#!/usr/bin/env python
# Copyright (c) 2015 Miroslav Stampar (@stamparm)
# See the file 'LICENSE' for copying permission
import fcntl
import hashlib
import os
import posixpath
import re
import shutil
import signal
import socket
import SocketServer
import stat
import subprocess
import sys
import threading
import time
import urllib
import urlparse
# do not leave .pyc files next to the script (or the thirdparty package imported below)
sys.dont_write_bytecode = True
from thirdparty.telnetsrv.threaded import TelnetHandler, command
# --- login -------------------------------------------------------------------
# Credentials the honeypot accepts; None for either one skips that prompt
# (see HoneyTelnetHandler.authNeedUser / authNeedPass).
AUTH_USERNAME = "root"
AUTH_PASSWORD = "123456"
MAX_AUTH_ATTEMPTS = 3

# --- banners -----------------------------------------------------------------
TELNET_ISSUE = "\nTELNET session now in ESTABLISHED state\n"
WELCOME = None
BUSYBOX_FAKE_BANNER = "BusyBox v1.18.4 (2012-04-17 18:58:31 CST)"

# --- disguise ----------------------------------------------------------------
# Real host name and the fake identity shown to clients; REPLACEMENTS maps
# real substrings to fake ones and is populated by main().
HOSTNAME = socket.gethostname()
FAKE_HOSTNAME = "prodigy"
FAKE_ARCHITECTURE = "MIPS"
REPLACEMENTS = {}

# --- logging and sample storage ---------------------------------------------
# Both paths are derived from the script's own base name (text before the first '.').
LOG_PATH = "/var/log/%s.log" % os.path.split(__file__)[-1].split('.')[0]
SAMPLES_DIR = "/var/log/%s/" % os.path.split(__file__)[-1].split('.')[0]
LOG_FILE_PERMISSIONS = stat.S_IREAD | stat.S_IWRITE | stat.S_IRGRP | stat.S_IROTH  # 0644
LOG_HANDLE_FLAGS = os.O_APPEND | os.O_CREAT | os.O_WRONLY
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
THREAD_DATA = threading.local()  # per-thread log handle cache

# --- runtime -----------------------------------------------------------------
READ_SIZE = 1024  # bytes per os.read() when draining the shell's stdout
CHECK_CHROOT = False
USE_BUSYBOX = True
LISTEN_ADDRESS = "0.0.0.0"
LISTEN_PORT = 23
RUN_ATTACKERS_COMMANDS = True  # set to False to prevent execution of attacker's commands
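class HoneyTelnetHandler(TelnetHandler):
    """Telnet session handler that fronts a real shell for the honeypot.

    Per session: the TELNET_ISSUE banner, a login with MAX_AUTH_ATTEMPTS tries
    (credentials are logged), then a command loop. Each command line is logged
    and, when RUN_ATTACKERS_COMMANDS is True, written verbatim to a real shell
    subprocess (SHELL, chosen by main()); whatever the shell prints is relayed
    back with REPLACEMENTS applied so the box looks like FAKE_HOSTNAME on
    FAKE_ARCHITECTURE. Any wget/curl URL seen in a command is downloaded and
    kept in SAMPLES_DIR.

    Because attacker input reaches a real shell, this handler is meant to run
    only inside the isolated chroot environment that main()'s CHECK_CHROOT
    guard checks for.
    """

    # copied from the module-level WELCOME at class-definition time (None);
    # main() overrides it on the class once the busybox banner is known
    WELCOME = WELCOME
    PROMPT = "# "
    PROMPT_USER = "%s login: " % HOSTNAME
    PROMPT_PASS = "Password: "
    authNeedUser = AUTH_USERNAME is not None
    authNeedPass = AUTH_PASSWORD is not None
    process = None  # subprocess.Popen of the backing shell, set by session_start()

    def write(self, text):
        """Send text to the client after rewriting every REPLACEMENTS key to its fake value."""
        for real, fake in REPLACEMENTS.items():
            text = text.replace(real, fake)
        TelnetHandler.write(self, text)

    def _readline_echo(self, char, echo):
        """Echo one input chunk; on the ^C abort sequence forward SIGINT to the shell's process group."""
        if "^C ABORT" in char:
            char = "^C\n"
            if self.process:
                try:
                    os.killpg(self.process.pid, signal.SIGINT)
                except OSError:
                    pass  # shell already gone; the session loop notices via poll()
        if self._readline_do_echo(echo):
            self.write(char)

    def _log(self, logtype, msg=None):
        """Append one '[time] [ip:port] TYPE: msg' line to this thread's log handle.

        msg is attacker-controlled for AUTH/CMD/SAMPLE entries, so CR/LF are
        escaped to keep one log line per event (no forged entries).
        """
        timestamp = time.strftime(TIME_FORMAT, time.localtime(time.time()))
        suffix = ""
        if msg is not None:
            suffix = ": %s" % ("%s" % msg).replace("\r", "\\r").replace("\n", "\\n")
        line = "[%s] [%s:%s] %s%s\n" % (timestamp, self.client_address[0], self.client_address[1], logtype, suffix)
        os.write(self._getLogHandle(), line)

    def _getLogHandle(self):
        """Return an append-mode fd for LOG_PATH, opened once per thread and cached in THREAD_DATA."""
        if LOG_PATH != getattr(THREAD_DATA, "logPath", None):
            if not os.path.exists(LOG_PATH):
                # create the file first so the permissions can be fixed before anything is written
                open(LOG_PATH, "w+").close()
                os.chmod(LOG_PATH, LOG_FILE_PERMISSIONS)
            THREAD_DATA.logPath = LOG_PATH
            THREAD_DATA.logHandle = os.open(THREAD_DATA.logPath, LOG_HANDLE_FLAGS)
        return THREAD_DATA.logHandle

    def _retrieve_url(self, url, filename=None):
        """Download url (attacker-supplied) into filename, or a temp file when None.

        Returns the local path, or None when the download fails for any reason.
        Note that urllib.urlretrieve sets no timeout here, so a slow remote
        server stalls this session's thread.
        """
        try:
            filename, _ = urllib.urlretrieve(url, filename)
        except Exception:
            filename = None
        return filename

    def _md5(self, filename):
        """Return the hex MD5 digest of the file at filename, read in 4 KiB chunks."""
        digest = hashlib.md5()
        with open(filename, "rb") as f:
            for chunk in iter(lambda: f.read(4096), b""):
                digest.update(chunk)
        return digest.hexdigest()

    def _processRead(self):
        """Drain the shell's non-blocking stdout and return it, with SHELL's 'line N: ' prefixes removed.

        Stops at EAGAIN (nothing more buffered), at EOF on the pipe, or when
        the shell has exited.
        """
        line_prefix = re.compile(r"%s: line \d+: " % re.escape(SHELL))
        chunks = []
        while self.process.poll() is None:
            try:
                buf = os.read(self.process.stdout.fileno(), READ_SIZE)
            except OSError:
                break  # EAGAIN on the O_NONBLOCK pipe: no more output right now
            if not buf:
                break  # EOF: the pipe is closed, nothing more will arrive
            chunks.append(line_prefix.sub("", buf))
        return "".join(chunks)

    def handleException(self, exc_type, exc_param, exc_tb):
        """Always return False (no custom exception handling in this handler)."""
        return False

    def session_start(self):
        """Log the session start and spawn the backing shell with a non-blocking stdout pipe."""
        self._log("SESSION_START")
        # setsid puts the shell in its own session/process group, so killpg()
        # later reaches the shell and everything it spawned
        self.process = subprocess.Popen(SHELL, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, preexec_fn=os.setsid)
        flags = fcntl.fcntl(self.process.stdout, fcntl.F_GETFL)
        fcntl.fcntl(self.process.stdout, fcntl.F_SETFL, flags | os.O_NONBLOCK)

    def session_end(self):
        """Log the session end, kill the backing shell's process group and close the socket.

        The shell is terminated here so a client that disconnects mid-session
        does not leave a shell (and anything it started) running behind.
        """
        self._log("SESSION_END")
        if self.process is not None and self.process.poll() is None:
            try:
                # SIGKILL to the whole group: children may ignore SIGTERM
                os.killpg(self.process.pid, signal.SIGKILL)
                self.process.wait()  # reap, so no zombie is left per session
            except OSError:
                pass  # exited between poll() and the kill
        # Reference: https://github.com/ianepperson/telnetsrvlib/blob/master/telnetsrv/telnetsrvlib.py#L534-L546
        # https://stackoverflow.com/a/598759
        self.sock.close()

    def handle(self):
        """Run one telnet session: issue banner, login, welcome, then the command loop until the shell or session ends."""
        if TELNET_ISSUE:
            self.writeline(TELNET_ISSUE)

        authenticated = False
        for _ in xrange(MAX_AUTH_ATTEMPTS):
            authenticated = self.authentication_ok()
            if authenticated:
                break
        if not authenticated:
            return

        if self.DOECHO and self.WELCOME:
            self.writeline(self.WELCOME)

        self.session_start()
        while self.RUNSHELL and self.process.poll() is None:
            line = self.input_reader(self, self.readline(prompt=self.PROMPT).strip())
            raw = line.raw
            self._log("CMD", raw)

            if line.cmd in ("QUIT",):
                try:
                    self.COMMANDS[line.cmd](line.params)
                    continue
                except Exception:
                    pass  # no such built-in: let the real shell see the line instead

            self._capture_sample(raw)
            self._run_in_shell(raw)

    def _capture_sample(self, raw):
        """If raw looks like a wget/curl fetch, download the URL and keep it as SAMPLES_DIR/<basename>_<md5>.

        Best effort: any failure is swallowed so sample capture never breaks the
        session. Only the basename of the URL path is used in the destination
        name, so the attacker cannot steer where the sample is written.
        """
        try:
            match = re.search(r"(?i)(wget|curl).+(http[^ >;\"']+)", raw)
            if not match:
                return
            url = match.group(2)
            original = posixpath.split(urlparse.urlsplit(url).path)[-1]
            filename = self._retrieve_url(url)
            if filename:
                destination = os.path.join(SAMPLES_DIR, "%s_%s" % (original, self._md5(filename)))
                shutil.move(filename, destination)
                self._log("SAMPLE", destination)
        except Exception:
            pass

    def _run_in_shell(self, raw):
        """Feed one line to the backing shell (an empty line when RUN_ATTACKERS_COMMANDS is off) and relay its output.

        A write failure (e.g. the shell has exited) propagates to the caller.
        """
        try:
            if RUN_ATTACKERS_COMMANDS:
                self.process.stdin.write(raw.strip() + "\n")
            else:
                self.process.stdin.write("\n")
        finally:
            # give the shell a moment to produce output before draining its stdout
            time.sleep(0.1)
            self.write(self._processRead())

    def authCallback(self, username, password):
        """Log the offered credentials and raise unless they match AUTH_USERNAME/AUTH_PASSWORD."""
        if username is not None and password is not None:
            self._log("AUTH", "%s:%s" % (username, password))
        if not (username == AUTH_USERNAME and password == AUTH_PASSWORD):
            raise Exception("[x] wrong credentials ('%s':'%s')" % (username, password))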
class TelnetServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
    """Threaded TCP server: each accepted connection is handled in its own thread."""
    # SO_REUSEADDR on the listening socket, so a restart is not blocked by TIME_WAIT
    allow_reuse_address = True
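def _inside_chroot():
    """Heuristic chroot check: on a normal root filesystem '/' has inode 2, anything else suggests a chroot.

    Returns False when '/' cannot be stat'ed, which the caller treats as "not chrooted".
    """
    try:
        return os.stat("/").st_ino != 2
    except OSError:
        return False


def main():
    """Build the disguise map, pick the backing shell, prepare SAMPLES_DIR and serve telnet until interrupted.

    Exits with a message when CHECK_CHROOT is on and the process is not
    chrooted, when busybox is required but missing, when SAMPLES_DIR cannot be
    created, or when binding LISTEN_ADDRESS:LISTEN_PORT is not permitted.
    """
    global SHELL

    # output rewrites that hide the real host: hostname, distro and CPU architecture
    REPLACEMENTS[HOSTNAME] = FAKE_HOSTNAME
    REPLACEMENTS["Ubuntu"] = "Debian"
    for arch in ("i386", "i686", "x86_64 x86_64 x86_64", "x86_64 x86_64", "x86_64", "amd64"):
        REPLACEMENTS[arch] = FAKE_ARCHITECTURE

    if CHECK_CHROOT and not _inside_chroot():
        sys.exit("[!] run inside the chroot environment")

    if USE_BUSYBOX:
        SHELL = "/bin/busybox sh"
        try:
            first_line = subprocess.check_output("/bin/busybox").split("\n")[0]
        except OSError:
            sys.exit("[!] please install busybox (e.g. 'apt-get install busybox')")
        match = re.search(r".+\)", first_line)
        if match:
            real_banner = match.group(0)
            # replace the real banner both with and without its parenthesised build info
            REPLACEMENTS[real_banner] = BUSYBOX_FAKE_BANNER
            REPLACEMENTS[re.sub(r" \(.+\)", "", real_banner)] = re.sub(r" \(.+\)", "", BUSYBOX_FAKE_BANNER)
            # set on the handler class: the module-level WELCOME was copied into
            # HoneyTelnetHandler.WELCOME at class-definition time, so assigning a
            # local here would never reach the session
            HoneyTelnetHandler.WELCOME = "\n%s built-in shell (ash)\nEnter 'help' for a list of built-in commands.\n" % real_banner
    else:
        SHELL = "/bin/bash"

    if not os.path.isdir(SAMPLES_DIR):
        try:
            os.mkdir(SAMPLES_DIR)
        except OSError:
            sys.exit("[!] unable to create sample directory '%s'" % SAMPLES_DIR)

    try:
        server = TelnetServer((LISTEN_ADDRESS, LISTEN_PORT), HoneyTelnetHandler)
    except socket.error as ex:
        if "Permission denied" in str(ex):
            sys.exit("[!] not enough permissions to listen on '%s:%s'" % (LISTEN_ADDRESS, LISTEN_PORT))
        raise

    try:
        server.serve_forever()
    except KeyboardInterrupt:
        os._exit(1)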
# script entry point; importing the module only defines the handler/server classes
if __name__ == "__main__":
    main()