Cowrie – SSH/Telnet Honeypot

Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.
Cowrie is developed by Michel Oosterhof.

Features
Some interesting features:

Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included

Possibility of adding fake file contents so the attacker can cat files such as /etc/passwd. Only minimal file contents are included

Session logs stored in a UML-compatible format for easy replay with original timings

Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection

Additional functionality over standard kippo:

SFTP and SCP support for file upload

Support for SSH exec commands

Logging of direct-tcp connection attempts (ssh proxying)

Forward SMTP connections to SMTP Honeypot (e.g. mailoney)

Logging in JSON format for easy processing in log management solutions

Many, many additional commands

Requirements
Software required:

Python 2.7+ (Python 3 not yet supported due to Twisted dependencies)

python-virtualenv

For Python dependencies, see requirements.txt

Files of interest:

cowrie.cfg – Cowrie’s configuration file. Default values can be found in cowrie.cfg.dist

data/fs.pickle – fake filesystem

data/userdb.txt – credentials allowed or disallowed to access the honeypot

dl/ – files transferred from the attacker to the honeypot are stored here

honeyfs/ – file contents for the fake filesystem – feel free to copy a real system here or use bin/fsctl

log/cowrie.json – transaction output in JSON format

log/cowrie.log – log/debug output

log/tty/*.log – session logs

txtcmds/ – file contents for the fake commands

bin/createfs – used to create the fake filesystem

bin/playlog – utility to replay session logs
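
The JSON log listed above (log/cowrie.json) is written one object per line, which makes brute-force activity easy to summarise. The following is an added example, not part of Cowrie or of the original post: the field names (eventid, src_ip, username, password) and the two login event ids are assumed from Cowrie's JSON output, and the sample lines are constructed.

```python
import json
from collections import Counter

# Constructed sample in the shape of log/cowrie.json (IPs from documentation ranges).
# Field names and event ids are assumptions; check them against your own log.
SAMPLE_LOG = """\
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "username": "root", "password": "admin"}
{"eventid": "cowrie.login.success", "src_ip": "192.0.2.10", "username": "root", "password": "password"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "admin", "password": "admin"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "usern
"""
LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")

def parse_events(lines):
    """Yield one dict per well-formed line; skip blank or truncated lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:  # line cut off, e.g. the log was read mid-write
            continue
        if isinstance(event, dict):
            yield event

def summarize_logins(events):
    """Return (attempts per source IP, credential counts, accepted creds per IP)."""
    attempts, credentials, accepted = Counter(), Counter(), {}
    for ev in events:
        eventid = ev.get("eventid")
        if eventid not in LOGIN_EVENTS:
            continue
        ip = ev.get("src_ip", "unknown")
        cred = (ev.get("username"), ev.get("password"))
        attempts[ip] += 1
        credentials[cred] += 1
        if eventid == "cowrie.login.success":
            accepted.setdefault(ip, set()).add(cred)
    return attempts, credentials, accepted

if __name__ == "__main__":
    attempts, credentials, accepted = summarize_logins(parse_events(SAMPLE_LOG.splitlines()))
    for ip, n in attempts.most_common():
        print("%s: %d attempts, accepted: %s" % (ip, n, sorted(accepted.get(ip, []))))
    print("most tried credential: %s" % (credentials.most_common(1),))
```

To run it against a real deployment, pass an open file handle for log/cowrie.json to parse_events instead of the sample string.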

Download Cowrie http://ift.tt/2qSCxU5 http://ift.tt/2aM8QhC
