Kippo

Kippo Kali Pi

~ TheLosingEdge ~ Leave a comment

 

A How-To Guide on Setting Up a Kippo SSH Honeypot Using Kali Linux and a Raspberry Pi 2

 

Disclaimer: Continue at your own risk.  This is just a guide.  Please do your own research.

I have been interested in the Raspberry Pi because of the performance/cost ratio, large user-base, and general ease-of-use.  I had a Raspberry Pi 2 laying around that I had installed RetroPie on.  I was starting to play around with Hydra and brute-forcing FTP and SSH in my home lab and I wanted to expand my username/password list for future scans.  I found some password lists online The Top 500 Worst Passwords of All Time.  What better than real world examples for a username and password list?

I started doing some research and found some other how to guides for Raspberry Pi and Kippo.  But most were out-dated and I couldn’t find anything recent.  To prevent your real struggle with this installation, I thought I would document my steps for you, internet stranger.  May your struggle be less real than mine was.

In this guide we will setup Kali 2 on a Raspberry Pi 2 and install Kippo SSH Honeypot and Kippo-graph Web Server.

Guide

Things you need:

  • Raspberry Pi
  • Raspberry Pi power supply
  • Micro SD card
  • USB Keyboard/mouse
  • HDMI compatible monitor/tv

1. Download the RaspberryPi 2 Kali 2 image from Offensive Security’s site.

2. Extract using 7zip on Windows or thearchiver on Mac.

3. Use Win32DiskImager to write the image to disk on Windows or use the dd command on Mac.

Win32DiskImage

 

 

 

 

 

Pro Tip: Don’t accidentally format the wrong drive.

diskutil -l

sudo dd if=kali-2.1-rpi2.img of=/dev/disk2s1 bs=512k

4. Insert SD card in to your Pi and power on.  Default credentials are root/toor.

5. Change the root password using the passwd command.

6. Install some of  the pre-reqs

sudo apt-get install python-mysqldb apache2

6. We have to install an older version of  Python Twisted manually because of issues with the current version of Twisted and Kippo.  I can’t recall the error at the moment, but I’ll see if I can find it in the logs later.

apt-get install python-dev

cd /tmp

wget https://github.com/twisted/twisted/archive/twisted-14.0.2.tar.gz

tar -zxvf twisted-14.0.2.tar.gz

cd twisted-twisted-14.0.2/

./setup.py install

7. Install MySQL

apt-get install mysql-server

apt-get install mysql-client

8. Create the database and a user named Kippo with all privileges.

service mysql start

mysql -h localhost -u root -p

Hit enter when it prompts for password.(You should set a password, but this is what I did.  I’m planning on going to back and setting)

create database kippo;

GRANT ALL ON kippo.* TO ‘kippo’@’localhost’ IDENTIFIED BY ‘<kippopassword>’;

exit

9. Clone Kippo repo

cd /opt/

git clone https://github.com/desaster/kippo

10. Using the user we just created edit the tables

cd /opt/kippo/doc/sql

mysql -u kippo -p <kippopassword>

use kippo;

source mysql.sql;

show tables;

kippo_mysql

exit

11. Edit the kippo.cfg

cd /opt/kippo/

cp kippo.cfg.dist kippo.cfg

nano kippo.cfg

change the necessary info for mysql

host = localhost

database = kippo

username = kippo

password = <kippopassword>

12. Create an unprivileged user to start Kippo and give him access to the folder.

useradd -d /home/kippo -s /bin/bash -m kippo -g sudo

chown -R kippo /opt/kippo

13. Install the packages required for Kippo-Graph

Don’t run this yet, I’m not sure if it will mess with the python-twisted installation.  I will add the apt-get command that will force the version soon.  sudo apt-get update && apt-get upgrade -y

sudo apt-get install libapache2-mod-php5 php5-cli php5-common php5-cgi php5-mysql php5-gd

14. Install Kippo-Graph from https://bruteforce.gr/kippo-graph

cd /tmp

wget http://bruteforce.gr/wp-content/uploads/kippo-graph-1.5.1.tar.gz

mv kippo-graph-1.5.1.tar.gz /var/www/html

cd /var/www/html

tar zxvf kippo-graph-1.5.1.tar.gz

mv kippo-graph-1.5.1 kippo-graph

cd kippo-graph

chmod 777 generated-graphs

cp config.php.dist config.php

nano config.php #enter the authentication for mysql

15. Make sure mysql is running

service mysql status

16. Make sure appache running

/etc/init.d/apache2 start

17. Start Kippo

cd /opt/kippo

su kippo

./start.sh

18. Setup port forwarding on your router to forward incoming port 22 traffic destined to port 2222 of your raspberrypi.

19. Browse to your Pi’s IP http://localhost/kippo-graph

20. Attempt login using an SSH client and port 2222 of your Raspberry Pi

  • Coming soon: integrating with Splunk, malware analysis with Pi, honeydocs, and more.

 

Notable Features

 

  • Typing C-d doesn’t actually disconnect from the honeypot. It pretends to disconnect and changes the shell prompt to say “localhost.”
  • Replaying the commands from the captured sessions.
  • All of the features of Kippo-graph.
  • Changing the honeypot hostname.
  • Changing the SSH banner.
  • Honeypot user management data/userdb.txt.

Screenshots

Kipp_Example - Copy
Commands run by a automated script

Virus Total Analysis of the IP port 25002

Virus Total Analysis of the IP port 25002

kippo_login
What the fake file system looks like

kippo_geo

 

Capture

Capture2

 

kippo_graphs_1kippo_graphs_2kippo_graphs_3kippo_graphs_4kippo_graphs_5kippo_graphs_6kippo_graphs_7kippo_inputkippo_playlog

Sources

 

https://www.offensive-security.com/kali-linux-arm-images/
https://bruteforce.gr/kippo-graph
http://www.behindthefirewalls.com/2014/02/ssh-honeynet-kippo-kali-and-raspberry-pi.html
https://sourceforge.net/projects/honeydrive/

http://www.edgis-security.org/honeypot/kippo/