Kippo Honeypot Guide
0x00 Preface
I tested the Kippo SSH honeypot; this is something of a summary.
0x01 Test environment
CentOS release 6.2 (Final)
Linux www.centos.com 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22 GMT 2011 x86_64 x86_64 x86_64 GNU/Linux
0x02 Setup
#!bash
cd /home/
wget https://codeload.github.com/desaster/kippo/zip/master
unzip master
yum install twisted python-zope-interface python-pyasn1
mv kippo-master kippo
useradd kippo
chown -R kippo:kippo kippo
cd kippo
cp kippo.cfg.dist kippo.cfg
Kippo listens on local port 2222. Move the real sshd to another port beforehand, then add a firewall rule that redirects port 22 to 2222:
iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 2222
Storing the logs in a database
#!bash
yum install mysql mysql-server
/etc/init.d/mysqld start
mysql -uroot
create database kippo;
GRANT ALL ON kippo.* to 'kippo'@'localhost' identified by 'kippo';
Edit the configuration file kippo.cfg:
[database_mysql]
host = localhost
database = kippo
username = kippo
password = kippo
port = 3306
mysql -ukippo -p -Dkippo < /home/kippo/doc/sql/mysql.sql
Installing python-mysql
#!bash
yum -y install python-devel mysql-devel
wget http://pypi.python.org/packages/source/s/setuptools/setuptools-0.6c11.tar.gz
tar -zxvf setuptools-0.6c11.tar.gz
cd setuptools-0.6c11
python2.6 setup.py build
python2.6 setup.py install
wget https://pypi.python.org/packages/source/M/MySQL-python/MySQL-python-1.2.5.zip
unzip MySQL-python-1.2.5.zip
cd MySQL-python-1.2.5
Uncomment the mysql_config line in site.cfg:
mysql_config = /usr/lib64/mysql/mysql_config
python2.6 setup.py build
python2.6 setup.py install
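Once the logs go into MySQL, the useful part is asking the database what visitors actually tried. The following is an added example, not code from this page or from the Kippo project: it reproduces the columns of the `auth` and `sessions` tables that doc/sql/mysql.sql creates (the column names `session`, `success`, `username`, `password`, `timestamp` and `id`, `starttime`, `ip` are assumed from that schema) in an in-memory SQLite database filled with constructed rows, so it runs offline under Python 3. The queries are plain SQL and can be pointed at the real database through MySQLdb instead.

```python
import sqlite3

# Stand-in for two of the tables created by Kippo's doc/sql/mysql.sql.
# Column names are assumed from that schema (see lead-in); only the
# columns the queries below need are reproduced.
SCHEMA = """
CREATE TABLE sessions (
    id        TEXT PRIMARY KEY,
    starttime TEXT,
    ip        TEXT
);
CREATE TABLE auth (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    session   TEXT,
    success   INTEGER,
    username  TEXT,
    password  TEXT,
    timestamp TEXT
);
"""

# Constructed sample rows: three sessions from two source addresses.
SAMPLE_SESSIONS = [
    ("s1", "2014-05-01 03:12:00", "198.51.100.7"),
    ("s2", "2014-05-01 03:15:00", "198.51.100.7"),
    ("s3", "2014-05-02 11:40:00", "203.0.113.9"),
]
SAMPLE_AUTH = [  # (session, success, username, password, timestamp)
    ("s1", 0, "root",  "password", "2014-05-01 03:12:01"),
    ("s1", 0, "root",  "admin",    "2014-05-01 03:12:03"),
    ("s1", 1, "root",  "123456",   "2014-05-01 03:12:05"),
    ("s2", 1, "root",  "123456",   "2014-05-01 03:15:01"),
    ("s3", 0, "admin", "admin",    "2014-05-02 11:40:01"),
    ("s3", 0, "root",  "toor",     "2014-05-02 11:40:02"),
    ("s3", 1, "root",  "123456",   "2014-05-02 11:40:04"),
]


def load_sample_db():
    """Build the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?)", SAMPLE_SESSIONS)
    conn.executemany(
        "INSERT INTO auth (session, success, username, password, timestamp) "
        "VALUES (?, ?, ?, ?, ?)", SAMPLE_AUTH)
    conn.commit()
    return conn


def top_credentials(conn, limit=3):
    """Most frequently tried username/password pairs, successful or not."""
    rows = conn.execute(
        "SELECT username, password, COUNT(*) AS n FROM auth "
        "GROUP BY username, password "
        "ORDER BY n DESC, username, password LIMIT ?", (limit,))
    return [(u, p, n) for u, p, n in rows]


def successful_logins_by_ip(conn):
    """Successful logins per source address (auth joined to sessions)."""
    rows = conn.execute(
        "SELECT s.ip, COUNT(*) FROM auth a JOIN sessions s ON a.session = s.id "
        "WHERE a.success = 1 GROUP BY s.ip ORDER BY s.ip")
    return dict(rows.fetchall())


def attempts_before_success(conn):
    """Failed attempts each session made before its first success.

    A session that succeeds on the very first try (0 failures) suggests
    the visitor's list already contains this honeypot's userdb entry."""
    counts, done = {}, set()
    for session, success in conn.execute(
            "SELECT session, success FROM auth ORDER BY id"):
        if session in done:
            continue
        if success:
            done.add(session)
        else:
            counts[session] = counts.get(session, 0) + 1
    return {s: counts.get(s, 0) for s in done}


if __name__ == "__main__":
    db = load_sample_db()
    print("top credentials:", top_credentials(db))
    print("successful logins by ip:", successful_logins_by_ip(db))
    print("failed attempts before first success:", attempts_before_success(db))
```

Against the real database the same three queries answer the questions kippo-graph plots: which credentials are being sprayed, which addresses got in, and how quickly.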
0x03 Visualization
yum install httpd php php-mysql php-gd php-curl
kippo-graph 1.3 needs a newer PHP than yum provides and you would have to build it yourself, so stay with yum and install the older version instead:
#!bash
wget http://bruteforce.gr/wp-content/uploads/kippo-graph-1.2.tar.gz
tar -zxf kippo-graph-1.2.tar.gz
mv kippo-graph-1.2 /var/www/html/kippo
cd /var/www/html/kippo
cp config.php.dist config.php
vim config.php
Put in the following:
#!php
define('DIR_ROOT', '/var/www/html/kippo');
define('DB_HOST', 'localhost');
define('DB_USER', 'kippo');
define('DB_PASS', 'kippo');
define('DB_NAME', 'kippo');
define('DB_PORT', '3306');
Then run:
#!bash
chmod 777 /var/www/html/kippo/generated-graphs/
/etc/init.d/httpd start
su - kippo
./start.sh
Browse to http://<ip>/kippo
0x04 Layout
data: holds the SSH host keys, lastlog.txt and userdb.txt.
    lastlog.txt: the output of the last command, i.e. the record of logins to the honeypot; it can be faked.
    userdb.txt: the accounts allowed to log in, one entry per line in the format username:uid:password; a user may be given several passwords.
honeyfs: the etc directory contains the files group, hostname, hosts, issue, passwd, resolv.conf and shadow; running cat /etc/<filename> inside the honeypot prints the contents of the corresponding text file. The proc directory contains cpuinfo, meminfo and version, and cat /proc/<filename> shows their contents in the same way.
log: where the log files are kept. The directory contains a kippo.log file and a tty directory. kippo.log holds startup records and information such as which IPs connected. The tty directory has one record of the activity of every SSH session; strings filename shows its contents directly.
txtcmds: where the commands are kept. These commands are text files; running the command just prints the file's contents.
kippo: the core code, which emulates the interactive commands and so on.
dl: where files downloaded with wget and the like are stored.
utils:
    convert32.py: converts tty logs to the standard 32-bit format; in practice strings is enough to read them.
    createfs.py: can be used to mimic the file and directory layout of a real system, but needs some setup: redirect and save its output, then replace fs.pickle with it, and the honeypot will imitate the real system.
    fsctl.py: edits an already generated fs.pickle; help lists its commands.
    passdb.py: adds accounts and passwords, but editing data/userdb.txt directly also adds new accounts, and I never found where pass.db lives.........
    playlog.py: replays the logs under log/tty/.
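The tty logs are binary, which is why the page reaches for strings. As an added example (not code from this page or from Kippo), the parser below assumes the record layout used by kippo/core/ttylog.py: a 24-byte little-endian header packed as `<iLiiLL` (op, tty, length, direction, seconds, microseconds) followed by `length` bytes of data, with op codes 1-4 for open/close/write/exec and direction 1/2/3 for input/output/interact. The sample session is constructed here. Unlike a naive reader, it stops cleanly on a truncated final record, which is what a log left behind by a killed honeypot looks like.

```python
import io
import struct

# Record header as written by kippo/core/ttylog.py (layout assumed, see
# lead-in): op, tty, length, direction, seconds, microseconds, all
# little-endian 32-bit integers, followed by `length` bytes of data.
HEADER = struct.Struct("<iLiiLL")
OP_OPEN, OP_CLOSE, OP_WRITE, OP_EXEC = 1, 2, 3, 4
TYPE_INPUT, TYPE_OUTPUT, TYPE_INTERACT = 1, 2, 3


def pack_record(op, direction, stamp, data=b""):
    """Serialise one record; `stamp` is a float UNIX timestamp."""
    sec = int(stamp)
    usec = int(1000000 * (stamp - sec))
    return HEADER.pack(op, 0, len(data), direction, sec, usec) + data


def iter_records(blob):
    """Yield (op, direction, timestamp, data) tuples from a tty log.

    Stops cleanly at a truncated trailing record instead of raising,
    which is what a log left by a honeypot killed mid-session looks like."""
    f = io.BytesIO(blob)
    while True:
        hdr = f.read(HEADER.size)
        if len(hdr) < HEADER.size:
            return
        op, _tty, length, direction, sec, usec = HEADER.unpack(hdr)
        data = f.read(length)
        if len(data) < length:
            return
        yield op, direction, sec + usec / 1e6, data


def replay_output(blob):
    """Everything the visitor saw on their terminal, in order."""
    return b"".join(d for op, dr, _, d in iter_records(blob)
                    if op == OP_WRITE and dr == TYPE_OUTPUT)


def typed_commands(blob):
    """Reassemble the command lines the visitor typed from the input records."""
    typed = b"".join(d for op, dr, _, d in iter_records(blob)
                     if op == OP_WRITE and dr == TYPE_INPUT)
    return [line.decode("utf-8", "replace")
            for line in typed.split(b"\n") if line.strip()]


def build_sample_log():
    """Constructed two-command session against the default svr03 prompt."""
    t0 = 1400000000.0
    return b"".join([
        pack_record(OP_OPEN, TYPE_INTERACT, t0),
        pack_record(OP_WRITE, TYPE_OUTPUT, t0 + 0.1, b"svr03:~# "),
        pack_record(OP_WRITE, TYPE_INPUT, t0 + 2.5, b"uname -a\n"),
        pack_record(OP_WRITE, TYPE_OUTPUT, t0 + 2.6,
                    b"Linux svr03 2.6.32 x86_64 GNU/Linux\nsvr03:~# "),
        pack_record(OP_WRITE, TYPE_INPUT, t0 + 7.0, b"cat /proc/cpuinfo\n"),
        pack_record(OP_WRITE, TYPE_OUTPUT, t0 + 7.1, b"processor\t: 0\n"),
        pack_record(OP_CLOSE, TYPE_INTERACT, t0 + 9.0),
    ])


if __name__ == "__main__":
    log = build_sample_log()
    for op, direction, ts, data in iter_records(log):
        print("%.3f op=%d dir=%d %r" % (ts, op, direction, data))
    print("typed:", typed_commands(log))
```

To read a real file, pass `open("log/tty/<file>.log", "rb").read()` in place of the constructed blob; the timestamps in each record are what playlog.py uses to pace its replay.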
0x05 Configuration file
kippo.cfg:
==========================================================
[honeypot]
# IP addresses to listen for incoming SSH connections.
#
# (default: 0.0.0.0) = any address
# address(es) the SSH service listens on; several IPs may be given, separated by spaces
#ssh_addr = 0.0.0.0
# Port to listen for incoming SSH connections.
#
# (default: 2222)
# listening port, default 2222. Kippo runs as an unprivileged user and so cannot bind port 22; use a simple iptables redirect from port 22 to this port
# only one port can be listened on
ssh_port = 2222
# Hostname for the honeypot. Displayed by the shell prompt of the virtual
# environment.
#
# (default: svr03)
# hostname
hostname = svr03
# Directory where to save log files in.
#
# (default: log)
# path where logs are stored
log_path = log
# Directory where to save downloaded (malware) files in.
#
# (default: dl)
# directory where files fetched by download commands run inside the honeypot are saved
download_path = dl
# Maximum file size (in bytes) for downloaded files to be stored in 'download_path'.
# A value of 0 means no limit. If the file size is known to be too big from the start,
# the file will not be stored on disk at all.
#
# limits the size of downloaded files; the default 0 means no limit
# (default: 0)
#download_limit_size = 10485760
# Directory where virtual file contents are kept in.
#
# This is only used by commands like 'cat' to display the contents of files.
# Adding files here is not enough for them to appear in the honeypot - the
# actual virtual filesystem is kept in filesystem_file (see below)
#
# (default: honeyfs)
# where the virtual file contents are kept; by default it contains etc and proc
contents_path = honeyfs
# File in the python pickle format containing the virtual filesystem.
#
# This includes the filenames, paths, permissions for the whole filesystem,
# but not the file contents. This is created by the createfs.py utility from
# a real template linux installation.
#
# (default: fs.pickle)
# records file names, paths and permissions, used to emulate the Linux environment
filesystem_file = fs.pickle
# Directory for miscellaneous data files, such as the password database.
#
# (default: data_path)
# where miscellaneous data lives, e.g. lastlog, the SSH keys, the accounts and passwords allowed to log in, and any changed root password
data_path = data
# Directory for creating simple commands that only output text.
#
# The command must be placed under this directory with the proper path, such
# as:
# txtcmds/usr/bin/vi
# The contents of the file will be the output of the command when run inside
# the honeypot.
# In addition to this, the file must exist in the virtual
# filesystem {filesystem_file}
#
# (default: txtcmds)
# simple commands made of plain text, used only for simple output
txtcmds_path = txtcmds
# Public and private SSH key files. If these don't exist, they are created
# automatically.
# where the SSH host keys are kept
rsa_public_key = data/ssh_host_rsa_key.pub
rsa_private_key = data/ssh_host_rsa_key
dsa_public_key = data/ssh_host_dsa_key.pub
dsa_private_key = data/ssh_host_dsa_key
# Enables passing commands using ssh execCommand
# e.g. ssh root@<honeypot-host> <command>
#
# (default: false)
# whether to support running a single command as ssh root@<honeypot-host> <command>; default is false
exec_enabled = true
# IP address to bind to when opening outgoing connections. Used exclusively by
# the wget command.
#
# (default: not specified)
# address that outgoing packets are sent from
#out_addr = 0.0.0.0
# Sensor name use to identify this honeypot instance. Used by the database
# logging modules such as mysql.
#
# If not specified, the logging modules will instead use the IP address of the
# connection as the sensor name.
#
# (default: not specified)
#sensor_name=myhostname
# Fake address displayed as the address of the incoming connection.
# This doesn't affect logging, and is only used by honeypot commands such as
# 'w' and 'last'
#
# If not specified, the actual IP address is displayed instead (default
# behaviour).
#
# (default: not specified)
#fake_addr = 192.168.66.254
# SSH Version String
#
# Use this to disguise your honeypot from a simple SSH version scan
# frequent Examples: (found experimentally by scanning ISPs)
# SSH-2.0-OpenSSH_5.1p1 Debian-5
# SSH-1.99-OpenSSH_4.3
# SSH-1.99-OpenSSH_4.7
# SSH-1.99-Sun_SSH_1.1
# SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1
# SSH-2.0-OpenSSH_4.3
# SSH-2.0-OpenSSH_4.6
# SSH-2.0-OpenSSH_5.1p1 Debian-5
# SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
# SSH-2.0-OpenSSH_5.5p1 Debian-6
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
# SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
# SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
# SSH-2.0-OpenSSH_5.9
#
# (default: "SSH-2.0-OpenSSH_5.1p1 Debian-5")
# the SSH banner string
ssh_version_string = SSH-2.0-OpenSSH_5.1p1 Debian-5
# Banner file to be displayed before the first login attempt.
#
# (default: not specified)
# banner shown on the first login attempt; not specified by default
#banner_file =
# Session management interface.
#
# This is a telnet based service that can be used to interact with active
# sessions. Disabled by default.
#
# (default: false)
interact_enabled = false
# (default: 5123)
interact_port = 5123
# MySQL support module; the SQL file is doc/sql/mysql.sql
# MySQL logging module
#
# Database structure for this module is supplied in doc/sql/mysql.sql
#
# To enable this module, remove the comments below, including the
# [database_mysql] line.
# database configuration
#[database_mysql]
#host = localhost
#database = kippo
#username = kippo
#password = secret
#port = 3306
# XMPP logging
# XMPP Logging
#
# Log to an xmpp server.
# For a detailed explanation on how this works, see: <add url here>
#
# To enable this module, remove the comments below, including the
# [database_xmpp] line.
#[database_xmpp]
#server = sensors.carnivore.it
#user = [email protected]
#password = anonymous
#muc = dionaea.sensors.carnivore.it
#signal_createsession = kippo-events
#signal_connectionlost = kippo-events
#signal_loginfailed = kippo-events
#signal_loginsucceeded = kippo-events
#signal_command = kippo-events
#signal_clientversion = kippo-events
#debug=true
# by default logs are stored as simple text files
# Text based logging module
#
# While this is a database logging module, it actually just creates a simple
# text based log. This may not have much purpose, if you're fine with the
# default text based logs generated by kippo in log/
#
# To enable this module, remove the comments below, including the
# [database_textlog] line.
#[database_textlog]
#logfile = kippo-textlog.log
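A few of these settings decide how much harm a visitor can do to the honeypot host itself, so it is worth checking them mechanically after every edit. The checker below is an added example and not part of Kippo: it reads a constructed excerpt of the configuration shown above with Python 3's configparser and flags the unlimited download size and the trivial database password that this page's own setup uses; `hardened_config()` shows the same excerpt with both fixed. The `WEAK_PASSWORDS` set and the messages are my own choices.

```python
import configparser

# Constructed excerpt of the kippo.cfg values shown on this page
# (download_limit_size commented out, MySQL password "kippo").
PAGE_CONFIG = """\
[honeypot]
ssh_port = 2222
hostname = svr03
log_path = log
download_path = dl
#download_limit_size = 10485760
exec_enabled = true
interact_enabled = false
interact_port = 5123
ssh_version_string = SSH-2.0-OpenSSH_5.1p1 Debian-5

[database_mysql]
host = localhost
database = kippo
username = kippo
password = kippo
port = 3306
"""

# Passwords I would refuse for the logging database (my own list).
WEAK_PASSWORDS = {"", "kippo", "secret", "password", "123456"}


def lint_kippo_config(text):
    """Return (section, option, message) findings for a kippo.cfg text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    hp = cp["honeypot"] if cp.has_section("honeypot") else {}

    # Binding a privileged port means running the honeypot as root, which
    # defeats the point of the iptables redirect from 22 to 2222.
    if int(hp.get("ssh_port", "2222")) < 1024:
        findings.append(("honeypot", "ssh_port",
                         "privileged port; keep a high port and redirect 22 with iptables"))

    # 0 (or unset) means no cap on files fetched with wget inside the honeypot.
    if int(hp.get("download_limit_size", "0")) == 0:
        findings.append(("honeypot", "download_limit_size",
                         "no size limit on downloaded files; a visitor can fill the disk"))

    # The telnet session interface exposes live sessions; keep it off unless
    # interact_port is firewalled to localhost.
    if hp.get("interact_enabled", "false").strip().lower() == "true":
        findings.append(("honeypot", "interact_enabled",
                         "session interface enabled; disable it or restrict interact_port"))

    if cp.has_section("database_mysql"):
        if cp["database_mysql"].get("password", "") in WEAK_PASSWORDS:
            findings.append(("database_mysql", "password",
                             "default or trivial database password"))
    return findings


def hardened_config():
    """The same excerpt with both findings fixed: a 10 MiB download cap and a
    placeholder database password (use a generated one in practice)."""
    return (PAGE_CONFIG
            .replace("#download_limit_size = 10485760", "download_limit_size = 10485760")
            .replace("password = kippo", "password = <generated-secret>"))


if __name__ == "__main__":
    for finding in lint_kippo_config(PAGE_CONFIG):
        print("%s.%s: %s" % finding)
    print("hardened:", lint_kippo_config(hardened_config()))
```

Run it against the real file with `lint_kippo_config(open("kippo.cfg").read())`; remember that the GRANT statement and config.php of kippo-graph carry the same database password and need changing together.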
0x06 Debugging
The timestamps are wrong: the code uses UTC, while this machine is in UTC+8.
vim /home/kippo/kippo/core/dblog.py
Replace the method with:
#!python
# Replacement body for the nowUnix() method in kippo/core/dblog.py
# (the module already imports time)
def nowUnix(self):
    """return the current UTC time as an UNIX timestamp"""
    # The original fed UTC fields to mktime(), which expects local time,
    # so the result was shifted by the host's UTC offset:
    #return int(time.mktime(time.gmtime()[:-1] + (-1,)))
    # Adding 28800 (8 hours) only papers over that on a UTC+8 host:
    #return int(time.mktime(time.gmtime()[:-1] + (-1,))) + 28800
    # time.time() is already a UTC-based UNIX timestamp on every host
    return int(time.time())
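Why the original line is wrong is easiest to see numerically. The following is an added example, not from the page: `buggy_unix` reproduces the expression the author commented out, and `skew_seconds` shows that it drifts from the true timestamp by exactly the host's UTC offset, which is where the `+ 28800` workaround came from and why it only holds for one timezone.

```python
import time


def buggy_unix(ts):
    """What Kippo's original nowUnix() computed at the instant `ts`:
    a UTC struct_time is handed to mktime(), which expects local time."""
    return int(time.mktime(time.gmtime(ts)[:-1] + (-1,)))


def fixed_unix(ts):
    """The replacement used on this page: the raw UNIX timestamp, which is
    identical on every host whatever its timezone."""
    return int(ts)


def skew_seconds(ts):
    """Drift of the original value from the true timestamp at `ts`.

    It equals minus the host's UTC offset: about -28800 on a UTC+8 host
    (eight hours behind, hence the '+ 28800' workaround) and 0 on a UTC host."""
    return buggy_unix(ts) - fixed_unix(ts)


def expected_skew(ts):
    """mktime() reads the UTC fields as local wall-clock time, so the
    drift is the negated UTC offset in force at `ts` (DST included)."""
    return -time.localtime(ts).tm_gmtoff


if __name__ == "__main__":
    now = time.time()
    print("skew on this host: %d s (expected %d s)"
          % (skew_seconds(now), expected_skew(now)))
```

Because the drift depends on the timezone of whichever machine runs Kippo, a database populated by the original code mixes offsets as soon as two sensors in different zones log to it; storing `time.time()` avoids that entirely.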
0x07 Drawbacks
Limited functionality.
Leaving with exit or ctrl+d does not really exit: it prints that the session ended, but it has not fully closed, and you have to force-close the terminal to get out.
Too few commands; the emulation of a real environment is rather poor.
Adding users is too complicated and fails easily.
0x08 Afterword
Left it running for half a month (address elided); below is some of the data collected.
A small number of malicious programs were collected; if you are interested, message me~~~
Finally, a plug for my team's blog; please go easy on it........
http://www.sigma.ws/
References:
http://bruteforce.gr/kippo-graph
http://www.google.com/