
Kippo shows up in Metasploit #48

Closed
ghost opened this issue May 27, 2014 · 17 comments

Comments


ghost commented May 27, 2014

From zabomber on February 03, 2012 10:49:54

What steps will reproduce the problem?
1. I'm using Armitage for Metasploit
2. Run a simple scan against a Kippo Honeypot
3. Check output for scanned services on port (22)

What is the expected output? What do you see instead?
[See Screenshot Attached]

What version of the product are you using? On what operating system?

Please provide any additional information below.
This was a random scan in the wild, however, I was really interested to get a kippo result?

Attachment: Screenshot at 2012-02-03 19:46:35.png

Original issue: http://code.google.com/p/kippo/issues/detail?id=48


ghost commented May 27, 2014

From ikoniaris on February 13, 2012 05:14:44

Confirmed. Screenshot attached.

At first I thought it was because of the SSH server banner, as I have seen a #FIXME comment in core/honeypot.py about it and I have reported in issue 47 that Kippo has many strings hardcoded.

But this is not the case. I found this presentation from a developer of metasploit on the subject and there is a screenshot of the code to specifically detect Kippo. As noted there Kippo prematurely sends a key init exchange which is an inconsistency.

Perhaps the developer would like to fix this (not sure if he actively maintains Kippo though).

Attachment: 2012-02-13_1507.png


ghost commented May 27, 2014

From ikoniaris on February 13, 2012 05:15:13

Forgot to add the presentation link: http://prezi.com/wwuskkot4nhs/detecting-medium-interaction-honeypots/


ghost commented May 27, 2014

From bweymes on February 15, 2012 08:13:42

This sucks. The problem lies in the implementation of SSH by Twisted. Any python server using Twisted's SSH code can be fingerprinted as shown above. http://www.devshed.com/c/a/Python/SSH-with-Twisted/ I imagine it will be very difficult to fix. The Metasploit code for Kippo detection looks solid. http://ghosthunter.googlecode.com/svn/trunk/metasploit/auxiliary/scanner/ssh/ssh_hydra.rb


ghost commented May 27, 2014

From Andrew.Rse on February 15, 2012 08:21:52

So is this a bug in Twisted, should it not be sending a 'premature key init exchange'?

Also, presumably this means that any Twisted SSH server will be identified by Metasploit as Kippo. Are there sufficient examples of Twisted SSH servers in the wild that would cause Metasploit to remove this detection?


ghost commented May 27, 2014

From desaster on February 15, 2012 08:31:22

So far I've only seen twisted conch used for small custom servers, but I'm sure there are some projects out there.

Now I haven't investigated this much (I'm lazy), but if this is also a mis-implementation of the SSH protocol, then it might be possible to get the Twisted guys to fix it :)

My plan was also to check out if there's any fixes in the latest twisted release regarding this, but I haven't gotten around to doing that yet.

The difference in behavior can easily be seen by telnetting to the ssh port; a normal ssh server just prints out the version string, while twisted/kippo prints out the key stuff as well.
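A self-check a honeypot operator can run against their own Kippo to confirm the behaviour desaster describes above; this is an added example, not code from the thread, from Kippo or from Twisted. It reads what the server volunteers before the client has sent its own identification line and reports whether a KEXINIT binary packet is already there. The sample byte strings are constructed, not captures, and `probe` is a hypothetical helper for a live check against a host you run.

```python
import socket
import struct

MSG_KEXINIT = 20  # SSH message number of KEXINIT (RFC 4253)


def split_banner(data: bytes):
    """Return (identification line, remaining bytes) from unprompted server output.
    RFC 4253 lets a server send text lines before the 'SSH-' line, so skip them."""
    rest = data
    while True:
        end = rest.find(b"\n")
        if end == -1:
            return None, rest  # no identification line yet
        line, rest = rest[:end].rstrip(b"\r"), rest[end + 1:]
        if line.startswith(b"SSH-"):
            return line, rest


def kexinit_before_client_banner(data: bytes) -> bool:
    """True if a KEXINIT binary packet follows the identification line in `data`,
    i.e. in what the server sent before the client wrote its own version string.
    OpenSSH yields only the version line; Twisted Conch (unpatched Kippo) adds KEXINIT."""
    _, rest = split_banner(data)
    # Binary packet layout: uint32 packet_length, byte padding_length, payload...
    if len(rest) < 6:
        return False
    packet_length, padding_length = struct.unpack(">IB", rest[:5])
    if packet_length < padding_length + 1:
        return False  # length fields do not describe a valid packet
    return rest[5] == MSG_KEXINIT


def probe(host: str, port: int = 22, timeout: float = 3.0) -> bool:
    """Connect to a host you operate, send nothing, and read what it volunteers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        chunks = []
        try:
            while chunk := s.recv(4096):
                chunks.append(chunk)
        except socket.timeout:  # peer went quiet; that is the normal end of the read
            pass
    return kexinit_before_client_banner(b"".join(chunks))


# Constructed sample bytes (not real captures) for the two behaviours
OPENSSH_LIKE = b"SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n"
TWISTED_LIKE = OPENSSH_LIKE + struct.pack(">IB", 28, 7) + bytes([MSG_KEXINIT]) + b"\x00" * 27
```

After applying the reorder patch later in this thread, `probe` against your own Kippo should return False, matching what a stock OpenSSH server yields.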


ghost commented May 27, 2014

From Andrew.Rse on February 16, 2012 01:22:23

This looks like it's along the right lines: http://twistedmatrix.com/trac/ticket/5409 I'm not sure though if this applies just to the Twisted Conch SSH client or the server too.


ghost commented May 27, 2014

From bweymes on March 07, 2012 05:31:37

So it appears a cheeky hack of adding time.sleep(1) to transport.py at the top of the sendKexInit function works! transport.py is in /usr/share/pyshared/twisted/conch/ssh

def sendKexInit(self):
    """
    Send a I{KEXINIT} message to initiate key exchange or to respond to a
    key exchange initiated by the peer.

    @raise RuntimeError: If a key exchange has already been started and it
        is not appropriate to send a I{KEXINIT} message at this time.

    @return: C{None}
    """
    time.sleep(1)   # the hack; needs "import time" at the top of transport.py
    if self._keyExchangeState != self._KEY_EXCHANGE_NONE:
        raise RuntimeError(
            "Cannot send KEXINIT while key exchange state is %r" % (
                self._keyExchangeState,))

    self.ourKexInitPayload = (chr(MSG_KEXINIT) +
           randbytes.secureRandom(16) +
           NS(','.join(self.supportedKeyExchanges)) +
           NS(','.join(self.supportedPublicKeys)) +
           NS(','.join(self.supportedCiphers)) +
           NS(','.join(self.supportedCiphers)) +
           NS(','.join(self.supportedMACs)) +
           NS(','.join(self.supportedMACs)) +
           NS(','.join(self.supportedCompressions)) +
           NS(','.join(self.supportedCompressions)) +
           NS(','.join(self.supportedLanguages)) +
           NS(','.join(self.supportedLanguages)) +
           '\000' + '\000\000\000\000')
    self.sendPacket(MSG_KEXINIT, self.ourKexInitPayload[1:])
    self._keyExchangeState = self._KEY_EXCHANGE_REQUESTED
    self._blockedByKeyExchange = []

Note: Updating to twisted version 11 or 12 doesn't solve this problem.


ghost commented May 27, 2014

From busybsd on March 31, 2012 14:23:48

time.sleep(1) appears to work for me too, but not in the sendKexInit function.
In sendKexInit, telnet to port 22 doesn't show extra info, but ssh won't work.
It simply closes the connection after:
debug1: SSH2_MSG_KEXINIT sent

Now I have placed time.sleep(1) into:
def connectionMade(self):
    """
    Called when the connection is made to the other side. We sent our
    version and the MSG_KEXINIT packet.
    """
    self.transport.write('%s\r\n' % (self.ourVersionString,))
    self.currentEncryptions = SSHCiphers('none', 'none', 'none', 'none')
    self.currentEncryptions.setKeys('', '', '', '', '', '')
    time.sleep(1)   # added line; needs "import time" at the top of transport.py
    self.sendKexInit()

And it looks like it works now... but the other evil text with telnet to port 22 still exists.


ghost commented May 27, 2014

From desaster on April 08, 2012 10:39:13

Comment from #twisted:

"Twisted's behavior does appear to be in line with spec. 'Key exchange will begin immediately after sending this identifier.'"

That said, I'm experimenting with a small change to twisted. Tested only briefly but appears to work:

Index: twisted/conch/ssh/transport.py

--- twisted/conch/ssh/transport.py ( revision 34145 )
+++ twisted/conch/ssh/transport.py (working copy)
@@ -244,7 +244,8 @@
self.transport.write('%s\r\n' % (self.ourVersionString,))
self.currentEncryptions = SSHCiphers('none', 'none', 'none', 'none')
self.currentEncryptions.setKeys('', '', '', '', '', '')

  •    self.sendKexInit()
    
  •    # moved to dataReceived
    
  •    #self.sendKexInit()
    

    def sendKexInit(self):
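Review bot: the `# moved to dataReceived` marker and the commented-out `#self.sendKexInit()` left in `connectionMade` are dead code; drop both and instead update the method's docstring, which (as quoted earlier in this thread) still says "We sent our version and the MSG_KEXINIT packet", so the next reader learns that the key exchange is now started from `dataReceived`. Moving the call, rather than sleeping before it as the earlier hacks did, is the right shape of fix: the server's own KEXINIT is deferred until the peer's identification line has arrived, so only the version string goes out unprompted.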
    @@ -432,6 +433,8 @@
    return
    i = lines.index(p)
    self.buf = '\n'.join(lines[i + 1:])

  •                # moved from connectionMade
    
  •                self.sendKexInit()
     packet = self.getPacket()
     while packet:
         messageNum = ord(packet[0])
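Review bot: the new `self.sendKexInit()` call in `dataReceived` depends on the surrounding version-parsing branch running only once per connection, and the hunk does not show that guard; `dataReceived` is entered for every chunk of data. Because `sendKexInit` raises `RuntimeError` whenever the key exchange state is not `_KEY_EXCHANGE_NONE` (see the function body quoted earlier in the thread), a second pass through this branch would surface as a traceback rather than a clean disconnect, so either confirm the branch is entered only before the peer's version has been recorded or guard the call with the same state check.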
    

Status: Accepted


ghost commented May 27, 2014

From desaster on April 08, 2012 11:19:04

And this is how I might patch it in kippo: http://paste.pocoo.org/show/578088/


ghost commented May 27, 2014

From desaster on April 10, 2012 02:20:49

Issue 51 has been merged into this issue.


ghost commented May 27, 2014

From tobisworld on April 21, 2012 09:22:08

Your patch works perfectly for me. Thanks a lot.


ghost commented May 27, 2014

From Boudewijnector on May 15, 2012 16:01:43

Just tried it using current versions of both metasploit and kippo, and kippo will not get detected. So it seems to be fixed indeed, very well!

msf auxiliary(ssh_version) > run

[*] ******:22, SSH server version: SSH-2.0-OpenSSH_5.1p1 Debian-5
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_version) >

Great, the OS is indeed Debian.


ghost commented May 27, 2014

From desaster on July 08, 2012 09:30:48

Patch added to trunk

Status: Fixed


ghost commented May 27, 2014

From desaster on January 23, 2013 22:45:40

This fix is broken in later Twisted versions. Reopening the bug until I fix it again.

Status: Accepted


ghost commented May 27, 2014

From ikoniaris on January 23, 2013 23:25:06

Confirmed. I had to add rev.219 to HoneyDrive ( http://bruteforce.gr/honeydrive ) because newer revisions didn't work. I should have reported this earlier, glad it's on your TODO list :)


ghost commented May 27, 2014

From desaster on February 04, 2013 03:46:14

Added a workaround in r233

Status: Fixed

@ghost ghost closed this as completed May 27, 2014