I have a lot of honeypots configured around the Internet. I use these honeypots to gather intelligence on what bad guys are up to. One honeypot used by myself and many others is "Kippo".
Kippo is a medium-interaction SSH honeypot written in Python. Kippo uses the
twisted library (as well as a few others) to create a very realistic-looking SSH service. Discussing the functionality and applicability of Kippo is a blog post in and of itself but trust me, it kicks ass.
The other day I was brainstorming some of the ways bad guys could improve their operational security. One idea was to fingerprint all services for known honeypot frameworks before performing any attacks as a counterintelligence tactic.
Getting our hands dirty
There are a number of dead giveaways from inside the Kippo shell such as the following janky regex for ping:
$ ssh [email protected] Password: [email protected]:~# ping 999.999.999.999 PING 999.999.999.999 (999.999.999.999) 56(84) bytes of data. 64 bytes from 999.999.999.999 (999.999.999.999): icmp_seq=1 ttl=50 time=45.4 ms 64 bytes from 999.999.999.999 (999.999.999.999): icmp_seq=2 ttl=50 time=40.3 ms ...
I set out to find some methods to fingerprint Kippo without authenticating, which lead me to this blog post.
The author of that blog post wrote about how telnetting to a Kippo instance and sending a few carriage returns will cause Kippo to throw an error. The error itself isn't important- what's important is that OpenSSH throws a different error.
The following is a quick proof-of-concept using Fabrizio's method:
$ printf "\n\n\n\n\n\n\n\n" | nc -w3 22.214.171.124 22 SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 Protocol mismatch. $
$ printf "\n\n\n\n\n\n\n\n" | nc -w3 126.96.36.199 22 SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5 bad packet length 168430090 $
The responses are different. OpenSSH throws a
Protocol mismatch error as soon as it receives a carriage return, whereas Kippo responds with
bad packet length.
Using this information, we can whip up a quick Python script to check if an SSH server is running Kippo.
#!/usr/bin/python # import the libraries we want to use import socket import sys # check for the presence of a command line argument, exit if it doesn't exist if len(sys.argv) != 2: print '[+] Usage: python %s 188.8.131.52' % sys.argv exit() # set our variables host = sys.argv port = 22 # construct the tcp socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # connect to the host s.connect((host,port)) # receive the SSH banner banner = s.recv(1024) # send eight carriage returns s.send('\n\n\n\n\n\n\n\n') # get response from the server, store in a variable response = s.recv(1024) # close the socket s.close() # check to see if the response from the server contains the number we're looking for if "168430090" in response: print '[!] Kippo honeypot detected!'
It's ugly, but it get's the job done.
...or does it?
So, Fabrizio's method worked like a charm on all versions of Kippo, until the author patched the code to mimic OpenSSH and return the same error.
$ printf "\n\n\n\n\n\n\n\n" | nc -w3 127.0.0.1 22 SSH-2.0-OpenSSH_5.1p1 Debian-5 Protocol mismatch
Rats. Looks like we're out of luck.
...or are we?
Sneakin around ya patches
Let's take a look at the fix implemented by the Kippo developer:
if not 'bad packet length' in desc: # With python >= 3 we can use super? transport.SSHServerTransport.sendDisconnect(self, reason, desc) else: self.transport.write('Protocol mismatch.\n') log.msg('Disconnecting with error, code %s\nreason: %s' % \ (reason, desc)) self.transport.loseConnection()
Looks like this code might leave Kippo still fingerprintable. Can we find a way to seduce a Kippo instance into throwing this generic
Protocol mismatch error, but using a request that OpenSSH would allow?
After a little bit of hard work and determination, I figured out a method to invoke this generic error message in Kippo whilst preserving regular behavior in OpenSSH.
It turns out echoing the SSH server banner back at the server will freak Kippo out and cause it to throw the
Protocol mismatch error, but OpenSSH and other SSH servers will not. Bingo
$ nc -w localhost 2222 SSH-2.0-OpenSSH_5.1p1 Debian-5 SSH-2.0-OpenSSH_5.1p1 Debian-5 Protocol mismatch.
$ nc -w3 localhost 22 SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 ����8�����2��[email protected].. ...
Using both of these methods, we can successfully detect patched and unpatched versions of Kippo without ever authenticating. To demonstrate, I wrote up a really basic and kind of depressing Metasploit auxiliary module which is currently going through the process of being integrated into the framework.
msf > use auxiliary/scanner/ssh/detect_kippo msf auxiliary(detect_kippo) > show options Module options (auxiliary/scanner/ssh/detect_kippo): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS 192.168.98.132 yes The target address range or CIDR identifier RPORT 2222 yes The target port THREADS 1 yes The number of concurrent threads msf auxiliary(detect_kippo) > run [*] 192.168.98.132:2222 - Kippo honeypot detected! [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
Thanks to Fabrizio and HD Moore for the awesome research, wvu at Rapid7 for holding my hand through the Metasploit module process, and the developers of Kippo for building such an awesome honeypot.
As always, shoot me an email or find me on Twitter if you have any questions or feedback.
P.S. I know the module is pretty sad. I had to google every line of it since I've never coded Ruby before.
After I published this blog post, Thomas Nicholson almost immediately developed a fix for his SSH honeypot, HonSSH. Very shortly after that, Michel Oosterhof developed a fix to implement in Kippo. Although this method (and related Metasploit module) still works in the main Kippo version maintained by Desaster, it has been remediated in the more up-to-date version maintained by Michel. Thanks guys for all of your great work!