{"id":13795853,"url":"https://github.com/madirish/kojoney2","last_synced_at":"2025-05-13T00:30:36.050Z","repository":{"id":7122625,"uuid":"8417371","full_name":"madirish/kojoney2","owner":"madirish","description":"Kojoney2 is a low interaction SSH honeypot written in Python.  Based on Kojoney by Jose Antonio Coret","archived":false,"fork":false,"pushed_at":"2015-01-06T14:44:48.000Z","size":4204,"stargazers_count":37,"open_issues_count":3,"forks_count":5,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-08-04T23:10:00.376Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/madirish.png","metadata":{"files":{"readme":"README","changelog":"ChangeLog","contributing":null,"funding":null,"license":"copying","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2013-02-25T20:19:57.000Z","updated_at":"2024-05-16T17:43:53.000Z","dependencies_parsed_at":"2022-08-29T00:21:10.885Z","dependency_job_id":null,"html_url":"https://github.com/madirish/kojoney2","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madirish%2Fkojoney2","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madirish%2Fkojoney2/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madirish%2Fkojoney2/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madirish%2Fkojoney2/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/madirish","download_url":"https://codeload.github.com/madirish/kojoney2/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://git
hub.com","kind":"github","repositories_count":225159838,"owners_count":17430190,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T23:01:03.217Z","updated_at":"2024-11-18T10:30:54.345Z","avatar_url":"https://github.com/madirish.png","language":"Ruby","funding_links":[],"categories":["\u003ca id=\"c8f749888134d57b5fb32382c78ef2d1\"\u003e\u003c/a\u003eSSH\u0026\u0026Telnet","Honeypots"],"sub_categories":[],"readme":"Kojoney2\n--------\n\nKojoney2 is a medium interaction SSH honeypot written in\nPython using the Twisted Conch libraries. As a medium\ninteraction honeypot, Kojoney2 simulates a real SSH\nenvironment. As with sshd(8), Kojoney2 will listen on port\n22 for connections from ssh(1) clients. Once a connection\nattempt is made, Kojoney2 will authenticate users by\ncomparing usernames and passwords provided to an internal\nlist of fake users. Most credentials will be accepted,\ngranting attackers access to a simulated shell, where they\ncan issue commands. Kojoney2 simulates responding to many\nlegitimate shell commands in order to trick attackers.\n\nMEDIUM INTERACTION HONEYPOT\n---------------------------\nAs opposed to a low interaction honeypot, Kojoney2 will\nactually download files requested by the attacker using wget\nor curl commands using Python's native URL retrieval\nlibraries. These files are sandboxed in the download\ndirectory for analysis, but they do not appear in\nKojoney2's simulated shell. 
Downloaded files are\nchecksummed using md5sum(1) against existing files to\nprevent duplicates (and denial-of-service via file system\nresource exhaustion).\n\nPURPOSE\n-------\nThe purpose of Kojoney2 is to fingerprint attacker\nbehavior and tools as well as to identify bad actors.\nKojoney2 can be deployed on an internal or external facing\nnetwork. On an internal network, Kojoney2 can serve as a\n\"canary\" by alerting operators to malicious\nbehavior inside the perimeter. Exposed to the external\nnetwork, Kojoney2 can identify the source of malicious\nattacks as well as fingerprint post-compromise behavior. By\nobserving attacker commands after they have accessed\nKojoney2, it is possible to derive indicators of compromise\nto use in investigations and defense of legitimate ssh\nservers.\n\nKojoney2 is also designed to trap malware samples. Files\ndownloaded by attackers are stored outside of the Kojoney2\nsimulated shell for analysis. A superficial analysis is\nperformed when files are downloaded by running them through\nthe file(1) command. Further analysis may require unpacking\nor unzipping samples, and the use of the strings(1),\nclamscan(1), or code level analysis of captures.\n\nFURTHER READING\n---------------\nFor more information about Kojoney2 refer to\ndocumentation online at http://www.madirish.net/212\n\nHISTORY\n-------\nKojoney2 was developed by the University of Pennsylvania's \nSchool of Arts \u0026 Sciences (http://www.sas.upenn.edu) after a \nseveral-year-long deployment of the original Kojoney honeypot \nby Jose Antonio Coret. Over time the codebase was refined, \nexpanded, and adjusted in response to attacker behavior observed \nvia the honeypot. Over that time, Kippo, another Python-based \nSSH honeypot, was released and Kojoney was adjusted to\nincorporate many of the most attractive features of Kippo,\nwhile still retaining its Kojoney core. 
As time progressed\nthe code base became less like the original and more like a\nnew product, and thus Kojoney2 was branded and distributed.\n\n\nRESOURCES\n---------\nKojoney2 is written in Python and requires the Python\nMySQL, Zope, and Twisted extensions. Kojoney2 also utilizes\nseveral BASH shell scripts for housekeeping.\n\nFILES\n-----\n/etc/init.d/kojoney\n\tInit script to start, stop, and restart Kojoney\n\n/opt/kojoney/kojoney.py\n\tThe Kojoney2 program\n\n/opt/kojoney/conf/fake_users\n\tThe flat file containing usernames and passwords that are\n\tallowed to log into the honeypot.\n\n/var/log/honeypot.log\n\tCommon path to the Kojoney2 honeypot log file.\n\n/opt/kojoney/reports/kojreport.py\n\tReport on statistics from the database over the last 24 hours\n\n/opt/kojoney/download\n\tThe repository for stashed attacker downloads\n\n/opt/kojoney/kojoney.sqlite3\n\tThe database of Kojoney2 data\n\nAUTHORS\n-------\nJustin C. Klein Keane - http://www.MadIrish.net\nOriginal code base by Jose Antonio Coret \u003cjoxeankoret@yahoo.es\u003e\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmadirish%2Fkojoney2","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmadirish%2Fkojoney2","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmadirish%2Fkojoney2/lists"}