So… I saw a new issue today on Kippo’s website that was posted some days ago.
It seems that Kippo is not only recognizable by a human attacker (see: Kippo reveals itself with ‘w’ and ‘uptime’ commands), but also without actually hacking into it.
Apparently, a Metasploit Framework module can detect a Kippo installation. The Ruby script in question is located at msf3/modules/auxiliary/scanner/ssh/ and is called ssh_version.rb.
At first I thought that this could be due to yet another hardcoded string inside the code, but the version returned above is not anything out of the ordinary. So, I looked into it a bit and after some Google-Fu I found this presentation from a Metasploit developer: Detecting Medium Interaction Honeypots.
Inside he describes how Kippo can be recognized. More specifically, Kippo does not follow the correct key exchange sequence of an SSH server. Here are two examples of Wireshark captures from a real OpenSSH server and an emulated one (honeypot):
As you see above, in a normal connection attempt the Server first returns its protocol/version string. The Client then responds with its own and requests a key exchange, the Server replies, the keys are exchanged using the Diffie-Hellman protocol, and an encrypted connection is established.
While in Kippo, the Server prematurely sends a Key Exchange Init packet, thus messing up the sequence. This can be checked, and thus Kippo can be recognized. Here is the exact snippet that does the job:
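As an added example (my own code, not the Metasploit module and not anything from Kippo), here is the same check in offline form, the way a honeypot operator could run it against a capture of their own server: it takes the bytes the server transmitted before the client sent its identification string, splits off the banner, parses any unencrypted SSH binary packets (RFC 4253 section 6) that follow and reports whether an SSH_MSG_KEXINIT (message number 20) is already among them. The two byte streams at the bottom are constructed samples, not real captures.

```python
import struct

SSH_MSG_KEXINIT = 20  # RFC 4253 section 12


def split_identification(data: bytes):
    """Split the server's "SSH-2.0-...\\r\\n" identification string from
    whatever binary packets follow it. Returns (banner, remainder)."""
    end = data.find(b"\r\n")
    if end == -1 or not data.startswith(b"SSH-"):
        raise ValueError("no SSH identification string at start of stream")
    return data[:end].decode("ascii", "replace"), data[end + 2:]


def parse_packets(data: bytes):
    """Yield the payload of each unencrypted SSH binary packet in data:
    uint32 packet_length, byte padding_length, payload, random padding."""
    off = 0
    while off + 5 <= len(data):
        packet_len, padding_len = struct.unpack_from(">IB", data, off)
        payload_len = packet_len - padding_len - 1
        if payload_len < 0 or off + 4 + packet_len > len(data):
            break  # truncated or malformed packet: stop rather than guess
        yield data[off + 5: off + 5 + payload_len]
        off += 4 + packet_len


def premature_kexinit(server_bytes_before_client_banner: bytes) -> bool:
    """True if the server already sent SSH_MSG_KEXINIT before the client
    sent its own identification string (the sequence described above)."""
    _, rest = split_identification(server_bytes_before_client_banner)
    return any(p[:1] == bytes([SSH_MSG_KEXINIT]) for p in parse_packets(rest))


def build_packet(payload: bytes) -> bytes:
    """Wrap payload in an unencrypted SSH packet with minimal (>= 4) padding
    so the whole packet is a multiple of 8 bytes. Used only to construct samples."""
    padding = 8 - ((len(payload) + 5) % 8)
    if padding < 4:
        padding += 8
    return struct.pack(">IB", len(payload) + padding + 1, padding) + payload + b"\x00" * padding


# Constructed samples (not real captures): what each server sent before the client's banner.
# A minimal KEXINIT payload: msg id, 16-byte cookie, ten empty name-lists, flag, reserved.
_KEXINIT_PAYLOAD = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16 + b"\x00" * 40 + b"\x00" + b"\x00" * 4
WAITING_SERVER = b"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n"          # banner only, then waits
EAGER_SERVER = WAITING_SERVER + build_packet(_KEXINIT_PAYLOAD)         # banner followed by KEXINIT
```

`premature_kexinit(WAITING_SERVER)` returns False and `premature_kexinit(EAGER_SERVER)` returns True; a capture of your own honeypot can be fed in the same way once the server-to-client bytes up to the client banner are extracted.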
The solution? Unfortunately I’m not sure at this time, as I haven’t been able to invest time in it.
Perhaps the developer of Kippo will try to fix it, as an issue/bug (num. 48) has been filed already.