Description
When I try to test telnet to my honeypot, the terminal says login failed however cowrie logs a login success. Is this just a function of manually testing telnet or a bug?
$ telnet honeypot_ip 23
Trying honepot_ip...
Connected to honeypot_ip
Escape character is '^]'.
login: root
Password:
Login incorrect
login:
^]
telnet> quit
Connection closed.
/home/cowrie/cowrie/log/cowrie.log
2016-11-14 01:07:53+0000 [-] Log opened.
2016-11-14 01:07:53+0000 [-] twistd 16.0.0 (/usr/bin/python 2.7.12) starting up.
2016-11-14 01:07:53+0000 [-] reactor class: twisted.internet.epollreactor.EPollReactor.
2016-11-14 01:07:53+0000 [-] CowrieSSHFactory starting on 22
2016-11-14 01:07:53+0000 [-] Starting factory <cowrie.ssh.factory.CowrieSSHFactory instance at 0x7f1e18891a28>
2016-11-14 01:07:53+0000 [-] Ready to accept SSH connections
2016-11-14 01:07:53+0000 [-] HoneyPotTelnetFactory starting on 23
2016-11-14 01:07:53+0000 [-] Starting factory <cowrie.telnet.transport.HoneyPotTelnetFactory instance at 0x7f1e17b9b878>
2016-11-14 01:07:53+0000 [-] Ready to accept Telnet connections
2016-11-14 01:08:11+0000 [cowrie.telnet.transport.HoneyPotTelnetFactory] New connection: my_ip:51386 (honeypot_ip:23) [session: TT0]
2016-11-14 01:08:16+0000 [CowrieTelnetTransport,0,my_ip] login attempt [root/123456] succeeded
2016-11-14 01:08:16+0000 [CowrieTelnetTransport,0,my_ip] Opening TTY Log: log/tty/20161114-010816-None-0i.log
2016-11-14 01:08:22+0000 [CowrieTelnetTransport,0,my_ip] Closing TTY Log: log/tty/20161114-010816-None-0i.log after 5 seconds
2016-11-14 01:08:22+0000 [CowrieTelnetTransport,0,my_ip] avatar root logging out
2016-11-14 01:08:22+0000 [CowrieTelnetTransport,0,my_ip] Connection lost after 10 seconds
Activity
micheloosterhof commented on Nov 14, 2016
Yeah. This is somewhere in the Twisted code where you can't see the exception.
Try logging in with SSH to get more meaningful errors. Probably a missing dependency.
We recently added tftp support. I have a patch already that stops Cowrie sessions from crashing when one of the commands doesn't work. Will share later.
mb-rack commented on Nov 14, 2016
ssh has been working just fine. All I did was turn on telnet and authbind port 23
micheloosterhof commented on Nov 15, 2016
Hi! Could you confirm you are running the latest version? Try
git pull
to update your software.
micheloosterhof commented on Nov 15, 2016
Also, by default the password '123456' is not allowed for user root. What are the contents of your userdb.txt?
mb-rack commented on Nov 15, 2016
I'm guessing the second user is one that an attacker created because that wasn't there before.
mb-rack commented on Nov 15, 2016
I deleted the second root and tried again with same results / error.
mb-rack commented on Nov 15, 2016
Now there are twisted errors in the logs, but this is also in every connection via telnet now since it's getting hit a lot harder from the outside.
micheloosterhof commented on Dec 11, 2016
Hi. The negotiation error, is that from your Telnet client or someone on the internet?
What telnet client are you using? Do you see this blocking command entering?
austinheap commented on Dec 13, 2016
I get the first error posted by @mb-rack (where it shows the login prompt again but log says login was successful) when using the default OS X telnet client (using iTerm and Terminal) and the Ubuntu telnet client.
I get the second one ('\x01' errors) from random clients on the Internet.
Interestingly, it seems that some telnet clients are able to log in and access it just fine.
micheloosterhof commented on Dec 13, 2016
I think I've got it. They are not disconnects. Try connecting with "nc" (netcat) to your telnet server.
You'll get the errors (because "nc" doesn't understand telnet negotiation), but you can still login.
I think the negotiation errors are not causing any disconnects, you simply see port scanning activity from a client that doesn't understand telnet. Then the client disconnects. It's not an error.
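The distinction drawn in the last comment, between clients that perform telnet option negotiation and raw TCP clients such as "nc" that do not, can be checked on captured client-to-server bytes. The following is an added example, not part of the thread and not Cowrie code; the function names are hypothetical, the sample byte strings are constructed, and the command values are those of RFC 854.

```python
# Added example: separates telnet negotiation from user data in the bytes
# a client sent, so a session can be triaged as telnet-aware or raw TCP.
IAC, SB, SE = 255, 250, 240
NEGOTIATION = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}


def split_telnet(stream: bytes):
    """Return (data, commands) parsed from client-to-server bytes."""
    data, commands = bytearray(), []
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:              # ordinary data byte
            data.append(stream[i])
            i += 1
            continue
        if i + 1 >= n:                    # lone IAC at end of buffer
            break
        cmd = stream[i + 1]
        if cmd == IAC:                    # IAC IAC is an escaped 0xFF data byte
            data.append(IAC)
            i += 2
        elif cmd in NEGOTIATION:          # IAC <verb> <option>, three bytes
            if i + 2 >= n:
                break
            commands.append((NEGOTIATION[cmd], stream[i + 2]))
            i += 3
        elif cmd == SB:                   # subnegotiation runs until IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break
            commands.append(("SB", stream[i + 2]))
            i = end + 2
        else:                             # other two-byte command (NOP, AYT, ...)
            commands.append(("CMD%d" % cmd, None))
            i += 2
    return bytes(data), commands


def classify(stream: bytes):
    """Label a session by whether the client sent any telnet commands."""
    data, commands = split_telnet(stream)
    return ("telnet-aware" if commands else "raw-tcp"), data


if __name__ == "__main__":
    # Constructed samples: a negotiating client and a raw "nc"-style client.
    print(classify(b"\xff\xfd\x03\xff\xfb\x18root\r\n"))
    print(classify(b"root\n123456\n"))
```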