mssqlpot 2.0.0__py2.py3-none-any.whl

core/config.py

@@ -0,0 +1,50 @@
+
+from configparser import ConfigParser, ExtendedInterpolation
+
+from os import environ
+
+
+def to_environ_key(key):
+    return key.upper()
+
+
+class EnvironmentConfigParser(ConfigParser):
+
+    def has_option(self, section, option):
+        if to_environ_key('_'.join((section, option))) in environ:
+            return True
+        return super(EnvironmentConfigParser, self).has_option(section, option)
+
+    def get(self, section, option, **kwargs):
+        key = to_environ_key('_'.join((section, option)))
+        if key in environ:
+            return environ[key]
+        return super(EnvironmentConfigParser, self).get(section, option, **kwargs)
+
+
+def readConfigFile(cfgfile):
+    """
+    Read config files and return ConfigParser object
+
+    @param cfgfile: filename or array of filenames
+    @return: ConfigParser object
+    """
+    parser = EnvironmentConfigParser(
+        interpolation=ExtendedInterpolation(),
+        converters={'list': lambda x: [i.strip() for i in x.split(',')]}
+    )
+    parser.read(cfgfile)
+    return parser
+
+
+def _config_files():
+    # Import here (not at module top) to avoid any circular-import risk.
+    from core.paths import workdir_path, bundled
+    return [
+        bundled('etc', 'honeypot.cfg.base'),	# bundled read-only defaults
+        workdir_path('etc', 'honeypot.cfg'),	# site-local overrides
+        workdir_path('honeypot.cfg'),		# convenience root-level override
+    ]
+
+
+CONFIG = readConfigFile(_config_files())

core/logfile.py

@@ -0,0 +1,74 @@
+
+from sys import stdout
+from datetime import datetime
+
+from pytz import timezone
+
+from twisted.python import log, util
+from twisted.python.logfile import DailyLogFile
+
+
+class HoneypotDailyLogFile(DailyLogFile):
+    """
+    Overload original Twisted with improved date formatting
+    """
+
+    def suffix(self, tupledate):
+        """
+        Return the suffix given a (year, month, day) tuple or unixtime
+        """
+        try:
+            return "{:02d}-{:02d}-{:02d}".format(tupledate[0], tupledate[1], tupledate[2])
+        except Exception:
+            # try taking a float unixtime
+            return '_'.join(map(str, self.toDate(tupledate)))
+
+
+def myFLOemit(self, eventDict):
+    """
+    Format the given log event as text and write it to the output file.
+
+    @param eventDict: a log event
+    @type eventDict: L{dict} mapping L{str} (native string) to L{object}
+    """
+
+    # Custom emit for FileLogObserver
+    text = log.textFromEventDict(eventDict)
+    if text is None:
+        return
+    timeStr = self.formatTime(eventDict['time'])
+    fmtDict = {
+        'text': text.replace('\n', '\n\t')
+    }
+    msgStr = log._safeFormat('%(text)s\n', fmtDict)
+    util.untilConcludes(self.write, timeStr + ' ' + msgStr)
+    util.untilConcludes(self.flush)
+
+
+def myFLOformatTime(self, when):
+    """
+    Log time in UTC
+
+    By default it's formatted as an ISO8601-like string (ISO8601 date and
+    ISO8601 time separated by a space). It can be customized using the
+    C{timeFormat} attribute, which will be used as input for the underlying
+    L{datetime.datetime.strftime} call.
+
+    @type when: C{int}
+    @param when: POSIX (ie, UTC) timestamp.
+
+    @rtype: C{str}
+    """
+    timeFormatString = self.timeFormat
+    if timeFormatString is None:
+        timeFormatString = '[%Y-%m-%d %H:%M:%S.%fZ]'
+    return datetime.fromtimestamp(when, tz=timezone('UTC')).strftime(timeFormatString)
+
+
+def set_logger(cfg_options):
+    log.FileLogObserver.emit = myFLOemit
+    log.FileLogObserver.formatTime = myFLOformatTime
+    if cfg_options['logfile'] is None:
+        log.startLogging(stdout)
+    else:
+        log.startLogging(HoneypotDailyLogFile.fromFullPath(cfg_options['logfile']), setStdout=False)

core/output.py

@@ -0,0 +1,39 @@
+
+from socket import gethostname
+
+from core.config import CONFIG
+
+
+class Output(object):
+    """
+    Abstract base class intended to be inherited by output plugins.
+    """
+
+    def __init__(self, general_options):
+
+        self.cfg = general_options
+
+        if 'sensor' in self.cfg:
+            self.sensor = self.cfg['sensor']
+        else:
+            self.sensor = CONFIG.get('honeypot', 'sensor_name', fallback=gethostname())
+
+        self.start()
+
+    def start(self):
+        """
+        Abstract method to initialize output plugin
+        """
+        pass
+
+    def stop(self):
+        """
+        Abstract method to shut down output plugin
+        """
+        pass
+
+    def write(self, event):
+        """
+        Handle a general event within the output plugin
+        """
+        pass

core/paths.py

@@ -0,0 +1,53 @@
+"""
+paths.py - Single source of truth for runtime path resolution.
+
+The honeypot needs a "working directory" containing:
+  data/         geolocation databases, SQLite db, etc.
+  etc/          config file (honeypot.cfg.base)
+  log/          rotating log files (created on demand)
+
+Priority for locating the working directory:
+  1. MSSQLPOT_WORKDIR environment variable
+  2. Current working directory
+
+The bundled read-only defaults (etc/*.cfg.base, responses/*.json)
+are installed inside the `mssqlpot` package and located via the package's
+own __file__ attribute, which works on all Python versions without
+requiring pkg_resources or importlib.resources.
+"""
+
+from __future__ import absolute_import
+
+
+from os import getcwd, environ
+from os.path import abspath, dirname, join
+
+
+def get_workdir():
+    """Return the absolute path to the runtime working directory."""
+    env = environ.get('MSSQLPOT_WORKDIR', '').strip()
+    if env:
+        return abspath(env)
+    return getcwd()
+
+
+def workdir_path(*parts):
+    """Return an absolute path rooted at the working directory."""
+    return join(get_workdir(), *parts)
+
+
+def bundled(*parts):
+    """
+    Return the filesystem path to a file bundled inside the installed package.
+    Arguments are path components relative to the mssqlpot/data/ directory,
+    passed as separate strings (like os.path.join) to avoid hardcoded separators.
+
+    Uses the package's own __file__ to locate the data directory, which works
+    on all Python versions (2.7+) without requiring pkg_resources or
+    importlib.resources.
+    """
+    # mssqlpot/data/ lives alongside this module's package (core/ is a sibling
+    # of mssqlpot/), so we go up one level from core/ to find mssqlpot/data/.
+    here = dirname(abspath(__file__))
+    package_dir = join(dirname(here), 'mssqlpot')
+    return join(package_dir, 'data', *parts)

core/protocol.py

@@ -0,0 +1,143 @@
+
+from __future__ import absolute_import
+
+from binascii import hexlify, unhexlify
+from ipaddress import ip_address, ip_network
+from struct import pack, unpack
+from sys import version_info
+from time import time
+from uuid import uuid4
+
+from core.tools import (
+    decode,
+    get_local_ip,
+    get_utc_time,
+    write_event
+)
+
+from twisted.internet.protocol import Factory, Protocol
+from twisted.python.log import msg
+
+
+if version_info[0] >= 3:
+    def unicode(x):
+        return x
+    def ord(x):
+        return x
+
+
+class PacketType:
+    login = 0x10
+    pre_login = 0x12
+
+
+class MSSQLServer(Protocol):
+    def __init__(self, options):
+        self.cfg = options
+        self.state = None
+
+    def dataReceived(self, data):
+        if self.state == 1:
+            version = '11000000'
+            packet_type = ord(data[0])
+            if packet_type == PacketType.pre_login:
+                self.transport.write(
+                    unhexlify(
+                        '0401002500000100000015000601001b000102'
+                        '001c000103001d0000ff' + version + '00000200'
+                    )
+                )
+            elif packet_type == PacketType.login:
+                self.handle_login(data)
+            else:
+                self.transport.loseConnection()
+
+    def connectionMade(self):
+        self.state = 1
+        self.session = uuid4().hex[:12]
+        peer = self.transport.getPeer()
+        self.report_event(self.session, 'connect', peer.host, peer.port)
+
+    def connectionLost(self, reason):
+        peer = self.transport.getPeer()
+        self.report_event(self.session, 'disconnect', peer.host, peer.port, reason.value)
+        self.state = None
+        self.session = None
+
+    def handle_login(self, data):
+        value_start, value_length = unpack('=HH', data[48:52])
+        username = decode(data[8 + value_start : 8 + value_start + (value_length * 2)].replace(b'\x00', b''))
+        value_start, value_length = unpack('=HH', data[52:56])
+        password = data[8 + value_start : 8 + value_start + (value_length * 2)]
+        password = password.replace(b'\x00', b'').replace(b'\xa5', b'')
+        password_decrypted = ''
+        for x in password:
+            password_decrypted += chr(((ord(x) ^ 0xA5) & 0x0F) << 4 | ((ord(x) ^ 0xA5) & 0xF0) >> 4)
+        peer = self.transport.getPeer()
+        self.report_event(self.session, 'login', peer.host, peer.port, username, password_decrypted)
+        payload = self.create_payload(server_name=self.cfg['server_name'], token_error_msg='Login Failed', error_code=18456)
+        self.transport.write(payload)
+
+    def create_payload(self, server_name='', token_error_msg='', error_code=2):
+        if token_error_msg == '':
+            token_error_msg = 'An error has occurred while establishing a connection to the server.'
+        server_name_hex_len = hexlify(pack('b', len(server_name)))
+        token_error_msg_hex_len = hexlify(pack('<H', len(token_error_msg)))
+        error_code_hex = hexlify(pack('<I', error_code))
+        token_error_hex = (
+            error_code_hex
+            + b'010e'
+            + token_error_msg_hex_len
+            + hexlify(token_error_msg.encode('utf-16-le'))
+            + server_name_hex_len
+            + hexlify(server_name.encode('utf-16-le'))
+            + b'0001000000'
+        )
+        token_done_hex = b'fd020000000000000000000000'
+        token_error_len = hexlify(pack('<H', len(unhexlify(token_error_hex))))
+        data_stream = (
+            b'0401007600350100aa'
+            + token_error_len
+            + token_error_hex
+            + token_done_hex
+        )
+        data_len = hexlify(pack('>H', len(unhexlify(data_stream))))
+        return unhexlify(data_stream[0:4] + data_len + data_stream[8:])
+
+    def report_event(self, session, operation, ip, port, username=None, password=None):
+        for network in self.cfg['blacklist']:
+            if ip_address(unicode(ip)) in ip_network(unicode(network)):
+                return
+        event = {}
+        event['session'] = session
+        unix_time = time()
+        operation = operation.lower()
+        if operation == 'login':
+            event['username'] = username
+            event['password'] = password
+            message = 'Login with username: "{}", password: "{}" from {}:{}.'.format(username, password, ip, port)
+        elif operation == 'connect':
+            message = 'Connection made from {}:{}.'.format(ip, port)
+        elif operation == 'disconnect':
+            message = '{}:{} disconnected. Reason: {}'.format(ip, port, username)
+        else:
+            message = 'Error: Unknown operation "{}".'.format(operation)
+        event['eventid'] = 'mssqlpot.' + operation
+        event['operation'] = operation
+        event['timestamp'] = get_utc_time(unix_time)
+        event['unixtime'] = unix_time
+        event['src_ip'] = ip
+        event['src_port'] = port
+        event['dst_port'] = self.cfg['port']
+        event['sensor'] = self.cfg['sensor']
+        event['dst_ip'] = self.cfg['public_ip'] if self.cfg['report_public_ip'] else get_local_ip()
+        msg(message)
+        write_event(event, self.cfg)
+
+
+class MSSQLFactory(Factory):
+    def __init__(self, options):
+        self.cfg = options
+
+    def buildProtocol(self, addr):
+        return MSSQLServer(self.cfg)

core/tools.py

@@ -0,0 +1,157 @@
+
+from datetime import datetime
+from ipaddress import ip_address, ip_network
+from os import makedirs, path
+from socket import socket, AF_INET, SOCK_DGRAM
+from sys import version_info
+
+from core.config import CONFIG
+
+from pytz import timezone
+
+from twisted.python.log import msg
+
+try:
+    from urllib.request import urlopen
+except ImportError:
+    from urllib import urlopen
+
+
+if version_info[0] >= 3:
+    def decode(x):
+        return x.decode('utf-8', errors='ignore')
+    def encode(x):
+        return x.encode()
+    def ord(x):
+        return x
+    def to_bytes(x):
+        return bytes(x, 'ascii')
+    def unicode(x):
+        return x
+else:
+    def decode(x):
+        return x
+    def encode(x):
+        return x
+    def to_bytes(x):
+        return bytes(x)
+
+
+def mkdir(dir_path):
+    if not dir_path:
+        return
+    if path.exists(dir_path) and path.isdir(dir_path):
+        return
+    makedirs(dir_path)
+
+
+def import_plugins(cfg):
+    # Load output modules (inspired by the Cowrie honeypot)
+    msg('Loading the plugins...')
+    output_plugins = []
+    general_options = cfg
+    for x in CONFIG.sections():
+        if not x.startswith('output_'):
+            continue
+        if CONFIG.getboolean(x, 'enabled') is False:
+            continue
+        engine = x.split('_')[1]
+        try:
+            output = __import__('output_plugins.{}'.format(engine),
+                                globals(), locals(), ['output'], 0).Output(general_options)
+            output_plugins.append(output)
+            msg('Loaded output engine: {}'.format(engine))
+        except ImportError as e:
+            msg('Failed to load output engine: {} due to ImportError: {}'.format(engine, e))
+        except Exception as e:
+            msg('Failed to load output engine: {} {}'.format(engine, e))
+    return output_plugins
+
+
+def stop_plugins(cfg):
+    msg('Stoping the plugins...')
+    for plugin in cfg['output_plugins']:
+        try:
+            plugin.stop()
+        except Exception as e:
+            msg(e)
+            continue
+
+
+def get_public_ip(ip_reporter):
+    try:
+        if version_info[0] < 3:
+            return urlopen(ip_reporter).read().decode('latin1', errors='replace').encode('utf-8')
+        else:
+            return decode(urlopen(ip_reporter).read())
+    except:
+        return None
+
+
+def get_local_ip():
+    s = socket(AF_INET, SOCK_DGRAM)
+    try:
+        s.connect(('10.255.255.255', 1))
+        ip = s.getsockname()[0]
+    except:
+        ip = '127.0.0.1'
+    finally:
+        s.close()
+    return ip
+
+
+def get_utc_time(unix_time):
+    return datetime.fromtimestamp(unix_time, tz=timezone('UTC')).isoformat() + 'Z'
+
+
+def write_event(event, cfg):
+    ip = event['src_ip']
+    for network in cfg['blacklist']:
+        if ip_address(unicode(ip)) in ip_network(unicode(network)):
+            return
+    output_plugins = cfg['output_plugins']
+    for plugin in output_plugins:
+        try:
+            plugin.write(event)
+        except Exception as e:
+            msg(e)
+            continue
+
+
+def geolocate(remote_ip, reader_city, reader_asn):
+    try:
+        response_city = reader_city.city(remote_ip)
+        city = response_city.city.name
+        if city is None:
+            city = ''
+        else:
+            city = decode(city.encode('utf-8'))
+        country = response_city.country.name
+        if country is None:
+            country = ''
+            country_code = ''
+        else:
+            country = decode(country.encode('utf-8'))
+            country_code = decode(response_city.country.iso_code.encode('utf-8'))
+    except Exception as e:
+        msg(e)
+        city = ''
+        country = ''
+        country_code = ''
+
+    try:
+        response_asn = reader_asn.asn(remote_ip)
+        if response_asn.autonomous_system_organization is None:
+            org = ''
+        else:
+            org = decode(response_asn.autonomous_system_organization.encode('utf-8'))
+
+        if response_asn.autonomous_system_number is not None:
+            asn_num = response_asn.autonomous_system_number
+        else:
+            asn_num = 0
+    except Exception as e:
+        msg(e)
+        org = ''
+        asn_num = 0
+    return country, country_code, city, org, asn_num

mssqlpot/__init__.py

@@ -0,0 +1,25 @@
+# mssqlpot: the installable Python package for the mssqlpot honeypot.
+#
+# After `pip install mssqlpot`, use the `mssqlpot` command:
+#
+#   mssqlpot init    -- scaffold a working directory
+#   mssqlpot run     -- start the honeypot in the foreground
+#   mssqlpot start   -- start the honeypot in the background
+#   mssqlpot stop    -- stop the background honeypot
+#   mssqlpot restart -- restart the honeypot (stop and start the honeypot in
+#                       the background)
+#   mssqlpot status  -- show running status
+#
+# NOTE: mssqlpot/honeypot.py is generated at build time by the build_py
+# hook in setup.py - it is a copy of the top-level honeypot.py bundled so
+# that the `mssqlpot run/start` entry point can locate and run it.
+# It is listed in .gitignore and should not be committed.
+#
+# Contents:
+#   cli.py        the `mssqlpot` console entry point (init/run/start/stop/status)
+#   honeypot.py   the main honeypot script (copied from repo root at build time)
+#   data/         bundled read-only assets copied to the working directory
+#                 by `mssqlpot init`:
+#     docs/       documentation and SQL schema files
+#     etc/        default configuration templates
+#     test/       test.py for verifying a running honeypot