Monthly Archives: August 2015

Compromising a honeypot network through the Kippo password when logstash exec is used

This is a shared post by @rikvduijn and @wez3forsec.

We have been playing with Honeypots lately (shoutout to Theo and Sebastian for adding their honeypots to the network), collecting and visualizing the data from the honeypots is done via ELK. The environment contains a central server to centralize all the collected data from the honeypots that are connected to it. The environment is visualized in the following diagram:

tmo

In order to collect interesting data on Dutch IP’s we run every event through a filter adding Geo location based on IP. After that we run all events that pertain to Dutch IP’s through a Python script using the logstash function exec.

Continue reading