Name: _____________________
1: Introduction
In this lab, we will configure a honeypot using the Kippo open source ssh honeypot, and use it to detect
and observe attacks started from an online password guessing tool, Hydra. We will use the following
two VMs:
Hydra is an online password guessing tool. Given a list of usernames and passwords, Hydra uses each
possible combination to attempt to login to a network service. Therefore, if you give Hydra a list of 10
usernames and a list of 100 passwords, it will then make 1000 attempts to login to the designated
service. Hydra is capable of guessing login credentials on a wide variety of systems, including ssh,
web applications, mail servers, database servers, and more. We will run Hydra on the Kali VM. Run
hydra with -h to see its usage and the options you will need:
$ hydra -h
Create two files, one containing a list of usernames, and the other containing a list of passwords. The
list of usernames should be stored in a file named users and contain the following strings:
msfadmin
root
student
The list of passwords should be stored in a file named passwords and contain the following:
password
password1
nku2014
msfadmin
toor
123456
2.1: Use Hydra to attempt to find ssh credentials on the Metasploitable2 VM. Include the output of
Hydra below, bolding the line where Hydra found the correct login credentials.
2.2: Repeat the attack against your Kali VM. Did it work or not? Include the output of Hydra below.
2.4: How many different valid usernames were attacked? How many invalid ones?
2.5: How many unsuccessful attacks do you find in the log? How many successful ones?
then start the database server. Create a database and mysql user for Kippo. There is no root password
for mysql by default, so just hit ENTER when asked for a password.
# mkdir /usr/local/src
# cd /usr/local/src
# wget http://kippo.googlecode.com/files/kippo-0.8.tar.gz
# tar zxvf kippo-0.8.tar.gz
# cd kippo-0.8/doc/sql
# mysql -u kippo -p
mysql> use kippo;
mysql> source mysql.sql;
mysql> show tables;
mysql> exit
Verify that the tables created by mysql.sql appear in the output of the show tables command.
Add your database configuration information to kippo.cfg:
# cd ../..
# cat >>kippo.cfg <<EOF
[database_mysql]
host = localhost
database = kippo
username = kippo
password = kippo
EOF
Create a Linux user named kippo and give ownership of the kippo files to this user.
# su kippo
$ cd kippo-0.8
$ ./start.sh
It will take a minute for Kippo to start in the background. By default, Kippo runs on port 2222, which
we can verify with the lsof command.
$ exit
# lsof -i | grep kippo
3.1: Attempt a password guessing attack with Hydra against Kippo. Which username and password
pair was correct?
$ hydra -L users -P passwords -s 2222 127.0.0.1 ssh -V
$ less /usr/local/src/kippo-0.8/log/kippo.log
3.2: Use ssh to log into Kippo with the credentials guessed via Hydra above. Replace USERNAME
with the one found above. What prompt do you see?
$ ssh -l USERNAME -p 2222 127.0.0.1
3.3: Can you find the successful ssh login in the kippo.log file? What are the log entries for the
successful login?
$ less /usr/local/src/kippo-0.8/log/kippo.log
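To answer 3.1 and 3.3 (and the same failed/successful counting over a longer log) without reading kippo.log by hand, here is an added example that is not part of the lab or of Kippo itself: a small Python parser for the login-attempt lines. It assumes the Kippo 0.8 line format shown in the constructed sample (timestamp, Twisted log prefix, then "login attempt [USER/PASS] failed|succeeded"); the timestamps, session numbers and the pair that succeeds are made up.

```python
import re
from collections import Counter

# Constructed sample of log/kippo.log. Assumption: Kippo 0.8 writes one
# "login attempt [USER/PASS] failed|succeeded" line per guess, prefixed by a
# timestamp and "[SSHService ssh-userauth on HoneyPotTransport,<session>,<ip>]".
# Timestamps, session numbers and the pair that succeeds are made up here.
SAMPLE_LOG = """\
2014-04-01 21:03:11-0400 [SSHService ssh-userauth on HoneyPotTransport,1,127.0.0.1] login attempt [msfadmin/password] failed
2014-04-01 21:03:11-0400 [SSHService ssh-userauth on HoneyPotTransport,2,127.0.0.1] login attempt [msfadmin/toor] failed
2014-04-01 21:03:12-0400 [SSHService ssh-userauth on HoneyPotTransport,3,127.0.0.1] login attempt [root/password] failed
2014-04-01 21:03:12-0400 [SSHService ssh-userauth on HoneyPotTransport,4,127.0.0.1] login attempt [student/nku2014] succeeded
2014-04-01 21:03:13-0400 [SSHService ssh-userauth on HoneyPotTransport,5,127.0.0.1] login attempt [root/123456] failed
2014-04-01 21:03:20-0400 [HoneyPotTransport,4,127.0.0.1] connection lost
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,"
    r"(?P<session>\d+),(?P<ip>[^\]]+)\] login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$"
)

def parse_attempts(text):
    """Return one dict per login-attempt line; unrelated lines are skipped."""
    return [m.groupdict() for m in map(LOGIN_RE.match, text.splitlines()) if m]

def summarize(text):
    """Answer the lab's counting questions for a chunk of kippo.log."""
    attempts = parse_attempts(text)
    return {
        "failed": sum(a["result"] == "failed" for a in attempts),
        "succeeded": sum(a["result"] == "succeeded" for a in attempts),
        "usernames": dict(Counter(a["user"] for a in attempts)),
        "successful_logins": [(a["user"], a["pw"], a["session"])
                              for a in attempts if a["result"] == "succeeded"],
    }

def guessing_sources(text, threshold=3):
    """Client IPs with at least `threshold` failed guesses: the burst a
    defender would alert on (the threshold is an arbitrary choice here)."""
    failures = Counter(a["ip"] for a in parse_attempts(text) if a["result"] == "failed")
    return {ip: n for ip, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(guessing_sources(SAMPLE_LOG))
```

Point it at the real file with summarize(open("/usr/local/src/kippo-0.8/log/kippo.log").read()); the session number in successful_logins is the one to look for when tracing the attacker's later commands in the same log.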
3.4: In one terminal, watch the Kippo logs using the tail -f command. In the other terminal, inside
your ssh session to Kippo, run commands to identify the OS and hardware of the “server” that you have
logged into. Do any of the commands show output that you would not expect from a legitimate Linux
server? What are the usernames of all accounts that have passwords?
# id
# uname -a
# cat /proc/cpuinfo
# cat /proc/meminfo
# cat /etc/passwd
# cat /etc/shadow
3.5: Install Hydra inside the honeypot, then run it. What happens when you attempt to run it?
# apt-get install hydra
# hydra
3.7: Kippo saves all files downloaded by the attacker, so that the files may be analyzed later. Is the file
stored by Kippo the same as the one you downloaded inside the honeypot? Replace FILENAME with the
name of the file stored by Kippo.
# cd /usr/local/src/kippo-0.8/dl/
# ls -l
# cat FILENAME
Paper and electronic copies of this lab are due the week after the class in which you begin this lab. Bring a
printed copy with your name on it to class and send an e-mail to your instructor with the subject “CIT
380 Lab #12: Honeypots” with the completed lab file attached with the name
lab12-honeypots-tunnels-USERNAME.odt.