rdphoneypot 2.0.0__py2.py3-none-any.whl

core/config.py

@@ -0,0 +1,37 @@
+
+from configparser import ConfigParser, ExtendedInterpolation
+
+from os import environ
+
+
+def to_environ_key(key):
+    return key.upper()
+
+
+class EnvironmentConfigParser(ConfigParser):
+
+    def has_option(self, section, option):
+        if to_environ_key('_'.join((section, option))) in environ:
+            return True
+        return super(EnvironmentConfigParser, self).has_option(section, option)
+
+    def get(self, section, option, **kwargs):
+        key = to_environ_key('_'.join((section, option)))
+        if key in environ:
+            return environ[key]
+        return super(EnvironmentConfigParser, self).get(section, option, **kwargs)
+
+
+def readConfigFile(cfgfile):
+    """
+    Read config files and return ConfigParser object
+
+    @param cfgfile: filename or array of filenames
+    @return: ConfigParser object
+    """
+    parser = EnvironmentConfigParser(interpolation=ExtendedInterpolation())
+    parser.read(cfgfile)
+    return parser
+
+
+CONFIG = readConfigFile(('etc/honeypot.cfg.base', 'etc/honeypot.cfg', 'honeypot.cfg'))

core/httpclient.py

@@ -0,0 +1,71 @@
+from __future__ import absolute_import
+
+from io import open
+
+from twisted.internet.ssl import Certificate, trustRootFromCertificates
+from twisted.python.log import msg
+from twisted.web.client import Agent, BrowserLikePolicyForHTTPS
+
+
+class _LegacyWebClientContextFactory(object):
+    @staticmethod
+    def build():
+        from twisted.internet.ssl import ClientContextFactory
+
+        class WebClientContextFactory(ClientContextFactory):
+            def getContext(self, hostname, port):
+                return ClientContextFactory.getContext(self)
+
+        return WebClientContextFactory()
+
+
+def _load_trust_root_from_pem_bundle(pem_path):
+    with open(pem_path, 'r', encoding='utf-8') as fh:
+        content = fh.read()
+    certs = []
+    end_marker = '-----END CERTIFICATE-----'
+    for chunk in content.split(end_marker):
+        chunk = chunk.strip()
+        if not chunk:
+            continue
+        pem = chunk + '\n' + end_marker + '\n'
+        certs.append(Certificate.loadPEM(pem))
+    if not certs:
+        return None
+    return trustRootFromCertificates(certs)
+
+
+def _trust_root(ca_certs):
+    if ca_certs:
+        try:
+            return _load_trust_root_from_pem_bundle(ca_certs)
+        except Exception as e:
+            msg('Failed to load CA bundle {}: {}'.format(ca_certs, e))
+            return None
+
+    try:
+        import certifi
+        return _load_trust_root_from_pem_bundle(certifi.where())
+    except Exception:
+        return None
+
+
+def create_http_agent(reactor, pool, plugin_name, verify_tls=True, ca_certs=None):
+    """
+    Build a Twisted Agent with sane HTTPS defaults.
+    verify_tls=True uses BrowserLikePolicyForHTTPS for cert + hostname checks.
+    verify_tls=False falls back to a legacy context factory for compatibility.
+    """
+    if verify_tls:
+        return Agent(
+            reactor,
+            contextFactory=BrowserLikePolicyForHTTPS(trustRoot=_trust_root(ca_certs)),
+            pool=pool
+        )
+
+    msg('{}: TLS certificate verification is disabled.'.format(plugin_name))
+    return Agent(
+        reactor,
+        contextFactory=_LegacyWebClientContextFactory.build(),
+        pool=pool
+    )

core/logfile.py

@@ -0,0 +1,75 @@
+
+from datetime import datetime
+from sys import stdout
+
+from pytz import timezone
+
+from twisted.python.log import textFromEventDict, _safeFormat, FileLogObserver, startLogging
+from twisted.python.util import untilConcludes
+from twisted.python.logfile import DailyLogFile
+
+
+class HoneypotDailyLogFile(DailyLogFile):
+    """
+    Overload original Twisted with improved date formatting
+    """
+
+    def suffix(self, tupledate):
+        """
+        Return the suffix given a (year, month, day) tuple or unixtime
+        """
+        try:
+            return '{:02d}-{:02d}-{:02d}'.format(tupledate[0], tupledate[1], tupledate[2])
+        except Exception:
+            # try taking a float unixtime
+            return '_'.join(map(str, self.toDate(tupledate)))
+
+
+def myFLOemit(self, eventDict):
+    """
+    Format the given log event as text and write it to the output file.
+
+    @param eventDict: a log event
+    @type eventDict: L{dict} mapping L{str} (native string) to L{object}
+    """
+
+    # Custom emit for FileLogObserver
+    text = textFromEventDict(eventDict)
+    if text is None:
+        return
+    timeStr = self.formatTime(eventDict['time'])
+    fmtDict = {
+        'text': text.replace('\n', '\n\t')
+    }
+    msgStr = _safeFormat('%(text)s\n', fmtDict)
+    untilConcludes(self.write, timeStr + ' ' + msgStr)
+    untilConcludes(self.flush)
+
+
+def myFLOformatTime(self, when):
+    """
+    Log time in UTC
+
+    By default it's formatted as an ISO8601-like string (ISO8601 date and
+    ISO8601 time separated by a space). It can be customized using the
+    C{timeFormat} attribute, which will be used as input for the underlying
+    L{datetime.datetime.strftime} call.
+
+    @type when: C{int}
+    @param when: POSIX (ie, UTC) timestamp.
+
+    @rtype: C{str}
+    """
+    timeFormatString = self.timeFormat
+    if timeFormatString is None:
+        timeFormatString = '[%Y-%m-%d %H:%M:%S.%fZ]'
+    return datetime.fromtimestamp(when, tz=timezone('UTC')).strftime(timeFormatString)
+
+
+def set_logger(cfg_options):
+    FileLogObserver.emit = myFLOemit
+    FileLogObserver.formatTime = myFLOformatTime
+    if cfg_options['logfile'] is None:
+        startLogging(stdout)
+    else:
+        startLogging(HoneypotDailyLogFile.fromFullPath(cfg_options['logfile']), setStdout=False)

core/output.py

@@ -0,0 +1,41 @@
+
+from __future__ import absolute_import
+
+from socket import gethostname
+
+from core.config import CONFIG
+
+
+class Output(object):
+    """
+    Abstract base class intended to be inherited by output plugins.
+    """
+
+    def __init__(self, general_options):
+
+        self.cfg = general_options
+
+        if not 'sensor' in self.cfg:
+            self.sensor = CONFIG.get('honeypot', 'sensor_name', fallback=gethostname())
+        else:
+            self.sensor = self.cfg['sensor']
+
+        self.start()
+
+    def start(self):
+        """
+        Abstract method to initialize output plugin
+        """
+        pass
+
+    def stop(self):
+        """
+        Abstract method to shut down output plugin
+        """
+        pass
+
+    def write(self, event):
+        """
+        Handle a general event within the output plugin
+        """
+        pass

core/paths.py

@@ -0,0 +1,54 @@
+"""
+paths.py - Single source of truth for runtime path resolution.
+
+The honeypot needs a "working directory" containing:
+  etc/          config files (honeypot-launch.cfg.base, honeypot.cfg.base)
+  data/         geolocation databases, SQLite db, etc.
+  log/          rotating log files (created on demand)
+  rss/          RDP scenario files
+
+Priority for locating the working directory:
+  1. RDPHONEYPOT_WORKDIR environment variable
+  2. Current working directory
+
+The bundled read-only defaults (etc/*.cfg.base, rss/*.rss)
+are installed inside the `rdphoneypot` package and located via the package's
+own __file__ attribute, which works on all Python versions without
+requiring pkg_resources or importlib.resources.
+"""
+
+from __future__ import absolute_import
+
+
+from os import getcwd, environ
+from os.path import abspath, dirname, join
+
+
+def get_workdir():
+    """Return the absolute path to the runtime working directory."""
+    env = environ.get('RDPHONEYPOT_WORKDIR', '').strip()
+    if env:
+        return abspath(env)
+    return getcwd()
+
+
+def workdir_path(*parts):
+    """Return an absolute path rooted at the working directory."""
+    return join(get_workdir(), *parts)
+
+
+def bundled(*parts):
+    """
+    Return the filesystem path to a file bundled inside the installed package.
+    Arguments are path components relative to the rdphoneypot/data/ directory,
+    passed as separate strings (like os.path.join) to avoid hardcoded separators.
+
+    Uses the package's own __file__ to locate the data directory, which works
+    on all Python versions (2.7+) without requiring pkg_resources or
+    importlib.resources.
+    """
+    # rdphoneypot/data/ lives alongside this module's package (core/ is a sibling
+    # of rdphoneypot/), so we go up one level from core/ to find rdphoneypot/data/.
+    here = dirname(abspath(__file__))
+    package_dir = join(dirname(here), 'rdphoneypot')
+    return join(package_dir, 'data', *parts)

core/protocol.py

@@ -0,0 +1,318 @@
+
+from __future__ import absolute_import
+
+from binascii import hexlify
+from os import urandom
+from time import time
+
+from core.tools import decode, getlocalip, getutctime, write_event
+
+from rdpy.core.rss import createReader, EventType, UpdateFormat
+from rdpy.protocol.rdp.rdp import RDPServerObserver, ServerFactory
+
+from twisted.internet.reactor import callLater
+from twisted.python.log import msg
+
+
+class HoneyPotServer(RDPServerObserver):
+    def __init__(self, controller, rssFileSizeList, cfg):
+        """
+        @param controller: {RDPServerController}
+        @param rssFileSizeList: {Tuple} Tuple(Tuple(width, height), rssFilePath)
+        """
+        RDPServerObserver.__init__(self, controller)
+        self._rssFileSizeList = rssFileSizeList
+        self._dx, self._dy = 0, 0
+        self._rssFile = None
+        self.cfg = cfg
+        self._login_logged = False   # guard: log credentials only once per session
+
+    # ------------------------------------------------------------------
+    # Shared login-event helper
+    # ------------------------------------------------------------------
+
+    def _log_login_event(self, domain, username, password, nt_hash,
+                         auth_method, hostname):
+        """
+        Write the rdphoneypot.login event.  The _login_logged guard ensures
+        this fires at most once per session even when both the NLA credentials
+        hook and onReady fire for the same connection.
+        """
+        if self._login_logged:
+            return
+        self._login_logged = True
+
+        unix_time = time()
+        cred_label = 'nt_hash' if auth_method == 'NLA' else 'password'
+        cred_value = nt_hash   if auth_method == 'NLA' else password
+        event = {
+            'eventid': 'rdphoneypot.login',
+            'message': "Login from {}:{}, hostname: '{}' to domain: '{}', "
+                       "username: '{}', {}: '{}'.".format(
+                self.cfg['src_addr'], self.cfg['src_port'],
+                hostname, domain, username, cred_label, cred_value),
+            'session':     self.cfg['session'],
+            'timestamp':   getutctime(unix_time),
+            'unixtime':    unix_time,
+            'sensor':      self.cfg['sensor'],
+            'src_ip':      self.cfg['src_addr'],
+            'src_port':    self.cfg['src_port'],
+            'dst_port':    self.cfg['port'],
+            'domain':      domain,
+            'username':    username,
+            'password':    password,
+            'nt_hash':     nt_hash,
+            'auth_method': auth_method,
+            'hostname':    hostname,
+        }
+        write_event(event, self.cfg)
+
+    # ------------------------------------------------------------------
+    # NLA credentials hook
+    # ------------------------------------------------------------------
+
+    def onNLACredentials(self, nla_server):
+        """
+        Called by NLAServer immediately after the NTLMSSP_AUTHENTICATE message
+        is parsed — before we send the (dummy) pubKeyAuth reply.  This fires
+        even when Windows disconnects after our dummy reply, guaranteeing that
+        credentials are always logged for NLA connections.
+
+        Hostname is empty here because the MCS layer (which carries the client
+        name) has not yet connected.  The _login_logged guard prevents onReady
+        from logging again if the connection does proceed to RDP.
+        """
+        msg("NLA credentials: domain={!r} username={!r}".format(
+            nla_server.nla_domain, nla_server.nla_username))
+        self._log_login_event(
+            domain      = nla_server.nla_domain,
+            username    = nla_server.nla_username,
+            password    = '',
+            nt_hash     = nla_server.nla_nt_hash,
+            auth_method = 'NLA',
+            hostname    = '',
+        )
+
+    # ------------------------------------------------------------------
+    # Standard RDP observer events
+    # ------------------------------------------------------------------
+
+    def onReady(self):
+        """
+        @summary:  Event use to inform state of server stack
+                    First time this event is called is when human client is connected
+                    Second time is after color depth nego, because color depth nego
+                    restart a connection sequence
+        @see: RDPServerObserver.onReady
+        """
+        first_connect = (self._rssFile is None)
+
+        if first_connect:
+            #compute which RSS file to keep
+            width, height = self._controller.getScreen()
+            size = width * height
+            rssFilePath = sorted(
+                self._rssFileSizeList,
+                key=lambda x: abs(x[0][0] * x[0][1] - size)
+            )[0][1]
+            msg('select file ({}, {}) -> {}'.format(width, height, rssFilePath))
+            self._rssFile = createReader(rssFilePath)
+
+            domain, username, password = self._controller.getCredentials()
+            hostname = self._controller.getHostname()
+
+            nla = getattr(self._controller._x224Layer, '_nlaServer', None)
+            if nla and nla.nla_username:
+                auth_method = 'NLA'
+                nt_hash  = nla.nla_nt_hash
+                password = ''
+            else:
+                auth_method = 'RDP'
+                nt_hash  = ''
+
+            # Suppress logging if all credential fields are empty — this
+            # happens on Windows SSL-retry connections that follow a failed
+            # NLA attempt: the Info packet has empty domain/user/password.
+            if username or domain or password or nt_hash:
+                self._log_login_event(
+                    domain      = domain,
+                    username    = username,
+                    password    = password,
+                    nt_hash     = nt_hash,
+                    auth_method = auth_method,
+                    hostname    = hostname,
+                )
+
+        self.start()
+
+    def onClose(self):
+        """ HoneyPot """
+        unix_time = time()
+        duration = int(round(unix_time - self.cfg['start']))
+        event = {
+            'eventid': 'rdphoneypot.session.closed',
+            'message': 'Closed connection from {}:{} [session: {}] after {} seconds.'.format(
+                self.cfg['src_addr'], self.cfg['src_port'],
+                self.cfg['session'], duration
+            ),
+            'session':   self.cfg['session'],
+            'timestamp': getutctime(unix_time),
+            'unixtime':  unix_time,
+            'sensor':    self.cfg['sensor'],
+            'src_ip':    self.cfg['src_addr'],
+            'src_port':  self.cfg['src_port'],
+            'dst_port':  self.cfg['port'],
+            'duration':  duration,
+        }
+        write_event(event, self.cfg)
+
+    def onKeyEventScancode(self, code, isPressed, isExtended):
+        """ HoneyPot """
+        if not self.cfg['log_scancodes']:
+            return
+        unix_time = time()
+        event = {
+            'eventid': 'rdphoneypot.scancode',
+            'message': 'Scancode: {}, isPressed: {}, isExtended: {}.'.format(
+                code, isPressed, isExtended
+            ),
+            'session':     self.cfg['session'],
+            'timestamp':   getutctime(unix_time),
+            'unixtime':    unix_time,
+            'sensor':      self.cfg['sensor'],
+            'src_ip':      self.cfg['src_addr'],
+            'src_port':    self.cfg['src_port'],
+            'dst_port':    self.cfg['port'],
+            'code':        code,
+            'is_pressed':  isPressed,
+            'is_extended': isExtended,
+        }
+        write_event(event, self.cfg)
+
+    def onKeyEventUnicode(self, code, isPressed):
+        """ HoneyPot """
+        if not self.cfg['log_scancodes']:
+            return
+        unix_time = time()
+        event = {
+            'eventid': 'rdphoneypot.unicode',
+            'message': 'Unicode: {}, isPressed: {}.'.format(code, isPressed),
+            'session':    self.cfg['session'],
+            'timestamp':  getutctime(unix_time),
+            'unixtime':   unix_time,
+            'sensor':     self.cfg['sensor'],
+            'src_ip':     self.cfg['src_addr'],
+            'src_port':   self.cfg['src_port'],
+            'dst_port':   self.cfg['port'],
+            'code':       code,
+            'is_pressed': isPressed,
+        }
+        write_event(event, self.cfg)
+
+    def onPointerEvent(self, x, y, button, isPressed):
+        """ HoneyPot """
+        if not self.cfg['log_pointers']:
+            return
+        unix_time = time()
+        event = {
+            'eventid': 'rdphoneypot.pointer',
+            'message': 'Pointer event: X: {}, Y: {}, button: {}, isPressed: {}.'.format(
+                x, y, button, isPressed
+            ),
+            'session':    self.cfg['session'],
+            'timestamp':  getutctime(unix_time),
+            'unixtime':   unix_time,
+            'sensor':     self.cfg['sensor'],
+            'src_ip':     self.cfg['src_addr'],
+            'src_port':   self.cfg['src_port'],
+            'dst_port':   self.cfg['port'],
+            'x':          x,
+            'y':          y,
+            'button':     button,
+            'is_pressed': isPressed,
+        }
+        write_event(event, self.cfg)
+
+    def start(self):
+        self.loopScenario(self._rssFile.nextEvent())
+
+    def loopScenario(self, nextEvent):
+        """
+        @summary: main loop event
+        """
+        if nextEvent.type.value == EventType.UPDATE:
+            self._controller.sendUpdate(
+                nextEvent.event.destLeft.value   + self._dx,
+                nextEvent.event.destTop.value    + self._dy,
+                nextEvent.event.destRight.value  + self._dx,
+                nextEvent.event.destBottom.value + self._dy,
+                nextEvent.event.width.value,
+                nextEvent.event.height.value,
+                nextEvent.event.bpp.value,
+                nextEvent.event.format.value == UpdateFormat.BMP,
+                nextEvent.event.data.value)
+
+        elif nextEvent.type.value == EventType.CLOSE:
+            self._controller.close()
+            return
+
+        elif nextEvent.type.value == EventType.SCREEN:
+            self._controller.setColorDepth(nextEvent.event.colorDepth.value)
+            clientSize = nextEvent.event.width.value, nextEvent.event.height.value
+            serverSize = self._controller.getScreen()
+            self._dx = max(0, serverSize[0] - clientSize[0]) // 2
+            self._dy = max(0, serverSize[1] - clientSize[1]) // 2
+            return
+
+        e = self._rssFile.nextEvent()
+        callLater(float(e.timestamp.value) / 1000.0,   # pylint: disable=no-member
+                  lambda: self.loopScenario(e))
+
+
+class HoneyPotServerFactory(ServerFactory):
+    """
+    @summary: Factory on listening events
+    """
+    def __init__(self, rssFileSizeList, cfg):
+        """
+        @param rssFileSizeList: {Tuple} Tuple(Tuple(width, height), rssFilePath)
+        @param privateKeyFilePath: {str} file contain server private key (if none -> back to standard RDP security)
+        @param certificateFilePath: {str} file contain server certificate (if none -> back to standard RDP security)
+        """
+        ServerFactory.__init__(self, 16, cfg['key'], cfg['cert'])
+        self._rssFileSizeList = rssFileSizeList
+        self.cfg = cfg
+
+    def buildObserver(self, controller, addr):
+        """
+        @param controller: {RDPServerController}
+        @param addr: destination address
+        @see: ServerFactory.buildObserver
+        """
+        self.cfg['session'] = decode(hexlify(urandom(6)))
+        self.cfg['src_addr'] = addr.host
+        self.cfg['src_port'] = addr.port
+        unix_time = time()
+        self.cfg['start'] = unix_time
+        event = {
+            'eventid':   'rdphoneypot.session.connect',
+            'message':   'Connection from {}:{} [session: {}].'.format(
+                addr.host, addr.port, self.cfg['session']),
+            'session':   self.cfg['session'],
+            'timestamp': getutctime(unix_time),
+            'unixtime':  unix_time,
+            'src_ip':    addr.host,
+            'src_port':  addr.port,
+            'dst_ip':    getlocalip(),
+            'dst_port':  self.cfg['port'],
+            'sensor':    self.cfg['sensor'],
+        }
+        write_event(event, self.cfg)
+
+        observer = HoneyPotServer(controller, self._rssFileSizeList, self.cfg)
+
+        # Register the NLA hook so credentials are logged the moment
+        # NTLMSSP_AUTHENTICATE arrives, before the pubKeyAuth round-trip.
+        controller.setNLACredentialsHook(observer.onNLACredentials)
+
+        return observer