diff --git a/README.md b/README.md index 07a7a68..11e8a68 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,7 @@ # Kippo +With added HPfeeds support for MHN compatibility. 07-08-2014 + Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker. Kippo is inspired, but not based on [Kojoney](http://kojoney.sourceforge.net/). diff --git a/kippo.cfg.dist b/kippo.cfg.dist index 73cee22..3d80dad 100644 --- a/kippo.cfg.dist +++ b/kippo.cfg.dist @@ -14,6 +14,11 @@ # (default: 2222) ssh_port = 2222 +# Source Port to report in logs (useful if you use iptables to forward ports to kippo) +reported_ssh_port = 22 + +report_public_ip = true + # Hostname for the honeypot. Displayed by the shell prompt of the virtual # environment. # @@ -193,3 +198,10 @@ interact_port = 5123 #[database_textlog] #logfile = kippo-textlog.log + +#[database_hpfeeds] +#server = hpfeeds.mysite.org +#port = 10000 +#identifier = abc123 +#secret = secret +#debug=false diff --git a/kippo/commands/wget.py b/kippo/commands/wget.py index ce18937..752ce6e 100644 --- a/kippo/commands/wget.py +++ b/kippo/commands/wget.py @@ -84,7 +84,7 @@ def download(self, url, fakeoutfile, outputfile, *args, **kwargs): host = parsed.hostname port = parsed.port or (443 if scheme == 'https' else 80) path = parsed.path or '/' - if scheme == 'https' or port != 80: + if scheme == 'https' or port == 443 or port == 8443: self.writeln('Sorry, SSL not supported in this release') self.exit() return None diff --git a/kippo/core/dblog.py b/kippo/core/dblog.py index 59fba1b..ea3bc86 100644 --- a/kippo/core/dblog.py +++ b/kippo/core/dblog.py @@ -39,6 +39,18 @@ def __init__(self, cfg): ('^Remote SSH version: (?P.*)$', self.handleClientVersion), )] + + self.reported_ssh_port = None + if self.cfg.has_option('honeypot', 'reported_ssh_port'): + self.reported_ssh_port = int(cfg.get('honeypot', 'reported_ssh_port')) + + self.report_public_ip = False + if self.cfg.has_option('honeypot', 'report_public_ip'): + if cfg.get('honeypot', 'report_public_ip') == "true" or cfg.get('honeypot', 'report_public_ip') == "1": + self.report_public_ip = True + import urllib + self.public_ip = urllib.urlopen('http://myip.threatstream.com').readline() + self.start(cfg) def logDispatch(self, sessionid, msg): @@ -68,10 +80,16 @@ def emit(self, ev): match = self.re_connected.match(ev['message'][0]) if match: sessionid = int(match.groups()[4]) - self.sessions[sessionid] = \ - self.createSession( - match.groups()[0], int(match.groups()[1]), - match.groups()[2], int(match.groups()[3])) + peerIP, peerPort = match.groups()[0], int(match.groups()[1]) + hostIP, hostPort = match.groups()[2], int(match.groups()[3]) + if self.reported_ssh_port: + hostPort = self.reported_ssh_port + if self.report_public_ip: + hostIP = self.public_ip + + self.sessions[sessionid] = self.createSession( + peerIP, peerPort, hostIP, hostPort + ) return match = self.re_sessionlog.match(ev['system']) if not match: diff --git a/kippo/core/honeypot.py b/kippo/core/honeypot.py index 6cd07ad..e6be215 100644 --- a/kippo/core/honeypot.py +++ b/kippo/core/honeypot.py @@ -531,9 +531,12 @@ def sendKexInit(self): transport.SSHServerTransport.sendKexInit(self) def dataReceived(self, data): + # Workaround libssh not working with Twisted Hydra not working (by mercolino) + isLibssh = data.find('libssh', data.find('SSH-')) != -1 + transport.SSHServerTransport.dataReceived(self, data) # later versions seem to call sendKexInit again on their own - if twisted.version.major < 11 and \ + if (twisted.version.major < 11 or isLibssh) and \ not self.hadVersion and self.gotVersion: self.sendKexInit() self.hadVersion = True diff --git a/kippo/dblog/hpfeeds.py b/kippo/dblog/hpfeeds.py new file mode 100644 index 0000000..53134cc --- /dev/null +++ b/kippo/dblog/hpfeeds.py @@ -0,0 +1,255 @@ +from kippo.core import dblog +from twisted.python import log +from datetime import datetime + +import os +import struct +import hashlib +import json +import socket +import uuid + +BUFSIZ = 16384 + +OP_ERROR = 0 +OP_INFO = 1 +OP_AUTH = 2 +OP_PUBLISH = 3 +OP_SUBSCRIBE = 4 + +MAXBUF = 1024**2 +SIZES = { + OP_ERROR: 5+MAXBUF, + OP_INFO: 5+256+20, + OP_AUTH: 5+256+20, + OP_PUBLISH: 5+MAXBUF, + OP_SUBSCRIBE: 5+256*2, +} + +KIPPOCHAN = 'kippo.sessions' + +class BadClient(Exception): + pass + +# packs a string with 1 byte length field +def strpack8(x): + if isinstance(x, str): x = x.encode('latin1') + return struct.pack('!B', len(x)) + x + +# unpacks a string with 1 byte length field +def strunpack8(x): + l = x[0] + return x[1:1+l], x[1+l:] + +def msghdr(op, data): + return struct.pack('!iB', 5+len(data), op) + data +def msgpublish(ident, chan, data): + return msghdr(OP_PUBLISH, strpack8(ident) + strpack8(chan) + data) +def msgsubscribe(ident, chan): + if isinstance(chan, str): chan = chan.encode('latin1') + return msghdr(OP_SUBSCRIBE, strpack8(ident) + chan) +def msgauth(rand, ident, secret): + hash = hashlib.sha1(bytes(rand)+secret).digest() + return msghdr(OP_AUTH, strpack8(ident) + hash) + +class FeedUnpack(object): + def __init__(self): + self.buf = bytearray() + def __iter__(self): + return self + def next(self): + return self.unpack() + def feed(self, data): + self.buf.extend(data) + def unpack(self): + if len(self.buf) < 5: + raise StopIteration('No message.') + + ml, opcode = struct.unpack('!iB', buffer(self.buf,0,5)) + if ml > SIZES.get(opcode, MAXBUF): + raise BadClient('Not respecting MAXBUF.') + + if len(self.buf) < ml: + raise StopIteration('No message.') + + data = bytearray(buffer(self.buf, 5, ml-5)) + del self.buf[:ml] + return opcode, data + +class hpclient(object): + def __init__(self, server, port, ident, secret, debug): + print 'hpfeeds client init broker {0}:{1}, identifier {2}'.format(server, port, ident) + self.server, self.port = server, int(port) + self.ident, self.secret = ident.encode('latin1'), secret.encode('latin1') + self.debug = debug + self.unpacker = FeedUnpack() + self.state = 'INIT' + + self.connect() + self.sendfiles = [] + self.filehandle = None + + def connect(self): + self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + self.s.settimeout(3) + try: self.s.connect((self.server, self.port)) + except: + print 'hpfeeds client could not connect to broker.' + self.s = None + else: + self.s.settimeout(None) + self.handle_established() + + def send(self, data): + if not self.s: + self.connect() + + if not self.s: return + self.s.send(data) + + def close(self): + self.s.close() + self.s = None + + def handle_established(self): + if self.debug: print 'hpclient established' + while self.state != 'GOTINFO': + self.read() + + #quickly try to see if there was an error message + self.s.settimeout(0.5) + self.read() + self.s.settimeout(None) + + def read(self): + if not self.s: return + try: d = self.s.recv(BUFSIZ) + except socket.timeout: + return + + if not d: + if self.debug: log.msg('hpclient connection closed?') + self.close() + return + + self.unpacker.feed(d) + try: + for opcode, data in self.unpacker: + if self.debug: log.msg('hpclient msg opcode {0} data {1}'.format(opcode, data)) + if opcode == OP_INFO: + name, rand = strunpack8(data) + if self.debug: log.msg('hpclient server name {0} rand {1}'.format(name, rand)) + self.send(msgauth(rand, self.ident, self.secret)) + self.state = 'GOTINFO' + + elif opcode == OP_PUBLISH: + ident, data = strunpack8(data) + chan, data = strunpack8(data) + if self.debug: log.msg('publish to {0} by {1}: {2}'.format(chan, ident, data)) + + elif opcode == OP_ERROR: + log.err('errormessage from server: {0}'.format(data)) + else: + log.err('unknown opcode message: {0}'.format(opcode)) + except BadClient: + log.err('unpacker error, disconnecting.') + self.close() + + def publish(self, channel, **kwargs): + try: + self.send(msgpublish(self.ident, channel, json.dumps(kwargs).encode('latin1'))) + except Exception, e: + log.err('connection to hpfriends lost: {0}'.format(e)) + log.err('connecting') + self.connect() + self.send(msgpublish(self.ident, channel, json.dumps(kwargs).encode('latin1'))) + + def sendfile(self, filepath): + # does not read complete binary into memory, read and send chunks + if not self.filehandle: + self.sendfileheader(i.file) + self.sendfiledata() + else: self.sendfiles.append(filepath) + + def sendfileheader(self, filepath): + self.filehandle = open(filepath, 'rb') + fsize = os.stat(filepath).st_size + headc = strpack8(self.ident) + strpack8(UNIQUECHAN) + headh = struct.pack('!iB', 5+len(headc)+fsize, OP_PUBLISH) + self.send(headh + headc) + + def sendfiledata(self): + tmp = self.filehandle.read(BUFSIZ) + if not tmp: + if self.sendfiles: + fp = self.sendfiles.pop(0) + self.sendfileheader(fp) + else: + self.filehandle = None + self.handle_io_in(b'') + else: + self.send(tmp) + + +class DBLogger(dblog.DBLogger): + def start(self, cfg): + print 'hpfeeds DBLogger start' + + server = cfg.get('database_hpfeeds', 'server') + port = cfg.get('database_hpfeeds', 'port') + ident = cfg.get('database_hpfeeds', 'identifier') + secret = cfg.get('database_hpfeeds', 'secret') + debug = cfg.get('database_hpfeeds', 'debug') + + self.client = hpclient(server, port, ident, secret, debug) + self.meta = {} + + # We have to return an unique ID + def createSession(self, peerIP, peerPort, hostIP, hostPort): + session = uuid.uuid4().hex + startTime=datetime.now().isoformat() + self.meta[session] = {'session':session,'startTime':startTime,'endTime':'','peerIP': peerIP, 'peerPort': peerPort, + 'hostIP': hostIP, 'hostPort': hostPort, 'loggedin': None, + 'credentials':[], 'commands':[],"unknownCommands":[],'urls':[],'version': None, 'ttylog': None } + return session + + def handleConnectionLost(self, session, args): + log.msg('publishing metadata to hpfeeds') + meta = self.meta[session] + self.meta[session]['endTime']=datetime.now().isoformat() + ttylog = self.ttylog(session) + if ttylog: meta['ttylog'] = ttylog.encode('hex') + self.client.publish(KIPPOCHAN, **meta) + + def handleLoginFailed(self, session, args): + u, p = args['username'], args['password'] + self.meta[session]['credentials'].append((u,p)) + + def handleLoginSucceeded(self, session, args): + u, p = args['username'], args['password'] + self.meta[session]['loggedin'] = (u,p) + + def handleCommand(self, session, args): + c = args['input'] + self.meta[session]['commands'].append(c) + + def handleUnknownCommand(self, session, args): + uc = args['input'] + self.meta[session]['unknownCommands'].append(uc) + + def handleInput(self, session, args): + pass + + def handleTerminalSize(self, session, args): + pass + + def handleClientVersion(self, session, args): + v = args['version'] + self.meta[session]['version'] = v + + def handleFileDownload(self,session,args): + url = args['url'] + self.meta[session]['urls'].append(url) + + +# vim: set sw=4 et: