Note: This is an add-on post on top of my Kippo write-up.
Kippo2MySQL
Kippo2MySQL is a simple script that extracts some very basic stats from Kippo’s text-based log files and inserts them into a MySQL database.
My setup already has Kippo’s MySQL logging enabled. Nonetheless, you can still use this script to extract some very basic data from your Kippo’s text-based log files and insert it into a MySQL database.
My Network Setup
So as not to add more to my Kippo machine, I have a dedicated machine for analytics work, e.g. assessing and analysing the logs.
Note: Do not take this as a recommended Kippo setup; it simply demonstrates that not everything has to be lumped onto one machine.
On your Kippo machine
Make sure your MySQL service is listening on your dedicated network interface, then grant access to your analyst(s):
mysql -h 192.168.60.12 -u root -p
GRANT SELECT ON kippo.* TO '<analyst username>'@'192.168.60.10' IDENTIFIED BY '<password>';
GRANT CREATE TEMPORARY TABLES ON kippo.* TO '<analyst username>'@'192.168.60.10' IDENTIFIED BY '<password>';
SHOW GRANTS FOR '<analyst username>'@'192.168.60.10';
On your analytics machine, make sure you can access the database:
mysql -h 192.168.60.12 -u <analyst username> -p
Now, with the analytics machine all set up, get all the required software before proceeding:
sudo apt-get install python-dev mysql-client libmysqlclient-dev python-pip
Kippo-Malware
Kippo-Malware is a Python script that downloads all malicious files stored as URLs in your Kippo MySQL database. This is useful in situations where, e.g., you have lost your files or something has happened to your Kippo machine, but your database is still intact.
This script is also useful in my type of setup, where I only have access to the Kippo database from my analytics machine (and not to the files located in the dl/ directory).
Get the required Python packages:
sudo pip install mysql-python pony requests clint
Get a copy of Kippo-Malware:
git clone https://github.com/ikoniaris/kippo-malware
To run Kippo-Malware:
python kippo-malware.py -h
python kippo-malware.py -H 192.168.60.12 -u <analyst username> -p <password> --debug
The script also supports an HTTP proxy, to hide your IP address from the malicious servers, and custom User-Agent values.
Kippo-Graph
Kippo-Graph is a full-featured script that visualises stats from a Kippo honeypot.
Get the software Kippo-Graph needs:
sudo apt-get install libapache2-mod-php5 php5-mysql php5-gd php5-curl
Get your Apache Web server started:
sudo /etc/init.d/apache2 restart
Get your Kippo-Graph up and running:
cd /var/www/html
sudo git clone https://github.com/ikoniaris/kippo-graph
cd kippo-graph
sudo chmod 777 generate-graphs
sudo cp config.php.dist config.php
sudo vi config.php
Edit the Kippo-Graph configuration as appropriate, making sure it points to the correct database with the right credentials.
Browse to http://<your-web-server>/kippo-graph, and there you have it!
Kippo2ElasticSearch
Kippo2ElasticSearch is a Python script that transfers data from a Kippo MySQL database to an Elasticsearch instance.
Get the necessary packages:
sudo apt-get install libgeoip-dev
sudo pip install geoip pony pyes
Get a copy of Kippo2ElasticSearch:
git clone https://github.com/ikoniaris/kippo2elasticsearch
Configure kippo2elasticsearch.py to match your environment, make sure your Elasticsearch is up and running, and finally run the Python script:
python kippo2elasticsearch.py
If you examine the script, you will realise that it simply takes the results of the following MySQL query and indexes them in an Elasticsearch instance:
SELECT auth.*, sessions.ip, clients.version, sensors.ip
FROM auth
INNER JOIN sessions ON auth.session = sessions.id
INNER JOIN clients ON sessions.client = clients.id
INNER JOIN sensors ON sessions.sensor = sensors.id;
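As an added illustration (not part of the post or of kippo2elasticsearch itself), here is the query above run against an in-memory SQLite stand-in for Kippo's tables with a few constructed rows. The table layout mirrors Kippo's schema as I understand it, and the field names src_ip, client_version and sensor_ip are my own; the point is that the result set contains two columns both called ip (the attacker's address from sessions and the honeypot's from sensors), so keying documents on the raw column names would silently drop one of them before indexing.

```python
import sqlite3

# The MySQL query the post quotes from kippo2elasticsearch.py (unchanged).
KIPPO_QUERY = """
SELECT auth.*, sessions.ip, clients.version, sensors.ip
FROM auth
INNER JOIN sessions ON auth.session = sessions.id
INNER JOIN clients ON sessions.client = clients.id
INNER JOIN sensors ON sessions.sensor = sensors.id
"""

# Result columns in SELECT order.  auth.* is assumed to expand to Kippo's
# auth columns (id, session, success, username, password, timestamp).
# sessions.ip and sensors.ip both come back named "ip", so a
# dict(zip(column_names, row)) would keep only the sensor address;
# these assumed names keep the two addresses apart.
DOC_FIELDS = ["id", "session", "success", "username", "password",
              "timestamp", "src_ip", "client_version", "sensor_ip"]


def kippo_like_db():
    """In-memory SQLite stand-in for the Kippo schema, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE sensors (id INTEGER, ip TEXT);
    CREATE TABLE clients (id INTEGER, version TEXT);
    CREATE TABLE sessions (id TEXT, starttime TEXT, endtime TEXT,
                           sensor INTEGER, ip TEXT, termsize TEXT, client INTEGER);
    CREATE TABLE auth (id INTEGER, session TEXT, success INTEGER,
                       username TEXT, password TEXT, timestamp TEXT);
    -- constructed sample data, not taken from any real honeypot
    INSERT INTO sensors  VALUES (1, '192.168.60.11');
    INSERT INTO clients  VALUES (1, 'SSH-2.0-libssh2_1.4.3');
    INSERT INTO sessions VALUES ('s1', '2015-01-01 10:00:00', NULL, 1,
                                 '203.0.113.7', '80x24', 1);
    INSERT INTO auth VALUES (1, 's1', 0, 'root', '123456',   '2015-01-01 10:00:01');
    INSERT INTO auth VALUES (2, 's1', 1, 'root', 'password', '2015-01-01 10:00:03');
    """)
    return db


def rows_to_documents(cursor):
    """Turn query rows into Elasticsearch-ready dicts with unambiguous keys."""
    return [dict(zip(DOC_FIELDS, row)) for row in cursor]


def export(db):
    """Run the post's query and return documents ordered by auth.id."""
    docs = rows_to_documents(db.execute(KIPPO_QUERY))
    return sorted(docs, key=lambda d: d["id"])
```

Each returned dict is what you would hand to the Elasticsearch client as one document; with the real script, check how it names these two columns before trusting an ip field in Kibana.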
With your dataset now in Elasticsearch, you can visualise some stats using Kibana.
I learned Elasticsearch and Kibana from scratch in order to play with this. It’s very easy to get the basics right; you just need to dedicate a bit of your time to learning. Elastic provides many comprehensive guides: https://www.elastic.co/guide/index.html.
Author
Emil Tan, Chapter Lead, The Honeynet Project, Singapore Chapter