OpenCanary secondary development (1): log formats

Column: Python · Published: 5 years ago


The opencanary/modules directory holds the scripts that emulate each service or protocol.

opencanary/logger.py is the script that generates the logs; this is the file in which I directly changed a few lines to send logs to the web front end, for example in the post2server function and the log function. The LoggerBase class in it also defines the various log types.

Log format xmind

I recorded the logs and the services (protocols) from my analysis of the OpenCanary honeypot framework in an xmind map, so that interested readers can develop against it side by side.

The fields of the OpencanaryLog table in the opencanary_web honeypot database were likewise designed from the full set of fields the logs contain, and the table is extended as needed during development.


Listening ports

With every OpenCanary configuration option enabled, the honeypot process listens on the following ports:

tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:1433            0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:3389            0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:9418            0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      12683/python
udp        0      0 0.0.0.0:57197           0.0.0.0:*                           8994/python
udp        0      0 0.0.0.0:5060            0.0.0.0:*                           12683/python
udp        0      0 0.0.0.0:69              0.0.0.0:*                           12683/python
udp        0      0 0.0.0.0:123             0.0.0.0:*                           12683/python
udp        0      0 0.0.0.0:161             0.0.0.0:*                           12683/python

Application logs

HTTP

Trigger

Visit the honeypot's HTTP page.

Log format

{"dst_host": "172.18.200.58", "dst_port": 80, "local_time": "2019-01-07 13:47:45.817940", "logdata": {"HOSTNAME": "172.18.200.58", "PASSWORD": "admin888", "PATH": "/index.html", "SKIN": "nasLogin", "USERAGENT": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:61.0) Gecko/20100101 Firefox/61.0", "USERNAME": "admin"}, "logtype": 3001, "node_id": "opencanary-1", "src_host": "172.18.205.14", "src_port": 54488}

FTP

Trigger

Any FTP client.

Log format

{"dst_host": "172.18.200.58", "dst_port": 21, "local_time": "2019-01-07 13:50:54.264032", "logdata": {"PASSWORD": "admin123", "USERNAME": "ftpadmin"}, "logtype": 2000, "node_id": "opencanary-1", "src_host": "172.18.205.14", "src_port": 54573}

SSH

Trigger

Any SSH client.

Log format

{"dst_host": "172.18.200.58", "dst_port": 2222, "local_time": "2019-01-07 13:54:27.811101", "logdata": {"SESSION": "3"}, "logtype": 4000, "node_id": "opencanary-1", "src_host": "172.18.205.14", "src_port": 54639}
{"dst_host": "172.18.200.58", "dst_port": 2222, "local_time": "2019-01-07 13:54:27.888686", "logdata": {"LOCALVERSION": "SSH-2.0-OpenSSH_5.1p1 Debian-4", "REMOTEVERSION": "SSH-2.0-OpenSSH_7.0 ZOC_7.16.1"}, "logtype": 4001, "node_id": "opencanary-1", "src_host": "172.18.205.14", "src_port": 54639}
{"dst_host": "172.18.200.58", "dst_port": 2222, "local_time": "2019-01-07 13:54:32.444224", "logdata": {"LOCALVERSION": "SSH-2.0-OpenSSH_5.1p1 Debian-4", "PASSWORD": "root123", "REMOTEVERSION": "SSH-2.0-OpenSSH_7.0 ZOC_7.16.1", "USERNAME": "root"}, "logtype": 4002, "node_id": "opencanary-1", "src_host": "172.18.205.14", "src_port": 54639}

Telnet

Trigger

telnet 172.18.200.58

Log format

{"dst_host": "172.18.200.58", "dst_port": 23, "honeycred": false, "local_time": "2019-01-07 13:56:45.341785", "logdata": {"PASSWORD": "admin888", "USERNAME": "admin123"}, "logtype": 6001, "node_id": "opencanary-1", "src_host": "172.18.205.14", "src_port": 54676}

MySQL

Trigger

mysql -h172.18.200.58 -uroot -p

Log format

{"dst_host": "172.18.200.58", "dst_port": 3306, "local_time": "2019-01-07 13:58:25.922257", "logdata": {"PASSWORD": "18076c09615de80ddb2903191b783714918b4c4f", "USERNAME": "root"}, "logtype": 8001, "node_id": "opencanary-1", "src_host": "172.18.220.253", "src_port": 46662}

Git protocol

Trigger

git clone git://192.168.1.7:9418/tmp.git

Log format

{"dst_host": "192.168.1.7", "dst_port": 9418, "local_time": "2019-01-05 15:38:46.368627", "logdata": {"HOST": "192.168.1.7:9418", "REPO": "tmp.git"}, "logtype": 16001, "node_id": "opencanary-1", "src_host": "192.168.1.3", "src_port": 57606}

NTP protocol

Trigger


The NTP module listens on UDP port 123; the sample below records the NTP command it received in the "NTP CMD" field (here, monlist).

Log format

{"dst_host": "0.0.0.0", "dst_port": 123, "local_time": "2019-01-05 15:58:52.075987", "logdata": {"NTP CMD": "monlist"}, "logtype": 11001, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": 57886}

Redis

Trigger

(env) [[email protected] Honeypot]# redis-cli -h 192.168.1.7
192.168.1.7:6379> keys *
(error) NOAUTH Authentication required.
192.168.1.7:6379> config get requirepass
(error) ERR unknown command 'config'
192.168.1.7:6379> auth admin
(error) ERR invalid password
192.168.1.7:6379>

Log format

{"dst_host": "192.168.1.7", "dst_port": 6379, "local_time": "2019-01-05 16:05:11.637269", "logdata": {"ARGS": "", "CMD": "COMMAND"}, "logtype": 17001, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": 34471}
{"dst_host": "192.168.1.7", "dst_port": 6379, "local_time": "2019-01-05 16:08:14.786249", "logdata": {"ARGS": "*", "CMD": "KEYS"}, "logtype": 17001, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": 34471}
{"dst_host": "192.168.1.7", "dst_port": 6379, "local_time": "2019-01-05 16:09:36.418200", "logdata": {"ARGS": "get requirepass", "CMD": "CONFIG"}, "logtype": 17001, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": 34471}
{"dst_host": "192.168.1.7", "dst_port": 6379, "local_time": "2019-01-05 16:10:09.802402", "logdata": {"ARGS": "admin", "CMD": "AUTH"}, "logtype": 17001, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": 34471}

TCP Banner

Trigger

telnet 192.168.1.6 8001

Log format

{"dst_host": "192.168.1.6", "dst_port": 8001, "local_time": "2019-01-05 17:18:51.601478", "logdata": {"BANNER_ID": "1", "DATA": "", "FUNCTION": "CONNECTION_MADE"}, "logtype": 18002, "node_id": "opencanary-1", "src_host": "192.168.1.3", "src_port": 59176}
{"dst_host": "192.168.1.6", "dst_port": 8001, "local_time": "2019-01-05 17:19:12.996007", "logdata": {"BANNER_ID": "1", "DATA": "", "FUNCTION": "DATA_RECEIVED"}, "logtype": 18004, "node_id": "opencanary-1", "src_host": "192.168.1.3", "src_port": 59176}

The related logtype constants in LoggerBase (the two samples above use the keep-alive variants, 18002 and 18004):

LOG_TCP_BANNER_CONNECTION_MADE = 18001
LOG_TCP_BANNER_KEEP_ALIVE_CONNECTION_MADE = 18002
LOG_TCP_BANNER_KEEP_ALIVE_SECRET_RECEIVED = 18003
LOG_TCP_BANNER_KEEP_ALIVE_DATA_RECEIVED = 18004
LOG_TCP_BANNER_DATA_RECEIVED = 18005

VNC

Trigger

I connected from a Mac using VNC Viewer.

Log format

{"dst_host": "192.168.1.7", "dst_port": 5000, "local_time": "2019-01-06 08:21:28.951940", "logdata": {"VNC Client Response": "58c00be9ee5b7f3b666771dd2bda9309", "VNC Password": "<Password was not in the common list>", "VNC Server Challenge": "953e2dff7e4d3a3114527c282817ce1d"}, "logtype": 12001, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": 54634}

RDP

Trigger

I connected from a Mac using Microsoft Remote Desktop Beta.app.

Log format

{"dst_host": "192.168.1.7", "dst_port": 3389, "local_time": "2019-01-06 08:59:13.890934", "logdata": {"DOMAIN": "", "HOSTNAME": "HelloHost", "PASSWORD": "helloword", "USERNAME": "administrator1"}, "logtype": 14001, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": 59955}
{"dst_host": "192.168.1.7", "dst_port": 3389, "local_time": "2019-01-06 08:59:26.868856", "logdata": {"INPUT": ""}, "logtype": 14001, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": 59955}

The INPUT field appears when the login is made in Windows console mode.

SIP

Trigger

hydra -l adminsip -p password 192.168.1.7 sip

Log format

{"dst_host": "0.0.0.0", "dst_port": 5060, "local_time": "2019-01-06 09:55:12.578148", "logdata": {"HEADERS": {"call-id": ["[email protected]"], "content-length": ["0"], "cseq": ["1 REGISTER"], "from": ["<sip:[email protected]>"], "to": ["<sip:[email protected]>"], "via": ["SIP/2.0/UDP 10.0.2.15:46759;received=192.168.1.7"]}}, "logtype": 15001, "node_id": "opencanary-1", "src_host": "192.168.1.7", "src_port": 46759}

SNMP

Trigger

hydra -p password 192.168.1.7 snmp

Log format

{"dst_host": "0.0.0.0", "dst_port": 161, "local_time": "2019-01-06 11:17:27.266214", "logdata": {"COMMUNITY_STRING": "password", "REQUESTS": ["1.3.6.1.2.1.1.1"]}, "logtype": 13001, "node_id": "opencanary-1", "src_host": "192.168.1.7", "src_port": 47112}

Nmap

OS detection trigger

sudo nmap -v -Pn -O 192.168.1.7

Log format

{"dst_host": "192.168.1.7", "dst_port": "21", "local_time": "2019-01-06 16:35:24.356080", "logdata": {"FIN": "", "ID": "37499", "IN": "eth1", "LEN": "60", "MAC": "08:00:27:da:4c:e2:6c:96:cf:dd:ee:bd:08:00", "OUT": "", "PREC": "0x00", "PROTO": "TCP", "PSH": "", "RES": "0x00", "SYN": "", "TOS": "0x00", "TTL": "56", "URG": "", "URGP": "0", "WINDOW": "256"}, "logtype": 5002, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": "40098"}

SYN scan trigger

sudo nmap -sS 192.168.1.7

Log format

{"dst_host": "192.168.1.7", "dst_port": "21", "local_time": "2019-01-06 16:35:24.190176", "logdata": {"ID": "51918", "IN": "eth1", "LEN": "56", "MAC": "08:00:27:da:4c:e2:6c:96:cf:dd:ee:bd:08:00", "OUT": "", "PREC": "0x00", "PROTO": "TCP", "RES": "0x00", "SYN": "", "TOS": "0x00", "TTL": "58", "URGP": "0", "WINDOW": "512"}, "logtype": 5001, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": "40088"}

FIN scan trigger

sudo nmap -sF 192.168.1.7

Log format

{"dst_host": "192.168.1.7", "dst_port": "23", "local_time": "2019-01-06 16:46:18.336954", "logdata": {"FIN": "", "ID": "29768", "IN": "eth1", "LEN": "40", "MAC": "08:00:27:da:4c:e2:6c:96:cf:dd:ee:bd:08:00", "OUT": "", "PREC": "0x00", "PROTO": "TCP", "RES": "0x00", "TOS": "0x00", "TTL": "59", "URGP": "0", "WINDOW": "1024"}, "logtype": 5005, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": "35116"}

Xmas Tree scan trigger

sudo nmap -sX 192.168.1.7

Log format

{"dst_host": "192.168.1.7", "dst_port": "139", "local_time": "2019-01-06 16:48:46.225539", "logdata": {"FIN": "", "ID": "19984", "IN": "eth1", "LEN": "40", "MAC": "08:00:27:da:4c:e2:6c:96:cf:dd:ee:bd:08:00", "OUT": "", "PREC": "0x00", "PROTO": "TCP", "PSH": "", "RES": "0x00", "TOS": "0x00", "TTL": "56", "URG": "", "URGP": "0", "WINDOW": "1024"}, "logtype": 5004, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": "50913"}

Null scan trigger

sudo nmap -sN 192.168.1.7

Log format

{"dst_host": "192.168.1.7", "dst_port": "5060", "local_time": "2019-01-06 16:51:07.789903", "logdata": {"ID": "26441", "IN": "eth1", "LEN": "40", "MAC": "08:00:27:da:4c:e2:6c:96:cf:dd:ee:bd:08:00", "OUT": "", "PREC": "0x00", "PROTO": "TCP", "RES": "0x00", "TOS": "0x00", "TTL": "50", "URGP": "0", "WINDOW": "1024"}, "logtype": 5003, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": "58015"}

MSSQL

MSSQL login with SQL account authentication

SQLPro for MSSQL

Log format

{"dst_host": "172.18.200.58", "dst_port": 1433, "local_time": "2019-01-07 09:04:58.690137", "logdata": {"AppName": "SQLPro for MSSQL (hankinsoft.com)", "CltIntName": "DB-Library", "Database": "test", "HostName": "Piroguehost", "Language": "us_english", "Password": "sa123456", "ServerName": "172.18.200.58:1433", "UserName": "sa"}, "logtype": 9001, "node_id": "opencanary-1", "src_host": "172.18.205.14", "src_port": 64344}

MSSQL login with Windows authentication

SQLPro for MSSQL

Log format

{"dst_host": "172.18.200.58", "dst_port": 1433, "local_time": "2019-01-07 09:13:28.669829", "logdata": {"PASSWORD": "", "USERNAME": ""}, "logtype": 9002, "node_id": "opencanary-1", "src_host": "172.18.205.14", "src_port": 64499}

HTTP proxy

Trigger

Configure an HTTP proxy with authentication in the browser and visit any link.

Log format

{"dst_host": "172.18.200.58", "dst_port": 8080, "local_time": "2019-01-07 13:26:47.761297", "logdata": {"PASSWORD": "passsquid", "USERNAME": "squidadmin"}, "logtype": 7001, "node_id": "opencanary-1", "src_host": "172.18.205.14", "src_port": 53798}
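The samples above show why a single OpencanaryLog table needs a normalization step: credential keys are spelled differently per module (USERNAME vs UserName vs "VNC Password"), only the Telnet module emits honeycred, and the Nmap scan logs carry dst_port and src_port as strings while service logs use integers. The following is an added example (not OpenCanary's or the opencanary_web project's own code) that flattens one JSON log line into a row for such a table; the service names in SERVICE_BY_LOGTYPE are my own labels compiled from the section headings above, not OpenCanary's constant names, and the two sample lines are constructed by shortening the MSSQL and Nmap SYN samples.

```python
import json
from typing import Any, Dict, Optional

# logtype -> service label, compiled from the sections above (assumption: these
# labels are mine; they are not OpenCanary's LoggerBase constant names).
SERVICE_BY_LOGTYPE = {
    2000: "ftp", 3001: "http", 4000: "ssh", 4001: "ssh", 4002: "ssh",
    5001: "nmap-syn", 5002: "nmap-os", 5003: "nmap-null", 5004: "nmap-xmas",
    5005: "nmap-fin", 6001: "telnet", 7001: "httpproxy", 8001: "mysql",
    9001: "mssql-sqlauth", 9002: "mssql-winauth", 11001: "ntp", 12001: "vnc",
    13001: "snmp", 14001: "rdp", 15001: "sip", 16001: "git", 17001: "redis",
    18002: "tcpbanner", 18004: "tcpbanner",
}
# Modules spell the credential keys differently, so probe each alias in turn.
USERNAME_KEYS = ("USERNAME", "UserName")
PASSWORD_KEYS = ("PASSWORD", "Password", "VNC Password")

def _first(data: Dict[str, Any], keys) -> Optional[str]:
    return next((data[k] for k in keys if k in data), None)

def _port(value: Any) -> Optional[int]:
    # Nmap scan logs carry ports as strings ("21"); service logs use ints.
    return int(value) if value not in (None, "") else None

def normalize(line: str) -> Dict[str, Any]:
    """Flatten one OpenCanary JSON log line into one OpencanaryLog-style row."""
    event = json.loads(line)
    data = event.get("logdata") or {}
    logtype = int(event["logtype"])
    return {
        "logtype": logtype,
        "service": SERVICE_BY_LOGTYPE.get(logtype, "unknown"),
        "node_id": event.get("node_id"),
        "local_time": event.get("local_time"),
        "src_host": event.get("src_host"),
        "src_port": _port(event.get("src_port")),
        "dst_host": event.get("dst_host"),
        "dst_port": _port(event.get("dst_port")),
        "username": _first(data, USERNAME_KEYS),
        "password": _first(data, PASSWORD_KEYS),
        "honeycred": event.get("honeycred"),          # only the Telnet module sets it
        "logdata": json.dumps(data, sort_keys=True),  # keep module-specific fields verbatim
    }

# Constructed sample lines, shortened from the MSSQL and Nmap SYN samples above.
SAMPLE_MSSQL = ('{"dst_host": "172.18.200.58", "dst_port": 1433, "logtype": 9001, "node_id": "opencanary-1", '
                '"src_host": "172.18.205.14", "src_port": 64344, "logdata": {"Password": "sa123456", "UserName": "sa"}}')
SAMPLE_NMAP = ('{"dst_host": "192.168.1.7", "dst_port": "21", "logtype": 5001, "node_id": "opencanary-1", '
               '"src_host": "192.168.1.6", "src_port": "40088", "logdata": {"PROTO": "TCP", "SYN": "", "TTL": "58"}}')
```

Fields that have no column of their own (INPUT, "NTP CMD", the Nmap packet flags) survive in the serialized logdata column, so the table can be widened later without re-ingesting.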
