FILE DOWNLOADS NOT WORKING
imranqutab opened this issue · 11 comments
Thanks in advance. I am confused about file downloading. The configuration states "It will not be able to capture commands such as: url=www.test.url; wget $url", so what packages will work with file downloading, and what is the local store? I can't see where the file will be stored if captured. Waiting for a response.
The files will be saved in the session folder (where the other session details, like the logs are).
Passive downloading will capture any files that are transferred through the SSH session through SCP or SFTP.
Active downloading will look for any commands that start with wget, and will attempt to download the links. This will capture things like "wget http://www.test.url", but it is not clever enough to capture non-URLs (like the example above).
Do you require any extra explanation?
Thanks, I tried file downloading. The file was downloaded successfully on the honeypot (real server) but was not stored in sessions. It was a simple file from https://archive.apache.org/dist/kafka/0.11.0.0/kafka-0.11.0.0-src.tgz (Kafka web) and I used the wget command.
Can I see the cfg and honssh.log files please?
[download]
active = false
That should be true for active downloading...
By setting active = true, the honssh log generates:
[-] [OUTPUT] - ('297f2bf6b36b4ff29c0007ceca7bc15a', False, "http://'https://www-us.apache.org/dist/kafka/2.0.1/kafka_2.12-2.0.1.tgz'", None, '<urlopen error [Errno -2] Name or service not known>')
Yeah, it's not perfect. It's because you are doing:
wget 'https://www-us.apache.org/dist/kafka/2.0.1/kafka_2.12-2.0.1.tgz'
and HonSSH is looking for:
wget https://www-us.apache.org/dist/kafka/2.0.1/kafka_2.12-2.0.1.tgz
(no quotes)
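The quoting mismatch described above, and the variable case from the first post, as an added Python example (not HonSSH's own code; `split_commands` and `extract_wget_urls` are hypothetical names). Tokenising the captured command the way a POSIX shell would removes the quotes before the URL is fetched, and arguments that depend on shell variables are reported as unresolved instead of being fetched.

```python
import shlex
from urllib.parse import urlsplit

# Added example, not HonSSH code; function names are hypothetical.
# wget options that take the next token as their value (subset, not exhaustive)
OPTS_WITH_VALUE = {"-O", "-o", "-P", "-U", "-t", "-T", "-a", "-e"}
SEPARATOR_CHARS = set("();<>|&")

def split_commands(line):
    """Tokenise like a POSIX shell (quotes removed) and split on ; && || | &."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True   # keep ':' and '/' inside one URL token
    lex.commenters = ""           # '#' inside a URL is a fragment, not a comment
    commands, current = [], []
    for tok in lex:               # raises ValueError on an unbalanced quote
        if tok and set(tok) <= SEPARATOR_CHARS:
            commands.append(current)
            current = []
        else:
            current.append(tok)
    commands.append(current)
    return [c for c in commands if c]

def extract_wget_urls(line):
    """Return (urls, unresolved) for one captured command line."""
    urls, unresolved = [], []
    try:
        commands = split_commands(line)
    except ValueError:
        return urls, [line]       # keep the raw line for manual review
    for argv in commands:
        if argv[0] != "wget":
            continue
        args = iter(argv[1:])
        for tok in args:
            if tok in OPTS_WITH_VALUE:
                next(args, None)          # skip the option's value
            elif tok.startswith("-"):
                continue
            elif "$" in tok or "`" in tok:
                unresolved.append(tok)    # needs shell state the proxy never sees
            else:
                url = tok if "://" in tok else "http://" + tok
                parts = urlsplit(url)
                if parts.scheme in ("http", "https", "ftp") and parts.hostname:
                    urls.append(url)
                else:
                    unresolved.append(tok)
    return urls, unresolved
```
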
Using wget https://www-us.apache.org/dist/kafka/2.0.1/kafka_2.12-2.0.1.tgz still did not work. There is an empty downloads directory and the honssh log is:
2019-01-09T06:21:25-0800 [HonsshServerTransport,0,192.168.80.137] [TERM] - Entered command: 1.tgzwget 'https://www-us.apache.org/dist/kafka/2.0.1/kafka_2.12-2.0.1
Can you try a different file please?
This feature is only "best effort" so may not work some of the time.
Thank you so much bro. When do you expect a new HonSSH release with a full wget capturing feature?
I don't think I'll ever do a release with full wget integration. HonSSH is designed to focus on the SSH traffic. I believe different tools should be used to passively inspect and capture other types of traffic from high interaction honeypots.
For example with HTTP/S, I would implement mitmproxy in parallel to HonSSH.