In the first episode, I briefly mentioned that the sticky factor of Kippo is much better than Kojoney's. If you followed the second episode and managed to gain access to your SSH honeypot, you will have realised that it entertains most of the common commands.
You can modify the files in the kippo/commands and textcmds directories so that commands return results that differ from the default configuration, or add more files to these directories to have your honeypot entertain more commands.
In this episode I want to demonstrate a more interesting type of stickiness / persistence.
Like most Linux users, attackers like to control the entire machine from the command line. Unfortunately for them, the “exit” command in Kippo does not close the SSH session completely: it makes the attacker think the session has ended when it actually has not.
The intruder is still in your Kippo shell, and you are still logging whatever they are about to type. With this capability, you can look into what attackers do after an intrusion.
The attacker actually has to close the session window to end the SSH session. If the attacker is on a machine with only a bash console, he / she will have to force-shutdown the machine to exit the SSH session.
I’m not sure whether this is intentional, but I found that the “exit” command does close off the session window if you are connecting through PuTTY. Having a “Connection to server closed” message still remaining in your PuTTY shell is really suspicious.
Since I’m already on the topic of stickiness, I’ll briefly cover a few configuration changes you should make so that your Kippo instance is unique, adding to the sticky factor by not letting the attacker realise it’s a honeypot straight away.
In your Kippo configuration file, kippo.cfg, change the hostname of your honeypot. If you looked closely, my SSH honeypot is named “edgis-compsoc” instead of the default “nas3”.
Change the result returned by the ifconfig command. It will look suspicious if the attacker sees an IP address that differs from the one he / she connected to.
You should also change most of the results returned by your SSH honeypot’s commands, as well as its file system.
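As an added example (not code from this post or from the Kippo project), here is a small Python check for the two giveaways above: it reads the hostname from kippo.cfg-style text and compares the IPv4 addresses in a captured ifconfig output with the address the visitor connected to. The [honeypot] section and hostname key follow the layout of kippo.cfg; the configuration text, ifconfig output and IP address are constructed samples.

```python
"""Flag obvious honeypot giveaways in a Kippo setup: the default
hostname and an ifconfig address that does not match the one the
visitor actually connected to."""
import configparser
import re

# Hostname shipped in the default kippo.cfg (the post says to change it).
DEFAULT_HOSTNAME = "nas3"


def configured_hostname(cfg_text):
    """Return the hostname from the [honeypot] section of a kippo.cfg text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    return parser.get("honeypot", "hostname", fallback=None)


def advertised_ips(ifconfig_text):
    """Collect the IPv4 addresses printed by the honeypot's fake ifconfig."""
    return set(re.findall(r"inet addr:(\d+\.\d+\.\d+\.\d+)", ifconfig_text))


def giveaways(cfg_text, ifconfig_text, connected_ip):
    """Return a list of warnings; an empty list means nothing obviously default."""
    warnings = []
    host = configured_hostname(cfg_text)
    if host is None or host == DEFAULT_HOSTNAME:
        warnings.append("hostname is still the Kippo default %r" % host)
    ips = advertised_ips(ifconfig_text)
    if connected_ip not in ips:
        warnings.append("ifconfig shows %s but the visitor connected to %s"
                        % (sorted(ips), connected_ip))
    return warnings


# Constructed sample inputs, not taken from a real deployment.
SAMPLE_CFG = """[honeypot]
hostname = nas3
ssh_port = 2222
"""
SAMPLE_IFCONFIG = """eth0      Link encap:Ethernet  HWaddr 00:16:3e:12:34:56
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
"""

if __name__ == "__main__":
    for warning in giveaways(SAMPLE_CFG, SAMPLE_IFCONFIG, "203.0.113.10"):
        print("WARNING:", warning)
```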