Kippo – SSH Honey Pot – Tutorial

So after a few nights playing with kippo here’s the deal. Kippo is an interactive SSH honey pot written in python.
The installation procedure is very simple.

Website link: http://code.google.com/p/kippo/

Visit the site check you have all dependancies met, the only thing I had to install extra were the python twisted librarys which ive included below.

sudo apt-get install python-twisted

wget http://kippo.googlecode.com/files/kippo-x.x.tar.gz

tar -xvzf kippo-x.x.tar.gz

cd kipp-x.x

and thats all there is to it.

Next you will need to configure the honeypot

Edit the file kippo.cfg here you can make changes to the way the honey pot runs ie. port/protocols/db/etc.

Next you will need to setup some default passwords … change in to the data/ directory and edit the file called userdb.txt

nano userdb.txt

The format for the usernames is as follows username:0:password

Add some commonly used usernames and passwords here. (eg. admin:0:admin)

CTRL+x to save and exit from the file.

Kippo is now configured you’re almost ready to execute the service.

NB. If you have a firewall running you will need to add a rule for kippo.
Kippos default port is 2222
If you are running ufw execute the following command.
If you’re running something like csf or using iptables you will need to edit the config to suit.

sudo ufw allow from any to any port 2222

When I run this I’m using a completely separate headless box isolated on my lab network. So I also have port 22 open and ssh server running.

I connect via ssh and run kippo.

Kippo must only be run as a single user account and not root. Kippo will not allow you to run as root or via sudo anyway.

To execute kippo you can run the following command:

./start.sh

The above command will start kippo as a background service but I much prefer to run kippo and view the real-time output on screen.

Make sure you are in the kippo directory and run …

twistd -y kippo.tac -n

Kippo should now be up and running and listening for connections from your local network.

You can now connect to the honeypot by ssh-ing in to port 2222 on your honey pot machine.

If you wish to grant access to the outside world, you will need to edit your firewall rules on your router unless your machine is directly connected via a modem.

Then you can sit back and either wait for someone to attempt to hack your machine, or let your friends know what you are doing and let them try and bruteforce / access it for themselves.

There are many modifications u can make to the standard honey pot settings to get it working how ever you like, custom commands file system setup and hostname etc.

One more feature I must talk about is the interactive shell this allows you to view the honeypot from the hackers perspective when someone connects to the honeypot you can see what they are trying to do in real time. (Something I didn’t try but read about in the documentation.)

Conclusion and thoughts:
A fun project and will help you learn greatly how someone is trying to attack your network, what information they know or are using to try and gain access and possibly what their intentions are. Kippos setup was relatively easy although getting it to run on port 22 requires root privileges you’re best off resolving this issue with port forwarding. When I stress tested it with some friends it seemed to hold out to a ddos we performed, there are bugs however. When accessing some commands (sudo iptables –help) or something similar the twisted daemon hung the session all the other users remained connected but the person who’d formed the mal command session got dropped. I should really report this to the developers at some point. Final word I would only attempt this project if you are 100% sure you know what you are doing poor configuration could lead to someone gaining complete access to your machine or network.

Thanks to the members of secfo for helping me test too :)

About these ads