- New Features
- Roadmap & Plans
- How to use
I noticed some SSH attacks against my systems were not logged in complete detail and I started to work on additional logging, from there I’ve added ‘ssh exec commands’ support, SFTP support, SCP support, direct-tcpip (proxying) support and many other features.
To distinguish this from the original software, I have now renamed the system to "Cowrie". All features below are incorporated in my cowrie repository on github.
Cowrie now supports the SFTP protocol to upload and download files. Uploaded files are placed into the ‘dl/’ directory, like files that were downloaded by ‘wget’. SFTP offers a file system interface to the pickled fs and you can list any file available in there. Downloads are also supported, if the contents are in honeyfs. Programmatically it is based on the Conch code, and uses a UNIX file system like interface to the pickled file system.
One way to run remote commands is ‘exec’ commands. Like so:
Support for this has been merged into the original Kippo repository, so it’s probably already in your version. This includes logging and executing these commands.
I’ve seen other uses as well, where malicious code is uploaded through stdin. Less common now, but I did see this last year:
So I added ‘stdin’ logging whenever standard-in data is encountered in combination with an exec command.
SSH tunnelling (direct-tcpip) support
I added logging initially for additional channels and saw I received some ‘direct-tcpip’ requests. This is the TCP/IP tunneling through SSH. After some more modifications, kippo now pretends to accept these requests so it can log the initial connection data. This is often HTTP, but sometimes SSL, BitTorrent and sometimes something else.
SSH Fingerprint logging
Some adversaries have (accidently?) public keys configured on their attack hosts. The SSH client attempts to login with this public key. Cowrie now accept, logs and then denies public-key authentication. An easy way to fingerprint (sic) attackers.
SSH Protocol Updates
I’ve enabled the diffie-hellman-group-exchange-sha1 algorithm. And updated the ciphers to the ones supported by OpenSSH. Als added ‘dss’ keys.
It’s good to realize that Cowrie is a medium interaction honeypot, and there will always be ways to fingerprint the honeypot. Another easy way is to look just at the ciphers offered by the SSH server.
I added additional commmands:
- uname -r
SSH has a way to transfer the exit status of the remote command back to the original host. This is called exit status.
Original kippo sends no exit status. Cowrie always sends a ‘0’ exit code signifying succes, regardless of the command that’s executed.
Command line support
Cowrie supports additional emacs keybindings such as ctrl-a (start of line), ctrl-e (end of line), ctrl-p (previous command), ctrl-n (next command), ctrl-b (one character left) and ctrl-f (one character forward)
I added ‘which’, ‘netstat’, ‘gcc’ from kippo-extra by basilfx.
Usernames and passwords.
I added wildcard support for the password database. Passwords can now be ‘*’ to allow any password. There’s also a ‘!’ operator to deny explicit passwords. The rules are evaluated in order, so the ‘*’ should usually come last. My userdb is now:
- ‘ls’ output is now alphabetical
- ‘wget’ allowed to http using non-80 ports
- disabled the ‘exit-jail’ that gave people the fake ‘localhost’ prompt after logout
- Fixed ability to ping IP addresses like 555.555.555.555
- The bannerfile is now always ‘<honeyfs>>/etc/issue.net’.
I added hpeeds.py from threatstream’s repository. It uses sockets and no deferred and should not work all that well with Twisted’s asynchronous system, but in practice people use it.
I’m in the process of converting Cowrie to more structured logging and a new dblog framework that’s more extensible. One result so far is a JSON dblog plugin. This logs the same information as the general dblog modules, but in JSON format, so it can be easily picked up by log analysis tools. It writes timestamps in UTC with microseconds and adds a unique UUID session identifier to each log entry. It also adds argument as their own JSON attributes so text log parsing is no longer necessary.
ELK (ElasticSearch, LogStash, Kibana)
The nice thing about logstash is that it can do data enrichment offline. There’s no need to configure GeoIP into Cowrie, just load the IP data in logstash and enrich with GeoIP data such as country and city and ASN number from Maxmind:
If you then load data in a Kibana dashboard it should look something like this:
I ported katkad’s SHAsum patches to log binaries, and made some modifications to consolidate the log messages. Malware is now saved as its SHA-256 checksum, and only once per unique sample.
Roadmap & Plans
Most of the current development plans focus on improving the logging. Currently the logging is unstructured text and there is even internal log parsing with regexes to create database entries in some of the dblog modules. I’d like to move to structured output formats to make data easier to parse. The JSON output will improve and contain more data in structured fields.
How to use
To use Cowrie, simply copy from https://github.com/micheloosterhof/cowrie. The configuration is almost a drop-in replacement for the original Kippo, with a few small changes to the configuration file.
Keep an eye out for these new options in your cowrie.cfg:
If you run into issues, feel free to get on touch on Twitter, check the current issues or create a new one. Patches are also welcome.