From 0b44d1c83f78d2a99f59fc8bb20c634ceec145ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Torjus=20H=C3=A5kestad?= Date: Sun, 15 Feb 2026 18:01:42 +0100 Subject: [PATCH] docs: detail fake exec output approach in PLAN.md 4.4.1 Regex-based output assembly: scan exec commands for known patterns and return plausible fake values rather than interpreting shell pipelines. Waiting on more real-world bot examples before implementing. Co-Authored-By: Claude Opus 4.6 --- PLAN.md | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/PLAN.md b/PLAN.md index cf61d3a..9607755 100644 --- a/PLAN.md +++ b/PLAN.md 
@@ -212,4 +212,26 @@ Many bots send a command directly via `ssh user@host ` (an SSH "exec" r - Surface exec commands in the web UI (session detail view) #### 4.4.1 Fake Exec Output -Return plausible fake output for common exec commands (e.g. `uname`, `id`, `cat /etc/passwd`) to encourage bots to interact further. Implement after collecting data on what bots commonly try to run. +Return plausible fake output for exec commands to encourage bots to interact further. + +**Approach: regex-based output assembly.** Bots typically send a single long command that chains recon commands and then echoes a summary (e.g. `echo "UNAME:$uname"`). Rather than interpreting arbitrary shell pipelines, we scan the command string for known patterns and assemble fake output. + +Implementation: +- A map of common command/variable patterns to fake output strings, e.g.: + - `uname -a` / `uname -s -v -n -m` → `"Linux ubuntu-server 5.15.0-91-generic #101-Ubuntu SMP Tue Jan 2 15:13:10 UTC 2024 x86_64"` + - `uname -m` / `arch` → `"x86_64"` + - `cat /proc/uptime` → `"86432.71 172801.55"` + - `nproc` / `grep -c "^processor" /proc/cpuinfo` → `"2"` + - `cat /proc/cpuinfo` → fake cpuinfo block + - `lspci` → empty (no GPU — discourages cryptominer targeting) + - `id` → `"uid=0(root) gid=0(root) groups=0(root)"` + - `cat /etc/passwd` → minimal fake passwd file + - `last` → fake login entries + - `cat --help`, `ls --help` → canned GNU coreutils help text +- Scan the exec command for `echo "KEY:$var"` patterns; for each key, look up the corresponding fake value from the variable assignment earlier in the command +- If we recognise echo patterns, assemble and return the expected output +- If we don't recognise the command at all, return empty output with exit 0 (current behaviour) +- Values should draw from the existing shell config where possible (hostname, fake_user) for consistency +- New package `internal/execfake` or a file in `internal/server/` — keep it simple + +Gather more real-world bot 
examples before implementing to ensure good coverage of common recon patterns.
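Review bot: the `uname -a` entry in the pattern map hard-codes the hostname `ubuntu-server`, which conflicts with the later bullet that values should draw from the existing shell config (hostname, fake_user); suggest templating the configured hostname into the `uname -a` / `uname -s -v -n -m` strings so a bot that runs both `hostname` and `uname -a` in the same chained command sees one consistent value. The echo-scanning bullets also leave one case undefined: a matched `echo "KEY:$var"` whose `$var` was assigned from a command that is not in the map. The plan covers only the fully unrecognised command (empty output, exit 0), so it should state whether a partially recognised command emits `KEY:` with an empty value or drops that line, and that assembled lines are emitted in the order the echo statements appear in the command.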