Making a good first impression.

During the last few months I have been playing around with a medium-interaction SSH honeypot called Kippo. “Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.”

Kippo can easily be installed on a wide range of operating systems (Debian, CentOS, FreeBSD and Windows 7). Kippo can be downloaded here and it’s a no-fuss procedure to get it up and running. It’s Python based, so there are a few dependencies you most probably have to install as well. Once it is installed and your gateway has been configured to forward incoming connections on TCP port 22 to it, you will soon see some activity and even a full compromise.

Kippo comes with a pseudo file system: there are a few real files, but the rest of the system only exists virtually. What I have noticed is that when first deployed, the honeypot receives something in the range of 100 to 35000 probes a day. After a while, when the honeypot has been compromised a couple of times and the attacker(s) have been poking around a bit, the number of probes drops to 0 – 50 a day.

This honeypot comes with a pretty nice set of Python tools. One of these tools, playlog.py, lets you replay the interaction between the attacker and the honeypot. The attacker usually starts off by running ‘who’, ‘w’ or ‘cat /proc/cpu’, usually followed by adding a new user account and/or downloading some type of rootkit or network scanning tool. Some of them leave straight away after doing this, but some stay to poke around some more.

The pseudo file system will look real if they run ‘ls’, but if they attempt to read a file that only exists in the pseudo file system (one with no real copy behind it), the answer they get is:

cat: /etc/passwd: No such file or directory

Brute force attacks are low-hanging fruit, but that does not mean that the attackers are idiots. Once they see this type of response for a file that should exist on any system, they bail out, and the attacks against the honeypot decrease rapidly.

Kippo’s tool box comes to the rescue with createfs.py.
This tool allows you to make a pseudo file system of any host you have root access to. Log in as root on the host, make sure you have Python installed and run this simple command:

# python createfs.py > fs.pickle

It takes a minute or two before it’s done generating the fs.pickle file. Once that’s generated, simply move it to the Kippo directory on your honeypot – voila! You have yourself a new pseudo file system… but this will not fool the attackers any better than the old pseudo file system did, and there is another issue with it as well.

When you run createfs.py it makes a note of every file that exists on the system – every file – including createfs.py and fs.pickle themselves. These two files will show up when the attacker lists the files. I’ll say it again: the attackers are not stupid (…okay, some of them are pretty darn stupid, but you know what I’m saying…). It’s pretty easy to get around this, though: simply rename createfs.py to something less suspicious and put it in a directory where it would look “normal”, and do the same with the name of the output file.

Example:
Rename createfs.py to ‘/usr/bin/rlogin’ (you don’t really want that binary on your system at all, now do you?), redirect the output to ‘/home/bob/Desktop/Funny_Links.txt’ and execute the command as root:

# python /usr/bin/rlogin > /home/bob/Desktop/Funny_Links.txt

After you have moved Funny_Links.txt to the Kippo directory on the honeypot, simply rename it to fs.pickle.

Now, to remedy the “small” issue with the non-existent files of the pseudo file system. It’s entirely up to you how far you want to take this suggestion, but real files make a pretty damn good substitute for the ‘No such file or directory’ message.

From the honeypot system, use ‘scp’ to copy the entire file system of the host you just cloned into fs.pickle into Kippo’s honeyfs directory:

$ scp -r root@ip.of.cloned.system:/ /path/to/kippo/honeyfs
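Before moving a freshly cloned pseudo file system into place, it is worth checking it for both problems described above: tool artefacts such as createfs.py that leaked into the pickle, and files that will answer ‘No such file or directory’ because honeyfs has no copy of them. The script below is an added example, not part of Kippo’s tool box; it assumes Kippo’s fs.pickle layout (ten-element lists per node, type 1 for a directory and 2 for a regular file) and builds a small constructed tree and a temporary honeyfs directory inline.

```python
import os
import pickle
import tempfile

# Assumed fs.pickle layout: each node is a list [name, type, uid, gid, size, mode,
# ctime, contents, target, realfile]; type 1 = directory, 2 = regular file.
A_NAME, A_TYPE, A_CONTENTS = 0, 1, 7
T_DIR, T_FILE = 1, 2
TOOL_ARTEFACTS = {"createfs.py", "fs.pickle", "Funny_Links.txt"}  # names the post warns about

def walk(node, parent=""):
    """Yield (absolute path, node type) for every entry in the pickled tree."""
    path = os.path.join(parent, node[A_NAME]) if parent else node[A_NAME]
    yield path, node[A_TYPE]
    if node[A_TYPE] == T_DIR:
        for child in node[A_CONTENTS]:
            yield from walk(child, path)

def audit(fs_pickle_bytes, honeyfs_dir):
    """Return (leaked tool artefacts, regular files honeyfs cannot serve, i.e. the
    ones that would answer 'No such file or directory' when the attacker cats them)."""
    root = pickle.loads(fs_pickle_bytes)
    leaks, unbacked = [], []
    for path, ntype in walk(root):
        if os.path.basename(path) in TOOL_ARTEFACTS:
            leaks.append(path)
        if ntype == T_FILE and not os.path.isfile(os.path.join(honeyfs_dir, path.lstrip("/"))):
            unbacked.append(path)
    return leaks, unbacked

def node(name, ntype, children=None):
    """Build one constructed fs.pickle node with dummy ownership, mode and timestamp."""
    return [name, ntype, 0, 0, 0, 0o644, 0, children or [], None, None]
# Constructed sample: createfs.py was run from /root without renaming anything.
SAMPLE_FS = node("/", T_DIR, [
    node("etc", T_DIR, [node("passwd", T_FILE), node("hostname", T_FILE)]),
    node("root", T_DIR, [node("createfs.py", T_FILE), node("fs.pickle", T_FILE)]),
])

def demo():
    """Back only /etc/passwd with a real file in a temporary honeyfs, then audit the sample."""
    honeyfs = tempfile.mkdtemp()
    os.makedirs(os.path.join(honeyfs, "etc"))
    with open(os.path.join(honeyfs, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed content
    return audit(pickle.dumps(SAMPLE_FS), honeyfs)

if __name__ == "__main__":
    leaks, unbacked = demo()
    print("leaked artefacts:", leaks, "\nunbacked files:", unbacked)
```

Run it against your real fs.pickle and honeyfs path instead of the sample; an empty first list and a short second list means the attacker will see neither your tooling nor a suspicious number of missing files.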

We want the honeypot to look as real and attractive to the attacker as possible. If attackers gain access to a system that doesn’t appear to be in use they lose interest pretty quickly and leave, but if they find a virtual “pot of gold” we might be able to keep them hanging around a bit longer. Before you use createfs.py and copy the file system into the honeyfs directory, I would suggest you pause and ask yourself a couple of questions.

What kind of system do I want to mimic?

Could the administrator of this system be the careless type? Maybe he left notes, plain-text passwords or other artefacts the attacker would be interested in.

Have the users left personal information behind, like the login credentials to another system? (Which is also a honeypot, of course ;))

Simply try to imagine the kind of careless mistakes we humans make that can potentially lead to further compromise or disclosure of sensitive information. What I’m speaking about here is called honeytokens. I recommend Symantec’s article “Honeytokens: The Other Honeypot” if the concept of honeytokens is new to you.

The Kippo honeypot can, as I said, run as a stand-alone honeypot. It’s not very pretty: with the default distribution you are left parsing log files to see the action happening – not very sexy in my opinion.
The team over at BruteForce Labs have made a nice web-based front end that uses PHP and MySQL to generate nice graphs and statistics and even lets you analyse the downloaded malware through the browser. This entire setup for Kippo comes pre-installed on BruteForce Labs’ honeypot distro, called HoneyDrive.

“HoneyDrive is a virtual appliance (OVA) with Xubuntu Desktop 12.04 32-bit edition installed. It contains various honeypot software packages such as Kippo SSH honeypot, Dionaea malware honeypot, Honeyd low-interaction honeypot, Glastopf web honeypot along with Wordpot, Thug honeyclient and more. Additionally it includes useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, and much more. Lastly, many other helpful security, forensics and malware related tools are also present in the distribution.”

Happy hunting! 🙂
