While there has been little development on nepenthes, there has been a lot of activity around dionaea lately.
Dionaea is meant to be a nepenthes successor: it embeds Python as its scripting language, uses libemu to detect shellcode, and supports IPv6 and TLS.
Dionaea grew out of all the shortcomings we experienced with nepenthes, and is therefore meant to supersede it.
I spent some time over the last months writing a libemu module for nepenthes; it turned out to be rather difficult, as nepenthes is a single-threaded program and shellcode emulation is slow and may require creating new processes. Installing software with a broken Makefile ran rm -rf / (yes, as root) on my system, so this effort was lost anyway.
honeytrap is more likely than nepenthes to get working shellcode emulation, as its multi-process structure fits these needs exactly.
But even if you do not have to worry about creating (sub)processes, emulating shellcode is not easy.
Most shellcode is written fire-and-forget: if the shellcode works, be glad; if it does not work, nobody cares about the attacked host.
For example, relying on the return values of system calls to build arguments on the stack, without verifying them.
In this case the shellcode relied on the return value of connect and used it to build the length parameter for the recv syscall.
A user sent us a picture of a virus using the RFC 1918 address rewriting in nepenthes to detect the honeypot.
As it has been a while since the last release, a lot of things have changed, and these changes are useless if nobody can benefit from them, we decided to roll a new release.
Yes, we skipped 0.1.8 and 0.1.9, taking the elapsed time and the amount of changes into account.
What's left to say:
From time to time it's worth crawling the dark sides of the web for input, and sometimes there are interesting, sometimes funny things.
Pardon the excessive use of AOLbonics in the screenshot; apart from blacking out the IPs we did not touch it. Microsoft's leetspeak guide might help you get an idea of what was meant to be said.
I played with UPnP lately and think the experience may be worth sharing.
The Wikipedia entry is pretty general and does not cover the full range of problems, apart from the missing authentication and the lack of a standard for the HTTPMU protocol.
I'll focus on a specific use of UPnP: a hardware router from Linksys (WRT54GS) with UPnP enabled, which is a 'servicepoint', and a controlpoint, a nepenthes module which adds port-forwarding rules on the gateway using UPnP.
So, what happens on the wire? The servicepoint has the address 192.168.1.1, the controlpoint 192.168.3.1 (I reformatted the messages).
Yesterday I came across http://honeytrap.sf.net, written by Tillmann Werner, and after digging into it a little, I think it's worth talking about.
honeytrap takes a slightly different approach to collecting malware than nepenthes: it monitors the interface's traffic with libpcap and uses a BPF filter to capture only TCP RST packets sent by the local host to a remote host.
RST means reset; in this case it is used to tell the remote host that there is no service listening on the port it tried to connect to.
Once such an RST packet is captured, honeytrap opens the port the remote host asked for, and subsequent connections to that port are accepted.
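As an added illustration (not honeytrap's own code), here is that detection rule in Python: parse an IPv4/TCP packet and treat an RST whose source is the local host as a request to start listening on that port, the same idea as a BPF filter of "src host <local> and tcp-rst". The addresses, ports and packets below are constructed for the demo.

```python
import struct
import ipaddress

TCP_RST = 0x04  # RST bit in the TCP flags byte

def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags):
    """Build a minimal IPv4 + TCP packet (no payload, checksums zeroed) for the demo."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return ip + tcp

def outgoing_rst_port(packet, local_ip):
    """Return (remote_ip, local_port) if packet is a TCP RST sent by local_ip, else None."""
    if len(packet) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 6:          # IPv4 carrying TCP only
        return None
    ihl = (ver_ihl & 0x0F) * 4                   # IP header length incl. options
    if len(packet) < ihl + 20:
        return None
    sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", packet[ihl:ihl + 14])
    if str(ipaddress.ip_address(src)) != local_ip or not flags & TCP_RST:
        return None
    return str(ipaddress.ip_address(dst)), sport

def dynamic_ports(packets, local_ip):
    """Collect the local ports a honeytrap-style listener would open, in order, without duplicates."""
    ports = []
    for pkt in packets:
        hit = outgoing_rst_port(pkt, local_ip)
        if hit and hit[1] not in ports:
            ports.append(hit[1])
    return ports

# Constructed sample traffic: local host 192.0.2.10, remote probe from 198.51.100.7.
LOCAL_IP = "192.0.2.10"
SAMPLE_PACKETS = [
    build_ipv4_tcp("198.51.100.7", LOCAL_IP, 40000, 10101, 0x02),  # SYN from remote: ignored
    build_ipv4_tcp(LOCAL_IP, "198.51.100.7", 10101, 40000, 0x14),  # RST+ACK from us: open 10101
    build_ipv4_tcp("198.51.100.7", LOCAL_IP, 40001, 10101, 0x04),  # RST from remote: ignored
    build_ipv4_tcp(LOCAL_IP, "198.51.100.7", 10101, 40002, 0x14),  # repeat: not added twice
    build_ipv4_tcp(LOCAL_IP, "198.51.100.7", 2222, 40003, 0x14),   # RST+ACK from us: open 2222
]

if __name__ == "__main__":
    print(dynamic_ports(SAMPLE_PACKETS, LOCAL_IP))
```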
Furthermore, honeytrap offers a so-called “mirror mode”: if an attacker connects to your honeytrap, honeytrap can connect back to the attacker on the same port and send the attacker everything the attacker sends it.
This way it is possible to emulate weaknesses without knowing about them, using the attacker's own weakness as a 'mirror'.
To be able to download malware, honeytrap offers a shell emulation similar to that of nepenthes and can download the files via TFTP and FTP too.
Really cool, you should give it a shot.
The similar nepenthes module, module-honeytrap, does not offer mirror mode yet, but allows accepting connections to unbound ports by intercepting the TCP handshake using ip_queue and libipq.
Maybe you've read the news about nepenthes on OpenWrt before. I mentioned that the installation was pretty fat, as I had to install libstdc++, and this single file is about 4 MB, while these dedicated Linux hardware routers have 8 MB of flash if you are lucky.
So I went on to compile nepenthes with uClibc++, which was an adventure of its own …
I was once told that men never grow up, their toys just get more expensive …
My latest eBay'd toy is a Linksys WRT54GS revision 1.1 (that's the revision with 32 MB RAM and 8 MB flash).
The first step after connecting it to the LAN was flashing it to run OpenWrt instead of the firmware shipped by the vendor.
There are two serious problems in 0.1.7 in handling MyDoom and Bagle connections; both will run the box out of memory.
That's why we recommend applying the patch; not loading the two modules would fix it too.
If you use prelude and wonder why it does not work, apply the shellcode-signatures yy* fn namespacing patch.
Some 'days' ago the deadline for the Honeynet Project alliance's bi-annual status reports was reached. As I think all reports are up now, or at least hope so, I spent some time reading them.
As there is no single page where you can read all the reports, this was pretty time-consuming; after reading half of the reports, I had the great idea of pasting together the parts of every report where we got mentioned.
After I had done 3/4 of all the pasting, my damn Firefox decided to die … and I had to do it again.
I hope the summary was worth the time; I had to reformat some parts.
If you want the list of all reports, it's below the summary.