A How-To Guide on Setting Up a Kippo SSH Honeypot Using Kali Linux and a Raspberry Pi 2
Disclaimer: Continue at your own risk. This is just a guide. Please do your own research.
I have been interested in the Raspberry Pi because of the performance/cost ratio, large user-base, and general ease-of-use. I had a Raspberry Pi 2 laying around that I had installed RetroPie on. I was starting to play around with Hydra and brute-forcing FTP and SSH in my home lab and I wanted to expand my username/password list for future scans. I found some password lists online The Top 500 Worst Passwords of All Time. What better than real world examples for a username and password list?
I started doing some research and found some other how to guides for Raspberry Pi and Kippo. But most were out-dated and I couldn’t find anything recent. To prevent your real struggle with this installation, I thought I would document my steps for you, internet stranger. May your struggle be less real than mine was.
In this guide we will setup Kali 2 on a Raspberry Pi 2 and install Kippo SSH Honeypot and Kippo-graph Web Server.
Guide
Things you need:
- Raspberry Pi
- Raspberry Pi power supply
- Micro SD card
- USB Keyboard/mouse
- HDMI compatible monitor/tv
1. Download the RaspberryPi 2 Kali 2 image from Offensive Security’s site.
2. Extract using 7zip on Windows or thearchiver on Mac.
3. Use Win32DiskImager to write the image to disk on Windows or use the dd command on Mac.
Pro Tip: Don’t accidentally format the wrong drive.
diskutil -l
sudo dd if=kali-2.1-rpi2.img of=/dev/disk2s1 bs=512k
4. Insert SD card in to your Pi and power on. Default credentials are root/toor.
5. Change the root password using the passwd command.
6. Install some of the pre-reqs
sudo apt-get install python-mysqldb apache2
6. We have to install an older version of Python Twisted manually because of issues with the current version of Twisted and Kippo. I can’t recall the error at the moment, but I’ll see if I can find it in the logs later.
apt-get install python-dev
cd /tmp
wget https://github.com/twisted/twisted/archive/twisted-14.0.2.tar.gz
tar -zxvf twisted-14.0.2.tar.gz
cd twisted-twisted-14.0.2/
./setup.py install
7. Install MySQL
apt-get install mysql-server
apt-get install mysql-client
8. Create the database and a user named Kippo with all privileges.
service mysql start
mysql -h localhost -u root -p
Hit enter when it prompts for password.(You should set a password, but this is what I did. I’m planning on going to back and setting)
create database kippo;
GRANT ALL ON kippo.* TO ‘kippo’@’localhost’ IDENTIFIED BY ‘<kippopassword>’;
exit
9. Clone Kippo repo
cd /opt/
git clone https://github.com/desaster/kippo
10. Using the user we just created edit the tables
cd /opt/kippo/doc/sql
mysql -u kippo -p <kippopassword>
use kippo;
source mysql.sql;
show tables;
exit
11. Edit the kippo.cfg
cd /opt/kippo/
cp kippo.cfg.dist kippo.cfg
nano kippo.cfg
change the necessary info for mysql
host = localhost
database = kippo
username = kippo
password = <kippopassword>
12. Create an unprivileged user to start Kippo and give him access to the folder.
useradd -d /home/kippo -s /bin/bash -m kippo -g sudo
chown -R kippo /opt/kippo
13. Install the packages required for Kippo-Graph
Don’t run this yet, I’m not sure if it will mess with the python-twisted installation. I will add the apt-get command that will force the version soon. sudo apt-get update && apt-get upgrade -y
sudo apt-get install libapache2-mod-php5 php5-cli php5-common php5-cgi php5-mysql php5-gd
14. Install Kippo-Graph from https://bruteforce.gr/kippo-graph
cd /tmp
wget http://bruteforce.gr/wp-content/uploads/kippo-graph-1.5.1.tar.gz
mv kippo-graph-1.5.1.tar.gz /var/www/html
cd /var/www/html
tar zxvf kippo-graph-1.5.1.tar.gz
mv kippo-graph-1.5.1 kippo-graph
cd kippo-graph
chmod 777 generated-graphs
cp config.php.dist config.php
nano config.php #enter the authentication for mysql
15. Make sure mysql is running
service mysql status
16. Make sure appache running
/etc/init.d/apache2 start
17. Start Kippo
cd /opt/kippo
su kippo
./start.sh
18. Setup port forwarding on your router to forward incoming port 22 traffic destined to port 2222 of your raspberrypi.
19. Browse to your Pi’s IP http://localhost/kippo-graph
20. Attempt login using an SSH client and port 2222 of your Raspberry Pi
- Coming soon: integrating with Splunk, malware analysis with Pi, honeydocs, and more.
Notable Features
- Typing C-d doesn’t actually disconnect from the honeypot. It pretends to disconnect and changes the shell prompt to say “localhost.”
- Replaying the commands from the captured sessions.
- All of the features of Kippo-graph.
- Changing the honeypot hostname.
- Changing the SSH banner.
- Honeypot user management data/userdb.txt.
Screenshots
Virus Total Analysis of the IP port 25002
Virus Total Analysis of the IP port 25002
Sources
https://www.offensive-security.com/kali-linux-arm-images/
https://bruteforce.gr/kippo-graph
http://www.behindthefirewalls.com/2014/02/ssh-honeynet-kippo-kali-and-raspberry-pi.html
https://sourceforge.net/projects/honeydrive/ http://www.edgis-security.org/honeypot/kippo/
