tnich/honssh

HonSSH disconnects client if honeypot server does not respond in 10 sec

rosehgal opened this issue · 19 comments

How to do this? My target honeypot system is Windows running the Bitvise SSH server. HonSSH keeps saying:

```
[SERVER] - CONNECTION TO HONEYPOT NOT READY, BUFFERING PACKET
2017-03-01T12:17:40+0530 [honssh.client.HonsshClientFactory#info] Stopping factory <honssh.client.HonsshClientFactory instance at 0x7f2f5d0f5cf8>
2017-03-01T12:17:40+0530 [-] [PRE_AUTH][ERROR] - COULD NOT CONNECT TO HONEYPOT AFTER 10 SECONDS - DISCONNECTING CLIENT
```

But when I manually connect to the SSH server, it actually runs. How to resolve this?

Hello, I am not sure now, but I had trouble with a honeypot when an attacker changed the password. Can you log in with the credentials which HonSSH uses for this honeypot?

tnich commented

Hi,

That usually means the HonSSH machine cannot connect to the honeypot. Can you SSH from the HonSSH machine to the Windows honeypot?

I've never tested HonSSH with Windows, so I have no idea how it will behave 😄

@tnich This is the point. I am able to SSH to Windows directly from the machine, but not via the honeypot.
But I see the HonSSH implementation is independent of the platform, so should that be a concern?

@r0hi7

  • is there any activity in the SSH server logs?
  • is there a firewall blocking honssh?
  • wrong credentials?

You need to provide us with more information otherwise it will be hard to help you.

@bang-uin

  • The firewall is not blocking the SSH connection, that I am sure of. Windows Firewall is surely off, and on the system on which HonSSH is running the firewall is disabled.
  • Credentials are fine; as I said, I am able to SSH to the Windows machine without HonSSH perfectly.
  • And which SSH server logs are you talking about?

In detail:
my system consists of a Windows VM, and that VM runs an SSH server; HonSSH's honey_ip and honey_port are set to those of the VM.
On a client request I am getting these errors in the HonSSH logs:

```
[SERVER] - CONNECTION TO HONEYPOT NOT READY, BUFFERING PACKET
2017-03-01T12:17:40+0530 [honssh.client.HonsshClientFactory#info] Stopping factory <honssh.client.HonsshClientFactory instance at 0x7f2f5d0f5cf8>
2017-03-01T12:17:40+0530 [-] [PRE_AUTH][ERROR] - COULD NOT CONNECT TO HONEYPOT AFTER 10 SECONDS - DISCONNECTING CLIENT
```

@r0hi7

> and which ssh server logs are you talking about ?

I'm talking about the destination SSH server logs (your Windows machine).

@bang-uin According to the logs in Windows, HonSSH is able to connect to it the first time, but the connection gets closed immediately, and from the next request from the attacker no logs are seen in the Windows SSH server. I could figure out that the reason for this could be HonSSH. According to the data in honssh.logs, the connection seems to be closed in 10 sec, but sometimes the Windows sshd responds slowly, more than 10 sec, I guess.

tnich commented

@r0hi7 - Sorry for the slow reply.

You can try changing the connection_timeout value in the configuration to longer than 10s.

Also, do you have "Advanced Networking" enabled? Try disabling it?
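A way to measure what this thread is guessing at, as an added example that is not part of the original discussion and is not HonSSH code: time how long the honeypot's SSH server takes to send its identification string, run from the HonSSH machine, and compare that with `connection_timeout`. The function name `time_to_ssh_banner` is hypothetical, and TCP connect plus banner time is assumed to be only an approximation of what HonSSH's timeout covers.

```python
import socket
import time


def time_to_ssh_banner(host, port=22, timeout=10.0):
    """Return (seconds_elapsed, banner). banner is None if no SSH
    identification string arrived within `timeout` seconds."""
    start = time.monotonic()
    deadline = start + timeout
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            while True:
                # RFC 4253 section 4.2: other lines may precede the "SSH-" line.
                while b"\n" in buf:
                    line, buf = buf.split(b"\n", 1)
                    if line.startswith(b"SSH-"):
                        banner = line.rstrip(b"\r").decode("ascii", "replace")
                        return time.monotonic() - start, banner
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    break
                sock.settimeout(remaining)
                chunk = sock.recv(256)
                if not chunk:  # server closed the connection without a banner
                    break
                buf += chunk
    except OSError:  # refused, unreachable, or timed out while waiting
        pass
    return time.monotonic() - start, None


if __name__ == "__main__":
    import argparse
    # Defaults are placeholders; pass the honey_ip, honey_port and the
    # connection_timeout value from your own HonSSH configuration.
    p = argparse.ArgumentParser()
    p.add_argument("honey_ip", nargs="?", default="127.0.0.1")
    p.add_argument("honey_port", nargs="?", type=int, default=22)
    p.add_argument("timeout", nargs="?", type=float, default=10.0)
    a = p.parse_args()
    elapsed, banner = time_to_ssh_banner(a.honey_ip, a.honey_port, a.timeout)
    if banner is None:
        print("no SSH banner within %.1fs (waited %.1fs)" % (a.timeout, elapsed))
    else:
        print("banner %r after %.2fs" % (banner, elapsed))
```

A banner time close to or above the configured timeout points at a slow server; a fast banner points the investigation at the later key exchange instead.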

@tnich are you talking about the honssh configuration or the winsshd configuration?

tnich commented

@r0hi7 HonSSH configuration.

@tnich
[SERVER] - CONNECTION TO HONEYPOT NOT READY, BUFFERING PACKET

tnich commented

@r0hi7 - What did you change to get that result? Single lines from the log file do not help too much.

@tnich I think there is some issue with SSH-2.0-twisted. The honeypot is not able to connect, but the OpenSSH client is. More logs below.
Also, I just followed your instructions.

```
2017-03-07T16:23:55+0530 [HonsshServerTransport,6,] kex alg, key alg: 'diffie-hellman-group14-sha1' 'ssh-rsa'
2017-03-07T16:23:55+0530 [HonsshServerTransport,6,] outgoing: 'aes128-ctr' 'hmac-sha1' 'none'
2017-03-07T16:23:55+0530 [HonsshServerTransport,6,] incoming: 'aes128-ctr' 'hmac-sha1' 'none'
2017-03-07T16:23:58+0530 [HonsshServerTransport,6,] NEW KEYS
2017-03-07T16:23:59+0530 [HonsshServerTransport,6 ] [SERVER] - CONNECTION TO HONEYPOT NOT READY, BUFFERING PACKET
2017-03-07T16:24:05+0530 [honssh.client.HonsshClientFactory#info] Stopping factory <honssh.client.HonsshClientFactory instance at 0x7f9ae65a37e8>
2017-03-07T16:24:05+0530 [-] [PRE_AUTH][ERROR] - COULD NOT CONNECT TO HONEYPOT AFTER 100 SECONDS - DISCONNECTING CLIENT
2017-03-07T16:24:05+0530 [-] Disconnecting with error, code 10
```

tnich commented

@r0hi7 - Thanks, have you disabled advanced networking in the honssh configuration too?
And yeah, there could be some incompatibility with HonSSH and Windows SSH clients, as I said before I have not tested it.

@tnich Thanks. Yes it did.
It could be the reason. It would be okay to close the discussion now. Thanks a lot. :)

@tnich Adding to the above reply: I am not talking about the Win client. Win has an SSH server running.

tnich commented

@r0hi7 Thanks, I'll test it more with a Windows SSH server when I get a chance.