I noticed my account balance for my VoIP provider drop by ~10€ during the last 3 days, even though I did not make that many calls. So I had a look at the list of outgoing calls, which is stored by the provider. The list showed me lots of phone numbers I did not know.
Looking at the list of phones connected to my account, there were only the phones I used myself, a Grandstream GXP 2000 and a Siemens Gigaset C450 IP DECT phone.
So it was rather obvious somebody else was connected to the base station of my C450 DECT phone, making calls at my expense.
If the laws had permitted it, I might have set up tcpdump on the gateway, capturing all traffic from and to the C450 base station.
I wanted this person to pay for his calls, so my first step was looking at the numbers he called, by comparing them with the numbers from my own phone book. This was really time consuming, and in the end he owned more than 95% of all calls.
I noticed a lengthy call to a number which was known to Google and associated with a sex toy shop's telephone order service, and lots of calls to a single mobile number.
If the laws had permitted it, I'd have copied the pcap file from the router to a desktop with Wireshark installed, and using Wireshark's great VoIP replay, the conversation could have revealed that the unknown person using my base station ordered drugs for 30€, the drug dealer complained about the bad quality, and the unknown replied he was using a wifi phone.
I tried to 'call myself', hoping his phone would ring too, so I could talk to him about his phone being connected to my base station, but nobody accepted the call. So I decided to call the most often called number, using my mobile. This number turned out to be the unknown's girlfriend, who got really cooperative when I mentioned the police; she turned over her boyfriend's address.
Some minutes after the call, the unknown tried to call me on my mobile, but he dialed the wrong number.
If the laws had permitted it, I'd have listened to this call by using Wireshark on the pcap. Somebody calling an unknown, telling a story about his girlfriend calling him, claiming she was called by an unknown who said somebody who called him was using his phone, while the called party always said he did not know anything about a 'phone' but could get his own girlfriend on the phone. It would have been a hilarious dialogue.
So, having his address, and the amount he owed me, I decided to give the unknown a visit.
He was expecting me, and even tipped me for my time spent on this.
The phone he used was a Fritz!Fon MT-F, which connected to my base station right after one turned it on.
After making sure there is no way to see the associated handsets on my C450 IP base station, I decided to give up on DECT, turning the base station off.
For whatever reason Python lacks a binding for getifaddrs. For dionaea I created the binding myself, but the code cannot be used without dionaea, and I don't like having to install additional bindings to get some basic functionality.
Therefore, I decided to recreate the functionality provided by the dionaea getifaddrs binding using Python ctypes: easy to install, no compiling, copy&paste does the trick.
The code works with Python 2/3; Linux works, Darwin/OSX may work, Windows? Good question.

Figure: the git-daemon activity for the dionaea.git repository, pulls and unique hosts per day; basically 5-10 users update their software daily.
Often the most complex part in data visualization is the processing before you can provide the data in a format your visualization software understands.
I chose the git-daemon logs as an example of such a case.
One could have used sshd logs as an example too, but I chose this, as I'm pretty sure there is no parser for the git-daemon logfiles.
If in doubt, I'm pretty confident one could adjust this git-daemon parser to deal with sshd too.
A friend of mine recently tried to visit research.microsoft.com, he was unable to. He spent some time on it, and came up with the following scenario:
I could reproduce this myself; with my setup research.microsoft.com did not work either, but I felt I would not lose too much anyway.
After some time he provided some pcap dumps for all possible combinations and scenarios, so I felt guilty and finally gave it a shot.
So what is wrong with research.microsoft.com?
Current dionaea trunk is metasploitable.
Getting this working was pretty nasty:
While messing with the protocol, I found 2 bugs in SMB client implementations, nothing fancy, but I really appreciate buggy implementations of this protocol, therefore …
Some days ago I pushed some code to dionaea to store files which get uploaded via SMB file sharing.
Yesterday I merged some beautified DCE RPC code which was written by Tan Kean Siong during his GSoC 2010 dionaea project.
Today, I got some captures which may provide some assistance when looking at dionaea log files.
I just had a look at the Novell Netware exploit published by Laurent Gaffié, and I'm glad other people have problems parsing SMB correctly too. Contrary to other exploits addressing Microsoft's SMB stack, this one exploits a parsing bug instead of a DCE Remote Procedure Call.
If you want to use a native library in Python, but there is no binding, you can 'try' to interface the library with ctypes.
As I wanted to play with BPF, which is part of libpcap, which lacks a Python 3 binding, I decided to try ctypes.
What I wanted to do:
Given the rumor that infected Windows boxes send spam, I wanted to check how many IPs attacking my honeypot are blacklisted on several DNSBLs. I used this list of DNSBLs and wrote a script to query all of them for the last 1000 hosts which addressed my honeypot.