peterw
New Member
hwdsl2 wrote about kippo, and I am now adding a howto for this tool.
- Move your real sshd off port 22 so the honeypot can take it: "vi /etc/ssh/sshd_config" and change "Port" to another number
- Install dependencies: "apt-get install python-twisted"
- Create a user for kippo: "adduser honeypot"
- Change to that user: "su honeypot"
- Download kippo: "wget https://kippo.googlecode.com/files/kippo-0.8.tar.gz"
- Extract it: "tar xzf kippo-0.8.tar.gz && cd kippo-0.8 && ls"
ls
data dl doc fs.pickle honeyfs kippo kippo.cfg kippo.tac log start.sh txtcmds utils
dl: default directory to which kippo will store all downloaded files
honeyfs: fake filesystem
kippo.cfg: configuration file
log: logs of shell interactions
start.sh: shell script to start kippo
- Configuration
#
# Kippo configuration file (kippo.cfg)
#
[honeypot]
# IP addresses to listen for incoming SSH connections.
#
# (default: 0.0.0.0) = any address
#ssh_addr = 127.0.0.1
# Port to listen for incoming SSH connections.
#
# (default: 2222)
ssh_port = 2222
# Hostname for the honeypot. Displayed by the shell prompt of the virtual
# environment.
#
# (default: nas3)
hostname = serverla
Don't run kippo on port 22 because it needs root access for this!
- iptables for port 22 forwarding: "sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222"
- Prepare the honeypot
The default fake filesystem is old, but you can regenerate it from the real filesystem of the machine you run the script on: "sudo utils/createfs.py > fs.pickle"
Then add file contents to the fake filesystem: "sudo tar cvpzf /tmp/backup.tgz --exclude=/proc --exclude=/lost+found --exclude=/mnt --exclude=/sys --exclude=/tmp/backup.tgz /", copy the archive to your VPS and extract it into the honeyfs directory. Take it from a clean system with no personal data, because whoever logs in to the honeypot gets to read it.
Then set the operating system banner the visitor will see: "echo "Debian GNU/Linux 7 \n \l" > honeyfs/etc/issue"
Then set passwords for the root account in "honeyfs/etc/passwd": "utils/passdb.py data/pass.db add 12345"
Then fake some commands for a better honeypot; kippo prints the saved text whenever that command is typed: "df -h > txtcmds/bin/df" and others.
- Start kippo with: "su honeypot -c "cd ~/kippo-0.8 && ./start.sh"" (plain "su honeypot && cd ... && ./start.sh" would only run the cd and start.sh after you leave the honeypot shell again)
- Test kippo with "ssh [email protected]"
- Check logs to see what they tried to do: "tail -n 100 log/kippo.log"
2014-03-25 13:18:34+0100 [SSHService ssh-userauth on HoneyPotTransport,1,127.0.0.1] honeypot trying auth password
2014-03-25 13:18:34+0100 [SSHService ssh-userauth on HoneyPotTransport,1,127.0.0.1] login attempt [honeypot/] failed
2014-03-25 13:18:35+0100 [-] honeypot failed auth password
2014-03-25 13:18:35+0100 [-] unauthorized login:
2014-03-25 13:18:35+0100 [HoneyPotTransport,1,127.0.0.1] connection lost
2014-03-25 13:18:40+0100 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 127.0.0.1:59639 (127.0.0.1:2222) [session: 2]
2014-03-25 13:18:40+0100 [HoneyPotTransport,2,127.0.0.1] Remote SSH version: SSH-2.0-OpenSSH_6.0p1 Debian-4
2014-03-25 13:18:40+0100 [HoneyPotTransport,2,127.0.0.1] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2014-03-25 13:18:40+0100 [HoneyPotTransport,2,127.0.0.1] outgoing: aes128-ctr hmac-md5 none
2014-03-25 13:18:40+0100 [HoneyPotTransport,2,127.0.0.1] incoming: aes128-ctr hmac-md5 none
2014-03-25 13:18:40+0100 [HoneyPotTransport,2,127.0.0.1] NEW KEYS
2014-03-25 13:18:40+0100 [HoneyPotTransport,2,127.0.0.1] starting service ssh-userauth
2014-03-25 13:18:40+0100 [SSHService ssh-userauth on HoneyPotTransport,2,127.0.0.1] root trying auth none
2014-03-25 13:18:40+0100 [SSHService ssh-userauth on HoneyPotTransport,2,127.0.0.1] root trying auth keyboard-interactive
2014-03-25 13:18:42+0100 [SSHService ssh-userauth on HoneyPotTransport,2,127.0.0.1] login attempt [root/123456] succeeded
2014-03-25 13:18:42+0100 [SSHService ssh-userauth on HoneyPotTransport,2,127.0.0.1] root authenticated with keyboard-interactive
2014-03-25 13:18:42+0100 [SSHService ssh-userauth on HoneyPotTransport,2,127.0.0.1] starting service ssh-connection
2014-03-25 13:18:42+0100 [SSHService ssh-connection on HoneyPotTransport,2,127.0.0.1] got channel session request
2014-03-25 13:18:42+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,127.0.0.1] channel open
2014-03-25 13:18:42+0100 [SSHService ssh-connection on HoneyPotTransport,2,127.0.0.1] got global no-more-sessions@openssh.com request
2014-03-25 13:18:42+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,127.0.0.1] pty request: xterm (32, 132, 0, 0)
2014-03-25 13:18:42+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,127.0.0.1] Terminal size: 32 132
2014-03-25 13:18:42+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,127.0.0.1] request_env: '\x00\x00\x00\x04LANG\x00\x00\x00\x0ben_US.UTF-8'
2014-03-25 13:18:42+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,127.0.0.1] getting shell
2014-03-25 13:18:42+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,127.0.0.1] Opening TTY log: log/tty/20140325-131842-5731.log
2014-03-25 13:18:44+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,127.0.0.1] /etc/motd resolved into /etc/motd
2014-03-25 13:18:46+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,127.0.0.1] CMD: ls
2014-03-25 13:18:46+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,127.0.0.1] Command found: ls
2014-03-25 13:18:51+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,127.0.0.1] CMD: ls -al
2014-03-25 13:18:51+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,127.0.0.1] Command found: ls -al
2014-03-25 13:19:03+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,127.0.0.1] CMD: cat /etc/passwd
2014-03-25 13:19:03+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,127.0.0.1] Command found: cat /etc/passwd
2014-03-25 13:19:03+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,127.0.0.1] /etc/passwd resolved into /etc/passwd
2014-03-25 13:19:03+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,127.0.0.1] Updating realfile to honeyfs//etc/passwd
It is working well on my BlueVM server. A lot of people try to do bad stuff with my server. It is funny to watch them with "tail -f -n 50 /home/honeypot/kippo-08/log/kippo.log". Every time some hacker is testing the environment I create additional commands to keep them longer on the honeypot. I use a basic system with no personal data to create a honeypot VPS with kippo. I don't know if I am brave enough to run this on a production server. But servers are cheap and I want to keep up to date.
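Reading kippo.log by hand gets old once the bots arrive, so here is an added Python example (not code from the post or from kippo) that pulls the useful facts out of lines like the ones quoted above: per session, the peer IP, the client banner, every username/password tried with its outcome, and the commands typed. The sample log is constructed from the lines in the post and the regular expressions follow the message formats shown there.

```python
import re
from collections import defaultdict

# Sample constructed from the kippo.log lines quoted in the post above.
SAMPLE_LOG = """\
2014-03-25 13:18:34+0100 [SSHService ssh-userauth on HoneyPotTransport,1,127.0.0.1] login attempt [honeypot/] failed
2014-03-25 13:18:35+0100 [HoneyPotTransport,1,127.0.0.1] connection lost
2014-03-25 13:18:40+0100 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 127.0.0.1:59639 (127.0.0.1:2222) [session: 2]
2014-03-25 13:18:40+0100 [HoneyPotTransport,2,127.0.0.1] Remote SSH version: SSH-2.0-OpenSSH_6.0p1 Debian-4
2014-03-25 13:18:42+0100 [SSHService ssh-userauth on HoneyPotTransport,2,127.0.0.1] login attempt [root/123456] succeeded
2014-03-25 13:18:46+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,127.0.0.1] CMD: ls
2014-03-25 13:18:51+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,127.0.0.1] CMD: ls -al
2014-03-25 13:19:03+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,127.0.0.1] CMD: cat /etc/passwd
"""

# Each line is "<timestamp> [<source>] <message>"; once a connection is up the
# source names the transport as "HoneyPotTransport,<session id>,<peer ip>".
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<src>[^\]]*)\] (?P<msg>.*)$")
TRANSPORT_RE = re.compile(r"HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)")
LOGIN_RE = re.compile(r"^login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)$")
CMD_RE = re.compile(r"^CMD: (?P<cmd>.*)$")
VERSION_RE = re.compile(r"^Remote SSH version: (?P<ver>.*)$")


def parse_kippo_log(text):
    """Group each session's peer IP, client banner, login attempts and commands."""
    sessions = defaultdict(lambda: {"ip": None, "client": None, "logins": [], "commands": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = TRANSPORT_RE.search(m.group("src"))
        if not t:
            continue  # factory-level lines ("New connection") carry no transport tag
        s = sessions[int(t.group("sid"))]
        s["ip"] = t.group("ip")
        msg = m.group("msg")
        lm, cm, vm = LOGIN_RE.match(msg), CMD_RE.match(msg), VERSION_RE.match(msg)
        if lm:  # an empty password shows up as "[user/]" and is kept as ""
            s["logins"].append((lm.group("user"), lm.group("pw"), lm.group("result") == "succeeded"))
        elif cm:
            s["commands"].append(cm.group("cmd"))
        elif vm:
            s["client"] = vm.group("ver")
    return dict(sessions)


def compromised_sessions(sessions):
    """Sessions with a successful login: the ones whose TTY logs deserve a replay."""
    return {sid: s for sid, s in sessions.items() if any(ok for _, _, ok in s["logins"])}
```

Feed it the real log with `parse_kippo_log(open("log/kippo.log").read())`; the failed attempts in the other sessions give you the username/password lists the bots are working through.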