⚠️ UNFINISHED PROJECT ⚠️
A try to write a own ssh honeypot. Higly inspirated by sshesame.
sshoneypot
Go 1.10
sshoneypot easy is a fake ssh server that lets everyone connect, logs their activity and can be implemented easily in your project, or can be used as a standalone application.
The ssh server has a emulated, full functional linux filesystem. For more details about the filesystem see here.
It also contains some basic linux commands like cd, ls or stat. You can add commands by yourself too, see here how.
The project itself is just a library, but you can run it standalone via docker.
Docker
Own commands
If the standard commands aren't enough, you can easily implement you owns
package main
func main() {
}
Warning
This software, just like any other, might contain bugs. Given the popular nature of SSH, you probably shouldn't run it unsupervised as root on a production server on port 22. Use common sense.
Motivation
I was just curious what all these guys were up to:
sshd[8128]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<client> user=root
sshd[8128]: Failed password for root from <client> port 37510 ssh2
sshd[8128]: Received disconnect from <client> port 37510:11: [preauth]
sshd[8128]: Disconnected from <client> port 37510 [preauth]
sshd[8141]: Received disconnect from <client> port 59353:11: [preauth]
sshd[8141]: Disconnected from <client> port 59353 [preauth]
sshd[8151]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<client> user=root
sshd[8151]: Failed password for root from <client> port 63785 ssh2
sshd[8159]: Received disconnect from <client> port 24889:11: [preauth]
sshd[8159]: Disconnected from <client> port 24889 [preauth]
Details
sshesame accepts and logs
- every password authentication request,
- every SSH channel open request and
- every SSH request
without actually executing anything on the host.
For more details, read the relevant RFC.
Installing
From source
- Install go (version 1.4 or newer required)
go get -u github.com/jaksi/sshesame
Snap
snap install sshesame
Package created and maintained by chadmiller.
You can find the package here.
Examples
package main
import (
"fmt"
"github.com/bytedream/sshoneypot/sshoneypot"
)
func main() {
fmt.Println("aa")
}
Usage
$ sshesame -h
Usage of sshesame:
-host_key string
a file containing a private key to use
-json_logging
enable logging in JSON
-listen_address string
the local address to listen on (default "localhost")
-port uint
the port number to listen on (default 2022)
-server_version string
The version identification of the server (RFC 4253 section 4.2 requires that this string start with "SSH-2.0-") (default "SSH-2.0-sshesame")
Consider creating a private key to use with sshesame, for example using ssh-keygen.
Example output
Connection: client=<client>:45782
Login: client=<client>:45782, user="root", password="cisco"
Established SSH connection: client=<client>:45782
New channel: clinet=<client>:45782, type=direct-tcpip, payload={DestinationAddress:<something> DestinationPort:110 SourceAddress:192.168.0.1 SourcePort:0}
Failed to read from channel: EOF
New channel: clinet=<client>:45782, type=direct-tcpip, payload={DestinationAddress:<something> DestinationPort:143 SourceAddress:192.168.0.1 SourcePort:0}
Failed to read from channel: EOF
New channel: clinet=<client>:45782, type=direct-tcpip, payload={DestinationAddress:<something> DestinationPort:587 SourceAddress:192.168.0.1 SourcePort:0}
Failed to read from channel: EOF
New channel: clinet=<client>:45782, type=direct-tcpip, payload={DestinationAddress:<something> DestinationPort:587 SourceAddress:192.168.0.1 SourcePort:0}
Failed to read from channel: EOF
New channel: clinet=<client>:45782, type=session, payload=[]
Request: client=<client>:45782, channel=session, type=exec, payload={Command:/sbin/ifconfig}
Failed to read from terminal: EOF
New channel: clinet=<client>:45782, type=session, payload=[]
Request: client=<client>:45782, channel=session, type=exec, payload={Command:cat /proc/meminfo}
Failed to read from terminal: EOF
New channel: clinet=<client>:45782, type=session, payload=[]
Request: client=<client>:45782, channel=session, type=exec, payload={Command:2>/dev/null sh -c 'cat /lib/libdl.so* || cat /lib/librt.so* || cat /bin/cat || cat /sbin/ifconfig'}
Failed to read from terminal: EOF
New channel: clinet=<client>:45782, type=session, payload=[]
Request: client=<client>:45782, channel=session, type=exec, payload={Command:cat /proc/version}
Failed to read from terminal: EOF
New channel: clinet=<client>:45782, type=session, payload=[]
Request: client=<client>:45782, channel=session, type=exec, payload={Command:uptime}
Failed to read from terminal: EOF
Disconnect: client=<client>:45782
So what happened here?
- A client logged in with the user "root" and the password "cisco"
- Using TCP/IP forwarding over SSH, they tried to connect to a few remote mail servers over POP3 (port 110), IMAP (port 143) and Submission (port 587)
- They tried to execute a few commands to get some information about the host
Again, if you're interested in the technical details of SSH, read the RFC.
Inspired
This project was inspired from some the following projects
- sshesame (another go based fake ssh server)