Hello World ! Today I looked at the auth.log file from my VPS and saw a lot of brute-force attempts. I decided to make a Python script called HackBack.
This script collects the IPs that failed to log in to your server and does passive recon on them with the Shodan API.
Here is the script:
#!/usr/bin/python3.4
import ipaddress
import json
import os
import re
import urllib.parse
import urllib.request
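log_path = "/var/log/auth.log"
hosts = []
# Read the Shodan key from the environment so it never has to be committed
# with the script; the original hard-coded placeholder stays as the fallback.
# (SHODAN_API_KEY is a variable name chosen here, not one Shodan mandates.)
key = os.environ.get("SHODAN_API_KEY", "{YOUR_API_KEY}")

# OpenSSH records a rejected login as
#   "Failed password for invalid user <name> from <addr> port <n> ssh2"
# The address is the token between "from" and "port"; confirm this shape
# against your own sshd output if a different distribution/version is used.
_FROM_ADDR = re.compile(r"\bfrom\s+(\S+)\s+port\b")


def get_ip(line):
    """Return the source address of a failed-login line, or None if absent.

    The token is validated with ipaddress so that only a genuine IPv4/IPv6
    address taken from an attacker-influenced log line reaches the HTTP
    lookups; anything else yields None.
    """
    match = _FROM_ADDR.search(line)
    if match is None:
        return None
    try:
        return str(ipaddress.ip_address(match.group(1)))
    except ValueError:
        return None


#GET FAILED PASSWORD ATTEMPT
def get_host(test):
    """Collect the unique source addresses of "Failed password for invalid" lines.

    Args:
        test: the full text of auth.log (the original read the global
            ``text`` instead of this parameter; the parameter is used now).

    Returns:
        The module-level ``hosts`` list, extended in place with every address
        not already present, in order of first appearance.
    """
    for line in test.split('\n'):
        if "Failed password for invalid " not in line:
            continue
        ip = get_ip(line)
        # skip lines whose address could not be parsed instead of storing None
        if ip is not None and ip not in hosts:
            hosts.append(ip)
    return hosts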
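#GET USERNAME
def get_username(line):
    """Return the username tried on an "invalid user" failed-login line.

    Args:
        line: one auth.log line.

    Returns:
        The token following "Failed password for invalid user ", or None when
        the line does not carry that marker (the original raised IndexError
        on such lines).
    """
    _, marker, rest = line.partition("Failed password for invalid user ")
    if not marker:
        return None
    # the username ends at the first space (the " from <addr>" that follows)
    return rest.split(" ", 1)[0]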
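#LOCATE IP WITH GEOIP
def geoip(host, *, timeout=10):
    """Print the geolocation freegeoip.net reports for *host*.

    Args:
        host: the address to look up; it is URL-quoted so that a value taken
            from a log line cannot alter the request path.
        timeout: seconds to wait for the service before giving up, so one
            unreachable lookup cannot stall the whole run.

    Lookup failures (network/HTTP errors, non-JSON bodies) are reported on
    stdout instead of raised, matching passive_recon's best-effort style, so
    one bad host does not abort the loop over all hosts.
    NOTE(review): the freegeoip.net endpoint the original targets has since
    been retired — confirm the URL against a service that is still live.
    """
    url = "http://freegeoip.net/json/" + urllib.parse.quote(host, safe="")
    try:
        # URLError and socket timeouts are both OSError subclasses
        with urllib.request.urlopen(url, timeout=timeout) as response:
            info = json.loads(response.read().decode("utf-8"))
        if not isinstance(info, dict):
            raise ValueError("unexpected geoip response shape")
    except (OSError, ValueError) as err:
        print("\n[+] Tracking ip {}".format(host))
        print("-------------------------------")
        print("\tCan't retrieve information ({})".format(err))
        return
    # .get() keeps a partial record from aborting the run with KeyError
    print("\n[+] Tracking ip {}".format(info.get('ip', host)))
    print("-------------------------------")
    print('\tCountry : {}\n\ttimezone : {}\n\tlatitude : {}\n\tlongitude : {}'.format(
        info.get('country_name'), info.get('time_zone'),
        info.get('latitude'), info.get('longitude')))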
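def passive_recon(host, key, *, timeout=10):
    """Print what Shodan already knows about *host* (no packets are sent to it).

    Args:
        host: the address to look up; URL-quoted so log-derived input cannot
            alter the request.
        key: the Shodan API key, sent as a query parameter as the API requires.
        timeout: seconds to wait for api.shodan.io before giving up.

    Any lookup failure — network error, HTTP error such as an unknown host or
    bad key, or a malformed body — prints "Can't retrieve information" instead
    of raising, so one host cannot abort the loop over all hosts.
    """
    url = "https://api.shodan.io/shodan/host/{}?key={}&minify=true".format(
        urllib.parse.quote(host, safe=""), urllib.parse.quote(key, safe=""))
    print("[+] Passive Recon using shodan.io")
    print("-------------------------------")
    try:
        with urllib.request.urlopen(url, timeout=timeout) as response:
            result = json.loads(response.read().decode('utf-8'))
        if not isinstance(result, dict):
            raise ValueError("unexpected shodan response shape")
    # the original bare "except:" also swallowed KeyboardInterrupt and
    # programming errors; only lookup failures are best-effort here
    except (OSError, ValueError):
        print("\tCan't retrieve information")
        return
    print("\tPort : {}\n\tOrganisation {}".format(result.get('ports'), result.get('org')))
    # iterate the banner list itself: its length need not equal len(ports),
    # which made the original's index loop raise IndexError
    for service in result.get('data') or []:
        banner = service.get('data', '') if isinstance(service, dict) else ''
        # banners are third-party data that may carry terminal control
        # sequences; keep only printable text plus tabs/newlines
        banner = "".join(ch for ch in str(banner) if ch.isprintable() or ch in "\n\t")
        print("Banner {}".format(banner))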
if __name__ == "__main__":
    # Read the whole log once, then look up every distinct offending address.
    with open(log_path, 'rt') as log:
        text = log.read()
    # get_host() returns the module-level hosts list it fills in
    for host in get_host(text):
        geoip(host)
        passive_recon(host, key)
What does the script do?
Here are all the functions explained:
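# OpenSSH records a rejected login as
#   "Failed password for invalid user <name> from <addr> port <n> ssh2"
# The address is the token between "from" and "port"; confirm this shape
# against your own sshd output if a different distribution/version is used.
_FROM_ADDR = re.compile(r"\bfrom\s+(\S+)\s+port\b")


def get_ip(line):
    """Return the source address of a failed-login line, or None if absent.

    The token is validated with ipaddress so that only a genuine IPv4/IPv6
    address taken from an attacker-influenced log line reaches the HTTP
    lookups; anything else yields None.
    """
    match = _FROM_ADDR.search(line)
    if match is None:
        return None
    try:
        return str(ipaddress.ip_address(match.group(1)))
    except ValueError:
        return None


def get_host(test):
    """Collect the unique source addresses of "Failed password for invalid" lines.

    Args:
        test: the full text of auth.log (the original read the global
            ``text`` instead of this parameter; the parameter is used now).

    Returns:
        The module-level ``hosts`` list, extended in place with every address
        not already present, in order of first appearance.
    """
    for line in test.split('\n'):
        if "Failed password for invalid " not in line:
            continue
        ip = get_ip(line)
        # skip lines whose address could not be parsed instead of storing None
        if ip is not None and ip not in hosts:
            hosts.append(ip)
    return hosts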
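def get_username(line):
    """Return the username tried on an "invalid user" failed-login line.

    Args:
        line: one auth.log line.

    Returns:
        The token following "Failed password for invalid user ", or None when
        the line does not carry that marker (the original raised IndexError
        on such lines).
    """
    _, marker, rest = line.partition("Failed password for invalid user ")
    if not marker:
        return None
    # the username ends at the first space (the " from <addr>" that follows)
    return rest.split(" ", 1)[0]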
These functions extract the IP and the username that was tried from the auth.log file.
To locate the IP, I use freegeoip.net to get its location (but you could use the shodan.io API); this function just parses the JSON output into a pretty text output.
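def geoip(host, *, timeout=10):
    """Print the geolocation freegeoip.net reports for *host*.

    Args:
        host: the address to look up; it is URL-quoted so that a value taken
            from a log line cannot alter the request path.
        timeout: seconds to wait for the service before giving up, so one
            unreachable lookup cannot stall the whole run.

    Lookup failures (network/HTTP errors, non-JSON bodies) are reported on
    stdout instead of raised, matching passive_recon's best-effort style, so
    one bad host does not abort the loop over all hosts.
    NOTE(review): the freegeoip.net endpoint the original targets has since
    been retired — confirm the URL against a service that is still live.
    """
    url = "http://freegeoip.net/json/" + urllib.parse.quote(host, safe="")
    try:
        # URLError and socket timeouts are both OSError subclasses
        with urllib.request.urlopen(url, timeout=timeout) as response:
            info = json.loads(response.read().decode("utf-8"))
        if not isinstance(info, dict):
            raise ValueError("unexpected geoip response shape")
    except (OSError, ValueError) as err:
        print("\n[+] Tracking ip {}".format(host))
        print("-------------------------------")
        print("\tCan't retrieve information ({})".format(err))
        return
    # .get() keeps a partial record from aborting the run with KeyError
    print("\n[+] Tracking ip {}".format(info.get('ip', host)))
    print("-------------------------------")
    print('\tCountry : {}\n\ttimezone : {}\n\tlatitude : {}\n\tlongitude : {}'.format(
        info.get('country_name'), info.get('time_zone'),
        info.get('latitude'), info.get('longitude')))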
Here we're doing passive recon with Shodan:
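def passive_recon(host, key, *, timeout=10):
    """Print what Shodan already knows about *host* (no packets are sent to it).

    Args:
        host: the address to look up; URL-quoted so log-derived input cannot
            alter the request.
        key: the Shodan API key, sent as a query parameter as the API requires.
        timeout: seconds to wait for api.shodan.io before giving up.

    Any lookup failure — network error, HTTP error such as an unknown host or
    bad key, or a malformed body — prints "Can't retrieve information" instead
    of raising, so one host cannot abort the loop over all hosts.
    """
    url = "https://api.shodan.io/shodan/host/{}?key={}&minify=true".format(
        urllib.parse.quote(host, safe=""), urllib.parse.quote(key, safe=""))
    print("[+] Passive Recon using shodan.io")
    print("-------------------------------")
    try:
        with urllib.request.urlopen(url, timeout=timeout) as response:
            result = json.loads(response.read().decode('utf-8'))
        if not isinstance(result, dict):
            raise ValueError("unexpected shodan response shape")
    # If the request fails (non-200 response, network error, bad JSON) print
    # "Can't retrieve information"; the original bare "except:" also swallowed
    # KeyboardInterrupt and programming errors, only lookup failures do now
    except (OSError, ValueError):
        print("\tCan't retrieve information")
        return
    print("\tPort : {}\n\tOrganisation {}".format(result.get('ports'), result.get('org')))
    # iterate the banner list itself: its length need not equal len(ports),
    # which made the original's index loop raise IndexError
    for service in result.get('data') or []:
        banner = service.get('data', '') if isinstance(service, dict) else ''
        # banners are third-party data that may carry terminal control
        # sequences; keep only printable text plus tabs/newlines
        banner = "".join(ch for ch in str(banner) if ch.isprintable() or ch in "\n\t")
        print("Banner {}".format(banner))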
To get information about the hackers:
./hackBack.py
Enjoy
Update
Thanks a lot for your feedback. I have some ideas now for a new version of HackBack, maybe a honeypot kind of thing. I'll post the code on GitHub and make a new post for the update.
Preview