Cowrie is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker. Cowrie is directly based on Kippo by Upi Tamminen.

Features

Some interesting features:
- Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
- Possibility of adding fake file contents so the attacker can ‘cat’ files such as /etc/passwd. Only minimal file contents are included
- Session logs stored in a UML-compatible format for easy replay with original timings
- Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection

Additional functionality over standard Kippo:
- SFTP and SCP support for file upload
- Support for SSH exec commands
- Logging of direct-tcp connection attempts (ssh proxying)
- Logging in JSON format for easy processing in log management solutions
- Many, many additional commands

Software required:
- An operating system (tested on Debian, CentOS, FreeBSD and Windows 7)
- Python 2.5+
- Twisted 8.0+
- PyCrypto
- pyasn1
- Zope Interface

Files of interest:
- dl/ – files downloaded with wget are stored here
- log/cowrie.log – log/debug output
- log/cowrie.json – transaction output in JSON format
- log/tty/ – session logs
- utils/playlog.py – utility to replay session logs
- utils/createfs.py [...]
Weevely is a command line web shell dynamically extended over the network at runtime, used for administration and pen testing of remote web accesses. It provides a weaponized telnet-like console through a PHP script running on the target, even in restricted environments.
The low footprint agent and over 30 modules shape an extensible framework to administrate, conduct a pen-test, post-exploit, and audit remote web accesses in order to escalate privileges and pivot deeper into internal networks.
Weevely 3.2.0 Released: Weaponized web shell

The modular framework
Weevely modules extend the terminal, providing a layer to interact with the remote target.
The modules feature:
- Shell/PHP telnet-like network terminal
- Common server misconfigurations auditing
- SQL console pivoting on target
- HTTP traffic proxying through target
- Mount target file system to local mount point
- Run scans pivoting on target
- File upload and download
- Spawn reverse and direct TCP shells
- Zip, gz, bz2 and tar handling
The backdoor agent
The remote agent is a very low footprint agent that receives the dynamically injected code from the client, extending the client functionalities over the network at run-time. The agent code is polymorphic and hardly detectable by AV and HIDS. The [...]
OpenVPN supports two very different means for interconnecting networks: routing and bridging.
Routing refers to the interconnection of separate and independent “sub-networks” (subnets) which have non-overlapping ranges of IP addresses. Upon receiving a packet sent to it, a network “router” examines the destination IP address to determine which of several connected networks should receive it, after which that packet is forwarded to the proper network.
Bridging, by comparison, is much simpler. A network “bridge” is simply an electrical interconnection between separate physical networks that are all carrying the same ranges of IP addresses. Standard dumb network “hubs” and “switches” are examples of network bridges. With a hub, packets arriving at any port are “bridged” and sent out to every other port. A switch is a bit smarter, since it is able to adaptively learn which network interface cards (NICs) are attached to which ports. But a switch is still interconnecting network segments carrying the same ranges of IP addresses.
Making the choice for OpenVPN
Although “routed” connections are the most common and straightforward to configure, they suffer from significant [...]