144 lines
5.7 KiB
Markdown
144 lines
5.7 KiB
Markdown
# ⚠️ UNFINISHED PROJECT ⚠️
|
|
|
|
> A try to write a own ssh honeypot. Higly inspirated by [sshesame](https://github.com/jaksi/sshesame).
|
|
|
|
# sshoneypot
|
|
|
|
Go 1.10
|
|
|
|
**sshoneypot** easy is a fake ssh server that lets everyone connect, logs their activity and can be implemented easily in your project, or can be used as a standalone application.
|
|
The ssh server has a emulated, full functional linux filesystem. For more details about the filesystem see [here](info/fs.go).
|
|
It also contains some basic linux commands like `cd`, `ls` or `stat`. You can add commands by yourself too, see [here](#own-commands) how.
|
|
|
|
The project itself is just a library, but you can run it standalone via [docker](#Docker).
|
|
|
|
## Docker
|
|
|
|
## Own commands
|
|
|
|
If the standard commands aren't enough, you can easily implement you owns
|
|
|
|
```go
|
|
package main
|
|
|
|
func main() {
|
|
}
|
|
```
|
|
|
|
## Warning
|
|
This software, just like any other, might contain bugs. Given the popular nature of SSH, you probably shouldn't run it unsupervised as root on a production server on port 22. Use common sense.
|
|
|
|
## Motivation
|
|
I was just curious what all these guys were up to:
|
|
```
|
|
sshd[8128]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<client> user=root
|
|
sshd[8128]: Failed password for root from <client> port 37510 ssh2
|
|
sshd[8128]: Received disconnect from <client> port 37510:11: [preauth]
|
|
sshd[8128]: Disconnected from <client> port 37510 [preauth]
|
|
sshd[8141]: Received disconnect from <client> port 59353:11: [preauth]
|
|
sshd[8141]: Disconnected from <client> port 59353 [preauth]
|
|
sshd[8151]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<client> user=root
|
|
sshd[8151]: Failed password for root from <client> port 63785 ssh2
|
|
sshd[8159]: Received disconnect from <client> port 24889:11: [preauth]
|
|
sshd[8159]: Disconnected from <client> port 24889 [preauth]
|
|
```
|
|
|
|
## Details
|
|
`sshesame` accepts and logs
|
|
* every password authentication request,
|
|
* every SSH channel open request and
|
|
* every SSH request
|
|
|
|
**without actually executing anything on the host**.
|
|
|
|
For more details, read the [relevant RFC](https://tools.ietf.org/html/rfc4254).
|
|
|
|
## Installing
|
|
### From source
|
|
* [Install go](https://golang.org/doc/install) (version 1.4 or newer required)
|
|
* `go get -u github.com/jaksi/sshesame`
|
|
|
|
### Snap
|
|
`snap install sshesame`
|
|
|
|
Package created and maintained by [chadmiller](https://github.com/chadmiller).
|
|
|
|
You can find the package [here](https://code.launchpad.net/~privacy-squad/+junk/sshesame-snap).
|
|
|
|
## Examples
|
|
|
|
```go
|
|
package main
|
|
|
|
import (
|
|
"fmt"
|
|
"github.com/bytedream/sshoneypot/sshoneypot"
|
|
)
|
|
|
|
func main() {
|
|
fmt.Println("aa")
|
|
}
|
|
```
|
|
|
|
## Usage
|
|
```
|
|
$ sshesame -h
|
|
Usage of sshesame:
|
|
-host_key string
|
|
a file containing a private key to use
|
|
-json_logging
|
|
enable logging in JSON
|
|
-listen_address string
|
|
the local address to listen on (default "localhost")
|
|
-port uint
|
|
the port number to listen on (default 2022)
|
|
-server_version string
|
|
The version identification of the server (RFC 4253 section 4.2 requires that this string start with "SSH-2.0-") (default "SSH-2.0-sshesame")
|
|
```
|
|
Consider creating a private key to use with sshesame, for example using `ssh-keygen`.
|
|
|
|
## Example output
|
|
```
|
|
Connection: client=<client>:45782
|
|
Login: client=<client>:45782, user="root", password="cisco"
|
|
Established SSH connection: client=<client>:45782
|
|
New channel: clinet=<client>:45782, type=direct-tcpip, payload={DestinationAddress:<something> DestinationPort:110 SourceAddress:192.168.0.1 SourcePort:0}
|
|
Failed to read from channel: EOF
|
|
New channel: clinet=<client>:45782, type=direct-tcpip, payload={DestinationAddress:<something> DestinationPort:143 SourceAddress:192.168.0.1 SourcePort:0}
|
|
Failed to read from channel: EOF
|
|
New channel: clinet=<client>:45782, type=direct-tcpip, payload={DestinationAddress:<something> DestinationPort:587 SourceAddress:192.168.0.1 SourcePort:0}
|
|
Failed to read from channel: EOF
|
|
New channel: clinet=<client>:45782, type=direct-tcpip, payload={DestinationAddress:<something> DestinationPort:587 SourceAddress:192.168.0.1 SourcePort:0}
|
|
Failed to read from channel: EOF
|
|
New channel: clinet=<client>:45782, type=session, payload=[]
|
|
Request: client=<client>:45782, channel=session, type=exec, payload={Command:/sbin/ifconfig}
|
|
Failed to read from terminal: EOF
|
|
New channel: clinet=<client>:45782, type=session, payload=[]
|
|
Request: client=<client>:45782, channel=session, type=exec, payload={Command:cat /proc/meminfo}
|
|
Failed to read from terminal: EOF
|
|
New channel: clinet=<client>:45782, type=session, payload=[]
|
|
Request: client=<client>:45782, channel=session, type=exec, payload={Command:2>/dev/null sh -c 'cat /lib/libdl.so* || cat /lib/librt.so* || cat /bin/cat || cat /sbin/ifconfig'}
|
|
Failed to read from terminal: EOF
|
|
New channel: clinet=<client>:45782, type=session, payload=[]
|
|
Request: client=<client>:45782, channel=session, type=exec, payload={Command:cat /proc/version}
|
|
Failed to read from terminal: EOF
|
|
New channel: clinet=<client>:45782, type=session, payload=[]
|
|
Request: client=<client>:45782, channel=session, type=exec, payload={Command:uptime}
|
|
Failed to read from terminal: EOF
|
|
Disconnect: client=<client>:45782
|
|
```
|
|
So what happened here?
|
|
* A client logged in with the user "root" and the password "cisco"
|
|
* Using TCP/IP forwarding over SSH, they tried to connect to a few remote mail servers over POP3 (port 110), IMAP (port 143) and Submission (port 587)
|
|
* They tried to execute a few commands to get some information about the host
|
|
|
|
Again, if you're interested in the technical details of SSH, read the [RFC](https://tools.ietf.org/html/rfc4254).
|
|
|
|
## Inspired
|
|
|
|
This project was inspired from some the following projects
|
|
|
|
- [sshesame](https://github.com/jaksi/sshesame) (another go based fake ssh server)
|
|
|
|
## Implementation
|