A Thinkst canary user module which listens on HTTPS
# Module metadata.
INCIDENT_NAME = 'NCCGROUPHTTPS'
VERSION = '0.1'
MODULE_DESCRIPTION = 'NCCGROUPHTTPS'
AUTHOR = 'Ollie Whitehouse'
AUTHOR_EMAIL = 'ollie.whitehouse@nccgroup.com'

# Where the generated certificate and private key are written, and where the
# TLS context factory later loads them from.
# NOTE(review): both are fixed names under /tmp, a directory any local user
# can write to. The private key should be created with owner-only permissions
# and never through a path that already exists; a directory owned by the
# service account would be a safer home for both files.
CERT_FILE = '/tmp/selfsigned.crt'
KEY_FILE = '/tmp/private.key'
from opencanary.modules import CanaryService | |
from twisted.internet import ssl,reactor, protocol | |
from twisted.internet.protocol import Protocol | |
from twisted.internet.protocol import Factory | |
from twisted.application import internet | |
from OpenSSL import crypto, SSL | |
from socket import gethostname | |
from pprint import pprint | |
from time import gmtime, mktime | |
# Protocol implementation class
class Echo(Protocol):
    """Protocol handler that sends every received chunk straight back.

    NOTE(review): this handler only echoes; nothing here records the
    connection or the payload, so on its own it does not appear to raise
    a canary event. Confirm whether logging is expected to happen here.
    """

    def dataReceived(self, data):
        """Write the bytes just received back to the same transport."""
        peer_link = self.transport
        peer_link.write(data)
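# Key generation class
class GenerateKey():
    """Generate a self-signed RSA certificate and write it and its key to disk.

    Instantiating the class performs the whole operation: a fresh key pair
    and certificate are created and written as PEM to CERT_FILE and KEY_FILE,
    replacing whatever was there.

    Raises:
        OSError: if an existing file cannot be removed, or if the path
            reappears between removal and creation (the write fails
            closed rather than writing through it).

    NOTE(review): subject, CN and serial number are constants, so every
    deployment of this module presents an identical certificate identity.
    Consider making them configurable so the listener blends in with the
    estate it is protecting.
    """

    def __init__(self):
        # create a key pair
        # 2048-bit RSA: 1024-bit keys are no longer considered adequate, and
        # OpenSSL at security level 2 rejects RSA keys shorter than 2048 bits.
        k = crypto.PKey()
        k.generate_key(crypto.TYPE_RSA, 2048)

        # create a self-signed cert
        cert = crypto.X509()
        subject = cert.get_subject()
        subject.C = "GB"
        subject.ST = "N/A"
        subject.L = "N/A"
        subject.O = "NCC Group RIFT"
        subject.OU = "NCC Group RIFT"
        subject.CN = "i-byte.example.local"
        cert.set_serial_number(1000)
        cert.gmtime_adj_notBefore(0)
        cert.gmtime_adj_notAfter(10*365*24*60*60)  # valid for ten years
        cert.set_issuer(subject)  # self-signed: issuer == subject
        cert.set_pubkey(k)
        cert.sign(k, 'sha256')

        # write out to /tmp
        # The certificate is public; the private key is owner-only.
        self._write_new(CERT_FILE, crypto.dump_certificate(crypto.FILETYPE_PEM, cert), 0o644)
        self._write_new(KEY_FILE, crypto.dump_privatekey(crypto.FILETYPE_PEM, k), 0o600)

    @staticmethod
    def _write_new(path, pem, mode):
        """Replace *path* with a freshly created file holding *pem*.

        Any existing entry is unlinked first (unlink removes a symlink
        itself, not its target), then the file is created with O_EXCL so
        the open fails instead of following a link or reusing a file that
        another local user placed at the same name.
        """
        import errno
        import os

        try:
            os.unlink(path)
        except OSError as exc:
            # A missing file is the normal first-run case; anything else
            # (e.g. not permitted to remove it) must not be ignored.
            if exc.errno != errno.ENOENT:
                raise

        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
        # PEM dumps are bytes, so write in binary mode; the context manager
        # closes the descriptor even if the write fails.
        with os.fdopen(fd, "wb") as out:
            out.write(pem)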
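# Main class used as the entry point
class NCCGROUPHTTPS(Factory, CanaryService):
    """Canary service that exposes a TLS listener served by the Echo protocol.

    NOTE(review): ``self.logtype`` is set and the logger is handed to the
    protocol factory, but nothing visible in this file calls it, so a
    connection to the listener does not appear to produce an event.
    Confirm where the incident is meant to be raised.
    """

    NAME = 'nccgrouphttps'

    # Constructor
    def __init__(self, config=None, logger=None):
        """Generate the TLS material and read the listener settings.

        Args:
            config: configuration object providing ``getVal``.
            logger: logger object providing ``LOG_USER_2``.
        """
        CanaryService.__init__(self, config=config, logger=logger)

        # Generate our SSL certificate; called for its side effect of
        # writing CERT_FILE and KEY_FILE, the instance itself is not needed.
        GenerateKey()

        # What port we should listen on.
        # The original key 'nccgroupsa3.port' does not match this module's
        # NAME (presumably carried over from another module), so a port set
        # under 'nccgrouphttps.port' was silently ignored. Prefer the key
        # matching NAME and keep the old one as a fallback.
        legacy_port = config.getVal('nccgroupsa3.port', 8443)
        # int() so a port given as a string in the config still binds.
        self.port = int(config.getVal(self.NAME + '.port', legacy_port))
        # An empty listen address binds on all interfaces.
        self.listen_addr = config.getVal('device.listen_addr', default='')

        # Log type
        self.logtype = logger.LOG_USER_2

    # This returns the service it wants
    def getService(self):
        """Build and return the SSL server for this canary.

        Returns:
            An ``internet.SSLServer`` bound to ``self.port`` on
            ``self.listen_addr``, using the key and certificate files
            written at construction time.
        """
        # Setup the SSL Context
        context = ssl.DefaultOpenSSLContextFactory(KEY_FILE, CERT_FILE)

        # Build our protocol factory
        f = protocol.ServerFactory()
        f.canaryservice = self
        f.logger = self.logger
        f.protocol = Echo  # this is our protocol handler

        # Return the server object
        return internet.SSLServer(self.port, f, context, interface=self.listen_addr)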