carnivore news
http://carnivore.it/
2010-09-08T02:49:39+02:00carnivore news
http://carnivore.it/
http://carnivore.it/lib/images/favicon.icotext/html2010-09-06T21:11:41+02:00xlinked
http://carnivore.it/2010/09/06/xlinked
<div class="level2">
<p>
Some dionaea related articles worth looking at:
</p>
<ul>
<li class="level1"><div class="li"> <a href="https://www.os3.nl/2009-2010/students/kevin_de_kok/idsweek1b" class="urlextern" title="https://www.os3.nl/2009-2010/students/kevin_de_kok/idsweek1b" rel="nofollow">Week 1b (Applications)</a> - very detailed look at dionaea, using different fingerprinting software, touches kippo and honeyd as well.</div>
</li>
<li class="level1"><div class="li"> <a href="http://networkdefense.com.au/2010/08/10/dionaea-update-from-down-under/" class="urlextern" title="http://networkdefense.com.au/2010/08/10/dionaea-update-from-down-under/" rel="nofollow">Dionaea update from Down Under</a> - nice visuals, looking at it you feel urged to buy Microsoft Office and create all your graphs with Excel too.</div>
</li>
<li class="level1"><div class="li"> <a href="http://blog.moep.name/index.php?/archives/2-Detecting-malware-with-dionaea.html" class="urlextern" title="http://blog.moep.name/index.php?/archives/2-Detecting-malware-with-dionaea.html" rel="nofollow">Detecting malware with dionaea</a> - bonus points for explaining readlogsqltree, missed points on the incomplete vlan setup - dionaea part is missing, this might be very interesting for others.</div>
</li>
<li class="level1"><div class="li"> <a href="http://blog.infosanity.co.uk/2009/12/01/new-dionaea-statistics-script/" class="urlextern" title="http://blog.infosanity.co.uk/2009/12/01/new-dionaea-statistics-script/" rel="nofollow">Infosanity's dionaea statistics script</a> - a golden oldies, but being unsure if I linked it already, better be safe then sorry.</div>
</li>
<li class="level1"><div class="li"> <a href="http://lhs.loria.fr/index.php?option=com_content&view=article&id=94&Itemid=84" class="urlextern" title="http://lhs.loria.fr/index.php?option=com_content&view=article&id=94&Itemid=84" rel="nofollow">Network Security Monitoring Infrastructure</a> - some larger deployment, looks nice, unfortunately larger deployers never come up with issues, bugs anything.</div>
</li>
<li class="level1"><div class="li"> <a href="http://www.prowling.nu/" class="urlextern" title="http://www.prowling.nu/" rel="nofollow">OpenIDS is alive</a> - if you are interested in porting dionaea to OpenBSD, OpenIDS wants to distribute dionaea on OpenBSD.</div>
</li>
<li class="level1"><div class="li"> <a href="http://jbmoore61.blogspot.com/2010/08/dionaea-first-impressions.html" class="urlextern" title="http://jbmoore61.blogspot.com/2010/08/dionaea-first-impressions.html" rel="nofollow">dionaea first impressions</a> - he did not read the docs on sqlite, and not on logrotate, but there is useful information in the comments.</div>
</li>
</ul>
</div>
<p>
<small>
This blog post was created on 2010-09-06 at 21:11 and last modified on 2010-09-06 at 21:11 by
Markus.
</small>
</p>
text/html2010-08-27T15:13:47+02:00Attacks on MSSQL
http://carnivore.it/2010/08/27/attacks_on_mssql
<div class="level2">
<p>
Even though I'm not the only <a href="http://www.securelist.com/en/blog/292/Who_needs_my_SQL_server" class="urlextern" title="http://www.securelist.com/en/blog/292/Who_needs_my_SQL_server" rel="nofollow">reporting attacks on MSSQL</a>, I've had no <em>shiny</em> attacks addressing <a href="http://carnivore.it/2010/08/25/gsoc_2010" class="wikilink1" title="2010:08:25:gsoc_2010">the brand new mssql code for dionaea</a> yet, I think due to protocol bugs. But I've had some nfq gathered bistreams which could be replayed to the mssql service.
</p>
<p>
The bistream replayed was collected on 2010-08-09 and was <em>contributed</em> by 182.236.160.29 to my port 1433/tcp. I choose this bistream for its size, which is 245625bytes, and the largest bistream I captured for mssql.
</p>
<p>
After resolving some issues, I was able to dump the commands send to the database into a text file.
</div>
<div class="level2">
<p>
<span class="curid"><a href="http://carnivore.it/2010/08/27/attacks_on_mssql#readmore_2010_08_27_attacks_on_mssql" class="wikilink1" title="2010:08:27:attacks_on_mssql">Read more…</a></span>
</p>
</div>
<p>
<small>
This blog post was created on 2010-08-27 at 15:13 and last modified on 2010-08-27 at 15:14 by
Markus.
It is tagged with <a href="http://carnivore.it/?btng[post][tags]=dionaea" class="tag">dionaea</a>, <a href="http://carnivore.it/?btng[post][tags]=mssql" class="tag">mssql</a>.
</small>
</p>
text/html2010-08-25T15:05:26+02:00GSoC 2010
http://carnivore.it/2010/08/25/gsoc_2010
<div class="level2">
<p>
Within the umbrella of <a href="http://www.honeynet.org" class="urlextern" title="http://www.honeynet.org" rel="nofollow">The Honeynet Project</a> I've had two students working on dionaea as a GSoC2010 project this year.
The projects were:
</p>
<ul>
<li class="level1"><div class="li"> a basic SIP stack for dionaea</div>
</li>
<li class="level1"><div class="li"> improvements on the current SMB stack</div>
</li>
</ul>
</div>
<!-- SECTION "GSoC 2010" [11-276] -->
<h3><a name="dionaea_-_smb" id="dionaea_-_smb">dionaea - SMB</a></h3>
<div class="level3">
<p>
For today, let's focus on the SMB stack improvements.<br/>
</div>
<div class="level2">
<p>
<span class="curid"><a href="http://carnivore.it/2010/08/25/gsoc_2010#readmore_2010_08_25_gsoc_2010" class="wikilink1" title="2010:08:25:gsoc_2010">Read more…</a></span>
</p>
</div>
<p>
<small>
This blog post was created on 2010-08-25 at 15:05 and last modified on 2010-08-25 at 15:06 by
Markus.
It is tagged with <a href="http://carnivore.it/?btng[post][tags]=dionaea" class="tag">dionaea</a>, <a href="http://carnivore.it/?btng[post][tags]=gsoc" class="tag">gsoc</a>, <a href="http://carnivore.it/?btng[post][tags]=mssql" class="tag">mssql</a>, <a href="http://carnivore.it/?btng[post][tags]=smb" class="tag">smb</a>.
</small>
</p>
text/html2010-08-20T11:00:24+02:00STUN_CLI_FIREWALLPING
http://carnivore.it/2010/08/20/stun_cli_firewallping
<div class="level2">
<p>
As <a href="http://carnivore.it/2010/08/06/nfq_fun#akamai_-_rsp10" class="wikilink1" title="2010:08:06:nfq_fun">mentioned earlier</a>, <em>I can see strange packets</em>.<br/>
And I'm looking for others who share this phenomenon.
</p>
<p>
The content of this strange packets is this:
</p>
<pre class="code">
RSP/1.0 STUN_CLI_FIREWALLPING
aguid:f8923c21083c4bb69e462f8ace0e6e0d
</pre>
<p>
</div>
<div class="level2">
<p>
<span class="curid"><a href="http://carnivore.it/2010/08/20/stun_cli_firewallping#readmore_2010_08_20_stun_cli_firewallping" class="wikilink1" title="2010:08:20:stun_cli_firewallping">Read more…</a></span>
</p>
</div>
<p>
<small>
This blog post was created on 2010-08-20 at 11:00 and last modified on 2010-08-20 at 11:03 by
Markus.
</small>
</p>
text/html2010-08-19T10:32:05+02:00Metasploit Fingerprinting
http://carnivore.it/2010/08/19/metasploit_os_fingerprinting_via_smb
<div class="level2">
<p>
<em> This article was written by <a href="http://g3nto.blogspot.com/" class="urlextern" title="http://g3nto.blogspot.com/" rel="nofollow">Tan Kean Siong</a> during his gsoc2010 project - improving dionaeas smb stack - I just fixed some typos and formatted it - Markus </em>
</p>
<p>
The Metasploit Framework is one of the most popular open source penetration testing framework with the world's largest database of public, tested exploits. Metasploit was created in 2003 using the <acronym title="Practical Extraction and Report Language">Perl</acronym> scripting language, lateron the framework was rewritten in the Ruby programming language.<br/>
The usage of the framework is user-friendly and the exploitation can be done by the workflow of:
</p>
<ul>
<li class="level1"><div class="li"> choosing the exploit</div>
</li>
<li class="level1"><div class="li"> configuring the payload </div>
</li>
<li class="level1"><div class="li"> execute the exploit. </div>
</li>
</ul>
<p>
This modularity, allowing all combinations of any exploit with any payload is the major advantage of the Framework. It facilitates the tasks of attackers, exploit writers, and payload writers, thus it emerge as the de facto vulnerability development framework in these days.
</p>
<p>
During the exploitation process, it is often required to know the exact version of the target’s operating system. Often exploits need to be customized to adapt to the particular <acronym title="Operating System">OS</acronym> environment, therefore knowing the remote operating system increase success rate of the attack.
Metasploit has includes comprehensive <acronym title="Operating System">OS</acronym> fingerprinting support for the Microsoft Windows operating system.
Metasploit can retrieve:
</p>
<ul>
<li class="level1"><div class="li"> the version of the operating system</div>
</li>
<li class="level1"><div class="li"> version of the service pack</div>
</li>
<li class="level1"><div class="li"> and the installed network services. </div>
</li>
</ul>
<p>
Dionaea need to support these fingerprinting method, as malware may adapt this remote version fingerprinting in the future.
</div>
<div class="level2">
<p>
<span class="curid"><a href="http://carnivore.it/2010/08/19/metasploit_os_fingerprinting_via_smb#readmore_2010_08_19_metasploit_os_fingerprinting_via_smb" class="wikilink1" title="2010:08:19:metasploit_os_fingerprinting_via_smb">Read more…</a></span>
</p>
</div>
<p>
<small>
This blog post was created on 2010-08-19 at 10:32 by
Markus.
It is tagged with <a href="http://carnivore.it/?btng[post][tags]=dionaea" class="tag">dionaea</a>, <a href="http://carnivore.it/?btng[post][tags]=metasploit" class="tag">metasploit</a>, <a href="http://carnivore.it/?btng[post][tags]=smb" class="tag">smb</a>.
</small>
</p>
text/html2010-08-06T22:40:01+02:00nfq fun
http://carnivore.it/2010/08/06/nfq_fun
<div class="level2">
<p>
As early adaptor I currently enjoy the nfq module for dionaea.
</div>
<div class="level2">
<p>
<span class="curid"><a href="http://carnivore.it/2010/08/06/nfq_fun#readmore_2010_08_06_nfq_fun" class="wikilink1" title="2010:08:06:nfq_fun">Read more…</a></span>
</p>
</div>
<p>
<small>
This blog post was created on 2010-08-06 at 22:40 and last modified on 2010-08-06 at 22:42 by
Markus.
It is tagged with <a href="http://carnivore.it/?btng[post][tags]=dionaea" class="tag">dionaea</a>, <a href="http://carnivore.it/?btng[post][tags]=iptables" class="tag">iptables</a>, <a href="http://carnivore.it/?btng[post][tags]=mssql" class="tag">mssql</a>, <a href="http://carnivore.it/?btng[post][tags]=nfq" class="tag">nfq</a>, <a href="http://carnivore.it/?btng[post][tags]=remotedesktop" class="tag">remotedesktop</a>, <a href="http://carnivore.it/?btng[post][tags]=rsp" class="tag">rsp</a>, <a href="http://carnivore.it/?btng[post][tags]=symantec" class="tag">symantec</a>.
</small>
</p>
text/html2010-07-30T20:31:59+02:00getting over dect
http://carnivore.it/2010/07/30/getting_over_dect
<div class="level2">
<p>
I noticed my account balance for my voip provider to drop by ~10€ during the last 3 days, even though I did not make that much calls. So I had a look on the list of outgoing calls, which is stored by the provider. The list showed me lots of phone numbers I did not know.<br/>
Looking at the list of connected phones to my account, there were only the phones I used myself, a Grandstream GXP 2000 and a Siemens Gigaset C450 IP DECT phone.
So it was rather obvious somebody else was connected to the base station of my C450 DECT phone, making calls on my costs.
</p>
<p>
<em>If the laws would have permitted it, I might have setup tcpdump on the gate, capturing all traffic from and to the C450 base station.</em>
</p>
<p>
I wanted this person to pay for his calls, so my first step was looking at the numbers he called, by comparing the numbers with numbers from my own phone book, this was really time consuming, and in the end he owned more than 95% of all calls.
</p>
<p>
I noticed a lengthy call to a number which was known by google, and associated with a sex toy shops telephone order service, and lots of calls to a single mobile number.
</p>
<p>
<em>If the laws would have permitted it, I'd have copied the pcap file from the router to a desktop with wireshark installed, and using wiresharks great VoIP replay, the conversation could have revealed the unknown person using my base station ordered drugs for 30€, the drug dealer complained about the bad quality, where the unknown replied he was using a wifi-phone.</em>
</p>
<p>
I tried to 'call myself', hoping his phone would ring too, so I could talk to him about his phone being connected to my base station, but nobody accepted the call.
So, I decided to call the most often called number, using my mobile.
This number turned out to be the unknowns girlfriend, who got really cooperative when I mentioned <em>the police</em>, she turned over her boyfriends address.
</p>
<p>
Some minutes after the call, the unknown <em>tried</em> to call me on my mobile, but he dialed the wrong number.
</p>
<p>
<em>If the laws would have permitted it, I'd have listend to this call by using wireshark on the pcap. Somebody calling an unknown, telling a story about his girlfriend calling him, claiming she was called by an unknown who said somebody who called he was using his phone, while the called always said he did not know anything about 'phone' but could get his own girlfriend on the phone. It would have been a hilarious dialogue.</em>
</p>
<p>
So, having his address, and the amount he owed me, I decided to give the unknown a visit.<br/>
He was expecting me, and even tipped me for my time spent on this.<br/>
The phone he used was a <em>Fritz!Fon MT-F</em>, which connected to my base station right after one turned it on.
</p>
<p>
After making sure there is no way to see the associated handsets on my C450 IP base station, I decided to get over DECT, turning the base station off.
</p>
</div>
<p>
<small>
This blog post was created on 2010-07-30 at 20:31 by
Markus.
It is tagged with <a href="http://carnivore.it/?btng[post][tags]=dect" class="tag">dect</a>.
</small>
</p>
text/html2010-07-22T01:21:18+02:00python - getifaddrs
http://carnivore.it/2010/07/22/python_-_getifaddrs
<div class="level2">
<p>
For whatever reason python lacks a binding for <a href="http://www.kernel.org/doc/man-pages/online/pages/man3/getifaddrs.3.html" class="urlextern" title="http://www.kernel.org/doc/man-pages/online/pages/man3/getifaddrs.3.html" rel="nofollow">getifaddrs</a>. For dionaea I created the binding myself, but the code can not be used without dionaea, and I don't like having to install additional bindings to get some basic functionality.<br/>
Therefore, I decided to create the functionality provided by the dionaea getifaddrs binding using python ctypes, easy to <em>install</em>, no compiling, copy&paste does the trick.
</p>
<p>
The code works with python2/3, Linux works, Darwin/OSX may work, Windows? good question.<br/>
</div>
<div class="level2">
<p>
<span class="curid"><a href="http://carnivore.it/2010/07/22/python_-_getifaddrs#readmore_2010_07_22_python_-_getifaddrs" class="wikilink1" title="2010:07:22:python_-_getifaddrs">Read more…</a></span>
</p>
</div>
<p>
<small>
This blog post was created on 2010-07-22 at 01:21 by
Markus.
It is tagged with <a href="http://carnivore.it/?btng[post][tags]=ctypes" class="tag">ctypes</a>, <a href="http://carnivore.it/?btng[post][tags]=python3" class="tag">python3</a>.
</small>
</p>
text/html2010-07-03T15:15:04+02:00git-daemon logfile processing
http://carnivore.it/2010/07/03/git-daemon_logfile_processing
<div class="level2">
<p>
<a href="http://carnivore.it/_detail/2010/07/03/dionaea-git.png?id=2010%3A07%3A03%3Agit-daemon_logfile_processing" class="media" title="2010:07:03:dionaea-git.png"><img src="http://carnivore.it/_media/2010/07/03/dionaea-git.png" class="media" title="dionaea git useage" alt="dionaea git useage" /></a><br/>
<em>the git-daemon activity for the dionaea.git repository, pull and uniq hosts/day, basically 5-10 users update their software daily.</em>
</p>
<p>
Often the most complex part in data visualization is the processing before you can provide the data in a format your visualization software understands.<br/>
I choose the git-daemon logs as an example of such an case.<br/>
One could have used sshd logs as an example too, but I choose this, as I'm pretty sure there is no parser for the git-daemon logfiles.
In doubt, I'm pretty confident, one could adjust this git-daemon parser to deal with sshd too.
</p>
<p>
</div>
<div class="level2">
<p>
<span class="curid"><a href="http://carnivore.it/2010/07/03/git-daemon_logfile_processing#readmore_2010_07_03_git-daemon_logfile_processing" class="wikilink1" title="2010:07:03:git-daemon_logfile_processing">Read more…</a></span>
</p>
</div>
<p>
<small>
This blog post was created on 2010-07-03 at 15:15 by
Markus.
It is tagged with <a href="http://carnivore.it/?btng[post][tags]=dataviz" class="tag">dataviz</a>, <a href="http://carnivore.it/?btng[post][tags]=gnuplot" class="tag">gnuplot</a>, <a href="http://carnivore.it/?btng[post][tags]=python3" class="tag">python3</a>, <a href="http://carnivore.it/?btng[post][tags]=sqlite" class="tag">sqlite</a>.
</small>
</p>
text/html2010-07-01T14:09:09+02:00research.microsoft.com - MSS of 536 bytes
http://carnivore.it/2010/07/01/research.microsoft.com_-_mss_of_536_bytes
<div class="level2">
<p>
A friend of mine recently tried to visit <a href="http://research.microsoft.com" class="urlextern" title="http://research.microsoft.com" rel="nofollow">research.microsoft.com</a>, he was unable to.
He spent some time on it, and came up with the following scenario:
</p>
<ul>
<li class="level1"><div class="li"> linux router with pmtu clamping</div>
<ul>
<li class="level2"><div class="li"> linux client does not work</div>
</li>
<li class="level2"><div class="li"> windows client works</div>
</li>
</ul>
</li>
</ul>
<ul>
<li class="level1"><div class="li"> linux router with conditional pmtu clamping (if the mss is within 1400:1536)</div>
<ul>
<li class="level2"><div class="li"> linux client works</div>
</li>
<li class="level2"><div class="li"> windows client works</div>
</li>
</ul>
</li>
</ul>
<p>
I could reproduce this myself, for my setup <a href="http://research.microsoft.com" class="urlextern" title="http://research.microsoft.com" rel="nofollow">research.microsoft.com</a> did not work too, but I felt I would not loose too much anyway.
</p>
<p>
After some time he provided some pcap dumps for all possible combinations and scenarios, so I felt guilty and finally gave it a shot.
</p>
<p>
So what is wrong with <a href="http://research.microsoft.com" class="urlextern" title="http://research.microsoft.com" rel="nofollow">research.microsoft.com</a>?
</p>
<p>
</div>
<div class="level2">
<p>
<span class="curid"><a href="http://carnivore.it/2010/07/01/research.microsoft.com_-_mss_of_536_bytes#readmore_2010_07_01_researchmicrosoftcom_-_mss_of_536_bytes" class="wikilink1" title="2010:07:01:research.microsoft.com_-_mss_of_536_bytes">Read more…</a></span>
</p>
</div>
<p>
<small>
This blog post was created on 2010-07-01 at 14:09 and last modified on 2010-07-01 at 14:18 by
Markus.
It is tagged with <a href="http://carnivore.it/?btng[post][tags]=icmp" class="tag">icmp</a>, <a href="http://carnivore.it/?btng[post][tags]=microsoft" class="tag">microsoft</a>, <a href="http://carnivore.it/?btng[post][tags]=mss" class="tag">mss</a>, <a href="http://carnivore.it/?btng[post][tags]=pmtu" class="tag">pmtu</a>.
</small>
</p>
text/html2010-06-30T09:24:18+02:00metasploitable
http://carnivore.it/2010/06/30/metasploitable
<div class="level2">
<p>
Current dionaea trunk is metasploitable.
</p>
<p>
Getting this working was pretty nasty:
</p>
<ul>
<li class="level1"><div class="li"> metasploit tries to authenticate using GSS-<acronym title="Application Programming Interface">API</acronym></div>
<ul>
<li class="level2"><div class="li"> GSS-<acronym title="Application Programming Interface">API</acronym> requires ASN1 and embedds SPNEGO</div>
<ul>
<li class="level3"><div class="li"> SPNEGO requires ASN1 parsing, and embedds NTLMSSP</div>
</li>
</ul>
</li>
</ul>
</li>
</ul>
<p>
</div>
<div class="level2">
<p>
<span class="curid"><a href="http://carnivore.it/2010/06/30/metasploitable#readmore_2010_06_30_metasploitable" class="wikilink1" title="2010:06:30:metasploitable">Read more…</a></span>
</p>
</div>
<p>
<small>
This blog post was created on 2010-06-30 at 09:24 and last modified on 2010-06-30 at 16:13 by
Markus.
It is tagged with <a href="http://carnivore.it/?btng[post][tags]=dionaea" class="tag">dionaea</a>, <a href="http://carnivore.it/?btng[post][tags]=gss-api" class="tag">gss-api</a>, <a href="http://carnivore.it/?btng[post][tags]=metasploit" class="tag">metasploit</a>, <a href="http://carnivore.it/?btng[post][tags]=ntlm" class="tag">ntlm</a>, <a href="http://carnivore.it/?btng[post][tags]=spnego" class="tag">spnego</a>.
</small>
</p>
text/html2010-06-28T10:34:32+02:00smb bugs
http://carnivore.it/2010/06/28/smb_bugs
<div class="level2">
<p>
While messing with the protocol, I found 2 bugs in smb client implementations, nothing fancy, but I really appreciate buggy implementations of this protocol, therefore …
</div>
<div class="level2">
<p>
<span class="curid"><a href="http://carnivore.it/2010/06/28/smb_bugs#readmore_2010_06_28_smb_bugs" class="wikilink1" title="2010:06:28:smb_bugs">Read more…</a></span>
</p>
</div>
<p>
<small>
This blog post was created on 2010-06-28 at 10:34 and last modified on 2010-06-28 at 16:56 by
Markus.
It is tagged with <a href="http://carnivore.it/?btng[post][tags]=metasploit" class="tag">metasploit</a>, <a href="http://carnivore.it/?btng[post][tags]=nmap" class="tag">nmap</a>, <a href="http://carnivore.it/?btng[post][tags]=smb" class="tag">smb</a>.
</small>
</p>
text/html2010-06-20T12:12:48+02:00the story of 7867de...3e33e7
http://carnivore.it/2010/06/19/the_story_of_7867de...3e33e7
<div class="level2">
</div>
<!-- SECTION "the story of 7867de...3e33e7" [11-54] -->
<h3><a name="getting_the_file" id="getting_the_file">getting the file</a></h3>
<div class="level3">
<p>
Some days ago I pushed some code to store files which get uploaded via smb file sharing to dionaea.<br/>
Yesterday I merged some beautified dce rpc code which was written by Tan Kean Siong during his gsoc 2010 dionaea-project.<br/>
Today, I got some captures which may provide some assistance when looking at dionaea log files.<br/>
</div>
<div class="level2">
<p>
<span class="curid"><a href="http://carnivore.it/2010/06/19/the_story_of_7867de...3e33e7#readmore_2010_06_19_the_story_of_7867de3e33e7" class="wikilink1" title="2010:06:19:the_story_of_7867de...3e33e7">Read more…</a></span>
</p>
</div>
<p>
<small>
This blog post was created on 2010-06-20 at 12:12 and last modified on 2010-06-20 at 12:14 by
Markus.
It is tagged with <a href="http://carnivore.it/?btng[post][tags]=dionaea" class="tag">dionaea</a>, <a href="http://carnivore.it/?btng[post][tags]=gsoc2010" class="tag">gsoc2010</a>, <a href="http://carnivore.it/?btng[post][tags]=smb" class="tag">smb</a>.
</small>
</p>
text/html2010-06-17T09:41:10+02:00Netware SMB Remote Stack Overflow
http://carnivore.it/2010/06/17/netware_smb_remote_stack_overflow
<div class="level2">
<p>
I just had a look on the Novell Netware exploit published by Laurent Gaffié, and I'm glad other people have problems parsing smb correctly too.
Contrary to other exploit - addressing Microsofts SMB stack - this one exploits a parsing bug instead of a DCE Remote Procedure Call.
</div>
<div class="level2">
<p>
<span class="curid"><a href="http://carnivore.it/2010/06/17/netware_smb_remote_stack_overflow#readmore_2010_06_17_netware_smb_remote_stack_overflow" class="wikilink1" title="2010:06:17:netware_smb_remote_stack_overflow">Read more…</a></span>
</p>
</div>
<p>
<small>
This blog post was created on 2010-06-17 at 09:41 and last modified on 2010-06-17 at 22:28 by
Markus.
It is tagged with <a href="http://carnivore.it/?btng[post][tags]=dionaea" class="tag">dionaea</a>, <a href="http://carnivore.it/?btng[post][tags]=netware" class="tag">netware</a>, <a href="http://carnivore.it/?btng[post][tags]=smb" class="tag">smb</a>.
</small>
</p>
text/html2010-06-12T19:35:05+02:00python3 - ctypes
http://carnivore.it/2010/06/12/python3_-_ctypes
<div class="level2">
</div>
<!-- SECTION "python3 - ctypes" [1-32] -->
<h3><a name="ctypes" id="ctypes">ctypes</a></h3>
<div class="level3">
<p>
If you want to use a native library in python, but there is no binding, you can 'try' to interface the library with ctypes.
</p>
<p>
As I wanted to play with bpf, which is part of libpcap, which lacks a python3 binding, I decided to try ctypes.
</p>
<p>
What I wanted to do:
</p>
<ul>
<li class="level1"><div class="li"> compile a bpf filter like <em>dst port 445 and src net 127.0.0.0/8</em></div>
</li>
<li class="level1"><div class="li"> match the bpf filter on a buffer</div>
</li>
</ul>
<p>
</div>
<div class="level2">
<p>
<span class="curid"><a href="http://carnivore.it/2010/06/12/python3_-_ctypes#readmore_2010_06_12_python3_-_ctypes" class="wikilink1" title="2010:06:12:python3_-_ctypes">Read more…</a></span>
</p>
</div>
<p>
<small>
This blog post was created on 2010-06-12 at 19:35 and last modified on 2010-06-15 at 03:13 by
Markus.
It is tagged with <a href="http://carnivore.it/?btng[post][tags]=bpf" class="tag">bpf</a>, <a href="http://carnivore.it/?btng[post][tags]=ctypes" class="tag">ctypes</a>, <a href="http://carnivore.it/?btng[post][tags]=pcap" class="tag">pcap</a>, <a href="http://carnivore.it/?btng[post][tags]=python3" class="tag">python3</a>, <a href="http://carnivore.it/?btng[post][tags]=sqlite" class="tag">sqlite</a>.
</small>
</p>
text/html2010-06-11T11:14:40+02:00data visualisation - afterglow
http://carnivore.it/2010/06/11/data_visualisation_-_afterglow
<div class="level2">
<p>
We will create images showing the correlation of attacker-host, vulnerability, malware.<br/>
Basically, image will look like this:<br/>
<a href="http://carnivore.it/_detail/2010/06/11/afterglow-malware-hosts-small.png?id=2010%3A06%3A11%3Adata_visualisation_-_afterglow" class="media" title="2010:06:11:afterglow-malware-hosts-small.png"><img src="http://carnivore.it/_media/2010/06/11/afterglow-malware-hosts-small.png" class="media" title="small version of an afterglow picture" alt="small version of an afterglow picture" /></a><br/>
<em> I had to cheat to get the image to a valid size … </em>
</div>
<div class="level2">
<p>
<span class="curid"><a href="http://carnivore.it/2010/06/11/data_visualisation_-_afterglow#readmore_2010_06_11_data_visualisation_-_afterglow" class="wikilink1" title="2010:06:11:data_visualisation_-_afterglow">Read more…</a></span>
</p>
</div>
<p>
<small>
This blog post was created on 2010-06-11 at 11:14 and last modified on 2010-06-15 at 01:00 by
Markus.
It is tagged with <a href="http://carnivore.it/?btng[post][tags]=afterglow" class="tag">afterglow</a>, <a href="http://carnivore.it/?btng[post][tags]=dataviz" class="tag">dataviz</a>, <a href="http://carnivore.it/?btng[post][tags]=dionaea" class="tag">dionaea</a>, <a href="http://carnivore.it/?btng[post][tags]=sqlite" class="tag">sqlite</a>.
</small>
</p>
text/html2010-06-06T14:06:33+02:00dnsbl test
http://carnivore.it/2010/06/06/dnsbl_test
<div class="level2">
<p>
Given the rumor infected windows boxes send spam, I wanted to check how many ips attacking my honeypot are blacklisted on <em>several</em> dnsbls. I used <a href="http://www.dnsbl.info/dnsbl-list.php" class="urlextern" title="http://www.dnsbl.info/dnsbl-list.php" rel="nofollow">this list for the dnsbls</a> and wrote some script to query all of them for the last 1000 hosts which addressed my honeypot.
</p>
<p>
</div>
<div class="level2">
<p>
<span class="curid"><a href="http://carnivore.it/2010/06/06/dnsbl_test#readmore_2010_06_06_dnsbl_test" class="wikilink1" title="2010:06:06:dnsbl_test">Read more…</a></span>
</p>
</div>
<p>
<small>
This blog post was created on 2010-06-06 at 14:06 and last modified on 2010-06-15 at 01:00 by
Markus.
It is tagged with <a href="http://carnivore.it/?btng[post][tags]=dionaea" class="tag">dionaea</a>, <a href="http://carnivore.it/?btng[post][tags]=dnsbl" class="tag">dnsbl</a>.
</small>
</p>
text/html2010-06-06T13:25:39+02:00data visualisation
http://carnivore.it/2010/06/06/data_visualisation
<div class="level2">
<p>
<a href="http://carnivore.it/_detail/2010/06/06/newfiles.png?id=2010%3A06%3A06%3Adata_visualisation" class="media" title="2010:06:06:newfiles.png"><img src="http://carnivore.it/_media/2010/06/06/newfiles.png" class="media" title="new files" alt="new files" /></a><br/>
<em>Presenting data in a human compatible way is a problem, rumors say at this stage of evolution pictures work best.</em> <br/>
Therefore some hints how to create graphs using the dionaea logsql sqlite database.
</div>
<div class="level2">
<p>
<span class="curid"><a href="http://carnivore.it/2010/06/06/data_visualisation#readmore_2010_06_06_data_visualisation" class="wikilink1" title="2010:06:06:data_visualisation">Read more…</a></span>
</p>
</div>
<p>
<small>
This blog post was created on 2010-06-06 at 13:25 and last modified on 2010-06-15 at 01:00 by
Markus.
It is tagged with <a href="http://carnivore.it/?btng[post][tags]=dataviz" class="tag">dataviz</a>, <a href="http://carnivore.it/?btng[post][tags]=dionaea" class="tag">dionaea</a>, <a href="http://carnivore.it/?btng[post][tags]=gnuplot" class="tag">gnuplot</a>, <a href="http://carnivore.it/?btng[post][tags]=sqlite" class="tag">sqlite</a>.
</small>
</p>
text/html2010-05-27T15:37:50+02:00batteries included
http://carnivore.it/2010/05/27/batteries_included
<div class="level2">
<p>
<a href="http://carnivore.it/_detail/2010/05/27/batteries.png?id=2010%3A05%3A27%3Abatteries_included" class="media" title="2010:05:27:batteries.png"><img src="http://carnivore.it/_media/2010/05/27/batteries.png" class="media" title="batteries from type 'included'" alt="batteries from type 'included'" /></a><br/>
</p>
<p>
<em>Fans of Python use the phrase “batteries included” to describe the standard library, which covers everything from asynchronous processing to zip files.</em> <br/>
Source: <a href="http://www.python.org/about/" class="urlextern" title="http://www.python.org/about/" rel="nofollow">python.org/about/</a>
</div>
<div class="level2">
<p>
<span class="curid"><a href="http://carnivore.it/2010/05/27/batteries_included#readmore_2010_05_27_batteries_included" class="wikilink1" title="2010:05:27:batteries_included">Read more…</a></span>
</p>
</div>
<p>
<small>
This blog post was created on 2010-05-27 at 15:37 and last modified on 2010-06-15 at 01:01 by
Markus.
It is tagged with <a href="http://carnivore.it/?btng[post][tags]=python" class="tag">python</a>, <a href="http://carnivore.it/?btng[post][tags]=python3" class="tag">python3</a>.
</small>
</p>
text/html2010-05-18T19:55:34+02:00debianization
http://carnivore.it/2010/05/18/debianization
<div class="level2">
<p>
Installing software using apt is convenient, compiling software using pbuilder allows creating packages apt can install - without having to install the dependencies required to compile the software yourself.
</p>
<p>
Therefore, some notices how to create debian packages for dionaea, including the libev, libemu and liblcfg dependencies.
</p>
<p>
This doc refers to Ubuntu >= 9.04 (karmic), of course it should be possible to use this on any debian plattform, but the effort may be slightly higher, as you'll have to backport some more packages (at least python3 and cython).
</p>
<p>
Backporting packages is rather easy, we'll backport libev 3.9 from Debian Unstable here.
</div>
<div class="level2">
<p>
<span class="curid"><a href="http://carnivore.it/2010/05/18/debianization#readmore_2010_05_18_debianization" class="wikilink1" title="2010:05:18:debianization">Read more…</a></span>
</p>
</div>
<p>
<small>
This blog post was created on 2010-05-18 at 19:55 and last modified on 2010-06-15 at 01:01 by
Markus.
It is tagged with <a href="http://carnivore.it/?btng[post][tags]=dionaea" class="tag">dionaea</a>, <a href="http://carnivore.it/?btng[post][tags]=pbuilder" class="tag">pbuilder</a>.
</small>
</p>