GithubHelp home page GithubHelp logo

lguzzon-scratchbook / pisshoff Goto Github PK

View Code? Open in Web Editor NEW

This project forked from w4/pisshoff

0.0 0.0 0.0 233 KB

🧸 fully isolated honeypot ssh server using thrussh

License: Do What The F*ck You Want To Public License

Rust 93.66% Nix 6.34%

pisshoff's Introduction

pisshoff

A very simple SSH server using thrussh that exposes mocked versions of a bash shell, some commands and SSH subsystems to act as a honeypot for would-be crackers.

All actions undertaken on the connection by the client are recorded in JSON format in an audit log file.

What does the server expose?

Commands

  • echo
  • exit
  • ls
  • pwd
  • scp
  • uname
  • whoami

Subsystems

  • shell
  • sftp

How?

None of the commands or utilities shell out or otherwise interact with your operating system, you can essentially consider the honeypot "airgapped". Although for all intents and purposes it feels like you're connecting to an actual server, you're actually interacting with very simple partial reimplementations of common commands and utilities that don't do anything but return the expected output and write to an audit log.

Example

$ ssh [email protected]
bash-5.1$ pwd
/root
bash-5.1$ echo test
test
bash-5.1$ uname -a
Linux cd5079c0d642 5.15.49 #1 SMP PREEMPT Tue Sep 13 07:51:32 UTC 2022 x86_64 GNU/Linux
bash-5.1$ whoami
root
bash-5.1$ exit
$ echo test > test
$ scp test [email protected]:test
([email protected]) Password:
test                                                                                                      100%    5     0.1KB/s   00:00
$ cat audit.log | tail -n 2 | jq
{
  "connection_id": "464d87c9-e8fc-4d24-ab6f-34ee67b094f5",
  "ts": "2023-08-10T20:46:09.837165036Z",
  "peer_address": "127.0.0.1:31732",
  "host": "my-cool-honeypot.dev",
  "environment_variables": [
    ["LC_TERMINAL_VERSION", "4.5.20"],
    ["LANG", "en_GB.UTF-8"],
    ["LC_TERMINAL", "iTerm2"]
  ],
  "events": [
    {
      "start_offset": {
        "secs": 1,
        "nanos": 362803172
      },
      "action": {
        "type": "login-attempt",
        "credential-type": "public-key",
        "kind": "ssh-ed25519",
        "fingerprint": "AAAAC3NzaC1lZDI1NTE5AAAAIK3kwN10QmXsnt7jlZ7mYWXdwjfBmgK3fIp5rji"
      }
    },
    {
      "start_offset": {
        "secs": 7,
        "nanos": 85973767
      },
      "action": {
        "type": "login-attempt",
        "credential-type": "username-password",
        "username": "root",
        "password": "root"
      }
    },
    {
      "start_offset": {
        "secs": 7,
        "nanos": 190169895
      },
      "action": {
        "type": "shell-requested"
      }
    },
    {
      "start_offset": {
        "secs": 11,
        "nanos": 153124524
      },
      "action": {
        "type": "exec-command",
        "args": ["pwd"]
      }
    },
    {
      "start_offset": {
        "secs": 14,
        "nanos": 342192712
      },
      "action": {
        "type": "exec-command",
        "args": ["echo", "test"]
      }
    },
    {
      "start_offset": {
        "secs": 63,
        "nanos": 599852779
      },
      "action": {
        "type": "exec-command",
        "args": ["uname", "-a"]
      }
    },
    {
      "start_offset": {
        "secs": 67,
        "nanos": 368327325
      },
      "action": {
        "type": "exec-command",
        "args": ["whoami"]
      }
    },
    {
      "start_offset": {
        "secs": 166,
        "nanos": 208707438
      },
      "action": {
        "type": "exec-command",
        "args": ["exit"]
      }
    }
  ]
}
{
  "...": "...",
  "events": [
    "...",
    {
      "start_offset": {
        "secs": 4,
        "nanos": 196898172
      },
      "action": {
        "type": "subsystem-request",
        "name": "sftp"
      }
    },
    {
      "start_offset": {
        "secs": 4,
        "nanos": 404745407
      },
      "action": {
        "type": "write-file",
        "path": "test",
        "content": [116, 101, 115, 116, 10] // test
      }
    }
  ]
}

Running the server

An example configuration is provided within the repository, running the server is as simple as building the binary using cargo build --release and calling ./pisshoff-server -c config.toml.

pisshoff's People

Contributors

w4 avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.