Why the name kojoney?
Kojoney is a mix of the Spanish word cojon (s/c/k/) and honey. In Spanish, the phrase "estar hasta los cojones" is used to express that you are fed up. In the past I received many attacks against my SSH server, and several of them were very cool (e.g. using my name and surname to brute force my SSH server). In order to catch my attacker I decided to create a honeypot. The attacker stopped his offensives and (currently) I don't know who the attacker was, but I realized that this tool was very cool and I decided to release it to the public.
Dependencies
In order to run kojoney you need to meet various prerequisites (dependencies, if you prefer). The following is a list of the currently known prerequisites:
- OpenSSL
- Python
- Sh or Bash (Bourne Again SHell)
- Zope-Interfaces (included in the package)
- Twisted (included in the package)
- Twisted Conch (included in the package)
There are also various optional prerequisites. The following is the list of optional prerequisites (strongly recommended anyway):
- Perl
- Perl IP Country extension (distributed with the kojoney package)
- Perl Geography Countries extension (distributed with the kojoney package)
Installing Kojoney
You don't need to install it. You can untar (or unzip) the package kojoney-XXX.tar.gz and execute the Python script 'kojoney.py', but you will need to have (or install manually) the prerequisites listed above.
Anyway, the recommended way is to install it, and to do so you can use the supplied install script called INSTALL.sh.
Installing Kojoney with the install script
To install kojoney using the install script follow these steps:
- Install all the prerequisites (listed in previous paragraphs).
- Download the latest kojoney package. Currently kojoney-0.0.3.2.zip (or a previous version).
- Copy it to a temporary directory (e.g. /tmp/kojoney)
- Un(zip|tar) the package
$ tar -xvzf kojoney-0.0.3.1.tar.gz (or unzip kojoney-0.0.3.2.zip)
(...)
$ ls
kojoney kojoney-0.0.3.1.tar.gz
- Enter the 'kojoney' directory and (as the root user if it is a Unix-like OS) type "sh INSTALL.sh".
- Follow the wizard.
The following is a sample (correct) installation using INSTALL.sh:
$ su
password:
# sh INSTALL.sh
Kojoney Honeypot installer.
Press enter to view the license agreement ...
<<< NOTE: After read the license agreement press 'q' to exit >>>
Do you accept the ZPL, MIT and GPL license terms (yes/no) ?
yes
All licenses accepted.
******************************************
Kojoney Honeypot Installer version 0.0.3
******************************************
Step 1 - Copying files
(... uninteresting information...)
Step 2 - Building libraries
[+] Building and installing [IP-Country]
[+] Building and installing [Geograpy-Countries]
[+] Building and installing [Zope Interfaces]
[+] Building and installing [Twisted extension]
[+] Building and installing [PyCrypto]
(... Possibly various warnings. You can ignore these safely...)
[+] Building and installing [Twisted Conch extension]
Step 3 - Installing documentation
[+] Installing man pages
Step 4 - Changing permissions and creating symbolic links
[+] Creating symlinks
Step 5 - Final questions and fun
Do you want to run it automatically at boot time (yes/no)?
yes
***No run levels were assigned. You need to do this manually.***
Do you want to run it now (yes/no)?
yes
Starting daemon
Kojoney installation finished.
And how can I uninstall it?
To uninstall it use the script called UNINSTALL.sh distributed with the kojoney package.
How can I start the daemon?
Without installing, simply enter the generated kojoney directory and type "./kojoney.py" at the shell prompt. But remember that you will need to have the prerequisites installed.
And how can I start it automatically at boot time?
To start it automatically at boot time you need to install kojoney with the INSTALL.sh script. When the installer asks whether you want to run it automatically at boot time, answer yes. This will copy the startup script kojoney into the /etc/init.d directory.
Now assign the run levels in which you want it to run. This is distribution dependent, but explained below.
How can I start kojoney automatically in Debian?
After a successful installation of kojoney, type the following commands as root in a terminal:
# ln -s /etc/init.d/kojoney /etc/rc2.d
# ln -s /etc/init.d/kojoney /etc/rc3.d
# ln -s /etc/init.d/kojoney /etc/rc5.d
How can I start kojoney automatically in Redhat?
After a successful installation of kojoney, type the following command as root in a terminal:
# /sbin/chkconfig --level 345 kojoney on
Where is the kojoney log file?
By default the kojoney daemon output is redirected to the file /var/log/honeypot.log.
How can I generate activity reports?
Use the commands 'kojreport' and 'kojreport-filter' as follows:
# kojreport /var/log/honeypot.log 0 0 1 > /tmp/report.txt
If you only want to generate a report for one IP address or for a specific date, use the command 'kojreport-filter' as follows:
# kojreport-filter /var/log/honeypot.log '<desired ip address or date>' 0 0 1
Where is the report utility documentation?
If you have installed it using the install script, you can view the documentation of kojreport and kojreport-filter by typing man kojreport or man kojreport-filter in a terminal.
Otherwise, in the doc/html directory of the kojoney package you will find the HTML versions of the man pages.
You can also view the html versions of the man pages online:
Any example reports, please?
The following is a real plain text sample report.
I like reports with graphic and pies
I will write a new report generator utility that creates HTML reports with graphics and pies. Or maybe another person will create a PHP frontend for it... Maybe...
I wana view more reports!
Take a look at the following big report: big-report.
Uh! The reporting tool recognizes humans!?
Yes, it does. But, of course, not all of the time.
How is it possible to recognize whether a session was opened by a bot or by a human?
We, the humans, are clumsy. The script looks for DELETE (SUPR) and BACKSPACE characters in the executed commands.
The script also checks whether the intruder tried to change the window size or tried to forward X11 requests.
Using kojhumans, the tool to distinguish between humans and bots.
As of Kojoney v0.0.2 the tool kojhumans is distributed with the package. The syntax of this tool is as follows:
$ /usr/share/kojoney/kojhumans <logfile> {--by-session|--by-ip}
The following is the result of running the tool against my home log file:
$ /usr/share/kojoney/kojhumans /var/log/honeypot.log --by-ip
Human detected at 127.0.0.1 (**, Intranet address)
Human detected at 82.77.71.107 (RO, Romania)
2 human(s) total
$ /usr/share/kojoney/kojhumans /var/log/honeypot.log --by-session
Session with id 0 opened by a human
Session with id 5 opened by a human
Session with id 1682 opened by a human
3 human session(s) total
To search for a specific session's data, refer to the section called How to search for a specific session?.
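The human-versus-bot heuristic described above, as an added example that is not Kojoney's own code: a small Python classifier that applies the three signals (editing keys left in commands, a window resize, an X11 forward request) per session and per IP, and also accepts a regex filter in the spirit of kojreport-filter. The log line layout is an assumption made for this example; the FAQ does not show Kojoney's real format.

```python
import re
from collections import defaultdict

# Constructed sample log: the line layout is an assumption for this example,
# not Kojoney's real format. "\x7f" is the DEL (SUPR) code and "\x08" is
# BACKSPACE, the traces a human leaves behind when correcting a typo.
SAMPLE_LOG = (
    "2005/07/30 10:01:03 209.152.166.77 session=7 login root/root OK\n"
    "2005/07/30 10:01:04 209.152.166.77 session=7 command uname -a\n"
    "2005/08/01 23:56:15 82.77.71.107 session=1682 login ftp/ftp OK\n"
    "2005/08/01 23:56:16 82.77.71.107 session=1682 window-change 80x24\n"
    "2005/08/01 23:56:20 82.77.71.107 session=1682 command id\n"
    "2005/08/01 23:56:25 82.77.71.107 session=1682 command lss\x7f -a\n"
    "2005/08/01 23:59:01 82.77.71.107 session=1701 x11-forward request\n"
)

LINE_RE = re.compile(r"^\S+ \S+ (\S+) session=(\d+) (.*)$")
CLUMSY_RE = re.compile(r"[\x08\x7f]")  # BACKSPACE and DEL (SUPR) key codes

def filter_lines(log, pattern=None):  # like the <filter> argument of kojreport-filter
    rx = re.compile(pattern) if pattern else None
    return [ln for ln in log.splitlines() if rx is None or rx.search(ln)]

def parse_sessions(lines):
    """Group lines by session id: source ip, executed commands, resize and X11 flags."""
    sessions = defaultdict(lambda: {"ip": None, "commands": [], "winch": False, "x11": False})
    for ln in lines:
        m = LINE_RE.match(ln)
        if not m:
            continue  # skip lines we cannot parse rather than abort the whole report
        ip, sid, event = m.groups()
        s = sessions[int(sid)]
        s["ip"] = ip
        if event.startswith("command "):
            s["commands"].append(event[len("command "):])
        elif event.startswith("window-change"):
            s["winch"] = True
        elif event.startswith("x11-forward"):
            s["x11"] = True
    return sessions

def is_human(session):
    """The FAQ's heuristic: editing keys in a command, a window resize, or an X11 forward."""
    return any(CLUMSY_RE.search(c) for c in session["commands"]) or session["winch"] or session["x11"]

def humans_by_session(log, pattern=None):
    return sorted(sid for sid, s in parse_sessions(filter_lines(log, pattern)).items() if is_human(s))

def humans_by_ip(log, pattern=None):
    return sorted({s["ip"] for s in parse_sessions(filter_lines(log, pattern)).values() if is_human(s)})
```

Session 7 runs a command but shows none of the signals, so it is classified as a bot; sessions 1682 and 1701 come from the same address, so the per-IP view reports one human.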
What username/password combinations are allowed to connect to the honeypot?
The most widely used username and password combinations. You can view and/or edit the credentials stored in the file /etc/kojoney/fake_users (if you installed it using the installer) or by editing the file fake_users distributed with the kojoney package.
How to search for a specific session?
To search for a specific session you need to use the tool kojsession (distributed as of kojoney 0.0.2). The following are examples of its use:
$ /usr/share/kojoney/kojsession /var/log/honeypot.log -total
7258 session(s)
Ok, there are a total of 7258 sessions in our log file. Sessions are sequential, so the logged sessions will have id 0, 1, 3, 4, etc... In this example we will look at a session opened by a human. The session has id 1682, so the command that we need to run is as follows:
$ /usr/share/kojoney/kojsession /var/log/honeypot.log 1682
This will output a report for session 1682, as we can see below:
Kojoney Honeypot Report
-----------------------
Date: lun 01 ago 2005 23:56:15 CEST
Log lines: 31
Log size: 4,0K /tmp/tmp.6pM2Df
Authenticated users. Successfull logons
---------------------------------------
1 ftp
Total 1
Logons with null passwords
--------------------------
1 ftp
Total 1
Logons with or without password
-------------------------------
2 ftp
1 tiffany
Total 3
X11 forward requests
--------------------
Total 0
Executed different commands
---------------------------
2 id
1 whoami
1 w
1 uptime
1 ls -a
1 cd home
Total 7
Number of times the intruder tries to change the terminal window size
---------------------------------------------------------------------
Total 1
IP Addresses
------------
1 82.77.71.107 - 1 conexion(es)
Total 1
Sessions opened by humans
-------------------------
Session with id 1682 opened by a human
1 human session(s) total
Humans detecteds by IP
----------------------
Human detected at 82.77.71.107 (RO, Romania)
1 human(s) total
Internal Honeypot Errors
------------------------
Total 0
What information did we collect?
- We know that the attacker entered our honeypot by using the username and password combination ftp/ftp.
- He or she also tried to log on with the user ftp and no password, and also with the username tiffany.
- He or she tried to execute the commands "id" (two times), "whoami", "w", "uptime", "ls -a" and "cd home".
- The intruder changed the remote terminal window size during the intrusion (looking at the log file in raw mode I found the attacker was using a simple xterm).
- The attacker was a human.
- The attacker came from Romania, specifically around Craiova (thanks to the extremely cool tool xtraceroute).
Isn't this reporting tool cool? :)
How to search for a specific IP address?
As of kojreport 0.0.2 you can use the tool kojreport-filter. The syntax is the same as the kojreport tool, but with a different second parameter. The following is the syntax of the kojreport-filter utility:
$ kojreport-filter <log file> <filter> <traceroute> <nmap> <country resolution>
And the following is a sample report for the IP address 209.152.166.77:
Kojoney Honeypot Report
-----------------------
Date: mar 02 ago 2005 00:09:40 CEST
Log lines: 35679
Log size: 3,5M /tmp/tmp.JbRsEU
Authenticated users. Successfull logons
---------------------------------------
2 root
2 admin
1 webmaster
1 web
1 user
1 test
1 oracle
1 mysql
1 guest
1 administrator
Total 12
Unauthenticated users. Failed logons
------------------------------------
Total 0
Users successfully authenticateds with publickey
------------------------------------------------
Total 0
Users unsuccessfully authenticateds with publickey
--------------------------------------------------
Total 0
Logons with null passwords
--------------------------
Total 0
Logons with or without password
-------------------------------
3421 root
11 admin
11 adam
10 ellen
9 ronald
9 paul
9 mail
9 jack
9 guest
9 francis
9 eric
9 danny
9 alex
8 apple
7 user
7 adrian
6 white
6 webster
6 viper
(...about 1400 other username/password combinations..)
1 dakota
1 Christ
1 chicago
1 arbgirl_phpbb1
1 apple1
1 alan
1 absurdir_deadphp
Total 5070
Number of times a remote shell was opened
-----------------------------------------
Total 12
X11 forward requests
--------------------
Total 0
Executed different commands
---------------------------
Total 0
Number of times the intruder tries to change the terminal window size
---------------------------------------------------------------------
Total 0
IP Addresses
------------
1 209.152.166.77 - 5093 conexion(es)
Total 1
IP Addresses and Countries
--------------------------
1 209.152.166.77 - US, United States
Total 1
Sessions opened by humans
-------------------------
0 human session(s) total
Humans detecteds by IP
----------------------
0 human(s) total
Internal Honeypot Errors
------------------------
Total 0
This was clearly an automated attack launched by a bot from the United States.
How to search for a specific date and/or date range?
Use the same tool as in the previous section and, as the filter, specify a regular expression that matches your date range. For example:
$ kojreport-filter /var/log/honeypot.log '^2005/07/30' 0 0 1
Kojoney Honeypot Report
-----------------------
Date: mar 02 ago 2005 00:20:53 CEST
Log lines: 61066
Log size: 4,7M /tmp/tmp.MG7QZj
Authenticated users. Successfull logons
---------------------------------------
3 root
2 test
2 admin
1 webmaster
1 web
1 user
1 oracle
1 mysql
1 guest
1 administrator
Total 14
Unauthenticated users. Failed logons
------------------------------------
3419 root
11 adam
10 ellen
9 ronald
9 paul
9 mail
9 jack
9 francis
9 eric
9 danny
9 alex
9 admin
8 guest
8 apple
7 adrian
6 white
6 webster
6 viper
6 user
6 stephanie
6 russ
6 philip
6 mike
6 matt
6 martin
6 kayla
6 jerry
6 james
(...to many tries...)
1 chicago
1 arbgirl_phpbb1
1 apple1
1 alan
1 administrator
1 absurdir_deadphp
Total 5058
Logons with null passwords
--------------------------
1 root
Total 1
Logons with or without password
-------------------------------
3423 root
11 admin
11 adam
10 ellen
9 ronald
9 paul
9 mail
9 jack
9 guest
9 francis
9 eric
9 danny
9 alex
8 apple
7 user
7 adrian
6 white
6 webster
6 viper
6 stephanie
6 russ
6 philip
6 mike
6 matt
(...and more combinatios again...)
1 arbgirl_phpbb1
1 apple1
1 alan
1 absurdir_deadphp
Total 5073
Number of times a remote shell was opened
-----------------------------------------
Total 14
X11 forward requests
--------------------
Total 0
Executed different commands
---------------------------
Total 0
Number of times the intruder tries to change the terminal window size
---------------------------------------------------------------------
Total 0
IP Addresses
------------
1 209.152.166.77 - 5093 conexion(es)
2 172.179.184.30 - 1 conexion(es)
3 82.43.139.111 - 1 conexion(es)
Total 3
IP Addresses and Countries
--------------------------
1 209.152.166.77 - US, United States
2 172.179.184.30 - US, United States
3 82.43.139.111 - GB, United Kingdom
Total 3
Sessions opened by humans
-------------------------
0 human session(s) total
Humans detecteds by IP
----------------------
0 human(s) total
Internal Honeypot Errors
------------------------
Total 0
On 2005/07/30 I received various (all automated) attacks from the United States and the United Kingdom; only 14 remote shells were opened and not one command was executed.
Where can I get more information about honeypots?
The following is a list of locations where you will find interesting information about honeypots: