Jump to content

ssh sort-honeypot (vps)


anode
 Share

Recommended Posts

Hi guys, have a VPS I'm not utilizing much.

But after looking through the logs, I see a LOT of ssh login attempts. (of course I've moved my actual ssh port off 22)

So here's my idea: Set up a fake login prompt to harvest the names & PWs they try. (could be very useful in oclHashcat!!)

Anything already out there for it? Or can a simple bash or Python script do it? (I'm happy to try *if* its possible. I hate chasing the unobtainable)

Would like it to bail on the IP after x failed attempts. (logging the IPs would be nice but not a must)

TIA

Link to comment
Share on other sites

You could use netcat as a basic gathering tool, but if they check for the banner header, or key sequence exchange of a real SSH handshake, then they may not attempt to login.

Example: "nc -l 22 > /your/path/log.txt" would write any connecting data they send, to log.txt so long as nothing else uses port 22.

I do something similar for my honeypots with PHP, but they just grab any form data sent to the pages and log all of it at the web server end, including file upload attempts(all your shell.php files are belong to me..thank you)

You could probably script up something with netcat in some manner though and automate a fake banner response and key exchange, then log whatever is sent to the port though. Be careful in how you setup nc because if open and accepting raw commands on your system, you just gave them root, hence, writing to a log file with the output > redirect.

Link to comment
Share on other sites

Thanks for the reply!

I did a cursory look at kippo (listened to info about it on a podcast) But it goes further then I want. From what I have gathered (by a quick look at it, could be wrong) is it provides a sandboxed shell on the 'hacked' remote system for the attacked to play in.

I'd like to stop it before being (falsely authenticated) and have them try *more* login attempts for me to log names/pws

I'm trying to build word lists for usernames and pw's

Link to comment
Share on other sites

Thanks for the reply!

I did a cursory look at kippo (listened to info about it on a podcast) But it goes further then I want. From what I have gathered (by a quick look at it, could be wrong) is it provides a sandboxed shell on the 'hacked' remote system for the attacked to play in.

I'd like to stop it before being (falsely authenticated) and have them try *more* login attempts for me to log names/pws

I'm trying to build word lists for usernames and pw's

Forgot to mention, you need to keep the connection alive for each user who disconnects, and also, useful to add CRLF's..lol.

"nc -Clkv 22 > log.txt"

Mind you, this will probably fail on true SSH clients being used since there won't be any true protocol established, handshake, etc, but people with raw scripted telnet, perl, python or netcat bruteforcers, etc, that just send raw data, it will capture it all to a file.

edit:

Someone on Twitter also just mentioned to me, use fail2ban and log analysis.

https://twitter.com/xxDigiPxx/status/553713910281699329

Edited by digip
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...