
Deploying the Kippo honeypot

充培
2023-12-01

1. Introduction to Kippo

Once an attacker has gained access to a server through an intrusion, they will very likely run wide port scans across the same subnet in order to move laterally and take control of more servers. Deploying an SSH honeypot on the internal network lures the attacker into the honeypot, triggers a real-time alert, and tells you which server has already been compromised and what the attacker did on the honeypot; by mixing honeypot servers in with production servers on the network, intrusion behaviour can be captured. Kippo is a medium-interaction SSH honeypot that records the attacker's entire shell interaction. (Most companies use commercial intrusion protection, so this article is just for study; it only covers installation, deployment and usage, and alerting is left to a later article.)

2. Kippo features

  • It is deceptive: for example, when you use ssh it appears to connect somewhere, but exit or CTRL+D does not actually log you out.
  • Session logs are stored in a UML-compatible format, which makes replay with the original timestamps easy.
  • It has a fake filesystem with the ability to add and delete files.
  • It can hold fake file contents, so the attacker can view files with the cat command.

3. Installation and deployment

Install dependencies

[root@localhost ~]# yum -y install gcc python-devel epel-release git
[root@localhost ~]# yum -y install python-pip
[root@localhost ~]# pip install twisted==15.2.0
[root@localhost ~]# pip install pycrypto

Create a user

[root@localhost ~]# groupadd -g 1001 kippo
[root@localhost ~]# useradd -g 1001 -u 1001 -d /kippo kippo

Download and start as the kippo user

[root@localhost ~]# su - kippo
[kippo@localhost ~]$ cd /kippo/
[kippo@localhost ~]$ git clone https://github.com/desaster/kippo.git
[kippo@localhost ~]$ cd kippo/
[kippo@localhost kippo]$ ls
data  doc        honeyfs  kippo.cfg.dist  log        start.sh  txtcmds
dl    fs.pickle  kippo    kippo.tac       README.md  stop.sh   utils
[kippo@localhost kippo]$ cp kippo.cfg.dist kippo.cfg
[kippo@localhost kippo]$ ./start.sh 
twistd (the Twisted daemon) 15.2.0
Copyright (c) 2001-2015 Twisted Matrix Laboratories.
See LICENSE for details.
Starting kippo in the background...
:0: UserWarning: You do not have a working installation of the service_identity module: 'No module named service_identity'.  Please install it from <https://pypi.python.org/pypi/service_identity> and make sure all of its dependencies are satisfied.  Without the service_identity module and a recent enough pyOpenSSL to support it, Twisted can perform only rudimentary TLS client hostname verification.  Many valid certificate/hostname mappings may be rejected.
Generating new RSA keypair...
Done.
Generating new DSA keypair...
Done.   # when this appears, startup succeeded

View the default honeypot password

[kippo@localhost kippo]$ ls
data  doc        honeyfs  kippo.cfg       kippo.pid  log        start.sh  txtcmds
dl    fs.pickle  kippo    kippo.cfg.dist  kippo.tac  README.md  stop.sh   utils
[kippo@localhost kippo]$ cd data/
[kippo@localhost data]$ ls
ssh_host_dsa_key  ssh_host_dsa_key.pub  ssh_host_rsa_key  ssh_host_rsa_key.pub  userdb.txt
[kippo@localhost data]$ cat userdb.txt 
root:0:123456
The root user's password is 123456; this can be changed.

Login information recorded in kippo.log

[kippo@localhost data]$ cd ..
[kippo@localhost kippo]$ ls
data  doc        honeyfs  kippo.cfg       kippo.pid  log        start.sh  txtcmds
dl    fs.pickle  kippo    kippo.cfg.dist  kippo.tac  README.md  stop.sh   utils
[kippo@localhost kippo]$ cd log/
[kippo@localhost log]$ ls
kippo.log  tty
Login information is saved in kippo.log

Simulate a login from another server

[root@localhost ~]# ssh root@192.168.52.132 -p 2222
The authenticity of host '[192.168.52.132]:2222 ([192.168.52.132]:2222)' can't be established.
RSA key fingerprint is SHA256:sjoer+4SI5IuO/DkAPyC1nmWS6+dOs4X2KP4Ejsju9Y.
RSA key fingerprint is MD5:d1:54:67:01:fe:d5:a9:f7:52:20:48:28:55:22:07:b2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.52.132]:2222' (RSA) to the list of known hosts.
Password:
root@svr03:~#  
Here I specified the port number when logging in; if you do not want to specify it, you can change the sshd service port to something else and set Kippo to 22.

Check on the honeypot server

[kippo@localhost log]$ cat kippo.log
2021-05-17 16:55:08+0800 [-] Log opened.
2021-05-17 16:55:08+0800 [-] twistd 15.2.0 (/usr/bin/python2 2.7.5) starting up. # honeypot version
2021-05-17 16:55:08+0800 [-] reactor class: twisted.internet.epollreactor.EPollReactor.
2021-05-17 16:58:45+0800 [-] New connection: 192.168.52.133:46858 (192.168.52.132:2222) [session: 0]
2021-05-17 16:58:45+0800 [-] Remote SSH version: SSH-2.0-OpenSSH_7.4 # sshd service version
2021-05-17 16:58:45+0800 [HoneyPotTransport,0,192.168.52.133] kex alg, key alg: diffie-hellman-group-exchange-sha1 ssh-rsa
HoneyPotTransport,0,192.168.52.133] root trying auth keyboard-interactive
2021-05-17 16:58:55+0800 [-] login attempt [root/123456] succeeded # username and password entered when logging in to the honeypot
2021-05-17 17:00:29+0800 [-] CMD: cd /
2021-05-17 17:00:29+0800 [-] Command found: cd / # command executed in the honeypot
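As an added example (not part of the original post, nor Kippo's own code), a small Python parser for the kippo.log line formats shown above, which extracts the three things a defender wants from the honeypot: the internal source host that connected, whether a login succeeded, and the commands typed afterwards. The sample log lines are constructed after the output above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample, modelled on the kippo.log lines shown in this post.
SAMPLE_LOG = """\
2021-05-17 16:55:08+0800 [-] Log opened.
2021-05-17 16:58:45+0800 [-] New connection: 192.168.52.133:46858 (192.168.52.132:2222) [session: 0]
2021-05-17 16:58:45+0800 [-] Remote SSH version: SSH-2.0-OpenSSH_7.4
2021-05-17 16:58:50+0800 [-] login attempt [root/toor] failed
2021-05-17 16:58:55+0800 [-] login attempt [root/123456] succeeded
2021-05-17 17:00:29+0800 [-] CMD: cd /
2021-05-17 17:00:29+0800 [-] Command found: cd /
2021-05-17 17:00:40+0800 [HoneyPotTransport,0,192.168.52.133] CMD: uname -a
"""

# Every kippo.log line starts with a timestamp and a bracketed source tag,
# either "[-]" or "[HoneyPotTransport,<session>,<ip>]".
TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4}) \[[^\]]*\] "
PATTERNS = {
    "connection": re.compile(TS + r"New connection: (?P<src>[\d.]+):(?P<sport>\d+) "
                             r"\((?P<dst>[\d.]+):(?P<dport>\d+)\)"),
    "login": re.compile(TS + r"login attempt \[(?P<user>[^/]*)/(?P<password>[^\]]*)\] "
                        r"(?P<result>succeeded|failed)"),
    "command": re.compile(TS + r"CMD: (?P<cmd>.*)$"),
}


@dataclass
class Event:
    kind: str
    ts: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_kippo_log(text: str) -> List[Event]:
    """Turn raw kippo.log text into connection, login and command events."""
    events = []
    for line in text.splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                fields = m.groupdict()
                events.append(Event(kind, fields.pop("ts"), fields))
                break  # one event per line; unmatched lines are ignored
    return events


def alert_summary(events: List[Event]) -> dict:
    """What an alert should carry: which host touched the honeypot, whether a
    login succeeded (so that host is likely already compromised), and what was run."""
    sources = sorted({e.fields["src"] for e in events if e.kind == "connection"})
    logins_ok = sum(1 for e in events if e.kind == "login" and e.fields["result"] == "succeeded")
    commands = [e.fields["cmd"] for e in events if e.kind == "command"]
    return {"sources": sources, "successful_logins": logins_ok, "commands": commands}
```

Any connection at all to an internal honeypot is worth an alert; a successful login tells you the source host should be treated as compromised.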

Output the complete shell interaction as a replay

[kippo@localhost tty]$ /kippo/kippo/utils/playlog.py -m 1 /kippo/kippo/log/tty/20210517-165855-2060.log