Kippo 0.8 released

This was long due, however,

DO NOT GET EXCITED!

If you are using the svn version at the moment, please keep using it, and keep up with the updates via svn. This release only exists because too many people are still using version 0.5, which is very very old. I would rather just keep using svn, and remove the packaged releases altogether. However, I do recognize that people prefer a .tar.gz for just quickly trying it out.

The release, or preferably the svn repository can be found here:

https://code.google.com/p/kippo/

A packaged release is not really hard to make, but it seems I always have something I want to fix before making a release. I will try and change this mentality in the future, and do more releases, even if they end up being ugly and broken.

One thing that software releases usually provide is a nice list of new features and changes. I don’t have that, in fact I don’t even remember what has changed since 0.5!

Many changes since 0.5 are already years old. But I’ll list a couple less-known things here, that could deserve more attention:

Interactive console

This feature lets you talk to the attackers in real-time. Enabled by setting interact_enabled = true in kippo.cfg. If you’re wondering what’s going on in the minds of those botnet kiddies, why not ask them yourself?

Tip: colorify your playlog.py with -c

Tip: colorify your playlog.py with -c

The telnet interface of this feature is a bit crude, but should work (except on Putty).

XMPP

Markus added a XMPP support in kippo, which lets you log into an XMPP channel. This way you can gather data from any number of sensors, and then again have any number of backends store data from the channel to a database.

This is currently suffering from a lack of documentation; A simple wiki page would help a lot. I feel the feature has a lot of potential, though. If you’re interested in this feature, hop on IRC at #honeypots @ freenode, and we’ll help you set it up!

Maybe if there’s enough interest in it, I’ll finally get my lazy ass to write a wiki page about it…

malware.py

This is not a huge thing, but worth noting anyway. If you are tired of seeing attackers disconnect right after their downloaded scripts fail, you can try and keep them around for a little while longer by emulating their tools a little bit.

While this might be a well known feature, I don’t actually see people using it much to add new items. Here’s how you do it:

# 158c35ecfd4a4a490b613d87a22088fa (md5sum of the original file for reference)
class command_start1(HoneyPotCommand):
    def call(self):
        self.writeln('=====>Created by PuFoS<=====')
        self.writeln('++++++ *Asta e o arhiva privata*  ++++++++')
        self.writeln('Exemplu : ./start canal ')
        self.writeln('P.S : FARA DIEZ!')
slist[750] = command_start1       # file size of the original file
clist['start'] = command_start1   # file name of the original file

Basically you can create custom command (class command_start1), and assign it to a filename (‘start‘) and/or file size (750). Once an attacker unpacks a file using ‘tar’, and a file is found matching the name or the size, this piece of code will be attached to it.

Running a fake malware in kippo

You can find new commands to emulate by looking at your kippo logs, seeing what malware they try to run, and running it yourself (in a well secured, non-networked virtual machine!). Add a little bit of fake command output, and they might think they are actually running their own tool.

If you do add new malware commands, and they are fairly common, I would be happy to add them to kippo!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>