![Cowrie Error Report (1)](https://hackmd.io/_uploads/rk-jPNOxJg.svg)

[toc]

# Class 5 Deception - `Cowrie` error

This is regarding the error shown when doing the exercise referred to on `Page Number 25` of the [`Official Class Doc`](https://docs.google.com/document/d/1cmrJVFO8KkT5TgSxJwDhTRbXVbXUUUiwgMChY8Lurec/edit?tab=t.0#heading=h.fz0khu42co6i).

Note: this is for MOOC students attempting the exercise in the Docker container.

# Encountering the error

When executing the following line

```sh=
bin/cowrie start
```

the following is dumped to the terminal

:::spoiler Click to see dump :point_left:
```ml=
(cowrie-env) cowrie@hackerlab:~/cowrie$ bin/cowrie start
Join the Cowrie community at: https://www.cowrie.org/slack/
Using activated Python virtual environment "/home/cowrie/cowrie/cowrie-env"
Starting cowrie: [twistd --umask=0022 --pidfile=var/run/cowrie.pid --logger cowrie.python.logfile.logger cowrie ]...
/home/cowrie/cowrie/cowrie-env/lib/python3.11/site-packages/twisted/conch/ssh/transport.py:105: CryptographyDeprecationWarning: TripleDES has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES and will be removed from this module in 48.0.0.
  b"3des-cbc": (algorithms.TripleDES, 24, modes.CBC),
/home/cowrie/cowrie/cowrie-env/lib/python3.11/site-packages/twisted/conch/ssh/transport.py:106: CryptographyDeprecationWarning: Blowfish has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.Blowfish and will be removed from this module in 45.0.0.
  b"blowfish-cbc": (algorithms.Blowfish, 16, modes.CBC),
/home/cowrie/cowrie/cowrie-env/lib/python3.11/site-packages/twisted/conch/ssh/transport.py:110: CryptographyDeprecationWarning: CAST5 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.CAST5 and will be removed from this module in 45.0.0.
  b"cast128-cbc": (algorithms.CAST5, 16, modes.CBC),
/home/cowrie/cowrie/cowrie-env/lib/python3.11/site-packages/twisted/conch/ssh/transport.py:114: CryptographyDeprecationWarning: TripleDES has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES and will be removed from this module in 48.0.0.
  b"3des-ctr": (algorithms.TripleDES, 24, modes.CTR),
/home/cowrie/cowrie/cowrie-env/lib/python3.11/site-packages/twisted/conch/ssh/transport.py:115: CryptographyDeprecationWarning: Blowfish has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.Blowfish and will be removed from this module in 45.0.0.
  b"blowfish-ctr": (algorithms.Blowfish, 16, modes.CTR),
/home/cowrie/cowrie/cowrie-env/lib/python3.11/site-packages/twisted/conch/ssh/transport.py:116: CryptographyDeprecationWarning: CAST5 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.CAST5 and will be removed from this module in 45.0.0.
  b"cast128-ctr": (algorithms.CAST5, 16, modes.CTR),
```
:::

:::info
These are `CryptographyDeprecationWarning`s, not errors. Twisted's `conch` SSH module still registers the legacy `3des`, `blowfish` and `cast128` ciphers, and newer releases of the `cryptography` package have moved those algorithms into a `decrepit` module, so the combination of package versions in the virtual environment produces these warnings. They do not indicate that the command has failed. `bin/cowrie start` hands over to `twistd`, which detaches from the terminal, so there is no further output either way: a clean start and a failed one look the same at the prompt. Whether it is actually running has to be confirmed with the subsequent commands from the document (or with `bin/cowrie status`).
:::

## Confirming that it's running

As stated in the document.

### With `netstat`

```sh=
(cowrie-env) cowrie@hackerlab:~/cowrie$ netstat -anp
```

```sh=
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.11:35671        0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      274/python3
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
udp        0      0 127.0.0.11:42457        0.0.0.0:*                           -
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  4      [ ]         DGRAM      CONNECTED     137325   -                    /dev/log
unix  2      [ ]         DGRAM      CONNECTED     401644   -
unix  2      [ ]         DGRAM      CONNECTED     137470   -
```

- `L6` - This line shows that a process `274/python3` is listening on TCP port `2222`, Cowrie's default SSH port. **This is Cowrie.** Port `22` is the container's real `sshd`; it shows `-` instead of a PID because it belongs to root and `netstat` was run as `cowrie`.

### With `ps`

```shell=
(cowrie-env) cowrie@hackerlab:~/cowrie$ ps afx
```

```shell=
  PID TTY      STAT   TIME COMMAND
   19 pts/0    Ss     0:00 bash
  216 pts/0    S      0:00  \_ su - cowrie
  217 pts/0    S      0:00      \_ -bash
  283 pts/0    R+     0:00          \_ ps afx
    1 ?        Ss     0:00 /bin/bash /root/.start-container.sh
    8 ?        Ssl    0:00 rsyslogd
   10 ?        S      0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
  274 ?        S      0:00 /home/cowrie/cowrie/cowrie-env/bin/python3 /home/cowrie/cowrie/cowrie-env/bin/twistd --umask=0022 --pidfile=va
```

- `L9` - PID `274` is the `twistd` daemon that `bin/cowrie start` launched from the `cowrie-env` virtual environment, and it is the same PID that `netstat` showed listening on `2222`. This confirms that `cowrie` is indeed running. Its `TTY` is `?` because `twistd` detached from the terminal, which is also why `bin/cowrie start` printed nothing after the warnings.

# Playing with `cowrie`

Now when we follow the rest of the document, it is indeed running: an SSH connection to port `2222` on localhost lands in the honeypot. The host key fingerprint shown below is the one Cowrie generated on its first start (see the `Generating new ... keypair` lines in the log further down), not the container's real `sshd` key.

```shell=
(cowrie-env) cowrie@hackerlab:~/cowrie$ ssh root@127.0.0.1 -p 2222
The authenticity of host '[127.0.0.1]:2222 ([127.0.0.1]:2222)' can't be established.
ED25519 key fingerprint is SHA256:9haX0N98kMNCA0fPQpUHrUsSGPiwswdlpVrnlLVGjnc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[127.0.0.1]:2222' (ED25519) to the list of known hosts.
root@127.0.0.1's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@svr04:~# ls -al
drwx------ 1 root root 4096 2013-04-05 12:25 .
drwxr-xr-x 1 root root 4096 2013-04-05 12:03 ..
drwx------ 1 root root 4096 2013-04-05 11:58 .aptitude
-rw-r--r-- 1 root root  570 2013-04-05 11:52 .bashrc
-rw-r--r-- 1 root root  140 2013-04-05 11:52 .profile
drwx------ 1 root root 4096 2013-04-05 12:05 .ssh
root@svr04:~# uname -an
Linux svr04 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u1 x86_64 GNU/Linux
root@svr04:~#
```

- The output above shows that we have successfully logged in to the honeypot. The `root@svr04` prompt, the 2013 file timestamps and the Debian 7 kernel string from `uname` all come from Cowrie's emulated filesystem and configuration, not from the `hackerlab` container, and the password prompt accepted an empty password for `root`.

## Testing the captured session

Now examining the logs

```shell=
cowrie@hackerlab:~/cowrie/var/log/cowrie$ cat cowrie.log
2024-10-24T20:37:54.526095Z [-] Python Version 3.11.2 (main, Aug 26 2024, 07:20:54) [GCC 12.2.0]
2024-10-24T20:37:54.526134Z [-] Twisted Version 24.7.0
2024-10-24T20:37:54.526148Z [-] Cowrie Version 2.5.0
2024-10-24T20:37:54.528332Z [-] Loaded output engine: jsonlog
2024-10-24T20:37:54.529349Z [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 24.7.0 (/home/cowrie/cowrie/cowrie-env/bin/python3 3.11.2) starting up.
2024-10-24T20:37:54.529449Z [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
2024-10-24T20:37:54.534026Z [-] CowrieSSHFactory starting on 2222
2024-10-24T20:37:54.534470Z [cowrie.ssh.factory.CowrieSSHFactory#info] Starting factory <cowrie.ssh.factory.CowrieSSHFactory object at 0x7a3255fd1410>
2024-10-24T20:37:54.534862Z [-] Generating new RSA keypair...
2024-10-24T20:37:54.643477Z [-] Generating new ECDSA keypair...
2024-10-24T20:37:54.644631Z [-] Generating new ed25519 keypair...
2024-10-24T20:37:54.650708Z [-] Ready to accept SSH connections
2024-10-24T20:50:49.482472Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: 127.0.0.1:50200 (127.0.0.1:2222) [session: cab38be1a07e]
2024-10-24T20:50:49.483153Z [HoneyPotSSHTransport,0,127.0.0.1] Remote SSH version: SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3
2024-10-24T20:50:49.484043Z [HoneyPotSSHTransport,0,127.0.0.1] SSH client hassh fingerprint: aae6b9604f6f3356543709a376d7f657
2024-10-24T20:50:49.485155Z [cowrie.ssh.transport.HoneyPotSSHTransport#debug] kex alg=b'curve25519-sha256' key alg=b'ssh-ed25519'
2024-10-24T20:50:49.485271Z [cowrie.ssh.transport.HoneyPotSSHTransport#debug] outgoing: b'aes128-ctr' b'hmac-sha2-256' b'none'
2024-10-24T20:50:49.485338Z [cowrie.ssh.transport.HoneyPotSSHTransport#debug] incoming: b'aes128-ctr' b'hmac-sha2-256' b'none'
2024-10-24T20:50:51.522744Z [cowrie.ssh.transport.HoneyPotSSHTransport#debug] NEW KEYS
2024-10-24T20:50:51.523265Z [cowrie.ssh.transport.HoneyPotSSHTransport#debug] starting service b'ssh-userauth'
2024-10-24T20:50:51.523742Z [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] b'root' trying auth b'none'
2024-10-24T20:50:52.350286Z [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] b'root' trying auth b'password'
2024-10-24T20:50:52.350657Z [HoneyPotSSHTransport,0,127.0.0.1] Could not read etc/userdb.txt, default database activated
2024-10-24T20:50:52.350955Z [HoneyPotSSHTransport,0,127.0.0.1] login attempt [b'root'/b''] succeeded
2024-10-24T20:50:52.351593Z [HoneyPotSSHTransport,0,127.0.0.1] Initialized emulated server as architecture: linux-x64-lsb
2024-10-24T20:50:52.352318Z [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] b'root' authenticated with b'password'
2024-10-24T20:50:52.352491Z [cowrie.ssh.transport.HoneyPotSSHTransport#debug] starting service b'ssh-connection'
2024-10-24T20:50:52.352867Z [cowrie.ssh.connection.CowrieSSHConnection#debug] got channel b'session' request
2024-10-24T20:50:52.353022Z [cowrie.ssh.session.HoneyPotSSHSession#info] channel open
2024-10-24T20:50:52.353121Z [cowrie.ssh.connection.CowrieSSHConnection#debug] got global b'no-more-sessions@openssh.com' request
2024-10-24T20:50:52.371921Z [twisted.conch.ssh.session#info] Handling pty request: b'xterm-256color' (23, 139, 0, 0)
2024-10-24T20:50:52.372037Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,0,127.0.0.1] Terminal Size: 139 23
2024-10-24T20:50:52.372481Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,0,127.0.0.1] request_env: LANG=en_US.UTF-8
2024-10-24T20:50:52.373112Z [twisted.conch.ssh.session#info] Getting shell
2024-10-24T20:50:54.466985Z [HoneyPotSSHTransport,0,127.0.0.1] CMD: ls -al
2024-10-24T20:50:54.467700Z [HoneyPotSSHTransport,0,127.0.0.1] Command found: ls -al
2024-10-24T20:51:20.677589Z [HoneyPotSSHTransport,0,127.0.0.1] CMD: uname -an
2024-10-24T20:51:20.678192Z [HoneyPotSSHTransport,0,127.0.0.1] Command found: uname -an
2024-10-24T20:52:07.319132Z [HoneyPotSSHTransport,0,127.0.0.1] CMD: ls
2024-10-24T20:52:07.319724Z [HoneyPotSSHTransport,0,127.0.0.1] Command found: ls
2024-10-24T20:52:41.746182Z [HoneyPotSSHTransport,0,127.0.0.1] CMD: echo "Session Capture..." > sesh.txt
2024-10-24T20:52:41.747249Z [HoneyPotSSHTransport,0,127.0.0.1] Command found: echo Session Capture... > sesh.txt
2024-10-24T20:52:46.453758Z [HoneyPotSSHTransport,0,127.0.0.1] CMD: cat sesh.txt
2024-10-24T20:52:46.454643Z [HoneyPotSSHTransport,0,127.0.0.1] Command found: cat sesh.txt
```

- `L14` - A new connection from `127.0.0.1:50200` is assigned the session id `cab38be1a07e`; `L15`-`L16` record the client's SSH banner and its HASSH fingerprint, which is how the tooling of real attackers can be identified later.
- `L22`-`L27` - Authentication: `root` tries `none`, then `password`. `L24` shows that `etc/userdb.txt` was not present, so Cowrie fell back to its built-in default credential rules, and `L25` shows that `root` with an empty password was accepted.
- `L32`-`L35` - The client requests a pty and a shell: the honeypot session has started.
- `L36`-`L45` - My activity: every command typed in the fake shell is logged as a `CMD:` line, followed by a `Command found:` line once Cowrie resolves it to one of its emulated commands.
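Reading the log by hand works for one session, but a Cowrie deployment exposed to the internet produces thousands of them. The script below is added here as an example (it is not code from the original note or from the Cowrie project): it parses the plain-text `cowrie.log` format shown above into one record per session with the client address and session id, the client banner and HASSH fingerprint, every login attempt, every `CMD:` line, and a warning when a login was accepted under the built-in default credential rules (the `Could not read etc/userdb.txt` line). The embedded sample log is constructed from the lines on this page. One assumption is made: only the `New connection` line carries the session id, so the first `HoneyPotSSHTransport,<n>,<ip>` line is bound to the oldest not-yet-bound `New connection` from the same source IP, which holds for this single-session log.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The two line shapes that carry session structure. Startup lines ("[-] ...")
# and "#debug" lines are ignored.
NEW_CONN = re.compile(
    r"^(?P<ts>\S+) \[cowrie\.ssh\.factory\.CowrieSSHFactory\] New connection: "
    r"(?P<src>[\d.]+):(?P<sport>\d+) \([\d.]+:\d+\) \[session: (?P<sid>[0-9a-f]+)\]$"
)
TRANSPORT = re.compile(
    r"^(?P<ts>\S+) \[HoneyPotSSHTransport,(?P<idx>\d+),(?P<ip>[\d.]+)\] (?P<msg>.*)$"
)
LOGIN = re.compile(
    r"^login attempt \[b'(?P<user>[^']*)'/b'(?P<pw>[^']*)'\] (?P<result>succeeded|failed)$"
)
DEFAULT_DB = "Could not read etc/userdb.txt, default database activated"


@dataclass
class Session:
    session_id: str
    src_ip: str
    src_port: int
    started: str
    client_version: str = ""
    hassh: str = ""
    default_userdb: bool = False  # Cowrie used built-in credentials, not etc/userdb.txt
    logins: list[tuple[str, str, str]] = field(default_factory=list)  # (user, pw, result)
    commands: list[str] = field(default_factory=list)
    unknown_commands: list[str] = field(default_factory=list)


def parse_cowrie_log(text: str) -> list[Session]:
    """Group cowrie.log lines into Session objects.

    Assumption: the factory's "New connection" line is logged before the first
    "HoneyPotSSHTransport,<n>,<ip>" line of that connection (true for this page's log).
    """
    sessions: list[Session] = []
    unbound: list[Session] = []          # New connection seen, transport tag not yet seen
    by_transport: dict[str, Session] = {}
    for line in text.splitlines():
        if m := NEW_CONN.match(line):
            s = Session(m["sid"], m["src"], int(m["sport"]), m["ts"])
            sessions.append(s)
            unbound.append(s)
            continue
        if not (m := TRANSPORT.match(line)):
            continue
        key = f"{m['idx']},{m['ip']}"
        if (s := by_transport.get(key)) is None:
            s = next((u for u in unbound if u.src_ip == m["ip"]), None)
            if s is None:
                continue  # transport line without a preceding New connection: skip it
            unbound.remove(s)
            by_transport[key] = s
        msg = m["msg"]
        if msg.startswith("Remote SSH version: "):
            s.client_version = msg.removeprefix("Remote SSH version: ")
        elif msg.startswith("SSH client hassh fingerprint: "):
            s.hassh = msg.rsplit(" ", 1)[1]
        elif msg == DEFAULT_DB:
            s.default_userdb = True
        elif lm := LOGIN.match(msg):
            s.logins.append((lm["user"], lm["pw"], lm["result"]))
        elif msg.startswith("CMD: "):
            s.commands.append(msg.removeprefix("CMD: "))
        elif msg.startswith("Command not found: "):  # Cowrie emits this; not in this page's log
            s.unknown_commands.append(msg.removeprefix("Command not found: "))
    return sessions


def report(sessions: list[Session]) -> list[str]:
    """One summary line per session, plus a warning when the login was accepted by
    Cowrie's built-in default rules rather than by a configured etc/userdb.txt."""
    out: list[str] = []
    for s in sessions:
        ok = [f"{u}:{p or '<empty>'}" for u, p, r in s.logins if r == "succeeded"]
        out.append(
            f"{s.started} {s.src_ip}:{s.src_port} session={s.session_id} "
            f"client={s.client_version!r} hassh={s.hassh} logins_ok={ok} "
            f"commands={len(s.commands)} unknown={len(s.unknown_commands)}"
        )
        if s.default_userdb and ok:
            out.append(f"  WARNING: session {s.session_id} was accepted by the default userdb rules")
    return out


# Constructed sample: a subset of the cowrie.log lines shown on this page.
SAMPLE_LOG = """\
2024-10-24T20:50:49.482472Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: 127.0.0.1:50200 (127.0.0.1:2222) [session: cab38be1a07e]
2024-10-24T20:50:49.483153Z [HoneyPotSSHTransport,0,127.0.0.1] Remote SSH version: SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3
2024-10-24T20:50:49.484043Z [HoneyPotSSHTransport,0,127.0.0.1] SSH client hassh fingerprint: aae6b9604f6f3356543709a376d7f657
2024-10-24T20:50:49.485155Z [cowrie.ssh.transport.HoneyPotSSHTransport#debug] kex alg=b'curve25519-sha256' key alg=b'ssh-ed25519'
2024-10-24T20:50:52.350657Z [HoneyPotSSHTransport,0,127.0.0.1] Could not read etc/userdb.txt, default database activated
2024-10-24T20:50:52.350955Z [HoneyPotSSHTransport,0,127.0.0.1] login attempt [b'root'/b''] succeeded
2024-10-24T20:50:54.466985Z [HoneyPotSSHTransport,0,127.0.0.1] CMD: ls -al
2024-10-24T20:50:54.467700Z [HoneyPotSSHTransport,0,127.0.0.1] Command found: ls -al
2024-10-24T20:51:20.677589Z [HoneyPotSSHTransport,0,127.0.0.1] CMD: uname -an
2024-10-24T20:52:41.746182Z [HoneyPotSSHTransport,0,127.0.0.1] CMD: echo "Session Capture..." > sesh.txt
2024-10-24T20:52:46.453758Z [HoneyPotSSHTransport,0,127.0.0.1] CMD: cat sesh.txt
"""

if __name__ == "__main__":
    for line in report(parse_cowrie_log(SAMPLE_LOG)):
        print(line)
```

To run it against the real file, call `parse_cowrie_log(open("var/log/cowrie/cowrie.log").read())` from the `~/cowrie` directory. For anything beyond the exercise, prefer the JSON log: the `Loaded output engine: jsonlog` line above means Cowrie also writes `cowrie.json` next to `cowrie.log`, one JSON object per event with explicit `eventid` and `session` fields, which removes the transport-to-session guesswork this text parser has to do.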