0x01 Introduction

Cowrie is a medium-interaction SSH honeypot derived from Kippo. Deployed on the public internet it can be used to collect malicious IPs, enrich password dictionaries and gather attack samples; deployed on an internal network it can be used for intrusion detection and to slow an attacker down.

 

0x02 Installation and deployment

Edit /etc/ssh/sshd_config

and change Port 22 to Port 222,

then restart the service: systemctl restart sshd

Like Kippo, Cowrie does not support starting as root, and its default listening port is 2222, so port 22 has to be forwarded to port 2222 at the firewall (done here with firewalld, which drives iptables underneath):

[root@localhost yum.repos.d]# systemctl start firewalld
[root@localhost yum.repos.d]# firewall-cmd --permanent --add-port=222/tcp
success
[root@localhost yum.repos.d]# firewall-cmd --zone=public --add-masquerade --permanent
success
[root@localhost yum.repos.d]# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=2222 --permanent
success
[root@localhost yum.repos.d]# firewall-cmd --permanent --list-all
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 222/tcp
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=2222:toaddr=
  icmp-blocks:
  rich rules:

[root@localhost yum.repos.d]# firewall-cmd --reload
success

Install Cowrie

yum install -y epel-release

yum install -y gcc libffi-devel python-devel openssl-devel git python-pip pycrypto

adduser cowrie -p hehe123

git clone https://github.com/micheloosterhof/cowrie.git

chown -R cowrie:cowrie cowrie/

cd cowrie

mv cowrie.cfg.dist cowrie.cfg

Edit cowrie.cfg

and uncomment the line listen_port = 2222

pip install -r requirements.txt

 

0x03 Database installation

[root@localhost data]# pip install mysql-python
[root@localhost data]# yum install mariadb-server mariadb-devel mariadb
[root@localhost data]# systemctl start mariadb
[root@localhost data]# mysqladmin -u root password hehe123

 

MariaDB [(none)]> CREATE DATABASE cowrie;
Query OK, 1 row affected (0.00 sec)

MariaDB [cowrie]> source /home/cowrie/cowrie/doc/sql/mysql.sql;

MariaDB [cowrie]> show tables;
+------------------+
| Tables_in_cowrie |
+------------------+
| auth             |
| clients          |
| downloads        |
| input            |
| keyfingerprints  |
| sensors          |
| sessions         |
| ttylog           |
+------------------+
8 rows in set (0.00 sec)

Then edit the mysql section of cowrie.cfg and start Cowrie:

[root@localhost cowrie]# su cowrie
[cowrie@localhost cowrie]$ ./bin/cowrie start
Not using Python virtual environment
Starting cowrie: [twistd   --umask 0022 --pidfile var/run/cowrie.pid -l log/cowrie.log cowrie ]...

Login attempt records

MariaDB [cowrie]> select * from auth;
+----+--------------+---------+----------+----------+---------------------+
| id | session      | success | username | password | timestamp           |
+----+--------------+---------+----------+----------+---------------------+
|  1 | c66e2505a393 |       1 | root     | hehe123  | 2017-09-13 23:58:48 |
+----+--------------+---------+----------+----------+---------------------+
1 row in set (0.01 sec)

Executed command records

MariaDB [cowrie]> select * from input;
+----+--------------+---------------------+-------+---------+---------+
| id | session      | timestamp           | realm | success | input   |
+----+--------------+---------------------+-------+---------+---------+
|  1 | c66e2505a393 | 2017-09-13 23:58:51 | NULL  |       1 | whoami  |
+----+--------------+---------------------+-------+---------+---------+
1 row in set (0.01 sec)

File download records

MariaDB [cowrie]> select * from downloads\G
*************************** 1. row ***************************
       id: 1
  session: c66e2505a393
timestamp: 2017-09-14 00:01:23
      url: https://www.baidu.com/img/bd_logo1.png
  outfile: dl/264ca980f97a4f91feecdfbb12486ed9d66f57190a0c4a302602500c589847f5
   shasum: 264ca980f97a4f91feecdfbb12486ed9d66f57190a0c4a302602500c589847f5
1 row in set (0.00 sec)

 

0x04 Directory structure

data/userdb.txt: the SSH login credential file

[root@localhost cowrie]# cat data/userdb.txt
root:x:!root
root:x:!123456
root:x:*
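As an added illustration (not part of the original post or of Cowrie's own code), the following Python emulates how Cowrie evaluates the userdb.txt shown above: lines are processed in order and the first match decides, a password rule starting with ! denies, * matches anything and /regex/ is a regular expression. The handling of a trailing i flag on a regex is an assumption of this example.

```python
import re

# Constructed copy of the data/userdb.txt shown above. Cowrie processes the
# file line by line and stops at the first line that matches.
USERDB_TEXT = """# username:unused:password
root:x:!root
root:x:!123456
root:x:*
"""

def parse_userdb(text):
    """Return (username_rule, password_rule) pairs, skipping comments and
    malformed lines (a malformed line is ignored rather than granting access)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) == 3:
            rules.append((parts[0], parts[2]))
    return rules

def _match(pattern, value):
    """'*' matches anything, /regex/ (optionally /regex/i, an assumption here)
    is a regular expression, anything else must match exactly."""
    if pattern == "*":
        return True
    m = re.fullmatch(r"/(.*)/(i?)", pattern)
    if m:
        flags = re.IGNORECASE if m.group(2) else 0
        return re.search(m.group(1), value, flags) is not None
    return pattern == value

def check_login(rules, username, password):
    """First matching line decides: a password rule starting with '!' denies,
    any other match allows. No matching line at all means deny."""
    for user_rule, pass_rule in rules:
        if not _match(user_rule, username):
            continue
        deny = pass_rule.startswith("!")
        if _match(pass_rule[1:] if deny else pass_rule, password):
            return not deny
    return False

RULES = parse_userdb(USERDB_TEXT)
```

With the three lines above, root/root and root/123456 are rejected while any other password for root is accepted, which is why the auth table later shows root/hehe123 as a successful login.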

txtcmds/*: files holding the canned output returned for executed commands

[root@localhost bin]# file df
df: ASCII text
[root@localhost bin]# cat df
Filesystem                                              Size  Used Avail Use% Mounted on
rootfs                                                  4.7G  731M  3.8G  17% /
udev                                                     10M     0   10M   0% /dev
tmpfs                                                    25M  192K   25M   1% /run
/dev/disk/by-uuid/65626fdc-e4c5-4539-8745-edc212b9b0af  4.7G  731M  3.8G  17% /
tmpfs                                                   5.0M     0  5.0M   0% /run/lock
tmpfs                                                   101M     0  101M   0% /run/shm

dl/*: files the attacker downloaded with curl/wget.

[root@localhost dl]# ls
264ca980f97a4f91feecdfbb12486ed9d66f57190a0c4a302602500c589847f5

bin/playlog: replays a session log; the logs are stored under log/tty/, and replaying one shows the commands the attacker ran step by step.

[root@localhost cowrie]# ./bin/playlog  log/tty/20170913-233922-21cf6e129ef5-0i.log

data/fs.pickle: the emulated file system

honeyfs/: file contents for the emulated file system

[root@localhost cowrie]# cat honeyfs/etc/issue
Debian GNU/Linux 7 \n \l

log/cowrie.json: processed output in JSON format, one event per line

log/cowrie.log: log/debug output
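The following added Python (not from the post or the Cowrie project) shows how log/cowrie.json can be mined for what the introduction lists: attacking IPs, credentials tried and downloaded samples. It runs on a constructed sample and assumes Cowrie's eventid and field names as the author of this example knows them; a truncated line, as a crash can leave behind, is skipped rather than aborting the run.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of log/cowrie.json: one JSON object per line. Field and
# eventid names follow Cowrie's JSON output as known to the author of this
# example (an assumption); IPs and sessions are made up, the last line is cut.
SAMPLE_LOG = r"""
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"c66e2505a393","timestamp":"2017-09-13T23:58:40Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.7","session":"c66e2505a393"}
{"eventid":"cowrie.login.success","username":"root","password":"hehe123","src_ip":"203.0.113.7","session":"c66e2505a393"}
{"eventid":"cowrie.command.input","input":"whoami","src_ip":"203.0.113.7","session":"c66e2505a393"}
{"eventid":"cowrie.session.file_download","url":"https://www.baidu.com/img/bd_logo1.png","shasum":"264ca980f97a4f91feecdfbb12486ed9d66f57190a0c4a302602500c589847f5","src_ip":"203.0.113.7","session":"c66e2505a393"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.9","session":"0a1b2c3d4e5f","timestamp":"2017-09-14T00:02:00Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"198.51.100.9","session":"0a1b2c3d4e5f"}
{"eventid":"cowrie.login.failed","username":"root","pass
"""

def parse_events(text):
    """Yield one dict per well-formed line; malformed or truncated lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def summarize(events):
    """Sessions per source IP, credential pairs tried, commands per session
    and downloaded samples keyed by SHA-256 (so a repeat download counts once)."""
    sessions_per_ip = Counter()
    creds = Counter()
    commands = defaultdict(list)
    downloads = {}
    for ev in events:
        kind = ev.get("eventid", "")
        if kind == "cowrie.session.connect":
            sessions_per_ip[ev.get("src_ip")] += 1
        elif kind in ("cowrie.login.failed", "cowrie.login.success"):
            creds[(ev.get("username"), ev.get("password"))] += 1
        elif kind == "cowrie.command.input":
            commands[ev.get("session")].append(ev.get("input"))
        elif kind == "cowrie.session.file_download":
            downloads[ev.get("shasum")] = ev.get("url")
    return {"ips": sessions_per_ip, "creds": creds, "commands": dict(commands), "downloads": downloads}

SUMMARY = summarize(parse_events(SAMPLE_LOG))
```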

 

 

Vulnerability details
CVE-2017-1000367: when determining the tty, sudo does not correctly parse the contents of /proc/[pid]/stat. A local attacker may use this to overwrite any file on the file system, bypassing the intended permissions or obtaining a root shell.

Prerequisites for exploitation
1) SELinux must be enabled
2) The user must have sudo privileges, i.e. must be listed in /etc/sudoers

How to check
CentOS / RHEL / SUSE / openSUSE: rpm -qa|grep sudo
Ubuntu / Debian: dpkg -l sudo

Fix
yum update sudo

Fixed versions

1. CentOS / Red Hat
CentOS / RHEL 7: 1.8.6p7-22.el7_3
CentOS / RHEL 6: 1.8.6p3-28.el6_9
CentOS / RHEL 5: 1.7.2p1-30.el5_11
2. Ubuntu
Ubuntu 14.04: 1.8.9p5-1ubuntu1.4
Ubuntu 16.04: 1.8.16-0ubuntu1.4
Ubuntu 16.10: 1.8.16-0ubuntu3.2
Ubuntu 17.04: 1.8.19p1-1ubuntu1.1
3. Debian
Debian wheezy: 1.8.5p2-1+nmu3+deb7u3
Debian jessie: 1.8.10p3-1+deb8u4
4. SUSE / openSUSE
1.8.10p3-2.11.1
1.8.10p3-10.5.1

Test process on CentOS 7:
Check the sudo version:

[root@localhost yum.repos.d]# rpm -qa | grep sudo
sudo-1.8.6p7-16.el7.x86_64
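As an added check (not from the original post), this Python compares a sudo package string as printed by rpm -qa against the fixed builds listed above for CentOS/RHEL 5/6/7, using a simplified version of rpm's segment-by-segment version comparison; tilde/caret ordering and dpkg-style versions are deliberately left out.

```python
import re

# Fixed sudo builds for RPM-based distributions as listed in this post
# (version-release, architecture suffix dropped).
FIXED_RPM = {
    "el7": "1.8.6p7-22.el7_3",
    "el6": "1.8.6p3-28.el6_9",
    "el5": "1.7.2p1-30.el5_11",
}

def _segments(s):
    # rpm splits a version on non-alphanumerics into all-digit or all-letter
    # runs; '~' and '^' ordering is left out (assumed not needed for sudo).
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpm version compare: -1 if a is older, 0 if equal, 1 if newer."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment beats a letter one
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_package(pkg):
    """'sudo-1.8.6p7-16.el7.x86_64' -> ('1.8.6p7', '16.el7')."""
    m = re.fullmatch(r"sudo-([^-]+)-(.+)\.(x86_64|i686|aarch64|noarch)", pkg)
    if not m:
        raise ValueError("unexpected package string: " + pkg)
    return m.group(1), m.group(2)

def is_vulnerable(pkg):
    """True when the installed sudo is older than the fixed build for its el release."""
    version, release = split_package(pkg)
    dist = re.search(r"el\d+", release)
    if not dist or dist.group(0) not in FIXED_RPM:
        raise ValueError("no fixed version known for " + pkg)
    fixed_version, fixed_release = FIXED_RPM[dist.group(0)].split("-", 1)
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return order < 0
```

For the build printed above, is_vulnerable("sudo-1.8.6p7-16.el7.x86_64") returns True because release 16 is older than the fixed 22.el7_3.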

Grant the test user sudo privileges

[root@localhost yum.repos.d]# grep 'vinc' /etc/sudoers
vinc ALL=(ALL) NOPASSWD: /usr/bin/sum

Check whether SELinux is enabled

[root@localhost yum.repos.d]# getenforce 
Enforcing

Privilege escalation program: https://github.com/c0d3z3r0/sudo-CVE-2017-1000367
The unprivileged account vinc has no write permission on /etc/motd.

[vinc@localhost tmp]$ ll /etc/motd
-rw-r--r--. 1 root root 106 7月 6 19:44 /etc/motd
[vinc@localhost ~]$ echo 1 > /etc/motd
-bash: /etc/motd: 权限不够
Then run the privilege escalation program
[vinc@localhost tmp]$ gcc -o sudopwn sudopwn.c -lutil
[vinc@localhost tmp]$ ./sudopwn 
[vinc@localhost tmp]$ cat /etc/motd 
/usr/bin/sum:无法识别的选项“--
HELLO
WORLD
”
Try '/usr/bin/sum --help' for more information.

/etc/motd has been overwritten.

References:
http://bbs.pediy.com/thread-218260.htm
https://github.com/c0d3z3r0/sudo-CVE-2017-1000367