Kippo: an SSH honeypot (Ubuntu)

Some months ago a friend asked me to show him how I could log everything he did when he "injected" my server and rooted it, while letting him believe he had total control. In fact the only thing I had installed was a custom SSH honeypot. For beginners, whether in programming or in hacking and system administration, there are plenty of ready-to-use honeypots, such as Kippo.

Kippo is a medium-interaction SSH honeypot written in Python. It is designed to log brute-force attacks and, once an attacker gets in, to record the whole shell session he runs against a fake filesystem.

This how-to shows how to configure Kippo to log all SSH attacks on an Ubuntu server.
First, install the dependencies Kippo needs to run and to talk to a MySQL database, which is where we will log everything:

sudo apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted python-mysqldb

Next, download Kippo and unpack it. It is important NOT to do this (or anything that follows) as the root user:

$ wget http://kippo.googlecode.com/files/kippo-0.8.tar.gz

$ tar xzvf kippo-0.8.tar.gz
$ cd kippo-0.8

Now edit the config file kippo.cfg and change the options as you like (listening port, fake hostname, and so on).

It is worth integrating Kippo with a MySQL database, so that you can easily log and review every wannabe hacker trying to log into your machine:

$ sudo apt-get install mysql-server
$ mysql -u root -p
> CREATE DATABASE kippo;
> GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'somedifficultpassword';
> exit

Then, from inside the kippo-0.8 directory, load the schema that ships with Kippo:

$ mysql -u kippo -p
> USE kippo;
> source ./doc/sql/mysql.sql;
> exit

Now uncomment the last lines of kippo.cfg and fill in the connection details, so that the honeypot logs to your MySQL database:

[database_mysql]
host = localhost
database = kippo
username = kippo
password = somedifficultpassword

Now we can start the honeypot. Again, very important: don't use the root account:

$ ./start.sh
Starting kippo in background...Loading dblog engine: mysql

Check that the SSH honeypot is running; in my case it listens on port 2222:

$ sudo netstat -atnp | grep 2222
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 3104/python

From another computer, launch an Nmap scan against port 2222:

nmap -PN -sV -p 2222 10.10.0.8

The fake SSH server is ready and presents itself as a regular OpenSSH daemon:

Nmap scan report for 10.10.0.8
Host is up (0.00046s latency).
PORT STATE SERVICE VERSION
2222/tcp open ssh OpenSSH 5.1p1 Debian 6 (protocol 2.0)
Service Info: OS: Linux

Now try to connect with a password the honeypot accepts (by default root with 123456, from data/userdb.txt):

ssh -l root -p 2222 10.10.0.8
Password:
sales#

Aaaand you're in! You think you are a genius!! You can interact with the fake system:
sales#

OK, now on the honeypot machine we check the database with all the SSH connection attempts:

$ mysql -u kippo -p
> USE kippo;
> SELECT * FROM auth;

+----+----------------------------------+---------+----------+----------+---------------------+
| id | session                          | success | username | password | timestamp           |
+----+----------------------------------+---------+----------+----------+---------------------+
|  1 | 6eb05042605211e0b00c000c29fc1cf3 |       0 | root     | sdfasdf  | 2012-07-23 13:33:19 |
|  2 | 6eb05042605211e0b00c000c29fc1cf3 |       0 | root     | quit     | 2012-07-23 13:34:42 |
+----+----------------------------------+---------+----------+----------+---------------------+

Every attempt is recorded, failed (success = 0) or successful (success = 1). The other tables hold the rest of what was logged: sessions (source IP, start and end time), clients (the SSH client banner), input (every command typed in the fake shell) and ttylog (the full terminal recording, which you can replay with utils/playlog.py):

> SHOW TABLES;
+-----------------+
| Tables_in_kippo |
+-----------------+
| auth            |
| clients         |
| input           |
| sensors         |
| sessions        |
| ttylog          |
+-----------------+
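To get something out of those tables beyond a raw SELECT, here is an added example (mine, not part of the post or of Kippo) with the three queries I run first on a fresh honeypot: the most-tried credentials, a per-source-IP summary, and the commands typed in each session. It recreates Kippo's tables in an in-memory SQLite database filled with constructed rows so it runs offline; the column names are taken from doc/sql/mysql.sql in kippo-0.8 as I remember it, so treat them as an assumption and check them against your copy. The SQL runs unchanged on the real MySQL database once the connection is swapped for MySQLdb.connect(...) and the ? markers for %s.

```python
"""Reporting queries over the tables Kippo's dblog engine fills.

Added example; not part of the original post or of Kippo. The schema below
is a simplified copy of doc/sql/mysql.sql from kippo-0.8 (column names are an
assumption, verify against your file); the rows are constructed sample data.
"""
import sqlite3

# ttylog is left out: it holds the raw terminal recording, replayed with
# utils/playlog.py rather than queried.
KIPPO_SCHEMA = """
CREATE TABLE sensors  (id INTEGER PRIMARY KEY, ip VARCHAR(15) NOT NULL);
CREATE TABLE clients  (id INTEGER PRIMARY KEY, version VARCHAR(50) NOT NULL);
CREATE TABLE sessions (id CHAR(32) PRIMARY KEY, starttime DATETIME NOT NULL,
                       endtime DATETIME, sensor INT NOT NULL,
                       ip VARCHAR(15) NOT NULL, termsize VARCHAR(7), client INT);
CREATE TABLE auth     (id INTEGER PRIMARY KEY, session CHAR(32) NOT NULL,
                       success TINYINT NOT NULL, username VARCHAR(100) NOT NULL,
                       password VARCHAR(100) NOT NULL, timestamp DATETIME NOT NULL);
CREATE TABLE input    (id INTEGER PRIMARY KEY, session CHAR(32) NOT NULL,
                       timestamp DATETIME NOT NULL, realm VARCHAR(50),
                       success TINYINT, input TEXT NOT NULL);
"""

# Constructed sample data: two sessions from one source, one from another.
S1 = "0a1b2c3d4e5f60718293a4b5c6d7e8f9"
S2 = "1b2c3d4e5f60718293a4b5c6d7e8f90a"
S3 = "2c3d4e5f60718293a4b5c6d7e8f90a1b"
SAMPLE_SESSIONS = [  # (id, starttime, endtime, sensor, ip, termsize, client)
    (S1, "2012-07-23 13:33:10", "2012-07-23 13:36:00", 1, "203.0.113.7", "80x24", 1),
    (S2, "2012-07-23 13:50:41", "2012-07-23 13:50:49", 1, "203.0.113.7", None, 1),
    (S3, "2012-07-23 14:01:58", "2012-07-23 14:03:12", 1, "198.51.100.23", "80x24", 2),
]
SAMPLE_AUTH = [  # (session, success, username, password, timestamp)
    (S1, 0, "root", "password", "2012-07-23 13:33:19"),
    (S1, 1, "root", "123456", "2012-07-23 13:33:27"),
    (S2, 0, "root", "admin", "2012-07-23 13:50:43"),
    (S2, 0, "admin", "admin", "2012-07-23 13:50:47"),
    (S3, 0, "root", "toor", "2012-07-23 14:02:03"),
    (S3, 1, "root", "123456", "2012-07-23 14:02:08"),
]
SAMPLE_INPUT = [  # (session, timestamp, realm, success, input)
    (S1, "2012-07-23 13:34:50", None, 1, "uname -a"),
    (S1, "2012-07-23 13:35:07", None, 1, "w"),
    (S3, "2012-07-23 14:02:11", None, 1, "uname -a"),
    (S3, "2012-07-23 14:02:30", None, 1, "cat /proc/cpuinfo"),
]


def open_sample_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(KIPPO_SCHEMA)
    conn.execute("INSERT INTO sensors (id, ip) VALUES (?, ?)", (1, "10.10.0.8"))
    conn.executemany("INSERT INTO clients (id, version) VALUES (?, ?)",
                     [(1, "SSH-2.0-libssh-0.1"), (2, "SSH-2.0-OpenSSH_5.9p1")])
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_SESSIONS)
    conn.executemany("INSERT INTO auth (session, success, username, password, timestamp) "
                     "VALUES (?, ?, ?, ?, ?)", SAMPLE_AUTH)
    conn.executemany("INSERT INTO input (session, timestamp, realm, success, input) "
                     "VALUES (?, ?, ?, ?, ?)", SAMPLE_INPUT)
    conn.commit()
    return conn


def top_credentials(conn, limit=10):
    """Most-tried username/password pairs: (username, password, attempts, successes)."""
    return conn.execute(
        "SELECT username, password, COUNT(*) AS attempts, SUM(success) AS successes "
        "FROM auth GROUP BY username, password "
        "ORDER BY attempts DESC, username, password LIMIT ?", (limit,)).fetchall()


def attacker_summary(conn):
    """Per source IP: (ip, sessions, logins_ok, logins_failed, commands typed)."""
    return conn.execute(
        "SELECT s.ip, COUNT(DISTINCT s.id) AS sessions, "
        "       SUM(CASE WHEN a.success = 1 THEN 1 ELSE 0 END) AS logins_ok, "
        "       SUM(CASE WHEN a.success = 0 THEN 1 ELSE 0 END) AS logins_failed, "
        "       (SELECT COUNT(*) FROM input i JOIN sessions t ON t.id = i.session "
        "        WHERE t.ip = s.ip) AS commands "
        "FROM sessions s LEFT JOIN auth a ON a.session = s.id "
        "GROUP BY s.ip ORDER BY sessions DESC, s.ip").fetchall()


def session_commands(conn):
    """Every command typed in the fake shell: (ip, session, timestamp, input)."""
    return conn.execute(
        "SELECT s.ip, i.session, i.timestamp, i.input "
        "FROM input i JOIN sessions s ON s.id = i.session "
        "ORDER BY s.ip, i.timestamp, i.id").fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    for row in top_credentials(db):
        print("%-8s %-10s tried %d times, %d successful" % row)
    for row in attacker_summary(db):
        print("%s: %d sessions, %d logins ok, %d failed, %d commands" % row)
    for ip, sess, ts, cmd in session_commands(db):
        print("%s %s %s  %s" % (ts, ip, sess[:8], cmd))
```

The per-IP summary is the one to watch: a source with many sessions, a successful login and zero commands is a credential-testing bot that will come back with a real payload later, while a source with commands in the input table is worth replaying in full from ttylog.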

All of this runs Kippo on port 2222. If you want it on port 22, where the bots actually look, do the following. First move your real sshd to another port (the Port directive in /etc/ssh/sshd_config) or the two will fight over port 22; then let the non-root Kippo user bind the privileged port with authbind:

$ sudo apt-get install authbind
$ sudo -i
# touch /etc/authbind/byport/22
# chown user:user /etc/authbind/byport/22
# chmod 500 /etc/authbind/byport/22
# exit

where user is the user you run Kippo as (NOT root). authbind only needs that file to be executable by the Kippo user; the chmod 777 found in many guides works too, but it leaves the file world-writable for no reason.

Now, as the Kippo user, change the twistd line in start.sh from:

twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid

to:

authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid

Also change the value of ssh_port to 22 in kippo.cfg. Now run ./start.sh and check it:

$ sudo netstat -atnp | grep ':22 '
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 22627/python

Your SSH honeypot now runs on port 22, and you can log anyone who tries to hack into your SSH!

*This post is part of the unpublished BlackHack Duology Project.

15 thoughts on “Kippo:an SSH honeypot (Ubuntu)”

  1. corrected:
    GRANT ALL ON kippo. TO 'kippo'@'localhost' IDENTIFIED BY 'somedifficultpassword';

    to:
    GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'somedifficultpassword';

  2. Hey, this is kind of off topic, but I was wondering if blogs use WYSIWYG editors or if you have to
    manually code with HTML. I'm starting a blog soon but have no coding expertise, so I wanted to get advice from someone with experience. Any help would be greatly appreciated!

    1. hello!

      please mail me at koslibpro [at] klivieratos [dot] info for information about your issue, so that we keep this thread's comments on-topic :)

      happy to help in any case:)

    1. Hello! As far as I know, there are no plugins "against hackers" for Kippo, but you can extend its functionality, since it is written in Python, and you can add extra "etc" files and commands :)

  3. I just like the helpful info you supply in your articles.
    I'll bookmark your weblog and check again here
    regularly. I am fairly sure I will learn many new things right here!

    Best of luck for the next!
