Home > Honeypot, Kippo > Reviewing Kippo Logs

Reviewing Kippo Logs

When I first started running Kippo almost a year ago I had no difficulty getting motivated to log into the honeypot, check for new connections and generally get a feel for what my victims visitors have been up to. As time went by, sessions started to follow familiar patterns and some days would get no hits. Slowly I’d check the logs less frequently, and when I did I’d get an ever increasing backlog to review, decreasing my motivation further.

Recently I got annoyed with myself, my system was ticking along in the background but I was gaining no benefit from it. So in a moment of madness I dusted off my bash and built a quick script to provide a daily review of activity on my system. Essentially this does two things, lists session interaction and files downloaded within the last 24hours.

I’ve had the routine running daily for around a week; for days there was minmal activity on my system, either no logins at all, or logins with immediate disconnects. Today was different, and marked the first success of the script. Delivered to my morning inbox, along with the rest of my regular quick tasks and RSS feed as an interesting session. Malicious user connects, downloads a scanner (archive contents looks like gosh), an irc bot (looks like EnergyMech derivative); and when attempts to run toolkit fail, downloads and runs three (yes, three, paranoia is strong with this one) log cleaners.

Example (snipped) output:

:~$ /opt/kippo-svn/kippo-sessions.sh
***Sessions***
---START:/opt/kippo-svn/log/tty/20110519-220029-5503.log---
www-dev:~# w
 22:00:38 up 14 days,  3:53,  1 user,  load average: 0.08, 0.02, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    77.210.18.212     22:00    0.00s  0.00s  0.00s w
<SNIP>
***DOWNLOADS***
/opt/kippo-svn/dl/20110519220445_http___eduteam_home_ro_mech_gz: gzip compressed data, from Unix, last modified: Sun Oct  4 17:46:52 2009
<SNIP>

The script can be downloaded here, as usual it’s released under the Beerware License

–Andrew Waite

About these ads
Categories: Honeypot, Kippo
  1. 2011/05/23 at 11:34 | #1

    Fantastic, you have inspired me to check out my kippo pot tonight!

  2. Chris
    2011/07/27 at 16:32 | #2

    Thank you, found this script very useful. Not seeing any traffic on my recently hosted kippo pot but can now get daily updates :)

  3. Chris
    2011/08/04 at 16:21 | #4

    So I started out with a strong password to see what login combinations were being attempted in an effort to find some that would allow some access but not open the floodgates. I’ve got quite a few potential combinations which I’m going to set in the pass.db file.

    Before I did this I changed the hostname etc. to try and mask the honeypot as much as possible but am having difficulty reworking the filesystem. I run createfs.py as root and output an fs.pickle file but it appears identical to the default. I guess I’d like to rename things like the ‘richard’ home dir and leave some interesting files lying about.

    Have you done similar and did you encounter any problems in doing so?

  4. 2011/08/04 at 19:42 | #5

    Chris,

    I didn’t make many changes from the default Kippo install, only changed hostname and a couple of minor settings. Initially it didn’t make any difference, recieved plenty of hits and gained a good range of post exploit tools (scanners, exploits and irc bots mostly).

    I’ve said in a number of places that I’ve recently seen a decline in activity, I had thought that this was due to attackers ‘spotting’ the honeypot and moving on to real targets; but I’ve also spoken to others who fully customised their sensors who have also seen slow-down in activity . Common theory is that the IPs get identified and blacklisted amongst those who regularly scan systems. Could be something else, but we’ve not seen it yet.

    Hope this helps, let me/us know if you get any interesting results once you start seeing interaction on your sensor. I’ve not got around to upgrading to the latest Kippo version, so haven’t seen any of the new malware emulation features; if you get any interesting results with this I’d be interested to know, might give me the motivation I need to spend time rebuilding and upgrading my sensor.

  5. Chris
    2011/08/08 at 15:36 | #6

    Thanks, I see the activity as quite sporadic, very quiet for 24 hours and then some quite aggresive scripts. I have enabled 4 very weak account/password combinations in pass.db but as of yet none of them have hit gold. I will update if anything of interest comes up.

    (Also running Dionaea separately so got my hands full with just logging data! Out of interest port 139 looks very active on Dionaea)

  6. Ion
    2011/11/21 at 12:29 | #7

    Hello Andrew. I am working on honeypots for my bachelor thesis, so thanks for the useful script. I am too getting some of what they seem to be dictionary attacks on my SSH port but they disconnect after successful login. With your script I finally got news that a “real” person actually got into the honeypot and tried some commands. I think a script that generates some stats from the logs would be ultra useful as well (countries, IPs, user/pass combos, etc). Let me know what you think.

    • 2011/11/21 at 13:46 | #8

      Glad you found the script useful, that pretty much nails my initial use case to save you wading through mountains of bots and repetitive logs without missing out on the more interesting compromises.

      A script to generate more useful stats could definitely be useful, and was something that I had envisioned extending but real work and other projects keep getting in the way. If your interested in getting more detailed information it my be worth taking a look at the carniwwwhore interface that Markus originally built for Dionaea, but will also accept information from Kippo installations.

      Good luck with your thesis, let me know if you get any interesting results.

  7. Amezarak
    2012/08/10 at 13:32 | #9

    Hello Andrew,
    Great post. I just got done installing Kippo for myself at work. I did some quick tests and realize the log is not readable. lol So, I found your post. However, how do you run that .SH script? Do I need to be able to run bash? Problem is I cut corners to do this fast and used an extra windows laptop. All is running well, but I’m trying to run the .sh and I got cygwin to run the shell script. A little more messing around with it and I’m sure I’ll be good to go. But I guess that answer that would help more is, what is the script originally made in? Then perhaps I can figure out this cygwin program.

    Thanks,
    A

    • 2012/08/10 at 13:40 | #10

      Hi,

      yup, kippo-sessions.sh is a BASH script, if you’ve got a bash shell you should be able to run it with a standard ./kippo-sessions.sh command.

      However, the script was developed under Debian and most/all of the paths are hard-coded (I know….) so you may need to edit the scripts to find the right utilities depending on where things are installed on your CYGWIN setup.

      The logs are binary, but you should be able to view them with the /[path-to-kippo]/utils/playlog.py python script supplied with kippo. This is essentially all my kippo-sessions.sh script does, plus emailing the output to my inbox.

      hope this helps, happy honeypotting.

  1. 2011/06/20 at 18:32 | #1

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: