
Feb 13 2012

Kippo is being detected by Metasploit

So… I saw a new issue today on Kippo’s website, posted some days ago.

It seems that Kippo is not only recognizable by a human attacker once inside (see: Kippo reveals itself with ‘w’ and ‘uptime’ commands), but can also be identified without actually hacking into it.

Apparently, a Metasploit Framework module can detect a Kippo installation. The Ruby script in question is ssh_version.rb, located under msf3/modules/auxiliary/scanner/ssh/.

[Screenshot: the ssh_version module run in msf3 against a Kippo installation]

At first I thought that this could be due to yet another hardcoded string inside the code, but the version string returned above is nothing out of the ordinary. So I looked into it a bit, and after some Google-Fu I found this presentation from a Metasploit developer: Detecting Medium Interaction Honeypots.

In it he describes how Kippo can be recognized: Kippo does not follow the key exchange sequence of a real SSH server. Here are two Wireshark captures, one from a real OpenSSH server and one from the emulated one (the honeypot):

[Screenshot: Wireshark capture of a REAL SSH server]

[Screenshot: Wireshark capture of the Kippo SSH server]

As you see above, in a normal connection attempt the server sends its protocol/version string, the client responds with its own and requests a key exchange (Key Exchange Init), the server replies with its own Key Exchange Init, the keys are then exchanged using the Diffie-Hellman protocol, and an encrypted connection is established.

In Kippo, however, the server sends its Key Exchange Init packet prematurely, out of the order shown above. This ordering can be checked, and so Kippo can be recognized. Here is the exact snippet that does the job:

[Screenshot: the detection snippet in the msf3 module ssh_version.rb]
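The ordering check described above, written as an added example (not the Metasploit module's code): it parses a constructed, unencrypted capture of the pre-key-exchange messages using RFC 4253 framing and flags a server whose SSH_MSG_KEXINIT arrives before the client's identification string. The banners and cookie bytes are made up; a honeypot operator can feed a capture of their own deployment through the same check.

```python
import struct

SSH_MSG_KEXINIT = 20  # RFC 4253, section 7.1

def build_packet(payload: bytes) -> bytes:
    """Frame an unencrypted SSH binary packet (RFC 4253, section 6):
    uint32 packet_length, byte padding_length, payload, random padding
    (at least 4 bytes, total length a multiple of the 8-byte block)."""
    padding_len = 8 - ((len(payload) + 5) % 8)
    if padding_len < 4:
        padding_len += 8
    body = bytes([padding_len]) + payload + b"\x00" * padding_len
    return struct.pack(">I", len(body)) + body


def classify(data: bytes) -> str:
    """Name one message from the unencrypted phase: the identification
    string, or the SSH message type carried in a binary packet."""
    if data.startswith(b"SSH-"):
        return "IDENT"
    if len(data) < 6:
        return "SHORT"
    packet_len, padding_len = struct.unpack(">IB", data[:5])
    payload = data[5:5 + packet_len - padding_len - 1]
    if not payload:
        return "EMPTY"
    return "KEXINIT" if payload[0] == SSH_MSG_KEXINIT else "MSG_%d" % payload[0]


def premature_server_kexinit(events) -> bool:
    """events: ordered (direction, bytes) pairs, direction "S" or "C".
    True when the server's KEXINIT precedes the client's identification
    string, the out-of-order behaviour the Metasploit module keys on."""
    client_ident_seen = False
    for direction, data in events:
        kind = classify(data)
        if direction == "C" and kind == "IDENT":
            client_ident_seen = True
        elif direction == "S" and kind == "KEXINIT":
            return not client_ident_seen
    return False


# Constructed sample exchanges (banners and cookie bytes are made up).
KEXINIT_PKT = build_packet(bytes([SSH_MSG_KEXINIT]) + b"\x11" * 16 + b"\x00" * 4)
REAL_EXCHANGE = [("S", b"SSH-2.0-OpenSSH_5.3\r\n"), ("C", b"SSH-2.0-OpenSSH_5.9\r\n"),
                 ("C", KEXINIT_PKT), ("S", KEXINIT_PKT)]
KIPPO_LIKE_EXCHANGE = [("S", b"SSH-2.0-OpenSSH_5.3\r\n"), ("S", KEXINIT_PKT),
                       ("C", b"SSH-2.0-OpenSSH_5.9\r\n"), ("C", KEXINIT_PKT)]

if __name__ == "__main__":
    print("real server premature KEXINIT:", premature_server_kexinit(REAL_EXCHANGE))
    print("honeypot premature KEXINIT:", premature_server_kexinit(KIPPO_LIKE_EXCHANGE))
```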

The solution? Unfortunately I’m not sure at this time, as I haven’t been able to invest any time in it.
Perhaps the developer of Kippo will try to fix it, as an issue/bug (num. 48) has already been filed.
