[Honeypot] Cowrie: an SSH / Telnet honeypot

0x01 Introduction

Cowrie is a medium-interaction SSH honeypot forked from Kippo. Deployed on the public internet it can be used to collect malicious IPs, enrich password dictionaries and capture attack samples; deployed on an internal network it can be used to detect intrusions and slow an attacker down.


0x02 Installation and deployment

Edit /etc/ssh/sshd_config and change Port 22 to Port 222, then restart the service:

systemctl restart sshd

Like Kippo, Cowrie does not run as root, and its default listening port is 2222, so port 22 has to be forwarded to port 2222 at the firewall (with iptables, or, as below, with firewalld).

[root@localhost yum.repos.d]# systemctl start firewalld
[root@localhost yum.repos.d]# firewall-cmd --permanent --add-port=222/tcp
success
[root@localhost yum.repos.d]# firewall-cmd --zone=public --add-masquerade --permanent
success
[root@localhost yum.repos.d]# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=2222 --permanent
success
[root@localhost yum.repos.d]# firewall-cmd --permanent --list-all
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 222/tcp
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=2222:toaddr=
  icmp-blocks:
  rich rules:

[root@localhost yum.repos.d]# firewall-cmd --reload
success

Install Cowrie

yum install -y epel-release
yum install -y gcc libffi-devel python-devel openssl-devel git python-pip pycrypto
adduser cowrie -p hehe123
git clone https://github.com/micheloosterhof/cowrie.git
chown -R cowrie:cowrie cowrie/
cd cowrie
mv cowrie.cfg.dist cowrie.cfg

Edit cowrie.cfg and uncomment the line listen_port = 2222, then install the Python dependencies:

pip install -r requirements.txt


0x03 Database setup

[root@localhost data]# pip install mysql-python
[root@localhost data]# yum install mariadb-server mariadb-devel mariadb
[root@localhost data]# systemctl start mariadb
[root@localhost data]# mysqladmin -u root password hehe123


MariaDB [(none)]> CREATE DATABASE cowrie;
Query OK, 1 row affected (0.00 sec)

MariaDB [cowrie]> source /home/cowrie/cowrie/doc/sql/mysql.sql;
MariaDB [cowrie]> show tables;
+------------------+
| Tables_in_cowrie |
+------------------+
| auth             |
| clients          |
| downloads        |
| input            |
| keyfingerprints  |
| sensors          |
| sessions         |
| ttylog           |
+------------------+
8 rows in set (0.00 sec)

Then update the mysql section of cowrie.cfg and start Cowrie as the cowrie user:

[root@localhost cowrie]# su cowrie
[cowrie@localhost cowrie]$ ./bin/cowrie start
Not using Python virtual environment
Starting cowrie: [twistd   --umask 0022 --pidfile var/run/cowrie.pid -l log/cowrie.log cowrie ]...

Login credential records

MariaDB [cowrie]> select * from auth;
+----+--------------+---------+----------+----------+---------------------+
| id | session      | success | username | password | timestamp           |
+----+--------------+---------+----------+----------+---------------------+
|  1 | c66e2505a393 |       1 | root     | hehe123  | 2017-09-13 23:58:48 |
+----+--------------+---------+----------+----------+---------------------+
1 row in set (0.01 sec)

Executed command records

MariaDB [cowrie]> select * from input;
+----+--------------+---------------------+-------+---------+---------+
| id | session      | timestamp           | realm | success | input   |
+----+--------------+---------------------+-------+---------+---------+
|  1 | c66e2505a393 | 2017-09-13 23:58:51 | NULL  |       1 | whoami  |
+----+--------------+---------------------+-------+---------+---------+
1 row in set (0.01 sec)

Downloaded file records

MariaDB [cowrie]> select * from downloads\G
*************************** 1. row ***************************
       id: 1
  session: c66e2505a393
timestamp: 2017-09-14 00:01:23
      url: https://www.baidu.com/img/bd_logo1.png
  outfile: dl/264ca980f97a4f91feecdfbb12486ed9d66f57190a0c4a302602500c589847f5
   shasum: 264ca980f97a4f91feecdfbb12486ed9d66f57190a0c4a302602500c589847f5
1 row in set (0.00 sec)


0x04 Directory structure

data/userdb.txt: the SSH credential file that decides which logins the honeypot accepts (in this format a leading ! rejects that password and * accepts any password)

[root@localhost cowrie]# cat data/userdb.txt
root:x:!root
root:x:!123456
root:x:*

txtcmds/*: canned output files returned for emulated commands

[root@localhost bin]# file df
df: ASCII text
[root@localhost bin]# cat df
Filesystem                                              Size  Used Avail Use% Mounted on
rootfs                                                  4.7G  731M  3.8G  17% /
udev                                                     10M     0   10M   0% /dev
tmpfs                                                    25M  192K   25M   1% /run
/dev/disk/by-uuid/65626fdc-e4c5-4539-8745-edc212b9b0af  4.7G  731M  3.8G  17% /
tmpfs                                                   5.0M     0  5.0M   0% /run/lock
tmpfs                                                   101M     0  101M   0% /run/shm

dl/*: files the attacker downloaded with curl/wget, stored under their SHA-256 hash.

[root@localhost dl]# ls
264ca980f97a4f91feecdfbb12486ed9d66f57190a0c4a302602500c589847f5

bin/playlog: replays the session logs kept under log/tty/, so you can watch the attacker's commands being typed.

[root@localhost cowrie]# ./bin/playlog  log/tty/20170913-233922-21cf6e129ef5-0i.log

data/fs.pickle: the fake filesystem

honeyfs/: the file contents of the fake filesystem

[root@localhost cowrie]# cat honeyfs/etc/issue 
Debian GNU/Linux 7 \n \l

log/cowrie.json: event output in JSON format

log/cowrie.log: log/debug output
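The JSON log is the easiest output to post-process. As an added example (not part of the original post and not Cowrie's own code), the Python below groups cowrie.json events by session and picks out the sessions worth looking at first; it assumes the eventid names Cowrie uses (cowrie.login.failed, cowrie.login.success, cowrie.command.input, cowrie.session.file_download), and the log lines in it are constructed, not captured.

```python
import json
from collections import defaultdict

# Constructed sample lines in the shape of log/cowrie.json (one JSON object per line); the values are made up.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","session":"c66e2505a393","src_ip":"203.0.113.5","username":"root","password":"123456","timestamp":"2017-09-13T23:58:40Z"}
{"eventid":"cowrie.login.success","session":"c66e2505a393","src_ip":"203.0.113.5","username":"root","password":"hehe123","timestamp":"2017-09-13T23:58:48Z"}
{"eventid":"cowrie.command.input","session":"c66e2505a393","src_ip":"203.0.113.5","input":"whoami","timestamp":"2017-09-13T23:58:51Z"}
{"eventid":"cowrie.session.file_download","session":"c66e2505a393","src_ip":"203.0.113.5","url":"https://www.baidu.com/img/bd_logo1.png","shasum":"264ca980f97a4f91feecdfbb12486ed9d66f57190a0c4a302602500c589847f5","timestamp":"2017-09-14T00:01:23Z"}
{"eventid":"cowrie.login.failed","session":"0a1b2c3d4e5f","src_ip":"198.51.100.9","username":"admin","password":"admin","timestamp":"2017-09-14T00:05:00Z"}
this line is corrupt and must be skipped
"""

def parse_events(text):
    """Yield one dict per valid JSON line; skip blank or corrupt lines rather than aborting."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except ValueError:
            continue

def summarise_sessions(text):
    """Group events by session id and collect credentials, commands and downloads."""
    sessions = defaultdict(lambda: {"src_ip": None, "failed": [], "success": [],
                                    "commands": [], "downloads": []})
    for ev in parse_events(text):
        s = sessions[ev.get("session", "?")]
        s["src_ip"] = s["src_ip"] or ev.get("src_ip")
        eid = ev.get("eventid", "")
        if eid == "cowrie.login.failed":
            s["failed"].append((ev.get("username"), ev.get("password")))
        elif eid == "cowrie.login.success":
            s["success"].append((ev.get("username"), ev.get("password")))
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input"))
        elif eid == "cowrie.session.file_download":
            s["downloads"].append((ev.get("url"), ev.get("shasum")))
    return dict(sessions)

def interesting_sessions(summary):
    """Sessions that logged in and then ran commands or fetched files: triage these first."""
    return sorted(sid for sid, s in summary.items()
                  if s["success"] and (s["commands"] or s["downloads"]))

if __name__ == "__main__":
    print(interesting_sessions(summarise_sessions(SAMPLE_LOG)))
```

The shasum values collected per session are the file names under dl/, so they can be matched straight back to the captured samples.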