Jan 03 2012

Kippo reveals itself with ‘w’ and ‘uptime’ commands

It occurred to me suddenly today that in every TTY session I see online, if the attacker runs the ‘w’ command, an uptime value of ~14 days is shown. I checked it and it’s true. Kippo has the following output for the ‘w’ command hardcoded into its source code: up 14 days, 3:53. The same thing applies to the ‘who’ and ‘uptime’ commands as well.

As you can imagine this is a serious flaw that makes identification of a Kippo honeypot pretty easy. As you may have noted, ‘w’ is usually the first command an attacker will run after getting access to a honeypot system.

I have submitted the above issue here and hopefully a fix will be released in the next revision/version of Kippo. Until then it would be wise to fix this yourself by changing the output of ‘w’ and ‘uptime’ commands.

The file in question resides inside the $INSTALL_DIR/kippo/commands directory and is named “base.py”. You will have to edit the following code block (lines 17-33), and more specifically lines 19 and 25 in base.py (shown as 3 and 9 below):

class command_uptime(HoneyPotCommand):
    def call(self):
        self.writeln(' %s up 14 days,  3:53,  0 users,  load average: 0.08, 0.02, 0.01' % \
            time.strftime('%H:%M:%S'))  # only the clock changes; uptime and load are fixed
commands['/usr/bin/uptime'] = command_uptime

class command_w(HoneyPotCommand):
    def call(self):
        self.writeln(' %s up 14 days,  3:53,  1 user,  load average: 0.08, 0.02, 0.01' % \
            time.strftime('%H:%M:%S'))  # same hardcoded uptime string as command_uptime
        self.writeln('USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT')
        self.writeln('%-8s pts/0    %s %s    0.00s  0.00s  0.00s w' % \
            (self.honeypot.user.username,
            self.honeypot.clientIP[:17].ljust(17),  # attacker's IP, padded to the FROM column
            time.strftime('%H:%M', time.localtime(self.honeypot.logintime))))  # session login time
commands['/usr/bin/w'] = command_w
commands['/usr/bin/who'] = command_w  # 'who' is served by the same class

Change the “14 days, 3:53” string to something else, but make sure you use identical values in both lines. This change will affect the ‘w’, ‘who’ and ‘uptime’ commands. Restart Kippo (kill it and run start.sh again) for the changes to take effect.

A better idea would be to use a random number generator for these values but this is something the developer of Kippo will ultimately decide.
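The randomised approach suggested above, as an added example that is not Kippo’s own code: one fake boot time is chosen when the honeypot starts, so the uptime advances between sessions and ‘uptime’, ‘w’ and ‘who’ always agree. The class name FakeUptime and its methods are assumptions of this example.

```python
import random
import time

# Added example, not Kippo's code: choose one fake boot time when the
# honeypot starts and derive uptime from the clock, so the value advances
# between sessions and 'uptime', 'w' and 'who' always report the same thing.
class FakeUptime:
    DAY = 86400

    def __init__(self, boot_time=None, now=None, rng=None, min_days=3, max_days=200):
        self._rng = rng if rng is not None else random.Random()
        now = time.time() if now is None else now
        if boot_time is None:
            # Boot time somewhere between min_days and max_days in the past
            boot_time = now - self._rng.uniform(min_days * self.DAY, max_days * self.DAY)
        self.boot_time = boot_time
        # Starting load averages; nudge_load() drifts them between commands
        self.load = [round(self._rng.uniform(0.0, 0.5), 2) for _ in range(3)]

    def seconds_up(self, now=None):
        now = time.time() if now is None else now
        return max(0, int(now - self.boot_time))

    def uptime_string(self, now=None):
        """procps-style: 'up 14 days,  3:53', 'up  3:07' or 'up 5 min'."""
        days, rem = divmod(self.seconds_up(now), self.DAY)
        hours, rem = divmod(rem, 3600)
        minutes = rem // 60
        parts = []
        if days:
            parts.append('%d day%s' % (days, '' if days == 1 else 's'))
        parts.append('%2d:%02d' % (hours, minutes) if hours else '%d min' % minutes)
        return 'up ' + ', '.join(parts)

    def nudge_load(self):
        """Small random walk on the load averages, clamped to a plausible range."""
        self.load = [round(min(4.0, max(0.0, v + self._rng.uniform(-0.05, 0.05))), 2)
                     for v in self.load]
        return self.load

    def uptime_line(self, users, now=None):
        """First output line shared by the uptime and w commands."""
        now = time.time() if now is None else now
        clock = time.strftime('%H:%M:%S', time.localtime(now))
        fields = (clock, self.uptime_string(now), users, '' if users == 1 else 's')
        return (' %s %s,  %d user%s,  load average: %.2f, %.2f, %.2f'
                % (fields + tuple(self.load)))
```

Create one instance when the honeypot starts and hand the same object to the uptime, w and who command classes, calling uptime_line() in place of the hardcoded string.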

  • http://bruteforce.gr Ion

    Just to note that somebody reported this to OSVDB: http://osvdb.org/show/osvdb/78099

    Don’t know who did it, but thanks anyway… It’s good to keep track of these things.

  • Sup

    Hey, yeah, I had to fix this on mine.
    Kippo also reveals itself (and is consequently fingerprinted as such by nmap) by its SSL key exchange (it’s a Python module issue iirc, not Kippo’s fault).

    Telnet to port 22 of kippo, then telnet to your real ssh server. You will see

    I tried to follow it up with a few people who bug-reported about it but never got far, and moved on since…

    Good luck! I smashed my custom kippo in the wild for a few weeks about 5 months ago, got loads of interesting shit (most interesting was actually the attackers themselves and their targeted password sets 😉). All binaries and whatnot captured were run-of-the-mill ssh bruters and other terribad programs…

    Also btw i managed to get real “command output” for attackers to see when they run binaries, (instead of static command output) by copying the binary to an openvz vserver instance and copying the output over. It had no inet connectivity and was sufficiently managed to destroy the container etc etc
    It made for a very confusing time for the attackers lollol

    Additionally I noticed a large number of attackers testing for kippo using the pipe symbol (and appropriate responses from using it, including would-be errors)
    E.g.: echo 1 > test

    Kippo doesn’t respond normally to these things so it’s something you will have to fix

    What else… Oh yeah, also you should implement “| grep” functionality in your kippo, they test for that too 😉

    Lastly I implemented a different password mechanism for kippo, basically the honeypot waits for a decent password over 6 digits containing numbers/letters etc, it also runs a 1/5 chance of accepting that password, then once it wins that condition, it then accepts this password and ‘locks’ the honeypot to this password permanently (until you reset it). What this means is you no longer have to set the password for kippo. Attackers just glance over honeypots with default looking shit passwords. It means your honeypot will accept a password like “temporary123456” and (wait a few days for the attacker to view his results) he will think he struck gold! (a legitimate result)

    The most dodgy attackers are the ones testing for only 5-6 obscure, weird but somehow related passwords then moving on. Set up IPs in vastly different IP blocks and be amazed at how they are actually scanning the whole inet for these machines (usually a company default password or some shit).
    Also there appears to be an increasing number of attackers testing for “backdoor passwords”… Passwords that have been used in various sshd backdoors and also backdoor passwords made by use of the “passwd” command by the very brute forcers themselves.
    Not sure how much luck they are having though because those lists are extremely long. Also when your honeypot locks itself to one of these backdoor passwords (that look like an md5 string for example) I find they never log into it anyway?

    Anywayyyyyy, enough. Hope this helped.
    Some Aussie guy -
    Happy hunting

    • http://bruteforce.gr Ion

      Hello! :)

      Thanks a lot for taking the time to write your thorough comment and present these great suggestions!! I think you should also forward them to the developer of Kippo through the official page at Google Code hosting.

      Also, it would be cool if you’d like to share some results from your honeypots using Kippo-Graph 😉
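The locking-password mechanism described in the comment above, as an added example that is neither Kippo’s code nor the commenter’s: a password is considered only if it is long enough and mixes letters and digits, is accepted with a 1-in-5 chance, and from then on the honeypot accepts only that username/password pair until reset. The class and parameter names (LockingPasswordPolicy, accept_chance) are assumptions of this example.

```python
import random
import re

# Added example of the locking-password idea from the comment; not Kippo's
# code. The honeypot commits to the first "decent" password that wins a
# random draw and then accepts only that credential until reset() is called.
class LockingPasswordPolicy:
    def __init__(self, min_len=6, accept_chance=0.2, rng=None):
        self.min_len = min_len
        self.accept_chance = accept_chance      # 0.2 = the comment's 1-in-5 chance
        self._rng = rng if rng is not None else random.Random()
        self.locked = None                      # (username, password) once committed

    def looks_decent(self, password):
        """At least min_len characters and a mix of letters and digits."""
        return (len(password) >= self.min_len
                and re.search(r'[A-Za-z]', password) is not None
                and re.search(r'[0-9]', password) is not None)

    def check(self, username, password):
        """Return True if this login attempt should succeed."""
        if self.locked is not None:
            # Locked: only the committed credential works, for every session
            return self.locked == (username, password)
        if not self.looks_decent(password):
            return False
        if self._rng.random() < self.accept_chance:
            self.locked = (username, password)
            return True
        return False

    def reset(self):
        """Unlock so the honeypot can commit to a new password."""
        self.locked = None
```

Attempts are accepted or rejected on the same code path, so each result can still be logged the way Kippo logs any login attempt.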

  • http://murawski.ch Stefan M.

    Please have a look here:

    This file writes out actual numbers and no fixed stuff.
