regit / pshitt Goto Github PK

Passwords of SSH Intruders Transferred to Text

License: GNU General Public License v3.0

Python 100.00%

pshitt's Introduction

PSHITT

Introduction

pshitt (for Passwords of SSH Intruders Transferred to Text) is a lightweight fake SSH server designed to collect authentication data sent by intruders. It basically collects username and password used by SSH bruteforce software and writes the extracted data to a file in JSON format.

pshitt is written in Python and uses paramiko to implement the SSH layer.

Installing pshitt

From Python Packaging Index (PyPI) using pip

pip install pshitt

Install from source

git clone https://github.com/regit/pshitt.git

NOTE: if you are installing from source, make sure you install paramiko and python-daemon packages.

Running pshitt

If you installed via pip

./pshitt -o passwords.json

If you installed from source, go into the source directory and run

./pshitt.py -o passwords.json

This will run a fake SSH server listening on port 2200 to catch authentication data sent by the intruders. Information about SSH connection attempt will be stored in the passwords.json using JSON as format

{"username": "root", "src_ip": "116.10.191.184", "password": "P@ssword", \
 "src_port": 41397, "timestamp": "2014-06-25T21:35:21.660303"}

Full options are available via '-h' option

usage: pshitt [-h] [-o OUTPUT] [-k KEY] [-l LOG] [-p PORT] [-t THREADS] [-v]
              [-D]

Passwords of SSH Intruders Transferred to Text

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT, --output OUTPUT
                        File to export collected data
  -k KEY, --key KEY     Host RSA key
  -l LOG, --log LOG     File to log info and debug
  -p PORT, --port PORT  TCP port to listen to
  -t THREADS, --threads THREADS
                        Maximum number of client threads
  -v, --verbose         Show verbose output, use multiple times increase
                        verbosity
  -D, --daemon          Run as unix daemon

Using pshitt data

As the format is JSON, it is easy to use the data in data analysis software such as Splunk or Logstash.

Here's a sample configuration for logstash

input {
   file {
      path => [ "/var/log/pshitt.log" ]
      codec =>   json
      type => "json-log"
   }
}

filter {
    # warn logstash that timestamp is the one to use
    if [type] == "json-log" {
        date {
            match => [ "timestamp", "ISO8601" ]
        }
    }

    # optional but geoip is interesting
    if [src_ip]  {
        geoip {
            source => "src_ip"
            target => "geoip"
            add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
            add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
        }
        mutate {
            convert => [ "[geoip][coordinates]", "float" ]
        }
    }
}

output {
  elasticsearch {
       host => "localhost"
  }
}

Basically, it is just enough to mention that the pshitt.log file is using JSON format.

pshitt's People

Contributors

Stargazers

Watchers

pshitt's Issues

Running without root?

Hello,
can I run pshitt.py without sudo, so it doesn't run with root privileges.

I understand, one needs root rights to open a port. But is there some way to avoid sudo ./pshitt.py ?

Just concerned in case there's a bug inside this script or it's libraries.

Running in daemon mode not working

Hello,
I am able to run pshitt with a command like "sudo ./pshitt.py -p 22 -l log.txt -o passwords.json" and it is collecting all login attempts.

But when starting it with -D argument, login attempts are not possible.

Trying to log in I get this error messages:

`
ssh [email protected]

[email protected]'s password:

Bad packet length 842019379.

padding error: need 842019379 block 16 mod 3

ssh_dispatch_run_fatal: Connection to XXX.XX.XX.XXX port 22: message authentication code incorrect

root@xxx-pc:/mnt/c/Users/xxx# ssh [email protected]

[email protected]'s password:

Bad packet length 1163022880.

Connection to XXX.XX.XX.XXX closed by remote host.

Connection to XXX.XX.XX.XXX closed.

root@xxx-pc:/mnt/c/Users/xxx# ssh [email protected]

[email protected]'s password:

Bad packet length 842019379.

padding error: need 842019379 block 16 mod 3

ssh_dispatch_run_fatal: Connection to XXX.XX.XX.XXX port 22: message authentication code incorrect
`

Log file does not produce any output, even with -vvvv argument.

paramiko.ssh_exception.SSHException: Error reading SSH protocol banner

When running pshitt with verbose logging, I get tons of this error messages: "Error reading SSH protocol banner"

Here's what I get running "sudo ./pshitt.py -p 22 -o passwords.json"

ERR [20230110-22:06:21.469] thr=1   paramiko.transport: Exception: Error reading SSH protocol banner
2023-01-10 22:06:21,469 paramiko.transport ERROR    Exception: Error reading SSH protocol banner
ERR [20230110-22:06:21.472] thr=1   paramiko.transport: Traceback (most recent call last):
2023-01-10 22:06:21,472 paramiko.transport ERROR    Traceback (most recent call last):
ERR [20230110-22:06:21.472] thr=1   paramiko.transport:   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2211, in _check_banner
2023-01-10 22:06:21,472 paramiko.transport ERROR      File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2211, in _check_banner
ERR [20230110-22:06:21.472] thr=1   paramiko.transport:     buf = self.packetizer.readline(timeout)
2023-01-10 22:06:21,472 paramiko.transport ERROR        buf = self.packetizer.readline(timeout)
ERR [20230110-22:06:21.472] thr=1   paramiko.transport:   File "/usr/lib/python3/dist-packages/paramiko/packet.py", line 380, in readline
2023-01-10 22:06:21,472 paramiko.transport ERROR      File "/usr/lib/python3/dist-packages/paramiko/packet.py", line 380, in readline
ERR [20230110-22:06:21.472] thr=1   paramiko.transport:     buf += self._read_timeout(timeout)
2023-01-10 22:06:21,472 paramiko.transport ERROR        buf += self._read_timeout(timeout)
ERR [20230110-22:06:21.472] thr=1   paramiko.transport:   File "/usr/lib/python3/dist-packages/paramiko/packet.py", line 609, in _read_timeout
2023-01-10 22:06:21,472 paramiko.transport ERROR      File "/usr/lib/python3/dist-packages/paramiko/packet.py", line 609, in _read_timeout
ERR [20230110-22:06:21.472] thr=1   paramiko.transport:     raise EOFError()
2023-01-10 22:06:21,472 paramiko.transport ERROR        raise EOFError()
ERR [20230110-22:06:21.472] thr=1   paramiko.transport: EOFError
2023-01-10 22:06:21,472 paramiko.transport ERROR    EOFError
ERR [20230110-22:06:21.473] thr=1   paramiko.transport:
2023-01-10 22:06:21,473 paramiko.transport ERROR
ERR [20230110-22:06:21.473] thr=1   paramiko.transport: During handling of the above exception, another exception occurred:
2023-01-10 22:06:21,473 paramiko.transport ERROR    During handling of the above exception, another exception occurred:
ERR [20230110-22:06:21.473] thr=1   paramiko.transport:
2023-01-10 22:06:21,473 paramiko.transport ERROR
ERR [20230110-22:06:21.473] thr=1   paramiko.transport: Traceback (most recent call last):
2023-01-10 22:06:21,473 paramiko.transport ERROR    Traceback (most recent call last):
ERR [20230110-22:06:21.473] thr=1   paramiko.transport:   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2039, in run
2023-01-10 22:06:21,473 paramiko.transport ERROR      File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2039, in run
ERR [20230110-22:06:21.473] thr=1   paramiko.transport:     self._check_banner()
2023-01-10 22:06:21,473 paramiko.transport ERROR        self._check_banner()
ERR [20230110-22:06:21.473] thr=1   paramiko.transport:   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2215, in _check_banner
2023-01-10 22:06:21,473 paramiko.transport ERROR      File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2215, in _check_banner
ERR [20230110-22:06:21.473] thr=1   paramiko.transport:     raise SSHException(
2023-01-10 22:06:21,473 paramiko.transport ERROR        raise SSHException(
ERR [20230110-22:06:21.473] thr=1   paramiko.transport: paramiko.ssh_exception.SSHException: Error reading SSH protocol banner
2023-01-10 22:06:21,473 paramiko.transport ERROR    paramiko.ssh_exception.SSHException: Error reading SSH protocol banner
ERR [20230110-22:06:21.473] thr=1   paramiko.transport:
2023-01-10 22:06:21,473 paramiko.transport ERROR

Here's output with -vvvv
https://pastebin.com/997Yrt72

The first login "username 'test' with password 'asd'" in done be me, the other attempts are not mine.
Still it is collecting passwords, so seems to work, but I have to disable verbose.

Python 3 support

Hello,

This is a clever, lean and fast program to catch malicious botnets. It is indeed a very important tool. Could you kindly port it to python 3 so it can still be used by people? Thanks in advance.

"No such file or directory /-/-/test_rsa.key"

Hi, I'm pretty new to Linux as a whole but followed the installation instructions but got this error, how do I get around this?

Thanks :)

regit / pshitt Goto Github PK

pshitt's Introduction

PSHITT

Introduction

Installing pshitt

Running pshitt

Using pshitt data

pshitt's People

Contributors

Stargazers

Watchers

Forkers

pshitt's Issues

Running without root?

Running in daemon mode not working

paramiko.ssh_exception.SSHException: Error reading SSH protocol banner

Python 3 support

"No such file or directory /-/-/test_rsa.key"

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent