Hello,
I am trying to deploy cowrie in proxy mode with the following settings:
```
backend = proxy

# Guest details (for a generic x86-64 guest, like Ubuntu)
guest_hypervisor = qemu

backend = pool
backend_ssh_host = localhost
backend_ssh_port = 2022
pool_max_vms = 4
pool = local

# Endpoint to listen on for incoming SSH connections.
listen_endpoints = tcp:9090:interface=0.0.0.0
```
Everything excluded is set to default value, except for the real backend credentials. Iptables are configured to redirect port 22 to port 9090.
Successfully logging to the honeypot through Putty does not redirect me to VM, instead it shows the following error message:
This is how it looks in logs:
```
2022-11-15T14:40:02.714110Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: x.x.x.x:x (10.0.0.4:9090) [session: 11699cf73924]
2022-11-15T14:40:02.724076Z [FrontendSSHTransport,520,x.x.x.x] Remote SSH version: SSH-2.0-PuTTY_Release_0.76
2022-11-15T14:40:02.733713Z [backend_pool.pool_server.PoolServerFactory] Received connection from 127.0.0.1:41042
2022-11-15T14:40:02.734290Z [Uninitialized] Connected to backend pool
2022-11-15T14:40:02.734577Z [PoolServer,521,127.0.0.1] Requesting a VM for attacker @ x.x.x.x
2022-11-15T14:40:02.734771Z [PoolServer,521,127.0.0.1] Providing VM id 0
2022-11-15T14:40:02.735102Z [PoolClient,client] Got backend data from pool: 192.168.150.217:22
2022-11-15T14:40:02.735196Z [PoolClient,client] Snapshot file: /home/cowrie/cowrie/var/lib/cowrie/snapshots/snapshot-ubuntu18.04-75999260d50340aa9098062da1650500.qcow2
2022-11-15T14:40:02.735334Z [cowrie.ssh_proxy.client_transport.BackendSSHFactory#info] Starting factory <cowrie.ssh_proxy.client_transport.BackendSSHFactory object at 0x7f8a9c87f370>
2022-11-15T14:40:02.782461Z [FrontendSSHTransport,520,x.x.x.x] SSH client hassh fingerprint: 5b7713a9ef2d162b16ea018fa8d40f02
2022-11-15T14:40:02.783927Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] kex alg=b'curve25519-sha256' key alg=b'ssh-ed25519'
2022-11-15T14:40:02.784027Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] outgoing: b'aes256-ctr' b'hmac-sha1' b'none'
2022-11-15T14:40:02.784101Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] incoming: b'aes256-ctr' b'hmac-sha1' b'none'
2022-11-15T14:40:02.850464Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] NEW KEYS
2022-11-15T14:40:02.850962Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] starting service b'ssh-userauth'
2022-11-15T14:40:04.530477Z [Uninitialized] Connected to SSH backend at b'192.168.150.217'
2022-11-15T14:40:04.530869Z [Uninitialized] Connected to honeypot backend
2022-11-15T14:40:05.694227Z [cowrie.ssh_proxy.userauth.ProxySSHAuthServer#debug] b'student' trying auth b'none'
2022-11-15T14:40:10.343627Z [FrontendSSHTransport,520,x.x.x.x] Connection to backend not ready, buffering packet from frontend
2022-11-15T14:40:10.344638Z [cowrie.ssh_proxy.userauth.ProxySSHAuthServer#debug] b'student' trying auth b'password'
2022-11-15T14:40:10.345534Z [FrontendSSHTransport,520,x.x.x.x] login attempt [b'student'/b'student'] succeeded
2022-11-15T14:40:10.362593Z [FrontendSSHTransport,520,x.x.x.x] Initialized emulated server as architecture: linux-x64-lsb
2022-11-15T14:40:10.419995Z [FrontendSSHTransport,520,x.x.x.x] Connection to backend not ready, buffering packet from frontend # this might be the point, where the error shows up
2022-11-15T14:40:33.175725Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] kex alg=b'curve25519-sha256' key alg=b'ecdsa-sha2-nistp256'
2022-11-15T14:40:33.176223Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] outgoing: b'aes256-ctr' b'hmac-sha2-512' b'none'
2022-11-15T14:40:33.176309Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] incoming: b'aes256-ctr' b'hmac-sha2-512' b'none'
2022-11-15T14:40:41.233811Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] NEW KEYS
2022-11-15T14:40:41.234285Z [BackendSSHTransport,client] Backend Connection Secured
2022-11-15T14:40:41.251355Z [BackendSSHTransport,client] Will auth with backend: x/x
2022-11-15T14:40:41.251870Z [BackendSSHTransport,client] got channel b'session' request
2022-11-15T14:40:54.764575Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#info] connection lost
2022-11-15T14:40:54.765091Z [FrontendSSHTransport,520,x.x.x.x] Connection lost after 50 seconds
2022-11-15T14:40:54.774787Z [BackendSSHTransport,client] Lost connection with the pool backend: id 0
2022-11-15T14:40:54.775126Z [cowrie.ssh_proxy.client_transport.BackendSSHFactory#info] Stopping factory <cowrie.ssh_proxy.client_transport.BackendSSHFactory object at 0x7f8a9c87f370>
2022-11-15T14:40:54.775420Z [PoolServer,521,127.0.0.1] Freeing VM 0
```
Sometimes there are different logged events after a successful login attempt:
```
2022-11-15T01:00:45.902697Z [BackendSSHTransport,client] [SSH] Detected Public Key Auth - Disabling!
2022-11-15T01:00:53.399529Z [FrontendSSHTransport,57,x.x.x.x] Unhandled Error
	Traceback (most recent call last):
	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/python/log.py", line 96, in callWithLogger
	    return callWithContext({"system": lp}, func, *args, **kw)
	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/python/log.py", line 80, in callWithContext
	    return context.call({ILogContext: newCtx}, func, *args, **kw)
	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/python/context.py", line 117, in callWithContext
	    return self.currentContext().callWithContext(ctx, func, *args, **kw)
	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/python/context.py", line 82, in callWithContext
	    return func(*args, **kw)
	--- <exception caught here> ---
	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/internet/posixbase.py", line 487, in _doReadOrWrite
	    why = selectable.doRead()
	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/internet/tcp.py", line 248, in doRead
	    return self._dataReceived(data)
	  File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/internet/tcp.py", line 253, in _dataReceived
	    rval = self.protocol.dataReceived(data)
	  File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/server_transport.py", line 244, in dataReceived
	    self.dispatchMessage(message_num, packet[1:])
	  File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/server_transport.py", line 261, in dispatchMessage
	    self.packet_buffer(message_num, payload)
	  File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/server_transport.py", line 434, in packet_buffer
	    self.sshParse.parse_num_packet("[SERVER]", message_num, payload)
	  File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/protocols/ssh.py", line 330, in parse_num_packet
	    channel = self.get_channel(self.extract_int(4), parent)
	  File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/protocols/ssh.py", line 406, in get_channel
	    if channel[search] == channel_num:
	builtins.KeyError: 'clientID'

2022-11-15T01:00:53.401422Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#info] connection lost
```
I tried using a terminal to log in instead; this, however, produces different but still unsuccessful results:
Error message:
```
dispatch_protocol_error: type 7 seq 7
Connection to x closed by remote host.
Connection to x closed.
```
Logged events are the same.
Expected behavior

After successful authentication cowrie connects attacker with the VM.
Server (please complete the following information):
Same here
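A triage helper for the first log in the original report, added here as an example; it is not part of the report or of Cowrie's code. It measures how long the frontend session waited between the successful frontend login and the `Backend Connection Secured` event, and how many frontend packets were buffered meanwhile. The function name `backend_timeline` and the result keys are hypothetical, and the input is assumed to be a log excerpt for a single session.

```python
import re
from datetime import datetime

# Lines copied from the log in the report above, trimmed to the relevant events.
SAMPLE_LOG = """\
2022-11-15T14:40:10.343627Z [FrontendSSHTransport,520,x.x.x.x] Connection to backend not ready, buffering packet from frontend
2022-11-15T14:40:10.345534Z [FrontendSSHTransport,520,x.x.x.x] login attempt [b'student'/b'student'] succeeded
2022-11-15T14:40:10.419995Z [FrontendSSHTransport,520,x.x.x.x] Connection to backend not ready, buffering packet from frontend
2022-11-15T14:40:41.234285Z [BackendSSHTransport,client] Backend Connection Secured
2022-11-15T14:40:54.765091Z [FrontendSSHTransport,520,x.x.x.x] Connection lost after 50 seconds
"""

# "<timestamp>Z [<system>] <message>", the layout used in the log above.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{6})Z \[([^\]]*)\] (.*)$")

# Message patterns for the events of interest (wording taken from the log above).
EVENTS = {
    "login_ok": re.compile(r"^login attempt \[.*\] succeeded$"),
    "buffered": re.compile(r"^Connection to backend not ready, buffering packet"),
    "backend_ready": re.compile(r"^Backend Connection Secured$"),
    "lost": re.compile(r"^Connection lost after \d+ seconds$"),
}


def backend_timeline(log_text):
    """Return buffering count and gaps in seconds for a single-session excerpt."""
    first_seen = {}
    buffered = 0
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # continuation lines (e.g. tracebacks) carry no timestamp
        stamp = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S.%f")
        message = match.group(3)
        for name, pattern in EVENTS.items():
            if pattern.search(message):
                first_seen.setdefault(name, stamp)  # keep first occurrence only
                buffered += name == "buffered"

    def gap(start, end):
        if start in first_seen and end in first_seen:
            return round((first_seen[end] - first_seen[start]).total_seconds(), 3)
        return None  # one of the two events never appeared in the excerpt

    return {
        "buffered_packets": buffered,
        "login_to_backend_ready_s": gap("login_ok", "backend_ready"),
        "backend_ready_to_lost_s": gap("backend_ready", "lost"),
    }
```

Calling `backend_timeline(SAMPLE_LOG)` returns the two gaps and the buffered-packet count; a `None` gap means one of the events is missing from the excerpt, as in the second log, where the traceback precedes any `Backend Connection Secured` line.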