Kippo installing
Create a honeypot trap for SSH

Well, I had a post on my own blog describing how to install Kippo as your own honeypot. Due to the data loss that post disappeared as well, so I am writing it again now. It can still be used as a rough guide to creating your own SSH honeypot.

Wait, what? Kippo? Yes, Kippo is a Python-driven honeypot that mimics SSH behavior. An attacker might think he is on the “real” system and tries to “hack” it. It is nice to capture logs of the session and every file that is downloaded.

I will use Debian Wheezy as the OS, so please be aware that packages and commands may vary if you are using a different OS. Just search for the correct packages for your OS.

First of all, we will need Python and some Python extensions. To install these on your Debian-based machine, do this:

    sudo apt-get install build-essential python-dev libmysqlclient-dev python-pip git python-twisted

The Kippo wiki says that you might use virtualenv; that is your decision. I am running Kippo on cheap low-budget VPSes, so if anything goes wrong I just wipe them and install fresh. You will have to install the extensions for Python:

    sudo pip install twisted pyasn1 pycrypto MySQL-python

I am running Kippo as its own user, so add the user:

    sudo adduser --disabled-login kippo

This will create a user called ‘kippo’ with no login rights (e.g. via SSH). A home directory will be created for it: /home/kippo/. Now run:

    sudo su kippo
    cd ~
    git clone https://github.com/desaster/kippo.git
    cd kippo

Inside this folder are some interesting other folders:

As I said previously, Kippo mimics an SSH session together with its environment, so the file system itself is also simulated. To do this Kippo uses a file that is just a list of folders and files. The default file for that is fs.pickle in the Kippo root directory. You should create your own for a proper-looking environment; it will “reflect” the machine the script is run on. Files in fs.pickle are not stored there, they are only listed, so an attacker cannot view their contents. For a file’s contents to be viewable it has to be stored at the same path under the directory honeyfs/. When you want an attacker to be able to view /home/user/coolscript.sh, you have to store coolscript.sh in honeyfs/home/user/. As you see, you can create a really fancy-looking file-system environment.

You get the best results by creating a Debian instance (if you want to mimic Debian) and installing some services on it, for a kiddo-style server for example game servers, Teamspeak and user accounts, so they will be included when running createfs.py. For this walkthrough we will just run createfs.py as root:

    cd utils
    sudo ./createfs.py > fs.pickle

This will take a while, and after that you have a new fs.pickle file. We have to edit it and delete the home folder of the kippo user:

    [05:10] [email protected]:$ ./fsctl.py fs.pickle
    fs.pickle

    Kippo file system interactive editor
    Donovan Hubbard, Douglas Hubbard, March 2013
    Type 'help' for help

    fs.pickle:/$ cd /home
    fs.pickle:/home$ ls
    user/
    kippo/
    fs.pickle:/home$ rm -r kippo
    Deleted /home/kippo
    fs.pickle:/home$ ls
    user/
    fs.pickle:/home$ exit
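fs.pickle is a plain Python pickle of a nested list tree, so you can inspect and edit it with a few lines of Python instead of (or in addition to) fsctl.py. The following is an added example and is not part of the original post or of Kippo itself; the field layout (name, type, uid, gid, size, mode, ctime, contents, target, realfile) and the type constants are taken from Kippo's utils/createfs.py as I recall them, so treat them as an assumption and check them against your checkout. It builds a small constructed tree, removes /home/kippo the way the fsctl.py session above does, round-trips the tree through pickle, and then lists the entries that are regular files in the tree but have no backing copy under honeyfs/, which is exactly the check you want before exposing the honeypot.

```python
import os
import pickle
import tempfile

# Field indices of one fs.pickle node, as in Kippo's utils/createfs.py (assumed)
A_NAME, A_TYPE, A_UID, A_GID, A_SIZE, A_MODE, A_CTIME, A_CONTENTS, A_TARGET, A_REALFILE = range(10)
# Node types we care about here (assumed from the same file)
T_LINK, T_DIR, T_FILE = 0, 1, 2


def make_dir(name, children):
    """Build a directory node; children is a list of nodes."""
    return [name, T_DIR, 0, 0, 4096, 0o40755, 0, children, None, None]


def make_file(name, size=0, uid=0, gid=0):
    """Build a regular-file node; no content is stored, only metadata."""
    return [name, T_FILE, uid, gid, size, 0o100644, 0, [], None, None]


def walk(tree, prefix=''):
    """Yield (absolute path, node) for every node below the given directory."""
    for node in tree[A_CONTENTS]:
        path = prefix + '/' + node[A_NAME]
        yield path, node
        if node[A_TYPE] == T_DIR:
            yield from walk(node, path)


def remove_path(tree, path):
    """Remove the entry at an absolute path (e.g. '/home/kippo'); return True if removed."""
    parts = [p for p in path.split('/') if p]
    node = tree
    for part in parts[:-1]:
        node = next((c for c in node[A_CONTENTS]
                     if c[A_NAME] == part and c[A_TYPE] == T_DIR), None)
        if node is None:
            return False
    before = len(node[A_CONTENTS])
    node[A_CONTENTS] = [c for c in node[A_CONTENTS] if c[A_NAME] != parts[-1]]
    return len(node[A_CONTENTS]) != before


def unbacked_files(tree, honeyfs_root):
    """Paths listed as regular files in the tree with no copy under honeyfs/.

    An attacker can 'ls' these but 'cat' will show nothing, which gives the
    honeypot away; either back them with a file or drop them from the tree.
    """
    return sorted(p for p, n in walk(tree)
                  if n[A_TYPE] == T_FILE
                  and not os.path.isfile(os.path.join(honeyfs_root, p.lstrip('/'))))


def demo():
    """Constructed tree: build, prune /home/kippo, pickle round-trip, audit."""
    tree = make_dir('/', [
        make_dir('etc', [make_file('passwd', 1200), make_file('hostname', 7)]),
        make_dir('home', [make_dir('user', []),
                          make_dir('kippo', [make_file('.bash_history')])]),
    ])
    removed = remove_path(tree, '/home/kippo')
    with tempfile.TemporaryDirectory() as honeyfs:  # stands in for kippo/honeyfs
        os.makedirs(os.path.join(honeyfs, 'etc'))
        with open(os.path.join(honeyfs, 'etc', 'hostname'), 'w') as fh:
            fh.write('debian\n')
        missing = unbacked_files(tree, honeyfs)
    # Kippo reads the tree back with pickle.load(); make sure ours survives that
    reloaded = pickle.loads(pickle.dumps(tree))
    return removed, missing, [p for p, _ in walk(reloaded)]


if __name__ == '__main__':
    removed, missing, paths = demo()
    print('removed /home/kippo:', removed)
    print('listed but unbacked:', missing)
    print('remaining entries:', paths)
```

To run the audit against a real checkout, replace the constructed tree with `pickle.load(open('fs.pickle', 'rb'))` and point `unbacked_files` at the honeyfs/ directory; under Python 3 a pickle written by Kippo's Python 2 tools may need `encoding='latin1'` on the load.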

As described earlier, files will only be readable when they are present in honeyfs/ and listed in your fs.pickle. So let’s create some interesting files:

    cd ../honeyfs
    sudo cat /etc/passwd > etc/passwd
    sudo cat /etc/hostname > etc/hostname
    sudo cat /etc/hosts > etc/hosts
    sudo cat /proc/cpuinfo > proc/cpuinfo
    sudo cat /proc/meminfo > proc/meminfo
    sudo cat /proc/version > proc/version
    sudo cat /etc/shadow > etc/shadow

After that, make sure to delete the entries for user kippo from passwd and shadow. Many attackers will cat cpuinfo to find out whether the standard Kippo one is present. Now let’s go to txtcmds and edit a few files:
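Copying the real /etc/shadow into honeyfs/ hands every visitor your real password hashes, so the copies deserve more than deleting the kippo lines by hand. The following added example is mine, not the post's or Kippo's: it drops the kippo user from both files as the post instructs, additionally replaces every real hash field in the shadow copy with a constructed placeholder of the same $6$ shape (locked accounts marked * or ! are left alone), and checks that the two scrubbed files still list the same users so the fake system stays consistent. The sample passwd and shadow contents are constructed.

```python
import base64
import hashlib

# Constructed sample inputs standing in for the real /etc/passwd and /etc/shadow
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
user:x:1000:1000:user,,,:/home/user:/bin/bash
kippo:x:1001:1001:,,,:/home/kippo:/bin/bash
"""
SAMPLE_SHADOW = """root:$6$realsalt$REALHASHREALHASH:16400:0:99999:7:::
daemon:*:16400:0:99999:7:::
user:$6$othersalt$ANOTHERREALHASH:16400:0:99999:7:::
kippo:!:16400:0:99999:7:::
"""

# A decoy that looks like a sha512-crypt hash but was never derived from a
# password (constructed: 86 characters from the crypt alphabet after a fixed salt).
_DECOY_BODY = (base64.b64encode(hashlib.sha512(b'constructed decoy').digest())
               .decode().replace('+', '.').replace('=', '')[:86])
PLACEHOLDER_HASH = '$6$Kh7pQ2mz$' + _DECOY_BODY


def scrub_passwd(text, drop_users=('kippo',)):
    """Return passwd text without the given users (and without blank/comment lines)."""
    keep = []
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        if line.split(':', 1)[0] in drop_users:
            continue
        keep.append(line)
    return '\n'.join(keep) + '\n'


def scrub_shadow(text, drop_users=('kippo',), placeholder=PLACEHOLDER_HASH):
    """Return shadow text without the given users and with all real hashes replaced."""
    keep = []
    for line in text.splitlines():
        if not line:
            continue
        fields = line.split(':')
        if len(fields) != 9:
            raise ValueError('not a shadow(5) line: %r' % line)
        if fields[0] in drop_users:
            continue
        # Empty, '*' and '!'-prefixed fields are 'no password' / locked; keep those
        if fields[1] and fields[1] != '*' and not fields[1].startswith('!'):
            fields[1] = placeholder
        keep.append(':'.join(fields))
    return '\n'.join(keep) + '\n'


def user_mismatch(passwd_text, shadow_text):
    """Users present in exactly one of the two files (empty set means consistent)."""
    p = {l.split(':', 1)[0] for l in passwd_text.splitlines() if l}
    s = {l.split(':', 1)[0] for l in shadow_text.splitlines() if l}
    return p ^ s


if __name__ == '__main__':
    # On a real box: read /etc/passwd and /etc/shadow, write to honeyfs/etc/
    passwd = scrub_passwd(SAMPLE_PASSWD)
    shadow = scrub_shadow(SAMPLE_SHADOW)
    print(passwd)
    print(shadow)
    print('mismatched users:', user_mismatch(passwd, shadow))
```

Write the two results to honeyfs/etc/passwd and honeyfs/etc/shadow instead of the raw copies from the `sudo cat` lines above; `user_mismatch` should print an empty set, otherwise a visitor comparing the two files will notice the seam.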

    cd ../txtcmds
    df > bin/df
    dmesg > bin/dmesg
    mount > bin/mount
    ulimit > bin/ulimit
    perl -v > bin/perl
    sudo ifconfig > sbin/ifconfig

You can create even more files. You might have to, in order to mimic a system well, so be creative.

It’s time to create Kippo’s own configuration file. In the directory kippo there is a file named kippo.cfg.dist. Do this in the folder kippo/:

    cp kippo.cfg.dist kippo.cfg

Now open your kippo.cfg in your favorite text editor.

Edit the variable hostname to match the contents of the files hostname and hosts. Uncomment download_limit_size and set it to a value that suits your system; otherwise your whole machine can be filled up by downloads of terabytes of files into your Kippo instance (as noted before, all downloaded files are stored in dl/). There are more settings, like the SSH version string; just read the file, most of it is self-explanatory.

As described before, the login data is stored in userdb.txt in the data folder. You can edit it to add passwords. Here you have to decide what you want to attract. If you want to attract real humans, don’t pick a password like 123456; that would be too obvious. If you want to attract just brute-forcing bots, 123456 might fit. If an attacker runs passwd, the new password will also be stored here.

To make it reachable on port :22 there are different ways, like port forwarding, using iptables, etc. I will explain how to use setcap to make it reachable on :22. Please note: I am strongly assuming you are not running your real SSH instance on :22!

Install the Debian package for setcap:

    sudo apt-get install libcap2-bin

Kippo runs in the Python interpreter, so you will have to allow Python to use :22. To do that, find out where your Python binary is:

    [05:45] [email protected] > ~/kippo :$ whereis python
    python: /usr/bin/python /usr/bin/python2.7 /usr/bin/python2.7-config /usr/bin/python2.6 /etc/python /etc/python2.7 /etc/python2.6 /usr/lib/python2.7 /usr/lib/python2.6 /usr/bin/X11/python /usr/bin/X11/python2.7 /usr/bin/X11/python2.7-config /usr/bin/X11/python2.6 /usr/local/lib/python2.7 /usr/local/lib/python2.6 /usr/include/python2.7 /usr/include/python2.6 /usr/share/python /usr/share/man/man1/python.1.gz

/usr/bin/python is just a symlink; Python will run python2.7 by default, so we do:

    sudo setcap 'cap_net_bind_service=+ep' /usr/bin/python2.7

Now we are able to start Kippo on :22!

Run Kippo:

    [06:02] [email protected] > ~/kippo :$ ./start.sh
    twistd (the Twisted daemon) 12.0.0
    Copyright (c) 2001-2012 Twisted Matrix Laboratories.
    See LICENSE for details.
    Starting kippo in the background...
    Generating new RSA keypair...
    Done.
    Generating new DSA keypair...
    Done.

Yay, Kippo is running. Now let’s test it by opening a connection to :22:

    [06:05] [email protected] > ~/kippo :$ ssh root@localhost -p 22
    The authenticity of host 'localhost (127.0.0.1)' can't be established.
    RSA key fingerprint is 9d:2a:99:ec:02:ef:20:eb:14:d4:ba:96:4c:9e:6e:3b.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
    Password:
    root@debian:~# ls
    root@debian:~# cat /etc/hostname
    debian
    root@debian:~# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:4c:a8:ab:32:f4
              inet addr:10.98.55.4  Bcast:10.98.55.255  Mask:255.255.255.0
              inet6 addr: fe80::21f:c6ac:fd44:24d7/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:84045991 errors:0 dropped:0 overruns:0 frame:0
              TX packets:103776307 errors:0 dropped:0 overruns:0 carrier:2
              collisions:0 txqueuelen:1000
              RX bytes:50588302699 (47.1 GiB)  TX bytes:97318807157 (90.6 GiB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:308297 errors:0 dropped:0 overruns:0 frame:0
              TX packets:308297 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:355278106 (338.8 MiB)  TX bytes:355278106 (338.8 MiB)
    root@debian:~# passwd
    Enter new UNIX password:
    Retype new UNIX password:
    passwd: password updated successfully
    root@debian:~# exit
    Connection to server closed.

Hooray, we mimic an SSH environment!

Kippo-Graph

There is a really handy tool for Kippo: Kippo-Graph. It is a web interface that gives you nice statistics about your Kippo instances, like used passwords, login combinations and more. It even has a TTY log player! To use it you have to edit your kippo.cfg and add the connection data for your MySQL server. Read the Kippo-Graph instructions on how to do this. I am using it to gather the data from all my honeypots on one system, so I can view all my data with one click.

*****
Written by wirehack7 on 26 November 2014