CIT 380: Securing Computer Systems

Lab #12: Honeypots

Name: _____________________

1: Introduction

In this lab, we will configure a honeypot using the Kippo open source ssh honeypot, and use it to detect
and observe attacks started from an online password guessing tool, Hydra. We will use the following
two VMs:

1. Client: Kali Linux
2. Server: Metasploitable2

We will run both Hydra and Kippo on the Kali VM, and we will attempt password guessing with Hydra
against both VMs.

References

1. Kippo home page, http://code.google.com/p/kippo/
2. Hydra home page, https://www.thc.org/thc-hydra/

2: Password Guessing with Hydra

Hydra is an online password guessing tool. Given a list of usernames and passwords, Hydra uses each
possible combination to attempt to login to a network service. Therefore, if you give Hydra a list of 10
usernames and a list of 100 passwords, it will then make 1000 attempts to login to the designated
service. Hydra is capable of guessing login credentials on a wide variety of systems, including ssh,
web applications, mail servers, database servers, and more. We will run Hydra on the Kali VM. Run
hydra with the -h option to see which options you will need to use.

$ hydra -h

Create two files, one containing a list of usernames, and the other containing a list of passwords. The
list of usernames should be stored in a file named users and contain the following strings:

msfadmin
root
student

The list of passwords should be stored in a file named passwords and contain the following:

password
password1
nku2014
msfadmin
toor
123456

2.1: Use Hydra to attempt to find ssh credentials on the Metasploitable2 VM. Include the output of
Hydra below, bolding the line where Hydra found the correct login credentials.

$ hydra -L users -P passwords SERVER_IP ssh -V

2.2: Repeat the attack against your Kali VM. Did it work or not? Include the output of Hydra below.

$ hydra -L users -P passwords 127.0.0.1 ssh -V


2.3: Let's examine the logs on the Metasploitable2 VM to see if we can detect the password guessing
attack. Authentication logs are stored in /var/log/auth.log, which is readable only by root for security.
Include one of the log entries in the box below. Bold the IP address from which the attack was
launched.

$ sudo less /var/log/auth.log

2.4: How many different valid usernames were attacked? How many invalid ones?

$ sudo less /var/log/auth.log

2.5: How many unsuccessful attacks do you find in the log? How many successful ones?

$ sudo less /var/log/auth.log
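Questions 2.3 to 2.5 are answered by reading auth.log by hand; the script below, added here as an example and not part of the lab handout, does the same bookkeeping automatically over a few constructed sshd log lines in the format Metasploitable2's OpenSSH writes. The addresses, timestamps and the detection threshold are made up.

```python
import re

# Constructed sample of /var/log/auth.log (not captured from the lab VMs).
# OpenSSH writes "invalid user" only when the username does not exist.
SAMPLE_AUTH_LOG = """\
Apr  1 10:00:01 metasploitable sshd[2201]: Invalid user student from 192.168.56.101
Apr  1 10:00:01 metasploitable sshd[2201]: Failed password for invalid user student from 192.168.56.101 port 40123 ssh2
Apr  1 10:00:02 metasploitable sshd[2203]: Failed password for root from 192.168.56.101 port 40124 ssh2
Apr  1 10:00:02 metasploitable sshd[2205]: Failed password for msfadmin from 192.168.56.101 port 40125 ssh2
Apr  1 10:00:03 metasploitable sshd[2207]: Accepted password for msfadmin from 192.168.56.101 port 40126 ssh2
"""

FAILED = re.compile(r"Failed password for (invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+) port \d+")


def _entry(summary, ip):
    """Per-source-IP record: attempt counts plus the valid/invalid usernames tried."""
    return summary.setdefault(ip, {"failed": 0, "accepted": 0,
                                   "valid_users": set(), "invalid_users": set()})


def summarize(log_text):
    """Answer 2.3-2.5: who attacked, which usernames were valid, how many attempts failed/succeeded."""
    summary = {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            invalid, user, ip = m.group(1) is not None, m.group(2), m.group(3)
            rec = _entry(summary, ip)
            rec["failed"] += 1
            (rec["invalid_users"] if invalid else rec["valid_users"]).add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            rec = _entry(summary, ip)
            rec["accepted"] += 1
            rec["valid_users"].add(user)   # an accepted login proves the account exists
    return summary


def suspicious_sources(summary, threshold=3):
    """Simple password-guessing detector: sources with at least `threshold` failed logins."""
    return sorted(ip for ip, rec in summary.items() if rec["failed"] >= threshold)
```

Run it over the real file with `summarize(open("/var/log/auth.log").read())` as root; a source that shows up in `suspicious_sources` and then in an "Accepted password" line is the case the lab asks you to spot.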

3: Installing the Kippo Honeypot

On the Kali VM, install the packages that Kippo depends on:

$ sudo -s
# apt-get update
# apt-get install apache2 mysql-client mysql-server python-twisted python-mysqldb subversion

Then start the database server, and create a database and MySQL user for Kippo. There is no root
password for MySQL by default, so just hit ENTER when asked for a password.

# service mysql start
# mysql -h localhost -u root -p
mysql> create database kippo;
mysql> GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'kippo';
mysql> exit

Download Kippo and uncompress it, then load the Kippo schema into the new database.

# mkdir /usr/local/src
# cd /usr/local/src
# wget http://kippo.googlecode.com/files/kippo-0.8.tar.gz
# tar zxvf kippo-0.8.tar.gz
# cd kippo-0.8/doc/sql
# mysql -u kippo -p
mysql> use kippo;
mysql> source mysql.sql;
mysql> show tables;
mysql> exit

Verify that the tables created by mysql.sql appear in the output of the show tables command.
Then add your database configuration information to kippo.cfg:

# cd ../..
# cat >>kippo.cfg <<EOF
[database_mysql]
host = localhost
database = kippo
username = kippo
password = kippo

EOF

Create a Linux user named kippo and give ownership of the kippo files to this user.

# useradd -d /home/kippo -s /bin/bash -m kippo -g sudo
# cd /usr/local/src
# chown -R kippo kippo-0.8

Finally, start Kippo as the kippo user.

# su kippo
$ cd kippo-0.8
$ ./start.sh

It will take a minute for Kippo to start in the background. By default, Kippo listens on port 2222, which
we can verify with the lsof command.

$ exit
# lsof -i | grep kippo

3.1: Attempt a password guessing attack with Hydra against Kippo. Which username and password
pair was correct?

$ hydra -L users -P passwords -s 2222 127.0.0.1 ssh -V
$ less /usr/local/src/kippo-0.8/log/kippo.log

3.2: Use ssh to log into Kippo with the credentials guessed via Hydra above. Replace USERNAME
with the one found above. What prompt do you see?

$ ssh -l USERNAME -p 2222 127.0.0.1

3.3: Can you find the successful ssh login in the kippo.log file? What are the log entries for the
successful login?

$ less /usr/local/src/kippo-0.8/log/kippo.log

3.4: In one terminal, watch the Kippo logs using the tail -f command. In the other terminal, inside
your ssh session to Kippo, run commands to identify the OS and hardware of the “server” that you have
logged into. Do any of the commands show output that you would not expect from a legitimate Linux
server? What are the usernames of all accounts with passwords?

# id
# uname -a
# cat /proc/cpuinfo
# cat /proc/meminfo
# cat /etc/passwd
# cat /etc/shadow

3.5: Install Hydra inside the honeypot, then run it. What happens when you attempt to run it?

# apt-get install hydra
# hydra

3.6: Download a file inside Kippo. Does it appear to work?

# wget http://kosh.nku.edu
# cat index.html

3.7: Kippo saves all files downloaded by the attacker, so that the files may be analyzed later. Is the file
stored by Kippo the same as the one you downloaded inside Kippo? Replace FILENAME with the
name of the file stored by Kippo.

# cd /usr/local/src/kippo-0.8/dl/
# ls -l
# cat FILENAME

3.8: What happens when you use ssh from inside Kippo?

# ssh kosh.nku.edu

3.9: Find at least one command that demonstrates that Kippo is not a real Linux server, because the
results of the command do not make sense and cannot be explained by a missing or broken software
package (as the failure of the hydra command could be explained). Write the command line in the box
below.

4: Submitting the Lab

Paper and electronic copies of this lab are due one week after the class in which you begin this lab. Bring a
printed copy with your name on it to class and send an e-mail to your instructor with the subject “CIT
380 Lab #12: Honeypots” with the completed lab file attached with the name
lab12-honeypots-tunnels-USERNAME.odt.
