxy', 'known_hosts')
self.knownHosts = KnownHostsFile.fromPath(knownHostsPath)
self.host = CONFIG.get('proxy', 'host')
self.port = CONFIG.getint('proxy', 'port')
self.user = CONFIG.get('proxy', 'user')
try:
self.password = CONFIG.get('proxy', 'password')
except NoOptionError:
self.password = None
log.msg("knownHosts = {0}".format(repr(self.knownHosts)))
log.msg("host = {0}".format(self.host))
log.msg("port = {0}".format(self.port))
log.msg("user = {0}".format(self.user))
self.client = ProxyClient(self)
def __init__(self):
self.host = CONFIG.get(self.RETHINK_DB_SEGMENT, 'host')
self.port = CONFIG.getint(self.RETHINK_DB_SEGMENT, 'port')
self.db = CONFIG.get(self.RETHINK_DB_SEGMENT, 'db')
self.table = CONFIG.get(self.RETHINK_DB_SEGMENT, 'table')
self.password = CONFIG.get(self.RETHINK_DB_SEGMENT, 'password', raw=True)
cowrie.core.output.Output.__init__(self)
def connectionMade(self):
pt = self.getProtoTransport()
self.realClientIP = pt.transport.getPeer().host
self.realClientPort = pt.transport.getPeer().port
self.logintime = time.time()
log.msg(eventid='cowrie.session.params', arch=self.user.server.arch)
try:
timeout = CONFIG.getint('honeypot', 'interactive_timeout')
except Exception:
timeout = 180
self.setTimeout(timeout)
# Source IP of client in user visible reports (can be fake or real)
try:
self.clientIP = CONFIG.get('honeypot', 'fake_addr')
except Exception:
self.clientIP = self.realClientIP
# Source IP of server in user visible reports (can be fake or real)
if CONFIG.has_option('honeypot', 'internet_facing_ip'):
self.kippoIP = CONFIG.get('honeypot', 'internet_facing_ip')
else:
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(("8.8.8.8", 80))
self.kippoIP = s.getsockname()[0]
except Exception:
self.kippoIP = '192.168.0.1'
finally:
s.close()
def start(self):
host = CONFIG.get('output_stingarfluentd', 'fluent_host')
port = CONFIG.getint('output_stingarfluentd', 'fluent_port')
app = CONFIG.get('output_stingarfluentd', 'app')
self.sender = sender.FluentSender(app, host=host, port=port)
self.meta = {}
def makeTftpRetrieval(self):
"""
"""
progresshook = Progress(self).progresshook
if CONFIG.has_option('honeypot', 'download_limit_size'):
self.limit_size = CONFIG.getint('honeypot', 'download_limit_size')
self.artifactFile = Artifact(self.file_to_get)
tclient = None
url = ''
try:
tclient = tftpy.TftpClient(self.hostname, int(self.port))
# tftpy can't handle unicode string as filename
# so we have to convert unicode type to str type
tclient.download(str(self.file_to_get), self.artifactFile,
progresshook)
url = 'tftp://%s/%s' % (self.hostname, self.file_to_get.strip('/'))
self.file_to_get = self.fs.resolve_path(self.file_to_get,
self.protocol.cwd)
if hasattr(tclient.context, 'metrics'):
self.fs.mkfile(self.file_to_get, 0, 0,
tclient.context.metrics.bytes, 33188)
else:
self.fs.mkfile(self.file_to_get, 0, 0, 0, 33188)
except tftpy.TftpException:
if tclient and tclient.context and not tclient.context.fileobj.closed:
tclient.context.fileobj.close()
if url:
# log to cowrie.log
log.msg(
format=
'Downloaded URL (%(url)s) with SHA-256 %(shasum)s to %(outfile)s',
url=url,
outfile=self.artifactFile.shasumFilename,
shasum=self.artifactFile.shasum)
self.protocol.logDispatch(
eventid='cowrie.session.file_download',
format=
'Downloaded URL (%(url)s) with SHA-256 %(shasum)s to %(outfile)s',
url=url,
outfile=self.artifactFile.shasumFilename,
shasum=self.artifactFile.shasum,
destfile=self.file_to_get)
# Update the honeyfs to point to downloaded file
self.fs.update_realfile(self.fs.getfile(self.file_to_get),
self.artifactFile.shasumFilename)
self.fs.chown(self.file_to_get, self.protocol.user.uid,
self.protocol.user.gid)
def __init__(self):
addr = CONFIG.get('output_socketlog', 'address')
self.host = addr.split(':')[0]
self.port = int(addr.split(':')[1])
self.timeout = CONFIG.getint('output_socketlog', 'timeout')
cowrie.core.output.Output.__init__(self)
def start(self):
"""
"""
log.msg("WARNING: Beta version of new hpfeeds enabled. This will become hpfeeds in a future release.")
if CONFIG.has_option('output_hpfeeds', 'channel'):
self.channel = CONFIG.get('output_hpfeeds', 'channel')
if CONFIG.has_option('output_hpfeeds', 'endpoint'):
endpoint = CONFIG.get('output_hpfeeds', 'endpoint')
else:
server = CONFIG.get('output_hpfeeds', 'server')
port = CONFIG.getint('output_hpfeeds', 'port')
if CONFIG.has_option('output_hpfeeds', 'tlscert'):
with open(CONFIG.get('output_hpfeeds', 'tlscert')) as fp:
authority = ssl.Certificate.loadPEM(fp.read())
options = ssl.optionsForClientTLS(server, authority)
endpoint = endpoints.SSL4ClientEndpoint(reactor, server, port, options)
else:
endpoint = endpoints.HostnameEndpoint(reactor, server, port)
ident = CONFIG.get('output_hpfeeds', 'identifier')
secret = CONFIG.get('output_hpfeeds', 'secret')
self.meta = {}
self.client = ClientSessionService(endpoint, ident, secret)
self.client.startService()
def start(self):
server = CONFIG.get('output_hpfeeds', 'server')
port = CONFIG.getint('output_hpfeeds', 'port')
ident = CONFIG.get('output_hpfeeds', 'identifier')
secret = CONFIG.get('output_hpfeeds', 'secret')
debug = CONFIG.getboolean('output_hpfeeds', 'debug')
self.client = hpclient(server, port, ident, secret, debug)
self.meta = {}
def start(self):
server = CONFIG.get('output_hpfeeds', 'server')
port = CONFIG.getint('output_hpfeeds', 'port')
ident = CONFIG.get('output_hpfeeds', 'identifier')
secret = CONFIG.get('output_hpfeeds', 'secret')
debug = CONFIG.getboolean('output_hpfeeds', 'debug')
self.client = hpclient(server, port, ident, secret, debug)
self.meta = {}
def __init__(self):
self.auth_key = CONFIG.get('output_dshield', 'auth_key')
self.userid = CONFIG.get('output_dshield', 'userid')
self.batch_size = CONFIG.getint('output_dshield', 'batch_size')
try:
self.debug = CONFIG.getboolean('output_dshield', 'debug')
except Exception:
self.debug = False
cowrie.core.output.Output.__init__(self)
def __init__(self):
"""
Initializing the class
"""
self.index = CONFIG.get('output_splunklegacy', 'index')
self.username = CONFIG.get('output_splunklegacy', 'username')
self.password = CONFIG.get('output_splunklegacy', 'password', raw=True)
self.host = CONFIG.get('output_splunklegacy', 'host')
self.port = CONFIG.getint('output_splunklegacy', 'port')
cowrie.core.output.Output.__init__(self)
def __init__(self, *args, **kw):
"""
Initialize logging
"""
self.ttylogPath = CONFIG.get('honeypot', 'log_path')
self.downloadPath = CONFIG.get('honeypot', 'download_path')
self.ttylogEnabled = CONFIG.getboolean('honeypot', 'ttylog', fallback=True)
self.bytesReceivedLimit = CONFIG.getint('honeypot', 'download_limit_size', fallback=0)
channel.SSHChannel.__init__(self, *args, **kw)
def __init__(self):
"""
Initializing the class
"""
self.index = CONFIG.get('output_splunklegacy', 'index')
self.username = CONFIG.get('output_splunklegacy', 'username')
self.password = CONFIG.get('output_splunklegacy', 'password', raw=True)
self.host = CONFIG.get('output_splunklegacy', 'host')
self.port = CONFIG.getint('output_splunklegacy', 'port')
cowrie.core.output.Output.__init__(self)
def __init__(self):
self.auth_key = CONFIG.get('output_dshield', 'auth_key')
self.userid = CONFIG.get('output_dshield', 'userid')
self.batch_size = CONFIG.getint('output_dshield', 'batch_size')
try:
self.debug = CONFIG.getboolean('output_dshield', 'debug')
except:
self.debug = False
cowrie.core.output.Output.__init__(self)
def makeTftpRetrieval(self):
"""
"""
progresshook = Progress(self).progresshook
if CONFIG.has_option('honeypot', 'download_limit_size'):
self.limit_size = CONFIG.getint('honeypot', 'download_limit_size')
self.artifactFile = Artifact(self.file_to_get)
tclient = None
url = ''
try:
tclient = tftpy.TftpClient(self.hostname, int(self.port))
# tftpy can't handle unicode string as filename
# so we have to convert unicode type to str type
tclient.download(str(self.file_to_get), self.artifactFile, progresshook)
url = 'tftp://%s/%s' % (self.hostname, self.file_to_get.strip('/'))
self.file_to_get = self.fs.resolve_path(self.file_to_get, self.protocol.cwd)
if hasattr(tclient.context, 'metrics'):
self.fs.mkfile(self.file_to_get, 0, 0, tclient.context.metrics.bytes, 33188)
else:
self.fs.mkfile(self.file_to_get, 0, 0, 0, 33188)
except tftpy.TftpException:
if tclient and tclient.context and not tclient.context.fileobj.closed:
tclient.context.fileobj.close()
if url:
# log to cowrie.log
log.msg(format='Downloaded URL (%(url)s) with SHA-256 %(shasum)s to %(outfile)s',
url=url,
outfile=self.artifactFile.shasumFilename,
shasum=self.artifactFile.shasum)
self.protocol.logDispatch(eventid='cowrie.session.file_download',
format='Downloaded URL (%(url)s) with SHA-256 %(shasum)s to %(outfile)s',
url=url,
outfile=self.artifactFile.shasumFilename,
shasum=self.artifactFile.shasum,
destfile=self.file_to_get)
# Update the honeyfs to point to downloaded file
self.fs.update_realfile(self.fs.getfile(self.file_to_get), self.artifactFile.shasumFilename)
self.fs.chown(self.file_to_get, self.protocol.user.uid, self.protocol.user.gid)
def __init__(self, *args, **kw):
"""
Initialize logging
"""
self.ttylogPath = CONFIG.get('honeypot', 'log_path')
self.downloadPath = CONFIG.get('honeypot', 'download_path')
self.ttylogEnabled = CONFIG.getboolean('honeypot',
'ttylog',
fallback=True)
self.bytesReceivedLimit = CONFIG.getint('honeypot',
'download_limit_size',
fallback=0)
channel.SSHChannel.__init__(self, *args, **kw)
def setService(self, service):
"""
Remove login grace timeout, set zlib compression after auth
"""
# Reset timeout. Not everyone opens shell so need timeout at transport level
if service.name == b'ssh-connection':
self.setTimeout(CONFIG.getint('honeypot', 'interactive_timeout', fallback=300))
# when auth is successful we enable compression
# this is called right after MSG_USERAUTH_SUCCESS
if service.name == 'ssh-connection':
if self.outgoingCompressionType == '*****@*****.**':
self.outgoingCompression = zlib.compressobj(6)
if self.incomingCompressionType == '*****@*****.**':
self.incomingCompression = zlib.decompressobj()
transport.SSHServerTransport.setService(self, service)
def connectionMade(self):
self.transportId = uuid.uuid4().hex[:12]
sessionno = self.transport.sessionno
self.startTime = time.time()
self.setTimeout(CONFIG.getint('honeypot', 'authentication_timeout', fallback=120))
log.msg(eventid='cowrie.session.connect',
format='New connection: %(src_ip)s:%(src_port)s (%(dst_ip)s:%(dst_port)s) [session: %(session)s]',
src_ip=self.transport.getPeer().host,
src_port=self.transport.getPeer().port,
dst_ip=self.transport.getHost().host,
dst_port=self.transport.getHost().port,
session=self.transportId,
sessionno='T{0}'.format(str(sessionno)),
protocol='telnet')
TelnetTransport.connectionMade(self)
def __init__(self, *args, **kw):
"""
Initialize logging
"""
self.ttylogPath = CONFIG.get('honeypot', 'log_path')
self.downloadPath = CONFIG.get('honeypot', 'download_path')
try:
self.ttylogEnabled = CONFIG.getboolean('honeypot', 'ttylog')
except NoOptionError:
self.ttylogEnabled = True
try:
self.bytesReceivedLimit = CONFIG.getint('honeypot', 'download_limit_size')
except NoOptionError:
self.bytesReceivedLimit = 0
channel.SSHChannel.__init__(self, *args, **kw)
def start(self):
try:
port = CONFIG.getint('output_mysql', 'port')
except Exception:
port = 3306
try:
self.db = ReconnectingConnectionPool(
'MySQLdb',
host=CONFIG.get('output_mysql', 'host'),
db=CONFIG.get('output_mysql', 'database'),
user=CONFIG.get('output_mysql', 'username'),
passwd=CONFIG.get('output_mysql', 'password', raw=True),
port=port,
cp_min=1,
cp_max=1)
except MySQLdb.Error as e:
log.msg("output_mysql: Error %d: %s" % (e.args[0], e.args[1]))
def _cbLogin(self, ial):
"""
Fired on a successful login
"""
interface, protocol, logout = ial
protocol.windowSize = self.windowSize
self.protocol = protocol
self.logout = logout
self.state = 'Command'
self.transport.write(b'\n')
# Remove the short timeout of the login prompt.
self.transport.setTimeout(CONFIG.getint('honeypot', 'interactive_timeout', fallback=300))
# replace myself with avatar protocol
protocol.makeConnection(self.transport)
self.transport.protocol = protocol
def _cbLogin(self, ial):
"""
Fired on a successful login
"""
interface, protocol, logout = ial
protocol.windowSize = self.windowSize
self.protocol = protocol
self.logout = logout
self.state = 'Command'
self.transport.write(b'\n')
# Remove the short timeout of the login prompt.
self.transport.setTimeout(
CONFIG.getint('honeypot', 'interactive_timeout', fallback=300))
# replace myself with avatar protocol
protocol.makeConnection(self.transport)
self.transport.protocol = protocol
def __init__(self, prot=None, *a, **kw):
insults.ServerProtocol.__init__(self, prot, *a, **kw)
self.bytesReceived = 0
self.ttylogPath = CONFIG.get('honeypot', 'ttylog_path')
self.downloadPath = CONFIG.get('honeypot', 'download_path')
try:
self.ttylogEnabled = CONFIG.getboolean('honeypot', 'ttylog')
except Exception:
self.ttylogEnabled = True
self.redirFiles = set()
self.bytesReceivedLimit = CONFIG.getint('honeypot', 'download_limit_size', fallback=0)
if prot is protocol.HoneyPotExecProtocol:
self.type = 'e' # Execcmd
else:
self.type = 'i' # Interactive
def start(self):
try:
port = CONFIG.getint('output_mysql', 'port')
except Exception:
port = 3306
try:
self.db = ReconnectingConnectionPool(
'MySQLdb',
host=CONFIG.get('output_mysql', 'host'),
db=CONFIG.get('output_mysql', 'database'),
user=CONFIG.get('output_mysql', 'username'),
passwd=CONFIG.get('output_mysql', 'password', raw=True),
port=port,
cp_min=1,
cp_max=1,
charset='utf8mb4',
use_unicode=True
)
except MySQLdb.Error as e:
log.msg("output_mysql: Error %d: %s" % (e.args[0], e.args[1]))
def __init__(self, sftpserver, filename, flags, attrs):
self.sftpserver = sftpserver
self.filename = filename
self.transfer_completed = 0
self.bytesReceived = 0
try:
self.bytesReceivedLimit = CONFIG.getint('honeypot',
'download_limit_size')
except:
self.bytesReceivedLimit = 0
openFlags = 0
if flags & FXF_READ == FXF_READ and flags & FXF_WRITE == 0:
openFlags = os.O_RDONLY
if flags & FXF_WRITE == FXF_WRITE and flags & FXF_READ == 0:
openFlags = os.O_WRONLY
if flags & FXF_WRITE == FXF_WRITE and flags & FXF_READ == FXF_READ:
openFlags = os.O_RDWR
if flags & FXF_APPEND == FXF_APPEND:
openFlags |= os.O_APPEND
if flags & FXF_CREAT == FXF_CREAT:
openFlags |= os.O_CREAT
if flags & FXF_TRUNC == FXF_TRUNC:
openFlags |= os.O_TRUNC
if flags & FXF_EXCL == FXF_EXCL:
openFlags |= os.O_EXCL
if "permissions" in attrs:
filemode = attrs["permissions"]
del attrs["permissions"]
else:
filemode = 0o777
fd = sftpserver.fs.open(filename, openFlags, filemode)
if attrs:
self.sftpserver.setAttrs(filename, attrs)
self.fd = fd
# Cache a copy of file in memory to read from in readChunk
if flags & FXF_READ == FXF_READ:
self.contents = self.sftpserver.fs.file_contents(self.filename)
def start(self):
"""
docstring here
"""
try:
port = CONFIG.getint('output_mysql', 'port')
except:
port = 3306
try:
self.db = ReconnectingConnectionPool(
'MySQLdb',
host=CONFIG.get('output_mysql', 'host'),
db=CONFIG.get('output_mysql', 'database'),
user=CONFIG.get('output_mysql', 'username'),
passwd=CONFIG.get('output_mysql', 'password', raw=True),
port=port,
cp_min=1,
cp_max=1
)
except MySQLdb.Error as e:
log.msg("output_mysql: Error %d: %s" % (e.args[0], e.args[1]))
def start(self):
try:
host = CONFIG.get('output_influx', 'host')
except Exception:
host = ''
try:
port = CONFIG.getint('output_influx', 'port')
except Exception:
port = 8086
try:
ssl = CONFIG.getboolean('output_influx', 'ssl')
except Exception:
ssl = False
self.client = None
try:
self.client = InfluxDBClient(host=host, port=port, ssl=ssl, verify_ssl=ssl)
except InfluxDBClientError as e:
log.err("output_influx: I/O error({0}): '{1}'".format(
e.errno, e.strerror))
return
if self.client is None:
log.err("output_influx: cannot instantiate client!")
return
if (CONFIG.has_option('output_influx', 'username') and
CONFIG.has_option('output_influx', 'password')):
username = CONFIG.get('output_influx', 'username')
password = CONFIG.get('output_influx', 'password', raw=True)
self.client.switch_user(username, password)
try:
dbname = CONFIG.get('output_influx', 'database_name')
except Exception:
dbname = 'cowrie'
retention_policy_duration_default = '12w'
retention_policy_name = dbname + "_retention_policy"
if CONFIG.has_option('output_influx', 'retention_policy_duration'):
retention_policy_duration = CONFIG.get(
'output_influx', 'retention_policy_duration')
match = re.search(r'^\d+[dhmw]{1}$', retention_policy_duration)
if not match:
log.err(("output_influx: invalid retention policy."
"Using default '{}'..").format(
retention_policy_duration))
retention_policy_duration = retention_policy_duration_default
else:
retention_policy_duration = retention_policy_duration_default
database_list = self.client.get_list_database()
dblist = [str(elem['name']) for elem in database_list]
if dbname not in dblist:
self.client.create_database(dbname)
self.client.create_retention_policy(
retention_policy_name, retention_policy_duration, 1,
database=dbname, default=True)
else:
retention_policies_list = self.client.get_list_retention_policies(
database=dbname)
rplist = [str(elem['name']) for elem in retention_policies_list]
if retention_policy_name not in rplist:
self.client.create_retention_policy(
retention_policy_name, retention_policy_duration, 1,
database=dbname, default=True)
else:
self.client.alter_retention_policy(
retention_policy_name, database=dbname,
duration=retention_policy_duration,
replication=1, default=True)
self.client.switch_database(dbname)
def makeTftpRetrieval(self):
"""
"""
progresshook = Progress(self).progresshook
if CONFIG.has_option('honeypot', 'download_limit_size'):
self.limit_size = CONFIG.getint('honeypot', 'download_limit_size')
self.download_path = CONFIG.get('honeypot', 'download_path')
tmp_fname = '%s_%s_%s_%s' % \
(time.strftime('%Y%m%d%H%M%S'),
self.protocol.getProtoTransport().transportId,
self.protocol.terminal.transport.session.id,
re.sub('[^A-Za-z0-9]', '_', self.file_to_get))
self.safeoutfile = os.path.join(self.download_path, tmp_fname)
tclient = None
try:
tclient = tftpy.TftpClient(self.hostname, int(self.port))
tclient.download(self.file_to_get, self.safeoutfile, progresshook)
url = 'tftp://%s/%s' % (self.hostname, self.file_to_get.strip('/'))
self.file_to_get = self.fs.resolve_path(self.file_to_get,
self.protocol.cwd)
if hasattr(tclient.context, 'metrics'):
self.fs.mkfile(self.file_to_get, 0, 0,
tclient.context.metrics.bytes, 33188)
else:
self.fs.mkfile(self.file_to_get, 0, 0, 0, 33188)
except tftpy.TftpException as err:
if tclient and tclient.context and not tclient.context.fileobj.closed:
tclient.context.fileobj.close()
if os.path.exists(self.safeoutfile):
if os.path.getsize(self.safeoutfile) == 0:
os.remove(self.safeoutfile)
self.safeoutfile = None
return
with open(self.safeoutfile, 'rb') as f:
#shasum = hashlib.sha256(f.read()).hexdigest()
shasum = hashlib.md5(f.read()).hexdigest()
hash_path = os.path.join(self.download_path, shasum)
# If we have content already, delete temp file
if not os.path.exists(hash_path):
os.rename(self.safeoutfile, hash_path)
else:
os.remove(self.safeoutfile)
log.msg("Not storing duplicate content " + shasum)
self.protocol.logDispatch(
eventid='cowrie.session.file_download',
format=
'Downloaded tftpFile (%(url)s) with SHA-256 %(shasum)s to %(outfile)s',
url=url,
outfile=hash_path,
shasum=shasum)
# Link friendly name to hash
# os.symlink(shasum, self.safeoutfile)
self.safeoutfile = None
# Update the honeyfs to point to downloaded file
self.fs.update_realfile(self.fs.getfile(self.file_to_get),
hash_path)
self.fs.chown(self.file_to_get, self.protocol.user.uid,
self.protocol.user.gid)
self.exit()
def start(self):
try:
optlist, args = getopt.getopt(self.args, 'sho:O', ['help', 'manual', 'silent'])
except getopt.GetoptError as err:
# TODO: should be 'unknown' instead of 'not recognized'
self.write("curl: {}\n".format(err))
self.write("curl: try 'curl --help' or 'curl --manual' for more information\n")
self.exit()
return
for opt in optlist:
if opt[0] == '-h' or opt[0] == '--help':
self.curl_help()
return
elif opt[0] == '-s' or opt[0] == '--silent':
self.silent = True
if len(args):
if args[0] is not None:
url = str(args[0]).strip()
else:
self.write("curl: try 'curl --help' or 'curl --manual' for more information\n")
self.exit()
return
if '://' not in url:
url = 'http://' + url
urldata = compat.urllib_parse.urlparse(url)
outfile = None
for opt in optlist:
if opt[0] == '-o':
outfile = opt[1]
if opt[0] == '-O':
outfile = urldata.path.split('/')[-1]
if outfile is None or not len(outfile.strip()) or not urldata.path.count('/'):
self.write('curl: Remote file name has no length!\n')
self.exit()
return
if outfile:
outfile = self.fs.resolve_path(outfile, self.protocol.cwd)
path = os.path.dirname(outfile)
if not path or \
not self.fs.exists(path) or \
not self.fs.isdir(path):
self.write('curl: %s: Cannot open: No such file or directory\n' % outfile)
self.exit()
return
url = url.encode('ascii')
self.url = url
self.limit_size = 0
if CONFIG.has_option('honeypot', 'download_limit_size'):
self.limit_size = CONFIG.getint('honeypot', 'download_limit_size')
self.download_path = CONFIG.get('honeypot', 'download_path')
if not hasattr(self, 'safeoutfile'):
tmp_fname = '%s_%s_%s_%s' % \
(time.strftime('%Y%m%d%H%M%S'),
self.protocol.getProtoTransport().transportId,
self.protocol.terminal.transport.session.id,
re.sub('[^A-Za-z0-9]', '_', url.decode('ascii')))
self.safeoutfile = os.path.join(self.download_path, tmp_fname)
self.deferred = self.download(url, outfile, self.safeoutfile)
if self.deferred:
self.deferred.addCallback(self.success, outfile)
self.deferred.addErrback(self.error, url)
def __init__(self):
self.timeout = [
CONFIG.getint('output_reversedns', 'timeout', fallback=3)
]
cowrie.core.output.Output.__init__(self)
def __init__(self):
self.timeout = [CONFIG.getint(
'output_reversedns', 'timeout', fallback=3)]
cowrie.core.output.Output.__init__(self)
def start(self):
"""
"""
try:
host = CONFIG.get('output_influx', 'host')
except:
host = ''
try:
port = CONFIG.getint('output_influx', 'port')
except:
port = 8086
self.client = None
try:
self.client = InfluxDBClient(host=host, port=port)
except InfluxDBClientError as e:
log.err("output_influx: I/O error({0}): '{1}'".format(
e.errno, e.strerror))
return
if self.client is None:
log.err("output_influx: cannot instantiate client!")
return
if (CONFIG.has_option('output_influx', 'username')
and CONFIG.has_option('output_influx', 'password')):
username = CONFIG.get('output_influx', 'username')
password = CONFIG.get('output_influx', 'password', raw=True)
self.client.switch_user(username, password)
try:
dbname = CONFIG.get('output_influx', 'database_name')
except:
dbname = 'cowrie'
retention_policy_duration_default = '12w'
retention_policy_name = dbname + "_retention_policy"
if CONFIG.has_option('output_influx', 'retention_policy_duration'):
retention_policy_duration = CONFIG.get(
'output_influx', 'retention_policy_duration')
match = re.search('^\d+[dhmw]{1}$', retention_policy_duration)
if not match:
log.err(
("output_influx: invalid retention policy."
"Using default '{}'..").format(retention_policy_duration))
retention_policy_duration = retention_policy_duration_default
else:
retention_policy_duration = retention_policy_duration_default
database_list = self.client.get_list_database()
dblist = [str(elem['name']) for elem in database_list]
if dbname not in dblist:
self.client.create_database(dbname)
self.client.create_retention_policy(retention_policy_name,
retention_policy_duration,
1,
database=dbname,
default=True)
else:
retention_policies_list = self.client.get_list_retention_policies(
database=dbname)
rplist = [str(elem['name']) for elem in retention_policies_list]
if retention_policy_name not in rplist:
self.client.create_retention_policy(retention_policy_name,
retention_policy_duration,
1,
database=dbname,
default=True)
else:
self.client.alter_retention_policy(
retention_policy_name,
database=dbname,
duration=retention_policy_duration,
replication=1,
default=True)
self.client.switch_database(dbname)
def start(self):
"""
"""
try:
optlist, args = getopt.getopt(self.args, 'cqO:P:', 'header=')
except getopt.GetoptError as err:
self.errorWrite('Unrecognized option\n')
self.exit()
return
if len(args):
url = args[0].strip()
else:
self.errorWrite('wget: missing URL\n')
self.errorWrite('Usage: wget [OPTION]... [URL]...\n\n')
self.errorWrite('Try `wget --help\' for more options.\n')
self.exit()
return
outfile = None
self.quiet = False
for opt in optlist:
if opt[0] == '-O':
outfile = opt[1]
if opt[0] == '-q':
self.quiet = True
# for some reason getopt doesn't recognize "-O -"
# use try..except for the case if passed command is malformed
try:
if not outfile:
if '-O' in args:
outfile = args[args.index('-O') + 1]
except:
pass
if '://' not in url:
url = 'http://%s' % url
urldata = compat.urllib_parse.urlparse(url)
url = url.encode('utf8')
if outfile is None:
outfile = urldata.path.split('/')[-1]
if not len(outfile.strip()) or not urldata.path.count('/'):
outfile = 'index.html'
if outfile != '-':
outfile = self.fs.resolve_path(outfile, self.protocol.cwd)
path = os.path.dirname(outfile)
if not path or not self.fs.exists(path) or not self.fs.isdir(path):
self.errorWrite('wget: %s: Cannot open: No such file or directory\n' % outfile)
self.exit()
return
self.url = url
self.limit_size = 0
if CONFIG.has_option('honeypot', 'download_limit_size'):
self.limit_size = CONFIG.getint('honeypot', 'download_limit_size')
self.downloadPath = CONFIG.get('honeypot', 'download_path')
self.artifactFile = Artifact(outfile)
# HTTPDownloader will close() the file object so need to preserve the name
d = self.download(url, outfile, self.artifactFile)
if d:
d.addCallback(self.success, outfile)
d.addErrback(self.error, url)
else:
self.exit()
class CowrieSSHChannel(channel.SSHChannel):
"""
This is an SSH channel with built-in logging
"""
ttylogEnabled = True
ttylogFile = ""
bytesReceived = 0
bytesReceivedLimit = 0
bytesWritten = 0
name = b'cowrie-ssh-channel'
startTime = None
ttylogPath = CONFIG.get('honeypot', 'log_path')
downloadPath = CONFIG.get('honeypot', 'download_path')
ttylogEnabled = CONFIG.getboolean('honeypot', 'ttylog', fallback=True)
bytesReceivedLimit = CONFIG.getint('honeypot',
'download_limit_size',
fallback=0)
def __repr__(self):
"""
Return a pretty representation of this object.
@return Pretty representation of this object as a string
@rtype: L{str}
"""
return "Cowrie SSH Channel {}".format(self.name)
def __init__(self, *args, **kw):
"""
Initialize logging
"""
channel.SSHChannel.__init__(self, *args, **kw)
def channelOpen(self, specificData):
self.startTime = time.time()
self.ttylogFile = '%s/tty/%s-%s-%s.log' % (
self.ttylogPath, time.strftime('%Y%m%d-%H%M%S'),
self.conn.transport.transportId, self.id)
log.msg(eventid='cowrie.log.open',
ttylog=self.ttylogFile,
format="Opening TTY Log: %(ttylog)s")
ttylog.ttylog_open(self.ttylogFile, time.time())
channel.SSHChannel.channelOpen(self, specificData)
def closed(self):
log.msg(
eventid='cowrie.log.closed',
format="Closing TTY Log: %(ttylog)s after %(duration)d seconds",
ttylog=self.ttylogFile,
size=self.bytesReceived + self.bytesWritten,
duration=time.time() - self.startTime)
ttylog.ttylog_close(self.ttylogFile, time.time())
channel.SSHChannel.closed(self)
def dataReceived(self, data):
"""
Called when we receive data from the user
@type data: L{bytes}
@param data: Data sent to the server from the client
"""
self.bytesReceived += len(data)
if self.bytesReceivedLimit and self.bytesReceived > self.bytesReceivedLimit:
log.msg("Data upload limit reached for channel {}".format(self.id))
self.eofReceived()
return
if self.ttylogEnabled:
ttylog.ttylog_write(self.ttylogFile, len(data), ttylog.TYPE_INPUT,
time.time(), data)
channel.SSHChannel.dataReceived(self, data)
def write(self, data):
"""
Called when we send data to the user
@type data: L{bytes}
@param data: Data sent to the client from the server
"""
if self.ttylogEnabled:
ttylog.ttylog_write(self.ttylogFile, len(data), ttylog.TYPE_OUTPUT,
time.time(), data)
self.bytesWritten += len(data)
channel.SSHChannel.write(self, data)
def start(self):
try:
optlist, args = getopt.getopt(self.args, 'cqO:P:', 'header=')
except getopt.GetoptError:
self.errorWrite('Unrecognized option\n')
self.exit()
return
if len(args):
url = args[0].strip()
else:
self.errorWrite('wget: missing URL\n')
self.errorWrite('Usage: wget [OPTION]... [URL]...\n\n')
self.errorWrite('Try `wget --help\' for more options.\n')
self.exit()
return
outfile = None
self.quiet = False
for opt in optlist:
if opt[0] == '-O':
outfile = opt[1]
if opt[0] == '-q':
self.quiet = True
# for some reason getopt doesn't recognize "-O -"
# use try..except for the case if passed command is malformed
try:
if not outfile:
if '-O' in args:
outfile = args[args.index('-O') + 1]
except Exception:
pass
if '://' not in url:
url = 'http://%s' % url
urldata = compat.urllib_parse.urlparse(url)
url = url.encode('utf8')
if outfile is None:
outfile = urldata.path.split('/')[-1]
if not len(outfile.strip()) or not urldata.path.count('/'):
outfile = 'index.html'
if outfile != '-':
outfile = self.fs.resolve_path(outfile, self.protocol.cwd)
path = os.path.dirname(outfile)
if not path or not self.fs.exists(path) or not self.fs.isdir(path):
self.errorWrite(
'wget: %s: Cannot open: No such file or directory\n' %
outfile)
self.exit()
return
self.url = url
self.limit_size = 0
if CONFIG.has_option('honeypot', 'download_limit_size'):
self.limit_size = CONFIG.getint('honeypot', 'download_limit_size')
self.downloadPath = CONFIG.get('honeypot', 'download_path')
self.artifactFile = Artifact(outfile)
# HTTPDownloader will close() the file object so need to preserve the name
d = self.download(url, outfile, self.artifactFile)
if d:
d.addCallback(self.success, outfile)
d.addErrback(self.error, url)
else:
self.exit()
class LoggingServerProtocol(insults.ServerProtocol):
"""
Wrapper for ServerProtocol that implements TTY logging
"""
redirlogOpen = False # it will be set at core/protocol.py
stdinlogOpen = False
ttylogOpen = False
ttylogPath = CONFIG.get('honeypot', 'ttylog_path')
downloadPath = CONFIG.get('honeypot', 'download_path')
ttylogEnabled = CONFIG.getboolean('honeypot', 'ttylog', fallback=True)
bytesReceivedLimit = CONFIG.getint('honeypot',
'download_limit_size',
fallback=0)
bytesReceived = 0
redirFiles = set()
def __init__(self, prot=None, *a, **kw):
insults.ServerProtocol.__init__(self, prot, *a, **kw)
if prot is protocol.HoneyPotExecProtocol:
self.type = 'e' # Execcmd
else:
self.type = 'i' # Interactive
def getSessionId(self):
transportId = self.transport.session.conn.transport.transportId
channelId = self.transport.session.id
return (transportId, channelId)
def connectionMade(self):
transportId, channelId = self.getSessionId()
self.startTime = time.time()
if self.ttylogEnabled:
self.ttylogFile = '%s/%s-%s-%s%s.log' % \
(self.ttylogPath, time.strftime('%Y%m%d-%H%M%S'),
transportId, channelId, self.type)
ttylog.ttylog_open(self.ttylogFile, self.startTime)
self.ttylogOpen = True
self.ttylogSize = 0
self.stdinlogFile = '%s/%s-%s-%s-stdin.log' % \
(self.downloadPath, time.strftime('%Y%m%d-%H%M%S'), transportId, channelId)
if self.type == 'e':
self.stdinlogOpen = True
else:
self.stdinlogOpen = False
insults.ServerProtocol.connectionMade(self)
if self.type == 'e':
cmd = self.terminalProtocol.execcmd.encode('utf8')
ttylog.ttylog_write(self.ttylogFile, len(cmd),
ttylog.TYPE_INTERACT, time.time(), cmd)
def write(self, data):
if self.ttylogEnabled and self.ttylogOpen:
ttylog.ttylog_write(self.ttylogFile, len(data), ttylog.TYPE_OUTPUT,
time.time(), data)
self.ttylogSize += len(data)
insults.ServerProtocol.write(self, data)
def dataReceived(self, data):
"""
Input received from user
"""
self.bytesReceived += len(data)
if self.bytesReceivedLimit and self.bytesReceived > self.bytesReceivedLimit:
log.msg(format='Data upload limit reached')
self.eofReceived()
return
if self.stdinlogOpen:
with open(self.stdinlogFile, 'ab') as f:
f.write(data)
elif self.ttylogEnabled and self.ttylogOpen:
ttylog.ttylog_write(self.ttylogFile, len(data), ttylog.TYPE_INPUT,
time.time(), data)
# prevent crash if something like this was passed:
# echo cmd ; exit; \n\n
if self.terminalProtocol:
insults.ServerProtocol.dataReceived(self, data)
def eofReceived(self):
"""
Receive channel close and pass on to terminal
"""
if self.terminalProtocol:
self.terminalProtocol.eofReceived()
def loseConnection(self):
"""
Override super to remove the terminal reset on logout
"""
self.transport.loseConnection()
def connectionLost(self, reason):
"""
FIXME: this method is called 4 times on logout....
it's called once from Avatar.closed() if disconnected
"""
if self.stdinlogOpen:
try:
with open(self.stdinlogFile, 'rb') as f:
shasum = hashlib.sha256(f.read()).hexdigest()
shasumfile = os.path.join(self.downloadPath, shasum)
if os.path.exists(shasumfile):
os.remove(self.stdinlogFile)
duplicate = True
else:
os.rename(self.stdinlogFile, shasumfile)
duplicate = False
log.msg(
eventid='cowrie.session.file_download',
format=
'Saved stdin contents with SHA-256 %(shasum)s to %(outfile)s',
url='stdin',
duplicate=duplicate,
outfile=shasumfile,
shasum=shasum,
destfile='')
except IOError:
pass
finally:
self.stdinlogOpen = False
if self.redirFiles:
for rp in self.redirFiles:
rf = rp[0]
if rp[1]:
url = rp[1]
else:
url = rf[rf.find('redir_') + len('redir_'):]
try:
if not os.path.exists(rf):
continue
if os.path.getsize(rf) == 0:
os.remove(rf)
continue
with open(rf, 'rb') as f:
shasum = hashlib.sha256(f.read()).hexdigest()
shasumfile = os.path.join(self.downloadPath, shasum)
if os.path.exists(shasumfile):
os.remove(rf)
duplicate = True
else:
os.rename(rf, shasumfile)
duplicate = False
log.msg(
eventid='cowrie.session.file_download',
format=
'Saved redir contents with SHA-256 %(shasum)s to %(outfile)s',
url=url,
duplicate=duplicate,
outfile=shasumfile,
shasum=shasum,
destfile=url)
except IOError:
pass
self.redirFiles.clear()
if self.ttylogEnabled and self.ttylogOpen:
ttylog.ttylog_close(self.ttylogFile, time.time())
self.ttylogOpen = False
shasum = ttylog.ttylog_inputhash(self.ttylogFile)
shasumfile = os.path.join(self.ttylogPath, shasum)
if os.path.exists(shasumfile):
duplicate = True
os.remove(self.ttylogFile)
else:
duplicate = False
os.rename(self.ttylogFile, shasumfile)
umask = os.umask(0)
os.umask(umask)
os.chmod(shasumfile, 0o666 & ~umask)
log.msg(
eventid='cowrie.log.closed',
format='Closing TTY Log: %(ttylog)s after %(duration)d seconds',
ttylog=shasumfile,
size=self.ttylogSize,
shasum=shasum,
duplicate=duplicate,
duration=time.time() - self.startTime)
insults.ServerProtocol.connectionLost(self, reason)
def start(self):
"""
"""
try:
optlist, args = getopt.getopt(self.args, 'sho:O',
['help', 'manual', 'silent'])
except getopt.GetoptError as err:
# TODO: should be 'unknown' instead of 'not recognized'
self.write("curl: {}\n".format(err))
self.write(
"curl: try 'curl --help' or 'curl --manual' for more information\n"
)
self.exit()
return
for opt in optlist:
if opt[0] == '-h' or opt[0] == '--help':
self.curl_help()
return
elif opt[0] == '-s' or opt[0] == '--silent':
self.silent = True
if len(args):
if args[0] is not None:
url = str(args[0]).strip()
else:
self.write(
"curl: try 'curl --help' or 'curl --manual' for more information\n"
)
self.exit()
return
if '://' not in url:
url = 'http://' + url
urldata = compat.urllib_parse.urlparse(url)
outfile = None
for opt in optlist:
if opt[0] == '-o':
outfile = opt[1]
if opt[0] == '-O':
outfile = urldata.path.split('/')[-1]
if outfile is None or not len(
outfile.strip()) or not urldata.path.count('/'):
self.write('curl: Remote file name has no length!\n')
self.exit()
return
if outfile:
outfile = self.fs.resolve_path(outfile, self.protocol.cwd)
path = os.path.dirname(outfile)
if not path or \
not self.fs.exists(path) or \
not self.fs.isdir(path):
self.write('curl: %s: Cannot open: No such file or directory\n' % \
(outfile,))
self.exit()
return
url = url.encode('ascii')
self.url = url
self.limit_size = 0
if CONFIG.has_option('honeypot', 'download_limit_size'):
self.limit_size = CONFIG.getint('honeypot', 'download_limit_size')
self.download_path = CONFIG.get('honeypot', 'download_path')
if not hasattr(self, 'safeoutfile'):
tmp_fname = '%s_%s_%s_%s' % \
(time.strftime('%Y%m%d%H%M%S'),
self.protocol.getProtoTransport().transportId,
self.protocol.terminal.transport.session.id,
re.sub('[^A-Za-z0-9]', '_', url.decode('ascii')))
self.safeoutfile = os.path.join(self.download_path, tmp_fname)
self.deferred = self.download(url, outfile, self.safeoutfile)
if self.deferred:
self.deferred.addCallback(self.success, outfile)
self.deferred.addErrback(self.error, url)