1) Environment setup:

cd /root/
wget https://codeload.github.com/desaster/kippo/zip/master
unzip master
yum install twisted python-zope-interface python-pyasn1
mv kippo-master kippo
useradd kippo
chown -R kippo:kippo kippo/
cd kippo
cp kippo.cfg.dist kippo.cfg

Kippo has to be started as an ordinary user; starting it as root gives:
ERROR: You must not run kippo as root!
But an ordinary user cannot bind ports below 1024. So first move the host's real SSH port to 222. Kippo listens on local port 2222; add a firewall rule that redirects port 22 to 2222.

iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 2222

Start kippo:

[kippo@vincent tmp]$ ./kippo/start.sh
twistd (the Twisted daemon) 8.2.0
Copyright (c) 2001-2008 Twisted Matrix Laboratories.
See LICENSE for details.
Starting kippo in the background...
/usr/lib64/python2.6/site-packages/twisted/conch/ssh/keys.py:13: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
import sha, md5
/usr/lib64/python2.6/site-packages/twisted/conch/ssh/keys.py:13: DeprecationWarning: the md5 module is deprecated; use hashlib instead
import sha, md5
Generating new RSA keypair...
Done.
Generating new DSA keypair...
Done.

Scan port 22 from another machine.

root@kali-vincent:/tmp# nmap -p 22 172.16.100.167

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-29 14:58 CST
Nmap scan report for 172.16.100.167
Host is up (0.00036s latency).
PORT STATE SERVICE
22/tcp open ssh

Port 22 is shown as open.
Log in with the default credentials root/123456.

root@svr03:~# whoami
root
root@svr03:~# pwd
/root

PS: testing showed that far too few commands are emulated; it is very easy to tell that it is a honeypot.

2) Storing the logs in a database

yum install mysql mysql-server
/etc/init.d/mysqld start
mysqladmin -uroot password hehe123
CREATE USER 'kippo'@'localhost' IDENTIFIED BY 'kippo';
create database kippo;
GRANT ALL ON kippo.* to 'kippo'@'localhost' identified by 'kippo';
flush privileges;

Edit the configuration file kippo.cfg:

[database_mysql]
host = localhost
database = kippo
username = kippo
password = kippo
port = 3306

Then import the table schema:

mysql -ukippo -p -Dkippo < /tmp/kippo/doc/sql/mysql.sql

Install python-mysql:

yum -y install python-devel mysql-devel
wget http://pypi.python.org/packages/source/s/setuptools/setuptools-0.6c11.tar.gz --no-check-certificate
tar -zxvf setuptools-0.6c11.tar.gz
cd setuptools-0.6c11
python setup.py install
wget https://pypi.python.org/packages/source/M/MySQL-python/MySQL-python-1.2.5.zip --no-check-certificate
unzip MySQL-python-1.2.5.zip
cd MySQL-python-1.2.5

Edit site.cfg and uncomment the mysql_config line:

mysql_config = /usr/lib64/mysql/mysql_config
python setup.py install

Let's look at the table structure:

mysql> show tables;
+-----------------+
| Tables_in_kippo |
+-----------------+
| auth |
| clients |
| downloads |
| input |
| sensors |
| sessions |
| ttylog |
+-----------------+
7 rows in set (0.01 sec)

Commands that were executed:

mysql> select * from input;
+----+----------------------------------+---------------------+-------+---------+----------+
| id | session | timestamp | realm | success | input |
+----+----------------------------------+---------------------+-------+---------+----------+
| 1 | 529661ac3e1511e6b417000c292b5908 | 2016-06-29 16:20:15 | NULL | 1 | whoami |
| 2 | 529661ac3e1511e6b417000c292b5908 | 2016-06-29 16:31:10 | NULL | 1 | ifconfig |
+----+----------------------------------+---------------------+-------+---------+----------+
2 rows in set (0.01 sec)

IPs that connected:

mysql> select * from sessions;
+----------------------------------+---------------------+---------+--------+----------------+----------+--------+
| id | starttime | endtime | sensor | ip | termsize | client |
+----------------------------------+---------------------+---------+--------+----------------+----------+--------+
| 529661ac3e1511e6b417000c292b5908 | 2016-06-29 16:19:58 | NULL | 1 | 172.16.100.128 | 131x25 | 1 |
+----------------------------------+---------------------+---------+--------+----------------+----------+--------+
1 row in set (0.00 sec)
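The two tables above are what a defender actually works with. As an added example (not part of the original post or of kippo), the following recreates the columns shown above in an in-memory SQLite database, loads the rows from the page plus a constructed second session, and joins input to sessions so each command is attributed to its source IP; the unrecognised-command query assumes kippo's dblog convention of success = 0 for commands it could not emulate.

```python
import sqlite3

# Subset of the kippo MySQL schema (doc/sql/mysql.sql), limited to the columns
# shown in the two tables above and recreated in SQLite so this runs offline.
SCHEMA = """
CREATE TABLE sessions (id TEXT PRIMARY KEY, starttime TEXT, endtime TEXT,
                       sensor INTEGER, ip TEXT, termsize TEXT, client INTEGER);
CREATE TABLE input (id INTEGER PRIMARY KEY, session TEXT, timestamp TEXT,
                    realm TEXT, success INTEGER, input TEXT);
"""

# Constructed sample rows: the session and commands shown above, plus a second,
# hypothetical session whose last command kippo did not recognise (success = 0).
SESSIONS = [
    ("529661ac3e1511e6b417000c292b5908", "2016-06-29 16:19:58", None,
     1, "172.16.100.128", "131x25", 1),
    ("0123456789abcdef0123456789abcdef", "2016-06-29 17:02:11",
     "2016-06-29 17:03:40", 1, "172.16.100.129", "80x24", 1),
]
INPUTS = [
    (1, "529661ac3e1511e6b417000c292b5908", "2016-06-29 16:20:15", None, 1, "whoami"),
    (2, "529661ac3e1511e6b417000c292b5908", "2016-06-29 16:31:10", None, 1, "ifconfig"),
    (3, "0123456789abcdef0123456789abcdef", "2016-06-29 17:02:30", None, 1, "cat /etc/passwd"),
    (4, "0123456789abcdef0123456789abcdef", "2016-06-29 17:02:45", None, 0, "crontab -l"),
]

def open_sample_db():
    """Build the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sessions VALUES (?,?,?,?,?,?,?)", SESSIONS)
    conn.executemany("INSERT INTO input VALUES (?,?,?,?,?,?)", INPUTS)
    return conn

def commands_by_ip(conn):
    """Attribute every command to its source IP by joining input to sessions.
    Returns {ip: [(timestamp, command, emulated_ok), ...]} in time order."""
    rows = conn.execute("""
        SELECT s.ip, i.timestamp, i.input, i.success
        FROM input i JOIN sessions s ON s.id = i.session
        ORDER BY s.ip, i.timestamp""")
    result = {}
    for ip, ts, cmd, ok in rows:
        result.setdefault(ip, []).append((ts, cmd, bool(ok)))
    return result

def unrecognised_commands(conn):
    """Commands kippo could not emulate: what gives the honeypot away, and the first candidates for new txtcmds."""
    return [r[0] for r in conn.execute(
        "SELECT input FROM input WHERE success = 0 ORDER BY id")]
```

Against the real deployment, replace sqlite3 with MySQLdb (installed above) and the same two queries run unchanged.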

3) Graphs

yum install httpd php php-mysql php-gd php-curl

kippo-graph 1.3 needs a newer PHP than yum provides and would have to be compiled by hand; stay with yum's PHP and install the older version instead:

wget http://bruteforce.gr/wp-content/uploads/kippo-graph-1.2.tar.gz
tar -zxf kippo-graph-1.2.tar.gz
mv kippo-graph-1.2 /var/www/html/kippo
cd /var/www/html/kippo
cp config.php.dist config.php

vim config.php
Change the following:

define('DIR_ROOT', '/var/www/html/kippo');
define('DB_HOST', 'localhost');
define('DB_USER', 'kippo');
define('DB_PASS', 'kippo');
define('DB_NAME', 'kippo');
define('DB_PORT', '3306');
Then run:
chmod 777 /var/www/html/kippo/generated-graphs/
/etc/init.d/httpd start
su - kippo
./start.sh

Here is what the charts look like:

[figure: kippo-graph charts]

4) Directory structure

data: holds the SSH keys, lastlog.txt and userdb.txt.
    lastlog.txt: the output of the last command, i.e. the record of logins to the honeypot; it can also be faked.
    userdb.txt: the users that are allowed to log in. A user may have several passwords, one user per line, in the format username:uid:password.

honeyfs: the etc directory contains group, hostname, hosts, issue, passwd, resolv.conf and shadow; running cat /etc/<filename> inside the honeypot prints the contents of the corresponding text file. The proc directory contains cpuinfo, meminfo and version; cat /proc/<filename> prints the contents of those files.

log: where the log files are kept; contains kippo.log and the tty directory.
    kippo.log: startup records, which IPs connected, and so on.
    tty: one recording per SSH session of everything that was done; strings filename shows the contents directly.
Looking at kippo.log after ifconfig is run, for example:
2016-06-30 00:31:10+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,172.16.100.128] CMD: ifconfig
2016-06-30 00:31:10+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,172.16.100.128] Command found: ifconfig
2016-06-30 00:31:10+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,172.16.100.128] Reading txtcmd from "/tmp/kippo/txtcmds/sbin/ifconfig"

txtcmds: where the commands live; each is a plain text file whose contents are printed when the corresponding command is run.
kippo: the core code, which emulates the interactive commands and so on.
dl: where files fetched with wget etc. are stored.
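The kippo.log lines shown above follow a fixed shape: a timestamp, a bracketed Twisted context that ends in the connection number and the source IP, then the message. As an added example (not part of the original post or of kippo), this parser pulls those fields out, lists the commands typed per source connection, and reports which txtcmds files were served; the sample log is constructed from the three lines above plus a hypothetical second connection.

```python
import re
from collections import defaultdict

# One kippo.log line: timestamp, a bracketed Twisted context that ends in
# "HoneyPotTransport,<connection>,<source ip>", then the message text.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4}) "
    r"\[[^\]]*HoneyPotTransport,(?P<conn>\d+),(?P<ip>[\d.]+)\] "
    r"(?P<msg>.*)$")

# Constructed sample: the three lines shown above plus a second,
# hypothetical connection from another address.
SAMPLE_LOG = """\
2016-06-30 00:31:10+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,172.16.100.128] CMD: ifconfig
2016-06-30 00:31:10+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,172.16.100.128] Command found: ifconfig
2016-06-30 00:31:10+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,172.16.100.128] Reading txtcmd from "/tmp/kippo/txtcmds/sbin/ifconfig"
2016-06-30 00:35:02+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,172.16.100.129] CMD: cat /etc/passwd
2016-06-30 00:35:02+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,172.16.100.129] Command found: cat /etc/passwd
"""

def parse_line(line):
    """Return the fields of one log line, or None for lines without a
    per-connection context (startup messages, key generation, ...)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def commands_by_source(log_text):
    """{(ip, connection): [command, ...]} built from CMD: lines, in order."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["msg"].startswith("CMD: "):
            out[(rec["ip"], int(rec["conn"]))].append(rec["msg"][len("CMD: "):])
    return dict(out)

def txtcmd_files(log_text):
    """Paths of txtcmds files that were served, i.e. which canned outputs attackers saw."""
    paths = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        m = rec and re.match(r'Reading txtcmd from "(.+)"$', rec["msg"])
        if m:
            paths.append(m.group(1))
    return paths
```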