Using and Understanding OpenCanary

Posted by Mr.Be1ieVe on Monday, May 10, 2021

Supported protocols

22 ssh : a Secure Shell server which alerts on login attempts
21 ftp : a File Transfer Protocol server which alerts on login attempts
git : a Git protocol server which alerts on repo cloning
80 http : an HTTP web server that alerts on login attempts
httpproxy : an HTTP web proxy that alerts when there is an attempt to proxy to another page
1433 mssql : an MS SQL server that alerts on login attempts
3306 mysql : a MySQL server that alerts on login attempts
23 telnet : a Telnet server that alerts on login attempts
161 snmp : an SNMP server (UDP) which alerts on OID requests
sip : a SIP server which alerts on SIP requests
5900 vnc : a VNC server which alerts on login attempts
redis : a Redis server which alerts on actions
tftp : a TFTP server which alerts on requests
ntp : an NTP server which alerts on NTP requests
tcpbanner : a TCP banner service which alerts on connection and on subsequent data-received events
ignorelist : not a service but a setting; a comma-separated list of IPs or CIDRs for which alerting is suppressed

Installing in Docker

Using the official method I could never get it to run in Docker; all I could see was

Attaching to opencanary
opencanary exited with code 0

I went and found one that works with a few tweaks: mrbelieve128/Docker-OpenCanary: Simple Docker image for OpenCanary in Ubuntu

Trying it out

Logs are written to /var/tmp/opencanary.log

Port 80

{"dst_host": "", "dst_port": -1, "local_time": "2021-04-22 08:24:33.054025", "local_time_adjusted": "2021-04-22 08:24:33.054043", "logdata": {"msg": {"logdata": "Canary running!!!"}}, "logtype": 1001, "node_id": "opencanary_device01", "src_host": "", "src_port": -1, "utc_time": "2021-04-22 08:24:33.054037"}
{"dst_host": "172.17.0.2", "dst_port": 80, "local_time": "2021-04-22 08:33:59.434581", "local_time_adjusted": "2021-04-22 08:33:59.434644", "logdata": {"HOSTNAME": "localhost", "PATH": "/index.html", "SKIN": "nasLogin", "USERAGENT": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.42"}, "logtype": 3000, "node_id": "opencanary_device01", "src_host": "172.17.0.1", "src_port": 55736, "utc_time": "2021-04-22 08:33:59.434633"}
{"dst_host": "172.17.0.2", "dst_port": 80, "local_time": "2021-04-22 08:35:34.959679", "local_time_adjusted": "2021-04-22 08:35:34.959764", "logdata": {"HOSTNAME": "localhost", "PASSWORD": "admin1", "PATH": "/index.html", "SKIN": "nasLogin", "USERAGENT": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.42", "USERNAME": "admin"}, "logtype": 3001, "node_id": "opencanary_device01", "src_host": "172.17.0.1", "src_port": 55752, "utc_time": "2021-04-22 08:35:34.959754"}
{"dst_host": "172.17.0.2", "dst_port": 80, "local_time": "2021-04-22 08:35:40.035831", "local_time_adjusted": "2021-04-22 08:35:40.035866", "logdata": {"HOSTNAME": "localhost", "PASSWORD": "admin", "PATH": "/index.html", "SKIN": "nasLogin", "USERAGENT": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.42", "USERNAME": "admin"}, "logtype": 3001, "node_id": "opencanary_device01", "src_host": "172.17.0.1", "src_port": 55772, "utc_time": "2021-04-22 08:35:40.035860"}

Port 21

{"dst_host": "172.17.0.2", "dst_port": 21, "local_time": "2021-04-22 08:52:34.745897", "local_time_adjusted": "2021-04-22 08:52:34.745986", "logdata": {"PASSWORD": "admin1", "USERNAME": "admin"}, "logtype": 2000, "node_id": "opencanary_device01", "src_host": "172.17.0.1", "src_port": 57076, "utc_time": "2021-04-22 08:52:34.745964"}
{"dst_host": "172.17.0.2", "dst_port": 21, "local_time": "2021-04-22 08:52:34.751212", "local_time_adjusted": "2021-04-22 08:52:34.751331", "logdata": {"PASSWORD": "admin1", "USERNAME": "admin"}, "logtype": 2000, "node_id": "opencanary_device01", "src_host": "172.17.0.1", "src_port": 57078, "utc_time": "2021-04-22 08:52:34.751236"}
{"dst_host": "172.17.0.2", "dst_port": 21, "local_time": "2021-04-22 08:53:02.559717", "local_time_adjusted": "2021-04-22 08:53:02.559749", "logdata": {"PASSWORD": "admin1", "USERNAME": "admin"}, "logtype": 2000, "node_id": "opencanary_device01", "src_host": "172.17.0.1", "src_port": 57086, "utc_time": "2021-04-22 08:53:02.559741"}
{"dst_host": "172.17.0.2", "dst_port": 21, "local_time": "2021-04-22 08:53:02.560316", "local_time_adjusted": "2021-04-22 08:53:02.560336", "logdata": {"PASSWORD": "admin1", "USERNAME": "admin"}, "logtype": 2000, "node_id": "opencanary_device01", "src_host": "172.17.0.1", "src_port": 57084, "utc_time": "2021-04-22 08:53:02.560332"}
{"dst_host": "172.17.0.2", "dst_port": 21, "local_time": "2021-04-22 08:53:04.350338", "local_time_adjusted": "2021-04-22 08:53:04.350379", "logdata": {"PASSWORD": "admin", "USERNAME": "admin"}, "logtype": 2000, "node_id": "opencanary_device01", "src_host": "172.17.0.1", "src_port": 57090, "utc_time": "2021-04-22 08:53:04.350363"}
{"dst_host": "172.17.0.2", "dst_port": 21, "local_time": "2021-04-22 08:53:04.350905", "local_time_adjusted": "2021-04-22 08:53:04.350921", "logdata": {"PASSWORD": "admin", "USERNAME": "admin"}, "logtype": 2000, "node_id": "opencanary_device01", "src_host": "172.17.0.1", "src_port": 57094, "utc_time": "2021-04-22 08:53:04.350917"}

Alerts can be produced by watching the log file for changes, by shipping the JSON directly (for example over hpfeeds), or by configuring e-mail notification.
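The log is one JSON object per line, and the logtype field says what happened: 1001 is the "Canary running" startup message, 3000 a GET of the login page, 3001 an HTTP POST login attempt and 2000 an FTP login attempt. As an added example (not code from the original post or from OpenCanary), the script below parses lines in that format, groups credential attempts by source host and destination port, lists the credentials each source tried, and flags bursts of attempts inside a sliding time window. The embedded sample log is constructed to mirror the entries shown above (with the local_time fields trimmed and a second, made-up source 10.0.0.9 added); the threshold and window values are arbitrary choices for the demonstration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# logtype codes as seen in the log lines above (LOG_* constants in opencanary/logger.py).
LOGTYPES = {
    1001: "canary message",
    2000: "ftp login attempt",
    3000: "http get",
    3001: "http post login attempt",
}
# Only these event types carry a USERNAME/PASSWORD pair in logdata.
CREDENTIAL_EVENTS = {2000, 3001}


def parse_event(line):
    """Decode one opencanary.log line; utc_time becomes a datetime for arithmetic."""
    event = json.loads(line)
    event["utc_time"] = datetime.strptime(event["utc_time"], "%Y-%m-%d %H:%M:%S.%f")
    return event


def summarize_attempts(lines):
    """Group credential attempts: {(src_host, dst_port): [(utc_time, username, password), ...]}.

    Startup messages (dst_port -1, empty src_host) and plain GETs are skipped because
    they carry no credentials.
    """
    attempts = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = parse_event(line)
        if event["logtype"] not in CREDENTIAL_EVENTS:
            continue
        logdata = event["logdata"]
        key = (event["src_host"], event["dst_port"])
        attempts[key].append((event["utc_time"], logdata.get("USERNAME"), logdata.get("PASSWORD")))
    return dict(attempts)


def credentials_tried(attempts, key):
    """Distinct (username, password) pairs one source tried against one port, sorted."""
    return sorted({(user, password) for _, user, password in attempts.get(key, [])})


def find_bruteforce(attempts, threshold=3, window=timedelta(minutes=5)):
    """Return {(src_host, dst_port): n} for every pair with at least `threshold` attempts
    inside some sliding window of length `window`; n is the largest such count."""
    flagged = {}
    for key, events in attempts.items():
        times = sorted(t for t, _, _ in events)
        start = 0
        for end, t_end in enumerate(times):
            while t_end - times[start] > window:   # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged


# Constructed sample log, modelled on the entries shown in the post (not a real capture).
SAMPLE_LOG = """\
{"dst_host": "", "dst_port": -1, "logdata": {"msg": {"logdata": "Canary running!!!"}}, "logtype": 1001, "node_id": "opencanary_device01", "src_host": "", "src_port": -1, "utc_time": "2021-04-22 08:24:33.054037"}
{"dst_host": "172.17.0.2", "dst_port": 80, "logdata": {"HOSTNAME": "localhost", "PATH": "/index.html", "SKIN": "nasLogin", "USERAGENT": "Mozilla/5.0"}, "logtype": 3000, "node_id": "opencanary_device01", "src_host": "172.17.0.1", "src_port": 55736, "utc_time": "2021-04-22 08:33:59.434633"}
{"dst_host": "172.17.0.2", "dst_port": 80, "logdata": {"HOSTNAME": "localhost", "PASSWORD": "admin1", "PATH": "/index.html", "SKIN": "nasLogin", "USERNAME": "admin"}, "logtype": 3001, "node_id": "opencanary_device01", "src_host": "172.17.0.1", "src_port": 55752, "utc_time": "2021-04-22 08:35:34.959754"}
{"dst_host": "172.17.0.2", "dst_port": 80, "logdata": {"HOSTNAME": "localhost", "PASSWORD": "admin", "PATH": "/index.html", "SKIN": "nasLogin", "USERNAME": "admin"}, "logtype": 3001, "node_id": "opencanary_device01", "src_host": "172.17.0.1", "src_port": 55772, "utc_time": "2021-04-22 08:35:40.035860"}
{"dst_host": "172.17.0.2", "dst_port": 21, "logdata": {"PASSWORD": "admin1", "USERNAME": "admin"}, "logtype": 2000, "node_id": "opencanary_device01", "src_host": "172.17.0.1", "src_port": 57076, "utc_time": "2021-04-22 08:52:34.745964"}
{"dst_host": "172.17.0.2", "dst_port": 21, "logdata": {"PASSWORD": "admin1", "USERNAME": "admin"}, "logtype": 2000, "node_id": "opencanary_device01", "src_host": "172.17.0.1", "src_port": 57086, "utc_time": "2021-04-22 08:53:02.559741"}
{"dst_host": "172.17.0.2", "dst_port": 21, "logdata": {"PASSWORD": "admin", "USERNAME": "admin"}, "logtype": 2000, "node_id": "opencanary_device01", "src_host": "172.17.0.1", "src_port": 57090, "utc_time": "2021-04-22 08:53:04.350363"}
{"dst_host": "172.17.0.2", "dst_port": 21, "logdata": {"PASSWORD": "anonymous", "USERNAME": "ftp"}, "logtype": 2000, "node_id": "opencanary_device01", "src_host": "10.0.0.9", "src_port": 41002, "utc_time": "2021-04-22 09:10:00.000001"}
"""

if __name__ == "__main__":
    attempts = summarize_attempts(SAMPLE_LOG.splitlines())
    for key, n in find_bruteforce(attempts, threshold=3).items():
        src, port = key
        print(f"ALERT {src} -> port {port}: {n} attempts, tried {credentials_tried(attempts, key)}")
```

Pointing `summarize_attempts` at `open("/var/tmp/opencanary.log")` instead of the sample gives the same summary for a live canary; since every hit on a canary is by definition unexpected, the threshold only ranks the noise, it does not decide whether to alert.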

Reading the source

modules

Most of the modules are built on the Twisted framework and reuse the server code that ships with Twisted.

ssh

Uses the code from kippo/ssh.py. The main difference is in the HoneyPotAvatar class, where the code that opens a shell and executes commands has been removed.

For a high-interaction SSH honeypot, see cowrie/cowrie: Cowrie SSH/Telnet Honeypot

ftp

LoggingFTP reuses almost all of Twisted's FTP implementation and only overrides ftp_PASS.

A diff against Twisted shows the only difference is

logdata = {'USERNAME': self._user, 'PASSWORD': password}
self.factory.canaryservice.log(logdata, transport=self.transport)

This passes the username and password to canaryservice.log in __init__.py, which adds the source and destination addresses and ports.

CanaryFTP: sets the banner, port and listen address, then builds the service. If the second argument to Portal were changed to a realm that lets the login succeed, this could presumably be extended into a higher-interaction honeypot, but faking the file-system interaction is another big can of worms 0.0

http

BasicLogin records login information from GET and POST requests and renders the login page.

Call flow: CanaryHTTP is initialized; it first reads the HTTP skin, port and banner from .opencanary.conf, then sets the default redirect to index.html. The home page is index.html.

Adding a custom HTTP skin

HTTP skins live under opencanary/modules/data/http/skin; each skin directory contains 403.html, 404.html and index.html.

After placing the files, in the http section of opencanary.conf

    "http.banner": "Apache/2.2.22 (Ubuntu)",
    "http.enabled": true,
    "http.port": 80,
    "http.skin": "nasLogin",
    "http.skin.list": [
        {
            "desc": "Plain HTML Login",
            "name": "basicLogin"
        },
        {
            "desc": "Synology NAS Login",
            "name": "nasLogin"
        }
    ],

add a desc and name entry for the new skin to http.skin.list, and set http.skin to the skin you want served.
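Three things have to agree for a custom skin to work: the directory with its three template files, the entry in http.skin.list, and the value of http.skin. As an added check (not part of the original post or of OpenCanary), the function below cross-validates a parsed opencanary.conf against a listing of the skin directory and reports what is missing. The config fragment and the directory listings are constructed; the skin name myRouter and its description are made up for the demonstration.

```python
import json
import os

# Files the post says every skin directory under opencanary/modules/data/http/skin provides.
REQUIRED_SKIN_FILES = {"403.html", "404.html", "index.html"}


def check_http_skin(conf, skin_files):
    """Cross-check the http.skin settings of a parsed opencanary.conf.

    conf:       dict produced by json.loads() on opencanary.conf
    skin_files: {skin_name: set of file names found in that skin's directory}
    Returns a list of human-readable problems; an empty list means the config is consistent.
    """
    problems = []
    listed = [entry.get("name") for entry in conf.get("http.skin.list", [])]
    selected = conf.get("http.skin")
    if selected not in listed:
        problems.append(f"http.skin is {selected!r} but http.skin.list only has {listed}")
    for name in listed:
        if name not in skin_files:
            problems.append(f"skin {name!r} is listed but has no directory")
            continue
        missing = REQUIRED_SKIN_FILES - skin_files[name]
        if missing:
            problems.append(f"skin {name!r} is missing {sorted(missing)}")
    return problems


def skin_files_from_dir(skin_root):
    """Build the {skin_name: files} mapping from a real skin directory tree on disk."""
    return {
        name: set(os.listdir(os.path.join(skin_root, name)))
        for name in os.listdir(skin_root)
        if os.path.isdir(os.path.join(skin_root, name))
    }


# Constructed config fragment: the two stock skins plus a new, made-up skin 'myRouter'.
SAMPLE_CONF = json.loads("""
{
    "http.banner": "Apache/2.2.22 (Ubuntu)",
    "http.enabled": true,
    "http.port": 80,
    "http.skin": "myRouter",
    "http.skin.list": [
        {"desc": "Plain HTML Login", "name": "basicLogin"},
        {"desc": "Synology NAS Login", "name": "nasLogin"},
        {"desc": "Generic router login", "name": "myRouter"}
    ]
}
""")

# Constructed directory listings: the new skin was copied over without its 403 page.
SKIN_FILES_BROKEN = {
    "basicLogin": {"403.html", "404.html", "index.html"},
    "nasLogin": {"403.html", "404.html", "index.html"},
    "myRouter": {"404.html", "index.html"},
}
SKIN_FILES_FIXED = {**SKIN_FILES_BROKEN, "myRouter": {"403.html", "404.html", "index.html"}}

if __name__ == "__main__":
    for label, files in (("broken", SKIN_FILES_BROKEN), ("fixed", SKIN_FILES_FIXED)):
        print(label, check_http_skin(SAMPLE_CONF, files) or "OK")
```

Against a real checkout, `check_http_skin(json.load(open("opencanary.conf")), skin_files_from_dir("opencanary/modules/data/http/skin"))` runs the same check before the canary is restarted.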

httpproxy

PROFILES sets up ms-isa and squid by default

ToDo

init

ToDo

Config

__init__: reads the configuration file from three locations

moduleEnabled: checks whether a module is enabled

getVal: reads a single configuration value

setValues: applies all valid values and returns the errors

…

honeycred

Todo: work out what honeycreds is for

buildHoneyCredHook: builds a hook that validates honeypot credentials (?)

iphelper

Converts and validates IP addresses

logger

LoggerBase: defines the log event types and the standard log output format

PyLogger: inherits from LoggerBase and configures the logging tool. Implementation: uses logging, Python's standard logging module

SocketJSONHandler: sends JSON messages over TCP. Implementation: uses logging.handlers

HpfeedsHandler: sends events over hpfeeds (hpfeeds/hpfeeds: Honeynet Project generic authenticated datafeed protocol)

SlackHandler: my guess is that it sends messages to Slack, an office chat tool similar to DingTalk

TeamsHandler: sends alerts to Microsoft Teams
