Comments on: Cracking voyeurism

Cracking voyeurism

Foci for Analysis — Fri, 11 Mar 2011 08:35:53 -0800

Using honeypots and logging tools, some server admins have logged actual server break-in attempts by nincompoop crackers.

The honeypot in question is Kippo. You might want to run fail2ban to partially combat break-in attempts.

By: demiurge

demiurge — Fri, 11 Mar 2011 08:45:31 -0800

What triggers the owl prompt?

By: seventyfour

seventyfour — Fri, 11 Mar 2011 08:45:48 -0800

I don't wget it.

By: bicyclefish

bicyclefish — Fri, 11 Mar 2011 08:49:11 -0800

I enjoyed listening to 'Still Alive.' I'm going to need need help with the rest.

By: Ad hominem

Ad hominem — Fri, 11 Mar 2011 08:51:13 -0800

Seems like the owl prompt is triggered when he tries to install the rootkit. I'm kinda guessing That the honeypot spits it out whenever you try to do something unsupported.

By: Foci for Analysis

Foci for Analysis — Fri, 11 Mar 2011 08:52:41 -0800

The "owl prompt" is the result of the downloaded exploit scripts being prevented from actually running any malicious code. Some of the stuff Kippo does:

Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included Session logs stored in an UML compatible format for easy replay with original timings Just like Kojoney, Kippo saves files downloaded with wget for later inspection Trickery; ssh pretends to connect somewhere, exit doesn't really exit, etc

By: k5.user

k5.user — Fri, 11 Mar 2011 08:58:08 -0800

so, now I'm curious, how rigorous/secure is kippo ? The articles say it's a honeypot, shell of a shell.. Does it have any vulnerabilities ?

By: zamboni

zamboni — Fri, 11 Mar 2011 08:59:30 -0800

Looks like we've hosed kippo.rpg.fi (the "by" and "nincompoop" links).

By: routergirl

routergirl — Fri, 11 Mar 2011 09:00:07 -0800

The most amusing thing about this (besides the constant retry of "perl") is that one of the related videos is "How to view other computers' IP addresses," which is a video that purports you can get IPs of people looking at a site by trace routing to it from a cmd prompt. The kid trace routes to google.com and claims the ten IPs showing up are all people viewing Google. That made me giggle.

By: equalpants

equalpants — Fri, 11 Mar 2011 09:00:30 -0800

Oh, god, I love that some people actually respond "y" to the owl prompt, and that it replies with "NO WAI!". Priceless.

By: George_Spiggott

George_Spiggott — Fri, 11 Mar 2011 09:02:21 -0800

Does it have any vulnerabilities ? What a strange thing to ask. if anyone here knew about any vulnerabilities in klippo, the script kiddies would too and it'd be useless.

By: routergirl

routergirl — Fri, 11 Mar 2011 09:04:25 -0800

Ok, I take it back. The owl prompt and the reactions to it are really quite funny.

By: k5.user

k5.user — Fri, 11 Mar 2011 09:08:15 -0800

given the competency demonstrated by most of the logged folks, yeah, I wouldn't worry about it too much.. But, at least one person did figure out the system was a honeypot and walked away, I wouldn't be openly running a honeypot with out some serious consideration about the honeypot software.. (Now that opens the question the guy that figured it out, since we only get a small part of the log where he cusses out the operator, did the hacker go on to other lower-hanging fruit ? And if the hacker were of the destructive mindset, might have looked into the software to see what it's vulnerabilities are..)

By: ChrisHartley

ChrisHartley — Fri, 11 Mar 2011 09:08:42 -0800

These are hilarious, thank you for the links. denyhosts is similar to fail2ban but uses the crowd to watch and report attacks as they happen, preemptively blocking them once they reach a certain threshold.

By: special-k

special-k — Fri, 11 Mar 2011 09:09:30 -0800

I don't really follow what's going on but let me just say you guys are so adorable especially with those cute little owls.

By: Nelson

Nelson — Fri, 11 Mar 2011 09:16:39 -0800

I wonder if some of the stupid behaviour we're seeing is the result of attacks that are semi-automated. I imagine there are tools to help facilitate hacking many boxes quickly, in parallel, with macros.

By: Threeway Handshake

Threeway Handshake — Fri, 11 Mar 2011 09:19:13 -0800

(Now that opens the question the guy that figured it out, since we only get a small part of the log where he cusses out the operator, did the hacker go on to other lower-hanging fruit ? And if the hacker were of the destructive mindset, might have looked into the software to see what it's vulnerabilities are..) You are totally missing the point of a honeypot.

By: mcstayinskool

mcstayinskool — Fri, 11 Mar 2011 09:20:44 -0800

I would agree, Nelson, except for the fact that one of those hackers tried responding to the owl several times. Responses included "O", "RLY", "YES", and my favorite "oui" (because clearly O RLY is au Francais). No computer is that stupid.

By: Osrinith

Osrinith — Fri, 11 Mar 2011 09:24:01 -0800

For the sake of compare/contrast, does anyone have a link to a video showing a good hacker at work? It's just that I have very little comprehension of what goes on in the nuts and bolts of hacking (at the level of code) and would be interested to see it in action.

By: lumpenprole

lumpenprole — Fri, 11 Mar 2011 09:24:24 -0800

No computer is that stupid. Clearly, you never had to admin a windows NT box.

By: Foci for Analysis

Foci for Analysis — Fri, 11 Mar 2011 09:25:10 -0800

Oh absolutely, Nelson; automated attacks are everyday stuff. On the production server that I manage we get hundreds of attacks each day - and that's pretty normal if you ask around the web. I don't, however, believe that these logged attacks were automated, they are too lazy and stupid. I mean, typing mikdir instead of mkdir?!

By: Ad hominem

Ad hominem — Fri, 11 Mar 2011 09:28:27 -0800

Dunno, if I was a hacker and I kept running into these kippo honeypots I would grab the kippo source and look for vulnerabilities. It is no different than any other daemon and kippo running on port 22 has got to have root privs to bind to that port. Does it run through Inetd or some sort of modern equivalent? I haven't looked that the source but it is using twisted so that makes it python right?

By: Threeway Handshake

Threeway Handshake — Fri, 11 Mar 2011 09:28:48 -0800

does anyone have a link to a video showing a good hacker at work? Try this

By: Ad hominem

Ad hominem — Fri, 11 Mar 2011 09:30:01 -0800

Hahah Hack The Planet.

By: Threeway Handshake

Threeway Handshake — Fri, 11 Mar 2011 09:30:59 -0800

Does it run through Inetd or some sort of modern equivalent? Kippo is not a daemon: it uses Twistd's (python) ssh server. So good luck with that.

By: Foci for Analysis

Foci for Analysis — Fri, 11 Mar 2011 09:31:35 -0800

Osrinith, while not this visual or detailed, the story of how Anonymous compromised HBGary's servers is interesting. Ars ran several stories on the attacks (no need to buy the e-book, all articles are below Further reading). What really intrigues me about the HBGary saga? The initial attack vector was a CMS and pretty much everything Anon did was 101 stuff.

By: George_Spiggott

George_Spiggott — Fri, 11 Mar 2011 09:34:13 -0800

It is no different than any other daemon and kippo running on port 22 has got to have root privs to bind to that port. You can be sure it runs on another port and the launcher forwards port 22 to it. Anybody who writes a honeypot that runs as root (or any other well-known user with any privileges to speak of) should find a new line of work.

By: ErikaB

ErikaB — Fri, 11 Mar 2011 09:42:55 -0800

Osirinth, that's why it's funny (to those of us it's funny to). These logs don't show people comparing badly to "real" hackers. They show people comparing badly to completely inept everyday users. Imagine watching someone attempting to steal a bike. First they examine it thoughtfully for several minutes, while poking at bits of the frame and nodding sagely. Then they pull the brake lever several times, and finish by shuffling their feet quickly. Maybe once or twice someone actually gets a leg up and over the frame, and you cheer for them a bit inside. But then they fail to grasp the purpose of the pedals, and sit on the seat backwards, and fall off. And then you laugh and come here and post something like, "Hilarious!"

By: Threeway Handshake

Threeway Handshake — Fri, 11 Mar 2011 09:43:14 -0800

You can be sure it runs on another port and the launcher forwards port 22 to it. You make it run on any unprivileged port, through Twistd. Again, Kippo is not a daemon, it is a fake, jailed, shell that people can connect to through the twistd ssh server.

By: Ad hominem

Ad hominem — Fri, 11 Mar 2011 09:43:25 -0800

Ok now that I look at the site it uses iptables to forward port 22 so you are right that it probably has no privs. It can still write to the filesystem, probably not much you can do with that since there is no way for the attacker to control anything beyond the contents of the log files. So what about whatever the admin will be using to read the log files?

By: Faint of Butt

Faint of Butt — Fri, 11 Mar 2011 09:44:27 -0800


___
{o,o}
|)__)
-"-"-
O RLY?

By: Threeway Handshake

Threeway Handshake — Fri, 11 Mar 2011 09:46:59 -0800

So what about whatever the admin will be using to read the log files? I'm pretty sure vi, tail, cat, and the like won't go and run arbitrary code out of a logfile format.

By: ChrisHartley

ChrisHartley — Fri, 11 Mar 2011 09:47:23 -0800

The hacking scene from one of the Matrix movies where Trinity shuts down the power grid was (surprisingly) fairly realistic. Here is a transcript. She uses nmap to scan for open ports, then runs a script to exploit what was a real vulnerability in the ssh daemon to reset the root password, then she ssh's in and shuts down the power grid. If that doesn't help explain things just imagine that she walked around the perimeter of a building looking for doors, found one and then jimmied the faulty lock with a credit card. I like to picture these keystone cops hackers wearing black leather suits while typing "mikdir" in the honeypot.

By: Ad hominem

Ad hominem — Fri, 11 Mar 2011 09:50:29 -0800

I'm pretty sure vi, tail, cat, and the like won't go and run arbitrary code out of a logfile format. You are right, dumber things have happened though. I once got a logging until to overwrite /etc/crontab with arbitrary crap. That was in the stone ages though.

By: Osrinith

Osrinith — Fri, 11 Mar 2011 09:59:55 -0800

Thanks for the good examples, everyone. Le sigh. Despite being a child of the 80s and 90s and growing up with the internet, I completely missed out on the basic computer programming skills. I'm a fairly tech-savvy person, but only at the GUI level. Command line stuff makes me feel like a monkey with a stick.

By: k5.user

k5.user — Fri, 11 Mar 2011 10:03:07 -0800

Anybody who writes a honeypot that runs as root

Note that the launcher for kippo checks for this and bails if you try to run as root.. And we could argue semantics because the person who writes it ain't the guy running it .. (ie we're laughing here at the folks 'running' hacks/scripts..). But, given python, twisted, etc, are they known strong ? No funny crafted packets to send it off the deep end ? (most of my security works deal with non-interpreted languages, but google says python isn't immune from buffer overflows..)

By: Threeway Handshake

Threeway Handshake — Fri, 11 Mar 2011 10:03:24 -0800

You are right, dumber things have happened though. Yes, dumber things happen, and feel free to look at the source code for the jailed shell runs as an unpriv user. And also the server daemon that is from python for all of its vulns. If you find any, let everybody know! Hamburger. But anyway, it sure seems silly to heap all of this "WHAT IF TEH HONEYPOTZ ARE HAXD?" on this, but similar things aren't asked of other stuff, like say, every other program in the entire world?

By: spiderskull

spiderskull — Fri, 11 Mar 2011 10:08:12 -0800

Haha, thanks for the morning laughter. We're constantly dealing with this kind of nonsense at the university (they want to use our machines to spend spam over the massively quick internet connection). We've similarly setup honeypots, although slightly more asshole-y -- they actually believe they're in root when they're in a sandbox, ruining a completely useless piece of the file system.

By: Threeway Handshake

Threeway Handshake — Fri, 11 Mar 2011 10:10:41 -0800

Also, I really need to say that the fake exit command which looks like you've disconnected but really actually keeps you in the shell is the most hilarious thing ever. When I originally set one of these up and tested it out to make sure it worked, it 100% fucking fooled me, and the logfile probably would look really funny to anybody looking at is when suddenly my "own system" was acting incredibly strange. The thing about a honeypot like this is that it would make anybody seem comical -- anybody who didn't realize they're in a fake honeypot shell. Somebody brought up a stolen bike analogy, but this would be more like if say, Lance Armstrong were to steal a bike, and when he got on and pedaled, oh, I don't know, the bike wheels spun backwards, and turning right would make the bike go left.

By: Ad hominem

Ad hominem — Fri, 11 Mar 2011 10:16:55 -0800

Ok ok I give up. Things running exposed to the Internet should get far more scrutiny than most programs though.

By: steef

steef — Fri, 11 Mar 2011 10:17:48 -0800

I gotta change my password.

By: Threeway Handshake

Threeway Handshake — Fri, 11 Mar 2011 10:20:50 -0800

Things running exposed to the Internet So basically, every single program on every computer?

By: Ad hominem

Ad hominem — Fri, 11 Mar 2011 10:37:22 -0800

So basically, every single program on every computer? You know what I mean. Programs accepting connections from anyone with an ssh client. I'm not sure why you think it is so nuts to put some thought into how one would attack kibbo even as a thought exercise.

By: Skorgu

Skorgu — Fri, 11 Mar 2011 10:46:26 -0800

Actually Ad hominem is totally right. Any program that accepts data from the world must be treated as suspect and log analysis tools have been attacked before. That said it's a rather small attack surface and trivially easy to mitigate by doing your analysis in a jail/chroot/vm/whatever.

By: George_Spiggott

George_Spiggott — Fri, 11 Mar 2011 11:21:32 -0800

Eenie, meenie, chili beanie, give root to this attacking meanie (Just invoked a secret backdoor in your browser with that incantation... Christ, you sure have a lot of porn in your cache.)

By: evidenceofabsence

evidenceofabsence — Fri, 11 Mar 2011 12:47:29 -0800

because clearly O RLY is au Francais Oui!

By: kenko

kenko — Fri, 11 Mar 2011 13:41:10 -0800

Again, Kippo is not a daemon Twisted has facilities to fork twice, close file descriptors, set the process group, and all that jazz, and normally if you've got a long-running Twisted program you'll invoke twistd with options to do that stuff automatically, so I'm not sure why you're so confident that Kippo isn't a daemon.

By: Threeway Handshake

Threeway Handshake — Fri, 11 Mar 2011 20:20:21 -0800

Fine, everybody. The next time somebody posts something about a new car or whatever, i'm going to jack the thread and derail it into a discussion about how somebody could drive it off a cliff.

By: free hugs

free hugs — Sat, 12 Mar 2011 08:32:27 -0800

How about: when there's a thread about an anti-theft device for cars that lets a car thief get into your car and videotapes him, you post and say "any chance the dude could still figure out how to get that car running?"

By: heathkit

heathkit — Sat, 12 Mar 2011 16:07:44 -0800

My favorite hacking story goes back to college. I was working on the disk image for a robot for my school's entry in an autonomous underwater vehicle competition. The target hardware ( a small embedded x86 board ) mounted its root file system over NFS from a host machine. The host machine also had a serial console into the board - I could ssh into the host machine and pretty much do whatever. At the time, I had an unhealthy obsession with being able to work from starbucks. At first this was fine - the host machine was a basic debian install, and the only service running was ssh. However, eventually I got the video capture working and wanted to stream video from the lab. There are safe ways to do this, but being young and foolish I just asked the school's IT department to put the target machine on the internet. The root password for the target was "root". In less than a day of being exposed to the public internet, it had been breached. I probably wouldn't even have noticed, but luckily they changed the root password. Luckily, I was able to blow away the root file system from the host machine and shut it down remotely, but that was pretty embarrassing. It's not surprising to me that it got hacked - I'm just surprised it happened so darn quickly. tldr; before you put your autonomous sub on the internet, make sure it has a good password

By: Threeway Handshake

Threeway Handshake — Mon, 14 Mar 2011 16:46:03 -0800