Cowrie SSH/Telnet Honeypot https://cowrie.readthedocs.io

Overview

Cowrie


Welcome to the Cowrie GitHub repository

This is the official repository for the Cowrie SSH and Telnet Honeypot effort.

What is Cowrie

Cowrie is a medium- to high-interaction SSH and Telnet honeypot designed to log brute-force attacks and the shell interaction performed by the attacker. In medium-interaction mode (shell) it emulates a UNIX system in Python; in high-interaction mode (proxy) it functions as an SSH and Telnet proxy that forwards the attacker to another system while observing their behavior.

Cowrie is maintained by Michel Oosterhof.

Documentation

The documentation can be found at https://cowrie.readthedocs.io.

Slack

You can join the Cowrie community at the following Slack workspace.

Features

  • Choose to run as an emulated shell (default):
    • Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
    • Possibility of adding fake file contents so the attacker can cat files such as /etc/passwd. Only minimal file contents are included
    • Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection
  • Or proxy SSH and telnet to another system
    • Run as a pure telnet and ssh proxy with monitoring
    • Or let Cowrie manage a pool of Qemu emulated servers to provide the systems to login to

For both settings:

  • Session logs are stored in a UML-compatible format for easy replay with the bin/playlog utility.
  • SFTP and SCP support for file upload
  • Support for SSH exec commands
  • Logging of direct-tcp connection attempts (ssh proxying)
  • Forward SMTP connections to SMTP Honeypot (e.g. mailoney)
  • JSON logging for easy processing in log management solutions

Docker

Docker versions are available.

Requirements

Software required:

  • Python 3.6+
  • python-virtualenv

For Python dependencies, see requirements.txt.

Files of interest:

  • etc/cowrie.cfg - Cowrie's configuration file. Default values can be found in etc/cowrie.cfg.dist.
  • share/cowrie/fs.pickle - fake filesystem
  • etc/userdb.txt - credentials to access the honeypot
  • honeyfs/ - file contents for the fake filesystem - feel free to copy a real system here or use bin/fsctl
  • honeyfs/etc/issue.net - pre-login banner
  • honeyfs/etc/motd - post-login banner
  • var/log/cowrie/cowrie.json - transaction output in JSON format
  • var/log/cowrie/cowrie.log - log/debug output
  • var/lib/cowrie/tty/ - session logs, replayable with the bin/playlog utility.
  • var/lib/cowrie/downloads/ - files transferred from the attacker to the honeypot are stored here
  • share/cowrie/txtcmds/ - file contents for simple fake commands
  • bin/createfs - used to create the fake filesystem
  • bin/playlog - utility to replay session logs
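
The JSON output named above (var/log/cowrie/cowrie.json, one event per line) is the easiest thing to process, and the following is an added example written for this page, not part of the README or of Cowrie's own code. It folds the per-event lines into per-session summaries (credentials tried, commands the emulated shell accepted or rejected, files downloaded) and picks out the sessions that got past login. The event identifiers and field names (eventid, session, src_ip, username, password, input, url, shasum, duration) follow Cowrie's JSON output as I know it; the log lines themselves are constructed samples using documentation IP ranges and a placeholder hash, not captured data, and one deliberately broken line shows that a truncated record does not abort the run.

```python
import json
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample in the shape of var/log/cowrie/cowrie.json (one JSON object per line).
# IPs come from documentation ranges and the shasum is a placeholder: this is not captured data.
SAMPLE_JSON_LOG = """\
{"eventid": "cowrie.session.connect", "timestamp": "2024-01-01T10:00:00.000000Z", "src_ip": "203.0.113.7", "src_port": 51000, "dst_port": 2222, "session": "a1b2c3d4e5f6", "protocol": "ssh"}
{"eventid": "cowrie.login.failed", "timestamp": "2024-01-01T10:00:01.000000Z", "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.success", "timestamp": "2024-01-01T10:00:02.000000Z", "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6", "username": "root", "password": "admin"}
{"eventid": "cowrie.command.input", "timestamp": "2024-01-01T10:00:03.000000Z", "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6", "input": "uname -a"}
{"eventid": "cowrie.command.failed", "timestamp": "2024-01-01T10:00:04.000000Z", "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6", "input": "shell"}
{"eventid": "cowrie.session.file_download", "timestamp": "2024-01-01T10:00:05.000000Z", "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6", "url": "http://198.51.100.9/sample.bin", "outfile": "var/lib/cowrie/downloads/PLACEHOLDER_SHA256", "shasum": "PLACEHOLDER_SHA256"}
{"eventid": "cowrie.session.closed", "timestamp": "2024-01-01T10:00:09.000000Z", "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6", "duration": 9.0}
this line is not JSON (a partially written record) and must be skipped, not crash the reader
{"eventid": "cowrie.session.connect", "timestamp": "2024-01-01T10:05:00.000000Z", "src_ip": "198.51.100.23", "src_port": 40000, "dst_port": 2223, "session": "ffeeddccbbaa", "protocol": "telnet"}
{"eventid": "cowrie.login.failed", "timestamp": "2024-01-01T10:05:01.000000Z", "src_ip": "198.51.100.23", "session": "ffeeddccbbaa", "username": "admin", "password": "admin"}
{"eventid": "cowrie.session.closed", "timestamp": "2024-01-01T10:05:02.000000Z", "src_ip": "198.51.100.23", "session": "ffeeddccbbaa", "duration": 2.0}
"""


def new_session(src_ip) -> dict:
    """Empty per-session summary; keys are this example's own, not Cowrie field names."""
    return {"src_ip": src_ip, "protocol": None, "failed_logins": [], "login": None,
            "commands": [], "rejected_commands": [], "downloads": [], "duration": None}


def summarize_sessions(lines: Iterable[str]) -> Dict[str, dict]:
    """Group cowrie.json events by their session id and keep the interesting fields."""
    sessions: Dict[str, dict] = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a truncated or half-written line should not abort the whole run
        sid = ev.get("session")
        if not sid:
            continue
        s = sessions.setdefault(sid, new_session(ev.get("src_ip")))
        eid = ev.get("eventid")
        if eid == "cowrie.session.connect":
            s["protocol"] = ev.get("protocol")
        elif eid == "cowrie.login.failed":
            s["failed_logins"].append((ev.get("username"), ev.get("password")))
        elif eid == "cowrie.login.success":
            s["login"] = (ev.get("username"), ev.get("password"))
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input"))
        elif eid == "cowrie.command.failed":
            # the emulated shell answered "command not found"
            s["rejected_commands"].append(ev.get("input"))
        elif eid == "cowrie.session.file_download":
            s["downloads"].append((ev.get("url"), ev.get("shasum")))
        elif eid == "cowrie.session.closed":
            s["duration"] = ev.get("duration")
    return sessions


def post_login_sessions(sessions: Dict[str, dict]) -> List[str]:
    """Sessions that authenticated and then did something: the ones worth replaying with bin/playlog."""
    return [sid for sid, s in sessions.items()
            if s["login"] and (s["commands"] or s["downloads"])]


def credential_counts(sessions: Dict[str, dict]) -> Counter:
    """How often each (username, password) pair was tried, successful or not."""
    counts: Counter = Counter()
    for s in sessions.values():
        counts.update(s["failed_logins"])
        if s["login"]:
            counts[s["login"]] += 1
    return counts


def rejected_command_counts(sessions: Dict[str, dict]) -> Counter:
    """Commands the emulated shell did not know: a to-do list for share/cowrie/txtcmds or new command modules."""
    counts: Counter = Counter()
    for s in sessions.values():
        counts.update(s["rejected_commands"])
    return counts


if __name__ == "__main__":
    sessions = summarize_sessions(SAMPLE_JSON_LOG.splitlines())
    print("sessions with post-login activity:", post_login_sessions(sessions))
    print("credentials:", credential_counts(sessions).most_common())
    print("unknown commands:", rejected_command_counts(sessions).most_common())
```

Run it against the real file with `summarize_sessions(open("var/log/cowrie/cowrie.json"))`; because cowrie.json is rotated daily, feed each day's file through the same function and merge the resulting dictionaries if you need a multi-day view.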

Data Sharing

Cowrie will by default upload data on crashes and Python exceptions to api.cowrie.org. This information is used to improve the honeypot and is not shared with third parties. It can be disabled by setting enabled=false in [output_crashreporter].

Contributors

Many people have contributed to Cowrie over the years. Special thanks to:

  • Upi Tamminen (desaster) for all his work developing Kippo on which Cowrie was based
  • Dave Germiquet (davegermiquet) for TFTP support, unit tests, new process handling
  • Olivier Bilodeau (obilodeau) for Telnet support
  • Ivan Korolev (fe7ch) for many improvements over the years.
  • Florian Pelgrim (craneworks) for his work on code cleanup and Docker.
  • Guilherme Borges (sgtpepperpt) for SSH and telnet proxy (GSoC 2019)
  • And many many others.
Comments
  • Setting up ELK to work with Cowrie

    Hello folks,

    I'd like to use Kibana to visualize the events in the Cowrie log and have been failing so far. Yes, I have read this article and also issue #402, as well as the documentation.

    To begin with, my setup is fairly simple - just one Cowrie honeypot and ELK installed on the same machine (and supposed to be used on the same machine). So, I don't need Filebeat to ship logs to another machine, correct? Also, I gather from issue #402 that I no longer need an nginx server like the first article mentioned above says, yes?

    So far I've done the following:

    1. Installed elasticsearch, logstash and kibana on the same virtual machine where Cowrie is.
    2. Created /var/log/kibana and modified /etc/kibana/kibana.yml according to the documentation.
    3. Downloaded the GeoIP data and put it in /var/opt/logstash/vendor/geoip/.
    4. Copied cowrie/doc/elk/logstash-cowrie.conf to /etc/logstash/conf.d/ after modifying some paths to make sure they reflect my environment.
    5. Started the service logstash.

    However, the file /tmp/cowrie-logstash.log is not created. What am I missing? Do I need to change some ownerships - e.g., stuff in /etc/logstash/ is currently owned by root.

    Also, does this mean that with this setup Kibana can visualize only one day's worth of data? The file cowrie.json gets renamed after midnight and a new one is created.

    question 
    opened by bontchev 77
  • Not capturing any Mirai samples

    I ran a pretty much out-of-the-box Cowrie installation on a virtual machine for a couple of hours. Although the logs show that various Mirai variants have hit 127 times, to my amazement not even a single sample was captured. Going through the logs, I can identify the following cases:

    1. In the vast majority of cases the capturing has failed because of this issue. The discussion of the issue suggests that a hotfix for the problem is available - could we get it merged to master, please?

    2. The second case looks like pretty much a standard Mirai; I do not understand what exactly is failing. It seems to me that the honeypot is providing the right answers. Here is a sample session from the logs:

    2017-01-16T18:32:58+0200 [cowrie.telnet.transport.HoneyPotTelnetFactory] New connection: 109.236.92.144:55305 (192.168.0.104:23) [session: TT10]
    2017-01-16T18:33:01+0200 [CowrieTelnetTransport,10,109.236.92.144] login attempt [root/anko] succeeded
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Opening TTY Log: log/tty/20170116-183302-None-10i.log
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: enable
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: enable 
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Reading txtcmd from "txtcmds/bin/enable"
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: shell
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command not found: shell
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: sh
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: sh 
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox ECCHI
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ECCHI
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox ps; /bin/busybox ECCHI
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ps
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: ps
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ECCHI
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox cat /proc/mounts; /bin/busybox ECCHI
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox cat /proc/mounts
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: cat /proc/mounts
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ECCHI
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox echo -e '\x6b\x61\x6d\x69/dev' > /dev/.nippon; /bin/busybox cat /dev/.nippon; /bin/busybox rm /dev/.nippon
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox echo -e '\x6b\x61\x6d\x69/dev' > /dev/.nippon
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: echo -e '\x6b\x61\x6d\x69/dev'
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox cat /dev/.nippon
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: cat /dev/.nippon
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox rm /dev/.nippon
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: rm /dev/.nippon
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox ECCHI
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ECCHI
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: cd /
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: cd /
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox cp /bin/echo dvrHelper; >dvrHelper; /bin/busybox chmod 777 dvrHelper; /bin/busybox ECCHI
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox cp /bin/echo dvrHelper
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: cp /bin/echo dvrHelper
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: > dvrHelper
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox chmod 777 /dvrHelper
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: chmod 777 /dvrHelper
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ECCHI
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox cat /bin/echo
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox cat /bin/echo
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: cat /bin/echo
    2017-01-16T18:33:03+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox ECCHI
    2017-01-16T18:33:03+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ECCHI
    2017-01-16T18:35:04+0200 [CowrieTelnetTransport,10,109.236.92.144] Closing TTY Log: log/tty/20170116-183302-None-10i.log after 121 seconds
    2017-01-16T18:35:04+0200 [CowrieTelnetTransport,10,109.236.92.144] honeypot terminal protocol connection lost [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.ConnectionDone'>: Connection was closed cleanly.
    2017-01-16T18:35:04+0200 [CowrieTelnetTransport,10,109.236.92.144] Connection lost after 126 seconds
    
    3. The third case is completely weird; it seems that the bot is sending commands containing '0x00' characters? Here is a sample session log:

    2017-01-16T18:32:34+0200 [cowrie.telnet.transport.HoneyPotTelnetFactory] New connection: 122.224.33.171:31513 (192.168.0.104:23) [session: TT8]
    2017-01-16T18:32:36+0200 [CowrieTelnetTransport,8,122.224.33.171] login attempt [root/888888] succeeded
    2017-01-16T18:32:36+0200 [CowrieTelnetTransport,8,122.224.33.171] Opening TTY Log: log/tty/20170116-183236-None-8i.log
    2017-01-16T18:32:36+0200 [CowrieTelnetTransport,8,122.224.33.171] Warning: state changed and new state returned
    2017-01-16T18:32:36+0200 [CowrieTelnetTransport,8,122.224.33.171] Received unhandled keyID: '\x00'
    2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] CMD: enable
    2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Command found: enable 
    2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Reading txtcmd from "txtcmds/bin/enable"
    2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Received unhandled keyID: '\x00'
    2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] CMD: system
    2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Command not found: system
    2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Received unhandled keyID: '\x00'
    2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] CMD: shell
    2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Command not found: shell
    2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Received unhandled keyID: '\x00'
    2017-01-16T18:32:38+0200 [CowrieTelnetTransport,8,122.224.33.171] CMD: sh
    2017-01-16T18:32:38+0200 [CowrieTelnetTransport,8,122.224.33.171] Command found: sh 
    2017-01-16T18:32:38+0200 [CowrieTelnetTransport,8,122.224.33.171] Received unhandled keyID: '\x00'
    2017-01-16T18:32:38+0200 [CowrieTelnetTransport,8,122.224.33.171] CMD: /bin/busybox MIRAI
    2017-01-16T18:32:38+0200 [CowrieTelnetTransport,8,122.224.33.171] Command found: /bin/busybox MIRAI
    2017-01-16T18:32:39+0200 [CowrieTelnetTransport,8,122.224.33.171] Closing TTY Log: log/tty/20170116-183236-None-8i.log after 2 seconds
    2017-01-16T18:32:39+0200 [CowrieTelnetTransport,8,122.224.33.171] honeypot terminal protocol connection lost [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.ConnectionDone'>: Connection was closed cleanly.
    2017-01-16T18:32:39+0200 [CowrieTelnetTransport,8,122.224.33.171] Connection lost after 4 seconds
    
    opened by bontchev 30
  • Logging in a MySQL database

    Hello folks,

    Elasticsearch crapped very badly on me and I had to rebuild the whole database from scratch, so I don't trust it any more. Unfortunately, Kibana depends on it, which means that if I scrap it, I won't be able to use Kibana for visualizations. However, a colleague told me that he could very easily make the visualizations I currently use if the data is in a MySQL database. So, I am now trying to make Cowrie save its data in such a database. Unfortunately, I am also failing miserably, so I could use your help.

    To begin with, I followed this guide. It's from a couple of years ago, but it seems mostly actual, because everything worked - the database was created with the corresponding tables and structure. I have modified the [output_mysql] section in cowrie.cfg accordingly, to specify the host containing the database, user name, password, etc. I used a stand-alone Python script to check that I can indeed connect to the database from the machine on which Cowrie is running and do some trivial stuff, like getting the MySQL version.

    Unfortunately, when I start Cowrie, I get the error message

    'Failed to load output engine: mysql due to ImportError: No module named MySQLdb'

    Now, the module mysql-python is installed - I installed it while following the guide mentioned above. But it wasn't installed (yet) when I installed Cowrie, months ago. I guess that means it isn't installed in the virtual environment cowrie-env? How do I install it there? (I was hoping that the virtual environment would see modules that are globally installed on the system, but I guess it doesn't.) I hope I don't need to scrap the whole Cowrie installation and re-install it from scratch?

    opened by bontchev 27
  • I have gone through all steps for cowrie honeypot but got this error after ./start.sh

    These errors were displayed:

    Starting cowrie with extra arguments [] ...
    Unhandled Error
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 579, in parseOptions
        usage.Options.parseOptions(self, options)
      File "/usr/lib/python2.7/dist-packages/twisted/python/usage.py", line 262, in parseOptions
        for (cmd, short, parser, doc) in self.subCommands:
      File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 596, in subCommands
        for plug in sorted(plugins, key=attrgetter('tapname')):
      File "/usr/lib/python2.7/dist-packages/twisted/plugin.py", line 213, in getPlugins
        allDropins = getCache(package)
    --- <exception caught here> ---
      File "/usr/lib/python2.7/dist-packages/twisted/plugin.py", line 171, in getCache
        provider = pluginModule.load()
      File "/usr/lib/python2.7/dist-packages/twisted/python/modules.py", line 389, in load
        return self.pathEntry.pythonPath.moduleLoader(self.name)
      File "/usr/lib/python2.7/dist-packages/twisted/python/reflect.py", line 303, in namedAny
        topLevelPackage = _importAndCheckStack(trialname)
      File "/usr/lib/python2.7/dist-packages/twisted/python/reflect.py", line 250, in _importAndCheckStack
        reraise(excValue, excTraceback)
      File "/home/cowrie/cowrie/twisted/plugins/cowrie_plugin.py", line 46, in <module>
        from cowrie.core.config import readConfigFile
      File "/home/cowrie/cowrie/cowrie/core/config.py", line 8, in <module>
        import configparser
    exceptions.ImportError: No module named configparser

    Unhandled Error
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/twisted/python/usage.py", line 447, in __str__
        return self.getSynopsis() + '\n' + self.getUsage(width=None)
      File "/usr/lib/python2.7/dist-packages/twisted/python/usage.py", line 483, in getUsage
        for (cmd, short, parser, desc) in self.subCommands:
      File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 596, in subCommands
        for plug in sorted(plugins, key=attrgetter('tapname')):
      File "/usr/lib/python2.7/dist-packages/twisted/plugin.py", line 213, in getPlugins
        allDropins = getCache(package)
    --- <exception caught here> ---
      File "/usr/lib/python2.7/dist-packages/twisted/plugin.py", line 171, in getCache
        provider = pluginModule.load()
      File "/usr/lib/python2.7/dist-packages/twisted/python/modules.py", line 389, in load
        return self.pathEntry.pythonPath.moduleLoader(self.name)
      File "/usr/lib/python2.7/dist-packages/twisted/python/reflect.py", line 303, in namedAny
        topLevelPackage = _importAndCheckStack(trialname)
      File "/usr/lib/python2.7/dist-packages/twisted/python/reflect.py", line 250, in _importAndCheckStack
        reraise(excValue, excTraceback)
      File "/home/cowrie/cowrie/twisted/plugins/cowrie_plugin.py", line 46, in <module>
        from cowrie.core.config import readConfigFile
      File "/home/cowrie/cowrie/cowrie/core/config.py", line 8, in <module>
        import configparser
    exceptions.ImportError: No module named configparser

    Usage: twistd [options]
    Options:
          --savestats      save the Stats object rather than the text output of the profiler.
      -o, --no_save        do not save state on shutdown
      -e, --encrypted      The specified tap/aos file is encrypted.
      -n, --nodaemon       don't daemonize, don't use default umask of 0077
          --originalname   Don't try to change the process name
          --syslog         Log to syslog, not to file
          --euid           Set only effective user-id rather than real user-id. (This option has no effect unless the server is running as root, in which case it means not to shed all privileges after binding ports, retaining the option to regain privileges in cases such as spawning processes. Use with caution.)
      -l, --logfile=       log to a specified file, - for stdout
          --logger=        A fully-qualified name to a log observer factory to use for the initial log observer. Takes precedence over --logfile and --syslog (when available).
      -p, --profile=       Run in profile mode, dumping results to specified file.
          --profiler=      Name of the profiler to use (profile, cprofile). [default: cprofile]
      -f, --file=          read the given .tap file [default: twistd.tap]
      -y, --python=        read an application from within a Python file (implies -o)
      -s, --source=        Read an application from a .tas file (AOT format).
      -d, --rundir=        Change to a supplied directory before running [default: .]
          --prefix=        use the given prefix when syslogging [default: twisted]
          --pidfile=       Name of the pidfile [default: twistd.pid]
          --chroot=        Chroot to a supplied directory before running
      -u, --uid=           The uid to run as.
      -g, --gid=           The gid to run as.
          --umask=         The (octal) file creation mask to apply.
          --help-reactors  Display a list of possibly available reactor names.
          --version        Print version information and exit.
          --spew           Print an insanely verbose log of everything that happens. Useful when debugging freezes or locks in complex code.
      -b, --debug          Run the application in the Python Debugger (implies nodaemon), sending SIGUSR2 will drop into debugger
      -r, --reactor=       Which reactor to use (see --help-reactors for a list of possibilities)
          --help           Display this help and exit.

    twistd reads a twisted.application.service.Application out of a file and runs it.
    Commands:
        conch            A Conch SSH service.
        dns              A domain name server.
        ftp              An FTP server.
        inetd            An inetd(8) replacement.
        mail             An email service
        manhole          An interactive remote debugger service accessible via telnet and ssh and providing syntax coloring and basic line editing functionality.
        manhole-old      An interactive remote debugger service.
        news             A news server.
        portforward      A simple port-forwarder.
        procmon          A process watchdog / supervisor
        socks            A SOCKSv4 proxy service.
        telnet           A simple, telnet-based remote debugging service.
        web              A general-purpose web server which can serve from a filesystem or application resource.
        words            A modern words server
        xmpp-router      An XMPP Router server

    question 
    opened by rereee 26
  • output_mysql not sending data

    In the database, only table `sessions` has a lot of data; the other tables such as `auth`, `clients`, `input`, `ttylog` have no data. And `log/cowrie.log` and `log/cowrie.json` have become binary files... What's the matter?... Here are the screenshots:

    ![screenshot 1](https://cloud.githubusercontent.com/assets/17915615/19677173/9e3e8ea6-9aca-11e6-9c18-53d88e7605e2.png)
    ![screenshot 2](https://cloud.githubusercontent.com/assets/17915615/19677209/c6d128e2-9aca-11e6-9e2e-e5f2b20fadf8.png)
    ![screenshot 3](https://cloud.githubusercontent.com/assets/17915615/19677228/dbc4b962-9aca-11e6-8fec-573ca4a6df38.png)
    ![screenshot 4](https://cloud.githubusercontent.com/assets/17915615/19677240/eec24a34-9aca-11e6-9c1f-5eba6fedd259.png)
    ![screenshot 5](https://cloud.githubusercontent.com/assets/17915615/19677266/0d140bda-9acb-11e6-8503-ebc1fc94d3a2.png)
    ![screenshot 6](https://cloud.githubusercontent.com/assets/17915615/19677314/4be3439e-9acb-11e6-8c03-d4bd6132f799.png)

    In table `sensors`, the ip is my server ip...

    bug 
    opened by NitroCao 26
  • Cowrie writes to MySQL in local time zone

    I know that when Cowrie produces a JSON log, the timestamps there are in UTC. But how are they stored in a MySQL database?

    I'm asking because I hit a rather bizarre problem. I'm trying to make a simple graph of the number of login attempts for every hour using Grafana as the visualizer. The graph looks fine but the time (the X-axis) is shifted by 3 hours.

    My local time zone is UTC+3 right now (GMT+2 geographically, plus 1 hour daylight savings). Grafana is configured to display times in the local time zone of the viewer. One explanation for the mismatch could be that the data itself is wrong - i.e., is stored in local time in the database, instead of in UTC.

    The problem is, I can't figure out exactly what is happening. Cowrie writes the data to the database using the STR_TO_DATE() MySQL function, which takes two arguments - the date itself (presumably in UTC, because it's the same thing that's written to the JSON log?) and a format string, which is set to '%Y-%m-%dT%H:%i:%s.%fZ'. Doesn't this mean that the timestamp ought to go as a UTC timestamp in the database? Besides, I've read somewhere that timestamp data is stored always as UTC timestamps by MySQL. Assuming that the time zone of my MySQL server is set to UTC+3, wouldn't that mean that an unnecessary conversion is made and 3 hours are subtracted from the timestamp?

    Maybe Cowrie should set the time zone of its MySQL connection to UTC+0? Like

    SET time_zone='+00:00';

    bug 
    opened by bontchev 22
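
The naive-versus-aware timestamp pitfall behind this report, as an added example written for this page (it is not Cowrie's output_mysql code and does not touch a database): it parses the cowrie.json timestamp format whose MySQL form is quoted in the issue, computes what a correctly UTC-stored row should read back as under a given client session time zone, and measures the shift you get when the UTC digits were in fact stored as local time. The read-back format `DB_FORMAT`, the session-offset model and the constant `SAMPLE_TS` are this example's own assumptions and constructed values.

```python
from datetime import datetime, timedelta, timezone

# Python strptime equivalent of the MySQL format string '%Y-%m-%dT%H:%i:%s.%fZ' quoted in the issue.
COWRIE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
# Assumed shape of a DATETIME/TIMESTAMP value as a client reads it back (no zone information).
DB_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample timestamp in cowrie.json style (not from the page's logs).
SAMPLE_TS = "2023-07-01T12:00:00.000000Z"


def as_utc(cowrie_ts: str) -> datetime:
    """Parse a cowrie.json timestamp into a timezone-aware UTC datetime.

    strptime matches the trailing 'Z' as a literal character and returns a *naive*
    datetime; the UTC zone has to be attached explicitly or every later arithmetic
    step silently assumes whatever the process's local zone is."""
    return datetime.strptime(cowrie_ts, COWRIE_TS_FORMAT).replace(tzinfo=timezone.utc)


def expected_db_value(cowrie_ts: str, session_offset_hours: float) -> str:
    """What a correctly stored (UTC) row should read back as when the client session
    time zone is UTC+session_offset_hours (modelled as a fixed offset)."""
    session_tz = timezone(timedelta(hours=session_offset_hours))
    return as_utc(cowrie_ts).astimezone(session_tz).strftime(DB_FORMAT)


def stored_shift_hours(cowrie_ts: str, db_value: str, session_offset_hours: float) -> float:
    """Hours by which the value read back from the database lags the true event time.

    0.0 means the stored row is consistent with UTC storage; a positive value is the
    X-axis shift the issue describes (the graph shows events earlier than they happened)."""
    session_tz = timezone(timedelta(hours=session_offset_hours))
    db_aware = datetime.strptime(db_value, DB_FORMAT).replace(tzinfo=session_tz)
    return (as_utc(cowrie_ts) - db_aware).total_seconds() / 3600.0


if __name__ == "__main__":
    # A UTC-stored 12:00Z event reads back as 15:00:00 in a UTC+3 session.
    print(expected_db_value(SAMPLE_TS, 3))                              # 2023-07-01 15:00:00
    # If it still reads 12:00:00 under UTC+3, the digits were stored as local time: 3 h early.
    print(stored_shift_hours(SAMPLE_TS, "2023-07-01 12:00:00", 3))     # 3.0
    print(stored_shift_hours(SAMPLE_TS, "2023-07-01 15:00:00", 3))     # 0.0
```

To check a live database with this, read one row back with `SELECT @@session.time_zone` noted, pass the session offset and the row's timestamp string to `stored_shift_hours()` together with the matching cowrie.json entry, and a non-zero result confirms the stored value rather than the viewer is what is off.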
  • Problem in ./start.sh exceptions.AttributeError: 'module' object has no attribute 'IPluggableAuthenticationModules'

    I have an error in start.sh (I'm on Ubuntu 14.04):

    (envirt)[email protected]:~/kippo/kippo-master$ ./start.sh
    twistd (the Twisted daemon) 16.0.0
    Copyright (c) 2001-2016 Twisted Matrix Laboratories.
    See LICENSE for details.
    Starting kippo in the background...
    Unhandled Error
    Traceback (most recent call last):
      File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/application/app.py", line 617, in run
        runApp(config)
      File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/scripts/twistd.py", line 25, in runApp
        _SomeApplicationRunner(config).run()
      File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/application/app.py", line 348, in run
        self.application = self.createOrGetApplication()
      File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/application/app.py", line 413, in createOrGetApplication
        application = getApplication(self.config, passphrase)
    --- <exception caught here> ---
      File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/application/app.py", line 424, in getApplication
        application = service.loadApplication(filename, style, passphrase)
      File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/application/service.py", line 411, in loadApplication
        passphrase)
      File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/persisted/sob.py", line 224, in loadValueFromFile
        eval(codeObj, d, d)
      File "kippo.tac", line 26, in <module>
        import kippo.core.auth
      File "/home/michel/kippo/kippo-master/kippo/core/auth.py", line 102, in <module>
        class HoneypotPasswordChecker:
      File "/home/michel/kippo/kippo-master/kippo/core/auth.py", line 105, in HoneypotPasswordChecker
        credentialInterfaces = (credentials.IUsernamePassword, credentials.IPluggableAuthenticationModules)
    exceptions.AttributeError: 'module' object has no attribute 'IPluggableAuthenticationModules'

    Failed to load application: 'module' object has no attribute 'IPluggableAuthenticationModules'

    Please help me. Thanks

    question 
    opened by miha237 22
  • userdb not checked

    I have copied the userdb.example to userdb.txt in the etc folder, by running this command: [email protected] cp userdb.example eserdb.txt. I then stopped cowrie and started it again.

    However, I can still access the honeypot with username root and password root, even though in the userdb it says root:x:!root

    question 
    opened by RunnyRun 21
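
The userdb.txt file (listed under "Files of interest" in the README as the honeypot's credential list, and quoted in this issue with the line root:x:!root) is what decides which login attempts the emulated shell accepts. The following is an added example written for this page, my own small evaluator of that rule syntax and not Cowrie's authentication code: each non-comment line is username:uid:password, the middle field is not used for matching, the password field is a literal, `*` for any password, a `!`-prefixed value meaning "explicitly deny this", or `/regex/` with an optional `i` flag, and the first rule that matches both username and password decides. That reading of the syntax and the sample file contents are assumptions of this example.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of etc/userdb.txt (not the project's shipped file).
SAMPLE_USERDB = """\
# username:uid:password   -- first matching rule wins
root:x:!root
root:x:!123456
root:x:!/honeypot/i
root:x:*
tomcat:x:*
oracle:x:*
"""

# (username, password specification, deny?)
Rule = Tuple[str, str, bool]


def parse_userdb(text: str) -> List[Rule]:
    """Turn userdb.txt content into an ordered rule list, skipping blanks and comments."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)  # the password field may itself contain ':'
        if len(parts) != 3:
            raise ValueError(f"malformed userdb line: {raw!r}")
        user, _uid, spec = parts
        deny = spec.startswith("!")
        if deny:
            spec = spec[1:]
        rules.append((user, spec, deny))
    return rules


def _password_matches(spec: str, password: str) -> bool:
    """Match one password field: wildcard, /regex/flags, or literal."""
    if spec == "*":
        return True
    m = re.fullmatch(r"/(.*)/([a-z]*)", spec)
    if m:
        flags = re.IGNORECASE if "i" in m.group(2) else 0
        return re.search(m.group(1), password, flags) is not None
    return spec == password


def check_login(rules: List[Rule], username: str, password: str) -> bool:
    """First rule whose username and password both match decides; no match means reject."""
    for user, spec, deny in rules:
        if user != username:
            continue
        if _password_matches(spec, password):
            return not deny
    return False


def explain_login(rules: List[Rule], username: str, password: str) -> str:
    """Human-readable trace of which rule fired, useful when a login is accepted unexpectedly."""
    for index, (user, spec, deny) in enumerate(rules, start=1):
        if user == username and _password_matches(spec, password):
            verdict = "DENY" if deny else "ACCEPT"
            return f"rule {index} ({user}:{'!' if deny else ''}{spec}) -> {verdict}"
    return "no rule matched -> DENY"


if __name__ == "__main__":
    rules = parse_userdb(SAMPLE_USERDB)
    for creds in [("root", "root"), ("root", "hunter2"), ("root", "MyHoneypotPw"),
                  ("tomcat", "anything"), ("admin", "admin")]:
        print(creds, explain_login(rules, *creds))
```

The evaluator is order-sensitive by design: a deny rule only works if it appears before the wildcard rule for the same user, which is why `root:x:!root` sits above `root:x:*` in the sample. `explain_login()` tells you which line let a given attempt through, which is the first thing to check when a credential you meant to block still succeeds.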
  • How do you customize the honeypot filesystem?

    From the documentation, it seems that all I'd need to do to replace Cowrie's default filesystem is to do:

    • Copy a new file system to honeyfs
    • Run ./bin/createfs -l honeyfs -o data/fs.pickle

    When I tried to do this with an OpenWRT filesystem, the commands executed successfully, but commands in the honeypot (e.g. ls, cp, rm) don't work. /bin/busybox works, but running /bin/busybox ls errors out with "applet not found".

    I'm using Python 3.5 on Ubuntu 16.04.

    question 
    opened by supriyo-biswas 21
  • Can't stop Cowrie

    Been playing around with Cowrie and am loving it. But it won't stop for me unless I kill the process. I'm starting it by ~/cowrie/bin/./cowrie start. Doing a ~/cowrie/bin/./cowrie stop doesn't stop it though. There is no error message at console from the stop command and it just returns me to a prompt after I push enter.

    I have to look up the process with "ps aux" and kill it by the PID. Is this normal? Running Ubuntu Server 16.

    opened by biggen1684 20
  • commands not executing when directory path contains symbolic links

    Hi Michel,

    I can't explain why, but my Cowrie doesn't accept the usual commands like "ls", "cat", "ping":

    bash: cat: command not found
    bash: ls: command not found

    wget, curl, help and the (customized) txtcmds work fine.

    I'm running CentOS 7. I have customized the honeyfs files and txtcmds and generated a filesystem with createfs.py (cleaned with fsctl.py).

    Any hints ?

    Regards.

    bug 
    opened by AbyssAndreal 20
  • Unable to connect to honeypot VM through proxy

    Hello,

    I am trying to deploy cowrie in proxy mode with the following settings:

    backend = proxy
    
    # Guest details (for a generic x86-64 guest, like Ubuntu)
    guest_hypervisor = qemu
    
    backend = pool
    backend_ssh_host = localhost
    backend_ssh_port = 2022
    
    pool_max_vms = 4
    pool = local
    
    # Endpoint to listen on for incoming SSH connections.
    listen_endpoints = tcp:9090:interface=0.0.0.0
    

    Everything excluded is set to the default value, except for the real backend credentials. Iptables are configured to redirect port 22 to port 9090.

    Successfully logging in to the honeypot through PuTTY does not redirect me to the VM; instead it shows the following error message:

    [image: screenshot of the PuTTY error message]

    This is how it looks in logs:

    2022-11-15T14:40:02.714110Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: x.x.x.x:x (10.0.0.4:9090) [session: 11699cf73924]
    2022-11-15T14:40:02.724076Z [FrontendSSHTransport,520,x.x.x.x] Remote SSH version: SSH-2.0-PuTTY_Release_0.76
    2022-11-15T14:40:02.733713Z [backend_pool.pool_server.PoolServerFactory] Received connection from 127.0.0.1:41042
    2022-11-15T14:40:02.734290Z [Uninitialized] Connected to backend pool
    2022-11-15T14:40:02.734577Z [PoolServer,521,127.0.0.1] Requesting a VM for attacker @ x.x.x.x
    2022-11-15T14:40:02.734771Z [PoolServer,521,127.0.0.1] Providing VM id 0
    2022-11-15T14:40:02.735102Z [PoolClient,client] Got backend data from pool: 192.168.150.217:22
    2022-11-15T14:40:02.735196Z [PoolClient,client] Snapshot file: /home/cowrie/cowrie/var/lib/cowrie/snapshots/snapshot-ubuntu18.04-75999260d50340aa9098062da1650500.qcow2
    2022-11-15T14:40:02.735334Z [cowrie.ssh_proxy.client_transport.BackendSSHFactory#info] Starting factory <cowrie.ssh_proxy.client_transport.BackendSSHFactory object at 0x7f8a9c87f370>
    2022-11-15T14:40:02.782461Z [FrontendSSHTransport,520,x.x.x.x] SSH client hassh fingerprint: 5b7713a9ef2d162b16ea018fa8d40f02
    2022-11-15T14:40:02.783927Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] kex alg=b'curve25519-sha256' key alg=b'ssh-ed25519'
    2022-11-15T14:40:02.784027Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] outgoing: b'aes256-ctr' b'hmac-sha1' b'none'
    2022-11-15T14:40:02.784101Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] incoming: b'aes256-ctr' b'hmac-sha1' b'none'
    2022-11-15T14:40:02.850464Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] NEW KEYS
    2022-11-15T14:40:02.850962Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] starting service b'ssh-userauth'
    2022-11-15T14:40:04.530477Z [Uninitialized] Connected to SSH backend at b'192.168.150.217'
    2022-11-15T14:40:04.530869Z [Uninitialized] Connected to honeypot backend
    2022-11-15T14:40:05.694227Z [cowrie.ssh_proxy.userauth.ProxySSHAuthServer#debug] b'student' trying auth b'none'
    2022-11-15T14:40:10.343627Z [FrontendSSHTransport,520,x.x.x.x] Connection to backend not ready, buffering packet from frontend
    2022-11-15T14:40:10.344638Z [cowrie.ssh_proxy.userauth.ProxySSHAuthServer#debug] b'student' trying auth b'password'
    2022-11-15T14:40:10.345534Z [FrontendSSHTransport,520,x.x.x.x] login attempt [b'student'/b'student'] succeeded
    2022-11-15T14:40:10.362593Z [FrontendSSHTransport,520,x.x.x.x] Initialized emulated server as architecture: linux-x64-lsb
    2022-11-15T14:40:10.419995Z [FrontendSSHTransport,520,x.x.x.x] Connection to backend not ready, buffering packet from frontend
    # this might be the point where the error shows up
    2022-11-15T14:40:33.175725Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] kex alg=b'curve25519-sha256' key alg=b'ecdsa-sha2-nistp256'
    2022-11-15T14:40:33.176223Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] outgoing: b'aes256-ctr' b'hmac-sha2-512' b'none'
    2022-11-15T14:40:33.176309Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] incoming: b'aes256-ctr' b'hmac-sha2-512' b'none'
    2022-11-15T14:40:41.233811Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] NEW KEYS
    2022-11-15T14:40:41.234285Z [BackendSSHTransport,client] Backend Connection Secured
    2022-11-15T14:40:41.251355Z [BackendSSHTransport,client] Will auth with backend: x/x
    2022-11-15T14:40:41.251870Z [BackendSSHTransport,client] got channel b'session' request
    2022-11-15T14:40:54.764575Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#info] connection lost
    2022-11-15T14:40:54.765091Z [FrontendSSHTransport,520,x.x.x.x] Connection lost after 50 seconds
    2022-11-15T14:40:54.774787Z [BackendSSHTransport,client] Lost connection with the pool backend: id 0
    2022-11-15T14:40:54.775126Z [cowrie.ssh_proxy.client_transport.BackendSSHFactory#info] Stopping factory <cowrie.ssh_proxy.client_transport.BackendSSHFactory object at 0x7f8a9c87f370>
    2022-11-15T14:40:54.775420Z [PoolServer,521,127.0.0.1] Freeing VM 0
    

    Sometimes there are different logged events after a successful login attempt:

    2022-11-15T01:00:45.902697Z [BackendSSHTransport,client] [SSH] Detected Public Key Auth - Disabling!
    2022-11-15T01:00:53.399529Z [FrontendSSHTransport,57,x.x.x.x] Unhandled Error
            Traceback (most recent call last):
              File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/python/log.py", line 96, in callWithLogger
                return callWithContext({"system": lp}, func, *args, **kw)
              File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/python/log.py", line 80, in callWithContext
                return context.call({ILogContext: newCtx}, func, *args, **kw)
              File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/python/context.py", line 117, in callWithContext
                return self.currentContext().callWithContext(ctx, func, *args, **kw)
              File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/python/context.py", line 82, in callWithContext
                return func(*args, **kw)
            --- <exception caught here> ---
              File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/internet/posixbase.py", line 487, in _doReadOrWrite
                why = selectable.doRead()
              File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/internet/tcp.py", line 248, in doRead
                return self._dataReceived(data)
              File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/internet/tcp.py", line 253, in _dataReceived
                rval = self.protocol.dataReceived(data)
              File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/server_transport.py", line 244, in dataReceived
                self.dispatchMessage(message_num, packet[1:])
              File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/server_transport.py", line 261, in dispatchMessage
                self.packet_buffer(message_num, payload)
              File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/server_transport.py", line 434, in packet_buffer
                self.sshParse.parse_num_packet("[SERVER]", message_num, payload)
              File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/protocols/ssh.py", line 330, in parse_num_packet
                channel = self.get_channel(self.extract_int(4), parent)
              File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/protocols/ssh.py", line 406, in get_channel
                if channel[search] == channel_num:
            builtins.KeyError: 'clientID'
    
    2022-11-15T01:00:53.401422Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#info] connection lost
    

    I tried using a terminal to log in instead; this, however, produces different but still unsuccessful results:

    Error message:

    dispatch_protocol_error: type 7 seq 7
    Connection to x closed by remote host.
    Connection to x closed.
    

    Logged events are the same.

    Expected behavior: After successful authentication, Cowrie connects the attacker to the VM.

    Server (please complete the following information):

    • OS: Linux cowrie 5.15.0-1022-azure 27~20.04.1-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux
    • Python: Python 3.8.10
    opened by katsonka 0
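The log above is the whole story of this failure: the frontend login succeeds at 14:40:10, the backend key exchange only starts at 14:40:33 and is secured at 14:40:41, and the client gives up at 14:40:54 while packets are still being buffered. Pulling those timestamps out by hand is tedious, so here is an added example (my own code, not part of the report or of Cowrie) that reads a cowrie.log excerpt and reports the login-to-backend latency and a verdict. The thresholds, field names and verdict strings are my choices; the sample log is a trimmed copy of the session above, embedded as constructed input. Backend transport lines carry only 'client' as a tag, so they are correlated with the frontend session by order, which is adequate for a single-session excerpt.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a trimmed copy of the proxy-mode session reported above,
# used here as offline input. Only the lines the analysis keys on are kept.
SAMPLE_LOG = """\
2022-11-15T14:40:02.734771Z [PoolServer,521,127.0.0.1] Providing VM id 0
2022-11-15T14:40:02.735102Z [PoolClient,client] Got backend data from pool: 192.168.150.217:22
2022-11-15T14:40:10.343627Z [FrontendSSHTransport,520,x.x.x.x] Connection to backend not ready, buffering packet from frontend
2022-11-15T14:40:10.345534Z [FrontendSSHTransport,520,x.x.x.x] login attempt [b'student'/b'student'] succeeded
2022-11-15T14:40:10.419995Z [FrontendSSHTransport,520,x.x.x.x] Connection to backend not ready, buffering packet from frontend
2022-11-15T14:40:33.175725Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] kex alg=b'curve25519-sha256' key alg=b'ecdsa-sha2-nistp256'
2022-11-15T14:40:41.234285Z [BackendSSHTransport,client] Backend Connection Secured
2022-11-15T14:40:54.765091Z [FrontendSSHTransport,520,x.x.x.x] Connection lost after 50 seconds
2022-11-15T14:40:54.775420Z [PoolServer,521,127.0.0.1] Freeing VM 0
"""

# cowrie.log text format: ISO timestamp, [system tag], free-text message
LINE_RE = re.compile(r"^(?P<ts>\S+Z)\s+\[(?P<system>[^\]]*)\]\s+(?P<msg>.*)$")


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def analyse_proxy_session(log_text: str, max_backend_delay: float = 10.0) -> dict:
    """Build a timeline of one proxy session and say where the time went.

    Frontend lines carry the session counter (',520,' above); backend transport
    lines carry only 'client', so the first 'Backend Connection Secured' after the
    frontend login is taken to belong to that login.
    """
    t_login = t_backend_kex = t_secured = t_lost = None
    buffered = 0
    backend = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, system, msg = parse_ts(m["ts"]), m["system"], m["msg"]
        if "Got backend data from pool:" in msg:
            backend = msg.rsplit(" ", 1)[1]
        elif msg.startswith("login attempt") and msg.endswith("succeeded") and t_login is None:
            t_login = t
        elif "buffering packet from frontend" in msg:
            buffered += 1
        elif "BackendSSHTransport" in system and "kex alg=" in msg and t_backend_kex is None:
            t_backend_kex = t
        elif msg == "Backend Connection Secured" and t_secured is None:
            t_secured = t
        elif system.startswith("FrontendSSHTransport") and msg.startswith("Connection lost") and t_lost is None:
            t_lost = t

    def secs(a, b):
        return None if a is None or b is None else (b - a).total_seconds()

    report = {
        "backend": backend,
        "buffered_packets": buffered,
        "login_to_backend_kex_s": secs(t_login, t_backend_kex),
        "login_to_backend_secured_s": secs(t_login, t_secured),
        "login_to_disconnect_s": secs(t_login, t_lost),
    }
    delay = report["login_to_backend_secured_s"]
    if t_secured is None:
        report["verdict"] = "backend_never_secured"
    elif t_login is None:
        report["verdict"] = "no_frontend_login"
    elif t_lost is not None and t_secured > t_lost:
        report["verdict"] = "backend_secured_after_client_left"
    elif delay is not None and delay > max_backend_delay:
        report["verdict"] = "slow_backend"   # client waited while packets were buffered
    else:
        report["verdict"] = "ok"
    return report


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for k, v in analyse_proxy_session(text).items():
        print(f"{k:>28}: {v}")
```

Run it against a real cowrie.log to see whether the backend VM is slow to finish its own SSH handshake (the 30-odd seconds here point at the snapshot boot or the guest sshd, not at the frontend) before looking for a protocol bug.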
  • Prometheus support

    Prometheus support

    Is your feature request related to a problem? Please describe: I would like to monitor the honeypot using Prometheus.

    Describe the solution you'd like: An optional HTTP endpoint for some metrics.

    Describe alternatives you've considered: Parsing the logfiles is also possible but cumbersome, especially if you want to see the number of currently active connections and so on.

    Additional context: The cowrie process is running in k8s, where Prometheus is a common monitoring tool.

    enhancement help wanted 
    opened by runningman84 0
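Until such an endpoint exists, the alternative the request mentions (reading the logs) is less cumbersome if the JSON log is aggregated into Prometheus text exposition format by a sidecar. The following is an added example of that, my own code rather than anything shipped with Cowrie: it consumes cowrie.json lines (the eventid names are Cowrie's; the sample lines, addresses and credentials are constructed), keeps counters per eventid, protocol and login result, derives an active-session gauge from connect/closed pairs, and serves the result on /metrics using only the standard library, so no prometheus_client dependency is needed. Metric names and the port are my choices.

```python
import json
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample of cowrie.json lines (eventid names are Cowrie's; everything
# else is made up for this example).
SAMPLE_JSON = """\
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.5", "protocol": "ssh", "session": "a1b2c3d4e5f6", "timestamp": "2022-11-20T10:00:00.000000Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "session": "a1b2c3d4e5f6", "timestamp": "2022-11-20T10:00:01.000000Z"}
{"eventid": "cowrie.login.success", "username": "root", "password": "admin", "session": "a1b2c3d4e5f6", "timestamp": "2022-11-20T10:00:03.000000Z"}
{"eventid": "cowrie.command.input", "input": "uname -a", "session": "a1b2c3d4e5f6", "timestamp": "2022-11-20T10:00:05.000000Z"}
{"eventid": "cowrie.session.closed", "duration": 12.3, "session": "a1b2c3d4e5f6", "timestamp": "2022-11-20T10:00:12.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "protocol": "telnet", "session": "f6e5d4c3b2a1", "timestamp": "2022-11-20T10:01:00.000000Z"}
{"eventid": "cowrie.login.failed", "username": "admin", "password": "admin", "session": "f6e5d4c3b2a1", "timestamp": "2022-11-20T10:01:01.000000Z"}
"""


def escape_label(value: str) -> str:
    # Prometheus text exposition format escapes backslash, double quote and newline
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


class CowrieMetrics:
    """Aggregates cowrie.json events into Prometheus counters and one gauge."""

    def __init__(self):
        self.events = Counter()      # eventid -> count
        self.sessions = Counter()    # protocol -> number of connects
        self.logins = Counter()      # "success" / "failed" -> count
        self.open_sessions = set()   # session ids that connected but have not closed
        self.malformed = 0

    def ingest(self, line: str) -> None:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            self.malformed += 1
            return
        eid = ev.get("eventid", "unknown")
        self.events[eid] += 1
        if eid == "cowrie.session.connect":
            self.sessions[ev.get("protocol", "unknown")] += 1
            self.open_sessions.add(ev.get("session"))
        elif eid == "cowrie.session.closed":
            self.open_sessions.discard(ev.get("session"))
        elif eid == "cowrie.login.success":
            self.logins["success"] += 1
        elif eid == "cowrie.login.failed":
            self.logins["failed"] += 1

    def ingest_text(self, text: str) -> None:
        for line in text.splitlines():
            if line.strip():
                self.ingest(line)

    def active_sessions(self) -> int:
        return len(self.open_sessions)

    def render(self) -> str:
        out = []

        def family(name, kind, help_text, samples):
            out.append(f"# HELP {name} {help_text}")
            out.append(f"# TYPE {name} {kind}")
            for labels, value in samples:
                lbl = ",".join(f'{k}="{escape_label(str(v))}"' for k, v in labels)
                out.append(f"{name}{{{lbl}}} {value}" if lbl else f"{name} {value}")

        family("cowrie_events_total", "counter", "Cowrie events by eventid.",
               [((("eventid", e),), n) for e, n in sorted(self.events.items())])
        family("cowrie_sessions_total", "counter", "Sessions by protocol.",
               [((("protocol", p),), n) for p, n in sorted(self.sessions.items())])
        family("cowrie_login_attempts_total", "counter", "Login attempts by result.",
               [((("result", r),), n) for r, n in sorted(self.logins.items())])
        family("cowrie_active_sessions", "gauge", "Sessions connected but not yet closed.",
               [((), self.active_sessions())])
        family("cowrie_exporter_malformed_lines_total", "counter", "Unparseable log lines.",
               [((), self.malformed)])
        return "\n".join(out) + "\n"


def serve(metrics: CowrieMetrics, port: int = 9100) -> None:
    """Expose metrics.render() on /metrics (blocking)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != "/metrics":
                self.send_error(404)
                return
            body = metrics.render().encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain; version=0.0.4; charset=utf-8")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    HTTPServer(("0.0.0.0", port), Handler).serve_forever()


if __name__ == "__main__":
    import sys
    m = CowrieMetrics()
    m.ingest_text(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON)
    print(m.render())
```

As written the main block reads the file once and prints; for a k8s sidecar you would mount the volume holding cowrie.json, call ingest() for each new line as the file grows, and hand the same CowrieMetrics object to serve(). The active-session gauge is only as good as the closed events: a Cowrie restart leaves sessions open in the exporter's view, so reset it on log rotation.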
  • awk error

    awk error

    Describe the bug: Wrong awk syntax should give an error without exiting the emulated honeypot.

    Expected behavior: Output:

    awk: cmd. line:1: Hi.txt
    awk: cmd. line:1:   ^ syntax error
    

    Additional context Log file:

    2022-11-12T12:59:40.584083Z [HoneyPotSSHTransport,2,127.0.0.1] CMD: awk Hi.txt
    2022-11-12T12:59:40.584726Z [HoneyPotSSHTransport,2,127.0.0.1] Command found: awk Hi.txt
    2022-11-12T12:59:40.585040Z [HoneyPotSSHTransport,2,127.0.0.1] Unhandled Error
    	Traceback (most recent call last):
    	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/python/log.py", line 96, in callWithLogger
    	    return callWithContext({"system": lp}, func, *args, **kw)
    	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/python/log.py", line 80, in callWithContext
    	    return context.call({ILogContext: newCtx}, func, *args, **kw)
    	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/python/context.py", line 117, in callWithContext
    	    return self.currentContext().callWithContext(ctx, func, *args, **kw)
    	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/python/context.py", line 82, in callWithContext
    	    return func(*args, **kw)
    	--- <exception caught here> ---
    	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/internet/posixbase.py", line 487, in _doReadOrWrite
    	    why = selectable.doRead()
    	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/internet/tcp.py", line 248, in doRead
    	    return self._dataReceived(data)
    	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/internet/tcp.py", line 253, in _dataReceived
    	    rval = self.protocol.dataReceived(data)
    	  File "/home/cowrie/cowrie/src/cowrie/ssh/transport.py", line 146, in dataReceived
    	    self.dispatchMessage(messageNum, packet[1:])
    	  File "/home/cowrie/cowrie/src/cowrie/ssh/transport.py", line 150, in dispatchMessage
    	    transport.SSHServerTransport.dispatchMessage(self, message_num, payload)
    	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/conch/ssh/transport.py", line 790, in dispatchMessage
    	    self.service.packetReceived(messageNum, payload)
    	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/conch/ssh/service.py", line 50, in packetReceived
    	    return f(packet)
    	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/conch/ssh/connection.py", line 265, in ssh_CHANNEL_DATA
    	    channel.dataReceived(data)
    	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/conch/ssh/session.py", line 165, in dataReceived
    	    self.client.transport.write(data)
    	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/conch/ssh/session.py", line 225, in write
    	    self.proto.dataReceived(data)
    	  File "/home/cowrie/cowrie/src/cowrie/insults/insults.py", line 126, in dataReceived
    	    insults.ServerProtocol.dataReceived(self, data)
    	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/conch/insults/insults.py", line 520, in dataReceived
    	    self.terminalProtocol.keystrokeReceived(ch, None)
    	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/conch/recvline.py", line 435, in keystrokeReceived
    	    m()
    	  File "/home/cowrie/cowrie/src/cowrie/shell/protocol.py", line 329, in handle_RETURN
    	    return recvline.RecvLine.handle_RETURN(self)
    	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.10/site-packages/twisted/conch/recvline.py", line 493, in handle_RETURN
    	    self.lineReceived(line)
    	  File "/home/cowrie/cowrie/src/cowrie/shell/protocol.py", line 190, in lineReceived
    	    self.cmdstack[-1].lineReceived(line)
    	  File "/home/cowrie/cowrie/src/cowrie/shell/honeypot.py", line 114, in lineReceived
    	    self.runCommand()
    	  File "/home/cowrie/cowrie/src/cowrie/shell/honeypot.py", line 329, in runCommand
    	    self.protocol.call_command(pp, cmdclass, *cmd_array[0]["rargs"])
    	  File "/home/cowrie/cowrie/src/cowrie/shell/protocol.py", line 310, in call_command
    	    HoneyPotBaseProtocol.call_command(self, pp, cmd, *args)
    	  File "/home/cowrie/cowrie/src/cowrie/shell/protocol.py", line 199, in call_command
    	    obj.start()
    	  File "/home/cowrie/cowrie/src/cowrie/commands/awk.py", line 88, in start
    	    self.output(self.input_data)
    	  File "/home/cowrie/cowrie/src/cowrie/commands/awk.py", line 120, in output
    	    inputlines = input.split("\n")
    	builtins.AttributeError: 'NoneType' object has no attribute 'split'
    
    bug 
    opened by MandiYang 1
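The traceback shows the shape of the bug: the command object's output() assumes piped stdin (self.input_data) is always a string, but awk invoked on its own gets None, and the AttributeError escapes to Twisted and drops the session, which is the opposite of what a honeypot wants (a noisy crash is a fingerprint). The following added example is my own code, not Cowrie's awk.py: a stand-in command class with the write()/errorWrite()/input_data names Cowrie's commands use (an assumption about the shape, not a copy), plus a deliberately tiny awk that understands only '{print}' and '{print $N}' with -F. Anything else is reported in gawk's two-line format, with the caret placed where this subset parser stopped (after a leading identifier, or at column 0), which for the reporter's 'awk Hi.txt' reproduces the expected output. Missing stdin is treated as empty input instead of crashing.

```python
import re


class HoneypotCommand:
    """Stand-in for the command-object shape visible in the traceback above:
    start() runs once; input_data is the piped stdin inside a pipeline and None
    otherwise (the case that crashed the real command)."""

    def __init__(self, args, input_data=None, fs=None):
        self.args = list(args)
        self.input_data = input_data
        self.fs = fs if fs is not None else {}   # constructed fake filesystem: path -> text
        self.stdout, self.stderr = [], []
        self.exit_code = 0

    def write(self, s: str) -> None:
        self.stdout.append(s)

    def errorWrite(self, s: str) -> None:
        self.stderr.append(s)


IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Only '{print}' and '{print $N}' are emulated; anything else is a syntax error.
ACTION = re.compile(r"^\s*\{\s*print(?:\s+\$(\d+))?\s*;?\s*\}\s*$")


class AwkCommand(HoneypotCommand):
    def start(self) -> None:
        args, sep = self.args, None
        if args and args[0] == "-F" and len(args) > 1:
            sep, args = args[1], args[2:]
        elif args and args[0].startswith("-F") and len(args[0]) > 2:
            sep, args = args[0][2:], args[1:]
        if not args:
            self.errorWrite("usage: awk [-F fs] 'prog' [file ...]\n")   # abbreviated usage text
            self.exit_code = 2
            return
        program, files = args[0], args[1:]
        m = ACTION.match(program)
        if m is None:
            # gawk-style diagnostic; caret where this subset parser stopped
            ident = IDENT.match(program)
            col = ident.end() if ident else 0
            self.errorWrite(f"awk: cmd. line:1: {program}\n")
            self.errorWrite("awk: cmd. line:1: " + " " * col + "^ syntax error\n")
            self.exit_code = 1
            return
        field = m.group(1)
        text = self._read_input(files)
        if text is None:
            return
        for line in text.splitlines():
            if field is None or field == "0":
                self.write(line + "\n")
                continue
            parts = line.split(sep) if sep else line.split()
            idx = int(field) - 1
            self.write((parts[idx] if idx < len(parts) else "") + "\n")

    def _read_input(self, files):
        """Named files win, as in awk; otherwise piped stdin; otherwise there is no
        interactive stdin in the emulated shell, so treat it as empty (the fix)."""
        if files:
            chunks = []
            for name in files:
                if name not in self.fs:
                    self.errorWrite(f"awk: fatal: cannot open file `{name}' for reading: No such file or directory\n")
                    self.exit_code = 2
                    return None
                chunks.append(self.fs[name])
            return "".join(chunks)
        if self.input_data is None:
            return ""
        data = self.input_data
        return data.decode("utf-8", "replace") if isinstance(data, bytes) else data
```

The point to carry back to the real command is the last branch of _read_input(): every emulated command that reads stdin has to decide what None means and answer it inside the command, so that a malformed command line produces the same stderr a real box would and the session stays up.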
  • S3 Output doesn't upload data to bucket or show errors

    S3 Output doesn't upload data to bucket or show errors

    Describe the bug: I'm using the latest docker image of cowrie from Docker Hub with S3 output configured; even though S3 is configured (including credentials), the data is not uploaded to the S3 bucket, and the logs also don't show anything. Also, I checked AWS logs and there is no activity from the user which I set up.

    To Reproduce Steps to reproduce the behavior:

    1. Install Docker
    2. Run 'docker run -e COWRIE_OUTPUT_S3_ENABLED=true -p 2222:2222'

    Expected behavior: Upload log data to S3 bucket

    Server (please complete the following information):

    • OS: [e.g. RedHat Linux 7.1, output of uname -a]

    Additional context

    docker run -e COWRIE_OUTPUT_S3_ENABLED=true -p 2222:2222 cowrie/cowrie:latest 
    /cowrie/cowrie-env/lib/python3.9/site-packages/twisted/conch/ssh/transport.py:97: CryptographyDeprecationWarning: Blowfish has been deprecated
      b"blowfish-cbc": (algorithms.Blowfish, 16, modes.CBC),
    /cowrie/cowrie-env/lib/python3.9/site-packages/twisted/conch/ssh/transport.py:101: CryptographyDeprecationWarning: CAST5 has been deprecated
      b"cast128-cbc": (algorithms.CAST5, 16, modes.CBC),
    /cowrie/cowrie-env/lib/python3.9/site-packages/twisted/conch/ssh/transport.py:106: CryptographyDeprecationWarning: Blowfish has been deprecated
      b"blowfish-ctr": (algorithms.Blowfish, 16, modes.CTR),
    /cowrie/cowrie-env/lib/python3.9/site-packages/twisted/conch/ssh/transport.py:107: CryptographyDeprecationWarning: CAST5 has been deprecated
      b"cast128-ctr": (algorithms.CAST5, 16, modes.CTR),
    2022-11-10T03:18:48+0000 [-] Python Version 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110]
    2022-11-10T03:18:48+0000 [-] Twisted Version 22.4.0
    2022-11-10T03:18:48+0000 [-] Cowrie Version 2.3.0
    2022-11-10T03:18:48+0000 [-] Loaded output engine: jsonlog
    2022-11-10T03:18:48+0000 [-] Loaded output engine: s3
    2022-11-10T03:18:48+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 22.4.0 (/cowrie/cowrie-env/bin/python3 3.9.2) starting up.
    2022-11-10T03:18:48+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
    2022-11-10T03:18:48+0000 [-] CowrieSSHFactory starting on 2222
    2022-11-10T03:18:48+0000 [cowrie.ssh.factory.CowrieSSHFactory#info] Starting factory <cowrie.ssh.factory.CowrieSSHFactory object at 0x7ff99c1ffdc0>
    2022-11-10T03:18:48+0000 [-] Generating new RSA keypair...
    2022-11-10T03:18:48+0000 [-] Generating new ECDSA keypair...
    2022-11-10T03:18:49+0000 [-] Generating new ed25519 keypair...
    2022-11-10T03:18:49+0000 [-] Ready to accept SSH connections
    2022-11-10T03:19:02+0000 [cowrie.ssh.factory.CowrieSSHFactory] No moduli, no diffie-hellman-group-exchange-sha1
    2022-11-10T03:19:02+0000 [cowrie.ssh.factory.CowrieSSHFactory] No moduli, no diffie-hellman-group-exchange-sha256
    2022-11-10T03:19:02+0000 [cowrie.ssh.factory.CowrieSSHFactory] New connection: 172.16.0.1:62648 (172.16.0.2:2222) [session: 61d28cc80ef1]
    2022-11-10T03:19:02+0000 [HoneyPotSSHTransport,0,172.17.0.1] Remote SSH version: SSH-2.0-OpenSSH_8.6
    2022-11-10T03:19:02+0000 [HoneyPotSSHTransport,0,172.17.0.1] SSH client hassh fingerprint: ae8bdXXXXXXXXXXXXXXXXXXXX56
    2022-11-10T03:19:02+0000 [cowrie.ssh.transport.HoneyPotSSHTransport#debug] kex alg=b'curve25519-sha256' key alg=b'ssh-ed25519'
    2022-11-10T03:19:02+0000 [cowrie.ssh.transport.HoneyPotSSHTransport#debug] outgoing: b'aes128-ctr' b'hmac-sha2-512' b'none'
    2022-11-10T03:19:02+0000 [cowrie.ssh.transport.HoneyPotSSHTransport#debug] incoming: b'aes128-ctr' b'hmac-sha2-512' b'none'
    2022-11-10T03:19:04+0000 [cowrie.ssh.transport.HoneyPotSSHTransport#debug] NEW KEYS
    2022-11-10T03:19:04+0000 [cowrie.ssh.transport.HoneyPotSSHTransport#debug] starting service b'ssh-userauth'
    2022-11-10T03:19:04+0000 [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] b'root' trying auth b'none'
    2022-11-10T03:19:04+0000 [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] b'root' trying auth b'publickey'
    2022-11-10T03:19:04+0000 [HoneyPotSSHTransport,0,172.17.0.1] public key attempt for user b'root' of type b'ssh-rsa' with fingerprint d4:82:39:d0:81:65
    2022-11-10T03:19:04+0000 [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] b'root' failed auth b'publickey'
    2022-11-10T03:19:04+0000 [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] reason: ('Incorrect signature', None)
    2022-11-10T03:19:04+0000 [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] b'root' trying auth b'publickey'
    2022-11-10T03:19:04+0000 [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#error] Unsupported key type [email protected] or bad key
    2022-11-10T03:19:04+0000 [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] b'root' failed auth b'publickey'
    2022-11-10T03:19:04+0000 [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] unauthorized login: ()
    2022-11-10T03:19:08+0000 [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] b'root' trying auth b'password'
    2022-11-10T03:19:08+0000 [HoneyPotSSHTransport,0,172.17.0.1] Could not read etc/userdb.txt, default database activated
    2022-11-10T03:19:08+0000 [HoneyPotSSHTransport,0,172.17.0.1] login attempt [b'root'/b'test'] succeeded
    2022-11-10T03:19:08+0000 [HoneyPotSSHTransport,0,172.17.0.1] Initialized emulated server as architecture: linux-x64-lsb
    2022-11-10T03:19:08+0000 [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] b'root' authenticated with b'password'
    2022-11-10T03:19:08+0000 [cowrie.ssh.transport.HoneyPotSSHTransport#debug] starting service b'ssh-connection'
    2022-11-10T03:19:08+0000 [cowrie.ssh.connection.CowrieSSHConnection#debug] got channel b'session' request
    2022-11-10T03:19:08+0000 [cowrie.ssh.session.HoneyPotSSHSession#info] channel open
    2022-11-10T03:19:08+0000 [cowrie.ssh.connection.CowrieSSHConnection#debug] got global b'[email protected]' request
    2022-11-10T03:19:08+0000 [twisted.conch.ssh.session#info] Handling pty request: b'xterm-256color' (38, 115, 0, 0)
    2022-11-10T03:19:08+0000 [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,0,172.17.0.1] Terminal Size: 115 38
    2022-11-10T03:19:08+0000 [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,0,172.17.0.1] request_env: LANG=en_US.UTF-8
    2022-11-10T03:19:08+0000 [twisted.conch.ssh.session#info] Getting shell
    2022-11-10T03:19:12+0000 [HoneyPotSSHTransport,0,172.17.0.1] CMD: test
    2022-11-10T03:19:12+0000 [HoneyPotSSHTransport,0,172.17.0.1] Can't find command test
    2022-11-10T03:19:12+0000 [HoneyPotSSHTransport,0,172.17.0.1] Command not found: test
    2022-11-10T03:19:13+0000 [HoneyPotSSHTransport,0,172.17.0.1] Received CTRL-D, exiting..
    2022-11-10T03:19:13+0000 [twisted.conch.ssh.session#info] exitCode: 0
    2022-11-10T03:19:13+0000 [cowrie.ssh.connection.CowrieSSHConnection#debug] sending request b'exit-status'
    2022-11-10T03:19:13+0000 [HoneyPotSSHTransport,0,172.17.0.1] Closing TTY Log: var/lib/cowrie/tty/ba95016f2dbccab4bb9ad49192729b6d9eb20fca0dc80105647dac01917cf43c after 5 seconds
    2022-11-10T03:19:13+0000 [cowrie.ssh.connection.CowrieSSHConnection#info] sending close 0
    2022-11-10T03:19:13+0000 [cowrie.ssh.session.HoneyPotSSHSession#info] remote close
    2022-11-10T03:19:13+0000 [HoneyPotSSHTransport,0,172.17.0.1] Got remote error, code 11 reason: b'disconnected by user'
    2022-11-10T03:19:13+0000 [HoneyPotSSHTransport,0,172.17.0.1] avatar root logging out
    2022-11-10T03:19:13+0000 [cowrie.ssh.transport.HoneyPotSSHTransport#info] connection lost
    2022-11-10T03:19:13+0000 [HoneyPotSSHTransport,0,172.17.0.1] Connection lost after 11 seconds
    
    opened by tigorv 0
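Two things are worth checking before suspecting the plugin. First, the docker run line shown sets only COWRIE_OUTPUT_S3_ENABLED, and the Docker image maps environment variables to cowrie.cfg options as COWRIE_<SECTION>_<OPTION>, so the bucket and credentials have to be passed the same way (COWRIE_OUTPUT_S3_BUCKET and so on) or mounted in a config file. Second, the [output_s3] section in etc/cowrie.cfg.dist describes the plugin as uploading files that Cowrie has captured, keyed by SHA-256, not the event log; the session in the log above only runs 'test', so there is nothing for it to upload. The added example below is my own code, not Cowrie's config loader or s3 plugin: it re-implements the environment-variable convention for one section, flags a configuration that would leave the plugin silently idle, and filters a constructed cowrie.json sample down to the file_download/file_upload events that would actually trigger an upload. The option names listed are transcribed from cowrie.cfg.dist as I remember it; verify them against your copy.

```python
import json

# Options of the [output_s3] section as transcribed from etc/cowrie.cfg.dist
# (an assumption; check your copy of the file).
S3_KEYS = ("enabled", "bucket", "region", "access_key_id", "secret_access_key")


def config_from_env(environ: dict, section: str, keys) -> dict:
    """Mirror the COWRIE_<SECTION>_<OPTION> override convention used by the Docker
    image for one section; returns only the options that are actually set."""
    cfg = {}
    for key in keys:
        var = f"COWRIE_{section}_{key}".upper()
        if var in environ:
            cfg[key] = environ[var]
    return cfg


def truthy(value: str) -> bool:
    return value.strip().lower() in ("1", "true", "yes", "on")


def check_s3_output(cfg: dict) -> list:
    """Human-readable problems that would leave the plugin idle without an error."""
    if not truthy(cfg.get("enabled", "false")):
        return ["output_s3 is not enabled"]
    problems = []
    if not cfg.get("bucket"):
        problems.append("bucket is not set: nothing can be uploaded")
    if not (cfg.get("access_key_id") and cfg.get("secret_access_key")):
        problems.append("no access_key_id/secret_access_key: uploads depend on ambient "
                        "AWS credentials (instance role, ~/.aws); inside a bare container "
                        "there usually are none")
    return problems


UPLOAD_EVENTS = ("cowrie.session.file_download", "cowrie.session.file_upload")


def files_to_upload(json_lines: str) -> list:
    """Only captured-file events carry something for the s3 plugin to upload; a
    session that just runs 'test' (as in the report) yields nothing."""
    uploads = []
    for line in json_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventid") in UPLOAD_EVENTS and ev.get("shasum"):
            uploads.append({"session": ev.get("session"),
                            "shasum": ev["shasum"],
                            "outfile": ev.get("outfile")})
    return uploads


# Constructed sample: a session like the reporter's (no download) plus one that
# fetches a file with wget. Session ids, addresses and the hash are made up.
SAMPLE_EVENTS = """\
{"eventid": "cowrie.session.connect", "src_ip": "172.17.0.1", "session": "61d28cc80ef1", "protocol": "ssh"}
{"eventid": "cowrie.login.success", "username": "root", "password": "test", "session": "61d28cc80ef1"}
{"eventid": "cowrie.command.input", "input": "test", "session": "61d28cc80ef1"}
{"eventid": "cowrie.session.closed", "duration": 11, "session": "61d28cc80ef1"}
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.9", "session": "0f0f0f0f0f0f", "protocol": "ssh"}
{"eventid": "cowrie.command.input", "input": "wget http://203.0.113.10/x86", "session": "0f0f0f0f0f0f"}
{"eventid": "cowrie.session.file_download", "url": "http://203.0.113.10/x86", "outfile": "var/lib/cowrie/downloads/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", "shasum": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", "session": "0f0f0f0f0f0f"}
"""


if __name__ == "__main__":
    import os
    cfg = config_from_env(os.environ, "output_s3", S3_KEYS)
    for p in check_s3_output(cfg) or ["output_s3 config looks complete"]:
        print(p)
    for u in files_to_upload(SAMPLE_EVENTS):
        print("would upload", u["outfile"], "as", u["shasum"])
```

To see an upload happen, start the container with the bucket and credentials in the environment (COWRIE_OUTPUT_S3_BUCKET, COWRIE_OUTPUT_S3_ACCESS_KEY_ID, COWRIE_OUTPUT_S3_SECRET_ACCESS_KEY, following the same naming), log in, and run a wget or curl against a URL you control so that a cowrie.session.file_download event is produced.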
  • SSH logins are not logged

    SSH logins are not logged

    I have setup cowrie as mentioned in this article: https://cowrie.readthedocs.io/en/latest/INSTALL.html

    I'm only seeing Cowrie logging all Telnet connections to port 23. But it is not logging any SSH connections (22). What I might be missing?

    Expected behavior:

    1. I'm seeing many of these connections in cowrie logs: 2022-10-14T19:28:43.573327Z [cowrie.telnet.factory.HoneyPotTelnetFactory] New connection: 182.211.245.169:50233
    2. But none for SSH

    Server (please complete the following information):

    • OS: Linux my-linux-debian 5.10.0-11-amd64 #1 SMP Debian 5.10.92-1 (2022-01-18) x86_64 GNU/Linux
    • Python: Python 3.9.2
    question 
    opened by arunvl88 6
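The symptom described (telnet sessions logged, no SSH sessions at all) is what a missing port redirect looks like: Cowrie listens on 2222 and 2223 by default, and the INSTALL documentation has you add nat PREROUTING REDIRECT rules from 22 and 23 to those ports; if only the telnet rule exists, scanners hitting port 22 reach whatever is really on 22 (usually the host's sshd) and Cowrie never sees them. The added example below is my own checker, not part of Cowrie: it reads the [ssh]/[telnet] listen_endpoints from a cowrie.cfg fragment, parses an iptables-save nat dump, and reports per service whether the redirect is present. Both inputs are constructed samples that reproduce the telnet-only situation; IPv6 endpoints and non-REDIRECT setups (DNAT, authbind, a cloud load balancer) are outside what it checks.

```python
import configparser
import re

# Constructed inputs: a cowrie.cfg fragment and an 'iptables-save -t nat' dump in
# which only telnet (23) is redirected to Cowrie's listener.
SAMPLE_COWRIE_CFG = """\
[ssh]
enabled = true
listen_endpoints = tcp:2222:interface=0.0.0.0

[telnet]
enabled = true
listen_endpoints = tcp:2223:interface=0.0.0.0
"""

SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 23 -j REDIRECT --to-ports 2223
COMMIT
"""

WELL_KNOWN = {"ssh": 22, "telnet": 23}
ENDPOINT_RE = re.compile(r"^tcp6?:(\d+)")     # Twisted endpoint string, port first
REDIRECT_RE = re.compile(r"^-A PREROUTING\b.*--dport (\d+)\b.*-j REDIRECT --to-ports (\d+)")


def listen_ports(cfg_text: str) -> dict:
    """{'ssh': [2222], 'telnet': [2223]} for the services enabled in cowrie.cfg;
    listen_endpoints is a whitespace-separated list of endpoint strings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    ports = {}
    for svc in WELL_KNOWN:
        if not cp.has_section(svc) or not cp.getboolean(svc, "enabled", fallback=False):
            continue
        ports[svc] = []
        for ep in cp.get(svc, "listen_endpoints", fallback="").split():
            m = ENDPOINT_RE.match(ep)
            if m:
                ports[svc].append(int(m.group(1)))
    return ports


def nat_redirects(iptables_save_text: str) -> dict:
    """{dport: to_port} for REDIRECT rules in the nat PREROUTING chain."""
    redirects = {}
    for line in iptables_save_text.splitlines():
        m = REDIRECT_RE.match(line)
        if m:
            redirects[int(m.group(1))] = int(m.group(2))
    return redirects


def check_reachability(cfg_text: str, iptables_save_text: str) -> dict:
    """One status per enabled service: 'ok' (well-known port redirected to a Cowrie
    listener), 'direct' (Cowrie itself binds the well-known port, which needs
    authbind or root), or 'missing' (traffic to that port never reaches Cowrie)."""
    redirects = nat_redirects(iptables_save_text)
    status = {}
    for svc, ports in listen_ports(cfg_text).items():
        wk = WELL_KNOWN[svc]
        if wk in ports:
            status[svc] = "direct"
        elif redirects.get(wk) in ports:
            status[svc] = "ok"
        else:
            status[svc] = f"missing: no nat REDIRECT from {wk} to {ports}"
    return status


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # python check.py etc/cowrie.cfg nat.txt  (nat.txt from iptables-save -t nat)
        cfg, nat = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        cfg, nat = SAMPLE_COWRIE_CFG, SAMPLE_IPTABLES_SAVE
    for svc, st in check_reachability(cfg, nat).items():
        print(f"{svc}: {st}")
```

If the check says 'missing' for ssh, the INSTALL documentation's rule (iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222) is what is absent; remember to move the real sshd to another port first, or you will lock yourself out.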
  • How to send Cowrie output to an ELK stack

    How to send Cowrie output to an ELK stack

    https://cowrie.readthedocs.io/en/latest/elk/README.html, ElasticSearch Installation, "Enable the services": in the official documentation, after this line:

        sudo systemctl enable elasticsearch logstash kibana filebeat nginx

    kindly add the following line:

        sudo systemctl start elasticsearch

    Reason: "curl http://localhost:9200" is not possible without "sudo systemctl start elasticsearch". Reason: a few might get stuck at this point, trying to figure out what's wrong.

    opened by KumarDevdat 9
Releases(v2.4.0)
  • v2.4.0(Jul 16, 2022)

    Release 2.4.0


    • Deprecate Python 3.7
    • Early support for Python 3.11
    • ThreatJammer output plugin (@diegoparrilla)
    • Telegram output plugin (@Louren)
    • Discord output plugin (@CyberSparkNL)
    • Updated mongodb output plugin
    • Dependency upgrades
    • Docker repo merged with this one
    • wget and curl rewritten using treq.
    • Migrate test framework from trial to unittest (@lazycrazyowl)
    Source code(tar.gz)
    Source code(zip)
  • v2.3.0(Oct 17, 2021)

    Release 2.3.0

    • Deprecate Python 3.6
    • Support Python 3.10
    • Dependency updates
    • MISP Output plugin extension
    • add new public keys ECDSAKeys and ed25519 (#1627)
    • fix userdb.example (#1619)
    • cache url submission to virustotal
    • MySQL connector (#1575) - needs new external dependency mysql-connector-python
    • Fix mysql string expansion (#1565)
    • Rewrite CSIRTG output plugin to use new library version
    • Fixed the Slack output to work with the versions 2.x of slackclient
    • fix MySQL error handling
    • fix tar command
    • limit connections to private address ranges
    • Update GreyNoise Output Script to Use Community API (#1524)
    • Implement getopt-style parsing for uname (#1516)
    • Allow SSLv3 connections for wget and curl
    • Support for 301 redirects in wget
    • Malshare update API (#1472)
    • Remove hpfeeds.py in favour of hpfeeds3.py

    Source code(tar.gz)
    Source code(zip)
  • v2.2.0(Nov 11, 2020)

    Release 2.2.0

    • Deprecate Python 2.7 and 3.5
    • Command substitution with backticks (PeterSufliarsky)
    • Better chmod command line parsing (PeterSufliarsky)
    • Add uniq command (PeterSufliarsky)
    • Enhanced command substitution functionality.
    • Fix nc hang
    • Rename built-in user richard to phil, it's used as detection mechanism.
    • Binary support for cat, grep and other commands
    • Azure Sentinel output plugin
    Source code(tar.gz)
    Source code(zip)
  • v2.1.0(May 10, 2020)

    • Deprecate Python 2.7. Still works but removed from testing suite and fixing 2.7 problems will no longer have priority.
    • Disable crashreporter
    • Updated ELK documentation and output plugin
    • tee command added. Updates to cat, dd and wc.
    • Fixed SSH compression issue with AsyncSSH client
    • AbuseIP output plugin.
    Source code(tar.gz)
    Source code(zip)
  • v2.0.2(Nov 5, 2019)

  • v2.0.1(Nov 2, 2019)

  • v1.9.7(Oct 4, 2019)

  • v2.0.0(Oct 15, 2019)

    • Based on @sgtpepperpt's excellent work for GSoC we are now releasing Cowrie 2.0.0 with Proxy Support! Cowrie can now run in Proxy Mode and run a set of real live systems in the back-end using Qemu for more accurate backend simulation.
    Source code(tar.gz)
    Source code(zip)
  • 1.6.0(Apr 4, 2019)

    Release 1.6.0

    • 2019-03-31 New documentation theme
    • 2019-03-23 Greynoise output plugin (@mzfr)
    • 2019-03-19 direct-tcp forwarding now written to databases (@gborges)
    • 2019-03-19 Reverse DNS output plugin (@mzfr)
    • 2019-03-17 Shell emulation pipe upgrade (@nunonovais)
    • 2019-03-14 Shell emulation environment variables improved (@nunonovais)
    • 2019-03-14 SSH crypto parameters now configurable in config file (@msharma)
    • 2019-03-13 Disable keyboard-interactive authentication by default with option to enable
    • 2019-03-13 Added wc, crontab, chpasswd command (@nunonovais)
    • 2019-
    • 2019-03-07 Output of ssh -V now configurable in cowrie.cfg with ssh_version setting
    • 2019-03-07 Multiple timezone support in cowrie.cfg timezone directive. Default timezone is now UTC for both cowrie.log and cowrie.json
    • 2019-03-12 Handle multiple password prompt. Option to enable or disable keyboard interactive prompt.
    Source code(tar.gz)
    Source code(zip)
  • 1.5.3(Feb 12, 2019)

    Release 1.5.3

    • 2019-01-27 Telnet NAWS negotiation removed to stop NMAP cowrie detection
    • 2019-01-27 Various fixes for Python2/3 compatibility
    • 2019-01-09 Documentation converted to ReStructuredText
    • 2018-12-04 Fixes for VT output plugin to only submit new files
    Source code(tar.gz)
    Source code(zip)
  • 1.5.2(Nov 20, 2018)

    Release 1.5.2

    • 2018-11-19 Fix tftp exception and tftp test
    • 2018-11-14 Remove dblog mechanism and splunk legacy output plugin.
    • 2018-11-01 Add Python3 support for Splunk output plugin
    • 2018-10-23 Improved free command
    • 2018-10-20 Improved uname command
    • 2018-10-16 Save VT results to JSON log
    Source code(tar.gz)
    Source code(zip)
  • 1.4.1(Aug 6, 2018)

  • v1.0.0-alpha(Aug 7, 2015)
