Making kippo reachable through port 22

Full NAT ( -> Source IP get lost):

  iptables -t nat -A PREROUTING -i IN_IFACE -p tcp --dport 22 -j DNAT --to-destination HONEYPOT:PORT
  iptables -t nat -A POSTROUTING -p tcp --dst HONEYPOT --dport PORT -j SNAT --to-source ROUTER_IP

Using REDIRECT target, for kippo running on the same box (source IP address won't get lost):

iptables -t nat -A PREROUTING -i IN_IFACE -p tcp --dport 22 -j REDIRECT --to-port HONEYPOT_PORT

here is the PF (BSD firewall) entry:

rdr pass on $ext_if proto tcp from any to any port 22 -> localhost port 2222

where $ext_if is a macro for your external network interface.

Hi all, first of all great job !

1) On iptables:

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -d ${myip} -p tcp --dport 22 -j REDIRECT --to-port 2222

Do you agree ? My iptables fu is not so good..

2) One other note: From windows putty I can connect to kippo honeypot, but once connected, if i do a 'exit' or CTRL+D, the hostname of the machine disappear and i get a 'localhost invite. cf logs from putty: --- login as: root Using keyboard-interactive authentication. Password: Ubuntu:~# ls Ubuntu:~# exit Connection to server closed. localhost:~# <-- here i can type commands...again... --- If i type 'exit' another type, this time i'm logged out.

Is it normal behavior ?

Thanks !!

Hi, for the iptables i found, it's normal :)

For the CTRL+D, i've no answer at the moment...

Regarding the exit command. Its a part of the features, its to see if it can trick the person into thinking they have disconnected and type any other interesting commands.

Features

Some interesting features:

• Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
• Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included
• Session logs stored in an UML compatible format for easy replay with original timings
• Just like Kojoney, Kippo saves files downloaded with wget for later inspection
• Trickery; ssh pretends to connect somewhere, exit doesn't really exit, etc

hi great work ,really needed but how can you log intruders if it listens on 2222 port

I run twistd -y kippo.tac -n ,I test with ssh -p 2222 and I see results ,but after implementing the setcap thing ,I SSH with putty and no results comes up

Hi you can run kippo directly on port 22, by using authbind

First install authbind, on debian / ubuntu

$ sudo apt-get install authbind

Next with root:

# touch /etc/authbind/byport/22

# chown kippo:kippo /etc/authbind/byport/22

# chmod 777 /etc/authbind/byport/22

Now with the kippo's user change the start.sh from:

twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid

to:

authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid

Finished Kippo is running on port 22!!

Regards

Pedro H. Matheus

Also, you can use rinetd

In //etc/rinetd.conf add

# bindadress           bindport  connectaddress  connectport
your_server_ip_adress      22     localhost         2222

and start rinetd.

In the authbind solution don't forget to change ssh_port to 22 in kippo.cfg file !!