Detecting Kippo SSH honeypots, bypassing patches, and all that jazz.
Published: 2019-05-10


http://morris.guru/detecting-kippo-ssh-honeypots/

Background

I have a lot of honeypots configured around the Internet. I use these honeypots to gather intelligence on what bad guys are up to. One honeypot used by myself and many others is "Kippo".

Kippo is a medium-interaction SSH honeypot written in Python. Kippo uses the Twisted library (as well as a few others) to present a very realistic-looking SSH service. Discussing the functionality and applicability of Kippo is a blog post in and of itself, but trust me, it kicks ass.

The other day I was brainstorming some of the ways bad guys could improve their operational security. One idea was to fingerprint all services for known honeypot frameworks before performing any attacks, as a counterintelligence tactic.

Getting our hands dirty

There are a number of dead giveaways from inside the Kippo shell, such as the following janky regex for ping, which happily "pings" an address whose octets are all out of range:

$ ssh root@1.1.1.1
Password:
root@devops008:~# ping 999.999.999.999
PING 999.999.999.999 (999.999.999.999) 56(84) bytes of data.
64 bytes from 999.999.999.999 (999.999.999.999): icmp_seq=1 ttl=50 time=45.4 ms
64 bytes from 999.999.999.999 (999.999.999.999): icmp_seq=2 ttl=50 time=40.3 ms
...

I set out to find some methods to fingerprint Kippo without authenticating, which led me to an earlier blog post on exactly that.

The author of that blog post, Fabrizio, wrote about how telnetting to a Kippo instance and sending a few newlines will cause Kippo to throw an error. The error itself isn't important; what's important is that OpenSSH throws a different error.

The following is a quick proof-of-concept using Fabrizio's method:

OpenSSH

$ printf "\n\n\n\n\n\n\n\n" | nc -w3 2.2.2.2 22
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
Protocol mismatch.
$

Kippo

$ printf "\n\n\n\n\n\n\n\n" | nc -w3 1.1.1.1 22
SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5
bad packet length 168430090
$

The responses are different. OpenSSH replies with Protocol mismatch as soon as it reads a line that does not begin with SSH-, whereas Kippo (really the Twisted SSH transport underneath it) never sees a version line, so it treats the input as a binary packet and reads the first four newline bytes, 0x0a0a0a0a, as a big-endian packet length of 168430090, which is far over the maximum and gets rejected as bad packet length. That number is therefore a constant for any server with the same parsing behaviour, which is what makes it a usable fingerprint.

Using this information, we can whip up a quick Python script to check whether an SSH server is running Kippo.

#!/usr/bin/python
# import the libraries we want to use
import socket
import sys

# check for the presence of a command line argument, exit if it doesn't exist
if len(sys.argv) != 2:
    print '[+] Usage: python %s 1.1.1.1' % sys.argv[0]
    exit()

# set our variables
host = sys.argv[1]
port = 22

# construct the tcp socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# connect to the host
s.connect((host, port))

# receive the SSH banner
banner = s.recv(1024)

# send eight newlines
s.send('\n\n\n\n\n\n\n\n')

# get response from the server, store in a variable
response = s.recv(1024)

# close the socket
s.close()

# check to see if the response from the server contains the number we're looking for
if "168430090" in response:
    print '[!] Kippo honeypot detected!'

It's ugly, but it gets the job done.

...or does it?

Kippo Patch

So, Fabrizio's method worked like a charm on all versions of Kippo, until the author patched Kippo to mimic OpenSSH and return the same error.

$ printf "\n\n\n\n\n\n\n\n" | nc -w3 127.0.0.1 22
SSH-2.0-OpenSSH_5.1p1 Debian-5
Protocol mismatch

Rats. Looks like we're out of luck.

...or are we?

Sneakin around ya patches

Let's take a look at the patch implemented by the Kippo developer:

if not 'bad packet length' in desc:
    # With python >= 3 we can use super?
    transport.SSHServerTransport.sendDisconnect(self, reason, desc)
else:
    self.transport.write('Protocol mismatch.\n')
    log.msg('Disconnecting with error, code %s\nreason: %s' % \
        (reason, desc))
    self.transport.loseConnection()

Looks like this code might leave Kippo still fingerprintable: it only rewrites the one error string, not the underlying behaviour. Can we find a way to coax a Kippo instance into throwing this generic Protocol mismatch error with a request that OpenSSH would accept?

After a little bit of hard work and determination, I figured out a method to invoke this generic error message in Kippo whilst preserving regular behavior in OpenSSH.

...and by "hard work and determination", I really mean that HD Moore at Rapid7 found this in a comment on Fabrizio's blog.

It turns out that echoing the SSH server's own banner back at it will freak Kippo out and make it throw the Protocol mismatch error, whereas OpenSSH and other SSH servers accept it as a client version string and carry on with key exchange.

Kippo

$ nc -w3 localhost 2222
SSH-2.0-OpenSSH_5.1p1 Debian-5
SSH-2.0-OpenSSH_5.1p1 Debian-5
Protocol mismatch.

OpenSSH

$ nc -w3 localhost 22
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
[binary SSH_MSG_KEXINIT]...curve25519-sha256@libssh.org...
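The two probes above, the eight-newline check and the banner-echo check, combined into one Python 3 scanner. This is an added example and not the post's script or the Metasploit module: it runs each probe on its own connection and classifies the replies, checking the newline reply first because OpenSSH also answers Protocol mismatch to the newlines. FakeSSHServer is a constructed test double that imitates only the responses shown in this post (it is neither Kippo nor OpenSSH) so the scanner can be exercised offline; the function and class names are my own.

```python
#!/usr/bin/env python3
"""Pre-authentication Kippo probes in Python 3 (added example, not the post's script).

Two checks, in the order the post discovered them:
  1. send eight newline bytes; an unpatched Kippo answers "bad packet length 168430090"
  2. echo the server's own banner back; a patched Kippo answers "Protocol mismatch."
168430090 is 0x0a0a0a0a: the first four newline bytes read as a big-endian
uint32 SSH packet length.  FakeSSHServer is a constructed stand-in that imitates
only the replies the post shows, so the probes can be exercised offline.
"""
import socket
import struct
import sys
import threading

NEWLINES = b"\n" * 8
# 0x0a0a0a0a == 168430090, the packet length Twisted derives from four newlines
BAD_LENGTH = struct.unpack(">I", NEWLINES[:4])[0]


def recv_until_close(sock, limit=4096):
    """Collect whatever the server sends until it closes or the timeout fires."""
    chunks = []
    try:
        while len(b"".join(chunks)) < limit:
            chunk = sock.recv(1024)
            if not chunk:
                break
            chunks.append(chunk)
    except socket.timeout:
        pass
    return b"".join(chunks)[:limit]


def probe(host, port, timeout=3.0):
    """Run both probes on separate connections; returns (banner, newline_reply, echo_reply)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        # only the first line is the banner; OpenSSH may already append KEXINIT
        banner = s.recv(1024).split(b"\n", 1)[0].rstrip(b"\r")
        s.sendall(NEWLINES)
        newline_reply = recv_until_close(s)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)
        s.sendall(banner + b"\n")          # echo the server's banner back at it
        echo_reply = recv_until_close(s)
    return banner, newline_reply, echo_reply


def classify(newline_reply, echo_reply):
    """Map the two replies to a verdict; the newline check goes first because
    OpenSSH also says 'Protocol mismatch.' to the newline probe."""
    if str(BAD_LENGTH).encode() in newline_reply:
        return "kippo-unpatched"
    if b"Protocol mismatch" in echo_reply:
        return "kippo-patched"
    return "not-kippo"


class FakeSSHServer:
    """Constructed test double: mimics the replies shown in the post, nothing more."""
    BANNER = b"SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n"

    def __init__(self, mode):
        assert mode in ("kippo-unpatched", "kippo-patched", "openssh")
        self.mode = mode
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _reply(self, data):
        first_line = data.split(b"\n", 1)[0]
        if first_line.startswith(b"SSH-"):
            if self.mode == "openssh":      # a real server moves on to KEXINIT
                return b"\x00\x00\x04\x14\x08\x14" + b"curve25519-sha256@libssh.org"
            return b"Protocol mismatch.\n"  # the banner-echo reaction the post shows
        if self.mode == "kippo-unpatched" and len(data) >= 4:
            return b"bad packet length %d\n" % struct.unpack(">I", data[:4])[0]
        return b"Protocol mismatch.\n"      # OpenSSH, and Kippo after the patch

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return
            with conn:
                conn.sendall(self.BANNER)
                conn.sendall(self._reply(conn.recv(1024)))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s host port" % sys.argv[0])
    _, newline_reply, echo_reply = probe(sys.argv[1], int(sys.argv[2]))
    print(classify(newline_reply, echo_reply))
```

Against a real OpenSSH the second connection will sit in recv_until_close until the timeout, because the server is waiting for the client's KEXINIT rather than closing; that is expected, and the empty or binary reply classifies as not-kippo. Only the first line of the first recv is used as the banner, since OpenSSH sends its KEXINIT immediately and it can share a segment with the banner.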

Fin

Using both of these methods, we can successfully detect patched and unpatched versions of Kippo without ever authenticating. To demonstrate, I wrote up a really basic and kind of depressing Metasploit module, which is currently going through the process of being integrated into the framework.

msf > use auxiliary/scanner/ssh/detect_kippo
msf auxiliary(detect_kippo) > show options

Module options (auxiliary/scanner/ssh/detect_kippo):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.98.132   yes       The target address range or CIDR identifier
   RPORT    2222             yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(detect_kippo) > run

[*] 192.168.98.132:2222 - Kippo honeypot detected!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Thanks to Fabrizio and HD Moore for the awesome research, wvu at Rapid7 for holding my hand through the Metasploit module process, and the developers of Kippo for building such an awesome honeypot.

As always, shoot me an email or find me on Twitter if you have any questions or feedback.

--Andrew


P.S. I know the module is pretty sad. I had to google every line of it since I've never coded Ruby before.

NOTE 02/26/2015

After I published this blog post, Thomas Nicholson almost immediately developed a fix for his SSH honeypot. Very shortly after that, Michel developed a fix to implement in Kippo. Although this method (and the related Metasploit module) still works in the main Kippo version maintained by Desaster, it has been remediated in the more up-to-date version maintained by Michel. Thanks guys for all of your great work!
