Feb 13 2012

Kippo is being detected by Metasploit

So… I saw a new issue today in Kippo’s website that was posted some days ago.

It seems that Kippo is not only recognizable by a human attacker (see: Kippo reveals itself with ‘w’ and ‘uptime’ commands), but also without actually hacking into it.

Apparently, a Metasploit Framework module can detect a Kippo installation. The Ruby script in question is located at msf3/modules/auxiliary/scanner/ssh/ and is called ssh_version.rb.

At first I thought that this could be due to yet another hardcoded string inside the code, but the version returned above is nothing out of the ordinary. So I looked into it a bit, and after some Google-Fu I found this presentation from a Metasploit developer: Detecting Medium Interaction Honeypots.

In it he describes how Kippo can be recognized. More specifically, Kippo does not follow the correct key exchange sequence of an SSH server. Here are two examples of Wireshark captures, one from a real OpenSSH server and one from an emulated one (the honeypot):

As you see above, in a normal connection attempt the Server returns its protocol/version, then the Client responds with its own and requests a key exchange. The Server replies, the keys are exchanged using the Diffie-Hellman protocol, and an encrypted connection is established.

In Kippo, by contrast, the Server sends a Key Exchange Init packet prematurely, before the Client has said anything, thus breaking the sequence. This can be checked for, and so Kippo can be recognized. Here is the exact snippet that does the job:
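To make the ordering difference concrete, here is an added example (not the Metasploit module's code and not Kippo's) that models the two server greetings offline: the bytes an OpenSSH-style server emits before the client speaks (identification string only) versus an identification string immediately followed by a KEXINIT packet. The banner string and the KEXINIT contents are constructed samples; a honeypot operator could feed the first bytes captured from their own deployment to the same check to confirm the fix took effect.

```python
import struct

SSH_MSG_KEXINIT = 20  # RFC 4253 message number for SSH_MSG_KEXINIT

# Constructed sample banner: any plausible identification string works for the check.
SAMPLE_IDENT = b"SSH-2.0-ExampleServer_1.0\r\n"


def build_kexinit_packet() -> bytes:
    """Build a minimal SSH binary packet (RFC 4253 section 6) whose payload is a
    KEXINIT with empty name-lists: enough for an ordering check, not a real negotiation."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16   # message type + 16-byte cookie
    payload += struct.pack(">I", 0) * 10                  # ten empty name-lists
    payload += b"\x00" + struct.pack(">I", 0)             # first_kex_packet_follows, reserved
    padding_len = 8 - ((5 + len(payload)) % 8)            # total length must be a multiple of 8
    if padding_len < 4:                                   # and padding must be at least 4 bytes
        padding_len += 8
    packet_len = 1 + len(payload) + padding_len
    return struct.pack(">IB", packet_len, padding_len) + payload + b"\x00" * padding_len


def next_message_type(data: bytes):
    """Return (msg_type, rest) for the first unencrypted binary packet in data,
    or (None, data) when no complete, sane packet is present."""
    if len(data) < 5:
        return None, data
    packet_len, padding_len = struct.unpack(">IB", data[:5])
    if packet_len < padding_len + 2 or len(data) < 4 + packet_len:
        return None, data
    return data[5], data[4 + packet_len:]


def kexinit_sent_unsolicited(server_bytes: bytes) -> bool:
    """Inspect everything the server sent before the client transmitted a single byte.
    An OpenSSH-style server has sent only its identification string at this point;
    the behaviour described in the post is that string followed straight away by KEXINIT."""
    if not server_bytes.startswith(b"SSH-") or b"\r\n" not in server_bytes:
        raise ValueError("no SSH identification string in server greeting")
    rest = server_bytes[server_bytes.index(b"\r\n") + 2:]
    while rest:
        msg_type, rest = next_message_type(rest)
        if msg_type is None:
            return False
        if msg_type == SSH_MSG_KEXINIT:
            return True
    return False


# Two constructed greetings: what each kind of server emits before the client speaks.
EXPECTED_GREETING = SAMPLE_IDENT
PREMATURE_GREETING = SAMPLE_IDENT + build_kexinit_packet()

if __name__ == "__main__":
    for name, greeting in (("expected", EXPECTED_GREETING), ("premature", PREMATURE_GREETING)):
        print(f"{name}: KEXINIT before client hello = {kexinit_sent_unsolicited(greeting)}")
```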

The solution? Unfortunately I’m not sure at this time as I haven’t been able to invest some time in it.
Perhaps the developer of Kippo will try to fix it, as an issue/bug (num. 48) has been filed already.


2 pings

  1. jordan


    User came up with a potential solution. It’s a problem with the Twisted Framework.

  2. Ion

    Fix released 🙂


  1. Kippo: We wants shellz… | Ethical Hacking: Manu Carus

    […] 0.5 from November 2010) a behaviour in the SSH key exchange was discovered that unmasks the honeypot. Even Metasploit includes a module for identifying Kippo honeypots […]

  2. Honeypot Kippo 0.8 – Installation and use | Máfia Linux

    […] See: Kippo is being detected by Metasploit – BruteForce Lab’s Blog […]
