Kippo SSH HoneyPOT

Posted: 25 January, 2012 in infrastructure tutorials

It's been a long time since I updated this blog; I've been a bit busy.. hehehe. OK, in this entry I want to share how to set up an SSH HoneyPot using Kippo.

OK, let's first look at what a HoneyPot is:
In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.
Source : http://en.wikipedia.org/wiki/Honeypot_(computing)

So we can understand a honeyPot as a 'system' that is set up as a trap, inviting attackers to attack that system.

What is it for?
1. To collect data (statistics and attack patterns).
2. To learn new techniques used by attackers.
3. And all sorts of other things 🙂

Let's take a look at the honeyPot architecture diagram below.

Caption : Architecture Kippo HoneyPot

By default Kippo listens on port 2222, so we need to port-forward from port 22 (the standard SSH port) to port 2222. We also need one more port on this server for management (the real sshd). An attacker on the outside will see port 22 open and try to 'get in'. In this case we place the Kippo server in the DMZ zone.

The attacker will port-scan this server, find port 22 (ssh) open, and then start their 'nger00t' (getting root) activity hehehe.


OK, now let's see how to set up this Kippo HoneyPot. I'm using Ubuntu Server. First, log in to your Ubuntu server and run the following commands:

sudo mkdir /opt/kippo
sudo apt-get install subversion
sudo apt-get install mysql-server
# the MySQL binding is the single package python-mysqldb (not "python mysql-db")
sudo apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted python python-mysqldb

cd /opt/kippo/
# the trailing "." checks the trunk out into /opt/kippo itself, so the paths
# used below (/opt/kippo/doc/sql, /opt/kippo/start.sh) exist
sudo svn checkout http://kippo.googlecode.com/svn/trunk/ .

Then create a new user named kippo (or any other name) and make /opt/kippo owned by that user so Kippo can write its logs there (we don't want to run this honeyPot as the root user).

Now a little configuration on the MySQL server. You can use the commands below.

mysql -u root -p
mysql> CREATE DATABASE kippo;
# replace 'katalaluan' with a password of your own
mysql> GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'katalaluan';
mysql> exit

# load Kippo's schema (auth, sessions, ... tables) into the new database
cd /opt/kippo/doc/sql
mysql -u kippo -p kippo < mysql.sql

You need to change the configuration in the kippo.cfg file (if the checkout only ships kippo.cfg.dist, copy it to kippo.cfg first): enter the database name, username and password in the [database_mysql] section.
Then set up iptables for the port forward.

# the real sshd must already listen on the management port, or this rule locks you out; it is also not persistent across reboots
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j REDIRECT --to-port 2222

We can start the Kippo honeyPot with the following commands:

su kippo
bash
cd /opt/kippo
./start.sh

Below is a script I wrote to display the data collected by Kippo 🙂

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="refresh" content="300;url=main.php">
<title>SSH HoneyPot Viewer by Hussein b. Mohamed a.k.a gh1mau</title>
<style type="text/css">
body,td,th {
font-family: Arial, Helvetica, sans-serif;
font-size: 12px;
}
body {
background-image: url(DSCRT-15-7.jpg);
background-repeat: repeat;
}

.tbl_header {
color: #FFF;
}
.stat-table {
float:left;
margin-right:1px;
}
#footer-table {
float:inherit
}

</style>
</head>

<body>
<?php
// connection settings for the kippo database: use the kippo user created
// during setup rather than root, with the password chosen at GRANT time
$host = "localhost";
$user = "kippo";      // username
$pass = "katalaluan"; // password
$db_name = "kippo";   // database name

$link = mysqli_connect($host, $user, $pass, $db_name);
if (!$link) {
    die("Cannot connect to the kippo database: " . mysqli_connect_error());
}

// query for the 10 most common usernames
$sqlusername = "select count(username) as n, username as val from auth where username <> '' group by username order by n desc limit 10";

// query for the 10 most common passwords
$sqlpassword = "select count(password) as n, password as val from auth where password <> '' group by password order by n desc limit 10";

// query for the success ratio
$sqlsuccess = "select count(success) as n, success as val from auth group by success order by success";

// query for the 10 IPs with the most sessions
$sqlip = "select count(ip) as n, ip as val from sessions group by ip order by n desc limit 10";

// run one query and render it as a two-column table. Every value goes through
// htmlspecialchars(): usernames, passwords and IPs come straight from the
// attacker, so echoing them raw would let a crafted login attempt inject HTML
// or script into the operator's browser
function render_table($link, $sql, $id, $title, $count_label, $value_label) {
    $result = mysqli_query($link, $sql);
    if (!$result) {
        die("Query failed: " . mysqli_error($link));
    }
    echo '<table width="25%" id="' . $id . '" class="stat-table">
<tr><td colspan="2" align="center" bgcolor="#990000"><strong><font color=white>' . $title . '</font></strong></td></tr>
<tr>
<td align="center" bgcolor="#990000"><font color=white><b>' . $count_label . '</b></font></td>
<td align="center" bgcolor="#990000"><font color=white><b>' . $value_label . '</b></font></td>
</tr>';

    // fetch the rows with a while loop, alternating the row colour
    $bg = '#0066FF';
    while ($row = mysqli_fetch_assoc($result)) {
        $bg = ($bg == '#FFFF99' ? '#FF8888' : '#FFFF99');
        echo '<tr bgcolor="' . $bg . '">
<td align="center"><strong>' . (int)$row['n'] . '</strong></td>
<td align="left"><strong>' . htmlspecialchars((string)$row['val'], ENT_QUOTES, 'UTF-8') . '</strong></td>
</tr>';
    }
    echo '</table>';
    mysqli_free_result($result);
}
?>
<h3><strong><u>SSH HoneyPot Viewer</u></strong></h3>
<p>
<?php
// display the data in tables - username, password, unique ip, success ratio
render_table($link, $sqlusername, 'username-table', 'Top 10 most common username attempted', 'count(username)', 'username');
render_table($link, $sqlpassword, 'password-table', 'Top 10 most common password attempted', 'count(password)', 'password');
render_table($link, $sqlip, 'ip-table', 'Top 10 unique IP connections', 'count(ip)', 'ip');
render_table($link, $sqlsuccess, 'success-table', 'Success Ratio', 'count(success)', 'success');
mysqli_close($link);
?>
</p>

<table width="100%" border="0" id="footer-table">
<tr><td>&nbsp;</td></tr>
<tr><td>by Hussein b. Mohamed a.k.a gh1mau Version 1.0.0</td></tr>
</table>
</body>
</html>

Caption : Kippo HoneyPot viewer

Also have a look in the folder /opt/kippo/log/tty. There we can see what the attacker did after managing to 'get in' to this server.

Use the playlog.py utility (in the folder /opt/kippo/utils) to replay those recordings. There's all sorts of stuff in there.. heheheh 🙂
God willing, I'll later post the interesting logs that get 'caught'.
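As an added example (not part of the original post), here is a small Python script that computes the same four statistics as the viewer above straight from Kippo's text log instead of MySQL, and lists the sessions whose tty recordings are worth replaying with playlog.py. The sample lines are constructed, and the login-attempt line format the regex matches is assumed, not copied from a real honeypot.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Kippo's log/kippo.log (assumed
# format). Each login attempt carries the session id and attacker IP in the
# transport tag, followed by the credential pair tried and the outcome.
SAMPLE_LOG = """\
2012-01-25 10:01:02+0800 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/123456] failed
2012-01-25 10:01:04+0800 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/password] failed
2012-01-25 10:01:06+0800 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/toor] succeeded
2012-01-25 10:05:11+0800 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.9] login attempt [admin/admin] failed
2012-01-25 10:05:13+0800 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.9] login attempt [root/123456] failed
2012-01-25 10:05:15+0800 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.9] login attempt [test/test] failed
2012-01-25 10:09:40+0800 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.5] login attempt [root/123456] failed
2012-01-25 10:09:41+0800 [HoneyPotTransport,3,203.0.113.5] connection lost
"""

# assumed shape of a login-attempt line; any other line is ignored
ATTEMPT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,"
    r"(?P<session>\d+),(?P<ip>[\d.]+)\] login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>succeeded|failed)$"
)

def parse_attempts(text):
    """Yield one dict per login-attempt line found in the log text."""
    for line in text.splitlines():
        m = ATTEMPT_RE.match(line)
        if m:
            yield m.groupdict()

def summarize(text, top=10):
    """Same four statistics as the PHP viewer, plus sessions to replay."""
    attempts = list(parse_attempts(text))
    # one session is one (ip, session id) pair, like a row in Kippo's sessions table
    sessions = {(a["ip"], a["session"]) for a in attempts}
    users = Counter(a["user"] for a in attempts if a["user"])
    passwords = Counter(a["password"] for a in attempts if a["password"])
    ips = Counter(ip for ip, _ in sessions)
    successes = [a for a in attempts if a["result"] == "succeeded"]
    return {
        "top_usernames": users.most_common(top),
        "top_passwords": passwords.most_common(top),
        "top_ips": ips.most_common(top),
        "attempts": len(attempts),
        "succeeded": len(successes),
        # sessions that got a shell: their tty recordings are the ones to replay
        "sessions_to_replay": sorted({(a["ip"], a["session"]) for a in successes}),
    }
```

Point it at a real kippo.log by passing the file contents to summarize(); failed attempts still feed the credential statistics, but only succeeded sessions produce a tty recording worth replaying.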

p/s : The post about rsync for auto-mirroring an Apache web server is on hold for now. I'll write it up when I have time 🙂

Happy h4ckin from uncle gh1mau 🙂

Comments
  1. Anonymous says:

    nice article bro about honeypots.. keep the updates coming fast bro..hehehe

  2. Anonymous says:

    thanks bro..hehe

  3. zam says:

    Brother Hussein, if I'm not mistaken,
    your command "sudo apt-get install python mysql-db" looks wrong.
    Maybe a typo.
    The correct command is "sudo apt-get install python-mysqldb", right?
    Sorry if I'm wrong.

  4. unnamed says:

    wow! super!
