log replay automation and terminal-dashboard functionality

attempts.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+# Basic dashboard to show recent honeypot stats...
+# greg.foss[at]owasp.org
+# v0.2 - 1/8/2015
+
+echo ""
+echo "reviewing logs -- this may take some time, please be patient..."
+echo ""
+
+# queries
+search=$(find /opt/kippo/log/kippo.log*)
+attackers=$(echo "$search" | xargs -n16 -P18 grep -iH 'login attempt' | cut -d "]" -f 1 | cut -d "," -f 3 | grep -v 'login' | uniq);
+breaches=$(echo "$search" | xargs -n16 -P18 grep -iH 'cmd' | cut -d "," -f 3 | cut -d "]" -f 1 | grep -v 'login' | uniq);
+files=$(echo "$search" | xargs -n16 -P18 grep -iH "http:" | cut -d"]" -f 2 | awk '{print $3}' | grep -v '^$\|wget\|<\|(\|)' | uniq);
+attempts=$(echo "$search" | xargs -n16 -P18 grep -iH 'login attempt' | cut -d "]" -f 2,3 | cut -d" " -f 4);
+
+# counts
+success=$(echo "$attempts" | grep '\[USERNAME1/PASSWORD1\]\|\[USERNAME2/PASSWORD2\]' | wc -l);
+attackercount=$(echo "$attackers" sort -u | wc -l)
+attemptcount=$(echo "$attempts" | wc -l);
+breachcount=$(echo "$breaches" | wc -l)
+filecount=$(echo "$files" | wc -l)
+
+clear
+echo ""
+echo "Kippo Honeypot Statistics"
+echo ""
+echo $success" => successful password guesses"
+echo $attemptcount" => total login attempts"
+echo $attackercount" => total attacking IPs (10 most recent entries below)"
+echo "--------------------"
+echo "$attackers" | uniq | tail -n 10
+echo "--------------------"
+echo ""
+echo $breachcount" => honeypot breaches (10 most recent entries below)"
+echo "--------------------"
+echo "$breaches" | uniq | tail -n 10
+echo "--------------------"
+echo ""
+echo $filecount" => payloads downloaded (10 most recent entries below)"
+echo "--------------------"
+echo "$files" | uniq | tail -n 10
+echo "--------------------"
+echo ""

firewall.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# RUN AS ROOT
+# Set iptables to forward to the [default] kippo port
+
+iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

get-creds.sh

@@ -0,0 +1,9 @@
+#!/bin/bash 
+
+attempts=$(cat /opt/kippo/log/kippo.log | grep 'login attempt' | wc -l); 
+echo "" 
+echo $attempts" => login attempts" 
+echo "--------------------"  
+cat /opt/kippo/log/kippo.log | grep 'login attempt' | cut -d " " -f 3 4 5 | awk '{print "["$1" "$4}'
+echo "--------------------" 
+echo "" 

log/played/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

replay-alert.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+# Send alerts when the honeypot is breached, including attacker activity details...
+# greg.foss[at]owasp.org
+# v0.1 - 1/6/2015
+
+file=$(ls /opt/kippo/log/tty/*.log | cut -d"/" -f 6)
+filecount=$(ls /opt/kippo/log/tty/*.log | wc -l)
+host=$(ifconfig | grep 'inet addr' | grep -v '127' | cut -d":" -f2 | awk '{print $1}')
+hostname=$(hostname)
+
+if [ $filecount -gt 0 ]
+then
+	for i in $file; do
+		python /opt/kippo/utils/playlog.py /opt/kippo/log/tty/$i -m 1 > /opt/kippo/log/played/$i
+		mv /opt/kippo/log/tty/$i /opt/kippo/log/tty/old/
+		unix2dos -f /opt/kippo/log/played/$i
+		sendEmail -f [FROM@ADDRESS.COM] -t [TO@ADDRESS.COM] -u "Kippo Honeypot Breached" -m "A Kippo Honeypot [$hostname] located at [$host] has been breached. A log of the attacker's activities has been attached for review" -a /opt/kippo/log/played/$i -s [YOUR.MAIL.SERVER]:25 -o tls=no
+	done;
+else
+	exit
+fi