Land rapid7#4361, Kippo detector

Author: wvu

modules/auxiliary/scanner/ssh/detect_kippo.rb

@@ -0,0 +1,49 @@
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Kippo SSH Honeypot Detector',
+      'Description' => %q{
+        This module will detect if an SSH server is running a Kippo honeypot.
+        This is done by issuing unexpected data to the SSH service and checking
+        the response returned for two particular non-standard error messages.
+      },
+      'Author' => 'Andrew Morris <andrew[at]morris.guru>',
+      'References' => [
+        ['URL', 'https://cultofthedyingsun.wordpress.com/2014/09/12/death-by-magick-number-fingerprinting-kippo-2014/'],
+        ['URL', 'http://morris.guru/detecting-kippo-ssh-honeypots/']
+      ],
+      'License' => MSF_LICENSE
+    ))
+
+    register_options([
+      Opt::RPORT(22)
+    ])
+  end
+
+  def run_host(ip)
+    connect
+    banner = sock.get_once
+    sock.put(banner + "\n" * 8)
+    response = sock.get_once
+
+    if response =~ /(?:^Protocol mismatch\.\n$|bad packet length)/
+      print_good("#{ip}:#{rport} - Kippo detected!")
+      report_service(
+        :host => ip,
+        :port => rport,
+        :name => 'ssh',
+        :info => 'Kippo SSH honeypot'
+      )
+    else
+      vprint_status("#{ip}:#{rport} - #{banner.strip} detected")
+    end
+  end
+
+end