Andy Smith's Blog

Kippo Customisations

  • Honeypots
  • SSH

Having run Kippo for a while now, I am beginning to suspect that people are recognising the Kippo install and moving on. Spotting it isn't too difficult: there are some fairly static pieces of data that Kippo will hand over if asked for them, and they are identical on every stock install. Fortunately it's very easy to change these as we see fit, so we will!

NOTE: Don't just do this. This is not exactly best security practice. I personally am using information about a computer that is not running Kippo and putting it onto a different server. If you just run the commands below on the computer that is running Kippo, then an attacker is going to learn all sorts of information about that computer which may give them the upper hand in an actual attack. At the very least, edit the passwd file to replace the usernames.

The following commands illustrate what I have done. Copying and pasting them verbatim may not be the best of ideas.

Update honeyfs:

cat /proc/cpuinfo > kippo/honeyfs/proc/cpuinfo
cat /etc/issue > kippo/honeyfs/etc/issue
cat /etc/passwd > kippo/honeyfs/etc/passwd

Update txtcmds:

dmesg > kippo/txtcmds/bin/dmesg
mount > kippo/txtcmds/bin/mount
# definitely change the IP addresses (and the HWaddr line) within this file before it goes anywhere near the honeypot
ifconfig > kippo/txtcmds/sbin/ifconfig

Next up I am going to add some more 'programs'

php -v > kippo/txtcmds/bin/php
python --version > kippo/txtcmds/bin/python

Arguably these two may tip off the attacker, as they will expect to be able to actually run php and python rather than just get the version output, but my hope is that it will fool them into thinking that they are installed and encourage them to wget some of their tools.
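As an added example, not part of the original post and not Kippo's own code, here is a small POSIX shell script that does the two scrubbing steps the note above demands before a donor host's files are dropped into honeyfs/ and txtcmds/: it renames the human accounts in the passwd file to generic names and replaces the real addresses in the ifconfig dump, then refuses to finish if any real value survived. The user1/user2 names, the /home/userN paths, the 192.0.2.x and MAC replacement values, and the sample passwd and ifconfig input are all placeholders constructed for this example, not data from any real machine.

```shell
#!/bin/sh
# Added example (not from the original post or from Kippo): scrub a donor
# host's passwd file and ifconfig output before they become honeypot bait.
# All names, addresses and sample input below are constructed placeholders.

# Rename human accounts (uid >= 1000, excluding nobody) to generic names and
# blank their GECOS and home directory, so the donor's real admin usernames
# never reach the honeypot. System accounts look the same on every box, so
# they are left alone; that is what keeps the file looking authentic.
scrub_passwd() {
    awk -F: 'BEGIN { OFS = ":" }
        $3 >= 1000 && $1 != "nobody" { n++; $1 = "user" n; $5 = ""; $6 = "/home/" $1 }
        { print }' "$1"
}

# Replace specific real values (IP addresses, MACs) in a command dump.
# Usage: scrub_values FILE REAL=FAKE [REAL=FAKE ...]
# Only listed values are touched, so netmask/broadcast lines stay plausible.
# Caveat: plain substring matching, so list a longer value before any
# value that is a prefix of it (10.0.0.10 before 10.0.0.1).
scrub_values() {
    f=$1; shift
    expr=''
    for pair in "$@"; do
        real=${pair%%=*}
        fake=${pair#*=}
        real_re=$(printf '%s' "$real" | sed 's/\./\\./g')   # match dots literally
        [ -n "$expr" ] && expr="$expr;"
        expr="${expr}s/${real_re}/${fake}/g"
    done
    sed "$expr" "$f"
}

# Final gate: return non-zero if any real value survived in a scrubbed file.
# Usage: check_no_leak FILE REAL [REAL ...]
check_no_leak() {
    f=$1; shift
    for real in "$@"; do
        grep -Fq -- "$real" "$f" && return 1
    done
    return 0
}

# --- constructed sample input (stands in for the donor host's files) -----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_PASSWD=$WORK/passwd
SAMPLE_IFCONFIG=$WORK/ifconfig
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
EOF
cat > "$SAMPLE_IFCONFIG" <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:16:3e:12:34:56
          inet addr:203.0.113.45  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
EOF

# The "real" (here: constructed) values that must never leave the donor host.
REAL_IP=203.0.113.45
REAL_BCAST=203.0.113.255
REAL_MAC=00:16:3e:12:34:56

# Build the scrubbed copies the way the post's redirections would, but into a
# scratch tree rather than straight into kippo/, and gate on the leak check.
mkdir -p "$WORK/honeyfs/etc" "$WORK/txtcmds/sbin"
scrub_passwd "$SAMPLE_PASSWD" > "$WORK/honeyfs/etc/passwd"
scrub_values "$SAMPLE_IFCONFIG" \
    "$REAL_IP=192.0.2.10" "$REAL_BCAST=192.0.2.255" "$REAL_MAC=00:16:3e:aa:bb:cc" \
    > "$WORK/txtcmds/sbin/ifconfig"
check_no_leak "$WORK/txtcmds/sbin/ifconfig" "$REAL_IP" "$REAL_BCAST" "$REAL_MAC" \
    || { echo "real value leaked into ifconfig" >&2; exit 1; }
check_no_leak "$WORK/honeyfs/etc/passwd" alice deploy \
    || { echo "real username leaked into passwd" >&2; exit 1; }

cat "$WORK/honeyfs/etc/passwd" "$WORK/txtcmds/sbin/ifconfig"
```

Point the two scrub functions at the real files and copy the scratch tree over kippo/honeyfs and kippo/txtcmds only once check_no_leak passes; the same mapping mechanism works for anything else that identifies the donor, such as hostnames in dmesg or mount output.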

So now, hopefully, our honeypot will look more legitimate to an attacker, or at least to one who has become used to stock Kippo installs. Only time will tell!
