Secure Honey

SSH honeypot written in C

Welcome to SecureHoney.net

Friday 11th October 2013 17:20

This website will be used to document the progress of my final year project; building an SSH honeypot in C. For more details see the about page.

I'm currently learning the programming language C as I progress with this project, so the code might not be perfect. I've previously programmed in Java and PHP - which inherit a lot of their syntax from C.

My aim is to document all the challenges I'm presented with as the project unfolds and eventually I'd like to log and analyse attacks on the honeypot.

Why build a honeypot?

I took a module in my second year called Computer Networks. I was gripped by this module, partly because I previously worked in web development, but mainly because the topic of network security and cyber attacks fascinates me.

When it came to choosing a final year project; it was a no brainer for me. The prospect of creating a honeypot to analyse cyber-attack techniques fills me with genuine excitement!

To gain a better understanding of what malicious software is; over the summer I studied a course at Coursera.org entitled Malicious Software and its Underground Economy: Two Sides to Every Story (run by Royal Holloway, University of London), which I highly recommend. The course covers how various types of malware work including analysis of their coding. A lot of this analysis is done on C and machine code.

So there are two main reasons that I want to build a honeypot:

  1. To explore and analyse cyber-attacks
  2. To learn C and to understand networking in C

The programming begins...

So, this week I started writing the code. I started simple, with a C server which allows a single connection from a client and just echo's back any text received from the client. The code can be seen below:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <errno.h>
#include <unistd.h>

#define DEFAULT_PORT    (1234)
#define MAX_LINE        (1000)
#define LISTENQ         (1024)

int Readline(int fd, void *vptr, int maxlen);
int Writeline(int fc, const void *vptr, int maxlen);

int main(int argc, char *argv[]) {
  
  int welcomeSocket;
  int clientSocket;
  char *client_input;
  short unsigned int port;
  char buffer[MAX_LINE];
  struct sockaddr_in servaddr;
  char *endptr;

  /* set port from supplied argument otherwise use default */
  if (argc == 2) {
    port = strtol(argv[1], &endptr, 0);
    if (*endptr) {
      printf("ERROR: invalid port number.\n");
      exit(EXIT_FAILURE);
    }
  } else if (argc < 2 ){
    port = DEFAULT_PORT;
  } else {
    printf("ERROR: invalid arguments.\n");
    exit(EXIT_FAILURE);
  }

  if( (welcomeSocket = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
    printf("ERROR: can't create welcome socket.\n");
    exit(EXIT_FAILURE);
  }

  memset(&servaddr, 0, sizeof(servaddr));
  servaddr.sin_family = AF_INET;
  servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
  servaddr.sin_port = htons(port);

  if( bind(welcomeSocket, (struct sockaddr *) &servaddr, sizeof(servaddr)) < 0){
    printf("ERROR: can't call bind().\n");
    exit(EXIT_FAILURE);
  }

  if( listen(welcomeSocket, LISTENQ) < 0) {
    printf("ERROR: can't call listen().\n");
    exit(EXIT_FAILURE);
  }

  while(1) {
    memset(&buffer, 0, sizeof(buffer));
    if ( (clientSocket = accept(welcomeSocket, NULL, NULL)) < 0) {
      printf("ERROR: can't call accept().\n");
      exit(EXIT_FAILURE);
    }

    int rl;
    while((rl = Readline(clientSocket, buffer, MAX_LINE-1)) > 0){
      printf("Received: (%d chars) %s",rl-1,buffer);
      if(strstr(buffer,"wget") != NULL){
        printf("This is the url to get: %.*s", sizeof(buffer)-5, buffer + 5);
      }
      Writeline(clientSocket, buffer, strlen(buffer));
      memset(&buffer, 0, sizeof(buffer));
    }
  }
  
  if( close(clientSocket) < 0) {
    printf("ERROR: can't close socket");
    exit(EXIT_FAILURE);
  }

  return 0;

}

int Readline(int sockd, void *vptr, int maxlen) {
    int n, rc;
    char    c, *buffer;

    buffer = vptr;

    for ( n = 1; n < maxlen; n++ ) {
        
        if ( (rc = read(sockd, &c, 1)) == 1 ) {
            *buffer++ = c;
            if ( c == '\n' )
                break;
        }
        else if ( rc == 0 ) {
            if ( n == 1 )
                return 0;
            else
                break;
        }
        else {
            if ( errno == EINTR )
                continue;
            return -1;
        }
    }

    *buffer = 0;
    return n;
}

int Writeline(int sockd, const void *vptr, int n) {
    int      nleft;
    int     nwritten;
    const char *buffer;

    buffer = vptr;
    nleft  = n;

    while ( nleft > 0 ) {
        if ( (nwritten = write(sockd, buffer, nleft)) <= 0 ) {
            if ( errno == EINTR )
                nwritten = 0;
            else
                return -1;
        }
        nleft  -= nwritten;
        buffer += nwritten;
    }

    return n;
}

// references: http://www.paulgriffiths.net/program/c/srcs/echoservsrc.html

The code for this project will be stored on GitHub, so feel free to browse through the code, make any comments or suggestions etc.

The current server.c works using a general insecure socket. My task for this week is to create a secure socket so I can start using as SSH client to connect to the server.

Image credit: "Honey jar" by Nic McPhee, flickr.com/photos/nicmcphee/411317929

Comments

There are no comments for this blog post yet

Add Comment

Name

Email (won't be displayed)

Website (optional)

Comments

Live Stats (see full stats)

Attempted logins

date range # attempts
today393
yesterday194
past 7 days4,426
past 30 days17,357
all time4,114,040

Top 5 passwords

password # attempts
12345618,562
admin8,503
password6,536
-6,393
root4,833

Top 5 usernames

username # attempts
root3,927,129
admin78,772
test4,046
oracle3,356
nagios2,648

Stats represent data collected from SSH login attempts on multiple honeypots. Parts of some stats may be filtered to maintain anonymity.

Updated: Tue, 07 Jun 2016 16:33:48 +0100

Live Password Cloud

12qwaszx 963852741 1234%^ POIUYT 12344321 zxcvbn 111 zaqxsw 888888 111111 asdfghjkl a123456 windows qwer1234 q1w2e3 Passw0rd zxcv support 1111 server iloveyou welcome123 user !@ abcdef a cisco 123abc qwer qwerty123 q123456 manager 54321 alpine qq123456 huawei 11223344 password zaqxswcde qazwsx default 1 qwe123 test okokok 88888888 ubnt dragon 159753 147852369 12345678 passwd qwertyuiop 23456 power qwaszx huawei123 changeme123 123123123 5201314 Aa123456 qwe 1qazxsw2 nagios redhat zaqxswcdevfr q1w2e3r4 1234qwer 1qaz2wsx3edc monitor 12345 pass root1234 password123 123qweasd 000000 z1x2c3v4 qaz qazwsx123 f**kyou admin123!@# Pass123 121212 p@ssword 1a2s3d4f 1qaz2wsx Admin123456 woaini zaq1xsw2 linux adminadmin _ system 1qaz@WSX P@ssw0rd1 sapp a1b2c3d4 654321 qazwsxedc 1234 sqlpp qazxsw asdf sysadmin qqpp abc123 idc2008 123123 666666 123456 123qwe 987654321 admin123 admin@123 zhang 789789 11111111 idcidc qwerty123456 secret Huawei@123 !@#$%^ changeme 1q2w3e 147258369 superman 147258 admin1 mnbvcxz admin welcome 225588 !qaz1QAZ 123 p0o9i8u7 apple aaa !QAZ2wsx administrator zzzzzz oracle qwerty china 0000 rootpass 7890pp letmein abcd1234 1122334455 raspberry abc1234 a1s2d3f4 rootroot P@ssw0rd qwert public adminpp 1q2w3e4r5t root 1234567890 qweasd guest asdfgh test123 zxcvbnm caonima - !QAZ@WSX 112233 147147 123654 q1w2e3r4t5 1234567 1q2w3e4r password1 root123 123456789 12345qwert qweasdzxc 110110 159357