pgsqlpot 2.0.0__py2.py3-none-any.whl

output_plugins/socketlog.py

@@ -0,0 +1,40 @@
+
+from __future__ import absolute_import
+
+from json import dumps
+from socket import socket, AF_INET, SOCK_STREAM
+
+from core import output
+from core.config import CONFIG
+from core.tools import encode
+
+
+class Output(output.Output):
+    """
+    socketlog output
+    """
+
+    def start(self):
+        timeout = CONFIG.getint('output_socketlog', 'timeout')
+        addr = CONFIG.get('output_socketlog', 'address')
+        host = addr.split(':')[0]
+        port = int(addr.split(':')[1])
+
+        self.sock = socket(AF_INET, SOCK_STREAM)
+        self.sock.settimeout(timeout)
+        self.sock.connect((host, port))
+
+    def stop(self):
+        self.sock.close()
+
+    def write(self, event):
+        message = dumps(event, sort_keys=True) + '\n'
+
+        try:
+            self.sock.sendall(encode(message))
+        except OSError as ex:
+            if ex.errno == 32:  # Broken pipe
+                self.start()
+                self.sock.sendall(encode(message))
+            else:
+                raise

output_plugins/sqlite.py

@@ -0,0 +1,141 @@
+
+from __future__ import absolute_import
+
+from core import output
+from core.config import CONFIG
+from core.tools import geolocate
+
+from geoip2.database import Reader
+from sqlite3 import OperationalError, IntegrityError
+
+from twisted.enterprise.adbapi import ConnectionPool
+from twisted.python.log import msg
+
+
+class Output(output.Output):
+
+    def start(self):
+        db_name = CONFIG.get('output_sqlite', 'db_file', fallback='data/pgsqlpot.db')
+        self.debug = CONFIG.getboolean('output_sqlite', 'debug', fallback=False)
+        self.geoip = CONFIG.getboolean('output_sqlite', 'geoip', fallback=True)
+
+        try:
+            self.db = ConnectionPool(
+                'sqlite3',
+                database=db_name,
+                check_same_thread=False
+            )
+        except OperationalError as e:
+            msg(e)
+
+        self.db.start()
+
+        if self.geoip:
+            geoipdb_city_path = CONFIG.get('output_sqlite', 'geoip_citydb', fallback='data/GeoLite2-City.mmdb')
+            geoipdb_asn_path = CONFIG.get('output_sqlite', 'geoip_asndb', fallback='data/GeoLite2-ASN.mmdb')
+
+            try:
+                self.reader_city = Reader(geoipdb_city_path)
+            except Exception:
+                self.reader_city = None
+                msg('Failed to open City GeoIP database {}'.format(geoipdb_city_path))
+            try:
+                self.reader_asn = Reader(geoipdb_asn_path)
+            except Exception:
+                self.reader_asn = None
+                msg('Failed to open ASN GeoIP database {}'.format(geoipdb_asn_path))
+
+    def stop(self):
+        if self.geoip:
+            if self.reader_city is not None:
+                self.reader_city.close()
+            if self.reader_asn is not None:
+                self.reader_asn.close()
+
+    def write(self, event):
+        self.db.runInteraction(self.connect_event, event)
+
+    def simple_query(self, txn, sql, args):
+        if self.debug:
+            if len(args):
+                msg('output_sqlite: SQLite3 query: {} {}'.format(sql, repr(args)))
+            else:
+                msg('output_sqlite: SQLite3 query: {}'.format(sql))
+        try:
+            if len(args):
+                txn.execute(sql, args)
+            else:
+                txn.execute(sql)
+            result = txn.fetchall()
+        except IntegrityError as e:
+            result = None
+        except Exception as e:
+            msg('output_sqlite: SQLite3 Error: {}'.format(e))
+            result = None
+        return result
+
+    def get_id(self, txn, table, column, entry):
+        r = self.simple_query(txn, "SELECT `id` FROM `{}` WHERE `{}` = ?".format(table, column), (entry, ))
+        if r:
+            id = r[0][0]
+        else:
+            self.simple_query(txn, "INSERT INTO `{}` (`{}`) VALUES (?)".format(table, column), (entry, ))
+            r = self.simple_query(txn, 'SELECT LAST_INSERT_ROWID()', ())
+            if r:
+                id = int(r[0][0])
+            else:
+                id = 0
+        return id
+
+    def connect_event(self, txn, event):
+        remote_ip = event['src_ip']
+
+        operation_id = self.get_id(txn, 'operations', 'op_name', event['operation'])
+        sensor_id = self.get_id(txn, 'sensors', 'name', event['sensor'])
+
+        self.simple_query(txn,
+            """
+            INSERT INTO `connections` (`session`, `timestamp`, `operation`, `ip`, `remote_port`, `local_host`, `local_port`, `sensor`)
+            VALUES (?, DATETIME(?, 'unixepoch', 'localtime'), ?, ?, ?, ?, ?, ?)
+            """,
+            (event['session'], event['unixtime'], operation_id, remote_ip, event['src_port'],
+             event['dst_ip'], event['dst_port'], sensor_id, ))
+        
+        if event['operation'].lower() == 'login':
+            usr_id = self.get_id(txn, 'usernames', 'username', event['username'])
+            pwd_id = self.get_id(txn, 'passwords', 'password', event['password'])
+            self.simple_query(txn,
+            """
+                INSERT INTO `credentials` (`session`, `username`, `password`) VALUES(?, ?, ?)
+            """,
+            (event['session'], usr_id, pwd_id, ))
+            if 'variables' in event:
+                for key, value in event['variables'].items():
+                    var_id = self.get_id(txn, 'vars', 'var_name', key)
+                    val_id = self.get_id(txn, 'var_values', 'var_value', value)
+                    self.simple_query(txn,
+                    """
+                        INSERT INTO `variables` (`session`, `var`, `val`) VALUES(?, ?, ?)
+                    """,
+                    (event['session'], var_id, val_id, ))
+
+        if self.geoip:
+            country, country_code, city, org, asn_num = geolocate(remote_ip, self.reader_city, self.reader_asn)
+            result = self.simple_query(txn,
+                """
+                INSERT INTO `geolocation` (`ip`, `country_name`, `country_iso_code`, `city_name`, `org`, `org_asn`)
+                VALUES (?, ?, ?, ?, ?, ?)
+                """,
+                (remote_ip, country, country_code, city, org, asn_num, ))
+            if result is None:
+                self.simple_query(txn,
+                    """
+                    UPDATE `geolocation` SET
+                        `country_name` = ?,
+                        `country_iso_code` = ?,
+                        `city_name` = ?,
+                        `org` = ?,
+                        `org_asn` = ?
+                    WHERE `ip` = ?
+                    """,
+                    (country, country_code, city, org, asn_num, remote_ip, ))

output_plugins/telegram.py

@@ -0,0 +1,141 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+# Simple Telegram Bot logger
+
+from __future__ import absolute_import
+
+from json import loads
+from time import gmtime, strftime, time
+
+from core import output
+from core.config import CONFIG
+from core.tools import decode, encode
+
+try:
+    from urllib import quote_plus
+except ImportError:
+    from urllib.parse import quote_plus
+
+from twisted.internet import reactor
+from twisted.internet.ssl import ClientContextFactory
+from twisted.internet.task import deferLater
+from twisted.python.log import msg
+from twisted.web.client import (
+    Agent,
+    HTTPConnectionPool,
+    _HTTP11ClientFactory,
+    readBody
+)
+from twisted.web.http_headers import Headers
+
+
+class WebClientContextFactory(ClientContextFactory):
+
+    def getContext(self, hostname, port):
+        return ClientContextFactory.getContext(self)
+
+
+class QuietHTTP11ClientFactory(_HTTP11ClientFactory):
+    noisy = False
+
+
+class Output(output.Output):
+    """
+    Telegram bot output plugin.
+    """
+
+    def start(self):
+        self.bot_token = CONFIG.get('output_telegram', 'bot_token')
+        self.chat_id = CONFIG.get('output_telegram', 'chat_id')
+        self.delay = CONFIG.getfloat('output_telegram', 'delay', fallback=2.0)
+
+        contextFactory = WebClientContextFactory()
+        pool = HTTPConnectionPool(reactor)
+        pool._factory = QuietHTTP11ClientFactory
+        self.agent = Agent(reactor, contextFactory=contextFactory, pool=pool)
+        self.last_sent = 0
+        self.requests_list = []
+
+    def stop(self):
+        pass
+
+    def write(self, event):
+        operation = event['operation'].lower()
+        message = '[{} UTC] [PGSQLPot on {} ({})]: {}'.format(
+            strftime('%Y-%m-%d %H:%M:%S', gmtime(event['unixtime'])),
+            event['sensor'], event['session'], operation.capitalize()
+        )
+        if operation == 'unknown':
+            message += ' operation: "{}"'.format(event['username'])
+        elif operation == 'command':
+            message += ' "{}'.format(event['command'])
+            if event['args']:
+                message += ' {}'.format(event['args'])
+            message += '"'
+        message += ' from {}:{}'.format(event['src_ip'], event['dst_port'])
+        if operation == 'login':
+            message += ', username: "{}", password: "{}"'.format(
+                event['username'], event['password']
+            )
+        message += '.'
+        self.requests_list.append(message)
+        self._drain()
+
+    def _drain(self):
+        """Send the next queued message if the rate-limit window has elapsed.
+        If messages remain, schedule another drain after self.delay seconds."""
+        if not self.requests_list:
+            return
+        now = time()
+        elapsed = now - self.last_sent
+        if elapsed < self.delay:
+            deferLater(reactor, self.delay - elapsed, self._drain)
+            return
+        self.last_sent = now
+        message = self.requests_list.pop(0)
+        d = self._send(message)
+        if self.requests_list:
+            deferLater(reactor, self.delay, self._drain)
+        return d
+
+    def _send(self, message):
+
+        def cbBody(body):
+            return processResult(body)
+
+        def cbPartial(failure):
+            """
+            Google HTTP Server does not set Content-Length. Twisted marks it as partial
+            """
+            failure.printTraceback()
+            return processResult(failure.value.response)
+
+        def cbResponse(response):
+            if response.code in [200, 201]:
+                return
+            msg('Telegram error: {} {}'.format(response.code, decode(response.phrase)))
+            d = readBody(response)
+            d.addCallback(cbBody)
+            d.addErrback(cbPartial)
+            return d
+
+        def cbError(failure):
+            failure.printTraceback()
+
+        def processResult(result):
+            try:
+                j = loads(result)
+                msg('Telegram response: {}'.format(j.get('description', '')))
+            except Exception:
+                pass
+
+        headers = Headers({
+            b'User-Agent': [b'PGSQLPot']
+        })
+        params = 'chat_id={}&parse_mode=HTML&text={}'.format(self.chat_id, quote_plus(message))
+        url = 'https://api.telegram.org/bot{}/sendMessage?{}'.format(self.bot_token, params)
+        d = self.agent.request(b'GET', encode(url), headers, None)
+        d.addCallback(cbResponse)
+        d.addErrback(cbError)
+        return d

output_plugins/textlog.py

@@ -0,0 +1,46 @@
+
+from __future__ import absolute_import
+
+from os import linesep
+from os.path import basename, dirname
+from time import gmtime, strftime
+
+from core import output
+from core.config import CONFIG
+from core.tools import mkdir
+from core.logfile import HoneypotDailyLogFile
+
+class Output(output.Output):
+
+    def start(self):
+        fn = CONFIG.get('output_textlog', 'logfile')
+        dirs = dirname(fn)
+        base = basename(fn)
+        mkdir(dirs)
+        self.outfile = HoneypotDailyLogFile(base, dirs, defaultMode=0o664)
+
+    def stop(self):
+        self.outfile.flush()
+
+    def write(self, event):
+        operation = event['operation'].lower()
+        message = '[{} UTC] [PGSQLPot on {} ({})]: {}'.format(
+            strftime('%Y-%m-%d %H:%M:%S', gmtime(event['unixtime'])),
+            event['sensor'], event['session'], operation.capitalize()
+        )
+        if operation == 'unknown':
+            message += ' operation: "{}"'.format(event['username'])
+        elif operation == 'command':
+            message += ' "{}'.format(event['command'])
+            if event['args']:
+                message += ' {}'.format(event['args'])
+            message += '"'
+        message += ' from {}:{}'.format(event['src_ip'], event['dst_port'])
+        if operation == 'login':
+            message += ', username: "{}", password: "{}"'.format(
+                event['username'], event['password']
+            )
+        message += '.' + linesep
+
+        self.outfile.write(message)
+        self.outfile.flush()

output_plugins/xmpp.py

@@ -0,0 +1,193 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+XMPP output plugin
+"""
+
+from __future__ import absolute_import
+
+from sys import version_info
+from threading import Event, Thread
+from time import gmtime, strftime
+
+from core import output
+from core.config import CONFIG
+
+import xmpp.dispatcher
+import xmpp.simplexml
+import xmpp.transports
+from xmpp import Client
+from xmpp.protocol import JID, Message
+
+from twisted.python.log import msg
+
+
+# ---------------------------------------------------------------------------
+# Python 2.7 compatibility patches for xmpppy.
+#
+# xmpppy 0.7.3 has two functions with Python 3-only syntax that crash
+# on Python 2.7:
+#
+# 1. simplexml.ustr(): calls str(r, ENCODING) which is Python 3 bytes-to-str
+#    syntax. On Python 2.7 the equivalent is unicode(r).
+#
+# 2. dispatcher.Dispatcher.Process(): calls .with_traceback() unconditionally
+#    on exception objects, but that method only exists on Python 3.
+#
+# Both are patched below before any xmpppy code runs.
+# ---------------------------------------------------------------------------
+if version_info[0] < 3:
+    # Patch 1: simplexml.ustr
+    def _ustr(what):
+        if isinstance(what, str):
+            return what
+        try:
+            r = what.__str__()
+        except AttributeError:
+            r = str(what)
+        if not isinstance(r, str):
+            return r
+        return r
+
+    xmpp.simplexml.ustr = _ustr
+    xmpp.transports.ustr = _ustr
+    # xmpp.protocol also does 'from .simplexml import ustr' — patch it too
+    import xmpp.protocol as _xmpp_protocol
+    if hasattr(_xmpp_protocol, 'ustr'):
+        _xmpp_protocol.ustr = _ustr
+
+    # Patch 2: dispatcher.Dispatcher - must be named 'Dispatcher' so that
+    # PlugIn() registers it under the right key in owner.__dict__, and must
+    # define plugin/plugout explicitly so PlugIn()'s __class__.__dict__ check
+    # finds them (inherited methods are not in __class__.__dict__ on Py2
+    # old-style classes).
+    _OriginalDispatcher = xmpp.dispatcher.Dispatcher
+
+    class Dispatcher(_OriginalDispatcher):
+        def plugin(self, owner):
+            _OriginalDispatcher.plugin(self, owner)
+
+        def plugout(self):
+            _OriginalDispatcher.plugout(self)
+
+        def Process(self, timeout=0):
+            for handler in self._cycleHandlers:
+                handler(self)
+            if len(self._pendingExceptions) > 0:
+                _pendingException = self._pendingExceptions.pop()
+                ex = _pendingException[0](_pendingException[1])
+                if hasattr(ex, 'with_traceback'):
+                    ex = ex.with_traceback(_pendingException[2])
+                raise ex
+            if self._owner.Connection.pending_data(timeout):
+                try:
+                    data = self._owner.Connection.receive()
+                except IOError:
+                    return
+                self.Stream.Parse(data)
+                if len(self._pendingExceptions) > 0:
+                    _pendingException = self._pendingExceptions.pop()
+                    ex = _pendingException[0](_pendingException[1])
+                    if hasattr(ex, 'with_traceback'):
+                        ex = ex.with_traceback(_pendingException[2])
+                    raise ex
+                if data:
+                    return len(data)
+            return '0'
+
+    xmpp.dispatcher.Dispatcher = Dispatcher
+
+
+class Output(output.Output):
+    """
+    XMPP output plugin.
+    Sends honeypot events as plain-text messages to a configured JID.
+
+    xmpppy's Process(1) blocks for up to one second per call, so it runs
+    in a daemon thread rather than in Twisted's reactor thread.  write()
+    calls send() directly from the reactor thread; send() only writes to
+    the socket while Process() only reads, so there is no write-write race.
+    """
+
+    def start(self):
+        jabberid = CONFIG.get('output_xmpp', 'user')
+        password = CONFIG.get('output_xmpp', 'password', raw=True)
+        self.receiver = CONFIG.get('output_xmpp', 'muc')
+        self._stop_event = Event()
+        self._thread = None
+
+        jid = JID(jabberid)
+        self.connection = Client(server=jid.getDomain(), debug=[])
+
+        result = self.connection.connect()
+        if not result:
+            msg('output_xmpp: unable to connect to {}'.format(jid.getDomain()))
+            self.connection = None
+            return
+        msg('output_xmpp: connected ({})'.format(result))
+
+        if not self.connection.auth(user=jid.getNode(), password=password,
+                                    resource=jid.getResource()):
+            msg('output_xmpp: authentication failed for {}'.format(jabberid))
+            self.connection.disconnect()
+            self.connection = None
+            return
+        msg('output_xmpp: authenticated as {}'.format(jabberid))
+
+        self._thread = Thread(target=self._process_loop)
+        self._thread.daemon = True
+        self._thread.start()
+
+    def _process_loop(self):
+        while not self._stop_event.is_set():
+            try:
+                conn = self.connection
+                if conn is None:
+                    break
+                if not conn.Process(1):
+                    msg('output_xmpp: connection lost')
+                    self.connection = None
+                    break
+            except Exception as e:
+                msg('output_xmpp: error in Process loop: {}'.format(e))
+                self.connection = None
+                break
+
+    def stop(self):
+        self._stop_event.set()
+        if self._thread is not None:
+            self._thread.join(timeout=2)
+        if self.connection is not None:
+            self.connection.disconnect()
+            self.connection = None
+
+    def write(self, event):
+        if self.connection is None:
+            return
+
+        operation = event['operation'].lower()
+
+        message = '[{} UTC] [PGSQLPot on {} ({})]: {}'.format(
+            strftime('%Y-%m-%d %H:%M:%S', gmtime(event['unixtime'])),
+            event['sensor'], event['session'], operation.capitalize()
+        )
+        if operation == 'unknown':
+            message += ' operation: "{}"'.format(event['username'])
+        elif operation == 'command':
+            message += ' "{}'.format(event['command'])
+            if event['args']:
+                message += ' {}'.format(event['args'])
+            message += '"'
+        message += ' from {}:{}'.format(event['src_ip'], event['dst_port'])
+        if operation == 'login':
+            message += ', username: "{}", password: "{}"'.format(
+                event['username'], event['password']
+            )
+        message += '.'
+
+        try:
+            self.connection.send(Message(to=self.receiver, body=message))
+        except Exception as e:
+            msg('output_xmpp: send failed: {}'.format(e))
+            self.connection = None

pgsqlpot/__init__.py

@@ -0,0 +1,25 @@
+# pgsqlpot: the installable Python package for the pgsqlpot honeypot.
+#
+# After `pip install pgsqlpot`, use the `pgsqlpot` command:
+#
+#   pgsqlpot init    -- scaffold a working directory
+#   pgsqlpot run     -- start the honeypot in the foreground
+#   pgsqlpot start   -- start the honeypot in the background
+#   pgsqlpot stop    -- stop the background honeypot
+#   pgsqlpot restart -- restart the honeypot (stop and start the honeypot in
+#                       the background)
+#   pgsqlpot status  -- show running status
+#
+# NOTE: pgsqlpot/honeypot.py is generated at build time by the build_py
+# hook in setup.py - it is a copy of the top-level honeypot.py bundled so
+# that the `pgsqlpot run/start` entry point can locate and run it.
+# It is listed in .gitignore and should not be committed.
+#
+# Contents:
+#   cli.py        the `pgsqlpot` console entry point (init/run/start/stop/status)
+#   honeypot.py   the main honeypot script (copied from repo root at build time)
+#   data/         bundled read-only assets copied to the working directory
+#                 by `pgsqlpot init`:
+#     docs/       documentation and SQL schema files
+#     etc/        default configuration templates
+#     test/       test.py for verifying a running honeypot