diff --git a/protocols/helpers/helpers.go b/protocols/helpers/helpers.go
index 79e9939..8344ef8 100644
--- a/protocols/helpers/helpers.go
+++ b/protocols/helpers/helpers.go
@@ -36,3 +36,8 @@ func StorePayload(data []byte) (string, error) {
 }
 return sha256Hash, nil
 }
+
+func HashData(data []byte) string {
+ hash := sha256.Sum256(data)
+ return hex.EncodeToString(hash[:])
+}
diff --git a/protocols/protocols.go b/protocols/protocols.go
index 31e9087..6d03c5a 100644
--- a/protocols/protocols.go
+++ b/protocols/protocols.go
@@ -3,8 +3,10 @@ package protocols
 import (
 "bytes"
 "context"
+ "errors"
 "net"
 "strings"
+ "time"
 
 "github.com/mushorg/glutton/connection"
 "github.com/mushorg/glutton/producer"
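Review bot: The exported `HashData` has no doc comment; add `// HashData returns the hex-encoded SHA-256 digest of data.` above it. The context lines show `StorePayload` returning a `sha256Hash` it computed itself, so if that computation is the same, `StorePayload` should call `HashData` instead of keeping a second copy; its body is outside the hunk, so that is a guess to confirm.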
@@ -66,13 +68,25 @@ func MapTCPProtocolHandlers(log interfaces.Logger, h interfaces.Honeypot) map[st
 return tcp.HandleADB(ctx, conn, md, log, h)
 }
 protocolHandlers["tcp"] = func(ctx context.Context, conn net.Conn, md connection.Metadata) error {
+ if err := conn.SetReadDeadline(time.Now().Add(500 * time.Millisecond)); err != nil {
+ log.Error("failed to set read deadline", producer.ErrAttr(err))
+ }
 snip, bufConn, err := Peek(conn, 4)
- if err != nil {
- if err := conn.Close(); err != nil {
- log.Error("failed to close connection", producer.ErrAttr(err))
+ var netErr net.Error
+ if errors.As(err, &netErr) && netErr.Timeout() {
+ if err := tcp.SendBanner(md.TargetPort, conn, md, log, h); err != nil {
+ log.Info("Failed to send service banner", producer.ErrAttr(err))
+ }
+ if err := conn.SetReadDeadline(time.Time{}); err != nil {
+ log.Error("failed to reset read deadline", producer.ErrAttr(err))
 }
+ return tcp.HandleTCP(ctx, conn, md, log, h)
+ }
+ if err := conn.SetReadDeadline(time.Time{}); err != nil {
+ log.Error("failed to reset read deadline", producer.ErrAttr(err))
+ }
+ if err != nil {
 log.Debug("failed to peek connection", producer.ErrAttr(err))
- return nil
 }
 // poor mans check for HTTP request
 httpMap := map[string]bool{"GET ": true, "POST": true, "HEAD": true, "OPTI": true, "CONN": true}
diff --git a/protocols/protocols_test.go b/protocols/protocols_test.go
index aedcd63..b916991 100644
--- a/protocols/protocols_test.go
+++ b/protocols/protocols_test.go
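Review bot: Dropping `return nil` after `log.Debug("failed to peek connection", ...)` lets a non-timeout `Peek` failure (EOF, reset) fall through to the HTTP check with whatever `snip`/`bufConn` `Peek` returned on error; `Peek`'s contract is outside the hunk, but if `bufConn` is nil in that case the dispatch below will dereference it, and the connection the removed branch used to close is now left open until something else closes it. Keep the early exit: `log.Debug("failed to peek connection", producer.ErrAttr(err))` followed by `return nil`. The `conn.SetReadDeadline(time.Time{})` reset is duplicated in both branches; doing it once directly after `Peek` returns, ahead of the `errors.As` check, removes the copy inside the timeout branch. `500 * time.Millisecond` is the only tunable here and bounds how long a silent client waits before a banner is sent, so it deserves a named constant such as `peekTimeout` with a comment on why that value was chosen. The handler closure continues past the end of the hunk.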
@@ -44,6 +44,10 @@ func TestMapTCPProtocolHandlers(t *testing.T) { h := &mocks.MockHoneypot{} l := &mocks.MockLogger{} l.EXPECT().Debug(mock.Anything, mock.Anything).Return().Maybe() + l.EXPECT().Info(mock.Anything, mock.Anything).Return().Maybe() + + h.EXPECT().UpdateConnectionTimeout(mock.Anything, mock.Anything).Return(nil).Maybe() + h.EXPECT().ProduceTCP(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil).Maybe() m := MapTCPProtocolHandlers(l, h) require.NotEmpty(t, m, "should get a non-empty map") diff --git a/protocols/tcp/banners.go b/protocols/tcp/banners.go new file mode 100644 index 0000000..b2a3b04 --- /dev/null +++ b/protocols/tcp/banners.go @@ -0,0 +1,38 @@ +package tcp + +import ( + "embed" + "fmt" + "io" + "log/slog" + "net" + + "github.com/mushorg/glutton/connection" + "github.com/mushorg/glutton/producer" + "github.com/mushorg/glutton/protocols/interfaces" +) + +//go:embed banners/* +var bannerFiles embed.FS + +// SendBanner retrieves and sends service banner for the specified port. +func SendBanner(port uint16, conn net.Conn, md connection.Metadata, logger interfaces.Logger, h interfaces.Honeypot) error { + bannerPath := fmt.Sprintf("banners/%d_tcp", port) + banner, err := bannerFiles.Open(bannerPath) + if err != nil { + return fmt.Errorf("failed to get banner: %w", err) + } + defer banner.Close() + + bannerData, err := io.ReadAll(banner) + if err != nil { + return fmt.Errorf("failed to read banner content: %w", err) + } + if _, err := conn.Write(bannerData); err != nil { + return fmt.Errorf("failed to write banner: %w", err) + } + if err = h.ProduceTCP("banner", conn, md, bannerData, nil); err != nil { + logger.Error("Failed to produce message", producer.ErrAttr(err), slog.String("handler", "banner")) + } + return nil +} diff --git a/protocols/tcp/banners/110_tcp b/protocols/tcp/banners/110_tcp new file mode 100644 index 0000000..4f60b24 --- /dev/null +++ b/protocols/tcp/banners/110_tcp @@ -0,0 +1 @@ ++OK 
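Review bot: Every new expectation is marked `.Maybe()`, so the test still passes when the banner branch is never reached and a regression that stops `ProduceTCP("banner", ...)` from being called goes unnoticed; the assertions after the hunk are not visible, so this may be covered elsewhere. A dedicated test that runs the `"tcp"` handler against a `net.Pipe` peer which sends nothing, with a strict `h.EXPECT().ProduceTCP("banner", ...)` expectation, would pin the timeout path introduced in protocols.go. `TestMapTCPProtocolHandlers` continues past the hunk.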
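Review bot: The `Open`/`defer Close`/`io.ReadAll` sequence in `SendBanner` can be a single `bannerData, err := bannerFiles.ReadFile(bannerPath)` kept with the existing "failed to get banner" error return, which also drops the `io` import. Only `banners/*` is embedded, yet the commit adds byte-identical files under `protocols/tcp/responses/` as well (same blob ids, e.g. `4f60b24` for `110_tcp`); those copies are never read and look like a leftover of the upstream directory name, so they should be removed. Because the protocols.go change calls `SendBanner` from the generic `tcp` handler, any port without a banner file returns a not-found error on every silent connection, which the caller then logs; the doc comment should state that a missing banner is reported as an error wrapping `fs.ErrNotExist` so callers can filter it with `errors.Is`. The log message `"Failed to produce message"` is capitalised while the wrapped errors in the same function are lowercase.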
diff --git a/protocols/tcp/banners/135_tcp b/protocols/tcp/banners/135_tcp new file mode 100644 index 0000000..874699b Binary files /dev/null and b/protocols/tcp/banners/135_tcp differ diff --git a/protocols/tcp/banners/139_tcp b/protocols/tcp/banners/139_tcp new file mode 100644 index 0000000..7fdc1a7 Binary files /dev/null and b/protocols/tcp/banners/139_tcp differ diff --git a/protocols/tcp/banners/1433_tcp b/protocols/tcp/banners/1433_tcp new file mode 100644 index 0000000..5f87095 Binary files /dev/null and b/protocols/tcp/banners/1433_tcp differ diff --git a/protocols/tcp/banners/21000_tcp b/protocols/tcp/banners/21000_tcp new file mode 100644 index 0000000..433f1db --- /dev/null +++ b/protocols/tcp/banners/21000_tcp @@ -0,0 +1,4 @@ +Microsoft Windows XP [Version 5.1.2600] +(C) Copyright 1985-2001 Microsoft Corp. + +C:\WINDOWS\system32> \ No newline at end of file diff --git a/protocols/tcp/banners/21_tcp b/protocols/tcp/banners/21_tcp new file mode 100644 index 0000000..bb61546 --- /dev/null +++ b/protocols/tcp/banners/21_tcp @@ -0,0 +1 @@ +220 Welcome to localhost diff --git a/protocols/tcp/banners/25_tcp b/protocols/tcp/banners/25_tcp new file mode 100644 index 0000000..1a8bb06 --- /dev/null +++ b/protocols/tcp/banners/25_tcp @@ -0,0 +1 @@ +250 localhost ESMTP Postfix diff --git a/protocols/tcp/banners/3306_tcp b/protocols/tcp/banners/3306_tcp new file mode 100644 index 0000000..15cf52d Binary files /dev/null and b/protocols/tcp/banners/3306_tcp differ diff --git a/protocols/tcp/banners/4444_tcp b/protocols/tcp/banners/4444_tcp new file mode 100644 index 0000000..433f1db --- /dev/null +++ b/protocols/tcp/banners/4444_tcp @@ -0,0 +1,4 @@ +Microsoft Windows XP [Version 5.1.2600] +(C) Copyright 1985-2001 Microsoft Corp. + +C:\WINDOWS\system32> \ No newline at end of file diff --git a/protocols/tcp/banners/445_tcp b/protocols/tcp/banners/445_tcp new file mode 100644 index 0000000..69c83a3 Binary files /dev/null and b/protocols/tcp/banners/445_tcp differ 
diff --git a/protocols/tcp/banners/4899_tcp b/protocols/tcp/banners/4899_tcp new file mode 100644 index 0000000..3f57ead Binary files /dev/null and b/protocols/tcp/banners/4899_tcp differ diff --git a/protocols/tcp/banners/5060_tcp b/protocols/tcp/banners/5060_tcp new file mode 100644 index 0000000..b43a35a --- /dev/null +++ b/protocols/tcp/banners/5060_tcp @@ -0,0 +1,26 @@ +SIP/2.0 200 OK +Via: SIP/2.0/TCP 127.0.0.1:5060;branch=1234567890 +From: sip:1234567890@127.0.0.1;tag=bad-012345 +To: ;tag=bad-012345 +Call-ID: 1348979872-797979222304855 +Cseq: 15 INVITE +Contact: sip:0987654321@127.0.0.1 +Content-Length: 401 +Content-Type: application/sdp + +v=0 +Anonymous 1234567890 9876543210 IN IP4 127.0.0.1 +s=SIGMA is the best +s=gotcha +c=IN IP4 127.0.0.1 +t=0 0 +m=audio 36952 RTP/AVP 107 119 100 106 6 0 97 105 98 8 18 3 5 101 +a=rtpmap:107 BV32/16000 +a=rtpmap:119 BV32-FEC/16000 +a=rtpmap:100 SPEEX/16000 +a=rtpmap:106 SPEEX-FEC/16000 +a=rtpmap:97 SPEEX/8000 +a=rtpmap:105 SPEEX-FEC/8000 +a=rtpmap:98 iLBC/8000 +a=rtpmap:101 telephone-event/8000 +a=fmtp:101 0-11 diff --git a/protocols/tcp/banners/5900_tcp b/protocols/tcp/banners/5900_tcp new file mode 100644 index 0000000..da549fe --- /dev/null +++ b/protocols/tcp/banners/5900_tcp @@ -0,0 +1 @@ +RFB 003.008 diff --git a/protocols/tcp/banners/8009_tcp b/protocols/tcp/banners/8009_tcp new file mode 100644 index 0000000..5ff6c53 Binary files /dev/null and b/protocols/tcp/banners/8009_tcp differ diff --git a/protocols/tcp/banners/80_tcp b/protocols/tcp/banners/80_tcp new file mode 100644 index 0000000..9cb49c5 --- /dev/null +++ b/protocols/tcp/banners/80_tcp @@ -0,0 +1,15 @@ +HTTP/1.1 200 OK +Connection: close +Date: Sun, 27 Nov 2005 13:07:34 GMT +Server: Microsoft-IIS/6.0 +X-Powered-By: ASP.NET +X-AspNet-Version: 2.0.50727 +Accept-Ranges: bytes +Content-Length: 30 +Cache-Control: private +Content-Type: text/html; charset=utf-8 + + + + + 
diff --git a/protocols/tcp/banners/README.md b/protocols/tcp/banners/README.md new file mode 100644 index 0000000..d54fd21 --- /dev/null +++ b/protocols/tcp/banners/README.md @@ -0,0 +1 @@ +Service banners are sourced from: https://github.com/armedpot/honeytrap/tree/master/etc/responses. \ No newline at end of file diff --git a/protocols/tcp/responses/110_tcp b/protocols/tcp/responses/110_tcp new file mode 100644 index 0000000..4f60b24 --- /dev/null +++ b/protocols/tcp/responses/110_tcp @@ -0,0 +1 @@ ++OK diff --git a/protocols/tcp/responses/135_tcp b/protocols/tcp/responses/135_tcp new file mode 100644 index 0000000..874699b Binary files /dev/null and b/protocols/tcp/responses/135_tcp differ diff --git a/protocols/tcp/responses/139_tcp b/protocols/tcp/responses/139_tcp new file mode 100644 index 0000000..7fdc1a7 Binary files /dev/null and b/protocols/tcp/responses/139_tcp differ diff --git a/protocols/tcp/responses/1433_tcp b/protocols/tcp/responses/1433_tcp new file mode 100644 index 0000000..5f87095 Binary files /dev/null and b/protocols/tcp/responses/1433_tcp differ diff --git a/protocols/tcp/responses/21000_tcp b/protocols/tcp/responses/21000_tcp new file mode 100644 index 0000000..433f1db --- /dev/null +++ b/protocols/tcp/responses/21000_tcp @@ -0,0 +1,4 @@ +Microsoft Windows XP [Version 5.1.2600] +(C) Copyright 1985-2001 Microsoft Corp. + +C:\WINDOWS\system32> \ No newline at end of file diff --git a/protocols/tcp/responses/21_tcp b/protocols/tcp/responses/21_tcp new file mode 100644 index 0000000..bb61546 --- /dev/null +++ b/protocols/tcp/responses/21_tcp @@ -0,0 +1 @@ +220 Welcome to localhost diff --git a/protocols/tcp/responses/25_tcp b/protocols/tcp/responses/25_tcp new file mode 100644 index 0000000..1a8bb06 --- /dev/null +++ b/protocols/tcp/responses/25_tcp @@ -0,0 +1 @@ +250 localhost ESMTP Postfix 
diff --git a/protocols/tcp/responses/3306_tcp b/protocols/tcp/responses/3306_tcp new file mode 100644 index 0000000..15cf52d Binary files /dev/null and b/protocols/tcp/responses/3306_tcp differ diff --git a/protocols/tcp/responses/4444_tcp b/protocols/tcp/responses/4444_tcp new file mode 100644 index 0000000..433f1db --- /dev/null +++ b/protocols/tcp/responses/4444_tcp @@ -0,0 +1,4 @@ +Microsoft Windows XP [Version 5.1.2600] +(C) Copyright 1985-2001 Microsoft Corp. + +C:\WINDOWS\system32> \ No newline at end of file diff --git a/protocols/tcp/responses/445_tcp b/protocols/tcp/responses/445_tcp new file mode 100644 index 0000000..69c83a3 Binary files /dev/null and b/protocols/tcp/responses/445_tcp differ diff --git a/protocols/tcp/responses/4899_tcp b/protocols/tcp/responses/4899_tcp new file mode 100644 index 0000000..3f57ead Binary files /dev/null and b/protocols/tcp/responses/4899_tcp differ diff --git a/protocols/tcp/responses/5060_tcp b/protocols/tcp/responses/5060_tcp new file mode 100644 index 0000000..b43a35a --- /dev/null +++ b/protocols/tcp/responses/5060_tcp @@ -0,0 +1,26 @@ +SIP/2.0 200 OK +Via: SIP/2.0/TCP 127.0.0.1:5060;branch=1234567890 +From: sip:1234567890@127.0.0.1;tag=bad-012345 +To: ;tag=bad-012345 +Call-ID: 1348979872-797979222304855 +Cseq: 15 INVITE +Contact: sip:0987654321@127.0.0.1 +Content-Length: 401 +Content-Type: application/sdp + +v=0 +Anonymous 1234567890 9876543210 IN IP4 127.0.0.1 +s=SIGMA is the best +s=gotcha +c=IN IP4 127.0.0.1 +t=0 0 +m=audio 36952 RTP/AVP 107 119 100 106 6 0 97 105 98 8 18 3 5 101 +a=rtpmap:107 BV32/16000 +a=rtpmap:119 BV32-FEC/16000 +a=rtpmap:100 SPEEX/16000 +a=rtpmap:106 SPEEX-FEC/16000 +a=rtpmap:97 SPEEX/8000 +a=rtpmap:105 SPEEX-FEC/8000 +a=rtpmap:98 iLBC/8000 +a=rtpmap:101 telephone-event/8000 +a=fmtp:101 0-11 diff --git a/protocols/tcp/responses/5900_tcp b/protocols/tcp/responses/5900_tcp new file mode 100644 index 0000000..da549fe --- /dev/null +++ b/protocols/tcp/responses/5900_tcp 
@@ -0,0 +1 @@ +RFB 003.008 diff --git a/protocols/tcp/responses/8009_tcp b/protocols/tcp/responses/8009_tcp new file mode 100644 index 0000000..5ff6c53 Binary files /dev/null and b/protocols/tcp/responses/8009_tcp differ diff --git a/protocols/tcp/responses/80_tcp b/protocols/tcp/responses/80_tcp new file mode 100644 index 0000000..9cb49c5 --- /dev/null +++ b/protocols/tcp/responses/80_tcp @@ -0,0 +1,15 @@ +HTTP/1.1 200 OK +Connection: close +Date: Sun, 27 Nov 2005 13:07:34 GMT +Server: Microsoft-IIS/6.0 +X-Powered-By: ASP.NET +X-AspNet-Version: 2.0.50727 +Accept-Ranges: bytes +Content-Length: 30 +Cache-Control: private +Content-Type: text/html; charset=utf-8 + + + + +