SSH honeypot: a detailed introduction to kippo
Published: 2012-10-25 15:04:53 Author: anonymous

A honeypot is best thought of as an intelligence-gathering system. It is a deliberately exposed target that lures attackers in, so that once one breaks in you can see exactly how they succeeded.
A honeynet is a honeypot with additional controls that record the attacker's actions in a controlled way while minimising or eliminating the risk to other systems on the Internet. A honeypot placed behind a reverse firewall is one example: the firewall's job is not to block inbound connections but to stop the honeypot from making outbound ones. This keeps the honeypot from being used to damage other systems, but it also makes it easy for an attacker to recognise.
Data collection is another technical challenge when setting up a honeypot. If the operator records every packet entering and leaving the system, the attacker's every action is laid bare. The honeypot's own log files are also a good data source, but they are easy for an attacker to delete, so the usual approach is to have the honeypot send a copy of its logs to a remote syslog server on the same network that is better defended. (Be sure to monitor the log server too: if an attacker breaks into it with a new technique, the honeypot will certainly have proved its worth.)
One advantage of honeypot systems is that they greatly reduce the amount of data to analyse. On an ordinary web or mail server, attack traffic is usually drowned out by legitimate traffic, whereas most of the traffic to and from a honeypot is attack traffic. That makes it far easier to go through the data and work out what the attacker actually did.
Since it started in 1999, the Honeynet Project has collected a large amount of information. Some of its findings: the attack rate doubled over the past year; attackers increasingly use automated point-and-click tools built around specific vulnerabilities (the tools are easy to update when a new vulnerability is found); and, despite the bluster, very few attackers use genuinely new attack techniques.
On the server
Installation
root@ubuntu:~# mkdir kippo
root@ubuntu:~# apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted python-mysqldb
Get the source code
root@ubuntu:~# cd kippo/
root@ubuntu:~/kippo# svn checkout http://kippo.googlecode.com/svn/trunk/ .
Add a dedicated user (and group) for kippo
root@ubuntu:~/kippo# useradd -s /bin/bash -d /home/kippo -m kippo
Add a dedicated MySQL user for kippo
root@ubuntu:~/kippo# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 34
Server version: 5.1.61-0ubuntu0.10.10.1-log (Ubuntu)
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> CREATE DATABASE kippo;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT ALL ON kippo.* to 'kippo'@'localhost' identified by '123456';
Query OK, 0 rows affected (0.00 sec)
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| kippo |
| mysql |
| pentest |
+--------------------+
4 rows in set (0.01 sec)
mysql>
The account name is the same as the database name; the password is 123456.
Import the default database schema
root@ubuntu:~/kippo# cd doc/sql/
root@ubuntu:~/kippo/doc/sql# ls
mysql.sql update2.sql update3.sql update4.sql update5.sql update6.sql
root@ubuntu:~/kippo/doc/sql# mysql -ukippo -p123456 kippo < mysql.sql
Edit the configuration. The template shipped with kippo is kippo.cfg.dist:
root@ubuntu:~/kippo# mv kippo.cfg.dist kippo.cfg
Edit it; mine looks like this:
root@ubuntu:~/kippo# cat kippo.cfg
#
# Kippo configuration file (kippo.cfg)
#
[honeypot]
# IP addresses to listen for incoming SSH connections.
#
# (default: 0.0.0.0) = any address
ssh_addr = 0.0.0.0
# Port to listen for incoming SSH connections.
#
# (default: 2222)
ssh_port = 2222
# Hostname for the honeypot. Displayed by the shell prompt of the virtual
# environment.
#
# (default: sales)
hostname = ubuntu
# Directory where to save log files in.
#
# (default: log)
log_path = log
# Directory where to save downloaded (malware) files in.
#
# (default: dl)
download_path = dl
# Directory where virtual file contents are kept in.
#
# This is only used by commands like 'cat' to display the contents of files.
# Adding files here is not enough for them to appear in the honeypot - the
# actual virtual filesystem is kept in filesystem_file (see below)
#
# (default: honeyfs)
contents_path = honeyfs
# File in the python pickle format containing the virtual filesystem.
#
# This includes the filenames, paths, permissions for the whole filesystem,
# but not the file contents. This is created by the createfs.py utility from
# a real template linux installation.
#
# (default: fs.pickle)
filesystem_file = fs.pickle
# Directory for miscellaneous data files, such as the password database.
#
# (default: data_path)
data_path = data
# Directory for creating simple commands that only output text.
#
# The command must be placed under this directory with the proper path, such
# as:
# txtcmds/usr/bin/vi
# The contents of the file will be the output of the command when run inside
# the honeypot.
#
# In addition to this, the file must exist in the virtual
# filesystem {filesystem_file}
# (default: txtcmds)
txtcmds_path = txtcmds
# Public and private SSH key files. If these don't exist, they are created
# automatically.
#
# (defaults: public.key and private.key)
public_key = public.key
private_key = private.key
# Initial root password. NO LONGER USED!
# Instead, see {data_path}/userdb.txt
password = 123456
# IP address to bind to when opening outgoing connections. Used exclusively by
# the wget command.
#
# (default: not specified)
out_addr = 0.0.0.0
# Sensor name use to identify this honeypot instance. Used by the database
# logging modules such as mysql.
#
# If not specified, the logging modules will instead use the IP address of the
# connection as the sensor name.
#
# (default: not specified)
#sensor_name=myhostname
# Fake address displayed as the address of the incoming connection.
# This doesn't affect logging, and is only used by honeypot commands such as
# 'w' and 'last'
#
# If not specified, the actual IP address is displayed instead (default
# behaviour).
#
# (default: not specified)
#fake_addr = 192.168.66.254
# Banner file to be displayed before the first login attempt.
#
# (default: not specified)
#banner_file =
# Session management interface.
#
# This is a telnet based service that can be used to interact with active
# sessions. Disabled by default.
#
# (default: false)
interact_enabled = false
# (default: 5123)
interact_port = 5123
# MySQL logging module
#
# Database structure for this module is supplied in doc/sql/mysql.sql
#
# To enable this module, remove the comments below, including the
# [database_mysql] line.
[database_mysql]
host = localhost
database = kippo
username = kippo
password = 123456
# XMPP Logging
#
# Log to an xmpp server.
# For a detailed explanation on how this works, see:
#
# To enable this module, remove the comments below, including the
# [database_xmpp] line.
#[database_xmpp]
#server = sensors.carnivore.it
#user = anonymous@sensors.carnivore.it
#password = anonymous
#muc = dionaea.sensors.carnivore.it
#signal_createsession = kippo-events
#signal_connectionlost = kippo-events
#signal_loginfailed = kippo-events
#signal_loginsucceeded = kippo-events
#signal_command = kippo-events
#signal_clientversion = kippo-events
#debug=true
root@ubuntu:~/kippo#
安裝監(jiān)聽工具
root@ubuntu:~/kippo# apt-get install authbind
Configure it. (authbind only needs the per-port file to be executable by the kippo user, so 777 is more permissive than necessary. Also note that kippo.cfg above sets ssh_port = 2222, for which authbind is not required at all, and the start command below does not invoke it.)
root@ubuntu:~/kippo# chown kippo:kippo /etc/authbind/byport/22
root@ubuntu:~/kippo# chmod 777 /etc/authbind/byport/22
root@ubuntu:~/kippo# chown -R kippo:kippo /root/kippo/
Create a start script
root@ubuntu:~/kippo# echo "twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid" > 1.sh
root@ubuntu:~/kippo# cat 1.sh
twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid
root@ubuntu:~/kippo#
Move the tool into place
root@ubuntu:~# mv kippo/ /opt/
root@ubuntu:~# cd /opt/
root@ubuntu:/opt# ls
kippo
root@ubuntu:/opt# cd kippo/
Set a password for the kippo user and switch to it
root@ubuntu:~/kippo# passwd kippo
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@ubuntu:~/kippo# su kippo
kippo@ubuntu:/root/kippo$ id
uid=1002(kippo) gid=1002(kippo) groups=1002(kippo)
kippo@ubuntu:/root/kippo$
Start it (kippo ships its own start.sh, which runs the same twistd command as the 1.sh created above)

kippo@ubuntu:/opt/kippo$ pwd
/opt/kippo
kippo@ubuntu:/opt/kippo$ ./start.sh
Starting kippo in background...Loading dblog engine: mysql
Generating RSA keypair...
done.
查看監(jiān)聽
kippo@ubuntu:/opt/kippo$ netstat -antp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 4615/python
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 192.168.71.130:22 192.168.71.129:44874 ESTABLISHED -
tcp6 0 0 :::22 :::* LISTEN -
kippo@ubuntu:/opt/kippo$
The line that matters is the kippo listener, running as PID 4615:
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 4615/python
Find the process
kippo@ubuntu:/opt/kippo$ ps -ef | grep 4615
kippo 4615 1 0 13:47 ? 00:00:00 /usr/bin/python /usr/bin/twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid
kippo 4626 4588 0 13:48 pts/0 00:00:00 grep --color=auto 4615
kippo@ubuntu:/opt/kippo$
Scan the Ubuntu host from another machine; kippo.cfg defines the port as 2222
root@Dis9Team:~# nmap -sV 192.168.71.130 -p 2222
Starting Nmap 5.51 ( http://nmap.org ) at 2012-10-11 22:51 PDT
Nmap scan report for 192.168.71.130
Host is up (0.00024s latency).
PORT STATE SERVICE VERSION
2222/tcp open ssh OpenSSH 5.1p1 Debian 5 (protocol 2.0)
MAC Address: 00:0C:29:9E:3F:14 (VMware)
Service Info: OS: Linux
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds
root@Dis9Team:~#
An OpenSSH service shows up.
kippo.cfg lists the password 123456; let's test it. (The comment in the config says that setting is no longer used and accepted logins now live in data/userdb.txt; kippo's shipped userdb.txt also accepts root with 123456, which is why this works.)
root@Dis9Team:~# ssh root@192.168.71.130 -p2222
The authenticity of host '[192.168.71.130]:2222 ([192.168.71.130]:2222)' can't be established.
RSA key fingerprint is d9:f0:74:99:58:5e:32:74:a1:7b:27:78:2e:b1:83:a8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.71.130]:2222' (RSA) to the list of known hosts.
Password:
Password:
ubuntu:~# id
uid=0(root) gid=0(root) groups=0(root)
ubuntu:~#
Some malicious operations
ubuntu:~# ls /
sys bin mnt media vmlinuz opt cdrom selinux tmp proc sbin
etc dev srv initrd.img lib home var usr boot root lost+found
ubuntu:~# ls -la /
drwxr-xr-x 1 root root 4096 2012-10-12 13:53 .
drwxr-xr-x 1 root root 4096 2012-10-12 13:53 ..
drwxr-xr-x 1 root root 0 2009-11-20 16:19 sys
drwxr-xr-x 1 root root 4096 2009-11-08 23:42 bin
drwxr-xr-x 1 root root 4096 2009-11-06 19:08 mnt
drwxr-xr-x 1 root root 4096 2009-11-06 19:08 media
lrwxrwxrwx 1 root root 25 2009-11-06 19:16 vmlinuz -> /boot/vmlinuz-2.6.26-2-686
drwxr-xr-x 1 root root 4096 2009-11-06 19:09 opt
lrwxrwxrwx 1 root root 11 2009-11-06 19:08 cdrom -> /media/cdrom0
drwxr-xr-x 1 root root 4096 2009-11-06 19:08 selinux
drwxrwxrwx 1 root root 4096 2009-11-20 16:19 tmp
dr-xr-xr-x 1 root root 0 2009-11-20 16:19 proc
drwxr-xr-x 1 root root 4096 2009-11-08 23:41 sbin
drwxr-xr-x 1 root root 4096 2009-11-20 16:20 etc
drwxr-xr-x 1 root root 3200 2009-11-20 16:20 dev
drwxr-xr-x 1 root root 4096 2009-11-06 19:09 srv
lrwxrwxrwx 1 root root 28 2009-11-06 19:16 initrd.img -> /boot/initrd.img-2.6.26-2-686
drwxr-xr-x 1 root root 4096 2009-11-08 23:46 lib
drwxr-xr-x 1 root root 4096 2009-11-06 19:22 home
drwxr-xr-x 1 root root 4096 2009-11-06 19:09 var
drwxr-xr-x 1 root root 4096 2009-11-08 23:46 usr
drwxr-xr-x 1 root root 4096 2009-11-08 23:39 boot
drwxr-xr-x 1 root root 4096 2009-11-20 17:08 root
drwx------ 1 root root 16384 2009-11-06 19:08 lost+found
ubuntu:~#
Delete everything
ubuntu:~# rm -rf /
ubuntu:~# ls -ls /
drwxr-xr-x 1 root root 4096 2012-10-12 13:53 .
drwxr-xr-x 1 root root 4096 2012-10-12 13:53 ..
drwxr-xr-x 1 root root 0 2009-11-20 16:19 sys
drwxr-xr-x 1 root root 4096 2009-11-08 23:42 bin
drwxr-xr-x 1 root root 4096 2009-11-06 19:08 mnt
drwxr-xr-x 1 root root 4096 2009-11-06 19:08 media
lrwxrwxrwx 1 root root 25 2009-11-06 19:16 vmlinuz -> /boot/vmlinuz-2.6.26-2-686
drwxr-xr-x 1 root root 4096 2009-11-06 19:09 opt
lrwxrwxrwx 1 root root 11 2009-11-06 19:08 cdrom -> /media/cdrom0
drwxr-xr-x 1 root root 4096 2009-11-06 19:08 selinux
drwxrwxrwx 1 root root 4096 2009-11-20 16:19 tmp
dr-xr-xr-x 1 root root 0 2009-11-20 16:19 proc
drwxr-xr-x 1 root root 4096 2009-11-08 23:41 sbin
drwxr-xr-x 1 root root 4096 2009-11-20 16:20 etc
drwxr-xr-x 1 root root 3200 2009-11-20 16:20 dev
drwxr-xr-x 1 root root 4096 2009-11-06 19:09 srv
lrwxrwxrwx 1 root root 28 2009-11-06 19:16 initrd.img -> /boot/initrd.img-2.6.26-2-686
drwxr-xr-x 1 root root 4096 2009-11-08 23:46 lib
drwxr-xr-x 1 root root 4096 2009-11-06 19:22 home
drwxr-xr-x 1 root root 4096 2009-11-06 19:09 var
drwxr-xr-x 1 root root 4096 2009-11-08 23:46 usr
drwxr-xr-x 1 root root 4096 2009-11-08 23:39 boot
drwxr-xr-x 1 root root 4096 2009-11-20 17:08 root
drwx------ 1 root root 16384 2009-11-06 19:08 lost+found
ubuntu:~#
Nothing was deleted. Read some default files:
ubuntu:~# cat /etc/shadow
cat: /etc/shadow: No such file or directory
ubuntu:~# cat /etc/shadow-
cat: /etc/shadow-: No such file or directory
ubuntu:~# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
richard:x:1000:1000:richard,,,:/home/richard:/bin/bash
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
ubuntu:~#
That is not the real system's passwd; it is presumably the fake one.
All of these actions were recorded in the MySQL database. Connect and take a look:
kippo@ubuntu:/opt/kippo$ mysql -u kippo -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 41
Server version: 5.1.61-0ubuntu0.10.10.1-log (Ubuntu)
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
Check the login attempts
mysql> use kippo;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select * from auth;
+----+----------------------------------+---------+----------+----------+---------------------+
| id | session | success | username | password | timestamp |
+----+----------------------------------+---------+----------+----------+---------------------+
| 1 | 0c592448143111e287c0000c299e3f14 | 0 | root | dfsdfds | 2012-10-12 05:52:51 |
| 2 | 0c592448143111e287c0000c299e3f14 | 1 | root | 123456 | 2012-10-12 05:52:54 |
+----+----------------------------------+---------+----------+----------+---------------------+
2 rows in set (0.00 sec)
mysql>
Command records
mysql> select * from input;
+----+----------------------------------+---------------------+-------+---------+-----------------------------+
| id | session | timestamp | realm | success | input |
+----+----------------------------------+---------------------+-------+---------+-----------------------------+
| 1 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:52:56 | NULL | 1 | id |
| 2 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:53:28 | NULL | 1 | ls / |
| 3 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:53:34 | NULL | 1 | ls -la / |
| 4 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:53:47 | NULL | 1 | rm -rf / |
| 5 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:53:50 | NULL | 1 | ls -ls / |
| 6 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:54:23 | NULL | 1 | echo "hacked by helen" > 1 |
| 7 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:54:25 | NULL | 1 | cat 1 |
| 8 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:54:31 | NULL | 1 | echo "hacked by helen" >> 1 |
| 9 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:54:37 | NULL | 1 | ls |
| 10 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:54:39 | NULL | 1 | ls |
| 11 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:54:40 | NULL | 1 | ls -la |
| 12 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:54:41 | NULL | 1 | pwd |
+----+----------------------------------+---------------------+-------+---------+-----------------------------+
12 rows in set (0.00 sec)
mysql>
Session records
mysql> select * from sessions;
+----------------------------------+---------------------+---------------------+--------+----------------+----------+--------+
| id | starttime | endtime | sensor | ip | termsize | client |
+----------------------------------+---------------------+---------------------+--------+----------------+----------+--------+
| cb9ef50e143011e287c0000c299e3f14 | 2012-10-12 05:50:58 | NULL | 1 | 192.168.71.129 | NULL | NULL |
| df36bce6143011e287c0000c299e3f14 | 2012-10-12 05:51:31 | 2012-10-12 05:51:31 | 1 | 192.168.71.129 | NULL | NULL |
| ec4e7748143011e287c0000c299e3f14 | 2012-10-12 05:51:53 | NULL | 1 | 192.168.71.129 | NULL | NULL |
| 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:52:46 | NULL | 1 | 192.168.71.129 | 124x37 | 1 |
+----------------------------------+---------------------+---------------------+--------+----------------+----------+--------+
4 rows in set (0.00 sec)
mysql>
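Once the tables are populated, a small script can turn them into a per-session report: which connections only probed the port, which one brute-forced its way to a shell, and what was typed there. This is an added example, not part of the original article or of kippo itself; it stands in an in-memory sqlite3 database for MySQL so it runs offline, builds the three tables with the columns shown above (termsize, client, realm and row ids are left out), and uses the rows from the query output as constructed sample data. Against a live instance the same SQL would run through MySQLdb with the `[database_mysql]` settings from kippo.cfg.

```python
import re
import sqlite3

# Constructed sample rows, copied from the query output shown above. Columns the
# report does not use (termsize, client, realm, row ids) are left out.
SESSIONS = [  # id, starttime, endtime, sensor, ip
    ("cb9ef50e143011e287c0000c299e3f14", "2012-10-12 05:50:58", None, 1, "192.168.71.129"),
    ("df36bce6143011e287c0000c299e3f14", "2012-10-12 05:51:31", "2012-10-12 05:51:31", 1, "192.168.71.129"),
    ("ec4e7748143011e287c0000c299e3f14", "2012-10-12 05:51:53", None, 1, "192.168.71.129"),
    ("0c592448143111e287c0000c299e3f14", "2012-10-12 05:52:46", None, 1, "192.168.71.129"),
]
S4 = "0c592448143111e287c0000c299e3f14"  # the only session that reached a shell
AUTH = [  # session, success, username, password, timestamp
    (S4, 0, "root", "dfsdfds", "2012-10-12 05:52:51"),
    (S4, 1, "root", "123456", "2012-10-12 05:52:54"),
]
INPUT = [(S4, "2012-10-12 05:" + t, c) for t, c in [  # session, timestamp, input
    ("52:56", "id"), ("53:28", "ls /"), ("53:34", "ls -la /"), ("53:47", "rm -rf /"),
    ("53:50", "ls -ls /"), ("54:23", 'echo "hacked by helen" > 1'), ("54:25", "cat 1"),
    ("54:31", 'echo "hacked by helen" >> 1'), ("54:37", "ls"), ("54:39", "ls"),
    ("54:40", "ls -la"), ("54:41", "pwd")]]

# Coarse intent labels for typed commands, checked in order: a first triage pass,
# not a complete taxonomy.
PATTERNS = [
    ("destructive", re.compile(r"^rm\s+-\S*r")),  # recursive delete
    ("file_write", re.compile(r">{1,2}\s*\S+")),  # shell redirection into a file
    ("download", re.compile(r"^(wget|curl)\s")),  # what kippo would save under dl/
    ("recon", re.compile(r"^(id|ls|pwd|cat|uname|w|last|whoami|ps|netstat)(\s|$)")),
]


def classify(cmd):
    """Return the first matching label for one typed command, or 'other'."""
    for label, rx in PATTERNS:
        if rx.search(cmd.strip()):
            return label
    return "other"


def load_db():
    """Create the three kippo tables in an in-memory sqlite3 database and fill them."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sessions (id TEXT PRIMARY KEY, starttime TEXT, endtime TEXT,
                               sensor INTEGER, ip TEXT);
        CREATE TABLE auth (session TEXT, success INTEGER, username TEXT,
                           password TEXT, timestamp TEXT);
        CREATE TABLE input (session TEXT, timestamp TEXT, input TEXT);
    """)
    conn.executemany("INSERT INTO sessions VALUES (?,?,?,?,?)", SESSIONS)
    conn.executemany("INSERT INTO auth VALUES (?,?,?,?,?)", AUTH)
    conn.executemany("INSERT INTO input VALUES (?,?,?)", INPUT)
    return conn


def credential_summary(conn):
    """Map (username, password) -> attempts and whether any attempt succeeded."""
    rows = conn.execute("SELECT username, password, COUNT(*), SUM(success) "
                        "FROM auth GROUP BY username, password").fetchall()
    return {(u, p): {"attempts": n, "succeeded": s > 0} for u, p, n, s in rows}


def session_report(conn):
    """One dict per session: who connected, whether they got a shell, what they typed."""
    report = []
    for sid, start, end, ip in conn.execute(
            "SELECT id, starttime, endtime, ip FROM sessions ORDER BY starttime"):
        auth = conn.execute("SELECT success, username, password FROM auth "
                            "WHERE session=? ORDER BY timestamp", (sid,)).fetchall()
        cmds = [c for (c,) in conn.execute(
            "SELECT input FROM input WHERE session=? ORDER BY timestamp", (sid,))]
        logged_in = any(s == 1 for s, _, _ in auth)
        # No auth rows at all usually means a scanner or banner grab rather than a
        # person; the three early sessions above line up with the article's
        # nmap -sV run (22:51 PDT is 05:51 UTC, so the DB timestamps are UTC).
        kind = "probe" if not auth else ("shell" if logged_in else "bruteforce")
        report.append({
            "session": sid, "ip": ip, "start": start, "end": end, "kind": kind,
            "auth_attempts": len(auth),
            "creds": [(u, p) for s, u, p in auth if s == 1],
            "commands": cmds,
            "labels": sorted({classify(c) for c in cmds}),
            # endtime NULL means kippo never recorded the close; an open "shell"
            # session is worth checking against the live process before acting.
            "open": end is None,
        })
    return report


if __name__ == "__main__":
    db = load_db()
    for cred, stats in credential_summary(db).items():
        print("auth", cred, stats)
    for s in session_report(db):
        print(s["start"], s["ip"], s["kind"], s["labels"], "open" if s["open"] else "closed")
```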