Merge pull request #1 from wvu-r7/pr/4361

andrew-morris · andrew-morris · commit 81a069d54857 · 2014-12-15T15:51:48.000-05:00
Merging changes. Thanks for all the help!
diff --git a/modules/auxiliary/scanner/ssh/detect_kippo.rb b/modules/auxiliary/scanner/ssh/detect_kippo.rb
@@ -1,40 +1,49 @@
 require 'msf/core'
 
-class Metasploit3 < Msf::Auxiliary
+class Metasploit4 < Msf::Auxiliary
 
   include Msf::Exploit::Remote::Tcp
   include Msf::Auxiliary::Scanner
   include Msf::Auxiliary::Report
 
-    def initialize
-      super(
-        'Name'           => 'Kippo SSH Honeypot Detector',
-        'Description'    => %q{This module will detect if an SSH server is running a Kippo
-          honeypot. This is done by issuing unexpected data to the SSH service and checking
-          the response returned for two particular non-standard error messages.},
-        'References'  =>
-          [
-            [ 'URL', 'https://cultofthedyingsun.wordpress.com/2014/09/12/death-by-magick-number-fingerprinting-kippo-2014/' ],
-            [ 'URL', 'http://morris.guru/detecting-kippo-ssh-honeypots/' ],
-          ],
-        'Author'         => 'Andrew Morris <andrew[at]morris.guru>',
-        'License'        => MSF_LICENSE
-      )
-    register_options(
-      [
-        Opt::RPORT(22)
-      ], self.class)
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Kippo SSH Honeypot Detector',
+      'Description' => %q{
+        This module will detect if an SSH server is running a Kippo honeypot.
+        This is done by issuing unexpected data to the SSH service and checking
+        the response returned for two particular non-standard error messages.
+      },
+      'Author' => 'Andrew Morris <andrew[at]morris.guru>',
+      'References' => [
+        ['URL', 'https://cultofthedyingsun.wordpress.com/2014/09/12/death-by-magick-number-fingerprinting-kippo-2014/'],
+        ['URL', 'http://morris.guru/detecting-kippo-ssh-honeypots/']
+      ],
+      'License' => MSF_LICENSE
+    ))
+
+    register_options([
+      Opt::RPORT(22)
+    ])
   end
 
   def run_host(ip)
     connect
-    banner = sock.get_once(1024)
-    sock.put(banner+"\n"*8)
-    response = sock.get(1024)
-    if response == "Protocol mismatch.\n" or response.include? "bad packet length 168430090"
-      print_status("#{ip}:#{rport} - Kippo honeypot detected!")
-      report_service(:host => rhost, :port => rport, :name => "ssh", :info => "Kippo SSH Honeypot")
+    banner = sock.get_once
+    sock.put(banner + "\n" * 8)
+    response = sock.get_once
+
+    if response =~ /(?:^Protocol mismatch\.\n$|bad packet length)/
+      print_good("#{ip}:#{rport} - Kippo detected!")
+      report_service(
+        :host => ip,
+        :port => rport,
+        :name => 'ssh',
+        :info => 'Kippo SSH honeypot'
+      )
+    else
+      vprint_status("#{ip}:#{rport} - #{banner.strip} detected")
     end
   end
-end
 
+end
