docs: detail fake exec output approach in PLAN.md 4.4.1
Regex-based output assembly: scan exec commands for known patterns and return plausible fake values rather than interpreting shell pipelines. Waiting on more real-world bot examples before implementing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
24
PLAN.md
24
PLAN.md
@@ -212,4 +212,26 @@ Many bots send a command directly via `ssh user@host <command>` (an SSH "exec" r
|
|||||||
- Surface exec commands in the web UI (session detail view)
|
- Surface exec commands in the web UI (session detail view)
|
||||||
|
|
||||||
#### 4.4.1 Fake Exec Output
|
#### 4.4.1 Fake Exec Output
|
||||||
Return plausible fake output for common exec commands (e.g. `uname`, `id`, `cat /etc/passwd`) to encourage bots to interact further. Implement after collecting data on what bots commonly try to run.
|
Return plausible fake output for exec commands to encourage bots to interact further.
|
||||||
|
|
||||||
|
**Approach: regex-based output assembly.** Bots typically send a single long command that chains recon commands and then echoes a summary (e.g. `echo "UNAME:$uname"`). Rather than interpreting arbitrary shell pipelines, we scan the command string for known patterns and assemble fake output.
|
||||||
|
|
||||||
|
Implementation:
|
||||||
|
- A map of common command/variable patterns to fake output strings, e.g.:
|
||||||
|
- `uname -a` / `uname -s -v -n -m` → `"Linux ubuntu-server 5.15.0-91-generic #101-Ubuntu SMP Tue Jan 2 15:13:10 UTC 2024 x86_64"`
|
||||||
|
- `uname -m` / `arch` → `"x86_64"`
|
||||||
|
- `cat /proc/uptime` → `"86432.71 172801.55"`
|
||||||
|
- `nproc` / `grep -c "^processor" /proc/cpuinfo` → `"2"`
|
||||||
|
- `cat /proc/cpuinfo` → fake cpuinfo block
|
||||||
|
- `lspci` → empty (no GPU — discourages cryptominer targeting)
|
||||||
|
- `id` → `"uid=0(root) gid=0(root) groups=0(root)"`
|
||||||
|
- `cat /etc/passwd` → minimal fake passwd file
|
||||||
|
- `last` → fake login entries
|
||||||
|
- `cat --help`, `ls --help` → canned GNU coreutils help text
|
||||||
|
- Scan the exec command for `echo "KEY:$var"` patterns; for each key, look up the corresponding fake value from the variable assignment earlier in the command
|
||||||
|
- If we recognise echo patterns, assemble and return the expected output
|
||||||
|
- If we don't recognise the command at all, return empty output with exit 0 (current behaviour)
|
||||||
|
- Values should draw from the existing shell config where possible (hostname, fake_user) for consistency
|
||||||
|
- New package `internal/execfake` or a file in `internal/server/` — keep it simple
|
||||||
|
|
||||||
|
Gather more real-world bot examples before implementing to ensure good coverage of common recon patterns.
|
||||||
|
|||||||
Reference in New Issue
Block a user