Detecting Kippo SSH honeypots, bypassing patches, and all that jazz

Background

I have a lot of honeypots configured around the Internet. I use these honeypots to gather intelligence on what bad guys are up to. One honeypot used by myself and many others is "Kippo".

Kippo is a medium-interaction SSH honeypot written in Python. Kippo uses the twisted library (as well as a few others) to create a very realistic-looking SSH service. Discussing the functionality and applicability of Kippo is a blog post in and of itself but trust me, it kicks ass.

The other day I was brainstorming some of the ways bad guys could improve their operational security. One idea was to fingerprint all services for known honeypot frameworks before performing any attacks as a counterintelligence tactic.

Getting our hands dirty

There are a number of dead giveaways from inside the Kippo shell such as the following janky regex for ping:

$ ssh [email protected]
Password:  
[email protected]:~# ping 999.999.999.999  
PING 999.999.999.999 (999.999.999.999) 56(84) bytes of data.  
64 bytes from 999.999.999.999 (999.999.999.999): icmp_seq=1 ttl=50 time=45.4 ms  
64 bytes from 999.999.999.999 (999.999.999.999): icmp_seq=2 ttl=50 time=40.3 ms  
...

I set out to find some methods to fingerprint Kippo without authenticating, which lead me to this blog post.

The author of that blog post wrote about how telnetting to a Kippo instance and sending a few carriage returns will cause Kippo to throw an error. The error itself isn't important- what's important is that OpenSSH throws a different error.

The following is a quick proof-of-concept using Fabrizio's method:

OpenSSH

$ printf "\n\n\n\n\n\n\n\n" | nc -w3 2.2.2.2 22
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2  
Protocol mismatch.  
$

Kippo

$ printf "\n\n\n\n\n\n\n\n" | nc -w3 1.1.1.1 22
SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5  
bad packet length 168430090  
$

The responses are different. OpenSSH throws a Protocol mismatch error as soon as it receives a carriage return, whereas Kippo responds with bad packet length.

Using this information, we can whip up a quick Python script to check if an SSH server is running Kippo.

#!/usr/bin/python

# import the libraries we want to use
import socket  
import sys

# check for the presence of a command line argument, exit if it doesn't exist
if len(sys.argv) != 2:  
    print '[+] Usage: python %s 1.1.1.1' % sys.argv[0]
    exit()

# set our variables
host = sys.argv[1]  
port = 22

# construct the tcp socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# connect to the host
s.connect((host,port))

# receive the SSH banner
banner = s.recv(1024)

# send eight carriage returns
s.send('\n\n\n\n\n\n\n\n')

# get response from the server, store in a variable
response = s.recv(1024)

# close the socket
s.close()

# check to see if the response from the server contains the number we're looking for
if "168430090" in response:  
    print '[!] Kippo honeypot detected!'

It's ugly, but it get's the job done.

...or does it?

Kippo Patch

So, Fabrizio's method worked like a charm on all versions of Kippo, until the author patched the code to mimic OpenSSH and return the same error.

$ printf "\n\n\n\n\n\n\n\n" | nc -w3 127.0.0.1 22
SSH-2.0-OpenSSH_5.1p1 Debian-5  
Protocol mismatch  

Rats. Looks like we're out of luck.

...or are we?

Sneakin around ya patches

Let's take a look at the fix implemented by the Kippo developer:

if not 'bad packet length' in desc:  
  # With python >= 3 we can use super?
  transport.SSHServerTransport.sendDisconnect(self, reason, desc)
else:  
  self.transport.write('Protocol mismatch.\n')
  log.msg('Disconnecting with error, code %s\nreason: %s' % \ (reason, desc))
  self.transport.loseConnection()

Looks like this code might leave Kippo still fingerprintable. Can we find a way to seduce a Kippo instance into throwing this generic Protocol mismatch error, but using a request that OpenSSH would allow?

After a little bit of hard work and determination, I figured out a method to invoke this generic error message in Kippo whilst preserving regular behavior in OpenSSH.

...and by "hard work and determination", I really mean wvu at Rapid7 found this hilariously convenient comment left by HD Moore on Fabrizio's blog.

It turns out echoing the SSH server banner back at the server will freak Kippo out and cause it to throw the Protocol mismatch error, but OpenSSH and other SSH servers will not. Bingo

Kippo

$ nc -w localhost 2222
SSH-2.0-OpenSSH_5.1p1 Debian-5  
SSH-2.0-OpenSSH_5.1p1 Debian-5








Protocol mismatch.  

OpenSSH

$ nc -w3 localhost 22
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2  
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2  
����8�����2��[email protected]
...

Fin

Using both of these methods, we can successfully detect patched and unpatched versions of Kippo without ever authenticating. To demonstrate, I wrote up a really basic and kind of depressing Metasploit auxiliary module which is currently going through the process of being integrated into the framework.

msf > use auxiliary/scanner/ssh/detect_kippo  
msf auxiliary(detect_kippo) > show options

Module options (auxiliary/scanner/ssh/detect_kippo):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.98.132   yes       The target address range or CIDR identifier
   RPORT    2222             yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(detect_kippo) > run

[*] 192.168.98.132:2222 - Kippo honeypot detected!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Thanks to Fabrizio and HD Moore for the awesome research, wvu at Rapid7 for holding my hand through the Metasploit module process, and the developers of Kippo for building such an awesome honeypot.

As always, shoot me an email or find me on Twitter if you have any questions or feedback.

--Andrew

email - [email protected]
twitter - @andrew___morris
github - andrew-morris

P.S. I know the module is pretty sad. I had to google every line of it since I've never coded Ruby before.

NOTE 02/26/2015

After I published this blog post, Thomas Nicholson almost immediately developed a fix for his SSH honeypot, HonSSH. Very shortly after that, Michel Oosterhof developed a fix to implement in Kippo. Although this method (and related Metasploit module) still works in the main Kippo version maintained by Desaster, it has been remediated in the more up-to-date version maintained by Michel. Thanks guys for all of your great work!