
Jan 03 2012

Kippo reveals itself with ‘w’ and ‘uptime’ commands

It occurred to me suddenly today that in every TTY session I see online, if the attacker runs the ‘w’ command, an uptime value of ~14 days is shown. I checked it and it’s true. Kippo has the following output for the ‘w’ command hardcoded into its source code: up 14 days, 3:53. The same thing applies to the ‘who’ and ‘uptime’ commands as well.

As you can imagine, this is a serious flaw that makes identification of a Kippo honeypot pretty easy. As you may have noted, ‘w’ is usually the first command an attacker will run after getting access to a honeypot system.

I have submitted the above issue here and hopefully a fix will be released in the next revision/version of Kippo. Until then it would be wise to fix this yourself by changing the output of ‘w’ and ‘uptime’ commands.

The file in question resides inside the $INSTALL_DIR/kippo/commands directory and is named “base.py”. You will have to edit the following code block (lines 17-33), and more specifically lines 19 and 25 of base.py: the two writeln() calls that contain the ‘up 14 days,  3:53’ string.

# base.py, lines 17-33. The hardcoded uptime figures live in the two
# writeln() calls marked below. (time, HoneyPotCommand and the commands
# dict are imported/defined near the top of base.py, above this block.)
class command_uptime(HoneyPotCommand):
    def call(self):
        # line 19: fixed "14 days,  3:53" uptime and fixed load average
        self.writeln(' %s up 14 days,  3:53,  0 users,  load average: 0.08, 0.02, 0.01' % \
            time.strftime('%H:%M:%S'))
commands['/usr/bin/uptime'] = command_uptime

class command_w(HoneyPotCommand):
    def call(self):
        # line 25: the same fixed string; keep it identical to the one above
        self.writeln(' %s up 14 days,  3:53,  1 user,  load average: 0.08, 0.02, 0.01' % \
            time.strftime('%H:%M:%S'))
        self.writeln('USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT')
        # the logged-in user line is built from the live session, not hardcoded
        self.writeln('%-8s pts/0    %s %s    0.00s  0.00s  0.00s w' % \
            (self.honeypot.user.username,
            self.honeypot.clientIP[:17].ljust(17),
            time.strftime('%H:%M', time.localtime(self.honeypot.logintime))))
commands['/usr/bin/w'] = command_w
commands['/usr/bin/who'] = command_w   # 'who' shares the 'w' implementation

Change the “14 days, 3:53” string to something else, but make sure you use identical values in both lines. This change will affect the ‘w’, ‘who’ and ‘uptime’ commands. Restart Kippo (kill it and run start.sh again) for the changes to take effect.

A better idea would be to use a random number generator for these values but this is something the developer of Kippo will ultimately decide.
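Here is a sketch of that randomised approach, added as an example for this post; it is not Kippo's code and none of the function names (pick_boot_time, format_uptime, drift_load, uptime_line, w_output) exist in Kippo. The point it makes beyond "use a random number" is that the random choice must be made once, at honeypot start, and everything else derived from it: otherwise ‘uptime’ and ‘w’ disagree within one session, or the uptime fails to grow between sessions, and the honeypot is just as recognisable. The demo values at the bottom are constructed.

```python
import random
import time

# Added example, not Kippo code: generate 'uptime'/'w' output from a fake
# boot time chosen once per honeypot instance, instead of the hardcoded
# 'up 14 days,  3:53' string that fingerprints stock Kippo installations.

DAY = 86400

def pick_boot_time(now, min_days=2, max_days=180, rng=random):
    """Return a plausible boot timestamp between min_days and max_days ago.

    Call this once when the honeypot process starts and keep the result.
    Deriving every later figure from it makes 'uptime', 'w' and 'who'
    agree with each other within a session and makes the uptime grow
    across sessions, as it would on a real host.
    """
    return now - rng.uniform(min_days * DAY, max_days * DAY)

def format_uptime(seconds):
    """Render a duration the way procps 'uptime' does:
    '5 min', ' 3:53', '1 day, 7 min', '14 days,  3:53'."""
    seconds = int(seconds)
    days, rem = divmod(seconds, DAY)
    hours, rem = divmod(rem, 3600)
    minutes = rem // 60
    parts = []
    if days:
        parts.append('%d day%s' % (days, '' if days == 1 else 's'))
    # procps prints hours with %2d, hence the double space in '14 days,  3:53'
    parts.append('%2d:%02d' % (hours, minutes) if hours else '%d min' % minutes)
    return ', '.join(parts)

def drift_load(load, rng=random):
    """Nudge each load-average figure by a small random amount so repeated
    calls do not return the identical '0.08, 0.02, 0.01' triple."""
    return tuple(round(min(max(v + rng.uniform(-0.03, 0.03), 0.0), 4.0), 2)
                 for v in load)

def uptime_line(now, boot_time, users, load):
    """The first line printed by both 'uptime' and 'w'."""
    return ' %s up %s,  %d user%s,  load average: %.2f, %.2f, %.2f' % (
        time.strftime('%H:%M:%S', time.localtime(now)),
        format_uptime(now - boot_time),
        users, '' if users == 1 else 's',
        load[0], load[1], load[2])

def w_output(now, boot_time, username, client_ip, login_time, load):
    """Full 'w' output as a list of lines, mirroring the column layout Kippo
    uses but with the uptime and load figures computed rather than fixed."""
    return [
        uptime_line(now, boot_time, 1, load),
        'USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT',
        '%-8s pts/0    %s %s    0.00s  0.00s  0.00s w' % (
            username,
            client_ip[:17].ljust(17),
            time.strftime('%H:%M', time.localtime(login_time))),
    ]

if __name__ == '__main__':
    # Constructed demo values: a seeded RNG so the run is reproducible;
    # a real deployment would let random seed itself from the OS.
    rng = random.Random(2012)
    now = time.time()
    BOOT_TIME = pick_boot_time(now, rng=rng)        # chosen once, then kept
    load = drift_load((0.08, 0.02, 0.01), rng)
    for line in w_output(now, BOOT_TIME, 'root', '192.0.2.10', now - 90, load):
        print(line)
    # One hour later the same instance reports a longer uptime, not '14 days'.
    print(uptime_line(now + 3600, BOOT_TIME, 0, drift_load(load, rng)))
```

In Kippo terms, BOOT_TIME would be computed at start-up and both command_uptime.call and command_w.call would print uptime_line() with the current time, so the two commands can never disagree and no two installations share the same figure.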


1 comment

2 pings

  1. Ion

    Just to note that somebody reported this to OSVDB: http://osvdb.org/show/osvdb/78099

    Don’t know who did it, but thanks anyway… It’s good to keep track of these things.

  1. Kojoney SSH Honeypot, installation (CentOS) and configuration » BruteForce Lab's Blog

    [...] Kojoney has some problems like Kippo. The responses for various commands are hardcoded and you might need to change them. You can alter [...]

  2. Kippo is being detected by Metasploit » BruteForce Lab's Blog

    [...] seems that Kippo is not recognizable by a human attacker, see: (Kippo reveals itself with ‘w’ and ‘uptime’ commands), but also without actually hacking into [...]
