Jan 05 2012

Starting with Dionaea malware honeypot

Since Kippo is doing fine and there are some other interesting things out there apart from SSH dictionary attacks, I decided to run Dionaea as well in order to get a better understanding of malware distribution.

So, I found myself on the official Dionaea website ready to proceed. The amount of information there and the manual compilation steps made me think that I would surely run into a lot of trouble, but fortunately this was not the case. If you follow the instructions (and you deploy the honeypot on an Ubuntu machine) you will have no problem with the installation. I still encountered some problems later though.

My first and only trouble during install was with libnl, which no longer seems to be located at git.kernel.org as stated in the guide, but rather at: git://git.infradead.org/users/tgr/libnl.git. Another thing to note is that Ubuntu doesn’t need udns, so don’t install it and remove the two related parameters when running ./configure for Dionaea itself. Other than that, installation was fine.

I started Dionaea with:

./dionaea -D -r /opt/dionaea -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid -l all,-debug -L '*'

-D makes it run as a daemon in the background. Dionaea has a rather detailed configuration file and there are a lot of options to play with. I left the default values and just changed the logging function to automatically exclude debugging information (the same effect as the -l all,-debug parameter above). I still need to make use of the privilege dropping feature for better security; if you have any tips on that, let me know.

The honeypot was running and in only a matter of minutes I got my first connections! Dionaea keeps text-based logs but saves the data in a SQLite database as well (thank god). Almost all of them were on port 445. One thing I noticed though was that connections were being dropped constantly by my system. Thanks to the #Nepenthes IRC channel, to which I had to resort, I realised that my system was not actually reachable: Dionaea was binding only on loopback addresses, so I had to change the listen configuration to manual mode and choose my “public” network interface. Something like addrs = { eth0 = [""] } did the trick.

As always, I took a look at the related Infosanity’s posts for various updates and tips. I saw that Andrew has already written a script to generate some statistics. Here is what I got after ~4 hours:

python mimic-nepstats.py

Statistics engine written by Andrew Waite - www.infosanity.co.uk

Number of submissions: 20
Number of unique samples: 18
Number of unique source IPs: 18

First sample seen: 2012-01-04 22:50:12.268572
Last sample seen: 2012-01-05 02:51:15.270853
System Uptime: 4:01:03.002281

Most recent submissions:
2012-01-05 02:51:15.270853,,, d987a9af709bfd188071aa3f5e027aac
2012-01-05 02:40:36.996795,,, 628209663f62c35b996ca17850ed7862
2012-01-05 02:29:58.125629,,, a61bb611ab77e5bb2d3cab672392a928
2012-01-05 02:27:21.690987,,, 1892721678e9b975c66a8cbb6ed1f340
2012-01-05 02:21:40.608644,,, e1855fbe6cf64738bffb9dc195e38ed1
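As an added illustration (not the page's or Andrew Waite's script), here is how the counts above can be reproduced in Python straight from the SQLite database Dionaea writes; the two tables and column names are assumed from Dionaea's logsql schema of the time, and every row is constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
# Added example, not Dionaea's or mimic-nepstats' code. Tables mirror the parts of
# logsql.sqlite used here (column names assumed); all rows below are constructed.
SCHEMA = """
CREATE TABLE connections (connection INTEGER PRIMARY KEY,
    connection_timestamp INTEGER, remote_host TEXT);
CREATE TABLE downloads (download INTEGER PRIMARY KEY,
    connection INTEGER, download_md5_hash TEXT);
"""
T0 = 1325721600  # 2012-01-05 00:00:00 UTC, anchor for the constructed timestamps
SAMPLE = [  # (connection id, timestamp, remote host, md5 of the dropped file)
    (1, T0 - 7200, '198.51.100.7', 'a' * 32),
    (2, T0 - 3600, '203.0.113.9', 'b' * 32),
    (3, T0, '198.51.100.7', 'c' * 32),          # same source IP as row 1
    (4, T0 + 1800, '192.0.2.44', 'a' * 32),     # same sample as row 1
    (5, T0 + 3600, '192.0.2.45', 'd' * 32),
]

def open_sample_db():
    """In-memory stand-in for logsql.sqlite, filled with the constructed SAMPLE rows."""
    db = sqlite3.connect(':memory:')
    db.executescript(SCHEMA)
    for cid, ts, host, md5 in SAMPLE:
        db.execute('INSERT INTO connections VALUES (?,?,?)', (cid, ts, host))
        db.execute('INSERT INTO downloads VALUES (?,?,?)', (cid, cid, md5))
    return db

def fmt(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime('%Y-%m-%d %H:%M:%S')

def submission_stats(db):
    """One download row = one submission; unique samples are distinct MD5 hashes."""
    total, samples, ips, first, last = db.execute("""
        SELECT COUNT(*), COUNT(DISTINCT d.download_md5_hash), COUNT(DISTINCT c.remote_host),
               MIN(c.connection_timestamp), MAX(c.connection_timestamp)
        FROM downloads d JOIN connections c ON c.connection = d.connection""").fetchone()
    return {'submissions': total, 'unique_samples': samples, 'unique_ips': ips,
            'first_seen': fmt(first), 'last_seen': fmt(last),
            'span': str(timedelta(seconds=last - first))}

def recent_submissions(db, limit=5):
    """Newest downloads first as (timestamp, source IP, md5), like the script's tail."""
    rows = db.execute("""
        SELECT c.connection_timestamp, c.remote_host, d.download_md5_hash
        FROM downloads d JOIN connections c ON c.connection = d.connection
        ORDER BY c.connection_timestamp DESC LIMIT ?""", (limit,)).fetchall()
    return [(fmt(ts), host, md5) for ts, host, md5 in rows]
```

Pointing sqlite3.connect() at the real logsql.sqlite instead of the in-memory copy gives the same figures for a live sensor.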

I don’t know what else to expect at this stage. For the time being I will let the system run and collect some interesting (hopefully) data. I haven’t studied everything related to Dionaea yet, and I’m sure there are a lot of useful configurations and add-ons since it’s being actively developed, as I’m told. If you know something that I can add to Dionaea, or can teach me something new about it, let me know; I would appreciate it a lot.

Jan 03 2012

Kippo-Graph 0.6.2 released.

Another update for Kippo-Graph, after the 0.6 “milestone”, reaching version 0.6.2 (as you may have noticed I might have abused the versioning system a little, so from now on there will be small increments better reflecting the work done).

It includes two new features for the Kippo-Geo component: hostname resolution for the top 10 IPs and lookup using the robtex website (the so-called Swiss Army Knife Internet Tool).

Download it from here: kippo-graph-0.6.2

MD5 Checksum: 02CFE61CFEEDEB6B50E4E46A24D84A58
SHA-1 Checksum: 49AE513ADDBE10343EA2673C163F13A8E6E62A5A


Version 0.6.2:
+ Added hostname resolution for IPs.
+ Added robtex IP lookup feature.

For comments, suggestions, fixes, please use the Kippo-Graph page: http://bruteforcelab.com/kippo-graph

Jan 03 2012

Kippo reveals itself with ‘w’ and ‘uptime’ commands

It occurred to me suddenly today that in every TTY session I see online, if the attacker runs the ‘w’ command, an uptime value of ~14 days is shown. I checked it and it’s true. Kippo has the following output for the ‘w’ command hardcoded into its source code: up 14 days, 3:53. The same thing applies to the ‘who’ and ‘uptime’ commands as well.

As you can imagine this is a serious flaw that makes identification of a Kippo honeypot pretty easy. As you may have noted, ‘w’ is usually the first command an attacker will run after getting access to a honeypot system.

I have submitted the above issue here and hopefully a fix will be released in the next revision/version of Kippo. Until then it would be wise to fix this yourself by changing the output of ‘w’ and ‘uptime’ commands.

The file in question resides inside the $INSTALL_DIR/kippo/commands directory and is named “base.py”. You will have to edit the following code block (lines 17-33), and more specifically lines 19 and 25 in base.py (shown as 3 and 9 below):

class command_uptime(HoneyPotCommand):
    def call(self):
        self.writeln(' %s up 14 days,  3:53,  0 users,  load average: 0.08, 0.02, 0.01' % \
            time.strftime('%H:%M:%S'))  # the line above carries the hardcoded uptime
commands['/usr/bin/uptime'] = command_uptime

class command_w(HoneyPotCommand):
    def call(self):
        self.writeln(' %s up 14 days,  3:53,  1 user,  load average: 0.08, 0.02, 0.01' % \
            time.strftime('%H:%M:%S'))  # same hardcoded uptime, must match the one above
        self.writeln('USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT')
        self.writeln('%-8s pts/0    %s %s    0.00s  0.00s  0.00s w' % \
            (self.honeypot.user.username, self.honeypot.clientIP,
            time.strftime('%H:%M', time.localtime(self.honeypot.logintime))))
commands['/usr/bin/w'] = command_w
commands['/usr/bin/who'] = command_w

Change the “14 days, 3:53” string to something else, but make sure you use identical values in both lines. This change will affect the ‘w’, ‘who’ and ‘uptime’ commands. Restart Kippo (kill it and run start.sh again) for the changes to take effect.

A better idea would be to use a random number generator for these values but this is something the developer of Kippo will ultimately decide.
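An added example, not Kippo's own code, of what the random-value approach could look like: the uptime is derived from a boot time chosen once at honeypot start and rendered in the layout procps `uptime` uses, so ‘w’, ‘who’ and ‘uptime’ stay consistent and the value keeps advancing between sessions. The function names are mine.

```python
import random
import time

# Added example (not Kippo's code): replaces the hardcoded "14 days,  3:53" with a
# boot time picked once when the honeypot starts. Function names are assumptions.

def pick_boot_time(now=None, min_days=2, max_days=120, rng=random):
    """Choose a plausible boot time between min_days and max_days before `now`."""
    now = time.time() if now is None else now
    return now - rng.uniform(min_days * 86400, max_days * 86400)

def format_uptime(seconds):
    """Render elapsed seconds the way procps uptime does:
    '14 days,  3:53', '1 day,  1:00', ' 3:53' or '25 min'."""
    days, rem = divmod(int(seconds), 86400)
    hours, rem = divmod(rem, 3600)
    minutes = rem // 60
    out = ''
    if days:
        out += '%d day%s, ' % (days, '' if days == 1 else 's')
    if hours:
        out += '%2d:%02d' % (hours, minutes)   # procps pads hours to width 2
    else:
        out += '%d min' % minutes
    return out

def format_load(rng=random):
    """Three plausible load averages that fall off like real 1/5/15-minute figures."""
    one = rng.uniform(0.01, 0.50)
    five = one * rng.uniform(0.3, 1.0)
    fifteen = five * rng.uniform(0.3, 1.0)
    return '%.2f, %.2f, %.2f' % (one, five, fifteen)

def uptime_line(boot_time, now, users, load):
    """First line shared by uptime/w: ' HH:MM:SS up <uptime>,  N user(s),  load average: ...'.
    In base.py this string would replace the literal handed to self.writeln()."""
    clock = time.strftime('%H:%M:%S', time.localtime(now))
    return ' %s up %s,  %d user%s,  load average: %s' % (
        clock, format_uptime(now - boot_time), users, '' if users == 1 else 's', load)

if __name__ == '__main__':
    BOOT = pick_boot_time()           # would be set once when the honeypot starts
    print(uptime_line(BOOT, time.time(), 1, format_load()))
```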

Jan 01 2012

Kippo2MySQL v0.1.1 update

Due to the move of the blog to this domain, I have updated Kippo2MySQL with the latest information and contact details.

Download Kippo2MySQL v0.1.1 here: kippo2mysql-0.1.1

MD5 Checksum: 1D1C664902B20BDA941538B86DA2DAEE
SHA-1 Checksum: 47F0544AADC5FC3362E317C5BB586A90CF0E0138

Jan 01 2012

Kippo-Graph and Kippo2MySQL update

Due to the move of the blog to this domain, I have updated Kippo-Graph with the latest information and contact details.

Download Kippo-Graph v0.6.1 here: kippo-graph-0.6.1

MD5 Checksum: 4FD2389B223DFD699E855E66094E65F3
SHA-1 Checksum: 1DAD2618F6B756CD3645096971D17776950640EA

Dec 31 2011

Kippo2MySQL v0.1, populate a MySQL DB with data from Kippo logs!

This is yet another small piece of software that simply extracts some VERY BASIC stats from Kippo’s text-based log files (a mess to analyze!) and inserts them in a MySQL database.

Then you can run some queries and of course visualize the data if you want to.

This is the initial version (0.1) so many things are hardcoded or ugly or dead simple, but it does the job. The file is a modified version of the “kippo-stats” Perl script originally written by Tomasz Miklas and modified by mig5. Later on I might update Kippo-Graph or write a new tool specifically for Kippo2MySQL to generate some graphs from this type of data.

You will have to change the script and enter the correct paths, your MySQL credentials, have a database and a db user created beforehand, etc. It’s pretty straightforward though.

Download the Perl script from here: kippo2mysql

For comments, suggestions, fixes, please use the Kippo2MySQL page: http://bruteforcelab.com/kippo2mysql

Dec 30 2011

Kippo-Graph 0.6 released!

New version of Kippo-Graph with more graphs (currently 18 in total!) and additional features including IP lookup and malicious file scanning.

Download it from here: kippo-graph-0.6

MD5 Checksum: 889D40D2CA34A649708C0DAAF439ACAE
SHA-1 Checksum: 4E92EC316FA55E9E3E1966E1DB9310074B56D177


Version 0.6:
+ Added human activity per day graph (Kippo-Input) – updated gallery.
+ Added probes per week graph – updated gallery.
+ Added break-ins from same IP graph – updated gallery.
+ Added IP Void lookup feature (Kippo-Geo).
+ Added NoVirusThanks scan feature (Kippo-Input).
+ Fixed SSH clients graph: shows top 10, ordered by volume.
– Removed favicon.

For comments, suggestions, fixes, please use the Kippo-Graph page: http://bruteforcelab.com/kippo-graph