What is kojoney?
Kojoney is a low-interaction honeypot that emulates an SSH server. The daemon is written in Python using the Twisted Conch libraries.
Why the name kojoney?
Kojoney is a mix of the Spanish word cojon (s/c/k/) and honey. In Spanish the expression "estar hasta los cojones" means that you are fed up.
In the past I received many attacks against my SSH server and several of them were quite cool (for example, using my name and surname to brute force my SSH server). In order to catch my attacker I decided to create a honeypot. The attacker stopped his offensives and (currently) I don't know who the attacker was, but I realized that this tool was very cool and decided to release it to the public.
Who is the author of kojoney?
Me :) The author of the project is -officially- Jose Antonio Coret (please, for the love of god, Joxean), also known as Joxean Koret. You can contact me at joxeankoret N0SP4M at n0$p4m yah00 D0T es.
Which is the license of kojoney?
Kojoney is released under the GNU General Public License version 2 (the GPL).
Does it work under Win32?
Yes, I have tested it under Cygwin and with ActiveState Python at work, but due to the lack of a Windows machine at home no packages have been released for M$ Windows environments.
Any volunteer?
In fact, Kojoney should work on any platform supported by Python. Please take a look at the following location to check whether your operating system is supported (is there any COMMON operating system on which Python is not supported yet?).
I found a bug!
If you have found a bug in Kojoney, please report it here. If the bug is a security bug, don't hesitate to contact me privately at my e-mail address joxeankoret N0SP4M at n0$p4m yah00 D0T es.
Where can I download the source of kojoney?
Follow the Download link.
Download
Dependencies
In order to run kojoney you need to meet various prerequisites (dependencies, if you prefer). The following is a list of the currently known prerequisites:
There are also various optional prerequisites. The following is the list of optional prerequisites (strongly recommended anyway):
Installing Kojoney
You don't need to install it. You can untar (or unzip) the package kojoney-XXX.tar.gz and execute the Python script 'kojoney.py', but you will need to have (or install manually) the prerequisites listed above. Anyway, the recommended way is to install it, and to do so you can use the supplied install script called INSTALL.sh.
Installing Kojoney with the install script
To install kojoney using the install script follow these steps:
- Install all the prerequisites (listed in the previous paragraphs).
- Download the latest kojoney package. Currently kojoney-0.0.3.2.zip (or a previous version).
- Copy it to a temporary directory (e.g. /tmp/kojoney).
- Un(zip|tar) the package:
$ tar -xvzf kojoney-0.0.3.1.tar.gz (or unzip kojoney-0.0.3.2.zip)
(...)
$ ls
kojoney kojoney-0.0.3.1.tar.gz
- Enter the 'kojoney' directory and (as the root user on a Unix-like OS) type "sh INSTALL.sh".
- Follow the wizard.
The following is a sample (correct) installation using INSTALL.sh:
$ su
password:
# sh INSTALL.sh
Kojoney Honeypot installer.
Press enter to view the license agreement ...
<<< NOTE: After reading the license agreement press 'q' to exit >>>
Do you accept the ZPL, MIT and GPL license terms (yes/no) ?
yes
All licenses accepted.
******************************************
Kojoney Honeypot Installer version 0.0.3
******************************************
Step 1 - Copying files
(... uninteresting information...)
Step 2 - Building libraries
[+] Building and installing [IP-Country]
[+] Building and installing [Geograpy-Countries]
[+] Building and installing [Zope Interfaces]
[+] Building and installing [Twisted extension]
[+] Building and installing [PyCrypto]
(... Possibly various warnings. You can ignore these safely...)
[+] Building and installing [Twisted Conch extension]
Step 3 - Installing documentation
[+] Installing man pages
Step 4 - Changing permissions and creating symbolic links
[+] Creating symlinks
Step 5 - Final questions and fun
Do you want to run it automatically at boot time (yes/no)?
yes
***No run levels were assigned. You need to do this manually.***
Do you want to run it now (yes/no)?
yes
Starting daemon
Kojoney installation finished.
And how can I uninstall it?
To uninstall it use the script called UNINSTALL.sh distributed with the kojoney package.
How can I start the daemon?
Without installing, simply enter the unpacked kojoney directory and type "./kojoney.py" at the shell prompt.
But remember that you will need to have the prerequisites installed.
And how can I start it automatically at boot time?
In order to start it automatically at boot time you need to install kojoney with the INSTALL.sh script. When the installer asks you whether you want to run it automatically at boot time, answer yes. This will copy the startup script kojoney into the /etc/init.d directory.
Now assign the run levels in which you want it to run. This is distribution dependent but explained below.
How can I start kojoney automatically in Debian?
After a successful installation of kojoney type the following commands as root in a terminal. Note that Debian's SysV init only runs the links in /etc/rcN.d whose names start with S followed by a two-digit sequence number, so the links must be named accordingly (a bare link named kojoney would be ignored at boot):
# ln -s ../init.d/kojoney /etc/rc2.d/S99kojoney
# ln -s ../init.d/kojoney /etc/rc3.d/S99kojoney
# ln -s ../init.d/kojoney /etc/rc5.d/S99kojoney
Alternatively, let Debian create the links for you with "update-rc.d kojoney defaults".
How can I start kojoney automatically in Redhat?
After a successful installation of kojoney type the following command as root in a terminal:
# /sbin/chkconfig --level 345 kojoney on
If chkconfig complains that the service is not referenced, register the init script first with "/sbin/chkconfig --add kojoney" (this requires the script to carry a "# chkconfig:" header).
Where is the kojoney log file?
By default the kojoney daemon output is redirected to the file /var/log/honeypot.log.
How can I generate activity reports?
Use the commands 'kojreport' and 'kojreport-filter' as follows:
# kojreport /var/log/honeypot.log 0 0 1 > /tmp/report.txt
The three numeric arguments are the flags <traceroute> <nmap> <country resolution> (see the syntax of kojreport-filter below); the example above disables the traceroute and nmap probes of the attacking hosts and enables country resolution.
If you only want to generate a report for one IP address or for a specific date, use the command 'kojreport-filter' as follows:
# kojreport-filter /var/log/honeypot.log '<desired ip address or date>' 0 0 1
Where is the report utility documentation?
If you have installed it using the install script you can view the documentation of kojreport and kojreport-filter by typing man kojreport or man kojreport-filter in a terminal. Otherwise, in the doc/html directory of the kojoney package you will find the HTML versions of the man pages.
You can also view the HTML versions of the man pages online:
Any example reports, please?
The following is a real plain text sample report.
I like reports with graphics and pies
I will write a new report generator utility that creates HTML reports with graphics and pies. Or maybe another person will create a PHP frontend for it... Maybe...
I want to view more reports!
Take a look at the following big report: big-report.
Uh! The reporting tool recognizes humans!?
Yes, it does. But, of course, not all the time.
How is it possible to recognize whether a session was opened by a bot or by a human?
We, the humans, are clumsy. The script looks for DEL ("Supr") and BACKSPACE characters in the executed commands: a person correcting a typo sends them, a bot replaying pre-built command strings rarely does. The script also checks whether the intruder tried to change the terminal window size or tried to forward X11 requests, which an interactive terminal client does and a scripted attack normally does not. A human who types flawlessly from a plain client is therefore missed, and a bot could deliberately imitate these signals, so treat the result as a hint rather than proof.
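The heuristic described above, as an added example that is not Kojoney's own kojhumans code. It classifies per-session records on the three signals the FAQ names (erase characters in commands, window-size changes, X11 forwarding requests) and reproduces the --by-session and --by-ip views. The Session structure, its field names and the sample sessions are constructed for the example; Kojoney's real log format is not shown on this page.

```python
"""Heuristic human-vs-bot classifier for honeypot SSH sessions.

Added example, not Kojoney's own kojhumans/kojreport code. It applies
the three signals the FAQ describes: DEL ("Supr") or BACKSPACE bytes in
the executed commands, terminal window-size changes and X11 forwarding
requests. The Session structure and the sample sessions below are
constructed for this example; Kojoney's real log format is not shown.
"""
from dataclasses import dataclass, field
from typing import List

# Bytes an interactive terminal sends when a person corrects a typo.
BACKSPACE = "\x08"   # Ctrl-H
DEL = "\x7f"         # Delete/"Supr" key on most terminals
ERASE_CHARS = (BACKSPACE, DEL)


@dataclass
class Session:
    """One SSH session as reconstructed from the honeypot log (hypothetical)."""
    session_id: int
    peer_ip: str
    commands: List[str] = field(default_factory=list)
    window_changes: int = 0   # pty window-change requests seen
    x11_requests: int = 0     # X11 forwarding requests seen


def human_signals(session: Session) -> List[str]:
    """Return the signals that suggest a human typed this session."""
    signals = []
    if any(ch in cmd for cmd in session.commands for ch in ERASE_CHARS):
        signals.append("erase-chars")
    if session.window_changes > 0:
        signals.append("window-resize")
    if session.x11_requests > 0:
        signals.append("x11-forward")
    return signals


def is_human(session: Session) -> bool:
    """Any one signal is enough; a bot replaying fixed strings shows none."""
    return bool(human_signals(session))


def humans_by_session(sessions: List[Session]) -> List[int]:
    """Ids of sessions classified as human (the --by-session view)."""
    return [s.session_id for s in sessions if is_human(s)]


def humans_by_ip(sessions: List[Session]) -> List[str]:
    """Distinct peer addresses with at least one human session (--by-ip)."""
    return sorted({s.peer_ip for s in sessions if is_human(s)})


# Constructed sample data (private/documentation addresses, not real attackers).
SAMPLE_SESSIONS = [
    # Typo corrected with two DEL presses, then the window was resized.
    Session(0, "10.0.0.5", ["id", "ls -a", "cd hoem\x7f\x7fme"], window_changes=1),
    # Scripted bot: fixed commands, no erase characters, no terminal fiddling.
    Session(1, "192.0.2.10", ["uname -a", "cat /proc/cpuinfo"]),
    # Brute-forcer that authenticated but never opened a shell.
    Session(2, "192.0.2.10", []),
    # No typos, but an X11 forwarding request gives the human away.
    Session(3, "203.0.113.9", ["w"], x11_requests=1),
    # A careful human who types perfectly is missed: "not all the time".
    Session(4, "198.51.100.4", ["whoami", "uptime"]),
]

if __name__ == "__main__":
    for sid in humans_by_session(SAMPLE_SESSIONS):
        print(f"Session with id {sid} opened by a human")
    for ip in humans_by_ip(SAMPLE_SESSIONS):
        print(f"Human detected at {ip}")
```

Session 4 shows the false negative the FAQ admits to: without an erase character, a resize or an X11 request there is nothing to go on, so the classifier errs towards "bot".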
Using kojhumans, the tool to tell humans and bots apart.
As of Kojoney v0.0.2 the tool kojhumans is distributed with the package. The syntax of this tool is as follows:
$ /usr/share/kojoney/kojhumans <logfile> {--by-session|--by-ip}
The following is the result of running the tool against my home log file:
$ /usr/share/kojoney/kojhumans /var/log/honeypot.log --by-ip
Human detected at 127.0.0.1 (**, Intranet address)
Human detected at 82.77.71.107 (RO, Romania)
2 human(s) total
$ /usr/share/kojoney/kojhumans /var/log/honeypot.log --by-session
Session with id 0 opened by a human
Session with id 5 opened by a human
Session with id 1682 opened by a human
3 human session(s) total
To look up the data of a specific session refer to the section called How to search for a specific session?.
What username/password combinations are allowed to connect to the honeypot?
The most widely used username and password combinations. You can view and/or edit the credentials stored in the file /etc/kojoney/fake_users (if you installed it using the installer) or by editing the file fake_users distributed with the kojoney package.
How to search for a specific session?
To search for a specific session you need to use the tool kojsession (distributed as of kojoney 0.0.2). The following are examples of use:
$ /usr/share/kojoney/kojsession /var/log/honeypot.log -total
7258 session(s)
Ok, there are a total of 7258 sessions in our log file.
Session ids are sequential, so the logged sessions will have ids 0, 1, 2, 3, etc. In this example we will look at a session opened by a human. The session has id 1682, so the command that we need to run is as follows:
$ /usr/share/kojoney/kojsession /var/log/honeypot.log 1682
This will output a report for session 1682, as we can see below:
Kojoney Honeypot Report
-----------------------
Date: lun 01 ago 2005 23:56:15 CEST
Log lines: 31
Log size: 4,0K /tmp/tmp.6pM2Df
Authenticated users. Successfull logons
---------------------------------------
1 ftp
Total 1
Logons with null passwords
--------------------------
1 ftp
Total 1
Logons with or without password
-------------------------------
2 ftp
1 tiffany
Total 3
X11 forward requests
--------------------
Total 0
Executed different commands
---------------------------
2 id
1 whoami
1 w
1 uptime
1 ls -a
1 cd home
Total 7
Number of times the intruder tries to change the terminal window size
---------------------------------------------------------------------
Total 1
IP Addresses
------------
1 82.77.71.107 - 1 conexion(es)
Total 1
Sessions opened by humans
-------------------------
Session with id 1682 opened by a human
1 human session(s) total
Humans detecteds by IP
----------------------
Human detected at 82.77.71.107 (RO, Romania)
1 human(s) total
Internal Honeypot Errors
------------------------
Total 0
What information did we collect?
- We know that the attacker got into our honeypot by using the username and password combination ftp/ftp.
- He or she also tried to log on with the user ftp and no password, and also with the username tiffany.
- He or she tried to execute the commands "id" (two times), "whoami", "w", "uptime", "ls -a" and "cd home".
- The intruder changed the remote terminal window size during the intrusion (looking at the log file in raw mode I found the attacker was using a simple xterm).
- The attacker was a human.
- The attacker came from Romania, more precisely from around Craiova (thanks to the extremely cool tool xtraceroute).
Isn't this reporting tool cool? :)
How to search for a specific IP address?
As of kojreport 0.0.2 you can use the tool kojreport-filter. The syntax of the tool is the same as that of the kojreport tool with the filter added as the second parameter. The following is the syntax of the kojreport-filter utility:
$ kojreport-filter <log file> <filter> <traceroute> <nmap> <country resolution>
The filter is a regular expression matched against each log line, so remember that in a bare IP address the dots match any character and that the address also matches any longer address it is a prefix of (82.43.139.11 also selects lines from 82.43.139.111). Escape the dots and make sure no further digit can follow the address if you need an exact match.
And the following is a sample report for the IP address 209.152.166.77:
Kojoney Honeypot Report
-----------------------
Date: mar 02 ago 2005 00:09:40 CEST
Log lines: 35679
Log size: 3,5M /tmp/tmp.JbRsEU
Authenticated users. Successfull logons
---------------------------------------
2 root
2 admin
1 webmaster
1 web
1 user
1 test
1 oracle
1 mysql
1 guest
1 administrator
Total 12
Unauthenticated users. Failed logons
------------------------------------
Total 0
Users successfully authenticateds with publickey
------------------------------------------------
Total 0
Users unsuccessfully authenticateds with publickey
--------------------------------------------------
Total 0
Logons with null passwords
--------------------------
Total 0
Logons with or without password
-------------------------------
3421 root
11 admin
11 adam
10 ellen
9 ronald
9 paul
9 mail
9 jack
9 guest
9 francis
9 eric
9 danny
9 alex
8 apple
7 user
7 adrian
6 white
6 webster
6 viper
(...about 1400 other username/password combinations..)
1 dakota
1 Christ
1 chicago
1 arbgirl_phpbb1
1 apple1
1 alan
1 absurdir_deadphp
Total 5070
Number of times a remote shell was opened
-----------------------------------------
Total 12
X11 forward requests
--------------------
Total 0
Executed different commands
---------------------------
Total 0
Number of times the intruder tries to change the terminal window size
---------------------------------------------------------------------
Total 0
IP Addresses
------------
1 209.152.166.77 - 5093 conexion(es)
Total 1
IP Addresses and Countries
--------------------------
1 209.152.166.77 - US, United States
Total 1
Sessions opened by humans
-------------------------
0 human session(s) total
Humans detecteds by IP
----------------------
0 human(s) total
Internal Honeypot Errors
------------------------
Total 0
This was clearly an automated attack launched by a bot from the United States.
How to search for a specific date and/or date range?
Use the same tool as in the previous section and as a filter specify a regular expression that matches your date range. For example:
$ kojreport-filter /var/log/honeypot.log '^2005/07/30' 0 0 1
Kojoney Honeypot Report
-----------------------
Date: mar 02 ago 2005 00:20:53 CEST
Log lines: 61066
Log size: 4,7M /tmp/tmp.MG7QZj
Authenticated users. Successfull logons
---------------------------------------
3 root
2 test
2 admin
1 webmaster
1 web
1 user
1 oracle
1 mysql
1 guest
1 administrator
Total 14
Unauthenticated users. Failed logons
------------------------------------
3419 root
11 adam
10 ellen
9 ronald
9 paul
9 mail
9 jack
9 francis
9 eric
9 danny
9 alex
9 admin
8 guest
8 apple
7 adrian
6 white
6 webster
6 viper
6 user
6 stephanie
6 russ
6 philip
6 mike
6 matt
6 martin
6 kayla
6 jerry
6 james
(...too many tries...)
1 chicago
1 arbgirl_phpbb1
1 apple1
1 alan
1 administrator
1 absurdir_deadphp
Total 5058
Logons with null passwords
--------------------------
1 root
Total 1
Logons with or without password
-------------------------------
3423 root
11 admin
11 adam
10 ellen
9 ronald
9 paul
9 mail
9 jack
9 guest
9 francis
9 eric
9 danny
9 alex
8 apple
7 user
7 adrian
6 white
6 webster
6 viper
6 stephanie
6 russ
6 philip
6 mike
6 matt
(...and more combinations again...)
1 arbgirl_phpbb1
1 apple1
1 alan
1 absurdir_deadphp
Total 5073
Number of times a remote shell was opened
-----------------------------------------
Total 14
X11 forward requests
--------------------
Total 0
Executed different commands
---------------------------
Total 0
Number of times the intruder tries to change the terminal window size
---------------------------------------------------------------------
Total 0
IP Addresses
------------
1 209.152.166.77 - 5093 conexion(es)
2 172.179.184.30 - 1 conexion(es)
3 82.43.139.111 - 1 conexion(es)
Total 3
IP Addresses and Countries
--------------------------
1 209.152.166.77 - US, United States
2 172.179.184.30 - US, United States
3 82.43.139.111 - GB, United Kingdom
Total 3
Sessions opened by humans
-------------------------
0 human session(s) total
Humans detecteds by IP
----------------------
0 human(s) total
Internal Honeypot Errors
------------------------
Total 0
On 2005/07/30 I received various (all automated) attacks from the United States and the United Kingdom; only 14 remote shells were opened and not a single command was executed.
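The regex filtering used in this section and in the previous one (one IP address, one day, a date range), as an added example that is not Kojoney's own kojreport-filter code. Kojoney's real log format is not shown on this page, so the layout of the sample lines, the event names and the helper names are hypothetical and constructed for the example; what carries over is the semantics of the <filter> argument: a regular expression tried against every log line, with the prefix and unescaped-dot pitfalls mentioned above.

```python
"""Filtering a honeypot log with a regular expression, the way the
<filter> argument of kojreport-filter works (one IP address, one date,
or a date range), and summarising what matched.

Added example, not Kojoney's own kojreport-filter. Kojoney's real log
format is not shown in the FAQ, so the lines below use a hypothetical
one-event-per-line layout:
    YYYY/MM/DD HH:MM:SS <peer ip> <event> [user/password]
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample log, not real captured traffic.
SAMPLE_LOG = """\
2005/07/30 00:12:01 209.152.166.77 login-failed root/123456
2005/07/30 00:12:02 209.152.166.77 login-ok root/root
2005/07/30 00:12:02 209.152.166.77 shell-opened
2005/07/30 01:40:17 82.43.139.11 login-failed admin/admin
2005/07/30 01:40:19 82.43.139.111 login-ok admin/admin
2005/07/31 09:05:55 82.43.139.111 login-failed test/test
2005/07/31 09:06:00 82.43.139.111 command id
""".splitlines()


def filter_lines(lines: List[str], pattern: str) -> List[str]:
    """Keep the lines that match PATTERN (an unanchored regular expression)."""
    rx = re.compile(pattern)
    return [ln for ln in lines if rx.search(ln)]


def ip_filter(ip: str) -> str:
    """Regex that matches exactly one IPv4 address.

    Passing the bare address is a poor filter: '.' matches any character,
    and 82.43.139.11 is a prefix of 82.43.139.111, so both would be selected.
    Escaping the dots and forbidding adjacent digits fixes both problems.
    """
    return r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])"


def date_filter(prefix: str) -> str:
    """Regex for lines whose timestamp starts with PREFIX ('2005/07/30', '2005/07')."""
    return "^" + re.escape(prefix)


def date_range_filter(dates: List[str]) -> str:
    """Regex for a set of days, e.g. ['2005/07/30', '2005/07/31']."""
    return "^(?:" + "|".join(re.escape(d) for d in dates) + ")"


def summarize(lines: List[str]) -> Dict[str, Counter]:
    """Count successful and failed logons per user and logon attempts per IP."""
    ok, failed, per_ip = Counter(), Counter(), Counter()
    for ln in lines:
        fields = ln.split(" ", 3)
        if len(fields) < 4:
            continue
        ip, rest = fields[2], fields[3]
        event, _, detail = rest.partition(" ")
        user = detail.split("/", 1)[0]
        if event == "login-ok":
            ok[user] += 1
            per_ip[ip] += 1
        elif event == "login-failed":
            failed[user] += 1
            per_ip[ip] += 1
    return {"ok": ok, "failed": failed, "attempts_per_ip": per_ip}


if __name__ == "__main__":
    # Exactly one host, with the dots escaped and the prefix problem avoided.
    host = filter_lines(SAMPLE_LOG, ip_filter("82.43.139.11"))
    print(len(host), "line(s) from 82.43.139.11")
    # One day, anchored at the start of the line like '^2005/07/30' in the FAQ.
    day = summarize(filter_lines(SAMPLE_LOG, date_filter("2005/07/30")))
    print(dict(day["ok"]), dict(day["failed"]), dict(day["attempts_per_ip"]))
```

With the bare string "82.43.139.11" as the filter, four of the seven sample lines match, because the three lines from 82.43.139.111 contain it as a prefix; ip_filter() reduces that to the single line that really belongs to 82.43.139.11. The date filter is anchored with ^ exactly as the '^2005/07/30' example above, so a timestamp that happens to appear later in a line cannot match.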
Where can I get more information about honeypots?
The following is a list of locations where you will find interesting information about honeypots:
Thanks
Thanks to Bollofino for the good logo he truly made.
Thanks to Defero.tk for the translations and also for the good logo he made. (Don't look at http://defero.tk :P).
Thanks to barrapunto.com.
Thanks to my f* confusions.
Thanks to my girlfriend for her patience. What a cruel life... Or not :)
Thanks to the savane people for the CSS.
Thanks to the sourceforge.net people.
And, of course, thanks to all my attackers for their disinterested help.
Do you want to view a live honeypot?