cowrie#

介绍#

git地址:https://github.com/cowrie/cowrie 文档地址:https://docs.cowrie.org/en/latest/

安装#

目录结构#

cowrie
├── bin
├── CHANGELOG.rst
├── CONTRIBUTING.rst
├── docker
├── docs
├── etc
├── fs
├── honeyfs
├── INSTALL.rst
├── LICENSE.rst
├── Makefile
├── MANIFEST.in
├── pyproject.toml
├── README.rst
├── requirements-output.txt
├── requirements.txt
├── share
├── src
└── var

安装部署#

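# Build dependencies plus authbind (lets the unprivileged cowrie user bind
# ports <1024 directly, if you prefer that to the iptables redirect below).
apt-get install git python3-pip python3-venv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind
# Run the honeypot as a dedicated, password-less, non-root account.
adduser --disabled-password cowrie
# Everything from here to `exit` runs as that account, in /home/cowrie
# (the later sections of this page assume ~/cowrie).
su - cowrie
# Clone over https; the original used http, and a cleartext clone can be
# tampered with in transit.
git clone https://github.com/cowrie/cowrie
cd cowrie
python3 -m venv cowrie-env
source cowrie-env/bin/activate
pip install --upgrade pip
# The venv is empty until the pinned runtime deps are installed; the
# original skipped this step.
pip install -r requirements.txt
# The launcher lives in bin/, it is not on PATH.
bin/cowrie start
exit
# Back as root: expose the honeypot on the real ports. Move the real sshd
# off port 22 first, otherwise this rule makes it unreachable. The cfg on
# this page also enables telnet on 2223, so redirect 23 as well.
iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
iptables -t nat -A PREROUTING -p tcp --dport 23 -j REDIRECT --to-port 2223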

配置文件及字典文件#

配置文件#

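# cowrie.cfg
# Read by cowrie through configparser with ${section:key} interpolation.
# Relative paths resolve against the directory cowrie is started from.
[honeypot]
# Identity the attacker sees and every log event carries. Keep it consistent
# with honeyfs/etc/hostname so the fake host does not contradict itself.
sensor_name = iZj6cgqnpiye12okkzx3fxZ
hostname = iZj6cgqnpiye12okkzx3fxZ
log_path = var/log/cowrie
download_path = ${honeypot:state_path}/downloads
data_path = src/cowrie/data
state_path = var/lib/cowrie
etc_path = etc
# Absolute path (as is [shell] filesystem below) while everything else is
# relative. This only works if the tree really lives at /cowrie, not in
# ~/cowrie as the install steps on this page assume.
contents_path = /cowrie/honeyfs
txtcmds_path = txtcmds
# Record full terminal I/O of every session.
ttylog = true
ttylog_path = ${honeypot:state_path}/tty
# seconds
idle_timeout = 180
# seconds
authentication_timeout = 120
# "shell" = emulated shell only. The [backend_pool] and [proxy] sections
# below are presumably not consulted unless this is switched to proxy.
backend = shell
logtype = rotating
timezone = Asia/Shanghai
# Login/password policy comes from etc/userdb.txt.
auth_class = UserDB

[backend_pool]
pool_only = false
recycle_period = 1500
# Loopback only: the pool control port must never be reachable from outside.
listen_endpoints = tcp:6415:interface=127.0.0.1
save_snapshots = false
snapshot_path = ${honeypot:state_path}/snapshots
config_files_path = ${honeypot:data_path}/pool_configs
network_config = default_network.xml
nw_filter_config = default_filter.xml
libvirt_uri = qemu:///system
guest_config = default_guest.xml
# Private key used to reach the guest VMs; protect it like any SSH key.
guest_privkey = ${honeypot:state_path}/ubuntu18.04-guest
guest_tag = ubuntu18.04
guest_ssh_port = 22
guest_telnet_port = 23
guest_image_path = /home/cowrie/cowrie-imgs/ubuntu18.04-minimal.qcow2
guest_hypervisor = kvm
guest_memory = 512
guest_qemu_machine = pc-q35-bionic
use_nat = true
nat_public_ip = 192.168.1.40

[proxy]
backend = pool
backend_ssh_host = localhost
backend_ssh_port = 2022
backend_telnet_host = localhost
backend_telnet_port = 2023
pool_max_vms = 5
# seconds
pool_vm_unused_timeout = 600
pool_share_guests = true
pool = local
# NOTE(review): the pool above listens on 127.0.0.1:6415, not 192.168.1.40;
# with pool = local this is presumably ignored, but confirm before enabling.
pool_host = 192.168.1.40
pool_port = 6415
# Credentials the proxy uses to drive the guest VM. These are the image
# defaults and sit in plain text; change them in the image and here before
# enabling the pool backend, and keep this file 0600.
backend_user = root
backend_pass = root
telnet_spoof_authentication = true
telnet_username_prompt_regex = (\n|^)ubuntu login: .*
telnet_password_prompt_regex = .*Password: .*
telnet_username_in_negotiation_regex = (.*\xff\xfa.*USER\x01)(.*?)(\xff.*)
log_raw = false

# Empty; presumably only used by newer releases when backend = llm.
[llm]

[shell]
# Pickled fake filesystem (see the createfs step later on this page).
filesystem = /cowrie/share/cowrie/fs.pickle
processes = ${honeypot:data_path}/cmdoutput.json
arch = linux-x64-lsb
# uname / ssh -V output. Keep these, the [ssh] version banner and the
# honeyfs issue/motd files describing the same release, or the host is
# trivially fingerprinted as a honeypot.
kernel_version = 6.8.0-90-generic
hardware_platform = x86_64
operating_system = GNU/Linux
ssh_version = OpenSSH_9.6p1, OpenSSL 3.0.11  19 Sep 2023

[ssh]
enabled = true
# Host keys live under state_path; keep them stable across restarts so the
# host fingerprint does not change between attacker visits.
rsa_public_key = ${honeypot:state_path}/ssh_host_rsa_key.pub
rsa_private_key = ${honeypot:state_path}/ssh_host_rsa_key
ecdsa_public_key = ${honeypot:state_path}/ssh_host_ecdsa_key.pub
ecdsa_private_key = ${honeypot:state_path}/ssh_host_ecdsa_key
ed25519_public_key = ${honeypot:state_path}/ssh_host_ed25519_key.pub
ed25519_private_key = ${honeypot:state_path}/ssh_host_ed25519_key
public_key_auth = ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
version = SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3
# Weak algorithms (3des-cbc, cast128-cbc, hmac-md5, hmac-sha1) are offered on
# purpose so old attacker tooling can still connect; the session protects
# nothing. Do not copy this list to a real sshd.
ciphers = aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,cast128-cbc
macs = hmac-sha2-512,hmac-sha2-384,hmac-sha2-256,hmac-sha1,hmac-md5
compression = zlib@openssh.com,zlib,none
# Unprivileged port; real port 22 is mapped here by the iptables redirect.
listen_endpoints = tcp:2222:interface=0.0.0.0
sftp_enabled = false
# All three stay off so the honeypot cannot be used as a relay or pivot to
# other hosts. If you enable forwarding, point forward_redirect at a sink.
forwarding = false
forward_redirect = false
forward_tunnel = false
# Never let an arbitrary key log in; offered keys are still logged.
auth_publickey_allow_any = false
auth_keyboard_interactive_enabled = false

[telnet]
enabled = true
# Unprivileged port; the install step on this page only redirects 22, so
# add a matching redirect for 23 or nothing will reach this listener.
listen_endpoints = tcp:2223:interface=0.0.0.0

[output_jsonlog]
enabled = true
logfile = ${honeypot:log_path}/cowrie.json
epoch_timestamp = false

# audit.log is what the fail2ban filter later on this page reads.
[output_textlog]
enabled = true
logfile = ${honeypot:log_path}/audit.log
format = text

[output_mysql]
enabled = true
host = 127.0.0.1
database = cowrie
username = cowrie
# The original shipped the default cowrie/cowrie pair. Use the value chosen
# in the CREATE USER step below, and keep this file readable only by the
# cowrie user: it is a plain-text secret.
password = PASSWORD HERE
port = 3306
debug = false
# ... remaining sections omitted (the original page ended with a bare
# "....." line, which configparser rejects).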

字典文件#

# etc/userdb.txt
# Login/password policy for auth_class = UserDB. One entry per line:
#   login:x:password
# '*' in the login or password field matches anything; a leading '!' in the
# password field rejects that password instead of accepting it.
# NOTE(review): cowrie appears to evaluate entries top-down with the first
# match deciding, so order matters — confirm against the docs.
# NOTE(review): 'root:x:!' has nothing after the '!', so it presumably
# rejects only the empty password; the shipped etc/userdb.example uses
# entries such as 'root:x:!root' to reject specific weak passwords.
root:x:!
admin:x:!
ubuntu:x:!
centos:x:!

# Any password is accepted for these two accounts.
tomcat:x:*
oracle:x:*
# Catch-all: every other login is accepted with any password. The
# '*:x:somepassword' entry is redundant given the '*:x:*' after it.
*:x:somepassword
*:x:*

虚拟操作系统#

虚拟操作系统#

honeyfs/etc/
├── group
├── host.conf
├── hostname
├── hosts
├── inittab
├── issue
├── issue.net
├── motd
├── passwd
├── resolv.conf
└── shadow

自定义虚拟操作系统#

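source cowrie-env/bin/activate
# createfs -l YOUR-DIR -d DEPTH -o custom.pickle
# (the original page spelled the tool "reatefs"; the cowrie command is createfs)
# Snapshotting the real host's / to depth 3 bakes real directory and file
# names — user names, installed packages, tooling — into the honeypot image.
# Run this on a clean, throw-away VM or container, not on the honeypot host.
createfs -l / -d 3 -o custom.pickle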
#cowrie.cfg
# Point the shell backend at the generated pickle. A relative path resolves
# against cowrie's working directory; the full cfg above used an absolute one.
[shell]
filesystem = custom.pickle

自定义操作系统内存#

# free 命令由 src/cowrie/commands/free.py 实现，其输出取自 honeyfs/proc/meminfo
修改 honeyfs/proc/meminfo 即可自定义蜜罐显示的内存大小；数值应与 cpuinfo、issue 等文件描述的机器规格保持一致，避免被指纹识别

自定义操作系统CPU#

修改 honeyfs/proc/cpuinfo（即攻击者 `cat /proc/cpuinfo` 看到的内容）；核数、型号应与 meminfo、kernel_version 等设置相称

其它配置#

honeyfs/etc/
├── group
├── host.conf
├── hostname #主机名
├── hosts 
├── inittab
├── issue # 虚拟操作系统信息
├── issue.net
├── motd # 虚拟操作系统欢迎信息
├── passwd # 攻击者登录后常读取的文件，账号应与 etc/userdb.txt 中允许的登录名一致
├── resolv.conf
└── shadow # 同上；切勿放入真实主机的 shadow 内容

记录登录账户密码等#

# Switch to the honeypot account; the venv lives under its ~/cowrie checkout.
su - cowrie
. cowrie/cowrie-env/bin/activate
# Driver for the output_mysql plugin (also listed in requirements-output.txt).
pip install mysql-connector-python

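-- mysql (run as an administrative account, e.g. root)
-- The database must exist before the GRANT and before `USE cowrie` below;
-- the original page omitted this statement.
CREATE DATABASE cowrie;
-- Dedicated account, local connections only. Replace the placeholder.
CREATE USER 'cowrie'@'localhost' IDENTIFIED BY 'PASSWORD HERE';
-- Least privilege for the output plugin: it only reads and writes rows.
-- NOTE(review): no CREATE is granted here, so loading docs/sql/mysql.sql as
-- 'cowrie' in the next step will likely be denied; load the schema as root,
-- or grant CREATE temporarily and revoke it afterwards.
GRANT INSERT, SELECT, UPDATE ON cowrie.* TO 'cowrie'@'localhost';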

# Load the schema: first two lines in the shell, the rest inside the mysql client.
cd ~/cowrie/docs/sql/
# Connects over the local socket, which is what 'cowrie'@'localhost' matches.
mysql -u cowrie -p
# NOTE(review): mysql.sql creates tables, which needs CREATE on cowrie.* —
# not part of the GRANT above. If this is denied, run it as root instead.
USE cowrie;
source mysql.sql;

# cowrie.cfg
# MySQL output plugin; replaces the [output_mysql] block in the full cfg above.
[output_mysql]
# 'localhost' uses the local socket and matches the 'cowrie'@'localhost'
# account. NOTE(review): with 127.0.0.1 and skip_name_resolve enabled, MySQL
# may treat the connection as a TCP host that does not match @'localhost'.
host = localhost
database = cowrie
username = cowrie
# Plain-text secret: keep etc/cowrie.cfg readable only by the cowrie user
# (chmod 600) and out of version control.
password = PASSWORD HERE
port = 3306
debug = false
enabled = true

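# Restart so the output_mysql plugin is loaded. `&&` stops a failed cd from
# running ./cowrie out of whatever directory you happened to be in.
cd ~/cowrie/bin/ && ./cowrie restart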

应对方式#

Fail2ban#

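# filter.d/cowrie.conf
# Matches the textlog line cowrie writes for every inbound connection
# (roughly "... New connection: 1.2.3.4:54321 (10.0.0.5:2222) [session: ...]"),
# so a ban is triggered by connection attempts, before any authentication.
[Definition]
failregex = New connection: <HOST>:\d+
# NOTE(review): if fail2ban does not recognise the ISO-8601 timestamp that
# starts each audit.log line, add a datepattern here; test with fail2ban-regex.

# jail.d
[cowrie]
enabled = true
filter = cowrie
# Must match [honeypot] log_path resolved against the install directory
# (the cfg above uses the relative path var/log/cowrie).
logpath = /cowrie/var/log/cowrie/audit.log
maxretry = 5
# seconds
findtime = 600
# Time-unit suffixes need fail2ban >= 0.10; older releases expect seconds.
bantime = 7d
backend = polling
# iptables-allports blocks the offender on every port, not just the honeypot.
# List your own management and monitoring addresses here, or a ban can lock
# you out of the host.
ignoreip = 127.0.0.1/8 ::1
action = iptables-allports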

ssh#

  1. 修改真实 ssh 服务的端口（sshd_config 中的 Port）：上文 iptables 已把 22 重定向到蜜罐的 2222，真实 sshd 若仍在 22 将不可达，且新端口不能落在重定向规则内
  2. 使用密钥登录并关闭口令认证（PasswordAuthentication no），避免真实服务被暴力破解
  3. 禁止使用 root 远程登录（PermitRootLogin no）
  4. 安全组/防火墙白名单机制：真实 ssh 端口仅允许运维来源 IP 访问，蜜罐端口 22/23 保持对外开放