
Kippo SVN build

2010/07/25

This morning I caused myself a problem. Annoyingly it was foreseeable and avoidable; this is my excuse (not great, but I’ll stick to it). But as every problem is merely an opportunity in disguise, whilst I’m re-building systems I might as well document the process. The original InfoSanity guide for installing Kippo was based on the latest stable version, but I rapidly migrated to the development SVN on learning of the MySQL logging capabilities, so this guide covers that.

Packages

As I’m using a Debian system, a lot of the pre-requisites are packaged. These aren’t all needed immediately, but we might as well grab them all at once.

apt-get install subversion # for svn
apt-get install python-twisted python-mysqldb # Python and required modules
apt-get install mysql-server # MySQL server for Kippo's database logging

Basic Kippo setup

Grab Kippo directly from svn; at the time of writing I got revision 160 (latest instructions):

svn checkout http://kippo.googlecode.com/svn/trunk/ /opt/kippo-svn

Now we can start the honeypot system from the checkout directory:

cd /opt/kippo-svn
./start.sh

That’s it, all that is required to get the system running. To confirm, you can ssh locally with ssh -p2222 root@127.0.0.1; unless you’ve jumped ahead and edited the config, the password will be 123456.

MySQL

Log into MySQL via the command line and, assuming you’ve not modified the kippo.cfg database directives, build the database:

create database kippo;
grant all on kippo.* to 'kippo'@'localhost' identified by 'secret';

Next edit kippo.cfg with your database/user/password and uncomment the [database] configuration directives. REMEMBER to uncomment the ;[database] line itself, not just the parameters; that has now caught me out twice.

Finally, build the database structure with the script found in <kippo>/doc/sql/ (run from the Kippo directory):

mysql -ukippo -psecret kippo < doc/sql/mysql.sql

Restart your Kippo process and you should be good; re-test access to the shell and view the database tables to confirm that sessions are being written to the database.
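As an added example (not from the original post or from Kippo itself), a small Python 3 script that checks kippo.cfg before the restart and reports the exact mistake above: a ;[database] header still commented out while its parameters are live. It assumes the section holds host/database/username/password keys, based on the post's description rather than Kippo's source.

```python
import configparser
import re
import sys
# Keys Kippo's MySQL logger reads from [database]: assumed from the post's
# "database/user/password" wording, not copied from Kippo's source.
REQUIRED_KEYS = ("host", "database", "username", "password")
COMMENTED_HEADER = re.compile(r"^\s*[;#]\s*\[database\]\s*$")
LIVE_KEY = re.compile(r"^\s*(\w+)\s*=")  # an uncommented "key = value" line


def check_database_section(cfg_text):
    """Return a list of problems; empty means MySQL logging is configured."""
    problems = []
    lines = cfg_text.splitlines()
    # Pass 1: ';[database]' still commented while its keys are live. An INI
    # parser then files those keys under the preceding section, so Kippo never
    # sees a [database] section and silently logs nothing to MySQL.
    for idx, line in enumerate(lines):
        if not COMMENTED_HEADER.match(line):
            continue
        live = []
        for nxt in lines[idx + 1:]:
            if nxt.lstrip().startswith("["):
                break  # next real section header
            match = LIVE_KEY.match(nxt)
            if match:
                live.append(match.group(1))
        if live:
            problems.append("line %d: [database] header is commented out but %s are live; uncomment the header" % (idx + 1, ", ".join(live)))
        else:
            problems.append("line %d: whole [database] section is commented out" % (idx + 1))
    # Pass 2: parse what Kippo would actually see and check the required keys.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if parser.has_section("database"):
        for key in REQUIRED_KEYS:
            if not parser.get("database", key, fallback="").strip():
                problems.append("[database] is missing '%s'" % key)
    elif not problems:
        problems.append("no [database] section found; MySQL logging is disabled")
    return problems


# Constructed sample showing the exact mistake described in the post.
BROKEN_CFG = "[honeypot]\nssh_port = 2222\n\n;[database]\nhost = localhost\n" \
             "database = kippo\nusername = kippo\npassword = secret\n"
FIXED_CFG = BROKEN_CFG.replace(";[database]", "[database]")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_CFG
    for problem in check_database_section(text) or ["OK: [database] is usable"]:
        print(problem)
```

Run it as `python3 check_kippo_cfg.py /opt/kippo-svn/kippo.cfg`; with no argument it checks the built-in broken sample.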

Happy Honeypotting

–Andrew Waite

    1. 2010/07/25 at 12:56

      Oh… and when editing kippo.cfg don’t forget to uncomment ‘[database]’ – I’ve lost 25 sessions… that’s what you get when you fall asleep working :/

      • 2011/03/17 at 04:55

        Thanks! I was trying to figure out why it wasn’t working… it was the [database] commented issue.

        • 2011/03/17 at 06:42

          Seems it catches most people out. Glad you got it running.

          Let us know if you get any interesting results.

    2. 2011/03/18 at 00:58

      I’ve actually had this running for a little under 2 days and have already had two people try and connect! One was really funny to watch: they wget some tools, and I had a laugh watching them try to make a user and have to put in a “favorite movie”.

      The second person connected and then disconnected right after, but got stuck in the fake localhost prompt, and then quit out… awesome stuff haha!

      I got the ajaxterm up and running on my webserver (as the same limited user that runs the honeypot) and I created a basic php script that automatically lists the logs on my server. Check it out: http://daveeddy.com/kippologs/

      • 2011/03/18 at 09:13

        Nice work! Just watched the first capture, always good for a laugh.

        Couldn’t see anything on your blog, any chance you could write up the process for getting the ajaxterm running? It’s been on my to-do list for a while (and I know others who are looking at the same thing), a decent install guide would be useful.

      • 2011/03/28 at 08:28

        Nice work Dave, just had a read through and sounds nice and easy. Now know what I’ll be doing next time I get some free lab time 😉

        Cheers for sharing with the rest of us.

    3. Ion
      2011/12/09 at 13:32

      Another thing to note (as per https://code.google.com/p/kippo/wiki/FAQ – last comment) is the size of max_allowed_packet in the MySQL configuration. Mine (mysql-server package on Ubuntu Server 11.04 32-bit) was at 16MB by default though (cat /etc/mysql/my.cnf | grep max_allowed_packet).
