Kippo: Difference between revisions

From Xinux Wiki
(Page created: “=Before we begin= Change standard ssh Port =Install some packets *apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted git authbind…”)
 
 
(7 intermediate revisions by the same user are not shown)
Line 2: Line 2:
 
Change standard ssh Port  
 
Change standard ssh Port  
 
=Install some packets
 
=Install some packets
*apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted git authbind
+
*apt-get install python-dev openssl python-openssl python-pyasn1 git authbind
 +
 
 
=Adduser and change visudo that kippo can list users=
 
=Adduser and change visudo that kippo can list users=
 
*adduser kippo
 
*adduser kippo
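Review bot: the heading line "=Install some packets" has no closing "=", so MediaWiki renders it as literal text run into the preceding "Change standard ssh Port" line instead of as a section heading; close it, for example as "=Install some packages=". The new apt-get line also drops python-twisted, so say at this point that Twisted is installed manually further down, otherwise a reader who stops here has no Twisted at all.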
Line 13: Line 14:
 
*chown kippo:kippo /etc/authbind/byport/22
 
*chown kippo:kippo /etc/authbind/byport/22
 
*chmod 777 /etc/authbind/byport/22
 
*chmod 777 /etc/authbind/byport/22
=Download the latest Kippo version from GitHub=
+
=We have to install an older version of  Python Twisted=
git clone https://github.com/desaster/kippo.git
+
manually because of issues with the current version of Twisted and Kippo.  I can’t recall the error at the moment, but I’ll see if I can find it in the logs later.
=c
+
*apt-get install python-dev
+
*cd /tmp
cp kippo.cfg.dist kippo.cfg
+
*wget https://github.com/twisted/twisted/archive/twisted-14.0.2.tar.gz
nano kippo.cfg
+
*tar -zxvf twisted-14.0.2.tar.gz
 +
*cd twisted-twisted-14.0.2/
 +
*./setup.py install
  
    Finally, edit the Kippo start script:
+
=At this point we enter the system as ‘kippo’ user and go to the /home directory.=
 +
*sudo - kippo
  
1
+
=Download the latest Kippo version from GitHub=
+
*git clone https://github.com/desaster/kippo.git
nano start.sh
+
=change port=
 
+
*cd kippo
changing the following command from
+
*sed -e "/ssh_port =/s/2222/22/" kippo.cfg.dist > kippo.cfg
1
+
=Finally, change the Kippo start script=
+
*sed -i.bak -e "/kippo.tac/s/twistd/authbind --deep &/" start.sh
twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid
+
=start=
 
+
*./start.sh
to
+
=log=
1
+
*tail -f log/kippo.log
+
<pre>
authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid
+
2016-08-27 17:51:55+0200 [-] Log opened.
 
+
2016-08-27 17:51:55+0200 [-] twistd 14.0.2 (/usr/bin/python 2.7.12) starting up.
so that it uses authbind to “listen” on port 22, and run the honeypot:
+
2016-08-27 17:51:55+0200 [-] reactor class: twisted.internet.epollreactor.EPollReactor.
1
+
2016-08-27 17:51:55+0200 [-] HoneyPotSSHFactory starting on 22
+
2016-08-27 17:51:55+0200 [-] Starting factory <kippo.core.ssh.HoneyPotSSHFactory instance at 0x7f2d3e6b1f38>
./start.sh
+
2016-08-27 17:54:04+0200 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 87.128.42.65:58374 (136.243.187.69:22) [session: 0]
 
+
2016-08-27 17:54:04+0200 [HoneyPotTransport,0,87.128.42.65] Remote SSH version: SSH-2.0-OpenSSH_6.2
    We check that our port has actually opened and Kippo is “listening”:
+
2016-08-27 17:54:04+0200 [HoneyPotTransport,0,87.128.42.65] kex alg, key alg: diffie-hellman-group-exchange-sha1 ssh-rsa
 +
2016-08-27 17:54:04+0200 [HoneyPotTransport,0,87.128.42.65] outgoing: aes128-ctr hmac-md5 none
 +
2016-08-27 17:54:04+0200 [HoneyPotTransport,0,87.128.42.65] incoming: aes128-ctr hmac-md5 none
 +
2016-08-27 17:54:10+0200 [HoneyPotTransport,0,87.128.42.65] NEW KEYS
 +
2016-08-27 17:54:10+0200 [HoneyPotTransport,0,87.128.42.65] starting service ssh-userauth
 +
2016-08-27 17:54:10+0200 [SSHService ssh-userauth on HoneyPotTransport,0,87.128.42.65] boeserbube trying auth none
 +
2016-08-27 17:54:10+0200 [SSHService ssh-userauth on HoneyPotTransport,0,87.128.42.65] boeserbube trying auth keyboard-interactive
 +
2016-08-27 17:54:21+0200 [SSHService ssh-userauth on HoneyPotTransport,0,87.128.42.65] login attempt [boeserbube/gehiem] failed
 +
2016-08-27 17:54:21+0200 [SSHService ssh-userauth on HoneyPotTransport,0,87.128.42.65] boeserbube failed auth keyboard-interactive
 +
2016-08-27 17:54:21+0200 [SSHService ssh-userauth on HoneyPotTransport,0,87.128.42.65] unauthorized login:
 +
2016-08-27 17:54:21+0200 [SSHService ssh-userauth on HoneyPotTransport,0,87.128.42.65] boeserbube trying auth keyboard-interactive
 +
</pre>
  
1
 
 
sudo netstat -antp
 
  
where there should be a line like this:
+
=netstat=
1
+
*netstat -lntp
+
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 22627/python
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 22627/python
 
  
 +
=Links=
 
*https://bruteforce.gr/installing-kippo-ssh-honeypot-on-ubuntu.html
 
*https://bruteforce.gr/installing-kippo-ssh-honeypot-on-ubuntu.html
 +
*https://thelosingedgeblog.wordpress.com/2016/02/15/kippo-kali-pi/
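Review bot: "sudo - kippo" in the added "enter the system as 'kippo' user" step does not switch users, because sudo has no equivalent of su's "-" form; use "su - kippo" (or "sudo -i -u kippo"). In the added Twisted step, the tarball fetched with wget is unpacked and installed with no checksum check; record the expected hash on the page and verify it before "./setup.py install". The unchanged context keeps "chmod 777 /etc/authbind/byport/22": authbind only tests that the file is executable by the calling user, so owner-only execute for kippo (for example "chmod 500") is sufficient and avoids a world-writable file under /etc/authbind.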

Latest revision as of 27 August 2016, 16:17

Before we begin

Change the standard SSH port.

Install some packages

  • apt-get install python-dev openssl python-openssl python-pyasn1 git authbind

Add the kippo user and edit sudoers with visudo so that kippo can list users

  • adduser kippo
  • visudo

Add the line

kippo ALL=(ALL:ALL) ALL

under the “root” user.

Create the file and change some rights

  • touch /etc/authbind/byport/22
  • chown kippo:kippo /etc/authbind/byport/22
  • chmod 777 /etc/authbind/byport/22

We have to install an older version of Python Twisted

manually because of issues with the current version of Twisted and Kippo. I can’t recall the error at the moment, but I’ll see if I can find it in the logs later.

At this point we enter the system as ‘kippo’ user and go to the /home directory.

  • su - kippo

Download the latest Kippo version from GitHub

change port

  • cd kippo
  • sed -e "/ssh_port =/s/2222/22/" kippo.cfg.dist > kippo.cfg

Finally, change the Kippo start script

  • sed -i.bak -e "/kippo.tac/s/twistd/authbind --deep &/" start.sh

start

  • ./start.sh

log

  • tail -f log/kippo.log
2016-08-27 17:51:55+0200 [-] Log opened.
2016-08-27 17:51:55+0200 [-] twistd 14.0.2 (/usr/bin/python 2.7.12) starting up.
2016-08-27 17:51:55+0200 [-] reactor class: twisted.internet.epollreactor.EPollReactor.
2016-08-27 17:51:55+0200 [-] HoneyPotSSHFactory starting on 22
2016-08-27 17:51:55+0200 [-] Starting factory <kippo.core.ssh.HoneyPotSSHFactory instance at 0x7f2d3e6b1f38>
2016-08-27 17:54:04+0200 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 87.128.42.65:58374 (136.243.187.69:22) [session: 0]
2016-08-27 17:54:04+0200 [HoneyPotTransport,0,87.128.42.65] Remote SSH version: SSH-2.0-OpenSSH_6.2
2016-08-27 17:54:04+0200 [HoneyPotTransport,0,87.128.42.65] kex alg, key alg: diffie-hellman-group-exchange-sha1 ssh-rsa
2016-08-27 17:54:04+0200 [HoneyPotTransport,0,87.128.42.65] outgoing: aes128-ctr hmac-md5 none
2016-08-27 17:54:04+0200 [HoneyPotTransport,0,87.128.42.65] incoming: aes128-ctr hmac-md5 none
2016-08-27 17:54:10+0200 [HoneyPotTransport,0,87.128.42.65] NEW KEYS
2016-08-27 17:54:10+0200 [HoneyPotTransport,0,87.128.42.65] starting service ssh-userauth
2016-08-27 17:54:10+0200 [SSHService ssh-userauth on HoneyPotTransport,0,87.128.42.65] boeserbube trying auth none
2016-08-27 17:54:10+0200 [SSHService ssh-userauth on HoneyPotTransport,0,87.128.42.65] boeserbube trying auth keyboard-interactive
2016-08-27 17:54:21+0200 [SSHService ssh-userauth on HoneyPotTransport,0,87.128.42.65] login attempt [boeserbube/gehiem] failed
2016-08-27 17:54:21+0200 [SSHService ssh-userauth on HoneyPotTransport,0,87.128.42.65] boeserbube failed auth keyboard-interactive
2016-08-27 17:54:21+0200 [SSHService ssh-userauth on HoneyPotTransport,0,87.128.42.65] unauthorized login:
2016-08-27 17:54:21+0200 [SSHService ssh-userauth on HoneyPotTransport,0,87.128.42.65] boeserbube trying auth keyboard-interactive
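
As an added example (not part of the original wiki page or of Kippo itself), the following Python 3 script parses log lines in the format shown above and groups login attempts by source address. The sample lines are copied from the output above; the `succeeded` form of the login line and the function name `parse_kippo_log` are assumptions.

```python
import re
from collections import defaultdict

# Sample lines copied from the log output shown on this page.
SAMPLE_LOG = """\
2016-08-27 17:54:04+0200 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 87.128.42.65:58374 (136.243.187.69:22) [session: 0]
2016-08-27 17:54:04+0200 [HoneyPotTransport,0,87.128.42.65] Remote SSH version: SSH-2.0-OpenSSH_6.2
2016-08-27 17:54:10+0200 [SSHService ssh-userauth on HoneyPotTransport,0,87.128.42.65] boeserbube trying auth none
2016-08-27 17:54:21+0200 [SSHService ssh-userauth on HoneyPotTransport,0,87.128.42.65] login attempt [boeserbube/gehiem] failed
2016-08-27 17:54:21+0200 [SSHService ssh-userauth on HoneyPotTransport,0,87.128.42.65] boeserbube failed auth keyboard-interactive
"""

# Line layout: "<date> <time+tz> [<context>] <message>".
LINE_RE = re.compile(r"^(\S+ \S+) \[(.*?)\] (.*)$")
# Per-connection contexts end in "HoneyPotTransport,<session>,<source ip>".
CTX_RE = re.compile(r"HoneyPotTransport,(\d+),([0-9a-fA-F.:]+)$")
# "failed" is the form on this page; "succeeded" is assumed to mirror it.
# A "/" inside a username makes the split ambiguous; the first "/" is used.
LOGIN_RE = re.compile(r"^login attempt \[(.*?)/(.*)\] (succeeded|failed)$")
VERSION_RE = re.compile(r"^Remote SSH version: (.*)$")


def parse_kippo_log(text):
    """Return {source_ip: {"client": banner or None, "attempts": [(ts, user, password, ok)]}}."""
    sources = defaultdict(lambda: {"client": None, "attempts": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines, tracebacks
        ts, ctx, msg = m.groups()
        c = CTX_RE.search(ctx)
        if not c:
            continue  # global lines such as "Log opened." or "New connection"
        ip = c.group(2)
        v = VERSION_RE.match(msg)
        if v:
            sources[ip]["client"] = v.group(1)
            continue
        a = LOGIN_RE.match(msg)
        if a:
            user, password, outcome = a.groups()
            sources[ip]["attempts"].append((ts, user, password, outcome == "succeeded"))
    return dict(sources)


if __name__ == "__main__":
    for ip, info in parse_kippo_log(SAMPLE_LOG).items():
        print(ip, info["client"], len(info["attempts"]), "attempt(s)")
        for ts, user, password, ok in info["attempts"]:
            print("  ", ts, user, password, "succeeded" if ok else "failed")
```

Results are keyed by source address rather than session number, because Kippo starts counting sessions from 0 again after a restart.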


netstat

  • netstat -lntp
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 22627/python

Links