pgsqlpot 2.0.0__py2.py3-none-any.whl

core/config.py

@@ -0,0 +1,50 @@
+
+from configparser import ConfigParser, ExtendedInterpolation
+
+from os import environ
+
+
+def to_environ_key(key):
+    return key.upper()
+
+
+class EnvironmentConfigParser(ConfigParser):
+
+    def has_option(self, section, option):
+        if to_environ_key('_'.join((section, option))) in environ:
+            return True
+        return super(EnvironmentConfigParser, self).has_option(section, option)
+
+    def get(self, section, option, **kwargs):
+        key = to_environ_key('_'.join((section, option)))
+        if key in environ:
+            return environ[key]
+        return super(EnvironmentConfigParser, self).get(section, option, **kwargs)
+
+
+def readConfigFile(cfgfile):
+    """
+    Read config files and return ConfigParser object
+
+    @param cfgfile: filename or array of filenames
+    @return: ConfigParser object
+    """
+    parser = EnvironmentConfigParser(
+        interpolation=ExtendedInterpolation(),
+        converters={'list': lambda x: [i.strip() for i in x.split(',')]}
+    )
+    parser.read(cfgfile)
+    return parser
+
+
+def _config_files():
+    # Import here (not at module top) to avoid any circular-import risk.
+    from core.paths import workdir_path, bundled
+    return [
+        bundled('etc', 'honeypot.cfg.base'),	# bundled read-only defaults
+        workdir_path('etc', 'honeypot.cfg'),	# site-local overrides
+        workdir_path('honeypot.cfg'),		# convenience root-level override
+    ]
+
+
+CONFIG = readConfigFile(_config_files())

core/logfile.py

@@ -0,0 +1,74 @@
+
+from sys import stdout
+from datetime import datetime
+
+from pytz import timezone
+
+from twisted.python import log, util
+from twisted.python.logfile import DailyLogFile
+
+
+class HoneypotDailyLogFile(DailyLogFile):
+    """
+    Overload original Twisted with improved date formatting
+    """
+
+    def suffix(self, tupledate):
+        """
+        Return the suffix given a (year, month, day) tuple or unixtime
+        """
+        try:
+            return "{:02d}-{:02d}-{:02d}".format(tupledate[0], tupledate[1], tupledate[2])
+        except Exception:
+            # try taking a float unixtime
+            return '_'.join(map(str, self.toDate(tupledate)))
+
+
+def myFLOemit(self, eventDict):
+    """
+    Format the given log event as text and write it to the output file.
+
+    @param eventDict: a log event
+    @type eventDict: L{dict} mapping L{str} (native string) to L{object}
+    """
+
+    # Custom emit for FileLogObserver
+    text = log.textFromEventDict(eventDict)
+    if text is None:
+        return
+    timeStr = self.formatTime(eventDict['time'])
+    fmtDict = {
+        'text': text.replace('\n', '\n\t')
+    }
+    msgStr = log._safeFormat('%(text)s\n', fmtDict)
+    util.untilConcludes(self.write, timeStr + ' ' + msgStr)
+    util.untilConcludes(self.flush)
+
+
+def myFLOformatTime(self, when):
+    """
+    Log time in UTC
+
+    By default it's formatted as an ISO8601-like string (ISO8601 date and
+    ISO8601 time separated by a space). It can be customized using the
+    C{timeFormat} attribute, which will be used as input for the underlying
+    L{datetime.datetime.strftime} call.
+
+    @type when: C{int}
+    @param when: POSIX (ie, UTC) timestamp.
+
+    @rtype: C{str}
+    """
+    timeFormatString = self.timeFormat
+    if timeFormatString is None:
+        timeFormatString = '[%Y-%m-%d %H:%M:%S.%fZ]'
+    return datetime.fromtimestamp(when, tz=timezone('UTC')).strftime(timeFormatString)
+
+
+def set_logger(cfg_options):
+    log.FileLogObserver.emit = myFLOemit
+    log.FileLogObserver.formatTime = myFLOformatTime
+    if cfg_options['logfile'] is None:
+        log.startLogging(stdout)
+    else:
+        log.startLogging(HoneypotDailyLogFile.fromFullPath(cfg_options['logfile']), setStdout=False)

core/output.py

@@ -0,0 +1,39 @@
+
+from socket import gethostname
+
+from core.config import CONFIG
+
+
+class Output(object):
+    """
+    Abstract base class intended to be inherited by output plugins.
+    """
+
+    def __init__(self, general_options):
+
+        self.cfg = general_options
+
+        if 'sensor' in self.cfg:
+            self.sensor = self.cfg['sensor']
+        else:
+            self.sensor = CONFIG.get('honeypot', 'sensor_name', fallback=gethostname())
+
+        self.start()
+
+    def start(self):
+        """
+        Abstract method to initialize output plugin
+        """
+        pass
+
+    def stop(self):
+        """
+        Abstract method to shut down output plugin
+        """
+        pass
+
+    def write(self, event):
+        """
+        Handle a general event within the output plugin
+        """
+        pass

core/paths.py

@@ -0,0 +1,53 @@
+"""
+paths.py - Single source of truth for runtime path resolution.
+
+The honeypot needs a "working directory" containing:
+  data/         geolocation databases, SQLite db, etc.
+  etc/          config file (honeypot.cfg.base)
+  log/          rotating log files (created on demand)
+
+Priority for locating the working directory:
+  1. PGSLQPOT_WORKDIR environment variable
+  2. Current working directory
+
+The bundled read-only defaults (etc/*.cfg.base, responses/*.json)
+are installed inside the `pgsqlpot` package and located via the package's
+own __file__ attribute, which works on all Python versions without
+requiring pkg_resources or importlib.resources.
+"""
+
+from __future__ import absolute_import
+
+
+from os import getcwd, environ
+from os.path import abspath, dirname, join
+
+
+def get_workdir():
+    """Return the absolute path to the runtime working directory."""
+    env = environ.get('PGSLQPOT_WORKDIR', '').strip()
+    if env:
+        return abspath(env)
+    return getcwd()
+
+
+def workdir_path(*parts):
+    """Return an absolute path rooted at the working directory."""
+    return join(get_workdir(), *parts)
+
+
+def bundled(*parts):
+    """
+    Return the filesystem path to a file bundled inside the installed package.
+    Arguments are path components relative to the pgsqlpot/data/ directory,
+    passed as separate strings (like os.path.join) to avoid hardcoded separators.
+
+    Uses the package's own __file__ to locate the data directory, which works
+    on all Python versions (2.7+) without requiring pkg_resources or
+    importlib.resources.
+    """
+    # pgsqlpot/data/ lives alongside this module's package (core/ is a sibling
+    # of pgsqlpot/), so we go up one level from core/ to find pgsqlpot/data/.
+    here = dirname(abspath(__file__))
+    package_dir = join(dirname(here), 'pgsqlpot')
+    return join(package_dir, 'data', *parts)

core/protocol.py

@@ -0,0 +1,161 @@
+
+from __future__ import absolute_import
+
+
+from ipaddress import ip_address, ip_network
+from sys import version_info
+from time import time
+from uuid import uuid4
+
+from core.tools import (
+    decode,
+    encode,
+    get_local_ip,
+    get_utc_time,
+    printable,
+    to_int,
+    write_event
+)
+
+from twisted.internet.protocol import Factory, Protocol
+from twisted.python.log import msg
+
+
+if version_info[0] >= 3:
+    def unicode(x):
+        return x
+
+
+class PostgresServer(Protocol):
+    def __init__(self, options):
+        self.cfg = options
+        self._variables = {}
+        self._state = None
+
+    def connectionMade(self):
+        self._state = 1
+        self._variables = {}
+        self.session = uuid4().hex[:12]
+        self.report_event('connect')
+
+    def connectionLost(self, reason):
+        if self._state == 3:
+            username = self._variables['user'] if 'user' in self._variables else ''
+            self.report_event('login', username, '')
+        self.report_event('disconnect', reason.value)
+        self._state = 1
+        self._variables = {}
+
+    def dataReceived(self, data):
+        if self._state == 1:
+            # Client: I'd like to log in
+            # '\x00\x00\x00\x08\x04\xD2\x16\x2F'
+            self._state = 2
+            # Server: Sure, go ahead
+            self.transport.write(b'N')
+        elif self._state == 2:
+            # Client: OK, logging in
+            # '\x00\x00\x00\x36\x00\x03\x00\x00'
+            # Here's the user name, 'foo'
+            # 'user\x00foo\x00'
+            # the database I need access to, 'bar'
+            # 'database\x00bar\x00'
+            # and some other stuff ('application': 'pgcli')
+            # 'application_name\x00pgcli\x00'
+            # End-of-stuff
+            # '\x00'
+            self.read_data_custom(data)
+            self._state = 3
+            # Server: M'kay, send password
+            self.transport.write(b'R\x00\x00\x00\x08\x00\x00\x00\x03')
+        elif self._state == 3:
+            message_type = to_int(data[0])
+            if message_type == 0x70 and 'user' in self._variables:
+                # Client: Here's the password
+                # '\x70\x00\x00\x00\x08'
+                # 'secret\x00'
+                self.read_password_custom(data)
+                self._state = 4
+                username = self._variables['user']
+                password = self._variables['password']
+                self.report_event('login', username, password)
+                # Server: Wrong credentials
+                self.transport.write(
+                    b'E\x00\x00\x00\x64' +
+                    b'SFATAL\x00' +
+                    b'VFATAL\x00' +
+                    b'C28P01\x00' +
+                    b'Mpassword authentication failed for user "' + encode(username) + b'"\x00' +
+                    b'Fauth.c\x00' +
+                    b'L323\x00' +
+                    b'Rauth_failed\x00' +
+                    b'\x00'
+                )
+            # Server: Try again with the correct one
+            self.transport.write(b'R\x00\x00\x00\x08\x00\x00\x00\x03')
+
+    def read_data_custom(self, data):
+        data = decode(data)
+        encoded_list = data[8:-1].split('\x00')
+        self._variables = dict(zip(*([iter(encoded_list)] * 2)))
+
+    def read_password_custom(self, data):
+        data = decode(data)
+        self._variables['password'] = data[5:].split('\x00')[0]
+
+    def report_event(self, operation, username=None, password=None):
+        operation = operation.lower()
+        unix_time = time()
+        peer = self.transport.getPeer()
+        ip = peer.host
+        for network in self.cfg['blacklist']:
+            if ip_address(unicode(ip)) in ip_network(unicode(network)):
+                return
+        port = peer.port
+        event = {
+            'eventid': 'pgsqlpot.' + operation,
+            'operation': operation,
+            'timestamp': get_utc_time(unix_time),
+            'unixtime': unix_time,
+            'src_ip': ip,
+            'src_port': port,
+            'dst_port': self.cfg['port'],
+            'sensor': self.cfg['sensor'],
+            'dst_ip': self.cfg['public_ip'] if self.cfg['report_public_ip'] else get_local_ip(),
+            'session': self.session
+        }
+        if operation == 'login':
+            event['username'] = printable(username)
+            event['password'] = printable(password)
+            self._variables = {
+                printable(key): printable(value)
+                for key, value in self._variables.items()
+                if key not in ['user', 'password']
+            }
+            if self._variables:
+                event['variables'] = self._variables
+            message = 'Login with username: "{}", password: "{}" from {}:{}.'.format(
+                event['username'],
+                event['password'],
+                ip,
+                port
+            )
+        elif operation == 'connect':
+            message = 'Connection made from {}:{}.'.format(ip, port)
+        elif operation == 'disconnect':
+            message = '{}:{} disconnected. Reason: {}'.format(ip, port, username)
+        else:
+            command = printable(username)
+            if password:
+                command += ' ' + printable(password)
+            message = 'Unknown operation "{}" from {}:{}.'.format(command, ip, port)
+        msg(message)
+        write_event(event, self.cfg)
+
+
+class PostgresFactory(Factory):
+    def __init__(self, cfg):
+        self.cfg = cfg
+
+    def buildProtocol(self, addr):
+        return PostgresServer(self.cfg)

core/tools.py

@@ -0,0 +1,170 @@
+
+from datetime import datetime
+from ipaddress import ip_address, ip_network
+from os import makedirs, path
+from string import printable as p
+from socket import socket, AF_INET, SOCK_DGRAM
+from sys import version_info
+
+from core.config import CONFIG
+
+from pytz import timezone
+
+from twisted.python.log import msg
+
+try:
+    from urllib.request import urlopen
+except ImportError:
+    from urllib import urlopen
+
+
+if version_info[0] >= 3:
+    def decode(x):
+        return x.decode('utf-8', errors='ignore')
+    def encode(x):
+        return x.encode()
+    def ord(x):
+        return x
+    def to_bytes(x):
+        return bytes(x, 'ascii')
+    def to_int(x):
+        return x
+    def unicode(x):
+        return x
+else:
+    def decode(x):
+        return x
+    def encode(x):
+        return x
+    def to_bytes(x):
+        return bytes(x)
+    def to_int(x):
+        return ord(x)
+
+
+def mkdir(dir_path):
+    if not dir_path:
+        return
+    if path.exists(dir_path) and path.isdir(dir_path):
+        return
+    makedirs(dir_path)
+
+
+def import_plugins(cfg):
+    # Load output modules (inspired by the Cowrie honeypot)
+    msg('Loading the plugins...')
+    output_plugins = []
+    general_options = cfg
+    for x in CONFIG.sections():
+        if not x.startswith('output_'):
+            continue
+        if CONFIG.getboolean(x, 'enabled') is False:
+            continue
+        engine = x.split('_')[1]
+        try:
+            output = __import__('output_plugins.{}'.format(engine),
+                                globals(), locals(), ['output'], 0).Output(general_options)
+            output_plugins.append(output)
+            msg('Loaded output engine: {}'.format(engine))
+        except ImportError as e:
+            msg('Failed to load output engine: {} due to ImportError: {}'.format(engine, e))
+        except Exception as e:
+            msg('Failed to load output engine: {} {}'.format(engine, e))
+    return output_plugins
+
+
+def stop_plugins(cfg):
+    msg('Stoping the plugins...')
+    for plugin in cfg['output_plugins']:
+        try:
+            plugin.stop()
+        except Exception as e:
+            msg(e)
+            continue
+
+
+def get_public_ip(ip_reporter):
+    try:
+        if version_info[0] < 3:
+            return urlopen(ip_reporter).read().decode('latin1', errors='replace').encode('utf-8')
+        else:
+            return decode(urlopen(ip_reporter).read())
+    except:
+        return None
+
+
+def get_local_ip():
+    s = socket(AF_INET, SOCK_DGRAM)
+    try:
+        s.connect(('10.255.255.255', 1))
+        ip = s.getsockname()[0]
+    except:
+        ip = '127.0.0.1'
+    finally:
+        s.close()
+    return ip
+
+
+def get_utc_time(unix_time):
+    return datetime.fromtimestamp(unix_time, tz=timezone('UTC')).isoformat() + 'Z'
+
+
+def printable(x):
+    x = encode(x)
+    if all(c in to_bytes(p) for c in x):
+        return decode(x)
+    else:
+        return ''.join('\\x{:02X}'.format(to_int(c)) for c in x)
+
+
+def write_event(event, cfg):
+    ip = event['src_ip']
+    for network in cfg['blacklist']:
+        if ip_address(unicode(ip)) in ip_network(unicode(network)):
+            return
+    output_plugins = cfg['output_plugins']
+    for plugin in output_plugins:
+        try:
+            plugin.write(event)
+        except Exception as e:
+            msg(e)
+            continue
+
+
+def geolocate(remote_ip, reader_city, reader_asn):
+    try:
+        response_city = reader_city.city(remote_ip)
+        city = response_city.city.name
+        if city is None:
+            city = ''
+        else:
+            city = decode(city.encode('utf-8'))
+        country = response_city.country.name
+        if country is None:
+            country = ''
+            country_code = ''
+        else:
+            country = decode(country.encode('utf-8'))
+            country_code = decode(response_city.country.iso_code.encode('utf-8'))
+    except Exception as e:
+        msg(e)
+        city = ''
+        country = ''
+        country_code = ''
+
+    try:
+        response_asn = reader_asn.asn(remote_ip)
+        if response_asn.autonomous_system_organization is None:
+            org = ''
+        else:
+            org = decode(response_asn.autonomous_system_organization.encode('utf-8'))
+
+        if response_asn.autonomous_system_number is not None:
+            asn_num = response_asn.autonomous_system_number
+        else:
+            asn_num = 0
+    except Exception as e:
+        msg(e)
+        org = ''
+        asn_num = 0
+    return country, country_code, city, org, asn_num

output_plugins/couch.py

@@ -0,0 +1,68 @@
+
+from __future__ import absolute_import
+
+from core import output
+from core.config import CONFIG
+from core.tools import geolocate
+
+from couchdb import Server
+from geoip2.database import Reader
+
+from twisted.python.log import msg
+
+class Output(output.Output):
+
+    def start(self):
+        host = CONFIG.get('output_couch', 'host', fallback='localhost')
+        port = CONFIG.getint('output_couch', 'port', fallback=5984)
+        username = CONFIG.get('output_couch', 'username', fallback='pgsqlpot', raw=True)
+        password = CONFIG.get('output_couch', 'password', fallback='', raw=True)
+        db_name = CONFIG.get('output_couch', 'database', fallback='pgsqlpot')
+
+        try:
+            couchserver = Server('http://{}:{}@{}:{}'.format(username, password, host, port))
+
+            if db_name in couchserver:
+                self.couch_db = couchserver[db_name]
+            else:
+                self.couch_db = couchserver.create(db_name)
+        except Exception as e:
+            msg('output_couch: Error: {}'.format(e))
+
+        self.geoip = CONFIG.getboolean('output_couch', 'geoip', fallback=True)
+
+        if self.geoip:
+            geoipdb_city_path = CONFIG.get('output_couch', 'geoip_citydb', fallback='data/GeoLite2-City.mmdb')
+            geoipdb_asn_path = CONFIG.get('output_couch', 'geoip_asndb', fallback='data/GeoLite2-ASN.mmdb')
+            try:
+                self.reader_city = Reader(geoipdb_city_path)
+            except:
+                self.reader_city = None
+                msg('Failed to open City GeoIP database {}'.format(geoipdb_city_path))
+
+            try:
+                self.reader_asn = Reader(geoipdb_asn_path)
+            except:
+                self.reader_asn = None
+                msg('Failed to open ASN GeoIP database {}'.format(geoipdb_asn_path))
+
+    def stop(self):
+        if self.geoip:
+            if self.reader_city is not None:
+                self.reader_city.close()
+            if self.reader_asn is not None:
+                self.reader_asn.close()
+
+    def write(self, event):
+        if self.geoip:
+            country, country_code, city, org, asn_num = geolocate(event['src_ip'], self.reader_city, self.reader_asn)
+            event['country'] = country
+            event['country_code'] = country_code
+            event['city'] = city
+            event['org'] = org
+            event['asn'] = asn_num
+
+        try:
+            self.couch_db.save(event)
+        except Exception as e:
+            msg('output_couch: Error: {}'.format(e))

output_plugins/datadog.py

@@ -0,0 +1,74 @@
+"""
+Simple Datadog HTTP logger.
+"""
+
+from __future__ import absolute_import
+
+from io import BytesIO
+from json import dumps
+from platform import node
+
+from core import output
+from core.config import CONFIG
+from core.tools import to_bytes
+
+from twisted.internet import reactor
+from twisted.python.log import msg
+from twisted.web import client, http_headers
+from twisted.web.client import FileBodyProducer
+from twisted.internet.ssl import ClientContextFactory
+
+
+class WebClientContextFactory(ClientContextFactory):
+    def getContext(self, hostname, port):
+        return ClientContextFactory.getContext(self)
+
+
+class QuietHTTP11ClientFactory(client._HTTP11ClientFactory):
+    noisy = False
+
+
+class Output(output.Output):
+    def start(self):
+        self.url = CONFIG.get('output_datadog', 'url')
+        self.api_key = CONFIG.get('output_datadog', 'api_key', fallback='')
+        if len(self.api_key) == 0:
+            msg('Datadog output module: API key is not defined.')
+        self.ddsource = CONFIG.get('output_datadog', 'ddsource', fallback='pgsqlpot')
+        self.ddtags = CONFIG.get('output_datadog', 'ddtags', fallback='env:dev')
+        self.service = CONFIG.get('output_datadog', 'service', fallback='honeypot')
+        self.hostname = CONFIG.get('output_datadog', 'hostname', fallback=node())
+
+        contextFactory = WebClientContextFactory()
+        myQuietPool = client.HTTPConnectionPool(reactor)
+        myQuietPool._factory = QuietHTTP11ClientFactory
+        self.agent = client.Agent(reactor, contextFactory=contextFactory, pool=myQuietPool)
+
+    def stop(self):
+        pass
+
+    def write(self, event):
+        messg = '{} INFO [MS-SQL Pot on {} ({})] {} from {}:{}'.format(
+            event['timestamp'], event['sensor'], event['session'],
+            event['operation'].capitalize(), event['src_ip'], event['dst_port']
+        )
+        if event['operation'].lower() == 'login':
+            messg += ', username: "{}", password: "{}"'.format(event['username'], event['password'])
+        messg += '.'
+        event['message'] = messg
+        event['ddsource'] = self.ddsource
+        event['ddtags'] = self.ddtags
+        event['hostname'] = self.hostname
+        event['service'] = self.service
+        self.postentry(event)
+
+    def postentry(self, entry):
+        base_headers = {
+            b'Accept': [b'application/json'],
+            b'Content-Type': [b'application/json'],
+            b'DD-API-KEY': [to_bytes(self.api_key)],
+        }
+        headers = http_headers.Headers(base_headers)
+        body = FileBodyProducer(BytesIO(to_bytes(dumps(entry, sort_keys=True))))
+        self.agent.request(b'POST', to_bytes(self.url), headers, body)
+