search

thinkst / opencanary

Modular and decentralised honeypot
http://opencanary.org
BSD 3-Clause "New" or "Revised" License
2.21k stars 353 forks source link

[BUG] Putty and Powershell ssh client not able to recognize this fake ssh service #319

Closed prashantvidja closed 8 months ago

prashantvidja commented 8 months ago

Describe the bug The service working fine as usual, But when I test it using the Windows Powershell command line or Putty I am not able to connect SSH. Getting connection timed out error. But when I connect it with another Linux server it is working fine.

To Reproduce Steps to reproduce the behavior:

  1. Test service with PowerShell command line or putty.

Expected behavior It should show connection via ssh. User doesn't log in that's fine at least it should recognize it.

Screenshots image

Testing environment

VM information

nickrohrbs commented 8 months ago

Hi @prashantvidja,

We've run a couple tests from our side, and things seem to work as expected:

{"dst_host": "192.168.14.33", "dst_port": 22, "local_time": "2023-10-30 13:16:15.393892", "local_time_adjusted": "2023-10-30 15:16:15.395601", "logdata": {"LOCALVERSION": "SSH-2.0-OpenSSH_5.1p1 Debian-4", "PASSWORD": "testingpassword", "REMOTEVERSION": "SSH-2.0-OpenSSH_for_Windows_9.2", "USERNAME": "testinguser"}, "logtype": 4002, "node_id": "opencanary-1", "src_host": "192.168.14.20", "src_port": 49880, "utc_time": "2023-10-30 13:16:15.395084"}

We tested this from powershell's ssh on Windows 8 and Windows 11.

Are you able to confirm which port ssh is using? From my local testing, I was using the default of 22:

$ grep ssh /etc/opencanaryd/opencanary.conf
    "ssh.enabled": true,
    "ssh.port": 22,
    "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",

Additionally, if you add the -v flag to the ssh command, we should be able to get some more details about why the connection is failing.

prashantvidja commented 8 months ago

Hi @nickrohrbs

Thanks for your reply.

Okay, it may be possible to have some SSH client configuration issues but I'm not sure. I am sure that I am using the default 22 port.

image

Check the below output after enabling verbose on my host machine. image

Also, I have tested with another machine test windows server in the same network.

image

nickrohrbs commented 8 months ago

Hi @prashantvidja,

Could you confirm that enabling other services work as expected when connecting from the Windows machines? You could enable http and maybe a tcpbanner and confirm that you can successfully connect to remove some unknowns from the equation. It'll help us narrow down the cause.

Nick

prashantvidja commented 8 months ago

Thanks @nickrohrbs. It was not a bug. There is some problem with my VirtualBox network driver. I fixed it now.