Daily Archives: 11th July 2013

Scanning the scanners … coding counter measures

When I was playing about with kippo the other night I had this idea to counter attack people who were scanning / trying to access my server. If someone connected to port 2222 without permission could I use the logs to automate a counter attack / perform some recon. After a quick look at the log files I decided that coding counter measures for a SSH honey pot would be pretty useless as the honey pot isn’t providing / holding any important information. I then turned my attention to another server that hosts some statistical data for other sites I contribute to.

Initially I wanted to look at any 404 errors because I could see people looking for default program paths and directories to exploit. This would be a good approach but there were also legitimate 404 errors where things like the favicon.ico or just simple stuff like unintentionally malformed URLs. I looked at the log files again and noticed everytime someone nmaps port 80 they leave a really obvious finger print.

debian.home:80 xxx.xxx.xxx.xxx – – [09/Jul/2013:15:45:13 +0100] “OPTIONS / HTTP/1.1” 200 188 “-” “Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)”

Present on every nmap scan I can see logged to the server. (There must be a param to disable/change this somewhere in nmap)
I came up with the script below which when executed will nmap anyone who has nmapped port 80 and save it all to a file 🙂

# fire all the lasers
# bash apache counter recon tool

echo ‘Gathering logfile data n’
cat /var/log/apache2/*.log | grep nmap | awk ‘{ print $2 }’ > nmappers.txt
cat nmappers.txt

echo ‘Filtering unique ips …n’
sort nmappers.txt | uniq > ips.txt

echo ‘Scanning the scanners …n’
nmap -v -T4 -A -iL ips.txt > recon.txt

echo ‘Cleaning up …n’
rm ips.txt
rm nmappers.txt

echo ‘Results …n’
cat recon.txt

Conclusion and thoughts:
This is just the beginning, really enjoyed coding this script will look to expand on it soon. Possibly combining this with kali linux & metasploit. Lots of room for improvement as this could also be used to look at failed login attempts on other services / ports … the nmap finger print could greatly be expanded on too using failed exploits from the log file. (Geolocation / Automatic notification to isps that their users are up to no good? etc.)

EDIT : big update coming to this script tehe 😀

Kippo – SSH Honey Pot – Tutorial

So after a few nights playing with kippo here’s the deal. Kippo is an interactive SSH honey pot written in python.
The installation procedure is very simple.

Website link: http://code.google.com/p/kippo/

Visit the site check you have all dependancies met, the only thing I had to install extra were the python twisted librarys which ive included below.

sudo apt-get install python-twisted

wget http://kippo.googlecode.com/files/kippo-x.x.tar.gz

tar -xvzf kippo-x.x.tar.gz

cd kipp-x.x

and thats all there is to it.

Next you will need to configure the honeypot

Edit the file kippo.cfg here you can make changes to the way the honey pot runs ie. port/protocols/db/etc.

Next you will need to setup some default passwords … change in to the data/ directory and edit the file called userdb.txt

nano userdb.txt

The format for the usernames is as follows username:0:password

Add some commonly used usernames and passwords here. (eg. admin:0:admin)

CTRL+x to save and exit from the file.

Kippo is now configured you’re almost ready to execute the service.

NB. If you have a firewall running you will need to add a rule for kippo.
Kippos default port is 2222
If you are running ufw execute the following command.
If you’re running something like csf or using iptables you will need to edit the config to suit.

sudo ufw allow from any to any port 2222

When I run this I’m using a completely separate headless box isolated on my lab network. So I also have port 22 open and ssh server running.

I connect via ssh and run kippo.

Kippo must only be run as a single user account and not root. Kippo will not allow you to run as root or via sudo anyway.

To execute kippo you can run the following command:


The above command will start kippo as a background service but I much prefer to run kippo and view the real-time output on screen.

Make sure you are in the kippo directory and run …

twistd -y kippo.tac -n

Kippo should now be up and running and listening for connections from your local network.

You can now connect to the honeypot by ssh-ing in to port 2222 on your honey pot machine.

If you wish to grant access to the outside world, you will need to edit your firewall rules on your router unless your machine is directly connected via a modem.

Then you can sit back and either wait for someone to attempt to hack your machine, or let your friends know what you are doing and let them try and bruteforce / access it for themselves.

There are many modifications u can make to the standard honey pot settings to get it working how ever you like, custom commands file system setup and hostname etc.

One more feature I must talk about is the interactive shell this allows you to view the honeypot from the hackers perspective when someone connects to the honeypot you can see what they are trying to do in real time. (Something I didn’t try but read about in the documentation.)

Conclusion and thoughts:
A fun project and will help you learn greatly how someone is trying to attack your network, what information they know or are using to try and gain access and possibly what their intentions are. Kippos setup was relatively easy although getting it to run on port 22 requires root privileges you’re best off resolving this issue with port forwarding. When I stress tested it with some friends it seemed to hold out to a ddos we performed, there are bugs however. When accessing some commands (sudo iptables –help) or something similar the twisted daemon hung the session all the other users remained connected but the person who’d formed the mal command session got dropped. I should really report this to the developers at some point. Final word I would only attempt this project if you are 100% sure you know what you are doing poor configuration could lead to someone gaining complete access to your machine or network.

Thanks to the members of secfo for helping me test too 🙂