Kippo honeypot on Cubieboard Ubuntu

homecircuitsposts

Kippo is an SSH honeypot written in Python. Kippo is used to log brute force attacks and the entire shell interaction performed by an attacker so I have installed it on my cubieboard2 Lubuntu version. According to wiki a honeypot is a trap set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems.

So lets start to install and test my first honeypot.

Preparation for the kippo installation

update repositories:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get clean

and install python prerequisites for kippo

sudo apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted

I had problems since my repository was not longer supported so I need to changes repository source. For more info visit the following forums:

 

 

Install Kippo honeypot

Create user kippo:

sudo adduser --disabled-login kippo

This will create a user called ‘kippo’ with no rights to login (like via SSH). A home directory will be created for him: /home/kippo/.

login as kippo and download kippo source from git (also svn and file is available on internet)

sudo su kippo
cd ~
git clone https://github.com/desaster/kippo.git
cd kippo

Inside this folder are some interesting other folders:

 

  • dl: downloaded files will be stored here
  • txtcmds: when the attacker enters a command it will just cat the content to his session
  • doc: contains readme files, read them! And contains a MySQL file to be imported to your database
  • honeyfs: contains existent files, all files which exist here can be viewed by the attacker
  • kippo: contains Kippo itself, the Python scripts
  • log: contains the kippo.log and in subfolder tty/ the tty logs of attackers
  • utils: contains usefull Python scripts
  • data: contains userdb.txt where login data for the honeypot is stored

 

Start kippo

To use default configuration (port 2222) just clone kippo.cfg.dist file to kippo.cfg file that will be used for the later kippo configuration and then just start kippo honeypot with kippo user

cp kippo.cfg.dist kippo.cfg

./start.sh
To check if kippo is listening on port 2222, execute netstat from a home user (with sudo privileges)

sudo netstat -antp | grep 2222

 

To see the connections tries:

 cat ./kippo/log/kippo.log

The default password for kippo is 123456.

simple add new user with passwords in kippo/data/userdb.txt file

To stop kippo, just execute:

bash ./stop.sh

To test file download try wget and the downloaded file is in kippo/dl directory.
Connect to kippo from localhost with:

ssh -p 2222 tomas@localhost

 

Log files in a mem disk (not in NAND flash)

To not use NAND storage I have move logs and storage of downloaded files to memory disk, more in this ubuntu-data-in-memory-disk post. I have also set the limit of the storage to 5MB so the intruder will not harm my cubieboard storage (hopefully).

As user kippo

mkdir -p /home/kippo/kippo/memlog
mkdir -p /home/kippo/kippo/memdl

As user linaro (my home user with sudo rights)

sudo mount -t tmpfs -o size=5M,mode=0777 tmpfs /home/kippo/kippo/memlog
sudo chown kippo:kippo /home/kippo/kippo/memlog
mkdir /home/kippo/kippo/memlog/tty
sudo chown kippo:kippo /home/kippo/kippo/memlog/tty
sudo mount -t tmpfs -o size=5M,mode=0777 tmpfs /home/kippo/kippo/memdl

sudo chown kippo:kippo /home/kippo/kippo/memdl

Change  kippo.cfg and  start.sh configuration with new log files directories. Start.sh example of changed line:

twistd -y kippo.tac -l memlog/kippo.log --pidfile kippo.pid

Be careful to copy log files from the memory storage before the system restart or you lost them.

Make you kippo honeypot visible to the world!

Configure your router to forward 22 internet port to your cubieboard (ubuntu) 2222 port. In my router like this (my cubiboard IP is 192.168.1.11) and in other configruation it is configured as static IP in my local network:

 

Change login banner

I wanted to be a little creative so I’ve added a banner to login screen. By using this text to ASCII tool I’ve created a new file called banner in kippo folder. In kippo.cfg uncomment line:

banner_file = banner

The result that is shown to the attacker is depicted on the screen bellow (although many robots will not recognize it).

Remarks

If you do not have or want to use git try this tutorial: http://www.unixmen.com/kippo-ssh-honeypot-monitor-brute-force-attacks-debian-7-ubuntu-13-10/

with wget http://kippo.googlecode.com/files/kippo-0.8.tar.gz

Other resources:
http://bruteforce.gr/installing-kippo-ssh-honeypot-on-ubuntu.html
https://capsop.com/kippo
http://resources.infosecinstitute.com/tracking-attackers-honeypot-part-2-kippo/
http://bruteforce.gr/kippo-graph
https://lvdeijk.wordpress.com/2012/12/24/kippo-ssh-honeypot-over-the-years/
http://www.micheloosterhof.com/cowrie/
https://github.com/g0tmi1k/os-scripts

TODO:

  • auto start
  • connect kippo to central repository
  • add more files to the kippo file system

Related Posts

Cubieboard2 – Lubuntu installation

I wanted to install Lubuntu on my new Cubieboard2 so I decided to go for this v1.06 Lubuntu 12.10 image. You have option to have NAND or SD card and I’ve decided to go for[…]

Continue reading ...

Ubuntu – data stored in RAM filesystem – TMPFS

In my Cubieboard2 I use Lubuntu. Since I have connected barometer and arduino to my cubieboard, I read data from that devices and store it to cubieboard2 filesystem. Since NAND memory is not quite suitable for such[…]

Continue reading ...

Lubuntu ssh: Read from socket failed – solved

SSH to my fresh lubuntu on cubieboard2 was not working. I tried it also from the lubuntu itself with the error: $ ssh localhostRead from socket failed: Connection reset by peer I went through many[…]

Continue reading ...