Kippo-Graph 0.6.2 released.

Another update for Kippo-Graph, after the 0.6 “milestone”, reaching version 0.6.2 (as you may noticed I might have abused the versioning system a little, so from now on there will be small increments better reflecting the work done).

It includes two new features for the Kippo-Geo component: hostname resolution for the top 10 IPs and lookup using the robtex website (the so-called Swiss Army Knife Internet Tool).

Download it from here: kippo-graph-0.6.2

MD5 Checksum: 02CFE61CFEEDEB6B50E4E46A24D84A58
SHA-1 Checksum: 49AE513ADDBE10343EA2673C163F13A8E6E62A5A


Version 0.6.2:
+ Added hostname resolution for IPs.
+ Added robtex IP lookup feature.

For comments, suggestions, fixes, please use the Kippo-Graph page:

Kippo reveals itself with ‘w’ and ‘uptime’ commands

It occurred to me suddenly today that in every TTY session I see online if the attacker runs the ‘w’ command a uptime value of ~14 days is shown. I checked it and it’s true. Kippo has the following output for the ‘w’ command hardcoded into its source code: up 14 days, 3:53. The same thing applies to ‘who’ and ‘uptime’ commands as well.

As you can imagine this is a serious flaw that makes identification of a Kippo honeypot pretty easy. As you may have noted, ‘w’ is usually the first command an attacker will run after getting access to a honeypot system.

I have submitted the above issue here and hopefully a fix will be released in the next revision/version of Kippo. Until then it would be wise to fix this yourself by changing the output of ‘w’ and ‘uptime’ commands.

The file in question resides inside $INSTALL_DIR/kippo/commands directory and is named ““. You will have to edit the following code block (lines 17-33), and more specifically lines 19 and 25 in (shown as 3 and 9 below):

class command_uptime(HoneyPotCommand):
    def call(self):
        self.writeln(' %s up 14 days,  3:53,  0 users,  load average: 0.08, 0.02, 0.01' % \
commands['/usr/bin/uptime'] = command_uptime

class command_w(HoneyPotCommand):
    def call(self):
        self.writeln(' %s up 14 days,  3:53,  1 user,  load average: 0.08, 0.02, 0.01' % \
        self.writeln('USER     TTY      FROM              [email protected]   IDLE   JCPU   PCPU WHAT')
        self.writeln('%-8s pts/0    %s %s    0.00s  0.00s  0.00s w' % \
            time.strftime('%H:%M', time.localtime(self.honeypot.logintime))))
commands['/usr/bin/w'] = command_w
commands['/usr/bin/who'] = command_w

Change the “14 days, 3:53” string to something else, but make sure you use identical values in both lines. This change will affect the ‘w’, ‘who’ and ‘uptime’ commands. Restart Kippo (kill it and run again) for the changes to take effect.

A better idea would be to use a random number generator for these values but this is something the developer of Kippo will ultimately decide.

Kippo2MySQL v0.1.1 update

Due to the move of the blog to this domain, I have updated Kippo2MySQL with the latest information and contact details.

Download Kippo2MySQL v0.1.1 here: kippo2mysql-0.1.1

MD5 Checksum: 1D1C664902B20BDA941538B86DA2DAEE
SHA-1 Checksum: 47F0544AADC5FC3362E317C5BB586A90CF0E0138

Kippo-Graph and Kippo2MySQL update

Due to the move of the blog to this domain, I have updated Kippo-Graph with the latest information and contact details.

Download Kippo-Graph v0.6.1 here: kippo-graph-0.6.1

MD5 Checksum: 4FD2389B223DFD699E855E66094E65F3
SHA-1 Checksum: 1DAD2618F6B756CD3645096971D17776950640EA

Kippo2MySQL v0.1, populate a MySQL DB with data from Kippo logs!

This is yet another simple piece of software that simply extracts some VERY BASIC stats from Kippo’s text-based log files (a mess to analyze!) and inserts them in a MySQL database.

Then you can run some queries and of course visualize the data if you want to.

This is the initial version (0.1) so many things are hardcoded or ugly or dead simple, but it does the job. The file is a modified version of “kippo-stats” perl script originally writen by Tomasz Miklas and modified by mig5. Later on I might update Kippo-Graph or write a new tool specifically for Kippo2MySQL to generate some graphs from this type of data.

You will have to change the script and enter the correct paths, your MySQL credentials, have a database and a db user created beforehand, etc. It’s pretty straightforward though.

Download the perl script from here: kippo2mysql

For comments, suggestions, fixes, please use the Kippo2MySQL page:

Kippo-Graph 0.6 released!

New version of Kippo-Graph with more graphs (currently 18 in total!) and additional features including IP lookup and malicious file scanning.

Download it from here: kippo-graph-0.6

MD5 Checksum: 889D40D2CA34A649708C0DAAF439ACAE
SHA-1 Checksum: 4E92EC316FA55E9E3E1966E1DB9310074B56D177


Version 0.6:
+ Added human activity per day graph (Kippo-Input) – updated gallery.
+ Added probes per week graph – updated gallery.
+ Added break-ins from same IP graph – updated gallery.
+ Added IP Void lookup feature (Kippo-Geo).
+ Added NoVirusThanks scan feature (Kippo-Input).
+ Fixed SSH clients graph: shows top 10, ordered by volume.
– Removed favicon.

For comments, suggestions, fixes, please use the Kippo-Graph page:

Kippo-Graph 0.5.1 released.

As you may have noticed I have included a version checking function, so you can get a text msg on the index page if there is a new version of Kippo-Graph. In order to do that your system has to get the contents of which is a text file with the current/latest version number and compare it against a ‘version’ definition declared in Kippo-Graph. This works nice in theory, but someone raised the concern of privacy, because the honeypot’s IP gets logged.

For this reason I’m releasing a “fixed” version of Kippo-Graph, leaving the feature in place, but including a UPDATE_CHECK YES/NO directive inside config.php (default: NO) along with a warning detailing the choice, and if the user wants to have the feature enabled then he can change that to YES.

Kippo-Graph 0.5.1 is finally released under GPLv3 as well. Details at LICENSE.txt.

Starting from this version CHECKSUMS for the .tar file will be posted along with the archive for verification purposes.

Download the “fixed” Kippo-Graph, version 0.5.1 here: kippo-graph-0.5.1

MD5 Checksum: 4F017814F53F5EF47018A62BF80C04F9
SHA-1 Checksum: 652EC2A3B225BF5EC9CE3A086C440C79F489EF98