Kippo Users Beware: Another fingerprinting trick
We all know that the ssh honeypot "kippo" is a great tool. But it is awful easy for an attacker to figure out that they are connected to a kippo honeypot. The latest trick I see people use is to run the "file" command, which is not impleneted in kippo. For example:
# file /sbin/init
bash: file: command not found
While on a real system, I would get
# file /sbin/init
/sbin/init: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x7aa29ded613e503fb09fb75d94026f3256f01e7a, stripped
This is a bit a tricky one to "fix" in that it requires more then just a static response as the attacker may try different files to test. So it would require something like a full database of possible files to try. Or (risky...) an implementation that would use actual output from the system kippo is running on.
Maybe I will have a patch for kippo latre today to implement either solution.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
Anonymous
May 14th 2014
1 decade ago
To get a better banner, connect via telnet to any ssh server and see what comes back.
They could also look at the set of ciphers, but from what I can tell, kippo looks pretty "real" with the ciphers offered.
Anonymous
May 14th 2014
1 decade ago
-bash: file: command not found
Because I don't have the file-x.y.z package installed.
I use minimal installation images whenever possible.
That also means there are no unnecessary programs, such as 'wget', except on a few systems that do actually need it.
Maybe if more people use minimal installs.... any 'real' systems an intruder gains access to,
will be mistaken for a honeypot, and they'll just go away? :)
Anonymous
May 14th 2014
1 decade ago
Most of the attacks I've seen have been scripts downloading linux malware from 122.224.34.75:8188. These don't show up in the input record, they show up only in the playlog. I'll get 50 attacks a day but they all do the same thing. It's getting boring so I think I'll change the banner to some other Unix and see if the attack changes.
It also helps to have your system up long enough that Shodan publishes it. I noticed a spike in attacks after my ip showed up in Shodan.
Anonymous
May 15th 2014
1 decade ago
My working theory on the immediate disconnects isn't that it's necessarily attackers identifying the honeypot for what it is, but that the immediately disconnected sessions are from automated scanners and mass-compromises finding vulnerable systems for their masters. Whilst I have nothing but gut feeling to back this up, the fact that many logins with manual interactions source from IP addresses that have never connected to the vulnerable system before lend credence to the basis that advanced knowledge of the system and credentials came from somewhere.
Anonymous
May 15th 2014
1 decade ago
I'd advise caution attempting this though, I've watched too many logged sessions where the attacker has identified the honeypot and fired off a potentially spiteful 'rm -rf /' prior to disconnecting. Not sure I'd want to get a production system hosed due to being to cute with the obfuscation.
Definitely agree with the minimal install aspect though.
Anonymous
May 15th 2014
1 decade ago