diff --git a/attempts.sh b/attempts.sh
new file mode 100755
index 0000000..90ecd3d
--- /dev/null
+++ b/attempts.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+# Basic dashboard to show recent honeypot stats...
+# greg.foss[at]owasp.org
+# v0.2 - 1/8/2015
+
+echo ""
+echo "reviewing logs -- this may take some time, please be patient..."
+echo ""
+
+# queries
+search=$(find /opt/kippo/log/kippo.log*)
+attackers=$(echo "$search" | xargs -n16 -P18 grep -iH 'login attempt' | cut -d "]" -f 1 | cut -d "," -f 3 | grep -v 'login' | uniq);
+breaches=$(echo "$search" | xargs -n16 -P18 grep -iH 'cmd' | cut -d "," -f 3 | cut -d "]" -f 1 | grep -v 'login' | uniq);
+files=$(echo "$search" | xargs -n16 -P18 grep -iH "http:" | cut -d"]" -f 2 | awk '{print $3}' | grep -v '^$\|wget\|<\|(\|)' | uniq);
+attempts=$(echo "$search" | xargs -n16 -P18 grep -iH 'login attempt' | cut -d "]" -f 2,3 | cut -d" " -f 4);
+
+# counts
+success=$(echo "$attempts" | grep '\[USERNAME1/PASSWORD1\]\|\[USERNAME2/PASSWORD2\]' | wc -l);
+attackercount=$(echo "$attackers" sort -u | wc -l)
+attemptcount=$(echo "$attempts" | wc -l);
+breachcount=$(echo "$breaches" | wc -l)
+filecount=$(echo "$files" | wc -l)
+
+clear
+echo ""
+echo "Kippo Honeypot Statistics"
+echo ""
+echo $success" => successful password guesses"
+echo $attemptcount" => total login attempts"
+echo $attackercount" => total attacking IPs (10 most recent entries below)"
+echo "--------------------"
+echo "$attackers" | uniq | tail -n 10
+echo "--------------------"
+echo ""
+echo $breachcount" => honeypot breaches (10 most recent entries below)"
+echo "--------------------"
+echo "$breaches" | uniq | tail -n 10
+echo "--------------------"
+echo ""
+echo $filecount" => payloads downloaded (10 most recent entries below)"
+echo "--------------------"
+echo "$files" | uniq | tail -n 10
+echo "--------------------"
+echo ""
\ No newline at end of file
diff --git a/firewall.sh b/firewall.sh
new file mode 100755
index 0000000..9c01c86
--- /dev/null
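Review bot: The `attackercount` line is missing the pipe before `sort -u`, so `echo "$attackers" sort -u` prints the whole list plus the literal words `sort -u` as one line and `wc -l` always reports 1; it should read `attackercount=$(echo "$attackers" | sort -u | wc -l)`. The other `uniq` calls only collapse adjacent duplicates, and `xargs -P18` lets the parallel greps interleave output across log files, so the per-IP lists and the `tail -n 10` "most recent" views are not in log order — dropping `-P18` (or piping through `sort`) makes them deterministic. The `$attackers`, `$breaches` and `$files` values are cut from attacker-driven log lines and are echoed straight to the terminal; piping the three `tail -n 10` outputs through `cat -v` would neutralize any terminal escape sequences an attacker put into a command or URL. The `[USERNAME1/PASSWORD1]` placeholders in the `success` grep must be edited to the honeypot's configured credentials or that count stays at 0.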
+++ b/firewall.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# RUN AS ROOT
+# Set iptables to forward to the [default] kippo port
+
+iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
\ No newline at end of file
diff --git a/get-creds.sh b/get-creds.sh
new file mode 100644
index 0000000..fd32572
--- /dev/null
+++ b/get-creds.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+attempts=$(cat /opt/kippo/log/kippo.log | grep 'login attempt' | wc -l);
+echo ""
+echo $attempts" => login attempts"
+echo "--------------------"
+cat /opt/kippo/log/kippo.log | grep 'login attempt' | cut -d " " -f 3 4 5 | awk '{print "["$1" "$4}'
+echo "--------------------"
+echo ""
\ No newline at end of file
diff --git a/log/played/.gitignore b/log/played/.gitignore
new file mode 100644
index 0000000..d6b7ef3
--- /dev/null
+++ b/log/played/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/replay-alert.sh b/replay-alert.sh
new file mode 100755
index 0000000..5b3bc62
--- /dev/null
+++ b/replay-alert.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+# Send alerts when the honeypot is breached, including attacker activity details...
+# greg.foss[at]owasp.org
+# v0.1 - 1/6/2015
+
+file=$(ls /opt/kippo/log/tty/*.log | cut -d"/" -f 6)
+filecount=$(ls /opt/kippo/log/tty/*.log | wc -l)
+host=$(ifconfig | grep 'inet addr' | grep -v '127' | cut -d":" -f2 | awk '{print $1}')
+hostname=$(hostname)
+
+if [ $filecount -gt 0 ]
+then
+ for i in $file; do
+ python /opt/kippo/utils/playlog.py /opt/kippo/log/tty/$i -m 1 > /opt/kippo/log/played/$i
+ mv /opt/kippo/log/tty/$i /opt/kippo/log/tty/old/
+ unix2dos -f /opt/kippo/log/played/$i
+ sendEmail -f [FROM@ADDRESS.COM] -t [TO@ADDRESS.COM] -u "Kippo Honeypot Breached" -m "A Kippo Honeypot [$hostname] located at [$host] has been breached. A log of the attacker's activities has been attached for review" -a /opt/kippo/log/played/$i -s [YOUR.MAIL.SERVER]:25 -o tls=no
+ done;
+else
+ exit
+fi
diff --git a/stop.sh b/stop.sh
old mode 100644
new mode 100755
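Review bot: The `iptables -A` on the last line of firewall.sh appends a fresh rule on every invocation, so running the script twice leaves duplicate REDIRECT entries in the nat table; guard it with a check first, `iptables -t nat -C PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222 2>/dev/null || iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222`. The rule has no `-i` interface match, so every inbound TCP/22 connection on every interface is handed to kippo — the header comment should state that the real sshd must already be listening on another port before this runs, otherwise remote administration is lost. Nothing persists the rule (no `iptables-save` or distro restore hook), so it is gone after a reboot; a one-line comment saying so would spare an operator the surprise.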
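Review bot: `cut -d " " -f 3 4 5` on the seventh line of get-creds.sh is not valid cut syntax — only `3` is taken as the field list and `4` and `5` become file operands, so cut tries to read nonexistent files named `4` and `5` instead of the pipe and the credential list never prints; the range form is `cut -d " " -f 3-5`. Even with that fix the awk prints `$1` and `$4`, but only three space-separated fields survive the cut, so `$4` there is empty — the field numbers should be checked against a real `login attempt` line from kippo.log. The `attempts` count can be `grep -c 'login attempt' /opt/kippo/log/kippo.log` rather than `cat | grep | wc -l`. The usernames and passwords printed here are attacker-supplied strings, so piping the output through `cat -v` keeps escape sequences from reaching the terminal.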
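Review bot: The loop in replay-alert.sh processes every `*.log` under `log/tty/` as soon as it exists, including a session kippo may still be writing, so `playlog.py` can emit a partial transcript and the `mv` on the following line moves a file that is presumably still open; selecting only files idle for a few minutes (`find ... -mmin +5`, threshold to taste) avoids alerting on a half-recorded session. The `mv` target `/opt/kippo/log/tty/old/` is not created anywhere in this commit (only `log/played/` is, via its `.gitignore`), and when it is missing the move fails, the file stays in `tty/`, and the same transcript is re-mailed on every run — a `mkdir -p` up front fixes that and the first-run case for `played/`. `-o tls=no` ships the attacker's full session transcript to the relay in cleartext; if `[YOUR.MAIL.SERVER]` supports STARTTLS this should be `-o tls=yes`. Note also that `grep 'inet addr'` only matches the old net-tools ifconfig output, so `$host` may be empty in the alert body on newer systems.
```shell
# make sure the destination directories exist before the first run
mkdir -p /opt/kippo/log/tty/old /opt/kippo/log/played

# only replay sessions that have been idle for a while; kippo may still be writing to a live tty log
while IFS= read -r -d '' path; do
  i=${path##*/}
  python /opt/kippo/utils/playlog.py "$path" -m 1 > "/opt/kippo/log/played/$i"
  mv -- "$path" /opt/kippo/log/tty/old/ || continue
  unix2dos -f "/opt/kippo/log/played/$i"
  # … unchanged: sendEmail call (use -o tls=yes if the relay supports STARTTLS) …
done < <(find /opt/kippo/log/tty -maxdepth 1 -name '*.log' -mmin +5 -print0)
```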