Xubuntu 17.10 部署 Cowrie 蜜罐
2018/2/7 0:54:28 【原创】
1. cowrie 简介
Cowrie是一种中等交互的SSH和Telnet蜜罐,用于记录暴力攻击和攻击者执行的shell交互。github
Cowrie由Michel Oosterhof开发。说明
所需软件:
-
Python 2.7+,(由于 Twisted 依赖关系,Python 3还不支持)
-
python 的 virtualenv
特征:
- 假的文件系统能够添加/删除文件。包括一个类似Debian 5.0安装的完整的假文件系统
- 添加假文件内容的可能性,以便攻击者可以cat像/etc/passwd。只包含最少的文件内容
- 会话日志以UML兼容 格式存储,便于重播和原始时间
- Cowrie保存用wget / curl下载的文件,或者用SFTP和scp上传的文件,以供日后检查
gitbub 上的安装帮助文件(INSTALL.md)
2. 开始部署 cowrie
此处开始为 root 环境
由于在部署环境的时候发现网上存在的教程都是基于 cowrie V1.0 的,所以此篇针对 github 上最新版本的 cowrie。
- 添加非 root 用户:此处使用 cowrie 为用户名
root@xu:~# adduser cowrie
- 安装依赖关系
root@xu:~# apt-get install git python-virtualenv libssl-dev libffi-dev build-essential libpython-dev python2.7-minimal authbind
- 下载 cowrie
root@xu:~# cd /opt
root@xu:~# apt-get install git
root@xu:~# git clone http://github.com/micheloosterhof/cowrie
- 改变/opt/cowrie的拥有者
root@xu:~# chown -R cowrie:cowrie /opt/cowrie
- 安装 virtualenv
root@xu:~# apt-get install virtualenv
- 配置python虚拟环境
root@xu:~# cd /opt/cowrie
root@xu:/opt/cowrie# virtualenv cowrie-env
- 激活虚拟环境并安装软件包
root@xu:/opt/cowrie# source cowrie-env/bin/activate
(cowrie-env) root@xu:/opt/cowrie# pip install --upgrade pip
(cowrie-env) root@xu:/opt/cowrie# pip install --upgrade -r requirements.txt
-
安装配置文件
Cowrie的配置存储在cowrie.cfg.dist和cowrie.cfg中。这两个文件都在启动时读取,其中来自cowrie.cfg的条目优先。.dist文件可以被升级覆盖,cowrie.cfg不会被触及。要使用标准配置运行,不需要更改任何内容。例如,要启用telnet,请创建cowrie.cfg并仅输入以下内容:
(cowrie-env) root@xu:/opt/cowrie# vim cowrie.cfg
[telnet]
enabled = true
-
生成DSA密钥(可选)
这一步不应该是必要的,但是Twisted的某些版本不兼容。为了提前避免问题,运行:
(cowrie-env) root@xu:/opt/cowrie# cd data/
(cowrie-env) root@xu:/opt/cowrie/data# ls
fs.pickle userdb.txt
(cowrie-env) root@xu:/opt/cowrie/data# ssh-keygen -t dsa -b 1024 -f ssh_host_dsa_key
(cowrie-env) root@xu:/opt/cowrie/data# cd ..
3. 开始使用 cowrie
此处切换用户为 cowrie
- 开启 cowrie
cowrie@xu:/opt/cowrie$ cd bin/
cowrie@xu:/opt/cowrie/bin$ ./cowrie start
Using default Python virtual environment "/opt/cowrie/cowrie-env"
Starting cowrie: [twistd --umask 0022 --pidfile var/run/cowrie.pid -l log/cowrie.log cowrie ]...
- 端口重定向(可选)
所有端口重定向命令都是系统范围的,需要以root身份执行。
cowrie 默认在端口 2222 上运行,也可以在配置文件中修改。
以下防火墙规则将端口 22 上的传入流量转发到端口 2222 上
cowrie@xu:/opt/cowrie/bin$ sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
此处提示 cowrie 用户不在 sudoers 文件中,可以设置将 cowrie 添加至 sudoers 文件
root@xu:~# vim /etc/sudoers
root ALL=(ALL:ALL) ALL
cowrie ALL=(ALL:ALL) ALL
cowrie@xu:/opt/cowrie/bin$ sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
cowrie@xu:/opt/cowrie/bin$ sudo iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 redir ports 2222
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
-
配置额外的输出插件(可选)
Cowrie自动将事件数据输出到?/ cowrie / log中的文本和JSON日志文件。额外的输出插件可以配置为以其他方式记录数据。支持的输出插件包括:
Cuckoo
ELK (Elastic) Stack
Graylog
Kippo-Graph
Splunk
SQL (MySQL, SQLite3, RethinkDB)
有关详细信息,请参阅?/ cowrie / doc / [Output Plugin] /README.md。
- 更新Cowrie
cowrie@xu:/opt/cowrie$ bin/cowrie stop
cowrie@xu:/opt/cowrie$ git pull
cowrie@xu:/opt/cowrie$ pip install --upgrade -r requirements.txt
cowrie@xu:/opt/cowrie$ bin/cowrie start
- 设置路由转发功能
root@xu:~# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
4. 使用 mysql
下面介绍如何发送Cowrie输出到MySQL数据库
github 上的安装帮助文件(cowrie/doc/sql/README.md)
此下开始是 cowrie 用户权限
- 安装 mysql
cowrie@xu:/opt$ sudo apt-get install mysql-server libmysqlclient-dev python-mysqldb
cowrie@xu:/opt$ source cowrie/cowrie-env/bin/activate
(cowrie-env) cowrie@xu:/opt$ pip install mysqlclient
以前使用的 MySQL-python 是过时的,当你使用 mysqlclient 出现问题的时候,可以使用 MySQL-python :
root@xu:/opt# pip install MySQL-python
- MySQL配置
(cowrie-env) cowrie@xu:/opt/cowrie=$ mysql -u root -p
为数据库创建一个cowrie用户帐户并授予访问权限:
mysql> CREATE DATABASE cowrie;
所有特权
mysql> GRANT ALL ON cowrie.* TO 'cowrie'@'localhost' IDENTIFIED BY 'cowrie';
限制特权或者说是赋予 cowrie 账户较少的权限(与上面的二选一)
mysql> GRANT INSERT, SELECT, UPDATE ON cowrie.* TO 'cowrie'@'localhost' IDENTIFIED BY 'cowrie';
应用特权设置并退出 mysql
mysql> FLUSH PRIVILEGES;
mysql> exit
使用cowrie帐户登录到MySQL数据库,以验证正确的访问权限,并加载doc / sql /目录中提供的数据库模式
(cowrie-env) cowrie@xu:/opt/cowrie$ cd doc/sql/
(cowrie-env) cowrie@xu:/opt/cowrie/doc/sql# mysql -u cowrie -p
mysql> show databases;
mysql> use cowrie;
mysql> source mysql.sql;
Query OK, 0 rows affected (0.02 sec)
mysql> exit
-
Cowrie配置
在输出插件部分取消注释并更新以下条目到?/ cowrie / cowrie.cfg (415行)
(cowrie-env) root@xu:/opt/cowrie# vim cowrie.cfg.dist
[output_mysql]
host = localhost
database = cowrie
username = cowrie
password = cowrie
port = 3306
debug = false
重新开始 Cowrie
- 重重新启动 Cowrie
(cowrie-env) cowrie@xu:/opt/cowrie/bin$ ./cowrie restart
注:本来做到这一步出现了错误:提示找不到 MyAQLdb 模块,在调试过程中,尝试了上面的 pip install mysql-python 百度说这个是[python版本导致的不同(解决办法链接)](https://stackoverflow.com/questions/454854/no-module-named-mysqldb),此外,还修改了 cowrie-env 目录的属主,不知道具体不清楚具体是哪一个方法解决了此办法,建议出错后再来尝试。
$ sudo chown -R cowrie:cowrie /opt/cowrie-env
验证MySQL输出引擎是否已加载
(cowrie-env) cowrie@xu:/opt/cowrie$ cd bin/log/
(cowrie-env) cowrie@xu:/opt/cowrie/log$ tail cowrie.log
2018-02-07T13:35:09+0800 [-] Loaded output engine: jsonlog
2018-02-07T13:35:09+0800 [-] Loaded output engine: mysql
2018-02-07T13:35:09+0800 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 17.9.0 (/opt/cowrie/cowrie-env/bin/python2 2.7.14) starting up.
2018-02-07T13:35:09+0800 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
2018-02-07T13:35:09+0800 [-] CowrieSSHFactory starting on 2222
2018-02-07T13:35:09+0800 [cowrie.ssh.factory.CowrieSSHFactory#info] Starting factory <cowrie.ssh.factory.CowrieSSHFactory instance at 0x7f00e9fe65a8>
2018-02-07T13:35:09+0800 [-] Ready to accept SSH connections
-
确认事件已记录到MySQL数据库
确认 iptables 规则已经正确填写
root@xu:~# iptables-save
-A PREROUTING -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
使用 linus 或者 windows 的 Xshell 登录此 cowrie 蜜罐
[c:\~]$ ssh cowrie@10.10.10.156 22
登录密码在文件里有保存( !123456 表示 非123456 的密码都可登录,可以手动添加账户 cowrie 的登录密码)。
root@xu:/opt/cowrie/data# cat userdb.txt
root:x:!root
root:x:!123456
root:x:*
richard:x:*
richard:x:fout
cowrie:x:!root
cowrie:x:!123456
cowrie:x:*
登录成功之后,在 mysql 查询
(cowrie-env) cowrie@xu:/opt/cowrie/log$ mysql -u cowrie -p
mysql> show databases;
mysql> use cowrie;
mysql> SELECT * FROM auth;
+----+--------------+---------+----------+----------+---------------------+
| id | session | success | username | password | timestamp |
+----+--------------+---------+----------+----------+---------------------+
| 1 | b9e664291b7f | 0 | cowrie | sa | 2018-02-07 13:47:28 |
| 2 | 2c1dfc230aa8 | 1 | cowrie | dsadsa | 2018-02-07 13:55:48 |
+----+--------------+---------+----------+----------+---------------------+
mysql> SELECT * FROM sessions;
+--------------+---------------------+---------------------+--------+------------+----------+--------+
| id | starttime | endtime | sensor | ip | termsize | client |
+--------------+---------------------+---------------------+--------+------------+----------+--------+
| 2c1dfc230aa8 | 2018-02-07 13:55:47 | NULL | 1 | 10.10.10.1 | 25x133 | 1 |
| b9e664291b7f | 2018-02-07 13:47:25 | 2018-02-07 13:49:25 | 1 | 10.10.10.1 | NULL | 1 |
+--------------+---------------------+---------------------+--------+------------+----------+--------+
mysql> SELECT * FROM input;
Empty set (0.00 sec)
5. 用systemd自动启动Cowrie
github 上的设置自动启动帮助文件:cowrie/doc/systemd/README.md
- 将文件复制cowrie.service到/etc/systemd/system/
(cowrie-env) cowrie@xu:/opt/cowrie$ cd doc/systemd/
(cowrie-env) cowrie@xu:/opt/cowrie/doc/systemd$ sudo cp cowrie.service /etc/systemd/system
- 重新加载系统
(cowrie-env) cowrie@xu:/opt/cowrie$ sudo systemctl daemon-reload
- 开始 cowrie 报错
(cowrie-env) cowrie@xu:/opt/cowrie/bin$ sudo service cowrie start
Job for cowrie.service failed because the control process exited with error code.
See "systemctl status cowrie.service" and "journalctl -xe" for details.
- 解决错误:经查是因为 cowrie.service 中的路径错误。将 /home/cowrie/cowrie/bin/cowrie 改为 /opt/cowrie/bin/cowrie
使用 vim 命令替换方法(注意转义字符): vim 的命令使用方法
(cowrie-env) cowrie@xu:/opt/cowrie/bin$ systemctl status cowrie.service
● cowrie.service - Cowrie SSH and Telnet Honeypot
Loaded: loaded (/etc/systemd/system/cowrie.service; enabled; vendor preset: e
Active: failed (Result: exit-code) since Wed 2018-02-07 16:04:13 CST; 1min 1s
Docs: https://github.com/micheloosterhof/cowrie
Process: 6113 ExecStart=/home/cowrie/cowrie/bin/cowrie start (code=exited, sta
(cowrie-env) cowrie@xu:/opt/cowrie/bin$ sudo vim /etc/systemd/system/cowrie.service
:.,$s/home\/cowrie\/cowrie/opt\/cowrie/g
(cowrie-env) cowrie@xu:/opt/cowrie$ sudo systemctl daemon-reload
- 设置开机自启
(cowrie-env) cowrie@xu:/opt/cowrie$ sudo systemctl enable cowrie.service
6. 综合测试
- 注:在文件设置路由转发是永久性的,在iptables设置转发规则是一次性的。
cowrie@xu:~$ vim /etc/sysctl.conf
net.ipv4.ip_forward=1
root@xu:~# iptables-save
root@xu:~# iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
root@xu:~# iptables-save
-
进行综合测试
使用 其他的 linux 系统或者 windows 进行测试
[c:\~]$ ssh root@10.10.10.156 22
[c:\~]$ ssh cowrie@10.10.10.156 22
root@kali:~# ssh root@10.10.10.156 22
使用 Xshell 进行文件上传(上传了四个文件)
查看 cowrie 中的 README.md 查看文件系统介绍:
cowrie.cfg - Cowrie的配置文件。默认值可以在cowrie.cfg.dist
data/fs.pickle - 假的文件系统
data/userdb.txt - 允许或不允许访问蜜罐的凭证
dl/ - 从攻击者传输到蜜罐的文件存储在这里
honeyfs/ - 假文件系统的文件内容 - 随意在这里复制一个真实的系统或使用 bin/fsctl
log/cowrie.json - JSON格式的事务输出
log/cowrie.log - 日志/调试输出
log/tty/*.log - 会话日志
txtcmds/ - 伪造命令的文件内容
bin/createfs - 用于创建假文件系统
bin/playlog - 重播会话日志的实用程序
多次测试之后在 mysql 进行查询
cowrie@xu:/opt/cowrie/dl$ ls
cowrie@xu:/opt/cowrie/log$ ls
cowrie@xu:/opt/cowrie/log$ tail cowrie.log
cowrie@xu:/opt/cowrie/log$ tail cowrie.json
cowrie@xu:/opt/cowrie/log$ tail lastlog.txt
cowrie@xu:/opt/cowrie/log$ ls tty/
mysql> select * from sessions;
mysql> select * from sessions;
+--------------+---------------------+---------------------+--------+--------------+----------+--------+
| id | starttime | endtime | sensor | ip | termsize | client |
+--------------+---------------------+---------------------+--------+--------------+----------+--------+
| 09ed9c90ebe9 | 2018-02-07 16:55:08 | 2018-02-07 16:58:09 | 1 | 10.10.10.1 | 19x62 | 1 |
| 2c1dfc230aa8 | 2018-02-07 13:55:47 | 2018-02-07 13:58:49 | 1 | 10.10.10.1 | 25x133 | 1 |
| 31651a37bcd6 | 2018-02-07 16:49:25 | 2018-02-07 16:49:30 | 1 | 10.10.10.1 | 25x133 | 1 |
| 43f73636d26c | 2018-02-07 16:40:50 | 2018-02-07 16:41:02 | 1 | 10.10.10.1 | 25x133 | 1 |
| 4714f186ec42 | 2018-02-07 16:49:46 | 2018-02-07 16:49:57 | 1 | 10.10.10.1 | 25x133 | 1 |
| 5a4b5bea9617 | 2018-02-07 16:49:32 | 2018-02-07 16:52:41 | 1 | 10.10.10.1 | 25x133 | 1 |
| 6327065959e7 | 2018-02-07 16:55:12 | 2018-02-07 16:55:32 | 1 | 10.10.10.1 | NULL | 1 |
| b9e664291b7f | 2018-02-07 13:47:25 | 2018-02-07 13:49:25 | 1 | 10.10.10.1 | NULL | 1 |
| bbd771976331 | 2018-02-07 16:41:27 | 2018-02-07 16:41:29 | 1 | 10.10.10.1 | NULL | 1 |
| d14cbe468774 | 2018-02-07 16:51:27 | 2018-02-07 16:52:17 | 1 | 10.10.10.136 | NULL | 2 |
| fb0cb8e223db | 2018-02-07 16:41:33 | 2018-02-07 16:44:36 | 1 | 10.10.10.1 | 25x133 | 1 |
| fc652ae43d7d | 2018-02-07 16:52:20 | 2018-02-07 16:52:33 | 1 | 10.10.10.136 | NULL | 2 |
+--------------+---------------------+---------------------+--------+--------------+----------+--------+
12 rows in set (0.00 sec)
mysql> mysql> select * from auth;
+----+--------------+---------+----------+----------+---------------------+
| id | session | success | username | password | timestamp |
+----+--------------+---------+----------+----------+---------------------+
| 1 | b9e664291b7f | 0 | cowrie | sa | 2018-02-07 13:47:28 |
| 2 | 2c1dfc230aa8 | 1 | cowrie | dsadsa | 2018-02-07 13:55:48 |
| 3 | 43f73636d26c | 1 | root | | 2018-02-07 16:40:52 |
| 4 | fb0cb8e223db | 1 | cowrie | dsa | 2018-02-07 16:41:36 |
| 5 | 31651a37bcd6 | 1 | cowrie | | 2018-02-07 16:49:25 |
| 6 | 5a4b5bea9617 | 0 | cowrie | 123456 | 2018-02-07 16:49:38 |
| 7 | 5a4b5bea9617 | 1 | cowrie | dsadff | 2018-02-07 16:49:40 |
| 8 | 4714f186ec42 | 0 | root | 123456 | 2018-02-07 16:49:48 |
| 9 | 4714f186ec42 | 0 | root | root | 2018-02-07 16:49:51 |
| 10 | 4714f186ec42 | 1 | root | dsad | 2018-02-07 16:49:53 |
| 11 | d14cbe468774 | 1 | root | das | 2018-02-07 16:51:32 |
| 12 | fc652ae43d7d | 0 | root | 123456 | 2018-02-07 16:52:23 |
| 13 | fc652ae43d7d | 0 | root | 123456 | 2018-02-07 16:52:26 |
| 14 | fc652ae43d7d | 0 | root | root | 2018-02-07 16:52:27 |
| 15 | fc652ae43d7d | 1 | root | sss | 2018-02-07 16:52:30 |
| 16 | 09ed9c90ebe9 | 1 | root | sss | 2018-02-07 16:55:09 |
| 17 | 6327065959e7 | 1 | root | sss | 2018-02-07 16:55:14 |
+----+--------------+---------+----------+----------+---------------------+
17 rows in set (0.00 sec)
mysql> select * from input;
+----+--------------+---------------------+-------+---------+-------+
| id | session | timestamp | realm | success | input |
+----+--------------+---------------------+-------+---------+-------+
| 1 | 43f73636d26c | 2018-02-07 16:41:02 | NULL | 1 | exit |
| 2 | 31651a37bcd6 | 2018-02-07 16:49:30 | NULL | 1 | exit |
| 3 | 4714f186ec42 | 2018-02-07 16:49:57 | NULL | 1 | exit |
| 4 | 5a4b5bea9617 | 2018-02-07 16:50:53 | NULL | 0 | ftp |
| 5 | 5a4b5bea9617 | 2018-02-07 16:50:57 | NULL | 0 | sftp |
| 6 | 5a4b5bea9617 | 2018-02-07 16:50:59 | NULL | 0 | cftp |
| 7 | 5a4b5bea9617 | 2018-02-07 16:51:05 | NULL | 1 | scp |
| 8 | d14cbe468774 | 2018-02-07 16:51:32 | NULL | 0 | 22 |
| 9 | fc652ae43d7d | 2018-02-07 16:52:30 | NULL | 0 | 22 |
| 10 | 09ed9c90ebe9 | 2018-02-07 16:55:34 | NULL | 1 | ls |
+----+--------------+---------------------+-------+---------+-------+
10 rows in set (0.00 sec)
1466
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
