def connectionLost(self, reason):
log.info(self.name + " lost connection to " +
str(self.transport.getPeer().host) + ":" +
str(self.transport.getPeer().port))
self.setTimeout(None)
# remove connection from dictionary
del self.factory.clients[self]
def _decode(self, value, title):
try:
return value.decode()
except UnicodeError:
# value is invalid utf-8
log.info('{} was invalid UTF-8: "{}"'.format(title, value))
return value.decode('replace')
def ssh_USERAUTH_REQUEST(self, packet):
"""
Literally taken from Twisted and modified to enable detection of login attempts
"""
user, nextService, method, rest = common.getNS(packet, 3)
if user != self.user or nextService != self.nextService:
self.authenticatedWith = [] # clear auth state
self.user = user
self.nextService = nextService
self.method = method
is_key = method == b"publickey"
d = self.tryAuth(method, user, rest)
# If we don't accept keys, abort early
if is_key and not Config.ssh.accept_keys:
d.addCallback(self._cbFinishedAuth)
d.addErrback(self._ebMaybeBadAuth)
d.addErrback(self._ebBadAuth)
return d
if is_key:
algName, rest, blobrest = common.getNS(rest[1:], 2)
else:
rest = rest[5:]
user = user.decode()
# Try to get tokens from the database
honeytoken = str(
SSHService.honeytokendb.try_get_tokens(user, rest, is_key))
# We need to decode the key to log it in the Callback and Errback
if is_key:
rest = SSHService.honeytokendb.try_decode_key(rest)
# This might fail if the key type is unsupported, so we log that
if not rest:
rest = "<unsupported key type>"
elif isinstance(rest, bytes):
try:
rest = rest.decode()
except UnicodeError:
# Password is invalid utf-8
log.info(
'Password was invalid UETF-8: "{}"; username = "******", password = "******"'
.format(rest, user, rest))
rest = rest.decode('replace')
d.addCallback(self._cbFinishedAuth)
d.addCallback(log.defer_login, Config.ssh.name,
self.transport.transport.client[0], Config.ssh.port,
True, user, rest, honeytoken)
d.addErrback(log.defer_login, Config.ssh.name,
self.transport.transport.client[0], Config.ssh.port,
False, user, rest, honeytoken)
d.addErrback(self._ebMaybeBadAuth)
d.addErrback(self._ebBadAuth)
return d
def timeoutConnection(self):
response = "* BYE Connection closed due to timeout\r\n"
log.info(self.name + " (" + self.peerOfAttacker +
"): Timeout waiting for client input")
self.transport.write(response.encode("UTF-8"))
# close connection gently (nonblocking, send buffers before closing, client is able to receive error message)
self.transport.loseConnection()
def connectionMade(self):
if self.transport.getHost().port == Config.smtp.port:
self.name = Config.smtp.name
elif self.transport.getHost().port == Config.smtps.port:
self.name = Config.smtps.name
else:
log.err("Please check SMTP/SMTPS port Configuration!")
self.name = "SMTP/SMTPS"
self.setTimeout(self.timeoutPreAuth)
log.info(self.name + " established connection to " +
str(self.transport.getPeer().host) + ":" +
str(self.transport.getPeer().port))
# add connection to dictionary
self.factory.clients[self] = (str(self.transport.getPeer().host) +
":" + str(self.transport.getPeer().port))
# protocol state
self.state["connected"] = True
self.peerOfAttacker = self.transport.getPeer().host
response = "220 Service ready ESMTP\r\n"
self.transport.write(response.encode("UTF-8"))
def connectionMade(self):
if (self.transport.getHost().port == Config.imap.port):
self.name = Config.imap.name
elif (self.transport.getHost().port == Config.imaps.port):
self.name = Config.imaps.name
else:
log.err("Please check IMAP/IMAPS port Configuration!")
self.name = "IMAP/IMAPS"
self.setTimeout(self.timeoutPreAuth)
log.info(self.name + " established connection to " +
str(self.transport.getPeer().host) + ":" +
str(self.transport.getPeer().port))
# add connection to dictionary
self.factory.clients[self] = (str(self.transport.getPeer().host) +
":" + str(self.transport.getPeer().port))
# protocol state
self.state["connected"] = True
self.stateRFC = IMAPState.NotAuth
self.peerOfAttacker = self.transport.getPeer().host
# server hello
response = "* OK IMAP4rev1 Service Ready\r\n"
self.transport.write(response.encode("UTF-8"))
def get_param(self, number):
"""Reads an internal Server object parameter.
"""
log.info("S7comm, retreiving param number %s" % number)
value = ctypes.c_int()
code = self.library.Srv_GetParam(self.pointer, number,
ctypes.byref(value))
check_error(code)
return value.value
def timeoutConnection(self):
response = "-ERR Timeout waiting for client input\r\n"
log.info(self.name+" ("+self.peerOfAttacker+"): Timeout waiting for client input")
self.transport.write(response.encode("UTF-8"))
# close connection gently (nonblocking, send buffers before closing, client is able to receive error message)
self.transport.loseConnection()
time.sleep(5)
# force close connection after waiting duration
self.transport.abortConnection()
def write_to_database(self, user, pw, services):
if type(user) is bytes:
user = user.decode()
if type(pw) is bytes:
pw = pw.decode()
try:
with open(self.filepath, "a") as fp:
log.info("Begin Honeytoken creation: {} : {}".format(user, pw)) # TODO make this a proper log type
fp.write("\n" + services + self.sep + user + self.sep + pw + self.sep)
except Exception as e:
log.err("Honeytoken DB write exception: {}".format(e))
def stopService(self, name):
"""
Stops the given service and removes it from threadDict
:param name: Name of the service (str)
"""
log.info("Stop Service: " + name)
if name in self.runningServicesDict:
self.serviceDict[name].stopService()
self.runningServicesDict.pop(name)
if name not in Config.noPortSpecificService:
self.listen.startOnPort(self.serviceDict[name]._port)
return True
else:
return False
def broker_status_loop(controller):
# Only if broker is enabled
if not Config.general.use_broker:
return
# Initialize
# - Listen for commands from management console
if Config.broker.listen:
BrokerEndpoint.listen(Config.broker.listen_ip,
Config.broker.listen_port)
# - Peer to database for log messages
if Config.broker.peer:
BrokerEndpoint.peer(Config.broker.peer_ip, Config.broker.peer_port)
heartbeat_interval = 60
next_heartbeat = time.time()
# Watch endpoints
# - Loop Status
# - Print Status/Error
fds = [
BrokerEndpoint.status_queue.fd(),
BrokerEndpoint.command_queue.fd()
]
while True:
# Wait for something to do
t = time.time()
timeout = next_heartbeat - t if next_heartbeat > t else 0
result = select.select(fds, [], [], timeout)
# Heartbeat Time
if len(result[0]) == 0:
log.heartbeat()
next_heartbeat += heartbeat_interval
continue
# - Status
if fds[0] in result[0]:
for status in BrokerEndpoint.getStatusMessages():
log.info(status)
# - Command
if fds[1] in result[0]:
cmds = BrokerEndpoint.getCommandMessages()
for cmd in cmds:
ManagementHandler.handle_messages(cmd, controller)
def startService(self, name):
"""
Starts the given service and adds it to threadDict
:param name: Name of the service (str)
"""
service = self.serviceDict[name]
address = service._address
if service._port:
address += ":{}".format(service._port)
log.info("{}: Starting on {}".format(name, address))
if name not in self.runningServicesDict:
if name not in Config.multiple_port_services:
self.listen.stopOnPort(service._port)
service.startService()
self.runningServicesDict[name] = service
return True
else:
return False
def get_status(self):
"""Reads the server status, the Virtual CPU status and the number of
the clients connected.
:returns: server status, cpu status, client count
"""
log.info("S7comm, get server status")
server_status = ctypes.c_int()
cpu_status = ctypes.c_int()
clients_count = ctypes.c_int()
error = self.library.Srv_GetStatus(self.pointer, ctypes.byref(server_status),
ctypes.byref(cpu_status),
ctypes.byref(clients_count))
check_error(error)
log.info("S7comm, status server %s cpu %s clients %s" %
(server_status.value, cpu_status.value,
clients_count.value))
return types.server_statuses[server_status.value], \
types.cpu_statuses[cpu_status.value], \
clients_count.value
def connectionMade(self):
if (self.transport.getHost().port == Config.pop3.port):
self.name = Config.pop3.name
elif (self.transport.getHost().port == Config.pop3s.port):
self.name = Config.pop3s.name
else:
log.err("Please check POP3/POP3S port Configuration!")
self.name = "POP3/POP3S"
self.setTimeout(self.timeoutPreAuth)
log.info(self.name+" established connection to "+str(self.transport.getPeer().host)+":"+str(self.transport.getPeer().port))
# add connection to dictionary
self.factory.clients[self] = (str(self.transport.getPeer().host) + ":" + str(self.transport.getPeer().port))
# protocol state
self.state["connected"] = True
self.peerOfAttacker = self.transport.getPeer().host
# TODO: modify server name
response = "+OK example.com POP3 server\r\n"
self.transport.write(response.encode("UTF-8"))
def __init__(self):
"""
Opens a RAW socket which is able to monitor all TCP/IP Traffic within the machine.
Root priv. are needed!
"""
super(TCPFlagSniffer, self).__init__()
self._name = Config.tcp_scan.name
self.synConnections = dict([])
self.finConnections = dict([])
self.xmasConnections = dict([])
self.reInstanceThreads()
self.synConnectionsLock = threading.Lock()
self.rootStatus = True
try:
self.rSock = socket.socket(socket.AF_INET, socket.SOCK_RAW,
socket.IPPROTO_TCP)
except socket.error:
log.info("RAW Socket could not be created. You are root?")
log.err(
"TCPFlagSniffer wird nicht ordnungsgemäß ausgeführt werden!")
self.rootStatus = False
def shutdown():
log.info("Shutting down")
save_database()
quit()
import threading
import atexit
def shutdown():
log.info("Shutting down")
save_database()
quit()
if __name__ == '__main__':
"""
Startup module. Name needs to be like this for the automatic import of the other modules.
"""
log.info("Starting HoneyGrove")
if not os.getuid() == 0:
print(
"[-] Honeygrove must be run as root.\n[!] Starting anyway!\n[!] Some functions may not work correctly!"
)
# Initialize Services
controller = ServiceController()
# Initialize Broker
brokerThread = threading.Thread(target=BrokerWatcher.broker_status_loop,
args=(controller, ))
brokerThread.name = "BrokerThread"
brokerThread.start()
