ftpot 2.0.0__py2.py3-none-any.whl

core/config.py

@@ -0,0 +1,50 @@
+
+from configparser import ConfigParser, ExtendedInterpolation
+
+from os import environ
+
+
+def to_environ_key(key):
+    return key.upper()
+
+
+class EnvironmentConfigParser(ConfigParser):
+
+    def has_option(self, section, option):
+        if to_environ_key('_'.join((section, option))) in environ:
+            return True
+        return super(EnvironmentConfigParser, self).has_option(section, option)
+
+    def get(self, section, option, **kwargs):
+        key = to_environ_key('_'.join((section, option)))
+        if key in environ:
+            return environ[key]
+        return super(EnvironmentConfigParser, self).get(section, option, **kwargs)
+
+
+def readConfigFile(cfgfile):
+    """
+    Read config files and return ConfigParser object
+
+    @param cfgfile: filename or array of filenames
+    @return: ConfigParser object
+    """
+    parser = EnvironmentConfigParser(
+        interpolation=ExtendedInterpolation(),
+        converters={'list': lambda x: [i.strip() for i in x.split(',')]}
+    )
+    parser.read(cfgfile)
+    return parser
+
+
+def _config_files():
+    # Import here (not at module top) to avoid any circular-import risk.
+    from core.paths import workdir_path, bundled
+    return [
+        bundled('etc', 'honeypot.cfg.base'),	# bundled read-only defaults
+        workdir_path('etc', 'honeypot.cfg'),	# site-local overrides
+        workdir_path('honeypot.cfg'),		# convenience root-level override
+    ]
+
+
+CONFIG = readConfigFile(_config_files())

core/logfile.py

@@ -0,0 +1,74 @@
+
+from sys import stdout
+from datetime import datetime
+
+from pytz import timezone
+
+from twisted.python import log, util
+from twisted.python.logfile import DailyLogFile
+
+
+class HoneypotDailyLogFile(DailyLogFile):
+    """
+    Overload original Twisted with improved date formatting
+    """
+
+    def suffix(self, tupledate):
+        """
+        Return the suffix given a (year, month, day) tuple or unixtime
+        """
+        try:
+            return "{:02d}-{:02d}-{:02d}".format(tupledate[0], tupledate[1], tupledate[2])
+        except Exception:
+            # try taking a float unixtime
+            return '_'.join(map(str, self.toDate(tupledate)))
+
+
+def myFLOemit(self, eventDict):
+    """
+    Format the given log event as text and write it to the output file.
+
+    @param eventDict: a log event
+    @type eventDict: L{dict} mapping L{str} (native string) to L{object}
+    """
+
+    # Custom emit for FileLogObserver
+    text = log.textFromEventDict(eventDict)
+    if text is None:
+        return
+    timeStr = self.formatTime(eventDict['time'])
+    fmtDict = {
+        'text': text.replace('\n', '\n\t')
+    }
+    msgStr = log._safeFormat('%(text)s\n', fmtDict)
+    util.untilConcludes(self.write, timeStr + ' ' + msgStr)
+    util.untilConcludes(self.flush)
+
+
+def myFLOformatTime(self, when):
+    """
+    Log time in UTC
+
+    By default it's formatted as an ISO8601-like string (ISO8601 date and
+    ISO8601 time separated by a space). It can be customized using the
+    C{timeFormat} attribute, which will be used as input for the underlying
+    L{datetime.datetime.strftime} call.
+
+    @type when: C{int}
+    @param when: POSIX (ie, UTC) timestamp.
+
+    @rtype: C{str}
+    """
+    timeFormatString = self.timeFormat
+    if timeFormatString is None:
+        timeFormatString = '[%Y-%m-%d %H:%M:%S.%fZ]'
+    return datetime.fromtimestamp(when, tz=timezone('UTC')).strftime(timeFormatString)
+
+
+def set_logger(cfg_options):
+    log.FileLogObserver.emit = myFLOemit
+    log.FileLogObserver.formatTime = myFLOformatTime
+    if cfg_options['logfile'] is None:
+        log.startLogging(stdout)
+    else:
+        log.startLogging(HoneypotDailyLogFile.fromFullPath(cfg_options['logfile']), setStdout=False)

core/output.py

@@ -0,0 +1,39 @@
+
+from socket import gethostname
+
+from core.config import CONFIG
+
+
+class Output(object):
+    """
+    Abstract base class intended to be inherited by output plugins.
+    """
+
+    def __init__(self, general_options):
+
+        self.cfg = general_options
+
+        if 'sensor' in self.cfg:
+            self.sensor = self.cfg['sensor']
+        else:
+            self.sensor = CONFIG.get('honeypot', 'sensor_name', fallback=gethostname())
+
+        self.start()
+
+    def start(self):
+        """
+        Abstract method to initialize output plugin
+        """
+        pass
+
+    def stop(self):
+        """
+        Abstract method to shut down output plugin
+        """
+        pass
+
+    def write(self, event):
+        """
+        Handle a general event within the output plugin
+        """
+        pass

core/paths.py

@@ -0,0 +1,53 @@
+"""
+paths.py - Single source of truth for runtime path resolution.
+
+The honeypot needs a "working directory" containing:
+  etc/          config files (honeypot-launch.cfg.base, honeypot.cfg.base)
+  data/         geolocation databases, SQLite db, etc.
+  log/          rotating log files (created on demand)
+
+Priority for locating the working directory:
+  1. FTPOT_WORKDIR environment variable
+  2. Current working directory
+
+The bundled read-only defaults (etc/honeypot.cfg.base) are installed inside the
+`ftpot` package and located via the package's own __file__ attribute, which
+works on all Python versions without requiring pkg_resources or
+importlib.resources.
+"""
+
+from __future__ import absolute_import
+
+
+from os import getcwd, environ
+from os.path import abspath, dirname, join
+
+
+def get_workdir():
+    """Return the absolute path to the runtime working directory."""
+    env = environ.get('FTPOT_WORKDIR', '').strip()
+    if env:
+        return abspath(env)
+    return getcwd()
+
+
+def workdir_path(*parts):
+    """Return an absolute path rooted at the working directory."""
+    return join(get_workdir(), *parts)
+
+
+def bundled(*parts):
+    """
+    Return the filesystem path to a file bundled inside the installed package.
+    Arguments are path components relative to the ftpot/data/ directory,
+    passed as separate strings (like os.path.join) to avoid hardcoded separators.
+
+    Uses the package's own __file__ to locate the data directory, which works
+    on all Python versions (2.7+) without requiring pkg_resources or
+    importlib.resources.
+    """
+    # ftpot/data/ lives alongside this module's package (core/ is a sibling
+    # of ftpot/), so we go up one level from core/ to find ftpot/data/.
+    here = dirname(abspath(__file__))
+    package_dir = join(dirname(here), 'ftpot')
+    return join(package_dir, 'data', *parts)

core/protocol.py

@@ -0,0 +1,284 @@
+
+from __future__ import absolute_import
+
+from ipaddress import ip_address, ip_network
+from sys import version_info
+from time import time
+from uuid import uuid4
+
+from core.tools import (
+    decode,
+    encode,
+    get_local_ip,
+    get_utc_time,
+    printable,
+    write_event
+)
+
+from twisted.internet.ssl import PrivateCertificate
+from twisted.internet.protocol import ServerFactory
+from twisted.protocols.basic import LineReceiver
+from twisted.python.log import msg
+
+
+if version_info[0] >= 3:
+    def unicode(x):
+        return x
+
+
+class MyFTPServer(LineReceiver):
+    def __init__(self, options):
+        self.cfg = options
+        self.userReceived = False
+        self.user = ''
+        self.is_fttps = False
+
+    def connectionMade(self):
+        self.session = uuid4().hex[:12]
+        self.report_event('connect')
+        self.send_line('220 ProFTPD 1.3.4b Server (TP-Share) [{}]'.format(self.cfg['public_ip']))
+
+    def lineReceived(self, line):
+        line = decode(line)
+        parts = line.split(None, 1)
+        if parts:
+            command = parts[0].upper()
+            args = parts[1] if len(parts) > 1 else ''
+            self.report_event('command', command, args)
+            self.process_command(command, args)
+
+    def connectionLost(self, reason):
+        self.report_event('disconnect', reason.value)
+        self.session = None
+        self.userReceived = False
+        self.user = ''
+        self.is_fttps = False
+
+    def report_event(self, operation, username=None, password=None):
+        operation = operation.lower()
+        unix_time = time()
+        peer = self.transport.getPeer()
+        ip = peer.host
+        for network in self.cfg['blacklist']:
+            if ip_address(unicode(ip)) in ip_network(unicode(network)):
+                return
+        port = peer.port
+        event = {
+            'eventid': 'ftpot.' + operation,
+            'operation': operation,
+            'timestamp': get_utc_time(unix_time),
+            'unixtime': unix_time,
+            'src_ip': ip,
+            'src_port': port,
+            'dst_port': self.cfg['port'],
+            'sensor': self.cfg['sensor'],
+            'dst_ip': self.cfg['public_ip'] if self.cfg['report_public_ip'] else get_local_ip(),
+            'session': self.session
+        }
+        if operation == 'login':
+            event['username'] = printable(username)
+            event['password'] = printable(password)
+            message = 'Login with username: "{}", password: "{}" from {}:{}.'.format(
+                event['username'],
+                event['password'],
+                ip,
+                port
+            )
+        elif operation == 'connect':
+            message = 'Connection made from {}:{}.'.format(ip, port)
+        elif operation == 'command':
+            command = printable(username)
+            event['command'] = command
+            if password:
+                event['args'] = printable(password)
+                command += ' ' + event['args']
+            else:
+                event['args'] = ''
+            message = 'Command "{}" from {}:{}.'.format(command, ip, port)
+        elif operation == 'disconnect':
+            message = '{}:{} disconnected. Reason: {}'.format(ip, port, username)
+        else:
+            command = printable(username)
+            event['command'] = command
+            if password:
+                event['args'] = printable(password)
+                command += ' ' + event['args']
+            message = 'Unknown operation "{}" from {}:{}.'.format(command, ip, port)
+        msg(message)
+        write_event(event, self.cfg)
+
+    def send_line(self, line):
+        self.transport.write(encode(line + '\r\n'))
+
+    def process_command(self, command, args):
+        needs_auth = [
+            'PASV', 'CWD', 'XCWD', 'CDUP', 'XCUP', 'SMNT',
+            'EPRT', 'EPSV', 'ALLO', 'RNFR', 'RNTO', 'DELE', 'MDTM',
+            'RMD', 'XRMD', 'MKD', 'XMKD', 'PWD', 'XPWD', 'SIZE',
+            'STRU', 'MODE', 'RETR', 'STOR', 'STOU', 'APPE', 'SITE',
+            'REST', 'ABOR', 'LIST', 'NLST', 'STAT', 'MLSD', 'MLST'
+        ]
+        help_msg = (
+            "214-The following commands are recognized (* =>'s unimplemented):\r\n"
+            ' CWD     XCWD    CDUP    XCUP    SMNT*   QUIT    PORT    PASV\r\n'
+            ' EPRT    EPSV    ALLO*   RNFR    RNTO    DELE    MDTM    RMD\r\n'
+            ' XRMD    MKD     XMKD    PWD     XPWD    SIZE    SYST    HELP\r\n'
+            ' NOOP    FEAT    OPTS    AUTH    CCC     CONF*   ENC*    MIC*\r\n'
+            ' PBSZ*   PROT*   TYPE    STRU    MODE    RETR    STOR    STOU\r\n'
+            ' APPE    REST    ABOR    USER    PASS    ACCT*   REIN*   LIST\r\n'
+            ' NLST    STAT    SITE    MLSD    MLST\r\n'
+            '214 Direct comments to root@0.0.0.0'
+        )
+        feat_msg = (
+            '211-Features:\r\n'
+            ' MDTM\r\n'
+            ' MFMT\r\n'
+            ' TVFS\r\n'
+            ' UTF8\r\n'
+            ' MFF modify;UNIX.group;UNIX.mode;\r\n'
+            ' MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;\r\n'
+            ' LANG en-US*\r\n'
+            ' REST STREAM\r\n'
+            ' SIZE\r\n'
+            '211 End'
+        )
+        if command == 'USER':
+            self.userReceived = True
+            self.user = args
+            self.send_line('331 Password required for {}.'.format(args))
+        elif command == 'PASS' and self.userReceived:
+            self.report_event('login', self.user, args)
+            self.send_line('530 Login incorrect.')
+            self.userReceived = False
+        elif command == 'OPTS':
+            if args:
+                self.send_line('200 UTF8 set to on')
+            else:
+                self.send_line('501 Invalid number of arguments')
+        elif command == 'NOOP':
+            self.send_line('200 NOOP command successful')
+        elif command == 'SYST':
+            self.send_line('215 UNIX Type: L8')
+        elif command == 'TYPE':
+            if args:
+                arg = args.split(None, 1)[0]
+                if arg.lower() in ['a', 'i', 'l']:
+                    self.send_line('200 Type set to {}'.format(arg.upper()))
+                else:
+                    self.send_line("500 'TYPE {}' not understood".format(arg))
+            else:
+                self.send_line("500 'TYPE' not understood")
+        elif command == 'HOST':
+            if args:
+                arg = args.split(None, 1)[0]
+                self.send_line('504 {}: Unknown hostname provided'.format(arg))
+            else:
+                self.send_line("500 'HOST' not understood")
+        elif command == 'AUTH':
+            if len(args) == 0:
+                self.send_line('504 AUTH requires at least one argument')
+            elif args.upper().strip() not in ['TLS', 'TLS-C', 'SSL', 'TLS-P']:
+                self.send_line('500 AUTH not understood')
+            elif self.is_fttps:
+                self.send_line('200 User is already authenticated.')
+            elif self.cfg['factory_options'] is not None:
+                self.send_line('234 AUTH TLS successful')
+                self.transport.startTLS(self.cfg['factory_options'])
+                self.is_fttps = True
+            else:
+                self.send_line('500 AUTH not understood')
+        elif command == 'CCC':
+            if not self.is_fttps:
+                self.send_line('533 Command channel is alredy cleared')
+            else:
+                self.send_line('200 Clear Command Channel OK')
+                self.transport.stopTLS()
+                self.is_fttps = False
+        elif command == 'HELP':
+            if args:
+                self.process_help(args)
+            else:
+                self.send_line(help_msg)
+        elif command == 'FEAT':
+            self.send_line(feat_msg)
+        elif command == 'QUIT':
+            self.send_line('221 Goodbye.')
+            self.transport.loseConnection()
+        elif command in needs_auth:
+            self.send_line('530 Please login with USER and PASS')
+        else:
+            self.send_line('500 {} not understood'.format(command))
+
+    def process_help(self, args):
+        required_path = [
+            'CWD', 'XCWD', 'RNFR', 'RNTO', 'DELE', 'MDTM', 'STOR',
+            'RMD', 'XRMD', 'MKD', 'XMKD', 'SIZE', 'RETR', 'APPE'
+        ]
+        optional_path = [
+            'LIST', 'STAT', 'MLSD', 'MLST'
+        ]
+        help_texts = {
+            'CDUP': '(up one directory)',
+            'XCUP': '(up one directory)',
+            'SMNT': 'is not implemented',
+            'QUIT': '(close control connection)',
+            'PORT': '<sp> h1,h2,h3,h4,p1,p2',
+            'PASV': '(returns address/port)',
+            'EPRT': '<sp> |proto|addr|port|',
+            'EPSV': '(returns port |||port|)',
+            'ALLO': 'is not implemented (ignored)',
+            'PWD': '(returns current working directory)',
+            'XPWD': '(returns current working directory)',
+            'SYST': '(returns system type)',
+            'HELP': '[<sp> command]',
+            'NOOP': '(no operation)',
+            'FEAT': '(returns feature list)',
+            'OPTS': '<sp> command [<sp> options]',
+            'AUTH': '<sp> base64-data',
+            'CCC': '(clears protection level)',
+            'CONF': '<sp> base64-data',
+            'ENC': '<sp> base64-data',
+            'MIC': '<sp> base64-data',
+            'PBSZ': '<sp> protection buffer size',
+            'PROT': '<sp> protection code',
+            'TYPE': '<sp> type-code (A, I, L 7, L 8)',
+            'STRU': 'is not implemented (always F)',
+            'MODE': 'is not implemented (always S)',
+            'STOU': '(store unique filename)',
+            'REST': '<sp> byte-count',
+            'ABOR': '(abort current operation)',
+            'USER': '<sp> username',
+            'PASS': '<sp> password',
+            'NLST': '[<sp> (pathname)]',
+            'ACCT': 'is not implemented',
+            'REIN': 'is not implemented',
+        }
+        command = args.split(None, 1)[0].upper()
+        if command in required_path:
+            self.send_line('214 Syntax: {} <sp> pathname'.format(command))
+        elif command in optional_path:
+            self.send_line('214 Syntax: {} [<sp> pathname]'.format(command))
+        elif command in help_texts:
+            self.send_line('214 Syntax: {} {}'.format(command, help_texts[command]))
+        elif command == 'SITE':
+            self.send_line('214-HELP\r\n CHGRP\r\n214 CHMOD')
+        else:
+            self.send_line("502 Unknown command '{}'".format(command))
+
+
+class MyFTPFactory(ServerFactory):
+    def __init__(self, cfg):
+        cfg['factory_options'] = None
+        if cfg['cert']:
+            cert_data = ''
+            try:
+                with open(cfg['cert']) as f:
+                    cert_data += f.read()
+            except OSError:
+                msg('Could not read the file "{}".'.format(cfg['cert']))
+            if cert_data:
+                cfg['factory_options'] = PrivateCertificate.loadPEM(cert_data).options()
+        self.cfg = cfg
+
+    def buildProtocol(self, addr):
+        return MyFTPServer(self.cfg)

core/tools.py

@@ -0,0 +1,170 @@
+
+from datetime import datetime
+from ipaddress import ip_address, ip_network
+from os import makedirs, path
+from string import printable as p
+from socket import socket, AF_INET, SOCK_DGRAM
+from sys import version_info
+
+from core.config import CONFIG
+
+from pytz import timezone
+
+from twisted.python.log import msg
+
+try:
+    from urllib.request import urlopen
+except ImportError:
+    from urllib import urlopen
+
+
+if version_info[0] >= 3:
+    def decode(x):
+        return x.decode('utf-8', errors='ignore')
+    def encode(x):
+        return x.encode()
+    def ord(x):
+        return x
+    def to_bytes(x):
+        return bytes(x, 'ascii')
+    def to_int(x):
+        return x
+    def unicode(x):
+        return x
+else:
+    def decode(x):
+        return x
+    def encode(x):
+        return x
+    def to_bytes(x):
+        return bytes(x)
+    def to_int(x):
+        return ord(x)
+
+
+def mkdir(dir_path):
+    if not dir_path:
+        return
+    if path.exists(dir_path) and path.isdir(dir_path):
+        return
+    makedirs(dir_path)
+
+
+def import_plugins(cfg):
+    # Load output modules (inspired by the Cowrie honeypot)
+    msg('Loading the plugins...')
+    output_plugins = []
+    general_options = cfg
+    for x in CONFIG.sections():
+        if not x.startswith('output_'):
+            continue
+        if CONFIG.getboolean(x, 'enabled') is False:
+            continue
+        engine = x.split('_')[1]
+        try:
+            output = __import__('output_plugins.{}'.format(engine),
+                                globals(), locals(), ['output'], 0).Output(general_options)
+            output_plugins.append(output)
+            msg('Loaded output engine: {}'.format(engine))
+        except ImportError as e:
+            msg('Failed to load output engine: {} due to ImportError: {}'.format(engine, e))
+        except Exception as e:
+            msg('Failed to load output engine: {} {}'.format(engine, e))
+    return output_plugins
+
+
+def stop_plugins(cfg):
+    msg('Stoping the plugins...')
+    for plugin in cfg['output_plugins']:
+        try:
+            plugin.stop()
+        except Exception as e:
+            msg(e)
+            continue
+
+
+def get_public_ip(ip_reporter):
+    try:
+        if version_info[0] < 3:
+            return urlopen(ip_reporter).read().decode('latin1', errors='replace').encode('utf-8')
+        else:
+            return decode(urlopen(ip_reporter).read())
+    except:
+        return None
+
+
+def get_local_ip():
+    s = socket(AF_INET, SOCK_DGRAM)
+    try:
+        s.connect(('10.255.255.255', 1))
+        ip = s.getsockname()[0]
+    except:
+        ip = '127.0.0.1'
+    finally:
+        s.close()
+    return ip
+
+
+def get_utc_time(unix_time):
+    return datetime.fromtimestamp(unix_time, tz=timezone('UTC')).isoformat() + 'Z'
+
+
+def printable(x):
+    x = encode(x)
+    if all(c in to_bytes(p) for c in x):
+        return decode(x)
+    else:
+        return ''.join('\\x{:02X}'.format(to_int(c)) for c in x)
+
+
+def write_event(event, cfg):
+    ip = event['src_ip']
+    for network in cfg['blacklist']:
+        if ip_address(unicode(ip)) in ip_network(unicode(network)):
+            return
+    output_plugins = cfg['output_plugins']
+    for plugin in output_plugins:
+        try:
+            plugin.write(event)
+        except Exception as e:
+            msg(e)
+            continue
+
+
+def geolocate(remote_ip, reader_city, reader_asn):
+    try:
+        response_city = reader_city.city(remote_ip)
+        city = response_city.city.name
+        if city is None:
+            city = ''
+        else:
+            city = decode(city.encode('utf-8'))
+        country = response_city.country.name
+        if country is None:
+            country = ''
+            country_code = ''
+        else:
+            country = decode(country.encode('utf-8'))
+            country_code = decode(response_city.country.iso_code.encode('utf-8'))
+    except Exception as e:
+        msg(e)
+        city = ''
+        country = ''
+        country_code = ''
+
+    try:
+        response_asn = reader_asn.asn(remote_ip)
+        if response_asn.autonomous_system_organization is None:
+            org = ''
+        else:
+            org = decode(response_asn.autonomous_system_organization.encode('utf-8'))
+
+        if response_asn.autonomous_system_number is not None:
+            asn_num = response_asn.autonomous_system_number
+        else:
+            asn_num = 0
+    except Exception as e:
+        msg(e)
+        org = ''
+        asn_num = 0
+    return country, country_code, city, org, asn_num