In this tutorial series, I will be demonstrating how to install Kippo and what it is capable of.
Kippo is a medium interaction SSH honeypot designed to log brute force attacks and the entire shell interaction performed by the attacker.
Kippo is very similar to Kojoney; they serve the same purpose. In my personal opinion, Kippo is a better SSH honeypot than Kojoney: Kippo has a higher sticky factor and a better logging system, and Kojoney is no longer being maintained.
In this episode, I will be demonstrating how to get Kippo up and running.
My Setup
I’m using a fresh installation of a Kubuntu 12.10 machine. It’s a machine that I use for the Computing Society at Royal Holloway, University of London, thus the username – “compsoc”.
Resolving Dependencies
Apache is needed for Kippo-Graph (which we will be covering in later episodes).
Now, grab the Kippo source code using Subversion. I’m at revision 246 in my setup.
Database Configuration
To utilise the database logging feature of Kippo, we need to configure the MySQL database we just installed.
Use the SQL script to create the tables used for logging.
If you already have MySQL database installed and could not remember your password, check out StackOverflow: MySQL – Error 1045 – Access denied.
Basic Configuration
Before we run Kippo, we need to do some basic configuration.
Take note of the port number Kippo will be listening on. By default Kippo listens for SSH connections on port 2222. Changing it to 22 requires root privileges, so use port forwarding instead.
Configure the database settings for your environment.
In the configuration file, you will also find where the essential logs and files are located:
- Directory where log files are saved: log
- Directory where downloaded (malware) files are saved: dl
- Directory where virtual file contents are kept: honeyfs
- File in the Python pickle format containing the virtual file system (this is created by the createfs.py utility): fs.pickle
- Directory for miscellaneous data files, such as the password database: data
- Directory for creating simple commands that only output text: txtcmds
Running Kippo
With everything set, let’s start running Kippo!
Now let’s look at how Kippo logs some of my unsuccessful brute force attempts made from my Microsoft Windows 7 machine (192.168.161.1).
The two SSH sessions:
And the list of passwords I tried:
By default, the only root password is “123456”. Additional root passwords can be added to data/userdb.txt by using the passwd command within the honeypot. It’s a good idea to only have one easy password set, as multiple successful logins by the same scanner might look suspicious.
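As an added example (not part of the original post or of Kippo itself), here is a small Python script that reads login-attempt lines in the style of Kippo's log/kippo.log and summarises them per source IP, which is the same view the screenshots above give of the brute force attempts. The log layout is reconstructed from memory of Kippo's Twisted-based logging, and the sample lines are constructed, not copied from the post.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Kippo's log/kippo.log
# (assumption: layout reconstructed from memory, not taken from the post).
SAMPLE_LOG = """\
2013-01-20 15:12:01+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.168.161.1:51234 (192.168.161.130:2222) [session: 1]
2013-01-20 15:12:03+0000 [SSHService ssh-userauth on HoneyPotTransport,1,192.168.161.1] login attempt [root/password] failed
2013-01-20 15:12:05+0000 [SSHService ssh-userauth on HoneyPotTransport,1,192.168.161.1] login attempt [root/toor] failed
2013-01-20 15:12:07+0000 [SSHService ssh-userauth on HoneyPotTransport,1,192.168.161.1] login attempt [root/admin] failed
2013-01-20 15:12:20+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.168.161.1:51240 (192.168.161.130:2222) [session: 2]
2013-01-20 15:12:22+0000 [SSHService ssh-userauth on HoneyPotTransport,2,192.168.161.1] login attempt [root/123456] succeeded
"""

# Matches only the "login attempt [user/password] succeeded|failed" lines.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,"
    r"(?P<session>\d+),(?P<ip>[\d.]+)\] login attempt "
    r"\[(?P<user>[^/\]]+)/(?P<password>[^\]]*)\] (?P<result>succeeded|failed)$"
)

def parse_auth_attempts(text):
    """Yield one dict per login-attempt line; connection and other lines are skipped."""
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            yield m.groupdict()

def summarise_by_source(text):
    """Per source IP: number of attempts, sessions used, passwords tried in order,
    and whether any attempt succeeded. One source cycling passwords across
    sessions and then getting in is the brute-force pattern the post shows."""
    summary = defaultdict(
        lambda: {"attempts": 0, "sessions": set(), "passwords": [], "succeeded": False}
    )
    for a in parse_auth_attempts(text):
        s = summary[a["ip"]]
        s["attempts"] += 1
        s["sessions"].add(int(a["session"]))
        s["passwords"].append(a["password"])
        if a["result"] == "succeeded":
            s["succeeded"] = True
    return dict(summary)

if __name__ == "__main__":
    for ip, s in summarise_by_source(SAMPLE_LOG).items():
        print(ip, s["attempts"], sorted(s["sessions"]), s["passwords"], s["succeeded"])
```

Point the script at a real log/kippo.log (read the file into `text`) to get the same per-source summary for your own honeypot.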
–
That’s it for now; I will be demonstrating more capabilities of Kippo in the next episode.
- Part 01: Getting Started
- Part 02: User & Password Management
- Part 03: A Sticky Honeypot
- Part 04: Kippo-Graph