cowrie/README.md


# Welcome to the Cowrie GitHub repository

This is the official repository for the Cowrie SSH and Telnet
Honeypot effort.

# What is Cowrie

Cowrie is a medium interaction SSH and Telnet honeypot designed to
log brute force attacks and the shell interaction performed by the
attacker.

[Cowrie](http://github.com/micheloosterhof/cowrie/) is developed by Michel Oosterhof.

## Features

Some interesting features:

* Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
* Possibility of adding fake file contents so the attacker can `cat` files such as `/etc/passwd`. Only minimal file contents are included
* Session logs stored in an [UML Compatible](http://user-mode-linux.sourceforge.net/)  format for easy replay with original timings
* Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection

Additional functionality over standard kippo:

* SFTP and SCP support for file upload
* Support for SSH exec commands
* Logging of direct-tcp connection attempts (ssh proxying)
* Forward SMTP connections to SMTP Honeypot (e.g. [mailoney](https://github.com/awhitehatter/mailoney))
* Logging in JSON format for easy processing in log management solutions
* Many, many additional commands

## Requirements

Software required:

* Python 2.7+, (Python 3 not yet supported due to Twisted dependencies)
* python-virtualenv

For Python dependencies, see requirements.txt

## Files of interest:

* `cowrie.cfg` - Cowrie's configuration file. Default values can be found in `cowrie.cfg.dist`
* `data/fs.pickle` - fake filesystem
* `data/userdb.txt` - credentials allowed or disallowed to access the honeypot
* `dl/` - files transferred from the attacker to the honeypot are stored here
* `honeyfs/` - file contents for the fake filesystem - feel free to copy a real system here or use `bin/fsctl`
* `log/cowrie.json` - transaction output in JSON format
* `log/cowrie.log` - log/debug output
* `log/tty/*.log` - session logs
* `txtcmds/` - file contents for the fake commands
* `bin/createfs` - used to create the fake filesystem
* `bin/playlog` - utility to replay session logs

## Is it secure?

Maybe. See [FAQ](https://github.com/micheloosterhof/cowrie/wiki/Frequently-Asked-Questions)

## I have some questions!

Please visit https://github.com/micheloosterhof/cowrie/issues

## Contributors

Many people have contributed to Cowrie over the years. Special thanks to:

* Upi Tamminen (desaster) for all his work developing Kippo on which Cowrie was based
add readme file 2014-05-27 20:31:54 +00:00
update text 2016-11-09 18:36:15 +00:00			`# Welcome to the Cowrie GitHub repository`
update READM 2016-11-09 11:24:59 +00:00
			`This is the official repository for the Cowrie SSH and Telnet`
			`Honeypot effort.`

			`# What is Cowrie`

			`Cowrie is a medium interaction SSH and Telnet honeypot designed to`
			`log brute force attacks and the shell interaction performed by the`
			`attacker.`
add readme file 2014-05-27 20:31:54 +00:00
update README 2016-08-22 13:14:17 +00:00			`[Cowrie](http://github.com/micheloosterhof/cowrie/) is developed by Michel Oosterhof.`
add readme file 2014-05-27 20:31:54 +00:00
			`## Features`
Tweaked README (Files of interest) 2016-01-22 00:11:05 +00:00
add readme file 2014-05-27 20:31:54 +00:00			`Some interesting features:`
Tweaked README (Files of interest) 2016-01-22 00:11:05 +00:00
add readme file 2014-05-27 20:31:54 +00:00			`* Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included`
Tweaked README (Files of interest) 2016-01-22 00:11:05 +00:00			* Possibility of adding fake file contents so the attacker can `cat` files such as `/etc/passwd`. Only minimal file contents are included
Removed all trailing spaces 2014-05-28 04:13:55 +00:00			`* Session logs stored in an [UML Compatible](http://user-mode-linux.sourceforge.net/) format for easy replay with original timings`
missed some renames 2015-05-12 15:01:57 +00:00			`* Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection`
add readme file 2014-05-27 20:31:54 +00:00
more 2015-05-12 15:05:54 +00:00			`Additional functionality over standard kippo:`

			`* SFTP and SCP support for file upload`
			`* Support for SSH exec commands`
			`* Logging of direct-tcp connection attempts (ssh proxying)`
smtp forward 2016-04-25 14:45:44 +00:00			`* Forward SMTP connections to SMTP Honeypot (e.g. [mailoney](https://github.com/awhitehatter/mailoney))`
more 2015-05-12 15:05:54 +00:00			`* Logging in JSON format for easy processing in log management solutions`
			`* Many, many additional commands`

add readme file 2014-05-27 20:31:54 +00:00			`## Requirements`
Tweaked README (Files of interest) 2016-01-22 00:11:05 +00:00
add readme file 2014-05-27 20:31:54 +00:00			`Software required:`

document py3 2016-08-16 12:46:52 +00:00			`* Python 2.7+, (Python 3 not yet supported due to Twisted dependencies)`
in README.md refer to requirements.txt 2017-01-30 10:33:29 +00:00			`* python-virtualenv`

			`For Python dependencies, see requirements.txt`
start.sh and requirements improvements & no moduli fail fix with key exchanges (#194) * Extra arguments to start.sh and improved requirements doc Added possibly to pass extra arguments to twistd in start.sh (e.g. `env XARGS=--nodaemon ./start.sh`). Fixed list of the dependencies based on the issue micheloosterhof/cowrie#132 and added example of dependencies in practice for alpine:3.4. * Fixes no moduli fail with key exchanges Tries to fix issue micheloosterhof/cowrie#193 * Missing requirement and fixed logging 2016-06-19 13:36:48 +00:00
remove link 2015-05-12 15:26:42 +00:00			`## Files of interest:`
add readme file 2014-05-27 20:31:54 +00:00
Tweaked README (Files of interest) 2016-01-22 00:11:05 +00:00			* `cowrie.cfg` - Cowrie's configuration file. Default values can be found in `cowrie.cfg.dist`
			* `data/fs.pickle` - fake filesystem
			* `data/userdb.txt` - credentials allowed or disallowed to access the honeypot
			* `dl/` - files transferred from the attacker to the honeypot are stored here
update doc 2016-04-28 10:46:57 +00:00			* `honeyfs/` - file contents for the fake filesystem - feel free to copy a real system here or use `bin/fsctl`
Tweaked README (Files of interest) 2016-01-22 00:11:05 +00:00			* `log/cowrie.json` - transaction output in JSON format
			* `log/cowrie.log` - log/debug output
			* `log/tty/*.log` - session logs
			* `txtcmds/` - file contents for the fake commands
update doc 2016-04-28 10:46:57 +00:00			* `bin/createfs` - used to create the fake filesystem
			* `bin/playlog` - utility to replay session logs
add readme file 2014-05-27 20:31:54 +00:00
			`## Is it secure?`
Tweaked README (Files of interest) 2016-01-22 00:11:05 +00:00
new FAQ location 2016-09-18 16:48:49 +00:00			`Maybe. See [FAQ](https://github.com/micheloosterhof/cowrie/wiki/Frequently-Asked-Questions)`
add readme file 2014-05-27 20:31:54 +00:00
			`## I have some questions!`
Tweaked README (Files of interest) 2016-01-22 00:11:05 +00:00
cowrie rename 2015-05-12 14:57:29 +00:00			`Please visit https://github.com/micheloosterhof/cowrie/issues`
update README 2016-08-22 13:14:17 +00:00
			`## Contributors`

			`Many people have contributed to Cowrie over the years. Special thanks to:`

			`* Upi Tamminen (desaster) for all his work developing Kippo on which Cowrie was based`