From 9ffeba80ec1aa7b70b4c2ca95f67a1bda29c612f Mon Sep 17 00:00:00 2001
From: dmitriy-myz
Date: Wed, 15 Jun 2016 13:38:14 +0400
Subject: [PATCH] forward mapping (#148)

Sorry for the delay! Thanks for the patch!
---
 cowrie.cfg.dist          | 26 ++++++++++++++++++--------
 cowrie/ssh/forwarding.py | 31 +++++++++++++++++--------------
 2 files changed, 35 insertions(+), 22 deletions(-)

diff --git a/cowrie.cfg.dist b/cowrie.cfg.dist
index eede0f5..370989d 100644
--- a/cowrie.cfg.dist
+++ b/cowrie.cfg.dist
@@ -95,14 +95,6 @@ interact_enabled = false
 # (default: 5123)
 interact_port = 5123
 
-#SMTP forwarding.
-#
-#If you want to record SMTP traffic, install SMTP honeypoint.
-# (e.g https://github.com/awhitehatter/mailoney)
-# python mailoney.py -s yahoo.com -t schizo_open_relay -p 12525
-smtp_forwarding_enabled = false
-smtp_forwarding_port = 12525
-smtp_forwarding_host = 127.0.0.1
 
 # ============================================================================
 # Network Specific Options
@@ -370,3 +362,21 @@ logfile = log/cowrie.json
 #api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
 #
 
+# Port forward mapping.
+#
+# Mapped port will be realy forwarded to new address
+# Useful for forwarding some protocols to other honeypots
+#
+[forward_mapping]
+# Comma separated port list
+ports = no
+# ports = 80,443,25,587
+port_80 = 127.0.0.1:8080
+port_443 = 127.0.0.1:8443
+# If you want to record SMTP traffic, install SMTP honeypoint.
+# (e.g https://github.com/awhitehatter/mailoney), run
+# python mailoney.py -s yahoo.com -t schizo_open_relay -p 12525
+# uncomment
+# ports = 25,587
+port_25 = 127.0.0.1:12525
+port_587 = 127.0.0.1:12525
diff --git a/cowrie/ssh/forwarding.py b/cowrie/ssh/forwarding.py
index 37cdb49..575e13b 100644
--- a/cowrie/ssh/forwarding.py
+++ b/cowrie/ssh/forwarding.py
@@ -14,26 +14,29 @@ def CowrieOpenConnectForwardingClient(remoteWindow, remoteMaxPacket, data, avata
     """
     """
     cfg = avatar.cfg
+    if cfg.has_option('forward_mapping', 'ports') and \
+       cfg.get('forward_mapping', 'ports').lower() not in \
+       ('false', 'no'):
+        mappedPortsComma = cfg.get('forward_mapping', 'ports').split(',')
+        mappedPorts = [int(x.strip()) for x in mappedPortsComma]
+    else:
+        mappedPorts = []
     remoteHP, origHP = twisted.conch.ssh.forwarding.unpackOpen_direct_tcpip(data)
     log.msg(eventid='cowrie.direct-tcpip.request',
         format='direct-tcp connection request to %(dst_ip)s:%(dst_port)s from %(src_ip)s:%(src_port)s',
         dst_ip=remoteHP[0], dst_port=remoteHP[1],
         src_ip=origHP[0], src_port=origHP[1])
-
-    if cfg.has_option('honeypot', 'smtp_forwarding_enabled') and \
-       cfg.get('honeypot', 'smtp_forwarding_enabled').lower() in \
-       ('yes', 'true', 'on'):
-        honey_smtp = True
-        honey_port = int(cfg.get('honeypot', 'smtp_forwarding_port'))
-        honey_host = cfg.get('honeypot', 'smtp_forwarding_host')
-    else:
-        honey_smtp = False
-
-    if (remoteHP[1] == 25 or remoteHP[1] == 587) and honey_smtp:
+    portRule = 'port_{dst_port}'.format(dst_port=remoteHP[1])
+    if remoteHP[1] in mappedPorts \
+       and cfg.has_option('forward_mapping', portRule):
+        newAddr = cfg.get('forward_mapping', portRule)
+        newIp = newAddr.split(':')[0].strip()
+        newPort = int(newAddr.split(':')[1].strip())
+        remoteHPNew = (newIp, newPort)
         log.msg(eventid='cowrie.direct-tcpip.request',
-            format='found smtp, forwarding to local honeypot')
-        remoteHPLocal = (honey_host, honey_port)
-        return forwarding.SSHConnectForwardingChannel(remoteHPLocal,
+            format='found custom port, forwarding to %(new_ip)s:%(new_port)s',
+            new_ip=newIp, new_port=newPort)
+        return forwarding.SSHConnectForwardingChannel(remoteHPNew,
             remoteWindow=remoteWindow, remoteMaxPacket=remoteMaxPacket,
             avatar=avatar)
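Review bot: The target parsing at `newIp = newAddr.split(':')[0].strip()` / `newPort = int(newAddr.split(':')[1].strip())` raises IndexError when a `port_N` value has no colon and splits an IPv6 literal at the wrong colon, and because this runs inside the direct-tcpip request handler for a destination port chosen by the connecting client, one malformed mapping entry turns every forward request to that port into an unhandled exception instead of a logged fallback. Parsing with `host, _, port = newAddr.rpartition(':')` and checking `port.isdigit()` before the `int()` call keeps a bad entry on the logging path. The `ports` list is likewise re-read from the config on every request, and `int(x.strip())` there raises ValueError on an empty or non-numeric entry (note that any value other than `false`/`no`, including an empty string, is treated as an enabled list), so parsing it once and guarding it the same way would stop a configuration typo from affecting the request path. A port that is listed in `ports` but has no matching `port_N` option silently falls through to the non-mapped branch, which may deserve its own log line. The rest of the function body, after `avatar=avatar)`, lies outside the hunk.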