
Passwords of SSH Intruders Transferred to Text

Project description

Introduction

pshitt (for Passwords of SSH Intruders Transferred to Text) is a lightweight fake SSH server designed to collect authentication data sent by intruders. It collects the username and password used by SSH brute-force software and writes the extracted data to a file in JSON format.

pshitt is written in Python and uses paramiko to implement the SSH layer.

Running pshitt

Go into the source directory and run

./pshitt -o passwords.json

This will run a fake SSH server listening on port 2200 to catch authentication data sent by the intruders. Information about each SSH connection attempt will be stored in passwords.json, one JSON object per attempt:

{"username": "root", "src_ip": "116.10.191.184", "password": "P@ssword", "src_port": 41397, "timestamp": "2014-06-25T21:35:21.660303"}

The full list of options is available via the -h option:

usage: pshitt [-h] [-o OUTPUT] [-k KEY] [-l LOG] [-p PORT] [-t THREADS] [-v]
              [-D]

Passwords of SSH Intruders Transferred to Text

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT, --output OUTPUT
                        File to export collected data
  -k KEY, --key KEY     Host RSA key
  -l LOG, --log LOG     File to log info and debug
  -p PORT, --port PORT  TCP port to listen to
  -t THREADS, --threads THREADS
                        Maximum number of client threads
  -v, --verbose         Show verbose output, use multiple times increase
                        verbosity
  -D, --daemon          Run as unix daemon

Using pshitt data

As the format is JSON, it is easy to use the data in data analysis software such as Splunk or Logstash.

Here is a sample configuration for Logstash:

input {
  file {
    path => [ "/var/log/pshitt.log" ]
    codec => json
    type => "json-log"
  }
}

filter {
  # tell logstash that the record's own timestamp is the one to use
  if [type] == "json-log" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }

  # optional, but geoip is interesting
  if [src_ip] {
    geoip {
      source => "src_ip"
      target => "geoip"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
  }
}

output {
  elasticsearch {
    host => "localhost"
  }
}

Basically, all that is needed is to tell Logstash that the pshitt.log file is in JSON format; the date and geoip filters are refinements on top of that.
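If you would rather work on the pshitt output directly instead of through Logstash, the JSON-lines format is just as easy to consume from Python. The following reader is an added example, not part of pshitt itself: it parses records of the format shown above (skipping malformed lines, which a long-running collector file can contain), summarises the most tried usernames, passwords and sources, and flags passwords tried from more than one source IP. The log lines and IP addresses are constructed for the example.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample of pshitt output (one JSON object per line); not a real capture.
SAMPLE_LOG = """\
{"username": "root", "src_ip": "198.51.100.7", "password": "P@ssword", "src_port": 41397, "timestamp": "2014-06-25T21:35:21.660303"}
{"username": "root", "src_ip": "198.51.100.7", "password": "123456", "src_port": 41402, "timestamp": "2014-06-25T21:35:22.104511"}
{"username": "admin", "src_ip": "203.0.113.9", "password": "admin", "src_port": 51230, "timestamp": "2014-06-25T21:40:03.000000"}
{"username": "root", "src_ip": "203.0.113.9", "password": "P@ssword", "src_port": 51231, "timestamp": "2014-06-25T21:40:04.500000"}
this line is not JSON and must be skipped
"""

REQUIRED = {"username", "password", "src_ip", "timestamp"}


def parse_records(text):
    """Parse pshitt JSON lines, dropping malformed or incomplete records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict) or not REQUIRED <= rec.keys():
            continue
        # pshitt writes ISO 8601 timestamps, the same field the Logstash date filter matches
        rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
        records.append(rec)
    return records


def summarize(records, top=3):
    """Most common usernames, passwords and source IPs as (value, count) pairs."""
    return {
        "usernames": Counter(r["username"] for r in records).most_common(top),
        "passwords": Counter(r["password"] for r in records).most_common(top),
        "sources": Counter(r["src_ip"] for r in records).most_common(top),
    }


def shared_passwords(records):
    """Passwords tried from more than one source IP: a hint that several
    sources are running the same wordlist against this host."""
    sources_by_password = {}
    for r in records:
        sources_by_password.setdefault(r["password"], set()).add(r["src_ip"])
    return {p: sorted(ips) for p, ips in sources_by_password.items() if len(ips) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(summarize(recs))
    print(shared_passwords(recs))
```

To run it against a real collector file, replace SAMPLE_LOG with the contents of the file given to -o.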

Download files

Download the file for your platform.

Source Distribution

pshitt-1.0.1.tar.gz (5.6 kB)

Uploaded Source

Built Distribution

pshitt-1.0.1-py3-none-any.whl (17.8 kB)

Uploaded Python 3

File details

Details for the file pshitt-1.0.1.tar.gz.

File metadata

  • Download URL: pshitt-1.0.1.tar.gz
  • Size: 5.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.21.0 setuptools/40.8.0 requests-toolbelt/0.9.1 tqdm/4.46.0 CPython/3.7.3

File hashes

Hashes for pshitt-1.0.1.tar.gz
Algorithm Hash digest
SHA256 740720a140f1bee73bb150a3243dcbd9e111019c230db2d601ad026162569432
MD5 3883d640e2eee2fe7d4362b80992e285
BLAKE2b-256 eb21a0ff73dabebfe911d60b8508cc248a93f3b65d3e2a9922e1ca792b15fec0


File details

Details for the file pshitt-1.0.1-py3-none-any.whl.

File metadata

  • Download URL: pshitt-1.0.1-py3-none-any.whl
  • Size: 17.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.21.0 setuptools/40.8.0 requests-toolbelt/0.9.1 tqdm/4.46.0 CPython/3.7.3

File hashes

Hashes for pshitt-1.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 37152129502975975ca55c886b026956852f9736821860b6e51bc8252b89486d
MD5 a601c5092bec06cb2c313ade7077cd46
BLAKE2b-256 b0c7975b8f3d994c4b3c2cdeeb9964346f68a5f9d25dcd86ebaa140fe80dc6a0
