Kippo

From bricosoft

Kippo is an SSH honeypot written in Python.

Install

Prerequisites:

$ sudo apt-get install python-twisted python-mysqldb

The files:

$ mkdir sec;cd sec
$ svn checkout http://kippo.googlecode.com/svn/trunk/ kippo

Setting up the DB:

$ cd kippo/doc/sql
sec/kippo/doc/sql$ mysql -u root -p
mysql> create database kippo;
mysql> GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY '1234';
mysql> source mysql.sql
mysql> show tables;
+-----------------+
| Tables_in_kippo |
+-----------------+
| auth            |
| clients         |
| downloads       |
| input           |
| sensors         |
| sessions        |
| ttylog          |
+-----------------+
7 rows in set (0.00 sec)

Back in the kippo directory, edit the config:

$ cd ../../
sec/kippo$ cp kippo.cfg.dist kippo.cfg

Uncomment and edit the [database_mysql] section:

sec/kippo$ vim kippo.cfg
host = localhost
database = kippo
username = kippo
password = 1234
port = 3306

Start kippo:

sec/kippo$ ./start.sh

It should appear in the process list:

$ ps fauxw |grep kippo
toto  21761  0.0  2.9 301812 58728 ?        Sl   11:17   0:02 /usr/bin/python /usr/bin/twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid

and logs are generated:

$ tail -f log/kippo.log
2013-05-14 12:44:46+0200 [-] Log opened.
2013-05-14 12:44:46+0200 [-] twistd 11.1.0 (/usr/bin/python 2.7.3) starting up.
2013-05-14 12:44:46+0200 [-] reactor class: twisted.internet.pollreactor.PollReactor.
2013-05-14 12:44:46+0200 [-] HoneyPotSSHFactory starting on 9222
2013-05-14 12:44:46+0200 [-] Starting factory <kippo.core.honeypot.HoneyPotSSHFactory instance at 0x1e88bd8>

Tests

88.88.88.88 is the IP of the server running the honeypot:

$ ssh -p 2222 root@88.88.88.88
The authenticity of host '[88.88.88.88]:2222 ([88.88.88.88]:2222)' can't be established.
RSA key fingerprint is fe:[...]..15.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[88.88.88.88]:2222' (RSA) to the list of known hosts.
Password:
nas3:~# ls -lha
drwxr-xr-x 1 root root 4096 2013-05-14 12:56 .
drwxr-xr-x 1 root root 4096 2013-05-14 12:56 ..
-rw-r--r-- 1 root root  140 2013-04-05 13:52 .profile
drwx------ 1 root root 4096 2013-04-05 14:05 .ssh
drwx------ 1 root root 4096 2013-04-05 13:58 .aptitude
-rw-r--r-- 1 root root  570 2013-04-05 13:52 .bashrc
nas3:~# cat .profile 
cat: /root/.profile: No such file or directory
nas3:~# 

In the logs:

2013-05-14 12:55:53+0200 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 88.88.88.88:42712 (88.88.88.88:2222) [session: 7]
2013-05-14 12:55:53+0200 [HoneyPotTransport,7,88.88.88.88] Remote SSH version: SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
2013-05-14 12:55:53+0200 [HoneyPotTransport,7,88.88.88.88] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2013-05-14 12:55:53+0200 [HoneyPotTransport,7,88.88.88.88] outgoing: aes128-ctr hmac-md5 none
2013-05-14 12:55:53+0200 [HoneyPotTransport,7,88.88.88.88] incoming: aes128-ctr hmac-md5 none
2013-05-14 12:55:55+0200 [HoneyPotTransport,7,88.88.88.88] NEW KEYS
2013-05-14 12:55:55+0200 [HoneyPotTransport,7,88.88.88.88] starting service ssh-userauth
2013-05-14 12:55:55+0200 [SSHService ssh-userauth on HoneyPotTransport,7,88.88.88.88] root trying auth none
2013-05-14 12:55:55+0200 [SSHService ssh-userauth on HoneyPotTransport,7,88.88.88.88] root trying auth keyboard-interactive
2013-05-14 12:56:02+0200 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 85.25.109.217:51843 (88.88.88.88:2222) [session: 8]
2013-05-14 12:56:02+0200 [SSHService ssh-userauth on HoneyPotTransport,7,88.88.88.88] login attempt [root/123456] succeeded
2013-05-14 12:56:02+0200 [SSHService ssh-userauth on HoneyPotTransport,7,88.88.88.88] root authenticated with keyboard-interactive
2013-05-14 12:56:02+0200 [SSHService ssh-userauth on HoneyPotTransport,7,88.88.88.88] starting service ssh-connection
2013-05-14 12:56:02+0200 [SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] got channel session request
2013-05-14 12:56:02+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] channel open
2013-05-14 12:56:02+0200 [SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] got global no-more-sessions@openssh.com request
2013-05-14 12:56:02+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] pty request: xterm (24, 297, 0, 0)
2013-05-14 12:56:02+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] Terminal size: 24 297
2013-05-14 12:56:02+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] request_env: '\x00\x00\x00\x04LANG\x00\x00\x00\x0bfr_FR.UTF-8'
2013-05-14 12:56:02+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] getting shell
2013-05-14 12:56:02+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] Opening TTY log: log/tty/20130514-125602-7699.log
2013-05-14 12:56:03+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] /etc/motd resolved into /etc/motd
2013-05-14 12:56:07+0200 [HoneyPotTransport,8,85.25.109.217] connection lost
2013-05-14 12:56:07+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] CMD: ls -lha
2013-05-14 12:56:07+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] Command found: ls -lha
2013-05-14 12:56:12+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] CMD: cat .profile 
2013-05-14 12:56:12+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] Command found: cat .profile
2013-05-14 12:56:12+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] /root/.profile resolved into /root/.profile
2013-05-14 12:56:29+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] CMD: exit
2013-05-14 12:56:29+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] Command found: exit
2013-05-14 12:56:31+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] CMD: 
2013-05-14 12:56:31+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] CMD:
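To turn log lines like these into a per-session record (source IP, credentials tried, commands run, session duration), here is an added Python example; it is not part of the original article nor of Kippo itself. The sample input is constructed from the session 7 and session 8 lines above, plus one "failed" login line for session 8 whose format is assumed here (the page only shows the "succeeded" form).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the session 7 / session 8 lines from the log excerpt
# in this article, plus one 'failed' login line for session 8 that is assumed
# here (the page only shows the 'succeeded' form) to exercise the failure branch.
SAMPLE_LOG = """\
2013-05-14 12:55:53+0200 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 88.88.88.88:42712 (88.88.88.88:2222) [session: 7]
2013-05-14 12:55:55+0200 [SSHService ssh-userauth on HoneyPotTransport,7,88.88.88.88] root trying auth keyboard-interactive
2013-05-14 12:56:02+0200 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 85.25.109.217:51843 (88.88.88.88:2222) [session: 8]
2013-05-14 12:56:02+0200 [SSHService ssh-userauth on HoneyPotTransport,7,88.88.88.88] login attempt [root/123456] succeeded
2013-05-14 12:56:04+0200 [SSHService ssh-userauth on HoneyPotTransport,8,85.25.109.217] login attempt [root/admin] failed
2013-05-14 12:56:07+0200 [HoneyPotTransport,8,85.25.109.217] connection lost
2013-05-14 12:56:07+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] CMD: ls -lha
2013-05-14 12:56:12+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] CMD: cat .profile 
2013-05-14 12:56:29+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] CMD: exit
2013-05-14 12:56:31+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,88.88.88.88] CMD: 
"""

TS_FMT = "%Y-%m-%d %H:%M:%S%z"
# "<timestamp> [<source>] <message>": the source is the bracketed twisted log prefix.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<src>[^\]]*)\] (?P<msg>.*)$")
# Factory line that assigns the session number to a new TCP connection.
NEW_CONN_RE = re.compile(
    r"New connection: (?P<ip>[\d.]+):(?P<port>\d+) \(\S+\) \[session: (?P<sid>\d+)\]")
# Every later line for that connection carries "HoneyPotTransport,<sid>,<ip>" in its source.
TRANSPORT_RE = re.compile(r"HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)$")
LOGIN_RE = re.compile(
    r"login attempt \[(?P<user>[^/]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)")


def _new_session(sid, ip):
    return {"session": sid, "src_ip": ip, "start": None, "end": None,
            "logins": [], "commands": []}


def parse_kippo_log(text):
    """Group kippo.log lines by session id; returns {sid: session dict}."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        src, msg = m["src"], m["msg"]
        nc = NEW_CONN_RE.search(msg)
        if nc:
            sid = int(nc["sid"])
            sessions.setdefault(sid, _new_session(sid, nc["ip"]))["start"] = ts
            continue
        tr = TRANSPORT_RE.search(src)
        if not tr:
            continue  # lines such as "Log opened." are not tied to a session
        sid = int(tr["sid"])
        s = sessions.setdefault(sid, _new_session(sid, tr["ip"]))
        lg = LOGIN_RE.search(msg)
        if lg:
            s["logins"].append((lg["user"], lg["pw"], lg["result"] == "succeeded"))
        elif msg.startswith("CMD:"):
            cmd = msg[4:].strip()
            if cmd:  # kippo also logs an empty "CMD:" when the attacker hits Enter
                s["commands"].append(cmd)
        elif msg == "connection lost":
            s["end"] = ts
    return sessions


def duration_seconds(session):
    """Seconds between connection and 'connection lost', or None if still open."""
    if session["start"] is None or session["end"] is None:
        return None
    return (session["end"] - session["start"]).total_seconds()


def shell_sessions(sessions):
    """Session ids where a login succeeded and at least one command was typed."""
    return [sid for sid, s in sessions.items()
            if any(ok for _, _, ok in s["logins"]) and s["commands"]]


def top_credentials(sessions):
    """(user, password) pairs tried across all sessions, most frequent first."""
    counts = Counter((u, p) for s in sessions.values() for u, p, _ in s["logins"])
    return counts.most_common()


if __name__ == "__main__":
    parsed = parse_kippo_log(SAMPLE_LOG)
    for sid, s in parsed.items():
        print(sid, s["src_ip"], duration_seconds(s), s["logins"], s["commands"])
    print("interactive sessions:", shell_sessions(parsed))
    print("credentials:", top_credentials(parsed))
```

Run it against a real `log/kippo.log` by reading the file instead of `SAMPLE_LOG`; the same grouping is what the MySQL `sessions`, `auth` and `input` tables hold, so this is useful when you want a quick triage without the database.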

Production deployment

SSH listens on port 22; redirect it to 2222:

$ sudo apt-get install aptitude iptables
$ sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
# iptables-save > /etc/iptables.rules

Test in production:

login: root, password: 123456

$ ssh root@b.13h.be 

Graphs plugin

Prerequisites: mysql-server and apache2

$ wget http://bruteforce.gr/wp-content/uploads/kippo-graph-0.7.6.tar
$ tar xvf kippo-graph-0.7.6.tar
$ cd kippo-graph

Edit config.php to reflect your login/password/database settings:

define('DB_HOST', 'localhost');
define('DB_USER', 'kippo');
define('DB_PASS', 'mot_de_passe');
define('DB_NAME', 'kippo');
define('DB_PORT', '3306');

$ sudo chmod 777 generated-graphs

Then, in the directory of your Apache virtual host:

$ cd ~/sites/13h.be/www
$ ln -s ~/sec/kippo/kippo-graph kippo

Then visit the URL:

http://13h.be/kippo/

Links