Top
Sponsor

Search

Recent Articles

Security Videos
OWASP MobiSec
In this video kevin talk about Mobisec and this full video is all about OWASP Mobisec. The MobiSec Live Environment Mobile Testing Framework project is a live environment for testing mobile environments, including devices, applications, and supporting infrastructure. The purpose is to provide attackers and defenders the ability to test their mobile environments to identify design weaknesses and vulnerabilities. The MobiSec Live Environment provides a single environment for testers to leverage the best of all available open source mobile testing tools, as well as the ability to install additional tools and platforms, that will aid the penetration tester through the testing process as the environment is structured and organized based on an industry­‐proven testing framework. Using a live environment provides penetration testers the ability to boot the MobiSec Live Environment on any Intel-­based system from a DVD or USB flash drive, or run the test environment within a virtual machine. https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_MobiSec
Read More →
Securing Android Applications with GoatDroid
In this video you will learn how to secure Android Application using GoatDroid Using This tool we will also look at on Memory Analysis, Intercepting Layer 7 Traffic, Reverse Engineering Android Application and SQlite Database Analysis etc .. About GoatDroid : https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Read More →
Finding the Rogue DHCP server With Wireshark
In this video you will learn how to detect a Rogue DHCP Server using Wireshark server. Rogue DHCP server are becoming more common these days and DHCP Rogue is easy to create and compromise a network.
Read More →
nullcon Delhi 2012: How secure is internet banking in India - By Ajit Hatti
This Research covers 7 Major areas to evaluate the security of internet banking provided by banks in India 1. Access Control 2. Security of Data in Motion 3. System Design 4. Security on Hostile Platform 5. Enforcement of best practices 6. Handling Hostility or DDOS attacks 7. Security as a Responsibility
Read More →
Upload Shell via SQLi Injection
This video is all about Web Application hacking and you will learn how to upload a shell using SQL Injection.
Read More →

Entries in ssh (7)

Sunday
Jul202014

Over a year with Kippo

DateSunday, July 20, 2014 at 8:31PM

UPDATE: After posting @ikoniaris of Honeydrive and Bruteforce fame recommended running these. Here are the results of kippo-stats.pl created by Tomasz Miklas and Miguel jacq.

As many of you know from previous posts, I am a big fan of honeypots, particularly Kippo. My main Kippo instance sitting in AWS has been online for over a year now. Let's take a look at what we have captured and learned over this past year. If you want to validate any of these statistics I have made the raw logs available for download.

General Stats:

Unique values (135526 connections):

*csv with geo location

*Map Generated with JCSOCAL's GIPC

Top 11 Countries

China: 699

United States: 654

Brazil: 76

Russian Federation: 69

Germany: 65

Korea, Republic of: 57

Romania: 56

Egypt: 52

Japan: 50

India: 41

Indonesia: 41

Unique Usernames: 8600 (Username list)

 Unique Passwords: 75780 (wordlist)

Unique Sources: 1985 (list of IPs)

Passwords:

One of my favorite uses of kippo data is to generate wordlists from login attempts. I wrote a quick script to parse the kippo logs and pull out all passwords and unique them into a wordlist. Feel free to grab. Additionally I made the wordlists available for download.

Using Pipal I performed analysis of all the login attempts over this year:

remnux@remnux:~/custom_tools/pipal$ ./pipal.rb ../TekDefense/wordlist.txt
Generating stats, hit CTRL-C to finish early and dump stats on words already processed.
Basic Results
Total entries = 203400
Total unique entries = 75627
Top 10 passwords
123456 = 3561 (1.75%)
12345 = 1550 (0.76%)
password = 1539 (0.76%)
changeme = 1303 (0.64%)
1234 = 1231 (0.61%)
test = 1165 (0.57%)
abc123 = 1000 (0.49%)
123 = 766 (0.38%)
qwerty = 586 (0.29%)
root = 529 (0.26%)
Top 10 base words
root = 2256 (1.11%)
password = 2178 (1.07%)
test = 1853 (0.91%)
admin = 1538 (0.76%)
changeme = 1391 (0.68%)
qwerty = 1114 (0.55%)
oracle = 802 (0.39%)
p@ssw0rd = 709 (0.35%)
qaz2wsx = 708 (0.35%)
qwer = 591 (0.29%)
Password length (length ordered)
1 = 2247 (1.1%)
2 = 1539 (0.76%)
3 = 5589 (2.75%)
4 = 15420 (7.58%)
5 = 17910 (8.81%)
6 = 38125 (18.74%)
7 = 23075 (11.34%)
8 = 33164 (16.3%)
9 = 18631 (9.16%)
10 = 14059 (6.91%)
11 = 8525 (4.19%)
12 = 8627 (4.24%)
13 = 3759 (1.85%)
14 = 2617 (1.29%)
15 = 2025 (1.0%)
16 = 1786 (0.88%)
17 = 826 (0.41%)
18 = 1256 (0.62%)
19 = 520 (0.26%)
20 = 892 (0.44%)
21 = 275 (0.14%)
22 = 190 (0.09%)
23 = 303 (0.15%)
24 = 386 (0.19%)
25 = 172 (0.08%)
26 = 181 (0.09%)
27 = 56 (0.03%)
28 = 77 (0.04%)
29 = 47 (0.02%)
30 = 67 (0.03%)
31 = 111 (0.05%)
32 = 261 (0.13%)
33 = 96 (0.05%)
34 = 90 (0.04%)
35 = 117 (0.06%)
36 = 75 (0.04%)
37 = 19 (0.01%)
38 = 22 (0.01%)
39 = 30 (0.01%)
40 = 9 (0.0%)
41 = 73 (0.04%)
42 = 7 (0.0%)
43 = 3 (0.0%)
44 = 12 (0.01%)
45 = 16 (0.01%)
46 = 15 (0.01%)
47 = 9 (0.0%)
48 = 9 (0.0%)
49 = 20 (0.01%)
50 = 5 (0.0%)
51 = 7 (0.0%)
52 = 8 (0.0%)
54 = 2 (0.0%)
56 = 22 (0.01%)
57 = 1 (0.0%)
60 = 1 (0.0%)
62 = 3 (0.0%)
63 = 1 (0.0%)
64 = 4 (0.0%)
66 = 1 (0.0%)
69 = 2 (0.0%)
71 = 3 (0.0%)
Password length (count ordered)
6 = 38125 (18.74%)
8 = 33164 (16.3%)
7 = 23075 (11.34%)
9 = 18631 (9.16%)
5 = 17910 (8.81%)
4 = 15420 (7.58%)
10 = 14059 (6.91%)
12 = 8627 (4.24%)
11 = 8525 (4.19%)
3 = 5589 (2.75%)
13 = 3759 (1.85%)
14 = 2617 (1.29%)
1 = 2247 (1.1%)
15 = 2025 (1.0%)
16 = 1786 (0.88%)
2 = 1539 (0.76%)
18 = 1256 (0.62%)
20 = 892 (0.44%)
17 = 826 (0.41%)
19 = 520 (0.26%)
24 = 386 (0.19%)
23 = 303 (0.15%)
21 = 275 (0.14%)
32 = 261 (0.13%)
22 = 190 (0.09%)
26 = 181 (0.09%)
25 = 172 (0.08%)
35 = 117 (0.06%)
31 = 111 (0.05%)
33 = 96 (0.05%)
34 = 90 (0.04%)
28 = 77 (0.04%)
36 = 75 (0.04%)
41 = 73 (0.04%)
30 = 67 (0.03%)
27 = 56 (0.03%)
29 = 47 (0.02%)
39 = 30 (0.01%)
38 = 22 (0.01%)
56 = 22 (0.01%)
49 = 20 (0.01%)
37 = 19 (0.01%)
45 = 16 (0.01%)
46 = 15 (0.01%)
44 = 12 (0.01%)
47 = 9 (0.0%)
40 = 9 (0.0%)
48 = 9 (0.0%)
52 = 8 (0.0%)
51 = 7 (0.0%)
42 = 7 (0.0%)
50 = 5 (0.0%)
64 = 4 (0.0%)
43 = 3 (0.0%)
62 = 3 (0.0%)
71 = 3 (0.0%)
54 = 2 (0.0%)
69 = 2 (0.0%)
63 = 1 (0.0%)
66 = 1 (0.0%)
60 = 1 (0.0%)
57 = 1 (0.0%)
|
|
| |
| |
| |
| |
|||
|||
|||||
||||||
|||||||
|||||||
|||||||||
||||||||||
||||||||||||
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
000000000011111111112222222222333333333344444444445555555555666666666677
012345678901234567890123456789012345678901234567890123456789012345678901
One to six characters = 80830 (39.74%)
One to eight characters = 137069 (67.39'%)
More than eight characters = 66331 (32.61%)
Only lowercase alpha = 83305 (40.96%)
Only uppercase alpha = 659 (0.32%)
Only alpha = 83964 (41.28%)
Only numeric = 23069 (11.34%)
First capital last symbol = 1318 (0.65%)
First capital last number = 4224 (2.08%)
Single digit on the end = 10990 (5.4%)
Two digits on the end = 5787 (2.85%)
Three digits on the end = 19356 (9.52%)
Last number
0 = 5035 (2.48%)
1 = 9472 (4.66%)
2 = 5868 (2.88%)
3 = 21244 (10.44%)
4 = 6911 (3.4%)
5 = 5498 (2.7%)
6 = 8139 (4.0%)
7 = 3273 (1.61%)
8 = 3836 (1.89%)
9 = 3934 (1.93%)
|
|
|
|
|
|
|
|
| |
| | |
| || |
||||||
|||||||
||||||||||
||||||||||
||||||||||
0123456789
Last digit
3 = 21244 (10.44%)
1 = 9472 (4.66%)
6 = 8139 (4.0%)
4 = 6911 (3.4%)
2 = 5868 (2.88%)
5 = 5498 (2.7%)
0 = 5035 (2.48%)
9 = 3934 (1.93%)
8 = 3836 (1.89%)
7 = 3273 (1.61%)
Last 2 digits (Top 10)
23 = 17068 (8.39%)
56 = 5973 (2.94%)
34 = 3792 (1.86%)
45 = 2980 (1.47%)
12 = 2109 (1.04%)
21 = 2072 (1.02%)
11 = 1976 (0.97%)
89 = 1578 (0.78%)
00 = 1135 (0.56%)
10 = 1016 (0.5%)
Last 3 digits (Top 10)
123 = 16664 (8.19%)
456 = 5829 (2.87%)
234 = 3705 (1.82%)
345 = 2588 (1.27%)
321 = 1513 (0.74%)
111 = 1189 (0.58%)
789 = 1168 (0.57%)
678 = 758 (0.37%)
000 = 703 (0.35%)
567 = 672 (0.33%)
Last 4 digits (Top 10)
3456 = 5452 (2.68%)
1234 = 3635 (1.79%)
2345 = 2578 (1.27%)
1111 = 980 (0.48%)
6789 = 858 (0.42%)
5678 = 737 (0.36%)
4321 = 656 (0.32%)
4567 = 649 (0.32%)
3123 = 643 (0.32%)
7890 = 496 (0.24%)
Last 5 digits (Top 10)
23456 = 5439 (2.67%)
12345 = 2571 (1.26%)
56789 = 852 (0.42%)
11111 = 842 (0.41%)
45678 = 710 (0.35%)
34567 = 643 (0.32%)
23123 = 607 (0.3%)
54321 = 508 (0.25%)
67890 = 483 (0.24%)
00000 = 302 (0.15%)
Character sets
loweralpha: 83305 (40.96%)
loweralphanum: 53690 (26.4%)
numeric: 23069 (11.34%)
mixedalphanum: 8112 (3.99%)
loweralphaspecialnum: 7073 (3.48%)
loweralphaspecial: 5802 (2.85%)
mixedalphaspecialnum: 4159 (2.04%)
mixedalpha: 3041 (1.5%)
specialnum: 1849 (0.91%)
special: 1738 (0.85%)
upperalphanum: 1117 (0.55%)
mixedalphaspecial: 1017 (0.5%)
upperalphaspecial: 749 (0.37%)
upperalpha: 659 (0.32%)
upperalphaspecialnum: 364 (0.18%)
Character set ordering
allstring: 87005 (42.78%)
stringdigit: 35764 (17.58%)
othermask: 35359 (17.38%)
alldigit: 23069 (11.34%)
stringdigitstring: 6280 (3.09%)
digitstring: 4939 (2.43%)
stringspecialstring: 2298 (1.13%)
stringspecial: 2217 (1.09%)
stringspecialdigit: 1809 (0.89%)
digitstringdigit: 1756 (0.86%)
allspecial: 1738 (0.85%)
specialstring: 831 (0.41%)
specialstringspecial: 335 (0.16%)
view raw Password Statistics from Kippo Honeypot using Pipal hosted with ❤ by GitHub

Two items of note here are that over 60% of password attempts were 1-8 characters. 40% of attempts were for lowercase alpha characters only. The most used password was 123456. This is the default pass for Kippo.

If a user attempts to create an account or change the root password in a Kippo session those passwords are captured and added to the allowed credentials list. The following credentials were created:

root:0:albertinoalbert123
root:0:fgashyeq77dhshfa
root:0:florian12eu
root:0:hgd177q891999wwwwwe1.dON
root:0:iphone5
root:0:kokot
root:0:nope
root:0:picvina
root:0:scorpi123
root:0:test
root:0:xiaozhe
root:0:12345
root:0:bnn318da9031kdamfaihheq1fa
root:0:ls
root:0:neonhostt1
root:0:wget123

Downloads:

When an attacker attempts to download a tool via wget, within Kippo we allow that file to be downloaded, although they cannot interact with it. With this we are able to get a copy of whatever is being downloaded. In most cases these are IRC bots, but not all. I have made them all available for download.
Here is a listing of all the files:
*Duplicates and obviously legitimate files have been removed from the list.
20131030113401_http___198_2_192_204_22_disknyp
20131103183232_http___61_132_227_111_8080_meimei
20131104045744_http___198_2_192_204_22_disknyp
20131114214017_http___www_unrealircd_com_downloads_Unreal3_2_8_1_tar_gz
20131116130541_http___198_2_192_204_22_disknyp
20131129165151_http___dl_dropboxusercontent_com_s_1bxj9ak8m1octmk_ktx_c
20131129165438_http___dl_dropboxusercontent_com_s_66gpt66lvut4gdu_ktx
20131202040921_http___198_2_192_204_22_disknyp
20131207123419_http___packetstorm_wowhacker_com_DoS_juno_c
20131216143108_http___www_psybnc_at_download_beta_psyBNC_2_3_2_7_tar_gz
20131216143208_http___X_hackersoft_org_scanner_gosh_jpg
20131216143226_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
20131217163423_http___ha_ckers_org_slowloris_slowloris_pl
20131217163456_http___www_lemarinel_net_perl
20131222084315_http___maxhub_com_auto_bill_pipe_bot
20140103142644_http___ftp_gnu_org_gnu_autoconf_autoconf_2_69_tar_gz
20140109170001_http___sourceforge_net_projects_cpuminer_files_pooler_cpuminer_2_3_2_linux_x86_tar_gz
20140120152204_http___111_39_43_54_5555_dos32
20140122202342_http___layer1_cpanel_net_latest
20140122202549_http___linux_duke_edu_projects_yum_download_2_0_yum_2_0_7_tar_gz
20140122202751_http___www_ehcp_net_ehcp_latest_tgz
20140201131804_http___www_suplementar_com_br_images_stories_goon_pooler_cpuminer_2_3_2_tar_gz
20140201152307_http___nemo_rdsor_ro_darwin_jpg
20140208081358_http___www_youtube_com_watch_v_6hVQs5ll064
20140208184835_http___sharplase_ru_x_txt
20140215141909_http___tenet_dl_sourceforge_net_project_cpuminer_pooler_cpuminer_2_3_2_tar_gz
20140215142830_http___sourceforge_net_projects_cpuminer_files_pooler_cpuminer_2_3_2_tar_gz
20140219072721_http___www_psybnc_at_download_beta_psyBNC_2_3_2_7_tar_gz
20140328031725_http___dl_dropboxusercontent_com_u_133538399_multi_py
20140409053322_http___www_c99php_com_shell_c99_rar
20140409053728_http___github_com_downloads_orbweb_PHP_SHELL_WSO_wso2_5_1_php
20140413130110_http___www_iphobos_com_hb_unixcod_rar
20140416194008_http___linux_help_bugs3_com_Camel_mail_txt
20140419143734_http___www_activestate_com_activeperl_downloads_thank_you_dl_http___downloads_activestate_com_ActivePerl_releases_5_18_2_1802_ActivePerl_5_18_2_1802_x86_64_linux_glibc_2_5_298023_tar_gz
20140419144043_http___ha_ckers_org_slowloris_slowloris_pl
20140420104056_http___downloads_metasploit_com_data_releases_archive_metasploit_4_9_2_linux_x64_installer_run
20140420104325_http___nmap_org_dist_nmap_6_46_1_i386_rpm
20140505073503_http___116_255_239_180_888_007
20140505093229_http___119_148_161_25_805_sd32
20140505111511_http___112_117_223_10_280_1
20140515091557_http___112_117_223_10_280__bash_6_phpmysql
20140519193800_http___www_unrealircd_com_downloads_Unreal3_2_8_1_tar_gz
20140523120411_http___lemonjuice_tk_netcat_sh
20140610174516_http___59_63_183_193_280__etc_Test8888
20140614200901_http___kismetismy_name_ktx
20140625032113_http___ftp_mirrorservice_org_sites_ftp_wiretapped_net_pub_security_packet_construction_netcat_gnu_netcat_netcat_0_7_1_tar_gz
20140720005010_http___www_bl4ck_viper_persiangig_com_p8_localroots_2_6_x_cw7_3
To see the full source for some of the scripts downloaded by the attackers you can go to this Github Repo. A couple of my favorite ones.

TTY Replay Sessions:

My absolute favorite feature of Kippo is the ability to replay interactive sessions of attacker activity. Watching these replays gives us an idea of what attackers do once inside a session. For instance almost every session begins with a "w" which shows logged in users and uptime, and then a "uname -a" to show them system details. I made a Youtube series called The Kippo Kronicles a while back to showcase some of these sessions. While I don't have the time necessary to continue putting up videos for each session I have put the output of each session up at this Github Repo.
Here is a fun example:
AWSWeb:~# adduser
adduser: Only one or two names allowed.
AWSWeb:~# useradd
adduser: Only one or two names allowed.
AWSWeb:~# ls
AWSWeb:~# pwd
root
AWSWeb:~# cd /cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
richard:x:1000:1000:richard,,,:/home/richard:/bin/bash
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
AWSWeb:~# user
bash: user: command not found
AWSWeb:~# adduser obz
Adding user `obz' ...
Adding new group `obz' (1001) ...
Adding new user `obz' (1001) with group `obz' ...
Creating home directory `/home/obz' ...
Copying files from `/etc/skel' ...
Password: 
Password again: 
Changing the user information for obz
Enter the new value, or press ENTER for the default
        Username []: 
Must enter a value!
        Username []: obz
        Full Name []: ladmin obz
        Room Number []: 1
        Work Phone []: 1234567890
        Home Phone []: 
Must enter a value!
        Home Phone []: 0
        Mobile Phone []: 0
        Country []: cn
        City []: xang
        Language []: mand
        Favorite movie []: 1
        Other []: 1
Is the information correct? [Y/n] y
ERROR: Some of the information you entered is invalid
Deleting user `obz' ...
Deleting group `obz' (1001) ...
Deleting home directory `/home/obz' ...
Try again? [Y/n] y
Changing the user information for obz
Enter the new value, or press ENTER for the default
        Username []: obx
        Full Name []: obx toor
        Room Number []: 1
        Work Phone []: 19089543121
        Home Phone []: 9089342135
        Mobile Phone []: 9089439012
        Country []: cn
        City []: xang
        Language []: manenglish
        Favorite movie []: one
        Other []: twofour
Is the information correct? [Y/n] y
ERROR: Some of the information you entered is invalid
Deleting user `obz' ...
Deleting group `obz' (1001) ...
Deleting home directory `/home/obz' ...
Try again? [Y/n] n
AWSWeb:~# cat adduser obz user cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
richard:x:1000:1000:richard,,,:/home/richard:/bin/bash
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
AWSWeb:~# cat /etc/shadow
cat: /etc/shadow: No such file or directory
AWSWeb:~# /etc/init.d\D/ssh start
bash: /etc/init.D/ssh: command not found
AWSWeb:~# /etc/init.D/ssh startd
bash: /etc/init.d/ssh: command not found
AWSWeb:~# 
AWSWeb:~# 
AWSWeb:~# 
AWSWeb:~# 
AWSWeb:~# 
AWSWeb:~# 
AWSWeb:~# 
AWSWeb:~# 
AWSWeb:~# 
AWSWeb:~# exit
cConnection to server closed.
localhost:~# exit
Connection to server closed.
localhost:~# bye
bash: bye: command not found
localhost:~# exit
Connection to server closed.
localhost:~# admin
bash: admin: command not found
localhost:~# su
localhost:~# ls -l
drwxr-xr-x 1 root root 4096 2013-02-03 17:11 .
drwxr-xr-x 1 root root 4096 2013-02-03 17:11 ..
drwxr-xr-x 1 root root 4096 2009-11-06 11:16 .debtags
-rw------- 1 root root 5515 2009-11-20 09:08 .viminfo
drwx------ 1 root root 4096 2009-11-06 11:13 .aptitude
-rw-r--r-- 1 root root  140 2009-11-06 11:09 .profile
-rw-r--r-- 1 root root  412 2009-11-06 11:09 .bashrc
localhost:~# pwd
/root
localhost:~# cd /
localhost:/# ls -l
drwxr-xr-x 1 root root  4096 2013-02-03 17:11 .
drwxr-xr-x 1 root root  4096 2013-02-03 17:11 ..
drwxr-xr-x 1 root root     0 2009-11-20 08:19 sys
drwxr-xr-x 1 root root  4096 2009-11-08 15:42 bin
drwxr-xr-x 1 root root  4096 2009-11-06 11:08 mnt
drwxr-xr-x 1 root root  4096 2009-11-06 11:08 media
lrwxrwxrwx 1 root root    25 2009-11-06 11:16 vmlinuz -> /boot/vmlinuz-2.6.26-2-686
drwxr-xr-x 1 root root  4096 2009-11-06 11:09 opt
lrwxrwxrwx 1 root root    11 2009-11-06 11:08 cdrom -> /media/cdrom0
drwxr-xr-x 1 root root  4096 2009-11-06 11:08 selinux
drwxrwxrwx 1 root root  4096 2009-11-20 08:19 tmp
dr-xr-xr-x 1 root root     0 2009-11-20 08:19 proc
drwxr-xr-x 1 root root  4096 2009-11-08 15:41 sbin
drwxr-xr-x 1 root root  4096 2009-11-20 08:20 etc
drwxr-xr-x 1 root root  3200 2009-11-20 08:20 dev
drwxr-xr-x 1 root root  4096 2009-11-06 11:09 srv
lrwxrwxrwx 1 root root    28 2009-11-06 11:16 initrd.img -> /boot/initrd.img-2.6.26-2-686
drwxr-xr-x 1 root root  4096 2009-11-08 15:46 lib
drwxr-xr-x 1 root root  4096 2009-11-06 11:22 home
drwxr-xr-x 1 root root  4096 2009-11-06 11:09 var
drwxr-xr-x 1 root root  4096 2009-11-08 15:46 usr
drwxr-xr-x 1 root root  4096 2009-11-08 15:39 boot
drwxr-xr-x 1 root root  4096 2009-11-20 09:08 root
drwx------ 1 root root 16384 2009-11-06 11:08 lost+found
localhost:/# cd /home
localhost:/home# ls -l
ldrwxr-xr-x 1 root root 4096 2013-02-03 17:11 .
drwxr-xr-x 1 root root 4096 2013-02-03 17:11 ..
drwxr-xr-x 1 1000 1000 4096 2009-11-06 11:22 richard
localhost:/home# exit
Connection to server closed.
localhost:~# 
localhost:~# 
localhost:~# 
localhost:~# 
localhost:~# 
localhost:~# 
localhost:~# ssh -D root@http://60.250.65.112/ 1337
The authenticity of host '60.250.65.112 (60.250.65.112)' can't be established.
RSA key fingerprint is 9d:30:97:8a:9e:48:0d:de:04:8d:76:3a:7b:4b:30:f8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '60.250.65.112' (RSA) to the list of known hosts.
root@60.250.65.112's password: 
Linux localhost 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686
Last login: Sat Feb  2 07:07:11 2013 from 192.168.9.4
localhost:~# uname -a
Linux localhost 2.6.24-2-generic #1 SMP Thu Dec 20 17:36:12 GMT 2007 i686 GNU/Linux
localhost:~# pwd
/root
localhost:~# cd /
localhost:/# ls -l
drwxr-xr-x 1 root root  4096 2013-02-03 17:19 .
drwxr-xr-x 1 root root  4096 2013-02-03 17:19 ..
drwxr-xr-x 1 root root     0 2009-11-20 08:19 sys
drwxr-xr-x 1 root root  4096 2009-11-08 15:42 bin
drwxr-xr-x 1 root root  4096 2009-11-06 11:08 mnt
drwxr-xr-x 1 root root  4096 2009-11-06 11:08 media
lrwxrwxrwx 1 root root    25 2009-11-06 11:16 vmlinuz -> /boot/vmlinuz-2.6.26-2-686
drwxr-xr-x 1 root root  4096 2009-11-06 11:09 opt
lrwxrwxrwx 1 root root    11 2009-11-06 11:08 cdrom -> /media/cdrom0
drwxr-xr-x 1 root root  4096 2009-11-06 11:08 selinux
drwxrwxrwx 1 root root  4096 2009-11-20 08:19 tmp
dr-xr-xr-x 1 root root     0 2009-11-20 08:19 proc
drwxr-xr-x 1 root root  4096 2009-11-08 15:41 sbin
drwxr-xr-x 1 root root  4096 2009-11-20 08:20 etc
drwxr-xr-x 1 root root  3200 2009-11-20 08:20 dev
drwxr-xr-x 1 root root  4096 2009-11-06 11:09 srv
lrwxrwxrwx 1 root root    28 2009-11-06 11:16 initrd.img -> /boot/initrd.img-2.6.26-2-686
drwxr-xr-x 1 root root  4096 2009-11-08 15:46 lib
drwxr-xr-x 1 root root  4096 2009-11-06 11:22 home
drwxr-xr-x 1 root root  4096 2009-11-06 11:09 var
drwxr-xr-x 1 root root  4096 2009-11-08 15:46 usr
drwxr-xr-x 1 root root  4096 2009-11-08 15:39 boot
drwxr-xr-x 1 root root  4096 2009-11-20 09:08 root
drwx------ 1 root root 16384 2009-11-06 11:08 lost+found
localhost:/# cd /root
localhost:~# ls -l
ldrwxr-xr-x 1 root root 4096 2013-02-03 17:19 .
drwxr-xr-x 1 root root 4096 2013-02-03 17:19 ..
drwxr-xr-x 1 root root 4096 2009-11-06 11:16 .debtags
-rw------- 1 root root 5515 2009-11-20 09:08 .viminfo
drwx------ 1 root root 4096 2009-11-06 11:13 .aptitude
-rw-r--r-- 1 root root  140 2009-11-06 11:09 .profile
-rw-r--r-- 1 root root  412 2009-11-06 11:09 .bashrc
localhost:~# cd /hocd /home/
localhost:/home# ls -l
drwxr-xr-x 1 root root 4096 2013-02-03 17:20 .
drwxr-xr-x 1 root root 4096 2013-02-03 17:20 ..
drwxr-xr-x 1 1000 1000 4096 2009-11-06 11:22 richard
localhost:/home# exit
Connection to server closed.
localhost:~# exit
Connection to server closed.
localhost:~# 

 Conclusion:

After a year with Kippo, I have learned a lot about what these basic attackers do when connecting to seemingly open ssh hosts. There is plenty more to learn though. I have some plans on building out a larger honeypot infrastructure, and automating some of the data collection and parsing. Additionally I would like to spend more time analyzing the sessions and malware for further trends. I'll keep you all posted!

*Big thanks to Bruteforce Labs for their tools and expertise in honeypots.

AuthorAdmin | Comment1 Comment |
tagged , , , , in
Tuesday
Mar052013

The Kippo Kronicles - Ep3 Orly?

DateTuesday, March 5, 2013 at 11:38AM
In this episode of the Kippo Kronicles our attacker attempts to install metasploit on our honeypot. He is very persistant, and does not realize he is in a honeypot even after getting the ORLY Owl.
If you want to see the logs from my Kippo instance, checkout the Downloads section. For those who do not want to watch the video, the full code output is below:
kippo@MyAWSHoneypot:~/kippo/log/tty$ ~/kippo/utils/playlog.py 20130225-042834-4525.log
AWSWeb:~# ls -la
drwxr-xr-x 1 root root 4096 2013-02-25 04:29 .
drwxr-xr-x 1 root root 4096 2013-02-25 04:29 ..
drwxr-xr-x 1 root root 4096 2009-11-06 11:16 .debtags
-rw------- 1 root root 5515 2009-11-20 09:08 .viminfo
drwx------ 1 root root 4096 2009-11-06 11:13 .aptitude
-rw-r--r-- 1 root root  140 2009-11-06 11:09 .profile
-rw-r--r-- 1 root root  412 2009-11-06 11:09 .bashrc
AWSWeb:~# ls -la
drwxr-xr-x 1 root root 4096 2013-02-25 04:29 .
drwxr-xr-x 1 root root 4096 2013-02-25 04:29 ..
drwxr-xr-x 1 root root 4096 2009-11-06 11:16 .debtags
-rw------- 1 root root 5515 2009-11-20 09:08 .viminfo
drwx------ 1 root root 4096 2009-11-06 11:13 .aptitude
-rw-r--r-- 1 root root  140 2009-11-06 11:09 .profile
-rw-r--r-- 1 root root  412 2009-11-06 11:09 .bashrc
AWSWeb:~# pwd
/root
AWSWeb:~# uname -a
Linux AWSWeb 2.6.24-2-generic #1 SMP Thu Dec 20 17:36:12 GMT 2007 i686 GNU/Linux
AWSWeb:~# wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-installer.run
--2013-02-25 04:33:42--  http://downloads.metasploit.com/data/releases/metasploit-latest-linux-installer.run
Connecting to downloads.metasploit.com:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 208374041 (198M) [text/plain]
Saving to: `metasploit-latest-linux-installer.run
100%[======================================>] 208,374,041  10270K/s  eta 0s
2013-02-25 04:34:02 (10270 KB/s) - `metasploit-latest-linux-installer.run' saved [208374041/208374041]
AWSWeb:~# sh metasploit-latest-linux-installer.run
AWSWeb:~# ./metasploit-latest-linux-installer.run
bash: ./metasploit-latest-linux-installer.run: command not found
AWSWeb:~# dir
bash: dir: command not found
AWSWeb:~# ls -la
drwxr-xr-x 1 root root      4096 2013-02-25 04:34 .
drwxr-xr-x 1 root root      4096 2013-02-25 04:34 ..
drwxr-xr-x 1 root root      4096 2009-11-06 11:16 .debtags
-rw------- 1 root root      5515 2009-11-20 09:08 .viminfo
drwx------ 1 root root      4096 2009-11-06 11:13 .aptitude
-rw-r--r-- 1 root root       140 2009-11-06 11:09 .profile
-rw-r--r-- 1 root root       412 2009-11-06 11:09 .bashrc
-rw-r--r-- 1 root root 208374041 2013-02-25 04:34 metasploit-latest-linux-installer.run
AWSWeb:~# sh metasploit-latest-linux-installer.run
AWSWeb:~# sh
AWSWeb:~# run metasploit-latest-linux-installer.run
bash: run: command not found
AWSWeb:~# ./metasploit-latest-linux-installer.run
bash: ./metasploit-latest-linux-installer.run: command not found
AWSWeb:~# metasploit-latest-linux-installer.run
bash: metasploit-latest-linux-installer.run: command not found
AWSWeb:~# ls -la
drwxr-xr-x 1 root root      4096 2013-02-25 04:35 .
drwxr-xr-x 1 root root      4096 2013-02-25 04:35 ..
drwxr-xr-x 1 root root      4096 2009-11-06 11:16 .debtags
-rw------- 1 root root      5515 2009-11-20 09:08 .viminfo
drwx------ 1 root root      4096 2009-11-06 11:13 .aptitude
-rw-r--r-- 1 root root       140 2009-11-06 11:09 .profile
-rw-r--r-- 1 root root       412 2009-11-06 11:09 .bashrc
-rw-r--r-- 1 root root 208374041 2013-02-25 04:34 metasploit-latest-linux-installer.run
AWSWeb:~# chmod 777 metasploit-latest-linux-installer.run
AWSWeb:~# sh metasploit-latest-linux-installer.run
AWSWeb:~# clear
AWSWeb:~# wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run
--2013-02-25 04:36:03--  http://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run
Connecting to downloads.metasploit.com:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 208792036 (199M) [text/plain]
Saving to: `metasploit-latest-linux-x64-installer.run
100%[======================================>] 208,792,036  6647K/s  eta 0s
2013-02-25 04:36:34 (6647 KB/s) - `metasploit-latest-linux-x64-installer.run' saved [208792036/208792036]
AWSWeb:~# sh metasploit-latest-linux-x64-installer.run
AWSWeb:~# chmod +x metasploit-latest-linux-installer.run
AWSWeb:~# sudo ./metasploit-latest-linux-installer.ru
bash: sudo: command not found
AWSWeb:~# sudo ./metasploit-latest-linux-installer.run
bash: sudo: command not found
AWSWeb:~# sh metasploit-latest-linux-installer.run
AWSWeb:~# sudo apt-get install ruby libopenssl-ruby libyaml-ruby libdl-ruby
bash: sudo: command not found
AWSWeb:~# sudo apt-get install ruby libopenssl-ruby libyaml-ruby libdl-rubylibiconv-ruby libreadline-ruby irb ri rubygems
bash: sudo: command not found
AWSWeb:~# install rpm sh
bash: install: command not found
AWSWeb:~# rpm -ivh sh
bash: rpm: command not found
AWSWeb:~# apt-get update
E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
E: Unable to lock the list directory
AWSWeb:~# id
uid=0(root) gid=0(root) groups=0(root)
AWSWeb:~# rpmbuild -ts httpd-2.4.x.tar.bz2
bash: rpmbuild: command not found
AWSWeb:~# wget -O /etc/yum.repos.d/epel-erlang.repo http://repos.fedorapeople.org/repos/peter/erlang/epel-erlang.repo
--2013-02-25 04:58:51--  http:///etc/yum.repos.d/epel-erlang.repo
Connecting to :80... connected.
HTTP request sent, awaiting response... Connection was refused by other side: 111: Connection refused.
AWSWeb:~# yum install erlang
bash: yum: command not found
AWSWeb:~# rpm --import http://www.rabbitmq.com/rabbitmq-signing-key-public.asc
bash: rpm: command not found
AWSWeb:~# yum install rabbitmq-server-3.0.2-1.noarch.rpm
bash: yum: command not found
AWSWeb:~# sudo apt-get install alien
bash: sudo: command not found
AWSWeb:~# sudo apt-get install alien dpkg-dev debhelper build-essential
bash: sudo: command not found
AWSWeb:~# yum apt-get install alien dpkg-dev debhelper build-essential
bash: yum: command not found
AWSWeb:~# yum install sudo
bash: yum: command not found
AWSWeb:~# wget http://linux.duke.edu/projects/yum/download/2.0/yum-2.0.7.tar.gz
--2013-02-25 05:10:07--  http://linux.duke.edu/projects/yum/download/2.0/yum-2.0.7.tar.gz
Connecting to linux.duke.edu:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 174080 (170K) [application/x-gzip]
Saving to: `yum-2.0.7.tar.gz
100%[======================================>] 174,080      76K/s  eta 1s
2013-02-25 05:10:09 (76 KB/s) - `yum-2.0.7.tar.gz' saved [174080/174080]
AWSWeb:~# tar -xvzf yum-2.0.7.tar.gz
yum-2.0.7
yum-2.0.7/callback.py
yum-2.0.7/nevral.py
yum-2.0.7/configure
yum-2.0.7/translate.py
yum-2.0.7/py-compile
yum-2.0.7/COPYING
yum-2.0.7/etc
yum-2.0.7/etc/yum.cron
yum-2.0.7/etc/yum.logrotate
yum-2.0.7/etc/Makefile.in
yum-2.0.7/etc/yum.conf
yum-2.0.7/etc/yum.init
yum-2.0.7/pkgaction.py
yum-2.0.7/archwork.py
yum-2.0.7/mkinstalldirs
yum-2.0.7/failover.py
yum-2.0.7/lilo.py
yum-2.0.7/logger.py
yum-2.0.7/i18n.py
yum-2.0.7/progress_meter.py
yum-2.0.7/configure.in
yum-2.0.7/yum.spec
yum-2.0.7/docs
yum-2.0.7/docs/yum.conf.5
yum-2.0.7/docs/Makefile.in
yum-2.0.7/docs/yum.8
yum-2.0.7/docs/yum-arch.8
yum-2.0.7/checkbootloader.py
yum-2.0.7/yumlock.py
yum-2.0.7/bin
yum-2.0.7/bin/yum-arch
yum-2.0.7/bin/Makefile.in
yum-2.0.7/bin/yum
yum-2.0.7/up2datetheft.py
yum-2.0.7/urlgrabber.py
yum-2.0.7/install-sh
yum-2.0.7/bootloadercfg.py
yum-2.0.7/grubcfg.py
yum-2.0.7/Makefile.in
yum-2.0.7/INSTALL
yum-2.0.7/serverStuff.py
yum-2.0.7/po
yum-2.0.7/po/uk.po
yum-2.0.7/po/pygettext.py
yum-2.0.7/po/cs.po
yum-2.0.7/po/ru.po
yum-2.0.7/po/es.po
yum-2.0.7/po/Makefile.in
yum-2.0.7/po/yum.pot
yum-2.0.7/rpmUtils.py
yum-2.0.7/pullheaders.py
yum-2.0.7/README
yum-2.0.7/keepalive.py
yum-2.0.7/ChangeLog
yum-2.0.7/yummain.py
yum-2.0.7/comps.py
yum-2.0.7/iutil.py
yum-2.0.7/clientStuff.py
yum-2.0.7/yumcomps.py
yum-2.0.7/config.py
yum-2.0.7/AUTHORS
yum-2.0.7/lilocfg.py
yum-2.0.7/TODO
AWSWeb:~# cd yum-2.0.7
AWSWeb:~/yum-2.0.7# ./configure
Shall we play a game? yes
A strange game. The only winning move is not to play.  How about a nice game of chess?
AWSWeb:~/yum-2.0.7# ./configure
Shall we play a game? no
A strange game. The only winning move is not to play.  How about a nice game of chess?
AWSWeb:~/yum-2.0.7# ./configure
Shall we play a game?
A strange game. The only winning move is not to play.  How about a nice game of chess?
AWSWeb:~/yum-2.0.7# make
bash: make: command not found
AWSWeb:~/yum-2.0.7# make install
bash: make: command not found
AWSWeb:~/yum-2.0.7# dir
bash: dir: command not found
AWSWeb:~/yum-2.0.7# ls -la
drwxr-xr-x 1 root root  4096 2013-02-25 05:11 .
drwxr-xr-x 1 root root  4096 2013-02-25 05:11 ..
-rw-rw-r-- 1 root root  3527 2004-05-07 04:58 callback.py
-rw-rw-r-- 1 root root 22517 2004-05-07 04:58 nevral.py
-rwxrwxr-x 1 root root 69467 2004-05-07 04:58 configure
-rw-rw-r-- 1 root root  8309 2004-05-07 04:58 translate.py
-rwxrwxr-x 1 root root  1478 2004-05-07 04:58 py-compile
-rw-rw-r-- 1 root root 17976 2004-05-07 04:58 COPYING
drwxrwxr-x 1 root root  4096 2004-05-07 04:58 etc
-rw-rw-r-- 1 root root 25478 2004-05-07 04:58 pkgaction.py
-rw-rw-r-- 1 root root  3045 2004-05-07 04:58 archwork.py
-rwxrwxr-x 1 root root   729 2004-05-07 04:58 mkinstalldirs
-rw-rw-r-- 1 root root  3588 2004-05-07 04:58 failover.py
-rw-rw-r-- 1 root root  9784 2004-05-07 04:58 lilo.py
-rw-rw-r-- 1 root root 15812 2004-05-07 04:58 logger.py
-rw-r--r-- 1 root root   690 2004-05-07 04:58 i18n.py
-rw-rw-r-- 1 root root  5528 2004-05-07 04:58 progress_meter.py
-rw-rw-r-- 1 root root   636 2004-05-07 04:58 configure.in
-rw-rw-r-- 1 root root  3636 2004-05-07 04:58 yum.spec
drwxrwxr-x 1 root root  4096 2004-05-07 04:58 docs
-rw-rw-r-- 1 root root  4607 2004-05-07 04:58 checkbootloader.py
-rw-rw-r-- 1 root root   541 2004-05-07 04:58 yumlock.py
drwxrwxr-x 1 root root  4096 2004-05-07 04:58 bin
-rw-rw-r-- 1 root root  1206 2004-05-07 04:58 up2datetheft.py
-rw-rw-r-- 1 root root 19254 2004-05-07 04:58 urlgrabber.py
-rwxrwxr-x 1 root root  5598 2004-05-07 04:58 install-sh
-rw-rw-r-- 1 root root  1331 2004-05-07 04:58 bootloadercfg.py
-rw-rw-r-- 1 root root  2188 2004-05-07 04:58 grubcfg.py
-rw-rw-r-- 1 root root  4611 2004-05-07 04:58 Makefile.in
-rw-rw-r-- 1 root root   320 2004-05-07 04:58 INSTALL
-rw-rw-r-- 1 root root  3723 2004-05-07 04:58 serverStuff.py
drwxrwxr-x 1 root root  4096 2004-05-07 04:58 po
-rw-r--r-- 1 root root 12223 2004-05-07 04:58 rpmUtils.py
-rw-rw-r-- 1 root root 11884 2004-05-07 04:58 pullheaders.py
-rw-rw-r-- 1 root root  1655 2004-05-07 04:58 README
-rw-rw-r-- 1 root root 14083 2004-05-07 04:58 keepalive.py
-rw-rw-r-- 1 root root 39484 2004-05-07 04:58 ChangeLog
-rwxr-xr-x 1 root root 14959 2004-05-07 04:58 yummain.py
-rwxrwxr-x 1 root root 11923 2004-05-07 04:58 comps.py
-rw-rw-r-- 1 root root  7709 2004-05-07 04:58 iutil.py
-rwxr-xr-x 1 root root 54626 2004-05-07 04:58 clientStuff.py
-rwxrwxr-x 1 root root 13876 2004-05-07 04:58 yumcomps.py
-rw-rw-r-- 1 root root 15758 2004-05-07 04:58 config.py
-rw-rw-r-- 1 root root   888 2004-05-07 04:58 AUTHORS
-rw-rw-r-- 1 root root 13304 2004-05-07 04:58 lilocfg.py
-rw-rw-r-- 1 root root    76 2004-05-07 04:58 TODO
AWSWeb:~/yum-2.0.7# ./INSTALL
  ___
 {o,o}
 |)__)
 -"-"-
O RLY?
  ___
 {o,o}
 |)__)
 -"-"-
O RLY? yes
  ___
 {o,o}
 (__(|
 -"-"-
NO WAI!
AWSWeb:~/yum-2.0.7# INSTALL
bash: INSTALL: command not found
AWSWeb:~/yum-2.0.7# ./INSTALL
  ___
 {o,o}
 |)__)
 -"-"-
O RLY? y
  ___
 {o,o}
 (__(|
 -"-"-
NO WAI!
AWSWeb:~/yum-2.0.7# ./INSTALL
  ___
 {o,o}
 |)__)
 -"-"-
O RLY? n
  ___
 {o,o}
 |)__)
 -"-"-
O RLY? n
  ___
 {o,o}
 |)__)
 -"-"-
O RLY? ./configure
  ___
 {o,o}
 |)__)
 -"-"-
O RLY?
  ___
 {o,o}
 |)__)
 -"-"-
O RLY? y
  ___
 {o,o}
 (__(|
 -"-"-
NO WAI!
AWSWeb:~/yum-2.0.7# ./configure
Shall we play a game? y
A strange game. The only winning move is not to play.  How about a nice game of chess?
AWSWeb:~/yum-2.0.7# ./mkinstalldirs
Shall we play a game?
A strange game. The only winning move is not to play.  How about a nice game of chess?
AWSWeb:~/yum-2.0.7# mkdir setups
AWSWeb:~/yum-2.0.7# cd setups
AWSWeb:~/yum-2.0.7/setups# wget http://linux.duke.edu/projects/yum/download/2.0/yum-2.0.7.tar.gz
--2013-02-25 05:15:07--  http://linux.duke.edu/projects/yum/download/2.0/yum-2.0.7.tar.gz
Connecting to linux.duke.edu:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 174080 (170K) [application/x-gzip]
Saving to: `yum-2.0.7.tar.gz
100%[======================================>] 174,080      91K/s  eta 0s
2013-02-25 05:15:09 (91 KB/s) - `yum-2.0.7.tar.gz' saved [174080/174080]
AWSWeb:~/yum-2.0.7/setups# tar -xvzf yum-2.0.7.tar.gz
yum-2.0.7
yum-2.0.7/callback.py
yum-2.0.7/nevral.py
yum-2.0.7/configure
yum-2.0.7/translate.py
yum-2.0.7/py-compile
yum-2.0.7/COPYING
yum-2.0.7/etc
yum-2.0.7/etc/yum.cron
yum-2.0.7/etc/yum.logrotate
yum-2.0.7/etc/Makefile.in
yum-2.0.7/etc/yum.conf
yum-2.0.7/etc/yum.init
yum-2.0.7/pkgaction.py
yum-2.0.7/archwork.py
yum-2.0.7/mkinstalldirs
yum-2.0.7/failover.py
yum-2.0.7/lilo.py
yum-2.0.7/logger.py
yum-2.0.7/i18n.py
yum-2.0.7/progress_meter.py
yum-2.0.7/configure.in
yum-2.0.7/yum.spec
yum-2.0.7/docs
yum-2.0.7/docs/yum.conf.5
yum-2.0.7/docs/Makefile.in
yum-2.0.7/docs/yum.8
yum-2.0.7/docs/yum-arch.8
yum-2.0.7/checkbootloader.py
yum-2.0.7/yumlock.py
yum-2.0.7/bin
yum-2.0.7/bin/yum-arch
yum-2.0.7/bin/Makefile.in
yum-2.0.7/bin/yum
yum-2.0.7/up2datetheft.py
yum-2.0.7/urlgrabber.py
yum-2.0.7/install-sh
yum-2.0.7/bootloadercfg.py
yum-2.0.7/grubcfg.py
yum-2.0.7/Makefile.in
yum-2.0.7/INSTALL
yum-2.0.7/serverStuff.py
yum-2.0.7/po
yum-2.0.7/po/uk.po
yum-2.0.7/po/pygettext.py
yum-2.0.7/po/cs.po
yum-2.0.7/po/ru.po
yum-2.0.7/po/es.po
yum-2.0.7/po/Makefile.in
yum-2.0.7/po/yum.pot
yum-2.0.7/rpmUtils.py
yum-2.0.7/pullheaders.py
yum-2.0.7/README
yum-2.0.7/keepalive.py
yum-2.0.7/ChangeLog
yum-2.0.7/yummain.py
yum-2.0.7/comps.py
yum-2.0.7/iutil.py
yum-2.0.7/clientStuff.py
yum-2.0.7/yumcomps.py
yum-2.0.7/config.py
yum-2.0.7/AUTHORS
yum-2.0.7/lilocfg.py
yum-2.0.7/TODO
AWSWeb:~/yum-2.0.7/setups# cd yum-2.0.7
AWSWeb:~/yum-2.0.7/setups/yum-2.0.7# ./configure
Shall we play a game? y
A strange game. The only winning move is not to play.  How about a nice game of chess?
AWSWeb:~/yum-2.0.7/setups/yum-2.0.7# make
bash: make: command not found
AWSWeb:~/yum-2.0.7/setups/yum-2.0.7# make install
bash: make: command not found
AWSWeb:~/yum-2.0.7/setups/yum-2.0.7# yum update
bash: yum: command not found
AWSWeb:~/yum-2.0.7/setups/yum-2.0.7# cd ..
AWSWeb:~/yum-2.0.7/setups# cd..
bash: cd..: command not found
AWSWeb:~/yum-2.0.7/setups# cd ..
AWSWeb:~/yum-2.0.7# cd ..
AWSWeb:~# dir
bash: dir: command not found
AWSWeb:~# ls -la
drwxr-xr-x 1 root root      4096 2013-02-25 05:16 .
drwxr-xr-x 1 root root      4096 2013-02-25 05:16 ..
drwxr-xr-x 1 root root      4096 2009-11-06 11:16 .debtags
-rw------- 1 root root      5515 2009-11-20 09:08 .viminfo
drwx------ 1 root root      4096 2009-11-06 11:13 .aptitude
-rw-r--r-- 1 root root       140 2009-11-06 11:09 .profile
-rw-r--r-- 1 root root       412 2009-11-06 11:09 .bashrc
-rw-r--r-- 1 root root 208374041 2013-02-25 04:34 metasploit-latest-linux-installer.run
-rw-r--r-- 1 root root 208792036 2013-02-25 04:36 metasploit-latest-linux-x64-installer.run
-rw-r--r-- 1 root root    174080 2013-02-25 05:10 yum-2.0.7.tar.gz
drwxrwxr-x 1 root root      4096 2004-05-07 04:58 yum-2.0.7
AWSWeb:~# rpm -e yum
bash: rpm: command not found
AWSWeb:~# wget ftp://rpmfind.net/linux/fedora/core/4/i386/os/Fedora/RPMS/yum-2.3.2-7.noarch.rpm
ftp://rpmfind.net/linux/fedora/core/4/i386/os/Fedora/RPMS/yum-2.3.2-7.noarch.rpm: Unsupported scheme.
AuthorAdmin | CommentPost a Comment |
tagged , , , in
Sunday
Feb102013

Tektip ep21 - Drive Traffic to your Honeypot 

DateSunday, February 10, 2013 at 12:28PM


In this episode of TekTip, I am going to show a unique method to drive traffic to your Honeypot.  While I use Kippo as the example this approach will work for any Honeypot.

*If you do not know what Kippo is, shame on you. Watch this, this, and this to get caught up.

Now let's get to it.  The first thing we need to do is prep our Kippo Instance so that we can measure the results of the approach. Log into your Kippo Honeypot, probably on HoneyDrive.  Once logged in go to your kippo install directory and navigate to the data folder.

If using Honeydrive it will look something like this:

cd /opt/kippo/data

Now use the cat command to see what you currently have as allowable credentials in your userdb.txt.

cat userdb.txt
root:0:123456
root:0:abc123
root:0:p@ssw0rd

This is what I have.  As you can see I allow 3 of the top 10 most used passwords.  Now we want to add credentials that will be unique enough that they should not be attempted by your average attacker. Open userdb.txt in your favorite text editor and add a new line with the credentials you want to use. I added one for root:0:IamSo1337!. Running "cat userdb.txt" again shows the following:

cat userdb.txt

root:0:123456
root:0:abc123
root:0:p@ssw0rd
root:0:IamSo1337!

That takes care of the prep. Now if you are doing this with something other than Kippo, those previous steps won't apply. If whatever Honeypot you are using has the ability to let attackers authenticate you will want to set up a unique set of credentials for the experiment.  If not, press on.

We will now use Social Networks against are attackers.  To put it simply we are going to post login information for our Honeypot on a public site like pastebin, and then alert attackers to the information by posting a link to the paste file on social networks like Twitter.

You may want to keep the rest of the activity as anonymous as possible, so fire up Tor Browser or use proxychains to hide your IP information. Once anonymized go to pastebin.com.

The trick to getting this to work properly is to utilize keywords that attackers may have PasteLerts set up for. For instance you will want to include keywords such as ssh, login, username, password, root, and many others.  Make sure you use some of these keywords in the title as well.  Here is a sample one I put together:

Submit this and get your pastebin url.  Now this will be enough to bring in a few extra hits already, from people who are monitoring pastebin. To get even more folks to see this though we will need to take it a step further.

While still anonymizing your activity create a throwaway twitter account. As many people as there are that monitor pastebin, there are even more that monitor twitter (at least I am guessing so). In particular there are certain twitter users and list that people follow to get password dumps as they occur. My favorite of these is @PastebinDorks.

With your new twitter account create a tweet that mentions @PastebinDorks or another account like that.  Have it say something along the lines of, "Check out this one! http://pastebin.com/qi7wzp8h".  Now anyone that follows @PastebinDorks will see your post.  You may get lucky enough to have someone retweet it a few times.

Now you can just sit back and wait for the conenctions to roll in.  While I used twitter and pastebin in my example, this can be done with any like tools. The point is to get the data out there in the public and then use social networks to increase exposure.

To monitor your kippo logs to see when attackers use the user/pass combination you specified in the userdb.txt. navigate to your kippo logs directory and and do the following:

 

honeydrive@honeydrive:/opt/kippo/log$ cat kippo.log | grep 'login attempt'

2013-02-10 13:04:46+0000 [SSHService ssh-userauth on HoneyPotTransport,9237,193.200.88.100] login attempt [root/abcd1234] failed

2013-02-10 13:04:48+0000 [SSHService ssh-userauth on HoneyPotTransport,9238,193.200.88.100] login attempt [root/1234] failed

2013-02-10 13:04:53+0000 [SSHService ssh-userauth on HoneyPotTransport,9239,193.200.88.100] login attempt [root/redhat] failed

2013-02-10 13:04:59+0000 [SSHService ssh-userauth on HoneyPotTransport,9240,193.200.88.100] login attempt [oracle/oracle] failed

2013-02-10 13:05:02+0000 [SSHService ssh-userauth on HoneyPotTransport,9241,193.200.88.100] login attempt [test/test] failed

2013-02-10 13:05:04+0000 [SSHService ssh-userauth on HoneyPotTransport,9242,193.200.88.100] login attempt [root/1] failed

2013-02-10 13:05:07+0000 [SSHService ssh-userauth on HoneyPotTransport,9243,193.200.88.100] login attempt [root/123] failed

2013-02-10 13:05:09+0000 [SSHService ssh-userauth on HoneyPotTransport,9244,193.200.88.100] login attempt [root/123456789] failed

2013-02-10 13:05:12+0000 [SSHService ssh-userauth on HoneyPotTransport,9245,193.200.88.100] login attempt [root/12345678] failed

2013-02-10 13:05:14+0000 [SSHService ssh-userauth on HoneyPotTransport,9246,193.200.88.100] login attempt [root/1234567] failed

2013-02-10 13:05:17+0000 [SSHService ssh-userauth on HoneyPotTransport,9247,193.200.88.100] login attempt [root/12345] failed

2013-02-10 13:05:20+0000 [SSHService ssh-userauth on HoneyPotTransport,9248,193.200.88.100] login attempt [teamspeak/teamspeak] failed

2013-02-10 13:05:22+0000 [SSHService ssh-userauth on HoneyPotTransport,9249,193.200.88.100] login attempt [teamspeak/ts3] failed

2013-02-10 13:05:25+0000 [SSHService ssh-userauth on HoneyPotTransport,9250,193.200.88.100] login attempt [nagios/nagios] failed

2013-02-10 13:05:28+0000 [SSHService ssh-userauth on HoneyPotTransport,9251,193.200.88.100] login attempt [postgres/postgres] failed

2013-02-10 13:05:30+0000 [SSHService ssh-userauth on HoneyPotTransport,9252,193.200.88.100] login attempt [root/qwe] failed

2013-02-10 13:05:33+0000 [SSHService ssh-userauth on HoneyPotTransport,9253,193.200.88.100] login attempt [root/1q2w3e] failed

2013-02-10 13:05:40+0000 [SSHService ssh-userauth on HoneyPotTransport,9254,193.200.88.100] login attempt [root/1q2w3e4r] failed

2013-02-10 13:05:43+0000 [SSHService ssh-userauth on HoneyPotTransport,9255,193.200.88.100] login attempt [root/qweqwe123] failed

2013-02-10 13:05:45+0000 [SSHService ssh-userauth on HoneyPotTransport,9256,193.200.88.100] login attempt [root/qazwsxedc] failed

2013-02-10 13:05:48+0000 [SSHService ssh-userauth on HoneyPotTransport,9257,193.200.88.100] login attempt [root/1qa2ws3ed] failed

2013-02-10 13:05:57+0000 [SSHService ssh-userauth on HoneyPotTransport,9258,193.200.88.100] login attempt [root/123123] failed

2013-02-10 13:06:00+0000 [SSHService ssh-userauth on HoneyPotTransport,9259,193.200.88.100] login attempt [root/abcd1234] failed

2013-02-10 13:06:03+0000 [SSHService ssh-userauth on HoneyPotTransport,9260,193.200.88.100] login attempt [root/qazwsx123] failed

2013-02-10 13:06:05+0000 [SSHService ssh-userauth on HoneyPotTransport,9261,193.200.88.100] login attempt [root/abc123] succeeded

2013-02-10 13:06:22+0000 [SSHService ssh-userauth on HoneyPotTransport,9262,193.200.88.100] login attempt [root/toor] failed

2013-02-10 13:015:24+0000 [SSHService ssh-userauth on HoneyPotTransport,9263,64.185.229.236] login attempt [root/IamSo1337!] succeeded

If you have any other tips or tricks like this, let me know by leaving a comment or sending me an email at 1aN0rmus@TekDefense.com 

AuthorAdmin | CommentPost a Comment |
tagged , , , in
Friday
Feb082013

The Kippo Kronicles - Ep2 OMG APT

DateFriday, February 8, 2013 at 3:02PM

In this episode of the Kippo Kroicles we replay the attack of the most advanced of all attackers, the APT Attacker.  Okay, not quite.  In fact calling this guy (or maybe gal) an APT'er is like calling your chubby friend slim.  I get typing dir in once on accident, but to repeatedly try to type dir in linux, come on now.  Anyways, I have a ton of logs stored up and ready to videotize.  More to come.

AuthorAdmin | CommentPost a Comment |
tagged , , , , in
Tuesday
Jan222013

The Kippo Kronicles - Ep1

DateTuesday, January 22, 2013 at 9:43AM

Welcome to the first of many Kippo Kronicles.  In this series I will use the replay function of Kippo to show what attackers have attempted to do on my honeypot.  I hope you enjoy.

AuthorAdmin | CommentPost a Comment |
tagged , , , in
Page 1 2 Next 5 Entries »