7MS #174: DIY SSH Honeypot with Kippo - Part 2
1 min read Podcast, diy

In this episode I took my Kippo installation to the next step by incorporating MySQL, so that logins, commands and downloads get stored in a database instead of only in the flat log file. First thing I did was connect to my MySQL instance:

mysql -u root -p

Then, I created an empty kippo database:

create database kippo;

Then I granted all permissions on the kippo database (and only that database, and only from localhost) to a user called kipposql:

grant all on kippo.* TO 'kipposql'@'localhost' identified by 'A-PASSWORD-YOU-PICK';

(That one-liner works on MySQL 5.x and MariaDB. MySQL 8.0 dropped the identified by clause from grant, so there you create the user first with create user 'kipposql'@'localhost' identified by 'A-PASSWORD-YOU-PICK'; and then run grant all on kippo.* TO 'kipposql'@'localhost'; without the password part.)

Then type quit to leave the mysql prompt.

Now, do a cd /home/kippo/kippo/doc/sql/ and import the mysql.sql file by doing:

mysql -u kipposql -p -h localhost kippo < mysql.sql

(You'll be prompted for the kipposql user's password at this point, i.e. the one you picked in the grant statement above.)

Now, open up the /home/kippo/kippo/kippo.cfg file, look for the [database_mysql] section and fill it in with the details from above:

[database_mysql]
host = localhost
database = kippo
username = kipposql
password = A-PASSWORD-YOU-PICK
port = 3306

Be sure to uncomment these MySQL-related lines (including the [database_mysql] line itself) before saving your file! I didn't, so I had to do a ps x to find the Kippo process (its command line contains something like "/usr/bin/python /usr/bin/twistd -y kippo.tac ...") and then kill it with kill 1906 or whatever the appropriate PID is. (Kippo's start.sh also writes the process ID to kippo.pid in the Kippo directory, so kill $(cat kippo.pid) works without hunting through ps.)

Then, do ./start.sh to fire this baby up!

From here you can log in with mysql -u kipposql -p kippo and run SQL queries against the tables Kippo fills in (auth, sessions, input, downloads and so on). More on that in future episodes.

For now, though, another interesting file to look at is userdb.txt - this contains the username/password combinations Kippo will accept as a successful login (one user:uid:password per line). I left the default one in place (root:0:123456, i.e. root/123456) and what's fun about that is once users "hack" into the fake shell, all the commands they issue get captured and sucked into the MySQL database too. So you can see what kinds of netcat/wget/etc. commands they run to try and grab malicious files and wreak havoc on your system!

Also, if users take advantage of the passwd command, those new passwords get appended to the userdb.txt. So far, mine includes super secure passwords like toor, password, and password123.
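Here are a few queries to get started with the database once it has collected some traffic. These are added examples and not from the original post; the table and column names (auth, sessions, input, downloads) are the ones defined in Kippo's doc/sql/mysql.sql that was imported above, so if your checkout differs, run DESCRIBE auth; and friends first. They cover the three things mentioned on this page: what attackers log in with, what they type once they are in (including passwd, which is how the extra entries land in userdb.txt), and what they try to download.

```sql
-- Added example queries against the kippo database (not Kippo's own code).
-- Table/column names are assumed from Kippo's doc/sql/mysql.sql.
USE kippo;

-- 1. Most-tried username/password pairs, with how many of them succeeded.
--    With the default userdb.txt, root/123456 should show successes > 0.
SELECT username,
       password,
       COUNT(*)      AS attempts,
       SUM(success)  AS successes
FROM auth
GROUP BY username, password
ORDER BY attempts DESC
LIMIT 20;

-- 2. Who is attacking, per source IP, and how many sessions actually got a shell.
SELECT s.ip,
       COUNT(DISTINCT s.id) AS sessions,
       COUNT(DISTINCT CASE WHEN a.success = 1 THEN s.id END) AS shells,
       MIN(s.starttime)     AS first_seen,
       MAX(s.starttime)     AS last_seen
FROM sessions AS s
LEFT JOIN auth AS a ON a.session = s.id
GROUP BY s.ip
ORDER BY shells DESC, sessions DESC;

-- 3. Every command typed in a session that got past the login, in order,
--    tagged with the source IP so one attacker's activity reads as a script.
SELECT s.ip,
       s.starttime,
       i.timestamp,
       i.input
FROM input AS i
JOIN sessions AS s ON s.id = i.session
WHERE EXISTS (SELECT 1 FROM auth AS a
              WHERE a.session = i.session AND a.success = 1)
ORDER BY s.ip, s.starttime, i.timestamp;

-- 4. Sessions that ran passwd: these are the ones that append new
--    credentials to userdb.txt, so correlate them with that file.
SELECT s.ip, i.timestamp, i.input
FROM input AS i
JOIN sessions AS s ON s.id = i.session
WHERE i.input LIKE 'passwd%'
ORDER BY i.timestamp;

-- 5. Files attackers tried to fetch (wget/curl), with where Kippo saved them.
--    Treat the outfile paths as hostile samples, never execute them.
SELECT s.ip, d.timestamp, d.url, d.outfile
FROM downloads AS d
JOIN sessions AS s ON s.id = d.session
ORDER BY d.timestamp DESC;
```

Query 3 is the one to run when a fresh login shows up: it reproduces the attacker's session as a command transcript, which is usually enough to recognise the bot family behind it. Queries 4 and 5 point at the two things that change on disk (userdb.txt and Kippo's download directory), so they are worth re-running before each review of the honeypot.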
