Kippo medium interactive honeypot

March 3rd, 2011

I spent the last few minutes working on setting up Kippo. Kippo is a medium interactive SSH honeypot. Basically, Kippo starts up an SSH daemon, monitors SSH brute-force attempts, and if the attacker succeeds in gaining access, it logs every command run on it and captures all the tools downloaded to it. It was fairly simple to set up on an Ubuntu 10.10 machine, so here we go:

First we want to go ahead and take care of a simple dependency:


metacortex@ubuntu:~/SecTools/kippo$ sudo aptitude install python-twisted-conch python-twisted-web

Once we have conch installed, go ahead and download Kippo and extract it:


metacortex@ubuntu:~/SecTools/kippo$ wget http://kippo.googlecode.com/files/kippo-0.5.tar.gz
metacortex@ubuntu:~/SecTools/kippo$ tar -zxvf kippo-0.5.tar.gz
metacortex@ubuntu:~/SecTools/kippo$ cd kippo-0.5

You will now see the following files:


metacortex@ubuntu:~/SecTools/kippo/kippo-0.5$ ls
data dl doc fs.pickle honeyfs kippo kippo.cfg kippo.tac log start.sh txtcmds utils

From here we want to go ahead and edit the config file (kippo.cfg). There are a few lines you may want to change.


ssh_port = 2222

Please note that you cannot run Kippo as root, so you will want to choose a port number to listen on that does not require root privileges. I would like to have Kippo open on 22, so what I have done is forward port 22 to port 2222 on my firewall.


hostname = sales

This is the hostname that you will see once you successfully log in.


password = 123456

This will be the password for root and will allow access.

Once we get the config all ready we want to go ahead and start Kippo. Remember, we are not using root:


metacortex@ubuntu:~/SecTools/kippo/kippo-0.5$ ./start.sh
Starting kippo in background.../home/dan/SecTools/kippo/kippo-0.5/kippo/commands/ping.py:6: DeprecationWarning: the md5 module is deprecated; use hashlib instead
import time, re, random, md5
Generating RSA keypair...
done.

You will see the deprecation warning, but you can safely ignore it. Now that we see it generated the SSH keys, we can go ahead and log into it:


metacortex@ubuntu:~/SecTools/kippo/kippo-0.5$ ssh root@127.0.0.1 -p 2222
The authenticity of host '[127.0.0.1]:2222 ([127.0.0.1]:2222)' can't be established.
RSA key fingerprint is eb:de:07:eb:8f:e0:e4:c4:1e:1d:d3:eb:02:20:53:f1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:2222' (RSA) to the list of known hosts.
Password:
sales:~# ls
sales:~# pwd
/root
sales:~# id
uid=0(root) gid=0(root) groups=0(root)
sales:~# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
richard:x:1000:1000:richard,,,:/home/richard:/bin/bash
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin

Here you can see that we were able to successfully log in using the password 123456. Now if we want to go ahead and look at the logs, they are located in the log directory:


metacortex@ubuntu:~/SecTools/kippo/kippo-0.5$ cd log/
metacortex@ubuntu:~/SecTools/kippo/kippo-0.5$ cat kippo.log
2011-01-31 13:41:34-0800 [-] Log opened.
2011-01-31 13:41:34-0800 [-] twistd 10.1.0 (/usr/bin/python 2.6.6) starting up.
2011-01-31 13:41:34-0800 [-] reactor class: twisted.internet.selectreactor.SelectReactor.
2011-01-31 13:41:34-0800 [-] kippo.core.honeypot.HoneyPotSSHFactory starting on 2222
2011-01-31 13:41:34-0800 [-] Starting factory
2011-01-31 13:44:43-0800 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 127.0.0.1:44261 (127.0.0.1:2222) [session: 0]
2011-01-31 13:44:43-0800 [HoneyPotTransport,0,127.0.0.1] Remote SSH version: SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5
2011-01-31 13:44:43-0800 [HoneyPotTransport,0,127.0.0.1] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-01-31 13:44:43-0800 [HoneyPotTransport,0,127.0.0.1] outgoing: aes128-ctr hmac-md5 none
2011-01-31 13:44:43-0800 [HoneyPotTransport,0,127.0.0.1] incoming: aes128-ctr hmac-md5 none
2011-01-31 13:44:43-0800 [HoneyPotTransport,0,127.0.0.1] connection lost
2011-01-31 13:45:10-0800 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 127.0.0.1:44262 (127.0.0.1:2222) [session: 1]
2011-01-31 13:45:10-0800 [HoneyPotTransport,1,127.0.0.1] Remote SSH version: SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5
2011-01-31 13:45:10-0800 [HoneyPotTransport,1,127.0.0.1] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-01-31 13:45:10-0800 [HoneyPotTransport,1,127.0.0.1] outgoing: aes128-ctr hmac-md5 none
2011-01-31 13:45:10-0800 [HoneyPotTransport,1,127.0.0.1] incoming: aes128-ctr hmac-md5 none
2011-01-31 13:45:12-0800 [HoneyPotTransport,1,127.0.0.1] NEW KEYS
2011-01-31 13:45:12-0800 [HoneyPotTransport,1,127.0.0.1] starting service ssh-userauth
2011-01-31 13:45:12-0800 [SSHService ssh-userauth on HoneyPotTransport,1,127.0.0.1] root trying auth none
2011-01-31 13:45:12-0800 [SSHService ssh-userauth on HoneyPotTransport,1,127.0.0.1] root trying auth keyboard-interactive
2011-01-31 13:45:15-0800 [SSHService ssh-userauth on HoneyPotTransport,1,127.0.0.1] login attempt [root/123456] succeeded
2011-01-31 13:45:15-0800 [SSHService ssh-userauth on HoneyPotTransport,1,127.0.0.1] root authenticated with keyboard-interactive
2011-01-31 13:45:15-0800 [SSHService ssh-userauth on HoneyPotTransport,1,127.0.0.1] starting service ssh-connection
2011-01-31 13:45:15-0800 [SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] got channel session request
2011-01-31 13:45:15-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] channel open
2011-01-31 13:45:15-0800 [SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] got global no-more-sessions@openssh.com request
2011-01-31 13:45:15-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] pty request: xterm (24, 138, 0, 0)
2011-01-31 13:45:15-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] Terminal size: 24 138
2011-01-31 13:45:15-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] unhandled request for env
2011-01-31 13:45:15-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] getting shell
2011-01-31 13:45:15-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] Opening TTY log: log/tty/20110131-134515-8373.log
2011-01-31 13:45:20-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] CMD: ls
2011-01-31 13:45:20-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] Command found: ls
2011-01-31 13:45:21-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] CMD: pwd
2011-01-31 13:45:21-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] Command found: pwd
2011-01-31 13:45:22-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] CMD: id
2011-01-31 13:45:22-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] Command found: id
2011-01-31 13:45:33-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] CMD: cat /etc/passwd
2011-01-31 13:45:33-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] Command found: cat /etc/passwd
2011-01-31 13:45:33-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] Updating realfile to honeyfs//etc/passwd
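As an added example (not part of the original post and not Kippo's own code), here is a small Python parser for the kippo.log format shown above that groups lines by session and pulls out the credentials Kippo accepted and the commands that followed. The sample log is constructed to match the entries above; the function and field names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the kippo.log format shown above (not a real capture).
SAMPLE_LOG = """\
2011-01-31 13:45:10-0800 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 127.0.0.1:44262 (127.0.0.1:2222) [session: 1]
2011-01-31 13:45:12-0800 [SSHService ssh-userauth on HoneyPotTransport,1,127.0.0.1] root trying auth keyboard-interactive
2011-01-31 13:45:13-0800 [SSHService ssh-userauth on HoneyPotTransport,1,127.0.0.1] login attempt [root/admin] failed
2011-01-31 13:45:15-0800 [SSHService ssh-userauth on HoneyPotTransport,1,127.0.0.1] login attempt [root/123456] succeeded
2011-01-31 13:45:20-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] CMD: ls
2011-01-31 13:45:33-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] CMD: cat /etc/passwd
2011-01-31 13:46:00-0800 [HoneyPotTransport,1,127.0.0.1] connection lost
"""

# A line is "<timestamp> [<context>] <message>"; after the handshake the context
# carries "HoneyPotTransport,<session id>,<client ip>", which is what we key on.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<ctx>[^\]]*)\] (?P<msg>.*)$")
TRANSPORT_RE = re.compile(r"HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)")
LOGIN_RE = re.compile(r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)")

def parse_kippo_log(text):
    """Group kippo.log lines into per-session records keyed by session id."""
    sessions = defaultdict(lambda: {"ip": None, "end": None, "logins": [], "commands": []})
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # blank or unexpected line
        ts, ctx, msg = m.group("ts", "ctx", "msg")
        tr = TRANSPORT_RE.search(ctx)
        if not tr:
            continue                      # twistd startup / factory lines have no transport
        s = sessions[int(tr.group("sid"))]
        s["ip"] = tr.group("ip")
        login = LOGIN_RE.search(msg)
        if login:
            s["logins"].append(login.group("user", "pw", "result"))
        elif msg.startswith("CMD: "):
            s["commands"].append(msg[len("CMD: "):])
        elif msg == "connection lost":
            s["end"] = ts
    return dict(sessions)

def compromised_sessions(sessions):
    """(sid, ip, user, password, commands) for every login Kippo accepted."""
    return [(sid, s["ip"], u, p, s["commands"])
            for sid, s in sorted(sessions.items())
            for u, p, r in s["logins"] if r == "succeeded"]
```

Run it against log/kippo.log instead of SAMPLE_LOG to get a per-session list of what each intruder typed once the honeypot let them in.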

Now you have all you need for your honeypot. Go ahead and put it out on the internet and see what you get.
