mirror of https://github.com/cowrie/cowrie.git
Cowrie SSH/Telnet Honeypot https://cowrie.readthedocs.io
attackercowriecowrie-sshdeceptiondecoyhoneypotkipposcpsecuritysftpsshstarred-cowrie-repostarred-repotelnettelnet-honeypotthreat-analysisthreatintelthreat-sharing
d52886098e
|
||
|---|---|---|
| bin | ||
| cowrie | ||
| data | ||
| dl | ||
| doc | ||
| etc | ||
| honeyfs | ||
| log/tty | ||
| share | ||
| twisted/plugins | ||
| txtcmds | ||
| var | ||
| .gitattributes | ||
| .gitignore | ||
| .travis.yml | ||
| CHANGELOG.md | ||
| INSTALL.md | ||
| README.md | ||
| cowrie.cfg.dist | ||
| requirements-output.txt | ||
| requirements.txt | ||
README.md
Welcome to the Cowrie GitHub repository
This is the official repository for the Cowrie SSH and Telnet Honeypot effort.
What is Cowrie
Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.
Cowrie is developed by Michel Oosterhof.
Features
Some interesting features:
- Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
- Possibility of adding fake file contents so the attacker can
catfiles such as/etc/passwd. Only minimal file contents are included - Session logs stored in an UML Compatible format for easy replay with original timings
- Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection
Additional functionality over standard kippo:
- SFTP and SCP support for file upload
- Support for SSH exec commands
- Logging of direct-tcp connection attempts (ssh proxying)
- Forward SMTP connections to SMTP Honeypot (e.g. mailoney)
- Logging in JSON format for easy processing in log management solutions
- Many, many additional commands
Requirements
Software required:
- Python 2.7+, (Python 3 not yet supported due to Twisted dependencies)
- python-virtualenv
For Python dependencies, see requirements.txt
Files of interest:
cowrie.cfg- Cowrie's configuration file. Default values can be found incowrie.cfg.distdata/fs.pickle- fake filesystemdata/userdb.txt- credentials allowed or disallowed to access the honeypotdl/- files transferred from the attacker to the honeypot are stored herehoneyfs/- file contents for the fake filesystem - feel free to copy a real system here or usebin/fsctllog/cowrie.json- transaction output in JSON formatlog/cowrie.log- log/debug outputlog/tty/*.log- session logstxtcmds/- file contents for the fake commandsbin/createfs- used to create the fake filesystembin/playlog- utility to replay session logs
Is it secure?
Maybe. See FAQ
I have some questions!
Please visit https://github.com/micheloosterhof/cowrie/issues
Contributing
Cowrie welcomes any kind of contribution, please follow the next steps:
- Fork the project on github.com.
- Create a new branch.
- Commit changes to the new branch.
- Send a pull request.
Contributors
Many people have contributed to Cowrie over the years. Special thanks to:
- Upi Tamminen (desaster) for all his work developing Kippo on which Cowrie was based
- Dave Germiquet (davegermiquet) for TFTP support, unit testes, new process handling
- Olivier Bilodeau (obilodeau) for Telnet support
- Ivan Korolev (fe7ch) for many improvements over the years.
- And many many others.