forked from robertdavidgraham/telnetlogger
-
Notifications
You must be signed in to change notification settings - Fork 0
/
telnetlogger.8
83 lines (80 loc) · 2.6 KB
/
telnetlogger.8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "TELNETLOGGER" "8" "November 2016" "" ""
.
.SH "NAME"
\fBtelnetlogger\fR \- Tiny telnet honeypot
.
.SH "SYNOPSIS"
telnetlogger \fIoptions\fR
.
.SH "DESCRIPTION"
\fBtelnetlogger\fR is a small daemon that accepts incomiong Telnet connections and logs the username/password attempts\. Specifically, it is designed to log attempts from the Mirai IoT worm\.
.
.P
There are three output formats: just the passwords, just the IP addresses, or a CSV output containing both\.
.
.P
The way I run this is on a Raspberry Pi with the following parameters:
.
.IP "" 4
.
.nf
telnetlogger \-c telnet\.csv \-p null \-i null \-l 2323
.
.fi
.
.IP "" 0
.
.P
I then use the firewall to redirect incoming port 23 to my network to the Raspberry Pi on port 2323\.
.
.SH "OPTIONS"
.
.IP "\(bu" 4
\fB\-c <filename>\fR: An output file in CSV format containing the time, IP address, username, and password for each attempt\. A filename of \fB\-\fR means \fIstdout\fR, a filename of \fBnull\fR means no output\.
.
.IP "\(bu" 4
\fB\-i <filename>\fR: An output file for the IPv4/IPv6 addresses logged by the daemon\. A filename of \fB\-\fR means \fIstdout\fR, a filename of \fBnull\fR means no output\. If no filename given, the passwords will be printed to the command\-line\.
.
.IP "\(bu" 4
\fB\-p <filename>\fR: An output file for the passwords logged by the daemon\. A filename of \fB\-\fR means \fIstdout\fR, a filename of \fBnull\fR means no output\. If no filename given, the passwords will be printed to the command\-line\.
.
.IP "\(bu" 4
\fB\-l <port>\fR: A port number to listen on\. Often, people will setup the service to listen on a high\-numbered port, such as 2323, then use firewall rules to redirect the Telnet port 23 to this high\-numbered port\. If not specified, by default port 23 will be used\. This may require root priveleges to run on low\-numbered ports\.
.
.IP "" 0
.
.SH "OUTPUT FORMAT"
The internet addresses are output in either IPv4 or IPv6 format as appropriate\. Usernames and passwords are filter non\-printable characters and some punctuation, replacing them with the standard \exXX format\.
.
.P
The CSV format has the columns:
.
.IP "" 4
.
.nf
time_t, timestamp, address, username, password
.
.fi
.
.IP "" 0
.
.P
An example line is:
.
.IP "" 4
.
.nf
1478398395,2016\-11\-06 02:13:15,127\.0\.0\.1,foo,bar
.
.fi
.
.IP "" 0
.
.SH "COMPATIBILITY"
The tool runs on Windows and Linux, but should run on most other systems as well\.
.
.SH "AUTHORS"
This tool was written by Robert Graham\. The source code is available at https://github\.com/robertdavidgraham/telnetlogger\.