一个非常简单的 SSH 服务器,使用thrussh公开bashshell 的模拟版本、一些命令和 SSH 子系统,充当潜在破解者的蜜罐。
客户端在连接上执行的所有操作都以 JSON 格式记录在审核日志文件中。
服务器暴露了什么?
命令
- echo
- exit
- ls
- pwd
- scp
- uname
- whoami
子系统
- shell
- sftp
如何?
没有任何命令或实用程序会退出或以其他方式与您的操作系统交互,您基本上可以将蜜罐视为“气隙”。尽管出于所有意图和目的,感觉就像您正在连接到实际的服务器,但实际上您正在与常见命令和实用程序的非常简单的部分重新实现进行交互,这些命令和实用程序除了返回预期输出并写入审核日志之外不执行任何操作。
例子
$ ssh root@127.0.0.1
bash-5.1$ pwd
/root
bash-5.1$ echo test
test
bash-5.1$ uname -a
Linux cd5079c0d642 5.15.49 #1 SMP PREEMPT Tue Sep 13 07:51:32 UTC 2022 x86_64 GNU/Linux
bash-5.1$ whoami
root
bash-5.1$ exit
$ echo test > test
$ scp test root@127.0.0.1:test
(root@127.0.0.1) Password:
test 100% 5 0.1KB/s 00:00$ cat audit.log | tail -n 2 | jq
{
"connection_id": "464d87c9-e8fc-4d24-ab6f-34ee67b094f5",
"ts": "2023-08-10T20:46:09.837165036Z",
"peer_address": "127.0.0.1:31732",
"host": "my-cool-honeypot.dev",
"environment_variables": [
["LC_TERMINAL_VERSION", "4.5.20"],
["LANG", "en_GB.UTF-8"],
["LC_TERMINAL", "iTerm2"]
],
"events": [
{
"start_offset": {
"secs": 1,
"nanos": 362803172
},
"action": {
"type": "login-attempt",
"credential-type": "public-key",
"kind": "ssh-ed25519",
"fingerprint": "AAAAC3NzaC1lZDI1NTE5AAAAIK3kwN10QmXsnt7jlZ7mYWXdwjfBmgK3fIp5rji"
}
},
{
"start_offset": {
"secs": 7,
"nanos": 85973767
},
"action": {
"type": "login-attempt",
"credential-type": "username-password",
"username": "root",
"password": "root"
}
},
{
"start_offset": {
"secs": 7,
"nanos": 190169895
},
"action": {
"type": "shell-requested"
}
},
{
"start_offset": {
"secs": 11,
"nanos": 153124524
},
"action": {
"type": "exec-command",
"args": ["pwd"]
}
},
{
"start_offset": {
"secs": 14,
"nanos": 342192712
},
"action": {
"type": "exec-command",
"args": ["echo", "test"]
}
},
{
"start_offset": {
"secs": 63,
"nanos": 599852779
},
"action": {
"type": "exec-command",
"args": ["uname", "-a"]
}
},
{
"start_offset": {
"secs": 67,
"nanos": 368327325
},
"action": {
"type": "exec-command",
"args": ["whoami"]
}
},
{
"start_offset": {
"secs": 166,
"nanos": 208707438
},
"action": {
"type": "exec-command",
"args": ["exit"]
}
}
]
}
{
"...": "...",
"events": [
"...",
{
"start_offset": {
"secs": 4,
"nanos": 196898172
},
"action": {
"type": "subsystem-request",
"name": "sftp"
}
},
{
"start_offset": {
"secs": 4,
"nanos": 404745407
},
"action": {
"type": "write-file",
"path": "test",
"content": [116, 101, 115, 116, 10] // test
}
}
]
}运行服务器
从源头
存储库中提供了示例配置,运行服务器就像使用cargo build --release并调用构建二进制文件一样简单./pisshoff-server -c config.toml。
NixOS
在 NixOS 上运行 pisshoff 非常简单,只需将模块导入到 flake.nix 中并使用提供的服务即可:
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
pisshoff = {
url = "github:w4/pisshoff";
inputs.nixpkgs = "nixpkgs";
};
};
outputs = { nixpkgs, ... }: {
nixosConfigurations.mySystem = nixpkgs.lib.nixosSystem {
modules = [
pisshoff.nixosModules.default
{
services.pisshoff = {
enable = true;
settings = {
listen-address = "127.0.0.1:2233";
access-probability = "0.2";
audit-output-file = "/var/log/pisshoff/audit.jsonl";
};
};
}
...
];
};
};
}Docker
在 Docker 中运行 pisshoff 也很简单:
$ docker run -d --name pisshoff ghcr.io/w4/pisshoff:master
$ docker exec -it pisshoff tail -f audit.jsonl项目地址
pisshoff:【Github地址】
© 版权声明
THE END
暂无评论内容