3 Commits

Author SHA1 Message Date
fd0d8a78fc Update README.md
Added more info about the `details` and `interactive` fields to logging section.
2025-02-05 06:41:16 -05:00
dba537c58f removed debug statements 2025-02-04 16:11:48 -05:00
b222940de2 Wildcard password support
Setting a password to be "*" in the config file will cause the server to accept any password the client provides for that account, including an empty password.
2025-02-04 16:05:23 -05:00
3 changed files with 8 additions and 5 deletions

@ -93,8 +93,8 @@ Things to note:
* `Session summary` * `Session summary`
* `SSH connection closed` * `SSH connection closed`
* Several of these message types also feature a `details` field with additional information * Several of these message types also feature a `details` field with additional information
* `User input` messages contain a base64-encoded copy of the entire user input * `User input` messages contain a base64-encoded copy of the entire user input in the `details` field, as well as an `interactive` field (true/false) that tells you whether this was an interactive or non-interactive command (i.e., whether they logged in with a terminal session or provided a command on the SSH command-line).
* `LLM response` messages contain a base64-encoded copy of the entire simulated response * `LLM response` messages contain a base64-encoded copy of the entire simulated response in the `details` field.
* `Session summary` messages contain not only a summary of the commands, but also a guess as to what they might have been intended to accomplish. There will also be a `judgement` field that contains one of "BENIGN", "SUSPICIOUS", or "MALICIOUS" * `Session summary` messages contain not only a summary of the commands, but also a guess as to what they might have been intended to accomplish. There will also be a `judgement` field that contains one of "BENIGN", "SUSPICIOUS", or "MALICIOUS"
* Since this is a honeypot and not intended for use by real users, IT WILL LOG USERNAMES AND PASSWORDS! These are found in the `Authentication success` messages, in the `username` and `password` fields. * Since this is a honeypot and not intended for use by real users, IT WILL LOG USERNAMES AND PASSWORDS! These are found in the `Authentication success` messages, in the `username` and `password` fields.
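Review bot: The `User input` and `LLM response` bullets now name the `details` field, but the `Session summary` bullet in the same list still does not say which field carries the summary text; name it so the three bullets are consistent. For `interactive`, also state which value maps to which case (for example, that true means a terminal session), since the parenthetical lists the two cases without tying them to true/false.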
@ -102,4 +102,4 @@ Things to note:
Contributions are welcome! Please submit pull requests or open issues to discuss any changes or improvements. Contributions are welcome! Please submit pull requests or open issues to discuss any changes or improvements.
### License ### License
This project is licensed under the MIT License. See the LICENSE file for details. This project is licensed under the MIT License. See the LICENSE file for details.

@ -75,9 +75,12 @@ system_prompt = Interpret all inputs as though they were SSH commands and provid
# The valid user accounts and passwords for the SSH server, in the # The valid user accounts and passwords for the SSH server, in the
# form "username = password". Note that you can enable login without # form "username = password". Note that you can enable login without
# a password by leaving that field blank (e.g., "guest =" on a line by # a password by leaving that field blank (e.g., "guest =" on a line by
# itself) # itself). You can set an account to accept ANY password, including an empty
# password, by setting the password to "*"
[user_accounts] [user_accounts]
guest = guest =
user1 = secretpw user1 = secretpw
user2 = password123 user2 = password123
root = *
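Review bot: The new comment above `[user_accounts]` does not say that `*` is now a reserved value, so a literal one-character password `*` can no longer be configured for an account; state that in the comment, and close the sentence with a period. The sample also gains `root = *`, which makes the shipped example config accept any password for root. Say in the comment that this entry is deliberate so that operators who copy the file know what they are enabling.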

@ -105,7 +105,7 @@ class MySSHServer(asyncssh.SSHServer):
def validate_password(self, username: str, password: str) -> bool: def validate_password(self, username: str, password: str) -> bool:
pw = accounts.get(username, '*') pw = accounts.get(username, '*')
if ((pw != '*') and (password == pw)): if pw == '*' or (pw != '*' and password == pw):
logger.info("Authentication success", extra={"username": username, "password": password}) logger.info("Authentication success", extra={"username": username, "password": password})
return True return True
else: else:
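Review bot: In `validate_password`, the lookup `accounts.get(username, '*')` still defaults to `'*'` for usernames that are not in the config, so the new `pw == '*'` branch accepts every unknown username with any password, not only accounts explicitly set to `*` as the commit message describes. Before this change that default could never match, because the condition required `pw != '*'`. If accepting unknown usernames is not intended, use a distinct default for the missing-account case (for example `accounts.get(username)` and return False on `None`) before testing for the wildcard; if it is intended, document it in the config comment. The `pw != '*' and` part of the second operand is redundant after `pw == '*' or` and can be dropped.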