After reading Roger A. Grimes' review of the low-interaction honeypots KFSensor, HoneyPoint and Honeyd, and being surprised by the pricing scheme, I decided to test it; maybe I was missing something, and if not, I could at least double the price for dionaea.
So I downloaded the KFSensor trial from here; after entering the totally required information you get redirected to the actual page where you can download WinPcap and the KFSensor 4.7 Trial.
I installed WinPcap and KFSensor, rebooted, and ran into the first problem:
Actually I was expecting this, but they have documentation on how to disable
Windows Networking, so I got it working … basically.
I decided not to disable the RPC service on port 135, as I had doubts the machine would boot afterwards, and ran some basic tests before messing with everything.
The main thing I was interested in was the protocols KFSensor supports, and how far it takes the emulation.
The http service basically worked, showing this page:
I was excited to see the SMB stack of KFSensor, so I decided to test it with smbclient, nmap and metasploit.
Listing shares basically worked with smbclient, but there is room for improvement:
smbclient -L '\\192.168.53.229'
Enter common's password:

        Sharename       Type      Comment
        ---------       ----      -------
cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \srvsvc failed with error NT_STATUS_INVALID_NETWORK_RESPONSE
        PRINTER$        Disk
        HL-1030         Printer   Brother Printer
        DOCS            Disk      Shared Documents
        IPC$            IPC       Remote Inter Process Communication
session request to 192.168.53.229 failed (Called name not present)
session request to 192 failed (Called name not present)

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
Uploading a file via smb using smbclient did not work at all:
smbclient '\\192.168.53.229\IPC$'
Enter common's password:
smb: \> dir
NT_STATUS_NOT_FOUND listing \*
255 blocks of size 0. 0 blocks available
smb: \> mkdir test
smb: \> cd test
cd \test\: NT_STATUS_NOT_FOUND
smb: \> dir
NT_STATUS_NOT_FOUND listing \*
255 blocks of size 0. 0 blocks available
smb: \> put /tmp/KFSensor-httpd.png
cli_push returned NT_STATUS_END_OF_FILE
putting file /tmp/KFSensor-httpd.png as \/tmp/KFSensor-httpd.png cli_chain_cork failed
SUCCESS - 0 closing remote file \/tmp/KFSensor-httpd.png
Next on the list was nmap. Given its NSE scripts, nmap can mess with SMB as well, and there are several scripts for it, so I decided to list shares and users.
/opt/nmap/bin/nmap --script smb-enum-users.nse -p445 192.168.53.229
Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-11-25 13:33 CET
NSE: Script Scanning completed.
Nmap scan report for 192-168-53-229.dyn.wired.example.prv (192.168.53.229)
Host is up (0.0028s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds
To my big surprise, this returned nothing, even though smbclient returned data for basically the same query. KFSensor would ring the alarm sound, but not log this access.
Given my experiences with Windows, I restarted the service, and it would log the attack, but still return no data, so basically I was able to evade logging after some basic tests, without even trying to do so. Given I had not really messed with the system before, just tried the SMB upload, I decided to try to reproduce this later on and put a note here, so I do not forget to try to reproduce it.
I had a look at the packets exchanged with wireshark, and nmap closed the connection listing everything:
So I figured out the nmap debug flags, and ran it again:
/opt/nmap/bin/nmap --script smb-enum-shares.nse -p445 192.168.53.229 --log-errors -dd
Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-11-25 14:02 CET
Fetchfile found /opt/nmap/share/nmap/nmap-services
The max # of sockets we are using is: 0
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
Fetchfile found /opt/nmap/share/nmap/nse_main.lua
Fetchfile found /opt/nmap/share/nmap/nselib/
Fetchfile found /opt/nmap/share/nmap/scripts/script.db
Fetchfile found /opt/nmap/share/nmap/scripts/smb-enum-shares.nse
NSE: Script smb-enum-shares.nse was selected by name.
NSE: Loaded 1 scripts for scanning.
NSE: Loaded 'smb-enum-shares.nse'.
Initiating Ping Scan at 14:02
Scanning 192.168.53.229 [2 ports]
ultrascan_host_probe_update called for machine 192.168.53.229 state UNKNOWN -> HOST_UP (trynum 0 time: 863)
Changing ping technique for 192.168.53.229 to connect to port 80
ultrascan_host_probe_update called for machine 192.168.53.229 state HOST_UP -> HOST_UP (trynum 0 time: 925)
Changing global ping host to 192.168.53.229.
Completed Ping Scan at 14:02, 0.00s elapsed (1 total hosts)
Overall sending rates: 1818.18 packets / s.
mass_rdns: Using DNS server 192.168.53.1
Initiating Parallel DNS resolution of 1 host. at 14:02
mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 14:02, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 14:02
Scanning 192-168-53-229.dyn.wired.example.prv (192.168.53.229) [1 port]
Discovered open port 445/tcp on 192.168.53.229
Changing global ping host to 192.168.53.229.
Completed Connect Scan at 14:02, 0.01s elapsed (1 total ports)
Overall sending rates: 91.50 packets / s.
NSE: Script scanning 192.168.53.229.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 14:02
NSE: NSE Script Threads (1) running:
NSE: Starting 'smb-enum-shares' (thread: 0x2537f10) against 192.168.53.229.
NSE: SMB: Attempting to log into the system to enumerate shares
NSE: SMB: Starting SMB session for 192-168-53-229.dyn.wired.example.prv (192.168.53.229)
NSE: SMB: Added account '' to account list
NSE: SMB: Added account 'guest' to account list
NSE: SMB: Sending SMB_COM_NEGOTIATE
NSE: SMB: Lanman hash: aad3b435b51404eeaad3b435b51404ee
NSE: SMB: NTLM hash: 31d6cfe0d16ae931b73c59d7e0c089c0
NSE: SMB: Creating NTLMv1 response
NSE: SMB: Lanman response: 750d712c70aaf617dace4a3687963c74ce84e88f0cb12291
NSE: SMB: NTLM response: 750d712c70aaf617dace4a3687963c74ce84e88f0cb12291
NSE: SMB: Sending SMB_COM_SESSION_SETUP_ANDX
NSE: SMB: Closing socket
NSE: SMB: Enumerating shares failed, guessing at common ones (SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [19])
NSE: SMB: Starting SMB session for 192-168-53-229.dyn.wired.example.prv (192.168.53.229)
NSE: SMB: Sending SMB_COM_NEGOTIATE
NSE: SMB: Sending SMB_COM_SESSION_SETUP_ANDX
NSE: SMB: Closing socket
NSE: Finished 'smb-enum-shares' (thread: 0x2537f10) against 192.168.53.229.
Completed NSE at 14:02, 0.05s elapsed
NSE: Script Scanning completed.
Nmap scan report for 192-168-53-229.dyn.wired.example.prv (192.168.53.229)
Host is up, received syn-ack (0.0021s latency).
Scanned at 2010-11-25 14:02:18 CET for 1s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
Host script results:
| smb-enum-shares:
|_ ERROR: Couldn't enumerate shares: SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [19]
Final times for host: srtt: 2109 rttvar: 5324 to: 100000
Read from /opt/nmap/share/nmap: nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
nmap complained about far too little data, so I had a look at the Session Setup AndX response packet sent by KFSensor, and … I'm uncertain whether this is a valid reply:

But I got curious which flags2 and capabilities were negotiated by the KFSensor service, and had a look:
Compared to a Windows XP response, I was at least missing the unicode and extended security flags in capabilities, as well as the unicode flag in flags2.
Given that nmap failed on KFSensor during authentication when trying to list shares, I expected KFSensor to fail on listing users too, and I was right.
I felt it was time to raise the bar, throw shellcode at the honeypot and see what it could do, so I ran metasploit and chose ms08_067_netapi to start with.
use exploit/windows/smb/ms08_067_netapi
set RHOST 192.168.53.229
set PAYLOAD windows/exec
set CMD calc.exe
exploit
Metasploit came back with an error:
[-] Exploit exception: The server responded with unimplemented WordCount 2 for command 117
[*] Exploit completed, but no session was created.
and KFSensor did not ring the bell to notify of an attack, and did not log it either, so … given my experience with Windows, I restarted KFSensor again, and now the attack rang the bell and got logged by KFSensor, but the result remained the same. I had a look in wireshark, and metasploit is correct: KFSensor's response to the TreeConnect AndX Request is wrong:
use exploit/windows/smb/ms03_049_netapi
set RHOST 192.168.53.229
set PAYLOAD windows/exec
set CMD calc.exe
exploit
As expected, KFSensor failed again, due to the same problem as for ms08_067_netapi: TreeConnect AndX is not implemented properly.
[-] Exploit exception: The server responded with unimplemented WordCount 2 for command 117
[*] Exploit completed, but no session was created.
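The WordCount and the flags2/capabilities bits discussed above (for the Session Setup AndX, Negotiate and TreeConnect AndX responses) can be checked against what a Windows server sends. The following is an added example, not KFSensor's, nmap's or metasploit's code: it parses a NetBIOS-framed SMB1 reply and flags a WordCount outside the values MS-CIFS/MS-SMB define for that command (17 for Negotiate, 3 or 4 for Session Setup AndX, 3 or 7 for TreeConnect AndX), a missing unicode bit in flags2, and missing CAP_UNICODE / CAP_EXTENDED_SECURITY capabilities. The sample packets are constructed, not captures from this test.

```python
import struct

# SMB1 command codes and the response WordCounts a Windows server sends for
# them (per MS-CIFS / MS-SMB); anything else suggests a thin emulation.
SMB_COM_NEGOTIATE, SMB_COM_SESSION_SETUP_ANDX, SMB_COM_TREE_CONNECT_ANDX = 0x72, 0x73, 0x75
EXPECTED_WORDCOUNT = {SMB_COM_NEGOTIATE: {17}, SMB_COM_SESSION_SETUP_ANDX: {3, 4},
                      SMB_COM_TREE_CONNECT_ANDX: {3, 7}}
FLAGS2_UNICODE, CAP_UNICODE, CAP_EXTENDED_SECURITY = 0x8000, 0x00000004, 0x80000000

def check_smb_response(pkt):
    """Parse one NetBIOS-framed SMB1 response and report fidelity findings."""
    if len(pkt) < 4 + 33 or pkt[0] != 0:
        raise ValueError("not a NetBIOS session message carrying an SMB header")
    smb = pkt[4:4 + struct.unpack(">I", b"\x00" + pkt[1:4])[0]]
    if smb[:4] != b"\xffSMB":
        raise ValueError("bad SMB magic")
    command, flags2, wordcount = smb[4], struct.unpack("<H", smb[10:12])[0], smb[32]
    words = smb[33:33 + 2 * wordcount]
    findings = {"command": command, "wordcount": wordcount,
                "wordcount_ok": wordcount in EXPECTED_WORDCOUNT.get(command, set()),
                "flags2_unicode": bool(flags2 & FLAGS2_UNICODE)}
    if command == SMB_COM_NEGOTIATE and wordcount == 17:
        caps = struct.unpack("<I", words[19:23])[0]   # Capabilities field of an NT LM 0.12 reply
        findings["cap_unicode"] = bool(caps & CAP_UNICODE)
        findings["cap_extended_security"] = bool(caps & CAP_EXTENDED_SECURITY)
    return findings

def build_response(command, flags2, words, data=b""):
    """Frame a constructed SMB1 reply: 32-byte header, WordCount+Words, ByteCount+Bytes."""
    hdr = b"\xffSMB" + bytes([command]) + struct.pack("<IBH", 0, 0x88, flags2) + b"\x00" * 20
    smb = hdr + bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb

# Constructed samples (not captures from the review): a Windows-style
# TreeConnectAndX reply (WordCount 3) and a thin one with WordCount 2.
WINDOWS_TREE = build_response(SMB_COM_TREE_CONNECT_ANDX, 0xC803,
                              b"\xff\x00\x00\x00\x01\x00", b"A:\x00")
THIN_TREE = build_response(SMB_COM_TREE_CONNECT_ANDX, 0x0001, b"\xff\x00\x00\x00")
# Negotiate reply advertising CAP_UNICODE and CAP_EXTENDED_SECURITY (Windows-like)
WINDOWS_NEG = build_response(SMB_COM_NEGOTIATE, 0xC803,
                             struct.pack("<HBHHIIII", 0, 3, 50, 1, 16644, 65536, 0,
                                         CAP_UNICODE | CAP_EXTENDED_SECURITY | 0x1)
                             + b"\x00" * 11)
if __name__ == "__main__":
    for name, pkt in [("windows tree", WINDOWS_TREE), ("thin tree", THIN_TREE),
                      ("windows negotiate", WINDOWS_NEG)]:
        print(name, check_smb_response(pkt))
```

Fed a reply with WordCount 2 for command 0x75 (117), the check reports exactly the condition metasploit complained about.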
KFSensor offers MSSQL as a service on udp/1433 and tcp/1433.
As I lack a real MSSQL client, I decided to access the server with freetds. freetds' tsql did nothing when I first used it, as it expects the server to be listening on tcp/1434 by default, but it can be forced to use any port, so I forced it to use 1433 instead.
/opt/freetds/bin/tsql -H 192.168.53.229 -p 1433 -U sa -P sa
locale is "en_US.UTF-8"
locale charset is "UTF-8"
using default charset "UTF-8"
Segmentation fault
Even though freetds' tsql should not segfault, somehow the response sent by KFSensor seemed to be invalid, so I had a look at the packet …
And even though wireshark's Tabular Data Stream dissector is really weak, it correctly detects the malformed packet.
I chose lftp as the ftp client to access KFSensor's ftp service.
lftp :~> debug
lftp :~> open 192.168.53.229
---- Resolving host address...
---- 1 address found: 192.168.53.229
lftp 192.168.53.229:~> user anonymous
Password:
lftp anonymous@192.168.53.229:~> ls
---- Connecting to 192.168.53.229 (192.168.53.229) port 21
<--- 220 Microsoft FTP Service
---> FEAT
<--- 500 'FEAT': command not understood.
---> AUTH TLS
<--- 500 'AUTH': command not understood.
---> USER anonymous
<--- 331 Anonymous access allowed, send identity (e-mail name) as password.
---> PASS XXXX
<--- 230 User logged in.
---> PWD
<--- 257 "/" is current directory.
---> PASV
<--- 227 Entering Passive Mode (192,168,53,229,11,110)
---- Connecting data socket to (192.168.53.229) port 2926
`ls' at 0 [Making data connection...]
<--- 221 221-Inactivity time exceeded - Auto banned for 5 minutes
**** Peer closed connection
I noticed the ring-a-bell sound was delayed until the ftp control connection was closed.
But obviously KFSensor's ftp daemon does not do passive ftp, or at least it failed to complete the command in time. So I went for active ftp instead.
lftp :~> debug
lftp :~> set ftp:passive-mode off
lftp :~> open 192.168.53.229
---- Resolving host address...
---- 1 address found: 192.168.53.229
lftp 192.168.53.229:~> user anonymous
Password:
lftp anonymous@192.168.53.229:~> ls
---- Connecting to 192.168.53.229 (192.168.53.229) port 21
<--- 220 Microsoft FTP Service
---> FEAT
<--- 500 'FEAT': command not understood.
---> AUTH TLS
<--- 500 'AUTH': command not understood.
---> USER anonymous
<--- 331 Anonymous access allowed, send identity (e-mail name) as password.
---> PASS XXXX
<--- 230 User logged in.
---> PWD
<--- 257 "/" is current directory.
---> PORT 192,168,53,20,211,208
<--- 200 PORT command successful.
---> LIST
<--- 150 Opening ASCII mode data connection for /bin/ls (58 bytes).
<--- 425 Can't build data connection.
---- Closing data socket
---> PORT 192,168,53,20,195,95
<--- 200 PORT command successful.
---> LIST
<--- 150 Opening ASCII mode data connection for /bin/ls (58 bytes).
<--- 425 Can't build data connection.
---- Closing data socket
---> PORT 192,168,53,20,175,185
<--- 200 PORT command successful.
...
This did not work either.
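The PASV reply and the PORT commands in the two transcripts above encode the data endpoint as six decimal fields, the port being p1*256+p2 (which is why lftp connected to port 2926 after the 227 reply). As an added example, not lftp's or KFSensor's code, the function below parses both forms and also flags an advertised host that differs from the control-connection peer, something a client or a honeypot log analyser would want to check before opening the data connection.

```python
import re

# 227 reply from the server (passive) and PORT command from the client (active)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")

def parse_hostport(six):
    """Turn the six comma-separated values of PASV/PORT into (host, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in six)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_endpoint(line, control_peer):
    """Return (host, port, ok) for a 227 reply or PORT command; ok is False when
    the advertised host is not the control-connection peer (a bounce-style mismatch)."""
    m = PASV_RE.match(line) or PORT_RE.match(line)
    if not m:
        raise ValueError("not a PASV reply or PORT command: " + line)
    host, port = parse_hostport(m.groups())
    return host, port, host == control_peer

if __name__ == "__main__":
    # Lines taken from the transcripts above; the peers are the addresses used there.
    print(data_endpoint("227 Entering Passive Mode (192,168,53,229,11,110)", "192.168.53.229"))
    print(data_endpoint("PORT 192,168,53,20,211,208", "192.168.53.20"))
```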
MySQL is a protocol I had never looked into, but I gave it a shot nevertheless.
mysql -h 192.168.53.229
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.0.24b-community
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show tables;
+--------------------+
| Tables_in_accounts |
+--------------------+
| email              |
| orders             |
| products           |
| users              |
| account            |
+--------------------+
5 rows in set (0.01 sec)
To my great surprise, this seems to work.
So I wanted to know if the tables had any data associated:
mysql> select * from email;
Query OK, 0 rows affected (0.00 sec)
All tables turned out to be empty, so I wanted to insert data into the tables, and asked for the table's columns:
mysql> show columns from email;
+-------+------+------+-----------+---------+-------+
| Field | Type | Null | Key       | Default | Extra |
+-------+------+------+-----------+---------+-------+
|       |      |      | COLUMNS   |         | Extra |
+-------+------+------+-----------+---------+-------+
1 row in set (0.00 sec)
But this was so far the best-working service; the username and commands were logged and visible in the GUI.
Given the experiences I had with SMB, MSSQL and ftp, I decided that messing with Windows internals in order to run attacks against MS RPC on tcp/135 was a waste of time.
While I'm not that interested in the GUI, there are some benefits which should be pointed out:

You get a basic overview, which is nice, and the restart button is right on top of the menu, which is very important, as the service failed several times within less than an hour and fewer than 100 attacks here; or maybe I was not waiting long enough for the alerts to come up.

The details for an attack were at least not bad: basic packet dissection for easy inspection.
There is very little left to say, but I really think Roger A. Grimes, who authored the aforementioned review on infoworld.com, should review his writings.
Reviewing software by comparing the advertised supported features is not journalism; it is advertising disguised as a review by a self-proclaimed expert in the field.
Having many ports open does not make a good honeypot, and Windows is not the best platform if you go for attacks addressing Windows services.
For everyone who spent $599 on KFSensor after reading the infoworld review: if you go for a refund and get it, I'll be glad to grant you a discount on dionaea.
Informed of the post and given the possibility to respond, neither KFSensor nor Roger A. Grimes had replied as of 2011-01-16.