中老年人的快樂就是這麼僕實無華
重灌、安裝、敲指令,享受時間條與鍵盤的喀喀聲。
T-Pot 裡的 Cowrie 這麼香,為什麼還要手動安裝呢? Cowrie 算上起源的 kippo 的發想的 Kojoney 0.0.1 Beta 也在 2005 年左右,都沒比 2003 的 honeyd 0.5 的老,但卻仍在持續更新中啊,不值得 Respect 一下嘛!
官方文件上提到的作業系統大都是 Debian 10、Ubuntu 18、Ubuntu 20。而這一次我們要測的環境如下
sudo apt-get install git python3-virtualenv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind virtualenv
sudo adduser --disabled-password cowrie
Adding user `cowrie' ...
Adding new group `cowrie' (1001) ...
Adding new user `cowrie' (1001) with group `cowrie' ...
Creating home directory `/home/cowrie' ...
Copying files from `/etc/skel' ...
Changing the user information for cowrie
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
sudo su - cowrie
cowrie@debian:~$ git clone http://github.com/cowrie/cowrie
Cloning into 'cowrie'...
warning: redirecting to https://github.com/cowrie/cowrie/
remote: Enumerating objects: 15911, done.
remote: Counting objects: 100% (230/230), done.
remote: Compressing objects: 100% (159/159), done.
remote: Total 15911 (delta 99), reused 185 (delta 70), pack-reused 15681
Receiving objects: 100% (15911/15911), 9.48 MiB | 15.53 MiB/s, done.
Resolving deltas: 100% (11028/11028), done.
cowrie@debian:~$ cd cowrie/
cowrie@debian:~/cowrie$ pwd
/home/cowrie/cowrie
virtualenv --python=python3 cowrie-env
created virtual environment CPython3.9.2.final.0-64 in 335ms
creator CPython3Posix(dest=/home/cowrie/cowrie/cowrie-env, clear=False, no_vcs_ignore=False, global=False)
seeder FromAppData(download=False, pip=bundle, setuptools=bundle, wheel=bundle, via=copy, app_data_dir=/home/cowrie/.local/share/virtualenv)
added seed packages: pip==20.3.4, pkg_resources==0.0.0, setuptools==44.1.1, wheel==0.34.2
activators BashActivator,CShellActivator,FishActivator,PowerShellActivator,PythonActivator,XonshActivator
source cowrie-env/bin/activate
(cowrie-env) cowrie@debian:~/cowrie$ pip install --upgrade pip
Requirement already satisfied: pip in ./cowrie-env/lib/python3.9/site-packages (20.3.4)
Collecting pip
Downloading pip-22.2.2-py3-none-any.whl (2.0 MB)
|████████████████████████████████| 2.0 MB 366 kB/s
Installing collected packages: pip
Attempting uninstall: pip
Found existing installation: pip 20.3.4
Uninstalling pip-20.3.4:
Successfully uninstalled pip-20.3.4
Successfully installed pip-22.2.2
(cowrie-env) cowrie@debian:~/cowrie$ pip install --upgrade -r requirements.txt
Collecting appdirs==1.4.4
Downloading appdirs-1.4.4-py2.py3-none-any.whl (9.6 kB)
Collecting attrs==22.1.0
Downloading attrs-22.1.0-py2.py3-none-any.whl (58 kB)
.
.
.
Requirement already satisfied: setuptools in ./cowrie-env/lib/python3.9/site-packages (from zope.interface>=4.4.2->twisted==22.4.0->-r requirements.txt (line 14)) (44.1.1)
Building wheels for collected packages: tftpy
Building wheel for tftpy (setup.py) ... done
Created wheel for tftpy: filename=tftpy-0.8.2-py3-none-any.whl size=29499 sha256=eaa7eb1423c4076e9a5ace57819e4ff051a1d8eb86bc341a5b5c9b9eb21b9756
Stored in directory: /home/cowrie/.cache/pip/wheels/d2/6f/14/6b5aac54a1559d0a5139d259add06fe0803118ab9fce22a18e
Successfully built tftpy
Installing collected packages: pyasn1, incremental, constantly, appdirs, zope.interface, urllib3, typing-extensions, tftpy, six, pyparsing, pycparser, pyasn1_modules, idna, configparser, charset-normalizer, certifi, bcrypt, attrs, requests, python-dateutil, packaging, hyperlink, cffi, Automat, twisted, cryptography, service_identity, pyopenssl, treq
Successfully installed Automat-20.2.0 appdirs-1.4.4 attrs-22.1.0 bcrypt-4.0.0 certifi-2022.9.24 cffi-1.15.1 charset-normalizer-2.1.1 configparser-5.3.0 constantly-15.1.0 cryptography-37.0.4 hyperlink-21.0.0 idna-3.4 incremental-21.3.0 packaging-21.3 pyasn1-0.4.8 pyasn1_modules-0.2.8 pycparser-2.21 pyopenssl-22.0.0 pyparsing-3.0.9 python-dateutil-2.8.2 requests-2.28.1 service_identity-21.1.0 six-1.16.0 tftpy-0.8.2 treq-22.2.0 twisted-22.4.0 typing-extensions-4.3.0 urllib3-1.26.12 zope.interface-5.4.0
這裡我們新增一個設定檔,而不去動會預設讀取的設定檔 cowrie.cfg.dist
nano etc/cowrie.cfg
加入以下字串
[telnet]
enabled = true
bin/cowrie start
Join the Cowrie community at: https://www.cowrie.org/slack/
Using activated Python virtual environment "/home/cowrie/cowrie/cowrie-env"
Starting cowrie: [twistd --umask=0022 --pidfile=var/run/cowrie.pid --logger cowrie.python.logfile.logger cowrie ]...
/home/cowrie/cowrie/cowrie-env/lib/python3.9/site-packages/twisted/conch/ssh/transport.py:97: CryptographyDeprecationWarning: Blowfish has been deprecated
b"blowfish-cbc": (algorithms.Blowfish, 16, modes.CBC),
/home/cowrie/cowrie/cowrie-env/lib/python3.9/site-packages/twisted/conch/ssh/transport.py:101: CryptographyDeprecationWarning: CAST5 has been deprecated
b"cast128-cbc": (algorithms.CAST5, 16, modes.CBC),
/home/cowrie/cowrie/cowrie-env/lib/python3.9/site-packages/twisted/conch/ssh/transport.py:106: CryptographyDeprecationWarning: Blowfish has been deprecated
b"blowfish-ctr": (algorithms.Blowfish, 16, modes.CTR),
/home/cowrie/cowrie/cowrie-env/lib/python3.9/site-packages/twisted/conch/ssh/transport.py:107: CryptographyDeprecationWarning: CAST5 has been deprecated
b"cast128-ctr": (algorithms.CAST5, 16, modes.CTR),
一個實際的例子為,我們為了安全將 SSH port 改為 40022,那麼合法的連線理論上就只有 40022 連進來的,因此從 port 22 就可以視為可疑的攻擊者。
exit
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
sudo iptables -t nat -A PREROUTING -p tcp --dport 23 -j REDIRECT --to-port 2223
上述的 exit 是跳出之前執行指令時的使用者 cowrie ,才能正確執行 sudo 指令
另外請注意 iptables 重開機以後就會失效!
先從另一台 ssh port 22 進入此台後,就可以在 cowrie 主機上看到相關連線
tail /home/cowrie/cowrie/var/log/cowrie/cowrie.json
{"eventid":"cowrie.login.failed","username":"test","password":"4321","message":"login attempt [test/4321] failed"
記得先將 SSH 改為其他 port 如 40022,不然現在的預設 port 22 就算帳號正確也是不能連的,因為已經被重新導向給 port 2222 ,交由 Cowrie 監控。
重啟 cowrie
/home/cowrie/cowrie/bin/cowrie restart
停止 cowrie
/home/cowrie/cowrie/bin/cowrie stop
log 位置
/home/cowrie/cowrie/var/log/cowrie/cowrie.json
/home/cowrie/cowrie/var/log/cowrie/cowrie.log
設定 Cowrie 假 SSH、telnet 可使用的帳號密碼
/home/cowrie/cowrie/etc/userdb.example
Cowie 官方文件
SSH蜜罐cowrie实战
COWRIE蜜罐部署
iThome鐵人賽
看影片追技術