


IDS
Honeypot mit netcat


# honeypot.sh
#
# Listener loop for the telnet honeypot: busybox nc waits for a TCP
# connection on port 23 and runs the in.honeypot handler for it (-e).
# When nc returns, the loop pauses three seconds and listens again.
#
# NOTE(review): in.honeypot is given without a path, so which file gets
# executed depends on how nc resolves it (working directory / PATH) -
# confirm on the target; an absolute path removes the ambiguity.
# NOTE(review): the handler inherits the privileges of this script and
# reads only untrusted network input; run it with as few rights as the
# device allows.

# Exported so that the handler can call the same busybox binary.
BUSYBOX=/var/tmp/busybox
export BUSYBOX

while :
do
     "$BUSYBOX" nc -l -p 23 -e in.honeypot
     sleep 3
done




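#!/bin/sh

###
##
#     telnet HONEYPOT for AVM Fritz!Box
##
###
#
# Connection handler (presumably the in.honeypot started by "nc -e" in
# honeypot.sh): prints a fake HP-UX banner, records the peer address and
# then imitates a root shell while logging every line that is typed.
#
# Globals: BUSYBOX (read) - path to the busybox binary, exported by the
#          listener script; left unquoted on purpose so that an unset
#          value falls back to the tools found in PATH.
# NOTE(review): "echo -ne" is not POSIX; the script relies on the echo
# of the target shell (busybox ash assumed - confirm).

# Per-session log, named after the PID of this handler and created in
# the current working directory.
# NOTE(review): the name is predictable; if the working directory is
# writable by other users, a pre-created symlink could redirect the
# writes below. Keep the log in a directory only the honeypot can write.
LOGFILE=honeypot.$$

# 1. PROMPT: fake login banner
echo ""
echo -ne "HP-UX shpsrv01 B.11.00 U 9000/800 625319311 unlimited-user license\n\r"
echo ""
echo -ne "Press [RETURN] to continue.\n\r"
# The line is only waited for, its content is not used. -r keeps
# backslashes sent by the peer literal.
read -r INPUT

# 2. COLLECT DATA
# Take the foreign address ($5) of connections whose LOCAL address ($4)
# ends in :23 and that are established. A plain "grep :23" would also
# match ports such as 2323 or a remote port 23xx and could attribute the
# session to the wrong peer; without the state filter a TIME_WAIT entry
# of an earlier visitor could be picked up.
# NOTE(review): "cut -d: -f1" assumes IPv4 "addr:port" notation; an IPv6
# or IPv4-mapped peer would yield an empty or truncated host - verify.
REMOTE_HOST=$(netstat -n \
     | $BUSYBOX awk '$4 ~ /:23$/ && $6 == "ESTABLISHED" { print $5 }' \
     | $BUSYBOX cut -d":" -f1 \
     | $BUSYBOX tail -n1)

# Resolve only when an address was found; the quoting keeps the value a
# single argument.
# NOTE(review): the lookup generates DNS traffic for the visitor's
# address, which the operator of that reverse zone may be able to see.
REMOTE_DNS=""
if [ -n "$REMOTE_HOST" ]; then
     REMOTE_DNS=$($BUSYBOX nslookup "$REMOTE_HOST")
fi

# 3. LOGGING: the first entry creates (or truncates) the session log
echo "$(date) : telnet-Connection from host $REMOTE_HOST" > "$LOGFILE"
echo "$(date) : $REMOTE_DNS" >> "$LOGFILE"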

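# 4. MAIN LOOP: fake root shell
# Reads one line per iteration from the peer, logs it to $LOGFILE and
# answers a handful of commands with canned output. Everything read here
# is attacker-controlled and must never be expanded unquoted: an
# unquoted $INPUT is subject to pathname expansion, so a typed glob
# would be resolved against the real filesystem and echoed back by the
# "command not found" branch.
# NOTE(review): the session log grows with every line the peer sends and
# is not size-limited; on a device with little storage consider a cap.

# Carriage return, as sent by telnet clients at the end of a line.
CR=$(echo -ne '\r')

while true
do
     # ACCEPT INPUT
     echo -n "root@shpsrv01 > "
     # -r keeps backslashes literal. Leave the loop when the peer has
     # closed the connection; otherwise the loop would spin on EOF and
     # append an empty log entry on every pass.
     read -r INPUT || break

     # CLEANUP I: remove the trailing CR only if there is one, so that a
     # client sending bare LF does not lose its last character.
     INPUT=${INPUT%"$CR"}

     # LOGGING: the complete line as typed
     echo "$(date) : $INPUT" >> "$LOGFILE"

     # CLEANUP II: keep only the first word. Globbing is switched off
     # while the line is split, and "--" stops a leading "-" from being
     # read as an option of set. The positional parameters of this
     # script are overwritten; nothing else uses them.
     set -f
     set -- $INPUT
     set +f
     INPUT=$1

     # CASES
     case "$INPUT" in

     exit)
          break
          ;;

     ps)
          echo -ne "PID     TTY     TIME CMD\n\r"
          echo -ne "2325     pts/4     00:00:00 su\n\r"
          echo -ne "2327     pts/4     00:00:00 bash\n\r"
          echo -ne "13452     pts/4     00:00:00 ps\n\r"
          ;;

     ls|ll)
          echo -ne "-rw-r--r--    1 root     root         1661 16. Aug 15:38 passwd\n\r"
          ;;

     cat|more|less)
          echo -ne "root:x:0:0:ruth:/ruth:/bin/bash\n\r"
          echo -ne "bin:x:1:1:bin:/bin:/sbin/nologin\n\r"
          echo -ne "daemon:x:2:2:daemon:/sbin:/sbin/nologin\n\r"
          echo -ne "adm:x:3:4:adm:/var/adm:/sbin/nologin\n\r"
          echo -ne "lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\n\r"
          echo -ne "sync:x:5:0:sync:/sbin:/bin/sync\n\r"
          echo -ne "shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\n\r"
          echo -ne "gopher:x:13:30:gopher:/var/gopher:/sbin/nologin\n\r"
          echo -ne "ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\n\r"
          echo -ne "nobody:x:99:99:Nobody:/:/sbin/nologin\n\r"
          echo -ne "rpm:x:37:37::/var/lib/rpm:/sbin/nologin\n\r"
          echo -ne "vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin\n\r"
          echo -ne "nscd:x:28:28:NSCD Daemon:/:/sbin/nologin\n\r"
          echo -ne "sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin\n\r"
          echo -ne "smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin\n\r"
          echo -ne "pcap:x:77:77::/var/arpwatch:/sbin/nologin\n\r"
          echo -ne "xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin\n\r"
          echo -ne "ntp:x:38:38::/etc/ntp:/sbin/nologin\n\r"
          echo -ne "desktop:x:80:80:desktop:/var/lib/menu/kde:/sbin/nologin\n\r"
          echo -ne "apache:x:48:48:Apache:/var/www:/sbin/nologin\n\r"
          # The session ends after the fake passwd listing (kept from
          # the original; presumably deliberate).
          break
          ;;

     who|w)
          echo -ne "21:42:32  up 51 days, 21:45,  1 users,  load average: 5.28, 4.82, 4.49\n\r"
          echo -ne "USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT\n\r"
          echo -ne "root    pts/0    a81-14-154-107.n  7:45pm 12.00s  0.25s  0.06s  sshd: root [priv]\n\r"
          ;;

     uptime)
          echo -ne " 21:43:58  up 51 days, 21:47,  4 users,  load average: 4.81, 4.78, 4.50\n\r"
          ;;

     pwd)
          echo -ne "/root\n\r"
          ;;

     cd)
          ;;

     uname)
          echo -ne "HP-UX shpsrv01 B.11.00 U 9000/800 625319311 unlimited-user license\n\r"
          ;;

     "")
          ;;

     *)
          # The typed word is printed without -e so that backslash
          # sequences in it are not interpreted; only the fixed line
          # ending goes through -e.
          echo -n "-bash: $INPUT: command not found"
          echo -ne "\n\r"
          ;;

     esac
done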

# 5. LOGGING: record the end of the session in the session log
echo "`date` : logout" >> $LOGFILE

# 6. MAIL THE LOG (original heading: "catch signals"; no trap is visible
# in this listing)
# Builds an SMTP dialogue whose message body is the content of $LOGFILE.
# NOTE(review): the statement is cut off on this page - the closing
# quote and the command that receives the dialogue are missing, and the
# "mail from:" / "rcpt to:" addresses are blank. Complete it from the
# original script before use.
# NOTE(review): $LOGFILE contains the lines typed by the remote peer
# unfiltered, so the mail body can carry control characters or escape
# sequences; treat it as untrusted data when viewing or processing it.
echo "helo
mail from:
rcpt to:
data
Subject: Honeypot-Logfile
`cat $LOGFILE`
.
quit





Knowledge base wurde zuletzt bearbeitet am 12.07.13 durch Frank
