The config template specified the default server version string as "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3" but the SSH module automatically prepends "SSH-2.0-" to the beginning. This gave the version string returned to the client a potential fingerprint that could be used to easily identify DECEIVE honeypots. Updated the default value and added comments to document this behavior.
* 'sensor_name` is an arbitrary string that identifies the specific honeypot sensor that generated the log. Set it in the config.ini file. If not set, it will default to the honeypot system's hostname.
* 'sensor_protocol' identifies the specific protocol this honeypot sensor uses. For SSH, it's always "ssh" but as other protocols are added to DECEIVE in the future, this will have different values for their logs.
Setting a password to be "*" in the config file will cause the server to accept any password the client provides for that account, including an empty password.
SSH servers can take user commands from an interactive session as normal, but users can also include commands on the ssh client command line which are executed on the server (e.g., "ssh <hostname> 'uname -a'"). We now execute these non-interactive commands properly as well.
Also added a new "interactive" flag to all user commands (true/false) to show which type of command execution this was.
For whatever reason, MacOS returns 4 values from conn.get_extra_info('peername') and conn.get_extra_info('sockname'), but Linux systems only return 2. On the Mac, it's only the first two that we need anyway. Now we retrieve them all, no matter how many there are, and just use the first two so it will work on both platforms.
* --prompt-file to specify a file from which to read the prompt.
* --prompt to specify a prompt string on the command line
* --config to specify an alternate config file
The config file now contains a new "system_prompt" value in the [llm] section. This would be the same for all DECEIVE instances, and configures how the emulation itself will act. The honeypot administrator should mostly keep this intact. The prompt.txt file now focuses more on what type of system to emulate, and optional details such as valid users, contents to stage on the system, etc.
* Project is now called DECEIVE, so the README.md has been updated to reflect this
* Added more details about installation, configuration, host platform support, and logging to the README.md
* All logging is now in JSON lines format!
* Fixed a bug where the session summary was generated twice for the same session
* Fixed a reversion in the exit handling when the user logged out gracefully.
* Session summaries now occur both at normal session termination (e.g., the user gracefully logs out) or abnormal termination, such as if the client disconnects suddenly.
* Now encode the AI results as UTF-8 instead of ASCII, because it would ocassionally send back non-ASCII characters which caused the server to throw errors
Rather than explicitly checking to see if the user
was typing a shell exit command, the LLM is now
instructed to provide a specific token starting
("XXX-END-OF-SESSION-XXX") to indicate that the
session should be closed. This allows the user to
exit the shell in any way they see fit, and the
LLM will still know when to end the session. It
also means that typing 'exit' or similar commands
to subshells or command interpreters (e.g. Python)
are less likely to cause the session to end.
