Forensics

cowrie v1.6.0 releases: Cowrie SSH/Telnet Honeypot

do son April 4, 2019 No Comments ssh honeypottelnet honeypot

What is Cowrie

Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.

Cowrie is developed by Michel Oosterhof.

Features

Some interesting features:

  • Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
  • Possibility of adding fake file contents so the attacker can cat files such as /etc/passwd. Only minimal file contents are included
  • Session logs stored in an UML Compatible format for easy replay with original timings
  • Cowrie saves files downloaded with wget/curl or uploaded with SFTP and SCP for later inspection

Additional functionality over standard kippo:

  • SFTP and SCP support for file upload
  • Support for SSH exec commands
  • Logging of direct-tcp connection attempts (ssh proxying)
  • Forward SMTP connections to SMTP Honeypot (e.g. mailoney)
  • Logging in JSON format for easy processing in log management solutions
  • Many, many additional commands

Files of interest:

  • cowrie.cfg – Cowrie’s configuration file. Default values can be found in cowrie.cfg.dist
  • data/fs.pickle – fake filesystem
  • data/userdb.txt – credentials allowed or disallowed to access the honeypot
  • dl/ – files transferred from the attacker to the honeypot are stored here
  • honeyfs/ – file contents for the fake filesystem – feel free to copy a real system here or use bin/fsctl
  • log/cowrie.json – transaction output in JSON format
  • log/cowrie.log – log/debug output
  • log/tty/*.log – session logs
  • txtcmds/ – file contents for the fake commands
  • bin/createfs – used to create the fake filesystem
  • bin/playlog – utility to replay session logs

Changelog

v1.6.0

  • 2019-03-31 New documentation theme
  • 2019-03-23 Greynoise output plugin (@mzfr)
  • 2019-03-19 direct-tcp forwarding now written to databases (@gborges)
  • 2019-03-19 Reverse DNS output plugin (@mzfr)
  • 2019-03-17 Shell emulation pipe upgrade (@NunoNovais)
  • 2019-03-14 Shell emulation environment variables improved (@NunoNovais)
  • 2019-03-14 SSH crypto parameters now configurable in config file (@msharma)
  • 2019-03-13 Disable keyboard-interactive authentication by default with option to enable
  • 2019-03-13 Added wccrontabchpasswd command (@NunoNovais)
  • 2019-
  • 2019-03-07 Output of ssh -V now configurable in cowrie.cfg with ssh_version setting
  • 2019-03-07 Multiple timezone support in cowrie.cfg timezone directive. Default timezone is now UTC for both cowrie.log and cowrie.json
  • 2019-03-12 Handle multiple password prompt. Option to enable or disable keyboard interactive prompt.

Docker

Docker versions are available.

  • Get the Dockerfile directly at
    https://github.com/cowrie/docker-cowrie
  • Run from the Docker registry with:
    docker pull cowrie/cowrie


Install

Use

Copyright (c) 2009 UPI Tamminen All rights reserved.

Source: https://github.com/micheloosterhof/

Share