2009-11-22 07:07:58 +00:00
|
|
|
# Copyright (c) 2009 Upi Tamminen <desaster@gmail.com>
|
|
|
|
|
# See the COPYRIGHT file for more information
|
|
|
|
|
|
2010-07-13 17:06:32 +00:00
|
|
|
import os, time, anydbm, datetime
|
2009-11-22 07:07:58 +00:00
|
|
|
from kippo.core.honeypot import HoneyPotCommand
|
|
|
|
|
from twisted.internet import reactor
|
2009-11-22 08:09:59 +00:00
|
|
|
from kippo.core.config import config
|
2011-02-05 21:53:54 +00:00
|
|
|
from kippo.core.userdb import UserDB
|
2009-11-22 07:07:58 +00:00
|
|
|
|
|
|
|
|
commands = {}
|
|
|
|
|
|
|
|
|
|
class command_whoami(HoneyPotCommand):
|
|
|
|
|
def call(self):
|
|
|
|
|
self.writeln(self.honeypot.user.username)
|
|
|
|
|
commands['/usr/bin/whoami'] = command_whoami
|
|
|
|
|
|
|
|
|
|
class command_uptime(HoneyPotCommand):
|
|
|
|
|
def call(self):
|
2009-11-25 19:02:16 +00:00
|
|
|
self.writeln(' %s up 14 days, 3:53, 0 users, load average: 0.08, 0.02, 0.01' % \
|
2009-11-22 07:07:58 +00:00
|
|
|
time.strftime('%H:%M:%S'))
|
|
|
|
|
commands['/usr/bin/uptime'] = command_uptime
|
|
|
|
|
|
|
|
|
|
class command_w(HoneyPotCommand):
|
|
|
|
|
def call(self):
|
2009-11-25 19:02:16 +00:00
|
|
|
self.writeln(' %s up 14 days, 3:53, 1 user, load average: 0.08, 0.02, 0.01' % \
|
2009-11-22 07:07:58 +00:00
|
|
|
time.strftime('%H:%M:%S'))
|
|
|
|
|
self.writeln('USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT')
|
2011-02-05 21:53:54 +00:00
|
|
|
self.writeln('%-8s pts/0 %s %s 0.00s 0.00s 0.00s w' % \
|
|
|
|
|
(self.honeypot.user.username,
|
|
|
|
|
self.honeypot.clientIP[:17].ljust(17),
|
2009-11-25 19:02:16 +00:00
|
|
|
time.strftime('%H:%M', time.localtime(self.honeypot.logintime))))
|
2009-11-22 07:07:58 +00:00
|
|
|
commands['/usr/bin/w'] = command_w
|
|
|
|
|
commands['/usr/bin/who'] = command_w
|
|
|
|
|
|
|
|
|
|
class command_echo(HoneyPotCommand):
|
|
|
|
|
def call(self):
|
|
|
|
|
self.writeln(' '.join(self.args))
|
|
|
|
|
commands['/bin/echo'] = command_echo
|
|
|
|
|
|
2010-05-29 12:42:42 +00:00
|
|
|
# for testing purposes
|
|
|
|
|
class command_exxxit(HoneyPotCommand):
|
|
|
|
|
def call(self):
|
|
|
|
|
self.honeypot.terminal.loseConnection()
|
|
|
|
|
commands['exxxit'] = command_exxxit
|
|
|
|
|
|
2009-11-22 07:07:58 +00:00
|
|
|
class command_exit(HoneyPotCommand):
|
|
|
|
|
def call(self):
|
2011-02-03 16:35:54 +00:00
|
|
|
if 'PuTTY' in self.honeypot.clientVersion or \
|
|
|
|
|
'libssh' in self.honeypot.clientVersion or \
|
|
|
|
|
'sshlib' in self.honeypot.clientVersion:
|
|
|
|
|
self.honeypot.terminal.loseConnection()
|
|
|
|
|
return
|
2009-11-22 07:07:58 +00:00
|
|
|
self.honeypot.terminal.reset()
|
|
|
|
|
self.writeln('Connection to server closed.')
|
|
|
|
|
self.honeypot.hostname = 'localhost'
|
2009-11-23 14:45:48 +00:00
|
|
|
self.honeypot.cwd = '/root'
|
2009-11-22 07:07:58 +00:00
|
|
|
commands['exit'] = command_exit
|
2010-06-21 04:57:24 +00:00
|
|
|
commands['logout'] = command_exit
|
2009-11-22 07:07:58 +00:00
|
|
|
|
|
|
|
|
class command_clear(HoneyPotCommand):
|
|
|
|
|
def call(self):
|
|
|
|
|
self.honeypot.terminal.reset()
|
|
|
|
|
commands['/usr/bin/clear'] = command_clear
|
|
|
|
|
|
|
|
|
|
class command_hostname(HoneyPotCommand):
|
|
|
|
|
def call(self):
|
|
|
|
|
self.writeln(self.honeypot.hostname)
|
|
|
|
|
commands['/bin/hostname'] = command_hostname
|
|
|
|
|
|
|
|
|
|
class command_uname(HoneyPotCommand):
|
|
|
|
|
def call(self):
|
|
|
|
|
if len(self.args) and self.args[0].strip() == '-a':
|
|
|
|
|
self.writeln(
|
|
|
|
|
'Linux %s 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686 GNU/Linux' % \
|
|
|
|
|
self.honeypot.hostname)
|
|
|
|
|
else:
|
|
|
|
|
self.writeln('Linux')
|
|
|
|
|
commands['/bin/uname'] = command_uname
|
|
|
|
|
|
|
|
|
|
class command_ps(HoneyPotCommand):
|
|
|
|
|
def call(self):
|
|
|
|
|
if len(self.args) and self.args[0].strip().count('a'):
|
|
|
|
|
output = (
|
|
|
|
|
'USER PID %%CPU %%MEM VSZ RSS TTY STAT START TIME COMMAND',
|
|
|
|
|
'root 1 0.0 0.1 2100 688 ? Ss Nov06 0:07 init [2] ',
|
|
|
|
|
'root 2 0.0 0.0 0 0 ? S< Nov06 0:00 [kthreadd]',
|
|
|
|
|
'root 3 0.0 0.0 0 0 ? S< Nov06 0:00 [migration/0]',
|
|
|
|
|
'root 4 0.0 0.0 0 0 ? S< Nov06 0:00 [ksoftirqd/0]',
|
|
|
|
|
'root 5 0.0 0.0 0 0 ? S< Nov06 0:00 [watchdog/0]',
|
|
|
|
|
'root 6 0.0 0.0 0 0 ? S< Nov06 0:17 [events/0]',
|
|
|
|
|
'root 7 0.0 0.0 0 0 ? S< Nov06 0:00 [khelper]',
|
|
|
|
|
'root 39 0.0 0.0 0 0 ? S< Nov06 0:00 [kblockd/0]',
|
|
|
|
|
'root 41 0.0 0.0 0 0 ? S< Nov06 0:00 [kacpid]',
|
|
|
|
|
'root 42 0.0 0.0 0 0 ? S< Nov06 0:00 [kacpi_notify]',
|
|
|
|
|
'root 170 0.0 0.0 0 0 ? S< Nov06 0:00 [kseriod]',
|
|
|
|
|
'root 207 0.0 0.0 0 0 ? S Nov06 0:01 [pdflush]',
|
|
|
|
|
'root 208 0.0 0.0 0 0 ? S Nov06 0:00 [pdflush]',
|
|
|
|
|
'root 209 0.0 0.0 0 0 ? S< Nov06 0:00 [kswapd0]',
|
|
|
|
|
'root 210 0.0 0.0 0 0 ? S< Nov06 0:00 [aio/0]',
|
|
|
|
|
'root 748 0.0 0.0 0 0 ? S< Nov06 0:00 [ata/0]',
|
|
|
|
|
'root 749 0.0 0.0 0 0 ? S< Nov06 0:00 [ata_aux]',
|
|
|
|
|
'root 929 0.0 0.0 0 0 ? S< Nov06 0:00 [scsi_eh_0]',
|
|
|
|
|
'root 1014 0.0 0.0 0 0 ? D< Nov06 0:03 [kjournald]',
|
|
|
|
|
'root 1087 0.0 0.1 2288 772 ? S<s Nov06 0:00 udevd --daemon',
|
|
|
|
|
'root 1553 0.0 0.0 0 0 ? S< Nov06 0:00 [kpsmoused]',
|
|
|
|
|
'root 2054 0.0 0.2 28428 1508 ? Sl Nov06 0:01 /usr/sbin/rsyslogd -c3',
|
|
|
|
|
'root 2103 0.0 0.2 2628 1196 tty1 Ss Nov06 0:00 /bin/login -- ',
|
|
|
|
|
'root 2105 0.0 0.0 1764 504 tty2 Ss+ Nov06 0:00 /sbin/getty 38400 tty2',
|
|
|
|
|
'root 2107 0.0 0.0 1764 504 tty3 Ss+ Nov06 0:00 /sbin/getty 38400 tty3',
|
|
|
|
|
'root 2109 0.0 0.0 1764 504 tty4 Ss+ Nov06 0:00 /sbin/getty 38400 tty4',
|
|
|
|
|
'root 2110 0.0 0.0 1764 504 tty5 Ss+ Nov06 0:00 /sbin/getty 38400 tty5',
|
|
|
|
|
'root 2112 0.0 0.0 1764 508 tty6 Ss+ Nov06 0:00 /sbin/getty 38400 tty6',
|
|
|
|
|
'root 2133 0.0 0.1 2180 620 ? S<s Nov06 0:00 dhclient3 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp3/dhclien',
|
|
|
|
|
'root 4969 0.0 0.1 5416 1024 ? Ss Nov08 0:00 /usr/sbin/sshd',
|
|
|
|
|
'root 5673 0.0 0.2 2924 1540 pts/0 Ss 04:30 0:00 -bash',
|
|
|
|
|
'root 5679 0.0 0.1 2432 928 pts/0 R+ 04:32 0:00 ps %s' % ' '.join(self.args),
|
|
|
|
|
)
|
|
|
|
|
else:
|
|
|
|
|
output = (
|
|
|
|
|
' PID TTY TIME CMD',
|
|
|
|
|
' 5673 pts/0 00:00:00 bash',
|
|
|
|
|
' 5677 pts/0 00:00:00 ps %s' % ' '.join(self.args),
|
|
|
|
|
)
|
|
|
|
|
for l in output:
|
|
|
|
|
self.writeln(l)
|
|
|
|
|
commands['/bin/ps'] = command_ps
|
|
|
|
|
|
|
|
|
|
class command_id(HoneyPotCommand):
|
|
|
|
|
def call(self):
|
2011-02-05 21:53:54 +00:00
|
|
|
u = self.honeypot.user
|
|
|
|
|
self.writeln('uid=%d(%s) gid=%d(%s) groups=%d(%s)' % \
|
|
|
|
|
(u.uid, u.username, u.gid, u.username, u.gid, u.username))
|
2009-11-22 07:07:58 +00:00
|
|
|
commands['/usr/bin/id'] = command_id
|
|
|
|
|
|
|
|
|
|
class command_passwd(HoneyPotCommand):
|
|
|
|
|
def start(self):
|
|
|
|
|
self.write('Enter new UNIX password: ')
|
|
|
|
|
self.honeypot.password_input = True
|
|
|
|
|
self.callbacks = [self.ask_again, self.finish]
|
2011-02-05 21:53:54 +00:00
|
|
|
self.passwd = None
|
2009-11-22 07:07:58 +00:00
|
|
|
|
2011-02-05 21:53:54 +00:00
|
|
|
def ask_again(self, line):
|
|
|
|
|
self.passwd = line
|
2009-11-22 07:07:58 +00:00
|
|
|
self.write('Retype new UNIX password: ')
|
|
|
|
|
|
2011-02-05 21:53:54 +00:00
|
|
|
def finish(self, line):
|
2009-11-22 07:07:58 +00:00
|
|
|
self.honeypot.password_input = False
|
2010-04-14 09:26:04 +00:00
|
|
|
|
2011-02-05 21:53:54 +00:00
|
|
|
if line != self.passwd:
|
|
|
|
|
self.writeln('Sorry, passwords do not match')
|
|
|
|
|
self.exit()
|
|
|
|
|
return
|
|
|
|
|
|
|
|
|
|
userdb = UserDB()
|
|
|
|
|
userdb.adduser(self.honeypot.user.username,
|
|
|
|
|
self.honeypot.user.uid, self.passwd)
|
2010-04-14 09:26:04 +00:00
|
|
|
|
|
|
|
|
self.writeln('passwd: password updated successfully')
|
2009-11-22 07:07:58 +00:00
|
|
|
self.exit()
|
|
|
|
|
|
|
|
|
|
def lineReceived(self, line):
|
|
|
|
|
print 'INPUT (passwd):', line
|
2010-04-14 09:26:04 +00:00
|
|
|
self.password = line.strip()
|
2011-02-05 21:53:54 +00:00
|
|
|
self.callbacks.pop(0)(line)
|
2009-11-22 07:07:58 +00:00
|
|
|
commands['/usr/bin/passwd'] = command_passwd
|
|
|
|
|
|
2010-10-25 15:08:53 +00:00
|
|
|
class command_shutdown(HoneyPotCommand):
|
|
|
|
|
def start(self):
|
|
|
|
|
if len(self.args) and self.args[0].strip().count('--help'):
|
|
|
|
|
output = (
|
|
|
|
|
"Usage: shutdown [-akrhHPfnc] [-t secs] time [warning message]",
|
|
|
|
|
"-a: use /etc/shutdown.allow ",
|
|
|
|
|
"-k: don't really shutdown, only warn. " ,
|
|
|
|
|
"-r: reboot after shutdown. " ,
|
|
|
|
|
"-h: halt after shutdown. " ,
|
|
|
|
|
"-P: halt action is to turn off power. " ,
|
|
|
|
|
"-H: halt action is to just halt. " ,
|
|
|
|
|
"-f: do a 'fast' reboot (skip fsck). " ,
|
|
|
|
|
"-F: Force fsck on reboot. " ,
|
|
|
|
|
"-n: do not go through \"init\" but go down real fast. " ,
|
|
|
|
|
"-c: cancel a running shutdown. " ,
|
|
|
|
|
"-t secs: delay between warning and kill signal. " ,
|
|
|
|
|
"** the \"time\" argument is mandatory! (try \"now\") **",
|
|
|
|
|
)
|
|
|
|
|
for l in output:
|
|
|
|
|
self.writeln(l)
|
|
|
|
|
self.exit()
|
|
|
|
|
elif len(self.args) > 1 and self.args[0].strip().count('-h') \
|
|
|
|
|
and self.args[1].strip().count('now'):
|
|
|
|
|
self.nextLine()
|
|
|
|
|
self.writeln(
|
|
|
|
|
'Broadcast message from root@%s (pts/0) (%s):' % \
|
|
|
|
|
(self.honeypot.hostname, time.ctime()))
|
|
|
|
|
self.nextLine()
|
|
|
|
|
self.writeln('The system is going down for maintenance NOW!')
|
|
|
|
|
reactor.callLater(3, self.finish)
|
|
|
|
|
elif len(self.args) > 1 and self.args[0].strip().count('-r') \
|
|
|
|
|
and self.args[1].strip().count('now'):
|
|
|
|
|
self.nextLine()
|
|
|
|
|
self.writeln(
|
|
|
|
|
'Broadcast message from root@%s (pts/0) (%s):' % \
|
|
|
|
|
(self.honeypot.hostname, time.ctime()))
|
|
|
|
|
self.nextLine()
|
|
|
|
|
self.writeln('The system is going down for reboot NOW!')
|
|
|
|
|
reactor.callLater(3, self.finish)
|
|
|
|
|
else:
|
|
|
|
|
self.writeln("Try `shutdown --help' for more information.")
|
|
|
|
|
self.exit()
|
|
|
|
|
return
|
|
|
|
|
|
|
|
|
|
def finish(self):
|
|
|
|
|
self.writeln('Connection to server closed.')
|
|
|
|
|
self.honeypot.hostname = 'localhost'
|
|
|
|
|
self.honeypot.cwd = '/root'
|
|
|
|
|
self.exit()
|
|
|
|
|
commands['/sbin/shutdown'] = command_shutdown
|
|
|
|
|
|
2009-11-22 07:07:58 +00:00
|
|
|
class command_reboot(HoneyPotCommand):
|
|
|
|
|
def start(self):
|
|
|
|
|
self.nextLine()
|
|
|
|
|
self.writeln(
|
|
|
|
|
'Broadcast message from root@%s (pts/0) (%s):' % \
|
|
|
|
|
(self.honeypot.hostname, time.ctime()))
|
|
|
|
|
self.nextLine()
|
|
|
|
|
self.writeln('The system is going down for reboot NOW!')
|
|
|
|
|
reactor.callLater(3, self.finish)
|
|
|
|
|
|
|
|
|
|
def finish(self):
|
|
|
|
|
self.writeln('Connection to server closed.')
|
|
|
|
|
self.honeypot.hostname = 'localhost'
|
2009-12-03 15:01:44 +00:00
|
|
|
self.honeypot.cwd = '/root'
|
2009-11-22 07:07:58 +00:00
|
|
|
self.exit()
|
|
|
|
|
commands['/sbin/reboot'] = command_reboot
|
|
|
|
|
|
2009-11-26 15:37:19 +00:00
|
|
|
class command_history(HoneyPotCommand):
|
|
|
|
|
def call(self):
|
|
|
|
|
if len(self.args) and self.args[0] == '-c':
|
|
|
|
|
self.honeypot.historyLines = []
|
|
|
|
|
self.honeypot.historyPosition = 0
|
|
|
|
|
return
|
|
|
|
|
count = 1
|
|
|
|
|
for l in self.honeypot.historyLines:
|
|
|
|
|
self.writeln(' %s %s' % (str(count).rjust(4), l))
|
|
|
|
|
count += 1
|
|
|
|
|
commands['history'] = command_history
|
|
|
|
|
|
2010-06-01 04:34:53 +00:00
|
|
|
class command_date(HoneyPotCommand):
|
|
|
|
|
def call(self):
|
|
|
|
|
time = datetime.datetime.utcnow();
|
|
|
|
|
self.writeln(time.strftime("%a %b %d %H:%M:%S UTC %Y"))
|
|
|
|
|
commands['/bin/date'] = command_date
|
|
|
|
|
|
2011-03-15 10:51:50 +00:00
|
|
|
class command_yes(HoneyPotCommand):
|
|
|
|
|
def start(self):
|
|
|
|
|
self.y()
|
|
|
|
|
|
|
|
|
|
def y(self):
|
|
|
|
|
self.writeln('y')
|
|
|
|
|
self.scheduled = reactor.callLater(0.01, self.y)
|
|
|
|
|
|
|
|
|
|
def ctrl_c(self):
|
|
|
|
|
self.scheduled.cancel()
|
|
|
|
|
self.exit()
|
|
|
|
|
commands['/usr/bin/yes'] = command_yes
|
|
|
|
|
|
2009-11-22 07:07:58 +00:00
|
|
|
class command_nop(HoneyPotCommand):
|
|
|
|
|
def call(self):
|
|
|
|
|
pass
|
|
|
|
|
commands['/bin/chmod'] = command_nop
|
|
|
|
|
commands['set'] = command_nop
|
|
|
|
|
commands['unset'] = command_nop
|
|
|
|
|
commands['export'] = command_nop
|
|
|
|
|
commands['/bin/bash'] = command_nop
|
|
|
|
|
commands['/bin/sh'] = command_nop
|
|
|
|
|
commands['/bin/kill'] = command_nop
|
2010-04-06 05:35:38 +00:00
|
|
|
commands['/bin/su'] = command_nop
|
2009-11-22 07:07:58 +00:00
|
|
|
|
|
|
|
|
# vim: set sw=4 et:
|
