Cowrie instead of Kippo


Ryan Schulze

Sep 18, 2015, 10:48:26 PM
to Modern Honey Network
Hi,

I was just wondering if anyone has used Cowrie (a fork of Kippo) together with MHN. I noticed it has hpfeeds support, so probably it's just a matter of setting up a deploy script. I was planning on playing around with it next week and would be grateful if anyone who already had a look could share their experiences with it.

Dustin Lee

Sep 18, 2015, 10:50:57 PM
to Ryan Schulze, Modern Honey Network
I built a Docker instance of cowrie this week that I need to push to Hub. Was hoping to start my testing with MHN next week. 

Dustin



--
You received this message because you are subscribed to the Google Groups "Modern Honey Network" group.
To unsubscribe from this group and stop receiving emails from it, send an email to modern-honey-net...@googlegroups.com.
To post to this group, send email to modern-hon...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/25a3c914-147a-47e3-ad6c-cb065f3c2df4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Ryan Schulze

Oct 7, 2015, 12:40:15 AM
to Modern Honey Network, ry...@dopefish.de
I got sidetracked by other projects, but finally got a chance to play around with cowrie today. The deployment script I use is pretty much the same one as the stock kippo script (attached below); the config file is slightly different, and I changed the hpfeeds session to be "kippo" instead of "cowrie" so it's more of a drop-in replacement in mhn. The config has some interesting authentication options to play around with; https://github.com/micheloosterhof/cowrie/blob/master/cowrie.cfg.dist has more details on possible settings.



#!/bin/bash

set -e
set -x

if [ $# -ne 2 ]
    then
        echo "Wrong number of arguments supplied."
        echo "Usage: $0 <server_url> <deploy_key>."
        exit 1
fi

server_url=$1
deploy_key=$2

wget "$server_url/static/registration.txt" -O registration.sh
chmod 755 registration.sh
# Note: this will export the HPF_* variables
. ./registration.sh "$server_url" "$deploy_key" "cowrie"

apt-get update
apt-get -y install python-dev openssl python-openssl python-pyasn1 python-twisted git python-pip supervisor authbind


# Create Cowrie user
useradd -d /home/cowrie -s /bin/bash -m cowrie -g users

# Get the Cowrie source (the repository linked above)
cd /opt
git clone https://github.com/micheloosterhof/cowrie.git cowrie
cd cowrie

# Configure Cowrie

HONEYPOT_HOSTNAME="server-123"
HONEYPOT_SSH_VERSION="SSH-2.0-OpenSSH_6.7p1 Ubuntu-5ubuntu1.3"

cat > /opt/cowrie/cowrie.cfg <<EOF
[honeypot]
listen_addr = 0.0.0.0
listen_port = 22
hostname = ${HONEYPOT_HOSTNAME}
log_path = log
download_path = dl
contents_path = honeyfs
filesystem_file = data/fs.pickle
data_path = data
auth_class = UserDB
auth_none_enabled = false
txtcmds_path = txtcmds
rsa_public_key = data/ssh_host_rsa_key.pub
rsa_private_key = data/ssh_host_rsa_key
dsa_public_key = data/ssh_host_dsa_key.pub
dsa_private_key = data/ssh_host_dsa_key
ssh_version_string = ${HONEYPOT_SSH_VERSION}
sftp_enabled = true
exec_enabled = true
interact_enabled = false
interact_port = 5123

[database_hpfeeds]
server = $HPF_HOST
port = $HPF_PORT
identifier = $HPF_IDENT
secret = $HPF_SECRET
debug = false
EOF

sed -i "s/KIPPOCHAN = .*/KIPPOCHAN = 'kippo.sessions'/" cowrie/dblog/hpfeeds.py

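# Fix permissions for cowrie
chown -R cowrie:users /opt/cowrie
touch /etc/authbind/byport/22
chown cowrie /etc/authbind/byport/22
# authbind only needs this file to be executable by the cowrie user;
# 777 would let every local account bind port 22
chmod 500 /etc/authbind/byport/22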


# Setup cowrie to start at boot
cp start.sh start.sh.backup
cat > start.sh <<EOF
#!/bin/sh

cd /opt/cowrie
su cowrie -c "authbind --deep twistd -n -l log/cowrie.log --pidfile cowrie.pid cowrie"
EOF

chmod +x start.sh

# Config for supervisor.
cat > /etc/supervisor/conf.d/cowrie.conf <<EOF
[program:cowrie]
command=/opt/cowrie/start.sh
directory=/opt/cowrie
stdout_logfile=/opt/cowrie/log/cowrie.out
stderr_logfile=/opt/cowrie/log/cowrie.err
autostart=true
autorestart=true
redirect_stderr=true
stopsignal=QUIT
EOF

supervisorctl update
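
A post-deploy check for the config the script above writes, as an added example that is not part of the original post or of MHN: if the HPF_* variables are unset when the heredoc runs, cowrie.cfg is written with empty hpfeeds values, and the file holding the secret is created with the process umask (typically world-readable). Function names are hypothetical; section and key names are those in the script.

```shell
#!/bin/bash
# Added example: sanity-check a generated cowrie.cfg before starting cowrie.
# ini_get, check_hpfeeds_cfg and check_cfg_mode are hypothetical helper names.

# Print the value of KEY inside [SECTION] of an INI-style FILE.
ini_get() {
    awk -v section="$2" -v key="$3" '
        /^\[/ { in_section = ($0 == ("[" section "]")); next }
        in_section {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }
    ' "$1"
}

# Return 0 if every hpfeeds setting is populated and the port is numeric.
check_hpfeeds_cfg() {
    local cfg="$1" key value rc=0
    for key in server port identifier secret; do
        value=$(ini_get "$cfg" database_hpfeeds "$key")
        if [ -z "$value" ]; then
            echo "$cfg: [database_hpfeeds] $key is empty" >&2
            rc=1
        fi
    done
    case "$(ini_get "$cfg" database_hpfeeds port)" in
        *[!0-9]*) echo "$cfg: hpfeeds port is not numeric" >&2; rc=1 ;;
    esac
    return "$rc"
}

# Return 0 if FILE grants nothing to "other" (it holds the hpfeeds secret).
check_cfg_mode() {
    local other
    other=$(ls -ld -- "$1" | cut -c8-10) || return 1
    [ "$other" = "---" ] && return 0
    echo "$1: readable by other users; chmod 640 or stricter" >&2
    return 1
}

# Optional command-line use: pass the path to cowrie.cfg as the first argument.
if [ -n "${1:-}" ]; then
    check_hpfeeds_cfg "$1" && check_cfg_mode "$1"
fi
```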

greg.h...@gmail.com

Nov 3, 2015, 5:36:15 PM
to Modern Honey Network
Great work!! I love it

Jim Clausing

Feb 24, 2016, 4:48:55 PM
to Modern Honey Network, ry...@dopefish.de
Okay, I dropped the deploy script in the appropriate directory, but how do I get it to show up in the scripts drop-down on the web page? I assume I'm missing something simple, but all my googling to date has been for naught on how to do that.

---Jim

Jason Trost

Feb 24, 2016, 9:07:02 PM
to Jim Clausing, Modern Honey Network, ry...@dopefish.de
Jim,

All you need to do is take the contents of this script and copy/paste it into the deploy page into a new script. Give it a name and save it. Then you can just select it and deploy as usual.

--Jason

--
Jason Trost | VP of Threat Research | www.threatstream.com
2317 Broadway, 3rd Floor| Redwood City, CA 94063
Phone:  386.235.0078 | Twitter:  @jason_trost

antel...@gmail.com

Apr 30, 2016, 11:27:14 AM
to Modern Honey Network, jcla...@gmail.com, ry...@dopefish.de
Cowrie support added!!! :D