Debugging turned up two things from the previous post that need to be corrected: telnet has to be enabled in cowrie.cfg, and userdb.txt has to exist.
[telnet]
enabled = true
cp /home/cowrie/cowrie/etc/userdb.example /home/cowrie/cowrie/etc/userdb.txt
Once the packages in the virtual environment from the previous post are installed, you can follow the official documentation to modify Cowrie's configuration and test it. The proxy approach used in this post installs the QEMU virtualisation environment on the same host and creates a virtual machine there; connections are then forwarded into that VM and monitored.
Using Cowrie's proxy mode has roughly two parts: switching the mode from shell to proxy, and configuring the backend pool that provides the test environment.
Since we still do not want to touch cowrie.cfg.dist, the parameters that need to change are again added to cowrie.cfg.
nano /home/cowrie/cowrie/etc/cowrie.cfg
The contents of the configuration file are explained below:
Changing Cowrie's mode is simple: just set backend to proxy.
[honeypot]
backend = proxy
Note that this goes in the [honeypot] section; do not confuse it with the [proxy] section.
The second part is the proxy itself, which has to be considered together with the backend pool.
In the [proxy] section keep backend = pool, which means our test VMs are managed by Cowrie, and set pool = local, which means the VMs run on the same host as Cowrie.
backend_user and backend_pass are the account and password on the VM itself; if you use the official image, keep the defaults.
[proxy]
backend = pool
pool = local
# real credentials to log into backend
backend_user = root
backend_pass = root
backend_pool describes the VM environment. Because the default kvm did not start successfully here, it is changed to qemu.
[backend_pool]
guest_hypervisor = qemu
guest_qemu_machine = pc-q35-2.10
The machine types supported for guest_qemu_machine can be listed with the command "qemu-system-x86_64 -machine help".
After making the changes above, restart Cowrie:
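Because the mode switch lives in [honeypot] while the pool settings live in [proxy] and [backend_pool], it is easy to put a key in the wrong section and only find out after the restart. The following is an added example, not code from the post or from the Cowrie project: it reads a cowrie.cfg.dist and cowrie.cfg pair with Python's configparser (assuming Cowrie's usual layering, where cowrie.cfg overrides cowrie.cfg.dist), verifies the values this setup relies on, and flags the specific slip of writing backend = proxy under [proxy]. The DIST_SAMPLE, GOOD_LOCAL and BAD_LOCAL strings are constructed stand-ins containing only the keys the check looks at.

```python
"""Sanity-check a Cowrie proxy configuration before restarting.

Assumption: Cowrie reads cowrie.cfg.dist first and cowrie.cfg on top, with plain
configparser semantics (later values override earlier ones).
"""
import configparser
from typing import List

# Values this setup relies on (from the post): proxy mode, a local pool, a QEMU guest, telnet on.
EXPECTED = {
    ("honeypot", "backend"): "proxy",
    ("proxy", "backend"): "pool",
    ("proxy", "pool"): "local",
    ("backend_pool", "guest_hypervisor"): "qemu",
    ("telnet", "enabled"): "true",
}
# Keys that only need to be present and non-empty.
REQUIRED = [("proxy", "backend_user"), ("proxy", "backend_pass"),
            ("backend_pool", "guest_qemu_machine")]

# Constructed stand-in for cowrie.cfg.dist (only the keys the check inspects).
DIST_SAMPLE = """
[honeypot]
backend = shell
[telnet]
enabled = false
[proxy]
backend = simple
backend_user = root
backend_pass = root
[backend_pool]
guest_hypervisor = kvm
guest_qemu_machine = pc-q35-3.1
"""

# Constructed cowrie.cfg that applies the post's settings.
GOOD_LOCAL = """
[telnet]
enabled = true
[honeypot]
backend = proxy
[proxy]
backend = pool
pool = local
[backend_pool]
guest_hypervisor = qemu
guest_qemu_machine = pc-q35-2.10
"""

# Constructed cowrie.cfg with the mix-up the post warns about: backend = proxy under [proxy].
BAD_LOCAL = """
[telnet]
enabled = true
[proxy]
backend = proxy
pool = local
[backend_pool]
guest_hypervisor = qemu
"""


def load_layered(dist_text: str, local_text: str) -> configparser.ConfigParser:
    """Parse the shipped defaults first, then the site overrides on top."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(dist_text)
    cfg.read_string(local_text)
    return cfg


def check_proxy_config(cfg: configparser.ConfigParser) -> List[str]:
    """Return a list of problems; an empty list means proxy mode is selected correctly."""
    problems = []
    for (section, key), want in EXPECTED.items():
        got = cfg.get(section, key, fallback=None)
        if got is None:
            problems.append(f"[{section}] {key} is not set (expected {want})")
        elif got.strip().lower() != want:
            problems.append(f"[{section}] {key} = {got.strip()!r}, expected {want!r}")
    for section, key in REQUIRED:
        if not cfg.get(section, key, fallback="").strip():
            problems.append(f"[{section}] {key} is missing or empty")
    # The common slip: the mode switch belongs in [honeypot], not [proxy].
    if cfg.get("proxy", "backend", fallback="").strip().lower() == "proxy":
        problems.append("[proxy] backend = proxy looks like it was meant for [honeypot]; "
                        "[proxy] backend should be 'pool' for a Cowrie-managed VM pool")
    return problems


if __name__ == "__main__":
    for label, local in (("good", GOOD_LOCAL), ("bad", BAD_LOCAL)):
        print(label, check_proxy_config(load_layered(DIST_SAMPLE, local)) or "OK")
```

To run it against the real files, replace the two strings with the contents of /home/cowrie/cowrie/etc/cowrie.cfg.dist and /home/cowrie/cowrie/etc/cowrie.cfg; an empty result means the four sections agree with what the post configures.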
/home/cowrie/cowrie/bin/cowrie restart
On success the log shows QEMU and the VMs booting:
tail /home/cowrie/cowrie/var/log/cowrie/cowrie.log
2022-10-12T17:23:55.015620Z [-] PoolServerFactory starting on 6415
2022-10-12T17:23:55.016495Z [backend_pool.pool_server.PoolServerFactory#info] Starting factory <backend_pool.pool_server.PoolServerFactory object at 0x7f70282af0d0>
2022-10-12T17:23:55.145134Z [-] Connection to QEMU established
2022-10-12T17:23:55.146096Z [-] Could not get domain list
2022-10-12T17:23:55.146459Z [-] Could not get network list
2022-10-12T17:23:55.489380Z [backend_pool.pool_server.PoolServerFactory] Received connection from 127.0.0.1:53252
2022-10-12T17:23:55.490334Z [Uninitialized] Initialising pool with Cowrie settings...
2022-10-12T17:23:55.490911Z [PoolClient,client] VM pool fully initialised
2022-10-12T17:23:55.491592Z [PoolClient,client] CowrieSSHFactory starting on 2222
2022-10-12T17:23:55.491727Z [cowrie.ssh.factory.CowrieSSHFactory#info] Starting factory <cowrie.ssh.factory.CowrieSSHFactory object at 0x7f7024dc1250>
2022-10-12T17:23:55.641147Z [PoolClient,client] Ready to accept SSH connections
2022-10-12T17:23:57.827978Z [-] Guest cowrie-ubuntu18.04_eb947f154ba840df994b81b2911022c6 has booted
2022-10-12T17:24:00.024025Z [-] Guest cowrie-ubuntu18.04_39987989425c4f29a0ed0100ba8da112 has booted
2022-10-12T17:24:02.812072Z [-] Guest cowrie-ubuntu18.04_887962ceb1234960933df63be0c342f9 has booted
2022-10-12T17:24:05.880443Z [-] Guest cowrie-ubuntu18.04_75954020ac8a4998986508673255d5d3 has booted
2022-10-12T17:24:09.311615Z [-] Guest cowrie-ubuntu18.04_0af7d83cd5f04db5a5546a85bc8d094b has booted
2022-10-12T17:26:09.901863Z [-] Guest 0 ready for connections @ 192.168.150.238! (boot 132s)
2022-10-12T17:26:10.023409Z [-] Guest 1 ready for connections @ 192.168.150.226! (boot 129s)
2022-10-12T17:26:10.216278Z [-] Guest 2 ready for connections @ 192.168.150.116! (boot 127s)
2022-10-12T17:26:16.125847Z [-] Guest 3 ready for connections @ 192.168.150.130! (boot 130s)
Be sure to wait for the VMs to finish booting; testing can only begin once the "Guest xxx ready for connections" lines above appear.
Once the proxy is set up, the biggest difference for an external connection is that the interaction happens in a real environment, so the honeypot is far less likely to give itself away through a command that errors out.
Below is Cowrie's log for a telnet session:
2022-10-13T01:20:01.776166Z [Uninitialized] Connected to Telnet backend at b'192.168.150.138'
2022-10-13T01:20:01.776310Z [Uninitialized] Connected to honeypot backend
2022-10-13T01:20:02.148050Z [BackendTelnetTransport,client] Login prompt from backend
2022-10-13T01:20:06.161068Z [FrontendTelnetTransport,2,192.168.41.99] User input login: test
2022-10-13T01:20:06.183898Z [BackendTelnetTransport,client] Password prompt from backend
2022-10-13T01:20:07.976896Z [FrontendTelnetTransport,2,192.168.41.99] User input password: test
2022-10-13T01:20:07.997906Z [FrontendTelnetTransport,2,192.168.41.99] login attempt [b'test'/b'test'] succeeded
2022-10-13T01:20:08.780124Z [FrontendTelnetTransport,2,192.168.41.99] CMD: b'test'
2022-10-13T01:20:08.865866Z [twisted.web.client._HTTP11ClientFactory#info] Starting factory _HTTP11ClientFactory(<function HTTPConnectionPool._newConnection.<locals>.quiescentCallback at 0x7f747d35a0d0>, <twisted.internet.endpoints._WrapperEndpoint object at 0x7f747d351850>)
Below is Cowrie's log for an SSH session:
Currently, after a successful login there is a "Remote side sent SSH2_MSG_EXT_INFO after USERAUTH_SUCCESS" error; still debugging...
2022-10-13T01:21:32.090333Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: 192.168.41.99:57498 (192.168.41.185:2222) [session: 49cab075325e]
2022-10-13T01:21:32.187918Z [backend_pool.pool_server.PoolServerFactory] Received connection from 127.0.0.1:48818
2022-10-13T01:21:32.188500Z [Uninitialized] Connected to backend pool
2022-10-13T01:21:32.188816Z [PoolServer,8,127.0.0.1] Requesting a VM for attacker @ 192.168.41.99
2022-10-13T01:21:32.189018Z [PoolServer,8,127.0.0.1] Providing VM id 0
2022-10-13T01:21:32.189355Z [PoolClient,client] Got backend data from pool: 192.168.150.138:22
2022-10-13T01:21:32.189455Z [PoolClient,client] Snapshot file: /home/cowrie/cowrie/var/lib/cowrie/snapshots/snapshot-ubuntu18.04-1ed48e3fb45f441996e20a7a57bacc84.qcow2
2022-10-13T01:21:32.189592Z [cowrie.ssh_proxy.client_transport.BackendSSHFactory#info] Starting factory <cowrie.ssh_proxy.client_transport.BackendSSHFactory object at 0x7f747d351760>
2022-10-13T01:21:32.190569Z [Uninitialized] Connected to SSH backend at b'192.168.150.138'
2022-10-13T01:21:32.190832Z [Uninitialized] Connected to honeypot backend
2022-10-13T01:21:32.193717Z [FrontendSSHTransport,4,192.168.41.99] Remote SSH version: SSH-2.0-MoTTY_Release_0.77
2022-10-13T01:21:32.217440Z [FrontendSSHTransport,4,192.168.41.99] SSH client hassh fingerprint: 0198b477ac2115cc6d445da1fbb2d6c0
2022-10-13T01:21:32.219509Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] kex alg=b'curve25519-sha256' key alg=b'ssh-ed25519'
2022-10-13T01:21:32.219639Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] outgoing: b'aes256-ctr' b'hmac-sha1' b'zlib'
2022-10-13T01:21:32.219768Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] incoming: b'aes256-ctr' b'hmac-sha1' b'zlib'
2022-10-13T01:21:32.383067Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] NEW KEYS
2022-10-13T01:21:32.383699Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] starting service b'ssh-userauth'
2022-10-13T01:21:32.420586Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] kex alg=b'curve25519-sha256' key alg=b'ecdsa-sha2-nistp256'
2022-10-13T01:21:32.420771Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] outgoing: b'aes256-ctr' b'hmac-sha2-512' b'none'
2022-10-13T01:21:32.420873Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] incoming: b'aes256-ctr' b'hmac-sha2-512' b'none'
2022-10-13T01:21:32.523141Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] NEW KEYS
2022-10-13T01:21:32.523317Z [BackendSSHTransport,client] Backend Connection Secured
2022-10-13T01:21:32.523498Z [BackendSSHTransport,client] Connection to client not ready, buffering packet from backend
2022-10-13T01:21:34.177729Z [cowrie.ssh_proxy.userauth.ProxySSHAuthServer#debug] b'test' trying auth b'none'
2022-10-13T01:21:35.661230Z [cowrie.ssh_proxy.userauth.ProxySSHAuthServer#debug] b'test' trying auth b'password'
2022-10-13T01:21:35.711072Z [FrontendSSHTransport,4,192.168.41.99] login attempt [b'test'/b'test'] succeeded
2022-10-13T01:21:35.712512Z [FrontendSSHTransport,4,192.168.41.99] Initialized emulated server as architecture: linux-x64-lsb
2022-10-13T01:21:35.741934Z [FrontendSSHTransport,4,192.168.41.99] Will auth with backend: root/root
2022-10-13T01:21:37.250228Z [FrontendSSHTransport,4,192.168.41.99] got channel b'session' request
2022-10-13T01:21:37.251033Z [FrontendSSHTransport,4,192.168.41.99] got channel b'session' request
2022-10-13T01:21:39.457649Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#info] connection lost
2022-10-13T01:21:39.457899Z [FrontendSSHTransport,4,192.168.41.99] Connection lost after 7 seconds
2022-10-13T01:21:39.459873Z [BackendSSHTransport,client] Lost connection with the pool backend: id 0
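The pool-startup log above tells you when testing may begin, and the telnet and SSH logs show which guest a session was handed and what the client did inside it. The following is an added example, not code from the post or from Cowrie, that parses both kinds of line: it reports how many guests booted and which are "ready for connections", and turns the session lines (VM request and hand-out, login attempts, commands, VM release) into a flat event list. The regular expressions are an assumption about the log format based only on the lines shown in this post; the POOL_LOG and SESSION_LOG samples are constructed from those lines.

```python
"""Parse Cowrie proxy-mode log lines: pool readiness and proxied sessions.

The patterns below are written against the lines shown in the post and are an
assumption about the format, not Cowrie's own log parser.
"""
import re
from typing import Dict, List

BOOTED_RE = re.compile(r"Guest (\S+) has booted")
READY_RE = re.compile(r"Guest (\d+) ready for connections @ ([\d.]+)! \(boot (\d+)s\)")
REQUEST_RE = re.compile(r"Requesting a VM for attacker @ ([\d.]+)")
PROVIDE_RE = re.compile(r"Providing VM id (\d+)")
LOST_RE = re.compile(r"Lost connection with the pool backend: id (\d+)")
LOGIN_RE = re.compile(r"\[(\w+),\d+,([\d.]+)\] login attempt \[b'([^']*)'/b'([^']*)'\] (succeeded|failed)")
CMD_RE = re.compile(r"\[(\w+),\d+,([\d.]+)\] CMD: b'(.*)'")

# Constructed sample: pool-startup lines taken from the post.
POOL_LOG = [
    "2022-10-12T17:23:57.827978Z [-] Guest cowrie-ubuntu18.04_eb947f154ba840df994b81b2911022c6 has booted",
    "2022-10-12T17:24:00.024025Z [-] Guest cowrie-ubuntu18.04_39987989425c4f29a0ed0100ba8da112 has booted",
    "2022-10-12T17:24:02.812072Z [-] Guest cowrie-ubuntu18.04_887962ceb1234960933df63be0c342f9 has booted",
    "2022-10-12T17:24:05.880443Z [-] Guest cowrie-ubuntu18.04_75954020ac8a4998986508673255d5d3 has booted",
    "2022-10-12T17:24:09.311615Z [-] Guest cowrie-ubuntu18.04_0af7d83cd5f04db5a5546a85bc8d094b has booted",
    "2022-10-12T17:26:09.901863Z [-] Guest 0 ready for connections @ 192.168.150.238! (boot 132s)",
    "2022-10-12T17:26:10.023409Z [-] Guest 1 ready for connections @ 192.168.150.226! (boot 129s)",
    "2022-10-12T17:26:10.216278Z [-] Guest 2 ready for connections @ 192.168.150.116! (boot 127s)",
    "2022-10-12T17:26:16.125847Z [-] Guest 3 ready for connections @ 192.168.150.130! (boot 130s)",
]

# Constructed sample: session lines taken from the telnet and SSH logs in the post.
SESSION_LOG = [
    "2022-10-13T01:20:07.997906Z [FrontendTelnetTransport,2,192.168.41.99] login attempt [b'test'/b'test'] succeeded",
    "2022-10-13T01:20:08.780124Z [FrontendTelnetTransport,2,192.168.41.99] CMD: b'test'",
    "2022-10-13T01:21:32.188816Z [PoolServer,8,127.0.0.1] Requesting a VM for attacker @ 192.168.41.99",
    "2022-10-13T01:21:32.189018Z [PoolServer,8,127.0.0.1] Providing VM id 0",
    "2022-10-13T01:21:35.711072Z [FrontendSSHTransport,4,192.168.41.99] login attempt [b'test'/b'test'] succeeded",
    "2022-10-13T01:21:39.459873Z [BackendSSHTransport,client] Lost connection with the pool backend: id 0",
]


def parse_pool_status(lines: List[str]) -> Dict:
    """Count booted guests and map guest id -> (ip, boot seconds) for those ready."""
    booted, ready = set(), {}
    for line in lines:
        m = BOOTED_RE.search(line)
        if m:
            booted.add(m.group(1))
            continue
        m = READY_RE.search(line)
        if m:
            ready[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return {"booted": len(booted), "ready": ready}


def pool_is_ready(lines: List[str], expected_guests: int) -> bool:
    """True once at least expected_guests VMs have reported 'ready for connections'."""
    return len(parse_pool_status(lines)["ready"]) >= expected_guests


def _proto(transport: str) -> str:
    return "telnet" if "Telnet" in transport else "ssh"


def parse_sessions(lines: List[str]) -> List[Dict[str, str]]:
    """Turn per-session log lines into a flat list of events."""
    events = []
    for line in lines:
        ts = line.split(" ", 1)[0]
        if m := LOGIN_RE.search(line):
            events.append({"ts": ts, "proto": _proto(m.group(1)), "src": m.group(2),
                           "event": "login_" + m.group(5), "detail": f"{m.group(3)}/{m.group(4)}"})
        elif m := CMD_RE.search(line):
            events.append({"ts": ts, "proto": _proto(m.group(1)), "src": m.group(2),
                           "event": "cmd", "detail": m.group(3)})
        elif m := REQUEST_RE.search(line):
            events.append({"ts": ts, "proto": "pool", "src": m.group(1),
                           "event": "vm_requested", "detail": ""})
        elif m := PROVIDE_RE.search(line):
            events.append({"ts": ts, "proto": "pool", "src": "", "event": "vm_provided", "detail": m.group(1)})
        elif m := LOST_RE.search(line):
            events.append({"ts": ts, "proto": "pool", "src": "", "event": "vm_released", "detail": m.group(1)})
    return events


if __name__ == "__main__":
    print(parse_pool_status(POOL_LOG))
    for e in parse_sessions(SESSION_LOG):
        print(e)
```

Feeding the real file to these functions (for example the lines of /home/cowrie/cowrie/var/log/cowrie/cowrie.log) gives a quick way to script the "wait until the guests are ready" step and to pair each session with the VM id it was given and the moment that VM was released.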
Cowrie official documentation - Using Proxy
[Cowrie honeypot series 2] Configuring the Cowrie honeypot proxy to become a high-interaction honeypot (avoiding pitfalls)