New version of Kippo-Graph: 0.6.5

This is the release of a new version of Kippo-Graph, fixing some issues with certain charts when you have large Kippo databases. See the CHANGES for more. Updating is recommended!

Thanks to Mohab (@0xAli) and Leon (@lvdeijk) for troubleshooting and suggestions.

Download it from here: kippo-graph-0.6.5

MD5 Checksum: A898A05CE0BB1EACBCFD103538138B65
SHA-1 Checksum: 5AF2A3F70A40640459F433ED55CA0E8BE83AA821


Version 0.6.5:
+ Fixed “http://” in file links (Kippo-Input).
+ Added installation instructions and Google Map note in README.txt
+ Fixed successful logins from same IP chart: Top 20.
+ Fixed successes per day chart: Top 20.
+ Fixed probes per day chart: display only 25 distinct date values.


New version of Kippo-Graph: 0.6.4

This is the release of a new version of Kippo-Graph, fixing some issues. Updating is recommended.

There were some errors in some of the charts concerning the date values. The SQL query I’ve been using didn’t work correctly with the coming of a new year, plus the custom function I’ve been using for parsing had another bug registering the correct day, perhaps because 2012 is a leap year.

The above issues are now fixed, plus there are some other small fixes. Also, a new chart has been added: successes per week.

Download it from here: kippo-graph-0.6.4

MD5 Checksum: 15D2FD7D243DFFB749C9F0FB6B143734
SHA-1 Checksum: 4FA6DFA240EB59211FEF3B13A71DA5A86F1E8EA8

PS. As soon as I tidy up the code a bit, Kippo-Graph will be moved to a project hosting environment so updating can be easier using SVN/git.


Version 0.6.4:
– Removed dayofyear2date(); it had a bug that added +1 day to all 2012 dates (leap year?).
+ Changed SQL queries to timestamp values and date() parses the results – fixed graphs.
+ Added successes per week graph – updated gallery.
+ Small fixes.

Kippo is being detected by Metasploit

So… I saw a new issue today on Kippo’s website that was posted some days ago.

It seems that Kippo is not only recognizable by a human attacker (see: Kippo reveals itself with ‘w’ and ‘uptime’ commands), but also without actually hacking into it.

Apparently, a Metasploit Framework module can detect a Kippo installation. The Ruby script in question is located at msf3/modules/auxiliary/scanner/ssh/ and is called ssh_version.rb.

At first I thought that this could be due to yet another hardcoded string inside the code, but the version returned above is not anything out of the ordinary. So I looked into it a bit, and after some Google-Fu I found this presentation from a Metasploit developer: Detecting Medium Interaction Honeypots.

In it he describes how Kippo can be recognized. More specifically, Kippo does not follow the correct key exchange sequence of an SSH server. Here are two examples of Wireshark captures, one from a real OpenSSH server and one from an emulated one (the honeypot):

As you see above, in a normal connection attempt the Server returns its protocol/version string, then the Client responds with its own and requests a key exchange, to which the Server replies; the keys are then exchanged using the Diffie-Hellman protocol and an encrypted connection is established.

In Kippo, on the other hand, the Server prematurely sends a Key Exchange Init packet, messing up the sequence. This can be checked, and so Kippo can be recognized. Here is the exact snippet that does the job:

The solution? Unfortunately I’m not sure at this time, as I haven’t been able to invest some time in it.
Perhaps the developer of Kippo will try to fix it, as an issue/bug (no. 48) has been filed already.
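For honeypot operators who want to check whether their own instance shows the ordering tell described above, here is an added example; it is not the Metasploit module’s code and not part of the original post. It takes the bytes a server sends before the client has written anything, splits off the identification string, and reports whether an SSH_MSG_KEXINIT binary packet already follows it. The banner strings and the KEXINIT packet bytes are constructed samples, not captured traffic.

```python
import struct

SSH_MSG_KEXINIT = 20  # message type byte of a Key Exchange Init packet


def parse_identification(data: bytes):
    """Split off the identification line ("SSH-2.0-..." ending in LF).
    Returns (ident_string, remaining_bytes), or (None, data) if absent."""
    end = data.find(b"\n")
    if end == -1 or not data.startswith(b"SSH-"):
        return None, data
    ident = data[:end].rstrip(b"\r").decode("ascii", errors="replace")
    return ident, data[end + 1:]


def first_packet_type(data: bytes):
    """Parse an unencrypted SSH binary packet header: uint32 packet_length,
    byte padding_length, then the payload whose first byte is the message
    type. Returns that type, or None if no complete packet is present."""
    if len(data) < 6:
        return None
    packet_length, padding_length = struct.unpack("!IB", data[:5])
    if packet_length < padding_length + 2 or len(data) < 4 + packet_length:
        return None
    return data[5]


def premature_kexinit(server_bytes: bytes) -> bool:
    """True if the server appended a KEXINIT packet to its identification
    string before the client had sent anything at all."""
    ident, rest = parse_identification(server_bytes)
    if ident is None:
        return False
    return first_packet_type(rest) == SSH_MSG_KEXINIT


def build_kexinit_packet() -> bytes:
    """Constructed minimal KEXINIT packet (empty name-lists) used only as
    sample input; it carries the right message type, not a real offer."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)        # type + cookie
    payload += struct.pack("!I", 0) * 10                   # ten empty name-lists
    payload += b"\x00" + struct.pack("!I", 0)              # first_kex_packet_follows, reserved
    padding = 8 - ((len(payload) + 5) % 8)                 # pad to a multiple of 8
    if padding < 4:
        padding += 8
    return struct.pack("!IB", len(payload) + padding + 1, padding) + payload + bytes(padding)


# Constructed samples: a server that sends only its banner and waits, versus one that
# pushes KEXINIT straight after the banner (the behaviour the post describes).
BANNER_ONLY = b"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n"
BANNER_THEN_KEXINIT = b"SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n" + build_kexinit_packet()

if __name__ == "__main__":
    for name, sample in (("banner only", BANNER_ONLY), ("banner+KEXINIT", BANNER_THEN_KEXINIT)):
        print(name, "-> premature KEXINIT:", premature_kexinit(sample))
```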

New version of Kippo-Graph: 0.6.3

I’m pleased to release yet another updated version of Kippo-Graph: 0.6.3.

It includes:
+ New data for the Kippo-Input component: passwd, executed scripts and interesting commands tables.
+ Two more graphs (successes per day and human activity bar chart) and fixes to others.

Download it from here: kippo-graph-0.6.3

MD5 Checksum: 3B40524D0AC157C82661582014AB5BE0
SHA-1 Checksum: 31D0A2872BD346529E2D5535266822F7861E0C1E


Version 0.6.3:
+ Added passwd, executed scripts and interesting commands tables.
+ Added successes per day graph – updated gallery.
+ Added human activity per day vertical bar chart – updated gallery.
+ Fixed successful logins from same IP graph.
+ Changed top 10 SSH clients graph to horizontal.
+ Small UI fixes, etc.

