Entries in Kippo (10)

Tuesday, January 22, 2013

The Kippo Kronicles - Ep1

Welcome to the first of many Kippo Kronicles.  In this series I will use the replay function of Kippo to show what attackers have attempted to do on my honeypot.  I hope you enjoy.

Sunday, January 13, 2013

Tektip ep20 - kippo2Wordlist 

In this episode of Tektip we review a tool we created, kippo2Wordlist.

Description: kippo2Wordlist is a Python program that reads logs from Kippo to create a wordlist that can be used for anything a standard wordlist is used for, such as Pipal analysis, cracking passwords, and the like.

Installation: You can download the script from GitHub, or clone the git repository if you have git installed.  Place it in any directory you like.  I put it at:

/opt/kippo2Wordlist/

If you are using HoneyDrive and haven't changed where the Kippo logs go, you are all set.  Just run the script and it will function as designed.

honeydrive@honeydrive:/opt/kippo2Wordlist$ python kippo2Wordlist.py 

If you are not using HoneyDrive or have modified the log paths, open kippo2Wordlist.py in your favorite text editor and modify the variables as needed:

# variables for the kippo logs, if your path is not the default from honeydrive, modify logPath.
# if your log files are not named kippo.log or kippo.log.x please modify logPre.
logPre = 'kippo.log'
logPath = '/opt/kippo/log/'

Once the variables are set appropriately you can simply run the script as shown above.  When the script completes it will output the wordlist to: 

outputFile = '/opt/kippo/log/wordlist.txt'

*Feel free to change this variable as well if you would like to output to a different directory or file name.

Now you can view the wordlist to ensure that the script has done what it is supposed to.

honeydrive@honeydrive:/opt/kippo2Wordlist$ cat /opt/kippo/log/wordlist.txt 

As a sample here are a few of the passwords from the tail of my wordlist:

ortega.123#TradeLinuxKi!l|iN6#Th3Ph03$%nix@NdR3b!irD
0p9o8i
1111111
asdfghjk
temp
myftpserver
daudebautlaovi
root12
mathsacL1nuX
qwerty12345
gu3st
rootroot
education
eric
p0o9i8u7y6t5r4
boot
germaine
5393923
autt123
muieladusmanii
00000
qazwsx
!@#123
jifennet.com
zxcdsa
t35t
aceraspire
tomcat
samsung
libroot123
.sfl@zk^
system9876..
C0rb1n1-DNS
z9fasuWR
backontrack
123654re

Sunday, January 6, 2013

Tektip ep19 - Using Regex with Notepad++ 

After last week's long episode on HoneyDrive, I figured I would follow up this week with a shorter one.  In this episode we will look at how to carve text out of a file in Notepad++ using our old friend, regex.

Notepad++: From their own about page, 

Notepad++ is a free (as in "free speech" and also as in "free beer") source code editor and Notepad replacement that supports several languages. Running in the MS Windows environment, its use is governed by GPL License.

Based on the powerful editing component Scintilla, Notepad++ is written in C++ and uses pure Win32 API and STL which ensures a higher execution speed and smaller program size. By optimizing as many routines as possible without losing user friendliness, Notepad++ is trying to reduce the world carbon dioxide emissions. When using less CPU power, the PC can throttle down and reduce power consumption, resulting in a greener environment.

While most of us probably live in the Linux world, where there are already built-in text editors that allow for much of the functionality I will speak to today, there are many that use Windows as their primary box.  In some cases our employers push Windows on us, as they don't trust open source.

Either way we all probably have a windows box somewhere, even if it is just for malware analysis, or dare I say gaming.  Notepad++ is THE text editor to use in these situations.  With a large community building plugins, the features are limitless.  Today though we will be focusing on the Regex capabilities.

To review for those of you who did not watch my regex Tektip: regex, or regular expressions, are a method of matching patterns in strings using a flexible syntax.  I recommend you watch the regex Tektip if you have not already.

To begin we are going to get a log of my latest Kippo hits from my honeydrive instance, which we will then try to manipulate.  Here is a small sample:

honeydrive@honeydrive:/opt/kippo/log$ cat kippo.log | grep 'login attempt' > kippologins.txt

2013-01-06 05:35:50+0000 [SSHService ssh-userauth on HoneyPotTransport,516,210.14.71.201] login attempt [root/masinadescule] failed
2013-01-06 05:35:54+0000 [SSHService ssh-userauth on HoneyPotTransport,517,210.14.71.201] login attempt [admin/.sfl@zk^] failed
2013-01-06 05:35:58+0000 [SSHService ssh-userauth on HoneyPotTransport,518,210.14.71.201] login attempt [root/zaq123] failed
2013-01-06 05:36:02+0000 [SSHService ssh-userauth on HoneyPotTransport,519,210.14.71.201] login attempt [root/==============down=================] failed
2013-01-06 05:36:06+0000 [SSHService ssh-userauth on HoneyPotTransport,520,210.14.71.201] login attempt [bin/!!(@(*#*))MNNNBHSA{{":**(@] failed
2013-01-06 05:36:11+0000 [SSHService ssh-userauth on HoneyPotTransport,521,210.14.71.201] login attempt [bin/2#%#@%$] failed
2013-01-06 05:36:14+0000 [SSHService ssh-userauth on HoneyPotTransport,522,210.14.71.201] login attempt [bin/510326mazda] failed
2013-01-06 05:36:18+0000 [SSHService ssh-userauth on HoneyPotTransport,523,210.14.71.201] login attempt [bin/FSDwef8529637531598273k1d123kid871kid872tralalalovedolce] failed
2013-01-06 05:36:22+0000 [SSHService ssh-userauth on HoneyPotTransport,524,210.14.71.201] login attempt [bin/alupigus] failed
2013-01-06 05:36:26+0000 [SSHService ssh-userauth on HoneyPotTransport,525,210.14.71.201] login attempt [bin/diana4ever] failed
2013-01-06 05:36:30+0000 [SSHService ssh-userauth on HoneyPotTransport,526,210.14.71.201] login attempt [bin/worlddomination] failed
2013-01-06 05:36:33+0000 [SSHService ssh-userauth on HoneyPotTransport,527,210.14.71.201] login attempt [bin/BUNdAS@#$RT%GQ~EQW#%^QW] failed
2013-01-06 05:36:37+0000 [SSHService ssh-userauth on HoneyPotTransport,528,210.14.71.201] login attempt [kylix/alexxutzu1$@121] failed
2013-01-06 05:36:41+0000 [SSHService ssh-userauth on HoneyPotTransport,529,210.14.71.201] login attempt [mov/masinadescule] failed
2013-01-06 05:36:45+0000 [SSHService ssh-userauth on HoneyPotTransport,530,210.14.71.201] login attempt [be/pufos1234] failed
2013-01-06 05:36:48+0000 [SSHService ssh-userauth on HoneyPotTransport,531,210.14.71.201] login attempt [richard/78274283] failed
2013-01-06 05:36:52+0000 [SSHService ssh-userauth on HoneyPotTransport,532,210.14.71.201] login attempt [root/love123] failed
2013-01-06 05:36:56+0000 [SSHService ssh-userauth on HoneyPotTransport,533,210.14.71.201] login attempt [root/Spm!0you] failed
2013-01-06 05:37:00+0000 [SSHService ssh-userauth on HoneyPotTransport,534,210.14.71.201] login attempt [root/loveandsex4ever] failed
2013-01-06 05:37:03+0000 [SSHService ssh-userauth on HoneyPotTransport,535,210.14.71.201] login attempt [root/freot87bgrtblktgb9mgh5kh] failed
2013-01-06 05:37:09+0000 [SSHService ssh-userauth on HoneyPotTransport,537,210.14.71.201] login attempt [root/=6rj8Icn=O1<Y+&=] failed
2013-01-06 05:37:13+0000 [SSHService ssh-userauth on HoneyPotTransport,538,210.14.71.201] login attempt [root/soledad] failed
2013-01-06 05:37:16+0000 [SSHService ssh-userauth on HoneyPotTransport,539,210.14.71.201] login attempt [root/system9876..] failed
2013-01-06 05:37:20+0000 [SSHService ssh-userauth on HoneyPotTransport,540,210.14.71.201] login attempt [root/cba@horitech##!$] failed
2013-01-06 05:37:24+0000 [SSHService ssh-userauth on HoneyPotTransport,541,210.14.71.201] login attempt [root/shadow@@@ubyta336331jum] failed
2013-01-06 05:37:30+0000 [SSHService ssh-userauth on HoneyPotTransport,542,210.14.71.201] login attempt [root/17tp95] failed
2013-01-06 05:37:34+0000 [SSHService ssh-userauth on HoneyPotTransport,543,210.14.71.201] login attempt [root/72fsd9320] failed
2013-01-06 05:37:38+0000 [SSHService ssh-userauth on HoneyPotTransport,544,210.14.71.201] login attempt [root/sistemas] failed
2013-01-06 05:37:42+0000 [SSHService ssh-userauth on HoneyPotTransport,545,210.14.71.201] login attempt [root/1qazXSW@] failed
2013-01-06 05:37:46+0000 [SSHService ssh-userauth on HoneyPotTransport,546,210.14.71.201] login attempt [root/ahmad750785] failed
2013-01-06 05:37:50+0000 [SSHService ssh-userauth on HoneyPotTransport,547,210.14.71.201] login attempt [root/1q2z3w4x] failed
2013-01-06 05:37:54+0000 [SSHService ssh-userauth on HoneyPotTransport,548,210.14.71.201] login attempt [root/shadow@@@ubyta] failed
2013-01-06 05:37:57+0000 [SSHService ssh-userauth on HoneyPotTransport,549,210.14.71.201] login attempt [root/68N4VpcUgoBFs11TE.] failed
2013-01-06 05:38:01+0000 [SSHService ssh-userauth on HoneyPotTransport,550,210.14.71.201] login attempt [root/mailadmin] failed
2013-01-06 05:38:04+0000 [SSHService ssh-userauth on HoneyPotTransport,551,210.14.71.201] login attempt [root/ktmyzf] failed
2013-01-06 05:38:08+0000 [SSHService ssh-userauth on HoneyPotTransport,552,210.14.71.201] login attempt [root/oracle1] failed
2013-01-06 05:38:12+0000 [SSHService ssh-userauth on HoneyPotTransport,553,210.14.71.201] login attempt [root/NB16hrah55E2.] failed
2013-01-06 05:38:16+0000 [SSHService ssh-userauth on HoneyPotTransport,554,210.14.71.201] login attempt [root/valentinaqwe] failed
2013-01-06 05:38:19+0000 [SSHService ssh-userauth on HoneyPotTransport,555,210.14.71.201] login attempt [root/Sabyn.users.undernet.org] failed
2013-01-06 05:38:23+0000 [SSHService ssh-userauth on HoneyPotTransport,556,210.14.71.201] login attempt [root/ldqsz,bpmcs.] failed
2013-01-06 05:38:31+0000 [SSHService ssh-userauth on HoneyPotTransport,557,210.14.71.201] login attempt [root/b2y3j@my1930] failed
2013-01-06 05:38:35+0000 [SSHService ssh-userauth on HoneyPotTransport,558,210.14.71.201] login attempt [root/egg98<ZsuxG%] failed
2013-01-06 05:38:40+0000 [SSHService ssh-userauth on HoneyPotTransport,559,210.14.71.201] login attempt [root/loler1q] failed
2013-01-06 05:38:43+0000 [SSHService ssh-userauth on HoneyPotTransport,560,210.14.71.201] login attempt [root/n4k4mur41sh3r3] failed
2013-01-06 05:38:47+0000 [SSHService ssh-userauth on HoneyPotTransport,561,210.14.71.201] login attempt [root/gnome-session] failed
2013-01-06 05:38:51+0000 [SSHService ssh-userauth on HoneyPotTransport,562,210.14.71.201] login attempt [root/E9832UIRF2J3IFJ23] failed
2013-01-06 05:38:55+0000 [SSHService ssh-userauth on HoneyPotTransport,563,210.14.71.201] login attempt [root/metiko] failed
2013-01-06 05:39:00+0000 [SSHService ssh-userauth on HoneyPotTransport,564,210.14.71.201] login attempt [root/ilrOm15] failed
2013-01-06 05:39:03+0000 [SSHService ssh-userauth on HoneyPotTransport,565,210.14.71.201] login attempt [root/1111132329993] failed
2013-01-06 05:39:07+0000 [SSHService ssh-userauth on HoneyPotTransport,566,210.14.71.201] login attempt [root/1111132329993aq] failed
2013-01-06 05:39:11+0000 [SSHService ssh-userauth on HoneyPotTransport,567,210.14.71.201] login attempt [root/111111] failed
2013-01-06 05:39:15+0000 [SSHService ssh-userauth on HoneyPotTransport,568,210.14.71.201] login attempt [root/pcservlinux] failed
2013-01-06 05:39:19+0000 [SSHService ssh-userauth on HoneyPotTransport,569,210.14.71.201] login attempt [root/slain22446688] failed
2013-01-06 05:39:22+0000 [SSHService ssh-userauth on HoneyPotTransport,570,210.14.71.201] login attempt [root/server2009] failed
2013-01-06 05:39:26+0000 [SSHService ssh-userauth on HoneyPotTransport,571,210.14.71.201] login attempt [root/coadadebalena] failed
2013-01-06 05:39:30+0000 [SSHService ssh-userauth on HoneyPotTransport,572,210.14.71.201] login attempt [root/muie202020] failed
2013-01-06 05:39:33+0000 [SSHService ssh-userauth on HoneyPotTransport,573,210.14.71.201] login attempt [root/linx123] failed
2013-01-06 05:39:37+0000 [SSHService ssh-userauth on HoneyPotTransport,574,210.14.71.201] login attempt [root/miguelc] failed
2013-01-06 05:39:41+0000 [SSHService ssh-userauth on HoneyPotTransport,575,210.14.71.201] login attempt [root/demined7mc] failed
2013-01-06 05:39:46+0000 [SSHService ssh-userauth on HoneyPotTransport,576,210.14.71.201] login attempt [root/rootpollos] failed
2013-01-06 05:39:49+0000 [SSHService ssh-userauth on HoneyPotTransport,577,210.14.71.201] login attempt [root/215people4477] failed
2013-01-06 05:39:53+0000 [SSHService ssh-userauth on HoneyPotTransport,578,210.14.71.201] login attempt [root/rfhs1229] failed
2013-01-06 05:39:57+0000 [SSHService ssh-userauth on HoneyPotTransport,579,210.14.71.201] login attempt [root/L1n$ux@c@vu#m] failed
2013-01-06 05:40:01+0000 [SSHService ssh-userauth on HoneyPotTransport,580,210.14.71.201] login attempt [root/lam3r3] failed
2013-01-06 05:40:04+0000 [SSHService ssh-userauth on HoneyPotTransport,581,210.14.71.201] login attempt [root/planetbr] failed
2013-01-06 05:40:08+0000 [SSHService ssh-userauth on HoneyPotTransport,582,210.14.71.201] login attempt [root/VHCsoft@admin123] failed
2013-01-06 05:40:12+0000 [SSHService ssh-userauth on HoneyPotTransport,583,210.14.71.201] login attempt [root/tractordelemn] failed
2013-01-06 05:40:16+0000 [SSHService ssh-userauth on HoneyPotTransport,584,210.14.71.201] login attempt [root/dragos3443gff@665$G455454dragos2sd] failed
2013-01-06 05:40:19+0000 [SSHService ssh-userauth on HoneyPotTransport,585,210.14.71.201] login attempt [root/Kr3at0r@I5Th3B3st0F!#$$#!] failed
2013-01-06 05:40:23+0000 [SSHService ssh-userauth on HoneyPotTransport,586,210.14.71.201] login attempt [root/ortega.123#TradeLinuxKi!l|iN6#Th3Ph03$%nix@NdR3b!irD] failed
2013-01-06 05:40:27+0000 [SSHService ssh-userauth on HoneyPotTransport,587,210.14.71.201] login attempt [root/linuxsex123] failed
2013-01-06 05:40:30+0000 [SSHService ssh-userauth on HoneyPotTransport,588,210.14.71.201] login attempt [root/tarenatarena412414] failed
2013-01-06 05:40:34+0000 [SSHService ssh-userauth on HoneyPotTransport,589,210.14.71.201] login attempt [root/qkm@!(%.)=*^&fhE] failed
2013-01-06 05:40:40+0000 [SSHService ssh-userauth on HoneyPotTransport,590,210.14.71.201] login attempt [root/vazador108] failed
2013-01-06 05:40:46+0000 [SSHService ssh-userauth on HoneyPotTransport,591,210.14.71.201] login attempt [root/!#m@mut&#!] failed
2013-01-06 05:40:51+0000 [SSHService ssh-userauth on HoneyPotTransport,592,210.14.71.201] login attempt [root/codecmpeg4codecmpeg4] failed
2013-01-06 05:40:55+0000 [SSHService ssh-userauth on HoneyPotTransport,593,210.14.71.201] login attempt [root/UTCfs2202] failed
2013-01-06 05:40:59+0000 [SSHService ssh-userauth on HoneyPotTransport,594,210.14.71.201] login attempt [root/asroma1927] failed
2013-01-06 05:41:04+0000 [SSHService ssh-userauth on HoneyPotTransport,595,210.14.71.201] login attempt [root/P@ssw0rd] failed
2013-01-06 05:41:09+0000 [SSHService ssh-userauth on HoneyPotTransport,596,210.14.71.201] login attempt [root/ncc1701d] failed
2013-01-06 05:41:12+0000 [SSHService ssh-userauth on HoneyPotTransport,597,210.14.71.201] login attempt [root/welcome1] failed
2013-01-06 05:41:16+0000 [SSHService ssh-userauth on HoneyPotTransport,598,210.14.71.201] login attempt [root/s1rolexcom] failed
2013-01-06 05:41:20+0000 [SSHService ssh-userauth on HoneyPotTransport,599,210.14.71.201] login attempt [root/iamh4ckst4rf0r3ver] failed
2013-01-06 05:41:23+0000 [SSHService ssh-userauth on HoneyPotTransport,600,210.14.71.201] login attempt [root/wvhlyf] failed
2013-01-06 05:41:28+0000 [SSHService ssh-userauth on HoneyPotTransport,601,210.14.71.201] login attempt [root/nti-support] failed
2013-01-06 05:41:32+0000 [SSHService ssh-userauth on HoneyPotTransport,602,210.14.71.201] login attempt [root/sanja123hack] failed
2013-01-06 05:41:36+0000 [SSHService ssh-userauth on HoneyPotTransport,603,210.14.71.201] login attempt [root/zaq12wsx] failed
2013-01-06 05:41:40+0000 [SSHService ssh-userauth on HoneyPotTransport,604,210.14.71.201] login attempt [root/welcome@9] failed
2013-01-06 05:41:43+0000 [SSHService ssh-userauth on HoneyPotTransport,605,210.14.71.201] login attempt [root/clear!@#55896261] failed
2013-01-06 05:41:47+0000 [SSHService ssh-userauth on HoneyPotTransport,606,210.14.71.201] login attempt [root/dltkrhd!240!] failed
2013-01-06 05:41:50+0000 [SSHService ssh-userauth on HoneyPotTransport,607,210.14.71.201] login attempt [root/2010Root1q2w3e] failed
2013-01-06 05:41:57+0000 [SSHService ssh-userauth on HoneyPotTransport,608,210.14.71.201] login attempt [root/Pf0t3nw3g] failed
2013-01-06 05:42:01+0000 [SSHService ssh-userauth on HoneyPotTransport,609,210.14.71.201] login attempt [root/karoca gre!] failed
2013-01-06 05:42:04+0000 [SSHService ssh-userauth on HoneyPotTransport,610,210.14.71.201] login attempt [root/system1234..] failed
2013-01-06 05:42:08+0000 [SSHService ssh-userauth on HoneyPotTransport,611,210.14.71.201] login attempt [root/!msoft1956] failed
2013-01-06 05:42:12+0000 [SSHService ssh-userauth on HoneyPotTransport,612,210.14.71.201] login attempt [root/Lsr4Mny$] failed
2013-01-06 05:42:16+0000 [SSHService ssh-userauth on HoneyPotTransport,613,210.14.71.201] login attempt [root/sercon] failed
2013-01-06 05:42:19+0000 [SSHService ssh-userauth on HoneyPotTransport,614,210.14.71.201] login attempt [root/!you#ming%shun&] failed
2013-01-06 05:42:23+0000 [SSHService ssh-userauth on HoneyPotTransport,615,210.14.71.201] login attempt [root/R3lisysfanta] failed
2013-01-06 06:03:38+0000 [SSHService ssh-userauth on HoneyPotTransport,617,64.191.21.190] login attempt [173.252.237.117/cacutza] failed
2013-01-06 06:03:39+0000 [SSHService ssh-userauth on HoneyPotTransport,617,64.191.21.190] login attempt [173.252.237.117/173.252.237.115] failed
2013-01-06 07:58:11+0000 [SSHService ssh-userauth on HoneyPotTransport,618,64.191.21.190] login attempt [173.252.237.118/cacutza] failed
2013-01-06 07:58:12+0000 [SSHService ssh-userauth on HoneyPotTransport,618,64.191.21.190] login attempt [173.252.237.118/173.252.237.119] failed

Now let's say we just wanted the passwords from this log.  As this is just a small sampling, you can imagine doing this manually would not be a fun task.  Luckily, Notepad++ has a solution for this.  Open Notepad++ and paste in the logs above if you would like to follow along.  With Notepad++ open, hit Ctrl+F to bring up the Find dialog.

The Find dialog has a lot of options.  We will start in the Find tab for now and then move to Replace.  Selecting the "Regular expression" radio button in the bottom left tells Notepad++ that our search string is a regex.  There are other options, but we will focus on this one for now.

Now we need to build the regex that will find the password.  As there is nothing unique about the passwords themselves that we can match on, we will have to match a pattern and select what we want from it using ().  I hate to mention this again, but if you have not already watched my regex tutorial, now is the time to do so.

Looking at the log, we can quickly identify where the password is.  The username and password are always between [] and always separated by a /.  The regex for what I just described is this:

\[\w+\/.+\]

To break it down: "\[" matches the literal "[", "\w+" matches one or more word characters (the username), "\/" matches the "/", ".+" matches one or more of any character (the password), and "\]" matches the closing "]".

Now, with that regex in the Find box, click Find All in Current Document, which should give you something like this:

Great!  Now we have a regex that matches what we are looking for, but how do you get the data out of the log?  That is what I had a little trouble with at first.  I feel like I should be able to Ctrl+C and Ctrl+V like there is no tomorrow, but that is not the case.  We have to use the Replace feature instead.  That is why we wrap () around the password part of our regex.  So let's switch to the Replace tab and add our modified regex, which should now look like this:

\[\w+\/(.+)\]

Now add \1 to the Replace field.  This means "replace the match with whatever the first set of () captured", in our case (.+), which is where the password sits in the pattern.  Hit Replace a couple of times to see what it is doing.  As you can probably tell, we are closer to what we want but not quite there.  This replaces [username/password] with the password, but the rest of the line is still there.

I know what you are saying at this point: "Dang 1aN0rmus, why should I bother? I could probably have done this manually by now."  I understand your frustration, but trust me, after you do this a few times you'll be eating up logs like it's nobody's business.  Don't fret, we will get through this.

So, how do we get rid of the rest of the line?  It's very simple: we build a regex that matches the entire line but captures only what we need.  This is easier than you think; it can almost always be done by adding ".+" before and after the regex you already built, giving us the following:

.+\[\w+\/(.+)\].+

Now let's hit Replace and see what happens.

Perfect!  Just what we wanted.  Click Replace All and you are done. The file is perfectly formatted for Pipal

This methodology will help you tremendously, but remember you will need to change your regex, and even your replacement text, to fit each new situation.  This will work fine for pulling passwords from Kippo logs, with one caveat: \w+ only matches letters, digits and underscores, so lines whose username contains anything else (the 173.252.237.117 usernames at the end of the sample above) are not matched at all and are left in place by Replace All.  Use [^/]+ in place of \w+ if you need those lines too.  If your mission changes and you would like usernames as well as passwords, you would need to modify the pattern to suit your needs.  Hopefully you have the tools to accomplish that now.

To show you a more complex example, in the same log a find string of:

.+\[(\w+)\/(.+)\].+

With a replace string of:

username:\1\r\npassword:\2

will produce:
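The same two extractions in Python, as an added example for both the kippo2Wordlist post above and this Notepad++ recipe (it is not the kippo2Wordlist script and not the author's patterns). It runs the post's `.+\[\w+\/(.+)\].+` pattern over a few constructed lines in the Kippo log format, shows that `\w+` skips the dotted usernames seen at the end of the sample above, and uses a stricter pattern to build the Pipal-ready wordlist (unique passwords, most-tried first) and the username:/password: pairs that the last find-and-replace yields. The log path and prefix defaults are the HoneyDrive values quoted in the kippo2Wordlist post; the sample log lines are constructed, and the rest is the example's own.

```python
"""Pull credentials out of Kippo "login attempt" log lines.

Added example for the post: not the kippo2Wordlist script and not the
author's Notepad++ patterns.  The sample lines are constructed in Kippo's
log format; the log path and prefix are the HoneyDrive defaults quoted in
the kippo2Wordlist post.
"""
import glob
import re
from collections import Counter

# Constructed sample in the Kippo log format shown in the post.  The last
# "username" is dotted like the ones at the end of the post's sample, and the
# final line is not a login attempt at all.
SAMPLE_LOG = """\
2013-01-06 05:35:50+0000 [SSHService ssh-userauth on HoneyPotTransport,516,210.14.71.201] login attempt [root/masinadescule] failed
2013-01-06 05:35:54+0000 [SSHService ssh-userauth on HoneyPotTransport,517,210.14.71.201] login attempt [admin/.sfl@zk^] failed
2013-01-06 05:36:00+0000 [SSHService ssh-userauth on HoneyPotTransport,518,210.14.71.201] login attempt [root/P@ssw0rd] failed
2013-01-06 05:36:02+0000 [SSHService ssh-userauth on HoneyPotTransport,519,210.14.71.201] login attempt [root/==============down=================] failed
2013-01-06 05:36:06+0000 [SSHService ssh-userauth on HoneyPotTransport,520,210.14.71.201] login attempt [bin/!!(@(*#*))MNNNBHSA{{":**(@] failed
2013-01-06 05:36:10+0000 [SSHService ssh-userauth on HoneyPotTransport,521,210.14.71.201] login attempt [admin/P@ssw0rd] failed
2013-01-06 05:36:14+0000 [SSHService ssh-userauth on HoneyPotTransport,522,210.14.71.201] login attempt [root/123456] succeeded
2013-01-06 06:03:38+0000 [SSHService ssh-userauth on HoneyPotTransport,617,64.191.21.190] login attempt [173.252.237.117/cacutza] failed
2013-01-06 06:03:40+0000 [HoneyPotTransport,617,64.191.21.190] connection lost
"""

# The post's Notepad++ find pattern.  \w+ only covers [A-Za-z0-9_], so a
# dotted username never matches and Replace All leaves that line untouched.
POST_RE = re.compile(r".+\[\w+\/(.+)\].+")

# Stricter version: anchor on the literal "login attempt [", accept any
# username without "/" or "]", keep the password greedy (it may contain "/"),
# and require Kippo's trailing verdict so the closing "]" is the right one.
LOGIN_RE = re.compile(
    r" login attempt \[(?P<user>[^/\]]+)/(?P<password>.+)\] "
    r"(?P<result>failed|succeeded)$"
)


def post_regex_passwords(text):
    """Passwords exactly as the post's \\1 replacement would produce them."""
    found = []
    for line in text.splitlines():
        m = POST_RE.search(line)
        if m:
            found.append(m.group(1))
    return found


def parse_line(line):
    """Return (user, password, result) for a login-attempt line, else None."""
    m = LOGIN_RE.search(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group("user"), m.group("password"), m.group("result")


def credentials(text):
    """All (user, password, result) tuples in a block of log text."""
    return [c for c in map(parse_line, text.splitlines()) if c]


def build_wordlist(text):
    """Unique passwords, most-tried first: one per line is what Pipal wants."""
    counts = Counter(p for _, p, _ in credentials(text))
    return [p for p, _ in counts.most_common()]


def user_pass_lines(text):
    """The post's second replacement (username:\\1, password:\\2) as lines."""
    lines = []
    for user, password, _ in credentials(text):
        lines.append("username:" + user)
        lines.append("password:" + password)
    return lines


def wordlist_from_logs(log_path="/opt/kippo/log/", log_pre="kippo.log"):
    """Same wordlist over kippo.log and its rotated kippo.log.N siblings."""
    text = ""
    for path in sorted(glob.glob(log_path + log_pre + "*")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text += fh.read()
    return build_wordlist(text)


if __name__ == "__main__":
    missed = len(credentials(SAMPLE_LOG)) - len(post_regex_passwords(SAMPLE_LOG))
    print("login attempts the post's regex skips: %d" % missed)
    print("\n".join(build_wordlist(SAMPLE_LOG)))
```

Run it as-is to see the wordlist for the sample, or call wordlist_from_logs() on a HoneyDrive box to process kippo.log together with its rotated siblings; the succeeded/failed field is kept so you can split the passwords that actually got in from the ones that were merely tried.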

Thursday, December 27, 2012

HoneyDrive - Review

Our friends over at BruteForce Labs decided to give us all a little present this holiday season.  As I have spoken about on TekTip episodes in the past, BruteForce Labs has been working on a distro that combines many of the different honeypot projects and their add-on modules.  As BackTrack is to offense and Security Onion is to defense, HoneyDrive is the premier honeypot distro.

HoneyDrive includes and is configured to run the following honeypots out of the box:

  • Kippo: Medium interaction SSH honeypot.  Includes Kippo-Graph and Kippo2MySQL.
  • Honeyd: Low interaction flexible honeypot.  Includes Honeyd2MySQL and Honeyd-Viz
  • Dionaea: Honeypot designed to collect malware and exploits.
  • Misc Honeypots: Sticky honeypot, Tiny honeypot, IIS Emulator (for Honeyd), InetSim, and SimH.

In addition to the honeypot software, HoneyDrive also includes a suite of tools for analysis, forensics, monitoring, and reverse engineering.  Included in this list is our own tool, Automater!  Some of the other tools are:

  • ntop
  • p0f
  • EtherApe
  • nmap
  • DFF
  • Wireshark
  • ClamAV
  • ettercap
  • Automater
  • UPX
  • pdftk
  • Flasm
  • pdf-parser
  • Pyew
  • dex2jar

As if this wasn't enough, HoneyDrive also includes a few extra tools, utilities, add-ons, and scripts that will assist users with maintaining the system.

While I will not go over each tool, at least not in this post, I will hit the major features.

Installation:  Ease of use and configuration is so important when bringing highly technical tools like this into one arsenal.  Many of you have probably already attempted to create your own honeypot using some of this software before.  If your experiences were anything like mine there was most likely a bit of cursing and frustration involved, especially as you introduce add-ons and extensions for these tools.  HoneyDrive is very simple to install and works mostly without any extra configuration.  To install, simply download the .ova from the HoneyDrive SourceForge page.  If you are using VirtualBox, simply double-click the .ova once downloaded to launch the virtual machine importer for HoneyDrive.  The VM should import without issue. 

*I should note that I had to change the network settings when I imported to utilize a different interface than the default.

After the import simply startup the VM and you will be able to login with the credentials provided in the readme.

Using Kippo:

As I have already done a TekTip episode on Kippo I will spare you all the gory details of the product and instead point you to the video.  I will be skipping the replay functionality mostly.  Kippo is one of the most automated honeypots in the distro.  It requires very little interaction to get it working.

It is important to know where all the files reside in this distro in relation to Kippo.  From the readme:

[Kippo]
Start: /opt/kippo/start.sh
Downloads: /opt/kippo/dl/
TTY logs: /opt/kippo/log/tty/
Credentials: /opt/kippo/data/userdb.txt
MySQL database: kippo
MySQL user/password: root/honeydrive
[Kippo-Graph]
Location: /var/www/kippo-graph/
Config: /var/www/kippo-graph/config.php
URL: http://local-or-remote-IP-address/kippo-graph/
MySQL database: kippo
MySQL user/password: root/honeydrive
[Kippo2MySQL]
Location: /opt/kippo2mysql/
MySQL database: kippo2mysql
MySQL user/password: root/honeydrive

To start kippo, open a terminal and navigate to /opt/kippo/ and run start.sh

cd /opt/kippo/

./start.sh

That is it!  You are now running an SSH honeypot.  Again I am skipping a lot of details on what Kippo is but you can go to my video to see the full info.

Now before showing the visualization features, I need to generate some SSH traffic to that honeypot.  I did this manually, from a few other machines.  

*Remember that the password Kippo accepts by default is 123456 (it lives in /opt/kippo/data/userdb.txt, listed above), so that is what you log in with when simulating attempts yourself.

Once some traffic has occurred either via actual connections to your honeypot or simulated ones from yourself open a web browser and navigate to http://localhost/kippo-graph/ on your VM.  Here you will need to click on the text that states "GENERATE_THE_KIPPO_GRAPHS".  This will manually pull the data that was already imported into mysql from your kippo logs and display them in graphs that help tell a visual story of connections.

These graphs show statistics on passwords, usernames, inputs, connections, and many other details.  This distro would be well worth the time spent on it just to have Kippo pre-installed and configured to work with Kippo-Graph, but that is only one feature.

Using Honeyd:

Honeyd is a flexible low-interaction honeypot.  Created by Niels Provos (currently employed by Google), honeyd can be used to emulate a myriad of services and machines.  With Honeyd you can create templates of behaviors for machines and then deploy numerous instances of these templates on a single machine, effectively emulating a full network. 

Honeyd takes a little more work than Kippo to get running properly on this distro, but it is still much better than getting it functioning on your own.  Like Kippo it is best to start off with where the important files reside:

[Honeyd]
Bin: /usr/bin/honeyd, + /usr/bin/honeydstats
Config: /etc/honeypot/
Scripts: /usr/share/honeyd/scripts/
Logs: /var/log/honeypot/

[Honeyd2MySQL]
Location: /opt/honeyd2mysql/ 
MySQL database: honey2mysql
MySQL user/password: root/honeydrive

[Honeyd-Viz]
Location: /var/www/honeyd-viz/
Config: /var/www/honeyd-viz/config.php
URL: http://local-or-remote-IP-address/honeyd-viz/
MySQL database: honeyd2mysql
MySQL user/password: root/honeydrive

[Honeyd-Scripts]
Location: /opt/honeyd-scripts/
+ honeyd-geoip
+ honeyd-geoip-cymru

The first step to getting honeyd up and running is the configuration file.  Here is where you set up your templates and bindings.  By default the config binds to 10.x.x.x addresses.  That may work for some of you, but I wanted it to leverage DHCP.  To do this, you have to ensure that the template binds to a MAC that is not the same as the HoneyDrive box's.  Here is my basic config:

create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create windows
set windows personality "Microsoft Windows XP Professional SP1"
# per-template default: "set <template> default <proto> action <action>"
set windows default tcp action reset
# use a unicast MAC: the low bit of the first octet must be clear, an odd
# first octet (e.g. 73) is a group/multicast address and is not a valid
# source address for DHCP or ARP
set windows ethernet "72:D5:DF:84:5A:17"
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
add windows tcp port 21 open

dhcp windows on eth0

Once you have the config set the way you want run honeyd:

sudo honeyd -d -f /etc/honeypot.conf -l /var/log/honeypot/honeyd.log

Be sure you log to that exact path and file.  If you do not, you will need to modify the honeyd2mysql.pl script to look at where your logs are going.  I used -d above in order to be able to troubleshoot; if you leave -d out, honeyd runs in the background.

Now that honeyd is up and running, generate some scan activity so the log has something in it.  An nmap scan will work fine.  

While Kippo transfers the logs to MySQL automatically, honeyd does not, as far as I can tell (perhaps I am doing something wrong).  So we must run the honeyd2mysql script.

cd /opt/honeyd2mysql/

./honeyd2mysql.pl

Now we can generate graphs just as we did with kippo.

Open a web browser and connect to http://localhost/Honeyd-viz/index.php.  Click on the link that states "GENERATE_THEHONEYD_GRAPHS".  This will now create graphs from the data we imported into MySQL.

Dionaea:

Dionaea is a honeypot designed to collect malware and exploits.  It does this by emulating services and collecting what the attacker or malicious software sends their way.  The Malware Analyst's Cookbook does a great write up on this honeypot that you should check out if you haven't already.  As with the others lets check out the useful files:

[Dionaea]
Location: /opt/dionaea/
Bin: /opt/dionaea/bin/dionaea
Config: /opt/dionaea/etc/dionaea/dionaea.conf
Logs: /opt/dionaea/var/log/
SQLite database: /opt/dionaea/var/dionaea/logsql.sqlite
Malware samples: /opt/dionaea/var/dionaea/binaries/
+ phpLiteAdmin: /var/www/phpliteadmin,
+ password: honeydrive, 
+ URL: http://localhost/phpliteadmin/phpliteadmin.php

[Dionaea-Scripts]
Location: /opt/dionaea-scripts/
+ mimic-nepstats
+ dionaea-sqlquery

As with the other honeypots, take a look at the config and ensure it meets your needs.  The default worked for me.  Once the config is ready, simply run dionaea.  If you want to test that it is working, just fire up Metasploit on another OS and send some exploits at dionaea.  phpLiteAdmin is included and configured by default for browsing the SQLite database.

LaBrea:

LaBrea is part IDS and part sticky honeypot.  Now some of you are probably asking, "What the heck is a sticky honeypot?"  A sticky honeypot, or tarpit, is used to slow attackers down as they reach the honeypot.  To learn more about how it works and why to use it, check out http://labrea.sourceforge.net/Intro-History.html

[LaBrea]
Bin: /usr/sbin/labrea
Config: /etc/labrea/labrea.conf

Before running Labrea be sure to read the Labrea readme.  Labrea has the potential to cause issues on your network if it is not configured and run properly.  For those who just want to rush in though, the following command from the Labrea FAQ will get you started. Be warned though.

labrea -z -s -o -b -p 10000 -i eth1

Tiny Honeypot:

Tiny Honeypot will listen on all TCP ports not currently in use and provide very limited responses back to attackers. The responses should be enough to trick most automated attack tools.

[Tiny Honeypot]
Bin: /usr/sbin/thpot
Config: /etc/thpot/thp.conf
Examples: /usr/share/doc/tinyhoneypot/examples/
Logs: /var/log/thpot/

In the config file you can modify what interface is used and control what some of the responses are.  To run Tiny Honeypot for a single service, simply navigate to /usr/sbin and run the following:

sudo ./thpot ftp

Of course you can replace FTP with whatever service you want to put in.  There is a lot more that can be done with Tiny Honeypot.  Look in the examples directory and of course checkout the readme to find out more.

INetSim:

INetSim is a tool for simulating common Internet services.  Back in one of the first TekTip videos I showed INetSim and its use for malware analysis.  For instance, if we want a malware sample to think it is talking to its C2 (CnC) server, we can redirect its DNS lookups (for example with ApateDNS) to INetSim, which responds with enough data to hopefully fool the malware.  The important files can be found at:

[INetSim]

Bin: /usr/bin/inetsim

Config: /etc/inetsim/inetsim.conf

Logs: /var/log/inetsim/

You can adjust the config to fit your needs of course, but INetSim will run with the default config just fine.  Navigate to /usr/bin and run inetsim (as root, since most of the simulated services bind ports below 1024).  Two things to note in the run below: INetSim listens on 127.0.0.1 by default, so set service_bind_address in inetsim.conf to the address of your lab interface before pointing other VMs at it, and the DNS and HTTP services failed to start with "Address already in use" because something on the box already owned ports 53 and 80; stop that service or change the port in inetsim.conf before relying on those two.

sudo ./inetsim

Example output once it is running is as such:

INetSim 1.2.3 (2012-10-01) by Matthias Eckert & Thomas Hungenberg
Main logfile '/var/log/inetsim/main.log' does not exist. Trying to create it...
Main logfile '/var/log/inetsim/main.log' successfully created.
Sub logfile '/var/log/inetsim/service.log' does not exist. Trying to create it...
Sub logfile '/var/log/inetsim/service.log' successfully created.
Debug logfile '/var/log/inetsim/debug.log' does not exist. Trying to create it...
Debug logfile '/var/log/inetsim/debug.log' successfully created.
Using log directory:      /var/log/inetsim/
Using data directory:     /var/lib/inetsim/
Using report directory:   /var/log/inetsim/report/
Using configuration file: /etc/inetsim/inetsim.conf
Parsing configuration file.
Configuration file parsed successfully.
=== INetSim main process started (PID 2732) ===
Session ID:     2732
Listening on:   127.0.0.1
Real Date/Time: Fri Dec 28 21:38:19 2012
Fake Date/Time: Fri Dec 28 21:38:19 2012 (Delta: 0 seconds)
 Forking services...
Couldn't create TCP socket: Address already in use at /usr/lib/perl5/Net/DNS/Nameserver.pm line 90
Net::DNS::Nameserver::new('Net::DNS::Nameserver', 'LocalAddr', 127.0.0.1, 'LocalPort', 53, 'ReplyHandler', 'CODE(0xa91215c)', 'Verbose', 0, ...) called at /usr/share/perl5/INetSim/DNS.pm line 37
INetSim::DNS::dns called at /usr/share/perl5/INetSim.pm line 74
INetSim::fork_services() called at /usr/share/perl5/INetSim.pm line 396
INetSim::main() called at ./inetsim line 22
Couldn't create UDP socket: Address already in use at /usr/lib/perl5/Net/DNS/Nameserver.pm line 109
Net::DNS::Nameserver::new('Net::DNS::Nameserver', 'LocalAddr', 127.0.0.1, 'LocalPort', 53, 'ReplyHandler', 'CODE(0xa91215c)', 'Verbose', 0, ...) called at /usr/share/perl5/INetSim/DNS.pm line 37
INetSim::DNS::dns called at /usr/share/perl5/INetSim.pm line 74
INetSim::fork_services() called at /usr/share/perl5/INetSim.pm line 396
INetSim::main() called at ./inetsim line 22
  * dns_53_tcp_udp - failed!
  * irc_6667_tcp - started (PID 2744)
  * ntp_123_udp - started (PID 2745)
  * ident_113_tcp - started (PID 2747)
  * finger_79_tcp - started (PID 2746)
  * tftp_69_udp - started (PID 2743)
  * syslog_514_udp - started (PID 2748)
  * echo_7_tcp - started (PID 2753)
  * echo_7_udp - started (PID 2754)
  * time_37_tcp - started (PID 2749)
  * discard_9_udp - started (PID 2756)
  * time_37_udp - started (PID 2750)
  * chargen_19_tcp - started (PID 2759)
  * daytime_13_tcp - started (PID 2751)
  * pop3s_995_tcp - started (PID 2740)
  * smtps_465_tcp - started (PID 2738)
  * dummy_1_udp - started (PID 2762)
  * smtp_25_tcp - started (PID 2737)
  * discard_9_tcp - started (PID 2755)
  * daytime_13_udp - started (PID 2752)
  * quotd_17_tcp - started (PID 2757)
  * chargen_19_udp - started (PID 2760)
  * https_443_tcp - started (PID 2736)
  * dummy_1_tcp - started (PID 2761)
  * ftps_990_tcp - started (PID 2742)
  * pop3_110_tcp - started (PID 2739)
  * quotd_17_udp - started (PID 2758)
  * http_80_tcp - failed!
  * ftp_21_tcp - started (PID 2741)
 done.
Simulation running.
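When a service line comes back "failed!" the question is always the same: who has the port, or did I just not run it as root?  Here is an added example (my own script, not part of INetSim) that parses the "Forking services..." block above, picks out the services that failed, and then tries to bind each of their ports itself so it can tell the two causes apart: EADDRINUSE is the "Address already in use" seen above (another daemon owns the port), EACCES means a port below 1024 without root.  The startup excerpt embedded in the script is constructed from the output above; nothing else about INetSim is assumed.

```python
"""Diagnose INetSim services that reported 'failed!' at startup.
Added example, not INetSim's own code."""
import errno
import re
import socket

# Constructed excerpt of the "Forking services..." block from the run above
# (only some of the started lines are repeated here).
STARTUP_EXCERPT = """\
 Forking services...
  * dns_53_tcp_udp - failed!
  * irc_6667_tcp - started (PID 2744)
  * ntp_123_udp - started (PID 2745)
  * echo_7_tcp - started (PID 2753)
  * echo_7_udp - started (PID 2754)
  * https_443_tcp - started (PID 2736)
  * http_80_tcp - failed!
  * ftp_21_tcp - started (PID 2741)
 done.
Simulation running.
"""

# One service line: "  * name_port_proto - started (PID n)" or "... - failed!"
SERVICE_RE = re.compile(
    r'^\s*\*\s+(?P<name>[a-z0-9]+)_(?P<port>\d+)_(?P<proto>tcp_udp|tcp|udp)'
    r'\s+-\s+(?:started \(PID (?P<pid>\d+)\)|(?P<failed>failed!))\s*$'
)


def parse_startup(text):
    """Return one dict per service line: name, port, protos (['tcp'], ['udp']
    or ['tcp', 'udp']), pid (int or None) and ok (False for 'failed!')."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue            # banner, log-file chatter, Perl traceback lines
        services.append({
            'name': m.group('name'),
            'port': int(m.group('port')),
            'protos': m.group('proto').split('_'),
            'pid': int(m.group('pid')) if m.group('pid') else None,
            'ok': m.group('failed') is None,
        })
    return services


def port_status(port, proto='tcp', addr='127.0.0.1'):
    """Try to bind the socket INetSim wanted and report why it could not.
    'in-use'     -> EADDRINUSE: another daemon already owns the port
                    (the case in the run above: 'Address already in use')
    'privileged' -> EACCES/EPERM: port below 1024 and we are not root
    'free'       -> bind succeeded; the probe socket is closed again at once"""
    kind = socket.SOCK_STREAM if proto == 'tcp' else socket.SOCK_DGRAM
    s = socket.socket(socket.AF_INET, kind)
    try:
        s.bind((addr, port))
        return 'free'
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return 'in-use'
        if e.errno in (errno.EACCES, errno.EPERM):
            return 'privileged'
        return 'error:' + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def diagnose(text, addr='127.0.0.1'):
    """Probe every port of every service INetSim reported as failed.
    Returns {(name, port, proto): status}."""
    result = {}
    for svc in parse_startup(text):
        if svc['ok']:
            continue
        for proto in svc['protos']:
            result[(svc['name'], svc['port'], proto)] = port_status(svc['port'], proto, addr)
    return result


if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else STARTUP_EXCERPT
    for (name, port, proto), status in sorted(diagnose(text).items()):
        print('%s %d/%s: %s' % (name, port, proto, status))
```

Run it as the same user you started inetsim as: if it prints "privileged" for ports 53 and 80 the fix is sudo, if it prints "in-use" go and find the daemon that already listens there (or move the INetSim service to another port in inetsim.conf).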

Misc Tools:

As I mentioned previously, in addition to the honeypots there are many other tools included.  Automater is of course one of those, but there are many more.  From the readme:

[Security/Forensics/Anti-Malware Tools]

EtherApe

PuTTY SSH Client

nmap, + Zenmap, Umit Network Scanner

Wireshark, + tshark

Vidalia

DNS Query Tool

ClamAV, + ClamTk

ettercap

htop

ntop, + "admin" 

ngrep

p0f

Flawfinder

Automater

Netcat

VBinDiff

UPX

ssdeep

md5deep

pdftk

Flasm

dex2jar

DFF (Digital Forensics Framework)

DNSpenTest

pdf-parser

NASM

Dissy

HT Editor

shellcode2exe

Pyew, + Bokken GUI

 

[Firefox Add-ons]

Firebug

NoScript

Adblock Plus

JavaScript Deobfuscator

 

[Extra Software]

Furius ISO Mount

GParted

gedit

Parcellite

Shutter

Terminator

VYM - View Your Mind

WebHTTrack Website Copier

UNetbootin

RecordMyDesktop

VLC media player

gURLChecker

Xpdf

Conclusion:

Honeydrive 0.1 is a great start to a promising distro.  It includes most of the major honeypot software.  The suite of tools should give users a very flexible solution that can adapt to fit home, lab, and even production networks.  Adding a few more tools and automating the startup of the rest will help a lot with users who have not dealt with these tools in the past.  As the community for this distro grows I would expect documentation on the software to grow, which of course will help us all.  Expect to see a video format of this review on this Sunday's edition of TekTip.

-1aN0rmus (1aN0rmus@TekDefense.com)

Saturday
Oct132012

TekTip ep11 - Kippo SSH Honeypot

Description: Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
Uses:  Alert to potential threats, watch how hackers operate, gather exploits and malware.
Installation:
http://bruteforce.gr/honeybox Honeybox is a distro that contains numerous honeypot packages, all on a single box.  Additionally, the distro preconfigures the honeypots to use some of the many enhancements BruteForce Labs have created for them.
*If at home, to make this accessible from the internet you will need to enable port forwarding at your modem, and potentially in your virtual machine software.  Forward only the port Kippo listens on; the box's real SSH daemon must not be reachable through the same hole.
Usage:
kippo/kippo.cfg : Main configuration file (listen port, the hostname shown to the attacker, log and filesystem paths).
kippo/honeyfs : The fake filesystem that will be presented to the attacker.
kippo/data/userdb.txt : This file lets us set the username and password combinations that will work when attackers attempt to log into the honeypot.
kippo/log/tty/ : In this directory you will find the logs for each session established by attackers.
./start.sh
- will start kippo
kippo/utils/playlog.py : Replay an attacker session from the kippo/log/tty directory.
Usage: playlog.py [-bfhi] [-m secs] [-w file] <tty-log-file>
 -f             keep trying to read the log until it's closed
 -m <seconds>   maximum delay in seconds, to avoid boredom or fast-forward to the end. (default is 3.0)
 -i             show the input stream instead of output
 -b             show both input and output streams
 -c             colorify the output stream based on what streams are being received
 -h             display this help
e.g.
~/kippo/utils/playlog.py 20121012-115031-8544.log
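To see what playlog.py -i and -b are actually pulling apart, here is an added example (my own script, not Kippo's code) that parses a tty log directly and reconstructs the command lines the attacker typed, backspaces included, which is handy when you want to triage a directory of sessions without replaying each one.  It assumes the record layout I read in Kippo's core/ttylog.py: a 24-byte little-endian '<iLiiLL' header (op, tty, length, direction, sec, usec) followed by the payload, with op 1/2/3 meaning open/close/write and direction 1/2 meaning input/output; verify that against your copy before trusting it.  The session it parses is constructed inside the script, not a real capture.

```python
"""Split a Kippo tty log into what the attacker typed and what the honeypot
answered.  Added example, not Kippo's own code.

Assumed record layout (from Kippo's core/ttylog.py, the UML ttylog format):
24-byte header struct('<iLiiLL') = (op, tty, length, direction, sec, usec),
then `length` payload bytes.  Check the struct string against your copy."""
import struct

OP_OPEN, OP_CLOSE, OP_WRITE, OP_EXEC = 1, 2, 3, 4   # as in ttylog.py (assumed)
DIR_INPUT, DIR_OUTPUT, DIR_INTERACT = 1, 2, 3        # as in ttylog.py (assumed)
HEADER = struct.Struct('<iLiiLL')                    # op, tty, length, direction, sec, usec


def make_record(op, direction, stamp, data=b''):
    """Pack one record the way ttylog_write()/ttylog_open() do; used here only
    to build the constructed sample log."""
    sec = int(stamp)
    usec = int((stamp - sec) * 1000000)
    return HEADER.pack(op, 0, len(data), direction, sec, usec) + data


def parse_ttylog(blob):
    """Yield (op, direction, timestamp, payload) for each complete record.
    A trailing partial record (file copied while the session was still open,
    or Kippo died mid-write) ends the iteration instead of raising."""
    off = 0
    while off + HEADER.size <= len(blob):
        op, _tty, length, direction, sec, usec = HEADER.unpack_from(blob, off)
        off += HEADER.size
        payload = blob[off:off + length]
        if len(payload) != length:
            break
        off += length
        yield op, direction, sec + usec / 1e6, payload


def split_streams(blob):
    """Return (attacker_input, honeypot_output, session_seconds).
    The first two are what playlog.py -i and the default replay show."""
    inp, out = bytearray(), bytearray()
    first = last = None
    for op, direction, ts, payload in parse_ttylog(blob):
        if first is None:
            first = ts
        last = ts
        if op != OP_WRITE:
            continue
        if direction == DIR_INPUT:
            inp += payload
        elif direction == DIR_OUTPUT:
            out += payload
    return bytes(inp), bytes(out), (0.0 if first is None else last - first)


def typed_lines(raw_input):
    """Turn the keystroke stream into the command lines the attacker submitted:
    backspace/DEL erase the previous character (so 'cta<DEL><DEL>at' is 'cat'),
    CR or LF ends a line, empty lines and unfinished input at EOF are dropped."""
    lines, cur = [], bytearray()
    for b in raw_input:
        if b in (0x08, 0x7f):
            if cur:
                cur.pop()
        elif b in (0x0d, 0x0a):
            if cur:
                lines.append(cur.decode('utf-8', 'replace'))
            cur = bytearray()
        else:
            cur.append(b)
    return lines


def summarize(blob):
    """One-line triage of a session: commands typed, duration, output volume."""
    inp, out, seconds = split_streams(blob)
    return {'commands': typed_lines(inp), 'seconds': round(seconds, 2),
            'output_bytes': len(out)}


# Constructed sample session (not a real capture).  T0 is an arbitrary epoch
# time; the prompt and command output are made up to look like a Kippo shell.
T0 = 1350049831.25
SAMPLE_LOG = b''.join([
    make_record(OP_OPEN, 0, T0),
    make_record(OP_WRITE, DIR_OUTPUT, T0 + 0.1, b'sales:~# '),
    make_record(OP_WRITE, DIR_INPUT, T0 + 2.0, b'w\r'),
    make_record(OP_WRITE, DIR_OUTPUT, T0 + 2.1, b'\r\n 11:50 up 14 days, 1 user\r\nsales:~# '),
    make_record(OP_WRITE, DIR_INPUT, T0 + 5.0, b'cta\x7f\x7fat /etc/passwd\r'),
    make_record(OP_WRITE, DIR_OUTPUT, T0 + 5.2, b'\r\nroot:x:0:0:root:/root:/bin/bash\r\nsales:~# '),
    make_record(OP_CLOSE, 0, T0 + 9.0),
])

if __name__ == '__main__':
    import sys
    blob = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(summarize(blob))
```

Point it at a file from kippo/log/tty/ (python this.py 20121012-115031-8544.log) to get the typed commands and session length without sitting through the replay; the backspace handling matters because attackers mistype constantly and the raw input stream is otherwise misleading.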
1aN0rmus@tekdefense.com

 
