mirror of
https://github.com/splunk/DECEIVE.git
synced 2025-07-02 00:57:26 -04:00
Compare commits
3 Commits
ssh-execut
...
deceive-1.
Author | SHA1 | Date | |
---|---|---|---|
fd0d8a78fc | |||
dba537c58f | |||
b222940de2 |
@ -93,8 +93,8 @@ Things to note:
|
|||||||
* `Session summary`
|
* `Session summary`
|
||||||
* `SSH connection closed`
|
* `SSH connection closed`
|
||||||
* Several of these message types also feature a `details` field with additional information
|
* Several of these message types also feature a `details` field with additional information
|
||||||
* `User input` messages contain a base64-encoded copy of the entire user input
|
* `User input` messages contain a base64-encoded copy of the entire user input in the `details` field, as well as an `interactive` field (true/false) that tells you whether this was an interactive or non-interactive command (i.e., whether they logged in with a terminal session or provided a command on the SSH command-line).
|
||||||
* `LLM response` messages contain a base64-encoded copy of the entire simulated response
|
* `LLM response` messages contain a base64-encoded copy of the entire simulated response in the `details` field.
|
||||||
* `Session summary` messages contain not only a summary of the commands, but also a guess as to what they might have been intended to accomplish. There will also be a `judgement` field that contains one of "BENIGN", "SUSPICIOUS", or "MALICIOUS"
|
* `Session summary` messages contain not only a summary of the commands, but also a guess as to what they might have been intended to accomplish. There will also be a `judgement` field that contains one of "BENIGN", "SUSPICIOUS", or "MALICIOUS"
|
||||||
* Since this is a honeypot and not intended for use by real users, IT WILL LOG USERNAMES AND PASSWORDS! These are found in the `Authentication success` messages, in the `username` and `password` fields.
|
* Since this is a honeypot and not intended for use by real users, IT WILL LOG USERNAMES AND PASSWORDS! These are found in the `Authentication success` messages, in the `username` and `password` fields.
|
||||||
|
|
||||||
|
@ -75,9 +75,12 @@ system_prompt = Interpret all inputs as though they were SSH commands and provid
|
|||||||
# The valid user accounts and passwords for the SSH server, in the
|
# The valid user accounts and passwords for the SSH server, in the
|
||||||
# form "username = password". Note that you can enable login without
|
# form "username = password". Note that you can enable login without
|
||||||
# a password by leaving that field blank (e.g., "guest =" on a line by
|
# a password by leaving that field blank (e.g., "guest =" on a line by
|
||||||
# itself)
|
# itself). You can set an account to accept ANY password, including an empty
|
||||||
|
# password, by setting the password to "*"
|
||||||
[user_accounts]
|
[user_accounts]
|
||||||
guest =
|
guest =
|
||||||
user1 = secretpw
|
user1 = secretpw
|
||||||
user2 = password123
|
user2 = password123
|
||||||
|
root = *
|
||||||
|
|
||||||
|
|
||||||
|
@ -105,7 +105,7 @@ class MySSHServer(asyncssh.SSHServer):
|
|||||||
def validate_password(self, username: str, password: str) -> bool:
|
def validate_password(self, username: str, password: str) -> bool:
|
||||||
pw = accounts.get(username, '*')
|
pw = accounts.get(username, '*')
|
||||||
|
|
||||||
if ((pw != '*') and (password == pw)):
|
if pw == '*' or (pw != '*' and password == pw):
|
||||||
logger.info("Authentication success", extra={"username": username, "password": password})
|
logger.info("Authentication success", extra={"username": username, "password": password})
|
||||||
return True
|
return True
|
||||||
else:
|
else:
|
||||||
|
Reference in New Issue
Block a user