Entries in Kippo (10)

Monday, Jun 01 2015

BSidesNola 2015 Presentation on Honeypots

Wow, it has been a long time since I have posted. I plan to rectify my posting frequency problems, starting now. Last weekend @p4r4n0y1ng and I (@TekDefense) gave a presentation on Honeypots called "Catch More Honeys when you are fly" at BSidesNola. See the slides below:

I will be publishing a more detailed article on SSHPsychos soon!

Sunday, Jul 20 2014

Over a year with Kippo

UPDATE: After posting, @ikoniaris of HoneyDrive and BruteForce Labs fame recommended running the kippo-stats scripts. Here are the results of kippo-stats.pl, created by Tomasz Miklas and Miguel Jacq.

As many of you know from previous posts, I am a big fan of honeypots, particularly Kippo. My main Kippo instance sitting in AWS has been online for over a year now. Let's take a look at what we have captured and learned over this past year. If you want to validate any of these statistics I have made the raw logs available for download.

General Stats:

Unique values (135,526 connections):

*CSV with geolocation

*Map generated with JCSOCAL's GIPC

Top 11 Countries

China: 699

United States: 654

Brazil: 76

Russian Federation: 69

Germany: 65

Korea, Republic of: 57

Romania: 56

Egypt: 52

Japan: 50

India: 41

Indonesia: 41

Unique Usernames: 8600 (username list)

Unique Passwords: 75780 (wordlist)

Unique Sources: 1985 (list of IPs)

Passwords:

One of my favorite uses of Kippo data is generating wordlists from login attempts. I wrote a quick script that parses the Kippo logs, pulls out every attempted password and de-duplicates them into a wordlist. Feel free to grab it. I have also made the resulting wordlists available for download.

Using Pipal I performed analysis of all the login attempts over this year:

Two items of note: over 60% of the attempted passwords were 1-8 characters long, and 40% consisted of lowercase letters only. The most used password was 123456, which is the default root password in Kippo's userdb.txt.
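As an added example (not the author's script), the following Python reproduces the two steps described above: it parses login attempts out of kippo.log lines, builds a de-duplicated wordlist ordered by how often each password was tried, and computes the unique-username/password/source counts plus the two Pipal-style measures called out in the post (share of attempts with 1-8 characters, share that are lowercase letters only). The log lines are constructed sample data in the `login attempt [user/pass] succeeded|failed` shape Kippo writes; point it at a real kippo.log to get the same numbers for your own instance.

```python
import re
from collections import Counter

# Constructed kippo.log lines for this example (not the author's logs).
# Shape: "<ts> [SSHService ssh-userauth on HoneyPotTransport,<id>,<src>] login attempt [<user>/<pass>] <result>"
SAMPLE_LOG = """\
2014-07-19 23:58:40+0000 [SSHService ssh-userauth on HoneyPotTransport,4520,198.51.100.7] login attempt [root/123456] succeeded
2014-07-19 23:58:41+0000 [SSHService ssh-userauth on HoneyPotTransport,4521,198.51.100.7] login attempt [root/P@ssw0rd!] failed
2014-07-19 23:58:42+0000 [SSHService ssh-userauth on HoneyPotTransport,4522,203.0.113.9] login attempt [admin/admin] failed
2014-07-19 23:58:43+0000 [SSHService ssh-userauth on HoneyPotTransport,4523,203.0.113.9] login attempt [root/123456] succeeded
2014-07-19 23:58:44+0000 [SSHService ssh-userauth on HoneyPotTransport,4524,192.0.2.33] login attempt [oracle/oracle] failed
2014-07-19 23:58:45+0000 [SSHService ssh-userauth on HoneyPotTransport,4525,192.0.2.33] login attempt [root/toor] failed
2014-07-19 23:58:46+0000 [SSHService ssh-userauth on HoneyPotTransport,4526,192.0.2.33] login attempt [root/abcdefghijkl] failed
2014-07-19 23:58:47+0000 [HoneyPotTransport,4527,198.51.100.7] connection lost
"""

# Username cannot contain '/' or ']'; the password is taken greedily so that
# '/' or ']' inside a password does not break the match.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<src>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>.*)\] (?P<result>succeeded|failed)$"
)


def parse_attempts(lines):
    """Yield (timestamp, src_ip, username, password, result) for each login attempt."""
    for line in lines:
        m = LOGIN_RE.match(line.rstrip("\n"))
        if m:
            yield m.group("ts"), m.group("src"), m.group("user"), m.group("pw"), m.group("result")


def build_wordlist(attempts):
    """Unique passwords, most-attempted first (ties broken alphabetically)."""
    counts = Counter(a[3] for a in attempts)
    return [pw for pw, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def summarize(attempts):
    """The headline numbers from the post: unique users, passwords, sources, top password."""
    top = Counter(a[3] for a in attempts).most_common(1)
    return {
        "attempts": len(attempts),
        "unique_usernames": len({a[2] for a in attempts}),
        "unique_passwords": len({a[3] for a in attempts}),
        "unique_sources": len({a[1] for a in attempts}),
        "successful": sum(1 for a in attempts if a[4] == "succeeded"),
        "top_password": top[0][0] if top else None,
    }


def pipal_style_stats(attempts):
    """Per-attempt measures (Pipal counts every attempt, not unique passwords):
    share with 1-8 characters, and share made of lowercase ASCII letters only."""
    pws = [a[3] for a in attempts]
    n = len(pws)
    short = sum(1 for p in pws if 1 <= len(p) <= 8)
    lower = sum(1 for p in pws if re.fullmatch(r"[a-z]+", p))
    return {
        "attempts": n,
        "pct_len_1_to_8": round(100.0 * short / n, 1) if n else 0.0,
        "pct_lower_alpha": round(100.0 * lower / n, 1) if n else 0.0,
    }


def write_wordlist(path, attempts):
    """Write the de-duplicated wordlist one password per line."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(build_wordlist(attempts)) + "\n")


if __name__ == "__main__":
    import sys
    # Usage: python kippo_wordlist.py /opt/kippo/log/kippo.log [wordlist.txt]
    lines = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    attempts = list(parse_attempts(lines))
    print(summarize(attempts))
    print(pipal_style_stats(attempts))
    if len(sys.argv) > 2:
        write_wordlist(sys.argv[2], attempts)
    else:
        print("\n".join(build_wordlist(attempts)))
```

Two practical notes: the percentages are computed per attempt rather than per unique password, which is what you get when you feed Pipal the raw attempt list, so the two views can differ a lot when one password (123456 here) is hammered repeatedly; and the regex anchors on the exact `ssh-userauth` prefix, so lines from other Kippo services (commands, connection events) are ignored rather than mis-parsed.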

If an attacker creates an account or changes the root password inside a Kippo session, the password they choose is captured and appended to the allowed-credentials list (userdb.txt), so the same attacker can log back in with it later. The following credentials were created this way:

root:0:albertinoalbert123
root:0:fgashyeq77dhshfa
root:0:florian12eu
root:0:hgd177q891999wwwwwe1.dON
root:0:iphone5
root:0:kokot
root:0:nope
root:0:picvina
root:0:scorpi123
root:0:test
root:0:xiaozhe
root:0:12345
root:0:bnn318da9031kdamfaihheq1fa
root:0:ls
root:0:neonhostt1
root:0:wget123

Downloads:

When an attacker downloads a tool with wget inside Kippo, the emulated shell really fetches the file and stores a copy on the honeypot, although the attacker cannot execute or otherwise interact with it. This gives us a sample of whatever is being dropped. In most cases these are IRC bots, but not all. I have made them all available for download.
Here is a listing of all the files:
*Duplicates and obviously legitimate files have been removed from the list.
20131030113401_http___198_2_192_204_22_disknyp
20131103183232_http___61_132_227_111_8080_meimei
20131104045744_http___198_2_192_204_22_disknyp
20131114214017_http___www_unrealircd_com_downloads_Unreal3_2_8_1_tar_gz
20131116130541_http___198_2_192_204_22_disknyp
20131129165151_http___dl_dropboxusercontent_com_s_1bxj9ak8m1octmk_ktx_c
20131129165438_http___dl_dropboxusercontent_com_s_66gpt66lvut4gdu_ktx
20131202040921_http___198_2_192_204_22_disknyp
20131207123419_http___packetstorm_wowhacker_com_DoS_juno_c
20131216143108_http___www_psybnc_at_download_beta_psyBNC_2_3_2_7_tar_gz
20131216143208_http___X_hackersoft_org_scanner_gosh_jpg
20131216143226_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
20131217163423_http___ha_ckers_org_slowloris_slowloris_pl
20131217163456_http___www_lemarinel_net_perl
20131222084315_http___maxhub_com_auto_bill_pipe_bot
20140103142644_http___ftp_gnu_org_gnu_autoconf_autoconf_2_69_tar_gz
20140109170001_http___sourceforge_net_projects_cpuminer_files_pooler_cpuminer_2_3_2_linux_x86_tar_gz
20140120152204_http___111_39_43_54_5555_dos32
20140122202342_http___layer1_cpanel_net_latest
20140122202549_http___linux_duke_edu_projects_yum_download_2_0_yum_2_0_7_tar_gz
20140122202751_http___www_ehcp_net_ehcp_latest_tgz
20140201131804_http___www_suplementar_com_br_images_stories_goon_pooler_cpuminer_2_3_2_tar_gz
20140201152307_http___nemo_rdsor_ro_darwin_jpg
20140208081358_http___www_youtube_com_watch_v_6hVQs5ll064
20140208184835_http___sharplase_ru_x_txt
20140215141909_http___tenet_dl_sourceforge_net_project_cpuminer_pooler_cpuminer_2_3_2_tar_gz
20140215142830_http___sourceforge_net_projects_cpuminer_files_pooler_cpuminer_2_3_2_tar_gz
20140219072721_http___www_psybnc_at_download_beta_psyBNC_2_3_2_7_tar_gz
20140328031725_http___dl_dropboxusercontent_com_u_133538399_multi_py
20140409053322_http___www_c99php_com_shell_c99_rar
20140409053728_http___github_com_downloads_orbweb_PHP_SHELL_WSO_wso2_5_1_php
20140413130110_http___www_iphobos_com_hb_unixcod_rar
20140416194008_http___linux_help_bugs3_com_Camel_mail_txt
20140419143734_http___www_activestate_com_activeperl_downloads_thank_you_dl_http___downloads_activestate_com_ActivePerl_releases_5_18_2_1802_ActivePerl_5_18_2_1802_x86_64_linux_glibc_2_5_298023_tar_gz
20140419144043_http___ha_ckers_org_slowloris_slowloris_pl
20140420104056_http___downloads_metasploit_com_data_releases_archive_metasploit_4_9_2_linux_x64_installer_run
20140420104325_http___nmap_org_dist_nmap_6_46_1_i386_rpm
20140505073503_http___116_255_239_180_888_007
20140505093229_http___119_148_161_25_805_sd32
20140505111511_http___112_117_223_10_280_1
20140515091557_http___112_117_223_10_280__bash_6_phpmysql
20140519193800_http___www_unrealircd_com_downloads_Unreal3_2_8_1_tar_gz
20140523120411_http___lemonjuice_tk_netcat_sh
20140610174516_http___59_63_183_193_280__etc_Test8888
20140614200901_http___kismetismy_name_ktx
20140625032113_http___ftp_mirrorservice_org_sites_ftp_wiretapped_net_pub_security_packet_construction_netcat_gnu_netcat_netcat_0_7_1_tar_gz
20140720005010_http___www_bl4ck_viper_persiangig_com_p8_localroots_2_6_x_cw7_3
To see the full source for some of the scripts downloaded by the attackers, you can go to this GitHub repo. A couple of my favorite ones:
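The file names in the listing above follow Kippo's download naming scheme: a `YYYYmmddHHMMSS` timestamp, an underscore, then the requested URL with every non-alphanumeric character replaced by `_` (this description of the scheme is my recollection of Kippo's wget emulation, not something the post states). The flattening is lossy, since `.`, `/` and `:` all become `_`, so the exact URL should be taken from the `wget` command Kippo records in its main log; what can be recovered reliably is the capture time and whether the host was a raw IPv4 address, which is worth surfacing because most of the IRC bots and DoS tools above came from bare IPs rather than domains. The following Python is an added example (not the author's tooling) that decodes a few of the names from the listing and tallies them by hosting IP and by month.

```python
import re
from collections import Counter
from datetime import datetime

# Names copied from the listing above. Kippo's wget emulation writes captures as
# "<YYYYmmddHHMMSS>_<url with every non-alphanumeric character turned into '_'>"
# (assumption about the naming scheme, drawn from Kippo's wget.py as I recall it).
SAMPLE_NAMES = [
    "20131030113401_http___198_2_192_204_22_disknyp",
    "20131103183232_http___61_132_227_111_8080_meimei",
    "20131104045744_http___198_2_192_204_22_disknyp",
    "20131216143208_http___X_hackersoft_org_scanner_gosh_jpg",
    "20140120152204_http___111_39_43_54_5555_dos32",
    "20140505073503_http___116_255_239_180_888_007",
    "20140625032113_http___ftp_mirrorservice_org_sites_ftp_wiretapped_net_pub_security_packet_construction_netcat_gnu_netcat_netcat_0_7_1_tar_gz",
]

# "http://" flattens to "http___", so the scheme is followed by a run of underscores.
NAME_RE = re.compile(r"^(?P<ts>\d{14})_(?P<scheme>https?|ftp)_+(?P<rest>.+)$")
# A host that was a dotted quad flattens to four numeric tokens at the start of the rest.
IPV4_RE = re.compile(r"^(\d{1,3})_(\d{1,3})_(\d{1,3})_(\d{1,3})(?:_|$)")


def decode_name(name):
    """Recover timestamp, scheme and (if the host was a bare IPv4) the IP from a capture name.
    Returns None for names that do not follow the scheme."""
    m = NAME_RE.match(name)
    if not m:
        return None
    rest = m.group("rest")
    ip = IPV4_RE.match(rest)
    ip_str = None
    if ip and all(int(octet) < 256 for octet in ip.groups()):
        ip_str = ".".join(ip.groups())
    return {
        "name": name,
        "ts": datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S"),
        "scheme": m.group("scheme"),
        "host_and_path_tokens": rest,        # lossy: '.', '/', ':' were all turned into '_'
        "ip": ip_str,
        "last_token": rest.rsplit("_", 1)[-1],  # e.g. "gz", "jpg", "disknyp"; a hint only
    }


def summarize(names):
    """Tally captures by hosting IP and by month, plus the first and last capture time."""
    decoded = [d for d in map(decode_name, names) if d]
    per_ip = Counter(d["ip"] for d in decoded if d["ip"])
    return {
        "total": len(decoded),
        "ip_hosted": sum(per_ip.values()),
        "per_ip": per_ip,
        "per_month": Counter(d["ts"].strftime("%Y-%m") for d in decoded),
        "first": min((d["ts"] for d in decoded), default=None),
        "last": max((d["ts"] for d in decoded), default=None),
    }


if __name__ == "__main__":
    import os
    import sys
    # Usage: python kippo_dl_names.py /opt/kippo/dl   (defaults to the sample names)
    names = sorted(os.listdir(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_NAMES
    s = summarize(names)
    print(f"{s['ip_hosted']} of {s['total']} captures came from bare-IP hosts")
    for ip, n in s["per_ip"].most_common():
        print(f"  {ip}: {n}")
    for month, n in sorted(s["per_month"].items()):
        print(f"  {month}: {n}")
```

Treat `last_token` as a hint, not a file type: a `jpg` or `txt` suffix fetched by wget into a root shell is itself suspicious, but the real type comes from `file` or a hash lookup on the captured sample in Kippo's dl directory.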

TTY Replay Sessions:

My absolute favorite feature of Kippo is the ability to replay interactive attacker sessions. Watching these replays shows what attackers do once they are inside a shell. For instance, almost every session begins with "w", which shows logged-in users and uptime, followed by "uname -a" to get system details. I made a YouTube series called The Kippo Kronicles a while back to showcase some of these sessions. While I no longer have the time to put up a video for every session, I have published the output of each session at this GitHub repo.
Here is a fun example:
AWSWeb:~# adduser
adduser: Only one or two names allowed.
AWSWeb:~# useradd
adduser: Only one or two names allowed.
AWSWeb:~# ls
AWSWeb:~# pwd
root
AWSWeb:~# cd /cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
richard:x:1000:1000:richard,,,:/home/richard:/bin/bash
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
AWSWeb:~# user
bash: user: command not found
AWSWeb:~# adduser obz
Adding user `obz' ...
Adding new group `obz' (1001) ...
Adding new user `obz' (1001) with group `obz' ...
Creating home directory `/home/obz' ...
Copying files from `/etc/skel' ...
Password: 
Password again: 
Changing the user information for obz
Enter the new value, or press ENTER for the default
        Username []: 
Must enter a value!
        Username []: obz
        Full Name []: ladmin obz
        Room Number []: 1
        Work Phone []: 1234567890
        Home Phone []: 
Must enter a value!
        Home Phone []: 0
        Mobile Phone []: 0
        Country []: cn
        City []: xang
        Language []: mand
        Favorite movie []: 1
        Other []: 1
Is the information correct? [Y/n] y
ERROR: Some of the information you entered is invalid
Deleting user `obz' ...
Deleting group `obz' (1001) ...
Deleting home directory `/home/obz' ...
Try again? [Y/n] y
Changing the user information for obz
Enter the new value, or press ENTER for the default
        Username []: obx
        Full Name []: obx toor
        Room Number []: 1
        Work Phone []: 19089543121
        Home Phone []: 9089342135
        Mobile Phone []: 9089439012
        Country []: cn
        City []: xang
        Language []: manenglish
        Favorite movie []: one
        Other []: twofour
Is the information correct? [Y/n] y
ERROR: Some of the information you entered is invalid
Deleting user `obz' ...
Deleting group `obz' (1001) ...
Deleting home directory `/home/obz' ...
Try again? [Y/n] n
AWSWeb:~# cat adduser obz user cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
richard:x:1000:1000:richard,,,:/home/richard:/bin/bash
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
AWSWeb:~# cat /etc/shadow
cat: /etc/shadow: No such file or directory
AWSWeb:~# /etc/init.d\D/ssh start
bash: /etc/init.D/ssh: command not found
AWSWeb:~# /etc/init.D/ssh startd
bash: /etc/init.d/ssh: command not found
AWSWeb:~# 
AWSWeb:~# 
AWSWeb:~# 
AWSWeb:~# 
AWSWeb:~# 
AWSWeb:~# 
AWSWeb:~# 
AWSWeb:~# 
AWSWeb:~# 
AWSWeb:~# exit
cConnection to server closed.
localhost:~# exit
Connection to server closed.
localhost:~# bye
bash: bye: command not found
localhost:~# exit
Connection to server closed.
localhost:~# admin
bash: admin: command not found
localhost:~# su
localhost:~# ls -l
drwxr-xr-x 1 root root 4096 2013-02-03 17:11 .
drwxr-xr-x 1 root root 4096 2013-02-03 17:11 ..
drwxr-xr-x 1 root root 4096 2009-11-06 11:16 .debtags
-rw------- 1 root root 5515 2009-11-20 09:08 .viminfo
drwx------ 1 root root 4096 2009-11-06 11:13 .aptitude
-rw-r--r-- 1 root root  140 2009-11-06 11:09 .profile
-rw-r--r-- 1 root root  412 2009-11-06 11:09 .bashrc
localhost:~# pwd
/root
localhost:~# cd /
localhost:/# ls -l
drwxr-xr-x 1 root root  4096 2013-02-03 17:11 .
drwxr-xr-x 1 root root  4096 2013-02-03 17:11 ..
drwxr-xr-x 1 root root     0 2009-11-20 08:19 sys
drwxr-xr-x 1 root root  4096 2009-11-08 15:42 bin
drwxr-xr-x 1 root root  4096 2009-11-06 11:08 mnt
drwxr-xr-x 1 root root  4096 2009-11-06 11:08 media
lrwxrwxrwx 1 root root    25 2009-11-06 11:16 vmlinuz -> /boot/vmlinuz-2.6.26-2-686
drwxr-xr-x 1 root root  4096 2009-11-06 11:09 opt
lrwxrwxrwx 1 root root    11 2009-11-06 11:08 cdrom -> /media/cdrom0
drwxr-xr-x 1 root root  4096 2009-11-06 11:08 selinux
drwxrwxrwx 1 root root  4096 2009-11-20 08:19 tmp
dr-xr-xr-x 1 root root     0 2009-11-20 08:19 proc
drwxr-xr-x 1 root root  4096 2009-11-08 15:41 sbin
drwxr-xr-x 1 root root  4096 2009-11-20 08:20 etc
drwxr-xr-x 1 root root  3200 2009-11-20 08:20 dev
drwxr-xr-x 1 root root  4096 2009-11-06 11:09 srv
lrwxrwxrwx 1 root root    28 2009-11-06 11:16 initrd.img -> /boot/initrd.img-2.6.26-2-686
drwxr-xr-x 1 root root  4096 2009-11-08 15:46 lib
drwxr-xr-x 1 root root  4096 2009-11-06 11:22 home
drwxr-xr-x 1 root root  4096 2009-11-06 11:09 var
drwxr-xr-x 1 root root  4096 2009-11-08 15:46 usr
drwxr-xr-x 1 root root  4096 2009-11-08 15:39 boot
drwxr-xr-x 1 root root  4096 2009-11-20 09:08 root
drwx------ 1 root root 16384 2009-11-06 11:08 lost+found
localhost:/# cd /home
localhost:/home# ls -l
ldrwxr-xr-x 1 root root 4096 2013-02-03 17:11 .
drwxr-xr-x 1 root root 4096 2013-02-03 17:11 ..
drwxr-xr-x 1 1000 1000 4096 2009-11-06 11:22 richard
localhost:/home# exit
Connection to server closed.
localhost:~# 
localhost:~# 
localhost:~# 
localhost:~# 
localhost:~# 
localhost:~# 
localhost:~# ssh -D root@http://60.250.65.112/ 1337
The authenticity of host '60.250.65.112 (60.250.65.112)' can't be established.
RSA key fingerprint is 9d:30:97:8a:9e:48:0d:de:04:8d:76:3a:7b:4b:30:f8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '60.250.65.112' (RSA) to the list of known hosts.
root@60.250.65.112's password: 
Linux localhost 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686
Last login: Sat Feb  2 07:07:11 2013 from 192.168.9.4
localhost:~# uname -a
Linux localhost 2.6.24-2-generic #1 SMP Thu Dec 20 17:36:12 GMT 2007 i686 GNU/Linux
localhost:~# pwd
/root
localhost:~# cd /
localhost:/# ls -l
drwxr-xr-x 1 root root  4096 2013-02-03 17:19 .
drwxr-xr-x 1 root root  4096 2013-02-03 17:19 ..
drwxr-xr-x 1 root root     0 2009-11-20 08:19 sys
drwxr-xr-x 1 root root  4096 2009-11-08 15:42 bin
drwxr-xr-x 1 root root  4096 2009-11-06 11:08 mnt
drwxr-xr-x 1 root root  4096 2009-11-06 11:08 media
lrwxrwxrwx 1 root root    25 2009-11-06 11:16 vmlinuz -> /boot/vmlinuz-2.6.26-2-686
drwxr-xr-x 1 root root  4096 2009-11-06 11:09 opt
lrwxrwxrwx 1 root root    11 2009-11-06 11:08 cdrom -> /media/cdrom0
drwxr-xr-x 1 root root  4096 2009-11-06 11:08 selinux
drwxrwxrwx 1 root root  4096 2009-11-20 08:19 tmp
dr-xr-xr-x 1 root root     0 2009-11-20 08:19 proc
drwxr-xr-x 1 root root  4096 2009-11-08 15:41 sbin
drwxr-xr-x 1 root root  4096 2009-11-20 08:20 etc
drwxr-xr-x 1 root root  3200 2009-11-20 08:20 dev
drwxr-xr-x 1 root root  4096 2009-11-06 11:09 srv
lrwxrwxrwx 1 root root    28 2009-11-06 11:16 initrd.img -> /boot/initrd.img-2.6.26-2-686
drwxr-xr-x 1 root root  4096 2009-11-08 15:46 lib
drwxr-xr-x 1 root root  4096 2009-11-06 11:22 home
drwxr-xr-x 1 root root  4096 2009-11-06 11:09 var
drwxr-xr-x 1 root root  4096 2009-11-08 15:46 usr
drwxr-xr-x 1 root root  4096 2009-11-08 15:39 boot
drwxr-xr-x 1 root root  4096 2009-11-20 09:08 root
drwx------ 1 root root 16384 2009-11-06 11:08 lost+found
localhost:/# cd /root
localhost:~# ls -l
ldrwxr-xr-x 1 root root 4096 2013-02-03 17:19 .
drwxr-xr-x 1 root root 4096 2013-02-03 17:19 ..
drwxr-xr-x 1 root root 4096 2009-11-06 11:16 .debtags
-rw------- 1 root root 5515 2009-11-20 09:08 .viminfo
drwx------ 1 root root 4096 2009-11-06 11:13 .aptitude
-rw-r--r-- 1 root root  140 2009-11-06 11:09 .profile
-rw-r--r-- 1 root root  412 2009-11-06 11:09 .bashrc
localhost:~# cd /hocd /home/
localhost:/home# ls -l
drwxr-xr-x 1 root root 4096 2013-02-03 17:20 .
drwxr-xr-x 1 root root 4096 2013-02-03 17:20 ..
drwxr-xr-x 1 1000 1000 4096 2009-11-06 11:22 richard
localhost:/home# exit
Connection to server closed.
localhost:~# exit
Connection to server closed.
localhost:~# 
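The replays above are what Kippo's playlog.py prints from its binary TTY logs in log/tty/. Replaying is great for watching, but for trend analysis across hundreds of sessions (how many start with "w", how many run "uname -a") it helps to pull the typed command lines straight out of the log, including keystroke corrections the attacker made. The Python below is an added example, not part of Kippo or the author's repo. It assumes the record layout I recall from Kippo's ttylog.py (a little-endian header of op, tty, length, direction, seconds, microseconds, followed by the data); the constructed sample session is written with that same packer, so the parser is self-consistent even if upstream's header differs in a field.

```python
import struct
from io import BytesIO

# Record layout assumed for Kippo's ttylog files (see the lead-in above):
# header "<iLiiLL" = op, tty, length, direction, sec, usec, then `length` data bytes.
OP_OPEN, OP_CLOSE, OP_WRITE, OP_EXEC = 1, 2, 3, 4
TYPE_INPUT, TYPE_OUTPUT, TYPE_INTERACT = 1, 2, 3
HEADER = struct.Struct("<iLiiLL")


def write_record(buf, op, direction, stamp, data=b""):
    """Append one record in the assumed ttylog layout."""
    sec = int(stamp)
    usec = int(round((stamp - sec) * 1_000_000))
    buf.write(HEADER.pack(op, 0, len(data), direction, sec, usec))
    buf.write(data)


def build_sample_log():
    """A constructed session (not a real capture): the attacker types 'w',
    mistypes 'unmae', fixes it with backspaces to 'uname -a', then exits."""
    buf = BytesIO()
    t = 1405814400.0  # 2014-07-20 00:00:00 UTC
    write_record(buf, OP_OPEN, TYPE_INTERACT, t)
    write_record(buf, OP_WRITE, TYPE_OUTPUT, t, b"AWSWeb:~# ")
    exchanges = (
        (b"w\r", b"\r\n 00:00:01 up 14 days,  2 users\r\nAWSWeb:~# "),
        (b"unmae\x7f\x7f\x7fame -a\r", b"\r\nLinux AWSWeb 2.6.24-2-generic i686 GNU/Linux\r\nAWSWeb:~# "),
        (b"exit\r", b"\r\nConnection to server closed.\r\n"),
    )
    for keys, reply in exchanges:
        for key in keys:  # input arrives per keystroke, so log it that way
            t += 0.25
            write_record(buf, OP_WRITE, TYPE_INPUT, t, bytes([key]))
        write_record(buf, OP_WRITE, TYPE_OUTPUT, t, reply)
    write_record(buf, OP_CLOSE, TYPE_INTERACT, t)
    return buf.getvalue()


def iter_records(blob):
    """Yield (op, direction, timestamp, data) per well-formed record; stop at truncation."""
    off = 0
    while off + HEADER.size <= len(blob):
        op, _tty, length, direction, sec, usec = HEADER.unpack_from(blob, off)
        off += HEADER.size
        if length < 0 or off + length > len(blob):
            break  # truncated or corrupt record: do not read past the end
        yield op, direction, sec + usec / 1e6, blob[off:off + length]
        off += length


def replay_output(blob):
    """Everything the honeypot printed, i.e. what playlog.py shows by default."""
    return b"".join(d for op, dr, _, d in iter_records(blob) if op == OP_WRITE and dr == TYPE_OUTPUT)


def extract_commands(blob):
    """Rebuild the lines the attacker typed from INPUT records, applying DEL/backspace
    and splitting on CR/LF. Returns [(timestamp, command), ...] in session order."""
    commands, line = [], bytearray()
    for op, direction, ts, data in iter_records(blob):
        if op != OP_WRITE or direction != TYPE_INPUT:
            continue
        for b in data:
            if b in (0x7F, 0x08):        # DEL or BS: the attacker corrected a typo
                if line:
                    line.pop()
            elif b in (0x0D, 0x0A):      # Enter: one command line is complete
                if line:
                    commands.append((ts, line.decode("utf-8", "replace")))
                line = bytearray()
            else:
                line.append(b)
    return commands


if __name__ == "__main__":
    import sys
    # Usage: python ttylog_commands.py /opt/kippo/log/tty/<file>.log  (defaults to the sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_log()
    for ts, cmd in extract_commands(blob):
        print(f"{ts:.3f}  {cmd}")
```

Because the session's first command comes back as a plain string, counting how often "w" or "uname -a" opens a session across a whole tty directory is a one-line loop over `extract_commands`; the timestamps also give the gap between the login and the first command, which separates scripted bots from hands-on-keyboard sessions.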

Conclusion:

After a year with Kippo, I have learned a lot about what these basic attackers do when connecting to seemingly open SSH hosts. There is plenty more to learn, though. I have plans to build out a larger honeypot infrastructure and to automate some of the data collection and parsing. I would also like to spend more time analyzing the sessions and malware for further trends. I'll keep you all posted!

*Big thanks to Bruteforce Labs for their tools and expertise in honeypots.

Tuesday, Mar 05 2013

The Kippo Kronicles - Ep3 Orly?

In this episode of the Kippo Kronicles our attacker attempts to install Metasploit on our honeypot. He is very persistent and does not realize he is in a honeypot, even after getting the O RLY owl.
If you want to see the logs from my Kippo instance, check out the Downloads section. For those who do not want to watch the video, the full session output is below:
kippo@MyAWSHoneypot:~/kippo/log/tty$ ~/kippo/utils/playlog.py 20130225-042834-4525.log
AWSWeb:~# ls -la
drwxr-xr-x 1 root root 4096 2013-02-25 04:29 .
drwxr-xr-x 1 root root 4096 2013-02-25 04:29 ..
drwxr-xr-x 1 root root 4096 2009-11-06 11:16 .debtags
-rw------- 1 root root 5515 2009-11-20 09:08 .viminfo
drwx------ 1 root root 4096 2009-11-06 11:13 .aptitude
-rw-r--r-- 1 root root  140 2009-11-06 11:09 .profile
-rw-r--r-- 1 root root  412 2009-11-06 11:09 .bashrc
AWSWeb:~# ls -la
drwxr-xr-x 1 root root 4096 2013-02-25 04:29 .
drwxr-xr-x 1 root root 4096 2013-02-25 04:29 ..
drwxr-xr-x 1 root root 4096 2009-11-06 11:16 .debtags
-rw------- 1 root root 5515 2009-11-20 09:08 .viminfo
drwx------ 1 root root 4096 2009-11-06 11:13 .aptitude
-rw-r--r-- 1 root root  140 2009-11-06 11:09 .profile
-rw-r--r-- 1 root root  412 2009-11-06 11:09 .bashrc
AWSWeb:~# pwd
/root
AWSWeb:~# uname -a
Linux AWSWeb 2.6.24-2-generic #1 SMP Thu Dec 20 17:36:12 GMT 2007 i686 GNU/Linux
AWSWeb:~# wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-installer.run
--2013-02-25 04:33:42--  http://downloads.metasploit.com/data/releases/metasploit-latest-linux-installer.run
Connecting to downloads.metasploit.com:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 208374041 (198M) [text/plain]
Saving to: `metasploit-latest-linux-installer.run
100%[======================================>] 208,374,041  10270K/s  eta 0s
2013-02-25 04:34:02 (10270 KB/s) - `metasploit-latest-linux-installer.run' saved [208374041/208374041]
AWSWeb:~# sh metasploit-latest-linux-installer.run
AWSWeb:~# ./metasploit-latest-linux-installer.run
bash: ./metasploit-latest-linux-installer.run: command not found
AWSWeb:~# dir
bash: dir: command not found
AWSWeb:~# ls -la
drwxr-xr-x 1 root root      4096 2013-02-25 04:34 .
drwxr-xr-x 1 root root      4096 2013-02-25 04:34 ..
drwxr-xr-x 1 root root      4096 2009-11-06 11:16 .debtags
-rw------- 1 root root      5515 2009-11-20 09:08 .viminfo
drwx------ 1 root root      4096 2009-11-06 11:13 .aptitude
-rw-r--r-- 1 root root       140 2009-11-06 11:09 .profile
-rw-r--r-- 1 root root       412 2009-11-06 11:09 .bashrc
-rw-r--r-- 1 root root 208374041 2013-02-25 04:34 metasploit-latest-linux-installer.run
AWSWeb:~# sh metasploit-latest-linux-installer.run
AWSWeb:~# sh
AWSWeb:~# run metasploit-latest-linux-installer.run
bash: run: command not found
AWSWeb:~# ./metasploit-latest-linux-installer.run
bash: ./metasploit-latest-linux-installer.run: command not found
AWSWeb:~# metasploit-latest-linux-installer.run
bash: metasploit-latest-linux-installer.run: command not found
AWSWeb:~# ls -la
drwxr-xr-x 1 root root      4096 2013-02-25 04:35 .
drwxr-xr-x 1 root root      4096 2013-02-25 04:35 ..
drwxr-xr-x 1 root root      4096 2009-11-06 11:16 .debtags
-rw------- 1 root root      5515 2009-11-20 09:08 .viminfo
drwx------ 1 root root      4096 2009-11-06 11:13 .aptitude
-rw-r--r-- 1 root root       140 2009-11-06 11:09 .profile
-rw-r--r-- 1 root root       412 2009-11-06 11:09 .bashrc
-rw-r--r-- 1 root root 208374041 2013-02-25 04:34 metasploit-latest-linux-installer.run
AWSWeb:~# chmod 777 metasploit-latest-linux-installer.run
AWSWeb:~# sh metasploit-latest-linux-installer.run
AWSWeb:~# clear
AWSWeb:~# wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run
--2013-02-25 04:36:03--  http://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run
Connecting to downloads.metasploit.com:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 208792036 (199M) [text/plain]
Saving to: `metasploit-latest-linux-x64-installer.run
100%[======================================>] 208,792,036  6647K/s  eta 0s
2013-02-25 04:36:34 (6647 KB/s) - `metasploit-latest-linux-x64-installer.run' saved [208792036/208792036]
AWSWeb:~# sh metasploit-latest-linux-x64-installer.run
AWSWeb:~# chmod +x metasploit-latest-linux-installer.run
AWSWeb:~# sudo ./metasploit-latest-linux-installer.ru
bash: sudo: command not found
AWSWeb:~# sudo ./metasploit-latest-linux-installer.run
bash: sudo: command not found
AWSWeb:~# sh metasploit-latest-linux-installer.run
AWSWeb:~# sudo apt-get install ruby libopenssl-ruby libyaml-ruby libdl-ruby
bash: sudo: command not found
AWSWeb:~# sudo apt-get install ruby libopenssl-ruby libyaml-ruby libdl-rubylibiconv-ruby libreadline-ruby irb ri rubygems
bash: sudo: command not found
AWSWeb:~# install rpm sh
bash: install: command not found
AWSWeb:~# rpm -ivh sh
bash: rpm: command not found
AWSWeb:~# apt-get update
E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
E: Unable to lock the list directory
AWSWeb:~# id
uid=0(root) gid=0(root) groups=0(root)
AWSWeb:~# rpmbuild -ts httpd-2.4.x.tar.bz2
bash: rpmbuild: command not found
AWSWeb:~# wget -O /etc/yum.repos.d/epel-erlang.repo http://repos.fedorapeople.org/repos/peter/erlang/epel-erlang.repo
--2013-02-25 04:58:51--  http:///etc/yum.repos.d/epel-erlang.repo
Connecting to :80... connected.
HTTP request sent, awaiting response... Connection was refused by other side: 111: Connection refused.
AWSWeb:~# yum install erlang
bash: yum: command not found
AWSWeb:~# rpm --import http://www.rabbitmq.com/rabbitmq-signing-key-public.asc
bash: rpm: command not found
AWSWeb:~# yum install rabbitmq-server-3.0.2-1.noarch.rpm
bash: yum: command not found
AWSWeb:~# sudo apt-get install alien
bash: sudo: command not found
AWSWeb:~# sudo apt-get install alien dpkg-dev debhelper build-essential
bash: sudo: command not found
AWSWeb:~# yum apt-get install alien dpkg-dev debhelper build-essential
bash: yum: command not found
AWSWeb:~# yum install sudo
bash: yum: command not found
AWSWeb:~# wget http://linux.duke.edu/projects/yum/download/2.0/yum-2.0.7.tar.gz
--2013-02-25 05:10:07--  http://linux.duke.edu/projects/yum/download/2.0/yum-2.0.7.tar.gz
Connecting to linux.duke.edu:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 174080 (170K) [application/x-gzip]
Saving to: `yum-2.0.7.tar.gz
100%[======================================>] 174,080      76K/s  eta 1s
2013-02-25 05:10:09 (76 KB/s) - `yum-2.0.7.tar.gz' saved [174080/174080]
AWSWeb:~# tar -xvzf yum-2.0.7.tar.gz
yum-2.0.7
yum-2.0.7/callback.py
yum-2.0.7/nevral.py
yum-2.0.7/configure
yum-2.0.7/translate.py
yum-2.0.7/py-compile
yum-2.0.7/COPYING
yum-2.0.7/etc
yum-2.0.7/etc/yum.cron
yum-2.0.7/etc/yum.logrotate
yum-2.0.7/etc/Makefile.in
yum-2.0.7/etc/yum.conf
yum-2.0.7/etc/yum.init
yum-2.0.7/pkgaction.py
yum-2.0.7/archwork.py
yum-2.0.7/mkinstalldirs
yum-2.0.7/failover.py
yum-2.0.7/lilo.py
yum-2.0.7/logger.py
yum-2.0.7/i18n.py
yum-2.0.7/progress_meter.py
yum-2.0.7/configure.in
yum-2.0.7/yum.spec
yum-2.0.7/docs
yum-2.0.7/docs/yum.conf.5
yum-2.0.7/docs/Makefile.in
yum-2.0.7/docs/yum.8
yum-2.0.7/docs/yum-arch.8
yum-2.0.7/checkbootloader.py
yum-2.0.7/yumlock.py
yum-2.0.7/bin
yum-2.0.7/bin/yum-arch
yum-2.0.7/bin/Makefile.in
yum-2.0.7/bin/yum
yum-2.0.7/up2datetheft.py
yum-2.0.7/urlgrabber.py
yum-2.0.7/install-sh
yum-2.0.7/bootloadercfg.py
yum-2.0.7/grubcfg.py
yum-2.0.7/Makefile.in
yum-2.0.7/INSTALL
yum-2.0.7/serverStuff.py
yum-2.0.7/po
yum-2.0.7/po/uk.po
yum-2.0.7/po/pygettext.py
yum-2.0.7/po/cs.po
yum-2.0.7/po/ru.po
yum-2.0.7/po/es.po
yum-2.0.7/po/Makefile.in
yum-2.0.7/po/yum.pot
yum-2.0.7/rpmUtils.py
yum-2.0.7/pullheaders.py
yum-2.0.7/README
yum-2.0.7/keepalive.py
yum-2.0.7/ChangeLog
yum-2.0.7/yummain.py
yum-2.0.7/comps.py
yum-2.0.7/iutil.py
yum-2.0.7/clientStuff.py
yum-2.0.7/yumcomps.py
yum-2.0.7/config.py
yum-2.0.7/AUTHORS
yum-2.0.7/lilocfg.py
yum-2.0.7/TODO
AWSWeb:~# cd yum-2.0.7
AWSWeb:~/yum-2.0.7# ./configure
Shall we play a game? yes
A strange game. The only winning move is not to play.  How about a nice game of chess?
AWSWeb:~/yum-2.0.7# ./configure
Shall we play a game? no
A strange game. The only winning move is not to play.  How about a nice game of chess?
AWSWeb:~/yum-2.0.7# ./configure
Shall we play a game?
A strange game. The only winning move is not to play.  How about a nice game of chess?
AWSWeb:~/yum-2.0.7# make
bash: make: command not found
AWSWeb:~/yum-2.0.7# make install
bash: make: command not found
AWSWeb:~/yum-2.0.7# dir
bash: dir: command not found
AWSWeb:~/yum-2.0.7# ls -la
drwxr-xr-x 1 root root  4096 2013-02-25 05:11 .
drwxr-xr-x 1 root root  4096 2013-02-25 05:11 ..
-rw-rw-r-- 1 root root  3527 2004-05-07 04:58 callback.py
-rw-rw-r-- 1 root root 22517 2004-05-07 04:58 nevral.py
-rwxrwxr-x 1 root root 69467 2004-05-07 04:58 configure
-rw-rw-r-- 1 root root  8309 2004-05-07 04:58 translate.py
-rwxrwxr-x 1 root root  1478 2004-05-07 04:58 py-compile
-rw-rw-r-- 1 root root 17976 2004-05-07 04:58 COPYING
drwxrwxr-x 1 root root  4096 2004-05-07 04:58 etc
-rw-rw-r-- 1 root root 25478 2004-05-07 04:58 pkgaction.py
-rw-rw-r-- 1 root root  3045 2004-05-07 04:58 archwork.py
-rwxrwxr-x 1 root root   729 2004-05-07 04:58 mkinstalldirs
-rw-rw-r-- 1 root root  3588 2004-05-07 04:58 failover.py
-rw-rw-r-- 1 root root  9784 2004-05-07 04:58 lilo.py
-rw-rw-r-- 1 root root 15812 2004-05-07 04:58 logger.py
-rw-r--r-- 1 root root   690 2004-05-07 04:58 i18n.py
-rw-rw-r-- 1 root root  5528 2004-05-07 04:58 progress_meter.py
-rw-rw-r-- 1 root root   636 2004-05-07 04:58 configure.in
-rw-rw-r-- 1 root root  3636 2004-05-07 04:58 yum.spec
drwxrwxr-x 1 root root  4096 2004-05-07 04:58 docs
-rw-rw-r-- 1 root root  4607 2004-05-07 04:58 checkbootloader.py
-rw-rw-r-- 1 root root   541 2004-05-07 04:58 yumlock.py
drwxrwxr-x 1 root root  4096 2004-05-07 04:58 bin
-rw-rw-r-- 1 root root  1206 2004-05-07 04:58 up2datetheft.py
-rw-rw-r-- 1 root root 19254 2004-05-07 04:58 urlgrabber.py
-rwxrwxr-x 1 root root  5598 2004-05-07 04:58 install-sh
-rw-rw-r-- 1 root root  1331 2004-05-07 04:58 bootloadercfg.py
-rw-rw-r-- 1 root root  2188 2004-05-07 04:58 grubcfg.py
-rw-rw-r-- 1 root root  4611 2004-05-07 04:58 Makefile.in
-rw-rw-r-- 1 root root   320 2004-05-07 04:58 INSTALL
-rw-rw-r-- 1 root root  3723 2004-05-07 04:58 serverStuff.py
drwxrwxr-x 1 root root  4096 2004-05-07 04:58 po
-rw-r--r-- 1 root root 12223 2004-05-07 04:58 rpmUtils.py
-rw-rw-r-- 1 root root 11884 2004-05-07 04:58 pullheaders.py
-rw-rw-r-- 1 root root  1655 2004-05-07 04:58 README
-rw-rw-r-- 1 root root 14083 2004-05-07 04:58 keepalive.py
-rw-rw-r-- 1 root root 39484 2004-05-07 04:58 ChangeLog
-rwxr-xr-x 1 root root 14959 2004-05-07 04:58 yummain.py
-rwxrwxr-x 1 root root 11923 2004-05-07 04:58 comps.py
-rw-rw-r-- 1 root root  7709 2004-05-07 04:58 iutil.py
-rwxr-xr-x 1 root root 54626 2004-05-07 04:58 clientStuff.py
-rwxrwxr-x 1 root root 13876 2004-05-07 04:58 yumcomps.py
-rw-rw-r-- 1 root root 15758 2004-05-07 04:58 config.py
-rw-rw-r-- 1 root root   888 2004-05-07 04:58 AUTHORS
-rw-rw-r-- 1 root root 13304 2004-05-07 04:58 lilocfg.py
-rw-rw-r-- 1 root root    76 2004-05-07 04:58 TODO
AWSWeb:~/yum-2.0.7# ./INSTALL
  ___
 {o,o}
 |)__)
 -"-"-
O RLY?
  ___
 {o,o}
 |)__)
 -"-"-
O RLY? yes
  ___
 {o,o}
 (__(|
 -"-"-
NO WAI!
AWSWeb:~/yum-2.0.7# INSTALL
bash: INSTALL: command not found
AWSWeb:~/yum-2.0.7# ./INSTALL
  ___
 {o,o}
 |)__)
 -"-"-
O RLY? y
  ___
 {o,o}
 (__(|
 -"-"-
NO WAI!
AWSWeb:~/yum-2.0.7# ./INSTALL
  ___
 {o,o}
 |)__)
 -"-"-
O RLY? n
  ___
 {o,o}
 |)__)
 -"-"-
O RLY? n
  ___
 {o,o}
 |)__)
 -"-"-
O RLY? ./configure
  ___
 {o,o}
 |)__)
 -"-"-
O RLY?
  ___
 {o,o}
 |)__)
 -"-"-
O RLY? y
  ___
 {o,o}
 (__(|
 -"-"-
NO WAI!
AWSWeb:~/yum-2.0.7# ./configure
Shall we play a game? y
A strange game. The only winning move is not to play.  How about a nice game of chess?
AWSWeb:~/yum-2.0.7# ./mkinstalldirs
Shall we play a game?
A strange game. The only winning move is not to play.  How about a nice game of chess?
AWSWeb:~/yum-2.0.7# mkdir setups
AWSWeb:~/yum-2.0.7# cd setups
AWSWeb:~/yum-2.0.7/setups# wget http://linux.duke.edu/projects/yum/download/2.0/yum-2.0.7.tar.gz
--2013-02-25 05:15:07--  http://linux.duke.edu/projects/yum/download/2.0/yum-2.0.7.tar.gz
Connecting to linux.duke.edu:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 174080 (170K) [application/x-gzip]
Saving to: `yum-2.0.7.tar.gz
100%[======================================>] 174,080      91K/s  eta 0s
2013-02-25 05:15:09 (91 KB/s) - `yum-2.0.7.tar.gz' saved [174080/174080]
AWSWeb:~/yum-2.0.7/setups# tar -xvzf yum-2.0.7.tar.gz
yum-2.0.7
yum-2.0.7/callback.py
yum-2.0.7/nevral.py
yum-2.0.7/configure
yum-2.0.7/translate.py
yum-2.0.7/py-compile
yum-2.0.7/COPYING
yum-2.0.7/etc
yum-2.0.7/etc/yum.cron
yum-2.0.7/etc/yum.logrotate
yum-2.0.7/etc/Makefile.in
yum-2.0.7/etc/yum.conf
yum-2.0.7/etc/yum.init
yum-2.0.7/pkgaction.py
yum-2.0.7/archwork.py
yum-2.0.7/mkinstalldirs
yum-2.0.7/failover.py
yum-2.0.7/lilo.py
yum-2.0.7/logger.py
yum-2.0.7/i18n.py
yum-2.0.7/progress_meter.py
yum-2.0.7/configure.in
yum-2.0.7/yum.spec
yum-2.0.7/docs
yum-2.0.7/docs/yum.conf.5
yum-2.0.7/docs/Makefile.in
yum-2.0.7/docs/yum.8
yum-2.0.7/docs/yum-arch.8
yum-2.0.7/checkbootloader.py
yum-2.0.7/yumlock.py
yum-2.0.7/bin
yum-2.0.7/bin/yum-arch
yum-2.0.7/bin/Makefile.in
yum-2.0.7/bin/yum
yum-2.0.7/up2datetheft.py
yum-2.0.7/urlgrabber.py
yum-2.0.7/install-sh
yum-2.0.7/bootloadercfg.py
yum-2.0.7/grubcfg.py
yum-2.0.7/Makefile.in
yum-2.0.7/INSTALL
yum-2.0.7/serverStuff.py
yum-2.0.7/po
yum-2.0.7/po/uk.po
yum-2.0.7/po/pygettext.py
yum-2.0.7/po/cs.po
yum-2.0.7/po/ru.po
yum-2.0.7/po/es.po
yum-2.0.7/po/Makefile.in
yum-2.0.7/po/yum.pot
yum-2.0.7/rpmUtils.py
yum-2.0.7/pullheaders.py
yum-2.0.7/README
yum-2.0.7/keepalive.py
yum-2.0.7/ChangeLog
yum-2.0.7/yummain.py
yum-2.0.7/comps.py
yum-2.0.7/iutil.py
yum-2.0.7/clientStuff.py
yum-2.0.7/yumcomps.py
yum-2.0.7/config.py
yum-2.0.7/AUTHORS
yum-2.0.7/lilocfg.py
yum-2.0.7/TODO
AWSWeb:~/yum-2.0.7/setups# cd yum-2.0.7
AWSWeb:~/yum-2.0.7/setups/yum-2.0.7# ./configure
Shall we play a game? y
A strange game. The only winning move is not to play.  How about a nice game of chess?
AWSWeb:~/yum-2.0.7/setups/yum-2.0.7# make
bash: make: command not found
AWSWeb:~/yum-2.0.7/setups/yum-2.0.7# make install
bash: make: command not found
AWSWeb:~/yum-2.0.7/setups/yum-2.0.7# yum update
bash: yum: command not found
AWSWeb:~/yum-2.0.7/setups/yum-2.0.7# cd ..
AWSWeb:~/yum-2.0.7/setups# cd..
bash: cd..: command not found
AWSWeb:~/yum-2.0.7/setups# cd ..
AWSWeb:~/yum-2.0.7# cd ..
AWSWeb:~# dir
bash: dir: command not found
AWSWeb:~# ls -la
drwxr-xr-x 1 root root      4096 2013-02-25 05:16 .
drwxr-xr-x 1 root root      4096 2013-02-25 05:16 ..
drwxr-xr-x 1 root root      4096 2009-11-06 11:16 .debtags
-rw------- 1 root root      5515 2009-11-20 09:08 .viminfo
drwx------ 1 root root      4096 2009-11-06 11:13 .aptitude
-rw-r--r-- 1 root root       140 2009-11-06 11:09 .profile
-rw-r--r-- 1 root root       412 2009-11-06 11:09 .bashrc
-rw-r--r-- 1 root root 208374041 2013-02-25 04:34 metasploit-latest-linux-installer.run
-rw-r--r-- 1 root root 208792036 2013-02-25 04:36 metasploit-latest-linux-x64-installer.run
-rw-r--r-- 1 root root    174080 2013-02-25 05:10 yum-2.0.7.tar.gz
drwxrwxr-x 1 root root      4096 2004-05-07 04:58 yum-2.0.7
AWSWeb:~# rpm -e yum
bash: rpm: command not found
AWSWeb:~# wget ftp://rpmfind.net/linux/fedora/core/4/i386/os/Fedora/RPMS/yum-2.3.2-7.noarch.rpm
ftp://rpmfind.net/linux/fedora/core/4/i386/os/Fedora/RPMS/yum-2.3.2-7.noarch.rpm: Unsupported scheme.

Sunday, Feb 10 2013

Tektip ep21 - Drive Traffic to your Honeypot 


In this episode of TekTip, I am going to show a unique method to drive traffic to your Honeypot.  While I use Kippo as the example this approach will work for any Honeypot.

*If you do not know what Kippo is, shame on you. Watch this, this, and this to get caught up.

Now let's get to it. The first thing we need to do is prep our Kippo instance so that we can measure the results of the approach. Log into your Kippo honeypot, probably on HoneyDrive. Once logged in, go to your Kippo install directory and navigate to the data folder.

If using Honeydrive it will look something like this:

cd /opt/kippo/data

Now use the cat command to see what you currently have as allowable credentials in your userdb.txt.

cat userdb.txt
root:0:123456
root:0:abc123
root:0:p@ssw0rd

This is what I have.  As you can see I allow 3 of the top 10 most used passwords.  Now we want to add credentials that will be unique enough that they should not be attempted by your average attacker. Open userdb.txt in your favorite text editor and add a new line with the credentials you want to use. I added one for root:0:IamSo1337!. Running "cat userdb.txt" again shows the following:

cat userdb.txt

root:0:123456
root:0:abc123
root:0:p@ssw0rd
root:0:IamSo1337!

That takes care of the prep. Now if you are doing this with something other than Kippo, those previous steps won't apply. If whatever Honeypot you are using has the ability to let attackers authenticate you will want to set up a unique set of credentials for the experiment.  If not, press on.

We will now use social networks against our attackers. To put it simply, we are going to post login information for our honeypot on a public site like pastebin, and then alert attackers to the information by posting a link to the paste on social networks like Twitter.

You may want to keep the rest of the activity as anonymous as possible, so fire up Tor Browser or use proxychains to hide your IP information. Once anonymized go to pastebin.com.

The trick to getting this to work properly is to utilize keywords that attackers may have PasteLerts set up for. For instance you will want to include keywords such as ssh, login, username, password, root, and many others.  Make sure you use some of these keywords in the title as well.  Here is a sample one I put together:

Submit this and get your pastebin url.  Now this will be enough to bring in a few extra hits already, from people who are monitoring pastebin. To get even more folks to see this though we will need to take it a step further.

While still anonymizing your activity, create a throwaway Twitter account. As many people as there are that monitor pastebin, there are even more that monitor Twitter (at least I am guessing so). In particular, there are certain Twitter users and lists that people follow to get password dumps as they occur. My favorite of these is @PastebinDorks.

With your new twitter account create a tweet that mentions @PastebinDorks or another account like that.  Have it say something along the lines of, "Check out this one! http://pastebin.com/qi7wzp8h".  Now anyone that follows @PastebinDorks will see your post.  You may get lucky enough to have someone retweet it a few times.

Now you can just sit back and wait for the connections to roll in. While I used Twitter and pastebin in my example, this can be done with any similar tools. The point is to get the data out there in public and then use social networks to increase exposure.

To monitor your Kippo logs and see when attackers use the user/pass combination you specified in userdb.txt, navigate to your Kippo log directory and do the following:

honeydrive@honeydrive:/opt/kippo/log$ cat kippo.log | grep 'login attempt'
2013-02-10 13:04:46+0000 [SSHService ssh-userauth on HoneyPotTransport,9237,193.200.88.100] login attempt [root/abcd1234] failed
2013-02-10 13:04:48+0000 [SSHService ssh-userauth on HoneyPotTransport,9238,193.200.88.100] login attempt [root/1234] failed
2013-02-10 13:04:53+0000 [SSHService ssh-userauth on HoneyPotTransport,9239,193.200.88.100] login attempt [root/redhat] failed
2013-02-10 13:04:59+0000 [SSHService ssh-userauth on HoneyPotTransport,9240,193.200.88.100] login attempt [oracle/oracle] failed
2013-02-10 13:05:02+0000 [SSHService ssh-userauth on HoneyPotTransport,9241,193.200.88.100] login attempt [test/test] failed
2013-02-10 13:05:04+0000 [SSHService ssh-userauth on HoneyPotTransport,9242,193.200.88.100] login attempt [root/1] failed
2013-02-10 13:05:07+0000 [SSHService ssh-userauth on HoneyPotTransport,9243,193.200.88.100] login attempt [root/123] failed
2013-02-10 13:05:09+0000 [SSHService ssh-userauth on HoneyPotTransport,9244,193.200.88.100] login attempt [root/123456789] failed
2013-02-10 13:05:12+0000 [SSHService ssh-userauth on HoneyPotTransport,9245,193.200.88.100] login attempt [root/12345678] failed
2013-02-10 13:05:14+0000 [SSHService ssh-userauth on HoneyPotTransport,9246,193.200.88.100] login attempt [root/1234567] failed
2013-02-10 13:05:17+0000 [SSHService ssh-userauth on HoneyPotTransport,9247,193.200.88.100] login attempt [root/12345] failed
2013-02-10 13:05:20+0000 [SSHService ssh-userauth on HoneyPotTransport,9248,193.200.88.100] login attempt [teamspeak/teamspeak] failed
2013-02-10 13:05:22+0000 [SSHService ssh-userauth on HoneyPotTransport,9249,193.200.88.100] login attempt [teamspeak/ts3] failed
2013-02-10 13:05:25+0000 [SSHService ssh-userauth on HoneyPotTransport,9250,193.200.88.100] login attempt [nagios/nagios] failed
2013-02-10 13:05:28+0000 [SSHService ssh-userauth on HoneyPotTransport,9251,193.200.88.100] login attempt [postgres/postgres] failed
2013-02-10 13:05:30+0000 [SSHService ssh-userauth on HoneyPotTransport,9252,193.200.88.100] login attempt [root/qwe] failed
2013-02-10 13:05:33+0000 [SSHService ssh-userauth on HoneyPotTransport,9253,193.200.88.100] login attempt [root/1q2w3e] failed
2013-02-10 13:05:40+0000 [SSHService ssh-userauth on HoneyPotTransport,9254,193.200.88.100] login attempt [root/1q2w3e4r] failed
2013-02-10 13:05:43+0000 [SSHService ssh-userauth on HoneyPotTransport,9255,193.200.88.100] login attempt [root/qweqwe123] failed
2013-02-10 13:05:45+0000 [SSHService ssh-userauth on HoneyPotTransport,9256,193.200.88.100] login attempt [root/qazwsxedc] failed
2013-02-10 13:05:48+0000 [SSHService ssh-userauth on HoneyPotTransport,9257,193.200.88.100] login attempt [root/1qa2ws3ed] failed
2013-02-10 13:05:57+0000 [SSHService ssh-userauth on HoneyPotTransport,9258,193.200.88.100] login attempt [root/123123] failed
2013-02-10 13:06:00+0000 [SSHService ssh-userauth on HoneyPotTransport,9259,193.200.88.100] login attempt [root/abcd1234] failed
2013-02-10 13:06:03+0000 [SSHService ssh-userauth on HoneyPotTransport,9260,193.200.88.100] login attempt [root/qazwsx123] failed
2013-02-10 13:06:05+0000 [SSHService ssh-userauth on HoneyPotTransport,9261,193.200.88.100] login attempt [root/abc123] succeeded
2013-02-10 13:06:22+0000 [SSHService ssh-userauth on HoneyPotTransport,9262,193.200.88.100] login attempt [root/toor] failed
2013-02-10 13:015:24+0000 [SSHService ssh-userauth on HoneyPotTransport,9263,64.185.229.236] login attempt [root/IamSo1337!] succeeded
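The grep above shows the raw lines; to actually measure the experiment you want to separate the logins that used the planted credential from the ordinary brute-force noise. As an added example (my code, not part of the post and not Kippo's own tooling), here is a small Python script that ties together the two steps above: it reads userdb.txt in the user:uid:password form shown earlier, parses the 'login attempt' lines out of kippo.log, and reports per source IP how many attempts were made, which succeeded, and whether the canary credential (root / IamSo1337! from the post) was used. The embedded userdb and log text are constructed samples modelled on the lines above (the 'connection lost' line is there only to show that non-login lines are skipped); the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the userdb.txt contents shown in the post (user:uid:password).
USERDB_TXT = """\
root:0:123456
root:0:abc123
root:0:p@ssw0rd
root:0:IamSo1337!
"""

# The credential planted for the experiment (from the post). Anyone logging in with
# it almost certainly found it through the pastebin/Twitter bait, not by guessing.
CANARY_CREDS = {("root", "IamSo1337!")}

# Constructed sample: a few kippo.log lines in the format shown in the post, plus one
# non-login line to show the parser ignores everything else.
KIPPO_LOG = """\
2013-02-10 13:04:46+0000 [SSHService ssh-userauth on HoneyPotTransport,9237,193.200.88.100] login attempt [root/abcd1234] failed
2013-02-10 13:04:59+0000 [SSHService ssh-userauth on HoneyPotTransport,9240,193.200.88.100] login attempt [oracle/oracle] failed
2013-02-10 13:06:05+0000 [SSHService ssh-userauth on HoneyPotTransport,9261,193.200.88.100] login attempt [root/abc123] succeeded
2013-02-10 13:06:22+0000 [SSHService ssh-userauth on HoneyPotTransport,9262,193.200.88.100] login attempt [root/toor] failed
2013-02-10 13:15:24+0000 [SSHService ssh-userauth on HoneyPotTransport,9263,64.185.229.236] login attempt [root/IamSo1337!] succeeded
2013-02-10 13:15:30+0000 [HoneyPotTransport,9263,64.185.229.236] connection lost
"""

# One 'login attempt' line: timestamp, transport session id, source IP, user/password, result.
# The password group is greedy so passwords containing ']' or '/' still parse; the
# trailing '] succeeded|failed' anchor decides where the password ends.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) "
    r"\[SSHService ssh-userauth on HoneyPotTransport,(?P<session>\d+),(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]+)/(?P<password>.*)\] (?P<result>succeeded|failed)$"
)


def parse_userdb(text):
    """Parse userdb.txt into the set of (user, password) pairs Kippo will accept."""
    creds = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, _uid, password = line.split(":", 2)  # split at most twice: password may contain ':'
        creds.add((user, password))
    return creds


def parse_login_attempts(text):
    """Return one dict per 'login attempt' line; all other log lines are skipped."""
    return [m.groupdict() for m in map(LOGIN_RE.match, text.splitlines()) if m]


def summarize(log_text, userdb_text, canaries):
    """Per source IP: attempt count, successful creds, canary timestamps, and any
    success whose credential is not in userdb.txt (the file drifted since the login,
    e.g. an attacker changed the root password in-session and Kippo appended it)."""
    allowed = parse_userdb(userdb_text)
    per_ip = defaultdict(lambda: {"attempts": 0, "succeeded": [], "canary": [], "not_in_userdb": []})
    for a in parse_login_attempts(log_text):
        cred = (a["user"], a["password"])
        entry = per_ip[a["ip"]]
        entry["attempts"] += 1
        if a["result"] == "succeeded":
            entry["succeeded"].append(cred)
            if cred not in allowed:
                entry["not_in_userdb"].append(cred)
        if cred in canaries:
            entry["canary"].append(a["ts"])
    return dict(per_ip)


def canary_sources(log_text, canaries):
    """Sorted source IPs that tried a canary credential: the traffic the bait brought in."""
    return sorted({a["ip"] for a in parse_login_attempts(log_text)
                   if (a["user"], a["password"]) in canaries})


if __name__ == "__main__":
    # On HoneyDrive you would read /opt/kippo/log/kippo.log and /opt/kippo/data/userdb.txt instead.
    for ip, s in summarize(KIPPO_LOG, USERDB_TXT, CANARY_CREDS).items():
        tag = "BAIT" if s["canary"] else "brute-force"
        print(f"{ip:16} {tag:12} attempts={s['attempts']} succeeded={len(s['succeeded'])}")
```

Running it against the real files is a matter of swapping the two constants for `open(...).read()` calls; the per-IP split is what lets you say how many of the post-bait connections came from the leak rather than from the background scanning that hits every SSH honeypot anyway.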

If you have any other tips or tricks like this, let me know by leaving a comment or sending me an email at 1aN0rmus@TekDefense.com 

Friday
Feb082013

The Kippo Kronicles - Ep2 OMG APT

In this episode of the Kippo Kronicles we replay the attack of the most advanced of all attackers, the APT attacker. Okay, not quite. In fact, calling this guy (or maybe gal) an APT'er is like calling your chubby friend slim. I get typing dir in once by accident, but to repeatedly try to type dir in Linux, come on now. Anyways, I have a ton of logs stored up and ready to videotize. More to come.