telnet test returns login incorrect though logs show success #348

@mb-rack

Description

When I try to test telnet to my honeypot, the terminal says login failed; however, cowrie logs a login success. Is this just a function of manually testing telnet or a bug?

$ telnet honeypot_ip 23
Trying honepot_ip...
Connected to honeypot_ip
Escape character is '^]'.
login: root
Password:
Login incorrect
login:
^]
telnet> quit
Connection closed.

/home/cowrie/cowrie/log/cowrie.log
2016-11-14 01:07:53+0000 [-] Log opened.
2016-11-14 01:07:53+0000 [-] twistd 16.0.0 (/usr/bin/python 2.7.12) starting up.
2016-11-14 01:07:53+0000 [-] reactor class: twisted.internet.epollreactor.EPollReactor.
2016-11-14 01:07:53+0000 [-] CowrieSSHFactory starting on 22
2016-11-14 01:07:53+0000 [-] Starting factory <cowrie.ssh.factory.CowrieSSHFactory instance at 0x7f1e18891a28>
2016-11-14 01:07:53+0000 [-] Ready to accept SSH connections
2016-11-14 01:07:53+0000 [-] HoneyPotTelnetFactory starting on 23
2016-11-14 01:07:53+0000 [-] Starting factory <cowrie.telnet.transport.HoneyPotTelnetFactory instance at 0x7f1e17b9b878>
2016-11-14 01:07:53+0000 [-] Ready to accept Telnet connections
2016-11-14 01:08:11+0000 [cowrie.telnet.transport.HoneyPotTelnetFactory] New connection: my_ip:51386 (honeypot_ip:23) [session: TT0]
2016-11-14 01:08:16+0000 [CowrieTelnetTransport,0,my_ip] login attempt [root/123456] succeeded
2016-11-14 01:08:16+0000 [CowrieTelnetTransport,0,my_ip] Opening TTY Log: log/tty/20161114-010816-None-0i.log
2016-11-14 01:08:22+0000 [CowrieTelnetTransport,0,my_ip] Closing TTY Log: log/tty/20161114-010816-None-0i.log after 5 seconds
2016-11-14 01:08:22+0000 [CowrieTelnetTransport,0,my_ip] avatar root logging out
2016-11-14 01:08:22+0000 [CowrieTelnetTransport,0,my_ip] Connection lost after 10 seconds

Activity

micheloosterhof commented on Nov 14, 2016

@micheloosterhof
Member

Yeah. This is somewhere in the Twisted code where you can't see the exception.

Try logging in with SSH to get more meaningful errors. Probably a missing dependency.

We recently added tftp support. I have a patch already that stops Cowrie sessions from crashing when one of the commands doesn't work. Will share later.

mb-rack commented on Nov 14, 2016

@mb-rack
Author

ssh has been working just fine. All I did was turn on telnet and authbind port 23.

micheloosterhof commented on Nov 15, 2016

@micheloosterhof
Member

Hi! Could you confirm you are running the latest version? Try git pull to update your software.

micheloosterhof commented on Nov 15, 2016

@micheloosterhof
Member

Also, by default the password '123456' is not allowed for user root. What are the contents of your userdb.txt?

mb-rack commented on Nov 15, 2016

@mb-rack
Author

$ git pull
remote: Counting objects: 99, done.
remote: Compressing objects: 100% (92/92), done.
remote: Total 99 (delta 42), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (99/99), done.
From http://github.com/micheloosterhof/cowrie
 + 415e7da...e2964f3 develop    -> origin/develop  (forced update)
Already up-to-date.

$ cat userdb.txt 
root:x:123456
root:x:35592

I'm guessing the second user is one that an attacker created because that wasn't there before.

mb-rack commented on Nov 15, 2016

@mb-rack
Author

I deleted the second root and tried again with the same results / error.

Escape character is '^]'.
login: root
Password: 
          Login incorrect
                         login: 


mb-rack commented on Nov 15, 2016

@mb-rack
Author

Now there are twisted errors in the logs, but this is also in every connection via telnet now since it's getting hit a lot harder from the outside.

2016-11-15 23:15:44+0000 [CowrieTelnetTransport,1,my_ip] login attempt [root/123456] succeeded
2016-11-15 23:15:44+0000 [CowrieTelnetTransport,1,my_ip] Opening TTY Log: log/tty/20161115-231544-None-1i.log
2016-11-15 23:15:46+0000 [-] Unhandled error in Deferred:
2016-11-15 23:15:46+0000 [-] Unhandled Error
    Traceback (most recent call last):
    Failure: twisted.conch.telnet.AlreadyNegotiating: twisted.conch.telnet.AlreadyNegotiating:'\x01'

2016-11-15 23:19:26+0000 [CowrieTelnetTransport,1,my_ip] Closing TTY Log: log/tty/20161115-231544-None-1i.log after 221 seconds
2016-11-15 23:19:26+0000 [CowrieTelnetTransport,1,my_ip] avatar root logging out
2016-11-15 23:19:26+0000 [CowrieTelnetTransport,1,my_ip] Connection lost after 227 seconds

micheloosterhof commented on Dec 11, 2016

@micheloosterhof
Member

Hi. The negotiation error, is that from your Telnet client or someone on the internet?
What telnet client are you using? Do you see this blocking command entering?

austinheap commented on Dec 13, 2016

@austinheap

I get the first error posted by @mb-rack (where it shows the login prompt again but log says login was successful) when using the default OS X telnet client (using iTerm and Terminal) and the Ubuntu telnet client.

I get the second one ('\x01' errors) from random clients on the Internet.

Interestingly it seems that some telnet clients are able to login and access it just fine.

micheloosterhof commented on Dec 13, 2016

@micheloosterhof
Member

I think I've got it. They are not disconnects. Try connecting with "nc" (netcat) to your telnet server.
You'll get the errors (because "nc" doesn't understand telnet negotiation), but you can still login.

I think the negotiation errors are not causing any disconnects, you simply see port scanning activity from a client that doesn't understand telnet. Then the client disconnects. It's not an error.
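As an added example (not code from this thread or from the Cowrie project), a small triage script that groups cowrie.log telnet lines like those quoted above by session, records login results, TTY-log time and connection duration, and counts AlreadyNegotiating errors, so that "succeeded" sessions, failed-only sessions and non-negotiating scanners can be told apart from the log alone. The sample lines are constructed from the excerpts in this issue (the second session, from a documentation-range address, is made up for contrast); because Twisted logs the negotiation error with a `[-]` context and no session id, the script attributes each one to the most recently active telnet session, which is a heuristic.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on this issue's cowrie.log excerpts; session 2 is a made-up failed login.
SAMPLE_LOG = """\
2016-11-15 23:15:44+0000 [CowrieTelnetTransport,1,my_ip] login attempt [root/123456] succeeded
    Failure: twisted.conch.telnet.AlreadyNegotiating: twisted.conch.telnet.AlreadyNegotiating:'\\x01'
2016-11-15 23:19:26+0000 [CowrieTelnetTransport,1,my_ip] Closing TTY Log: log/tty/20161115-231544-None-1i.log after 221 seconds
2016-11-15 23:19:26+0000 [CowrieTelnetTransport,1,my_ip] Connection lost after 227 seconds
2016-11-15 23:20:01+0000 [CowrieTelnetTransport,2,203.0.113.9] login attempt [admin/admin] failed
2016-11-15 23:20:02+0000 [CowrieTelnetTransport,2,203.0.113.9] Connection lost after 1 seconds
"""

# cowrie.log line shape: "<date> <time> [<context>] <message>"
LINE_RE = re.compile(r'^\S+ \S+ \[(?P<ctx>[^\]]*)\] (?P<msg>.*)$')
LOGIN_RE = re.compile(r'login attempt \[(?P<user>[^/]*)/(?P<pw>[^\]]*)\] (?P<res>succeeded|failed)')
TTY_RE = re.compile(r'Closing TTY Log: \S+ after (?P<secs>\d+) seconds')
LOST_RE = re.compile(r'Connection lost after (?P<secs>\d+) seconds')

def parse_sessions(text):
    # Sessions are keyed by the id in the "CowrieTelnetTransport,<id>,<ip>" context.
    sessions, last = OrderedDict(), None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            # Traceback lines have no session context: charge the negotiation error
            # to the most recently active telnet session (heuristic attribution).
            if 'AlreadyNegotiating' in line and last is not None:
                last['neg_errors'] += 1
            continue
        parts = m['ctx'].split(',')
        if len(parts) != 3 or parts[0] != 'CowrieTelnetTransport':
            continue  # factory, SSH and '[-]' lines are not telnet sessions
        s = sessions.setdefault(parts[1], {'ip': parts[2], 'logins': [], 'tty_seconds': 0, 'duration': None, 'neg_errors': 0})
        last, msg = s, m['msg']
        if lm := LOGIN_RE.search(msg):
            s['logins'].append((lm['user'], lm['pw'], lm['res'] == 'succeeded'))
        elif tm := TTY_RE.search(msg):
            s['tty_seconds'] += int(tm['secs'])
        elif cm := LOST_RE.search(msg):
            s['duration'] = int(cm['secs'])
    return sessions

def label(s):
    # Triage label: did anyone authenticate, and was a TTY log written afterwards?
    if not s['logins']:
        return 'no-login-attempt'
    if not any(ok for _, _, ok in s['logins']):
        return 'failed-only'
    return 'success-with-tty' if s['tty_seconds'] > 0 else 'success-no-tty'

def report(text=SAMPLE_LOG):
    return [(sid, s['ip'], label(s), s['neg_errors'], s['tty_seconds'], s['duration']) for sid, s in parse_sessions(text).items()]
```

Run `report(open('/home/cowrie/cowrie/log/cowrie.log').read())` against a real log to list every telnet session with its label, negotiation-error count, TTY seconds and duration.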
