Dec 15 2011

Kippo-Graph 0.1 released

Kippo-Graph is a simple script I wrote today to visualize statistics from a Kippo SSH honeypot.

It uses the Libchart PHP chart drawing library by Jean-Marc Trémeaux.

Kippo-Graph currently shows 7 charts: top 10 passwords, top 10 usernames, top 10 username/password combos, success ratio, connections per IP, probes per day, ssh clients.

You can download the initial version (0.1) here: kippo-graph-0.1

For comments, suggestions, fixes, please use the Kippo-Graph page:

Dec 13 2011

The big post of Kippo scripts, front-ends, bash one-liners and SQL queries

Continuing on the previous posts about Kippo, and assuming you have already setup, configured it and logged some probes or intrusions, let’s take a look at some of the scripts, front-ends, commands, and other useful 3rd party stuff available in our disposal to get a better understading of what’s going on with our honeypots.

Read the rest of this entry »

Dec 08 2011

Logging Kippo events using MySQL DB

Continuing on the previous post about Kippo SSH honeypot, let’s see how we can make our lives easier and log its events in a MySQL database instead of the difficult to read text-based log files (located at kippo-dir/log by default). This post assumes that you have already followed the procedure and successfully installed Kippo on your Ubuntu Server (plus all the other things like adding a new user etc, as described in the previous post).

1. We login as root in our box and install the required software packages:

apt-get install python-mysqldb mysql-server

MySQL server will ask for a root password, enter something a bit complex.

2. We setup the database for Kippo logging:

mysql -u root -p
> GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'Kippo-DB-pass';
> exit

3. We go to Kippo’s directory (normally /home/kippo/kippo/ if you followed the previous post) and load the table structures into the database:

mysql -u kippo -p
> USE kippo;
> source ./doc/sql/mysql.sql;
> exit

At this stage re-login as ‘kippo’ user into the system.

4. If Kippo is running we will have to kill it in order to change its configuration and start it again.

ps x

Look for a line like this: 10650 ? Sl  0:00 /usr/bin/python /usr/bin/twistd -y kippo.tac -l log/kippo.log -pidfile

The first column shows the process ID, and you will use this number to kill it:

kill 10650

5. We are ready to make the necessary changes to Kippo’s config file:

vi kippo.cfg

Here we un-comment the following lines and type the corrent data:

host = localhost
database = kippo
username = kippo
password = Kippo-DB-pass

5. We are now ready to start Kippo again:


Check that Kippo is running:

netstat -antp

where you should see a line like this: tcp 0  0*  LISTEN  10650/python

We are now ready! To see the logging events in the database, you can use simple SQL commands like:

$ mysql -u kippo -p
> USE kippo;
> SELECT * FROM auth;

6. (OPTIONAL) In order to make things even easier we can install phpmyadmin, a web GUI for our mysql server:

sudo apt-get install phpmyadmin

it will be located at: http://server-ip/phpmyadmin and you can login as root (with MYSQL’s root password that you entered above) or better yet as kippo user (using kippo’s password, in our example “Kippo-DB-pass”).

Dec 05 2011

Installing Kippo SSH Honeypot on Ubuntu

I decided to setup a simple ssh honeypot in a small VPS (192MB RAM) to see if they actually record attacks. The honeypot that I chose was Kippo , a simple SSH honeypot written in Python with several possibilities. Here is a guide for the installation and configuration of Kippo, in accordance with the procedure I personally followed. The setup applies to Ubuntu Server 11.04 (32-bit) distro (but the procedure on any other Ubuntu/Debian-based system should be the same).

1. First we login as root in our box and proceed to update and upgrade the system:

apt-get update && apt-get upgrade

2. Kippo “listens” on port 2222 by default, which is fine for testing purposes, but it actually reduces the chances to record any attacks (because the usual automated tools that hackers run target the default SSH port 22). Thus, it would be good to make Kippo listen to port 22. To do this you must first change the port your ssh server uses, in order to be able to connect back to the system properly. So we change the configuration file of the ssh server (sshd):

vi /etc/ssh/sshd_config

We change the option Port 22, choosing another, eg 2222. We then restart the ssh server:

/etc/init.d/ssh restart

At this point it would be good to disconnect from the system and then reconnect using the new port.

3. We continue installing the required software packages for Kippo:

apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted

We can download the latest stable version of Kippo (0.5) but it is better to use the latest development version directly from the SVN server. For this reason we need subversion:

apt-get install subversion

Another issue about port 22 that we want to use, is the problem that in Linux only the root user is allowed to use ports below port 1024 and we should not run Kippo as root for safety reasons. Kippo’s website offers several solutions on how to run a honeypot on port 22, but the simplest one is using the application authbind:

apt-get install authbind

4. Before you go any further, create a new non-root user to run Kippo as:

adduser kippo

and add him to the list of users that can use the sudo command:


where we add the line:


under the “root” user.

We finish the required steps for using port 22:

touch /etc/authbind/byport/22
chown kippo:kippo /etc/authbind/byport/22
chmod 777 /etc/authbind/byport/22

At this point we enter the system as ‘kippo’ user and go to the /home directory.

5. Download the latest Kippo version from SVN:

svn checkout ./kippo

Change the port in Kippo’s configuration file from 2222 to 22:

mv kippo.cfg.dist kippo.cfg
vi kippo.cfg

6. Finally, edit the Kippo start script:


changing the following command from

twistd -y kippo.tac -l log/kippo.log --pidfile


authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile

so that it uses authbind to “listen” on port 22, and run the honeypot:


7. We check that our port has actually opened and Kippo is “listening”:

sudo netstat -antp

where there should be a line like this:

tcp 0 0* LISTEN 22627/python

We are ready. Now any attempt to connect to port 22 of the system will be recorded by Kippo and log files will be stored in the corresponding folder.

Nov 24 2011

Έλληνες σε Security Conferences

Κάνοντας μια μικρή αναζήτηση για να δω αν έχουν υπάρξει Έλληνες ομιλητές σε διάφορα γνωστά Security Conferences, ανακάλυψα με χαρά δύο ερευνητές που έχουν κάνει παρουσιάσεις σε δύο από τα μεγαλύτερα συνέδρια ασφάλειας υπολογιστών.

Πρώτος ο κύριος Θανάσης Γιαννέτσος ο οποίος συμμετείχε στο Black Hat Europe 2010 στη Βαρκελώνη και Black Hat USA 2011 στο Las Vegas. Το βιογραφικό του όπως αναρτήθηκε στην επίσημη σελίδα του συνεδρίου:

Η ομιλία του “Weaponizing Wireless Networks: An Attack Tool for Launching Attacks against Sensor Networks” βρίσκεται εδώ:

και οι διαφάνειες είναι διαθέσιμες εδώ.

Δεύτερος ο κύριος Δημήτριος Πετρόπουλος ο οποίος συμμετείχε στο HackInTheBox 2009 στην Μαλαισία και 2010 στο Ντουμπάι (με το ίδιο θέμα). Το βιογραφικό του όπως αναρτήθηκε στην επίσημη σελίδα του συνεδρίου:

Η ομιλία του “Having fun with ATMs & HSMs” βρίσκεται εδώ:

και οι διαφάνειες είναι διαθέσιμες εδώ.

Page 27 of 29« First...1020...2526272829