Rooba
/
cowrie
mirror of https://github.com/cowrie/cowrie.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Cowrie SSH/Telnet Honeypot https://cowrie.readthedocs.io
1,287 Commits 2 Branches 21 Tags 58 MiB
Python 98.4%
Shell 0.7%
Makefile 0.5%
Dockerfile 0.4%
Go to file
Michel Oosterhof e5c5921f85 change to python-dateutil 2016-10-23 12:37:06 +04:00
bin python3 compat 2016-09-18 21:25:50 +00:00
cowrie allow -h switch, fix -v 2016-10-23 03:54:22 +00:00
data add correct entry for / 2016-01-13 19:09:48 +04:00
dl Added 'empty' folders … 2014-05-28 05:00:21 +01:00
doc add documentation to systemd entry 2016-07-28 15:17:34 +04:00
honeyfs remove default issue.net 2016-09-07 12:10:47 +04:00
log/tty Added 'empty' folders … 2014-05-28 05:00:21 +01:00
twisted/plugins document -p switch 2016-10-18 22:10:31 +04:00
txtcmds add empty output for stty 2016-04-16 10:11:54 +00:00
.gitattributes cowrie rename 2015-05-12 14:57:29 +00:00
.gitignore ignore macosx files 2016-01-17 10:33:08 +04:00
.travis.yml without semicolon works 2016-09-07 11:36:07 +04:00
CHANGELOG.md telnet changelog 2016-08-22 16:08:49 +04:00
INSTALL.md add service_identity to debian package based install 2016-10-18 05:20:04 +00:00
README.md new FAQ location 2016-09-18 16:48:49 +00:00
cowrie.cfg.dist doc fix 2016-10-18 22:10:31 +04:00
requirements.txt change to python-dateutil 2016-10-23 12:37:06 +04:00
start.sh set PYTHONPATH 2016-09-18 15:54:23 +04:00
stop.sh Remove "\n" in stop.sh. 2016-02-18 12:12:50 +08:00

README.md

Cowrie

Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.

Cowrie is developed by Michel Oosterhof.

Features

Some interesting features:

  • Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
  • Possibility of adding fake file contents so the attacker can cat files such as /etc/passwd. Only minimal file contents are included
  • Session logs stored in an UML Compatible format for easy replay with original timings
  • Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection

Additional functionality over standard kippo:

  • SFTP and SCP support for file upload
  • Support for SSH exec commands
  • Logging of direct-tcp connection attempts (ssh proxying)
  • Forward SMTP connections to SMTP Honeypot (e.g. mailoney)
  • Logging in JSON format for easy processing in log management solutions
  • Many, many additional commands

Requirements

Software required:

  • Python 2.7+, (Python 3 not yet supported due to Twisted dependencies)
  • Zope Interface 3.6.0+
  • Twisted 12.0+
  • python-crypto
  • python-cryptography
  • python-pyasn1
  • python-gmpy2 (recommended)
  • python-mysqldb (for MySQL output)
  • python-OpenSSL

Files of interest:

  • cowrie.cfg - Cowrie's configuration file. Default values can be found in cowrie.cfg.dist
  • data/fs.pickle - fake filesystem
  • data/userdb.txt - credentials allowed or disallowed to access the honeypot
  • dl/ - files transferred from the attacker to the honeypot are stored here
  • honeyfs/ - file contents for the fake filesystem - feel free to copy a real system here or use bin/fsctl
  • log/cowrie.json - transaction output in JSON format
  • log/cowrie.log - log/debug output
  • log/tty/*.log - session logs
  • txtcmds/ - file contents for the fake commands
  • bin/createfs - used to create the fake filesystem
  • bin/playlog - utility to replay session logs

Is it secure?

Maybe. See FAQ

I have some questions!

Please visit https://github.com/micheloosterhof/cowrie/issues

Contributors

Many people have contributed to Cowrie over the years. Special thanks to:

  • Upi Tamminen (desaster) for all his work developing Kippo on which Cowrie was based