Closed GoogleCodeExporter closed 9 years ago
Hey,
I'm confused by this. What's the problem exactly? :P
When it first loads, it connects to the honeypot and grabs its version string,
and then uses that when hackers fingerprint it.
Original comment by tnn...@googlemail.com
on 16 Mar 2014 at 2:02
Hey
Sorry, I might have been a bit tired when I made the ticket this morning :) I'll
try to clarify.
Try reproducing the issue by following these steps:
1. Use Nmap against tcp/22 to get the service version:
   $ nmap -Pn -sV -p22 [ip address or FQDN]
2. Run one scan directly against the honeypot.
   Run one scan against the honeypot with HonSSH as the middle man.
3. Inspect the output of these two scans.
- This is the output from the scan directly against the honeypot.
Nmap scan report for [ip.add.re.ss]
Host is up (0.00071s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.3 (protocol 2.0)
- This is the output from the scan against the honeypot with HonSSH as the middle man.
Nmap scan report for [FQDN] ([ip.add.re.ss])
Host is up (0.000062s latency).
rDNS record for [ip.add.re.ss]: [FQDN]
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
1 service unrecognized despite returning data. If you know the service/version,
please submit the following fingerprint at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.25%I=7%D=3/16%Time=5325BF3E%P=x86_64-unknown-openbsd5.3%
SF:r(NULL,1CC,"SSH-2\.0-OpenSSH_6\.3\x20Bank\x20Of\x20Sweden\r\n\0\0\x01\x
SF:a4\x04\x14\^\x86\x96#\xa0\xffF\x9f\x12\xa1\x9a\xfb\n\xee_\?\0\0\0\x1adi
SF:ffie-hellman-group1-sha1\0\0\0\x07ssh-rsa\0\0\0\x85aes256-ctr,aes256-cb
SF:c,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-ctr,cast128-cbc,b
SF:lowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc\0\0\0\x85aes256-ctr,aes256-c
SF:bc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-ctr,cast128-cbc,
SF:blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc\0\0\0\x12hmac-sha1,hmac-md5
SF:\0\0\0\x12hmac-sha1,hmac-md5\0\0\0\tnone,zlib\0\0\0\tnone,zlib\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0:\xd8%\x88");
Would appreciate it if you could attempt to reproduce the issue; if you get the
same results from both scans I'm gonna have to dig into my firewall config and
the way it handles those packets :P
Original comment by are.hans...@gmail.com
on 16 Mar 2014 at 3:35
LOL!
It's nothing to do with HonSSH at all, I found the issue now.
Sorry! My bad! Close the ticket!!! :P
Original comment by are.hans...@gmail.com
on 16 Mar 2014 at 3:37
Haha no worries man :D Currently fixing the other issues :P One less to think
about haha
Original comment by tnn...@googlemail.com
on 16 Mar 2014 at 3:39
Explanation:
The honeypot is running OpenBSD; sshd_config has an option called
'VersionAddendum', which allows you to append a custom string to the version
string... I think you see where this is going ;)
Original comment by are.hans...@gmail.com
on 16 Mar 2014 at 3:41
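A worked parse of the two banners from the scans above, added here as an example (not HonSSH's or OpenSSH's code). It splits a server identification line into the RFC 4253 fields, so the "Bank Of Sweden" text visible in the nmap fingerprint shows up as the optional comments field, which is where OpenBSD's sshd_config VersionAddendum puts whatever you configure (a line such as `VersionAddendum Bank Of Sweden` is my inference from the fingerprint; the ticket does not show the config file). The direct banner is inferred from nmap's "OpenSSH 6.3" match. fetch_banner() is the live check a practitioner would run before blaming the proxy: it reads the identification line straight from whatever host and port you pass in, and same_software() is the comparison you want when verifying that HonSSH presents the same version as the honeypot behind it.

```python
"""Split SSH identification strings into their RFC 4253 fields.

Added example for this ticket; not code from HonSSH or OpenSSH. The two
sample banners are constructed from the scan output quoted above (the
nmap fingerprint shows "SSH-2.0-OpenSSH_6.3 Bank Of Sweden"). Nothing
here touches the network unless you call fetch_banner() yourself.
"""
import re
import socket
from typing import NamedTuple, Optional

# RFC 4253 section 4.2:
#   SSH-protoversion-softwareversion SP comments CR LF
# 'comments' is optional. The RFC says softwareversion must not contain
# whitespace or '-', but some real servers put '-' in it, so we only stop
# softwareversion at the first space.
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


class SshIdent(NamedTuple):
    protoversion: str
    softwareversion: str
    comments: Optional[str]


def parse_ident(line: str) -> SshIdent:
    """Parse one identification line, with or without the trailing CR LF."""
    line = line.rstrip("\r\n")
    m = _IDENT_RE.match(line)
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshIdent(m["proto"], m["software"], m["comments"])


def version_addendum(ident: SshIdent) -> str:
    """Return the text OpenSSH's VersionAddendum would have to be set to for
    this banner; 'none' is the sshd_config spelling of 'nothing appended'."""
    return ident.comments if ident.comments else "none"


def same_software(a: str, b: str) -> bool:
    """True if two banners advertise the same protocol and software version,
    ignoring the comments field. This is the check for a proxy (HonSSH) that
    is supposed to present the honeypot's own version string."""
    ia, ib = parse_ident(a), parse_ident(b)
    return (ia.protoversion, ia.softwareversion) == (ib.protoversion, ib.softwareversion)


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server identification line from host:port. Lines the server
    sends before it (allowed by RFC 4253) are skipped. Live check only."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        while True:
            raw = f.readline()
            if not raw:
                raise ConnectionError("connection closed before identification")
            line = raw.decode("ascii", errors="replace")
            if line.startswith("SSH-"):
                return line


# Constructed sample banners, taken from the two scans in the ticket.
DIRECT_BANNER = "SSH-2.0-OpenSSH_6.3\r\n"
ADDENDUM_BANNER = "SSH-2.0-OpenSSH_6.3 Bank Of Sweden\r\n"

if __name__ == "__main__":
    for banner in (DIRECT_BANNER, ADDENDUM_BANNER):
        ident = parse_ident(banner)
        print(f"{banner.strip()!r}: software={ident.softwareversion!r} "
              f"VersionAddendum={version_addendum(ident)!r}")
    print("same software version:", same_software(DIRECT_BANNER, ADDENDUM_BANNER))
```

Run it as-is to see the two constructed banners split; call fetch_banner("honeypot-host") and fetch_banner("honssh-host") in turn and feed both lines to same_software() to confirm the middle man is relaying the honeypot's version rather than its own.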
Haha brilliant :D
Original comment by tnn...@googlemail.com
on 16 Mar 2014 at 3:42
Original issue reported on code.google.com by
are.hans...@gmail.com
on 16 Mar 2014 at 4:40