torjus/oubliette
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: detail fake exec output approach in PLAN.md 4.4.1

Browse Source 
Regex-based output assembly: scan exec commands for known patterns
and return plausible fake values rather than interpreting shell
pipelines. Waiting on more real-world bot examples before implementing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Torjus Håkestad
2026-02-15 18:01:42 +01:00
parent 0133d956a5
commit 0b44d1c83f
1 changed files with 23 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
PLAN.md
View File

@@ -212,4 +212,26 @@ Many bots send a command directly via `ssh user@host <command>` (an SSH "exec" r
- Surface exec commands in the web UI (session detail view)
#### 4.4.1 Fake Exec Output
Return plausible fake output for common exec commands (e.g. `uname`, `id`, `cat /etc/passwd`) to encourage bots to interact further. Implement after collecting data on what bots commonly try to run.
Return plausible fake output for exec commands to encourage bots to interact further.
**Approach: regex-based output assembly.** Bots typically send a single long command that chains recon commands and then echoes a summary (e.g. `echo "UNAME:$uname"`). Rather than interpreting arbitrary shell pipelines, we scan the command string for known patterns and assemble fake output.
Implementation:
- A map of common command/variable patterns to fake output strings, e.g.:
- `uname -a` / `uname -s -v -n -m``"Linux ubuntu-server 5.15.0-91-generic #101-Ubuntu SMP Tue Jan 2 15:13:10 UTC 2024 x86_64"`
- `uname -m` / `arch``"x86_64"`
- `cat /proc/uptime``"86432.71 172801.55"`
- `nproc` / `grep -c "^processor" /proc/cpuinfo``"2"`
- `cat /proc/cpuinfo` → fake cpuinfo block
- `lspci` → empty (no GPU — discourages cryptominer targeting)
- `id``"uid=0(root) gid=0(root) groups=0(root)"`
- `cat /etc/passwd` → minimal fake passwd file
- `last` → fake login entries
- `cat --help`, `ls --help` → canned GNU coreutils help text
- Scan the exec command for `echo "KEY:$var"` patterns; for each key, look up the corresponding fake value from the variable assignment earlier in the command
- If we recognise echo patterns, assemble and return the expected output
- If we don't recognise the command at all, return empty output with exit 0 (current behaviour)
- Values should draw from the existing shell config where possible (hostname, fake_user) for consistency
- New package `internal/execfake` or a file in `internal/server/` — keep it simple
Gather more real-world bot examples before implementing to ensure good coverage of common recon patterns.