I can't get Honssh working
unixfox opened this issue · 23 comments
Hi!
I set up and launched Honssh but it returns an error:
Unhandled Error
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/twisted/application/app.py", line 648, in run
runApp(config)
File "/usr/local/lib/python2.7/dist-packages/twisted/scripts/twistd.py", line 25, in runApp
_SomeApplicationRunner(config).run()
File "/usr/local/lib/python2.7/dist-packages/twisted/application/app.py", line 379, in run
self.application = self.createOrGetApplication()
File "/usr/local/lib/python2.7/dist-packages/twisted/application/app.py", line 444, in createOrGetApplication
application = getApplication(self.config, passphrase)
--- <exception caught here> ---
File "/usr/local/lib/python2.7/dist-packages/twisted/application/app.py", line 455, in getApplication
application = service.loadApplication(filename, style, passphrase)
File "/usr/local/lib/python2.7/dist-packages/twisted/application/service.py", line 411, in loadApplication
passphrase)
File "/usr/local/lib/python2.7/dist-packages/twisted/persisted/sob.py", line 223, in loadValueFromFile
eval(codeObj, d, d)
File "honssh.tac", line 36, in <module>
from honssh import server, interact
exceptions.ImportError: No module named honssh
Failed to load application: No module named honssh
My configuration file: http://pastebin.com/wPBws10F
I tried using virtualenv too but it returns the same error.
Please show me an 'ls' of the folder with honssh.tac in it.
There should be a folder called honssh in it with the code, the error says it cannot find it.
I reinstalled the VPS on Debian 8.6 and I'm getting another error:
Unhandled Error
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 642, in run
runApp(config)
File "/usr/lib/python2.7/dist-packages/twisted/scripts/twistd.py", line 23, in runApp
_SomeApplicationRunner(config).run()
File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 376, in run
self.application = self.createOrGetApplication()
File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 441, in createOrGetApplication
application = getApplication(self.config, passphrase)
--- <exception caught here> ---
File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 452, in getApplication
application = service.loadApplication(filename, style, passphrase)
File "/usr/lib/python2.7/dist-packages/twisted/application/service.py", line 405, in loadApplication
application = sob.loadValueFromFile(filename, 'application', passphrase)
File "/usr/lib/python2.7/dist-packages/twisted/persisted/sob.py", line 210, in loadValueFromFile
exec fileObj in d, d
File "honssh.tac", line 77, in <module>
serverFactory = server.HonsshServerFactory()
File "/root/honssh/honssh/server.py", line 130, in __init__
reactor.connectTCP(self.cfg.get('honeypot-static', 'honey_ip'), int(self.cfg.get('honeypot-static', 'honey_port')), clientFactory)
exceptions.ValueError: invalid literal for int() with base 10: ''
Failed to load application: invalid literal for int() with base 10: ''
"ls" of the folder:
root@honeypot:~/honssh# ls
honssh honssh.cfg honssh.cfg.default honsshctrl.sh honsshInteraction.py honssh.tac hpfeeds_server id_dsa id_dsa.pub id_rsa id_rsa.pub kippo logs plugins README requirements sessions users.cfg.default utils
That looks better. You need to fill in the honeypot-static section of the config file.
This tells honssh where to forward the ssh connection to (the honeypot).
Why do I have to set up honeypot-static when using honeypot-docker?
You have honeypot-docker disabled in the configuration file though?
Sorry, I forgot to update the config file on pastebin; it gives me the same error when filling enable on honeypot-docker.
Here is my actual config file: http://pastebin.com/Bfj8mQce.
You also need to fill out ssh_banner, otherwise honssh will try and figure it out from the honey_addr and honey_port options.
My config file: http://pastebin.com/gVBFc8HZ
Thank you, it starts up but honssh is unable to establish the connection between the attacker and the docker container:
2016-10-29 21:26:11+0000 [-] (TCP Port 2222 Closed)
2016-10-29 21:26:11+0000 [-] Stopping factory <honssh.server.HonsshServerFactory instance at 0x7f8d641ca488>
2016-10-29 21:26:11+0000 [HonsshClientTransport,client] connection lost
2016-10-29 21:26:11+0000 [HonsshClientTransport,client] [CLIENT] - Lost connection with the Honeypot: test (172.17.0.2:22)
2016-10-29 21:26:11+0000 [HonsshClientTransport,client] Stopping factory <honssh.client.HonsshClientFactory instance at 0x7f8d63f6bbd8>
2016-10-29 21:26:11+0000 [HonsshServerTransport,0,62.235.25.39] Disconnecting with error, code 10
reason: user closed connection
2016-10-29 21:26:11+0000 [HonsshServerTransport,0,62.235.25.39] connection lost
2016-10-29 21:26:11+0000 [HonsshServerTransport,0,62.235.25.39] [OUTPUT] - Lost Connection with the attacker: 62.235.25.39
2016-10-29 21:26:11+0000 [HonsshServerTransport,0,62.235.25.39] [PLUGIN][OUTPUT-CONTRIBUTE] - CONNECTION_LOST
2016-10-29 21:26:11+0000 [HonsshServerTransport,0,62.235.25.39] [PLUGIN][OUTPUT-TXTLOG] - CONNECTION_LOST
2016-10-29 21:26:12+0000 [-] Main loop terminated.
2016-10-29 21:26:12+0000 [-] Server Shut Down.
2016-10-29 21:26:33+0000 [-] Log opened.
2016-10-29 21:26:33+0000 [-] twistd 14.0.2 (/usr/bin/python 2.7.9) starting up.
2016-10-29 21:26:33+0000 [-] reactor class: twisted.internet.epollreactor.EPollReactor.
2016-10-29 21:26:33+0000 [-] HonsshServerFactory starting on 2222
2016-10-29 21:26:33+0000 [-] Starting factory <honssh.server.HonsshServerFactory instance at 0x7fb8ce0fd488>
2016-10-29 21:26:35+0000 [honssh.server.HonsshServerFactory] [PLUGIN][HONEYPOT-STATIC] - GET_PRE_AUTH_DETAILS
2016-10-29 21:26:35+0000 [-] [PRE_AUTH] - Connecting to Honeypot: test (172.17.0.2:22)
2016-10-29 21:26:35+0000 [-] [ADV-NET] - Advanced Networking disabled - Using client_addr
2016-10-29 21:26:35+0000 [-] Starting factory <honssh.client.HonsshClientFactory instance at 0x7fb8cde9ebd8>
2016-10-29 21:26:35+0000 [Uninitialized] [CLIENT] - New client connection
2016-10-29 21:26:35+0000 [HonsshClientTransport,client] kex alg, key alg: diffie-hellman-group-exchange-sha1 ssh-rsa
2016-10-29 21:26:35+0000 [HonsshClientTransport,client] outgoing: aes256-ctr hmac-sha1 none
2016-10-29 21:26:35+0000 [HonsshClientTransport,client] incoming: aes256-ctr hmac-sha1 none
2016-10-29 21:26:35+0000 [HonsshClientTransport,client] REVERSE
2016-10-29 21:26:35+0000 [HonsshClientTransport,client] NEW KEYS
2016-10-29 21:26:35+0000 [HonsshClientTransport,client] [CLIENT] - Client Connection Secured
2016-10-29 21:26:36+0000 [-] [PLUGIN][OUTPUT-TXTLOG] - CONNECTION_MADE
2016-10-29 21:26:36+0000 [-] [PRE_AUTH] - CLIENT CONNECTED, REPLAYING BUFFERED PACKETS
2016-10-29 21:27:56+0000 [-] Received SIGTERM, shutting down.
2016-10-29 21:27:56+0000 [-] (TCP Port 2222 Closed)
2016-10-29 21:27:56+0000 [-] Stopping factory <honssh.server.HonsshServerFactory instance at 0x7fb8ce0fd488>
2016-10-29 21:27:56+0000 [HonsshClientTransport,client] connection lost
2016-10-29 21:27:56+0000 [HonsshClientTransport,client] [CLIENT] - Lost connection with the Honeypot: test (172.17.0.2:22)
2016-10-29 21:27:56+0000 [HonsshClientTransport,client] Stopping factory <honssh.client.HonsshClientFactory instance at 0x7fb8cde9ebd8>
2016-10-29 21:27:56+0000 [HonsshServerTransport,0,62.235.25.39] Disconnecting with error, code 10
reason: user closed connection
2016-10-29 21:27:56+0000 [HonsshServerTransport,0,62.235.25.39] connection lost
2016-10-29 21:27:56+0000 [HonsshServerTransport,0,62.235.25.39] [OUTPUT] - Lost Connection with the attacker: 62.235.25.39
2016-10-29 21:27:56+0000 [HonsshServerTransport,0,62.235.25.39] [PLUGIN][OUTPUT-CONTRIBUTE] - CONNECTION_LOST
2016-10-29 21:27:56+0000 [HonsshServerTransport,0,62.235.25.39] [PLUGIN][OUTPUT-TXTLOG] - CONNECTION_LOST
2016-10-29 21:27:56+0000 [-] Main loop terminated.
2016-10-29 21:27:56+0000 [-] Server Shut Down.
2016-10-29 21:28:52+0000 [-] Log opened.
2016-10-29 21:28:52+0000 [-] twistd 14.0.2 (/usr/bin/python 2.7.9) starting up.
2016-10-29 21:28:52+0000 [-] reactor class: twisted.internet.epollreactor.EPollReactor.
2016-10-29 21:28:52+0000 [-] HonsshServerFactory starting on 2222
2016-10-29 21:28:52+0000 [-] Starting factory <honssh.server.HonsshServerFactory instance at 0x7f39488a8b48>
2016-10-29 21:28:55+0000 [honssh.server.HonsshServerFactory] [PLUGIN][HONEYPOT-DOCKER] - GET_PRE_AUTH_DETAILS
2016-10-29 21:28:56+0000 [honssh.server.HonsshServerFactory] [PLUGIN][DOCKER] - Launched container (172.17.0.3, 362227adcd98a12d62549e8aabf5bd38eaad5912dbb9660848dd6f672893ff6c)
2016-10-29 21:28:56+0000 [-] [PRE_AUTH] - Connecting to Honeypot: 362227adcd98a12d62549e8aabf5bd38eaad5912dbb9660848dd6f672893ff6c (172.17.0.3:22)
2016-10-29 21:28:56+0000 [-] [ADV-NET] - Advanced Networking disabled - Using client_addr
2016-10-29 21:28:56+0000 [-] Starting factory <honssh.client.HonsshClientFactory instance at 0x7f39484095a8>
2016-10-29 21:28:56+0000 [Uninitialized] [CLIENT] - New client connection
2016-10-29 21:28:56+0000 [HonsshClientTransport,client] kex alg, key alg: diffie-hellman-group-exchange-sha1 ssh-rsa
2016-10-29 21:28:56+0000 [HonsshClientTransport,client] outgoing: aes256-ctr hmac-sha1 none
2016-10-29 21:28:56+0000 [HonsshClientTransport,client] incoming: aes256-ctr hmac-sha1 none
2016-10-29 21:28:56+0000 [HonsshClientTransport,client] REVERSE
2016-10-29 21:28:56+0000 [HonsshClientTransport,client] NEW KEYS
2016-10-29 21:28:56+0000 [HonsshClientTransport,client] [CLIENT] - Client Connection Secured
2016-10-29 21:28:56+0000 [-] [PLUGIN][OUTPUT-TXTLOG] - CONNECTION_MADE
2016-10-29 21:28:56+0000 [-] [PRE_AUTH] - CLIENT CONNECTED, REPLAYING BUFFERED PACKETS
2016-10-29 21:30:56+0000 [HonsshClientTransport,client] connection lost
2016-10-29 21:30:56+0000 [HonsshClientTransport,client] [CLIENT] - Lost connection with the Honeypot: 362227adcd98a12d62549e8aabf5bd38eaad5912dbb9660848dd6f672893ff6c (172.17.0.3:22)
2016-10-29 21:30:56+0000 [HonsshClientTransport,client] [PLUGIN][HONEYPOT-DOCKER] - CONNECTION_LOST
2016-10-29 21:30:56+0000 [HonsshClientTransport,client] [PLUGIN][DOCKER] - Stopping container (172.17.0.3, 362227adcd98a12d62549e8aabf5bd38eaad5912dbb9660848dd6f672893ff6c)
2016-10-29 21:30:56+0000 [HonsshClientTransport,client] Stopping factory <honssh.client.HonsshClientFactory instance at 0x7f39484095a8>
On the attacker side, it gives me no output:
[emilien@HPDV7Arch ~]$ ssh root@95.85.41.93 -p 2222
Make sure you can ssh to the docker containers from the honssh box.
Also try disabling pre-auth in honeypot-docker for now.
Yes I can:
root@honeypot:~/honssh# ssh root@172.17.0.3
root@172.17.0.3's password:
root@test-box:~# uname -a
Linux test-box 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 x86_64 x86_64 GNU/Linux
If I disable pre-auth the connection is closed immediately:
2016-10-29 21:39:17+0000 [HonsshClientTransport,client] REVERSE
2016-10-29 21:39:17+0000 [HonsshClientTransport,client] NEW KEYS
2016-10-29 21:39:17+0000 [HonsshClientTransport,client] [CLIENT] - Client Connection Secured
2016-10-29 21:39:17+0000 [HonsshClientTransport,client] REVERSE
2016-10-29 21:39:17+0000 [HonsshClientTransport,client] NEW KEYS
2016-10-29 21:39:17+0000 [HonsshClientTransport,client] [CLIENT] - Client Connection Secured
2016-10-29 21:39:17+0000 [-] [PLUGIN][OUTPUT-TXTLOG] - CONNECTION_MADE
2016-10-29 21:39:17+0000 [-] [PRE_AUTH] - CLIENT CONNECTED, REPLAYING BUFFERED PACKETS
2016-10-29 21:39:17+0000 [-] [PLUGIN][OUTPUT-TXTLOG] - CONNECTION_MADE
2016-10-29 21:39:17+0000 [-] [PRE_AUTH] - CLIENT CONNECTED, REPLAYING BUFFERED PACKETS
2016-10-29 21:39:17+0000 [-] [PLUGIN][OUTPUT-TXTLOG] - CONNECTION_MADE
2016-10-29 21:39:17+0000 [-] [PRE_AUTH] - CLIENT CONNECTED, REPLAYING BUFFERED PACKETS
2016-10-29 21:39:17+0000 [-] [PLUGIN][OUTPUT-TXTLOG] - CONNECTION_MADE
2016-10-29 21:39:17+0000 [-] [PRE_AUTH] - CLIENT CONNECTED, REPLAYING BUFFERED PACKETS
2016-10-29 21:41:17+0000 [HonsshClientTransport,client] connection lost
2016-10-29 21:41:17+0000 [HonsshClientTransport,client] [CLIENT] - Lost connection with the Honeypot: a09ef26f6efb227afce1b3afe5a6d80aff48ab4493ed5a702a9184ca58b97450 (172.17.0.4:22)
2016-10-29 21:41:17+0000 [HonsshClientTransport,client] [PLUGIN][HONEYPOT-DOCKER] - CONNECTION_LOST
2016-10-29 21:41:17+0000 [HonsshClientTransport,client] [PLUGIN][DOCKER] - Stopping container (172.17.0.4, a09ef26f6efb227afce1b3afe5a6d80aff48ab4493ed5a702a9184ca58b97450)
2016-10-29 21:41:17+0000 [HonsshClientTransport,client] Stopping factory <honssh.client.HonsshClientFactory instance at 0x7f21db9cbab8>
2016-10-29 21:41:17+0000 [HonsshClientTransport,client] connection lost
2016-10-29 21:41:17+0000 [HonsshClientTransport,client] [CLIENT] - Lost connection with the Honeypot: ce5e55dcfbb3ec68593dd9c923d50f02dfcc268f3cac83054cfb14ef6e3fa47e (172.17.0.5:22)
2016-10-29 21:41:17+0000 [HonsshClientTransport,client] [PLUGIN][HONEYPOT-DOCKER] - CONNECTION_LOST
2016-10-29 21:41:17+0000 [HonsshClientTransport,client] Stopping factory <honssh.client.HonsshClientFactory instance at 0x7f21db1866c8>
2016-10-29 21:41:17+0000 [HonsshClientTransport,client] [PLUGIN][DOCKER] - Stopping container (172.17.0.5, ce5e55dcfbb3ec68593dd9c923d50f02dfcc268f3cac83054cfb14ef6e3fa47e)
2016-10-29 21:41:17+0000 [HonsshClientTransport,client] connection lost
2016-10-29 21:41:17+0000 [HonsshClientTransport,client] [CLIENT] - Lost connection with the Honeypot: 07fc07e467182b3a5c3be4ca2c0d3316a7f85f07c6669a0636a0678dd801f103 (172.17.0.3:22)
2016-10-29 21:41:17+0000 [HonsshClientTransport,client] [PLUGIN][HONEYPOT-DOCKER] - CONNECTION_LOST
2016-10-29 21:41:17+0000 [HonsshClientTransport,client] [PLUGIN][DOCKER] - Stopping container (172.17.0.3, 07fc07e467182b3a5c3be4ca2c0d3316a7f85f07c6669a0636a0678dd801f103)
2016-10-29 21:41:17+0000 [HonsshClientTransport,client] Stopping factory <honssh.client.HonsshClientFactory instance at 0x7f21da157680>
2016-10-29 21:41:17+0000 [HonsshClientTransport,client] connection lost
2016-10-29 21:41:17+0000 [HonsshClientTransport,client] [CLIENT] - Lost connection with the Honeypot: b761289c3add4e676a2d4dcf72eebf163647a4aa0ce0146c80d077dbd683a673 (172.17.0.6:22)
2016-10-29 21:41:17+0000 [HonsshClientTransport,client] [PLUGIN][HONEYPOT-DOCKER] - CONNECTION_LOST
2016-10-29 21:41:17+0000 [HonsshClientTransport,client] Stopping factory <honssh.client.HonsshClientFactory instance at 0x7f21da157908>
2016-10-29 21:41:17+0000 [HonsshClientTransport,client] [PLUGIN][DOCKER] - Stopping container (172.17.0.6, b761289c3add4e676a2d4dcf72eebf163647a4aa0ce0146c80d077dbd683a673)
2016-10-29 21:42:05+0000 [-] Received SIGTERM, shutting down.
2016-10-29 21:42:05+0000 [-] (TCP Port 2222 Closed)
2016-10-29 21:42:05+0000 [-] Stopping factory <honssh.server.HonsshServerFactory instance at 0x7f21dc712b48>
2016-10-29 21:42:05+0000 [HonsshServerTransport,0,62.235.25.39] Disconnecting with error, code 10
reason: user closed connection
2016-10-29 21:42:05+0000 [HonsshServerTransport,0,62.235.25.39] connection lost
2016-10-29 21:42:05+0000 [HonsshServerTransport,0,62.235.25.39] [OUTPUT] - Lost Connection with the attacker: 62.235.25.39
2016-10-29 21:42:05+0000 [HonsshServerTransport,0,62.235.25.39] [PLUGIN][OUTPUT-CONTRIBUTE] - CONNECTION_LOST
2016-10-29 21:42:05+0000 [HonsshServerTransport,0,62.235.25.39] [PLUGIN][OUTPUT-TXTLOG] - CONNECTION_LOST
2016-10-29 21:42:05+0000 [-] Main loop terminated.
2016-10-29 21:42:05+0000 [-] Server Shut Down.
2016-10-29 21:42:08+0000 [-] Log opened.
2016-10-29 21:42:08+0000 [-] twistd 14.0.2 (/usr/bin/python 2.7.9) starting up.
2016-10-29 21:42:08+0000 [-] reactor class: twisted.internet.epollreactor.EPollReactor.
2016-10-29 21:42:08+0000 [-] HonsshServerFactory starting on 2222
2016-10-29 21:42:08+0000 [-] Starting factory <honssh.server.HonsshServerFactory instance at 0x7f1b440beb48>
2016-10-29 21:42:10+0000 [honssh.server.HonsshServerFactory] [PRE_AUTH] - NO PLUGIN ENABLED FOR PRE_AUTH
2016-10-29 21:42:10+0000 [-] [PRE_AUTH][ERROR] - PLUGIN ERROR - DISCONNECTING ATTACKER
2016-10-29 21:42:10+0000 [-] Disconnecting with error, code 10
reason: user closed connection
2016-10-29 21:42:10+0000 [HonsshServerTransport,0,62.235.25.39] connection lost
Ah yeah, it's been a while since I used the docker plugin. Maybe enable pre auth and disable post auth?
If not, I'll look into it more tomorrow.
Disabling post-auth and enabling pre-auth has the same behavior as enabling both post-auth and pre-auth (the connection hangs).
I tried using honeypot-static but it has the same behavior too.
PS: If you need it, I can give you the credentials/access to the console of my VPS to diagnose; it's just a test machine (hosted on DigitalOcean).
And thank you very much for your support and your availability.
Sure, access to the VPS would be quicker than me setting up docker again.
Could you email me using the email address in the code?
Look at the top of any .py file in the code 😃
Resolved by putting in a correct SSH Banner. I should document it more!
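Added example (not part of the thread and not HonSSH's own code): a pre-flight check for the three configuration states seen above, namely an empty honey_port, an empty ssh_banner, and no plugin enabled for pre-auth or post-auth. It assumes ssh_banner sits in the [honeypot] section and that plugin sections use `enabled`, `pre-auth` and `post-auth` options; the sample config is constructed, and the code uses Python 3's configparser.

```python
import configparser

PLUGINS = ("honeypot-static", "honeypot-docker")  # plugin sections named in the thread

# Constructed sample reproducing the states discussed above; not the poster's file.
SAMPLE_CFG = """
[honeypot]
ssh_addr = 0.0.0.0
ssh_banner =

[honeypot-static]
enabled = true
pre-auth = true
post-auth = true
honey_ip = 172.17.0.2
honey_port =

[honeypot-docker]
enabled = false
pre-auth = false
post-auth = false
"""

def _flag(cfg, section, option):
    """True only for an explicit truthy value; a missing or empty option is False."""
    value = cfg.get(section, option, fallback="").strip().lower()
    return value in ("true", "yes", "on", "1")

def check_config(text):
    """Return a list of problems found; an empty list means every check passed."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    problems = []

    # Assumed location of ssh_banner; the prefix test follows RFC 4253 section 4.2.
    banner = cfg.get("honeypot", "ssh_banner", fallback="").strip()
    if not banner:
        problems.append("[honeypot] ssh_banner is empty")
    elif not banner.startswith(("SSH-2.0-", "SSH-1.99-")):
        problems.append("[honeypot] ssh_banner is not an SSH identification string")

    # The log line "NO PLUGIN ENABLED FOR PRE_AUTH" corresponds to this check failing.
    enabled = [p for p in PLUGINS if _flag(cfg, p, "enabled")]
    for stage in ("pre-auth", "post-auth"):
        if not any(_flag(cfg, p, stage) for p in enabled):
            problems.append("no enabled plugin handles " + stage)

    if "honeypot-static" in enabled:
        if not cfg.get("honeypot-static", "honey_ip", fallback="").strip():
            problems.append("[honeypot-static] honey_ip is empty")
        port = cfg.get("honeypot-static", "honey_port", fallback="").strip()
        # int('') is the ValueError in the traceback above, so test before converting.
        if not (port.isdecimal() and 1 <= int(port) <= 65535):
            problems.append("[honeypot-static] honey_port %r is not a port number" % port)
    return problems

if __name__ == "__main__":
    for problem in check_config(SAMPLE_CFG):
        print("CONFIG ERROR: " + problem)
```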
Additional comment for visitors
If you installed the requirements using pip and you have this error when launching honssh:
honsshctrl.sh[21442]: Starting honssh in background...
Unhandled Error
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/twisted/application/app.py", line 648, in run
runApp(config)
File "/usr/local/lib/python2.7/dist-packages/twisted/scripts/twistd.py", line 25, in runApp
_SomeApplicationRunner(config).run()
File "/usr/local/lib/python2.7/dist-packages/twisted/application/app.py", line 379, in run
self.application = self.createOrGetApplication()
File "/usr/local/lib/python2.7/dist-packages/twisted/application/app.py", line 444, in createOrGetApplication
application = getApplication(self.config, passphrase)
--- <exception caught here> ---
File "/usr/local/lib/python2.7/dist-packages/twisted/application/app.py", line 455, in getApplication
application = service.loadApplication(filename, style, passphrase)
File "/usr/local/lib/python2.7/dist-packages/twisted/application/service.py", line 411, in loadApplication
passphrase)
File "/usr/local/lib/python2.7/dist-packages/twisted/persisted/sob.py", line 223, in loadValueFromFile
eval(codeObj, d, d)
File "honssh.tac", line 36, in <module>
from honssh import server, interact
exceptions.ImportError: No module named honssh
Failed to load application: No module named honssh
Try adding the PYTHONPATH to the Linux vars:
export PYTHONPATH="$PYTHONPATH:/folder/to/honssh"
Hi,
HonSSH is looking for sections of the configuration file and cannot find them. For example:
[honeypot]
ssh_addr =
Have you deleted all these sections? Might be best to send me an email with the configuration file. Email can be found in the code.
It doesn't sound like you have set it up correctly. Are you happy to share your configuration file by email? You need to enable a pre_auth and post_auth plugin - usually just the static one.
Hello, I have this error:
/usr/lib/python2.7/dist-packages/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography import x509
Unhandled Error
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 662, in run
runApp(config)
File "/usr/lib/python2.7/dist-packages/twisted/scripts/twistd.py", line 25, in runApp
_SomeApplicationRunner(config).run()
File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 380, in run
self.application = self.createOrGetApplication()
File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 445, in createOrGetApplication
application = getApplication(self.config, passphrase)
--- <exception caught here> ---
File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 456, in getApplication
application = service.loadApplication(filename, style, passphrase)
File "/usr/lib/python2.7/dist-packages/twisted/application/service.py", line 412, in loadApplication
application = sob.loadValueFromFile(filename, 'application')
File "/usr/lib/python2.7/dist-packages/twisted/persisted/sob.py", line 177, in loadValueFromFile
eval(codeObj, d, d)
File "honssh.tac", line 39, in <module>
from honssh.config import Config
exceptions.ImportError: No module named honssh.config