SSH Honeypot with Kippo

Kippo on Linux

Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
Kippo is inspired by, but not based on, Kojoney.

I’ve tested Kippo on CentOS 5.6, and the installation is quite easy.

Here is my machine's current release:

#cat /etc/redhat-release
CentOS release 5.6 (Final)

My Python version:

#python -V
Python 2.4.3

NOTE: Kippo only works on a newer Python (Python 2.6); the stock 2.4.3 shown above is too old.

URL to download Python 2.6:

http://www.geekymedia.com/tech-articles/rhel5-centos-5-python-2-62-rpms/

(or wherever you prefer).

What we need is:
Twisted
Zope Interface
Pycrypto
pyasn1

Step-by-Step Solution:

Add the geekymedia repo to install Python 2.6

#cd /etc/yum.repos.d
#wget http://mirrors.geekymedia.com/centos/geekymedia.repo
#yum install python26
#yum install python26-devel

Call your Python 2.6

#python26 -V
Python 2.6

Seems it’s working! Now get ready to compile Kippo’s dependencies ;)

Go to:

#cd /usr/local/src

Install Twisted:

#wget http://pypi.python.org/packages/source/T/Twisted/Twisted-11.0.0.tar.bz2#md5=d7f94a1609a1b8f3b8c8d0146d4cfe54
#tar -xvf Twisted-11.0.0.tar.bz2
#cd Twisted-11.0.0
#python26 setup.py install

Install Zope Interface:

#wget http://www.zope.org/Products/ZopeInterface/3.3.0/zope.interface-3.3.0.tar.gz
#tar -xvf zope.interface-3.3.0.tar.gz
#cd zope.interface-3.3.0
#python26 setup.py install

Install Pycrypto:

#wget http://www.amk.ca/files/python/crypto/pycrypto-2.0.1.tar.gz
#tar -xvf pycrypto-2.0.1.tar.gz
#cd pycrypto-2.0.1
#python26 setup.py install

Install pyasn1:

#wget http://sourceforge.net/projects/pyasn1/files/pyasn1-devel/0.0.13b/pyasn1-0.0.13b.tar.gz
#tar -xvf pyasn1-0.0.13b.tar.gz
#cd pyasn1-0.0.13b
#python26 setup.py install

NOTE: Remember to use python26 as the binary when calling setup.py.

Kippo doesn't run as the root user! So we must create a regular user for it.

useradd kippouser

Download the Kippo Source Package

#su - kippouser
#wget http://kippo.googlecode.com/files/kippo-0.5.tar.gz
#tar -xvf kippo-0.5.tar.gz
#cd kippo-0.5

Configure Kippo

vi kippo.cfg

#
# Kippo configuration file (kippo.cfg)
#
[honeypot]
# IP addresses to listen for incoming SSH connections.
#
# (default: 0.0.0.0) = any address
#ssh_addr = 0.0.0.0
# Port to listen for incoming SSH connections.
#
# (default: 2222)
ssh_port = 2222
# Hostname for the honeypot. Displayed by the shell prompt of the virtual
# environment.
#
# (default: sales)
hostname = sales
# Directory where to save log files in.
#
# (default: log)
log_path = log
# Directory where to save downloaded (malware) files in.
#
# (default: dl)
download_path = dl
# Directory where virtual file contents are kept in.
#
# This is only used by commands like 'cat' to display the contents of files.
# Adding files here is not enough for them to appear in the honeypot - the
# actual virtual filesystem is kept in filesystem_file (see below)
#
# (default: honeyfs)
contents_path = honeyfs
# File in the python pickle format containing the virtual filesystem.
#
# This includes the filenames, paths, permissions for the whole filesystem,
# but not the file contents. This is created by the createfs.py utility from
# a real template linux installation.
#
# (default: fs.pickle)
filesystem_file = fs.pickle
# Directory for miscellaneous data files, such as the password database.
#
# (default: data_path)
data_path = data
# Directory for creating simple commands that only output text.
#
# The command must be placed under this directory with the proper path, such
# as:
#   txtcmds/usr/bin/vi
# The contents of the file will be the output of the command when run inside
# the honeypot.
#
# In addition to this, the file must exist in the virtual
# filesystem {filesystem_file}
#
# (default: txtcmds)
txtcmds_path = txtcmds
# Public and private SSH key files. If these don't exist, they are created
# automatically.
#
# (defaults: public.key and private.key)
public_key = public.key
private_key = private.key
# Initial root password. Future passwords will be stored in
# {data_path}/pass.db
#
# (default: 123456)
password = 123456
# IP address to bind to when opening outgoing connections. Used exclusively by
# the wget command.
#
# (default: not specified)
#out_addr = 0.0.0.0
# Sensor name used to identify this honeypot instance. Used by the database
# logging modules such as mysql.
#
# If not specified, the logging modules will instead use the IP address of the
# connection as the sensor name.
#
# (default: not specified)
#sensor_name=myhostname
# Fake address displayed as the address of the incoming connection.
# This doesn't affect logging, and is only used by honeypot commands such as
# 'w' and 'last'
#
# If not specified, the actual IP address is displayed instead (default
# behaviour).
#
# (default: not specified)
#fake_addr = 192.168.66.254
# MySQL logging module
#
# Database structure for this module is supplied in doc/sql/mysql.sql
#
# To enable this module, remove the comments below, including the
# [database_mysql] line.
#[database_mysql]
#host = localhost
#database = kippo
#username = kippo
#password = secret
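The comments in the file above document every default. As an added example (not part of this post or of the Kippo project), the script below reads the [honeypot] section of a kippo.cfg with Python's standard configparser and reports the settings worth changing before the honeypot is exposed: the hostname left at 'sales' (which the fake shell prompt displays), the initial root password left at the value published in the sample config, a missing sensor_name (so database logging falls back to the connection IP), and an ssh_port that is invalid or privileged. It is written for Python 3, separate from the python26 that runs Kippo, and the trimmed sample config embedded in it is constructed from the file shown above.

```python
import configparser
import sys

# Defaults documented in the kippo.cfg comments reproduced above.
DOCUMENTED_DEFAULTS = {"hostname": "sales", "password": "123456", "ssh_port": "2222"}

# Constructed sample: a trimmed copy of the [honeypot] section shown above,
# with the commented-out settings left commented as they ship.
SAMPLE_CFG = """\
[honeypot]
#ssh_addr = 0.0.0.0
ssh_port = 2222
hostname = sales
log_path = log
download_path = dl
contents_path = honeyfs
filesystem_file = fs.pickle
data_path = data
txtcmds_path = txtcmds
public_key = public.key
private_key = private.key
password = 123456
#out_addr = 0.0.0.0
#sensor_name=myhostname
#fake_addr = 192.168.66.254
"""


def load_honeypot_section(text):
    """Parse kippo.cfg text and return the [honeypot] settings as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("honeypot"):
        raise ValueError("kippo.cfg has no [honeypot] section")
    return dict(cp.items("honeypot"))


def audit_kippo_config(text):
    """Return (setting, finding) tuples for values worth changing; [] if clean."""
    hp = load_honeypot_section(text)
    findings = []
    if hp.get("hostname") == DOCUMENTED_DEFAULTS["hostname"]:
        findings.append(("hostname",
                         "left at the sample default 'sales', which the fake shell prompt displays"))
    if hp.get("password") == DOCUMENTED_DEFAULTS["password"]:
        findings.append(("password",
                         "initial root password is the value published in the sample config"))
    if "sensor_name" not in hp:
        findings.append(("sensor_name",
                         "unset, so database logging identifies this sensor by connection IP"))
    port = hp.get("ssh_port", DOCUMENTED_DEFAULTS["ssh_port"])
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(("ssh_port", "not a valid TCP port: %r" % port))
    elif int(port) < 1024:
        findings.append(("ssh_port",
                         "privileged port; Kippo must not run as root, redirect with iptables instead"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_kippo_cfg.py [path/to/kippo.cfg]; no argument audits the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    for setting, finding in audit_kippo_config(text) or [("-", "nothing flagged")]:
        print("%-12s %s" % (setting, finding))
```

Run it against the real file with `python audit_kippo_cfg.py kippo.cfg` (assumed file name). Settings that are commented out in kippo.cfg, such as sensor_name above, are simply absent from the parsed section, which is why the check tests for the key's presence rather than its value.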

Start Kippo

#./start.sh

Log File

To see the Kippo logging data, use the following command:

#tail -f log/kippo.log
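Tailing the log shows single events; what an operator wants from it is the aggregate. As an added example (not part of this post or of the Kippo project), the script below walks kippo.log and reports which sources are brute-forcing, which passwords they try, and what was typed after a successful login. It is written for Python 3, separate from the python26 that runs Kippo. Its sample lines are constructed to follow the layout Kippo writes (timestamp, bracketed source, message, with the session id and peer address at the end of the source); the `login attempt [user/password] succeeded|failed` and `CMD:` messages are the ones Kippo emits, but check the regexes against your own log before trusting the counts. The addresses are documentation ranges, not real hosts.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines in the shape of Kippo's kippo.log (Twisted log format:
# timestamp, [source], message). Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2011-06-02 13:12:05+0200 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.7:51912 (192.0.2.10:2222) [session: 1]
2011-06-02 13:12:06+0200 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/toor] failed
2011-06-02 13:12:07+0200 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/123456] succeeded
2011-06-02 13:12:09+0200 [HoneyPotProtocol,1,203.0.113.7] CMD: uname -a
2011-06-02 13:12:12+0200 [HoneyPotProtocol,1,203.0.113.7] CMD: cat /proc/cpuinfo
2011-06-02 13:15:40+0200 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.23:40211 (192.0.2.10:2222) [session: 2]
2011-06-02 13:15:41+0200 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.23] login attempt [admin/admin] failed
2011-06-02 13:15:42+0200 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.23] login attempt [root/toor] failed
2011-06-02 13:15:43+0200 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.23] login attempt [root/root] failed
this line is not a kippo log record
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<src>[^\]]+)\] (?P<msg>.*)$")
# Session-bound sources end in ",<session id>,<peer ip>".
SRC_RE = re.compile(r",(?P<sid>\d+),(?P<ip>[0-9a-fA-F.:]+)$")
NEWCONN_RE = re.compile(r"^New connection: (?P<ip>[0-9a-fA-F.:]+):\d+ \(.*\) \[session: (?P<sid>\d+)\]$")
LOGIN_RE = re.compile(r"^login attempt \[(?P<user>[^/]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)$")
CMD_RE = re.compile(r"^CMD: (?P<cmd>.*)$")


def summarize(lines):
    """Walk kippo.log lines and return per-source attempt counts, password
    frequencies, successful logins, and the commands typed in each session."""
    out = {
        "sessions": {},                 # session id -> peer ip
        "attempts_per_ip": Counter(),   # ip -> number of login attempts
        "passwords": Counter(),         # password -> times tried
        "successes": [],                # (sid, ip, user, password)
        "commands": defaultdict(list),  # sid -> commands in order
        "unparsed": 0,                  # lines that do not look like Kippo records
    }
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            out["unparsed"] += 1
            continue
        src, msg = m.group("src"), m.group("msg")
        nc = NEWCONN_RE.match(msg)
        if nc:
            out["sessions"][nc.group("sid")] = nc.group("ip")
            continue
        s = SRC_RE.search(src)
        if not s:
            continue  # factory-level or other message not tied to a session
        sid, ip = s.group("sid"), s.group("ip")
        lg = LOGIN_RE.match(msg)
        if lg:
            out["attempts_per_ip"][ip] += 1
            out["passwords"][lg.group("pw")] += 1
            if lg.group("result") == "succeeded":
                out["successes"].append((sid, ip, lg.group("user"), lg.group("pw")))
            continue
        c = CMD_RE.match(msg)
        if c:
            out["commands"][sid].append(c.group("cmd"))
    return out


def report(summary):
    """Render the summary as text; returned rather than printed so it is testable."""
    lines = ["Login attempts per source:"]
    for ip, n in summary["attempts_per_ip"].most_common():
        lines.append("  %-16s %d" % (ip, n))
    lines.append("Most tried passwords:")
    for pw, n in summary["passwords"].most_common(5):
        lines.append("  %-16s %d" % (pw, n))
    lines.append("Successful logins and what followed:")
    for sid, ip, user, pw in summary["successes"]:
        lines.append("  session %s from %s as %s/%s" % (sid, ip, user, pw))
        for cmd in summary["commands"].get(sid, []):
            lines.append("    $ " + cmd)
    if summary["unparsed"]:
        lines.append("Unparsed lines: %d" % summary["unparsed"])
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python kippo_log_summary.py log/kippo.log; no argument uses the sample.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(report(summarize(source)))
```

The parser keys everything on the session id rather than the source address, so the commands of a successful login stay attached to that session even when the same address opens several connections. Lines it cannot parse are counted instead of silently dropped, which is the quickest way to notice that a Kippo version writes a message format the regexes do not know.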

Make Kippo Accessible To The World
By default, Kippo runs on port 2222. If it is running on Windows, port 22 is usually free and it’s OK to run Kippo on that port. On Linux, port 22 is restricted to root only, unless you do this (quote from #twisted):

iptables -t nat -A PREROUTING -i IN_IFACE -p tcp --dport 22 -j REDIRECT --to-port 2222

Replace IN_IFACE with the name of the interface that receives the incoming connections, e.g. eth0. The rule rewrites traffic arriving on port 22 to port 2222 before it reaches a socket, so Kippo keeps running unprivileged as kippouser.

Testing
Connect to the Kippo server on port 2222 using root as the username and 123456 as the password.

ssh 127.0.0.1 -p 2222 -l root

You should see the following prompt after a successful login:

sales:~#

Links
The Honeynet Project: http://www.honeynet.org/
Honeypot: http://en.wikipedia.org/wiki/Honeypot_(computing)
Kippo Project: http://kippo.googlecode.com/
Iran Honeynet Project: http://www.honeynet.ir/
CentOS: http://www.centos.org/
