cowrie/wardenfiler: Store credentials for both successful and unsuccessful attempts

Format used is [{"Username": "pavel", "Password": "pass"}]. There is an additional "Type": ["AcceptedByServer"] property, used for credentials which the honeypot allowed.

All attempted credentials are first stored in a session. Then, when the session is closed, they are stored in the aggregation under the AID key (the aggregation ID (AID) "src_ip,dst_ip"). The credentials are flushed from the aggregation when the aggregation window expires. They are included in the Attempt.Login event.

With the successful login (event type Intrusion.UserCompromise), only the accepted pair of username/password is sent with that event.

cowrie/wardenfiler.py

@@ -87,6 +87,8 @@ class Output(cowrie.core.output.Output):
     drop_malware = True
     win_start = None
     attackers = {}
+    # aggregated credentials from failed attempts per IP
+    attackers_creds = {}
     sessions = {}
     port_xlat = {}
 
@@ -175,7 +177,7 @@ class Output(cowrie.core.output.Output):
         if entry.get("dst_port") and self.reported_ssh_port:
             entry["dst_port"] = self.reported_ssh_port
 
-        if entry["eventid"] == 'cowrie.session.connect':           
+        if entry["eventid"] == 'cowrie.session.connect':
             # Do not track a session for a source
             # which is not globally routable
             if not ip_address(entry["src_ip"]).is_global:
@@ -198,14 +200,21 @@ class Output(cowrie.core.output.Output):
             )
 
             entry["loggedin"] = False
+            entry["credentials"] = []
+            # AID - aggregation ID
+            entry["aid"] = aid = ','.join((entry["src_ip"], entry["dst_ip"]))
             self.sessions[entry["session"]] = entry
             ws = self.win_start or time()
-            aid = ','.join((entry["src_ip"], entry["dst_ip"]))
             cnt = self.attackers.get(aid, 0)
+            # aggregated credentials from attempts
+            if not self.attackers_creds.get(aid):
+                self.attackers_creds[aid] = []
 
             if (time() - ws < self.aggr_win):
                 self.attackers[aid] = cnt + 1
             else:
+                # This flushes out ALL the aggregated events!
+                # NOTE: The AID, and its values, are no longer relevant for this part of code!
                 event["Node"][0]["AggrWin"] = strftime("%H:%M:%S", gmtime(float(self.aggr_win)))
                 event["WinStartTime"] = datetime.utcfromtimestamp(ws).isoformat() + 'Z'
                 event["WinEndTime"] = datetime.utcfromtimestamp(ws + self.aggr_win).isoformat() + 'Z'
@@ -214,6 +223,7 @@ class Output(cowrie.core.output.Output):
                 for i, c in self.attackers.items():
                     a_src_ip, a_dst_ip = i.split(',')
                     a_af = "IP4" if not ':' in a_src_ip else "IP6"
+                    a_creds = self.attackers_creds.get(i, [])
                     event["ID"] = str(uuid4())
                     event["DetectTime"] = event["WinEndTime"]
                     event["ConnCount"] = c
@@ -221,10 +231,16 @@ class Output(cowrie.core.output.Output):
                     event["Target"] = [{"Proto": ["tcp", "ssh"], a_af: [a_dst_ip]}]
                     if (self.anon_mask_4 < 32 and a_af == "IP4") or (self.anon_mask_6 < 128):
                         event["Target"][0]["Anonymised"] = True
+                    if a_creds:
+                        event["Credentials"] = a_creds
+                    else:
+                        event.pop("Credentials", None)
                     self.save_event(event)
                 self.attackers = {}
+                self.attackers_creds = {}
                 ws = time()
                 self.attackers[aid] = 1
+                self.attackers_creds[aid] = []
             self.win_start = ws
 
         elif entry["session"] not in self.sessions:
@@ -234,10 +250,18 @@ class Output(cowrie.core.output.Output):
             return()
 
         elif entry["eventid"] == 'cowrie.login.success':
+            u, p = entry["username"], entry["password"]
             s = entry["session"]
             if s in self.sessions:
                 self.sessions[s]["input"] = []
                 self.sessions[s]["loggedin"] = True
+                self.sessions[s]["credentials"].append({"Username": u, "Password": p, "Type": ["AcceptedByServer"]})
+
+        elif entry["eventid"] == "cowrie.login.failed":
+            u, p = entry["username"], entry["password"]
+            s = entry["session"]
+            if s in self.sessions:
+                self.sessions[s]["credentials"].append({"Username": u, "Password": p})
 
         elif entry["eventid"] == 'cowrie.command.input':
             s = entry["session"]
@@ -380,5 +404,14 @@ class Output(cowrie.core.output.Output):
                     if not plain:
                         attach["ContentEncoding"] = "base64"
                     event["Attach"] = [attach]
+                if self.sessions[s]["credentials"]:
+                    accepted_creds = [ c for c in self.sessions[s]["credentials"] if "Type" in c and "AcceptedByServer" in c["Type"] ]
+                    event["Credentials"] = list(accepted_creds)
                 self.save_event(event)
+            
+            if s in self.sessions:
+                # Store attempted credentials (all) to the aggregation cache
+                aid = self.sessions[s]["aid"]
+                self.attackers_creds[aid].extend(self.sessions[s]["credentials"])
+            # Discard the session
             self.sessions.pop(s, None)