dionaea emulates MS10-061

MS10-061 allows uploading a file to a remote computer via the printer service (spoolss); the spool service is then used to write an 'at command' job for the AT service, which runs the job at a later time, i.e. executes the uploaded file.

While it is not perfect yet, it basically works.
What's missing for metasploit:

  • the WritePrinter piped ATSVC command is lost
  • the piped NetShareEnum Trans command is lost - you have to set PNAME in metasploit

But, in the end, we already get the file, which is a good start.

Thanks to Tan Kean Siong for his contribution.

Below you can see what such an attack currently looks like using readlogsqltree:

2010-09-26 20:53:37
  connection 25889 smbd tcp accept ::ffff:127.0.0.1:445 <- ::ffff:127.0.0.1:45470 (25889 None)
   dcerpc bind: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '14d8483f-8f73-fc08-3b1b-c15070355ffe' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '24b9a895-d259-b5d6-7f1c-e0196c35cb12' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '2559f952-03e3-f9b2-662b-4e6f4fbfa993' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '2815b485-8bcc-cbc6-a45c-1cca0bc8a928' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '5877c11c-b7d6-92ac-b8e6-4a016a66d521' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '8c5c0212-2c8b-e9de-8889-19b94be5063e' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'c186c5da-bfeb-d0a3-8751-e8e50eea0004' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'cc3824ba-b733-5994-5aab-186390e18f3e' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'd0e857b9-7929-9ab0-d61b-6f64c1543512' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'e89a99e6-2782-7bc4-3fe6-1d3d1dcf4b5f' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'faf39128-da8f-234f-a9f4-9d466e2f6fc3' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'fd6e11c8-d3ad-c481-7a20-0ba79198b65e' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'fedc56ef-4c84-abd6-0f34-ac63f9d512cb' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 69 (OpenPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 17 (StartDocPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 23 (EndDocPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 17 (StartDocPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 23 (EndDocPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 29 (ClosePrinter ())
   profile: []
   offer: spoolss://::ffff:127.0.0.1/Xhbqy5httERSXV.exe
   download: 6b07a937c7a89f30206cfdf25b8331de spoolss://::ffff:127.0.0.1
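To make such a readlogsqltree trace easier to triage, here is an added example (not part of dionaea or readlogsqltree) that parses the bind, request, offer and download lines, groups the spoolss WritePrinter calls into documents, and flags the connection when a document write ended with a stored file. The sample log is an abridged copy of the capture above; the function names are my own.

```python
import re
from collections import Counter

# Abridged readlogsqltree output, constructed from the capture shown above.
SAMPLE_LOG = """\
   dcerpc bind: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '14d8483f-8f73-fc08-3b1b-c15070355ffe' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 69 (OpenPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 17 (StartDocPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 23 (EndDocPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 17 (StartDocPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 23 (EndDocPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 29 (ClosePrinter ())
   offer: spoolss://::ffff:127.0.0.1/Xhbqy5httERSXV.exe
   download: 6b07a937c7a89f30206cfdf25b8331de spoolss://::ffff:127.0.0.1
"""

BIND_RE = re.compile(r"dcerpc bind: uuid '[0-9a-f-]+' \((\w+)\)")
REQ_RE = re.compile(r"dcerpc request: uuid '[0-9a-f-]+' \((\w+)\) opnum \d+ \((\w+) \(\)\)")
OFFER_RE = re.compile(r"offer: (\S+)")
DL_RE = re.compile(r"download: ([0-9a-f]{32}) (\S+)")

def summarize(log):
    # binds per interface name, WritePrinter count per spoolss document, offers, downloads
    s = {"binds": Counter(), "docs": [], "offers": [], "downloads": []}
    writes = None  # WritePrinter count of the open document, None when no document is open
    for line in log.splitlines():
        if m := BIND_RE.search(line):
            s["binds"][m.group(1)] += 1  # 'None' = interface dionaea could not name
        elif m := REQ_RE.search(line):
            iface, op = m.groups()
            if iface == "spoolss" and op == "StartDocPrinter":
                writes = 0
            elif iface == "spoolss" and op == "WritePrinter" and writes is not None:
                writes += 1
            elif iface == "spoolss" and op == "EndDocPrinter" and writes is not None:
                s["docs"].append(writes)
                writes = None
        elif m := OFFER_RE.search(line):
            s["offers"].append(m.group(1))
        elif m := DL_RE.search(line):
            s["downloads"].append((m.group(1), m.group(2)))
    return s

def is_spoolss_file_drop(summary):
    """True when at least one spoolss document was written and a file was stored for it."""
    return bool(summary["docs"]) and bool(summary["downloads"])
```

The two documents in the capture above (21 and 3 WritePrinter calls) show up as one entry each in `docs`, so the document count, not the raw call count, is the stable feature to look for.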

gnuplotsql

smbd overview 2010
smb protocol stats for 2010 so far

gnuplotsql.py is a script I wrote to visualize the sqlite database in a useful way.

You can browse my statistics here while you use the script to create stats for your own database:

MSSQL attacks examined

Simplified version of the world.

Given the number of attacks reported on mssql, and the data I gathered over the last weeks, I decided to have a look at it.

Attacks on MSSQL

Even though I'm not the only one reporting attacks on MSSQL, I've had no shiny attacks addressing the brand new mssql code for dionaea yet, I think due to protocol bugs. But I've had some nfq-gathered bistreams which could be replayed to the mssql service.

The bistream replayed was collected on 2010-08-09 and was contributed by 182.236.160.29 to my port 1433/tcp. I chose this bistream for its size: at 245625 bytes it is the largest bistream I captured for mssql.

After resolving some issues, I was able to dump the commands sent to the database into a text file.

GSoC 2010

Within the umbrella of The Honeynet Project I've had two students working on dionaea as a GSoC2010 project this year. The projects were:

  • a basic SIP stack for dionaea
  • improvements on the current SMB stack

dionaea - SMB

For today, let's focus on the SMB stack improvements.

Metasploit Fingerprinting

This article was written by Tan Kean Siong during his gsoc2010 project (improving dionaea's smb stack); I just fixed some typos and formatted it - Markus

The Metasploit Framework is one of the most popular open source penetration testing frameworks, with the world's largest database of public, tested exploits. Metasploit was created in 2003 using the Perl scripting language; later on the framework was rewritten in the Ruby programming language.
The framework is user-friendly, and exploitation follows the workflow of:

  • choosing the exploit
  • configuring the payload
  • executing the exploit.

This modularity, allowing any exploit to be combined with any payload, is the major advantage of the Framework. It facilitates the tasks of attackers, exploit writers, and payload writers, and thus it has emerged as the de facto vulnerability development framework these days.

During exploitation it is often necessary to know the exact version of the target's operating system. Exploits often need to be customized to the particular OS environment, so knowing the remote operating system increases the success rate of the attack. Metasploit includes comprehensive OS fingerprinting support for the Microsoft Windows operating system. Metasploit can retrieve:

  • the version of the operating system
  • version of the service pack
  • and the installed network services.

Dionaea needs to support these fingerprinting methods, as malware may adopt this remote version fingerprinting in the future.

nfq fun

As an early adopter I currently enjoy the nfq module for dionaea.

metasploitable

Current dionaea trunk is metasploitable.

Getting this working was pretty nasty:

  • metasploit tries to authenticate using GSS-API
    • GSS-API requires ASN.1 and embeds SPNEGO
      • SPNEGO requires ASN.1 parsing, and embeds NTLMSSP

the story of 7867de...3e33e7

getting the file

Some days ago I pushed some code to store files which get uploaded to dionaea via smb file sharing.
Yesterday I merged some beautified dce rpc code which was written by Tan Kean Siong during his gsoc 2010 dionaea project.
Today I got some captures which may help when looking at dionaea log files.

Netware SMB Remote Stack Overflow

I just had a look at the Novell Netware exploit published by Laurent Gaffié, and I'm glad other people have problems parsing smb correctly too. Contrary to other exploits addressing Microsoft's SMB stack, this one exploits a parsing bug instead of a DCE Remote Procedure Call.

data visualisation - afterglow

We will create images showing the correlation of attacker host, vulnerability and malware.
Basically, the image will look like this:
small version of an afterglow picture
I had to cheat to get the image to a valid size …

dnsbl test

Given the rumor that infected windows boxes send spam, I wanted to check how many IPs attacking my honeypot are blacklisted on several dnsbls. I used this list for the dnsbls and wrote a script to query all of them for the last 1000 hosts which addressed my honeypot.

start.txt · Last modified: 2010/10/13 12:09 by common