
pshitt's Introduction

PSHITT

Introduction

pshitt (for Passwords of SSH Intruders Transferred to Text) is a lightweight fake SSH server designed to collect authentication data sent by intruders. It collects the usernames and passwords used by SSH brute-force software and writes the extracted data to a file in JSON format.

pshitt is written in Python and uses paramiko to implement the SSH layer.

Installing pshitt

From Python Packaging Index (PyPI) using pip

pip install pshitt

Install from source

git clone https://github.com/regit/pshitt.git

NOTE: if you are installing from source, make sure you install the paramiko and python-daemon packages.

Running pshitt

If you installed via pip

./pshitt -o passwords.json

If you installed from source, go into the source directory and run

./pshitt.py -o passwords.json

This will run a fake SSH server listening on port 2200 to catch authentication data sent by intruders. Information about each SSH connection attempt is stored in passwords.json in JSON format:

{"username": "root", "src_ip": "116.10.191.184", "password": "P@ssword", \
 "src_port": 41397, "timestamp": "2014-06-25T21:35:21.660303"}

The full list of options is available via the '-h' option:

usage: pshitt [-h] [-o OUTPUT] [-k KEY] [-l LOG] [-p PORT] [-t THREADS] [-v]
              [-D]

Passwords of SSH Intruders Transferred to Text

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT, --output OUTPUT
                        File to export collected data
  -k KEY, --key KEY     Host RSA key
  -l LOG, --log LOG     File to log info and debug
  -p PORT, --port PORT  TCP port to listen to
  -t THREADS, --threads THREADS
                        Maximum number of client threads
  -v, --verbose         Show verbose output, use multiple times increase
                        verbosity
  -D, --daemon          Run as unix daemon

Using pshitt data

As the format is JSON, it is easy to use the data in data analysis software such as Splunk or Logstash.

Here's a sample configuration for Logstash:

input {
   file {
      path => [ "/var/log/pshitt.log" ]
      codec =>   json
      type => "json-log"
   }
}

filter {
    # warn logstash that timestamp is the one to use
    if [type] == "json-log" {
        date {
            match => [ "timestamp", "ISO8601" ]
        }
    }

    # optional but geoip is interesting
    if [src_ip]  {
        geoip {
            source => "src_ip"
            target => "geoip"
            add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
            add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
        }
        mutate {
            convert => [ "[geoip][coordinates]", "float" ]
        }
    }
}

output {
  elasticsearch {
       host => "localhost"
  }
}

The essential part is the input section: it is enough to tell Logstash that the pshitt.log file uses the JSON format.
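The same data can be triaged without a log pipeline. The following is an added example, not part of pshitt or its README: it reads records in the format shown above (assuming one JSON object per line), rejects truncated lines, and ranks the captured credentials per source. The sample records, addresses and function names are constructed for this example.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample in pshitt's output format; line 4 is deliberately truncated.
SAMPLE = """\
{"username": "root", "src_ip": "192.0.2.10", "password": "P@ssword", "src_port": 41397, "timestamp": "2014-06-25T21:35:21.660303"}
{"username": "admin", "src_ip": "192.0.2.10", "password": "admin", "src_port": 41398, "timestamp": "2014-06-25T21:35:23.101000"}
{"username": "root", "src_ip": "198.51.100.7", "password": "P@ssword", "src_port": 50222, "timestamp": "2014-06-25T21:40:02.000500"}
{"username": "root", "src_ip": "198.51.100.7", "passw
{"username": "pi\\u001b[2J", "src_ip": "203.0.113.5", "password": "raspberry", "src_port": 60001, "timestamp": "2014-06-25T22:01:00.000000"}
"""
FIELDS = ("username", "password", "src_ip", "src_port", "timestamp")

def parse_events(lines):
    """Return (events, rejected): valid records and the count of bad lines."""
    events, rejected = [], 0
    for line in filter(str.strip, lines):  # skip blank lines
        try:
            rec = json.loads(line)
            if not isinstance(rec, dict) or not all(k in rec for k in FIELDS):
                raise ValueError("missing field")
            rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
        except (ValueError, TypeError):
            rejected += 1  # truncated write, missing field or wrong type
            continue
        events.append(rec)
    return events, rejected

def printable(value):
    """Escape control characters: usernames and passwords are attacker-controlled."""
    return str(value).encode("unicode_escape").decode("ascii")

def summarize(events, top=3):
    """Rank credentials and group attempts per source address."""
    sources = {}
    for e in events:
        s = sources.setdefault(e["src_ip"], {"attempts": 0, "usernames": set()})
        s["attempts"] += 1
        s["usernames"].add(printable(e["username"]))
    return {
        "passwords": Counter(printable(e["password"]) for e in events).most_common(top),
        "usernames": Counter(printable(e["username"]) for e in events).most_common(top),
        "sources": sources,
    }

if __name__ == "__main__":
    events, rejected = parse_events(SAMPLE.splitlines())
    print(rejected, "rejected;", summarize(events))
```

The `printable` step matters when reviewing results in a terminal, because a captured username or password can contain escape sequences.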


pshitt's Issues

Running without root?

Hello,
can I run pshitt.py without sudo, so it doesn't run with root privileges?

I understand, one needs root rights to open a port. But is there some way to avoid sudo ./pshitt.py ?

Just concerned in case there's a bug inside this script or its libraries.

Running in daemon mode not working

Hello,
I am able to run pshitt with a command like "sudo ./pshitt.py -p 22 -l log.txt -o passwords.json" and it is collecting all login attempts.

But when starting it with -D argument, login attempts are not possible.

Trying to log in I get these error messages:

`
ssh [email protected]

[email protected]'s password:

Bad packet length 842019379.

padding error: need 842019379 block 16 mod 3

ssh_dispatch_run_fatal: Connection to XXX.XX.XX.XXX port 22: message authentication code incorrect

root@xxx-pc:/mnt/c/Users/xxx# ssh [email protected]

[email protected]'s password:

Bad packet length 1163022880.

Connection to XXX.XX.XX.XXX closed by remote host.

Connection to XXX.XX.XX.XXX closed.

root@xxx-pc:/mnt/c/Users/xxx# ssh [email protected]

[email protected]'s password:

Bad packet length 842019379.

padding error: need 842019379 block 16 mod 3

ssh_dispatch_run_fatal: Connection to XXX.XX.XX.XXX port 22: message authentication code incorrect
`

Log file does not produce any output, even with -vvvv argument.

paramiko.ssh_exception.SSHException: Error reading SSH protocol banner

When running pshitt with verbose logging, I get tons of these error messages: "Error reading SSH protocol banner"

Here's what I get running "sudo ./pshitt.py -p 22 -o passwords.json"

ERR [20230110-22:06:21.469] thr=1   paramiko.transport: Exception: Error reading SSH protocol banner
2023-01-10 22:06:21,469 paramiko.transport ERROR    Exception: Error reading SSH protocol banner
ERR [20230110-22:06:21.472] thr=1   paramiko.transport: Traceback (most recent call last):
2023-01-10 22:06:21,472 paramiko.transport ERROR    Traceback (most recent call last):
ERR [20230110-22:06:21.472] thr=1   paramiko.transport:   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2211, in _check_banner
2023-01-10 22:06:21,472 paramiko.transport ERROR      File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2211, in _check_banner
ERR [20230110-22:06:21.472] thr=1   paramiko.transport:     buf = self.packetizer.readline(timeout)
2023-01-10 22:06:21,472 paramiko.transport ERROR        buf = self.packetizer.readline(timeout)
ERR [20230110-22:06:21.472] thr=1   paramiko.transport:   File "/usr/lib/python3/dist-packages/paramiko/packet.py", line 380, in readline
2023-01-10 22:06:21,472 paramiko.transport ERROR      File "/usr/lib/python3/dist-packages/paramiko/packet.py", line 380, in readline
ERR [20230110-22:06:21.472] thr=1   paramiko.transport:     buf += self._read_timeout(timeout)
2023-01-10 22:06:21,472 paramiko.transport ERROR        buf += self._read_timeout(timeout)
ERR [20230110-22:06:21.472] thr=1   paramiko.transport:   File "/usr/lib/python3/dist-packages/paramiko/packet.py", line 609, in _read_timeout
2023-01-10 22:06:21,472 paramiko.transport ERROR      File "/usr/lib/python3/dist-packages/paramiko/packet.py", line 609, in _read_timeout
ERR [20230110-22:06:21.472] thr=1   paramiko.transport:     raise EOFError()
2023-01-10 22:06:21,472 paramiko.transport ERROR        raise EOFError()
ERR [20230110-22:06:21.472] thr=1   paramiko.transport: EOFError
2023-01-10 22:06:21,472 paramiko.transport ERROR    EOFError
ERR [20230110-22:06:21.473] thr=1   paramiko.transport:
2023-01-10 22:06:21,473 paramiko.transport ERROR
ERR [20230110-22:06:21.473] thr=1   paramiko.transport: During handling of the above exception, another exception occurred:
2023-01-10 22:06:21,473 paramiko.transport ERROR    During handling of the above exception, another exception occurred:
ERR [20230110-22:06:21.473] thr=1   paramiko.transport:
2023-01-10 22:06:21,473 paramiko.transport ERROR
ERR [20230110-22:06:21.473] thr=1   paramiko.transport: Traceback (most recent call last):
2023-01-10 22:06:21,473 paramiko.transport ERROR    Traceback (most recent call last):
ERR [20230110-22:06:21.473] thr=1   paramiko.transport:   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2039, in run
2023-01-10 22:06:21,473 paramiko.transport ERROR      File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2039, in run
ERR [20230110-22:06:21.473] thr=1   paramiko.transport:     self._check_banner()
2023-01-10 22:06:21,473 paramiko.transport ERROR        self._check_banner()
ERR [20230110-22:06:21.473] thr=1   paramiko.transport:   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2215, in _check_banner
2023-01-10 22:06:21,473 paramiko.transport ERROR      File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2215, in _check_banner
ERR [20230110-22:06:21.473] thr=1   paramiko.transport:     raise SSHException(
2023-01-10 22:06:21,473 paramiko.transport ERROR        raise SSHException(
ERR [20230110-22:06:21.473] thr=1   paramiko.transport: paramiko.ssh_exception.SSHException: Error reading SSH protocol banner
2023-01-10 22:06:21,473 paramiko.transport ERROR    paramiko.ssh_exception.SSHException: Error reading SSH protocol banner
ERR [20230110-22:06:21.473] thr=1   paramiko.transport:
2023-01-10 22:06:21,473 paramiko.transport ERROR

Here's output with -vvvv
https://pastebin.com/997Yrt72

The first login "username 'test' with password 'asd'" is done by me, the other attempts are not mine.
Still it is collecting passwords, so it seems to work, but I have to disable verbose.

Python 3 support

Hello,

This is a clever, lean and fast program to catch malicious botnets. It is indeed a very important tool. Could you kindly port it to Python 3 so it can still be used by people? Thanks in advance.
