metasploit-framework/modules/auxiliary/scanner/ssh/detect_kippo.rb

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner

    def initialize
      super(
        'Name'           => 'Kippo SSH Honeypot Detector',
        'Description'    => %q{This module will detect if an SSH server is running a Kippo
          honeypot. This is done by issuing unexpected data to the SSH service and checking
          the response returned for two particular non-standard error messages.},
        'References'  =>
          [
            [ 'URL', 'https://cultofthedyingsun.wordpress.com/2014/09/12/death-by-magick-number-fingerprinting-kippo-2014/' ],
          ],
        'Author'         => 'Andrew Morris <andrew[at]morris.guru>',
        'License'        => MSF_LICENSE
      )
    register_options(
      [
        Opt::RPORT(22)
      ], self.class)
  end

  def run_host(ip)
    connect
    banner = sock.get_once(1024)
    sock.put(banner+"\n"*8)
    response = sock.get(1024) # Not sure what the difference is between get and recv, but updated. Will look into.
    if response == "Protocol mismatch.\n" or response.include? "bad packet length 168430090" # I know this is ugly
      print_status("#{ip} - Kippo honeypot detected!") # Currently reading the report_* documentation trying to figure out how to implement properly
    end
  end
end
added detect_kippo.rb 2014-12-11 03:37:35 +00:00			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

Addressed some recommendations made by wvu-r7. Need to remove some comments, add reporting, etc. 2014-12-11 08:40:20 +00:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Auxiliary::Scanner`
added detect_kippo.rb 2014-12-11 03:37:35 +00:00
Addressed some recommendations made by wvu-r7. Need to remove some comments, add reporting, etc. 2014-12-11 08:40:20 +00:00			`def initialize`
			`super(`
			`'Name' => 'Kippo SSH Honeypot Detector',`
forgot to run through msftidy.rb. made a few minor corrections 2014-12-11 08:47:39 +00:00			`'Description' => %q{This module will detect if an SSH server is running a Kippo`
			`honeypot. This is done by issuing unexpected data to the SSH service and checking`
Addressed some recommendations made by wvu-r7. Need to remove some comments, add reporting, etc. 2014-12-11 08:40:20 +00:00			`the response returned for two particular non-standard error messages.},`
			`'References' =>`
			`[`
			`[ 'URL', 'https://cultofthedyingsun.wordpress.com/2014/09/12/death-by-magick-number-fingerprinting-kippo-2014/' ],`
			`],`
			`'Author' => 'Andrew Morris <andrew[at]morris.guru>',`
			`'License' => MSF_LICENSE`
			`)`
			`register_options(`
			`[`
			`Opt::RPORT(22)`
			`], self.class)`
			`end`

			`def run_host(ip)`
			`connect`
forgot to run through msftidy.rb. made a few minor corrections 2014-12-11 08:47:39 +00:00			`banner = sock.get_once(1024)`
Addressed some recommendations made by wvu-r7. Need to remove some comments, add reporting, etc. 2014-12-11 08:40:20 +00:00			`sock.put(banner+"\n"*8)`
			`response = sock.get(1024) # Not sure what the difference is between get and recv, but updated. Will look into.`
			`if response == "Protocol mismatch.\n" or response.include? "bad packet length 168430090" # I know this is ugly`
			`print_status("#{ip} - Kippo honeypot detected!") # Currently reading the report_* documentation trying to figure out how to implement properly`
			`end`
			`end`
screwed up formatting. updated indention at the end. ok seriously, going to bed now 2014-12-11 09:05:56 +00:00			`end`
added detect_kippo.rb 2014-12-11 03:37:35 +00:00