Cowrie – SSH/Telnet Honeypot

Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.
Cowrie is developed by Michel Oosterhof.Features
Some interesting features:

Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included

Possibility of adding fake file contents so the attacker can cat files such as /etc/passwd. Only minimal file contents are included

Session logs stored in an UML Compatible format for easy replay with original timings

Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection

Additional functionality over standard kippo:

SFTP and SCP support for file upload

Support for SSH exec commands

Logging of direct-tcp connection attempts (ssh proxying)

Forward SMTP connections to SMTP Honeypot (e.g. mailoney)

Logging in JSON format for easy processing in log management solutions

Many, many additional commands

Software required:

Python 2.7+, (Python 3 not yet supported due to Twisted dependencies)


For Python dependencies, see requirements.txtFiles of interest:

cowrie.cfg – Cowrie’s configuration file. Default values can be found in cowrie.cfg.dist

data/fs.pickle – fake filesystem

data/userdb.txt – credentials allowed or disallowed to access the honeypot

dl/ – files transferred from the attacker to the honeypot are stored here

honeyfs/ – file contents for the fake filesystem – feel free to copy a real system here or use bin/fsctl

log/cowrie.json – transaction output in JSON format

log/cowrie.log – log/debug output

log/tty/*.log – session logs

txtcmds/ – file contents for the fake commands

bin/createfs – used to create the fake filesystem

bin/playlog – utility to replay session logs

Read more.
Download Cowrie


Deixe um comentário

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do

Você está comentando utilizando sua conta Sair /  Alterar )

Foto do Google+

Você está comentando utilizando sua conta Google+. Sair /  Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair /  Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair /  Alterar )


Conectando a %s