Over a year with Kippo

UPDATE: After posting, @ikoniaris of HoneyDrive and BruteForce Labs fame recommended running kippo-stats.pl, written by Tomasz Miklas and Miguel Jacq, against the same logs. Here are its results.
As many of you know from previous posts, I am a big fan of honeypots, particularly Kippo. My main Kippo instance, running in AWS, has now been online for over a year. Let's take a look at what it captured and what we learned over that year. If you want to validate any of these statistics, I have made the raw logs available for download.
General Stats:
Unique values seen across 135526 connections:
Unique Usernames: 8600 (Username list)
Unique Passwords: 75780 (wordlist)
Unique Sources: 1985 (list of IPs)

*Map Generated with JCSOCAL's GIPC

Top 11 Countries (by unique source IP):
China: 699
United States: 654
Brazil: 76
Russian Federation: 69
Germany: 65
Korea, Republic of: 57
Romania: 56
Egypt: 52
Japan: 50
India: 41
Indonesia: 41
Passwords:
One of my favorite uses of Kippo data is generating wordlists from the login attempts. I wrote a quick script that parses the Kippo logs, pulls out every password tried, and deduplicates them into a wordlist. Feel free to grab it. I have also made the resulting wordlists available for download.
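The parsing step described above, as an added example (this is not the author's script, which is linked from the post): a Python pass over kippo.log that pulls every login attempt, deduplicates the passwords into a wordlist ordered by how often each was tried, and produces the same headline numbers as the stats above (unique usernames, passwords and sources, successful logins, password-length distribution). It assumes the login-attempt line format Kippo writes to kippo.log, and the sample lines embedded in it are constructed for the example, not captured data.

```python
"""Wordlist and headline statistics from Kippo's kippo.log.

Added example, not the script from the original post. It assumes Kippo's
login-attempt log line format (assumption, based on Kippo's auth logging):

  <date> <time>+0000 [SSHService ssh-userauth on HoneyPotTransport,<id>,<src>] login attempt [<user>/<password>] succeeded|failed

The user/password split is on the first "/", because Kippo logs "[user/password]"
unescaped; a username containing "/" would be mis-split, a password may contain anything.
"""
import re
import sys
from collections import Counter

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) "
    r"\[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<src>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/]*)/(?P<password>.*)\] (?P<result>succeeded|failed)$"
)

# Constructed sample lines in kippo.log style (not real captured data).
SAMPLE_LOG = """\
2014-07-20 00:50:10+0000 [SSHService ssh-userauth on HoneyPotTransport,12,203.0.113.7] login attempt [root/123456] succeeded
2014-07-20 00:50:11+0000 [SSHService ssh-userauth on HoneyPotTransport,13,203.0.113.7] login attempt [root/changeme] failed
2014-07-20 00:50:12+0000 [SSHService ssh-userauth on HoneyPotTransport,14,198.51.100.9] login attempt [admin/admin] failed
2014-07-20 00:50:13+0000 [SSHService ssh-userauth on HoneyPotTransport,15,198.51.100.9] login attempt [oracle/oracle] failed
2014-07-20 00:50:14+0000 [SSHService ssh-userauth on HoneyPotTransport,16,198.51.100.9] login attempt [root/123456] succeeded
2014-07-20 00:50:15+0000 [SSHService ssh-userauth on HoneyPotTransport,17,192.0.2.33] login attempt [test/] failed
2014-07-20 00:50:16+0000 [SSHService ssh-userauth on HoneyPotTransport,17,192.0.2.33] connection lost
"""


def parse_attempts(lines):
    """Yield (source_ip, user, password, succeeded) for every login-attempt line."""
    for line in lines:
        m = LOGIN_RE.match(line.rstrip("\r\n"))
        if m:
            yield m["src"], m["user"], m["password"], m["result"] == "succeeded"


def summarize(lines):
    """Headline numbers comparable to the 'General Stats' section of the post."""
    attempts = list(parse_attempts(lines))
    passwords = Counter(p for _, _, p, _ in attempts)
    users = Counter(u for _, u, _, _ in attempts)
    sources = Counter(s for s, _, _, _ in attempts)
    # Length distribution is over attempts, not unique passwords, like Pipal's.
    lengths = Counter(len(p) for p in passwords.elements())
    return {
        "attempts": len(attempts),
        "unique_passwords": len(passwords),
        "unique_usernames": len(users),
        "unique_sources": len(sources),
        "top_passwords": passwords.most_common(10),
        "top_sources": sources.most_common(10),
        "successes": [(s, u, p) for s, u, p, ok in attempts if ok],
        "length_distribution": sorted(lengths.items()),
    }


def wordlist(lines):
    """Unique passwords, most-attempted first; the empty password is dropped."""
    counts = Counter(p for _, _, p, _ in parse_attempts(lines))
    counts.pop("", None)
    return [p for p, _ in counts.most_common()]


if __name__ == "__main__":
    # Usage: python kippo_wordlist.py /path/to/kippo.log  (no argument: sample data)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    stats = summarize(lines)
    for key in ("attempts", "unique_usernames", "unique_passwords", "unique_sources"):
        print(f"{key}: {stats[key]}")
    print("top passwords:", stats["top_passwords"])
    print("successful logins (src, user, password):", stats["successes"])
    with open("wordlist.txt", "w", encoding="utf-8") as out:
        out.write("\n".join(wordlist(lines)) + "\n")
```

Feed the resulting wordlist.txt to Pipal exactly as in the run below; because the list is ordered by attempt count, the head of the file is also a ready-made "top N" list for a quick pass with any cracker.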
Using Pipal I performed analysis of all the login attempts over this year:
remnux@remnux:~/custom_tools/pipal$ ./pipal.rb ../TekDefense/wordlist.txt
Generating stats, hit CTRL-C to finish early and dump stats on words already processed.
Basic Results
Total entries = 203400
Total unique entries = 75627
Top 10 passwords
123456 = 3561 (1.75%)
12345 = 1550 (0.76%)
password = 1539 (0.76%)
changeme = 1303 (0.64%)
1234 = 1231 (0.61%)
test = 1165 (0.57%)
abc123 = 1000 (0.49%)
123 = 766 (0.38%)
qwerty = 586 (0.29%)
root = 529 (0.26%)
Top 10 base words
root = 2256 (1.11%)
password = 2178 (1.07%)
test = 1853 (0.91%)
admin = 1538 (0.76%)
changeme = 1391 (0.68%)
qwerty = 1114 (0.55%)
oracle = 802 (0.39%)
p@ssw0rd = 709 (0.35%)
qaz2wsx = 708 (0.35%)
qwer = 591 (0.29%)
Password length (length ordered)
1 = 2247 (1.1%)
2 = 1539 (0.76%)
3 = 5589 (2.75%)
4 = 15420 (7.58%)
5 = 17910 (8.81%)
6 = 38125 (18.74%)
7 = 23075 (11.34%)
8 = 33164 (16.3%)
9 = 18631 (9.16%)
10 = 14059 (6.91%)
11 = 8525 (4.19%)
12 = 8627 (4.24%)
13 = 3759 (1.85%)
14 = 2617 (1.29%)
15 = 2025 (1.0%)
16 = 1786 (0.88%)
17 = 826 (0.41%)
18 = 1256 (0.62%)
19 = 520 (0.26%)
20 = 892 (0.44%)
21 = 275 (0.14%)
22 = 190 (0.09%)
23 = 303 (0.15%)
24 = 386 (0.19%)
25 = 172 (0.08%)
26 = 181 (0.09%)
27 = 56 (0.03%)
28 = 77 (0.04%)
29 = 47 (0.02%)
30 = 67 (0.03%)
31 = 111 (0.05%)
32 = 261 (0.13%)
33 = 96 (0.05%)
34 = 90 (0.04%)
35 = 117 (0.06%)
36 = 75 (0.04%)
37 = 19 (0.01%)
38 = 22 (0.01%)
39 = 30 (0.01%)
40 = 9 (0.0%)
41 = 73 (0.04%)
42 = 7 (0.0%)
43 = 3 (0.0%)
44 = 12 (0.01%)
45 = 16 (0.01%)
46 = 15 (0.01%)
47 = 9 (0.0%)
48 = 9 (0.0%)
49 = 20 (0.01%)
50 = 5 (0.0%)
51 = 7 (0.0%)
52 = 8 (0.0%)
54 = 2 (0.0%)
56 = 22 (0.01%)
57 = 1 (0.0%)
60 = 1 (0.0%)
62 = 3 (0.0%)
63 = 1 (0.0%)
64 = 4 (0.0%)
66 = 1 (0.0%)
69 = 2 (0.0%)
71 = 3 (0.0%)
Password length (count ordered)
6 = 38125 (18.74%)
8 = 33164 (16.3%)
7 = 23075 (11.34%)
9 = 18631 (9.16%)
5 = 17910 (8.81%)
4 = 15420 (7.58%)
10 = 14059 (6.91%)
12 = 8627 (4.24%)
11 = 8525 (4.19%)
3 = 5589 (2.75%)
13 = 3759 (1.85%)
14 = 2617 (1.29%)
1 = 2247 (1.1%)
15 = 2025 (1.0%)
16 = 1786 (0.88%)
2 = 1539 (0.76%)
18 = 1256 (0.62%)
20 = 892 (0.44%)
17 = 826 (0.41%)
19 = 520 (0.26%)
24 = 386 (0.19%)
23 = 303 (0.15%)
21 = 275 (0.14%)
32 = 261 (0.13%)
22 = 190 (0.09%)
26 = 181 (0.09%)
25 = 172 (0.08%)
35 = 117 (0.06%)
31 = 111 (0.05%)
33 = 96 (0.05%)
34 = 90 (0.04%)
28 = 77 (0.04%)
36 = 75 (0.04%)
41 = 73 (0.04%)
30 = 67 (0.03%)
27 = 56 (0.03%)
29 = 47 (0.02%)
39 = 30 (0.01%)
38 = 22 (0.01%)
56 = 22 (0.01%)
49 = 20 (0.01%)
37 = 19 (0.01%)
45 = 16 (0.01%)
46 = 15 (0.01%)
44 = 12 (0.01%)
47 = 9 (0.0%)
40 = 9 (0.0%)
48 = 9 (0.0%)
52 = 8 (0.0%)
51 = 7 (0.0%)
42 = 7 (0.0%)
50 = 5 (0.0%)
64 = 4 (0.0%)
43 = 3 (0.0%)
62 = 3 (0.0%)
71 = 3 (0.0%)
54 = 2 (0.0%)
69 = 2 (0.0%)
63 = 1 (0.0%)
66 = 1 (0.0%)
60 = 1 (0.0%)
57 = 1 (0.0%)
[Pipal ASCII histogram of password length, x-axis 0 to 71 characters; same data as the length tables above]
One to six characters = 80830 (39.74%)
One to eight characters = 137069 (67.39%)
More than eight characters = 66331 (32.61%)
Only lowercase alpha = 83305 (40.96%)
Only uppercase alpha = 659 (0.32%)
Only alpha = 83964 (41.28%)
Only numeric = 23069 (11.34%)
First capital last symbol = 1318 (0.65%)
First capital last number = 4224 (2.08%)
Single digit on the end = 10990 (5.4%)
Two digits on the end = 5787 (2.85%)
Three digits on the end = 19356 (9.52%)
Last number
0 = 5035 (2.48%)
1 = 9472 (4.66%)
2 = 5868 (2.88%)
3 = 21244 (10.44%)
4 = 6911 (3.4%)
5 = 5498 (2.7%)
6 = 8139 (4.0%)
7 = 3273 (1.61%)
8 = 3836 (1.89%)
9 = 3934 (1.93%)
[Pipal ASCII histogram of last digit, x-axis 0 to 9; same data as the "Last number" table above]
Last digit
3 = 21244 (10.44%)
1 = 9472 (4.66%)
6 = 8139 (4.0%)
4 = 6911 (3.4%)
2 = 5868 (2.88%)
5 = 5498 (2.7%)
0 = 5035 (2.48%)
9 = 3934 (1.93%)
8 = 3836 (1.89%)
7 = 3273 (1.61%)
Last 2 digits (Top 10)
23 = 17068 (8.39%)
56 = 5973 (2.94%)
34 = 3792 (1.86%)
45 = 2980 (1.47%)
12 = 2109 (1.04%)
21 = 2072 (1.02%)
11 = 1976 (0.97%)
89 = 1578 (0.78%)
00 = 1135 (0.56%)
10 = 1016 (0.5%)
Last 3 digits (Top 10)
123 = 16664 (8.19%)
456 = 5829 (2.87%)
234 = 3705 (1.82%)
345 = 2588 (1.27%)
321 = 1513 (0.74%)
111 = 1189 (0.58%)
789 = 1168 (0.57%)
678 = 758 (0.37%)
000 = 703 (0.35%)
567 = 672 (0.33%)
Last 4 digits (Top 10)
3456 = 5452 (2.68%)
1234 = 3635 (1.79%)
2345 = 2578 (1.27%)
1111 = 980 (0.48%)
6789 = 858 (0.42%)
5678 = 737 (0.36%)
4321 = 656 (0.32%)
4567 = 649 (0.32%)
3123 = 643 (0.32%)
7890 = 496 (0.24%)
Last 5 digits (Top 10)
23456 = 5439 (2.67%)
12345 = 2571 (1.26%)
56789 = 852 (0.42%)
11111 = 842 (0.41%)
45678 = 710 (0.35%)
34567 = 643 (0.32%)
23123 = 607 (0.3%)
54321 = 508 (0.25%)
67890 = 483 (0.24%)
00000 = 302 (0.15%)
Character sets
loweralpha: 83305 (40.96%)
loweralphanum: 53690 (26.4%)
numeric: 23069 (11.34%)
mixedalphanum: 8112 (3.99%)
loweralphaspecialnum: 7073 (3.48%)
loweralphaspecial: 5802 (2.85%)
mixedalphaspecialnum: 4159 (2.04%)
mixedalpha: 3041 (1.5%)
specialnum: 1849 (0.91%)
special: 1738 (0.85%)
upperalphanum: 1117 (0.55%)
mixedalphaspecial: 1017 (0.5%)
upperalphaspecial: 749 (0.37%)
upperalpha: 659 (0.32%)
upperalphaspecialnum: 364 (0.18%)
Character set ordering
allstring: 87005 (42.78%)
stringdigit: 35764 (17.58%)
othermask: 35359 (17.38%)
alldigit: 23069 (11.34%)
stringdigitstring: 6280 (3.09%)
digitstring: 4939 (2.43%)
stringspecialstring: 2298 (1.13%)
stringspecial: 2217 (1.09%)
stringspecialdigit: 1809 (0.89%)
digitstringdigit: 1756 (0.86%)
allspecial: 1738 (0.85%)
specialstring: 831 (0.41%)
specialstringspecial: 335 (0.16%)
A few things stand out. Two thirds of the attempted passwords (67.39%) were eight characters or shorter, and about 41% were lowercase letters only. The top base words (root, password, test, admin, changeme, oracle) show that most of this traffic is guessing vendor defaults and service accounts rather than anything targeted. The most attempted password, 123456, is also the root password Kippo ships with in its default userdb.txt, so on an unmodified install the most common guess succeeds on the first try.
When an attacker changes the root password inside a Kippo session (or tries to add an account), Kippo captures the new password and appends it to its accepted-credentials list, data/userdb.txt, one user:uid:password entry per line, so that attacker's later logins with it succeed. The following entries were added over the year:
root:0:albertinoalbert123
root:0:fgashyeq77dhshfa
root:0:florian12eu
root:0:hgd177q891999wwwwwe1.dON
root:0:iphone5
root:0:kokot
root:0:nope
root:0:picvina
root:0:scorpi123
root:0:test
root:0:xiaozhe
root:0:12345
root:0:bnn318da9031kdamfaihheq1fa
root:0:ls
root:0:neonhostt1
root:0:wget123
Downloads:
Kippo saves every file fetched with wget into its dl/ directory, named with the download timestamp followed by the URL with every character that is not a letter or digit replaced by an underscore (which is why dots and slashes can no longer be told apart). The files captured this year, one per line:
20131030113401_http___198_2_192_204_22_disknyp
20131103183232_http___61_132_227_111_8080_meimei
20131104045744_http___198_2_192_204_22_disknyp
20131114214017_http___www_unrealircd_com_downloads_Unreal3_2_8_1_tar_gz
20131116130541_http___198_2_192_204_22_disknyp
20131129165151_http___dl_dropboxusercontent_com_s_1bxj9ak8m1octmk_ktx_c
20131129165438_http___dl_dropboxusercontent_com_s_66gpt66lvut4gdu_ktx
20131202040921_http___198_2_192_204_22_disknyp
20131207123419_http___packetstorm_wowhacker_com_DoS_juno_c
20131216143108_http___www_psybnc_at_download_beta_psyBNC_2_3_2_7_tar_gz
20131216143208_http___X_hackersoft_org_scanner_gosh_jpg
20131216143226_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
20131217163423_http___ha_ckers_org_slowloris_slowloris_pl
20131217163456_http___www_lemarinel_net_perl
20131222084315_http___maxhub_com_auto_bill_pipe_bot
20140103142644_http___ftp_gnu_org_gnu_autoconf_autoconf_2_69_tar_gz
20140109170001_http___sourceforge_net_projects_cpuminer_files_pooler_cpuminer_2_3_2_linux_x86_tar_gz
20140120152204_http___111_39_43_54_5555_dos32
20140122202342_http___layer1_cpanel_net_latest
20140122202549_http___linux_duke_edu_projects_yum_download_2_0_yum_2_0_7_tar_gz
20140122202751_http___www_ehcp_net_ehcp_latest_tgz
20140201131804_http___www_suplementar_com_br_images_stories_goon_pooler_cpuminer_2_3_2_tar_gz
20140201152307_http___nemo_rdsor_ro_darwin_jpg
20140208081358_http___www_youtube_com_watch_v_6hVQs5ll064
20140208184835_http___sharplase_ru_x_txt
20140215141909_http___tenet_dl_sourceforge_net_project_cpuminer_pooler_cpuminer_2_3_2_tar_gz
20140215142830_http___sourceforge_net_projects_cpuminer_files_pooler_cpuminer_2_3_2_tar_gz
20140219072721_http___www_psybnc_at_download_beta_psyBNC_2_3_2_7_tar_gz
20140328031725_http___dl_dropboxusercontent_com_u_133538399_multi_py
20140409053322_http___www_c99php_com_shell_c99_rar
20140409053728_http___github_com_downloads_orbweb_PHP_SHELL_WSO_wso2_5_1_php
20140413130110_http___www_iphobos_com_hb_unixcod_rar
20140416194008_http___linux_help_bugs3_com_Camel_mail_txt
20140419143734_http___www_activestate_com_activeperl_downloads_thank_you_dl_http___downloads_activestate_com_ActivePerl_releases_5_18_2_1802_ActivePerl_5_18_2_1802_x86_64_linux_glibc_2_5_298023_tar_gz
20140419144043_http___ha_ckers_org_slowloris_slowloris_pl
20140420104056_http___downloads_metasploit_com_data_releases_archive_metasploit_4_9_2_linux_x64_installer_run
20140420104325_http___nmap_org_dist_nmap_6_46_1_i386_rpm
20140505073503_http___116_255_239_180_888_007
20140505093229_http___119_148_161_25_805_sd32
20140505111511_http___112_117_223_10_280_1
20140515091557_http___112_117_223_10_280__bash_6_phpmysql
20140519193800_http___www_unrealircd_com_downloads_Unreal3_2_8_1_tar_gz
20140523120411_http___lemonjuice_tk_netcat_sh
20140610174516_http___59_63_183_193_280__etc_Test8888
20140614200901_http___kismetismy_name_ktx
20140625032113_http___ftp_mirrorservice_org_sites_ftp_wiretapped_net_pub_security_packet_construction_netcat_gnu_netcat_netcat_0_7_1_tar_gz
20140720005010_http___www_bl4ck_viper_persiangig_com_p8_localroots_2_6_x_cw7_3
The mix is typical of this kind of traffic: unidentified binaries pulled from bare IP addresses (disknyp, meimei, dos32, sd32), cpuminer builds for cryptocurrency mining, IRC bouncers and daemons (psyBNC, UnrealIRCd), DoS scripts (slowloris, juno), PHP web shells (c99, WSO), a "localroots" archive of 2.6.x kernel exploits, and ordinary tooling (nmap, Metasploit, netcat, ActivePerl, cPanel) used to set up shop on the compromised host.
TTY Replay Sessions:
Kippo records every interactive session and replays it with its playlog utility. The sessions below are reproduced with the terminal escape sequences removed and the attacker's typing corrections resolved to the command that was actually run. Worth noticing: the attacker tries to add an account twice (the emulated adduser rejects the input both times), looks for /etc/shadow, tries to restart sshd, and finally attempts to use the host as a pivot with ssh -D (the emulated ssh never leaves the honeypot). Also visible are the tells an attentive attacker could use to spot the honeypot: cat /etc/shadow reports "No such file or directory", every directory in ls -l has a link count of 1, and the kernel in the fake login banner (2.6.26-2-686) does not match the one reported by uname -a (2.6.24-2-generic).

AWSWeb:~# adduser
adduser: Only one or two names allowed.
AWSWeb:~# useradd
adduser: Only one or two names allowed.
AWSWeb:~# ls
AWSWeb:~# pwd
root
AWSWeb:~# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
richard:x:1000:1000:richard,,,:/home/richard:/bin/bash
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
AWSWeb:~# user
bash: user: command not found
AWSWeb:~# adduser obz
Adding user `obz' ...
Adding new group `obz' (1001) ...
Adding new user `obz' (1001) with group `obz' ...
Creating home directory `/home/obz' ...
Copying files from `/etc/skel' ...
Password:
Password again:
Changing the user information for obz
Enter the new value, or press ENTER for the default
Username []:
Must enter a value!
Username []: obz
Full Name []: admin obz
Room Number []: 1
Work Phone []: 1234567890
Home Phone []:
Must enter a value!
Home Phone []: 0
Mobile Phone []: 0
Country []: cn
City []: xang
Language []: mand
Favorite movie []: 1
Other []: 1
Is the information correct? [Y/n] y
ERROR: Some of the information you entered is invalid
Deleting user `obz' ...
Deleting group `obz' (1001) ...
Deleting home directory `/home/obz' ...
Try again? [Y/n] y
Changing the user information for obz
Enter the new value, or press ENTER for the default
Username []: obx
Full Name []: obx toor
Room Number []: 1
Work Phone []: 9089543121
Home Phone []: 9089342135
Mobile Phone []: 9089439012
Country []: cn
City []: xang
Language []: english
Favorite movie []: one
Other []: four
Is the information correct? [Y/n] y
ERROR: Some of the information you entered is invalid
Deleting user `obz' ...
Deleting group `obz' (1001) ...
Deleting home directory `/home/obz' ...
Try again? [Y/n] n
AWSWeb:~# cat adduser obz user cat /etc/passwd
[same /etc/passwd listing as above]
AWSWeb:~# cat /etc/shadow
cat: /etc/shadow: No such file or directory
AWSWeb:~# /etc/init.D/ssh start
bash: /etc/init.D/ssh: command not found
AWSWeb:~# /etc/init.d/ssh start
bash: /etc/init.d/ssh: command not found
AWSWeb:~# [empty prompt repeated, Enter pressed several times]
AWSWeb:~# exit
Connection to server closed.

localhost:~# exit
Connection to server closed.

localhost:~# bye
bash: bye: command not found
localhost:~# exit
Connection to server closed.

localhost:~# admin
bash: admin: command not found
localhost:~# su
localhost:~# ls -l
drwxr-xr-x 1 root root 4096 2013-02-03 17:11 .
drwxr-xr-x 1 root root 4096 2013-02-03 17:11 ..
drwxr-xr-x 1 root root 4096 2009-11-06 11:16 .debtags
-rw------- 1 root root 5515 2009-11-20 09:08 .viminfo
drwx------ 1 root root 4096 2009-11-06 11:13 .aptitude
-rw-r--r-- 1 root root 140 2009-11-06 11:09 .profile
-rw-r--r-- 1 root root 412 2009-11-06 11:09 .bashrc
localhost:~# pwd
/root
localhost:~# cd /
localhost:/# ls -l
drwxr-xr-x 1 root root 4096 2013-02-03 17:11 .
drwxr-xr-x 1 root root 4096 2013-02-03 17:11 ..
drwxr-xr-x 1 root root 0 2009-11-20 08:19 sys
drwxr-xr-x 1 root root 4096 2009-11-08 15:42 bin
drwxr-xr-x 1 root root 4096 2009-11-06 11:08 mnt
drwxr-xr-x 1 root root 4096 2009-11-06 11:08 media
lrwxrwxrwx 1 root root 25 2009-11-06 11:16 vmlinuz -> /boot/vmlinuz-2.6.26-2-686
drwxr-xr-x 1 root root 4096 2009-11-06 11:09 opt
lrwxrwxrwx 1 root root 11 2009-11-06 11:08 cdrom -> /media/cdrom0
drwxr-xr-x 1 root root 4096 2009-11-06 11:08 selinux
drwxrwxrwx 1 root root 4096 2009-11-20 08:19 tmp
dr-xr-xr-x 1 root root 0 2009-11-20 08:19 proc
drwxr-xr-x 1 root root 4096 2009-11-08 15:41 sbin
drwxr-xr-x 1 root root 4096 2009-11-20 08:20 etc
drwxr-xr-x 1 root root 3200 2009-11-20 08:20 dev
drwxr-xr-x 1 root root 4096 2009-11-06 11:09 srv
lrwxrwxrwx 1 root root 28 2009-11-06 11:16 initrd.img -> /boot/initrd.img-2.6.26-2-686
drwxr-xr-x 1 root root 4096 2009-11-08 15:46 lib
drwxr-xr-x 1 root root 4096 2009-11-06 11:22 home
drwxr-xr-x 1 root root 4096 2009-11-06 11:09 var
drwxr-xr-x 1 root root 4096 2009-11-08 15:46 usr
drwxr-xr-x 1 root root 4096 2009-11-08 15:39 boot
drwxr-xr-x 1 root root 4096 2009-11-20 09:08 root
drwx------ 1 root root 16384 2009-11-06 11:08 lost+found
localhost:/# cd /home
localhost:/home# ls -ll
drwxr-xr-x 1 root root 4096 2013-02-03 17:11 .
drwxr-xr-x 1 root root 4096 2013-02-03 17:11 ..
drwxr-xr-x 1 1000 1000 4096 2009-11-06 11:22 richard
localhost:/home# exit
Connection to server closed.

localhost:~# [empty prompt repeated, Enter pressed several times]
localhost:~# ssh -D root@60.250.65.112 1337
The authenticity of host '60.250.65.112 (60.250.65.112)' can't be established.
RSA key fingerprint is 9d:30:97:8a:9e:48:0d:de:04:8d:76:3a:7b:4b:30:f8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '60.250.65.112' (RSA) to the list of known hosts.
root@60.250.65.112's password:
Linux localhost 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686
Last login: Sat Feb 2 07:07:11 2013 from 192.168.9.4
localhost:~# uname -a
Linux localhost 2.6.24-2-generic #1 SMP Thu Dec 20 17:36:12 GMT 2007 i686 GNU/Linux
localhost:~# pwd
/root
localhost:~# cd /
localhost:/# ls -l
[same / listing as above, with . and .. dated 2013-02-03 17:19]
localhost:/# cd /root
localhost:~# ls -ll
[same /root listing as above, with . and .. dated 2013-02-03 17:19]
localhost:~# cd /home/
localhost:/home# ls -l
drwxr-xr-x 1 root root 4096 2013-02-03 17:20 .
drwxr-xr-x 1 root root 4096 2013-02-03 17:20 ..
drwxr-xr-x 1 1000 1000 4096 2009-11-06 11:22 richard
localhost:/home# exit
Connection to server closed.
localhost:~# exit
Connection to server closed.
localhost:~#
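In the raw replay, the corrections the attacker typed show up as the mistyped text followed by terminal control sequences (ESC[1D moves the cursor left one column, ESC[1P deletes the character under it, ESC[K erases to end of line), which is how "cd /" followed by four of each and then "cat /etc/passwd" ends up as a single command. As an added example (not code from the post or from Kippo), the following Python resolves those sequences to recover the final command line from a captured stream and pulls the commands out of a replayed session. The prompt pattern and the sample transcript are constructed here from the edits visible above, not taken from a real TTY log.

```python
"""Recover the commands actually run from a Kippo TTY replay stream.

Added example, not part of the original post or of Kippo. The raw terminal
stream carries the attacker's typos together with the ANSI edits that fixed
them; this resolver applies cursor-left (CUB, ESC[nD), cursor-right (CUF,
ESC[nC), delete-char (DCH, ESC[nP), erase-to-EOL (EL, ESC[K), backspace and
DEL to a single line and returns the text the shell finally saw.
"""
import re

ESC = "\x1b"
# A CSI sequence: ESC [ <optional count> <final letter>
CSI_RE = re.compile(r"\x1b\[(\d*)([A-Za-z])")
# Assumed Kippo-style prompt, e.g. "AWSWeb:~# " or "localhost:/home# "
PROMPT_RE = re.compile(r"^[\w.-]+:[^#$\r\n]*[#$] ")

# Constructed sample replay reproducing the three corrections seen in the
# AWSWeb session above (not a real capture).
SAMPLE_REPLAY = "".join([
    "AWSWeb:~# cd /", "\x1b[1D\x1b[1P" * 4, "cat /etc/passwd\r\n",
    "root:x:0:0:root:/root:/bin/bash\r\n",
    "AWSWeb:~# /etc/init.d\\", "\x1b[1D\x1b[1P" * 2, "D/ssh start\r\n",
    "bash: /etc/init.D/ssh: command not found\r\n",
    "AWSWeb:~# \x1b[K/etc/init.D/ssh start", "\x1b[1D" * 11, "\x1b[1Pd\r\n",
    "bash: /etc/init.d/ssh: command not found\r\n",
])


def resolve_line(raw):
    """Apply line-editing control sequences in `raw` and return the final text."""
    buf = []   # characters currently on the line
    cur = 0    # cursor index into buf
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == ESC:
            m = CSI_RE.match(raw, i)
            if not m:
                i += 1                     # lone ESC: drop it
                continue
            n = int(m.group(1) or "1")
            final = m.group(2)
            if final == "D":               # cursor back n columns
                cur = max(0, cur - n)
            elif final == "C":             # cursor forward n columns
                cur = min(len(buf), cur + n)
            elif final == "P":             # delete n chars at cursor
                del buf[cur:cur + n]
            elif final == "K":             # erase from cursor to end of line
                del buf[cur:]
            # other CSI sequences (colours, etc.) carry no text: ignore them
            i = m.end()
            continue
        if ch in ("\x08", "\x7f"):         # backspace / DEL: remove char before cursor
            if cur > 0:
                del buf[cur - 1]
                cur -= 1
        elif ch in "\r\n":                 # end of the input line
            break
        else:                              # printable: insert at cursor (shell line editing inserts, not overwrites)
            buf.insert(cur, ch)
            cur += 1
        i += 1
    return "".join(buf)


def extract_commands(replay_text, prompt_re=PROMPT_RE):
    """Return the resolved command typed after every prompt in a replayed session."""
    commands = []
    for line in replay_text.splitlines():
        m = prompt_re.match(line)
        if m:
            cmd = resolve_line(line[m.end():])
            if cmd:
                commands.append(cmd)
    return commands


if __name__ == "__main__":
    for cmd in extract_commands(SAMPLE_REPLAY):
        print(cmd)
```

Running the script against the sample prints the three commands the attacker ended up executing: cat /etc/passwd, /etc/init.D/ssh start and /etc/init.d/ssh start. Pointed at the text of a playlog run, the same function gives a clean command list per session for counting what attackers do first, which is the automation the conclusion below calls for.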
Conclusion:
After a year with Kippo, I have learned a lot about what these basic attackers do once they land on what looks like an open SSH host, and there is plenty more to learn. I have plans to build out a larger honeypot infrastructure and to automate more of the data collection and parsing, and I would like to spend more time analyzing the sessions and the downloaded malware for further trends. I'll keep you all posted!
*Big thanks to Bruteforce Labs for their tools and expertise in honeypots.