pwnSpoof (from Punk Security) generates realistic spoofed log files for common web servers with customizable attack scenarios.
Every log bundle is unique and completely customisable, making it perfect for generating CTF scenarios and for training serials.
Can you find the attacker session and build the incident picture?
About The Project
pwnSpoof was created on the back of a threat hunting training exercise Punk Security delivered for a customer. The training exercise was to use a log analytic tool such as Splunk (other log analysing tools are available) and IIS logs to find login brute-force attacks and command injections.
The idea behind the pwnSpoof application is to;
Once you have created a set of logs, the idea is to load them in to Splunk and use various techniques to answer the following questions;
The following will explain how to get started with pwnSpoof
pwnSpoof is written in python and is tested with python3. No extra modules are needed, we only use the standard library.
If you get the following error message, please specifiy python3 when running pwnSpoof. Python2 is not supported.
File “pwnspoof.py”, line 176
print(“{:6.2f}% “.format(y * x), end=”\r”, flush=True)
^
SyntaxError: invalid syntax
Installation
git clone https://github.com/punk-security/pwnspoof
change directory to pwnSpoof
cd pwnspoof
Run pwnSpoof
python pwnspoof.py –help
Usage
positional arguments:
{banking,wordpress,generic}
App to emulate
optional arguments:
-h, –help show this help message and exit
–out OUT Output file (default: pwnspoof.log)
–iocs Do you want to know the attackers iocs for easier searching? (default: False)
log generator settings:
–log-start-date LOG_START_DATE
Initial start of logs, in the format YYYYMMDD i.e. “20210727”
–log-end-date LOG_END_DATE
End date for logs, in the format YYYYMMDD i.e. “20210727”
–session-count SESSION_COUNT
Number of legitimate sessions to spoof (default: 2000)
–max-sessions-per-user MAX_SESSIONS_PER_USER
Max number of legitimate sessions per user (default: 3)
–server-fqdn SERVER_FQDN
Override the emulated web apps default fqdn
–server-ip SERVER_IP
Override the emulated web apps randomised IP
–server-type {IIS,NGINX,CLF}
Server to spoof (default: IIS)
–uri-file URI_FILE File containing web uris to override defaults, do not include extensions
–noise-file NOISE_FILE
File containing noise uris to override defaults, include extensions
attack settings:
–spoofed-attacks SPOOFED_ATTACKS
Number of attacker sequences to spoof (default: 1)
–attack-type {bruteforce,command_injection}
Number of attacker sequences to spoof (default: bruteforce)
–attacker-geo ATTACKER_GEO
Set the attackers geo by 2 letter region. Use RD for random (default: RD)
–attacker-user-agent ATTACKER_USER_AGENT
Set the attackers user-agent. Use RD for random (default: RD)
Examples
The following example will create a set of IIS logs for bruteforce against pwnedbank.co.uk.
python pwnspoof.py banking –server-fqdn pwnedbank.co.uk –attack-type bruteforce –server-type IIS –out iis-output.log
The following example will create a set of NGINX logs for command_injection against pwnedbank.co.uk.
python pwnspoof.py banking –server-fqdn pwnedbank.co.uk –attack-type command_injection –server-type NGINX
The following example will create a set of logs with 5000 routine sessions and 3 attack sessions
python pwnspoof.py banking –session-count 5000 –spoofed-attacks 3
The following example will create a set of logs and output the attackers IP addresses
python pwnspoof.py banking –spoofed-attacks 3 –iocs
The cp command, short for "copy," is the main Linux utility for duplicating files and directories. Whether…
Introduction In digital investigations, images often hold more information than meets the eye. With the…
The cat command short for concatenate, It is a fast and versatile tool for viewing and merging…
What is a Port? A port in networking acts like a gateway that directs data…
The ls command is fundamental for anyone working with Linux. It’s used to display the files and…
The pwd (Print Working Directory) command is essential for navigating the Linux filesystem. It instantly shows your…