
detect_kippo -> ssh_honeypot & Add Cowrie support #21433

Open
g0tmi1k wants to merge 5 commits into rapid7:master from g0tmi1k:ssh_honeypot


Conversation

g0tmi1k (Contributor) commented May 10, 2026

This PR does a few things:

  • Add report_vuln()
  • Add Cowrie support/detection
    • Rename the module as a result
  • Use SSH Mixin
  • Add EXTENDED_CHECKS option, which shows the expected OS based on the SSH banner
  • Add Notes

Targets are:

  • Metasploitable 2
  • Kali Host
  • 2x containers for Cowrie & Kippo
        current  name     hosts  services  vulns  creds  loots  notes
        -------  ----     -----  --------  -----  -----  -----  -----
Before: *        default  1      1         0      0      0      0
After : *        default  1      2         1      0      0      0

Setup

  • Cowrie v3 on 2222/TCP
  • Kippo @ b9eb06a2830d4bf94702a97ff31da38115ef990b (2023-10-26) on 222/TCP
  • ...Skipping running/setting up Metasploitable 2
$ docker pull cowrie/cowrie:latest
[...]
$ docker run -p 2222:2222 cowrie/cowrie:latest
2026-05-26T16:45:02+0000 [-] No operator config file found; using bundled defaults only
2026-05-26T16:45:02+0000 [-] Python Version 3.13.5 (main, May  5 2026, 21:05:52) [GCC 14.2.0]
2026-05-26T16:45:02+0000 [-] Twisted Version 26.4.0
2026-05-26T16:45:02+0000 [-] Cowrie Version 3.0.0
2026-05-26T16:45:02+0000 [-] Sensor UUID: 7d0d835e-58e3-11f1-a327-6228bf6b930a
2026-05-26T16:45:02+0000 [-] Loaded output engine: jsonlog
2026-05-26T16:45:02+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 26.4.0 (/cowrie/cowrie-env/bin/python3 3.13.5) starting up.
2026-05-26T16:45:02+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
2026-05-26T16:45:02+0000 [-] CowrieSSHFactory starting on 2222
2026-05-26T16:45:02+0000 [cowrie.ssh.factory.CowrieSSHFactory#info] Starting factory <cowrie.ssh.factory.CowrieSSHFactory object at 0x7f6351e456a0>
2026-05-26T16:45:02+0000 [-] Ready to accept SSH connections
$ cd kippo/
$ docker run -p 222:2222 -v ./config/kippo.cfg:/app/kippo.cfg -v ./config/data:/app/data kippo:latest
2026-05-26 16:45:23+0000 [-] Log opened.
2026-05-26 16:45:23+0000 [-] twistd 15.1.0 (/usr/bin/python 2.7.18) starting up.
2026-05-26 16:45:23+0000 [-] reactor class: twisted.internet.epollreactor.EPollReactor.
2026-05-26 16:45:23+0000 [-] HoneyPotSSHFactory starting on 2222
2026-05-26 16:45:23+0000 [-] Starting factory <kippo.core.ssh.HoneyPotSSHFactory instance at 0x7f5327f4a730>

Before

  • Scanning a valid host, but closed port: 0
  • Scanning a valid host, open port, but incorrect: 0
  • Scanning another honeypot, not detected
  • All testing was done using master branch
$ ./msfconsole -q -x 'db_status; workspace -D; setg VERBOSE true;
use auxiliary/scanner/ssh/detect_kippo;
options'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true

Module options (auxiliary/scanner/ssh/detect_kippo):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    22               yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf auxiliary(scanner/ssh/detect_kippo) >
msf auxiliary(scanner/ssh/detect_kippo) > run RHOST=10.0.0.10 RPORT=9999
[*] 10.0.0.10:9999        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/detect_kippo) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  0      0         0      0      0      0

msf auxiliary(scanner/ssh/detect_kippo) >
msf auxiliary(scanner/ssh/detect_kippo) > run RHOST=10.0.0.10 RPORT=21
[*] 10.0.0.10:21          - 10.0.0.10:21 - 220 (vsFTPd 2.3.4) detected
[*] 10.0.0.10:21          - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/detect_kippo) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  0      0         0      0      0      0

msf auxiliary(scanner/ssh/detect_kippo) >

msf auxiliary(scanner/ssh/detect_kippo) > run RHOST=10.0.0.10
[*] 10.0.0.10:22          - 10.0.0.10:22 - SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1 detected
[*] 10.0.0.10:22          - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/detect_kippo) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  0      0         0      0      0      0

msf auxiliary(scanner/ssh/detect_kippo) >
msf auxiliary(scanner/ssh/detect_kippo) > run RHOST=127.0.0.1 RPORT=2222
[*] 127.0.0.1:2222        - 127.0.0.1:2222 - SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3 detected
[*] 127.0.0.1:2222        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/detect_kippo) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  0      0         0      0      0      0

msf auxiliary(scanner/ssh/detect_kippo) >
msf auxiliary(scanner/ssh/detect_kippo) > run RHOST=127.0.0.1 RPORT=222
[+] 127.0.0.1:222         - 127.0.0.1:222 - Kippo detected!
[*] 127.0.0.1:222         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/detect_kippo) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         0      0      0      0

msf auxiliary(scanner/ssh/detect_kippo) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
127.0.0.1             Unknown                    device

msf auxiliary(scanner/ssh/detect_kippo) > services
Services
========

host       port  proto  name  state  info                resource  parents
----       ----  -----  ----  -----  ----                --------  -------
127.0.0.1  222   tcp    ssh   open   Kippo SSH honeypot  {}

msf auxiliary(scanner/ssh/detect_kippo) >

After

$ ./msfconsole -q -x 'db_status; workspace -D; setg VERBOSE true;
use auxiliary/scanner/ssh/ssh_honeypot;
options'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true

Module options (auxiliary/scanner/ssh/ssh_honeypot):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   EXTENDED_CHECKS  true             yes       Attempt to check the expected OS via the SSH banner
   RHOSTS                            yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT            22               yes       The target port (TCP)
   THREADS          1                yes       The number of concurrent threads (max one per host)
   TIMEOUT          30               yes       Timeout for the SSH probe


View the full module info with the info, or info -d command.

msf auxiliary(scanner/ssh/ssh_honeypot) >
msf auxiliary(scanner/ssh/ssh_honeypot) > run RHOST=10.0.0.10 RPORT=9999
[-] 10.0.0.10:9999        - Connection refused
[*] 10.0.0.10:9999        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_honeypot) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      0         0      0      0      0

msf auxiliary(scanner/ssh/ssh_honeypot) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10

msf auxiliary(scanner/ssh/ssh_honeypot) >
msf auxiliary(scanner/ssh/ssh_honeypot) > workspace -D
[*] Deleted workspace: default
[*] Recreated the default workspace
msf auxiliary(scanner/ssh/ssh_honeypot) > run RHOST=10.0.0.10 RPORT=21
[*] 10.0.0.10:21          - SSH banner: 220 (vsFTPd 2.3.4)
[*] 10.0.0.10:21          - Not thought to be Kippo - Received expected SSH probe
[*] 10.0.0.10:21          - Skipping Cowrie version check - Not an OpenSSH banner
[+] 10.0.0.10:21          - No SSH honeypot (Kippo/Cowrie) detected
[*] 10.0.0.10:21          - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_honeypot) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         0      0      0      0

msf auxiliary(scanner/ssh/ssh_honeypot) > services
Services
========

host       port  proto  name  state  info                resource  parents
----       ----  -----  ----  -----  ----                --------  -------
10.0.0.10  21    tcp          open   220 (vsFTPd 2.3.4)  {}

msf auxiliary(scanner/ssh/ssh_honeypot) >
msf auxiliary(scanner/ssh/ssh_honeypot) > workspace -D
[*] Deleted workspace: default
[*] Recreated the default workspace
msf auxiliary(scanner/ssh/ssh_honeypot) > run RHOST=10.0.0.10
[*] 10.0.0.10:22          - SSH banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[*] 10.0.0.10:22          - SSH banner suggests: Ubuntu, Linux, 8.04
[*] 10.0.0.10:22          - Not thought to be Kippo - Received expected SSH probe
[*] 10.0.0.10:22          - SSH KEX algorithms: diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
[*] 10.0.0.10:22          - Not thought to be Cowrie - OpenSSH 4.7 predates tracked KEX milestones
[+] 10.0.0.10:22          - No SSH honeypot (Kippo/Cowrie) detected
[*] 10.0.0.10:22          - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_honeypot) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      2         0      0      0      2

msf auxiliary(scanner/ssh/ssh_honeypot) > services
Services
========

host       port  proto  name  state  info                                   resource  parents
----       ----  -----  ----  -----  ----                                   --------  -------
10.0.0.10  22    tcp    ssh   open   SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1  {}        tcp (22/tcp)
10.0.0.10  22    tcp    tcp   open                                          {}

msf auxiliary(scanner/ssh/ssh_honeypot) > notes

Notes
=====

 Time                     Host       Service  Port  Protocol  Type         Data
 ----                     ----       -------  ----  --------  ----         ----
 2026-05-26 19:49:51 UTC  10.0.0.10  ssh      22    tcp       ssh.cpe      {:cpe=>"cpe:/o:canonical:ubuntu_linux:8.04"}
 2026-05-26 19:49:51 UTC  10.0.0.10  ssh      22    tcp       ssh.hostkey  {:type=>"ssh-rsa", :fingerprint=>"SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk"}

msf auxiliary(scanner/ssh/ssh_honeypot) >
msf auxiliary(scanner/ssh/ssh_honeypot) > workspace -D
[*] Deleted workspace: default
[*] Recreated the default workspace
msf auxiliary(scanner/ssh/ssh_honeypot) > run RHOST=127.0.0.1 RPORT=2222
[*] 127.0.0.1:2222        - SSH banner: SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3
[*] 127.0.0.1:2222        - Not thought to be Kippo - Received expected SSH probe
[*] 127.0.0.1:2222        - SSH KEX algorithms: curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha1, ext-info-s
[!] 127.0.0.1:2222        - SSH honeypot detected: Cowrie (likely) - Claims OpenSSH 9.2 but missing expected KEX: diffie-hellman-group14-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, sntrup761x25519-sha512@openssh.com
[*] 127.0.0.1:2222        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_honeypot) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      2         1      0      0      0

msf auxiliary(scanner/ssh/ssh_honeypot) > services
Services
========

host       port  proto  name  state  info                                    resource  parents
----       ----  -----  ----  -----  ----                                    --------  -------
127.0.0.1  2222  tcp    ssh   open   SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3  {}        tcp (2222/tcp)
127.0.0.1  2222  tcp    tcp   open                                           {}

msf auxiliary(scanner/ssh/ssh_honeypot) > vulns

Vulnerabilities
===============

Timestamp                Host       Service         Resource  Name                   References
---------                ----       -------         --------  ----                   ----------
2026-05-26 19:50:21 UTC  127.0.0.1  ssh (2222/tcp)  {}        SSH Honeypot Detected  URL-https://www.obscurechannel.com/x42/magicknumber.html,URL-https://web.archive.org/web/20170904010325/https://morris.sc/detecting-kippo-ssh-honeypots/

msf auxiliary(scanner/ssh/ssh_honeypot) >
msf auxiliary(scanner/ssh/ssh_honeypot) > workspace -D
[*] Deleted workspace: default
[*] Recreated the default workspace
msf auxiliary(scanner/ssh/ssh_honeypot) > run RHOST=127.0.0.1 RPORT=222
[*] 127.0.0.1:222         - SSH banner: SSH-2.0-OpenSSH_5.1p1 Debian-5
[!] 127.0.0.1:222         - SSH honeypot detected: Kippo (highly likely) - Server gave incorrect response when probed
[*] 127.0.0.1:222         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_honeypot) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      2         1      0      0      0

msf auxiliary(scanner/ssh/ssh_honeypot) > services
Services
========

host       port  proto  name  state  info                            resource  parents
----       ----  -----  ----  -----  ----                            --------  -------
127.0.0.1  222   tcp    ssh   open   SSH-2.0-OpenSSH_5.1p1 Debian-5  {}        tcp (222/tcp)
127.0.0.1  222   tcp    tcp   open                                   {}

msf auxiliary(scanner/ssh/ssh_honeypot) > vulns

Vulnerabilities
===============

Timestamp                Host       Service        Resource  Name                   References
---------                ----       -------        --------  ----                   ----------
2026-05-26 19:50:52 UTC  127.0.0.1  ssh (222/tcp)  {}        SSH Honeypot Detected  URL-https://www.obscurechannel.com/x42/magicknumber.html,URL-https://web.archive.org/web/20170904010325/https://morris.sc/detecting-kippo-ssh-honeypots/

msf auxiliary(scanner/ssh/ssh_honeypot) >
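As an added example (not code from this PR or from the Metasploit module), here is a Ruby sketch of the banner-versus-KEX consistency check that the "After" output above reports for the Cowrie container, written so a honeypot operator can verify whether their own instance's advertised KEX set is plausible for the OpenSSH version its banner claims. The milestone table (which OpenSSH release introduced each KEX) is an assumption taken from OpenSSH release notes, and COWRIE_KEX is the list captured on port 2222 above.

```ruby
# Added example, not the PR's module code. Maps each KEX name to the
# OpenSSH release that introduced it; the versions are an assumption from
# OpenSSH release notes (7.3 for group14/16/18 SHA-2, 8.5 for sntrup761).
KEX_MILESTONES = {
  'diffie-hellman-group14-sha256'      => [7, 3],
  'diffie-hellman-group16-sha512'      => [7, 3],
  'diffie-hellman-group18-sha512'      => [7, 3],
  'sntrup761x25519-sha512@openssh.com' => [8, 5],
}.freeze

# KEX list as advertised by the Cowrie container in the PR output above
# (port 2222), reproduced here as sample input.
COWRIE_KEX = %w[
  curve25519-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256
  ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 ext-info-s
].freeze

# [major, minor] parsed from an OpenSSH banner, nil for anything else
# (e.g. the vsFTPd banner the module skips).
def openssh_version(banner)
  m = banner.match(/OpenSSH_(\d+)\.(\d+)/)
  m && [m[1].to_i, m[2].to_i]
end

# KEX names the claimed version should offer but the server omitted.
# [] means consistent; nil means the check does not apply (non-OpenSSH
# banner, or a version that predates every tracked milestone).
def missing_kex(banner, kex_list)
  ver = openssh_version(banner)
  return nil unless ver
  expected = KEX_MILESTONES.select { |_, since| (ver <=> since) >= 0 }.keys
  return nil if expected.empty?
  expected - kex_list
end

# One-line verdict mirroring the module's log messages.
def assess(banner, kex_list)
  ver = openssh_version(banner)
  return 'Skipping check - Not an OpenSSH banner' unless ver
  missing = missing_kex(banner, kex_list)
  return "Not thought to be Cowrie - OpenSSH #{ver.join('.')} predates tracked KEX milestones" if missing.nil?
  return 'No inconsistency - KEX set matches claimed version' if missing.empty?
  "Cowrie (likely) - Claims OpenSSH #{ver.join('.')} but missing expected KEX: #{missing.join(', ')}"
end

if __FILE__ == $PROGRAM_NAME
  puts assess('SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3', COWRIE_KEX)
  puts assess('SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1', %w[diffie-hellman-group14-sha1])
end
```

A missing KEX is only the "likely" signal the log line calls it: a real sshd with a restrictive KexAlgorithms setting produces the same mismatch, so treat it as a lead to confirm, not as proof.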

g0tmi1k force-pushed the ssh_honeypot branch 7 times, most recently from b3514a9 to c747484 on May 13, 2026 19:32
g0tmi1k force-pushed the ssh_honeypot branch 4 times, most recently from 64e6ddb to 66c7e91 on May 19, 2026 15:10
g0tmi1k marked this pull request as draft May 21, 2026 13:49
g0tmi1k force-pushed the ssh_honeypot branch 4 times, most recently from 4e9271b to fc25055 on May 26, 2026 17:03
g0tmi1k (Contributor, Author) commented May 26, 2026

Think I've finished tweaking with this PR!

g0tmi1k marked this pull request as ready for review May 26, 2026 19:56