Setting up a HoneyPot with Kippo and Kippo-Graph

Aug 17, 2017 17:00 · 964 words · 5 minutes read honeypot kippo linux ubuntu security

What is a HoneyPot?

In computer terminology, a HoneyPot is defined as a system that is set up to act as a decoy. This decoy can serve various purposes such as detecting, deflecting, studying, or even countering any unauthorised access to a network.

Usually it consists of a virtual system containing bogus data and applications that try to mimic the behaviour of a real system, in order to lure potential attackers into it.

The HoneyPot is thoroughly monitored and all communications with it are considered hostile, as there’s no reason for legitimate users to access it. The activity logged by the system may provide interesting insight into the type of attacks being directed at the network infrastructure, while distracting the attackers from valuable targets and information.



Kippo and Kippo-Graph

Kippo: An SSH medium-interaction HoneyPot designed to log brute-force attacks and the attacker’s interaction with the emulated console.

Kippo-Graph: A visualization front-end for the information logged by Kippo, capable of showing geo-locations, unique IPs and user/pass combinations in easy-to-read graphics.



Setup

Requirements

  • Any Linux distro (almost anything goes; the commands below assume a Debian/Ubuntu system with apt-get)


Step By Step - Kippo

1 - Installing pre-requisites

sudo apt-get install python-mysqldb apache2

2 - Installing python-dev

apt-get install python-dev

3 - Twisted 14.0.2 is required, as more recent versions (the current one is 17.5.0) will not work with Kippo

cd /tmp

wget https://github.com/twisted/twisted/archive/twisted-14.0.2.tar.gz

tar -zxvf twisted-14.0.2.tar.gz

cd twisted-twisted-14.0.2/

./setup.py install

4 - Installing MySQL

apt-get install mysql-server

apt-get install mysql-client

5 - Setting up MySQL

service mysql start

mysql -h localhost -u root -p

If you set a root password when installing MySQL, enter it at the prompt. Otherwise, just press Enter.

create database kippo;

GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'yourkippopasswordhere';

exit

Swap yourkippopasswordhere with your chosen password for the kippo MySQL user (use straight single quotes in the GRANT statement; curly quotes are a syntax error).

6 - Clone the latest Kippo version

cd /opt/
git clone https://github.com/desaster/kippo

7 - Creating the database and tables for Kippo

Log in as the kippo user (the -p flag must be followed by the password with no space, or left alone so mysql prompts for it; with a space, mysql would treat the password as a database name):

cd /opt/kippo/doc/sql

mysql -u kippo -p

Select the kippo database with use kippo;

You will now import Kippo’s table template with source mysql.sql;

Verify everything is OK using show tables;

You should see 7 entries (auth, clients, downloads, input, sensors, sessions and ttylog).

You can now exit

8 - Setting up Kippo’s configuration

cd /opt/kippo/

cp kippo.cfg.dist kippo.cfg

nano kippo.cfg

Inside this file you should find something like this:

# MySQL logging module
#
# Database structure for this module is supplied in doc/sql/mysql.sql
#
# To enable this module, remove the comments below, including the
# [database_mysql] line.
#[database_mysql]
#host = localhost
#database = kippo
#username = kippo
#password = secret
#port = 3306

Edit the values and do not forget to uncomment the #[database_mysql] line as well!

You should end up with something like this

[database_mysql]
host = localhost
database = kippo
username = kippo
password = yourkippopasswordhere
port = 3306

I will not go in depth about the configuration file but you should check it out after you’ve finished setting everything up. There are a lot of interesting options here you might want to take a look at.

9 - Create a new unprivileged user to run Kippo

useradd -d /home/kippo -s /bin/bash -m kippo

Kippo only binds port 2222, so this account needs no sudo rights; keeping it out of the sudo group is what makes it unprivileged.

10 - Give the new user ownership of the folder/contents

chown -R kippo /opt/kippo



Step By Step - Kippo-Graph

You are now ready to install Kippo-Graph so you can actually get visual information out of Kippo’s logs.

1 - Installing pre-requisites

sudo apt-get install libapache2-mod-php5 php5-cli php5-common php5-cgi php5-mysql php5-gd

2 - Installing Kippo-Graph’s latest version

cd /var/www/html

wget http://bruteforcelab.com/wp-content/uploads/kippo-graph-1.5.1.tar.gz

tar zxvf kippo-graph-1.5.1.tar.gz

rm kippo-graph-1.5.1.tar.gz

mv kippo-graph-1.5.1 kippo-graph

cd kippo-graph

3 - Give full permissions to the generated-graphs folder

chmod 777 generated-graphs

Only the web server user (www-data on Debian/Ubuntu) actually needs to write here, so chown www-data generated-graphs with the default 755 mode is the tighter alternative.

4 - Edit Kippo-Graph’s configuration

cp config.php.dist config.php

nano config.php

This is the part you want to edit:

define('DB_HOST', '127.0.0.1');
define('DB_USER', 'username');
define('DB_PASS', 'password');
define('DB_NAME', 'database');
define('DB_PORT', '3306');

You should end up with something like this

define('DB_HOST', '127.0.0.1');
define('DB_USER', 'kippo');
define('DB_PASS', 'yourkippopasswordhere');
define('DB_NAME', 'kippo');
define('DB_PORT', '3306');

5 - Check that all the services are running

MySQL: service mysql status

Apache: /etc/init.d/apache2 start (starts it if it isn’t already running)

6 - Start Kippo with the kippo user

cd /opt/kippo

su kippo

./start.sh



Final Steps - Port Forwarding

Kippo is listening on port 2222, but most brute-force tools will target port 22 (the default SSH port).

Redirect port 22 (default SSH port) to port 2222 on your router.

If you don’t know how to do this, check portforward’s guide. All you have to do is pick your router’s make and model from the list.

BEWARE - If you are doing this on a remote machine, you should first set up your real SSH daemon to run on a port other than 22. That way you will be able to reach the HoneyPot through port 22 (which will be redirected to 2222) and reach the machine itself through the new port you set up for your real SSH access. Change the port by editing the /etc/ssh/sshd_config file and restarting the service with service sshd restart.
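Before adding the redirect on a remote box it is worth checking, mechanically, that the real sshd is no longer on the port you are about to hand to the decoy. The following pre-flight check is an added example, not part of the original post or of Kippo: it parses the Port directives of sshd_config and the ssh_port key of the [honeypot] section in kippo.cfg (that key is what kippo.cfg.dist uses) and reports anything that would lock you out or collide. The two config texts below are constructed samples standing in for /etc/ssh/sshd_config and /opt/kippo/kippo.cfg.

```python
import configparser
import re

# Constructed sample standing in for /etc/ssh/sshd_config after the admin
# daemon has been moved off port 22 (2200 is an arbitrary choice).
SAMPLE_SSHD_CONFIG = """\
# real admin SSH, moved so the honeypot can take port 22
Port 2200
PermitRootLogin no
"""

# Constructed sample standing in for the relevant part of /opt/kippo/kippo.cfg.
SAMPLE_KIPPO_CFG = """\
[honeypot]
ssh_port = 2222
hostname = svr03
"""


def sshd_ports(text):
    """Ports sshd would listen on, parsed from sshd_config text.

    sshd falls back to 22 when no Port directive is present, so an empty
    or commented-out config still means 'port 22 is taken'."""
    ports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        m = re.match(r"(?i)^Port\s+(\d+)$", line)   # directive is case-insensitive
        if m:
            ports.append(int(m.group(1)))
    return ports or [22]


def kippo_port(text):
    """ssh_port from the [honeypot] section of kippo.cfg (2222 is Kippo's default)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg.getint("honeypot", "ssh_port", fallback=2222)


def preflight(sshd_text, kippo_text, forwarded_port=22):
    """Return a list of problems; an empty list means the redirect is safe to add."""
    problems = []
    real = sshd_ports(sshd_text)
    decoy = kippo_port(kippo_text)
    if forwarded_port in real:
        problems.append(
            f"sshd still listens on {forwarded_port}; move it first or the redirect locks you out")
    if decoy in real:
        problems.append(f"sshd and Kippo both want port {decoy}")
    if decoy < 1024:
        problems.append(
            f"Kippo port {decoy} is privileged; keep it above 1024 and redirect to it instead")
    return problems


if __name__ == "__main__":
    # On the honeypot you would read the two real files instead of the samples.
    for p in preflight(SAMPLE_SSHD_CONFIG, SAMPLE_KIPPO_CFG):
        print("PROBLEM:", p)
    else:
        print("redirect 22 -> 2222 is safe to add")
```

Run it with the real file contents just before you add the router rule; the one case that bites people is the default config with no Port line at all, which the check treats as port 22 in use.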



Bonus - Dynamic DNS

You can set up Dynamic DNS so that instead of reaching your HoneyPot through your router’s public IP address (which can change periodically), you will have a simple domain name like thisismyhoneypot.ddns.net.

This is a free service offered by NO-IP.



Final Notes

Your HoneyPot should now be accessible through your router’s public IP address (or hostname if you’re using a dynamic DNS service) and port 22. Try it out!

To access Kippo-Graph, simply go to http://yourpublicip/kippo-graph (or, once again, http://yourhostname/kippo-graph if using a dynamic DNS service). Note that this page is served by Apache to anyone who can reach port 80, so restrict it to your own address or put it behind authentication.

These are some stats from a HoneyPot that was active for only 5 days (charts generated by Kippo-Graph):

  • Top 10 Usernames
  • Top 10 Passwords
  • Probes per day
  • Top 10 Input
  • Connections per IP + Country Codes
  • Top 10 SSH Clients
  • Username/Password Combinations
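Kippo-Graph builds those charts from the tables imported in step 7. To show what is actually being counted, here is an added example (my own code, not Kippo’s or Kippo-Graph’s) that recreates a subset of the auth, sessions and input tables from doc/sql/mysql.sql in an in-memory SQLite database, fills it with constructed rows (addresses from the 203.0.113.0/24 documentation range), and runs the queries behind the Top 10 Usernames, Top 10 Passwords, Probes per day and Connections per IP charts, plus one that Kippo-Graph does not draw but an analyst wants first: which sessions got past the login and what was typed in them. On the honeypot the same SQL runs through python-mysqldb against the kippo database.

```python
import sqlite3

# Constructed subset of Kippo's doc/sql/mysql.sql schema (auth, sessions, input),
# written in SQLite syntax so the example runs offline.
SCHEMA = """
CREATE TABLE sessions (id CHAR(32) PRIMARY KEY, starttime DATETIME NOT NULL,
                       endtime DATETIME, sensor INTEGER, ip VARCHAR(15) NOT NULL,
                       termsize VARCHAR(7), client INTEGER);
CREATE TABLE auth (id INTEGER PRIMARY KEY AUTOINCREMENT, session CHAR(32) NOT NULL,
                   success TINYINT NOT NULL, username VARCHAR(100),
                   password VARCHAR(100), timestamp DATETIME NOT NULL);
CREATE TABLE input (id INTEGER PRIMARY KEY AUTOINCREMENT, session CHAR(32) NOT NULL,
                    timestamp DATETIME NOT NULL, realm VARCHAR(50), success TINYINT,
                    input TEXT NOT NULL);
"""

# Constructed sample rows: three sessions from two source addresses, five failed
# logins, one success and the two commands typed in the successful session.
SAMPLE_SESSIONS = [
    ("s1", "2017-08-12 01:02:03", "2017-08-12 01:02:20", 1, "203.0.113.5", "80x24", 1),
    ("s2", "2017-08-13 04:05:06", "2017-08-13 04:06:00", 1, "203.0.113.9", "80x24", 2),
    ("s3", "2017-08-13 09:00:00", None, 1, "203.0.113.5", None, 1),
]
SAMPLE_AUTH = [
    ("s1", 0, "root", "123456", "2017-08-12 01:02:05"),
    ("s1", 0, "root", "password", "2017-08-12 01:02:08"),
    ("s1", 0, "admin", "admin", "2017-08-12 01:02:11"),
    ("s2", 0, "root", "123456", "2017-08-13 04:05:10"),
    ("s2", 1, "root", "123456", "2017-08-13 04:05:15"),
    ("s3", 0, "pi", "raspberry", "2017-08-13 09:00:05"),
]
SAMPLE_INPUT = [
    ("s2", "2017-08-13 04:05:30", None, 1, "uname -a"),
    ("s2", "2017-08-13 04:05:40", None, 1, "cat /proc/cpuinfo"),
]


def load_sample_db():
    """Build the in-memory database and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO sessions VALUES (?,?,?,?,?,?,?)", SAMPLE_SESSIONS)
    con.executemany(
        "INSERT INTO auth (session, success, username, password, timestamp) "
        "VALUES (?,?,?,?,?)", SAMPLE_AUTH)
    con.executemany(
        "INSERT INTO input (session, timestamp, realm, success, input) "
        "VALUES (?,?,?,?,?)", SAMPLE_INPUT)
    return con


def top_n(con, column, n=10):
    """Most-tried values of auth.username or auth.password (the 'Top 10' charts).
    The column name is whitelisted before it is interpolated into the SQL."""
    if column not in ("username", "password"):
        raise ValueError("column must be 'username' or 'password'")
    sql = (f"SELECT {column}, COUNT(*) AS c FROM auth "
           f"GROUP BY {column} ORDER BY c DESC, {column} LIMIT ?")
    return con.execute(sql, (n,)).fetchall()


def probes_per_day(con):
    """Sessions per calendar day (the 'Probes per day' chart)."""
    return con.execute(
        "SELECT date(starttime) AS day, COUNT(*) FROM sessions "
        "GROUP BY day ORDER BY day").fetchall()


def connections_per_ip(con):
    """Session count per source address (the 'Connections per IP' chart)."""
    return con.execute(
        "SELECT ip, COUNT(*) AS c FROM sessions GROUP BY ip ORDER BY c DESC, ip").fetchall()


def successful_logins(con):
    """Sessions where a login succeeded, i.e. the attacker reached the decoy shell.
    These are the sessions worth replaying from Kippo's ttylog."""
    return con.execute(
        "SELECT a.session, s.ip, a.username, a.password FROM auth a "
        "JOIN sessions s ON s.id = a.session WHERE a.success = 1").fetchall()


def commands_for_session(con, session):
    """Everything typed in one session, in order (feeds the 'Top 10 Input' chart)."""
    rows = con.execute(
        "SELECT input FROM input WHERE session = ? ORDER BY timestamp", (session,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = load_sample_db()
    print("top usernames:", top_n(db, "username"))
    print("top passwords:", top_n(db, "password"))
    print("probes per day:", probes_per_day(db))
    for sess, ip, user, pw in successful_logins(db):
        print(f"{ip} logged in as {user}:{pw}; typed {commands_for_session(db, sess)}")
```

The successful_logins query is the one to schedule: a nightly run that mails its output tells you which visitors got past the credential check, and those session IDs are exactly the ones whose ttylog recordings deserve a look.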