mushorg / glutton

Generic Low Interaction Honeypot
MIT License

Telnet (partially FTP) fails to handle TCP connection #158

Open t3chn0m4g3 opened 8 months ago

t3chn0m4g3 commented 8 months ago

@glaslos The telnet and ftp handlers have issues. I can connect, and ftp even logs; however, telnet fails once the connection is closed. Testing was done with Linux telnet and ftp clients.

{"time":"2024-03-15T16:57:53.820415172Z","level":"INFO","msg":"[smtp    ] Payload : \"HELO\"","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d"}
{"time":"2024-03-15T16:59:30.364890717Z","level":"INFO","msg":"[smtp    ] Payload : \"ehlo v\"","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d"}
{"time":"2024-03-15T16:59:30.391354919Z","level":"INFO","msg":"[smtp    ] Payload : \"Helo v\"","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d"}
{"time":"2024-03-15T16:59:30.419873864Z","level":"INFO","msg":"[smtp    ] Payload : \"Quit\"","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d"}
{"time":"2024-03-15T17:00:28.062610668Z","level":"ERROR","msg":"failed to handle TCP connection","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d","error":"EOF","handler":"telnet"}
{"time":"2024-03-15T17:02:58.173663048Z","level":"ERROR","msg":"failed to handle TCP connection","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d","error":"EOF","handler":"telnet"}
{"time":"2024-03-15T17:04:13.161281036Z","level":"ERROR","msg":"failed to handle TCP connection","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d","error":"EOF","handler":"telnet"}
{"time":"2024-03-15T17:04:21.834132543Z","level":"ERROR","msg":"failed to handle TCP connection","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d","error":"EOF","handler":"telnet"}
{"time":"2024-03-15T17:06:38.580027398Z","level":"INFO","msg":"ftp payload received","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d","dest_port":"21","src_ip":"172.20.254.127","src_port":"59750","message":"\"USER test\\r\\n\"","handler":"ftp"}
{"time":"2024-03-15T17:06:39.769239203Z","level":"INFO","msg":"ftp payload received","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d","dest_port":"21","src_ip":"172.20.254.127","src_port":"59750","message":"\"PASS test\\r\\n\"","handler":"ftp"}
{"time":"2024-03-15T17:06:39.774005479Z","level":"INFO","msg":"ftp payload received","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d","dest_port":"21","src_ip":"172.20.254.127","src_port":"59750","message":"\"SYST\\r\\n\"","handler":"ftp"}
{"time":"2024-03-15T17:06:39.777393885Z","level":"INFO","msg":"ftp payload received","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d","dest_port":"21","src_ip":"172.20.254.127","src_port":"59750","message":"\"FEAT\\r\\n\"","handler":"ftp"}
{"time":"2024-03-15T17:06:41.58332548Z","level":"INFO","msg":"ftp payload received","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d","dest_port":"21","src_ip":"172.20.254.127","src_port":"59750","message":"\"QUIT\\r\\n\"","handler":"ftp"}
{"time":"2024-03-15T17:06:41.589578584Z","level":"ERROR","msg":"failed to handle TCP connection","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d","error":"EOF","handler":"ftp"}

I can see the following iptables rules added to PREROUTING:

:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i enp0s5 -p udp -m state ! --state RELATED,ESTABLISHED -m udp ! --dport 22 -j TPROXY --on-port 0 --on-ip 127.0.0.1 --tproxy-mark 0x0/0x0
-A PREROUTING -i enp0s5 -p tcp -m state ! --state RELATED,ESTABLISHED -m tcp ! --dport 22 -j TPROXY --on-port 5000 --on-ip 127.0.0.1 --tproxy-mark 0x0/0x0
-A PREROUTING -i enp0s5 -p udp -m state ! --state RELATED,ESTABLISHED -m udp ! --dport 22 -j TPROXY --on-port 5001 --on-ip 127.0.0.1 --tproxy-mark 0x0/0x0

my Dockerfile (system.go overwrite only to get rid of open files info):

FROM golang:1.21-alpine as builder
#
# Include dist
COPY dist/ /root/dist/
# 
# Setup apk
RUN apk -U --no-cache add \
        build-base \
        git \
        g++ \
        iptables-dev \
        libpcap-dev && \
#
# Setup go, glutton
    export GO111MODULE=on && \
    mkdir -p /opt/ && \
    cd /opt/ && \
    git clone https://github.com/mushorg/glutton && \
    cd /opt/glutton/ && \
    git checkout c1204c65ce32bfdc0e08fb2a9abe89b3b8eeed62 && \
    cp /root/dist/system.go . && \
    go mod download && \
    make build
#
FROM alpine:3.19
#
COPY --from=builder /opt/glutton/bin /opt/glutton/bin
COPY --from=builder /opt/glutton/config /opt/glutton/config
COPY --from=builder /opt/glutton/rules /opt/glutton/rules
#
RUN apk -U --no-cache add \
        iptables \
        iptables-dev \
        libnetfilter_queue-dev \
        libcap \
        libpcap-dev && \
        setcap cap_net_admin,cap_net_raw=+ep /opt/glutton/bin/server && \
        setcap cap_net_admin,cap_net_raw=+ep /sbin/xtables-nft-multi && \
        mkdir -p /var/log/glutton \
                 /opt/glutton/payloads && \
#
# Setup user, groups and configs
    addgroup -g 2000 glutton && \
    adduser -S -s /bin/ash -u 2000 -D -g 2000 glutton && \
#
# Clean up
    rm -rf /var/cache/apk/* \
           /root/*
#
# Start glutton 
WORKDIR /opt/glutton
USER glutton:glutton
CMD exec bin/server -d true -i $(/sbin/ip address show | /usr/bin/awk '/inet.*brd/{ print $NF; exit }') -l /var/log/glutton/glutton.log > /dev/null 2>&1

my docker-compose.yml:

version: '2.3'

services:

# glutton service
  glutton:
    build: .
    container_name: glutton
    restart: always
    tmpfs:
     - /var/lib/glutton:uid=2000,gid=2000
     - /run:uid=2000,gid=2000
    network_mode: "host"
    cap_add:
     - NET_ADMIN
     - NET_RAW
    image: "dtagdevsec/glutton:alpha"
    read_only: true
    volumes:
     - $HOME/tpotce/data/glutton/log:/var/log/glutton
     - $HOME/tpotce/data/glutton/payloads:/opt/glutton/payloads
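The `error="EOF"` lines in the log above are the signature of a read loop that hands `io.EOF` back to a caller which logs every returned error, so each clean client disconnect shows up as an ERROR. The Go snippet below is an added illustration, not glutton's code: it runs a naive handler and a graceful one over a constructed in-memory session that replays the FTP command sequence from the log (`net.Pipe` stands in for the real socket, and the handler names and signatures are assumptions of this example).

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net"
	"strings"
)

// handleNaive mirrors a read loop that returns every read error to its caller,
// including the io.EOF that a client produces simply by closing the socket.
// A caller that logs whatever comes back turns each clean disconnect into an
// ERROR line with error="EOF".
func handleNaive(conn net.Conn) ([]string, error) {
	defer conn.Close()
	var payloads []string
	r := bufio.NewReader(conn)
	for {
		line, err := r.ReadString('\n')
		if err != nil {
			return payloads, err
		}
		payloads = append(payloads, strings.TrimRight(line, "\r\n"))
	}
}

// handleGraceful treats io.EOF as the normal end of a session: it keeps any
// partial final line, returns nil, and only surfaces genuine failures
// (connection reset, timeout, ...) to the caller.
func handleGraceful(conn net.Conn) ([]string, error) {
	defer conn.Close()
	var payloads []string
	r := bufio.NewReader(conn)
	for {
		line, err := r.ReadString('\n')
		if line != "" {
			payloads = append(payloads, strings.TrimRight(line, "\r\n"))
		}
		if err != nil {
			if errors.Is(err, io.EOF) {
				return payloads, nil // client hung up: expected, not an error
			}
			return payloads, err
		}
	}
}

// runSession drives a handler over an in-memory connection pair. The client
// side is a constructed stand-in for the ftp/telnet client in the issue: it
// sends each command terminated by CRLF and then closes the connection.
func runSession(handler func(net.Conn) ([]string, error), cmds []string) ([]string, error) {
	client, server := net.Pipe()
	go func() {
		defer client.Close()
		for _, c := range cmds {
			fmt.Fprintf(client, "%s\r\n", c)
		}
	}()
	return handler(server)
}

func main() {
	// Constructed command sequence matching the ftp payloads in the log.
	cmds := []string{"USER test", "PASS test", "SYST", "FEAT", "QUIT"}
	handlers := []struct {
		name string
		fn   func(net.Conn) ([]string, error)
	}{{"naive", handleNaive}, {"graceful", handleGraceful}}
	for _, h := range handlers {
		payloads, err := runSession(h.fn, cmds)
		fmt.Printf("%-8s payloads=%q err=%v\n", h.name, payloads, err)
	}
}
```

Both handlers capture the same five payloads; the difference is only in what they report when the client goes away, which is exactly the distinction a honeypot's connection logging needs to make between an ordinary session end and a real failure.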

glaslos commented 6 months ago

Can you link to the Dockerfile? It can be a little updated since the requirements changed. Also there shouldn't be a TPROXY --on-port 0 rule I think :thinking:

t3chn0m4g3 commented 6 months ago

Sure.

glaslos commented 6 months ago

I don't think updating your Docker image will resolve the problem. But we are both at least using very similar images and I can attempt to reproduce.

t3chn0m4g3 commented 6 months ago

Thanks, can review this in Copenhagen. Looking forward to seeing you IRL again!