3 Commits

Author SHA1 Message Date
fd0d8a78fc Update README.md
Added more info about the `details` and `interactive` fields to logging section.
2025-02-05 06:41:16 -05:00
dba537c58f removed debug statements 2025-02-04 16:11:48 -05:00
b222940de2 Wildcard password support
Setting a password to be "*" in the config file will cause the server to accept any password the client provides for that account, including an empty password.
2025-02-04 16:05:23 -05:00
3 changed files with 8 additions and 5 deletions

View File

@ -93,8 +93,8 @@ Things to note:
* `Session summary`
* `SSH connection closed`
* Several of these message types also feature a `details` field with additional information
* `User input` messages contain a base64-encoded copy of the entire user input
* `LLM response` messages contain a base64-encoded copy of the entire simulated response
* `User input` messages contain a base64-encoded copy of the entire user input in the `details` field, as well as an `interactive` field (true/false) that tells you whether this was an interactive or non-interactive command (i.e., whether they logged in with a terminal session or provided a command on the SSH command-line).
* `LLM response` messages contain a base64-encoded copy of the entire simulated response in the `details` field.
* `Session summary` messages contain not only a summary of the commands, but also a guess as to what they might have been intended to accomplish. There will also be a `judgement` field that contains one of "BENIGN", "SUSPICIOUS", or "MALICIOUS"
* Since this is a honeypot and not intended for use by real users, IT WILL LOG USERNAMES AND PASSWORDS! These are found in the `Authentication success` messages, in the `username` and `password` fields.
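
Review bot: the new `User input` bullet describes `interactive` only as "(true/false)" and its "i.e." gloss does not say which case maps to `true`. Suggest stating the mapping explicitly (for example, `true` for a terminal session and `false` for a command given on the SSH command-line, if that is the behaviour) and whether the value is written as a boolean or as a string, so log consumers can filter on it without reading the code.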
@ -102,4 +102,4 @@ Things to note:
Contributions are welcome! Please submit pull requests or open issues to discuss any changes or improvements.
### License
This project is licensed under the MIT License. See the LICENSE file for details.
This project is licensed under the MIT License. See the LICENSE file for details.

View File

@ -75,9 +75,12 @@ system_prompt = Interpret all inputs as though they were SSH commands and provid
# The valid user accounts and passwords for the SSH server, in the
# form "username = password". Note that you can enable login without
# a password by leaving that field blank (e.g., "guest =" on a line by
# itself)
# itself). You can set an account to accept ANY password, including an empty
# password, by setting the password to "*"
[user_accounts]
guest =
user1 = secretpw
user2 = password123
root = *
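
Review bot: the added `root = *` line in the sample `[user_accounts]` section means anyone who copies this config unchanged gets a root account that accepts any password, including an empty one. If that is the intended default for the honeypot, say so in the comment above the section. The comment should also note that `*` is a reserved value and cannot be used as a literal password.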

View File

@ -105,7 +105,7 @@ class MySSHServer(asyncssh.SSHServer):
def validate_password(self, username: str, password: str) -> bool:
pw = accounts.get(username, '*')
if ((pw != '*') and (password == pw)):
if pw == '*' or (pw != '*' and password == pw):
logger.info("Authentication success", extra={"username": username, "password": password})
return True
else:
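
Review bot: in `validate_password`, the lookup `accounts.get(username, '*')` still falls back to `'*'` for usernames that are not in `accounts`, so with the new `pw == '*'` branch an unknown username now authenticates with any password, unless something outside this hunk rejects it first. The commit message limits the wildcard to accounts whose configured password is "*". Suggest looking the name up with `accounts.get(username)` and returning False when the result is None, before the wildcard comparison. The `pw != '*'` test in the second clause is also redundant once `pw == '*' or` precedes it, so the condition can be reduced to `pw == '*' or password == pw`.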