anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

merge: testing → main (reconcile 2-week divergence)

Browse Source
This commit is contained in:
anti
2026-04-28 18:36:00 -04:00
parent 499836c9e4
commit 862e4dbb31
1235 changed files with 160255 additions and 7996 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
decnet/templates/rdp/Dockerfile Normal file
View File

@@ -0,0 +1,27 @@
ARG BASE_IMAGE=debian:bookworm-slim
FROM ${BASE_IMAGE}
RUN apt-get update && apt-get install -y --no-install-recommends \
python3 openssl \
&& rm -rf /var/lib/apt/lists/*
COPY syslog_bridge.py /opt/syslog_bridge.py
COPY instance_seed.py /opt/instance_seed.py
COPY ntlmssp.py /opt/ntlmssp.py
COPY server.py /opt/server.py
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
EXPOSE 3389
RUN useradd -r -s /bin/false -d /opt logrelay \
&& mkdir -p /opt/tls \
&& chown logrelay:logrelay /opt/tls \
&& apt-get update && apt-get install -y --no-install-recommends libcap2-bin \
&& rm -rf /var/lib/apt/lists/* \
&& (find /usr/bin/ -maxdepth 1 -name 'python3*' -type f -exec setcap 'cap_net_bind_service+eip' {} \; 2>/dev/null || true)
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
CMD kill -0 1 || exit 1
USER logrelay
ENTRYPOINT ["/entrypoint.sh"]

20
decnet/templates/rdp/entrypoint.sh Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
set -e
# Generate a self-signed cert on first start when NLA is enabled.
# Used by the CredSSP path to terminate the TLS layer that wraps NTLMSSP.
if [ "${RDP_ENABLE_NLA:-}" = "true" ] || [ "${RDP_ENABLE_NLA:-}" = "1" ]; then
TLS_DIR="/opt/tls"
CERT="${TLS_CERT:-$TLS_DIR/cert.pem}"
KEY="${TLS_KEY:-$TLS_DIR/key.pem}"
if [ ! -f "$CERT" ] || [ ! -f "$KEY" ]; then
mkdir -p "$TLS_DIR"
CN="${TLS_CN:-${NODE_NAME:-localhost}}"
openssl req -x509 -newkey rsa:2048 -nodes \
-keyout "$KEY" -out "$CERT" \
-days 3650 -subj "/CN=$CN" \
2>/dev/null
fi
fi
exec python3 /opt/server.py

120
decnet/templates/rdp/instance_seed.py Normal file
View File

@@ -0,0 +1,120 @@
#!/usr/bin/env python3
"""
Per-instance stealth seeding for honeypot service templates.
The whole decoy fleet looks identical to a scanner unless each decky
diverges on the boring details: cluster UUIDs, auth salts, uptime, minor
version strings, etc. This module derives a stable per-instance seed
from NODE_NAME (+ optional INSTANCE_ID) and exposes helpers that return
deterministic-per-decky-but-different-across-the-fleet values.
Connection-time jitter is intentionally NOT seeded — two hits to the same
decky should not replay the same latency curve.
"""
from __future__ import annotations
import asyncio
import hashlib
import os
import random
import time
import uuid
from typing import Sequence, TypeVar
T = TypeVar("T")
_HOSTNAME = (
os.environ.get("NODE_NAME")
or os.environ.get("HOSTNAME")
or "decky"
)
_INSTANCE_ID = os.environ.get("INSTANCE_ID", "")
_SEED_MATERIAL = f"{_HOSTNAME}:{_INSTANCE_ID}".encode()
_SEED_INT = int.from_bytes(hashlib.sha256(_SEED_MATERIAL).digest()[:8], "big")
#: Deterministic RNG seeded per decky — use for *persistent* choices
#: (versions, UUIDs, stored credentials). Never use for timing.
rng = random.Random(_SEED_INT)
#: Process boot time — real uptime elapsed since container start.
_PROCESS_START = time.time()
#: Deterministic per-instance fake "has been up for this long at boot"
#: offset, so every decky pretends to have a different history.
_BOOT_OFFSET = rng.randint(3600, 45 * 86400)
def hostname() -> str:
return _HOSTNAME
def uptime_seconds() -> int:
"""Monotonically increasing, unique per instance."""
return int(_BOOT_OFFSET + (time.time() - _PROCESS_START))
def boot_epoch() -> int:
"""Fake wall-clock boot time for this instance (seconds since epoch)."""
return int(time.time() - uptime_seconds())
def instance_uuid(namespace: str = "") -> str:
"""Deterministic UUID4-looking value for this instance+namespace."""
ns = uuid.UUID("00000000-0000-0000-0000-000000000000")
return str(uuid.uuid5(ns, f"{_HOSTNAME}:{namespace}"))
def instance_hex(nbytes: int, namespace: str = "") -> str:
"""Deterministic hex token of given byte length."""
material = f"{_HOSTNAME}:{namespace}".encode()
digest = hashlib.sha256(material).digest()
while len(digest) < nbytes:
digest += hashlib.sha256(digest).digest()
return digest[:nbytes].hex()
def pick(choices: Sequence[T]) -> T:
"""Deterministic choice from a sequence."""
return rng.choice(list(choices))
def pick_weighted(choices: Sequence[tuple[T, float]]) -> T:
"""Deterministic weighted choice. Input: [(item, weight), ...]."""
total = sum(w for _, w in choices)
r = rng.uniform(0, total)
acc = 0.0
for item, w in choices:
acc += w
if r <= acc:
return item
return choices[-1][0]
def random_bytes(n: int, namespace: str = "") -> bytes:
"""Deterministic per-instance byte string of length n."""
out = bytearray()
i = 0
while len(out) < n:
out.extend(
hashlib.sha256(f"{_HOSTNAME}:{namespace}:{i}".encode()).digest()
)
i += 1
return bytes(out[:n])
def fresh_bytes(n: int) -> bytes:
"""Non-deterministic random bytes — for per-connection nonces/salts."""
return os.urandom(n)
async def jitter(min_ms: int = 5, max_ms: int = 120) -> None:
"""Async response-time jitter. Uses unseeded RNG so timing varies
across connections to the same decky — seeded jitter would leak
predictability."""
await asyncio.sleep(random.uniform(min_ms, max_ms) / 1000.0)
def jitter_sync(min_ms: int = 5, max_ms: int = 120) -> None:
"""Blocking jitter for non-asyncio servers."""
time.sleep(random.uniform(min_ms, max_ms) / 1000.0)

132
decnet/templates/rdp/ntlmssp.py Normal file
View File

@@ -0,0 +1,132 @@
"""NTLMSSP Type 3 (Authenticate) message parser.
Standalone module shared between any honeypot template that wants to
land NTLM credentials in the universal :class:`Credential` table.
Currently consumed by the SMB and RDP-NLA templates.
The parser is intentionally narrow: only :func:`parse_type3` is public,
and it reads a single Type 3 buffer (the bytes starting with the
``NTLMSSP\\0`` signature). Callers handle SPNEGO unwrapping, SMB
SessionSetup framing, RDP/CredSSP TSRequest parsing, etc.
Reference: MS-NLMP §2.2.1.3 (AUTHENTICATE_MESSAGE).
Cred-shape mapping for the universal Credential model:
- ``principal`` = ``"DOMAIN\\username"`` when domain present, else
bare username. Both decoded UTF-16-LE when NEGOTIATE_UNICODE is set
in the message flags (it always is in modern clients).
- ``secret_kind`` = ``"ntlmssp_v2"`` when the NtChallengeResponse is
≥ 24 bytes (NTLMv2 carries variable-length blob ≥ 16+8 bytes),
``"ntlmssp_v1"`` for the legacy 24-byte fixed response.
- ``secret_b64`` = base64 of the entire NtChallengeResponse bytes.
This is the canonical "hashcat -m 5600" (NTLMv2) or "-m 5500"
(NTLMv1) input.
"""
from __future__ import annotations
import base64
import struct
from typing import Optional
NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
def find_ntlmssp(buf: bytes) -> int:
"""Return the offset of the NTLMSSP signature in ``buf`` or -1.
Useful for callers that have a SPNEGO-wrapped or SMB-embedded blob
and want to skip straight to the inner Type 1/2/3 message without
walking the outer ASN.1.
"""
return buf.find(NTLMSSP_SIG)
def _read_field(buf: bytes, off: int) -> tuple[int, int, int]:
"""Read an NTLMSSP field record: (Len, MaxLen, BufferOffset)."""
if off + 8 > len(buf):
return 0, 0, 0
f_len, f_max, f_off = struct.unpack_from("<HHI", buf, off)
return f_len, f_max, f_off
def _slice(buf: bytes, off: int, length: int) -> bytes:
end = off + length
if off < 0 or end > len(buf) or length < 0:
return b""
return buf[off:end]
def _decode_str(raw: bytes, unicode: bool) -> str:
if unicode:
return raw.decode("utf-16-le", errors="replace")
return raw.decode("ascii", errors="replace")
def parse_type3(blob: bytes) -> Optional[dict]:
"""Parse an NTLMSSP Type 3 (AUTHENTICATE_MESSAGE) buffer.
Returns a dict with the universal credential SD shape ready to
spread into a ``_log(...)`` call::
{
"username": "alice", # service-specific identity
"domain": "ACME", # domain (may be empty)
"principal": "ACME\\\\alice", # hoisted column
"secret_kind": "ntlmssp_v2", # or _v1
"secret_printable": "<hex>", # NT response in hex
"secret_b64": "<base64>", # NT response, lossless
}
Returns ``None`` when ``blob`` is malformed or not a Type 3.
"""
if len(blob) < 32 or not blob.startswith(NTLMSSP_SIG):
return None
msg_type = struct.unpack_from("<I", blob, 8)[0]
if msg_type != 3:
return None
# Field record layout (all from MS-NLMP §2.2.1.3):
# 12 LmChallengeResponseFields
# 20 NtChallengeResponseFields
# 28 DomainNameFields
# 36 UserNameFields
# 44 WorkstationFields
# 52 EncryptedRandomSessionKeyFields
# 60 NegotiateFlags
nt_len, _, nt_off = _read_field(blob, 20)
dom_len, _, dom_off = _read_field(blob, 28)
user_len, _, user_off = _read_field(blob, 36)
if len(blob) < 64:
return None
flags = struct.unpack_from("<I", blob, 60)[0]
unicode = bool(flags & NEGOTIATE_UNICODE)
nt_response = _slice(blob, nt_off, nt_len)
domain = _decode_str(_slice(blob, dom_off, dom_len), unicode)
username = _decode_str(_slice(blob, user_off, user_len), unicode)
if not nt_response:
# No NT response → anonymous bind or malformed; nothing to
# treat as a credential.
return None
# NTLMv2 NTChallengeResponseV2 has a 16-byte HMAC followed by a
# variable-length blob (≥ 28 bytes total in practice). NTLMv1 is
# exactly 24 bytes. Use length to discriminate; close enough for
# cred-classification purposes (the bytes go on hashcat regardless).
secret_kind = "ntlmssp_v1" if len(nt_response) == 24 else "ntlmssp_v2"
if domain:
principal = f"{domain}\\{username}"
else:
principal = username or None
return {
"username": username,
"domain": domain,
"principal": principal,
"secret_kind": secret_kind,
"secret_printable": nt_response.hex(),
"secret_b64": base64.b64encode(nt_response).decode("ascii"),
}

399
decnet/templates/rdp/server.py Normal file
View File

@@ -0,0 +1,399 @@
#!/usr/bin/env python3
"""Minimal honeypot RDP server.
Two operating modes share the same X.224 Connection Request parser:
1. **Default (basic).** Parse the X.224 CR, extract the ``mstshash``
routing cookie + ``rdpNegRequest.requestedProtocols`` flags, answer
with a Connection Confirm selecting ``PROTOCOL_RDP``, close.
Captures the username most attackers leak in plaintext.
2. **NLA (``RDP_ENABLE_NLA=true``).** Confirm ``PROTOCOL_HYBRID``,
upgrade the socket to TLS, then read inbound CredSSP TSRequest DER
blobs. We do not parse the ASN.1 — we just scan for the NTLMSSP
signature inside the TLS-decrypted plaintext (CredSSP wraps a
handful of NTLMSSP messages); when the inbound message is a
Type 3, ``parse_type3()`` produces the universal credential SD
block and we land an NTLMv2 hash in the Credential table. The
server responds to Type 1 with a hand-built TSRequest carrying an
NTLMSSP Type 2 challenge, then drops after Type 3.
References:
- MS-RDPBCGR §2.2.1.1 Client X.224 Connection Request PDU
- MS-RDPBCGR §2.2.1.2 Server X.224 Connection Confirm PDU
- MS-CSSP §2.2.1 TSRequest
- MS-NLMP §2.2.1.2 NTLMSSP CHALLENGE_MESSAGE
- RFC 1006 (TPKT) §6
"""
from __future__ import annotations
import asyncio
import os
import re
import ssl
import struct
import instance_seed
from ntlmssp import find_ntlmssp, parse_type3
from syslog_bridge import syslog_line, write_syslog_file, forward_syslog
NODE_NAME = os.environ.get("NODE_NAME", "WORKSTATION")
SERVICE_NAME = "rdp"
LOG_TARGET = os.environ.get("LOG_TARGET", "")
ENABLE_NLA = os.environ.get("RDP_ENABLE_NLA", "").lower() in ("1", "true", "yes")
TLS_CERT = os.environ.get("TLS_CERT", "/opt/tls/cert.pem")
TLS_KEY = os.environ.get("TLS_KEY", "/opt/tls/key.pem")
LISTEN_HOST = "0.0.0.0" # nosec B104 — honeypot binds all interfaces by design
LISTEN_PORT = 3389
# Per-instance NTLM challenge: deterministic-per-decky-but-different-
# across-the-fleet (see instance_seed module docstring). A fixed
# challenge across the fleet would let scanners fingerprint us.
SERVER_CHALLENGE = instance_seed.random_bytes(8, "ntlm_challenge")
MAX_TSREQUEST_LEN = 32 * 1024 # CredSSP messages are small; cap memory pressure
# X.224 / TPKT constants
TPKT_VERSION = 0x03
X224_CR = 0xE0 # Connection Request
X224_CC = 0xD0 # Connection Confirm
# rdpNegRequest / Response (MS-RDPBCGR §2.2.1.1.1 / §2.2.1.2.1)
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
PROTOCOL_RDP = 0x00000000
PROTOCOL_SSL = 0x00000001
PROTOCOL_HYBRID = 0x00000002
MAX_TPKT_LEN = 8 * 1024 # CR PDUs are tiny; cap to avoid attacker memory pressure
_COOKIE_RE = re.compile(rb"Cookie:\s*mstshash=([^\r\n\x00]{1,256})\r\n", re.IGNORECASE)
def _log(event_type: str, severity: int = 6, **kwargs) -> None:
line = syslog_line(SERVICE_NAME, NODE_NAME, event_type, severity, **kwargs)
write_syslog_file(line)
forward_syslog(line, LOG_TARGET)
# ── PDU helpers ───────────────────────────────────────────────────────────────
def _parse_tpkt(buf: bytes) -> bytes | None:
"""Return the X.224 payload from a single TPKT, or None if malformed."""
if len(buf) < 4 or buf[0] != TPKT_VERSION:
return None
total_len = int.from_bytes(buf[2:4], "big")
if total_len < 7 or total_len > MAX_TPKT_LEN or total_len > len(buf):
return None
return buf[4:total_len]
def _parse_x224_cr(x224: bytes) -> tuple[str | None, int]:
"""Return (mstshash_cookie, requested_protocols).
Cookie is None when absent. requested_protocols is 0 when no
rdpNegRequest is included.
"""
if len(x224) < 7 or x224[1] != X224_CR:
return None, 0
# x224[0] = LI (length indicator), x224[1] = CR code (TPDU type)
# Variable part follows the fixed 7-byte header. Cookie is ASCII
# text terminated by CRLF; rdpNegRequest is the next 8 bytes.
var = x224[7:]
cookie_match = _COOKIE_RE.search(var)
cookie = None
if cookie_match:
try:
cookie = cookie_match.group(1).decode("ascii", errors="replace")
except Exception: # noqa: BLE001
cookie = None
# rdpNegRequest sits after the cookie's CRLF. Locate by signature
# rather than offset since cookie length varies.
requested = 0
neg = var
if cookie_match:
neg = var[cookie_match.end():]
if len(neg) >= 8 and neg[0] == TYPE_RDP_NEG_REQ:
# Type(1) Flags(1) Length(2 LE) RequestedProtocols(4 LE)
requested = int.from_bytes(neg[4:8], "little")
return cookie, requested
def _build_x224_cc(selected_protocol: int = PROTOCOL_RDP) -> bytes:
"""Build a TPKT-wrapped X.224 Connection Confirm with rdpNegRsp."""
# rdpNegResponse: Type(1)=0x02 Flags(1)=0x00 Length(2 LE)=0x0008
# SelectedProtocol(4 LE)
neg_rsp = bytes([TYPE_RDP_NEG_RSP, 0x00]) + (8).to_bytes(2, "little") + selected_protocol.to_bytes(4, "little")
# X.224 CC fixed header: LI=0x0E (14 bytes follow), CC=0xD0,
# DST_REF=0, SRC_REF=0x1234 (any), CLASS=0x00
x224 = bytes([0x0E, X224_CC, 0x00, 0x00, 0x12, 0x34, 0x00]) + neg_rsp
tpkt = bytes([TPKT_VERSION, 0x00]) + (4 + len(x224)).to_bytes(2, "big")
return tpkt + x224
# ── NLA / CredSSP helpers ────────────────────────────────────────────────────
def _der_len(n: int) -> bytes:
if n < 0x80:
return bytes([n])
body = n.to_bytes((n.bit_length() + 7) // 8, "big")
return bytes([0x80 | len(body)]) + body
def _der_read_len(buf: bytes, off: int) -> tuple[int, int]:
"""Return (length, new_offset) reading a DER length field."""
if off >= len(buf):
return 0, off
first = buf[off]
off += 1
if first < 0x80:
return first, off
n = first & 0x7F
if n == 0 or off + n > len(buf):
return 0, off
val = int.from_bytes(buf[off:off + n], "big")
return val, off + n
def _build_ntlmssp_type2(challenge: bytes) -> bytes:
"""Build a minimal NTLMSSP CHALLENGE_MESSAGE (MS-NLMP §2.2.1.2).
Mirrors the SMB framer's builder. Inlined here rather than shared so
that ``_shared/ntlmssp.py`` stays a pure parser module.
"""
target = "WORKGROUP".encode("utf-16-le")
av_name = "WORKGROUP".encode("utf-16-le")
target_info = struct.pack("<HH", 1, len(av_name)) + av_name + struct.pack("<HH", 0, 0)
flags = 0x00828201 # UNICODE | NTLM | TARGET_INFO | always_sign
target_off = 56
info_off = target_off + len(target)
return (
b"NTLMSSP\x00"
+ struct.pack("<I", 2)
+ struct.pack("<HHI", len(target), len(target), target_off)
+ struct.pack("<I", flags)
+ challenge
+ b"\x00" * 8
+ struct.pack("<HHI", len(target_info), len(target_info), info_off)
+ b"\x00" * 8
+ target + target_info
)
def _build_tsrequest_with_token(version: int, ntlm_blob: bytes) -> bytes:
"""Build a CredSSP TSRequest carrying a single negoToken (MS-CSSP §2.2.1).
Layout (DER, simplified — only fields we need on the response path):
TSRequest ::= SEQUENCE {
version [0] INTEGER,
negoTokens [1] SEQUENCE OF SEQUENCE { negoToken [0] OCTET STRING }
}
"""
# version [0] INTEGER
version_bytes = version.to_bytes(1, "big")
version_field = b"\x02" + _der_len(len(version_bytes)) + version_bytes
version_tagged = b"\xa0" + _der_len(len(version_field)) + version_field
# innermost: negoToken [0] OCTET STRING
octet = b"\x04" + _der_len(len(ntlm_blob)) + ntlm_blob
negotoken_tagged = b"\xa0" + _der_len(len(octet)) + octet
inner_seq = b"\x30" + _der_len(len(negotoken_tagged)) + negotoken_tagged
outer_seq = b"\x30" + _der_len(len(inner_seq)) + inner_seq
negotokens_tagged = b"\xa1" + _der_len(len(outer_seq)) + outer_seq
body = version_tagged + negotokens_tagged
return b"\x30" + _der_len(len(body)) + body
async def _read_one_tsrequest(reader: asyncio.StreamReader) -> bytes:
"""Read one DER-encoded TSRequest (outer SEQUENCE) from the stream.
A SEQUENCE starts with tag 0x30 followed by a DER length, then that
many content bytes. We bound the total to MAX_TSREQUEST_LEN.
"""
tag = await reader.readexactly(1)
if tag != b"\x30":
raise ValueError("not a SEQUENCE")
first_len = (await reader.readexactly(1))[0]
if first_len < 0x80:
body_len = first_len
len_bytes = bytes([first_len])
else:
n = first_len & 0x7F
if n == 0 or n > 4:
raise ValueError("bad DER length")
ext = await reader.readexactly(n)
body_len = int.from_bytes(ext, "big")
len_bytes = bytes([first_len]) + ext
if body_len > MAX_TSREQUEST_LEN:
raise ValueError("TSRequest too large")
body = await reader.readexactly(body_len)
return tag + len_bytes + body
async def _handle_nla(
reader: asyncio.StreamReader,
writer: asyncio.StreamWriter,
src_ip: str,
src_port: int,
) -> None:
"""Drive the CredSSP exchange post-TLS-handshake.
Reads up to 3 inbound TSRequests; on the one carrying an NTLMSSP
Type 3, emits the credential and closes.
"""
for round_no in range(3):
try:
ts_blob = await asyncio.wait_for(_read_one_tsrequest(reader), timeout=10.0)
except (asyncio.IncompleteReadError, asyncio.TimeoutError, ValueError):
return
off = find_ntlmssp(ts_blob)
if off < 0:
return
ntlm = ts_blob[off:]
# Message type at offset 8 (after the 8-byte signature)
if len(ntlm) < 12:
return
msg_type = struct.unpack_from("<I", ntlm, 8)[0]
if msg_type == 1:
# Type 1 → respond with TSRequest carrying Type 2 challenge
type2 = _build_ntlmssp_type2(SERVER_CHALLENGE)
resp = _build_tsrequest_with_token(version=6, ntlm_blob=type2)
writer.write(resp)
await writer.drain()
continue
if msg_type == 3:
# Type 3 → credential lands here
cred = parse_type3(ntlm)
if cred:
_log(
"auth_attempt",
src_ip=src_ip,
src_port=src_port,
auth_path="nla",
**cred,
)
return
# Unknown type → drop
return
# ── Connection handler ───────────────────────────────────────────────────────
def _build_tls_context() -> ssl.SSLContext | None:
"""Load the per-decky self-signed cert for the NLA path.
Returns None if the cert files aren't present yet (allows the
container to come up even before the entrypoint has generated
them; subsequent connections retry).
"""
if not (os.path.exists(TLS_CERT) and os.path.exists(TLS_KEY)):
return None
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain(certfile=TLS_CERT, keyfile=TLS_KEY)
# CredSSP clients negotiate down — accept whatever the client offers
ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
return ctx
async def _upgrade_to_tls_and_capture(
reader: asyncio.StreamReader,
writer: asyncio.StreamWriter,
src_ip: str,
src_port: int,
) -> None:
"""Upgrade the underlying socket to TLS, then run the CredSSP loop."""
ctx = _build_tls_context()
if ctx is None:
_log("error", severity=4, src_ip=src_ip, msg="TLS cert missing; NLA path unavailable")
return
transport = writer.transport
loop = asyncio.get_running_loop()
try:
new_transport = await loop.start_tls(
transport,
transport.get_protocol(),
ctx,
server_side=True,
)
except (ssl.SSLError, OSError) as exc:
_log("tls_handshake_failed", severity=4, src_ip=src_ip, msg=str(exc))
return
# Rewrap the StreamReader/StreamWriter on top of the new TLS transport.
# We use the stdlib's protocol to bridge the upgraded transport back
# into a StreamReader/StreamWriter pair the rest of the handler can use.
new_reader = asyncio.StreamReader(loop=loop)
new_protocol = asyncio.StreamReaderProtocol(new_reader, loop=loop)
new_transport.set_protocol(new_protocol)
new_protocol.connection_made(new_transport)
new_writer = asyncio.StreamWriter(new_transport, new_protocol, new_reader, loop)
await _handle_nla(new_reader, new_writer, src_ip, src_port)
async def _handle_client(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
peer = writer.get_extra_info("peername") or ("?", 0)
src_ip, src_port = peer[0], peer[1]
_log("connection", src_ip=src_ip, src_port=src_port)
try:
# Read TPKT header (4 bytes), then the rest of the PDU
hdr = await asyncio.wait_for(reader.readexactly(4), timeout=5.0)
if hdr[0] != TPKT_VERSION:
return
total_len = int.from_bytes(hdr[2:4], "big")
if total_len < 7 or total_len > MAX_TPKT_LEN:
return
rest = await asyncio.wait_for(reader.readexactly(total_len - 4), timeout=5.0)
x224 = _parse_tpkt(hdr + rest)
if x224 is None:
return
cookie, requested = _parse_x224_cr(x224)
fields: dict = {
"src_ip": src_ip,
"src_port": src_port,
"requested_protocols": requested,
}
if cookie:
fields["username"] = cookie
fields["principal"] = cookie
_log("rdp_cookie", **fields)
else:
_log("connection_request", **fields)
nla_path = ENABLE_NLA and (requested & PROTOCOL_HYBRID)
selected = PROTOCOL_HYBRID if nla_path else PROTOCOL_RDP
writer.write(_build_x224_cc(selected))
await writer.drain()
if nla_path:
await _upgrade_to_tls_and_capture(reader, writer, src_ip, src_port)
except (asyncio.IncompleteReadError, asyncio.TimeoutError, ConnectionError):
pass
except Exception as exc: # noqa: BLE001 — honeypot must never crash the worker
_log("error", severity=4, src_ip=src_ip, msg=str(exc))
finally:
try:
writer.close()
await writer.wait_closed()
except Exception:
pass
_log("disconnect", src_ip=src_ip, src_port=src_port)
async def _main() -> None:
_log("startup", msg=f"RDP server starting as {NODE_NAME} on port {LISTEN_PORT}")
server = await asyncio.start_server(_handle_client, LISTEN_HOST, LISTEN_PORT)
async with server:
await server.serve_forever()
if __name__ == "__main__":
try:
asyncio.run(_main())
except KeyboardInterrupt:
_log("shutdown")

261
decnet/templates/rdp/syslog_bridge.py Normal file
View File

@@ -0,0 +1,261 @@
#!/usr/bin/env python3
"""
Shared RFC 5424 syslog helper used by service containers.
Services call syslog_line() to format an RFC 5424 message, then
write_syslog_file() to emit it to stdout — the container runtime
captures it, and the host-side collector streams it into the log file.
RFC 5424 structure:
<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ELEMENT] MSG
Facility: local0 (16). SD element ID uses PEN 55555.
"""
import base64
import re
from datetime import datetime, timezone
from typing import Any, Optional
# ─── Constants ────────────────────────────────────────────────────────────────
_FACILITY_LOCAL0 = 16
_SD_ID = "relay@55555"
_NILVALUE = "-"
SEVERITY_EMERG = 0
SEVERITY_ALERT = 1
SEVERITY_CRIT = 2
SEVERITY_ERROR = 3
SEVERITY_WARNING = 4
SEVERITY_NOTICE = 5
SEVERITY_INFO = 6
SEVERITY_DEBUG = 7
_MAX_HOSTNAME = 255
_MAX_APPNAME = 48
_MAX_MSGID = 32
# ─── Formatter ────────────────────────────────────────────────────────────────
def _sd_escape(value: str) -> str:
"""Escape SD-PARAM-VALUE per RFC 5424 §6.3.3."""
return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")
def _sd_element(fields: dict[str, Any]) -> str:
if not fields:
return _NILVALUE
params = " ".join(f'{k}="{_sd_escape(str(v))}"' for k, v in fields.items())
return f"[{_SD_ID} {params}]"
def syslog_line(
service: str,
hostname: str,
event_type: str,
severity: int = SEVERITY_INFO,
timestamp: datetime | None = None,
msg: str | None = None,
**fields: Any,
) -> str:
"""
Return a single RFC 5424-compliant syslog line (no trailing newline).
Args:
service: APP-NAME (e.g. "http", "mysql")
hostname: HOSTNAME (node name)
event_type: MSGID (e.g. "request", "login_attempt")
severity: Syslog severity integer (default: INFO=6)
timestamp: UTC datetime; defaults to now
msg: Optional free-text MSG
**fields: Encoded as structured data params
"""
pri = f"<{_FACILITY_LOCAL0 * 8 + severity}>"
ts = (timestamp or datetime.now(timezone.utc)).isoformat()
host = (hostname or _NILVALUE)[:_MAX_HOSTNAME]
appname = (service or _NILVALUE)[:_MAX_APPNAME]
msgid = (event_type or _NILVALUE)[:_MAX_MSGID]
sd = _sd_element(fields)
message = f" {msg}" if msg else ""
return f"{pri}1 {ts} {host} {appname} {_NILVALUE} {msgid} {sd}{message}"
def encode_secret(secret: str) -> dict[str, str]:
"""Standardized credential-secret encoding for the universal SD-block shape.
Returns ``{'secret_printable': ..., 'secret_b64': ...}`` ready to spread
into a :func:`syslog_line` / ``_log`` call::
_log("auth_attempt", principal=user, **encode_secret(password))
``secret_printable`` mirrors auth-helper.c's sd_escape: bytes outside
``[0x20, 0x7f)`` collapse to ``'?'`` so the field is always parser-safe
RFC 5424 ASCII. ``secret_b64`` preserves the *original* utf-8 bytes —
NUL/0xff/control/non-utf8 sequences all survive losslessly, useful as
a fingerprinting signal even when the printable form sanitizes them.
The decnet web ingester's native-shape branch keys off ``secret_b64``
being present, so any service emitter calling this helper lands its
cred attempt directly in the :class:`Credential` table.
"""
raw = secret.encode("utf-8", errors="replace")
printable = "".join(chr(b) if 0x20 <= b < 0x7f else "?" for b in raw)
return {
"secret_printable": printable,
"secret_b64": base64.b64encode(raw).decode("ascii"),
}
_DIGEST_PARAM_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"|(\w+)\s*=\s*([^,\s]+)')
def classify_authorization(header_value: Optional[str]) -> Optional[dict[str, Any]]:
"""Parse an HTTP Authorization header value into Credential SD fields.
Returns a dict with the universal cred shape ready to spread into a
``_log(...)`` call::
auth = request.headers.get("Authorization")
cred = classify_authorization(auth)
if cred:
_log("auth_attempt", **cred)
Recognised schemes:
* Basic — base64(user:pw); decoded → ``principal=user`` +
``secret_kind="plaintext"`` + ``encode_secret(pw)``.
* Bearer / Token — opaque token; ``principal=None`` +
``secret_kind="http_bearer"`` + ``encode_secret(token)``.
* Digest — ``principal=username`` from header +
``secret_kind="http_digest_md5"`` + ``encode_secret(response)``.
Returns ``None`` for anything unrecognized (AWS4-HMAC-SHA256, NTLM,
Negotiate, …) — callers can still log the raw header value in the
ambient SD-block; we just don't know how to extract a hashable
secret from it.
"""
if not header_value or not isinstance(header_value, str):
return None
parts = header_value.strip().split(None, 1)
if len(parts) < 2:
return None
scheme, rest = parts[0].lower(), parts[1].strip()
if scheme == "basic":
try:
decoded = base64.b64decode(rest, validate=True).decode("utf-8", errors="replace")
except (ValueError, base64.binascii.Error):
return None
if ":" not in decoded:
return None
user, _, pw = decoded.partition(":")
return {
"principal": user,
"secret_kind": "plaintext",
**encode_secret(pw),
}
if scheme in ("bearer", "token"):
return {
"principal": None,
"secret_kind": "http_bearer",
**encode_secret(rest),
}
if scheme == "digest":
params: dict[str, str] = {}
for m in _DIGEST_PARAM_RE.finditer(rest):
k = m.group(1) or m.group(3)
v = m.group(2) if m.group(2) is not None else m.group(4)
if k:
params[k.lower()] = v
response = params.get("response")
if not response:
return None
return {
"principal": params.get("username"),
"secret_kind": "http_digest_md5",
**encode_secret(response),
}
return None
_FORM_PRINCIPAL_KEYS = (
"username", "user", "email", "login", "userid", "account",
"log", # wp-login.php
"user_login", # WordPress alt
"uname", # phpMyAdmin
"pma_username",
)
_FORM_SECRET_KEYS = (
"password", "pass", "pwd", "passwd", "passwort", "mot_de_passe",
"user_password", # WordPress alt
"pma_password", # phpMyAdmin
)
def extract_form_credentials(
body: Optional[str],
content_type: Optional[str],
) -> Optional[dict[str, Any]]:
"""Parse an `application/x-www-form-urlencoded` body for credentials.
Returns the universal cred SD shape ready to spread into a
``_log(...)`` call when both a principal-shaped key and a secret-
shaped key are present in the body. Otherwise returns ``None``.
Field-name detection is case-insensitive and covers the most common
login-form variants (WordPress wp-login.php, phpMyAdmin, Joomla,
etc.). Add more entries to ``_FORM_PRINCIPAL_KEYS`` /
``_FORM_SECRET_KEYS`` as new templates surface them.
"""
if not body or not isinstance(content_type, str):
return None
if not content_type.lower().startswith("application/x-www-form-urlencoded"):
return None
fields: dict[str, str] = {}
for pair in body.split("&"):
if "=" not in pair:
continue
k, _, v = pair.partition("=")
# urllib decode without importing urllib at module scope (the
# template emitters are import-cost-sensitive). Inline the
# tiny percent-decode + plus-decode.
try:
from urllib.parse import unquote_plus
key = unquote_plus(k).lower()
val = unquote_plus(v)
except Exception:
continue
# First-wins so duplicate-key forms don't get clobbered.
fields.setdefault(key, val)
principal: Optional[str] = None
for k in _FORM_PRINCIPAL_KEYS:
if k in fields:
principal = fields[k]
break
secret: Optional[str] = None
for k in _FORM_SECRET_KEYS:
if k in fields:
secret = fields[k]
break
if secret is None:
return None
return {
"principal": principal,
"secret_kind": "plaintext",
**encode_secret(secret),
}
def write_syslog_file(line: str) -> None:
"""Emit a syslog line to stdout for container log capture."""
print(line, flush=True)
def forward_syslog(line: str, log_target: str) -> None:
"""No-op stub. TCP forwarding is handled by rsyslog, not by service containers."""
pass