2014-12-11 03:37:35 +00:00
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
2014-12-11 08:40:20 +00:00
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
|
include Msf::Auxiliary::Scanner
|
2014-12-12 19:57:35 +00:00
|
|
|
include Msf::Auxiliary::Report
|
2014-12-11 03:37:35 +00:00
|
|
|
|
2014-12-11 08:40:20 +00:00
|
|
|
def initialize
|
|
|
|
|
super(
|
|
|
|
|
'Name' => 'Kippo SSH Honeypot Detector',
|
2014-12-11 08:47:39 +00:00
|
|
|
'Description' => %q{This module will detect if an SSH server is running a Kippo
|
|
|
|
|
honeypot. This is done by issuing unexpected data to the SSH service and checking
|
2014-12-11 08:40:20 +00:00
|
|
|
the response returned for two particular non-standard error messages.},
|
|
|
|
|
'References' =>
|
|
|
|
|
[
|
|
|
|
|
[ 'URL', 'https://cultofthedyingsun.wordpress.com/2014/09/12/death-by-magick-number-fingerprinting-kippo-2014/' ],
|
2014-12-13 02:53:26 +00:00
|
|
|
[ 'URL', 'http://morris.guru/detecting-kippo-ssh-honeypots/' ],
|
2014-12-11 08:40:20 +00:00
|
|
|
],
|
|
|
|
|
'Author' => 'Andrew Morris <andrew[at]morris.guru>',
|
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
|
)
|
|
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
Opt::RPORT(22)
|
|
|
|
|
], self.class)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def run_host(ip)
|
|
|
|
|
connect
|
2014-12-11 08:47:39 +00:00
|
|
|
banner = sock.get_once(1024)
|
2014-12-11 08:40:20 +00:00
|
|
|
sock.put(banner+"\n"*8)
|
2014-12-12 19:57:35 +00:00
|
|
|
response = sock.get(1024)
|
|
|
|
|
if response == "Protocol mismatch.\n" or response.include? "bad packet length 168430090"
|
|
|
|
|
print_status("#{ip}:#{rport} - Kippo honeypot detected!")
|
|
|
|
|
report_service(:host => rhost, :port => rport, :name => "ssh", :info => "Kippo SSH Honeypot")
|
2014-12-11 08:40:20 +00:00
|
|
|
end
|
|
|
|
|
end
|
2014-12-11 09:05:56 +00:00
|
|
|
end
|
2014-12-11 03:37:35 +00:00
|
|
|
|
