anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Implement ICS/SCADA and IMAP Bait features

Browse Source
This commit is contained in:
anti
2026-04-10 01:50:08 -04:00
parent 63fb477e1f
commit 08242a4d84
112 changed files with 3239 additions and 764 deletions
Download Patch File Download Diff File Expand all files Collapse all files

170
templates/imap/decnet_logging.py
View File

@@ -2,10 +2,9 @@
"""
Shared RFC 5424 syslog helper for DECNET service templates.
Provides two functions consumed by every service's server.py:
- syslog_line(service, hostname, event_type, severity, **fields) -> str
- write_syslog_file(line: str) -> None
- forward_syslog(line: str, log_target: str) -> None
Services call syslog_line() to format an RFC 5424 message, then
write_syslog_file() to emit it to stdout — Docker captures it, and the
host-side collector streams it into the log file.
RFC 5424 structure:
<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ELEMENT] MSG
@@ -13,12 +12,7 @@ RFC 5424 structure:
Facility: local0 (16), PEN for SD element ID: decnet@55555
"""
import logging
import logging.handlers
import os
import socket
from datetime import datetime, timezone
from pathlib import Path
from typing import Any
# ─── Constants ────────────────────────────────────────────────────────────────
@@ -40,11 +34,6 @@ _MAX_HOSTNAME = 255
_MAX_APPNAME = 48
_MAX_MSGID = 32
_LOG_FILE_ENV = "DECNET_LOG_FILE"
_DEFAULT_LOG_FILE = "/var/log/decnet/decnet.log"
_MAX_BYTES = 10 * 1024 * 1024 # 10 MB
_BACKUP_COUNT = 5
# ─── Formatter ────────────────────────────────────────────────────────────────
def _sd_escape(value: str) -> str:
@@ -90,156 +79,11 @@ def syslog_line(
return f"{pri}1 {ts} {host} {appname} {_NILVALUE} {msgid} {sd}{message}"
# ─── File handler ─────────────────────────────────────────────────────────────
_file_logger: logging.Logger | None = None
def _get_file_logger() -> logging.Logger:
global _file_logger
if _file_logger is not None:
return _file_logger
log_path = Path(os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE))
try:
log_path.parent.mkdir(parents=True, exist_ok=True)
handler = logging.handlers.RotatingFileHandler(
log_path,
maxBytes=_MAX_BYTES,
backupCount=_BACKUP_COUNT,
encoding="utf-8",
)
except OSError:
handler = logging.StreamHandler()
handler.setFormatter(logging.Formatter("%(message)s"))
_file_logger = logging.getLogger("decnet.syslog")
_file_logger.setLevel(logging.DEBUG)
_file_logger.propagate = False
_file_logger.addHandler(handler)
return _file_logger
_json_logger: logging.Logger | None = None
def _get_json_logger() -> logging.Logger:
global _json_logger
if _json_logger is not None:
return _json_logger
log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
json_path = Path(log_path_str).with_suffix(".json")
try:
json_path.parent.mkdir(parents=True, exist_ok=True)
handler = logging.handlers.RotatingFileHandler(
json_path,
maxBytes=_MAX_BYTES,
backupCount=_BACKUP_COUNT,
encoding="utf-8",
)
except OSError:
handler = logging.StreamHandler()
handler.setFormatter(logging.Formatter("%(message)s"))
_json_logger = logging.getLogger("decnet.json")
_json_logger.setLevel(logging.DEBUG)
_json_logger.propagate = False
_json_logger.addHandler(handler)
return _json_logger
def write_syslog_file(line: str) -> None:
"""Append a syslog line to the rotating log file."""
try:
_get_file_logger().info(line)
# Also parse and write JSON log
import json
import re
from datetime import datetime
from typing import Optional, Any
_RFC5424_RE: re.Pattern = re.compile(
r"^<\d+>1 "
r"(\S+) " # 1: TIMESTAMP
r"(\S+) " # 2: HOSTNAME (decky name)
r"(\S+) " # 3: APP-NAME (service)
r"- " # PROCID always NILVALUE
r"(\S+) " # 4: MSGID (event_type)
r"(.+)$", # 5: SD element + optional MSG
)
_SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
_PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
_IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
_m: Optional[re.Match] = _RFC5424_RE.match(line)
if _m:
_ts_raw: str
_decky: str
_service: str
_event_type: str
_sd_rest: str
_ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
_fields: dict[str, str] = {}
_msg: str = ""
if _sd_rest.startswith("-"):
_msg = _sd_rest[1:].lstrip()
elif _sd_rest.startswith("["):
_block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
if _block:
for _k, _v in _PARAM_RE.findall(_block.group(1)):
_fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
# extract msg after the block
_msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
if _msg_match:
_msg = _msg_match.group(1).strip()
else:
_msg = _sd_rest
_attacker_ip: str = "Unknown"
for _fname in _IP_FIELDS:
if _fname in _fields:
_attacker_ip = _fields[_fname]
break
# Parse timestamp to normalize it
_ts_formatted: str
try:
_ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
except ValueError:
_ts_formatted = _ts_raw
_payload: dict[str, Any] = {
"timestamp": _ts_formatted,
"decky": _decky,
"service": _service,
"event_type": _event_type,
"attacker_ip": _attacker_ip,
"fields": json.dumps(_fields),
"msg": _msg,
"raw_line": line
}
_get_json_logger().info(json.dumps(_payload))
except Exception:
pass
"""Emit a syslog line to stdout for Docker log capture."""
print(line, flush=True)
# ─── TCP forwarding ───────────────────────────────────────────────────────────
def forward_syslog(line: str, log_target: str) -> None:
"""Forward a syslog line over TCP to log_target (ip:port)."""
if not log_target:
return
try:
host, port = log_target.rsplit(":", 1)
with socket.create_connection((host, int(port)), timeout=3) as s:
s.sendall((line + "\n").encode())
except Exception:
pass
"""No-op stub. TCP forwarding is now handled by rsyslog, not by service containers."""
pass

84
templates/imap/server.py
View File

@@ -1,8 +1,10 @@
#!/usr/bin/env python3
"""
IMAPserver.
Presents an IMAP4rev1 banner, captures LOGIN credentials (plaintext and
AUTHENTICATE), then returns a NO response. Logs all commands as JSON.
IMAP server (port 143/993).
Presents an IMAP4rev1 banner, captures LOGIN credentials.
Implements a basic IMAP state machine (NOT_AUTHENTICATED -> AUTHENTICATED -> SELECTED).
Provides hardcoded bait emails containing AWS API keys to attackers.
Logs commands as JSON.
"""
import asyncio
@@ -12,10 +14,14 @@ from decnet_logging import syslog_line, write_syslog_file, forward_syslog
NODE_NAME = os.environ.get("NODE_NAME", "mailserver")
SERVICE_NAME = "imap"
LOG_TARGET = os.environ.get("LOG_TARGET", "")
BANNER = f"* OK [{NODE_NAME}] IMAP4rev1 Service Ready\r\n"
IMAP_BANNER = os.environ.get("IMAP_BANNER", f"* OK [{NODE_NAME}] Dovecot ready.\r\n")
IMAP_USERS = os.environ.get("IMAP_USERS", "admin:admin123,root:toor")
_BAIT_EMAILS = [
(1, "Date: Tue, 01 Nov 2023 10:00:00 +0000\r\nFrom: sysadmin@company.com\r\nSubject: AWS Credentials\r\n\r\nHere are the new AWS keys:\r\nAKIAIOSFODNN7EXAMPLE\r\nwJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\r\n"),
(2, "Date: Wed, 02 Nov 2023 11:30:00 +0000\r\nFrom: devops@company.com\r\nSubject: DB Password Reset\r\n\r\nThe production database password has been temporarily set to:\r\nProdDB_temp_2023!!\r\n"),
]
def _log(event_type: str, severity: int = 6, **kwargs) -> None:
line = syslog_line(SERVICE_NAME, NODE_NAME, event_type, severity, **kwargs)
@@ -23,18 +29,24 @@ def _log(event_type: str, severity: int = 6, **kwargs) -> None:
write_syslog_file(line)
forward_syslog(line, LOG_TARGET)
class IMAPProtocol(asyncio.Protocol):
def __init__(self):
self._transport = None
self._peer = None
self._buf = b""
self._state = "NOT_AUTHENTICATED"
self._valid_users = dict(u.split(":", 1) for u in IMAP_USERS.split(",") if ":" in u)
def connection_made(self, transport):
self._transport = transport
self._peer = transport.get_extra_info("peername", ("?", 0))
_log("connect", src=self._peer[0], src_port=self._peer[1])
transport.write(BANNER.encode())
if IMAP_BANNER:
if not IMAP_BANNER.endswith("\r\n"):
padded_banner = IMAP_BANNER + "\r\n"
else:
padded_banner = IMAP_BANNER
transport.write(padded_banner.encode())
def data_received(self, data):
self._buf += data
@@ -50,22 +62,60 @@ class IMAPProtocol(asyncio.Protocol):
cmd = parts[1].upper() if len(parts) > 1 else ""
args = parts[2] if len(parts) > 2 else ""
if cmd == "LOGIN":
_log("command", src=self._peer[0], cmd=line[:128], state=self._state)
if cmd == "CAPABILITY":
self._transport.write(b"* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN\r\n")
self._transport.write(f"{tag} OK CAPABILITY completed\r\n".encode())
elif cmd == "LOGIN":
if self._state != "NOT_AUTHENTICATED":
self._transport.write(f"{tag} BAD Already authenticated\r\n".encode())
return
creds = args.split(None, 1)
username = creds[0].strip('"') if creds else ""
password = creds[1].strip('"') if len(creds) > 1 else ""
_log("auth", src=self._peer[0], username=username, password=password)
self._transport.write(f"{tag} NO [AUTHENTICATIONFAILED] Invalid credentials\r\n".encode())
elif cmd == "CAPABILITY":
self._transport.write(b"* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN\r\n")
self._transport.write(f"{tag} OK CAPABILITY completed\r\n".encode())
if username in self._valid_users and self._valid_users[username] == password:
self._state = "AUTHENTICATED"
_log("auth", src=self._peer[0], username=username, password=password, status="success")
self._transport.write(f"{tag} OK [CAPABILITY IMAP4rev1] Logged in\r\n".encode())
else:
_log("auth", src=self._peer[0], username=username, password=password, status="failed")
self._transport.write(f"{tag} NO [AUTHENTICATIONFAILED] Authentication failed.\r\n".encode())
elif cmd == "SELECT" or cmd == "EXAMINE":
if self._state == "NOT_AUTHENTICATED":
self._transport.write(f"{tag} BAD Not authenticated\r\n".encode())
return
self._state = "SELECTED"
count = len(_BAIT_EMAILS)
self._transport.write(f"* {count} EXISTS\r\n* 0 RECENT\r\n* OK [UIDVALIDITY 1] UIDs valid\r\n".encode())
self._transport.write(f"{tag} OK [READ-WRITE] Select completed.\r\n".encode())
elif cmd == "FETCH":
if self._state != "SELECTED":
self._transport.write(f"{tag} BAD Not selected\r\n".encode())
return
# rudimentary fetch match simply returning all if any match
# an attacker usually sends "FETCH 1:* (BODY[])" or similar
if "RFC822" in args.upper() or "BODY" in args.upper():
for uid, content in _BAIT_EMAILS:
content_encoded = content.encode()
self._transport.write(f"* {uid} FETCH (RFC822 {{{len(content_encoded)}}}\r\n".encode())
self._transport.write(content_encoded)
self._transport.write(b")\r\n")
self._transport.write(f"{tag} OK Fetch completed.\r\n".encode())
elif cmd == "LOGOUT":
self._transport.write(b"* BYE IMAP4rev1 Server logging out\r\n")
self._transport.write(f"{tag} OK LOGOUT completed\r\n".encode())
self._transport.write(b"* BYE Logging out\r\n")
self._transport.write(f"{tag} OK Logout completed.\r\n".encode())
self._transport.close()
else:
_log("command", src=self._peer[0], cmd=line[:128])
self._transport.write(f"{tag} BAD Command not recognized\r\n".encode())
self._transport.write(f"{tag} BAD Command not recognized or unsupported\r\n".encode())
def connection_lost(self, exc):
_log("disconnect", src=self._peer[0] if self._peer else "?")