Andy Smith's Blog

  • Quick and Easy SSH MITM

    A quick intro to using mitmproxy to man-in-the-middle an SSH connection.

    So you want to sniff an SSH connection (that you have access to) but Wireshark is giving you junk? Luckily someone has written a tool for that. The mitmproxy by Maximilian Hils allows you to plop a fake server in between your SSH client and the SSH server you're connecting to.

    I wanted to have a nose at the data sent from git to github over SSH. This is what I did.

    # Download mitmproxy
    git clone
    # Generate mitm keys (these go to ~/.mitmkeys)

    Now you want to install the SSH key you just generated to the server you want to mitm.

    # Install SSH key
    ssh-copy-id -i ~/.mitmkeys/ user@victimserver

    Then run the proxy, pointing it at the victimserver.

    # Run proxy
    ./mitmproxy_ssh -H victimserver

    This runs the proxy on localhost:2222.

    Now simply connect to the local proxy:

    ssh localhost -p 2222

    And ta-da! You should see the raw data sent between client and server in the window where you ran mitmproxy_ssh.


  • Raspberry Pi Wi-Fi Honeypot

    I wanted to turn my Raspberry Pi into a "fake" wireless access point that would accept Wi-Fi connections without a password but sandbox all requests to a local web server, like some hotel Wi-Fi you might encounter.

    It turns out that to achieve this you need a Wi-Fi dongle that supports "AP Mode". I ended up ordering an Edimax EW-7711UAN which has worked perfectly in AP mode with the pi so far.

    For this tutorial I am assuming that your pi is physically connected to your network via a LAN cable (on eth0). We can't set this up over Wi-Fi because the Wi-Fi network is going to be sandboxed.


    So, beginning with a fresh Raspbian install I installed the following:

    sudo apt-get install -y hostapd dnsmasq nginx

    • hostapd will allow you to receive connections on your dongle, as if it were a wireless router.

    • Dnsmasq will allow the pi to provide DNS and DHCP services, which is the bare minimum we need to get the clients to "work" on the network.

    • Nginx is the web server we'll use to serve the dummy files on our sandboxed network.


    First hostapd:

    sudo touch /etc/hostapd/hostapd.conf
    sudo nano /etc/hostapd/hostapd.conf

    And paste the following:


    We also need to tell hostapd where to find this config file:

    sudo nano /etc/init.d/hostapd

    Find the line:


    And change it to:


    This will set your pi up to accept unsecured connections. Don't do it if you don't know what you're doing.

    Next up, dnsmasq:

    sudo nano /etc/dnsmasq.conf

    And paste the following (at the end of the file):


    This will set up the DHCP server, resolve all DNS lookups to and log all queries to /var/log/dnsmasq.

    Now, you may have noticed that we used there; the plan is to get the Wi-Fi adaptor listening on . This segregates the open Wi-Fi connections from the regular network:

    sudo nano /etc/network/interfaces

    And replace the contents with:

    auto lo
    iface lo inet loopback
    iface eth0 inet dhcp
    iface wlan0 inet static
    pre-up iptables-restore < /etc/iptables.rules

    Then, let's put a message in our www directory:

    echo "<h1>hello!</h1>" | sudo tee /usr/share/nginx/www/index.html

    Finally, we want to lock down our pi so that anyone who gets on the open network can't get up to any funny business:

    # Flush existing rules, then allow only what the captive clients need on wlan0:
    # replies to the pi's own traffic, HTTP (80), DNS (53) and DHCP (67:68). Everything else is dropped.
    sudo iptables -F
    sudo iptables -i wlan0 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -i wlan0 -A INPUT -p tcp --dport 80 -j ACCEPT
    sudo iptables -i wlan0 -A INPUT -p udp --dport 53 -j ACCEPT
    sudo iptables -i wlan0 -A INPUT -p udp --dport 67:68 -j ACCEPT
    sudo iptables -i wlan0 -A INPUT -j DROP
    # Save the ruleset so the pre-up line in /etc/network/interfaces restores it on boot
    sudo sh -c "iptables-save > /etc/iptables.rules"

    Let's set up all these services to start on startup so it will just work each time we turn it on:

    sudo update-rc.d nginx defaults
    sudo update-rc.d hostapd defaults
    sudo update-rc.d dnsmasq defaults

    Now make sure this will work on boot by turning it off and on again:

    sudo reboot


    If you do a Wi-Fi search on your laptop or phone you should now see "NotFreeWifi". If you connect and type in "" you should get the message we wrote out earlier.


    Now if you're a normal human being you've probably just blindly pasted these commands into your shell. If you'd like to know what you've set up, then read on!

    Using hostapd we've set up our wireless dongle to take unsecured (no passwords) connections using the SSID "NotFreeWifi". This will allow anyone with Wi-Fi on their laptop or phone or whatever to connect to the pi.

    On its own this won't do much - clients won't be able to do anything once they connect - so we've set up Dnsmasq to give clients IP addresses and tell them to use (the pi's IP) as a gateway.

    We've also used Dnsmasq to provide a DNS server which we've (rather sneakily) set up to give the address to any request. So if someone tries to visit, we tell them the address is

    Finally we've set up a web server on the pi - so when users do try to go to they actually connect to our pi, where we say hello to them.


    I've been running this on my pi for a week now and because of its location I wasn't expecting to get any connections, which is why I was pretty surprised to see that 5 people who weren't me have connected:

    sudo cat /var/log/dnsmasq.log | grep provides | awk '{print $9}' | sort | uniq
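    A slightly richer way to read the same dnsmasq log, as an added example that is not part of the original post: it assumes dnsmasq's standard "DHCPACK(iface) ip mac hostname" and "query[A] name from ip" log lines, and the sample log embedded below is constructed (made-up MACs, IPs and hostnames).

```shell
#!/bin/sh
# Added example, not from the post: summarise which clients joined the open
# network from the DHCPACK and query lines dnsmasq writes to its log.
# SAMPLE_LOG is constructed for this example; MACs, IPs and hostnames are made up.
SAMPLE_LOG='Mar  1 10:02:11 dnsmasq-dhcp[412]: DHCPDISCOVER(wlan0) 02:11:22:33:44:55
Mar  1 10:02:11 dnsmasq-dhcp[412]: DHCPOFFER(wlan0) 10.0.0.10 02:11:22:33:44:55
Mar  1 10:02:12 dnsmasq-dhcp[412]: DHCPACK(wlan0) 10.0.0.10 02:11:22:33:44:55 android-9f3
Mar  1 10:02:30 dnsmasq[412]: query[A] www.example.com from 10.0.0.10
Mar  1 11:30:40 dnsmasq-dhcp[412]: DHCPACK(wlan0) 10.0.0.11 0a:bb:cc:dd:ee:ff
Mar  1 11:31:02 dnsmasq[412]: query[A] captive.example.net from 10.0.0.11
Mar  1 12:00:03 dnsmasq-dhcp[412]: DHCPACK(wlan0) 10.0.0.10 02:11:22:33:44:55 android-9f3'

# Number of distinct client MACs that completed a DHCP lease (log text on stdin).
count_clients() {
    grep 'DHCPACK(' | awk '{print $7}' | sort -u | wc -l | tr -d ' '
}

# One line per client: "mac first-seen leases last-ip hostname", sorted by MAC.
# A client that sent no hostname is shown with "-".
lease_summary() {
    awk '/DHCPACK\(/ {
             if (!($7 in first)) first[$7] = $1 " " $2 " " $3
             leases[$7]++; ip[$7] = $6; host[$7] = ($8 == "" ? "-" : $8)
         }
         END { for (m in first) print m, first[m], leases[m], ip[m], host[m] }' \
    | sort
}

# Distinct DNS names a given client IP looked up, one per line.
queries_from() {
    awk -v who="$1" '/query\[/ && $8 == who {print $6}' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | lease_summary
printf '%s\n' "$SAMPLE_LOG" | queries_from 10.0.0.10
```

On the pi itself, replace the printf with `sudo cat /var/log/dnsmasq.log | lease_summary`.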

  • The $15 (per year) Honeypot

    Super low budget VPS servers make an ideal home for your own honeypot; this post takes you through setting up a feature packed honeypot on a TinyVZ VPS.

    I'm always on the lookout for a cheap place to host a honeypot, which is why I was pretty intrigued when I came across a few companies offering $15 per year virtual private servers.

    This offer does seem too good to be true - and I don't plan on hosting anything important on my VPS - but I've been running one with TinyVZ for 3 months now and had no problems to speak of.

    So, here's a quick guide to setting up your own $15 honeypot - though please don't treat this as a glowing endorsement of super cheap VPSs, when I paid my $15 I treated it more as placing a bet than purchasing a service.

    I have chosen TinyVZ as the host for this guide; you can almost certainly do this on other similarly cheap hosts. Because this guide uses my honeypot setup script, most of it revolves around navigating TinyVZ's control panel. I am not affiliated with TinyVZ.

    TinyVZ have confirmed that they are happy for their customers to run honeypots.


    Server Setup (TinyVZ Specific)

    • Sign up for a TinyVZ account (this can take up to 3 days**)
    • You will eventually receive a "New Server Information" email.
    • Login to the control panel with the details provided.
    • Click "Reload OS"
    • Choose ubuntu-12.04-x86 and push "Reload with selected OS"
    • Once that's done go back to "Main Menu"
    • Now copy the IP address of "Host Machine" and connect via SSH to this address
    • When prompted enter username "vz" and password "vz"
    • Now for "RAMCP Username" and "RAMCP Password" enter the username and password provided in the welcome email
    • You should now be logged in as root
    • Set a password with passwd
    • Install sudo: apt-get update && apt-get install sudo

    Install (Ubuntu)

    • Now run the following: wget -q -O /tmp/setup.bash && bash /tmp/setup.bash


    Tada - you should now have a full Kippo and Dionaea install. You can monitor /var/kippo and /var/dionaea for logs and binaries.

    Security Considerations

    The default setup you are left with on this server is iffy at best. You should not really be logging in as root; I would advise at the very least following this guide on securing SSH.


  • Automatic Honeypot Setup Script

    I have just finished work on the first version of my automatic honeypot setup script. This script will turn a vanilla install of Ubuntu 12.04 into a fully functioning honeypot in under 3 minutes.

    There are two main issues I have encountered when playing around with honeypot software.

    Firstly, you often won't find out that there are problems with your configuration until an attacker hits, and this can sometimes take hours. Nothing is more frustrating than coming back to a honeypot after a week to find a log file full of Access Denied messages.

    Secondly, honeypot software is designed with technical users in mind. Installing Apache Web Server is a matter of apt-get install apache2; it will start on system start up and come with helpful defaults. Whereas if you want to install Kippo, you need to check out the subversion repository and it certainly won't set itself up to run on startup.

    This script is my solution to these problems:

    Running the script will install the following services:

    All of these services will:

    • run straight out of the box with no additional configuration
    • start on system start up and log to /var/log
    • have useful and secure defaults

    You will be prompted for exactly one piece of information:

    • the network interface you want these services to run on

    This is the first release and testing has been limited to Ubuntu 12.04. This script does all sorts of things as a super user, so please, for now, only run it on a clean install.

    Feature requests, bug reports and pull requests are encouraged on GitHub.

    If you have any other queries, please feel free to contact me.

    Here's a video of a 3 minute install: