sshsyrup

module
v0.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 7, 2018 License: GPL-3.0

README

Build Status Build status

Syrup

A SSH honeypot with rich features written in Go

Features
  • SSH self-defined accounts and passwords, also allow any logins
  • Fake shell. Records shell sessions and upload to asciinema.org (Or, if you wish, can log as UML-compatible format)
  • Virtual Filesystem for browsing and fooling intruder
  • SFTP/SCP support for uploading/downloading files
  • Logs client key fingerprints
  • Logs in JSON format for easy parsing
  • Push activities to ElasticSearch for analysis and storage
  • Record local and remote host when client attempt to create port redirection
  • Structure allows extending command sets with ease
See Recorded Session in Action!

asciicast

Requirements
  • Linux, Mac or Windows (I've only tested in Windows/WSL/Linux on ARMv7, suppose the other platforms should work as expected)
  • Go 1.9 or up (For building)
  • dep (For building)
Download

You may find the pre-build packages for various platform on the release tab. If you find the platform you need is not on the list, you can follow the building procedure in the next section.

Building

Run the following command in shell to get latest package and build it

go get -u github.com/mkishere/sshsyrup
cd ~/go/src/github.com/mkishere/sshsyrup
dep ensure
go build -ldflags "-s -w" -o sshsyrup ./cmd/syrup
go build -ldflags "-s -w" -o createfs ./cmd/createfs
Setting up for the first run

  • Create and modify config.json. Here are the sample configuration (minimal setup)

    {
    "server.addr": "0.0.0.0",
    "server.port": 22,
    "server.allowRandomUser": false
}

  • Prepare the virtual filesystem image by downloading the filesystem.zip from master branch or create your own by running

    ./createfs -p / -o filesystem.zip

    Since we'll need to read every file from the directory, it will take some time to load. For Windows, since there are no user/group information, the file/directory owner will always be root.

    Alternatively, you can create your own image file by using zip in Linux (or any compatible zip utility file that is capable preserving uid/gid, symbolic links and timestamps in zip file). After all the image created is a standard zip file. Theoretically you can zip your entire filesystem into a zip file and hosted in Syrup, but remember to exclude sensitive files like /etc/passwd

  • Prepare user and passwd file Put passwd and group file in the same directory as config.json. The format of both files are the same as their real-life counterpart in /etc, except that passwd also stores the password in the second field of each line, and asterisk(*) in password field can be used to denote matching any password.

  • Generate SSH private key and renamed as id_rsa and put it in the same directory

    ssh-keygen -t rsa

  • Start the server

    ./sshsyrup
Running from a Docker instance

Currently there is a Docker image based on the latest build:

  docker pull mkishere/sshsyrup

The current Dockerfile is a two-stage Dockerfile that will first compile sshsyrup and generate/copy the required files (id_rsa, filesystem.zip, config.json, sample group and passwd into a clean Docker image (based on scratch, so really lightweight (doesn't even have /bin/sh! :-)

This will generate a new image in your local computer repository. To run it, you will need to know first on which port you want your instance to listen. By default (config.json), the internal sshsyrup listens on 22. You do not need to change this. Just use the -p docker option to change the externally listening port :

docker run -d -p 9999:22 sshsyrup

If you want to see what happens (logs) in the Docker instance, get the instance id (docker ps) and then run docker logs -f YOUR_INSTANCE_ID.

Configuration parameters

See wiki

Logging

By default Syrup will create a logging file in logs/ directory with file name activity.log in JSON format.

Some fields you may interested in:

Field Name Description
clientStr Client identification string
sessionId Session ID is the unique identifier for each SSH session
srcIP Client IP
time Log time
user User account client used to login
password Password used by client to login, only available when logging in
pubKeyFingerprint Public key fingerprint client tries to authenticate
cmd The command user type in shell
remoteHost The remote host client instruct the server to connect to
localHost The local host client instruct the server to connect to
path The file/directory client is trying to access in SCP/SFTP

Please note that Syrup will no longer append dates to log files. Use a proper log rotation tool (e.g. logrotate) to do the work.

Also, each terminal session (the shell) will be logged into a separate file under logs/sessions in asciinema v2 format.

Contributing

Feel free to submit feature request/bug report via the GitHub issue tracker.

For submitting PR, do the following steps:

  1. Fork
  2. Create a branch for the feature/bugfix containing your changes on your fork
  3. Submit PR with your branch

It is advised that creating an issue to discuss the matter in advance if your change is large :)

TODO
  • Minimal set of POSIX commands/utilities
  • Port redirection
  • Shell parser

Directories

Path Synopsis
cmd
createfs
syrup
os
command
termlogger

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.