#!/bin/sh version=0.0.3 tools_dir=`dirname $0` function show_compression { cat $1 | grep "$2" | awk '{ print tolower($6" "$7) }' | sort | uniq -c | sort -r -g echo echo Total `cat $1 | grep "$2" | awk '{ print tolower($6" "$7) }' | wc -l` } function show_authorized { cat $1 | grep -i "$2" | awk '{ print $6 }' | sort | uniq -c | sort -r -g echo echo Total `cat $1 | grep "$2" | awk '{ print $6 }' | wc -l` } function show_clientsoftware { cat $1 | grep "$2" | awk '{ print $6" "$7" "$8" "$9" "$10" "$11" "$12" "$13" "$14 }' | sort | uniq -c | sort -r -g echo echo Total `cat $1 | grep "$2" | awk '{ print $6" "$7" "$8" "$9" "$10" "$11" "$12" "$13" "$14 }' | wc -l` } function show_password { cat $1 | grep "$2" | awk '{ print $8 }' | sort | uniq -c | sort -r -g echo echo Total `cat $1 | grep "$2" | awk '{ print $8 }' | wc -l` } function show_authenticated { cat $1 | grep "$2" | awk '{ print $8 }' | sort | uniq -c | sort -r -g echo echo Total `cat $1 | grep "$2" | awk '{ print $8 }' | wc -l` } function show_unauthenticated { cat $1 | grep "$2" | awk '{ print $5 }' | sort | uniq -c | sort -r -g echo echo Total `cat $1 | grep "$2" | awk '{ print $5 }' | wc -l` } function show_total { echo Total `cat $1 | grep "$2" | wc -l` } function show_commands { cat $1 | egrep '(COMMAND IS|executing command)' | awk '{ print $15" "$16" "$17" "$18" "$19" "$20" "$21" "$22" "$23" "$24" "$25" "$26 }' \ | sort | uniq -c | sort -r -g echo echo Total `cat $1 | grep 'COMMAND IS|executing command)' | \ awk '{ print $15" "$16" "$17" "$18" "$19" "$20" "$21" "$22" "$23" "$24" "$25" "$26" "$27 }' | wc -l` } function show_ip_address { ips=`cat $1 | grep 'kex alg, key alg' | grep SSHServerTransport | awk '{ print $4 }' |awk -F, '{ print $3 }' | \ awk -F] '{ print $1 }' | sort | uniq | sort -r -g` i=0 for ip in $ips do i=`expr $i + 1` if [ $3 -eq 0 ]; then if [ $4 -eq 0 ]; then if [ $5 -eq 1 ]; then country=`$tools_dir/kip2country $ip` echo -e " $i\t$ip - $country" else echo -e " $i\t$ip - `cat $1 | grep $ip | grep 'server->client' | wc -l ` conexion(es)" fi fi fi if [ $3 -eq 1 ]; then echo $i - Trace route to $ip ... echo "***********************************************************************************" echo traceroute $ip echo fi if [ $4 -eq 1 ]; then echo $i - Scanning $ip ... echo "***********************************************************************************" echo nmap -vv -P0 -O $ip echo fi done echo echo Total $i } function show_usage { echo "Koret Honeypot general report generator $version" echo "Copyright (c) 2005 Jose Antonio Coret" echo echo -e "Usage: $0 file " echo echo Options: echo echo -e " Print the route packets take to network host" echo -e " Value must be 0 (disabled) or 1 (enabled)" echo -e " Print nmap output take to network host" echo -e " Value must be 0 (disabled) or 1 (enabled)" echo -e " Resolve intruder's country" echo -e " Value must be 0 (disabled) or 1 (enabled)" echo echo exit 0 } if [ $# -eq 0 ]; then show_usage fi echo Kojoney Honeypot Report echo ----------------------- echo echo Date: `date +%c` echo Log lines: `cat $1 | wc -l` echo Log size: `du -h $1` echo echo Client authorized. echo --------------------------------------- echo show_authorized $1 'isAuthorized' echo echo Client compression used. echo --------------------------------------- echo show_compression $1 'incomingCompressionType' echo echo SSH Client software used. echo --------------------------------------- echo show_clientsoftware $1 'clientVersionString' echo echo Authenticated users. Successfull logons echo --------------------------------------- echo show_authenticated $1 'authenticated with password' echo echo Unauthenticated users. Failed logons echo ------------------------------------ echo show_unauthenticated $1 'failed auth password' echo echo User/Password used echo ------------------- show_password $1 'as password' echo echo Users successfully authenticateds with publickey echo ------------------------------------------------ echo show_authenticated $1 'authenticated with publickey' echo echo Users unsuccessfully authenticateds with publickey echo -------------------------------------------------- echo show_unauthenticated $1 'failed auth publickey' echo echo Logons with null passwords echo -------------------------- echo show_authenticated $1 'trying auth none' echo echo Logons with or without password echo ------------------------------- echo show_authenticated $1 'trying auth' echo echo Number of times a remote shell was opened echo ----------------------------------------- echo show_total $1 'getting shell' echo echo X11 forward requests echo -------------------- echo show_total $1 'request for x11' echo echo Executed different commands echo --------------------------- echo show_commands $1 echo echo Number of times the intruder tries to change the terminal window size echo --------------------------------------------------------------------- echo show_total $1 'error changing window size' echo echo IP Addresses and conexion\(es\) echo ----------------------------- echo show_ip_address $1 'SSHServerTransport' 0 0 0 echo if [ $# -gt 1 ]; then if [ $2 -eq 1 ]; then echo Traceroute to intruders hosts echo ------------------------------ echo show_ip_address $1 'SSHServerTransport' 1 0 0 echo fi fi if [ $# -gt 2 ]; then if [ $3 -eq 1 ]; then echo NMap scan against intruders hosts echo ---------------------------------- echo show_ip_address $1 'SSHServerTransport' 0 1 0 echo fi fi if [ $# -gt 3 ]; then if [ $4 -eq 1 ]; then echo IP Addresses and countries echo -------------------------- echo show_ip_address $1 'SSHServerTransport' 0 0 1 echo fi fi echo Sessions opened by humans echo ------------------------- echo $tools_dir/kojhumans $1 --by-session echo echo Humans detecteds by IP echo ---------------------- $tools_dir/kojhumans $1 --by-ip echo echo Internal Honeypot Errors echo ------------------------ echo show_total $1 '' echo