thinkst / opencanary

Modular and decentralised honeypot
http://opencanary.org
BSD 3-Clause "New" or "Revised" License

question: Where to see the login (credentials) details? #248

Closed e101sg closed 1 year ago

e101sg commented 1 year ago

Not sure this is the right place to ask this question. I am running the OpenCanary honeypot as part of T-Pot. It is running well as a fake disk station. If I understand correctly, it collects all the user name and password credentials and stores them somewhere in the log. I have checked the log in data/opencanary/log and can see the other details, but not the user names/passwords entered by users. Any thoughts would be highly useful. Thanks :)


HybridAU commented 1 year ago

Where your OpenCanary logs to will depend on how you have configured the logging but the default logging is to the console (you will see this output if you run docker compose up latest for example) and also to /var/tmp/opencanary.log on the OpenCanary (or inside the docker container if that's how you're running it).

As for the username and password used to try to log in, they should be there. These are the logs I see when I start up OpenCanary and attempt to log in to the http service.

{"dst_host": "", "dst_port": -1, "local_time": "2023-05-13 09:02:31.765100", "local_time_adjusted": "2023-05-13 09:02:31.765131", "logdata": {"msg": {"logdata": "Added service from class CanaryHTTP in opencanary.modules.http to fake"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1, "utc_time": "2023-05-13 09:02:31.765124"}
{"dst_host": "", "dst_port": -1, "local_time": "2023-05-13 09:02:32.055554", "local_time_adjusted": "2023-05-13 09:02:32.055578", "logdata": {"msg": {"logdata": "Canary running!!!"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1, "utc_time": "2023-05-13 09:02:32.055572"}
{"dst_host": "172.26.0.2", "dst_port": 80, "local_time": "2023-05-13 09:02:41.215911", "local_time_adjusted": "2023-05-13 09:02:41.215955", "logdata": {"HOSTNAME": "localhost", "PATH": "/index.html", "SKIN": "nasLogin", "USERAGENT": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0"}, "logtype": 3000, "node_id": "opencanary-1", "src_host": "172.26.0.1", "src_port": 39912, "utc_time": "2023-05-13 09:02:41.215947"}
{"dst_host": "172.26.0.2", "dst_port": 80, "local_time": "2023-05-13 09:03:19.317381", "local_time_adjusted": "2023-05-13 09:03:19.317420", "logdata": {"HOSTNAME": "localhost", "PASSWORD": "password123", "PATH": "/index.html", "SKIN": "nasLogin", "USERAGENT": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0", "USERNAME": "admin"}, "logtype": 3001, "node_id": "opencanary-1", "src_host": "172.26.0.1", "src_port": 39934, "utc_time": "2023-05-13 09:03:19.317412"}

That last line has "USERNAME": "admin" and "PASSWORD": "password123".

Is that similar to what you see in data/opencanary/log?

e101sg commented 1 year ago

Yes, now able to see the User login details in /data/opencanary/log

Looks like this.

{"dst_host": "172.16.2.238", "dst_port": 80, "local_time": "2023-05-15 10:31:55.671727", "local_time_adjusted": "2023-05-15 18:31:55.671763", "logdata": {"HOSTNAME": "172.16.2.238", "PASSWORD": "Password", "PATH": "/index.html", "SKIN": "nasLogin", "USERAGENT": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.35", "USERNAME": "Admin10"}, "logtype": 3001, "node_id": "opencanary-1", "src_host": "172.16.2.206", "src_port": 11489, "utc_time": "2023-05-15 10:31:55.671756"}

Thanks!
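An added example, not part of the thread or of OpenCanary's own code: a small Python filter that pulls login attempts out of a JSON-lines log in the format posted above, keyed on logtype 3001 as seen on the lines that carry USERNAME and PASSWORD. The sample lines are constructed (documentation addresses), and the function names are hypothetical.

```python
import json
from collections import Counter

HTTP_LOGIN_LOGTYPE = 3001  # logtype on the thread's lines that carry USERNAME/PASSWORD

# Constructed sample lines in the format shown in the thread (not real captures).
SAMPLE_LOG = """\
{"dst_host": "", "dst_port": -1, "logdata": {"msg": {"logdata": "Canary running!!!"}}, "logtype": 1001, "node_id": "opencanary-1", "src_host": "", "src_port": -1, "utc_time": "2023-05-13 09:02:32.055572"}
{"dst_host": "192.0.2.10", "dst_port": 80, "logdata": {"HOSTNAME": "localhost", "PATH": "/index.html", "SKIN": "nasLogin", "USERAGENT": "example-agent"}, "logtype": 3000, "node_id": "opencanary-1", "src_host": "192.0.2.50", "src_port": 39912, "utc_time": "2023-05-13 09:02:41.215947"}
{"dst_host": "192.0.2.10", "dst_port": 80, "logdata": {"HOSTNAME": "localhost", "PASSWORD": "password123", "PATH": "/index.html", "SKIN": "nasLogin", "USERAGENT": "example-agent", "USERNAME": "admin"}, "logtype": 3001, "node_id": "opencanary-1", "src_host": "192.0.2.50", "src_port": 39934, "utc_time": "2023-05-13 09:03:19.317412"}
-- constructed non-JSON console line --
{"dst_host": "192.0.2.10", "dst_port": 80, "logdata": {"HOSTNAME": "192.0.2.10", "PASSWORD": "Password", "PATH": "/index.html", "SKIN": "nasLogin", "USERAGENT": "example-agent", "USERNAME": "Admin10"}, "logtype": 3001, "node_id": "opencanary-1", "src_host": "192.0.2.51", "src_port": 11489, "utc_time": "2023-05-15 10:31:55.671756"}
{"dst_host": "192.0.2.10", "dst_port": 80, "logda
"""


def extract_logins(lines, logtype=HTTP_LOGIN_LOGTYPE):
    """Yield one record per login attempt; skip blank, non-JSON and other-type lines."""
    for raw in lines:
        raw = raw.strip()
        if not raw.startswith("{"):
            continue  # console noise or blank line mixed into the log
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # truncated or partially written line
        data = event.get("logdata")
        if event.get("logtype") != logtype or not isinstance(data, dict):
            continue
        yield {
            "utc_time": event.get("utc_time"),
            "src_host": event.get("src_host"),
            "dst_port": event.get("dst_port"),
            "username": data.get("USERNAME"),
            "password": data.get("PASSWORD"),
        }


def attempts_per_source(records):
    """Count login attempts per source address."""
    return Counter(r["src_host"] for r in records)


if __name__ == "__main__":
    logins = list(extract_logins(SAMPLE_LOG.splitlines()))
    for r in logins:
        print(r["utc_time"], r["src_host"], r["username"], r["password"])
    print(attempts_per_source(logins))
```

To run it on a real log, pass an open file object instead of the sample, for example the /var/tmp/opencanary.log or data/opencanary/log paths mentioned in the thread.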