A low-interaction honeypot (such as Kippo) tries to mimic a real service, errors included. Unfortunately this is not always possible, which makes the trap detectable by humans and by some scanning software.

Kippo uses Twisted Conch, which doesn’t always behave like a real OpenSSH server. One of the major issues is how it handles malformed data sent at connection time: this can easily give Kippo away, because Twisted responds to the client with:

[protocolbytes] bad packet length [protocolbytes]

With a real OpenSSH server, the client receives only this message:

Protocol mismatch.

But don’t worry (be happy), you will not be detected again! Apply this patch and the “bad response” will be intercepted and replaced with the right message. It’s just a workaround, but it works!

kippo-r246-bpl.patch
kippo-0.8-bpl.patch
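To check a deployment after patching, the added example below (not the code of the patch files above, and not part of Kippo) models the substitution and audits captured server output for the leaking string. The hook function, the captures and the "\n" line ending are assumptions made for illustration.

```python
# Added illustration, not the code of the kippo-*-bpl.patch files.
LEAK_MARKER = b"bad packet length"       # text the page says Twisted Conch returns
OPENSSH_REPLY = b"Protocol mismatch.\n"  # OpenSSH's reply per the page; "\n" ending is assumed


def normalize_outbound(chunk: bytes) -> bytes:
    """Swap an outbound write carrying the Conch error for the OpenSSH reply.

    Assumes the error is sent in a single write (hypothetical hook point).
    """
    return OPENSSH_REPLY if LEAK_MARKER in chunk else chunk


def classify_stream(chunks) -> str:
    """Classify everything one connection received from the server."""
    stream = b"".join(chunks)  # join first: the marker may span two writes
    if LEAK_MARKER in stream:
        return "conch-leak"
    if stream.strip() == OPENSSH_REPLY.strip():
        return "openssh-like"
    return "other"


def audit(captures: dict) -> list:
    """Return the connection ids whose server output still exposes the honeypot."""
    return sorted(cid for cid, chunks in captures.items()
                  if classify_stream(chunks) == "conch-leak")


# Constructed sample captures (server-to-client bytes per connection).
CAPTURES = {
    "unpatched": [b"\x00\x00\x00\x2c\x0b bad packet length 1195725856\x00"],
    "split-write": [b"\x00\x00 bad pack", b"et length 42\x00"],
    "patched": [normalize_outbound(b"\x00\x00 bad packet length 42\x00")],
    "banner-only": [b"SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n"],
}

if __name__ == "__main__":
    print(audit(CAPTURES))
```

Run against your own honeypot's captured output, an empty list from `audit` means no connection received the Twisted error text.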

Happy hunting!
