You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Go to file
Sainnhe Park 3712acfc39
Impl epoll
1 month ago
.github Devops (#1811) 2 months ago
bin Fixes2 (#1802) 3 months ago
docker arm64 builds (#1805) 3 months ago
docs Fixes2 (#1802) 3 months ago
etc Impl epoll 1 month ago
honeyfs Csirtg (#1564) 2 years ago
share Pip check (#1576) 2 years ago
src Impl epoll 1 month ago
var Add a pool of backends for the proxy (#1181) 4 years ago
.dockerignore Integrated docker (#1646) 1 year ago
.gitattributes cowrie rename 8 years ago
.gitignore Move client.json to client.json.example 1 month ago
.pre-commit-config.yaml Fixes2 (#1802) 3 months ago
.pyre_configuration Gh action tox (#1536) 2 years ago
.readthedocs.yml Pip check (#1576) 2 years ago
.tool-versions Add .tool-versions 1 month ago
.yamllint.yml Pip check (#1576) 2 years ago
CHANGELOG.rst Release 2.5.0 (#1808) 3 months ago
CONTRIBUTING.rst Fixes2 (#1802) 3 months ago
INSTALL.rst Fixes2 (#1802) 3 months ago
LICENSE.rst 26apr (#1552) 2 years ago Setup (#996) 4 years ago
Makefile Devops (#1811) 2 months ago
README.rst Update README 1 month ago
pyproject.toml Devops (#1811) 2 months ago
pyrightconfig.json Add pyright config 1 month ago
requirements-dev.txt Devops (#1811) 2 months ago
requirements-output.txt stuff (#1798) 3 months ago
requirements.txt Impl epoll 1 month ago
setup.cfg Devops (#1811) 2 months ago Devops (#1811) 2 months ago
tox.ini Devops (#1811) 2 months ago


To get started::

    cp etc/cowrie.cfg.dist etc/cowrie.cfg
    cp etc/userdb.example etc/userdb.txt
    cp etc/client.json.example etc/client.json
    # edit configs in etc directory
    python -m venv venv
    source venv/bin/activate
    pip install -r ./requirements.txt
    python src/marl/
    ./bin/cowrie start
    telnet 2223


Welcome to the Cowrie GitHub repository

This is the official repository for the Cowrie SSH and Telnet
Honeypot effort.

What is Cowrie

Cowrie is a medium to high interaction SSH and Telnet honeypot
designed to log brute force attacks and the shell interaction
performed by the attacker. In medium interaction mode (shell) it
emulates a UNIX system in Python, in high interaction mode (proxy)
it functions as an SSH and telnet proxy to observe attacker behavior
to another system.

`Cowrie <>`_ is maintained by Michel Oosterhof.


The Documentation can be found `here <>`_.


You can join the Cowrie community at the following `Slack workspace <>`_.


* Choose to run as an emulated shell (default):
   * Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
   * Possibility of adding fake file contents so the attacker can `cat` files such as `/etc/passwd`. Only minimal file contents are included
   * Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection

* Or proxy SSH and telnet to another system
   * Run as a pure telnet and ssh proxy with monitoring
   * Or let Cowrie manage a pool of QEMU emulated servers to provide the systems to login to

For both settings:

* Session logs are stored in an `UML Compatible <>`_  format for easy replay with the `bin/playlog` utility.
* SFTP and SCP support for file upload
* Support for SSH exec commands
* Logging of direct-tcp connection attempts (ssh proxying)
* Forward SMTP connections to SMTP Honeypot (e.g. `mailoney <>`_)
* JSON logging for easy processing in log management solutions


Docker versions are available.

* To get started quickly and give Cowrie a try, run::

    $ docker run -p 2222:2222 cowrie/cowrie:latest
    $ ssh -p 2222 root@localhost

* On Docker Hub:

* Configuring Cowrie in Docker

Cowrie in Docker can be configured using environment variables. The
variables start with COWRIE_ then have the section name in capitals,
followed by the stanza in capitals. An example is below to enable
telnet support::


Alternatively, Cowrie in Docker can use an `etc` volume to store
configuration data.  Create `cowrie.cfg` inside the etc volume
with the following contents to enable telnet in your Cowrie Honeypot
in Docker::

    enabled = yes


Software required to run locally:

* Python 3.8+
* python-virtualenv

For Python dependencies, see `requirements.txt <>`_.

Files of interest:

* `etc/cowrie.cfg` - Cowrie's configuration file. Default values can be found in `etc/cowrie.cfg.dist <>`_.
* `share/cowrie/fs.pickle` - fake filesystem
* `etc/userdb.txt` - credentials to access the honeypot
* `honeyfs/ <>`_ - file contents for the fake filesystem - feel free to copy a real system here or use `bin/fsctl`
* `honeyfs/etc/` - pre-login banner
* `honeyfs/etc/motd <>`_ - post-login banner
* `var/log/cowrie/cowrie.json` - transaction output in JSON format
* `var/log/cowrie/cowrie.log` - log/debug output
* `var/lib/cowrie/tty/` - session logs, replayable with the `bin/playlog` utility.
* `var/lib/cowrie/downloads/` - files transferred from the attacker to the honeypot are stored here
* `share/cowrie/txtcmds/ <>`_ - file contents for simple fake commands
* `bin/createfs <>`_ - used to create the fake filesystem
* `bin/playlog <>`_ - utility to replay session logs


Many people have contributed to Cowrie over the years. Special thanks to:

* Upi Tamminen (desaster) for all his work developing Kippo on which Cowrie was based
* Dave Germiquet (davegermiquet) for TFTP support, unit tests, new process handling
* Olivier Bilodeau (obilodeau) for Telnet support
* Ivan Korolev (fe7ch) for many improvements over the years.
* Florian Pelgrim (craneworks) for his work on code cleanup and Docker.
* Guilherme Borges (sgtpepperpt) for SSH and telnet proxy (GSoC 2019)
* And many many others.