From 4b3b993455df6781cdf81068996ab30ba980d9a6 Mon Sep 17 00:00:00 2001
From: gfoss
Date: Tue, 6 Jan 2015 23:17:24 -0700
Subject: [PATCH 1/5] log replay automation and dashboard functionality
Basic dashboard which displays high-level statistics and interesting data. Automate the log replay process by auto playing TTY sessions and sending emails containing the session details following successful breaches. Firewall script for port redirection.
---
 attempts.sh | 44 +++++++++++++++++++++++++++++++++++++++++++
 firewall.sh | 5 +++++
 log/played/.gitignore | 2 ++
 replay-alert.sh | 21 +++++++++++++++++++++
 stop.sh | 0
 5 files changed, 72 insertions(+)
 create mode 100755 attempts.sh
 create mode 100644 firewall.sh
 create mode 100644 log/played/.gitignore
 create mode 100755 replay-alert.sh
 mode change 100644 => 100755 stop.sh
diff --git a/attempts.sh b/attempts.sh
new file mode 100755
index 0000000..539e695
--- /dev/null
+++ b/attempts.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+# Basic dashboard to show recent honeypot stats...
+# greg.foss[at]owasp.org
+# v0.1 - 1/6/2015
+
+echo ""
+echo "reviewing logs -- this may take some time, please be patient..."
+echo ""
+
+# queries
+search=$(find /opt/kippo/log/kippo.log*)
+attackers=$(echo "$search" | xargs -n16 -P18 grep -iH 'login attempt' | cut -d "]" -f 1 | cut -d "," -f 3 | uniq);
+breaches=$(echo "$search" | xargs -n16 -P18 grep -iH 'cmd' | cut -d "," -f 3 | cut -d "]" -f 1 | uniq);
+files=$(echo "$search" | xargs -n16 -P18 grep -iH "http:" | cut -d"]" -f 2 | awk '{print $3}' | grep -v '^$\|wget\|<\|(\|)' | uniq);
+attempts=$(echo "$search" | xargs -n16 -P18 grep -iH 'login attempt' | cut -d "]" -f 2,3 | cut -d" " -f 4);
+
+# counts
+success=$(echo "$attempts" | grep '\[USERNAME1/PASSWORD1\]\|\[USERNAME2/PASSWORD2\]' | wc -l);
+attackercount=$(echo "$attackers" sort -u | wc -l)
+attemptcount=$(echo "$attempts" | wc -l);
+breachcount=$(echo "$breaches" | wc -l)
+filecount=$(echo "$files" | wc -l)
+
+clear
+echo ""
+echo "Kippo Honeypot Statistics"
+echo ""
+echo $success" => successful password guesses"
+echo $attemptcount" => total login attempts"
+echo $attackercount" => total attacking IPs (10 most recent entries below)"
+echo "--------------------"
+echo "$attackers" | tail -n 10
+echo "--------------------"
+echo ""
+echo $breachcount" => honeypot breaches (10 most recent entries below)"
+echo "--------------------"
+echo "$breaches" | uniq | tail -n 10
+echo "--------------------"
+echo ""
+echo $filecount" => payloads downloaded (10 most recent entries below)"
+echo "--------------------"
+echo "$files" | tail -n 10
+echo "--------------------"
+echo ""
\ No newline at end of file
diff --git a/firewall.sh b/firewall.sh
new file mode 100644
index 0000000..9c01c86
--- /dev/null
+++ b/firewall.sh
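Review bot: `attackercount=$(echo "$attackers" sort -u | wc -l)` is missing the pipe before `sort -u`, so the words `sort -u` are printed by echo instead of executed and the IP count is never de-duplicated; the line should be `attackercount=$(printf '%s\n' "$attackers" | sort -u | wc -l)`. The other counts share an empty-input off-by-one: when a query matches nothing, `echo "$x" | wc -l` still prints 1 because echo emits a newline, so the dashboard reports one attempt, breach or payload that does not exist; `grep -c .` in place of `wc -l` counts only non-empty lines. The `$success`, `$attemptcount` and similar expansions in the `echo` lines are unquoted, and the `files` list is written to the terminal as-is even though it presumably comes from commands typed into the honeypot, which deserves a comment such as `# payload URLs are attacker input; may contain control characters`.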
@@ -0,0 +1,5 @@
+#!/bin/bash
+# RUN AS ROOT
+# Set iptables to forward to the [default] kippo port
+
+iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
\ No newline at end of file
diff --git a/log/played/.gitignore b/log/played/.gitignore
new file mode 100644
index 0000000..d6b7ef3
--- /dev/null
+++ b/log/played/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/replay-alert.sh b/replay-alert.sh
new file mode 100755
index 0000000..3bb0874
--- /dev/null
+++ b/replay-alert.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+# Send alerts when the honeypot is breached, including attacker activity details...
+# greg.foss[at]owasp.org
+# v0.1 - 1/6/2015
+
+file=$(ls /opt/kippo/log/tty/*.log | cut -d"/" -f 6)
+filecount=$(ls /opt/kippo/log/tty/*.log | wc -l)
+host=$(ifconfig | grep 'inet addr' | grep -v '127' | cut -d":" -f2 | awk '{print $1}')
+hostname=$(hostname)
+
+if [ $filecount -gt 0 ]
+then
+ for i in $file; do
+ python /opt/kippo/utils/playlog.py /opt/kippo/log/tty/$i -m 1 > /opt/kippo/log/played/$i
+ mv /opt/kippo/log/tty/$i /opt/kippo/log/tty/old/
+ unix2dos /opt/kippo/log/played/$i
+ sendEmail -f [FROM@ADDRESS.COM] -t [TO@ADDRESS.COM] -u "Kippo Honeypot Breached" -m "A Kippo Honeypot [$hostname] located at [$host] has been breached. A log of the attacker's activities has been attached for review" -a /opt/kippo/log/played/$i -s [YOUR.MAIL.SERVER]:25 -o tls=no
+ done;
+else
+ exit
+fi
diff --git a/stop.sh b/stop.sh
old mode 100644
new mode 100755
From ccf669ed3ad2a15c04c846971c694dcd8c370e8a Mon Sep 17 00:00:00 2001
From: gfoss
Date: Tue, 6 Jan 2015 23:27:43 -0700
Subject: [PATCH 2/5] chmod...
---
 firewall.sh | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 firewall.sh
diff --git a/firewall.sh b/firewall.sh
old mode 100644
new mode 100755
From 98a6470661d40b41affa3caa429ea43286fc0a1a Mon Sep 17 00:00:00 2001
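Review bot: `iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222` appends unconditionally, so every run of firewall.sh adds one more identical REDIRECT rule to the nat table; on iptables builds that support `-C`, check first: `iptables -t nat -C PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222 2>/dev/null || iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222`. Nothing in the script persists the rule across a reboot, which the header comment should state, e.g. `# Not persistent: re-run after reboot or save with the distribution's iptables-save mechanism`. The "RUN AS ROOT" comment is not enforced; `[[ $EUID -eq 0 ]] || { printf 'run as root\n' >&2; exit 1; }` turns an iptables permission error into an explicit failure.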
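Review bot: The exit status of `python /opt/kippo/utils/playlog.py /opt/kippo/log/tty/$i -m 1 > /opt/kippo/log/played/$i` is never checked, so when the replay fails the empty or partial output file is still moved out of tty/, converted and mailed as if it were the full session; `python /opt/kippo/utils/playlog.py "/opt/kippo/log/tty/$i" -m 1 > "/opt/kippo/log/played/$i" || { printf 'playlog failed for %s\n' "$i" >&2; continue; }` keeps the original in place for a retry. `file=$(ls /opt/kippo/log/tty/*.log | cut -d"/" -f 6)` parses ls output and hard-codes the directory depth, and `for i in $file` relies on word-splitting; iterating the glob directly (`for path in /opt/kippo/log/tty/*.log` with `i=${path##*/}` and an `[[ -e "$path" ]] || continue` guard) avoids both and makes the separate `filecount` check unnecessary. `sendEmail ... -o tls=no` submits the attacker's full session transcript and the honeypot's address to the relay in cleartext; if that is deliberate it deserves a comment saying why, otherwise the option should be dropped so STARTTLS can be used where the relay offers it. The `[FROM@ADDRESS.COM]`, `[TO@ADDRESS.COM]` and `[YOUR.MAIL.SERVER]` placeholders are passed to sendEmail literally if left unedited, so a `: "${MAIL_TO:?set MAIL_TO}"`-style guard near the top would fail loudly instead of silently producing no alert.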
From: gfoss
Date: Wed, 7 Jan 2015 00:10:28 -0700
Subject: [PATCH 3/5] small change
---
 replay-alert.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/replay-alert.sh b/replay-alert.sh
index 3bb0874..5b3bc62 100755
--- a/replay-alert.sh
+++ b/replay-alert.sh
@@ -13,7 +13,7 @@ then
 for i in $file; do
 python /opt/kippo/utils/playlog.py /opt/kippo/log/tty/$i -m 1 > /opt/kippo/log/played/$i
 mv /opt/kippo/log/tty/$i /opt/kippo/log/tty/old/
- unix2dos /opt/kippo/log/played/$i
+ unix2dos -f /opt/kippo/log/played/$i
 sendEmail -f [FROM@ADDRESS.COM] -t [TO@ADDRESS.COM] -u "Kippo Honeypot Breached" -m "A Kippo Honeypot [$hostname] located at [$host] has been breached. A log of the attacker's activities has been attached for review" -a /opt/kippo/log/played/$i -s [YOUR.MAIL.SERVER]:25 -o tls=no
 done;
 else
From 38df4e7a5f794799c03d6cfd8865d71e29fdc9e4 Mon Sep 17 00:00:00 2001
From: gfoss
Date: Sun, 11 Jan 2015 11:24:41 -0700
Subject: [PATCH 4/5] small terminal dashboard changes
---
 attempts.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/attempts.sh b/attempts.sh
index 539e695..90ecd3d 100755
--- a/attempts.sh
+++ b/attempts.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # Basic dashboard to show recent honeypot stats...
 # greg.foss[at]owasp.org
-# v0.1 - 1/6/2015
+# v0.2 - 1/8/2015
 echo ""
 echo "reviewing logs -- this may take some time, please be patient..."
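Review bot: The new `unix2dos -f /opt/kippo/log/played/$i` carries no comment explaining why forced conversion is needed; since the played file is a terminal replay it presumably contains control bytes that unix2dos would otherwise classify as binary and skip, and a comment such as `# -f: replay output contains terminal control bytes that unix2dos otherwise treats as binary and refuses to convert` would record that, so it is worth confirming that this is the reason. The path on the same line is still unquoted; `unix2dos -f "/opt/kippo/log/played/$i"` costs nothing and matches the quoting the rest of the loop should have. The enclosing `if`/`for` block begins before this hunk and the `if` closes after it.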
@@ -9,8 +9,8 @@ echo ""
 # queries
 search=$(find /opt/kippo/log/kippo.log*)
-attackers=$(echo "$search" | xargs -n16 -P18 grep -iH 'login attempt' | cut -d "]" -f 1 | cut -d "," -f 3 | uniq);
-breaches=$(echo "$search" | xargs -n16 -P18 grep -iH 'cmd' | cut -d "," -f 3 | cut -d "]" -f 1 | uniq);
+attackers=$(echo "$search" | xargs -n16 -P18 grep -iH 'login attempt' | cut -d "]" -f 1 | cut -d "," -f 3 | grep -v 'login' | uniq);
+breaches=$(echo "$search" | xargs -n16 -P18 grep -iH 'cmd' | cut -d "," -f 3 | cut -d "]" -f 1 | grep -v 'login' | uniq);
 files=$(echo "$search" | xargs -n16 -P18 grep -iH "http:" | cut -d"]" -f 2 | awk '{print $3}' | grep -v '^$\|wget\|<\|(\|)' | uniq);
 attempts=$(echo "$search" | xargs -n16 -P18 grep -iH 'login attempt' | cut -d "]" -f 2,3 | cut -d" " -f 4);
@@ -29,7 +29,7 @@ echo $success" => successful password guesses"
 echo $attemptcount" => total login attempts"
 echo $attackercount" => total attacking IPs (10 most recent entries below)"
 echo "--------------------"
-echo "$attackers" | tail -n 10
+echo "$attackers" | uniq | tail -n 10
 echo "--------------------"
 echo ""
 echo $breachcount" => honeypot breaches (10 most recent entries below)"
@@ -39,6 +39,6 @@ echo "--------------------"
 echo ""
 echo $filecount" => payloads downloaded (10 most recent entries below)"
 echo "--------------------"
-echo "$files" | tail -n 10
+echo "$files" | uniq | tail -n 10
 echo "--------------------"
 echo ""
\ No newline at end of file
From 3e9861523e396c2917ac13afb5d7a35c6a950a26 Mon Sep 17 00:00:00 2001
From: gfoss
Date: Wed, 13 May 2015 21:09:07 -0600
Subject: [PATCH 5/5] get-creds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Added a tiny script to extract credentials from kippo logs — great for internal pentests :-)
---
 get-creds.sh | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 get-creds.sh
diff --git a/get-creds.sh b/get-creds.sh
new file mode 100644
index 0000000..fd32572
--- /dev/null
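Review bot: The `uniq` kept at the end of the new `attackers` and `breaches` pipelines only collapses adjacent duplicates, and because `xargs -n16 -P18` runs up to 18 greps in parallel the merged output is not in log order, so an IP seen in several log files is still listed several times and the `tail -n 10` changed in the two later hunks of this patch (file lines 32 and 42) shows entries that are neither unique nor reliably the most recent. Dropping `-P18` (keeping `-n16`) restores file order, and `awk '!seen[$0]++'` in place of `uniq` removes duplicates regardless of adjacency. The added `grep -v 'login'` appears to exist because `cut` echoes a whole line when the delimiter is absent, letting unparsed log lines through; `cut -s` states that intent directly (lines without the delimiter are suppressed) and cannot accidentally drop a genuine entry that happens to contain the substring.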
+++ b/get-creds.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+attempts=$(cat /opt/kippo/log/kippo.log | grep 'login attempt' | wc -l);
+echo ""
+echo $attempts" => login attempts"
+echo "--------------------"
+cat /opt/kippo/log/kippo.log | grep 'login attempt' | cut -d " " -f 3 4 5 | awk '{print "["$1" "$4}'
+echo "--------------------"
+echo ""
\ No newline at end of file
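Review bot: `cut -d " " -f 3 4 5` does not select three fields: cut takes a single field-list argument, so `4` and `5` are treated as input file names and cut reads those (non-existent) files instead of the pipe, failing with "No such file or directory"; whatever fields were intended must be one token, e.g. `cut -d " " -f 3-5`. Even with that fixed, the following `awk '{print "["$1" "$4}'` prints `$4`, which is empty after a three-field cut, so the intended field numbers should be rechecked against a real log line. The two `cat ... | grep 'login attempt'` pipelines reduce to `grep 'login attempt' /opt/kippo/log/kippo.log`, and `grep -c 'login attempt' /opt/kippo/log/kippo.log` replaces the first one including `wc -l`. Unlike attempts.sh this reads only the current kippo.log and not the rotated `kippo.log*` files, and the printed values are attacker-supplied usernames and passwords written unescaped to the terminal; both belong in a header comment, e.g. `# Reads only the current kippo.log (rotated logs excluded); output is attacker input, treat as untrusted`.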