Add per-service customization, stealth hardening, and BYOS support

- HTTP: configurable server_header, response_code, fake_app presets (apache/nginx/wordpress/phpmyadmin/iis), extra_headers, custom_body, static files directory mount - SSH/Cowrie: configurable kernel_version, hardware_platform, ssh_banner, and users/passwords via COWRIE_USERDB_ENTRIES; switched to build mode so cowrie.cfg.j2 persona fields and userdb.txt generation work - SMTP: configurable banner and MTA hostname - MySQL: configurable version string in protocol greeting - Redis: configurable redis_version and os string in INFO response - BYOS: [custom-*] INI sections define bring-your-own Docker services - Stealth: rename all *_honeypot.py → server.py; replace HONEYPOT_NAME env var with NODE_NAME across all 22+ service templates and plugins; strip "honeypot" from all in-container file content - Config: DeckyConfig.service_config dict; INI [decky-N.svc] subsections; composer passes service_cfg to compose_fragment - 350 tests passing (100%) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-04 04:08:27 -03:00
parent 07c06e3c0a
commit cf1e00af28
102 changed files with 974 additions and 309 deletions
--- a/templates/mysql/server.py
+++ b/templates/mysql/server.py
@@ -0,0 +1,122 @@
+#!/usr/bin/env python3
+"""
+MySQLserver.
+Sends a realistic MySQL 5.7 server handshake, reads the client login
+packet, extracts username, then closes with Access Denied. Logs auth
+attempts as JSON.
+"""
+
+import asyncio
+import json
+import os
+import socket
+import struct
+from datetime import datetime, timezone
+
+NODE_NAME     = os.environ.get("NODE_NAME", "dbserver")
+LOG_TARGET    = os.environ.get("LOG_TARGET", "")
+_MYSQL_VER    = os.environ.get("MYSQL_VERSION", "5.7.38-log")
+
+# Minimal MySQL server greeting (protocol v10) — version string is configurable
+_GREETING = (
+    b"\x0a"                              # protocol version 10
+    + _MYSQL_VER.encode() + b"\x00"     # server version + NUL
+    + b"\x01\x00\x00\x00"               # connection id = 1
+    + b"\x70\x76\x21\x6d\x61\x67\x69\x63"  # auth-plugin-data part 1
+    + b"\x00"                            # filler
+    + b"\xff\xf7"                        # capability flags low
+    + b"\x21"                            # charset utf8
+    + b"\x02\x00"                        # status flags
+    + b"\xff\x81"                        # capability flags high
+    + b"\x15"                            # auth plugin data length
+    + b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  # reserved (10 bytes)
+    + b"\x21\x4f\x7d\x25\x3e\x55\x4d\x7c\x67\x75\x5e\x31\x00"  # auth part 2
+    + b"mysql_native_password\x00"       # auth plugin name
+)
+
+
+def _make_packet(payload: bytes, seq: int = 0) -> bytes:
+    length = len(payload)
+    return struct.pack("<I", length)[:3] + bytes([seq]) + payload
+
+
+def _forward(event: dict) -> None:
+    if not LOG_TARGET:
+        return
+    try:
+        host, port = LOG_TARGET.rsplit(":", 1)
+        with socket.create_connection((host, int(port)), timeout=3) as s:
+            s.sendall((json.dumps(event) + "\n").encode())
+    except Exception:
+        pass
+
+
+def _log(event_type: str, **kwargs) -> None:
+    event = {
+        "ts": datetime.now(timezone.utc).isoformat(),
+        "service": "mysql",
+        "host": NODE_NAME,
+        "event": event_type,
+        **kwargs,
+    }
+    print(json.dumps(event), flush=True)
+    _forward(event)
+
+
+class MySQLProtocol(asyncio.Protocol):
+    def __init__(self):
+        self._transport = None
+        self._peer = None
+        self._buf = b""
+        self._greeted = False
+
+    def connection_made(self, transport):
+        self._transport = transport
+        self._peer = transport.get_extra_info("peername", ("?", 0))
+        _log("connect", src=self._peer[0], src_port=self._peer[1])
+        transport.write(_make_packet(_GREETING, seq=0))
+        self._greeted = True
+
+    def data_received(self, data):
+        self._buf += data
+        # MySQL packets: 3-byte length + 1-byte seq + payload
+        while len(self._buf) >= 4:
+            length = struct.unpack("<I", self._buf[:3] + b"\x00")[0]
+            if len(self._buf) < 4 + length:
+                break
+            payload = self._buf[4:4 + length]
+            self._buf = self._buf[4 + length:]
+            self._handle_packet(payload)
+
+    def _handle_packet(self, payload: bytes):
+        if not payload:
+            return
+        # Login packet: capability flags (4), max_packet (4), charset (1), reserved (23), username (NUL-terminated)
+        if len(payload) > 32:
+            try:
+                # skip capability(4) + max_pkt(4) + charset(1) + reserved(23) = 32 bytes
+                username_start = 32
+                nul = payload.index(b"\x00", username_start)
+                username = payload[username_start:nul].decode(errors="replace")
+            except (ValueError, IndexError):
+                username = "<parse_error>"
+            _log("auth", src=self._peer[0], username=username)
+        # Send Access Denied error
+        err = b"\xff" + struct.pack("<H", 1045) + b"#28000Access denied for user\x00"
+        self._transport.write(_make_packet(err, seq=2))
+        self._transport.close()
+
+    def connection_lost(self, exc):
+        _log("disconnect", src=self._peer[0] if self._peer else "?")
+
+
+async def main():
+    _log("startup", msg=f"MySQL server starting as {NODE_NAME}")
+    loop = asyncio.get_running_loop()
+    server = await loop.create_server(MySQLProtocol, "0.0.0.0", 3306)
+    async with server:
+        await server.serve_forever()
+
+
+if __name__ == "__main__":
+    asyncio.run(main())