2018/2/7 0:54:28 [Original]
Cowrie is a medium-interaction SSH and Telnet honeypot designed to log brute-force attacks and the shell interaction performed by the attacker. (GitHub)
Cowrie is developed by Michel Oosterhof. (Documentation)
Required software:
Python 2.7+ (Python 3 is not yet supported because of the Twisted dependency)
virtualenv for Python
Features:
Because the tutorials found online while setting up the environment were all based on Cowrie v1.0, this article targets the latest version of Cowrie on GitHub.
root@xu:~# adduser cowrie
root@xu:~# apt-get install git python-virtualenv libssl-dev libffi-dev build-essential libpython-dev python2.7-minimal authbind
root@xu:~# cd /opt
root@xu:~# apt-get install git
root@xu:~# git clone http://github.com/micheloosterhof/cowrie
root@xu:~# chown -R cowrie:cowrie /opt/cowrie
root@xu:~# apt-get install virtualenv
root@xu:~# cd /opt/cowrie
root@xu:/opt/cowrie# virtualenv cowrie-env
root@xu:/opt/cowrie# source cowrie-env/bin/activate
(cowrie-env) root@xu:/opt/cowrie# pip install --upgrade pip
(cowrie-env) root@xu:/opt/cowrie# pip install --upgrade -r requirements.txt
Install the configuration file
Cowrie's configuration is stored in cowrie.cfg.dist and cowrie.cfg. Both files are read at startup, and entries from cowrie.cfg take precedence. The .dist file may be overwritten by upgrades, while cowrie.cfg is left untouched. To run with the standard configuration, nothing needs to be changed. For example, to enable telnet, create cowrie.cfg and enter only the following:
(cowrie-env) root@xu:/opt/cowrie# vim cowrie.cfg
[telnet]
enabled = true
Generate a DSA key (optional)
This step should not be necessary, but some versions of Twisted are incompatible. To avoid problems ahead of time, run:
(cowrie-env) root@xu:/opt/cowrie# cd data/
(cowrie-env) root@xu:/opt/cowrie/data# ls
fs.pickle userdb.txt
(cowrie-env) root@xu:/opt/cowrie/data# ssh-keygen -t dsa -b 1024 -f ssh_host_dsa_key
(cowrie-env) root@xu:/opt/cowrie/data# cd ..
cowrie@xu:/opt/cowrie$ cd bin/
cowrie@xu:/opt/cowrie/bin$ ./cowrie start
Using default Python virtual environment "/opt/cowrie/cowrie-env"
Starting cowrie: [twistd --umask 0022 --pidfile var/run/cowrie.pid -l log/cowrie.log cowrie ]...
Cowrie listens on port 2222 by default; this can be changed in the configuration file.
The following firewall rule redirects incoming traffic on port 22 to port 2222
cowrie@xu:/opt/cowrie/bin$ sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
At this point you get a message that the cowrie user is not in the sudoers file; you can add cowrie to the sudoers file
root@xu:~# vim /etc/sudoers
root ALL=(ALL:ALL) ALL
cowrie ALL=(ALL:ALL) ALL
cowrie@xu:/opt/cowrie/bin$ sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
cowrie@xu:/opt/cowrie/bin$ sudo iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 redir ports 2222
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Configure additional output plugins (optional)
Cowrie automatically writes event data to text and JSON log files in ~/cowrie/log. Additional output plugins can be configured to record the data in other ways. Supported output plugins include:
Cuckoo
ELK (Elastic) Stack
Graylog
Kippo-Graph
Splunk
SQL (MySQL, SQLite3, RethinkDB)
For details, see ~/cowrie/doc/[Output Plugin]/README.md.
cowrie@xu:/opt/cowrie$ bin/cowrie stop
cowrie@xu:/opt/cowrie$ git pull
cowrie@xu:/opt/cowrie$ pip install --upgrade -r requirements.txt
cowrie@xu:/opt/cowrie$ bin/cowrie start
root@xu:~# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
cowrie@xu:/opt$ sudo apt-get install mysql-server libmysqlclient-dev python-mysqldb
cowrie@xu:/opt$ source cowrie/cowrie-env/bin/activate
(cowrie-env) cowrie@xu:/opt$ pip install mysqlclient
The previously used MySQL-python is obsolete; if you run into problems with mysqlclient, you can fall back to MySQL-python:
root@xu:/opt# pip install MySQL-python
(cowrie-env) cowrie@xu:/opt/cowrie$ mysql -u root -p
Create a cowrie user account for the database and grant it access:
mysql> CREATE DATABASE cowrie;
All privileges
mysql> GRANT ALL ON cowrie.* TO 'cowrie'@'localhost' IDENTIFIED BY 'cowrie';
Restricted privileges, i.e. grant the cowrie account fewer rights (choose one of the two)
mysql> GRANT INSERT, SELECT, UPDATE ON cowrie.* TO 'cowrie'@'localhost' IDENTIFIED BY 'cowrie';
Apply the privilege settings and exit mysql
mysql> FLUSH PRIVILEGES;
mysql> exit
Log in to the MySQL database with the cowrie account to verify that access is correct, and load the database schema provided in the doc/sql/ directory
(cowrie-env) cowrie@xu:/opt/cowrie$ cd doc/sql/
(cowrie-env) cowrie@xu:/opt/cowrie/doc/sql# mysql -u cowrie -p
mysql> show databases;
mysql> use cowrie;
mysql> source mysql.sql;
Query OK, 0 rows affected (0.02 sec)
mysql> exit
Cowrie configuration
In the output plugin section, uncomment and update the following entries in ~/cowrie/cowrie.cfg (line 415)
(cowrie-env) root@xu:/opt/cowrie# vim cowrie.cfg.dist
[output_mysql]
host = localhost
database = cowrie
username = cowrie
password = cowrie
port = 3306
debug = false
(cowrie-env) cowrie@xu:/opt/cowrie/bin$ ./cowrie restart
Note: at this step an error originally occurred, saying the MySQLdb module could not be found. While debugging, I tried the pip install mysql-python above; according to Baidu this is caused by [differences between Python versions (link to the solution)](https://stackoverflow.com/questions/454854/no-module-named-mysqldb). In addition, I also changed the owner of the cowrie-env directory. I am not sure which of these methods fixed the problem; I suggest trying them once the error appears.
$ sudo chown -R cowrie:cowrie /opt/cowrie-env
Verify that the MySQL output engine has been loaded
(cowrie-env) cowrie@xu:/opt/cowrie$ cd log/
(cowrie-env) cowrie@xu:/opt/cowrie/log$ tail cowrie.log
2018-02-07T13:35:09+0800 [-] Loaded output engine: jsonlog
2018-02-07T13:35:09+0800 [-] Loaded output engine: mysql
2018-02-07T13:35:09+0800 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 17.9.0 (/opt/cowrie/cowrie-env/bin/python2 2.7.14) starting up.
2018-02-07T13:35:09+0800 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
2018-02-07T13:35:09+0800 [-] CowrieSSHFactory starting on 2222
2018-02-07T13:35:09+0800 [cowrie.ssh.factory.CowrieSSHFactory#info] Starting factory <cowrie.ssh.factory.CowrieSSHFactory instance at 0x7f00e9fe65a8>
2018-02-07T13:35:09+0800 [-] Ready to accept SSH connections
Confirm that events are recorded in the MySQL database
Confirm that the iptables rule has been entered correctly
root@xu:~# iptables-save
-A PREROUTING -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
Log in to this Cowrie honeypot from Linux or with Xshell on Windows
[c:\~]$ ssh cowrie@10.10.10.156 22
The login passwords are kept in this file (!123456 means any password other than 123456 can log in; you can manually add login passwords for the cowrie account).
root@xu:/opt/cowrie/data# cat userdb.txt
root:x:!root
root:x:!123456
root:x:*
richard:x:*
richard:x:fout
cowrie:x:!root
cowrie:x:!123456
cowrie:x:*
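The matching rules the file above relies on, as an added example (my own code, not Cowrie's): a small re-implementation of the userdb.txt semantics described here, entries read top to bottom, a `!password` line denying that password and `*` accepting anything not denied earlier, so the effect of an edit can be checked before the honeypot goes live.

```python
# Added example (my own code, not Cowrie's): a re-implementation of the
# userdb.txt matching rules described above, so the effect of "!" and "*"
# entries can be checked before the honeypot is deployed.
# Each line is username:x:rule, where rule is one of
#   "!secret" -> explicitly deny this password
#   "*"       -> accept any password not denied by an earlier line
#   "secret"  -> accept exactly this password
# Lines are evaluated top to bottom; the first deny or accept decides.

# Constructed sample, identical to the userdb.txt listing above.
USERDB_TXT = """\
root:x:!root
root:x:!123456
root:x:*
richard:x:*
richard:x:fout
cowrie:x:!root
cowrie:x:!123456
cowrie:x:*
"""

def parse_userdb(text):
    """Return (username, rule) pairs, skipping blank lines and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _x, rule = line.split(":", 2)  # middle field "x" is unused
        rules.append((user, rule))
    return rules

def check_login(rules, username, password):
    """True if the honeypot would accept this username/password pair."""
    for user, rule in rules:
        if user != username:
            continue
        if rule.startswith("!") and rule[1:] == password:
            return False  # explicit deny wins over a later wildcard
        if rule == "*" or rule == password:
            return True
    return False  # no entry for this user, or nothing matched

def denied_passwords(rules, username):
    """Passwords explicitly denied for a user (sanity check after editing the file)."""
    return [rule[1:] for user, rule in rules if user == username and rule.startswith("!")]

if __name__ == "__main__":
    rules = parse_userdb(USERDB_TXT)
    for user, pw in [("root", "root"), ("root", "123456"), ("root", "sss"), ("nobody", "x")]:
        print(user, pw, "ACCEPT" if check_login(rules, user, pw) else "DENY")
```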
After a successful login, query in mysql
(cowrie-env) cowrie@xu:/opt/cowrie/log$ mysql -u cowrie -p
mysql> show databases;
mysql> use cowrie;
mysql> SELECT * FROM auth;
+----+--------------+---------+----------+----------+---------------------+
| id | session | success | username | password | timestamp |
+----+--------------+---------+----------+----------+---------------------+
| 1 | b9e664291b7f | 0 | cowrie | sa | 2018-02-07 13:47:28 |
| 2 | 2c1dfc230aa8 | 1 | cowrie | dsadsa | 2018-02-07 13:55:48 |
+----+--------------+---------+----------+----------+---------------------+
mysql> SELECT * FROM sessions;
+--------------+---------------------+---------------------+--------+------------+----------+--------+
| id | starttime | endtime | sensor | ip | termsize | client |
+--------------+---------------------+---------------------+--------+------------+----------+--------+
| 2c1dfc230aa8 | 2018-02-07 13:55:47 | NULL | 1 | 10.10.10.1 | 25x133 | 1 |
| b9e664291b7f | 2018-02-07 13:47:25 | 2018-02-07 13:49:25 | 1 | 10.10.10.1 | NULL | 1 |
+--------------+---------------------+---------------------+--------+------------+----------+--------+
mysql> SELECT * FROM input;
Empty set (0.00 sec)
(cowrie-env) cowrie@xu:/opt/cowrie$ cd doc/systemd/
(cowrie-env) cowrie@xu:/opt/cowrie/doc/systemd$ sudo cp cowrie.service /etc/systemd/system
(cowrie-env) cowrie@xu:/opt/cowrie$ sudo systemctl daemon-reload
(cowrie-env) cowrie@xu:/opt/cowrie/bin$ sudo service cowrie start
Job for cowrie.service failed because the control process exited with error code.
See "systemctl status cowrie.service" and "journalctl -xe" for details.
(cowrie-env) cowrie@xu:/opt/cowrie/bin$ systemctl status cowrie.service
● cowrie.service - Cowrie SSH and Telnet Honeypot
Loaded: loaded (/etc/systemd/system/cowrie.service; enabled; vendor preset: e
Active: failed (Result: exit-code) since Wed 2018-02-07 16:04:13 CST; 1min 1s
Docs: https://github.com/micheloosterhof/cowrie
Process: 6113 ExecStart=/home/cowrie/cowrie/bin/cowrie start (code=exited, sta
(cowrie-env) cowrie@xu:/opt/cowrie/bin$ sudo vim /etc/systemd/system/cowrie.service
:.,$s/home\/cowrie\/cowrie/opt\/cowrie/g
(cowrie-env) cowrie@xu:/opt/cowrie$ sudo systemctl daemon-reload
(cowrie-env) cowrie@xu:/opt/cowrie$ sudo systemctl enable cowrie.service
cowrie@xu:~$ vim /etc/sysctl.conf
net.ipv4.ip_forward=1
root@xu:~# iptables-save
root@xu:~# iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
root@xu:~# iptables-save
Comprehensive test
Test from another Linux system or from Windows
[c:\~]$ ssh root@10.10.10.156 22
[c:\~]$ ssh cowrie@10.10.10.156 22
root@kali:~# ssh root@10.10.10.156 22
Upload files with Xshell (four files were uploaded)
Check README.md in cowrie for the description of the file system layout:
cowrie.cfg - Cowrie's configuration file. Default values can be found in cowrie.cfg.dist
data/fs.pickle - the fake file system
data/userdb.txt - credentials that are allowed or denied access to the honeypot
dl/ - files transferred from the attacker to the honeypot are stored here
honeyfs/ - file contents for the fake file system - feel free to copy a real system here or use bin/fsctl
log/cowrie.json - transaction output in JSON format
log/cowrie.log - log/debug output
log/tty/*.log - session logs
txtcmds/ - file contents for simulated commands
bin/createfs - used to create the fake file system
bin/playlog - utility to replay session logs
After several tests, query in mysql
cowrie@xu:/opt/cowrie/dl$ ls
cowrie@xu:/opt/cowrie/log$ ls
cowrie@xu:/opt/cowrie/log$ tail cowrie.log
cowrie@xu:/opt/cowrie/log$ tail cowrie.json
cowrie@xu:/opt/cowrie/log$ tail lastlog.txt
cowrie@xu:/opt/cowrie/log$ ls tty/
mysql> select * from sessions;
+--------------+---------------------+---------------------+--------+--------------+----------+--------+
| id | starttime | endtime | sensor | ip | termsize | client |
+--------------+---------------------+---------------------+--------+--------------+----------+--------+
| 09ed9c90ebe9 | 2018-02-07 16:55:08 | 2018-02-07 16:58:09 | 1 | 10.10.10.1 | 19x62 | 1 |
| 2c1dfc230aa8 | 2018-02-07 13:55:47 | 2018-02-07 13:58:49 | 1 | 10.10.10.1 | 25x133 | 1 |
| 31651a37bcd6 | 2018-02-07 16:49:25 | 2018-02-07 16:49:30 | 1 | 10.10.10.1 | 25x133 | 1 |
| 43f73636d26c | 2018-02-07 16:40:50 | 2018-02-07 16:41:02 | 1 | 10.10.10.1 | 25x133 | 1 |
| 4714f186ec42 | 2018-02-07 16:49:46 | 2018-02-07 16:49:57 | 1 | 10.10.10.1 | 25x133 | 1 |
| 5a4b5bea9617 | 2018-02-07 16:49:32 | 2018-02-07 16:52:41 | 1 | 10.10.10.1 | 25x133 | 1 |
| 6327065959e7 | 2018-02-07 16:55:12 | 2018-02-07 16:55:32 | 1 | 10.10.10.1 | NULL | 1 |
| b9e664291b7f | 2018-02-07 13:47:25 | 2018-02-07 13:49:25 | 1 | 10.10.10.1 | NULL | 1 |
| bbd771976331 | 2018-02-07 16:41:27 | 2018-02-07 16:41:29 | 1 | 10.10.10.1 | NULL | 1 |
| d14cbe468774 | 2018-02-07 16:51:27 | 2018-02-07 16:52:17 | 1 | 10.10.10.136 | NULL | 2 |
| fb0cb8e223db | 2018-02-07 16:41:33 | 2018-02-07 16:44:36 | 1 | 10.10.10.1 | 25x133 | 1 |
| fc652ae43d7d | 2018-02-07 16:52:20 | 2018-02-07 16:52:33 | 1 | 10.10.10.136 | NULL | 2 |
+--------------+---------------------+---------------------+--------+--------------+----------+--------+
12 rows in set (0.00 sec)
mysql> select * from auth;
+----+--------------+---------+----------+----------+---------------------+
| id | session | success | username | password | timestamp |
+----+--------------+---------+----------+----------+---------------------+
| 1 | b9e664291b7f | 0 | cowrie | sa | 2018-02-07 13:47:28 |
| 2 | 2c1dfc230aa8 | 1 | cowrie | dsadsa | 2018-02-07 13:55:48 |
| 3 | 43f73636d26c | 1 | root | | 2018-02-07 16:40:52 |
| 4 | fb0cb8e223db | 1 | cowrie | dsa | 2018-02-07 16:41:36 |
| 5 | 31651a37bcd6 | 1 | cowrie | | 2018-02-07 16:49:25 |
| 6 | 5a4b5bea9617 | 0 | cowrie | 123456 | 2018-02-07 16:49:38 |
| 7 | 5a4b5bea9617 | 1 | cowrie | dsadff | 2018-02-07 16:49:40 |
| 8 | 4714f186ec42 | 0 | root | 123456 | 2018-02-07 16:49:48 |
| 9 | 4714f186ec42 | 0 | root | root | 2018-02-07 16:49:51 |
| 10 | 4714f186ec42 | 1 | root | dsad | 2018-02-07 16:49:53 |
| 11 | d14cbe468774 | 1 | root | das | 2018-02-07 16:51:32 |
| 12 | fc652ae43d7d | 0 | root | 123456 | 2018-02-07 16:52:23 |
| 13 | fc652ae43d7d | 0 | root | 123456 | 2018-02-07 16:52:26 |
| 14 | fc652ae43d7d | 0 | root | root | 2018-02-07 16:52:27 |
| 15 | fc652ae43d7d | 1 | root | sss | 2018-02-07 16:52:30 |
| 16 | 09ed9c90ebe9 | 1 | root | sss | 2018-02-07 16:55:09 |
| 17 | 6327065959e7 | 1 | root | sss | 2018-02-07 16:55:14 |
+----+--------------+---------+----------+----------+---------------------+
17 rows in set (0.00 sec)
mysql> select * from input;
+----+--------------+---------------------+-------+---------+-------+
| id | session | timestamp | realm | success | input |
+----+--------------+---------------------+-------+---------+-------+
| 1 | 43f73636d26c | 2018-02-07 16:41:02 | NULL | 1 | exit |
| 2 | 31651a37bcd6 | 2018-02-07 16:49:30 | NULL | 1 | exit |
| 3 | 4714f186ec42 | 2018-02-07 16:49:57 | NULL | 1 | exit |
| 4 | 5a4b5bea9617 | 2018-02-07 16:50:53 | NULL | 0 | ftp |
| 5 | 5a4b5bea9617 | 2018-02-07 16:50:57 | NULL | 0 | sftp |
| 6 | 5a4b5bea9617 | 2018-02-07 16:50:59 | NULL | 0 | cftp |
| 7 | 5a4b5bea9617 | 2018-02-07 16:51:05 | NULL | 1 | scp |
| 8 | d14cbe468774 | 2018-02-07 16:51:32 | NULL | 0 | 22 |
| 9 | fc652ae43d7d | 2018-02-07 16:52:30 | NULL | 0 | 22 |
| 10 | 09ed9c90ebe9 | 2018-02-07 16:55:34 | NULL | 1 | ls |
+----+--------------+---------------------+-------+---------+-------+
10 rows in set (0.00 sec)
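To turn the three tables above into something an analyst can work with, here is an added example (not part of the original post) that rebuilds the auth / sessions / input schema in SQLite with a few constructed rows modelled on the output above and runs the triage queries one would run against the MySQL output: failed logins per source IP, the credential sequence of one session, and the commands typed in sessions that authenticated.

```python
# Added example, not part of the original post: rebuild the auth / sessions /
# input tables in SQLite and run the triage queries an analyst would run against
# the MySQL output plugin's data. Rows are constructed to mirror the output above.
import sqlite3

SCHEMA = """
CREATE TABLE sessions (id TEXT PRIMARY KEY, starttime TEXT, endtime TEXT,
                       sensor INTEGER, ip TEXT, termsize TEXT, client INTEGER);
CREATE TABLE auth (id INTEGER PRIMARY KEY, session TEXT, success INTEGER,
                   username TEXT, password TEXT, timestamp TEXT);
CREATE TABLE input (id INTEGER PRIMARY KEY, session TEXT, timestamp TEXT,
                    realm TEXT, success INTEGER, input TEXT);
"""
# Constructed sample rows (a subset of the tables shown above).
SESSIONS = [("4714f186ec42", "2018-02-07 16:49:46", "2018-02-07 16:49:57", 1, "10.10.10.1", "25x133", 1),
            ("fc652ae43d7d", "2018-02-07 16:52:20", "2018-02-07 16:52:33", 1, "10.10.10.136", None, 2),
            ("09ed9c90ebe9", "2018-02-07 16:55:08", "2018-02-07 16:58:09", 1, "10.10.10.1", "19x62", 1)]
AUTH = [("4714f186ec42", 0, "root", "123456"), ("4714f186ec42", 0, "root", "root"),
        ("4714f186ec42", 1, "root", "dsad"), ("fc652ae43d7d", 0, "root", "123456"),
        ("fc652ae43d7d", 0, "root", "123456"), ("fc652ae43d7d", 0, "root", "root"),
        ("fc652ae43d7d", 1, "root", "sss"), ("09ed9c90ebe9", 1, "root", "sss")]
INPUT = [("4714f186ec42", 1, "exit"), ("fc652ae43d7d", 0, "22"), ("09ed9c90ebe9", 1, "ls")]

def load_sample():
    """In-memory database populated with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO sessions VALUES (?,?,?,?,?,?,?)", SESSIONS)
    db.executemany("INSERT INTO auth (session, success, username, password) VALUES (?,?,?,?)", AUTH)
    db.executemany("INSERT INTO input (session, success, input) VALUES (?,?,?)", INPUT)
    return db

def failed_logins_by_ip(db):
    """Failed attempts per source IP: the brute-force view, joining auth to sessions."""
    return db.execute("""SELECT s.ip, COUNT(*) AS failures FROM auth a
                         JOIN sessions s ON s.id = a.session WHERE a.success = 0
                         GROUP BY s.ip ORDER BY failures DESC, s.ip""").fetchall()

def credentials_per_session(db, session_id):
    """Every username/password pair tried in one session, in order, with its outcome."""
    return db.execute("SELECT username, password, success FROM auth WHERE session = ? ORDER BY id",
                      (session_id,)).fetchall()

def commands_after_success(db):
    """Commands typed in sessions that authenticated, with source IP and the input.success flag."""
    return db.execute("""SELECT s.ip, i.session, i.input, i.success FROM input i
                         JOIN sessions s ON s.id = i.session
                         WHERE i.session IN (SELECT session FROM auth WHERE success = 1)
                         ORDER BY i.id""").fetchall()
```

Against the live MySQL database the same three statements run unchanged, only the connection differs.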