tnich/honssh

ttylog_closed isn't called if the attacker drops the connection instead of exiting properly

Closed this issue · 4 comments

Almost every attacker drops the connection instead of exiting properly (with the `exit` command, for example). Because of that, the hook ttylog_closed isn't called, and my script (which automatically uploads the tty to asciinema) is never called either.

Normal case, exiting properly (with the `exit` command):

2016-12-03T20:54:24+0800 [Uninitialized] [CLIENT] - New client connection
2016-12-03T20:54:24+0800 [HonsshClientTransport,client] kex alg, key alg: 'diffie-hellman-group-exchange-sha256' 'ssh-rsa'
2016-12-03T20:54:24+0800 [HonsshClientTransport,client] outgoing: 'aes256-ctr' 'hmac-sha2-512' 'none'
2016-12-03T20:54:24+0800 [HonsshClientTransport,client] incoming: 'aes256-ctr' 'hmac-sha2-512' 'none'
2016-12-03T20:54:24+0800 [HonsshClientTransport,client] REVERSE
2016-12-03T20:54:24+0800 [HonsshClientTransport,client] NEW KEYS
2016-12-03T20:54:24+0800 [HonsshClientTransport,client] [CLIENT] - Client Connection Secured
2016-12-03T20:54:25+0800 [HonsshServerTransport,111,xxxx.xxxx.xxxx.xxxx] NEW KEYS
2016-12-03T20:54:25+0800 [-] [PRE_AUTH] - CLIENT CONNECTED, REPLAYING BUFFERED PACKETS
2016-12-03T20:54:25+0800 [stdout#info] [VALIDATION] - [output-app_hooks][connection_made] must not be blank.
2016-12-03T20:54:26+0800 [HonsshClientTransport,client] [SSH] - Detected Public Key Auth - Disabling!
2016-12-03T20:54:28+0800 [-] [POST_AUTH] - Details the same as pre-auth, not re-directing
2016-12-03T20:54:28+0800 [stdout#info] [VALIDATION] - [output-app_hooks][login_successful] must not be blank.
2016-12-03T20:54:28+0800 [stdout#info] [VALIDATION] - [output-app_hooks][channel_opened] must not be blank.
2016-12-03T20:54:34+0800 [HonsshServerTransport,111,xxxx.xxxx.xxxx.xxxx] [TERM] - Entered command: echo test
2016-12-03T20:54:34+0800 [stdout#info] [VALIDATION] - [output-app_hooks][command_entered] must not be blank.
2016-12-03T20:54:37+0800 [HonsshServerTransport,111,xxxx.xxxx.xxxx.xxxx] [TERM] - Entered command: exit
2016-12-03T20:54:37+0800 [stdout#info] [VALIDATION] - [output-app_hooks][command_entered] must not be blank.
2016-12-03T20:54:37+0800 [stdout#info] [VALIDATION] - [output-app_hooks][channel_closed] must not be blank.
2016-12-03T20:54:37+0800 [HonsshServerTransport,111,xxxx.xxxx.xxxx.xxxx] Disconnecting with error, code 10
	reason: user closed connection
2016-12-03T20:54:37+0800 [HonsshServerTransport,111,xxxx.xxxx.xxxx.xxxx] connection lost
2016-12-03T20:54:37+0800 [HonsshServerTransport,111,xxxx.xxxx.xxxx.xxxx] [OUTPUT] - Lost Connection with the attacker: xxxx.xxxx.xxxx.xxxx
2016-12-03T20:54:37+0800 [stdout#info] [VALIDATION] - [output-app_hooks][connection_lost] must not be blank.
2016-12-03T20:54:37+0800 [HonsshClientTransport,client] connection lost
2016-12-03T20:54:37+0800 [HonsshClientTransport,client] [CLIENT] - Lost connection with the Honeypot: aliyun (192.168.0.2:22)
2016-12-03T20:54:37+0800 [honssh.client.HonsshClientFactory#info] Stopping factory <honssh.client.HonsshClientFactory instance at 0x7f0d8de0f170>
2016-12-03T20:54:37+0800 [HonsshClientTransport,client] [PLUGIN][DOCKER] - Stopping container (192.168.0.2, 31895ca6f7a542324ac280bbba75890b409cc8878060aa02ea48b71fd092f83c)

Bad case, connection dropped (without the `exit` command):

2016-12-03T20:56:03+0800 [Uninitialized] [CLIENT] - New client connection
2016-12-03T20:56:03+0800 [HonsshClientTransport,client] kex alg, key alg: 'diffie-hellman-group-exchange-sha256' 'ssh-rsa'
2016-12-03T20:56:03+0800 [HonsshClientTransport,client] outgoing: 'aes256-ctr' 'hmac-sha2-512' 'none'
2016-12-03T20:56:03+0800 [HonsshClientTransport,client] incoming: 'aes256-ctr' 'hmac-sha2-512' 'none'
2016-12-03T20:56:03+0800 [HonsshClientTransport,client] REVERSE
2016-12-03T20:56:03+0800 [HonsshClientTransport,client] NEW KEYS
2016-12-03T20:56:03+0800 [HonsshClientTransport,client] [CLIENT] - Client Connection Secured
2016-12-03T20:56:03+0800 [HonsshServerTransport,112,xxxx.xxxx.xxxx.xxxx] NEW KEYS
2016-12-03T20:56:03+0800 [stdout#info] [VALIDATION] - [output-app_hooks][connection_made] must not be blank.
2016-12-03T20:56:03+0800 [-] [PRE_AUTH] - CLIENT CONNECTED, REPLAYING BUFFERED PACKETS
2016-12-03T20:56:05+0800 [HonsshClientTransport,client] [SSH] - Detected Public Key Auth - Disabling!
2016-12-03T20:56:07+0800 [-] [POST_AUTH] - Details the same as pre-auth, not re-directing
2016-12-03T20:56:07+0800 [stdout#info] [VALIDATION] - [output-app_hooks][login_successful] must not be blank.
2016-12-03T20:56:07+0800 [stdout#info] [VALIDATION] - [output-app_hooks][channel_opened] must not be blank.
2016-12-03T20:56:12+0800 [HonsshServerTransport,112,xxxx.xxxx.xxxx.xxxx] [TERM] - Entered command: echo test
2016-12-03T20:56:12+0800 [stdout#info] [VALIDATION] - [output-app_hooks][command_entered] must not be blank.
2016-12-03T20:56:15+0800 [HonsshServerTransport,112,xxxx.xxxx.xxxx.xxxx] [TERM] - Entered command: echo test2
2016-12-03T20:56:15+0800 [stdout#info] [VALIDATION] - [output-app_hooks][command_entered] must not be blank.
2016-12-03T20:56:19+0800 [HonsshServerTransport,112,xxxx.xxxx.xxxx.xxxx] Disconnecting with error, code 10
	reason: user closed connection
2016-12-03T20:56:19+0800 [HonsshServerTransport,112,xxxx.xxxx.xxxx.xxxx] connection lost
2016-12-03T20:56:19+0800 [HonsshServerTransport,112,xxxx.xxxx.xxxx.xxxx] [OUTPUT] - Lost Connection with the attacker: xxxx.xxxx.xxxx.xxxx
2016-12-03T20:56:19+0800 [stdout#info] [VALIDATION] - [output-app_hooks][connection_lost] must not be blank.
2016-12-03T20:56:19+0800 [HonsshClientTransport,client] connection lost
2016-12-03T20:56:19+0800 [HonsshClientTransport,client] [CLIENT] - Lost connection with the Honeypot: aliyun (192.168.0.2:22)
2016-12-03T20:56:19+0800 [honssh.client.HonsshClientFactory#info] Stopping factory <honssh.client.HonsshClientFactory instance at 0x7f0d8de17560>
2016-12-03T20:56:19+0800 [HonsshClientTransport,client] [PLUGIN][DOCKER] - Stopping container (192.168.0.2, 31895ca6f7a542324ac280bbba75890b409cc8878060aa02ea48b71fd092f83c)

Same issue appears in mysql output.
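An added example (not honssh's own code) that reads a honssh log and flags the sessions that hit this case: those where the `connection_lost` hook fired without a preceding `channel_closed`, which are exactly the sessions whose ttylog_closed never ran. It assumes sessions appear sequentially in the log, as in the two sessions quoted above, because the `[VALIDATION]` hook lines carry no transport id and are attributed to the most recent `HonsshServerTransport` seen.

```python
import re
from collections import OrderedDict

# Constructed sample, condensed from the two sessions quoted in the issue
# (server transport ids 111 and 112). Session 111 exits cleanly, 112 drops.
SAMPLE_LOG = """\
2016-12-03T20:54:25+0800 [HonsshServerTransport,111,xxxx.xxxx.xxxx.xxxx] NEW KEYS
2016-12-03T20:54:28+0800 [stdout#info] [VALIDATION] - [output-app_hooks][channel_opened] must not be blank.
2016-12-03T20:54:34+0800 [HonsshServerTransport,111,xxxx.xxxx.xxxx.xxxx] [TERM] - Entered command: echo test
2016-12-03T20:54:37+0800 [HonsshServerTransport,111,xxxx.xxxx.xxxx.xxxx] [TERM] - Entered command: exit
2016-12-03T20:54:37+0800 [stdout#info] [VALIDATION] - [output-app_hooks][channel_closed] must not be blank.
2016-12-03T20:54:37+0800 [HonsshServerTransport,111,xxxx.xxxx.xxxx.xxxx] connection lost
2016-12-03T20:54:37+0800 [stdout#info] [VALIDATION] - [output-app_hooks][connection_lost] must not be blank.
2016-12-03T20:56:03+0800 [HonsshServerTransport,112,xxxx.xxxx.xxxx.xxxx] NEW KEYS
2016-12-03T20:56:07+0800 [stdout#info] [VALIDATION] - [output-app_hooks][channel_opened] must not be blank.
2016-12-03T20:56:12+0800 [HonsshServerTransport,112,xxxx.xxxx.xxxx.xxxx] [TERM] - Entered command: echo test
2016-12-03T20:56:15+0800 [HonsshServerTransport,112,xxxx.xxxx.xxxx.xxxx] [TERM] - Entered command: echo test2
2016-12-03T20:56:19+0800 [HonsshServerTransport,112,xxxx.xxxx.xxxx.xxxx] connection lost
2016-12-03T20:56:19+0800 [stdout#info] [VALIDATION] - [output-app_hooks][connection_lost] must not be blank.
"""

TRANSPORT_RE = re.compile(r"\[HonsshServerTransport,(\d+),([^\]]+)\]")
HOOK_RE = re.compile(r"\[output-app_hooks\]\[(\w+)\]")


def sessions_without_clean_close(log_text):
    """Return {transport_id: info} for sessions where connection_lost fired
    but channel_closed never did, i.e. the ttylog_closed hook was skipped."""
    sessions = OrderedDict()
    current = None  # transport id that hook lines are attributed to
    for line in log_text.splitlines():
        m = TRANSPORT_RE.search(line)
        if m:
            current = m.group(1)
            sess = sessions.setdefault(current, {"peer": m.group(2), "hooks": [], "commands": []})
            if "Entered command:" in line:
                sess["commands"].append(line.split("Entered command:", 1)[1].strip())
            continue
        h = HOOK_RE.search(line)
        if h and current is not None:
            sessions[current]["hooks"].append(h.group(1))
    return OrderedDict(
        (sid, info) for sid, info in sessions.items()
        if "connection_lost" in info["hooks"] and "channel_closed" not in info["hooks"]
    )


if __name__ == "__main__":
    for sid, info in sessions_without_clean_close(SAMPLE_LOG).items():
        print("session %s from %s dropped after: %s" % (sid, info["peer"], info["commands"]))
```

The flagged sessions are the ones whose tty recording still needs to be picked up by a separate job until the hook fires on connection loss as well.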

I applied a patch from your commits and it's working great, thank you @bang-uin!
Btw, if you can push this branch, it could be great :) : https://github.com/bang-uin/honssh/commits/feature/spoof_simultaneous_fixed_and_random

I'm waiting on a reply from @tnich regarding https://github.com/bang-uin/honssh/commits/feature/spoof_simultaneous_fixed_and_random
As soon as we are in line, I will add a pull request.