It occurred to me today that in every TTY session I see online, whenever the attacker runs the ‘w’ command an uptime value of about 14 days is shown. I checked, and it’s true: Kippo has the following output for the ‘w’ command hardcoded in its source code: up 14 days, 3:53. The same applies to the ‘who’ and ‘uptime’ commands.
As you can imagine, this is a serious flaw that makes identifying a Kippo honeypot easy. As you may have noted, ‘w’ is usually the first command an attacker runs after getting access to a honeypot system.
I have submitted the above issue here and hopefully a fix will be released in the next revision/version of Kippo. Until then it would be wise to fix this yourself by changing the output of the ‘w’ and ‘uptime’ commands.
The file in question is “base.py”, which resides inside the $INSTALL_DIR/kippo/commands directory. You will have to edit the following code block (lines 17-33 of base.py), and more specifically lines 19 and 25 (shown as lines 3 and 9 of the block below):
```python
class command_uptime(HoneyPotCommand):
    def call(self):
        self.writeln(' %s up 14 days, 3:53, 0 users, load average: 0.08, 0.02, 0.01' % \
            time.strftime('%H:%M:%S'))
commands['/usr/bin/uptime'] = command_uptime

class command_w(HoneyPotCommand):
    def call(self):
        self.writeln(' %s up 14 days, 3:53, 1 user, load average: 0.08, 0.02, 0.01' % \
            time.strftime('%H:%M:%S'))
        self.writeln('USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT')
        self.writeln('%-8s pts/0    %s %s    0.00s  0.00s  0.00s w' % \
            (self.honeypot.user.username,
            self.honeypot.clientIP[:17].ljust(17),
            time.strftime('%H:%M', time.localtime(self.honeypot.logintime))))
commands['/usr/bin/w'] = command_w
commands['/usr/bin/who'] = command_w
```
Change the “14 days, 3:53” string to something else, but make sure you use identical values in both lines. This change will affect the ‘w’, ‘who’ and ‘uptime’ commands. Restart Kippo (kill it and run start.sh again) for the changes to take effect.
A better idea would be to use a random number generator for these values, but this is something the developer of Kippo will ultimately decide.
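As an added example (my own helper code, not Kippo’s), the snippet below shows what such a randomised version could look like: a boot time is picked once per honeypot process, and the uptime string is derived from it on every call, so ‘uptime’, ‘w’ and ‘who’ always agree and the value advances between calls instead of staying at a fixed “14 days, 3:53”. The function names and the 1-to-90-day range are my assumptions.

```python
import random
import time

# Example replacement for the hardcoded "14 days, 3:53" (not Kippo's own code).
# The boot time is chosen once per process, so every command derives the same,
# steadily growing uptime from it.
_BOOT_TIME = None

def pick_boot_time(now=None, min_days=1, max_days=90, rng=random):
    """Choose a plausible boot time once; later calls return the same value."""
    global _BOOT_TIME
    if _BOOT_TIME is None:
        now = time.time() if now is None else now
        # assumed range: uptime between min_days and max_days, to the second
        _BOOT_TIME = now - rng.uniform(min_days * 86400, max_days * 86400)
    return _BOOT_TIME

def format_uptime(seconds):
    """Render uptime like procps: '14 days, 3:53', '3:05' or '7 min'."""
    seconds = int(seconds)
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes = rem // 60
    parts = []
    if days:
        parts.append('%d day%s' % (days, '' if days == 1 else 's'))
    if hours:
        parts.append('%d:%02d' % (hours, minutes))
    else:
        parts.append('%d min' % minutes)
    return ', '.join(parts)

def uptime_line(boot_time, now, users, load=(0.08, 0.02, 0.01)):
    """First output line shared by 'uptime' and 'w' (constructed format)."""
    clock = time.strftime('%H:%M:%S', time.localtime(now))
    return ' %s up %s, %d user%s, load average: %.2f, %.2f, %.2f' % (
        clock, format_uptime(now - boot_time), users,
        '' if users == 1 else 's', load[0], load[1], load[2])
```

In Kippo’s base.py the two writeln calls would then use uptime_line(pick_boot_time(), time.time(), 0) and uptime_line(pick_boot_time(), time.time(), 1) instead of the fixed strings.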