Key code

The scripts under opencanary/modules implement the emulated services and protocols.
opencanary/logger.py generates the log records. This is the file in which I changed a few lines directly to send logs to the web side, for example the post2server function and the log function; the LoggerBase class in the same file defines the various log types (the logtype numbers seen below).

Log format xmind

I recorded the logs and the services (protocols) from my analysis of the OpenCanary honeypot framework in an xmind map, so that anyone interested can develop against it.
The fields of the OpencanaryLog table in the opencanary_web database honeypot were likewise designed from the full set of fields these logs contain, and the table was extended whenever a new field turned up during development.

[xmind figure: opencanary-log]

Listening ports

After enabling every service in the OpenCanary configuration, netstat shows the following listeners (TCP services plus the UDP modules: TFTP on 69, NTP on 123, SNMP on 161, SIP on 5060):

tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:1433            0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:3389            0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:9418            0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      12683/python
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      12683/python
udp        0      0 0.0.0.0:57197           0.0.0.0:*                           8994/python
udp        0      0 0.0.0.0:5060            0.0.0.0:*                           12683/python
udp        0      0 0.0.0.0:69              0.0.0.0:*                           12683/python
udp        0      0 0.0.0.0:123             0.0.0.0:*                           12683/python
udp        0      0 0.0.0.0:161             0.0.0.0:*                           12683/python

Application logs

HTTP

Trigger

Browse to the honeypot's HTTP login page (skin nasLogin in the sample) and submit a username and password.

Log format

{"dst_host": "172.18.200.58", "dst_port": 80, "local_time": "2019-01-07 13:47:45.817940", "logdata": {"HOSTNAME": "172.18.200.58", "PASSWORD": "admin888", "PATH": "/index.html", "SKIN": "nasLogin", "USERAGENT": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:61.0) Gecko/20100101 Firefox/61.0", "USERNAME": "admin"}, "logtype": 3001, "node_id": "opencanary-1", "src_host": "172.18.205.14", "src_port": 54488}

FTP

Trigger

Log in with any FTP client.

Log format

{"dst_host": "172.18.200.58", "dst_port": 21, "local_time": "2019-01-07 13:50:54.264032", "logdata": {"PASSWORD": "admin123", "USERNAME": "ftpadmin"}, "logtype": 2000, "node_id": "opencanary-1", "src_host": "172.18.205.14", "src_port": 54573}

SSH

Trigger

Log in with any SSH client.

Log format

A connection produces three records: the new session (4000), the version exchange (4001) and each password attempt (4002). LOCALVERSION is the banner the honeypot presents; the default shown here is easy to recognize, so set your own in the configuration before deploying.

{"dst_host": "172.18.200.58", "dst_port": 2222, "local_time": "2019-01-07 13:54:27.811101", "logdata": {"SESSION": "3"}, "logtype": 4000, "node_id": "opencanary-1", "src_host": "172.18.205.14", "src_port": 54639}
{"dst_host": "172.18.200.58", "dst_port": 2222, "local_time": "2019-01-07 13:54:27.888686", "logdata": {"LOCALVERSION": "SSH-2.0-OpenSSH_5.1p1 Debian-4", "REMOTEVERSION": "SSH-2.0-OpenSSH_7.0 ZOC_7.16.1"}, "logtype": 4001, "node_id": "opencanary-1", "src_host": "172.18.205.14", "src_port": 54639}
{"dst_host": "172.18.200.58", "dst_port": 2222, "local_time": "2019-01-07 13:54:32.444224", "logdata": {"LOCALVERSION": "SSH-2.0-OpenSSH_5.1p1 Debian-4", "PASSWORD": "root123", "REMOTEVERSION": "SSH-2.0-OpenSSH_7.0 ZOC_7.16.1", "USERNAME": "root"}, "logtype": 4002, "node_id": "opencanary-1", "src_host": "172.18.205.14", "src_port": 54639}

Telnet

Trigger

telnet 172.18.200.58

Log format

{"dst_host": "172.18.200.58", "dst_port": 23, "honeycred": false, "local_time": "2019-01-07 13:56:45.341785", "logdata": {"PASSWORD": "admin888", "USERNAME": "admin123"}, "logtype": 6001, "node_id": "opencanary-1", "src_host": "172.18.205.14", "src_port": 54676}

MySQL

Trigger

mysql -h172.18.200.58 -uroot -p

Log format

PASSWORD here is not plaintext: it is the 40-hex-character (20-byte) scrambled authentication response the client sends, so it can only be tested against candidate passwords if the server-side salt is also known.

{"dst_host": "172.18.200.58", "dst_port": 3306, "local_time": "2019-01-07 13:58:25.922257", "logdata": {"PASSWORD": "18076c09615de80ddb2903191b783714918b4c4f", "USERNAME": "root"}, "logtype": 8001, "node_id": "opencanary-1", "src_host": "172.18.220.253", "src_port": 46662}

Git protocol

Trigger

git clone git://192.168.1.7:9418/tmp.git

Log format

{"dst_host": "192.168.1.7", "dst_port": 9418, "local_time": "2019-01-05 15:38:46.368627", "logdata": {"HOST": "192.168.1.7:9418", "REPO": "tmp.git"}, "logtype": 16001, "node_id": "opencanary-1", "src_host": "192.168.1.3", "src_port": 57606}

NTP protocol

Trigger

Send an NTP monlist request to the honeypot (for example ntpdc -n -c monlist 192.168.1.7); the sample below was produced by such a query.

NTP listens on UDP port 123. Like the other UDP modules (SIP, SNMP), it reports dst_host as 0.0.0.0, the bind address, rather than the honeypot's IP, so use node_id to identify the sensor.

Log format

{"dst_host": "0.0.0.0", "dst_port": 123, "local_time": "2019-01-05 15:58:52.075987", "logdata": {"NTP CMD": "monlist"}, "logtype": 11001, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": 57886}

Redis

Trigger

(env) [root@honeypot Honeypot]# redis-cli -h 192.168.1.7
192.168.1.7:6379> keys *
(error) NOAUTH Authentication required.
192.168.1.7:6379> config get requirepass
(error) ERR unknown command 'config'
192.168.1.7:6379> auth admin
(error) ERR invalid password
192.168.1.7:6379>

Log format

Every command is logged as CMD plus ARGS (logtype 17001), including the AUTH attempt with its password. Note the reply to CONFIG above: a real Redis with requirepass set answers NOAUTH to every command until AUTH succeeds, so "unknown command 'config'" is a tell an attacker can use to fingerprint the honeypot.

{"dst_host": "192.168.1.7", "dst_port": 6379, "local_time": "2019-01-05 16:05:11.637269", "logdata": {"ARGS": "", "CMD": "COMMAND"}, "logtype": 17001, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": 34471}
{"dst_host": "192.168.1.7", "dst_port": 6379, "local_time": "2019-01-05 16:08:14.786249", "logdata": {"ARGS": "*", "CMD": "KEYS"}, "logtype": 17001, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": 34471}
{"dst_host": "192.168.1.7", "dst_port": 6379, "local_time": "2019-01-05 16:09:36.418200", "logdata": {"ARGS": "get requirepass", "CMD": "CONFIG"}, "logtype": 17001, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": 34471}
{"dst_host": "192.168.1.7", "dst_port": 6379, "local_time": "2019-01-05 16:10:09.802402", "logdata": {"ARGS": "admin", "CMD": "AUTH"}, "logtype": 17001, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": 34471}

TCP Banner

Trigger

telnet 192.168.1.6 8001

Log format

{"dst_host": "192.168.1.6", "dst_port": 8001, "local_time": "2019-01-05 17:18:51.601478", "logdata": {"BANNER_ID": "1", "DATA": "", "FUNCTION": "CONNECTION_MADE"}, "logtype": 18002, "node_id": "opencanary-1", "src_host": "192.168.1.3", "src_port": 59176}
{"dst_host": "192.168.1.6", "dst_port": 8001, "local_time": "2019-01-05 17:19:12.996007", "logdata": {"BANNER_ID": "1", "DATA": "", "FUNCTION": "DATA_RECEIVED"}, "logtype": 18004, "node_id": "opencanary-1", "src_host": "192.168.1.3", "src_port": 59176}

The TCP banner logtypes defined in logger.py:

LOG_TCP_BANNER_CONNECTION_MADE = 18001
LOG_TCP_BANNER_KEEP_ALIVE_CONNECTION_MADE = 18002
LOG_TCP_BANNER_KEEP_ALIVE_SECRET_RECEIVED = 18003
LOG_TCP_BANNER_KEEP_ALIVE_DATA_RECEIVED = 18004
LOG_TCP_BANNER_DATA_RECEIVED = 18005

VNC

Trigger

I connected from a Mac using VNC Viewer.

Log format

The honeypot records the server challenge and the client's DES response and tries them against a list of common passwords; "VNC Password" is the recovered password, or the placeholder below when none of the list matched.

{"dst_host": "192.168.1.7", "dst_port": 5000, "local_time": "2019-01-06 08:21:28.951940", "logdata": {"VNC Client Response": "58c00be9ee5b7f3b666771dd2bda9309", "VNC Password": "<Password was not in the common list>", "VNC Server Challenge": "953e2dff7e4d3a3114527c282817ce1d"}, "logtype": 12001, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": 54634}

RDP

Trigger

I connected from a Mac using Microsoft Remote Desktop Beta.app.

Log format

{"dst_host": "192.168.1.7", "dst_port": 3389, "local_time": "2019-01-06 08:59:13.890934", "logdata": {"DOMAIN": "", "HOSTNAME": "HelloHost", "PASSWORD": "helloword", "USERNAME": "administrator1"}, "logtype": 14001, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": 59955}
{"dst_host": "192.168.1.7", "dst_port": 3389, "local_time": "2019-01-06 08:59:26.868856", "logdata": {"INPUT": ""}, "logtype": 14001, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": 59955}

An INPUT field appears when the login is made in Windows console mode.

SIP

Trigger

hydra -l adminsip -p password 192.168.1.7 sip

Log format

{"dst_host": "0.0.0.0", "dst_port": 5060, "local_time": "2019-01-06 09:55:12.578148", "logdata": {"HEADERS": {"call-id": ["[email protected]"], "content-length": ["0"], "cseq": ["1 REGISTER"], "from": ["<sip:[email protected]>"], "to": ["<sip:[email protected]>"], "via": ["SIP/2.0/UDP 10.0.2.15:46759;received=192.168.1.7"]}}, "logtype": 15001, "node_id": "opencanary-1", "src_host": "192.168.1.7", "src_port": 46759}

SNMP

Trigger

hydra -p password 192.168.1.7 snmp

Log format

{"dst_host": "0.0.0.0", "dst_port": 161, "local_time": "2019-01-06 11:17:27.266214", "logdata": {"COMMUNITY_STRING": "password", "REQUESTS": ["1.3.6.1.2.1.1.1"]}, "logtype": 13001, "node_id": "opencanary-1", "src_host": "192.168.1.7", "src_port": 47112}

Nmap

These records come from the portscan module, which reads the kernel's iptables LOG lines, so the fields are the netfilter ones (IN, MAC, TTL, WINDOW, ...). Two quirks to handle when storing them: dst_port and src_port are strings here but integers in every other module, and a set TCP flag appears as a key with an empty value (e.g. "FIN": "") while a clear flag has no key at all.

OS detection trigger

sudo nmap -v -Pn -O 192.168.1.7

Log format

{"dst_host": "192.168.1.7", "dst_port": "21", "local_time": "2019-01-06 16:35:24.356080", "logdata": {"FIN": "", "ID": "37499", "IN": "eth1", "LEN": "60", "MAC": "08:00:27:da:4c:e2:6c:96:cf:dd:ee:bd:08:00", "OUT": "", "PREC": "0x00", "PROTO": "TCP", "PSH": "", "RES": "0x00", "SYN": "", "TOS": "0x00", "TTL": "56", "URG": "", "URGP": "0", "WINDOW": "256"}, "logtype": 5002, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": "40098"}

SYN scan trigger

sudo nmap -sS 192.168.1.7

Log format

{"dst_host": "192.168.1.7", "dst_port": "21", "local_time": "2019-01-06 16:35:24.190176", "logdata": {"ID": "51918", "IN": "eth1", "LEN": "56", "MAC": "08:00:27:da:4c:e2:6c:96:cf:dd:ee:bd:08:00", "OUT": "", "PREC": "0x00", "PROTO": "TCP", "RES": "0x00", "SYN": "", "TOS": "0x00", "TTL": "58", "URGP": "0", "WINDOW": "512"}, "logtype": 5001, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": "40088"}

FIN scan trigger

sudo nmap -sF 192.168.1.7

Log format

{"dst_host": "192.168.1.7", "dst_port": "23", "local_time": "2019-01-06 16:46:18.336954", "logdata": {"FIN": "", "ID": "29768", "IN": "eth1", "LEN": "40", "MAC": "08:00:27:da:4c:e2:6c:96:cf:dd:ee:bd:08:00", "OUT": "", "PREC": "0x00", "PROTO": "TCP", "RES": "0x00", "TOS": "0x00", "TTL": "59", "URGP": "0", "WINDOW": "1024"}, "logtype": 5005, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": "35116"}

Xmas tree scan trigger

sudo nmap -sX 192.168.1.7

Log format

{"dst_host": "192.168.1.7", "dst_port": "139", "local_time": "2019-01-06 16:48:46.225539", "logdata": {"FIN": "", "ID": "19984", "IN": "eth1", "LEN": "40", "MAC": "08:00:27:da:4c:e2:6c:96:cf:dd:ee:bd:08:00", "OUT": "", "PREC": "0x00", "PROTO": "TCP", "PSH": "", "RES": "0x00", "TOS": "0x00", "TTL": "56", "URG": "", "URGP": "0", "WINDOW": "1024"}, "logtype": 5004, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": "50913"}

Null scan trigger

sudo nmap -sN 192.168.1.7

Log format

{"dst_host": "192.168.1.7", "dst_port": "5060", "local_time": "2019-01-06 16:51:07.789903", "logdata": {"ID": "26441", "IN": "eth1", "LEN": "40", "MAC": "08:00:27:da:4c:e2:6c:96:cf:dd:ee:bd:08:00", "OUT": "", "PREC": "0x00", "PROTO": "TCP", "RES": "0x00", "TOS": "0x00", "TTL": "50", "URGP": "0", "WINDOW": "1024"}, "logtype": 5003, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": "58015"}

MSSQL

Login with SQL Server authentication

Trigger: SQLPro for MSSQL

Log format

{"dst_host": "172.18.200.58", "dst_port": 1433, "local_time": "2019-01-07 09:04:58.690137", "logdata": {"AppName": "SQLPro for MSSQL (hankinsoft.com)", "CltIntName": "DB-Library", "Database": "test", "HostName": "Piroguehost", "Language": "us_english", "Password": "sa123456", "ServerName": "172.18.200.58:1433", "UserName": "sa"}, "logtype": 9001, "node_id": "opencanary-1", "src_host": "172.18.205.14", "src_port": 64344}

Login with Windows authentication

Trigger: SQLPro for MSSQL

Log format

With Windows authentication the password is never sent in the clear, so USERNAME and PASSWORD are empty (logtype 9002); only the connection attempt itself is captured.

{"dst_host": "172.18.200.58", "dst_port": 1433, "local_time": "2019-01-07 09:13:28.669829", "logdata": {"PASSWORD": "", "USERNAME": ""}, "logtype": 9002, "node_id": "opencanary-1", "src_host": "172.18.205.14", "src_port": 64499}

HTTP proxy

Trigger

Configure the browser to use the honeypot as an HTTP proxy with authentication, then open any URL.

Log format

{"dst_host": "172.18.200.58", "dst_port": 8080, "local_time": "2019-01-07 13:26:47.761297", "logdata": {"PASSWORD": "passsquid", "USERNAME": "squidadmin"}, "logtype": 7001, "node_id": "opencanary-1", "src_host": "172.18.205.14", "src_port": 53798}
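As an added example (my own code, not OpenCanary's logger.py and not the author's web backend), here is a normalizer that turns the JSON lines shown in the sections above into the kind of fixed-column record the OpencanaryLog table holds. The logtype numbers are the ones that appear in the samples and in the LOG_TCP_BANNER_* constants on this page; the label strings, function names and column layout are my own choices. It handles three quirks visible in the samples: the portscan module emits ports as strings while the other modules use integers, a set TCP flag is a key with an empty value, and the UDP modules report dst_host as 0.0.0.0. The two sample lines embedded at the bottom are copied from the Telnet and Xmas scan samples above.

```python
import json
from typing import Any, Dict, Optional

# logtype -> label. Numbers are those seen in the samples and the
# LOG_TCP_BANNER_* constants on this page; the labels are my own.
LOGTYPE_NAMES = {
    2000: "ftp.login", 3001: "http.login",
    4000: "ssh.new_connection", 4001: "ssh.remote_version", 4002: "ssh.login",
    5001: "scan.syn", 5002: "scan.os_probe", 5003: "scan.null",
    5004: "scan.xmas", 5005: "scan.fin",
    6001: "telnet.login", 7001: "httpproxy.login", 8001: "mysql.login",
    9001: "mssql.login_sql", 9002: "mssql.login_windows",
    11001: "ntp.command", 12001: "vnc.auth", 13001: "snmp.request",
    14001: "rdp.login", 15001: "sip.request", 16001: "git.clone",
    17001: "redis.command",
    18001: "tcpbanner.connection_made",
    18002: "tcpbanner.keepalive_connection_made",
    18003: "tcpbanner.keepalive_secret_received",
    18004: "tcpbanner.keepalive_data_received",
    18005: "tcpbanner.data_received",
}

# Credential keys in the casing each module uses: MSSQL sends "UserName"/
# "Password", the others upper case; the SNMP community string is the secret.
USER_KEYS = ("USERNAME", "UserName")
SECRET_KEYS = ("PASSWORD", "Password", "COMMUNITY_STRING")

TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")


def _port(value: Any) -> Optional[int]:
    """Ports are ints in most modules but strings ("21") in portscan logs."""
    if value in (None, ""):
        return None
    return int(value)


def _first(logdata: Dict[str, Any], keys) -> Optional[str]:
    return next((logdata[k] for k in keys if k in logdata), None)


def scan_flags(logdata: Dict[str, Any]) -> frozenset:
    """The portscan module records a set TCP flag as a key with an empty
    string value ("FIN": ""); a flag that is clear has no key at all."""
    return frozenset(f for f in TCP_FLAGS if f in logdata)


def classify_scan(flags) -> str:
    """Flag set -> nmap probe type, matching the logtypes on this page:
    5001 SYN, 5003 NULL, 5004 XMAS, 5005 FIN; any other combination (the
    5002 sample carries FIN+PSH+SYN+URG) is treated as an OS-detection probe."""
    flags = frozenset(flags)
    if flags == {"SYN"}:
        return "syn"
    if not flags:
        return "null"
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"
    if flags == {"FIN"}:
        return "fin"
    return "os_probe"


def normalize(line: str) -> Dict[str, Any]:
    """Flatten one OpenCanary JSON line into a fixed-column record."""
    raw = json.loads(line)
    logdata = raw.get("logdata") or {}
    logtype = int(raw["logtype"])
    event = {
        "node_id": raw.get("node_id"),
        "time": raw.get("local_time"),
        "logtype": logtype,
        "name": LOGTYPE_NAMES.get(logtype, "unknown"),
        "src_host": raw.get("src_host"),
        "src_port": _port(raw.get("src_port")),
        # UDP modules (NTP, SIP, SNMP) put the bind address 0.0.0.0 here, so
        # node_id, not dst_host, identifies which sensor was hit.
        "dst_host": raw.get("dst_host"),
        "dst_port": _port(raw.get("dst_port")),
        "username": _first(logdata, USER_KEYS),
        # For MySQL this is the client's 20-byte scrambled auth response in
        # hex, not a plaintext password; everything else is what was typed.
        "secret": _first(logdata, SECRET_KEYS),
        "honeycred": raw.get("honeycred"),
        "logdata": logdata,
    }
    if 5001 <= logtype <= 5005:
        flags = scan_flags(logdata)
        event["tcp_flags"] = sorted(flags)
        event["scan"] = classify_scan(flags)
    return event


def credential_attempts(lines):
    """(src_host, name, username, secret) for every event that carried a
    username or a secret: the rows a credentials dashboard is built from."""
    rows = []
    for line in lines:
        e = normalize(line)
        if e["username"] is not None or e["secret"] is not None:
            rows.append((e["src_host"], e["name"], e["username"], e["secret"]))
    return rows


# Two lines copied from the samples on this page, so the file runs stand-alone.
SAMPLE_LINES = [
    '{"dst_host": "172.18.200.58", "dst_port": 23, "honeycred": false, "local_time": "2019-01-07 13:56:45.341785", "logdata": {"PASSWORD": "admin888", "USERNAME": "admin123"}, "logtype": 6001, "node_id": "opencanary-1", "src_host": "172.18.205.14", "src_port": 54676}',
    '{"dst_host": "192.168.1.7", "dst_port": "139", "local_time": "2019-01-06 16:48:46.225539", "logdata": {"FIN": "", "ID": "19984", "IN": "eth1", "LEN": "40", "MAC": "08:00:27:da:4c:e2:6c:96:cf:dd:ee:bd:08:00", "OUT": "", "PREC": "0x00", "PROTO": "TCP", "PSH": "", "RES": "0x00", "TOS": "0x00", "TTL": "56", "URG": "", "URGP": "0", "WINDOW": "1024"}, "logtype": 5004, "node_id": "opencanary-1", "src_host": "192.168.1.6", "src_port": "50913"}',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(json.dumps(normalize(line), sort_keys=True))
    print(credential_attempts(SAMPLE_LINES))
```

Feeding the honeypot's log file through normalize() line by line gives records with one column set regardless of module, which is what a table like OpencanaryLog needs; unknown logtypes are kept (name "unknown") rather than dropped, so a new module does not silently lose events.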

SMB

Not done for now, because the SMB module depends on a real SMB service running on the host.