2018-04-27 23:10:45 +00:00
|
|
|
#!/usr/bin/env python3
|
|
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
import os
|
2018-06-05 12:14:41 +00:00
|
|
|
import time
|
2018-04-27 23:10:45 +00:00
|
|
|
import socket
|
|
|
|
|
import logging
|
|
|
|
|
logging.basicConfig(format='%(message)s')
|
|
|
|
|
import threading
|
|
|
|
|
from io import BytesIO
|
|
|
|
|
from xml.etree import ElementTree
|
|
|
|
|
from http.server import HTTPServer
|
|
|
|
|
from socketserver import ThreadingMixIn
|
|
|
|
|
from http.server import SimpleHTTPRequestHandler
|
|
|
|
|
import ike_server
|
2018-06-05 12:14:41 +00:00
|
|
|
import datetime
|
2018-04-27 23:10:45 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
class NonBlockingHTTPServer(ThreadingMixIn, HTTPServer):
|
|
|
|
|
pass
|
|
|
|
|
|
2018-06-05 12:14:41 +00:00
|
|
|
class hpflogger:
|
|
|
|
|
def __init__(self, hpfserver, hpfport, hpfident, hpfsecret, hpfchannel, serverid, verbose):
|
|
|
|
|
self.hpfserver=hpfserver
|
|
|
|
|
self.hpfport=hpfport
|
|
|
|
|
self.hpfident=hpfident
|
|
|
|
|
self.hpfsecret=hpfsecret
|
|
|
|
|
self.hpfchannel=hpfchannel
|
|
|
|
|
self.serverid=serverid
|
|
|
|
|
self.hpc=None
|
|
|
|
|
self.verbose=verbose
|
|
|
|
|
if (self.hpfserver and self.hpfport and self.hpfident and self.hpfport and self.hpfchannel and self.serverid):
|
|
|
|
|
import hpfeeds
|
|
|
|
|
try:
|
|
|
|
|
self.hpc = hpfeeds.new(self.hpfserver, self.hpfport, self.hpfident, self.hpfsecret)
|
|
|
|
|
logger.debug("Logging to hpfeeds using server: {0}, channel {1}.".format(self.hpfserver, self.hpfchannel))
|
|
|
|
|
except (hpfeeds.FeedException, socket.error, hpfeeds.Disconnect):
|
|
|
|
|
logger.critical("hpfeeds connection not successful")
|
|
|
|
|
|
|
|
|
|
def log(self, level, message):
|
|
|
|
|
if self.hpc:
|
|
|
|
|
if level in ['debug', 'info'] and not self.verbose:
|
|
|
|
|
return
|
|
|
|
|
self.hpc.publish(self.hpfchannel, "["+self.serverid+"] ["+level+"] ["+datetime.datetime.now().isoformat() +"] " + str(message))
|
|
|
|
|
|
2018-04-27 23:10:45 +00:00
|
|
|
|
|
|
|
|
def header_split(h):
|
|
|
|
|
return [list(map(str.strip, l.split(': ', 1))) for l in h.strip().splitlines()]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class WebLogicHandler(SimpleHTTPRequestHandler):
|
|
|
|
|
logger = None
|
2018-06-05 12:14:41 +00:00
|
|
|
hpfl = None
|
2018-04-27 23:10:45 +00:00
|
|
|
|
|
|
|
|
protocol_version = "HTTP/1.1"
|
|
|
|
|
|
|
|
|
|
EXPLOIT_STRING = b"host-scan-reply"
|
|
|
|
|
RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
|
<config-auth client="vpn" type="complete">
|
|
|
|
|
<version who="sg">9.0(1)</version>
|
|
|
|
|
<error id="98" param1="" param2="">VPN Server could not parse request.</error>
|
|
|
|
|
</config-auth>"""
|
|
|
|
|
|
|
|
|
|
basepath = os.path.dirname(os.path.abspath(__file__))
|
|
|
|
|
|
|
|
|
|
alert_function = None
|
|
|
|
|
|
|
|
|
|
def setup(self):
|
|
|
|
|
SimpleHTTPRequestHandler.setup(self)
|
|
|
|
|
self.request.settimeout(3)
|
|
|
|
|
|
|
|
|
|
def send_header(self, keyword, value):
|
|
|
|
|
if keyword.lower() == 'server':
|
|
|
|
|
return
|
|
|
|
|
SimpleHTTPRequestHandler.send_header(self, keyword, value)
|
|
|
|
|
|
|
|
|
|
def send_head(self):
|
|
|
|
|
# send_head will return a file object that do_HEAD/GET will use
|
|
|
|
|
# do_GET/HEAD are already implemented by SimpleHTTPRequestHandler
|
|
|
|
|
filename = os.path.basename(self.path.rstrip('/').split('?', 1)[0])
|
|
|
|
|
|
|
|
|
|
if self.path == '/':
|
|
|
|
|
self.send_response(200)
|
|
|
|
|
for k, v in header_split("""
|
|
|
|
|
Content-Type: text/html
|
|
|
|
|
Cache-Control: no-cache
|
|
|
|
|
Pragma: no-cache
|
|
|
|
|
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
|
|
|
|
|
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
|
|
|
|
|
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
|
|
|
|
|
Set-Cookie: webvpn_portal=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
|
|
|
|
|
Set-Cookie: webvpnSharePoint=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
|
|
|
|
|
Set-Cookie: webvpnlogin=1; path=/; secure
|
|
|
|
|
Set-Cookie: sdesktop=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
|
|
|
|
|
"""):
|
|
|
|
|
self.send_header(k, v)
|
|
|
|
|
self.end_headers()
|
|
|
|
|
return BytesIO(b'<html><script>document.location.replace("/+CSCOE+/logon.html")</script></html>\n')
|
|
|
|
|
elif filename == 'asa': # don't allow dir listing
|
|
|
|
|
return self.send_file('wrong_url.html', 403)
|
|
|
|
|
else:
|
|
|
|
|
return self.send_file(filename)
|
|
|
|
|
|
|
|
|
|
def redirect(self, loc):
|
|
|
|
|
self.send_response(302)
|
|
|
|
|
for k, v in header_split("""
|
|
|
|
|
Content-Type: text/html
|
|
|
|
|
Content-Length: 0
|
|
|
|
|
Cache-Control: no-cache
|
|
|
|
|
Pragma: no-cache
|
|
|
|
|
Location: %s
|
|
|
|
|
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
|
|
|
|
|
""" % (loc,)):
|
|
|
|
|
self.send_header(k, v)
|
|
|
|
|
self.end_headers()
|
|
|
|
|
|
|
|
|
|
def do_GET(self):
|
|
|
|
|
if self.path == '/+CSCOE+/logon.html':
|
|
|
|
|
self.redirect('/+CSCOE+/logon.html?fcadbadd=1')
|
|
|
|
|
return
|
|
|
|
|
elif self.path.startswith('/+CSCOE+/logon.html?') and 'reason=1' in self.path:
|
|
|
|
|
self.wfile.write(self.send_file('logon_failure').getvalue())
|
|
|
|
|
return
|
|
|
|
|
SimpleHTTPRequestHandler.do_GET(self)
|
|
|
|
|
|
|
|
|
|
def do_POST(self):
|
|
|
|
|
data_len = int(self.headers.get('Content-length', 0))
|
|
|
|
|
data = self.rfile.read(data_len) if data_len else b''
|
|
|
|
|
body = self.RESPONSE
|
|
|
|
|
if self.EXPLOIT_STRING in data:
|
|
|
|
|
xml = ElementTree.fromstring(data)
|
|
|
|
|
payloads = []
|
|
|
|
|
for x in xml.iter('host-scan-reply'):
|
|
|
|
|
payloads.append(x.text)
|
|
|
|
|
|
|
|
|
|
self.alert_function(self.client_address[0], self.client_address[1], payloads)
|
|
|
|
|
|
|
|
|
|
elif self.path == '/':
|
|
|
|
|
self.redirect('/+webvpn+/index.html')
|
|
|
|
|
return
|
|
|
|
|
elif self.path == '/+CSCOE+/logon.html':
|
|
|
|
|
self.redirect('/+CSCOE+/logon.html?fcadbadd=1')
|
|
|
|
|
return
|
|
|
|
|
elif self.path.split('?', 1)[0] == '/+webvpn+/index.html':
|
|
|
|
|
with open(os.path.join(self.basepath, 'asa', "logon_redir.html"), 'rb') as fh:
|
|
|
|
|
body = fh.read()
|
|
|
|
|
|
|
|
|
|
self.send_response(200)
|
|
|
|
|
self.send_header('Content-Length', int(len(body)))
|
|
|
|
|
self.send_header('Content-Type', 'text/html; charset=UTF-8')
|
|
|
|
|
self.end_headers()
|
|
|
|
|
self.wfile.write(body)
|
|
|
|
|
return
|
|
|
|
|
|
|
|
|
|
def send_file(self, filename, status_code=200, headers=[]):
|
|
|
|
|
try:
|
|
|
|
|
with open(os.path.join(self.basepath, 'asa', filename), 'rb') as fh:
|
|
|
|
|
body = fh.read()
|
|
|
|
|
self.send_response(status_code)
|
|
|
|
|
for k, v in headers:
|
|
|
|
|
self.send_header(k, v)
|
|
|
|
|
if status_code == 200:
|
|
|
|
|
for k, v in header_split("""
|
|
|
|
|
Cache-Control: max-age=0
|
|
|
|
|
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
|
|
|
|
|
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
|
|
|
|
|
Set-Cookie: webvpnlogin=1; secure
|
|
|
|
|
X-Transcend-Version: 1
|
|
|
|
|
"""):
|
|
|
|
|
self.send_header(k, v)
|
|
|
|
|
self.send_header('Content-Length', int(len(body)))
|
|
|
|
|
self.send_header('Content-Type', 'text/html')
|
|
|
|
|
self.end_headers()
|
|
|
|
|
return BytesIO(body)
|
|
|
|
|
except IOError:
|
|
|
|
|
return self.send_file('wrong_url.html', 404)
|
|
|
|
|
|
|
|
|
|
def log_message(self, format, *args):
|
|
|
|
|
self.logger.debug("{'timestamp': '%s', 'src_ip': '%s', 'payload_printable': '%s'}" %
|
2018-05-09 14:29:06 +00:00
|
|
|
(datetime.datetime.now().isoformat(),
|
2018-04-27 23:10:45 +00:00
|
|
|
self.client_address[0],
|
|
|
|
|
format % args))
|
2018-06-05 12:14:41 +00:00
|
|
|
self.hpfl.log('debug', "%s - - [%s] %s" %
|
|
|
|
|
(self.client_address[0],
|
|
|
|
|
self.log_date_time_string(),
|
|
|
|
|
format % args))
|
2018-04-27 23:10:45 +00:00
|
|
|
|
|
|
|
|
def handle_one_request(self):
|
|
|
|
|
"""Handle a single HTTP request.
|
|
|
|
|
Overriden to not send 501 errors
|
|
|
|
|
"""
|
|
|
|
|
self.close_connection = True
|
|
|
|
|
try:
|
|
|
|
|
self.raw_requestline = self.rfile.readline(65537)
|
|
|
|
|
if len(self.raw_requestline) > 65536:
|
|
|
|
|
self.requestline = ''
|
|
|
|
|
self.request_version = ''
|
|
|
|
|
self.command = ''
|
|
|
|
|
self.close_connection = 1
|
|
|
|
|
return
|
|
|
|
|
if not self.raw_requestline:
|
|
|
|
|
self.close_connection = 1
|
|
|
|
|
return
|
|
|
|
|
if not self.parse_request():
|
|
|
|
|
# An error code has been sent, just exit
|
|
|
|
|
return
|
|
|
|
|
mname = 'do_' + self.command
|
|
|
|
|
if not hasattr(self, mname):
|
|
|
|
|
self.log_request()
|
|
|
|
|
self.close_connection = True
|
|
|
|
|
return
|
|
|
|
|
method = getattr(self, mname)
|
|
|
|
|
method()
|
|
|
|
|
self.wfile.flush() # actually send the response if not already done.
|
|
|
|
|
except socket.timeout as e:
|
|
|
|
|
# a read or a write timed out. Discard this connection
|
|
|
|
|
self.log_error("Request timed out: %r", e)
|
|
|
|
|
self.close_connection = 1
|
|
|
|
|
return
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
|
import click
|
|
|
|
|
|
|
|
|
|
logging.basicConfig(level=logging.INFO)
|
|
|
|
|
logger = logging.getLogger()
|
|
|
|
|
logger.info('info')
|
|
|
|
|
|
|
|
|
|
@click.command()
|
|
|
|
|
@click.option('-h', '--host', default='0.0.0.0', help='Host to listen')
|
|
|
|
|
@click.option('-p', '--port', default=8443, help='Port to listen', type=click.INT)
|
|
|
|
|
@click.option('-i', '--ike-port', default=5000, help='Port to listen for IKE', type=click.INT)
|
|
|
|
|
@click.option('-s', '--enable_ssl', default=False, help='Enable SSL', is_flag=True)
|
|
|
|
|
@click.option('-c', '--cert', default=None, help='Certificate File Path (will generate self signed '
|
|
|
|
|
'cert if not supplied)')
|
|
|
|
|
@click.option('-v', '--verbose', default=False, help='Verbose logging', is_flag=True)
|
2018-06-05 12:14:41 +00:00
|
|
|
|
|
|
|
|
# hpfeeds options
|
|
|
|
|
@click.option('--hpfserver', default=os.environ.get('HPFEEDS_SERVER'), help='HPFeeds Server')
|
|
|
|
|
@click.option('--hpfport', default=os.environ.get('HPFEEDS_PORT'), help='HPFeeds Port', type=click.INT)
|
|
|
|
|
@click.option('--hpfident', default=os.environ.get('HPFEEDS_IDENT'), help='HPFeeds Ident')
|
|
|
|
|
@click.option('--hpfsecret', default=os.environ.get('HPFEEDS_SECRET'), help='HPFeeds Secret')
|
|
|
|
|
@click.option('--hpfchannel', default=os.environ.get('HPFEEDS_CHANNEL'), help='HPFeeds Channel')
|
|
|
|
|
@click.option('--serverid', default=os.environ.get('SERVERID'), help='Verbose logging')
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def start(host, port, ike_port, enable_ssl, cert, verbose, hpfserver, hpfport, hpfident, hpfsecret, hpfchannel, serverid):
|
2018-04-27 23:10:45 +00:00
|
|
|
"""
|
|
|
|
|
A low interaction honeypot for the Cisco ASA component capable of detecting CVE-2018-0101,
|
|
|
|
|
a DoS and remote code execution vulnerability
|
|
|
|
|
"""
|
2018-06-05 12:14:41 +00:00
|
|
|
|
|
|
|
|
hpfl=hpflogger(hpfserver, hpfport, hpfident, hpfsecret, hpfchannel, serverid, verbose)
|
|
|
|
|
|
2018-04-27 23:10:45 +00:00
|
|
|
def alert(cls, host, port, payloads):
|
|
|
|
|
logger.critical({
|
2018-06-05 12:14:41 +00:00
|
|
|
'timestamp': datetime.datetime.utcnow().isoformat(),
|
|
|
|
|
'src_ip': host,
|
|
|
|
|
'src_port': port,
|
|
|
|
|
'payload_printable': payloads,
|
2018-04-27 23:10:45 +00:00
|
|
|
})
|
2018-06-05 12:14:41 +00:00
|
|
|
#log to hpfeeds
|
|
|
|
|
hpfl.log("critical", {
|
|
|
|
|
'src': host,
|
|
|
|
|
'spt': port,
|
|
|
|
|
'data': payloads,
|
|
|
|
|
})
|
2018-04-27 23:10:45 +00:00
|
|
|
|
|
|
|
|
if verbose:
|
|
|
|
|
logger.setLevel(logging.DEBUG)
|
|
|
|
|
|
|
|
|
|
requestHandler = WebLogicHandler
|
|
|
|
|
requestHandler.alert_function = alert
|
|
|
|
|
requestHandler.logger = logger
|
2018-06-05 12:14:41 +00:00
|
|
|
requestHandler.hpfl = hpfl
|
2018-04-27 23:10:45 +00:00
|
|
|
|
|
|
|
|
def log_date_time_string():
|
|
|
|
|
"""Return the current time formatted for logging."""
|
2018-06-05 12:14:41 +00:00
|
|
|
now = datetime.datetime.now().isoformat()
|
2018-04-27 23:10:45 +00:00
|
|
|
return now
|
|
|
|
|
|
|
|
|
|
def ike():
|
2018-06-05 12:14:41 +00:00
|
|
|
ike_server.start(host, ike_port, alert, logger, hpfl)
|
2018-04-27 23:10:45 +00:00
|
|
|
t = threading.Thread(target=ike)
|
|
|
|
|
t.daemon = True
|
|
|
|
|
t.start()
|
|
|
|
|
|
|
|
|
|
httpd = HTTPServer((host, port), requestHandler)
|
|
|
|
|
if enable_ssl:
|
|
|
|
|
import ssl
|
|
|
|
|
if not cert:
|
|
|
|
|
import gencert
|
|
|
|
|
cert = gencert.gencert()
|
|
|
|
|
httpd.socket = ssl.wrap_socket(httpd.socket, certfile=cert, server_side=True)
|
|
|
|
|
|
|
|
|
|
logger.info('Starting server on port {:d}/tcp, use <Ctrl-C> to stop'.format(port))
|
2018-06-05 12:14:41 +00:00
|
|
|
hpfl.log('info', 'Starting server on port {:d}/tcp, use <Ctrl-C> to stop'.format(port))
|
|
|
|
|
|
2018-04-27 23:10:45 +00:00
|
|
|
try:
|
|
|
|
|
httpd.serve_forever()
|
|
|
|
|
except KeyboardInterrupt:
|
|
|
|
|
pass
|
|
|
|
|
logger.info('Stopping server.')
|
2018-06-05 12:14:41 +00:00
|
|
|
hpfl.log('info', 'Stopping server.')
|
|
|
|
|
|
2018-04-27 23:10:45 +00:00
|
|
|
httpd.server_close()
|
|
|
|
|
|
|
|
|
|
start()
|
