Kippo-Graph 1.4.2 released!

Three releases in one day? Why not!

So, this is the release of another version of Kippo-Graph, reaching 1.4.2.

Kippo-Graph 1.4.2 brings various fixes and improvements.

Download: kippo-graph-1.4.2 or clone/pull from GitHub:

MD5 Checksum: 1e18f38369900b51a7f551c9820acf3d
SHA-1 Checksum: 91ef88a8d38e76d819f7fbdef63ea7d561c06513


Version 1.4.2:
+ Fixed Kippo-Playlog’s results and added sorting to the table.
+ Added geo method selection in play.php.
+ Various small fixes.

For comments, suggestions, fixes, please use the Kippo-Graph page:

Kippo-Graph 1.4.1 released!

This is the release of another version of Kippo-Graph, reaching 1.4.1, the 2nd for today, heh!

Kippo-Graph 1.4.1 adds a check to Kippo-IP for Tor exit nodes.

Download: kippo-graph-1.4.1 or clone/pull from GitHub:

MD5 Checksum: a34ad6c008aab1339dee47115b2f0fdc
SHA-1 Checksum: 2d3023755623895c0165305eec578fe55d093918


Version 1.4.1:
+ Added check for Tor exit nodes.

For comments, suggestions, fixes, please use the Kippo-Graph page:

Kippo-Graph 1.4 released!

This is the release of another version of Kippo-Graph, reaching 1.4!

Kippo-Graph 1.4 brings MaxMind geolocation to Kippo-Geo. You can now select your GEO_METHOD of choice in config.php: either MaxMind which uses a local database and is very fast, or the previously used web service.

Download: kippo-graph-1.4 or clone/pull from GitHub:

MD5 Checksum: 9AEE0875F1ABBA17C54F69CC96EF457D
SHA-1 Checksum: 6D639C9425389114ADB17FF1455A12E3A3C0519F


Version 1.4:
+ Added support for local MaxMind geolocation instead of
+ Various small fixes.
+ Added favicon.ico.
– Removed README.txt.

For comments, suggestions, fixes, please use the Kippo-Graph page:

2015 Honeynet Project Annual Workshop – Stavanger, Norway – Save the date!

New tool:

I’m copying an interesting email from SANS’ mailing list, by Jim Clausing. Jim has developed a new tool as a replacement for Kippo2MySQL. The new tool is called and you can download it here (local copy).

I’ve been running kippo for several years now on a couple of honeypots that I have around and when I started I was just logging to the text logs that kippo can create. Since then, kippo now supports logging directly to a MySQL database and some other folks (especially Ioannis “Ion” Koniaris at have created some nice tools to generate reports from kippo data. These tools expect the data to be in the kippo MySQL database schema. Having logged several years’ worth of stuff to the text log files, I didn’t want to lose all that data, but I did want to be able to take advantage of some of the neat tools that Ion has developed, so I needed a way to get that data from the text logs to the supported db schema. Now Ion had created a script that he called Kippo2MySQL, but that converted things to his own schema and lost some data in the process. Using that as inspiration, however, I have created a script that will read the kippo text logs and populate a kippo database (using the same schema that kippo can now log to directly). The only hitch that I discovered is that when kippo is logging to text logs and restarts, it doesn’t maintain unique session ids, it starts over again from 1. This caused me to have to make a small change to the sessions table. I had to change the primary key from ID to (ID,STARTTIME). Fortunately, I haven’t had any collisions where multiple sessions with the same id actually had ttylogs, which is where things might get a bit sketchy. This was accomplished with

mysql> alter table sessions drop primary key, add primary key(id,starttime);


mysql> show create table sessions\G
*************************** 1. row ***************************
       Table: sessions
Create Table: CREATE TABLE `sessions` (
  `id` char(32) NOT NULL,
  `starttime` datetime NOT NULL,
  `endtime` datetime DEFAULT NULL,
  `sensor` int(4) NOT NULL,
  `ip` varchar(15) NOT NULL DEFAULT '',
  `termsize` varchar(7) DEFAULT NULL,
  `client` int(4) DEFAULT NULL,
  PRIMARY KEY (`id`,`starttime`),
  KEY `starttime` (`starttime`,`sensor`)
1 row in set (0.01 sec)

I’ve imported about 800K login attempts and can now play with kippo-graph or (soon, I haven’t had the chance yet) kippo2elasticsearch.  The script can be found here though I have one small issue that I’ll try to fix shortly, I think it is printing out too many #’s, I set it to print out 1 every 10,000 lines it reads from the log files and it seems like I’m getting way more than that, but that is a minor annoyance, maybe I’ll just add a switch to turn that off later.  In the meantime, enjoy and if you find any problems or have ideas for improvement, let me know either in the comments or by e-mail at my address below.


Jim Clausing, GIAC GSE #26
jclausing –at– isc [dot] sans (dot) edu
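To show why the (id, starttime) key matters, here is an added example (not Jim’s script and not from the page) that parses a few constructed kippo text-log lines into a sessions table keyed the same way; the log line format is assumed from kippo’s logging style, and SQLite stands in for MySQL so it runs offline.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample kippo text-log lines; the format is assumed from kippo's
# logging style and is not from the page. The honeypot restarted between the
# two connections, so both are "session: 1", the collision Jim describes.
SAMPLE_LOG = """\
2014-03-01 10:00:00+0000 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 203.0.113.5:51234 (10.0.0.2:2222) [session: 1]
2014-03-01 10:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/123456] failed
2014-03-01 10:00:09+0000 [HoneyPotTransport,1,203.0.113.5] connection lost
2014-03-02 08:30:00+0000 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 198.51.100.7:40001 (10.0.0.2:2222) [session: 1]
2014-03-02 08:30:01+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [admin/admin] succeeded
2014-03-02 08:30:40+0000 [HoneyPotTransport,1,198.51.100.7] connection lost
"""

NEW_CONN = re.compile(r"^(\S+ \S+) \[.*?\] New connection: ([\d.]+):\d+ .*\[session: (\d+)\]$")
AUTH = re.compile(r"^(\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,(\d+),[\d.]+\] "
                  r"login attempt \[([^/]*)/(.*)\] (failed|succeeded)$")
LOST = re.compile(r"^(\S+ \S+) \[HoneyPotTransport,(\d+),[\d.]+\] connection lost$")

def to_sql_time(stamp):
    """Turn kippo's 'YYYY-MM-DD HH:MM:SS+ZZZZ' stamp into a MySQL-style datetime string."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S%z").strftime("%Y-%m-%d %H:%M:%S")

def import_log(text):
    """Load log lines into an in-memory store whose sessions key is (id, starttime)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (id TEXT NOT NULL, starttime TEXT NOT NULL, "
               "endtime TEXT, ip TEXT NOT NULL, PRIMARY KEY (id, starttime))")
    db.execute("CREATE TABLE auth (session TEXT, starttime TEXT, success INTEGER, "
               "username TEXT, password TEXT, timestamp TEXT)")
    live = {}  # session id -> starttime of the session currently holding that id
    for line in text.splitlines():
        if m := NEW_CONN.match(line):
            stamp, ip, sid = m.groups()
            live[sid] = to_sql_time(stamp)  # a restart reuses ids, so key on both
            db.execute("INSERT INTO sessions (id, starttime, ip) VALUES (?, ?, ?)",
                       (sid, live[sid], ip))
        elif m := AUTH.match(line):
            stamp, sid, user, pw, result = m.groups()
            db.execute("INSERT INTO auth VALUES (?, ?, ?, ?, ?, ?)",
                       (sid, live.get(sid), int(result == "succeeded"), user, pw, to_sql_time(stamp)))
        elif m := LOST.match(line):
            stamp, sid = m.groups()
            db.execute("UPDATE sessions SET endtime = ? WHERE id = ? AND starttime = ?",
                       (to_sql_time(stamp), sid, live.pop(sid, None)))
    db.commit()
    return db
```

With a plain PRIMARY KEY (id) the second "session: 1" insert would fail or overwrite the first; the composite key keeps both.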

Run HoneyDrive 3 on Hyper-V server

Todd from Computer and Network Security Services, LLC has published a great blog post about running HoneyDrive 3 on a Microsoft Hyper-V server. I’m reposting it below:

Having a Honeypot in your network can help to alert you to malicious traffic. However, installing and maintaining one can be a bit troublesome, particularly if you haven’t done it before. The complexity only increases if you aren’t familiar with Linux operating systems. I have written a previous blog on the results I received from a Honeypot I set up on my home network which was accessible to the Internet. What I didn’t write about was how long it took me to get it going. I used Dionaea and had it setup in its own subnet. I also had a firewall between it and my network, “just in case.” I turned the Honeypot off after a couple months and got busy with other things. I wanted to get back to it but I didn’t want to go through all the hassle again.

 Enter HoneyDrive3 from Ioannis Koniaris at He has built a Linux Distro with honeypots already built and ready to run. I first learned of the tool in the October issue of the ISSA journal written by Russ McRee.

Rather than covering the tool in detail I would like to document the steps I took to get it up and running on a Hyper-V server. Ioannis has it configured to download in an .ova file format which can be imported to VirtualBox. The hard disk itself is in the .vmdk (VMWare) format. Hyper-V uses the .vhd format. Converting the file is straight forward but there are a couple hurdles. (It would be nice if everybody supported a standard format, but I digress).

There are two blogs that got me headed in the right direction. The first is, Here, they go into a lot of detail about the problems of converting a guest Linux OS from a .vmdk to a .vhd. I won’t say much about it since they give a very detailed description but the tool they used successfully, Starwind V2V, didn’t work on HoneyDrive3. The second site I won’t point to because there is a current XSS attack on the page, according to my browser.

A little background on the conversion process of a .vmdk to a .vhd. Hyper-V has built-in tools that will do the conversion very nicely as long as the guest operating system is a Windows machine. I have used it to convert other servers successfully. The Starwind V2V tool is free and I have used it successfully in the past but when I tried it on HoneyDrive3 I got the following error:

Invalid file format (10) [0]

D:\HoneyDrive_3_Royal_Jelly\HoneyDrive_3_Royal_Jelly-disk1.vmdk – Invalid format. EOS marker not found

I found the necessary steps on the second website. We will use the VirtualBox command line tools to do the conversion. It is only one command but there are some pre-requisites.

 You can download HoneyDrive here,

 Here are the specs of my systems.

Hyper-V Server 2008 R2 running on an HP ProLiant server as the host.

For VirtualBox I have an I7 laptop with 8Gb of memory. I also have a second box running HoneyDrive on an Intel core2duo box. The required specs are really low.

You will need to have VirtualBox installed on a separate computer.

  1. Download the .ova file and import it into VirtualBox. Then start up the machine. As an aside, you can extract files from .ova by changing the file extension to .tar and using 7-zip to extract them.
  2. The VirtualBox Guest Additions are installed already. They need to be uninstalled. The following steps are performed inside HoneyDrive:
    1. Insert the Guest Additions cd by clicking Device and selecting Insert Guest additions CD.
    2. Open Terminator in HoneyDrive
    3. Type ls /media to see the version of Guest Additions. My version is 4.3.8_92456.
    4. sudo sh /media/VBOXADDITIONS_4.3.8_92456/ uninstall
  3. Shut down the machine normally and close VirtualBox manager. I did not have any snapshots on mine.
  4. You need to have the VirtualBox Manager opened as an administrator. When I tried it the first time I right-clicked it and selected run as administrator. It didn’t work and it threw an error. I then opened its properties and selected the box to run as administrator. This worked. Go figure.
  5. Open VirtualBox Manager as Administrator. It must be open when you run the command below.
  6. Open a command prompt, also as administrator, and navigate to the VirtualBox installation location.
  7. In my set up, I copied the HoneyDrive.vmdk to the VirtualBox installation directory so I didn’t have to path to it.
  8. Use this command for the conversion:  VBoxManage clonehd --format vhd <honeydrive filename.vmdk> <new name.vhd>
  9. I had errors with this command before I was running as admin
  10. The conversion took less than 10 minutes and came out to about 9Gb
  11. Copy the file to your Hyper-V  server.
  12. Depending on your network, you might want to order a pizza
  13. After you are done eating the pizza your file is probably copied
  14. On the Hyper-V server create a new VM but when you get the part where it asks you to create a new hard disk select the newly converted hard drive. I am assuming the reader has a basic knowledge of Hyper-V. If you have questions let me know.
  15. Finish the wizard and start up the VM.

Contrary to previous IT experiences this worked the first time I tried it.

Now go to for some good reading. If you have a subscription to the ISSA Journal you can use the Toolsmith article in the October issue for a great getting started guide.

Happy hunting, or perhaps, trapping.

s06 Bringing PWNED To You Interesting Honeypot Trends Elliott Brink