Unable to connect to honeypot VM through proxy #1788

Open
katsonka opened this issue Nov 15, 2022 · 2 comments

katsonka commented Nov 15, 2022

Hello,

I am trying to deploy cowrie in proxy mode with the following settings:

backend = proxy

# Guest details (for a generic x86-64 guest, like Ubuntu)
guest_hypervisor = qemu

backend = pool
backend_ssh_host = localhost
backend_ssh_port = 2022

pool_max_vms = 4
pool = local

# Endpoint to listen on for incoming SSH connections.
listen_endpoints = tcp:9090:interface=0.0.0.0

Everything excluded is set to default value, except for the real backend credentials. Iptables are configured to redirect port 22 to port 9090.

Successfully logging in to the honeypot through PuTTY does not redirect me to the VM; instead it shows the following error message:

image

This is how it looks in logs:

2022-11-15T14:40:02.714110Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: x.x.x.x:x (10.0.0.4:9090) [session: 11699cf73924]
2022-11-15T14:40:02.724076Z [FrontendSSHTransport,520,x.x.x.x] Remote SSH version: SSH-2.0-PuTTY_Release_0.76
2022-11-15T14:40:02.733713Z [backend_pool.pool_server.PoolServerFactory] Received connection from 127.0.0.1:41042
2022-11-15T14:40:02.734290Z [Uninitialized] Connected to backend pool
2022-11-15T14:40:02.734577Z [PoolServer,521,127.0.0.1] Requesting a VM for attacker @ x.x.x.x
2022-11-15T14:40:02.734771Z [PoolServer,521,127.0.0.1] Providing VM id 0
2022-11-15T14:40:02.735102Z [PoolClient,client] Got backend data from pool: 192.168.150.217:22
2022-11-15T14:40:02.735196Z [PoolClient,client] Snapshot file: /home/cowrie/cowrie/var/lib/cowrie/snapshots/snapshot-ubuntu18.04-75999260d50340aa9098062da1650500.qcow2
2022-11-15T14:40:02.735334Z [cowrie.ssh_proxy.client_transport.BackendSSHFactory#info] Starting factory <cowrie.ssh_proxy.client_transport.BackendSSHFactory object at 0x7f8a9c87f370>
2022-11-15T14:40:02.782461Z [FrontendSSHTransport,520,x.x.x.x] SSH client hassh fingerprint: 5b7713a9ef2d162b16ea018fa8d40f02
2022-11-15T14:40:02.783927Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] kex alg=b'curve25519-sha256' key alg=b'ssh-ed25519'
2022-11-15T14:40:02.784027Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] outgoing: b'aes256-ctr' b'hmac-sha1' b'none'
2022-11-15T14:40:02.784101Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] incoming: b'aes256-ctr' b'hmac-sha1' b'none'
2022-11-15T14:40:02.850464Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] NEW KEYS
2022-11-15T14:40:02.850962Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] starting service b'ssh-userauth'
2022-11-15T14:40:04.530477Z [Uninitialized] Connected to SSH backend at b'192.168.150.217'
2022-11-15T14:40:04.530869Z [Uninitialized] Connected to honeypot backend
2022-11-15T14:40:05.694227Z [cowrie.ssh_proxy.userauth.ProxySSHAuthServer#debug] b'student' trying auth b'none'
2022-11-15T14:40:10.343627Z [FrontendSSHTransport,520,x.x.x.x] Connection to backend not ready, buffering packet from frontend
2022-11-15T14:40:10.344638Z [cowrie.ssh_proxy.userauth.ProxySSHAuthServer#debug] b'student' trying auth b'password'
2022-11-15T14:40:10.345534Z [FrontendSSHTransport,520,x.x.x.x] login attempt [b'student'/b'student'] succeeded
2022-11-15T14:40:10.362593Z [FrontendSSHTransport,520,x.x.x.x] Initialized emulated server as architecture: linux-x64-lsb
2022-11-15T14:40:10.419995Z [FrontendSSHTransport,520,x.x.x.x] Connection to backend not ready, buffering packet from frontend
# this might be the point, where the error shows up
2022-11-15T14:40:33.175725Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] kex alg=b'curve25519-sha256' key alg=b'ecdsa-sha2-nistp256'
2022-11-15T14:40:33.176223Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] outgoing: b'aes256-ctr' b'hmac-sha2-512' b'none'
2022-11-15T14:40:33.176309Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] incoming: b'aes256-ctr' b'hmac-sha2-512' b'none'
2022-11-15T14:40:41.233811Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] NEW KEYS
2022-11-15T14:40:41.234285Z [BackendSSHTransport,client] Backend Connection Secured
2022-11-15T14:40:41.251355Z [BackendSSHTransport,client] Will auth with backend: x/x
2022-11-15T14:40:41.251870Z [BackendSSHTransport,client] got channel b'session' request
2022-11-15T14:40:54.764575Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#info] connection lost
2022-11-15T14:40:54.765091Z [FrontendSSHTransport,520,x.x.x.x] Connection lost after 50 seconds
2022-11-15T14:40:54.774787Z [BackendSSHTransport,client] Lost connection with the pool backend: id 0
2022-11-15T14:40:54.775126Z [cowrie.ssh_proxy.client_transport.BackendSSHFactory#info] Stopping factory <cowrie.ssh_proxy.client_transport.BackendSSHFactory object at 0x7f8a9c87f370>
2022-11-15T14:40:54.775420Z [PoolServer,521,127.0.0.1] Freeing VM 0

Sometimes there are different logged events after a successful login attempt:

2022-11-15T01:00:45.902697Z [BackendSSHTransport,client] [SSH] Detected Public Key Auth - Disabling!
2022-11-15T01:00:53.399529Z [FrontendSSHTransport,57,x.x.x.x] Unhandled Error
        Traceback (most recent call last):
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/python/log.py", line 96, in callWithLogger
            return callWithContext({"system": lp}, func, *args, **kw)
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/python/log.py", line 80, in callWithContext
            return context.call({ILogContext: newCtx}, func, *args, **kw)
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/python/context.py", line 117, in callWithContext
            return self.currentContext().callWithContext(ctx, func, *args, **kw)
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/python/context.py", line 82, in callWithContext
            return func(*args, **kw)
        --- <exception caught here> ---
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/internet/posixbase.py", line 487, in _doReadOrWrite
            why = selectable.doRead()
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/internet/tcp.py", line 248, in doRead
            return self._dataReceived(data)
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/internet/tcp.py", line 253, in _dataReceived
            rval = self.protocol.dataReceived(data)
          File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/server_transport.py", line 244, in dataReceived
            self.dispatchMessage(message_num, packet[1:])
          File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/server_transport.py", line 261, in dispatchMessage
            self.packet_buffer(message_num, payload)
          File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/server_transport.py", line 434, in packet_buffer
            self.sshParse.parse_num_packet("[SERVER]", message_num, payload)
          File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/protocols/ssh.py", line 330, in parse_num_packet
            channel = self.get_channel(self.extract_int(4), parent)
          File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/protocols/ssh.py", line 406, in get_channel
            if channel[search] == channel_num:
        builtins.KeyError: 'clientID'

2022-11-15T01:00:53.401422Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#info] connection lost

I tried using a terminal to log in instead; this, however, produces different but still unsuccessful results:

Error message:

dispatch_protocol_error: type 7 seq 7
Connection to x closed by remote host.
Connection to x closed.

Logged events are the same.

Expected behavior
After successful authentication, cowrie connects the attacker with the VM.

Server (please complete the following information):

  • OS: Linux cowrie 5.15.0-1022-azure 27~20.04.1-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux
  • Python: Python 3.8.10
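
A way to locate the stalls in a session log like the one quoted above, as an added example that is not part of the original post or of cowrie's own code: it parses the timestamped lines (a subset of the quoted log is embedded), reports gaps between consecutive events longer than a threshold, and measures the time from the TCP connect to the backend until the backend transport is secured. The function names and the 10-second threshold are assumptions.

```python
import re
from datetime import datetime

# Subset of the log lines quoted in the issue above, embedded so this runs offline.
SAMPLE_LOG = """\
2022-11-15T14:40:02.714110Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: x.x.x.x:x (10.0.0.4:9090) [session: 11699cf73924]
2022-11-15T14:40:04.530477Z [Uninitialized] Connected to SSH backend at b'192.168.150.217'
2022-11-15T14:40:10.345534Z [FrontendSSHTransport,520,x.x.x.x] login attempt [b'student'/b'student'] succeeded
2022-11-15T14:40:10.419995Z [FrontendSSHTransport,520,x.x.x.x] Connection to backend not ready, buffering packet from frontend
2022-11-15T14:40:33.175725Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] kex alg=b'curve25519-sha256' key alg=b'ecdsa-sha2-nistp256'
2022-11-15T14:40:41.233811Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] NEW KEYS
2022-11-15T14:40:41.234285Z [BackendSSHTransport,client] Backend Connection Secured
2022-11-15T14:40:54.765091Z [FrontendSSHTransport,520,x.x.x.x] Connection lost after 50 seconds
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+)Z \[([^\]]*)\] (.*)$")


def parse(log_text):
    """Yield (timestamp, system, message); traceback and note lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f")
            yield ts, m.group(2), m.group(3)


def stalls(log_text, threshold=10.0):
    """Return (gap_seconds, message_before, message_after) for gaps over threshold."""
    events = list(parse(log_text))
    out = []
    for (t0, _, m0), (t1, _, m1) in zip(events, events[1:]):
        gap = (t1 - t0).total_seconds()
        if gap > threshold:
            out.append((gap, m0, m1))
    return out


def seconds_between(log_text, start_marker, end_marker):
    """Seconds from the first line containing start_marker to the first later
    line containing end_marker, or None if either is missing."""
    start = None
    for ts, _, msg in parse(log_text):
        if start is None and start_marker in msg:
            start = ts
        elif start is not None and end_marker in msg:
            return (ts - start).total_seconds()
    return None
```

On the embedded lines, `stalls(SAMPLE_LOG)` returns two gaps, and `seconds_between(SAMPLE_LOG, "Connected to SSH backend", "Backend Connection Secured")` gives the time the backend handshake took while the frontend was buffering packets.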

cyb3rjerry commented

Same here

BeanzOnT0ast commented

You seem to be using Python 3.8, which is old software. You might need 3.10, 3.11, or 3.12.
