Below you will find pages that utilize the taxonomy term “ssh”
Posts
Cowrie Honeypot
Since summer 2014 I’ve been working on extensions and contributions to the well-known Kippo honeypot developed by desaster.
I noticed some SSH attacks against my systems were not logged in full detail, so I started to work on additional logging. From there I’ve added ‘ssh exec commands’ support, SFTP support, SCP support, direct-tcpip (proxying) support and many other features.
To distinguish this from the original software, I have now renamed the system to "Cowrie".
Interesting Perl scripts through stdin
This came in recently in one of my honeypots, from the same IP address that attempted to download SSH bruteforcing scripts before, but this latest attempt shows a new method of operation. In the log below you can see they attempt to run ‘perl’. Kippo accepts the perl command, but we don’t see what’s executed.
2015-02-17 08:13:56+0000 [kippo.core.ssh.HoneyPotSSHFactory] New connection: AAA.BBB.CCC.DDD:40346 (127.0.0.1:2222) [session: 491]
2015-02-17 08:13:57+0000 [HoneyPotTransport,491,AAA.BBB.CCC.DDD] KEXINIT: client supported key exchange: ['diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1']
2015-02-17 08:13:57+0000 [HoneyPotTransport,491,AAA.