Within the umbrella of The Honeynet Project I've had two students working on dionaea as a GSoC2010 project this year. The projects were:
For today, let's focus on the SMB stack improvements.
It's been my first time mentoring a GSOC projects, so I asked previous mentors I knew about their experience and a batch of good advises.
Best advise, create a challenge, some more or less simple task, where the applicant has to show knowledge of the domain, and the required skill to solve an existing problem.
For the SMB stack, I choose a bug which was in the code, provided the applicants with the required information to reproduce, the documentation, a hash of my own patch to fix it and let them go.
Tan Kean Siong applied for SMB, and he's had a rough start, as he lacked domains specific knowledge, but to get the challenge done, he always came back with a different approach of fixing the bug, in the end, I was absolutely impressed, as he was working like a maniac to get in.
To me, his motivation was way more important than the actual document which he had to sent in to apply for the project.
Once his solution was a bad as my own, we discussed how to do it properly, and he finally got the job.
The subset of his and my own english was the common denominator for communication on irc, and we've had 6 hours difference by timezones.
We split the large task he applied for into many small subtasks, when he got stuck with something, he let me know, I had a look on it, gave some advise how I'd do it, or where to look for documentation.
I gave him a git tree to push his changes, and every time he finished a subtask and asked for what to do now, he got another one. We've been working closely together, in most cases I could directly merge his code, after some time he even started reviewing my patches, identified problems on his own, came up with own solutions, and improved things which were not even on his list.
NTLM authentication was on his list, but due to missing dependencies (ASN.1 for python3) I had no idea how to get it done, so I was basically unable to assist at all, we identified the culprits on what was required to get it done together, and when I came up with code (port scapy's ASN.1 parser) to get it done, he improved it further.
As his commits got merged in time, his changes even propagated to mwcollectd already.
When GSOC was coming to an end, he asked me what to do next, a roadmap of features, a todo list …
As dionaea is goat driven development, there is no roadmap, basically I just look at current attack patterns, try to identify bottlenecks, bugs, trends, and act upon it.
So, all I could tell him, there were lots of MSSQL scans out there, I already looked up the documentation, collected some traffic and this would be a target to look into.
He just sent me a mail, asking to pull his tree … and announcing two weeks downtime for traveling.
Looking at his last commit, I really hope he enjoys his time off.
Author: gento <gento@local.(none)>
Date: Wed Aug 25 18:40:22 2010 +0800
mssql - MSSQL and TDS procotcol added
- Tabular Data Stream protocol support has added to Dionaea
- mssql.py contained the logic for the tds request and response
- tds.py contained all the tds stream and field dissection classes
- for now, dionaea able to support MS02-056 MS SQL Server Hello Overflow, can be tested with Metasploit
- need add support for other mssql vulnerabilities, tweak to support different version of TDS
conf/dionaea.conf.dist | 4 +-
modules/python/scripts/Makefile.am | 4 +
modules/python/scripts/mssql/include/tds.py | 435 ++++++++++++++++++++++
modules/python/scripts/mssql/mssql.py | 127 +++++++
modules/python/scripts/services.py | 11 +
5 files changed, 579 insertions(+), 2 deletions(-)
